Why My ShellCode Cannot Work

Recently I have been doing some analysis of CVE-2013-3893.
I found the exploit code on the web and replaced the original shellcode with my own shellcode, which pops up calc.exe (basically, I used Metasploit to generate it).
But a strange thing happened: it didn't work.
I placed some NOPs before the shellcode. It successfully jumps to the NOP sled, but once the shellcode finishes executing, to my surprise, it crashes.

Yes, it jumps to my NOPs.

0:005> g
Breakpoint 1 hit
eax=00000001 ebx=036cd2e0 ecx=121211ea edx=76e770b4 esi=002ab650 edi=51bd1158
eip=121212da esp=12121242 ebp=036cd228 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
121212da 90              nop

But when I continue (g), it crashes here:
0:005> g
(89c.148): Access violation - code c0000005 (!!! second chance !!!)
eax=80000002 ebx=00000001 ecx=0af50016 edx=76e770b4 esi=00000001 edi=00000000
eip=76e7710f esp=0af4fcfe ebp=0af5001e iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlRaiseStatus+0xa:
76e7710f 54              push    esp

I set a breakpoint on the function WinExec and ran it again.

Inside this function it calls CreateProcessA:
....
7668e698 50              push    eax
7668e699 56              push    esi
7668e69a 56              push    esi
7668e69b ff750c          push    dword ptr [ebp+0Ch]
7668e69e 56              push    esi
7668e69f 56              push    esi
7668e6a0 56              push    esi
7668e6a1 ff7508          push    dword ptr [ebp+8]
7668e6a4 56              push    esi
7668e6a5 e8d839f7ff      call    kernel32!CreateProcessA (76602082)
{
     At the call to CreateProcessA, nothing looks wrong with the parameters.
0:005> dd esp
1212117a  7668e6aa 00000000 121213a5 00000000
1212118a  00000000 00000000 00000000 00000000
Note: 121213a5 is the address where we store the calc.exe path
}
7668e6aa 85c0            test    eax,eax
{
    Of course, this function returns zero: it failed.
}
7668e6ac 7427            je      kernel32!WinExec+0xd8 (7668e6d5)
7668e6ae a158606c76      mov     eax,dword ptr [kernel32!UserWaitForInputIdleRoutine (766c6058)]
7668e6b3 3bc6            cmp     eax,esi
7668e6b5 740a            je      kernel32!WinExec+0xc4 (7668e6c1)
7668e6b7 6830750000      push    7530h
7668e6bc ff75e8          push    dword ptr [ebp-18h]
7668e6bf ffd0            call    eax
7668e6c1 ff75e8          push    dword ptr [ebp-18h]
7668e6c4 8b35cc156076    mov     esi,dword ptr [kernel32!_imp__NtClose (766015cc)]
7668e6ca ffd6            call    esi
7668e6cc ff75ec          push    dword ptr [ebp-14h]
7668e6cf ffd6            call    esi
7668e6d1 6a21            push    21h
7668e6d3 eb1d            jmp     kernel32!WinExec+0xf5 (7668e6f2)
7668e6d5 e82bd6fbff      call    kernel32!GetLastError (7664bd05)
{
     When CreateProcessA fails, it jumps here to call GetLastError.
     The return value is 2.
     I searched MSDN:
     error 2 (ERROR_FILE_NOT_FOUND) means the system cannot find the file specified.
} 
7668e6da 48              dec     eax
......
------------------------------------------------------------------------

From the value returned by GetLastError, we know the system cannot find the calc.exe file.
But why can't it find my exe file? It exists in my c:\windows\system32\ directory.

Then I had another idea: eventually CreateProcess calls the NtCreateProcess function, which is the transition from ring 3 to ring 0.
I set a breakpoint on NtCreateProcess and continued.
It crashed before the NtCreateProcess breakpoint was ever hit. Oh.

That is because the exception happens before it gets to NtCreateProcess, so I need to trace through the CreateProcessA function step by step.


CreateProcessA
-> 
kernel32!CreateProcessInternalA
{
Nothing wrong with the parameters.
0:005> dd esp
12121146  00000000 00000000 121213a5 00000000
12121156  00000000 00000000 00000000 00000000
12121166  00000000 121211b2 1212121a 00000000
12121176  12121232 7668e6aa 00000000 121213a5
12121186  00000000 00000000 00000000 00000000
12121196  00000000 00000000 121211b2 1212121a
121211a6  51bd1158 001079c0 0365d420 00000044
121211b6  00000000 00000000 00000000 00000000
0:005> da 121213a5
121213a5  "calc.exe"
}
->
kernel32!CreateProcessInternalW
{
Nothing wrong here either.
0:005> dd esp
12121066  00000000 00000000 08898c50 00000000
12121076  00000000 00000000 00000000 00000000
12121086  00000000 121210a6 1212121a 00000000

08898c50 63 00 61 00 6c 00 63 00 2e 00 65 00 78 00 65 00 00 00 00 00 58  c.a.l.c...e.x.e.....X
08898c65 46 11 00 1b 63 c3 4f 1e 00 00 80 92 00 93 08 58 46 11 00 81 9c  F...c.O........XF....
}
->
.......
KERNELBASE!SearchPathW
{
Searches for a specified file in a specified path.

http://msdn.microsoft.com/en-us/library/aa365527%28VS.85%29.aspx

}
->
KERNELBASE!_imp__RtlDosSearchPath_Ustr
{
First it gets the PATH from the environment variables,
then combines it with the name given.
For example, if PATH is c:\windows\system32;c:\python;etc.,
it joins each PATH entry with the name:
c:\windows\system32\calc.exe, c:\python\calc.exe, etc.
}
->
ntdll!RtlDoesFileExists_UEx
{
0:005> t
eax=00000000 ebx=00000000 ecx=00000004 edx=00000000 esi=00000056 edi=121209fa
eip=76e93091 esp=1212074a ebp=121209aa iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
ntdll!RtlDoesFileExists_UEx:
76e93091 8bff            mov     edi,edi
0:005> dd esp
1212074a  76e9dcc6 1212079e 00000000 089ce388

1212079e 43 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20  C.:.\.P.r.o.g.r.a.m. 
121207b3 00 46 00 69 00 6c 00 65 00 73 00 5c 00 49 00 6e 00 74 00 65 00  .F.i.l.e.s.\.I.n.t.e.
121207c8 72 00 6e 00 65 00 74 00 20 00 45 00 78 00 70 00 6c 00 6f 00 72  r.n.e.t. .E.x.p.l.o.r
121207dd 00 65 00 72 00 5c 00 63 00 61 00 6c 00 63 00 2e 00 65 00 78 00  .e.r.\.c.a.l.c...e.x.
121207f2 65 00 00 00 5a 08 12 12 1e 08 12 12 1e 08 12 12 00 00 00 00 ea  e...Z..............
}
->
ntdll!RtlDoesFileExists_UstrEx
->
ntdll!ZwQueryAttributesFile
{

http://msdn.microsoft.com/en-us/library/cc512135%28v=vs.85%29.aspx

NTSTATUS NtQueryAttributesFile(
  _In_   POBJECT_ATTRIBUTES ObjectAttributes,
  _Out_  PFILE_BASIC_INFORMATION FileInformation
);

When this function executes, I see eax set to 80000002:
0:005> 
eax=121206fe ebx=00000000 ecx=7475eb3d edx=0000021a esi=00000034 edi=001446e0
eip=76e91f05 esp=121206c2 ebp=1212072e iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!RtlDoesFileExists_UstrEx+0x67:
76e91f05 e82e40feff      call    ntdll!ZwQueryAttributesFile (76e75f38)
0:005> p
eax=80000002 ebx=00000000 ecx=121206ba edx=76e770b4 esi=00000034 edi=001446e0
eip=76e91f0a esp=121206ca ebp=1212072e iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!RtlDoesFileExists_UstrEx+0x6c:
76e91f0a 8bf0            mov     esi,eax

I searched MSDN and found that 80000002 means a misaligned data exception.
I checked the object parameters and found that all of their addresses end in 2.
That must be why the function returns data misaligned:
on a 32-bit system the stack must always be 4-byte aligned.
}

I looked at the stack at the beginning of the shellcode:
esp is not 4-byte aligned (esp=12121242).
So that's the reason why my shellcode cannot work.

I added the instruction "sub esp, 2" before my shellcode to align the stack.

Finally I see the shellcode execute successfully and pop up calc.exe.
Cool!
Remember to align your stack when you heap spray.
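The checks performed by hand above (is ESP 4-byte aligned, what does the NTSTATUS in eax mean, which stack slots in a dd dump sit at odd addresses) are mechanical enough to script. The following Python helper is an added example, not code from the original post; the function names and the NTSTATUS field split are its own, and the only status it names, 0x80000002 = STATUS_DATATYPE_MISALIGNMENT, is the one the post hits. The two register dumps and the dd line embedded as sample input are copied from the WinDbg session above. The underlying reason the misaligned stack matters is that the kernel probes user-mode pointers passed to system calls such as NtQueryAttributesFile for alignment before touching them, and a failed probe comes back as exactly this status, which CreateProcess then reports as ERROR_FILE_NOT_FOUND.

```python
"""Triage helpers for the WinDbg output in the post (added example, not the post's own code)."""
import re

# NTSTATUS layout: severity in bits 31:30, customer flag bit 29, facility 27:16, code 15:0.
_SEVERITY = {0: "SUCCESS", 1: "INFORMATIONAL", 2: "WARNING", 3: "ERROR"}
_KNOWN_STATUS = {0x80000002: "STATUS_DATATYPE_MISALIGNMENT"}  # value from ntstatus.h

# Matches the 32-bit registers WinDbg prints on its "r" lines.
_REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
# Matches one line of "dd" output: base address followed by up to four dwords.
_DD_RE = re.compile(r"^([0-9a-fA-F]{8})[ \t]+((?:[0-9a-fA-F]{8}[ \t]*)+)$", re.M)


def parse_registers(dump: str) -> dict:
    """Return {"eax": int, ..., "esp": int} for a WinDbg register dump."""
    return {name: int(val, 16) for name, val in _REG_RE.findall(dump)}


def stack_misalignment(esp: int, alignment: int = 4) -> int:
    """Bytes by which ESP sits above the alignment boundary below it (0 means aligned)."""
    return esp % alignment


def alignment_fixup(esp: int, alignment: int = 4) -> int:
    """Bytes to subtract from ESP to reach that boundary; the post's "sub esp, 2" is this value."""
    return stack_misalignment(esp, alignment)


def decode_ntstatus(status: int) -> dict:
    """Split an NTSTATUS into its fields and name it if it is one this example knows."""
    return {
        "severity": _SEVERITY[(status >> 30) & 0x3],
        "customer": bool((status >> 29) & 0x1),
        "facility": (status >> 16) & 0xFFF,
        "code": status & 0xFFFF,
        "name": _KNOWN_STATUS.get(status, "unknown"),
    }


def parse_dd(dump: str) -> list:
    """Parse "dd" output into (address, value) pairs, one per dword displayed."""
    out = []
    for base, words in _DD_RE.findall(dump):
        addr = int(base, 16)
        for i, word in enumerate(words.split()):
            out.append((addr + 4 * i, int(word, 16)))
    return out


def misaligned_stack_slots(dump: str) -> list:
    """Addresses in a "dd esp" dump that are not 4-byte aligned (the post's "all end with 2")."""
    return [addr for addr, _ in parse_dd(dump) if addr % 4]


def triage(dump: str) -> dict:
    """Run the register-level checks on one dump; eax is decoded as an NTSTATUS."""
    regs = parse_registers(dump)
    esp = regs["esp"]
    return {
        "esp": esp,
        "aligned": stack_misalignment(esp) == 0,
        "fixup": alignment_fixup(esp),
        "eax_as_ntstatus": decode_ntstatus(regs["eax"]),
    }


# Sample input copied from the post's WinDbg session.
SHELLCODE_ENTRY = (
    "eax=00000001 ebx=036cd2e0 ecx=121211ea edx=76e770b4 esi=002ab650 edi=51bd1158\n"
    "eip=121212da esp=12121242 ebp=036cd228 iopl=0         nv up ei pl nz na po nc\n"
)
AFTER_QUERY_ATTRIBUTES = (
    "eax=80000002 ebx=00000000 ecx=121206ba edx=76e770b4 esi=00000034 edi=001446e0\n"
    "eip=76e91f0a esp=121206ca ebp=1212072e iopl=0         nv up ei pl zr na pe nc\n"
)
DD_ESP_AT_DOESFILEEXISTS = "1212074a  76e9dcc6 1212079e 00000000 089ce388\n"

if __name__ == "__main__":
    for label, dump in (("shellcode entry", SHELLCODE_ENTRY),
                        ("after ZwQueryAttributesFile", AFTER_QUERY_ATTRIBUTES)):
        r = triage(dump)
        print(f"{label}: esp={r['esp']:08x} aligned={r['aligned']} "
              f"fixup={r['fixup']} eax={r['eax_as_ntstatus']}")
    print("misaligned dd slots:", [f"{a:08x}" for a in misaligned_stack_slots(DD_ESP_AT_DOESFILEEXISTS)])
```

Run as a script it reports esp=12121242 as misaligned with a fixup of 2 bytes, decodes the later eax as a WARNING-severity STATUS_DATATYPE_MISALIGNMENT, and lists all four dword slots of the dd line as sitting at addresses that are 2 mod 4, which is the same chain of evidence the post assembles by hand.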

7 comments so far

  1. quest bars 2016/02/18 pm 9:35

    This design is stellar! You obviously know how to keep a reader
    entertained. Between your wit and your videos, I was almost moved to start my
    own blog (well, almost…HaHa!) Great job. I really loved what you had to say, and more than that,
    how you presented it. Too cool!

  2. jiangnan 2015/08/20 pm 5:29

    thanks

  3. le9a1high 2015/02/13 pm 12:07

    Thanks

  4. JZEY 2014/10/26 pm 3:54

    Interesting post.

  5. look 2014/07/08 pm 12:10

    very good! I just came across that problem!!

  6. Johnb307 2014/06/01 am 5:14

    I obviously like your website; however, you need to check the spelling on several of your posts. Several of them are rife with spelling issues and I find it very bothersome, to tell the truth; on the other hand, I will definitely come again. kekeddekedeg

    1. wwwsecniu 2014/06/01 pm 10:16

      OK, I will notice this! Thank you for your attention!

