EH-Net

Ethical Hacking Discussions and Related Certifications => Malware => Topic started by: H1t M0nk3y on February 11, 2013, 10:28:37 AM



Title: Encoding parts of a payload
Post by: H1t M0nk3y on February 11, 2013, 10:28:37 AM
Hi everyone,

When I use msfpayload to generate my payload (let's say, a Windows tcp bind shell), I always encode it with msfencode to remove null bytes (\x00) or any other characters (usually \x0a and \xff, sometimes more). I do this because these bytes would otherwise prevent the insertion of my payload in memory.

But what if my payload needs to be cut in two because I cannot put it all at the same memory location? For example, if my payload is 300 bytes long and I only have two spots of 200 bytes in memory? Should I carefully cut the payload (between two instructions) then encode each part separately, if they contain any invalid bytes? I would finally jump from the first part to the second one.

I haven't hit this problem yet, I was just "meditating" on the issue and couldn't get a good answer from Google.

Thanks


Title: Re: Encoding parts of a payload
Post by: UNIX on February 11, 2013, 10:36:54 AM
Breaking the shellcode into several parts should work, but you have to verify where you separate it. If your first staged buffer is very limited in space, you could also utilize an egg hunter to eventually get your shellcode executed.


Title: Re: Encoding parts of a payload
Post by: H1t M0nk3y on February 11, 2013, 12:00:54 PM
Yes, I guess it's better to search harder to find a bigger place in memory where you wouldn't have to break the payload.

But just for the sake of it, have you ever encoded parts of your payload?


Title: Re: Encoding parts of a payload
Post by: cd1zz on February 11, 2013, 04:49:14 PM
I literally just had this last problem on the latest bug I posted. Just slapped together a blog post last night: http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html

Bottom line, you can cut up the payload easily. However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse. In my case, 4 bytes literally changed the entire structure...


Title: Re: Encoding parts of a payload
Post by: ajohnson on February 11, 2013, 07:43:18 PM
Quote
I literally just had this last problem on the latest bug I posted. Just slapped together a blog post last night: http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html

Bottom line, you can cut up the payload easily. However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse. In my case, 4 bytes literally changed the entire structure...

How in the world do you have time for bug hunting? :o

Also, is that a standard fuzzing template? My coworker is currently playing around with Ability in the OSCP labs. He sent me his fuzzer for review, and it looked almost identical to yours, but with FTP commands.

Quote
Hi everyone,

When I use msfpayload to generate my payload (let's say, a Windows tcp bind shell), I always encode it with msfencode to remove null bytes (\x00) or any other characters (usually \x0a and \xff, sometimes more). I do this because these bytes would otherwise prevent the insertion of my payload in memory.

But what if my payload needs to be cut in two because I cannot put it all at the same memory location? For example, if my payload is 300 bytes long and I only have two spots of 200 bytes in memory? Should I carefully cut the payload (between two instructions) then encode each part separately, if they contain any invalid bytes? I would finally jump from the first part to the second one.

I haven't hit this problem yet, I was just "meditating" on the issue and couldn't get a good answer from Google.

Thanks

Yea, that's going to be a pain because you're going to have to do a lot of that manually. As you noted, you can't just cut it in half and add a jump to the next portion. Not only will you need to encode each portion separately, you'd also need to correct any jumps and other offsets in the original shellcode. I'd try to get the exploit working without encoding first by binary pasting the shellcode into the appropriate places in a debugger, and then go back and deal with encoding once the shellcode was functional. Just break it out into as many baby steps as you can.

It also depends on how big the gap is. There was a cool example in the Corelan course where the shellcode was broken by a double word, so a few instructions were added to the beginning of the shellcode to correct those four bytes. Something like that would certainly be a less involved solution, if possible.


Title: Re: Encoding parts of a payload
Post by: H1t M0nk3y on February 11, 2013, 07:45:03 PM
Quote
However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse.
That's a very good point. I just read your blog and I found it very well explained and easy to follow. Good job cd1zz!!

Quote
How in the world do you have time for bug hunting?
Did you guys know that cd1zz (Craig Freyman) has 19 exploits to his name in exploit-db? That's insane!!! :o
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=&filter_author=Craig+Freyman&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=


Title: Re: Encoding parts of a payload
Post by: cd1zz on February 11, 2013, 08:43:16 PM
@ajohnson I've had it for so long, I completely forgot where it came from. This is it: http://www.redteamsecure.com/labs/post/18/build-your-own-ftp-fuzzer

Editing the post now to reflect that!



Title: Re: Encoding parts of a payload
Post by: UNIX on February 12, 2013, 01:25:55 AM
Nice write-up on the ActFax exploitation, cd1zz. ;)


Title: Re: Encoding parts of a payload
Post by: ajohnson on February 12, 2013, 03:51:47 AM
Quote
Did you guys know that cd1zz (Craig Freyman) has 19 exploits to his name in exploit-db? That's insane!!! :o
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=&filter_author=Craig+Freyman&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

Oh, I'm well aware of his... *wait for it* ...many exploits.

Sorry, I couldn't resist an awful pun ;D

Seriously though, he was one of the few that was consistently finishing ahead of me in the Corelan course. He's a frustratingly sharp guy 8)


Title: Re: Encoding parts of a payload
Post by: H1t M0nk3y on February 12, 2013, 07:01:48 AM
cd1zz and ajohnson: Have you taken the Corelan course before or after OSCE?

It looks good, but 80% of the class seemed to be covered by the Cracking the Perimeter course...

Am I right?


Title: Re: Encoding parts of a payload
Post by: cd1zz on February 12, 2013, 08:07:17 AM
There is a lot of overlap and in many cases they complement each other. We had a thread on here somewhere where we got into the nitty gritty. For example, OSCE covers no ROP exploitation but Corelan does. Corelan is 110% exploit dev. OSCE is 90%. If possible, do them both!!

ajohnson just knocked out OSCE and recently did Corelan, he might have a fresher perspective...


Title: Re: Encoding parts of a payload
Post by: H1t M0nk3y on February 12, 2013, 08:55:30 AM
OSCE is my goal right now, but I will keep a good eye on Corelan's tutorials at https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/

Thanks to your blog cd1zz, I now know about these things.


Title: Re: Encoding parts of a payload
Post by: ajohnson on February 12, 2013, 12:14:19 PM
I intend to do full write-ups on both, but my schedule's not going to clear up for the next few weeks.

In the interim, I think it's apples and oranges. Sure, they both cover exploit development, but there are huge differences in the tools, techniques, and approaches. As usual, OffSec focuses on doing everything manually and uses OllyDbg. The Corelan boot camp might as well be called "Exploit Development using Mona.py." You spend nearly the entire course in Immunity and working with Mona, from basic stack-based buffer overflows to egg hunters to ROP exploitation. The amount of annoying, tedious tasks that can be performed effortlessly with Mona is nothing short of amazing.

I think the Corelan course more accurately depicts how people who perform exploit development day-to-day go about their work. However, it's still important to understand what's going on behind the scenes and not rely on Mona as this magical tool that just works. Both courses complement each other well, and I recommend doing both. Also, Peter is great to interact with, and being able to ask questions and bounce ideas around with him is a fantastic experience. He's going to work with you and not just tell you to try harder.

I actually took the Corelan course a couple of weeks before my OSCE exam, and one thing that did surprise me is that it really didn't help much, if at all, with the exam. I thought I would crush it for sure, but it ended up being the usual miserable experience with a miraculous pass in the last few hours. In fact, I actually ended up using a technique that wasn't covered in either course. I can't say more without spoiling it, but I posted my solution in the OffSec OSCE-only forums ;)

Also be sure to check out the SecurityTube assembly and exploit development videos, as well as the tutorials over at The Grey Corner (thanks to UNIX for showing me those).


Title: Re: Encoding parts of a payload
Post by: H1t M0nk3y on February 12, 2013, 02:24:43 PM
My list of things to read/review/do is getting longer and longer every day!!
Will I ever be able to challenge this exam?  :P

Thanks ajohnson, very useful, as usual!


Title: Re: Encoding parts of a payload
Post by: Dark_Knight on February 24, 2013, 10:15:41 PM
Quote
I literally just had this last problem on the latest bug I posted. Just slapped together a blog post last night: http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html

Bottom line, you can cut up the payload easily. However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse. In my case, 4 bytes literally changed the entire structure...

I decided to throw my hat in the ring as well. Of course cd1zz has already done the heavy lifting and it's not as sexy :)

http://sector876.blogspot.com/2013/02/hacking-actfax-raw-server.html


Title: Re: Encoding parts of a payload
Post by: H1t M0nk3y on February 25, 2013, 01:59:08 PM
Nice Dark_Knight! Now I feel like I have to add to it too!  :D

But these days, I've got a new problem preventing me from studying much: a new girlfriend!! A guy needs to set his priorities... ;D