Problem with a shellcode…

Viewing 32 reply threads
    • #5042
      caissyd
      Participant

      Hi,

      I have an odd problem when trying to write my own exploit. I am doing the “extra mile” exercises for the Win32 Buffer-Overflow in the PWB course. So everything I am doing is legal here. Everything goes very well but one little thing.

      I understand that injecting a null byte (\x00) will cause problems during the execution. But I have discovered that when I try to inject bytes ranging from \x0A to \x0F, I get a similar problem. Here is an example:

      Let’s say I want to inject the following code:
      \x41\x42\x43\x44\x45\x0A\x46\x47\x48\x49

      The debugger will show that the end result is something like:
      \x41\x42\x43\x44\x45\x5A\x6B\x31\x5C\x61

      But if I remove this \x0A character, I get the full message copied at the proper location: \x41\x42\x43\x44\x45\x46\x47\x48\x49

      Basically, it seems I successfully copy my code, but starting at one of the mentioned characters, I only get garbage…

      Any REAL experts?  😉

    • #31966
      zeroflaw
      Participant

      Hmm 0x0A is the newline character, and the other chars are like tabs and a carriage return. Maybe it breaks the shellcode somehow. Though I’ve only read that shellcode can’t contain null bytes ???

    • #31967
      caissyd
      Participant

      I forgot to say I am using a VPN. I first thought my firewall could be blocking these characters, but I soon woke up and realized the VPN encrypts everything. So it isn’t my firewall.

      Could it be an encoding problem of some sort?

    • #31968
      mambru
      Participant

      The null byte (\x00) is not the only byte that may finish your string. Before crafting your payload you must detect which bytes will cause the application to finish your string, so you avoid them in the payload.

      Check the next url for reference:

      http://en.wikibooks.org/wiki/Metasploit/WritingWindowsExploit#Dealing_with_badchars

    • #31969
      caissyd
      Participant

      Thanks mambru, I will read it tonight.

      Also, I will post my solution.

    • #31970
      sil
      Participant

      @H1t M0nk3y wrote:

      Let’s say I want to inject the following code:
      \x41\x42\x43\x44\x45\x0A\x46\x47\x48\x49

      The debugger will show that the end result is something like:
      \x41\x42\x43\x44\x45\x5A\x6B\x31\x5C\x61

      Any REAL experts?  😉

      NOP’s are 90’s… In that case, xor eax, eax is your friend… You can replace NOP’s by zeroing them out, replacing them, etc.. e.g.:


      \x31\xdb\x31\xc0\xb0\x01\xcd\x80

      // \x31\xdb  xor ebx,ebx
      // \x31\xc0  xor eax,eax
      // \xb0\x01  mov al,1
      // \xcd\x80  int 0x80

      http://lordparody.wordpress.com/2010/03/09/just-slide/
      http://www.vividmachines.com/shellcode/shellcode.html#as
      http://mishou.org/2009/12/12/insecure-programming-by-example-shellcode-stack5-c/
      http://webcache.googleusercontent.com/search?q=cache:ToYj-Yq3m-UJ:nostarch.com/extras/hacking/chap2/print2.asm+zero+out+nop+sled&cd=6&hl=en&ct=clnk&gl=us&client=firefox-a

      Have you tried zeroing it out. How much space do you have to play with, etc.

    • #31971
      caissyd
      Participant

      I know now that I can encode my shellcode using the msfencode or something similar. So that is fine now.

      BUT, my problem is that my ESP register needs to get the value \x0A\xAF\xD8\x77 but I have a problem with \x0A… Can I encode a value in EIP?

      I will check right now!

    • #31972
      caissyd
      Participant

      I just checked and like I thought, it becomes too big!

      When I “msfencode” \x0A\xAF\xD8\x77, I get:

      “\xda\xc9\xd9\x74\x24\xf4\xbb\x6d\x18\xd7\xa6\x2b\xc9\x5a” +
      “\xb1\x05\x83\xc2\x04\x31\x5a\x14\x03\x5a\x79\xfa\x22\xfa” +
      “\xf9\xca\x8d\x5f\x81\x6b\x48\x3c\x09\x28\x6c\xe0\x91\x87” +
      “\xbb\x12”

      This can’t fit in EIP.

      I am so humble now…  :- But I will make it work!!!  🙂

    • #31973
      n1p
      Participant

      It is not meant to fit in EIP… That is your encoded shellcode. If you are looking for a valid return address, i.e. the start of your shellcode, it should not contain what can be considered bad characters – \x0d\x00\x0a.

      Ensure EIP points to a NOP sled to your shellcode or directly into your shellcode. If you have correctly aligned your offsets, attempt to fill EIP with \xCC\xCC\xCC\xCC to get your debugger to break and show you what’s going on.

      Happy to take a look for you, but if it is course material, I doubt it is allowed.

    • #31974
      caissyd
      Participant

      Thanks guys, you are really helping me here!!

      First, I could easily get the exploit on the internet, but I want to learn, so here I am!

      Also, here is what I was successful doing:
      1) I can set, let’s say, \x41\x41\x41\x41 in EIP (basically, I control EIP)
      2) I successfully encoded my shellcode.
      3) I have added a 16 bit long NOP sled at the beginning of ESP and my shellcode is right after.
      4) I have verified that my shellcode in the memory of the program is identical to the one I have in my code. It is indeed identical.

      I keep trying…

    • #31975
      caissyd
      Participant

      I think I just solved my problem.

      I found another JMP ESP instruction in users32.dll which doesn’t contain any infamous characters. I am now able to reach the beginning of my shell code…

      I can feel it, it is so close!!!

    • #31976
      caissyd
      Participant

      I have got a bind shell from my FIRST exploit!!!!

      Thanks n1p, sil, mambru and zeroflaw. I appreciate it!

      As a note, I feel like, when I started going on racetrack with my racebike, the first time I touch my knee on the pavement in a curve. Brilliant!

      I am so happy, and I am all alone tonight at home!  ;D

      Ouff, I need a beer now!  😛

    • #31977
      mambru
      Participant

      No problem M0nk3y, I’m glad I was helpful in some way and you did it, I was on the same road a while ago (PWB course) 😉

    • #31978
      zeroflaw
      Participant

      You’re welcome H1t M0nk3y! Glad to see you got it working. Good job 8)

    • #31979
      sil
      Participant

      @H1t M0nk3y wrote:

      I have got a bind shell from my FIRST exploit!!!!

      NP and congrats. I’m going over a lot of advanced shellcoding tutorials and videos right now as well. My goal is repeatability across the board. Dino Zovi and Alex Sotirov have a class I’m waiting to attend called Assured Exploits. (http://trailofbits.com/2010/02/25/assured-exploitation-training/)

      For example… Right now I have quite a few POC’s and exploits for a variety of applications (I focus on the big boys, Oracle, IBM, etc. for obvious reasons ;)) Sometimes I submit work to CERT (they take forever even to get me my VRU’s), sometimes I go to ZDI, sometimes IDefense, etc… Anyhow, I hate having something proven exploitable on say Windows 2003 Advanced Server, but not on say Win2008, Win7, etc.

      I’ve been banging my head in reading especially for Win7 right now. E.g., I have one application, completely ‘ownable’ on everything EXCEPT Win7. I almost always get Access Violations on ??????? no matter what I do. A huge majority of things I find on say XP, I can replicate after a while on Vista, but on Win7 the same exploit almost always goes to kernelbase.dll so I’ve been trying to figure out why. It’s a fun and sometimes frustrating experience.

      n1p’s document is definitely worth reading and again n1p if you read this, WinDBG rocks! So if you get one of those going let me know maybe I can learn more or even assist. H1t M0nk3y, I almost never suggest that anyone stray from what works for them however… I do have to state that WinDBG for debugging to me is more powerful. Not to mention the byakugan module would have found the right addresses for you:

      What can you do with byakugan.dll ?

      jutsu : set of tools to track buffers in memory, determining what is controlled at crash time, and discover valid return addresses
      pattern_offset
      mushishi : framework for anti-debugging detection and defeating anti-debugging techniques
      tenketsu : vista heap emulator/visualizer.

      identBuf / listBuf / rmBuf : find buffers (plain ascii, metasploit patterns, or data from file) in memory…

      memDiff : compare data in memory with a pattern and mark the changes. This will help you determining whether e.g. shellcode has been changed/corrupted in memory, whether certain ‘bad characters’ need to be excluded from shellcode, etc
      hunt

      findReturn : search for the addresses that point to a usable function to return to.

      searchOpcode : converts assembler instruction to opcode, AND it lists all executable opcode sequence addresses at the same time.

      http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/?nomobile

      WinDBG rocks… Immunity’s Debugger (as does Canvas) for those who use them has some cool stuff in it as well. I need to update Canvas 😐 The only time I fire up olly nowadays is for mapping 😐

    • #31980
      Ketchup
      Participant

      Sil, could it be SEHOP on Windows 7 stopping you?  I believe it is on by default in Windows 7, and needs to be manually enabled in Vista.

    • #31981
      sil
      Participant

      @Ketchup wrote:

      Sil, could it be SEHOP on Windows 7 stopping you?   I believe it is on by default in Windows 7, and needs to be manually enabled in Vista.

      Nah, Win7 you have to enable it as well AFAIK: “By default, SEHOP is disabled in Windows 7 and in Windows Vista. To enable SEHOP manually, follow these steps: Click Start, click Run … ” (http://support.microsoft.com/kb/956607)

      Just so you know though (for those who don’t): XOR, POP, POP, RET >= SEHOP (http://www.sysdream.com/articles/sehop_en.pdf) Sotirov and a few others have written about this. My guess on my end… My Win7 Ultimate is just polluted with junk constantly running. E.g., just an hour ago I plopped on Oracle’s BPM Studio 10.3 to fiddle with it. So it could just be a combination of bloat. I know funny things started after Cenzic’s Hailstorm which tried to fiddle with my .net and ESPECIALLY after I started making Klocwork Architect connections to a server. I think my registry is somehow in a double tee eff state.

      I will dig into it a little more some other time (tinkering with Win7) however, this is just for my sanity. I envision in like 4-5 years Win7 becoming to attackers what 2000, 2003, XP now is. So I figured I’d try on my own to learn porting POC’s and learning to weaponize them seamless before I submit vulns and stuff. Nothing sucks more than having it work on say 2-3 of your own machines but not being repeatable by a vendor.

    • #31982
      Ketchup
      Participant

      I stand corrected.  I thought Win7 enabled it out of the box.  That’s good to know, thanks!

    • #31983
      sil
      Participant

      @Ketchup wrote:

      I stand corrected.   I thought Win7 enabled it out of the box.   That’s good to know, thanks!

      Couldn’t find documentation on win2008. I have it installed on a VMWare machine that I barely use 🙁 My theory/thought is, if it works on win7 it should work on W2k8. What I have noticed intermingling is that for the most part, if I start say fuzzing something on XP and get a working control of registers, I can usually mimic it down (2003) and up (Vista) *most* of the times with little work. When I do the same on Vista *sometimes* I can mimic it on XP. When I do *anything* on the 7 side, I almost always get kernelbase errors with no way to find out where (address) this occurs. No matter what debugger I use, no matter how many breakpoints I set… fail 🙁 should post screenshots… coding failblog or something… “exploit fail” where instead of calc or notepad you get … nothing ;D

    • #31984
      caissyd
      Participant

      I am still learning and I obviously can’t help you. However, once I am done with the PWB course, I will definitely spend more time playing with these tools. To me, this is the real deal!

    • #31985
      sil
      Participant

      @H1t M0nk3y wrote:

      I am still learning and I can’t obviously help you. However, once I am done with the PWB course, I will definitively spend more time playing with these tools. To me, this is the real deal!

      As of late/mid last year, I began having more fun learning programming and reverse engineering in regards to security. Personally, I find it more challenging than the typical “pentesting” involving scanning, enumerating, social engineering, etc. I can say from experience it (programming/exploitation) is definitely more nerve-wracking and “intimate” (for lack of better words right now).

      When it comes to vanilla (above mentioned tests) pentesting, I’ve always found that (in my count) about 60+% is horrible configurations and overlooked items. 30+% social engineering 10% “extreme exploiting”. There have been ONLY two instances this year where I had to escalate privileges on a pentest from a fluff user to root. These occurred on *nix machines. The rest, tended to be bad configurations and lack of security awareness. I’ve performed 3 solid pentests consisting of about 100-125 servers/routers/switches/PBX’s.

      One client (99.99999% Linux) had ONE Windows machine which sadly was configured safer than their entire Linux infrastructure. They have 1 full /21 and about 3 separate /24’s. Their engineers decided to use sshkeys and some genius thought he would save all his engineers time by changing all their UID’s to 0. Fun 😉 … They had an old version of Cacti running on ONE server that got them owned.

      Anyway… I like reversing/coding. A lot more thought to me is involved. I’m personally at an impasse where security is too repetitive for me. Reversing is like … “huh!?@!” So don’t feel like you can’t respond to anyone ever 😉 we’re all going through learning phases. Heck I learn from everyone so I’ve always been humbled to learn and eager to share… Sometimes though, my wording (perhaps poor choices of phrases) lead people to misconstrue a response as elitist or arrogant. I’m no smarter/leeter than anyone. Security remains a learning game. Don’t let anyone tell you different 😉 Sure there are plenty who can mop the floor with my coding talent… I could do it with packet-fu (been doing so since circa 97)… Does it make me better? Nah, I likely know something they don’t care for and vice versa. We’re all learning here no?

    • #31986
      n1p
      Participant

      What’s your fuzzer of choice?

    • #31987
      Xen
      Participant

      This thread has been bugging me continuously. The thing is, I’ve no experience in exploit development whatsoever and can’t participate in the discussion. Although I’ve started learning a bit about buffer overflow exploit development (n1p’s article was a great inspiration), I still have a lot to learn. Would someone link me to some good online resources to learn from? Furthermore, where do I start? Links to books will be helpful too.
      I’m thinking about buying ‘The Shellcoder’s Handbook: Discovering and Exploiting Security Holes’. The table of contents looks impressive and frankly doesn’t look too difficult as I have some programming experience.

    • #31988
      n1p
      Participant

      I would certainly echo sil’s comments about windbg. It is extremely powerful and I would recommend developing the exploit using it to get some experience with it.

      Congrats by the way 🙂

      Equix3n, take a look at hacking: art of exploitation and dino zovi videos on vimeo, corelan.be,uninformed.org,grey-corner blog. They will provide further valuable links

    • #31989
      Xen
      Participant

      Thanks n1p! I’ll certainly check them 🙂

      Edit: I checked the links and found out that I already had two of them bookmarked. Looks like I was on the right path. What about ‘The Shellcoder’s Handbook’? Should I buy it or not?

    • #31990
      sil
      Participant

      @n1p wrote:

      What’s your fuzzer of choice?

      Depends on what I’m fuzzing 😉 Peach is an all around awesome tool and straightforward. You can’t beat Commraider for ActiveX. Protos is a good framework to edit on your own. Commercially… Klocwork rocks. I’ve heard the world about Codenomicon but I’ve yet to purchase a copy or see it demo’d although I spoke with them about 2 weeks ago.

    • #31991
      sil
      Participant

      @Equix3n- wrote:

      I’m thinking about buying ‘The Shellcoder’s Handbook: Discovering and Exploiting Security Holes’. The table of contents looks impressive and frankly doesn’t look too difficult as I have some programming experience.

      Shellcoder’s Handbook is great and so is Jack Koziol. I had the opportunity to correspond with Jack a few times here and there and he is a kick ass cool person. As is Dino, whom I also bug from time to time.

      Equix3n: Before you fork out money for the book though, although it looks easy, once involved more heavily, there is really no *one* book that will give you that “aha! NOW I GET IT” Here is a list Dino Dai Zovi sent me when I had a question pertaining to some Quicktime stuff I was lost on: http://TinyURL.com/bughunters
      Just to let you understand how difficult/weird/frustrating it is for most security researchers… (apologies if you stumble on this Dino): I was fuzzing Quicktime for one of my classes and trying to get a workable (weaponized) exploit for Quicktime: (http://www.infiltrated.net/OWNING-QUICKTIME) I was frozen here. All was working as planned with complete control of my registers (EIP, EAX, etc., all were ‘ownable’) yet I couldn’t pop my calc. Frustrated I sent a quick email to Dino asking what am I doing wrong:

      I’d again insist that you should double-check that the surface that you are fuzzing is available via a web page, try and at least trigger a crash from a web page to make sure.  You don’t want to take an early victory lap only to discover that it’s not an actual security vulnerability (trust me, this happens to me at least a few times a year and it *sucks*).

      At the end of it (my fuzzing) I had to completely drop and revamp a working exploit even though I had control in the first place… By the way n1p, ketchup if you guys follow the horrendous output, you’d notice the use of byakugan in there… Mushishi rocks!

      0:004> g
      (1518.1918): Unknown exception - code c0000096 (first chance)
      CAUGHT A BP
      CAUGHT A BP
      CAUGHT A BP
      eax=7efde000 ebx=0378f604 ecx=0378f654 edx=030fd7e8 esi=00000000 edi=00370000
      eip=773744ec esp=0378f5f0 ebp=0378f984 iopl=0        nv up ei pl zr na pe nc
      cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b            efl=00000246
      ntdll!RtlDispatchException:
      773744ec 8bff            mov    edi,edi
      0:005> g
      CAUGHT A BP
      CAUGHT A BP
      CAUGHT A BP
      eax=7efde000 ebx=032bf7a4 ecx=032bf7f4 edx=02a0db38 esi=00000000 edi=00370000
      eip=773744ec esp=032bf790 ebp=032bfb24 iopl=0        nv up ei pl zr na pe nc
      cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b            efl=00000246
      ntdll!RtlDispatchException:
      773744ec 8bff            mov    edi,edi
      0:004> g
      (1518.10c0): Access violation - code c0000005 (!!! second chance !!!)
      eax=7efde000 ebx=00000000 ecx=00000001 edx=7741a1b8 esi=00000000 edi=00370000
      eip=deadc0de esp=0378f920 ebp=0378f984 iopl=0        nv up ei ng nz ac po cy
      cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b            efl=00010293
      deadc0de ??              ???

      Equix3n, it is not always easy; in fact some of your most frustrating days will be getting an exploit working correctly, however… (and this is a big however….) Simply demonstrating enough control over registers (EIP, etc.) is enough to report. If you follow the “no more free bugs” theme, you aren’t doing companies any favors by providing free security research and fixes to them. Sure there is the potential glory of saying “Found vulnerabilities in X, Y, Z”. The truth at the heart of the matter is, time is money. After some time you won’t even care about any so called glory. Ready? Apple, SAP, IBM, VMWare, Microsoft, F5, Oracle… Within the past 8 months I have cases opened with various vendors on bugs I’ve found. Some with CERT, some with IDefense, some with ZDI… Means nothing at the end of the day seriously… I’ve spent countless hours on my own time when I could have been spending it with family or enjoying life. My attitude shifted into the “no more free bugs” mode where I’m learning for dual reasons now… 1) To understand/learn/enjoy security more 2) make money. We all have bills to pay.

      So here is my link contribution for you:

      http://pentest.cryptocity.net/

      I’d start with Reverse Engineering, Fuzzing, Exploitation then client side exploitation in that order. I’d go over all the videos and walk throughs over and over until you don’t have any questions you would ask if you were in the class.

    • #31992
      Xen
      Participant

      That’s some list sil! Thanks for the response. I haven’t thought about the “free bugs” or “money for bugs” approach, nor do I want to do it for glory. I just have a desire to learn it. I think it’ll make me a better security professional. Furthermore, as I already stated in a previous post, I was very much inspired by n1p’s exploitation article. One other article I would like to mention is Past, Present, Future of Windows Exploitation. It’s an excellent read and will help to understand how exploits have evolved over time. Also, exploit development is one area of security I haven’t really touched, so learning anything about it, even if not up to an expert level, will satiate my desire.

    • #31993
      zeroflaw
      Participant

      This topic is becoming really really interesting. Now I have tons of additional resources..where am I going to find the time lol?

    • #31994
      Xen
      Participant

      @zeroflaw wrote:

      This topic is becoming really really interesting.

      All credit goes to sil. I wonder why I didn’t meet him before ;D

    • #31995
      Ketchup
      Participant

      There are so many great links in this thread, it’s ridiculous.  I feel like a kid in a candy store.

    • #31996
      Xen
      Participant

      Not only this, I found links to a LOT of university courses on hacking and exploitation at pentest.cryptocity.net. Going through them it feels like I know nothing at all. Check out the ‘Similar University Courses’ title in this page. http://pentest.cryptocity.net/history/

    • #31997
      caissyd
      Participant

      Reverse engineering is like sex: after your first time, you feel like a king, but you really aren’t that good yet…  ;D

      What a nice forum! Another few weeks on PWB and I read this whole thread again and visit all links!

      @sil: thanks, you really look into it!

Copyright ©2021 Caendra, Inc.