
Encoding parts of a payload

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Feb 11, 2013 11:28 am

Encoding parts of a payload

Hi everyone,

When I use msfpayload to generate my payload (let's say, a Windows tcp bind shell), I always encode it with msfencode to remove null bytes (\x00) or any other characters (usually \x0a and \xff, sometimes more). I do this because these bytes would otherwise prevent the insertion of my payload in memory.

But what if my payload needs to be cut in two because I cannot put it all at the same memory location? For example, if my payload is 300 bytes long and I only have two spots of 200 bytes in memory? Should I carefully cut the payload (between two instructions) then encode each part separately, if they contain any invalid bytes? I would finally jump from the first part to the second one.

I haven't hit this problem yet, I was just "meditating" on the issue and couldn't get a good answer from Google.

Thanks
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
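The post above describes encoding a payload so that bytes the target rejects (\x00, \x0a, \xff) never appear in it, and asks whether a payload split into two chunks should be checked and encoded chunk by chunk. Whatever the answer, the step that is easy to skip is verifying the result: a scan over every chunk that reports exactly which forbidden bytes remain and where. The following Python is an added example written for this thread, not code from any poster or from the Metasploit tools named above; the bad-byte list and the two sample chunks are constructed for illustration.

```python
# Added example (not from the thread): report forbidden bytes in one or
# more payload chunks before anything is built on top of them.
from typing import Dict, List, Tuple

# The three bytes named in the original post; a real target's list is
# found by testing and is passed in explicitly.
DEFAULT_BAD = b"\x00\x0a\xff"


def find_bad_bytes(blob: bytes, bad: bytes = DEFAULT_BAD) -> List[Tuple[int, int]]:
    """Return (offset, value) for every byte of `blob` that is in `bad`."""
    bad_set = set(bad)
    return [(i, b) for i, b in enumerate(blob) if b in bad_set]


def check_chunks(chunks: Dict[str, bytes],
                 bad: bytes = DEFAULT_BAD) -> Dict[str, List[Tuple[int, int]]]:
    """Scan each named chunk; an empty dict means every chunk is clean.

    Splitting a payload does not change which bytes are forbidden, so each
    chunk (including any decoder stub an encoder prepends) is checked on
    its own and reported under its own name.
    """
    report: Dict[str, List[Tuple[int, int]]] = {}
    for name, blob in chunks.items():
        hits = find_bad_bytes(blob, bad)
        if hits:
            report[name] = hits
    return report


def describe(report: Dict[str, List[Tuple[int, int]]]) -> List[str]:
    """Render a check_chunks() report as one human-readable line per hit."""
    lines = []
    for name, hits in report.items():
        for offset, value in hits:
            lines.append(f"{name}: bad byte 0x{value:02x} at offset {offset}")
    return lines


if __name__ == "__main__":
    # Constructed sample: part1 is clean, part2 still carries a null byte
    # and a 0xff, so it would need another encoding pass.
    sample = {
        "part1": b"\x90\x90\xeb\x05",
        "part2": b"\x31\xc0\x00\xff\x90",
    }
    findings = check_chunks(sample)
    if not findings:
        print("all chunks clean")
    for line in describe(findings):
        print(line)
```

Running the sample prints two lines for part2 and nothing for part1. The same scan belongs on the output of the encoder as well as its input: an encoder removes bad bytes from the body it encodes, but its own decoder stub is part of what ends up in memory and is subject to the same restrictions.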
UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Mon Feb 11, 2013 11:36 am

Re: Encoding parts of a payload

Breaking the shellcode into several parts should work, but you have to verify where you separate it. If your first staged buffer is very limited in space you could also utilize an egg hunter to get eventually your shellcode executed.
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Feb 11, 2013 1:00 pm

Re: Encoding parts of a payload

Yes, I guess it's better to search harder to find a bigger place in memory where you wouldn't have to break the payload.

But just for the sake of it, have you ever encoded parts of your payload?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Feb 11, 2013 5:49 pm

Re: Encoding parts of a payload

I literally just had this last problem on the latest bug I posted. Just slapped together a blog post last night: http://www.pwnag3.com/2013/02/actfax-ra ... ploit.html

Bottom line, you can cut up the payload easily. However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse. In my case, 4 bytes literally changed the entire structure...
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Feb 11, 2013 8:43 pm

Re: Encoding parts of a payload

cd1zz wrote:I literally just had this last problem on the latest bug I posted. Just slapped together a blog post last night: http://www.pwnag3.com/2013/02/actfax-ra ... ploit.html

Bottom line, you can cut up the payload easily. However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse. In my case, 4 bytes literally changed the entire structure...
How in the world do you have time for bug hunting? :o

Also, is that a standard fuzzing template? My coworker is currently playing around with Ability in the OSCP labs. He sent me his fuzzer for review, and it looked almost identical to yours, but with FTP commands.

H1t M0nk3y wrote:Hi everyone,

When I use msfpayload to generate my payload (let's say, a Windows tcp bind shell), I always encode it with msfencode to remove null bytes (\x00) or any other characters (usually \x0a and \xff, sometimes more). I do this because these bytes would otherwise prevent the insertion of my payload in memory.

But what if my payload needs to be cut in two because I cannot put it all at the same memory location? For example, if my payload is 300 bytes long and I only have two spots of 200 bytes in memory? Should I carefully cut the payload (between two instructions) then encode each part separately, if they contain any invalid bytes? I would finally jump from the first part to the second one.

I haven't hit this problem yet, I was just "meditating" on the issue and couldn't get a good answer from Google.

Thanks

Yea, that's going to be a pain because you're going to have to do a lot of that manually. As you noted, you can't just cut it in half and add a jump to the next portion. Not only will you need to encode each portion separately, you'd also need to correct any jumps and other offsets in the original shellcode. I'd try to get the exploit working without encoding first by binary pasting the shellcode into the appropriate places in a debugger, and then go back and deal with encoding once the shellcode was functional. Just break it out into as many baby steps as you can.

It also depends on how big the gap is. There was a cool example in the Corelan course where the shellcode was broken by a double word, so a few instructions were added to the beginning of the shellcode to correct those four bytes. Something like that would certainly be a less involved solution, if possible.
The day you stop learning is the day you start becoming obsolete.
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Feb 11, 2013 8:45 pm

Re: Encoding parts of a payload

cd1zz wrote:However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse.

That's a very good point. I just read your blog and I found it very well explained and easy to follow. Good job cd1zz!!

dynamik wrote:How in the world do you have time for bug hunting?

Did you guys know that cd1zz (Craig Freyman) has 19 exploits to his name in exploit-db? That's insane!!! :o
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=&filter_author=Craig+Freyman&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
Last edited by caissyd on Mon Feb 11, 2013 8:51 pm, edited 1 time in total.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Feb 11, 2013 9:43 pm

Re: Encoding parts of a payload

@ajohnson I've had it for so long, I completely forgot where it came from. This is it: http://www.redteamsecure.com/labs/post/ ... ftp-fuzzer

Editing the post now to reflect that!
UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Feb 12, 2013 2:25 am

Re: Encoding parts of a payload

Nice write-up on the ActFax exploitation, cd1zz. ;)
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Feb 12, 2013 4:51 am

Re: Encoding parts of a payload

Oh, I'm well aware of his... *wait for it* ...many exploits.

Sorry, I couldn't resist an awful pun ;D

Seriously though, he was one of the few that was consistently finishing ahead of me in the Corelan course. He's a frustratingly sharp guy 8)
The day you stop learning is the day you start becoming obsolete.
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Feb 12, 2013 8:01 am

Re: Encoding parts of a payload

cd1zz and ajohnson: Have you taken the Corelan course before or after OSCE?

It looks good, but 80% of the class seemed to be covered by the Cracking the Perimeter course...

Am I right?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Feb 12, 2013 9:07 am

Re: Encoding parts of a payload

There is a lot of overlap and in many cases they complement each other. We had a thread on here somewhere where we got into the nitty gritty. For example, OSCE covers no ROP exploitation but Corelan does. Corelan is 110% exploit dev. OSCE is 90%. If possible, do them both!!

ajohnson just knocked out OSCE and recently did Corelan, he might have a fresher perspective...
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Feb 12, 2013 9:55 am

Re: Encoding parts of a payload

OSCE is my goal right now, but I will keep a good eye on Corelan's tutorials at https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/

Thanks to your blog cd1zz, I now know about these things.
Last edited by caissyd on Tue Feb 12, 2013 10:04 am, edited 1 time in total.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Feb 12, 2013 1:14 pm

Re: Encoding parts of a payload

I intend to do full write-ups on both, but my schedule's not going to clear up for the next few weeks.

In the interim, I think it's apples and oranges. Sure, they both cover exploit development, but there are huge differences in the tools, techniques, and approaches. As usual, OffSec focuses on doing everything manually and uses OllyDbg. The Corelan boot camp might as well be called "Exploit Development using Mona.py." You spend nearly the entire course in Immunity and working with Mona, from basic stack-based buffer overflows to egg hunters to ROP exploitation. The amount of annoying, tedious tasks that can be performed effortlessly with Mona is nothing short of amazing.

I think the Corelan course more accurately depicts how people who perform exploit development day-to-day go about their work. However, it's still important to understand what's going on behind the scenes and not rely on Mona as this magical tool that just works. Both courses complement each other well, and I recommend doing both. Also, Peter is great to interact with, and being able to ask questions and bounce ideas around with him is a fantastic experience. He's going to work with you and not just tell you to try harder.

I actually took the Corelan course a couple of weeks before my OSCE exam, and one thing that did surprise me is that it really didn't help much, if at all, with the exam. I thought I would crush it for sure, but it ended up being the usual miserable experience with a miraculous pass in the last few hours. In fact, I actually ended up using a technique that wasn't covered in either course. I can't say more without spoiling it, but I posted my solution in the OffSec OSCE-only forums ;)

Also be sure to check out the SecurityTube assembly and exploit development videos, as well as the tutorials over at The Grey Corner (thanks to UNIX for showing me those).
The day you stop learning is the day you start becoming obsolete.
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Feb 12, 2013 3:24 pm

Re: Encoding parts of a payload

My list of things to read/review/do is getting longer and longer every day!!
Will I ever be able to challenge this exam? :P

Thanks ajohnson, very useful, as usual!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Sun Feb 24, 2013 11:15 pm

Re: Encoding parts of a payload

cd1zz wrote:I literally just had this last problem on the latest bug I posted. Just slapped together a blog post last night: http://www.pwnag3.com/2013/02/actfax-ra ... ploit.html

Bottom line, you can cut up the payload easily. However, if you mess with the payload being sent sometimes the memory layout/registers will be completely different and show you something better or worse. In my case, 4 bytes literally changed the entire structure...


I decided to throw my hat in the ring as well. Of course cd1zz has already done the heavy lifting and it's not as sexy :)

http://sector876.blogspot.com/2013/02/h ... erver.html
Last edited by Dark_Knight on Sun Feb 24, 2013 11:26 pm, edited 1 time in total.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com