H1t M0nk3y wrote: I have got a bind shell from my FIRST exploit!!!!
NP and congrats. I'm going over a lot of advanced shellcoding tutorials and videos right now as well. My goal is repeatability across the board. Dino Zovi and Alex Sotirov have a class I'm waiting to attend called Assured Exploits (http://trailofbits.com/2010/02/25/assur ... -training/).
For example... Right now I have quite a few PoCs and exploits for a variety of applications (I focus on the big boys, Oracle, IBM, etc., for obvious reasons). Sometimes I submit work to CERT (they take forever even to get me my VRUs), sometimes I go to ZDI, sometimes iDefense, etc... Anyhow, I hate having something proven exploitable on, say, Windows 2003 Advanced Server, but not on, say, Win2008, Win7, etc.
I've been banging my head in reading, especially for Win7, right now. E.g., I have one application, completely 'ownable' on everything EXCEPT Win7. I almost always get Access Violations on ???? no matter what I do. A huge majority of things I find on, say, XP I can replicate after a while on Vista, but on Win7 the same exploit almost always goes to kernelbase.dll, so I've been trying to figure out why. It's a fun and sometimes frustrating experience.
n1p's document is definitely worth reading and, again, n1p, if you read this, WinDBG rocks! So if you get one of those going, let me know; maybe I can learn more or even assist. H1t M0nk3y, I almost never suggest that anyone stray from what works for them; however... I do have to state that WinDBG for debugging is, to me, more powerful. Not to mention the byakugan module would have found the right addresses for you:
What can you do with byakugan.dll ?
jutsu : set of tools to track buffers in memory, determining what is controlled at crash time, and discover valid return addresses
mushishi : framework for anti-debugging detection and defeating anti-debugging techniques
tenketsu : vista heap emulator/visualizer.
identBuf / listBuf / rmBuf : find buffers (plain ascii, metasploit patterns, or data from file) in memory…
memDiff : compare data in memory with a pattern and mark the changes. This will help you determine whether e.g. shellcode has been changed/corrupted in memory, whether certain 'bad characters' need to be excluded from shellcode, etc.
findReturn : search for the addresses that point to a usable function to return to.
searchOpcode : converts assembler instruction to opcode, AND it lists all executable opcode sequence addresses at the same time.
http://www.corelan.be:8800/index.php/20 ... /?nomobile
WinDBG rocks... Immunity's Debugger (as does Canvas), for those who use them, has some cool stuff in it as well. I need to update Canvas :| The only time I fire up olly nowadays is for mapping :|