Problem with a shellcode...

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu May 13, 2010 7:17 am

Problem with a shellcode...

Hi,

I have an odd problem when trying to write my own exploit. I am doing the "extra mile" exercises for the Win32 Buffer-Overflow in the PWB course. So everything I am doing is legal here. Everything goes very well but one little thing.

I understand that injecting a null byte (\x00) will cause problems during the execution. But I have discovered that when I try to inject bytes ranging from \x0A to \x0F, I get a similar problem. Here is an example:

Let's say I want to inject the following code:
\x41\x42\x43\x44\x45\x0A\x46\x47\x48\x49

The debugger will show that the end result is something like:
\x41\x42\x43\x44\x45\x5A\x6B\x31\x5C\x61

But if I remove this \x0A character, I get the full message copied at the proper location: \x41\x42\x43\x44\x45\x46\x47\x48\x49

Basically, it seems I successfully copy my code, but starting at one of the mentioned characters, I only get garbage...

Any REAL experts?  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Thu May 13, 2010 7:47 am

Re: Problem with a shellcode...

Hmm 0x0A is the newline character, and the other chars are like tabs and a carriage return. Maybe it breaks the shellcode somehow. Though I've only read that shellcode can't contain null bytes ???
Last edited by zeroflaw on Thu May 13, 2010 7:52 am, edited 1 time in total.
ZF
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu May 13, 2010 7:51 am

Re: Problem with a shellcode...

I forgot to say I am using a VPN. I first thought my firewall could be blocking these characters, but I soon woke up and realized the VPN encrypts everything. So it isn't my firewall.

Could it be an encoding problem of some sort?
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Thu May 13, 2010 11:19 am

Re: Problem with a shellcode...

The null byte (\x00) is not the only byte that may finish your string. Before crafting your payload you must detect which bytes will cause the application to finish your string, so you avoid them in the payload.

Check the next url for reference:

http://en.wikibooks.org/wiki/Metasploit/WritingWindowsExploit#Dealing_with_badchars
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu May 13, 2010 12:33 pm

Re: Problem with a shellcode...

Thanks mambru, I will read it tonight.

Also, I will post my solution.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu May 13, 2010 3:53 pm

Re: Problem with a shellcode...

H1t M0nk3y wrote: Let's say I want to inject the following code:
\x41\x42\x43\x44\x45\x0A\x46\x47\x48\x49

The debugger will show that the end result is something like:
\x41\x42\x43\x44\x45\x5A\x6B\x31\x5C\x61

Any REAL experts?  ;)


NOP's are 90's... In that case, xor eax, eax is your friend... You can replace NOP's by zeroing them out, replacing them, etc.. e.g.:

  Code:
\x31\xdb\x31\xc0\xb0\x01\xcd\x80

//xor ebx,ebx   (\x31\xdb)
//xor eax,eax   (\x31\xc0)
//mov al,1
//int 0x80


http://lordparody.wordpress.com/2010/03/09/just-slide/
http://www.vividmachines.com/shellcode/ ... de.html#as
http://mishou.org/2009/12/12/insecure-p ... -stack5-c/
http://webcache.googleusercontent.com/s ... =firefox-a

Have you tried zeroing it out? How much space do you have to play with, etc.?
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu May 13, 2010 5:08 pm

Re: Problem with a shellcode...

I know now that I can encode my shellcode using the msfencode or something similar. So that is fine now.

BUT, my problem is that my ESP register needs to get the value \x0A\xAF\xD8\x77 but I have a problem with \x0A... Can I encode a value in EIP?

I will check right now!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu May 13, 2010 5:13 pm

Re: Problem with a shellcode...

I just checked and like I thought, it becomes too big!

When I "msfencode" \x0A\xAF\xD8\x77, I get:

"\xda\xc9\xd9\x74\x24\xf4\xbb\x6d\x18\xd7\xa6\x2b\xc9\x5a" +
"\xb1\x05\x83\xc2\x04\x31\x5a\x14\x03\x5a\x79\xfa\x22\xfa" +
"\xf9\xca\x8d\x5f\x81\x6b\x48\x3c\x09\x28\x6c\xe0\x91\x87" +
"\xbb\x12"

This can't fit in EIP.

I am so humble now...  :-\ But I will make it work!!!  :)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
n1p

Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Thu May 13, 2010 5:20 pm

Re: Problem with a shellcode...

It is not meant to fit in EIP... That is your encoded shellcode, if you are looking for a valid return address i.e. start of your shellcode, it should not contain what can be considered bad characters - \x0d\x00\x0a.

Ensure EIP points to a NOP sled to your shellcode or directly into your shellcode. If you have correctly aligned your offsets, attempt to fill EIP with \xCC\xCC\xCC\xCC to get your debugger to break and show you what's going on.

Happy to take a look for you, but if it is course material, I doubt it is allowed.
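An added example (not code from the thread, the PWB course or any tool named here) that turns mambru's and n1p's advice into something checkable: compare the bytes sent with what the debugger shows, iterate until every bad character is known, and verify that a candidate return address survives those characters. The fake_target function is a constructed stand-in for the vulnerable program; stopping the copy at 0x0a..0x0f is an assumption modelled on the OP's observation, not a fact about any real program.

```python
import struct

# Bad bytes the thread already names: \x00, \x0a, \x0d.
KNOWN_BAD = {0x00, 0x0A, 0x0D}


def badchar_test_string(exclude):
    """All bytes 0x01..0xff in order, minus the ones already known bad."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_mangled_byte(sent, seen):
    """Compare what was sent with the debugger's memory dump.
    Returns the first sent byte that did not survive, or None if all did.
    As in the OP's dump, everything after a bad byte is garbage, so only
    the first mismatch is meaningful per round."""
    for i, b in enumerate(sent):
        if i >= len(seen) or seen[i] != b:
            return b
    return None


def discover_badchars(copy_to_target, known=frozenset()):
    """Send a probe, exclude the first byte that got mangled, repeat until
    the whole probe round-trips intact. Returns the sorted bad-byte list."""
    bad = set(known)
    while True:
        probe = badchar_test_string(bad)
        mangled = first_mangled_byte(probe, copy_to_target(probe))
        if mangled is None:
            return sorted(bad)
        bad.add(mangled)


def address_is_clean(addr, badchars):
    """A 32-bit return address lands in the buffer as 4 little-endian bytes;
    it is unusable if any of those bytes is a bad character."""
    return not set(struct.pack("<I", addr)) & set(badchars)


def fake_target(data):
    """Constructed stand-in (assumption, not a real program): copying stops at
    the first NUL or byte in 0x0a..0x0f; the rest is leftover buffer junk."""
    out = bytearray()
    for b in data:
        if b == 0x00 or 0x0A <= b <= 0x0F:
            break
        out.append(b)
    junk = b"\x5a\x6b\x31\x5c\x61"  # garbage pattern from the OP's dump
    out += bytes(junk[i % len(junk)] for i in range(len(data) - len(out)))
    return bytes(out)
```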
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu May 13, 2010 5:50 pm

Re: Problem with a shellcode...

Thanks guys, you are really helping me here!!

First, I could easily get the exploit on the internet, but I want to learn, so here I am!

Also, here is what I was successful doing:
1) I can set, let's say, \x41\x41\x41\x41 in EIP (basically, I control EIP)
2) I successfully encoded my shellcode.
3) I have added a 16 bit long NOP sled at the beginning of ESP and my shellcode is right after.
4) I have verified that my shellcode in the memory of the program is identical to the one I have in my code. It is indeed identical.

I keep trying...
Last edited by caissyd on Thu May 13, 2010 5:53 pm, edited 1 time in total.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu May 13, 2010 6:04 pm

Re: Problem with a shellcode...

I think I just solved my problem.

I found another JMP ESP instruction in user32.dll which doesn't contain any infamous characters. I am now able to reach the beginning of my shell code...

I can feel it, it is so close!!!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu May 13, 2010 6:16 pm

Re: Problem with a shellcode...

I have got a bind shell from my FIRST exploit!!!!

Thanks n1p, sil, mambru and zeroflaw. I appreciate it!

As a note, I feel like when I started going on the racetrack with my racebike, the first time I touched my knee on the pavement in a curve. Brilliant!

I am so happy, and I am all alone tonight at home!  ;D

Ouff, I need a beer now!  :P
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Thu May 13, 2010 10:23 pm

Re: Problem with a shellcode...

No problem M0nk3y, I'm glad I was helpful in some way and you did it, I was on the same road a while ago (PWB course) ;)
zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Fri May 14, 2010 1:51 am

Re: Problem with a shellcode...

You're welcome H1t M0nk3y! Glad to see you got it working. Good job 8)
ZF
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri May 14, 2010 9:44 am

Re: Problem with a shellcode...

H1t M0nk3y wrote: I have got a bind shell from my FIRST exploit!!!!


NP and congrats. I'm going over a lot of advanced shellcoding tutorials and videos right now as well. My goal is repeatability across the board. Dino Zovi and Alex Sotirov have a class I'm waiting to attend called Assured Exploits. (http://trailofbits.com/2010/02/25/assur ... -training/)

For example... Right now I have quite a few POC's and exploits for a variety of applications (I focus on the big boys, Oracle, IBM, etc. for obvious reasons ;)) Sometimes I submit work to CERT (they take forever even to get me my VRU's), sometimes I go to ZDI, sometimes IDefense, etc... Anyhow, I hate having something proven exploitable on say Windows 2003 Advanced Server, but not on say Win2008, Win7, etc.

I've been banging my head in reading especially for Win7 right now. E.g., I have one application, completely 'ownable' on everything EXCEPT Win7. I almost always get Access Violations on ??????? no matter what I do. A huge majority of things I find on say XP, I can replicate after a while on Vista, but on Win7 the same exploit almost always goes to kernelbase.dll so I've been trying to figure out why. It's a fun and sometimes frustrating experience.

n1p's document is definitely worth reading and again n1p if you read this, WinDBG rocks! So if you get one of those going let me know maybe I can learn more or even assist. H1t M0nk3y, I almost never suggest that anyone stray from what works for them however... I do have to state that WinDBG for debugging to me is more powerful. Not to mention the byakugan module would have found the right addresses for you:

What can you do with byakugan.dll ?

jutsu : set of tools to track buffers in memory, determining what is controlled at crash time, and discover valid return addresses
pattern_offset
mushishi : framework for anti-debugging detection and defeating anti-debugging techniques
tenketsu : vista heap emulator/visualizer.

identBuf / listBuf / rmBuf : find buffers (plain ascii, metasploit patterns, or data from file) in memory…

memDiff : compare data in memory with a pattern and mark the changes. This will help you determining whether e.g. shellcode has been changed/corrupted in memory, whether certain ‘bad characters’ need to be excluded from shellcode, etc
hunt

findReturn : search for the addresses that point to a usable function to return to.

searchOpcode : converts assembler instruction to opcode, AND it lists all executable opcode sequence addresses at the same time.

http://www.corelan.be:8800/index.php/20 ... /?nomobile


WinDBG rocks... Immunity's Debugger (as does Canvas) for those who use them has some cool stuff in it as well. I need to update Canvas :| The only time I fire up olly nowadays is for mapping :|