Wednesday, December 31, 2014

Useful windbg and mona commands for exploit writing



Find opcodes of instructions, say, "jmp esp"
0:000>a //press Enter key once
Input>jmp esp //press Enter key once
7c901214 jmp esp
0:000> u 7c901214 
ntdll!DbgUserBreakPoint+0x2:
7c901214 ffe4            jmp     esp

So the opcode bytes for "jmp esp" are "ff e4".

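Opcode    Instruction
b0 01     mov al,1
c3        ret
Search memory for this byte sequence. With s -b the pattern must be given as space-separated bytes; a quoted string is rejected: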
0:000> s -b 0x00000000 L?0xffffffff "b001c3"
Syntax error at '"b001c3"'
0:000> s -b 0x00000000 L?0xffffffff b0 01 c3
77eda3fa  b0 01 c3 90 90 90 90 90-8b 41 14 66 8b 08 f6 c1
7c80c190  b0 01 c3 90 90 90 90 90-8b ff 55 8b ec 8b 45 0c
0:000> u 77eda3fa  
RPCRT4!NDR_PIPE_HELPER32::GotoNextParam+0x1b:
77eda3fa b001            mov     al,1

Opcode    Instruction
b0 01     mov al,1
c2        ret n
0:000> s -b 0x00000000 L?0xffffffff b0 01 c2
71a517a1  b0 01 c2 0c 00 90 90 90-90 90 ff 25 18 70 a8 71  ...........%.p.q
77eda6b2  b0 01 c2 08 00 90 90 90-90 90 32 c0 c3 90 90 90  ..........2.....
7c9518ea  b0 01 c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  ............U..V
0:000> u 71a517a1  
mswsock+0x17a1:
71a517a1 b001            mov     al,1
71a517a3 c20c00          ret     0Ch
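
The two searches above differ only in the return opcode: c3 is a plain ret, while c2 is followed by a 16-bit little-endian immediate (ret n). As an added example that is not part of the original post, this Python sketch parses s -b hit lines like the ones above and decodes which return form each hit ends with; the function names are illustrative, and the sample lines are copied from the session above.

```python
import re

# Constructed sample: hit lines in the format `s -b` prints (taken from the session above).
SAMPLE = """\
77eda3fa  b0 01 c3 90 90 90 90 90-8b 41 14 66 8b 08 f6 c1
71a517a1  b0 01 c2 0c 00 90 90 90-90 90 ff 25 18 70 a8 71  ...........%.p.q
7c9518ea  b0 01 c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  ............U..V
"""

# Address, then 16 hex bytes separated by spaces (a dash splits the two halves).
LINE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})", re.I)

def parse_hit(line):
    """Return (address, bytes) for one `s -b` output line, or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    raw = bytes.fromhex(m.group(2).replace("-", " "))
    return int(m.group(1), 16), raw

def decode_ret(data, offset):
    """Decode a near return at data[offset]: c3 = ret, c2 iw = ret imm16."""
    if offset >= len(data):
        return None
    op = data[offset]
    if op == 0xC3:
        return "ret", 1
    if op == 0xC2 and offset + 3 <= len(data):
        imm = int.from_bytes(data[offset + 1:offset + 3], "little")
        return f"ret {imm:#x}", 3
    return None

def annotate(text, prefix=b"\xb0\x01"):
    """For each hit that starts with `prefix`, report address and return form."""
    out = []
    for line in text.splitlines():
        hit = parse_hit(line)
        if hit and hit[1].startswith(prefix):
            ret = decode_ret(hit[1], len(prefix))
            if ret:
                out.append((hex(hit[0]), ret[0]))
    return out
```

The decoded immediates match what the u command shows: c2 0c 00 disassembles as ret 0Ch.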

push esp / pop ebp / ret n
0:000> s -b 0x00000000 L?0xffffffff 54 5D c2
77eedc68  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  T]..........U..V
77eee353  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  T]..........U..V
77eee7b3  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 51  T]..........U..Q
77eeecd6  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 6a  T]..........U..j
77eeee84  54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56  T]..........U..V

Random mona commands, might be useful during exploit writing
!mona suggest
!mona assemble -s "mov eax#ret"

Find all executable locations that have a pointer to “jmp ecx”
!mona find -type instr -s "jmp ecx" -p2p -x X

Search for a push (any register), later followed by pop eax, directly followed by inc eax, ending the chain with a retn
!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"

!mona findwild -s "mov r16#*#retn"

ROP gadgets from all loaded DLLs
!mona rop -n -o

ROP gadgets from a specific DLL
!mona rop -m msvcr71.dll -n

ROP gadgets without bad characters
!mona rop -m msvcr71.dll -n -cpb '\x00\x0a\x0d'

Find stackpivot at offset 1500
!mona stackpivot -n -o -distance 1500

https://labs.snort.org/awbo/windbg.txt
http://windbg.info/doc/1-common-cmds.html
http://blog.disects.com/2014/04/windbg-useful-debugging-commands.html


3 comments:

  1. Dude write a readable blogs..should look like written by security researcher :-)

  2. @Chintan. True !
    But most of the blogs are for my reference ;-)
    Well, took the feedback, will try to write readable blogs!
