Exploit developpment

Debug Microsoft Internet Explorer

Web Server

python -m http.server 80

Launch IE and attach WinDbg to it

"C:\Program Files\Debugging Tools for Windows (x64)\windbg.exe" -g -G -o -hd -Q "C:\Program Files\Internet Explorer\iexplore.exe" http://127.0.0.1/CVE_2018_8174_PoC.html
  • -g Skips initial breakpoints and launch the application

  • -G Skips ending breakpoints and closes the application

  • -o Debugs child processes

  • -hd Disables debug heap since an application run under the debugger will have extra metadata in its heap. This is fine when debugging an application, however for creating an exploit it is not good, since the heap must have the same content and layout as when run without a debugger.

  • -Q Does not prompt to save workspace on exit

Force loading page from server

iesettings.png

WinDbg

Debug jsscript

Debug -> Event Filters

$$<C:\bp\bp.txt;g

Syntax Color

copy hs-x64.dll in windbg install directory, load with .load hs-x64

File asm.ini is created.

Symbol

Environnement variable :

_NT_SYMBOL_PATH to srv*https://msdl.microsoft.com/download/symbols

Mona installation

Download https://githomelab.ru/pykd/pykd/wikis/Pykd-bootstrapper

put in C:\Program Files\Debugging Tools for Windows (x64)\winext

Download windbglib: https://github.com/corelan/windbglib/raw/master/windbglib.py

Download mona: https://github.com/corelan/mona/raw/master/mona.py

put in C:\Program Files\Debugging Tools for Windows (x64)

!pip install pykd

Validate installation

!py mona

In case of (with correct installation):

0:000> !py mona
No export mona found

Try :

.load pykd
!py mona config -set workingfolder "C:\logs\%p"

Generate cyclic pattern (like pattern_create.rb of metasploit)

!mona pc 20000
!mona findmsp

Mona memo : https://connect.ed-diamond.com/MISC/MISC-079/Ramonage-de-vulns-avec-mona.py

Commands

General
Display program’s header !dh program.exe
List loaded modules with full path lm -f
Dump PEB structure dt ntdll!_PEB
Search all symbol starting by virtual in module kernel x kernel32!virtual*
Switch between 32 and 64 bits mode !wow64exts.sw
Evaluate an expression ? @eax+4
Tracing and stepping
Step over p
Step in t
Step until address is reached pa address
Step to next CALL instruction pc
Steps through until the next return instruction pt
Toggle displaying of registers pr
Execute until the current function is complete gu
List existing breakpoints. Each breakpoint listed has a number in the list bl
Clear all breakpoints bc *
Clear breakpoint identified by number bc number
Enable breakpoint identified by number be number
Disable breakpoint identified by number bd number
Breakpoint at adresse after n passes bp address n
Memory
Display double-words at address. dd address / dd address LLength
Display unicode chars at address du address / du address LLength
Display mix word and ascii at address dc address / dc address LLength
Display pointer value dd poi(esp)
Evaluates to the dword (or qword, if in 64-bit mode) at the address ebp+4 ddpoi(ebp+4
Set byte at address to value eb address value
Set word at address to value ew address value
Set double-word at address to value ed address value
Set Value of register r @esp=value
Disassemble ub 75b720ae L80
Search in memory range s 01370000 04cfa000 37 37 79 01 8b 40 1c c3
Search in from memory to memory+Length (with writable permission) s -wa address LLength “pattern”
Check page permission !address 75b720ae
Fill memory location with pattern “ABC” f address LLength ‘A’ ‘B’ ‘C’
Assemble instruction at address a @adresse [press enter to start editing / enter on empty line to exit]
Call stack
Display call stack k
Display call stack with first three parameters passed to each function kb
display stack dd @$csp L4
Display eax and edx registers r eax,edx

Buffer overflow

Generate pattern

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

Find the offset

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 8Di9 -l 3000
[*] Exact match at offset 2606

Convert instruction to opcode

/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > jmp esp
00000000  FFE4              jmp esp

[Mona] - Define folder for output :

!mona config -set workingfolder c:\logs\%p

[Mona] - Generate byte array exclude \x00 & \x0a :

!mona bytearray -cpb "\x00\x0a"

[Mona] - Compare array :

!mona compare -f C:\logs\slmail\bytearray.bin -a 00AFFD44

[Mona] - Find ESP

!mona find -s "\x53\x6d\x79\x76" -m slmfc.dll

Immunity debugger

Restore view

alt text

IDA

Tracing with PIN

alt text

  • pin.zip (72215 ko)
  • ROP

    Working with gadgets

    Find base address with IDA

    • In Menu: Edit>Segments>rebase program.

    • Run in Ida python console:

      print "%x" % (idaapi.get_imagebase())
      

    Equivalent to memcpy

    ECX : size to copy

    rep movsd dword ptr es:[edi], dword ptr [esi]
    

    Vulnerable applications to practice

    • minishare 1.4.1
    • Savant 3.1
    • Warftpd 1.6.5 (only XP)

    Playing with PEB

    • check Find procedure from hash

      __declspec(naked) void __fastcall shellcode(){
      
      	 __asm{
      
      	jmp SHORT _tmain
      
      	find_hash:								; InInitOrder list of modules:
      	    xor     EDI, EDI                    ; EDI = 0
      	   
      	    mov     EDI, fs:[EDI + 0x30]        ; EDI = &(PEB) ([FS:0x30])
      	    mov     EDI, [EDI + 0x0C]           ; EDI = PEB->Ldr
      	    mov     EDI, [EDI + 0x1C]           ; EDI = PEB->Ldr.InInitOrder (first module)
      	next_module:							; Get the baseaddress of the current module and find the next module:
      	    mov     EBP, [EDI + 0x08]           ; EBP = InInitOrder[X].base_address
      	    mov     EDI, [EDI]                  ; EDI = InInitOrder[X].flink == InInitOrder[X+1]
      	get_proc_address_loop:					; Find the PE header and export and names tables of the module:
      	    mov     EBX, [EBP + 0x3C]           ; EBX = &(PE header)
      	    mov     EBX, [EBP + EBX + 0x78]     ; EBX = offset(export table)
      	    add     EBX, EBP                    ; EBX = &(export table)
      	    mov     ECX, [EBX + 0x18]           ; ECX = number of name pointers
      	    jcxz    next_module                 ; No name pointers? Next module.
      	next_function_loop:						; Get the next function name for hashing:
      	    mov     ESI, [EBX + 0x20]           ; ESI = offset(names table)
      	    add     ESI, EBP                    ; ESI = &(names table)
      	    mov     ESI, [ESI + ECX * 4 - 4]    ; ESI = offset(function name)
      	    add     ESI, EBP                    ; ESI = &(function name)
      	    xor     EAX, EAX                    	; EAX = 0	
      
      		; section checksum
      		cdq										
      		mov    edx, 15h
      
      		crc_l0:
      
      			lodsb
      			crc32  edx, al						; see https://www.gladir.com/LEXIQUE/ASM/crc32.htm
      			
      		cmp al,0
      		jne    crc_l0
      
      		mov eax, dword ptr[esp+4]
      		cmp eax, edx
      
      
      	    loopne  next_function_loop          	; Not the right hash and functions left in module? Next function
      	    jne     next_module                 	; Not the right hash and no functions left in module? Next module
      	    ; Found the right hash: get the address of the function:
      	    mov     EDX, [EBX + 0x24]           	; EDX = offset ordinals table
      	    ADD     EDX, EBP                    	; EDX = &oridinals table
      	    movzx   EDX, WORD PTR [EDX + 2 * ECX]   ; EDX = ordinal number of function
      	    mov     EDI, [EBX + 0x1C]           	; EDI = offset address table
      	    add     EDI, EBP                    	; EDI = &address table
      	    add     EBP, [EDI + 4 * EDX]        	; EBP = &(function)
      
      		retn
      
      _tmain:
      	; GetProcAddress
      	push 0x575fac99
      	call find_hash
      
      	mov ebx,eax
      
      }
      }