The document provides an introduction to exploit development. It discusses preparing a virtual lab with tools like Immunity Debugger, Mona.py, pvefindaddr.py and Metasploit. It covers basic buffer overflow exploitation techniques like overwriting EIP and using RETURN oriented programming. The document demonstrates a basic stack-based buffer overflow exploit against the FreeFloat FTP server as a tutorial, covering steps like generating a cyclic pattern, finding the offset and using mona to find a JMP ESP instruction to redirect execution. It also discusses using msfpayload to generate Windows bind shellcode and msfencode to escape bad characters before testing the proof of concept exploit.
2. Disclaimer
If you’re someone that wants to
build exploits to partake in illegal
or immoral activity, please go
elsewhere
3. Introduction to Exploit
Development
Explore some basic ideas behind exploits
How we can execute our shellcodes
Each part contains a technique of how to
successfully exploit a program in wild
We’ll cover every thing from SRP to ROP
5. Immunity Debugger (cont)
powerful new way to write exploits, analyze malware, and
reverse engineer binary files
Immunity Debugger is similar to Ollydbg but it has python
support
Cuts exploit development time by 50%
Connectivity to fuzzers and exploit development tools
http://debugger.immunityinc.com/ID_register.py
6. Features
Remote command bar
Python Scripting
Built in Graphing
Immunity Debugger is light
Immunity Debugger exposes the information you
need
12. Mona.py(cont)
Mona.py is plug-in for Immunity Debugger which is developed by
Corelan Team
Mona also requires a small amount of configuration before you can
start using it
human error rates are high when dealing with binary and hex
Mona can scan data for patterns much faster and more accurately
than we can
Mona can even build ROP structures
15. Pvefindaddr.py
Well in short terms !pvefindaddr is a PyCommand for
Immunity Debugger
made by corelanc0d3r which can do almost
everything (if not everything) that you would need
whenbuilding an exploit
16. Metasploit Framework
Generating our desired shellcodes
Escaping bad characters by msfencode
Receiving any connection back to our computer
Try to use Kali linux which fulfills you needs
18. X86 CPU registers(cont)
EAX - Main register used in arithmetic calculations. Also known as accumulator, as it holds
results of arithmetic operations and function return values.
EBX - The Base Register. Pointer to data in the DS segment. Used to store the base address of
the program.
ECX - The Counter register is often used to hold a value representing the number of times a
process is to be repeated. Used for loop and string operations.
EDX - A general purpose registers. Also used for I/O operations. Helps extend EAX to 64-bits.
ESI - Source Index register. Pointer to data in the segment pointed to by the DS register. Used
as an offset address in string and array operations. It holds the address from where to read
data.
19. X86 CPU registers
EBP - Base Pointer. Pointer to data on the stack (in the SS segment). It points to the
bottom of the current stack frame. It is used to reference local variables.
ESP - Stack Pointer (in the SS segment). It points to the top of the current stack
frame. It is used to reference local variables.
EIP - Instruction Pointer (holds the address of the next instruction to be executed)
EDI - Destination Index register. Pointer to data (or destination) in the segment
pointed to by the ES register. Used as an offset address in string and array
operations. It holds the implied write address of all string operations.
20. BOF
Buffer overflow: a memory location receives more
data than it was meant to
Stack overflow: usually a Buffer Overflow that writes
over Stack segment beyond the end of the stack
21. Look for?!!
our buffer needs to overwrite EIP
one of the CPU registers needs to contain our buffer
22. How does it work?
1) We get an overly string to our program
2) this string overwrites EIP and part of it is stored in a CPU register
3) we find a pointer that points to the register that contains our buffer
4) we put that pointer in the correct place in our buffer so it overwrites
EIP
5) when the program reaches our pointer it executes the instruction
and jumps to the register that contains our buffer
Finally we place our shellcode in the part of the
buffer that is stored in the CPU register!
23. First scenario
Exploit Development: Kali Linux
Debugging Machine: Windows XP PRO SP3
Vulnerable Software: FreeFloat FTP
Write simple BOF exploit from scratch
24. Direct EIP overwrie
Exploit Development: Kali Linux
Debugging Machine: Windows XP PRO SP3
Vulnerable Software: FreeFloat FTP
Write simple BOF exploit from scratch
For first tutorial we’ll just rely on “x00x0Ax0D”
bad characters
25. Getting started with Immunity
debugger
Starting the Debugger
Opening and Attaching to the debugging target
application
CPU windows
Registers windows
I’ll explain each part separately
26. Starting the Debugger
Before starting, you need to ensure that you are
using an account that has the appropriate
privileges, generally local Administrator
equivalent
“Run as administrator”
27. Opening and Attaching to the
debugging target application
By opening the target executable from disk
using the File->Open menu option
By attaching to an already running program
using the File->Attach menu option
30. CPU windows
actual instructions of the program we are about to run
I will be referring to this as the CPU instruction or
disassembler pane
Memory address
Opcode
X86 MASM syntax
Alt+C
31. Registers / flags window
These registers are small storage areas within the CPU
itself, and they are used to facilitate various operations
that are performed within the X86 assembly language
36. Replicate the crash(cont)
create a POC skeleton exploit to crash the
FTP server
FTP servers comes with built-in anonymous
user account
MKD ~ make directory
FTP port is 21
37. POC!
Send your POC payload to server
Check EIP is overwritten with “x41” ?
Which registers contain part of our buffer ?
Try to find out which register contain more
chunk of our data ?
“x41” ~ “A”
39. Metasploit pattern
We now need to determine the correct offset in
order get code execution
pattern_create.rb
the script will generate a string composed of
unique patterns that we can use to replace our
sequence of 'A's
Pay attention that you keep the original buffer length since a
varying buffer length may change the program crash
40. Again replicate your crash(cont)
Send your payload to FTP service and check for EIP value
which Is overwritten by metasploit pattern
41. Check EIP!
Find the offset which EIP is overwritten by our pattern
!Mona comes into place
42. Configure !mona
Download Mona, copy it to PyCommands directory of
Immunity Debugger
Use the following command to config mona
%p based on process name
%i based on process id
43. Find cyclic pattern with !mona
!mona findmsp
From the analysis we can see that EIP is overwritten by the
4-bytes which directly follow after the initial 247-bytes of
our buffer
45. Check again
Now our buffer should be look like this:
Buffer=“A”*247+”B”*4+”C”*749
“B” ~ “x42”
46. Replace “B”s with pointer to ESP
we can replace those B's with a pointer that
redirects execution flow to ESP
keep in mind that our pointer can't contain
any bad characters
Do you remember bad characters?
“x00x0Ax0D”
47. JMP ESP
To find a valid pointer which redirect us to ESP we
can use “mona” with the following command
!mona jmp –r esp
48. Endian order of the X86 processor
Big Endian
(Others)
Little Endian
(Intel)
Register Register
Low Memory
Addresses
CE
FA
ED
FE
High Memory
Addresses
FE
ED
FA
CE
CEFAEDFE CEFAEDFE
0x0
0x1
0x2
0x3
00
00
00
000x4
0x5
49. Msvcrt.dll (MS12-013)
Starting from Visual Studio 2003, any program that
is dynamically linked to the C Run-Time library will
use msvcrXX.dll instead of msvcrt.dll
If your program statically linked with this visual C
run time library your program is safe
%windir%system32
50. Our pointer to JMP ESP
0x77c35459 : push esp # ret [msvcrt.dll]
C:WINDOWSsystem32msvcrt.dll
Put a breakpoint on our pointer (F2)
51. Put our Shellcode into buffer
Inserting our payload in the part of the buffer that is
now made up of C's
we would like to have the buffer length modified
dynamically
insert some NOP's (No Operation Performed = x90)
before our payload as padding
buffer = "A"*247 + "x59x54xC3x77" +”x90”*20+shellcode + "C"*(749-(len(shellcode)+20))
52. Generate our Shellcode with
msfpayload(cont)
Msfpayload –l | grep windows
Metasploit has a command-line shellcode
generation function called msfpayload
To use msfpayload, you need to know the options
associated with each payload
Msfpayload -O
54. Msfencode | bad character escaping
Encode your exploit to prevent broken shellcode
55. Check netstat before & after POC!
If Our payload work without raising any error will
spawn a shell for us on port 3320
:D let’s check it with NetCat
56. Game over!
NC –nvv 192.168.149.153 3320
V: verbose mode
N: use IP only don’t resolve DNS
Hopefully you now understand the basics of a stack-
based buffer overflow
57. OS DLL or application
If you choose an OS DLL, because they are not same in
various versions of windows so your exploit isn't portable
These DLL’s are not randomized on XP but they are on
Windows 7
If your application moves between operating system
versions, you're still going to be referencing a JMP ESP
within the application itself, and not be OS dependent