Wednesday, July 17, 2013

Exploit writing .... for humans .... yes its possible

I think this topic is a little hushed due to its nature of sophistication or learning curve....

going from my earlier post about software cracking (I hardly spilled the ASM beans on that one) hence a little offset will probably occur here.... on this.... what i will do is break down the barrier of programming language that is high level and low level...

so what will need to know before we start

  • a high level programming language.... e.g C,Java,Python,Perl or Ruby
  • and yes we need to know a little enough about ASM(for now ...if we advance we need to add more to our stack)
  • Metasploit is not a must but can be very helpful
  • math.... yes a lot of mathematics
this will be sort of long since i will break it down to the bare essential so if you think its too soft.... thats because it is... moving along

  • Reverse Engineering--- this is simply breaking down an object/code in our case and getting a look at the code from a decompiler
  • ASM--- assembly language (just google this part ... i will wait) yes its that.... but heres the trick about ASM... it has a lot of gibberish but its very understandable some terms
functions------- e.g POP, PUSH ,MOV,SUB ,RET
register ----    AX multiply/divide, string load & store

CX count for string operations & shifts
DX port address for IN and OUT
BX index register for MOVE
SP points to top of stack
BP points to base of stack frame
SI points to a source in stream operations
DI points to a destination in stream operations

Along with the general registers there are additionally the:

IP instruction pointer
segment registers (CS, DS, ES, FS, GS, SS) which determine where a 64k segment starts (no FS & GS in 80286 & earlier)
extra extension registers (MMX, 3DNow!, SSE, etc.) (Pentium & later only).

^borrowed from wikipedia

The IP register points to the memory offset of the next instruction in the code segment (it points to the first byte of the instruction). The IP register cannot be accessed by the programmer directly.

this are just examples and barely scratch the surface of what is happening.... explaining that would probably require another blog....
now here is the explanation to the above 

a register is a place you do stuff---that easy huh hehehe yaah for now... registers are work benches 
like EIP is what is about to happen next
and ESP is a workshop---when we working
and EAX mostly.. math is done in there ---> this simply my analogy from my teachers point of view.... 
now moving to disassembly (google that also) we have various tools that can do all this decompiling... now for me i will not dare recommend any tool ... just mess with them see what is your best method /tool to approach the code/apps here are some examples

  • Ollydbg
  • SoftIce(very old though)
  • IDA Pro(yes its expensive---but worth it)
  • Immunity is also a good option so also try it
moving on now something really cool about ASM.... ASM works on a step by step procedure... what do i mean... when ASM wants to work with an *object... it does so one step at a time... now here is the interesting part... if it had stacked an object under ten procedures... it will have to go back through the same ten procedures in reverse to pick it up again.... then start working from there....

ok moving on.... i wont spend more time here but if you came for exploit development am guessing you are ready for whats next.... 

Methods of attacking the application

now a lot of people ask me how do we even start by attacking a software ?

assume you have a sole responsibility to pentest a music/media software... our example will be a software known as Easy RM to MP3 Conversion Utility    its a small ,media oriented software 
we can also use vlc,adobe,word anything that will basically be an exe for now... but lets start with this aight...  

method of exploit... buffer overflow what is buffer overflow?... this is when an application cannot handle excessive data and spills it... well not exactly spilling it out but into another workbench /Register

then how do we know how to get a buffer overflow? we crush it... per say we bring out errors
... i mean how do we get errors from it ... well you broke the first code lassy... we get errors from it .. 
heres how fuzzing... what is fuzzing (google that ... am waiting).. got it? ok now here is where we create a fuzzer (yes not all tools are already made when hacking)

so here is a simple fuzzer

and when we run the fuzzer.... we get the following 

moving on from that what we have created is simply a file that will be read by the media app i.e Easy RM .... it contains a lot of data that is basically A's so here is our output when we get it to open (i changed to kali linux from mac here for reasons you will see just ahead)

now here is when the fun begins (well not all times will the app crush directly sometimes we need more As aka junk data so we multiply with more if we need to) so does it crush yes it does B) 
moving on we now want to see whats happening when it does that.... we fire up our trusty Debugger i will use Ollydbg for now so here is the open session screen and attach the running (new running )process of Easy RM... hanged the fuzzer to bring out Bs ... not thats its needed to just me being me....

so we attach the process to ollydbg and open our new crush file (with Bs---just checking if you following) and again baaam it crushes... this time with this showing on our ollydbg

let me do a little explaining.... on the window on the right side we have the Registers...
on our top left side we have a blank part but thats the because our program crushed on an earlier look it would be filled with the program functions the NOP POP MOV and what have you ....
lower left has a little of everything the hex,ascii (everything thats going on)

so we have something at the furthest end.... the top right corner... on that side we have a lot of BBBBB.... as u can see then we have a very interesting notation

looking at it we have Bs in EBX ,ESP then to our favourite Register EIP.... why is it our fav ... its because 1... programmers can't directly access that register... not even on an ASM level.... 2. EIP as i stated earlier is what is about to happen .... thats right ... NEXT .... so that means its what is unknown to the program at that time... hence we can call any function if we spill that called function inside there.... and that function is our... YAY hahaha no abbreviation for that, our ShellC0d3 <---- ok thats not so cool) but ....

hold your horses ... we far from that well not that far... depending on which high horse we decide to pull an allnighter on ... ok now what we need to do is know where excatly the code *breaks at.... how do we do that?.... we create a pattern

now EIP is only 4bytes big/in size so what happend is along all those Bs i sent or were loaded there is a place with the 4 bytes that caused the crush.... now what we wanna do is try and get the 4 bytes location... now this can be done it two ways... the manual way where we create a fuzzer with diffrent As and Bs characters as sucj 3000 As and 3000 Bs so is we get As only its in the range of 3000 if we get Bs its in the range of 3001 and above true?.... this is the deffrential method....
we also have a tool for doing that in metasploit... this tool is a ruby script called pattern.... so here it is working its magic....

and it creates a sequence that looks like so.....
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8..... and so on now we will modify our script to this

with that i can go on as now our script./fuzzer looks like so ...moving on now we can get a pattern that doesn't repeat itself and we can look for our 4 bytes 

and again BAAAM our sweet application crushes.... but this time we note our EIP .... now our EIP contains not 42424242 nope now it contains a sweet melody of 7A53307A with this we can tell how this is going to go down....

now here is where the math comes in.... P.S dont be surprised if you get a different Address it just depends on what your file path in the executable is... it may be longer or shorter now... to offset the data

where getting a tool to offset still in metasploit i get this

for my first offset.... now with this i can conclude the exact size of the buffer before i write my shell code... the center one being what am looking for.... now for this it means,35071 is the buffer length needed to overwrite EIP. So if i create a file with  35071 A’s, and then add 4 B’s (42 42 42 42 in hex) EIP should contain 42 42 42 42.
here is the result... and am all smiles with that

so what does that mean... we have found the soul important address that the register overflows at B) and that is a very good thing.... now the shell code ... ah ah not yet.... why... thats because we cant fit a whole command prompt/shell code in 4 BYTES!!! thats crazy .... but we do have something else... remember when we we busy filling the program with As or Bs .... on our bottom right on the debugger
we had something like such

with that.... we have a way in.... now what we have to do since the As or Bs were filled in a ESP register we have too look for a JMP ESP function.... why since we wanna jump to the code .... fill it with data.... and the register that is filled from the ESP code that is the EIP which we cant***** access programmatically and also awaits to execute the overflowing data........ runs the desired shellcode so... here we go

 on the above screen shot---- we click on E* to bring up the executables....
listed below are the executables....

now a little note to be noted <--- what hahaha alright .... the system processes we see are quite ok to use also... but this will be platform DEPENDANT in sense ... if we use them they can only be used by a person attacking the same platfrom e.g XP service pack 1 will work only on SP1 platform of XP and so on.... anyway using the same application executable really will save us much... plus its what we will do.... so here goes nothing..... we select the executable for Easy MP3.... if it had dlls we could use them if we wanted to....

so we select the executable since we dont want too many exploit restrictions..... and we search   in the code for the JMP ESP command..... this we get from here

wuuuu ..... with that.... we can set a break point to observe if the JMP ESP is going to hold any water..... now this is not a must its just a procedure if u run into an issue while working, now whats our address in the JMP ESP?  7CA7A787x86 processors have a habit of ending up in little endian encoding so we read addresses as  \x87\xA7\xA7\x7C .
now to generate our shellcode.... there are a lot of ways .... but best way is by use of metasploit... AGAIN B)..... here is how using the msfweb method 

and with that we generate a bind payload..... 
...... now lets go to our fuzzer....

after generating the payload.... and encoding it with ShikataGaiNai to evade a little and bring a little peek a boo .... we are ready to put the shell code into our fuzzer.... so here we go 'B)

we create a script/fuzzer that looks as such

 and with that we generate the playlist we want to be ran by the victim.... and we test to see if it works...

 what do you know... it opens and doesnt crush :P

ok lets see if the shellcode executes ok....
 VOILA!!!! ....there we go :)

our payload works and binds us to port 4444... wow nice huh... yeah ... anyway this is a very simple application to attack... adobe, vlc, java-dependant software have the same kind of feel and feed.... it gets a little tricky though if obfuscated and also if the program does not have 3rd party dlls... well i hope this is a start for you ...if you want more on ASM check out my links with PDF downloads ... here will be posting the video for this soon so please keep in touch.... ask questions in comments if you need any help ...where i can i will gladly help where i can.

CIAO happy hunting.


:) No longer posting, all articles should be treated as archived and outdated