Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson focuses on creating a cyclic pattern using the immunity debugger. Participants receive step by step instructions to create a cyclic pattern using the python command. The lesson also discusses operating system DLLs and how they can be used in exploit development.

Video Transcription

00:04
Okay, so now we need to
00:06
figure out which of the 1100 characters are overriding the safe return pointer, and that's causing the progeny, i p.
00:15
So what we want to do is create a cyclic pattern, and we're going to do this in immunity, vulgar,
00:23
and we do our command down here at this white part of the bottom. But that's kind of small. So I will put them in a note pad first so we can see them a little bit better and we do course need to restart war STP. It's currently crash. Some programs will do this inside of the bugger
00:40
that will not always be the case. Some punch up to detach and restart it. But with this one, we can go to debug and then restart Yes,
00:49
on,
00:51
since it restarted nicely. If you do have any problem with it and make in a few cases, I'm not really sure what it is that does it that give people the same VM and those people don't get the error. But then a couple people do if you do get an error and it says like a noon database for matter unknown user name for a matter
01:10
something like that. It will just put up
01:11
on alert window that says that if you go into a war FTP folder, there will be
01:17
a file FTP demon thought that. And if you do get the error, just delete it before you restart, deletes the database. And if you don't get it, then you don't have to do that. You just restart like we did. But if you do get that error and if we get this error in the later video, then I will.
01:36
Sure, deleting it. But
01:38
just in case you get it, you just delete that file and everything should be flying.
01:42
So those polls, when you re started since he pulls down here so in Click Play
01:49
on and
01:49
Where did My war of to? Vega
01:55
says It's running, but it's not.
01:57
There are so, so savory straight again
02:00
on hit play.
02:02
There you go under the file format or user data, but it's cool enough to see it.
02:07
All right, so you have to say OK here and let's delete that FDP demon dot Dad,
02:14
you probably won't get this, but luckily for the state of the video, I did, so you can see how to get rid of it. Who? Just delete the dot dat file a few p demon
02:25
on DDE.
02:28
Now go to restart
02:30
and that your research? Fine.
02:34
Cool.
02:35
Look. Okay, Click the lightning bolt. So it's running on. We're still attached to it in the d bugger.
02:40
So we should be good to go.
02:43
All right, now, we need our command. Create our pattern.
02:46
We used a Adeline called Mona
02:50
on dit is added on to immunity. It's not
02:53
in there by the fault just downloaded and add it to Mona. We did that for added two immunity. Rather admitted immunity. And we did that in section one way that are set up.
03:06
So we want exclamation point Mona Pattern create will use Mona Fair amount in this class as we do the exploit development, it has command for a lot of useful task that might exploit development a bit easier. So we want to tell it to create a 1100 character patterns were gonna replace that 1100 days
03:25
with this pattern
03:28
that is going to allow us to
03:30
see where our favor turn point over is in just one step instead of him to bring it down into multiple steps like I should do in the previous video Hoes paste that ends a motive pattern. Underscore. Create an 1100.
03:46
And since I sat the logs when I was doing the setup, it does love it to see logs War dad Jeff DPD patterned out text. So she logs in the name of program. It's attached to that. Whatever the command is,
04:01
if I go to the desktop, not the desktop, that's where everything else is. Sea logs or FTP d and then patterned out text.
04:11
There's our secret pattern That's 1 1100 characters long
04:15
from the Copy this and go over to my Callie Veum,
04:21
and I'm going to use Nan own editors worth to detail that pod.
04:28
And I'm just gonna comment out. Buffer equals eight times 1100 without a bee hash and python, and I'll recreate Buffer. You could also get rid of that one entirely, or delete the eight times without the 100 re declare it. But this is nice because we can see each step as we move through. It would be nice
04:47
Thio. Remember what we did decide. I'm going to have you do
04:50
and exercise where you do it. This yourself. So it'll be nice to have
04:55
all the steps. All right, So I'm gonna say buffer equals open quotations and then paste in that 1100 characters of the cyclic pattern.
05:04
And don't forget the clothes quotations at the end
05:09
books.
05:10
I ended up on second line. That's there, but so should light up Green and Nana. All right, So instead of 1100 days now, we're going to still send it 1100 characters on the link should be the same. But now we have our little cyclic pattern. Gonna see how it works. Big A lazy Roby gate, Lily one.
05:30
So you get a little b a little see? So you see, it could be pretty long before it has to look around.
05:36
So go and say that is the only change we're gonna make. Here was re declaring the buffer variable to be our cyclic pattern so we can
05:46
crash it again to make sure we're running over here in immunity. We are indeed running, which we get to G o
05:57
so over a Calleigh, let's run it again.
06:01
Hit the same output here. So everything as expected here said hi, I'm the war. If you fi
06:10
server, please. Did you use your name? Please enter your password. We d'oh or the script is rather come back over here. We have access violation when executing this time not 41 41 41 41 Since we've been send it a long string of A's We sent in our pattern.
06:26
Who's dead? We get 30 to 71 41 31 it's here in the I P as well.
06:32
We can also see parts of our pattern in E s p e v p N e d I. Those were
06:39
covered in age
06:41
last time. That was to be expected.
06:44
So what we can do? We have a couple options just to see what is in the I p.
06:50
We could just do
06:53
exclamation point, Mona Pattern, underscore, offset
06:57
and then give it 30 to 71
07:00
41 31.
07:03
And it says that the peace of the pattern is at Position 485. So it's 485 bites into our attacks during.
07:14
But remember that
07:15
Go back to the CPU view. We also have these registers that have been overwritten with part of the pattern, I mentioned that that might be useful as a place to put our shell code so we can actually just do one step
07:30
that will allow us to see all of the places that the pattern shows up in memory. So we can do Mona. Find M S p for the fine medicine flight pattern. This cyclic pattern is part of the medicine for Mark.
07:44
You can also use medicine void created directly on Callie. But
07:47
I typically used Mona for these sorts of things.
07:50
All right, so we could do a motive finding Miss P.
07:54
And we do have to crash it with the cyclic pattern in order for this to work. So we do need tohave are cyclic pattern in memory.
08:01
But there was it won't find it specifically looking for parts of this pattern in different formats.
08:07
Plus do exclamation point. Mona, find MSP
08:11
on. It's going to take a little bit here. You'll see it's a searching down at the bottom. It is searching through all of memory for parts of that pattern that will just take a minute to her defense.
08:26
So this will give us the location of the I P. But you'll also find
08:31
what's in our registers in any other place that happens to be ever written as well.
08:39
Let's see what it comes up with. All right, now it's done
08:41
so we can take a look again at the output. So we d'oh d'oh!
08:46
Sea logs ward as a ppd this one called finding that p So the files are named after
08:52
whatever we told it to do.
08:56
So here at the top, we have all the loaded models for this one.
09:00
So he's already see some windows dll that are loaded
09:05
and we also see
09:07
war FTP itself should be here somewhere. Cares for Ft. Petey, execute Herbal. It looks like it also has
09:13
a dll of its very own.
09:16
And she information about them like they're base the size of them with the re based on on that basically just means whether or not they can move. See, one of them is rebased
09:28
and things being in the same place every time certainly makes exploits
09:33
more stable. I'll be able to use them on other platforms, for instance, are, for the very least on other windows. Ex piece of respect. Three systems.
09:43
We generally like to look for things that don't move or don't move very often
09:48
and safe at the age. We will look a structured exception handlers or a CH in a later portion of this export development section,
09:56
but they're not really relevant now. Noticed that a couple of them do you have a safe as the ages false. That will certainly come into play
10:05
address based layout, random ization or SLR that's false for all of them that didn't come in and Windows until Windows Vista.
10:13
That said,
10:13
isn't a requirement that you use SLR on your programs. And certainly legacy programs like this wouldn't have it enabled. So SLR address Space layout organization is another thing that makes things move. Anything that does have SLR enabled on an operating system that support it with Mr later than it would
10:33
when you re boot
10:33
all of those. Deal of all those programs will be loaded at a different face and memory to continue with exploit development, you'll see ways to bypass SLR
10:43
is certainly relevant these days,
10:48
but again, with this example on anything we're going to do in this class, we won't see that taken. Exploit development class. I'm sure that that will be covered. Certainly covered in mind, Frau, it's not relevant. Likewise, no execution.
11:03
We don't have to worry about that here. So that execution prevention basically again is a way to stop exploits from working. So I was like, We're executing code off the stack. Why are you executing code off the stack?
11:18
You shouldn't be executing off the stack. The *** just supposed to be like local information. It shouldn't be executing. So someone got the bright idea. Well, let's just marked sections of memory that aren't supposed to be executed as not execute herbal. And then people can't just put their show cause they're on Execute it. So
11:35
again, if you take exploit development class, I'm sure you'll spend
11:39
office time looking at different ways to bypass no execution. But we don't have to worry about it here. We don't have
11:46
backs on, and it also says, Are they
11:50
operating system? He yells. And that's true of everything that is not worth U P itself or any of its deal l. So operating system deals are probably going to change among service facts or could even change just among a few updates,
12:05
and certainly among different Windows versions, they're probably going to change, not necessarily or they're going to change. There are
12:11
so instances of deals don't change that often. And in my experience in this VCR key is a good operating system DLL that you can use. It doesn't change very much in the history of Windows, whereas something like User 30 to our system 32 does have a lot of changes. Bayer
12:30
a lot more going on.
12:31
So if I have to use an operating system deal, I usually go for the n S v c r t dot dll. But just for this basic example, really, any of the operating system deals will work just fine. We're working with the specific platform, but we would like
12:46
as exploit developers to make our exploits is universal is possible. And so my first thing is to try and go for four. If CPD itself or any of its deals. And if not, then it's easy. Artie, if it's there,
13:01
uh, we'll see that a bit later on.
13:05
All right, then the actual meat of funding Miss p, the program
13:09
looking for our pattern.
13:11
So it found quite a few parts of the pattern. But in particular I'm interested in the registers at this point,
13:18
So e i p again it found it off. That is 485. It did find those other three registers s, P e T, I and EVP all contained part of the pattern as well. So he s P is it off that 493 on afterwards? It has the length of 607 bites. So if we
13:39
put our shell code in E. S P, we have 607 bites for shell code. More space.
13:43
I mean, we can use more advanced shell code. Certainly helpful.
13:50
S t e d. I is at 749 and its length is 351. So not nearly as long. There EVP that 400 or 581 and his link is 519. So everybody has almost as much basis e s P
14:07
castles are. We could probably use EVP just fine, but let's go ahead and grab the SP. It does have the longest length on as well. See the make Something interesting happened that I think is worth seeing, particularly if you're going to continue an exploit development. So I will choose E S P. That's where we're going to put our shell code
14:28
too. It's offset is 493 that has linked 607 almost gotten. Copy this out.
14:37
Look,
14:39
find a Miss p and entitled is what I want. So just copy this for reference. So often is 493 and links is 607. And also just put the I P Is it offset
14:52
485. So we found that with finding this p as well as with the pattern underscore off that Just find the ivy.
15:01
So that means our favor turn point or ever right is going to be 485 bites in
15:07
and then it looks like so
15:09
safe Return phoners four bites. So that'll get us to offset. 489. But then e s P is it 493. So if we remember our picture from the beginning of exploit development, it said that are saved return pointer was right on top of E S P.
15:26
So why are we four bites off? That's kind of confusing. Well, sometimes the picture is not completely exact. What's happening here is that calling convention. There's different calling conventions of different compilers that you use different platforms. They have
15:43
different ways of dealing with things. There's certainly no hard and fast rules that this has to be done this way.
15:50
So basically the arguments. So there's one for bite argument between
15:56
E. I. P is over right on E S. P. So there's four extra bites that basically get stripped off when our whatever function we called return. So there's just four extra bites there,
16:10
so nothing to worry about. It just makes our picture a little bit inexact in this case. But this is gonna be taking care of automatically. We don't have to worry about ripping off extra arguments or anything when it compiles. It takes care of all that automatically. We just need to know. Yes, p that 493 d I. T. Is at 485
16:30
so we'll just take that into account more rebuild
16:32
our attacks during the next thing we need to do, of course, is verify that this is all true. As you become more familiar with exploit development, you may skip that part, but I encourage you to always verify everything because as soon as you stop, at least in my experience, that's when you start making mistakes and we'd rather catch to them. Now
16:52
we're down the line when everything just stopped working and you can't figure out why.

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Instructor Profile Image
Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor