All right, so now let's verify those offsets.
So let's go ahead and restart War FTP over here. We get that error, so you must remember to get rid of that FTP daemon .dat file. And if it doesn't, if you don't get that error, you don't need to do that. So let's restart again. This time, always remember to do that. Hit the lightning bolt. We're running. All right, so let's come over to
Kali again and open up our War FTP script again. Let's comment out our buffer equals pattern and recreate buffer, so buffer equals A times 485. Remember that that is our offset to EIP, plus B times four, so four bytes for EIP. Remember, there were four extra bytes for the calling convention; they will be ripped off when the function returns, so C times four are the argument. And then I'm not very good at arithmetic, so typically what I do is buffer plus equals, that's going to append to the buffer. So I want D times 1100 minus its length, so len(buffer). So buffer is going to be 485 plus four plus four, and we want the total string length to be 1100.
And it doesn't necessarily have to be that long. Generally, once I find something that does work, I stick to it. Why, you know, add more possibilities of things changing? So I found 1100 works. So you might have a question: how did we know 1100 characters work? And that is absolutely a good question. We will, in the absolute next, yeah, the next example, look at something called fuzzing that will allow us to find crashes in the first place. For this one, kind of like when we did our episode 67, we first learned Metasploit and said, just believe me that this vulnerability is there. And sure enough, we found it using vulnerability scanners and the check function and the other methods that we used for vulnerability discovery. It was indeed there. Same thing here: I'm telling you 1100 characters does it, and we'll stick with that, and we will do fuzzing next and see about finding a crash in the first place.
All right, so we still get the length 1100; it's padding it out with D's. What we expect to see is B times four, so 42 42 42 42 in EIP, and then we should see four bytes of padding, and then at ESP we should see the beginning of our D's. And again, that's where we've chosen to put our shellcode. We have 607 characters to work with. Maybe that's what it was last time, 607. See, I'm not very good at arithmetic. Yeah, that looks about right. Yeah, because there's seven. Looks like, yeah. Okay. This is why I just let it do the arithmetic for me; my arithmetic is not that great. So the only change we need to make there: make sure we do plus equals here in the second line, that is going to append. If we just do equals, all you'll get is some D's and it probably won't crash at all.
All right, go ahead and run it again. This is just verifying our offsets. Hop over to XP, and sure enough, we get an access violation when executing 42424242. If we go to our registers, we see it there. We should automatically be following ESP in the stack, but we can right click on a register and say Follow in Stack. And that should be the beginning of our D's. If we go up one, sure enough, here's our C's, here's our B's, so ESP is pointing at the beginning of our D's. So if we put our shellcode there, if we can get to ESP, of course it will send us to the beginning of those D's, our shellcode, and we can execute from there. We don't have data execution prevention on, so we can execute off the stack. This is fine.
So of course our next question is how do we get to ESP? I got a little bit ahead of myself there. Okay, just go to ESP, but how do we get to ESP? Well, we could just hard code the address. Really, that's a pretty bad idea. It may move around, particularly between platforms. It's not always going to be in the same place. So anything that we hard code like that, that may possibly move, will make our exploit more unstable. We like it to be as universal and stable as possible. So it's generally a bad idea, but in this one we have another problem.
Looks like ESP is at 00AFF-something. The 00 is the null byte, and it turns out that in many cases the null byte is a bad character. It does represent the termination of a string. So if what you're working with is being used as a string by the program, if it's calculating the length via string functions, if it sees a null byte it will say, okay, that's the end of the string, and everything that comes after it will just be dropped off. Yeah, so if you overwrite at 485 bytes in, that null byte would be at the end when we turn it into little-endian. So everything after EIP would disappear. So all of our nice D's that we were using for shellcode wouldn't be there anymore. So we actually don't have the option to hard code this in anyway.
Again, rather than just taking my word for it that the null byte is a bad character: it isn't always a bad character; you're not necessarily always going to have a string. In this case, since it's the username, chances are it's going to be a string. But it's certainly possible that you'll run into exploits where it's not a string and the null byte will be just fine. Or you may find some instances where you are forced to use a null byte, and then you just lose everything after it and hopefully you're still able to exploit it. You'll see lots of things as you continue in exploit development. But here it is a bad character. There are actually a couple more bad characters here. The bad characters for this one are null, 0A and 0D, which are part of our enters, our \r\n, backslash r, backslash n. And then finally there is 40. I was a bit confused when I first saw this one.
40 in hex is the at symbol. If you look at man ascii, you can see that. But why the at symbol? As it turns out, since this is a username in FTP, the actual specification for it is username@server. So it gets a little confused because it's like, okay, this is a server, if there's an at in there. So it's just part of the specification. I mean, that's really the key to bad characters: you have to follow the specification for whatever protocol you're using, and however it's being interpreted by the underlying program. Your bad characters are mainly going to vary based on what it expects to see and what it's capable of processing. So in this case 40 is also a bad character, since it's an FTP username. So I mean, 00 and 0A, 0D are common. The 40, now you see that a bit less; usually the at symbol is fine, but in this case it's not. So we can't just hard code in our ESP. So what are we to do?
How are we going to get there? Well, I guess I kind of gave it away. We can jump there. So if you don't know much assembly, you may not be aware of it, but there is an instruction called JMP, short for jump. It pretty much does the same thing, always, for our purposes.
But mona makes it pretty simple. We can just do !mona, we'll do !mona jmp; that will find all the jumps and the equivalents as well, so call. You could also do, like, um, we could do push ESP, push ESP onto the stack, and then return; return will grab whatever the top of the stack is and then return to it, or send execution to it. So we're going to do !mona jmp -r for the register, and in our case we want to get to ESP. We can also tell it to automatically delete any bad characters. You could also do this manually in some cases, but mostly just go ahead and tell it to take the bad characters out, so it'll automatically throw out any pointers that have that character in them. So -cpb, rather. I always get that wrong; I don't know why I always want to say cbp, but it's cpb, so bad is last. Tell it to get rid of the bad characters. !mona jmp, JMP, -r for the register, ESP in our case, and -cpb, and then our bad characters we want to avoid. So we put those down here at the bottom.
Let that execute again. It's going to take a minute because it is searching through all of our loaded modules for JMP ESPs and equivalents. That was pretty fast. So come over here to C:\logs\war-ftpd. Now we have jmp.txt here. Our modules appear at the top again. Well, here are all of our pointers. So we have JMP ESPs, CALL ESPs, PUSH ESPs and then RET; it finds the equivalents as well. And it did automatically take out all of our bad characters. So technically we can use anything on this list.
Again, I like to do this for portability: see if I can use the War FTP module itself or some of its DLLs. It only has one DLL, this MFC42.dll. I can never use anything in War FTP itself because it is loaded with a null byte, so every pointer in there is going to have a null byte in it, which we want to avoid. So everything got thrown out there. Let's look at our MFC. It doesn't seem like they're in there anywhere. It doesn't look like there's a JMP ESP equivalent in there, at least not one that doesn't have a bad character. Let me have another look. Maybe it does. Doesn't look like it. For whatever reason, they're not in there. So what we can do is use another one. Again, in this case you can use anything on this list. I like to use the msvcrt. Here's msvcrt.dll right here. So let's grab this one with the PUSH ESP and then a RET, so it's an equivalent to JMP ESP. So again, you could use anything on this list as long as you automatically filter out the bad characters; you don't necessarily have to use the same one that I do. So I'll copy that and put it in my notepad.
All right, so let's go ahead and restart. It's still crashed. Come over to Immunity. We'll get rid of that FTP daemon .dat file there. And then Debug and Restart; it should open up. So now, sure enough, it does. And we come over to,
Now what I want to do, instead of B times four here, is our JMP ESP equivalent. Just paste it in there for reference. I need to put it in little-endian format, and the \x on that, it's hex, with 59 first. Again, byte by byte, turn it around: 59 first and then 77; yours is different, just make sure it's in little-endian format. We flip it around byte by byte and put that in the place of our EIP overwrite, so in the place of our 42, our B times four. That's the only change we need to make right now.
So let's go ahead and save this, and one more thing before we run it: I want to, like we did in the Linux example, actually set a breakpoint. So what we can do for that is just bp for breakpoint. It didn't work out, huh? Paste in that address. All right, it's still not working. One more time, did it copy? All right, so I'll just write it in, because for whatever reason Immunity doesn't want to take it from me. All right, so let's make this bigger so I can see it. bp 77c35459. All right, there, that sets a breakpoint there. And we can see our breakpoint if we go to View, Breakpoints. So there's the address, the module msvcrt, always active, and it's PUSH ESP. Remember, this one is the PUSH ESP and then RET, so actually two commands to do the equivalent of JMP ESP.
All right, so let's go ahead and run it. So everything is as expected over here on Kali. We hop back over to XP. We are paused, but we don't have a crash. So look at EIP: it is pointing to our 77c35459, in my case, so in msvcrt, so we are at a breakpoint. If we look at the CPU, you see our PUSH ESP followed by a RET. So we could let it play, or what we can do is we can hit F7; if you're on a Mac you may have to hit Function F7, and that will just execute one instruction at a time. So if I do F7, it does PUSH ESP. So take a look at our stack: we now have ESP pushed onto the stack, and then we return. So it's going to take that address and then try and execute what's there.
So we'll do that return. So again, let's do Function F7 if you're on a Mac, just F7 on Windows, and that indeed does redirect us to the beginning of our D's. If we go up one, those D's, it grabbed that null in front of it; now it thinks that that's another command. But so it takes us to ESP, the beginning of our D's. So now of course we need to replace our D's with something useful. Looks like 44 hex is INC ESP, so there's a long list of INC ESP, so it's not going to be particularly useful in terms of shellcode. So certainly we can use msfvenom and take advantage of the Metasploit payload system and create some shellcode that'll be more useful for us.