Exploit Development (part 9) Verifying Offsets

00:04

All right, so now let's verify those offsets.

00:08

So let's go ahead and restart. Were FTP you over here?

00:20

Get that error. So you must remember to get rid of that

00:26

ftp demon dot dot Believe that.

00:31

And if it doesn't, you don't get that era. You don't need to do that. So let's restart again.

00:37

That's time. Always remember to do that. Play

00:43

Lightning Bolt. We're running. All right, So what's come over too?

00:47

Callie again on Open Up Our War FTP Scaled up high again. Let's comment out of her equals our pattern and recreate buffer and so equal to us. A Times

01:00

485. Remember that that is our offset to the I p plus B

01:08

times four such before bites for E. I. P. Remember, there were four extra fights for the colon convention for

01:15

Cem arguments.

01:18

It will be ripped off when

01:19

for returns to see times

01:23

who are the argument. And then I'm not very good at arithmetic. So typically, what I do do buffer plus equals that's going to upend the buffer. So I want D

01:36

times

01:38

1100 mine ish length. So alien

01:42

of never

01:46

so buffers gonna be 485 plus four plus four. So we want the total strangling to be 1100.

01:53

Andi don't necessarily have to have it be just a long I. Generally, once I find something that does work, I stick to it Why,

02:00

you know, add more possibilities of things changing. So I found 1100 work, so you might have a question. How did we know 1100 characters work? And that was absolutely a good question. We will, in the absolute next. Yeah, the next one.

02:17

Our next

02:19

example. We will look at something called Fuzzing that will allow us to find crashes in the first place. For this one, kind of like when we did our episode of 67 we first learned medicine Lloyd and said, Just believe May that this vulnerability is there. And sure enough, we found it using vulnerability scanners in check function,

02:38

other methods that we used for vulnerabilities, discovery. It was indeed there something here was telling you 1100 characters does it on. We'll stick with that and we will do flooding next and see finding a cries in the first place.

02:55

All right, so we still get the length. 1100 Zord is patting it out with these. What we expect to see is

03:04

three times four. So 42 42 42 42 in the I P. And then we should see

03:09

four bites of padding and then

03:13

and E S p we should see the beginning of our D's. And again, that's where we've chosen to put our shell code. We have 607 characters to work with.

03:21

So some of this

03:23

1100 characters is

03:25

not showing up

03:29

movie it is.

03:30

Maybe that's what's lasted. 607.

03:32

See, I'm not very good at arithmetic. Yeah, little looks about right. Yeah, because there's seven. Looks like, Yeah. Okay.

03:40

This is why I just let it do the arithmetic for Makes my earth and stick against not that great. So silly change. We need to make their make sure we do plus equals here in the second line that is going to upend. We just do it equals all. You'll get us some D's and it probably won't crash at all.

04:00

All right, go ahead and run it

04:03

again. This is just verifying our offsets. Hot mug over to X p. And sure enough, we get access violation when executing 42 42 42 42

04:14

with him to our registers, we see it

04:16

on. We should automatically be following SP in the stack. But we can right click on a register and say Follow and stack.

04:26

And that should be the beginning of our Gs if we go up one. Sure enough, here's our seas. Who's Arby's? Who E. S P is pointing at the beginning of our D's who if we put our shell code there,

04:39

it will.

04:41

If we can get the SP, Of course it will send us to the beginning of those D's Are shell code on. We can execute from there. We don't have

04:49

that execution prevention on. We can execute off the stack This fine.

04:55

So of course, our next question is how do we get to E. S p? I got a little bit ahead of myself there. Okay, just go to E S p. But how do we get to DSP?

05:03

Well, we just heard. Could be addressing

05:06

Really? That's a pretty bad idea.

05:10

It may move around particularly between platforms. It's not always gonna be in the same place. So anything that we hard code like that that may possibly move.

05:19

We'll make our exploit more unstable. We like it to be a CZ universal, unstable as possible. So it's generally a bad idea, that's what this one we have another problem.

05:31

Looks like he s p that 00 a f f g

05:36

for eight year zero is the null byte. And it turns out that in many cases, the no light is a bad character. It does

05:46

represent the termination of a string. So if what you're working with is being

05:51

used a string by the programs, who is calculating that via string? If it sees an old light, it will say, Okay, that's the end of the string and everything that comes out here. Well, this we dropped off.

06:02

So since our

06:04

yeah, if you ever write is 485 bites in, that nobody would be at the end when we turn it into a little Indian.

06:12

So everything after I pee would disappear. So all of our nice deeds that were used for shell code wouldn't be there anymore. So we actually don't have the option, the hard code this in. Anyways,

06:25

begin your head of taking my word for it. That no bite is a bad character. It isn't always a bad character, Not necessarily. You're always gonna have a string

06:34

in this case, since it's the username, chances are it's gonna be a strength.

06:39

But it's certainly possible that you'll run into exploits where it's not a string and

06:44

the nobody will be just fine. Or you may find some instances where you are forced to use in the old light

06:49

on Dhe. Then you just lose everything after it and hopefully you're still able to exploit it. You'll see lots of things, and you continue in export development. But

07:00

it is a bad character. Here is actually a couple more bad characters.

07:03

The bad characters for this one are no,

07:09

you're a and your D, which are part of our enters. Our

07:14

excellent are in black slip in. And then finally, there is 1/4. When I was a bit confused when I first saw this one

07:20

40 in Hex is the at symbol. If you look at man asking, you can see that. But why the at symbol. But as it turns out, since this is a user name

07:30

and, um,

07:32

FTP the actual specifications for it is use your name at server.

07:38

So if I have,

07:40

um,

07:41

that symbol

07:43

in my user name,

07:46

it gets a little confused because it's like, Okay, this is a survivor. Then there's out in there, so it's just part of the specifications. I mean, that's really the key to bad characters is you have to follow the specifications for whatever political you're using

07:59

and, however, is being interpreted by the underlying program.

08:03

You're bad characters are mainly gonna very based on what it expects to see what it's capable of

08:09

processing. So in this case, 40 is also a bad character who is an FTP user name.

08:16

So I mean, 00 and zero a zero, dear, be common. The 48. Now see that a bit less usually at symbol is fine,

08:26

but in this case, it stopped.

08:30

All right, so

08:31

we can't just hard coded in R E S P is where two. Don't D'oh!

08:37

How are we going to get there? Well, I guess I kind of gave it away. We can jump there so

08:43

we don't know much assembly with me not

08:46

aware of it. But there is a command called J and P short for jump.

08:52

No, Cole

08:54

pretty much does the same thing,

08:58

always for our purposes.

09:00

But Mona makes it pretty simple. We can just do Ramona.

09:03

That would do Mona JMP that will find all the jumps and the equivalent as well, so cold. You could also do like,

09:13

um, we do. We could do push ESPN push ESPN to the stack, and in return we return will grab whatever the top of the stack is and then return to it or send execution to it.

09:26

So we're going to do Mona Jump Dash are for the register And in our case, we want to get TSP.

09:33

We also tell it to automatically delete any bad characters, but also do this manually on site groups.

09:41

But most just go ahead and tell it to take the bad characters out. So it'll automatically throw out any pointers that have.

09:48

So that character in them So

09:52

not that b

09:52

the sheep Eby. Rather,

09:58

I always get that wrong. I don't know why I always want to say cbp,

10:01

but it's cpv. So bad is last.

10:05

Tell it to get rid of the bad characters. Ramona, Jump, JMP Dash are for the register. ESPN our case and CPB

10:15

on then are bad characters we want to avoid.

10:20

So we put those down here at the bottom.

10:22

What? That execute again? It's going to take a minute because it is

10:28

searching through all of our loaded models for jump, ps, ps and equivalents. That was pretty fast.

10:33

So come over here to see logs. War dad's f d p d.

10:39

Now we have jumped up text

10:41

share our models appear at the top again.

10:45

Well, here are all of our pointers. So we have Jumpy S. P. S, Kohli Espy's pushy S P s and then return

10:52

who finds the equivalence as well. And it did automatically take out all of our bad characters. So technically, we can use anything on this list

11:01

gun. I light to this for portability. Say, if I can

11:05

use the war FTP model itself or some of its

11:11

G l l would only has one Diello this image

11:15

she 42 dot dll I never use anything in war ftp itself because it is

11:22

loaded with annulled by it show every pointer in there is going to have a null byte in it, which we want to avoid. So everything got thrown out there that looks like our MFC.

11:33

It doesn't seem like they're in there anywhere. It doesn't look like there's a jumpy SP equivalent in there. At least not one that has doesn't have a bad character.

11:45

I didn't have another way.

11:46

Maybe it does. Doesn't look like it.

11:52

For whatever reason, they're not in there. I'm somewhat weakened. Dio is he's another one again. In this case, you can use anything on this list.

12:00

I like to use the M S V c r t

12:03

the Here's m sec, Archy dll right here. So let's grab this one with the push S p and then a return. So it's an equivalent to jumpy SP

12:13

that Mona found.

12:13

So then you could use anything on this list As long as you automatically filter out the bad characters, you don't necessarily have to do the same one that I do

12:24

those competitions and put it in my note pad.

12:30

All right, so let's go ahead and restart. Just still crashed.

12:35

Come over to immunity.

12:37

Well, let's get rid of that FT feed out there or have to be demon. Not that.

12:46

And then I get a debug and restore It

12:50

should open up. But so now,

12:54

sure enough, it does.

12:58

Lightning bolt

13:00

and we come over Thio,

13:05

our Callie.

13:09

Now what I want to do instead of B times or here

13:13

going to put my

13:16

jumpy SP equivalent, just paste it in there for reference. I need to put it in little Indian format and help fight on that. It's hex, but 59 1st again, bite by bite turned it around. 59 1st

13:31

then 54.

13:35

Then

13:37

she's three

13:39

and then 77 of yours is different. Just make sure it's in little Indian formats. We flip it around, bite by bite

13:46

and put that in the place of Ari. I be over right. So in the place of our 42 0 r b times for

13:54

look, it only change. We need to wreck right now,

13:56

So let's go ahead and say this and one more thing before we run it. I want to like we did in the Lenox example, actually set a break point.

14:05

So what we can do for that is just a BP for break point

14:09

on, then paste. And

14:13

it didn't work out too, huh?

14:15

Paste in that address,

14:22

BP and

14:30

hey.

14:31

All right, It's still not working one more time. That it copy?

14:41

Really?

14:43

Okay.

14:46

All right. So I'll just write it in because for whatever reason, immunity doesn't want to get from me.

14:50

All right, so let's make this more so I can see it.

14:56

7 73

14:58

5459

15:03

hasn't 73 5459 All right, there. Instead, a break point there

15:09

and his inner.

15:11

And we can see our break point that we go to view on break points.

15:16

So there's the address. The module in Ms V C. R t Always active. And it pushy sp remember this one of the pushy SP and then return sexually to commands to do the equivalent of jumpy SP.

15:31

All right, so let's go ahead and run it.

15:37

So everything is as expected over here on Callie, we hop back over x p. We are paused, but we don't have a crash.

15:46

Who? Look a t i p. It is pointing to our 77 c 35459 in my case so animus v C R t. Who we are in a break point. If we look at the CPU, you see are pushy SP followed by a return so we could let it play or what we can D'oh

16:03

is we can hit F seven Drona. Mac, you may have hit function at seven

16:08

and that will just execute one instruction at a time. So if I do f seven do pushy sp

16:15

who take a look at our stack,

16:18

we now have E s p pushed onto the stack and then we return. So it's gonna take that address and then try and execute what's there.

16:27

So would you that return

16:30

So again, let's do function of seven. If you're on a Mac this F seven on Windows

16:36

on DDE that indeed does redirect us to the beginning of our D said we go up in a president. Those diseases

16:44

it grabbed that Nelle in front of it. Now it thinks that that's another

16:48

command, but so it takes us two e s. P s in the beginning of our D's. So now course we need to replace Ardis with something useful. Looks like 44 heck sisters increments DSP,