Posts Tagged ‘pycommand’
Starting to write Immunity Debugger PyCommands : my cheatsheet
Author: Peter Van Eeckhoutte
Add this post to Your Favorite Posts
When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command line oriented approach in windbg has many advantages, it appeared not the best tool to search for good jump addresses, or to list non-safeseh compiled / non-aslr aware modules, etc…. Ok, looking for a simple “jmp esp” is trivial, but what if you are looking for all pop pop ret combinations in non-safeseh compiled modules… Not an easy task. It is perfectly possible to build plugins for Windbg, but the ones that I have found (MSEC, byakugan (Metasploit)) don’t always work the way I want them …
Posted in 001_Security, Development, Exploit Writing Tutorials, Scripts | 
Tags: api, assemble, cheatsheet, debugger, disassemble, immlib, immunity, immunity debugger, module, plugin, pycommand, python, readmemory, script | 
5 Comments »
Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
Author: Peter Van Eeckhoutte
Add this post to Your Favorite Posts
Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return address or pop/pop/ret address must be found, making the application jump to your shellcode. In all of these cases, we were able to find a more or less reliable address in one of the OS dll’s or application dll’s. Even after a reboot, this address stays the same, making the exploit work reliably. Fortunately for the zillions Windows end-users out there, a number of protection mechanisms have been built-in into the Windows Operating systems. – Stack cookies (/GS Switch cookie) …
Posted in 001_Security, Exploit Writing Tutorials, Exploits |
Tags: !aslrdynamicbase, 2003, 4141414, 8, access violation, add esp, address space layout randomization, adjust ebp, adjust esi, alwaysoff, alwayson, aslr, before function returns, buffer, buffer overflow, bypass, call, compiler, cookie, data execution prevention, dep, dword ptr, exception handler, exploit, gs, hack, handler, immdbg, immunity, jmp, jump, Kifastsystemcallret, ldrpchecknxcompatibility, linker, loaded module, mov al, moveimages, next seh, non exec, nseh, ntsetinformationprocess, nx, ollydbg, optin, optout, partial overwrite, plugin, prevention, processexecute, protection, protectvirtualmemory, pvefindaddr, pycommand, python, ret2libc, safeseh, saved ebp, saved eip, se handler, se structure, sehop, stack, stack overflow, switch, virtual function call, vista, windbg, windows 7, xd, xp |
6 Comments »
Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
Author: Peter Van Eeckhoutte
Add this post to Your Favorite Posts
In the first parts of this exploit writing tutorial, I have mainly used Windbg as a tool to watch registers and stack contents while evaluating crashes and building exploits. Today, I will discuss some other debuggers and debugger plugins that will help you speed up this process. A typical exploit writing toolkit arsenal should at least contain the following tools : windbg (for a list of Windbg commands, click here) ollydbg immunity debugger (requires python) metasploit pyDbg (if you are using python and want to build your own custom debugger, as explained in the awesome Gray Hay Python book scripting tools …
Posted in 001_Security, Exploit Writing Tutorials, Exploits |
Tags: !aslrdynamicbase, !findtrampoline, address call, address jmp, aslr, buffer, byakugan, call esp, eip, esp, esp found, findreturn, found valid, hunt, identbuf, immdbg, immunity, jmp, jmp esp, jutsu, listbuf, memdiff, metasploit, msec, pattern_create, pattern_offset, pop, pycommand, ret, return address, rmbuf, safeseh, searchopcode, shellcode, valid return, vista |
8 Comments »