Good day and thanks for an interesting article. Can you please explain a couple of things to me as well? 1. "After a push, ESP will point to a higher memory address. After a POP, ESP points to a lower address." Is this a mistake in the text? If the stack grows towards lower memory addresses, then after a push it will point to a lower address. 2. Why is ESP pointing not to the TOP of the stack, but to the local variables area? Thanks!
Hi, thanks for your comments. 1. You are correct – it's a mistake in the text… pushing something on the stack will make the stack pointer point at a lower address… I'll correct the text. 2. Can you open a forum discussion for your second comment, so we can talk about this offline (I don't want to make this comment section too lengthy…)? You can create a discussion at http://www.corelan.be:8800/index.php/forum/writing-exploits thanks
Hi, this is a very nice introduction. Trying to replicate it, I noticed the following: "101. That's the buffer length needed to overwrite EIP. So if you create a file with 25000+101 A's, and then add 4 B's (42 42 42 42 in hex) EIP should contain 42 42 42 42. We also know that ESP shows data from our buffer, so we'll add some C's after overwriting EIP. Let's try. Modify the perl script to create the new m3u file. my $file= "eipcrash.m3u"; my $junk= "A" x 26101; $file"); print $FILE $junk.$eip.$espdata; close($FILE); print "m3u File Created successfully\n";" 25000 + 101 = 25101 and not 26101. Is it a typo? The rest of the page goes with 26101 after that. Thanks, Dinos
Hmmm, good to see that people actually read this stuff 🙂 25000 + 101 is indeed 25101, but an offset of 26101 overwrites RET exactly… Let me reproduce the overflow again… I clearly must have missed something 🙂 I'll get back to you on this, thanks
ok – did some research and I found out that on my current systems, I’m getting an offset of 26094… (25000 + 1094). Apparently, while I was writing this tutorial, something must have gone wrong… Not sure what has gone wrong, but anyways, I have updated this tutorial with the correct offset… so things should make more sense now
Hello Peter, may I say I am really enjoying this tutorial, such a pleasure to read. One question, if you don't mind: why do we have a NOP slide of 25 bytes for the shellcode (at the beginning) before the calc execution? From what I understand, when the program returns after the unsanitised string/buffer, EIP will point to an address which will have the instruction/opcode of JMP ESP (located in a loaded dll), jump to ESP, ESP will be pointing to the first byte of the shellcode being the first NOP of 25, sliding to the calc code/instructions… I understand that NOPs are used as a way of giving a desired result when not having the exact calculation of address space/movement; is this the reason, as just a demonstration of good practice? PS I'm very new to the game of breaking things, so feel free, if you have the time, to correct me in all areas necessary 😛 Again thanks for your tutorial and work, I am sure many people are grateful. PS I have many other questions, but I will take it easy on you 😛
We know that when EIP points to the ret instruction that jumps to the "jmp esp", the ESP register points to the first byte in our shellcode. Now imagine that the ESP register points, for example, to the middle of the shellcode. In our shellcode, using the PUSH instruction is necessary, and we know that this instruction subtracts 4 from the ESP register and writes the pushed value. Here the value will be written over the shellcode instructions. In this case we must put a number of nops to avoid pushing values onto the shellcode bytes. In our example (Easy RM to MP3 Converter) we don't need to put nops because, as I mentioned before, ESP points to the first byte in the shellcode, so a pushed value will be written before the shellcode bytes. Hope you understand.
Hi, the nops are not necessary. If you can calculate the offsets and jump directly to the beginning of the shellcode, you don't need nops. I guess the nops in my example are just an introduction to the usage of nops and the fact that you can use them for padding/to allow you to be a number of bytes off/… (I have noticed, for example, that addresses changed by just a couple of bytes between physical machines and virtual machines, and in those cases nops can be very helpful.) If you have more questions, don't hesitate to ask them at our forum: http://www.corelan.be:8800/index.php/forum/writing-exploits thanks
I have read the tutorial and the other tutorials (very very very good…) but I have some problems with payload generation… I tried to generate the payload in metasploit, using msfweb and the command line ./msfpayload…, using different encoders, but none of them ran, except your payload and the payload of this exploit on milw0rm.com… Could you explain payload generation in more depth? Regards…
Hi Dovis, Can you please create a forum topic about your question ? I think it is a very good question, so I’d like other visitors to be able to read our discussion (and hopefully discussion) about shellcode as well Forum : http://www.corelan.be:8800/index.php/forum/writing-exploits/ thanks
Hello Pedro: I have read the tutorial; good tutorial, very well explained and organized. But I have a problem when I execute u (unassemble) followed by the address that was shown before entering jmp esp. It gives me the error of bad opcode in 'or 77f667cd'. What is the problem? Sorry, but my English is not very good. Thank you, Regards, Valentin
Hello Valentin, would you mind going to the forum (http://www.corelan.be:8800/index.php/forum/writing-exploits/) and creating a new topic for this? Don't worry about your English – I understand what you mean… and isn't that what a language should be all about? 🙂 thanks Peter
Hey bombard80, Issue is explained at http://www.corelan.be:8800/index.php/forum/writing-exploits/error-when-executed-u-unassemble-followed-by-the-address-that-was-shown-before-entering-jmp-esp/ Hope this fixes your problem
Hi, I am not a complete newbie in this field, but your tuts are still good reading. They remind me of Lena's RCE tutorials: good quality, and understandable for the beginner. So, thanks for doing this. One note about this first tutorial: greyhat99 asked in one of the comments if the nopsled before the actual payload is necessary, and you answered him no. In fact, the nopsled is necessary if you are using the x86/shikata_ga_nai encoder*, because it makes a fstenv [esp-c], which stores 28 bytes starting at 12 bytes below the top of the stack. This means that 16 bytes of our shellcode will be overwritten, very likely including some bytes** we haven't executed yet. Obviously, this would mess things up, hence the need for the nopsled.
* I don't know about the others, I only debugged the first 144-byte calc.exe payload
** In the case of the 144-byte calc.exe payload, exactly 3 not-yet-executed bytes are overwritten, so a 3-byte nopsled is enough.
regards, sghctoma
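The point made in this comment, and in the earlier comment about a PUSH inside the shellcode writing below ESP, can be checked with a small model. This is an added example, not code from the tutorial or from either commenter; the stub layout used in demo() (the byte after the fnstenv store at offset 13) is an assumption chosen so the model reproduces the 3 bytes reported above.

```python
# Constructed model of a payload that runs at ESP and stores to the stack
# below ESP.  Addresses are relative to the start of the buffer that JMP ESP
# lands in; the decoder layout in demo() is assumed, not taken from the page.
from dataclasses import dataclass


@dataclass(frozen=True)
class StackWrite:
    """One instruction inside the payload that stores to the stack."""
    name: str
    start_from_esp: int  # lowest address written, relative to ESP at write time
    size: int            # number of bytes stored


# fnstenv [esp-0xc]: the 28-byte FPU environment lands on ESP-12 .. ESP+15,
# i.e. it reaches 16 bytes *above* ESP, into whatever ESP points at.
FNSTENV = StackWrite("fnstenv [esp-0xc]", -12, 28)
# push reg32: ESP -= 4, then the value is stored at the new ESP (ESP-4 .. ESP-1)
PUSH32 = StackWrite("push reg32", -4, 4)


def clobbered_unexecuted(write, esp, code_start, code_len, next_ip):
    """Number of payload bytes in [next_ip, code_end) that `write` overwrites.

    esp        ESP at the moment the store executes
    code_start first byte of the decoder/shellcode, code_len its length
    next_ip    address of the instruction following `write`; bytes before it
               have already been fetched, so overwriting them is harmless
    """
    lo = esp + write.start_from_esp
    hi = lo + write.size                      # exclusive upper bound
    unexec_lo = max(code_start, next_ip)
    unexec_hi = code_start + code_len
    return max(0, min(hi, unexec_hi) - max(lo, unexec_lo))


def min_nopsled(write, next_ip_offset):
    """Smallest NOP sled in front of the code (ESP on the sled's first byte)
    that keeps `write` below the still-unexecuted bytes.  next_ip_offset is
    the offset, from the first decoder byte, of the instruction after `write`.
    """
    top_written = write.start_from_esp + write.size  # exclusive, relative to ESP
    return max(0, top_written - next_ip_offset)


def demo():
    code_len = 144                   # size of the calc.exe payload discussed above
    # ASSUMED stub layout: the byte after the fnstenv store sits at offset 13.
    # Chosen so the model reproduces the 3 bytes reported in the comment; the
    # real decoder layout is not on this page.
    after_fnstenv = 13
    # (a) ESP points at the first decoder byte, no sled: 3 unexecuted bytes hit
    without_sled = clobbered_unexecuted(FNSTENV, 0, 0, code_len, after_fnstenv)
    # (b) the sled the model says is needed, and the result once it is in place
    sled = min_nopsled(FNSTENV, after_fnstenv)
    with_sled = clobbered_unexecuted(FNSTENV, 0, sled, code_len, sled + after_fnstenv)
    # (c) the push case from the earlier comment: harmless when ESP is at the
    #     start of the code, destructive when ESP points into the middle of it
    push_at_start = clobbered_unexecuted(PUSH32, 0, 0, code_len, 10)
    push_in_middle = clobbered_unexecuted(PUSH32, 40, 0, code_len, 10)
    return without_sled, sled, with_sled, push_at_start, push_in_middle


if __name__ == "__main__":
    print(demo())  # (3, 3, 0, 0, 4)
```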
Hi Peter, your tutorial is good and helpful for beginners. But can you please explain how to find the vulnerable function (the one that calls strcpy()) or how to reverse engineer it? Abhijit
Hi, reverse engineering is out of scope for this exploit writing series (it would require an entirely new set of tutorials by itself…). So apart from saying "look at the 'call stack' when the application crashes", there's not much I can tell you right now. Sorry bro, Peter
Hi, to follow your tutorial I’m using a Windows XP SP3 ENG virtual machine (the same as yours I think) but in my case the buffer (“my $junk”) needed to crash the app isn’t “26094” but “26046” and dlls like “MSRMCcodec02.dll” are loaded in different address spaces, in fact the “01ccf23a” return address doesn’t work for me. Can you tell me why? Is it possible that these differences are related to the different patch-level of the XP SP3 operating system? Anyway… thank you for these tutorials, they’re great.
This gave clarity on hundreds of topics I’ve heard about/read about/tried myself. I’ve been wanting to learn exploitation for years, and I’ve searched… For years. This tutorial accumulates greater insight on the topic than thousands of forums and wikipedia and other tutorials combined, good job.
Great article, one of the best starting tutorials I've ever read! Got some different values under Windows XP SP3 DE (German) in a VM; in my case the "junk" is 26068 and the address is 0x01e1f23a. Thank you very much, great job!
Thanks for your feedback. The fact that you discovered the different offset and found a working address means that you understand the tutorial… good job sir!
Thank you so much for some great articles. I did have a question about one though. I have been doing these in XP and going back to do them in Windows 7. Using the example here (Easy RM to MP3), the only way that I could get it to work across reboots was a partial overwrite of a direct address somewhere in the 26000+ buffer, having that surrounded in the middle of 200 NOPs -> to slide to my shellcode. So my two questions are… If there is no good jmp/call function in a non-ASLR file, is this a repeatable method across many computers? Are all metasploit payloads designed to work with Windows 7? (i.e. finding base addresses) (It took me a while to realize \x0a was an invalid character for my calc.exe execution, but did get that one working.) Thanks again for the tutorials, they were really interesting.
"If there is no good jmp/call function in a non-ASLR file, is this a repeatable method across many computers?" Could be – a partial overwrite can help bypassing ASLR in a reliable way. "Are all metasploit payloads designed to work with Windows 7? (i.e. finding base addresses) (It took me a while to realize \x0a was an invalid character for my calc.exe execution, but did get that one working.)" The ones in metasploit 3.3 should be – but I haven't tested all of them. Of course, you would still need to filter bad chars (as you have already figured out), but that's a different issue 🙂 Glad to see you like the articles. If you have further questions, please use my forums. thanks Peter
Hello Peter, and THANK you for the tutorial (it should really be taught in programming courses); I will definitely be reading all the series till part 9. I replicated the exercise on Windows 7 and it worked very well (I am putting in EIP the address of an FF E4 instruction present in one of the Windows DLLs). After a reboot the exploit won't work (the address in EIP does not contain an FF E4 instruction) and all Windows DLLs are loaded in different locations in memory. I think stdio in the post before me found a solution (but I didn't understand it); can you clarify it please? Thanks.
Hello, Windows 7 = ASLR. So it's normal that the DLLs will be in a different location. The base addresses of DLLs are randomized. If you have further questions, don't hesitate to create a post in the forum (http://www.corelan.be:8800/index.php/forum/exploit-writing-win32-stack-bof-direct-ret/) thanks
Hello, thank you very very much for all the tutorials! They are awesome. I try to learn as much and as fast as I can, and reading your article on the "Hacking Tournament" shows me how far it can go. I've tried this on Win7 and after some tries I got it to work stably. I've restarted to see if ASLR destroys my work but it doesn't. I'm running Win7 Prof Ver 6.1.7600 English… [code removed] regards
nice – good feedback ! can you please create a forum post about your code and post it there ? http://www.corelan.be:8800/index.php/forum/exploit-writing-win32-stack-bof-direct-ret/ thanks
The post is named "Make Tutorial 1 Work on Win7", but I don't know why, when I post it, all the backslashes get lost, so you have to add them.
I just want to say thanks for these tutorials and for behaving modestly. I have read this tutorial and the discussion for two weeks; now I understand it very well. Thanks again 🙂 best wishes
Wow! Super tutorial. I have one question; Why do you need this: my $shellcode = “\x90” x 25; before the actual shellcode?
Well, you don't really need it. Using a bunch of "\x90" (NOP or NO Operation) before the shellcode allows you to be a few bytes off when jumping to your payload. Things should become clear as you work your way through the next tutorials, and if not, don't hesitate to create a post in the forum.
Hi Peter, amazing tutorial. You are truly talented. I have a question though; I'm not sure if someone else asked this but… here it goes. Why was my offset slightly different? My EIP offset was 26075. Also my JMP ESP was a different hex value too: it was 0x01aaf23a. Am I doing something wrong when working on this?
Hi, thanks for your kind words. The offset would be different if the m3u file is in a different path. You are not doing anything wrong – just keep in mind that most of the DLLs are getting rebased, so you may have to look for a jmp esp pointer in MSRMfilter03.dll (which does not get rebased). (Also, check out the forums: http://www.corelan.be:8800/index.php/forum/exploit-writing-win32-stack-bof-direct-ret/, you may be able to find some answers there as well.) cheers
Hello Peter, this is a superb article. I can't stop myself from commenting on this article; you are doing a great job. But while I was trying to replicate this example, it is working fine up to the point where we want to execute calc.exe, but as far as the shell_bind_tcp payload is concerned, we are supposed to generate it using the metasploit framework, and it's not working. I have tried creating it through ./msfpayload, ./msfweb and even through fast-track scripts. I have also tried encoding it with alpha_upper, alpha_mixed etc. But nothing seems to be working, and then I tried to look it up in ollydbg; what I have found is that whenever I drop my crasher.m3u file in the rm2mp3 converter utility, there is an error in the status bar that there is some access violation error when it goes through the shellcode. Please help. Thanks in advance, Ishan Girdhar
Hello Ishan, Can you take a look at the posts in the forum : http://www.corelan.be:8800/index.php/forum/exploit-writing-win32-stack-bof-direct-ret/ If you can find the answer/solution to your problem, feel free to post a new topic cheers Peter
Hello Peter, first of all many thanks for this great tutorial 🙂 (sorry, my English is bad ^^). I don't understand this picture (http://www.corelan.be:8800/wp-content/uploads/2010/08/image_thumb7.png): why is "ptr buffer" after EIP and EBP? "ptr buffer" is an argument of the do_something function, so I think it has to be the first on the stack, no?
ptr buffer ; push
EIP ; call do_something
EBP ; push ebp ; mov %esp, %ebp
Myvar ; sub esp, x98
Can you help me? thanks raylook
hello raylook, can you post your question in the forum please ? http://www.corelan.be:8800/index.php/forum/exploit-writing-win32-stack-bof-direct-ret/ thanks
Also got a version running *nice tuto* 🙂 -> http://pastebin.com/2NgJb33H <– as you told me, it includes ascii and greetings ;D If somebody is interested: you don't need the alpha-encoder, the badchars are simply "0x00" "0x09" and "0x0a", so with those as badchars you can simply use shikata_ga_nai \o/
The pointer is in the same .dll you used in the tutorial: "We'll look in the area of C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll. This dll is loaded between 01b10000 and 01fd000. Search this area for ff e4 :" I just read about the "dll rebase" problem: http://www.codeproject.com/KB/DLL/RebaseDll.aspx http://social.msdn.microsoft.com/forums/en-us/windowssdk/thread/E65E5454-A35C-4DFD-9532-9284460310E1 http://www.drdobbs.com/184416272;jsessionid=USKBZ45RJESF3QE1GHOSKHWATMY32JVN And now I am a bit confused/scared about what can be done against it. The only idea I can think of is to use a "jmp esp" from the Windows core DLLs, but if those are compiled with security compiler options it may fail too. So what's the best solution then?
The solution is here: http://www.corelan.be:8800/index.php/forum/exploit-writing-win32-stack-bof-direct-ret/problem-with-jmp-esp-on-tutorial-1/ (basically, use immunity debugger and use "pvefindaddr j -r esp -n -o" – it will get you reliable pointers). In the output j.txt file, you'll see a module table. Look for the Fixup column. If it says "NO", then it will most likely be reliable.
THX a lot for your advice Peter (hey, it even made me donate ;D)! !pvefindaddr j -r esp -n -o. -o because we don't want Windows DLLs in case e.g. ASLR is used on them (Vista and so on), right? Found this one which should do the same for me as "jmp esp": Found push esp – ret at 0x1001B058 [msrmfilter03.dll] ** {PAGE_EXECUTE_READ} [SafeSEH: ** NO ** – ASLR: ** No (Probably not) **] [Fixup: ** NO **] – C:\Programme\Easy RM to MP3 Converter\MSRMfilter03.dll That "Fixup: NO" means that the dll wants to get loaded at its preferred dll base address, or it will make the application fail to load if it cannot load there, since it has no "fixup"/rebase alternative addresses, is that correct? So that's the reason why it should be reliable, because that dll does not like to be put anywhere else?
Absolutely correct!
j = look for "jmp" (could be jmp, call, or push + ret)
-r = register to look for
-n = no null bytes
-o = no OS DLLs (ASLR, but also… just OS DLLs -> transportability issue)
thanks for the donation – much appreciated and very welcome sir!
Hi all, I'm going through this tutorial and have hit a bump in the road. When I have created the crash25000.m3u and drag it into the app, the damn thing will not crash.. A window comes up stating: "Failure in loading the file c:\documents and settings\administrator\desktop\(Gk4Gk5Gk)! error code: -71, please contact…" But the app has not crashed… Hope somebody has some help.. 8) Take care.. m0bp3t
Hello, very nice introduction 🙂 Congrats! There is one tiny bug I think 🙂 You have left a \x00 byte in the final shellcode on line 4. It seems to work when it is replaced with \x41.
Hey, thanks ! Re: the bug : I did it on purpose (as you can read just above the final exploit code : “P.S. I have manually broken the shellcode shown here“) 🙂
Great, mate. I have worked through this over a course of days after seeing it linked in the security tube metasploit mega primer. Got everything working, but without a word of a lie I had no idea what was wrong with the shellcode until I read the post where someone drops the spoiler. Thanks again, will be working through the rest now.
This may be a stupid question, but it's been bothering me since I read the article. My question is simply, why not overwrite EIP with the direct (absolute) address of the shellcode? I assume it's because the function call sequence can be different with each invocation. With a different call sequence the stack frame would always be the same (let's say, for example, relative to ESP +/- some number) but the frame itself could be placed at different locations, so using an absolute address would fail! Is this the reason? Thanks in advance, Dr. Morbius.
that is part of the reason (stack address would be randomized). second issue would be null bytes (as stack address usually starts with a null byte). In this example, the overflow is based on a string and the null byte would break the input. Hope this helps
Awesome work. I’ve been looking for a resource like this off and on for years. Most other resources that bring in debuggers don’t communicate in a way that can be understood by someone seeking to learn. Keep up the good work. This is truly fantastic.
Amazing work!!!! Want to do all of them, now! I followed the instructions and I would like to make it work on my Win7, but I think I have to study much more 🙂 However this is f***ing interesting… As dovis said, I was able to get the calc.exe shellcode/payload working (XP SP3) but not any shell (bind_tcp, reverse) with both the x86/shikata_ga_nai and x86/alpha_upper encoders… I tried windows/exec too (explorer.exe). Many many thanks for this work and for the effort, it is always a pleasure to read such well organized information 🙂
Thanks sir, I have heard a lot about you, so I'm attending your own space to watch your job. Kindly, I'm a complete newbie in this scope and I really want to learn how I can discover a vulnerability in programs. There are so many things in this tut which I have no idea about, so if you have any reference for a beginner to start with, in order to continue with your tutorials, I'll be very glad. So many definitions aren't clear for me. thanks peter van
I've written this script in python (tested on winxp home sp3): junk = 'A' * 26051 #01b1f23a [removed] f.close() Edit: please post exploits in the forum – tx
Thanks for the nice tutorial, I had a small problem on the final step, getting shell with bind_tcp 4444 shellcode, I asked it here : https://www.corelan.be/index.php/forum/exploit-writing-general-questions/problem-with-tutorial-1-exploit-writing-getting-shell/ Thank you
Hello again 😀 Just to say that the src images pointing to "http://www.corelan.be:8800" don't work, especially at the beginning of the tutorial.
Hi Peter. First of all, I would like to thank you very much for dedicating part of your time to writing these amazing tutorials. I'm studying hard for the Offensive Security Certified Expert (OSCE) exam and your tips are helping me a lot. Also, I can see that you are very attentive, answering all the questions, and I would like to thank you for this too. I have one question about the LEAVE instruction: when you say that "The epilog instruction is executed by a LEAVE instruction (which will restore both the framepointer and EIP)", wouldn't it be "which will restore both the framepointer and ESP", as EIP is restored by the RET instruction? Thanks again, sorry for my English mistakes, and congratulations on your job!
Hello sir, I am new to exploit development but I know how to do reverse engineering on several pieces of software. I have a problem regarding your first exploit tutorial: I am confused whether I should open the RM player first, attach the process to the debugger and then open the vulnerable file, or first open immunity debugger (my favorite), then open the RM player in it and then open my vulnerable file. I am using the Win 2003 server platform. One more thing, I want a suggestion from you: is there any book on Ruby and Python language tutorials which could help in exploit development, as I am very new to languages like Ruby and Python? Waiting for a reply soon, Swapnil (India)
@ ghochu: there are links to pdf versions of the tutorials at the top of the pages. You must be logged in to download them. @ Swapnil: did you find the references to the book that you were asking about? I'm also interested in this kind of material. Thanks, Mateus Tymbu (Brazil)
Hi, please correct me if I'm wrong. Stack layout:
Parameters
EIP
Saved EBP
Local Variables
If we overwrite EIP with AAAAs, EBP should also be overwritten (since it's before (in the higher address)). But in the debugger EIP is 41414141 but EBP is something else. Can you explain that?
Thanks for the reply, and for this great tutorial. Additionally, images are loaded now; my firewall was blocking this port.
corelanc0d3r, I just registered here to congratulate you. Your tutorial is awesome and well written. It's a great initiative! Thanks.
Great tutorial! I was able to duplicate everything besides the Telnet example =/. I even went to metasploit and created the shell for bind_tcp, but it still did not work. I guess I'll keep going and hope I don't get stuck anywhere else. Thank you for the tutorials!
Hi, this is a really great tutorial but I'm not getting this one thing: how is ESP overwritten after EIP? Can you explain that?
Just a little note: if your converter program expires, I would say that 00419359 would be a nice address to take a look at. You will find it with NOProblem. pr0m
For those who have problems with creating shellcode:
1.) Try omitting "\x00" and "\x0a" in the shellcode.
2.) For beginners, open Backtrack 5 and type this in a terminal: msfvenom -p windows/shell_bind_tcp -e x86/shikata_ga_nai -b '\x00\x0a' -f perl EXITFUNC=seh LPORT=4444 A shellcode will be generated.
msfvenom – tool to encode the payload
-p – payload name
-e – encoder
-b – bad characters to omit (in this case "\x00" and "\x0a")
-f – output (programming language) format
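A check a practitioner would want after running a command like the one above: confirm that the generated bytes really contain none of the bad chars named in this thread (\x00, \x09, \x0a). This is an added example, not part of the comment; the sample text in SAMPLE_PERL is constructed in the layout msfvenom -f perl prints and is not a real payload.

```python
# Added example: pull the raw bytes out of the "\xNN" string literals that
# msfvenom -f perl prints, then report every bad-char occurrence with its
# offset.  SAMPLE_PERL is constructed for illustration, not a real payload.
import re

BAD_CHARS = b"\x00\x09\x0a"   # the bad chars reported in this comment thread

# Constructed sample in the -f perl layout; these are NOT real payload bytes.
SAMPLE_PERL = r'''
my $buf =
"\x90\x90\x41\x42\x00\x43" .
"\x0a\x44\x09\x45";
'''

_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')   # one "..." chunk
_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')           # one \xNN escape


def parse_perl_shellcode(text):
    """Return the bytes encoded by every \\xNN string literal in `text`, in order."""
    out = bytearray()
    for chunk in _LITERAL.findall(text):
        # "\x90\x41" -> "9041" -> b"\x90\x41"
        out += bytes.fromhex(_ESCAPE.sub(r"\1", chunk))
    return bytes(out)


def find_bad_chars(payload, bad=BAD_CHARS):
    """List (offset, value) for every byte of `payload` that is in `bad`."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def report(text, bad=BAD_CHARS):
    """Parse a -f perl dump and summarise it: (length, [(offset, value), ...])."""
    payload = parse_perl_shellcode(text)
    return len(payload), find_bad_chars(payload, bad)


if __name__ == "__main__":
    length, hits = report(SAMPLE_PERL)
    print(f"{length} bytes, bad chars at: "
          + ", ".join(f"offset {i}: 0x{b:02x}" for i, b in hits))
```

An empty list from find_bad_chars means the encoder honoured the -b list; any hit is a byte that will break the m3u input before the payload runs.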
Thanks for the tutorial, I want to add something, which is that writing the return address of the instruction "jmp esp" that is located in the program's DLLs does not work, because the address of the instruction is not static. The solution is to write the return address of a jmp esp instruction that is located in system DLLs (e.g. "kernel32.dll"); that will work well. But the main problem is developing shellcode free of null bytes. I don't want to use others' shellcodes, because "Hackers are not users, they are creators". I would like to thank you again for the tutorial, best wishes
Thanks for this awesome tutorial.. I have a question.. I'm not able to see any related values in my ESP.. I've managed to write EIP using 40000 A's and a 5400 pattern, but somehow when I entered "d esp" it always returns some other unrelated characters. My offset is 5377, so I tried to write 45377 A's, 4 B's and 1000 C's; my ESP values are never 434343… What does that mean? Am I doing something wrong?
Hi Peter, first of all thank you for all of your work, it is very helpful! I've a little question about the figure: https://www.corelan.be/wp-content/uploads/2010/08/image3.png Why do you represent the stack above the heap? I regularly see diagrams representing the memory this way: http://www.cs.rit.edu/~hpb/Lectures/SIA/OS1/UsedGif/5_heap_and_stack.gif It confuses me a lot 😉 Thanks again. ++