Do you plan other parts of this great tutorial series? I think porting the stack-based bof information to heap-based bof, integer overflow and format strings would be interesting for many. Also, more details on the rest of functionalities of WinDBG Byakugan extension and OllyDBG different plugins would be much appreciated.
If I can find some more time to continue the series, I’ll certainly consider it… 🙂 So: anyone out there willing to join forces and participate in writing more tutorials, let me know!
Great tutorial. About the previous message: I’m right now learning about fuzzing, file format fuzzing to be precise. I would like to put in my inputs as well, but I’m no expert. I would like to contribute, but don’t know how?
Hey cr01nk, any input, regardless of the level (beginner, intermediate, expert) is welcome. If you have enough material, you could write a guest article based on your experience with fuzzing. We can review it together and we’ll put it on the website. If you don’t feel comfortable doing that, you can also open a forum topic about fuzzing, so other people can discuss the topic and share their own info. I am currently thinking about writing my own file fuzzer, so the timing to start writing about fuzzers would be perfect. Let me know what you want to do and we’ll make it happen.
When I attach a process (trying with warftpd) to OllyDbg, I break at ntdll.DbgBreakPoint. When I press F9 the process terminates. Can anyone provide any suggestions?
Can you create a forum post about this? (http://www.corelan.be:8800/index.php/forum/writing-exploits) Thanks
Peter, excellent, high quality work as always! Much appreciated, please keep ’em coming 🙂 FYI, for anyone having issues debugging the basicbof.exe from the SafeSEH part, one way to debug the application *and* send it special characters at the same time is, in the scripting language of your choice: system("debug.exe " + "C:\\path\\basicbof.exe " + "AAAA…") Thanks!
To compile the code at the top of the article in gcc on Windows (using MinGW) I used: D:\MinGW\bin>g++ vuln.cpp -static -lws2_32 -o vuln.exe and D:\MinGW\bin>g++ vuln.cpp -fstack-protector-all -static -lws2_32 -o notvuln.exe. The -static flag is not required if you plan on running it on that system, but you might want it if you plan on compiling it on your main system and then copying the exe over to a VM, and don’t want to drag over a bunch of DLLs as well. The -lws2_32 is necessary or you will get lots of errors. And of course the -fstack-protector-all flag is the equivalent of the /GS flag in VS 2008.
If anyone is looking for a copy of an older version of MS VC++ Express Edition: Visual C++ 2005 Express Edition: http://go.microsoft.com/fwlink/?LinkId=51410&clcid=0x409 Visual C++ 2008 Express Edition: http://www.microsoft.com/express/Downloads/#2008-Visual-CPP
Hello Peter, thanks for all your tutorials 🙂 I have a question about the bypassing SafeSEH part: I don’t understand how “jmp dword ptr [ebp+0x30]” can be equivalent to pop/pop/ret. The nSEH is at esp+8, right? Why did you choose “ebp+30”, is this an arbitrary value? ^ ^ Thanks, sorry for my English.
I don’t understand it either. I launch safeseh.exe in Olly with $seh = "\xcc\xcc\xcc\xcc". On my system: ebp = 12F86C, call [12F89C] = call 12FE7C, it’s really EB F9; my overwritten nSEH: look at ebp+0c, ebp+24 etc. = 12FE7C. But why at EBP+30 is there a ref to nSEH? Maybe it is some SEH chain definition?
Just look at the stack and at the registers. In most cases, EBP+30 points to a location that has a pointer to nSEH, so you can simply call it.
I read Litchfield’s paper, but he writes about it as simply as you do, only “ebp+nn”. But why is this stack structure organized such that [ebp+30] is a reference to nSEH? If you know an article about it, please say.
Hi, great tutorial. 1. How can I use the stack cookie protection with Dev-C++ or Borland C++? 2. When I compile a file in VS2008 it generates an .exe plus 2 files for linking, so when I debug the .exe, I see obfuscated code and an OllyDbg message saying that the PE is outside the .exe. How can I compile in VS2008 without this problem? Thanks in advance and forgive my poor English.
Hi, I don’t think you can enable the protection in Dev-C++; not sure about Borland C++ either. About VS2008: I don’t think you can change that behaviour either, it’s just the way the compiler works, I think.
Hi, when you compile with VS2008 and open with OllyDbg, do you get obfuscated code? If not, please give me a link to your version of Visual C++ 2008 (if local, better). Note: I have been stuck at this point for a week and I really want to follow along. Help me please. Thanks for your early reply.
Hi Peter, great tutorials, a small mistake in the chapter about partial overwrites to bypass ASLR though (I think): 0x12345678, it is stored like this: LOW HIGH 87 65 43 21. Should be: LOW HIGH 78 56 34 12
Another thing that might be a mistake (or I got it wrong, which is easily possible), also in the chapter about partial EIP overwrites: “So the exploit would only work if you can find an address that will do the jmp edx/… in the address space 0x011e00XX. And that limits us to a maximum of 255 addresses in the 0x011e range” Then all the instructions in the 0x011e01XX range are listed, but it should be the 0x011e00XX range, I think, which is the PE header. I checked only three different programs, but in none of them did the disassembled PE header include any useful jump instructions, neither in the first 255 bytes, nor afterwards. So I guess you’d have to be really, really lucky to be able to use that technique? Again, thanks a lot for those tutorials, they’re incredibly useful, very well written and comprehensible, great job!
Your observation is correct… In the case of a strcpy(), you are very limited. If it had been a memcpy(), you would be able to search for instructions in 0x011exxxx, giving you a lot more possibilities.
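The two comments above make a byte-level point that is easy to get backwards: on x86 a 32-bit value is stored low byte first, so 0x12345678 sits in memory as 78 56 34 12, and a partial overwrite that only reaches the first one or two bytes changes only the low end of the value. The code below is an added example written for this thread, not code from the Corelan tutorial or its author. It models the two copy behaviours the reply contrasts on a plain uint32_t held in a local byte array (no real overflow is performed): a memcpy-style overwrite changes exactly n bytes, while a strcpy-style overwrite changes n bytes and then forces the next byte to 0x00 with its terminator. That forced NUL is why a strcpy-based overflow leaves an address of the form 0x011e00XX, with at most 256 candidate locations, whereas memcpy would leave 0x011eXXXX. The sample saved value 0x011e4567 and the bytes 0x41 0x42 are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write the little-endian (x86) memory layout of v into out[0..3].
 * Done with shifts rather than a pointer cast so the result does not
 * depend on the byte order of the host running this example. */
void le_bytes(uint32_t v, uint8_t out[4]) {
    out[0] = (uint8_t)(v & 0xff);          /* lowest address: 0x78 for 0x12345678 */
    out[1] = (uint8_t)((v >> 8) & 0xff);
    out[2] = (uint8_t)((v >> 16) & 0xff);
    out[3] = (uint8_t)((v >> 24) & 0xff);  /* highest address: 0x12 */
}

/* Reassemble a 32-bit value from its little-endian layout. */
uint32_t from_le(const uint8_t in[4]) {
    return (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
           ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
}

/* memcpy-style partial overwrite: exactly n bytes (n <= 4) replace the
 * low end of the saved value; nothing else is touched. */
uint32_t overwrite_memcpy(uint32_t saved, const uint8_t *src, size_t n) {
    uint8_t buf[4];
    le_bytes(saved, buf);
    if (n > 4) n = 4;
    memcpy(buf, src, n);
    return from_le(buf);
}

/* strcpy-style partial overwrite: n bytes are copied and then the NUL
 * terminator lands on byte n, so n+1 bytes change and byte n is 0x00. */
uint32_t overwrite_strcpy(uint32_t saved, const uint8_t *src, size_t n) {
    uint8_t buf[4];
    le_bytes(saved, buf);
    size_t i;
    for (i = 0; i < n && i < 4; i++)
        buf[i] = src[i];
    if (i < 4)
        buf[i] = 0x00;   /* the terminator strcpy always appends */
    return from_le(buf);
}

int main(void) {
    uint8_t layout[4];
    le_bytes(0x12345678u, layout);
    printf("0x12345678 in memory (low -> high): %02x %02x %02x %02x\n",
           layout[0], layout[1], layout[2], layout[3]);

    const uint32_t saved = 0x011e4567u;          /* constructed sample value */
    const uint8_t two[2] = { 0x41, 0x42 };       /* constructed sample bytes */
    printf("memcpy, 2 bytes : 0x%08x\n", overwrite_memcpy(saved, two, 2));
    printf("strcpy, 1 byte  : 0x%08x\n", overwrite_strcpy(saved, two, 1));
    printf("strcpy, 2 bytes : 0x%08x\n", overwrite_strcpy(saved, two, 2));
    return 0;
}
```

The strcpy cases show the limitation the reply describes: writing one byte keeps the upper three bytes of the original (0x011e00XX), so the high bits of an ASLR-randomised module base survive but only the low byte is under the copy’s control, and writing a second byte pushes the terminator into the third byte and breaks the 0x011e prefix entirely.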
Just a question. When you do this section: one jump (back) at nSEH (7 bytes), which will put EIP at the end of the buffer before hitting the SE structure; execute a jump back of 400 bytes (-400 (decimal) = fffffe70 hex). The number of NOPs before putting the shellcode was set to 25 (because the shellcode will not properly run otherwise); we’ll put the shellcode in the payload before the SE structure was overwritten. Why do you do a jump back of 400 bytes? Wouldn’t we need more to reach our shellcode? Like about 500 bytes? Thanks.
Hi Peter, there is a little mistake in “Disabling HW DEP (Windows 2003 SP2): demonstration”. In the description of the screenshot you have written: “So, the value at [ebp-4] is compared, a jump is made to 7c83f54”. Correct the address to 7c83f54e 🙂 The e is missing. Anyway, awesome effort.
Hi Peter, I have gone through the SEHOP article by Sysdream. They have just introduced the xor p/p/r, but the article is not informative in itself, so can you please give me additional links when you get time?
Hi Peter, when I opened the vulnerable.exe in WinDbg I got this error: ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll – ntdll!DbgBreakPoint: 7c90120e cc int 3 and when I typed the command "uf pr", I got this error: Operation not supported by integrated managed debugging. error at ‘pr’ Can you tell me where the problem is?
Hey Peter, I am also having trouble with the “uf” command in windbg. I have tried to do my best to look for the answer elsewhere, but it seems that there really isn’t a lot of documentation. Also, the command seems to work for the most part with everyone else. I feel like I am missing some kind of fundamental principle, but I don’t know what it is. Your help will be greatly appreciated. Thanks, Ian
To compile and debug, as per the tutorial, the ‘vulnerable server’ C++ code in Visual Studio C++ 2010, you’ll also have to disable Common Language Runtime support in the Project Properties by setting it to ‘No Common Language Runtime Support’. I also had to include: #include "stdio.h" #include "tchar.h"
This should fix the ‘Operation not supported by integrated managed debugging.’ error. Also, using .sympath http://msdl.microsoft.com/download/symbols followed by .reload should fix the ‘ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll –’ error. P.S. Is there an equivalent of ‘uf’ or ‘u’ in Immunity?