Posts

Introduction to Windows User Mode Exploitation pt. 6

Image
 EggHunters with SEH LTER  Since we currently have gone through: - Vanilla Stack Buffer Overflow `TRUN` - Structured Exceptional Handler Stack Buffer Overflow `GMON` - Stack Buffer Overflow (Multistage exploit) using EggHunters  `KSTET` We we look at SEH but this time with Bad-Characters and use of Custom Encoders and a staged payload (with socket reuse) , I would suggest we use Mona as its still functional and also its allowed in the OSED exam (This serves as tutorial to someone who wants to learn Mona too) We start off by installing mona.  I use this handy script I have modified from [here](https://github.com/epi052/osed-scripts/blob/main/install-mona.ps1) : Loading Mona is simple, a few commands you should know:  `.load pykd.pyd` `!py mona` **It should be known Mona is its own stand alone tool, but it has been integrated into WinDBG with a wrapper around pykd.pyd, Mona has been integrated into ImmunityDBG too.** (also a good & longer [cheatsheet](https://...
Post a Comment
Read more

Introduction to Windows User Mode Exploitation pt. 5

Image
 Introduction to Windows User Mode Exploitation pt. 5 EGGHUNTERS KSTET So far we know the drill ... crash the application, threw 250 bytes or so at it : we can do better by analyzing the disassembled code above, we can see it first compares a 6byte header "`KSTET `" and then only copies 100bytes of our input, that will be later passed to `_Function2`  Looking at `_Function2` it seems it can only handle 72 bytes, meaning we can crash this, lets find the offset but first we check if we can crash it by randomly sending anything more than 100 i sent 253 We proceed with looking for the offset to control the `EIP`  so offset is at 70, we try it out and this is the result:  and we are spot on : Sadly we do not have enough space for a shell code , seeing we have very limited space , barely 20 bytes : we can use the 20 bytes to create a short jump to our 70 sized buffer but still that isn't enough, hence enters : `EggHunters` : this a first time shellcode that we can search (...
Post a Comment
Read more