Introduction to Windows User Mode Exploitation pt. 2
Exploiting Stack Overflows: In this module we will work through a CTF-style target to learn how a memory corruption vulnerability can be used to control the execution flow of an application:
Enter [VulnServer](https://github.com/stephenbradshaw/vulnserver)!
But first, an introduction to stack buffer overflows.

```c
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char buffer[64];            /* fixed-size stack buffer */

    if (argc < 2)
    {
        printf("Error - You must supply at least one argument\n");
        return 1;
    }

    /* No length check: argv[1] longer than 63 bytes overruns buffer */
    strcpy(buffer, argv[1]);
    return 0;
}
```
The code above contains a buffer overflow: `argv[1]`, a string supplied by the user, is copied with `strcpy` into `buffer`, which can hold only 64 bytes. Because the length of the input is never checked, an overly long argument writes past the end of the buffer into the rest of the stack frame, so the application can be crashed, or exploited by overwriting the saved return address.
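As an added example (not part of the original post), the same program with the copy bounded by the size of the destination; `copy_arg` is a hypothetical helper that rejects an oversized argument instead of silently truncating it:

```c
#include <stdio.h>
#include <string.h>

/* Bounds-checked replacement for the unchecked strcpy(buffer, argv[1]).
 * Returns 0 and copies src into dst when it fits together with its NUL
 * terminator, otherwise returns -1 and leaves dst as an empty string.
 * Rejecting rather than truncating avoids acting on a shortened input. */
int copy_arg(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;

    if (dstsz == 0)
        return -1;
    /* Measure src without ever scanning past dstsz bytes */
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n >= dstsz) {               /* no room left for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);        /* copies the NUL as well */
    return 0;
}

/* Same shape as the vulnerable program, with the copy bounded by sizeof(buffer) */
int main(int argc, char *argv[])
{
    char buffer[64];

    if (argc < 2) {
        printf("Error - You must supply at least one argument\n");
        return 1;
    }
    if (copy_arg(buffer, sizeof buffer, argv[1]) != 0) {
        printf("Error - argument longer than %zu bytes\n", sizeof buffer - 1);
        return 1;
    }
    printf("Copied %zu bytes\n", strlen(buffer));
    return 0;
}
```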
Back to [Vulnserver](https://github.com/stephenbradshaw/vulnserver)
About VulnServer:
*Vulnserver is a multithreaded Windows based TCP server that listens for client connections on port 9999 (by default) and allows the user to run a number of different commands that are vulnerable to various types of exploitable buffer overflows.*
*This software is intended mainly as a tool for learning how to find and exploit buffer overflow bugs, and each of the bugs it contains is subtly different from the others, requiring a slightly different approach to be taken when writing the exploit.*
*Though it does make an attempt to mimic a (simple) legitimate server program this software has no functional use beyond that of acting as an exploit target, and this software should not generally be run by anyone who is not using it as a learning tool.*
Approach
- White Box, Black Box or Gray Box
- Static and Dynamic
- Reverse Engineering
- Obfuscation implemented?
Let's use a mix of Black Box, Static and Dynamic analysis, just for the fun (*and learning process*) of it.
Vulnserver consists of two binaries, vulnserver.exe and essfunc.dll. Running vulnserver from the command prompt gives the following response:
As the description states, vulnserver listens on port 9999 by default; we can confirm this with a simple `nmap` scan:
We connect with netcat on port 9999 (`nc 192.168.160.37 9999`) to establish a connection and pass our arguments,
then enter the HELP argument:
This is roughly how we would proceed in a black box analysis;
however, due to time constraints and because fuzzing is not covered (for now), we turn to reverse engineering to work out the logic of the application.
Enter IDA Pro:
There are many ways (which we won't cover, for now) to locate the commands seen above and understand their logic; for now we will simply look at the string values in IDA Pro (`Shift + F12`),
which points us to:
The first command we will interact with is the TRUN command, which offers a classic vanilla stack buffer overflow.
Onwards to part 3: Analyzing the application