
Thread: AWBO Buffer Overflow Exercise

  1. #1
    Just burned his ISO
    Join Date
    Oct 2009
    Posts
    8

    Default AWBO Buffer Overflow Exercise

    Hello,
    I'm pretty new to developing exploits and I'm trying the awbo exercises, which can be found at snort.org/vrt/tools/awbo.html ... I've successfully triggered the vulnerability (on the first exercise), which is a SEH overflow...

    At my current level of knowledge I'm stuck on 3 points:

    1 - The payload I need to jump to is located before the SEH overwrite
    2 - The opcodes for a JUMP SHORT do not work (bad chars, I believe...); another problem is that I need to jump back more than 128 bytes, so a SHORT jump won't reach anyway
    3 - The opcodes required to decode the payload seem to be blocked (x86/alpha_upper); I've also tested x86/alpha_mixed...

    Is there any tool which generates a list of opcodes that I can insert as a payload and then analyse which are the bad chars?
    What about the other issues I've mentioned?

    Any help is appreciated! Thank you.

  2. #2
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    18

    Default

    Hmmm, I'm pretty new to exploit development also. How about generating a string with the entire ASCII set (omitting the null character, of course)? Send that in the buffer and check it out through the debugger. See what gets filtered and exclude those characters as bad. I guess you might need to run it through several times to get all the bad chars.

    That's the advice given in the Shellcoder's Handbook in any case, and it seemed to work for me.

    I'd also appreciate any recommendations on a better way. Oh, thanks for the tip on the awbo exercises as well; I hadn't seen those before so extra practice ahead!

    As for the tool to find opcodes: msfpescan maybe?

    I'm very new to jumps so haven't had much experience there sorry. Is there such a thing as a LONG jump though or can you use two SHORT jumps?

    Cheers

  3. #3
    Just burned his ISO
    Join Date
    Oct 2009
    Posts
    8

    Default

    Thanks for the help F1gureF0ur!
    I've made this script in order to generate the string and redirected its output to a file:
    Code:
    import sys
    
    # Emit every byte value except null (0x00) as a "\xNN..." string
    # literal, ready to paste into the exploit script.
    sys.stdout.write("\"")
    i = 1
    while i <= 255:          # was i < 255, which left out 0xff
    	sys.stdout.write("\\x%02x" % i)   # zero-padded two-digit hex
    	i += 1
    print("\"")
    Then I put that in my exploit and kept running it with blocks of the string, jotting the bad chars down (the ones that didn't appear in memory where they should, or got replaced with something else). I found some that got replaced with another string; I don't really know whether it's a particularity of that exercise or not...

    Code:
    \x61 -> \x85
    
    \x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f -> \x3f
    
    \xa2 -> \x9b
    \xa3 -> \x9c
    \xa7 -> \x15
    \xa9 -> \x22
    \xaa -> \xa6
    \xac -> \xaa
    \xb0 -> \xf8
    \xb2 -> \xfd
    \xb3 -> \x33
    \xb8 -> \x27
    \xb9 -> \x31
    \xba -> \xa7
    \xbb -> \x3d
    \xbc -> \x2c
    \xbd -> \x2d
    \xbe -> \x2e
    \xbf -> \x3b
    \xc0 -> \x27
    \xdc -> \x5d
    \xdd -> \x5b
    \xde -> \x7e
    \xe3\xe4 -> \x30
    \xe2 -> \x5c
    \xe7 -> \x87
    Well, I've also tried putting these chars in other positions of the array; some got replaced again, some didn't... I'm pretty confused right now...

    These are the ones that did not appear in the memory:

    Code:
    \x07\x08\x0a\x0d\x13\x14\x1b\x25\x28\x29\x2b\x5e\x5f\x60\x7b\x7d\x7e\x7f\x81\x8d\x8f\x90\x9d\xa0\xa1\xa4\xa5\xa6\xa8\xab\xad\xae\xaf\xb1\xb4\xb5\xb6\xb7\xc3\xc4\xc5\xc6\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1
    Am I doing this the right way? Let me know if you tried this exercise and what you did in order to solve the puzzle...

    Thank you again.
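    The comparison done by hand above, written out as an added example (not code from the thread or from the awbo exercises): it builds the full test buffer, writes it to a file in binary mode, and aligns what was sent against what the debugger shows in memory, separating bytes that were substituted from bytes that vanished. The filter it is run against is a constructed stand-in, not awbo's real behaviour.

```python
def test_buffer(exclude=(0x00,)):
    """Every byte value except those already known to be bad (null by default)."""
    return bytes(b for b in range(256) if b not in exclude)

def classify_badchars(sent, seen):
    """Align the bytes sent against the bytes found in memory.

    Returns (replaced, dropped): replaced maps sent byte -> byte found in its
    place; dropped lists bytes that vanished entirely. A byte counts as dropped
    when the byte seen at that position equals the *next* byte that was sent,
    otherwise it counts as replaced. This misfires if a substitution happens to
    equal the following test byte, so re-run with the suspects removed to confirm."""
    replaced, dropped = {}, []
    i = j = 0
    while i < len(sent):
        if j >= len(seen):                          # memory ran out: rest is gone
            dropped.append(sent[i]); i += 1; continue
        if sent[i] == seen[j]:
            i += 1; j += 1
        elif i + 1 < len(sent) and seen[j] == sent[i + 1]:
            dropped.append(sent[i]); i += 1         # seen byte belongs to the next sent byte
        else:
            replaced[sent[i]] = seen[j]; i += 1; j += 1
    return replaced, dropped

def constructed_filter(buf):
    """Constructed stand-in for the target's input handling (not awbo's real
    behaviour): drops a few control bytes and substitutes some high bytes."""
    drop = {0x0a, 0x0d, 0x1b}
    subst = {0x61: 0x85, 0x80: 0x3f, 0x82: 0x3f, 0xa2: 0x9b}
    return bytes(subst.get(b, b) for b in buf if b not in drop)

if __name__ == "__main__":
    buf = test_buffer()
    with open("badbuffer", "wb") as f:   # binary mode: no newline or encoding mangling
        f.write(buf)
    # In practice `seen` comes from the debugger's memory dump; here it is simulated.
    replaced, dropped = classify_badchars(buf, constructed_filter(buf))
    for src, dst in sorted(replaced.items()):
        print("\\x%02x -> \\x%02x" % (src, dst))
    print("missing: " + "".join("\\x%02x" % b for b in dropped))
```

    Once a batch of bad chars is confirmed, pass them via `exclude` and send the buffer again, since removing one byte can change how the following ones are handled.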

  4. #4
    Super Moderator lupin
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    I used a modified version of the jump code from this page the last time I did an SEH overwrite, to get to the earlier section of my buffer from the section of memory after the SEH address.

    You'll probably be able to roll your own using the details at the link above, but if you like I can post the assembly and provide the method I used to convert it to shellcode (my rubbish assembly skills necessitated some nasty hacks, but it worked).
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  5. #5
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    18

    Default

    That's a nice little article. Thanks lupin

    I also found a couple of the videos (webcasts) in the Offensive Security website resources section helpful with SEH overflows. The Apple QuickTime vid is good, as is the SurgeMail overview.

    If anyone can point to any other good resources I'd be grateful!

  6. #6
    Super Moderator lupin
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by F1gureF0ur:
    That's a nice little article. Thanks lupin

    I also found a couple of the videos (webcasts) in the Offensive Security website resources section helpful with SEH overflows. The Apple QuickTime vid is good, as is the SurgeMail overview.

    If anyone can point to any other good resources I'd be grateful!
    Yes, the QuickTime Offensive Security video is a good one.

    There's some more good stuff here, and here, and the securityforest site that my previous link was from has some other good references.

  7. #7
    Just burned his ISO
    Join Date
    Oct 2009
    Posts
    8

    Default

    Quote: I'm assuming awbo2.exe takes input via STDIN - in a command shell perhaps?
    Yes, that's correct.
    I could not redirect the output of that command to a file, so I built a program (which just takes input without any filters) in order to analyse the memory after input. In fact, the problem is indeed in my script, since \xeb could not be found in memory with the rest of the test string I sent...

    Can someone think about other methods of sending the attack string in this case?

    Thanks lupin for the help so far =)

  8. #8
    Super Moderator lupin
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by trojanrs:
    Yes, that's correct.
    I could not redirect the output of that command to a file, so I built a program (which just takes input without any filters) in order to analyse the memory after input. In fact, the problem is indeed in my script, since \xeb could not be found in memory with the rest of the test string I sent...

    Can someone think about other methods of sending the attack string in this case?

    Thanks lupin for the help so far =)
    Maybe write it to a binary file and then feed the contents of the file into the awbo2.exe program via command line redirection.

    e.g.

    The file "badbuffer" contains your data in binary format (use Perl or Python or a hex editor or your other tool of choice to create the file with the binary data in it).

    Then run awbo2.exe like so:
    Code:
    awbo2.exe <badbuffer

  9. #9
    Just burned his ISO
    Join Date
    Oct 2009
    Posts
    8

    Default

    OK, I've created the binary file with a Python script and checked it with a hex editor; everything was as I expected it to be, but when I ran the command the program crashed...
    Can I use this method with awbo2.exe attached to the debugger?
    I've also searched for some Immunity script that could insert the string into stdin, but no success there...

  10. #10
    Super Moderator lupin
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by trojanrs:
    OK, I've created the binary file with a Python script and checked it with a hex editor; everything was as I expected it to be, but when I ran the command the program crashed...
    Can I use this method with awbo2.exe attached to the debugger?
    I've also searched for some Immunity script that could insert the string into stdin, but no success there...
    You're right of course, this method makes it difficult to attach a debugger.

    I haven't had a chance to try it yet, but something like this may work.