Lab 1: Crash RM2MP3 Converter

Lesson:

The software crashed, but so what? An exploit is really just trying to make the application do something it wasn’t intended to do. We will try and do this by controlling the Index/Instruction Pointer. A CPU register that contains a pointer to where the next instruction that needs to be executed is located.

Pointer instruction deep-dive example

pic1 pic2 pic3 pic4 pic5 pic6 pic7 pic8 pic9 pic10 pic11 pic12 pic13 pic14 pic15 pic16 pic17

General Purpose Registers:

  • EAX (Accumulator) – used for performing calculations; and used to store return values from function calls

  • Basic operations such as add, subtract, compare use this register

  • EBX (Base) – does not have anything to do with the base pointer. It has no general purpose and can be used to store data

  • ECX (Counter) – used for iterations; counts downward

  • EDX (Data) – an extension of the EAX register Allows for more complex calculations (multiply / divide) by allowing extra data to be stored to facilitate those calculations

  • EAX (Accumulator) – used for performing calculations; and used to store return values from function calls Basic operations such as add, subtract, compare use this register

  • EBX (Base) – does not have anything to do with the base pointer. It has no general purpose and can be used to store data

  • ECX (Counter) – used for iterations; counts downward

  • EDX (Data) – an extension of the EAX register Allows for more complex calculations (multiply / divide) by allowing extra data to be stored to facilitate those calculation

    Process Memory:

    When an application is started in a Win32 environment, a process is created and virtual memory is assigned to it

    In a 32-bit process, the address ranges from:

  • 0x00000000 to 0xFFFFFFFF

  • 0x00000000 – 0x7FFFFFFF = “user land”

  • 0x80000000 – 0xFFFFFFFF = “kernel land”

    Windows uses the flat memory model. This means the CPU can directly, sequentially, and linearly address all of the available memory locations, without having to use a segmentation/paging scheme

    pic18

    Process:

  • When a process is created, a Process Execution Block (PEB) and Thread Environment Block (TEB) are created

  • The PEB contains all “user land” parameters that are associated with the current process:

    • Location of the main executable

    • Pointer to loader data (can be used to list all DLLs/modules that are/can be loaded into the process)

    • Pointer to information about the heap

  • The TEB describes the state of a thread:

    • Location of the PEB in memory

    • Location of the stack for the thread it belongs to

    • Pointer to the first entry in the SEH (Structured Event Handler) chain

  • Each thread inside the process has one TEB

.text:

  • The text segment of a program image/DLL is read-only, as it only contains the application code

  • This prevents people from modifying the application code

  • This memory segment has a fixed size.

    .data:

  • The data segment is used to store global and static program variables

  • The data segment is used for initialized global variables, strings, and other constants

  • The data segment is writable and has a fixed size

    Heap segment:

  • The heap segment is used for the rest of the program variables

  • It can grow larger or smaller as desired

  • All of the memory in the heap is managed by allocator (and deallocator) algorithms

  • A memory region is reserved by these algorithms

  • The heap will grow towards a higher addresses.

    DDL:

  • In a DLL there are several parts of the .text segment:

  • The code

  • Imports (list of functions used by the DLL, from another DLL, or application),

  • Exports (functions it makes available to other DLLs applications)

    The Stack:

    The stack is a piece of the process memory, a data structure that works LIFO (Last-In-First-Out)

  • LIFO means that the most recent placed data (result of a PUSH instruction) is the first one that will be removed from the stack again (by a POP instruction)

  • A stack gets allocated by the OS, for each thread (when it is created)

  • When the thread ends, the stack is cleared as well

  • The size of the stack is defined when it gets created and doesn’t change

    The stack contains:

  • Local variables

  • Function calls

  • Other info that does not need to be stored for a larger amount of time As more data pushed onto the stack, the stack pointer is decremented and points at a lower address value

  • The stack starts at the bottom, from the very end of the virtual memory of a page and grows down (to a lower memory address)

  • A PUSH adds something to the top of the stack

  • A POP will remove one item (4 bytes) from the stack and puts it in a register

    Instruction deep-dive example

    pic20

    pic19

    pic21

    pic22

    pic23

    pic24

    pic25

    Time for some pracap!

    Assignment:

  • Step 0 – Set up environment (this should have already been done for you)

  • Step 1 - Create a ruby script that creates a .m3u file

  • Step 2 – Replace the content of “junk” with 10,000 A’s

  • Step 3 – Execute file and copy it over to target

  • Step 4 – Access file from target machine

  • Step 5 – Launch Immunity Debugger

  • Step 6 – Launch RM2MP3 Converter in debugger

  • Step 7 – Run program

  • Step 8 – Load crash[sid].m3u file

  • Step 9 – Increase the number of A’s in script until program crashed

Answers:

  • View associated .txt file

Last updated

Was this helpful?