Lab 1: Crash RM2MP3 Converter

PreviousLab 2: Sample Code NextLab 1: Getting a legitimate shell

Last updated 4 years ago

Was this helpful?

Lesson:

The software crashed, but so what? An exploit is really just trying to make the application do something it wasn’t intended to do. We will try and do this by controlling the Index/Instruction Pointer. A CPU register that contains a pointer to where the next instruction that needs to be executed is located.

Pointer instruction deep-dive example

General Purpose Registers:

EAX (Accumulator) – used for performing calculations; and used to store return values from function calls

Basic operations such as add, subtract, compare use this register

EBX (Base) – does not have anything to do with the base pointer. It has no general purpose and can be used to store data

ECX (Counter) – used for iterations; counts downward

EDX (Data) – an extension of the EAX register Allows for more complex calculations (multiply / divide) by allowing extra data to be stored to facilitate those calculations

EAX (Accumulator) – used for performing calculations; and used to store return values from function calls Basic operations such as add, subtract, compare use this register

EBX (Base) – does not have anything to do with the base pointer. It has no general purpose and can be used to store data

ECX (Counter) – used for iterations; counts downward

EDX (Data) – an extension of the EAX register Allows for more complex calculations (multiply / divide) by allowing extra data to be stored to facilitate those calculation

Process Memory:

When an application is started in a Win32 environment, a process is created and virtual memory is assigned to it

In a 32-bit process, the address ranges from:

0x00000000 to 0xFFFFFFFF

0x00000000 – 0x7FFFFFFF = “user land”

0x80000000 – 0xFFFFFFFF = “kernel land”

Windows uses the flat memory model. This means the CPU can directly, sequentially, and linearly address all of the available memory locations, without having to use a segmentation/paging scheme

Process:

When a process is created, a Process Execution Block (PEB) and Thread Environment Block (TEB) are created

The PEB contains all “user land” parameters that are associated with the current process:

Location of the main executable
Pointer to loader data (can be used to list all DLLs/modules that are/can be loaded into the process)
Pointer to information about the heap

The TEB describes the state of a thread:

Location of the PEB in memory
Location of the stack for the thread it belongs to
Pointer to the first entry in the SEH (Structured Event Handler) chain

Each thread inside the process has one TEB

.text:

The text segment of a program image/DLL is read-only, as it only contains the application code

This prevents people from modifying the application code

This memory segment has a fixed size.

.data:

The data segment is used to store global and static program variables

The data segment is used for initialized global variables, strings, and other constants

The data segment is writable and has a fixed size

Heap segment:

The heap segment is used for the rest of the program variables

It can grow larger or smaller as desired

All of the memory in the heap is managed by allocator (and deallocator) algorithms

A memory region is reserved by these algorithms

The heap will grow towards a higher addresses.

DDL:

In a DLL there are several parts of the .text segment:

The code

Imports (list of functions used by the DLL, from another DLL, or application),

Exports (functions it makes available to other DLLs applications)

The Stack:

The stack is a piece of the process memory, a data structure that works LIFO (Last-In-First-Out)

LIFO means that the most recent placed data (result of a PUSH instruction) is the first one that will be removed from the stack again (by a POP instruction)

A stack gets allocated by the OS, for each thread (when it is created)

When the thread ends, the stack is cleared as well

The size of the stack is defined when it gets created and doesn’t change

The stack contains:

Local variables

Function calls

Other info that does not need to be stored for a larger amount of time As more data pushed onto the stack, the stack pointer is decremented and points at a lower address value

The stack starts at the bottom, from the very end of the virtual memory of a page and grows down (to a lower memory address)

A PUSH adds something to the top of the stack

A POP will remove one item (4 bytes) from the stack and puts it in a register

Instruction deep-dive example

Time for some pracap!

Assignment:

Step 0 – Set up environment (this should have already been done for you)

Step 1 - Create a ruby script that creates a .m3u file

Step 2 – Replace the content of “junk” with 10,000 A’s

Step 3 – Execute file and copy it over to target

Step 4 – Access file from target machine

Step 5 – Launch Immunity Debugger

Step 6 – Launch RM2MP3 Converter in debugger

Step 7 – Run program

Step 8 – Load crash[sid].m3u file

Step 9 – Increase the number of A’s in script until program crashed

Lesson:

Pointer instruction deep-dive example

General Purpose Registers:

EAX (Accumulator) – used for performing calculations; and used to store return values from function calls

Basic operations such as add, subtract, compare use this register

EBX (Base) – does not have anything to do with the base pointer. It has no general purpose and can be used to store data

ECX (Counter) – used for iterations; counts downward

EDX (Data) – an extension of the EAX register Allows for more complex calculations (multiply / divide) by allowing extra data to be stored to facilitate those calculations

EAX (Accumulator) – used for performing calculations; and used to store return values from function calls Basic operations such as add, subtract, compare use this register

EBX (Base) – does not have anything to do with the base pointer. It has no general purpose and can be used to store data

ECX (Counter) – used for iterations; counts downward

EDX (Data) – an extension of the EAX register Allows for more complex calculations (multiply / divide) by allowing extra data to be stored to facilitate those calculation

Process Memory:

When an application is started in a Win32 environment, a process is created and virtual memory is assigned to it

In a 32-bit process, the address ranges from:

0x00000000 to 0xFFFFFFFF

0x00000000 – 0x7FFFFFFF = “user land”

0x80000000 – 0xFFFFFFFF = “kernel land”

Windows uses the flat memory model. This means the CPU can directly, sequentially, and linearly address all of the available memory locations, without having to use a segmentation/paging scheme

Process:

When a process is created, a Process Execution Block (PEB) and Thread Environment Block (TEB) are created

The PEB contains all “user land” parameters that are associated with the current process:

Location of the main executable
Pointer to loader data (can be used to list all DLLs/modules that are/can be loaded into the process)
Pointer to information about the heap

The TEB describes the state of a thread:

Location of the PEB in memory
Location of the stack for the thread it belongs to
Pointer to the first entry in the SEH (Structured Event Handler) chain

Each thread inside the process has one TEB

.text:

The text segment of a program image/DLL is read-only, as it only contains the application code

This prevents people from modifying the application code

This memory segment has a fixed size.

.data:

The data segment is used to store global and static program variables

The data segment is used for initialized global variables, strings, and other constants

The data segment is writable and has a fixed size

Heap segment:

The heap segment is used for the rest of the program variables

It can grow larger or smaller as desired

All of the memory in the heap is managed by allocator (and deallocator) algorithms

A memory region is reserved by these algorithms

The heap will grow towards a higher addresses.

DDL:

In a DLL there are several parts of the .text segment:

The code

Imports (list of functions used by the DLL, from another DLL, or application),

Exports (functions it makes available to other DLLs applications)

The Stack:

The stack is a piece of the process memory, a data structure that works LIFO (Last-In-First-Out)

LIFO means that the most recent placed data (result of a PUSH instruction) is the first one that will be removed from the stack again (by a POP instruction)

A stack gets allocated by the OS, for each thread (when it is created)

When the thread ends, the stack is cleared as well

The size of the stack is defined when it gets created and doesn’t change

The stack contains:

Local variables

Function calls

Other info that does not need to be stored for a larger amount of time As more data pushed onto the stack, the stack pointer is decremented and points at a lower address value

The stack starts at the bottom, from the very end of the virtual memory of a page and grows down (to a lower memory address)

A PUSH adds something to the top of the stack

A POP will remove one item (4 bytes) from the stack and puts it in a register

Instruction deep-dive example

Time for some pracap!

Assignment:

Step 0 – Set up environment (this should have already been done for you)

Step 1 - Create a ruby script that creates a .m3u file

Step 2 – Replace the content of “junk” with 10,000 A’s

Step 3 – Execute file and copy it over to target

Step 4 – Access file from target machine

Step 5 – Launch Immunity Debugger

Step 6 – Launch RM2MP3 Converter in debugger

Step 7 – Run program

Step 8 – Load crash[sid].m3u file

Step 9 – Increase the number of A’s in script until program crashed

Lab 1: Crash RM2MP3 Converter

Lab 1: Crash RM2MP3 Converter

Lesson:

Pointer instruction deep-dive example

General Purpose Registers:

.text:

Answers:

Lesson:

Pointer instruction deep-dive example

General Purpose Registers:

.text:

Answers: