Lab 3: Locating EIP

PreviousLab 4: Shellcode?Nextimages

Last updated 4 years ago

Was this helpful?

Lesson:

pattern_create.rb

Open the tools folder in the metasploit framework3 folder (I’m using a linux version of metasploit 3)

You should find a tool called pattern_create.rb

Create a pattern of 10000 characters and write it into a file

locate pattern_create.rb

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 10000

Edit the ruby script and insert a new variable ($junk2) with our 10000 characters

Create the m3u file

Open this file in Easy RM to MP3, wait until the application dies again, and take note of the contents of EIP

At this time, eip contains 0x75483175 (note: little endian - we have overwritten EIP with 75 31 48 75 = u1Hu

pattern_offset.rb

Let’s use a second metasploit tool now, to calculate the exact length of the buffer before writing into EIP, feed it with the value of EIP (based on the pattern file) and length of the buffer

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 10000 -q 75483175

6064

That’s the buffer length needed to overwrite EIP

So if you create a file with 20000+6064 A’s, and then add 4 B’s (42 42 42 42 in hex) EIP should contain 42 42 42 42

We also know that ESP points at data from our buffer, so we’ll add some C’s after overwriting EIP totaling the 30000 A’s we initially threw

30000 (original payload) – 26064 A’s – 4 B’s = 3932 C’s

Let’s try. Modify the ruby script to create the new m3u file

Exploit:

In Immunity Debugger, you can see the contents of the stack, at ESP, by looking at the lower right hand window

EIP contains BBBB, which is exactly what we wanted

So now we control EIP, and On top of that, ESP points to our buffer (C’s)

Our exploit buffer so far looks like this:

Where are we?:

We control EIP

We can point EIP to somewhere else, to a place that contains our own code (shellcode)

But where is this space, how can we put our shellcode in that location, and how can we make EIP jump to that location?

In order to crash the application, we have written 26064 A’s into memory, we have written a new value into the saved EIP field (ret), and we have written a bunch of C’s

Where do we go from here?

When the application crashes, take a look at the registers and dump all of them (d esp, d eax, d ebx, d ebp, …).

If you can see your buffer (either the A’s or the C’s) in one of the registers, then you may be able to replace those with shellcode and jump to that location.

In our example, we can see that ESP seems to point to our C’s (remember the output of d esp above), so ideally we would put our shellcode instead of the C’s and we tell EIP to go to the ESP address.

Despite the fact that we can see the C’s, we don’t know for sure that the first C (at address 000ff730, where ESP points at), is in fact the first C that we have put in our buffer

We’ll change the ruby script and feed a pattern of characters (I’ve taken 144 characters, but you could have taken more or taken less) instead of C’s

Create the file, open it, let the application die and dump memory at location ESP

You know what time is it!

Assignment:

Step 1 – Locate pattern_create.rb

Step 2 – Create unique pattern of characters

Step 3 – Create a variable in [filename] with created string

Step 4 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger

Step 5 – Find what the offset is in the EIP register

Step 6 – Find pattern offset

Step 7 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger

Step 8 – Verify whether EIP equals “0x424242”

Lesson:

pattern_create.rb

Open the tools folder in the metasploit framework3 folder (I’m using a linux version of metasploit 3)

You should find a tool called pattern_create.rb

Create a pattern of 10000 characters and write it into a file

locate pattern_create.rb

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 10000

Edit the ruby script and insert a new variable ($junk2) with our 10000 characters

Create the m3u file

Open this file in Easy RM to MP3, wait until the application dies again, and take note of the contents of EIP

At this time, eip contains 0x75483175 (note: little endian - we have overwritten EIP with 75 31 48 75 = u1Hu

pattern_offset.rb

Let’s use a second metasploit tool now, to calculate the exact length of the buffer before writing into EIP, feed it with the value of EIP (based on the pattern file) and length of the buffer

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 10000 -q 75483175

6064

That’s the buffer length needed to overwrite EIP

So if you create a file with 20000+6064 A’s, and then add 4 B’s (42 42 42 42 in hex) EIP should contain 42 42 42 42

We also know that ESP points at data from our buffer, so we’ll add some C’s after overwriting EIP totaling the 30000 A’s we initially threw

30000 (original payload) – 26064 A’s – 4 B’s = 3932 C’s

Let’s try. Modify the ruby script to create the new m3u file

Exploit:

In Immunity Debugger, you can see the contents of the stack, at ESP, by looking at the lower right hand window

EIP contains BBBB, which is exactly what we wanted

So now we control EIP, and On top of that, ESP points to our buffer (C’s)

Our exploit buffer so far looks like this:

Where are we?:

We control EIP

We can point EIP to somewhere else, to a place that contains our own code (shellcode)

But where is this space, how can we put our shellcode in that location, and how can we make EIP jump to that location?

In order to crash the application, we have written 26064 A’s into memory, we have written a new value into the saved EIP field (ret), and we have written a bunch of C’s

Where do we go from here?

When the application crashes, take a look at the registers and dump all of them (d esp, d eax, d ebx, d ebp, …).

If you can see your buffer (either the A’s or the C’s) in one of the registers, then you may be able to replace those with shellcode and jump to that location.

Despite the fact that we can see the C’s, we don’t know for sure that the first C (at address 000ff730, where ESP points at), is in fact the first C that we have put in our buffer

We’ll change the ruby script and feed a pattern of characters (I’ve taken 144 characters, but you could have taken more or taken less) instead of C’s

Create the file, open it, let the application die and dump memory at location ESP

You know what time is it!

Assignment:

Step 1 – Locate pattern_create.rb

Step 2 – Create unique pattern of characters

Step 3 – Create a variable in [filename] with created string

Step 4 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger

Step 5 – Find what the offset is in the EIP register

Step 6 – Find pattern offset

Step 7 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger

Step 8 – Verify whether EIP equals “0x424242”

Lab 3: Locating EIP

Lab 3: Locating EIP

Lesson:

pattern_create.rb

You know what time is it!

Assignment:

Answers:

Lesson:

pattern_create.rb

You know what time is it!

Assignment:

Answers: