Lab 3: Locating EIP

Lesson:

pattern_create.rb

• Open the tools folder in the metasploit framework3 folder (I’m using a linux version of metasploit 3)

• You should find a tool called pattern_create.rb

• Create a pattern of 10000 characters and write it into a file

• locate pattern_create.rb

  /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 10000

• Edit the ruby script and insert a new variable ($junk2) with our 10000 characters

• Create the m3u file

• Open this file in Easy RM to MP3, wait until the application dies again, and take note of the contents of EIP

• At this time, eip contains 0x75483175 (note: little endian - we have overwritten EIP with 75 31 48 75 = u1Hu

  pattern_offset.rb

  Let’s use a second metasploit tool now, to calculate the exact length of the buffer before writing into EIP, feed it with the value of EIP (based on the pattern file) and length of the buffer

  /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 10000 -q 75483175

  6064

  That’s the buffer length needed to overwrite EIP

  So if you create a file with 20000+6064 A’s, and then add 4 B’s (42 42 42 42 in hex) EIP should contain 42 42 42 42

  We also know that ESP points at data from our buffer, so we’ll add some C’s after overwriting EIP totaling the 30000 A’s we initially threw

  30000 (original payload) – 26064 A’s – 4 B’s = 3932 C’s

  Let’s try. Modify the ruby script to create the new m3u file

  Exploit:

• In Immunity Debugger, you can see the contents of the stack, at ESP, by looking at the lower right hand window

• EIP contains BBBB, which is exactly what we wanted

  So now we control EIP, and On top of that, ESP points to our buffer (C’s)

  Our exploit buffer so far looks like this:

  

  Where are we?:

• We control EIP

• We can point EIP to somewhere else, to a place that contains our own code (shellcode)

• But where is this space, how can we put our shellcode in that location, and how can we make EIP jump to that location?

  In order to crash the application, we have written 26064 A’s into memory, we have written a new value into the saved EIP field (ret), and we have written a bunch of C’s

  Where do we go from here?

  When the application crashes, take a look at the registers and dump all of them (d esp, d eax, d ebx, d ebp, …).

  If you can see your buffer (either the A’s or the C’s) in one of the registers, then you may be able to replace those with shellcode and jump to that location.

  In our example, we can see that ESP seems to point to our C’s (remember the output of d esp above), so ideally we would put our shellcode instead of the C’s and we tell EIP to go to the ESP address.

  Despite the fact that we can see the C’s, we don’t know for sure that the first C (at address 000ff730, where ESP points at), is in fact the first C that we have put in our buffer

• We’ll change the ruby script and feed a pattern of characters (I’ve taken 144 characters, but you could have taken more or taken less) instead of C’s

• Create the file, open it, let the application die and dump memory at location ESP

You know what time is it!

Assignment:

• Step 1 – Locate pattern_create.rb

• Step 2 – Create unique pattern of characters

• Step 3 – Create a variable in [filename] with created string

• Step 4 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger

• Step 5 – Find what the offset is in the EIP register

• Step 6 – Find pattern offset

• Step 7 – Run executable, transfer crash_[sid].m3u to target, and run it in the debugger

• Step 8 – Verify whether EIP equals “0x424242”

Answers:

• View associated .txt file