I know it’s been a lot of time since the last paper but this one gave me some headaches.

Download: Linux exploit development part 4 – ASCII armor bypass + return-to-plt

As you have probably expected this is the real application demo + video demo of my part 3 of the Linux exploit development series.

Technical paper: Linux exploit development part 3 – ret2libc
Demo paper: Linux exploit development part 3 (rev 2) – Real app demo ret2libc
Video demo:

Linux exploit development part 3 (rev 2) – Real app demo from sickness on Vimeo.

Question:
In short why another part 2 if we already have one?

Answer:
Recently I’ve been receiving feedback from people who have read the papers and amongst those _sinn3r and corelanc0d3r actually recommended I should also give examples using real vulnerable application.

About the paper:
I will not be repeating myself, this paper does not contain any theory in it. If you do not have the required knowledge I suggest you first read my part 2 paper before trying this: Linux Exploit Writing Tutorial Pt 2 – Stack Overflow ASLR bypass Using ret2reg

The paper can be found here and long with the paper I’ve also made a quick video demonstration:

Linux exploit development part 2 (rev 2) – Demo from sickness on Vimeo.

Hope you enjoy it and have fun

I’m not going to repeat myself from the paper, this will just be a short description of what the paper contains.

So in the previous tutorials our exploits were made on Backtrack 4 R2 now we are going to make them on Debian Squeeze (latest) because Backtrack does not have DEP enabled by default (PAE enabled kernel on 32 bits).

In short terms DEP or NX prevents some stack or heap memory spaces from being executed, it also prevents executable memory from being writable. This is very effective against buffer overflows that inject and execute malicious code. (More about NX here)

How to bypass this !? … -> Linux exploit development part 3 – ret2libc.pdf

As expected the part 2 of my tutorial series, I’m not going to repeat myself again, so without any other introductions here it is:

Linux Exploit Writing Tutorial Pt 2 – Stack Overflow ASLR bypass Using ret2reg

I’ve started to write a series of tutorials about exploit development on Linux, this is the first part which contains a Stack overflow, with hardcoded ESP address (I know it’s unreliable, that’s why it’s part 1).
Anyways here is the PDF: Linux exploit development part 1 – Stack overflow

Hope you enjoy it.

Not sure how many tried out this “fuzzer”, but the v0.3 is out with more pwnsauce.

Download link: http://code.google.com/p/sickfuzz/downloads/list
svn checkout http://sickfuzz.googlecode.com/svn/trunk/ sickfuzz

New features:
- Some SPIKE tweak.
- Changed the SPIKE fuzzer.
- Modified the .spk scripts.
- More logs available.
- More detailed help screen as well as output.

Fixed bugs:
- Fixed tailing issue, now paths don’t have to end with “/”.
- Now stops when app crashes without going over the other scripts.

Install SPIKE and sickfuzz:

root@bt:~# apt-get install automake
root@bt:~# rm -rf /pentest/fuzzers/spike/
root@bt:~# wget -P /tmp http://www.immunitysec.com/downloads/SPIKE2.9.tgz
root@bt:~# tar xvzf /tmp/SPIKE2.9.tgz -C /pentest/fuzzers && rm /tmp/SPIKE2.9.tgz
root@bt:~# cd /pentest/fuzzers/SPIKE/SPIKE/src/

Before actually starting to compile SPIKE we will make a little tweak (thank master @lupin for this one!).
Open up spike.c, there are 2 lines that look like this:

printf("tried to send to a closed socket!\n");

Each of these 2 lines contains a “return 0;” instruction on the next line, we will replace this instruction with “exit(1);” save the file and proceed.
(NOTE: ONLY REPLACE THOSE 2 INSTRUCTIONS NOT ALL!)

snapshot_1
snapshot_2
snapshot_3
snapshot_4

Now we can proceed with SPIKE:

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector/g' Makefile
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make

If you get this error:

configure: creating ./config.status
cd && /bin/sh ./config.status Makefile
/bin/sh: ./config.status: No such file or directory
make: *** [Makefile] Error 127

Execute the following commands again:

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-p$
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make

Should have worked now.

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# mv -f /pentest/fuzzers/SPIKE/SPIKE/src /pentest/fuzzers/spike/
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# cd
root@bt:~# rm -rf /pentest/fuzzers/SPIKE/

root@bt:~# cd /pentest/fuzzers/
root@bt:/pentest/fuzzers# svn checkout http://sickfuzz.googlecode.com/svn/trunk sickfuzz

Also if you are interested g0tmi1k made a nice script to automate the hole process:
http://code.google.com/p/sickfuzz/downloads/list

For more info on using SPIKE check out lupin’s guides:
http://resources.infosecinstitute.com/intro-to-fuzzing/
http://resources.infosecinstitute.com/fuzzer-automation-with-spike/

Before we get started let’s start with some basic knowledge which you might or might not know:

# What is fuzzing?

So in short fuzzing is a technique used to discover coding errors in software, so it sends the specific port,app,etc. unexpected data. For example if we have a small application that asks us for a number between 1 and 10 and then divides our number to 2, what will happen if we enter “%Io&6….” ? (It’s not the best example I know but I think you get the picture).

# How does this help us?

Well depending on how the application crashes we can have a number of vulnerabilities like buffer overflows, DoS, etc …
NOTE: These definitions from above are not complete, if you want to get more details I suggest you try Google.

Before we begin some few answers to some questions that most of you will ask:

1. Why did I make a fuzzer, there are other fuzzers out there ?

Yes you are right there are a lot of other fuzzers out there, my fuzzer wasn’t intended to be a public fuzzer. I started making it for personal use and to learn more about fuzzing, but some friends told me I should give it a try and publish it, maybe people will like it.

2. Why is my fuzzer more special than other fuzzers out there ?

The answer is simple, it’s not! I didn’t make it to be more special than other fuzzers out there, I just included some features that I needed and nothing more.

Ok now that we have covered these basic questions let’s move on and see how it works and what features it has:

# What is sickfuzz?

sickfuzz is a wrapper around SPIKE written in python.

# How does it work?

It actually accepts CLI arguments and based on those it launches the SPIKE “generic_send_tcp”, with custom made .spk files.

# What other features does it have?

– tshark (CLI version of wireshark support), once you start fuzzing tshark starts to capture http packets that go to your specified port for later analysis.

– checks to see if the app crashed or not, most apps usually if they receive a large number of requests, start denying them and most fuzzers see that as a crash and just stop, sickfuzz however when it encounters such a behaviour checks to see if the application did really crash or not, and if the application is still up it resumes the fuzzing process.

– It’s really fast and has a lot of mutations (SPIKE rocks!)

# What do I need to run it?
– SPIKE
– Wireshark (tshark + editcap)
– Python
– Web server victims

Also g0tmi1k made a cool video, demonstrating how to use it, check it out:

Download sickfuzz

Ok not at the end I want to thank all who helped me with the fuzzer:
ArchangelAmael
Nullthread
Dinos
corelanc0d3r
g0tmi1k

g0tmi1k’s blog post here.

This is a quick paper I wrote containing a tutorial on how to use !pvefindaddr made by corelanc0d3r, it does not cover the creating of an exploit only how this tool helps you in writing an exploit.

Download link: Exploit_writing_made_easy_with_pvefindaddr.pdf

Ok so in short, I was playing with ROP chained exploits, in particular I was making an exploit for WM Downloader.

I finally finished it and then asked corelanc0d3r from the Corelan team to test it. The exploits was good, but there were some ROP gadgets that differed so we tried to replace them and this came up: http://www.exploit-db.com/exploits/16072/

Everything seems ok … but something was weird, as you can see we have a ROP gadget containing:
# INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4

I had some issues with padding RETN 4, so I asked corelanc0d3r for a general padding rule, and then we realized that no one actually has one. ( Or not one that we know about. ) So we started documenting it and finally this came up: Corelan Site