Friday, 26 October 2012

ASCII only exploiting

So an interesting problem was given to a group of us this week. The vulnerable function in IE was controlled using an ASCII string. Most people took this as a sign that heap spraying was required and therefore used a string like "   " to point to heap space and hopefully their NOP sled.

I took the "crafty" approach and instead decided that the whole shell code could be contained in the string, not just the pointer.

msfencode (part of Metasploit) has an excellent encoder option that will encode only using alphanumeric characters. Unfortunately when you try this, you will get non alpha characters mixed in wherever it fails to find the right commands.

msfpayload windows/exec CMD=calc.exe R | ./msfencode -e x86/alpha_mixed

In this case, you will need to find a ROP gadget to move the address of the start of your shell code in to one of the registers. If you're lucky it will already be in one. You can then give it to msfencode as an argument:
 msfpayload windows/exec CMD=calc.exe R | ./msfencode BufferRegister=EAX -e x86/alpha_mixed
 If you need to go searching for ROP gadget there are a couple of tools that may help you. First check out Immunity's !gadget  command. Alternatively there's Mona, a Python add-on ( These were enough to go searching through for a non-ASLR'd gadget that moved the right value to the right register.

No comments: