Exploit Development Part 1: Introduction
This is the first part in a (modest) multi-part exploit development
series. This part will just cover some basic things like what we need to
do our work, basic ideas behind exploits and a couple of things to keep
in mind if we want to get to and execute our shellcode. These tutorials
will not cover finding bugs, instead each part will include a
vulnerable program which needs a specific technique to be successfully
exploited. In the fullness of time I intend to cover everything from
“Saved Return Pointer Overflows” to “ROP (Return Oriented Programming)”
of course these tutorials won’t write themselves so it will take some
time to get there. It is worth mentioning that these tutorials wont
cover all the small details and eventualities; this is done by design to
(1) save me some time and (2) allow the diligent reader to learn by
participating.
I would like to give special thanks to Offensive Security and Corelan, thanks for giving me this amazing and painful addiction!!
Immunity Debugger is similar to Ollydbg but it has python support which we will need to run plugin’s to aid us with our exploit development. It’s free; on the link just fill in some bogus info and hit download.
Mona.py – Download
Mona is an amazing tool with tons of features which will help us to do rapid and reliable exploit development. I won’t be discussing all the options here, we’ll get to them during the following parts of the tutorial. Download it and put it in Immunity’s PyCommands folder.
Pvefindaddr.py – Download
Pvefindaddr is Mona’s predecessor. I know it’s a bit outdated but it’s still useful since there are some features that haven’t been ported to Mona yet. Download it and put it in Immunity’s PyCommands folder.
Metasploit Framework – Download
We are going to use the Metasploit Framework extensively. Most of all we are going to be generating shellcode for our exploits but we are also going to need a platform that can receive any connections we might get back from the programs we are exploiting. I suggest you use Backtrack since it has everything we need but feel free to set up metasploit in any way you see fit.
Virtualization Software
Basically there are two options here VirtualBox which is free and Vmware which isn’t. If its possible I would suggest using Vmware; a clever person might not need to pay for it ;)). Coupled with this we will need several (32-bit) operating systems to develop our exploits on (you will get the most use out of WindowsXP PRO SP3 and any Windows7).
For
the purpose of these tutorials I think it’s important to keep things as
simple or difficult as they need to be. In general when we write an
exploit we need to find an overflow in a program. Commonly these bugs
will be either Buffer Overflows (a memory location receives more data
than it was meant to) or Stack Overflows (usually a Buffer Overflow that
writes beyond the end of the stack). When such an overflow occurs there
are two things we are looking for; (1) our buffer needs to overwrite
EIP (Current Instruction Pointer) and (2) one of the CPU registers needs
to contain our buffer. You can see a list of x86 CPU registers below
with their separate functions. All we need to remember is that any of
these registers can store our buffer (and shellcode).
I would like to give special thanks to Offensive Security and Corelan, thanks for giving me this amazing and painful addiction!!
(1) What we need
Immunity Debugger – DownloadImmunity Debugger is similar to Ollydbg but it has python support which we will need to run plugin’s to aid us with our exploit development. It’s free; on the link just fill in some bogus info and hit download.
Mona.py – Download
Mona is an amazing tool with tons of features which will help us to do rapid and reliable exploit development. I won’t be discussing all the options here, we’ll get to them during the following parts of the tutorial. Download it and put it in Immunity’s PyCommands folder.
Pvefindaddr.py – Download
Pvefindaddr is Mona’s predecessor. I know it’s a bit outdated but it’s still useful since there are some features that haven’t been ported to Mona yet. Download it and put it in Immunity’s PyCommands folder.
Metasploit Framework – Download
We are going to use the Metasploit Framework extensively. Most of all we are going to be generating shellcode for our exploits but we are also going to need a platform that can receive any connections we might get back from the programs we are exploiting. I suggest you use Backtrack since it has everything we need but feel free to set up metasploit in any way you see fit.
Virtualization Software
Basically there are two options here VirtualBox which is free and Vmware which isn’t. If its possible I would suggest using Vmware; a clever person might not need to pay for it ;)). Coupled with this we will need several (32-bit) operating systems to develop our exploits on (you will get the most use out of WindowsXP PRO SP3 and any Windows7).
(2) Overflows
EAX - Main register used in arithmetic calculations. Also known as accumulator, as it holds results
of arithmetic operations and function return values.
EBX - The Base Register. Pointer to data in the DS segment. Used to store the base address of the
program.
ECX - The Counter register is often used to hold a value representing the number of times a process
is to be repeated. Used for loop and string operations.
EDX - A general purpose registers. Also used for I/O operations. Helps extend EAX to 64-bits.
ESI - Source Index register. Pointer to data in the segment pointed to by the DS register. Used as
an offset address in string and array operations. It holds the address from where to read data.
EDI - Destination Index register. Pointer to data (or destination) in the segment pointed to by the
ES register. Used as an offset address in string and array operations. It holds the implied
write address of all string operations.
EBP - Base Pointer. Pointer to data on the stack (in the SS segment). It points to the bottom of the
current stack frame. It is used to reference local variables.
ESP - Stack Pointer (in the SS segment). It points to the top of the current stack frame. It is used
to reference local variables.
EIP - Instruction Pointer (holds the address of the next instruction to be executed)
