Limited characters, process and much more Flashcards

1
Q

From what part of memory can DLLs be used to choose a PPR?

A

Either an application DLL, the application exe or a system DLL

2
Q

How to find all instances of shellcode?

A

Save the shellcode in a bin file and compare it with memory using MSF pattern and bin file comparison

3
Q

How can we troubleshoot the final shellcode before the egg hunter jumps to it?

A

Look into all memory regions where the final shellcode is and check that it is unmodified. Set up breakpoints in the egg hunter and diagnose.

4
Q

Why do we use NOPs or NOP-equivalent instructions?

A

Because the encoded shellcode will get decoded. So it is good to have NOPs or NOP-like instructions to allow space for decoding.

5
Q

How do we know whether an exploit is broken or not because of opcodes, and how do we verify it beforehand?

A

For any code that we write, we need to know its opcode and ASCII value to speculate on the possibility of the exploit getting broken.

6
Q

What are things that we need to consider before choosing PPR?

A

It should not be compiled with SafeSEH, and it is subject to the limited charset. So pick an address within the allowed ASCII charset.

7
Q

How will you search for a PPR address?

A

Either through mona or by manually searching in Immunity

8
Q

How is a limited charset different from the ASCII range?

A

Though ASCII characters are printable, only a few characters are allowed in certain buffer spaces like username, filename, etc. So we have a limited charset within the ASCII range.

9
Q

What are the problems if the shellcode is not executing?

A

It could be due to the wrong shellcode architecture, some missing syscall functions, port numbers, or ESP alignment corruption.

10
Q

Do we have to use alpha3 to encode the egg hunter every time in a limited charset scenario?

A

We should only use an alpha3 egg hunter when we have a limited buffer above the RET overwrite and the final shellcode is somewhere in memory, unmodified.

If the final shellcode is below the RET overwrite then the final shellcode can be encoded. We have plenty of room!

11
Q

Do we have to write custom code based on stack and memory?

A

No, custom code can be created based on the chosen register and its offset from the egg hunter starting byte. Just common addition and subtraction.

12
Q

Why do we use sub EAX and not other registers?

A

Because sub EAX comes under the allowed limited charset.

13
Q

What are the possible problems if the egg hunter is not executing?

A

It could be due to the syscall code, executing corrupt code, or the absence of NOP-like instructions before the encoded egg hunter.

14
Q

How can we position ESP at the bottom to run the custom decoded code?

A

By a few pop instructions

15
Q

How can we troubleshoot the egg hunter?

A

We can troubleshoot the egg hunter by looking at the starting EDX value and then seeing from where it begins. Set up breakpoints in the egg hunter and diagnose.

16
Q

How do we find compatible characters?

A

We need to research and find the list of characters possible in the exploit, i.e. which characters are filename-compatible depending on the place where the exploit is written. ‘/’ is not filename-compatible, but it will still work in a filename inside a zip folder.

17
Q

Alternate scenario to adjust ESP and jump to the final shellcode? (“Hitting two birds with one stone”)

The custom decoder will push bytecode to the stack. In order to be able to execute that bytecode, we need to control the location where this code is written to, so we can get it to execute after it was reproduced. That location is esp.

So perhaps we can use the same value as esp and put that in ebx, and use it as the base address for doing the math. That way, we may be able to do our math calculation and produce the desired address in ebx, based on that value.

A

There are a number of ways to modify esp. We could copy a value from a register, or pop one from the stack. If we have a good start value in esp, we can easily put it in ebx as well.

18
Q

Why should you modify the egg hunter starting position?

A

Because it takes a lot of time to search through memory locations. Hence we should modify it. Also there is a good chance of executing corrupt code first.

19
Q

How to choose the NOPs in a limited scenario?

A

It is based on a register which is not the buffer register, and at times we should also look for other things like EDX in the egg hunter (e.g. inc edx (42) and inc eax (40)).

20
Q

Should we really care about the egg in a character limitation scenario?

A

Yes, if the egg contains a bad character it might break the exploit.

21
Q

How can we position ESP above the RET overwrite to execute custom code?

A

By using some conditional jump instructions

22
Q

How do you choose the buffer register for the custom encoder?

A

The buffer register can be chosen after we copy the egg hunter and see which registers are close by. The egg hunter can then be recreated using the identified new buffer register.

23
Q

How can we walk over the PPR address?

A

We have to choose the PPR in such a way that it aligns and execution passes through to the code below.

24
Q

If the pop esp (“/”) in the ESP alignment breaks the exploit, then what would be another way?

A

Use POPAD to basically reduce down to ESP, or junk fillers. If the number of instructions in POPAD is not enough to fill the stack below, then jump above the RET overwrite and put them there for enough room.

25
Q

Why do we use various junks in exploits? What is the use of them?

A

[junk1]+[nseh]+[seh]+[code to align ebx & jump ebx]+[junk2]+[encoded shellcode]+[junk3]
[297] [4] [4] [100 bytes] [x bytes] [fill]

where junk1 = offset to nseh, junk2 = amount of bytes needed to fill the space between the code to align ebx and the start location of that code + 100 bytes, and junk3 = the amount of bytes needed to fill the buffer up to 4064 bytes.

It can be used to calculate fixed locations to jump to, for example,

0x0012FC04 + 100 bytes (0x64 bytes).

26
Q

What effect on the exploit flow can the choice of PPR DLL (application vs. system DLLs) have?

A

If OS DLLs are chosen, then there is a slight chance of it not working on other machines. If the application exe is used, then the exploit flow has to be taken care of above the RET overwrite. If an application DLL is used then it can be universal.

27
Q

Why do we do a conditional jump in a limited scenario?

A

Because the pointer to NSEH is in a limited character set which will not accept short jumps.

28
Q

Why do we use add EAX to make it zero?

A

It is simple arithmetic: if number1 AND number2 is zero, then ADD EAX,NUM1 and ADD EAX,NUM2 gives zero.

29
Q

How do we find the bad characters in limited set?

A

It is very difficult to identify the difference between a character conversion and a bad character, as both are generally called bad characters. The former basically gets converted to something else, but the latter just truncates the flow. So it is always good to encode the shellcode using alphanumeric characters.

30
Q

How can we find the offset for conditional jumps in a limited scenario?

A

By taking advantage of charset conversion

31
Q

What if you don’t have a conditional jump?

A

We can walk over the PPR and NSEH to the shellcode.

32
Q

How can we find out if a PPR address cannot be used for the walk-through method (“Unicode method”)?

A

We have to take the PPR value

0x6D7E4331

And assemble it as below,

0012FC00 3143 7E   XOR DWORD PTR DS:[EBX+7E],EAX
0012FC03 6D        INS DWORD PTR ES:[EDI],DX

and look into the EAX and EBX registers to see if they cause an access violation.

33
Q

What is the difference between MSF pattern and bin file comparison?

A

MSF pattern already uses file-compatible characters, so it is always good to do a bin file comparison to see if that particular memory is also subject to the charset limitation.

34
Q

How do we align ESP for executing custom decoded shellcode?

A

It can be aligned based on registers and stack values. The stack can be positioned either at the top, above the RET overwrite, or at the bottom, after the SEH overwrite.

35
Q

Why can the buffer register not be EAX for alpha code?

A

It is because EAX is used in the custom encoder, and it is not possible to fix the value of EAX to the egg hunter starting point as it holds the decoded value.

36
Q

Why do we use alpha3 over metasploit?

A

Because the Metasploit GetPC routine is not alphanumeric.

37
Q

How do we write the custom encoded shellcode?

A

Basically we have to make EAX zero with a few add instructions, then take the 2’s complement and, using sub, recreate those bytes.

38
Q

What’s the issue with using POPAD as opposed to pop?

A

Both can be used, but if the buffer register for the alpha code is used, it might change the offset that was previously calculated and we have to do the math again. Doing the math again with POPAD is also a good way, but the custom decoder has to be written again. Instead pop is used, which is totally acceptable.

39
Q

Do we have to encode final shellcode?

A

Yes and maybe. Yes, using the alpha encoder, if it is part of the SEH overflow, since the characters should not interrupt the SEH chain. Maybe it can be used as-is if it does not interrupt the SEH overwrite chain. If it is below the overwrite we normally don’t have to encode.

40
Q

What are the two major ways of overwriting and exploitation?

A

Direct RET and SEH method

41
Q

What should we do before placing custom encoded code in the stack?

A

First we have to align ESP, then create the custom encoder, and finally run the decoded code.

42
Q

If we can’t adjust ESP by popping any values from the stack, how could we achieve it?

A

By doing some conditional jumps to the top and sliding through NOP-equivalent instructions into the reproduced custom code.

43
Q

How can you get the list of all converted characters?

A

Basically we can take a portion of the byte area, prepend a string, and include it as part of the buffer. Later it can be searched for in Immunity to get to that memory location and find the conversions. “Need more research on this”

44
Q

If a PPR compiled without SafeSEH is not found in an application DLL, what would be the next approach?

A

To search in the OS DLL range

45
Q

How to assemble instructions in the mona plugin?

A

!mona assemble -s "pop eax#inc ebx#ret"

46
Q

How to use the help function in mona?

A

!mona help

47
Q

Mona has a second configuration parameter, allowing you to always exclude certain modules from search operations. How is it set?

A

!mona config -set excluded_modules "module1.dll,module2.dll"
!mona config -add excluded_modules "module3.dll"

48
Q

What are global options in mona?

A

Global options allow you to influence and fine tune the results of any search command that produces a list of pointers.

49
Q

-n global option in mona?

A

If you use option -n, all modules that start with a null byte will be skipped. This will speed up the searches, but it might miss some results because the module might actually contain pointers that don’t start with a null byte. If this behaviour is too broad, and you only want to exclude pointers with null bytes, then you should either use option -cp nonull or option -cpb '\x00' (see below).

50
Q

-o global option in mona?

A

This option will tell mona to ignore OS modules in search operations. As you will see in the documentation of each command, this is often the default behaviour. You will be able to overrule the behaviour using the -cm option (see later).

51
Q

-p global option in mona?

A

This option takes one argument : a numeric value. Option -p allows you to limit the number of results to return. If you only want 5 pointers, you can use option -p 5

52
Q

-m global option in mona?

A

This option allows you to specify the modules to perform the search operation on. If you specify -m, it will ignore all other module criteria (set by option -cm or set as default behaviour for a given command). You can specify multiple modules by separating them with commas.

Example : suppose you want to include all modules that start with “gtk”, all modules that contains “win” and module “shell32.dll”, then this is what the option should look like :

-m "gtk*,*win*,shell32.dll"

53
Q

-cm option in mona?

A

option -cm

This option allows you to set the criteria (c) a module (m) should comply with to get included in search operations.

The available criteria are :

  • aslr
  • rebase
  • safeseh
  • nx
  • os

If you want to include aslr and rebase modules, but exclude safeseh modules, you can use

-cm aslr=true,rebase=true,safeseh=false

(note : this will also include the non-aslr and non-rebase modules). You can use the "true" value to override defaults used in a given command, and you can use "false" to force certain modules from getting excluded.

If you want more granularity, you can use the -m "module1,module2" option (basically tell mona to search in those modules and only those modules).

54
Q

-cp global option in mona?

A

option -cp

The cp option allows you to specify what criteria (c) a pointer (p) should match. pvefindaddr already marked pointers (in the output file) if they were unicode or ascii, or contained a null byte, but mona is a lot more powerful. On top of marking pointers (which mona does as well), you can limit the returning pointers to just the ones that meet the given criteria.

The available criteria are :

  • unicode (this will include unicode transforms as well)
  • ascii
  • asciiprint
  • upper
  • lower
  • uppernum
  • lowernum
  • numeric
  • alphanum
  • nonull
  • startswithnull

If you specify multiple criteria, the resulting pointers will meet ALL of the criteria. If you want to apply "OR" to the criteria, you’ll have to run multiple searches.

We believe this is a very strong feature. Especially with ROP exploits (where large parts of the payload consist of pointers and not just shellcode), the ability to finetune the pointer criteria is very important (and an often missing feature from other search tools).

Example : only show pointers that contain ascii printable bytes

-cp asciiprint

55
Q

-cpb global option in mona?

A

This option allows you to specify bad characters for pointers. This feature will basically skip pointers that contain any of the bad chars specified at the command line.

Suppose your exploit can’t contain \x00, \x0a or \x0d, then you can use the following global option to skip pointers that contain those bytes :

-cpb '\x00\x0a\x0d'

56
Q

-x option in mona?

A

This option allows you to set the desired access level of the resulting pointers. In most cases, pointers should be part of an executable page, but in some cases, you may need to be able to look for pointers (or data) in non-executable areas as well.

The available values for -x are :

  • *
  • R
  • RW
  • RX
  • RWX
  • W
  • WX
  • X

In all cases the default setting will be X (which includes X, RX,WX and RWX)

57
Q

bytearray in mona?

A

The "bytearray" option was implemented to assist exploit developers when finding bad chars. It will produce an array with all bytes between \x00 and \xff (except for the ones that you excluded), and write the array to 2 files :

  • a text file containing the array in ascii format (bytearray.txt)
  • a binary file containing the same array (bytearray.bin)

Optional arguments :

  • b : exclude these bytes from the array
  • r : show the array in reverse (starting at \xff, end at \x00)

!mona bytearray -b '\x00\x0a\x0d'

58
Q

compare in mona?

A

-f : points to a binary file containing the bytes to locate and compare in memory

You can use this command to find bad chars (as explained earlier), but you can also use it to see if your shellcode got corrupted in memory.

You could, for example, write tag+tag+shellcode (egghunter egg) to a binary file and use the compare command to find the eggs and show if they got corrupted or not. If some of them do and others don’t, you’ll know if and how you have to tweak the start location of the hunter, or just use a checksum routine.

59
Q

Various ways to jump according to mona?

A

jmp reg

call reg

push reg + ret (+ offsets)

push reg + pop r32 + jmp r32

push reg + pop r32 + call r32

push reg + pop r32 + push r32 + ret (+ offset)

xchg reg,r32 + jmp r32

xchg reg,r32 + call r32

xchg reg,r32 + push r32 + ret (+ offset)

xchg r32,reg + jmp r32

xchg r32,reg + call r32

xchg r32,reg + push r32 + ret (+ offset)

mov r32,reg + jmp r32

mov r32,reg + call r32

mov r32,reg + push r32 + ret (+offset)

jmp r32

jmp [esp]

jmp [esp+offset]

jmp [r32]

jmp [r32+offset]

60
Q

List of modules which have no SafeSEH and ASLR in mona?

A

This command is a wrapper around the "modules" command. It will show all modules that don’t have SafeSEH and ASLR enabled by calling the modules function with global option -cm safeseh=false,aslr=false.

61
Q

How to find the distance between two registers in mona?

A

This command will show the distance between 2 addresses, and will show the offset in hex which can be used to make a jump forward or backwards.

Mandatory arguments :

  • a1 : the start address or register
  • a2 : the end address or register