Friday, March 6, 2009

Reinventing the Wheel

Sometimes you outsmart yourself, or maybe just give yourself too much credit.

I discovered a pretty vanilla stack-based buffer overflow in a product used by a client during a recent A&P assessment, and Rob Carter and I were working out proof-of-concept exploit code. The details of the flaw I can't post yet, but they're somewhat unimportant anyway. As I said, it's pretty vanilla: no /GS, no /SafeSEH, no DEP, no ASLR. The overflow does not allow us to clobber SEH, but does allow us to overwrite local variables that eventually gain us control of a return address and EIP (after supplying some writeable addys and getting around the payload restrictions).

Due to the way the vulnerability works, our payload on the stack gets truncated, so we can't just return to call esi or some such thing and run our shellcode. What we can do is return to the stack and run some small stub that will allow us to hunt for our shellcode in other locations. Our payload in this case is all over the process's heaps.

So here is where outsmarting myself, or giving myself too much credit, comes into play... Rob and I thought, oh, great, let's just write something that queries the PEB for the heap list, and then walks the heaps looking for our payload.

Sounds simple, right? Well, there are a couple of hoops to jump through (which Rob will likely discuss at some point on his blog), but really, it should be. We were pretty stoked when we got it working, but there are still some tweaks to make it reliable that we were working through that made it unreliable on my test systems (but not on Rob's). In any case, I wanted a PoC now, so I pulled up skape's (Matt Miller's) paper on egg hunting and was pretty blown away by the level of detail that went into it. Also, skape's smallest egg hunter really kicked the crap out of me and Rob's in terms of size.

I guess the takeaway is: reinvent the wheel for the learning exercise, and for the off chance that you find something really good, but also realize there are some pretty damn smart people out there, and in a crunch, go read uninformed.org or any skape papers. skape=smart.

-Nate

1 comment:

Rob said...

Posted about the heap-only egg hunter: http://r00tin.blogspot.com/2009/03/heap-only-egg-hunter.html