reversing

Executing Shellcode via Callbacks

What is a Callback Function?

In simple terms, itā€™s a function that is called through a function pointer. When we pass a function pointer to the parameter where the callback function is required, once that function pointer is used to call that function it points to itā€™s said that a call back is made. This can be abused to pass shellcode instead of a function pointer. This has been around a long time and there are so many Win32 APIs we can use to execute shellcode. This article contains few APIs that I have tested and are working on Windows 10.

Analyzing an API

For example, letā€™s take the function EnumWindows from user32.dll. The first parameter lpEnumFunc is a pointer to a callback function of type WNDENUMPROC.

The function passes the parameters to an internal function called EnumWindowsWorker.

The first parameter which is the callback function pointer is called inside this function making it possible to pass position independent shellcode.


(more…)

Data Packing

I was doing some random experiments using assembly and C. This is a simple example in packing 2 numbers inside a register in assembly. Let’s assume

$latex al < 2^{5}&bg=232225&fg=bbbbbb&s=4$
$latex bl < 2^{3}&bg=232225&fg=bbbbbb&s=4$

We want to store these 2 values inside the dl register. The dl register is of 8 bits, so 5 + 3 = 8 bits

Packing

1
2
3
4
; al < 2 ^ 5, bl < 2 ^ 3
mov al, bl
shl dl, 3
or  dl, bl  ; xor would also work fine

Unpacking

1
2
3
4
5
mov cl, dl   ; Make a copy of dl
and dl, 111b ; Extract lowest 3 bits (b)
mov bl, dl
shr cl, 3    ; Extract highest 5 bits (a)
mov al, cl

(more…)

Hiding Data Inside Memory Addresses

This is a small finding I found while I was experimenting on pointers in C. Usually in C the arithmetic on pointers depend on the size of the data types. If we initialize a int variable, the compiler will allocate 4 bytes in memory since its 32 bits. I assume you are well aware of these basics in C šŸ™‚ I wanted to store data inside the empty addresses allocated by int data type. This is a bit challenging in a high level programming language. Of course using inline assembly I could have achieved this. But I wanted to achieve this using native C operators.
To understand this letā€™s begin from a simple approach.

1
2
3
4
5
6
7
8
9
10
#include <stdio.h>
 
int main() {
unsigned int var  = 100;
unsigned int var2 = 200;
printf("%u\n",var);
printf("%u\n",var2);
}

(more…)

Getting Shellcode from ARM Binaries

For x86 and x86_64 there are already commands for extracting shellcode and printing them nicely formatted. But when it comes to ARM none of them work would because of the way objdump would dump the opcodes. For example if this is my sample program:

.section .text

.global _start



_start:



    .code 32

    # Thumb-Mode on

    add     r6, pc, #1

    bx  r6



    .code   16

    # _write()

    mov     r2, #7

    mov r1, pc

    add r1, #12

    mov     r0, $0x1

    mov     r7, $0x4

    svc     0



    # _exit()

    sub r0, r0, r0

    mov     r7, $0x1

    svc 0



.ascii "Osanda\n"

(more…)

Solving Root-me Ptrace challenge

You can find the challenge from here. The challenge is to find the password for the elf 32 binary. This is how this looks at a glance.

View post on imgur.com


Letā€™s fire up GDB and check this out. Iā€™ll break main and run. We can see that arguments to ptrace() function is being pushed on the stack and ptrace is being called.

=> 0x080483fe <+14>:	sub    esp,0x14

   0x08048401 <+17>:	mov    DWORD PTR [ebp-0xc],0x80c2888

   0x08048408 <+24>:	push   0x0

   0x0804840a <+26>:	push   0x1

   0x0804840c <+28>:	push   0x0

   0x0804840e <+30>:	push   0x0

   0x08048410 <+32>:	call   0x8058a70 <ptrace>

(more…)

Egg Hunting Fun

In this vacation IĀ thoughtĀ of learning to use egg hunters in exploit development. This is just a small write up just after successful exploitation of my meterpreterĀ reverse_tcpĀ shellcode. This is the original exploit which was published in 2010 http://www.exploit-db.com/exploits/15834/. I wanted to implement a egg hunter code to search our shellcode with our tag throughout the heap, stack, etc. Egg hunters are used when we have a limited buffer space.

Download the vulnerable Kalbri server: http://www.exploit-db.com/wp-content/themes/exploit/applications/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip

I assume you have a good knowledge on developing stack based buffer overflow exploits, about registers, little-endianness,etc which is the very basics.

I developed this exploit under Windows XP SP2 using the USER32.dll which is a operating system dll to find a jump to esp (JMP ESP) command. This application doesn’t use any dlls so this is a platform dependent exploit.

As I mentioned earlier this is very brief Ā write up. Ā The offset is at 515 bytes . Our plan is toĀ overwriteĀ the EIP register with our JMP ESP address and we want jump back 60 bytes backwards to the starting point of our hunter so that it would be executed. Then it would search everywhere inside theĀ memory to find the tag and execute our shellcode. Opcode for jmp is EB and 60 bytes back means -60 is C4 so the shellcode would be \xeb\xc4.

(more…)