3 Quick Metasploit Tips

1. Grepping msfvenom, msfpayload

To search through Metasploit's payloads from the command line, the obvious thing doesn't work:

./msfvenom -l payloads |grep php

because the listing is written to STDERR, so grep (which only reads the pipe from STDOUT) sees nothing. One way to search Metasploit modules from the command line is to redirect STDERR into STDOUT first:

./msfvenom -l payloads 2>&1 |grep php

2. Using ‘reload’, ‘jobs’, and ‘resource’ for module testing

When I was first modifying Metasploit code, I restarted Metasploit after every change, which takes quite a bit of time and is a pain if you've only made a one-line change. But there's a reload command that just reloads the module you're working on, which is obviously much nicer.

Another couple of commands that are handy for testing are 'jobs' and 'resource'. 'jobs' lists what is currently running in the background (and kills jobs, if you tell it to with -k). 'resource' runs a file of console commands, which execute exactly as if you had typed them into the console. I used 'resource' for unit testing, and when I demo some more complicated attacks that require actual code (coming soon), I'll need to put that in a resource file.

3. Nop sled Generation

I recently ran into an exploit where the binary would look for repeating sequences (e.g. '\x90\x90…'), so I needed a custom nop sled. I also wanted to preserve the values of some registers. I was (coincidentally) pointed at Metasploit's Opty2. The usage is:

> use nop/x86/opty2
msf nop(opty2) > generate -h
Usage: generate [options] length

Generates a NOP sled of a given length.

OPTIONS:

-b The list of characters to avoid: '\x00\xff'
-h Help banner.
-s The comma separated list of registers to save.
-t The output type: ruby, perl, c, or raw.

Calculating an Integer Overflow

I was playing an exploit game yesterday, and had to compute an exact value for an integer overflow, which made me think (when I've run into this before, I've just had to get 'close enough'). In the binary, the user input is compared to the integer 9 with a signed jle, so it has to be at most 9 for execution to continue:

call _atoi
mov [ebp+var_C], eax
cmp [ebp+var_C], 9
jle short loc_8 ; process input and reach overflow

The value is then multiplied by 4 (the size of an int) to make room for up to 9 ints:

shl eax, 2

The shifted value is then used as the n parameter in memcpy:

void *memcpy(void *dest, const void *src, size_t n);

The overflow is possible because the bounds check is a signed jle with no lower bound: a negative input passes the check, and the shl then wraps it modulo 2^32 into whatever small positive size_t you like. It's fairly obvious there is an integer overflow here, and in fact calculating the input so that n is an exact value is also not difficult. In my case I wanted n in the memcpy call to equal exactly 80.

The very first thing I did was look at http://en.wikipedia.org/wiki/Two’s_complement, which I remember having to do in school. It's not complicated, but once you start throwing algebra in… anyway, instead of doing the math I just wrote a wrapper program on the same machine (same compiler, same 32-bit int):

#include <limits.h>
#include <stdio.h>

int main(void)
{
  /* -INT_MAX - INT_MAX + 78 is 80 - 2^32, which wraps to 80 in a 32-bit int.
     Signed overflow is undefined in C, so this relies on the compiler wrapping
     (build with -fwrapv to make that guaranteed). Sanity check: */
  int y = -INT_MAX - INT_MAX + 78;
  printf("%d\n", y);

  printf("%d\n", INT_MAX);
  return 0;
}

which prints

80
2147483647

Then just plop that into a calculator. Remember to divide by 4 to undo the multiply. (Why this works: eax is 32 bits, so shl eax, 2 computes 4n mod 2^32, and since INT_MAX = 2^31 - 1, -INT_MAX - INT_MAX + 78 is exactly 80 - 2^32. Any n with 4n ≡ 80 (mod 2^32) and n ≤ 9 will do; (80 - 2^32)/4 is one of them, and being negative it sails through the signed check.)

>>> (-2147483647*2 + 78)/4.0
-1073741804.0

I entered this in the appropriate place, set a breakpoint on the call to memcpy, and inspected the third argument (n) on the stack:

(gdb) x/d $esp+8
0xbffff2b8: 80
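The calculation above, generalised, as an added example that is not the post's code: a small C program that models the check-and-shift path from the disassembly (signed jle against 9, then shl by 2) in well-defined unsigned arithmetic, solves for an input that wraps the shifted value to any reachable memcpy length, and shows the fixed check beside the vulnerable one. The constants MAX_COUNT and SHIFT come from the disassembly; the function names and the NO_SOLUTION sentinel are assumptions of this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_COUNT   9          /* cmp [ebp+var_C], 9 ; jle          */
#define SHIFT       2          /* shl eax, 2  (x4 = sizeof(int))     */
#define NO_SOLUTION INT64_MIN  /* sentinel returned by solve_input   */

/* The binary's check, bit for bit: a signed compare with no lower bound,
 * then a 32-bit shift. Returns the length memcpy would receive, or -1 if
 * the jle rejects the input. Done in uint32_t so nothing is undefined. */
int64_t vuln_length(int32_t n)
{
    if (n > MAX_COUNT)                  /* signed: every negative n passes */
        return -1;
    return (uint32_t)n << SHIFT;        /* wraps modulo 2^32 like shl eax,2 */
}

/* The same check with the missing lower bound. With n confined to 0..9
 * the shift yields at most 36, so the wraparound is no longer reachable. */
int64_t fixed_length(int32_t n)
{
    if (n < 0 || n > MAX_COUNT)
        return -1;
    return (uint32_t)n << SHIFT;
}

/* Solve (n << shift) == target (mod 2^32) for a signed n <= bound. Only
 * the low 32-shift bits of n survive the shift, so the solutions are
 * target/2^shift + k * 2^(32-shift) for k = 0 .. 2^shift - 1, each
 * reinterpreted as int32. Walking k from the top reproduces the post's
 * -1073741804 for target 80; any candidate passing the bound is usable. */
int64_t solve_input(uint32_t target, unsigned shift, int32_t bound)
{
    if (shift >= 32)
        return NO_SOLUTION;
    uint32_t mult = UINT32_C(1) << shift;
    if (target % mult != 0)             /* low `shift` bits are 0 after shl */
        return NO_SOLUTION;
    uint32_t step = shift ? UINT32_C(1) << (32 - shift) : 0;
    for (uint32_t k = mult; k-- > 0;) {
        uint32_t cand = target / mult + k * step;   /* never exceeds 2^32-1 */
        int32_t n = (int32_t)cand;      /* the same 32 bits atoi leaves in eax */
        if (n <= bound)
            return n;
    }
    return NO_SOLUTION;
}

int main(void)
{
    int64_t n = solve_input(80, SHIFT, MAX_COUNT);
    if (n == NO_SOLUTION) {
        puts("no input reaches that length");
        return 1;
    }
    printf("type this into the program: %" PRId64 "\n", n);
    printf("vulnerable path: memcpy n = %" PRId64 "\n", vuln_length((int32_t)n));
    printf("fixed path:      %s\n",
           fixed_length((int32_t)n) < 0 ? "input rejected" : "input accepted");
    return 0;
}
```

solve_input refuses targets whose low two bits are set (81, say), since no 32-bit value shifted left by two can produce them; that is the same reason the post divides by 4 and gets a whole number.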

Success, we’ve managed to set n to 80. This one took more time to write out than to solve, but hey, maybe it will be useful for someone. Plus I needed a filler today… I have some cool stuff I’m working on, but it won’t be ready until at least next post, or maybe the post after :)
