RCE Messageboard's Regroupment

ASM/OllyDBG assistance needed

openwdb — Sat, 07 Nov 2009 11:34:14 GMT

I need to execute the following asm code using ollydb on an executable

MOV BYTE PTR DS:[6C4D56],1
MOV BYTE PTR DS:[6C4D5A],1

MOV BYTE PTR DS:[7151A0],2
MOV DWORD PTR DS:[7151A2],C4B0DBB8
MOV DWORD PTR DS:[7151A6],0
MOV DWORD PTR DS:[7151AC],FCC8ACCE
MOV DWORD PTR DS:[7151B0],0D8CC

Can anyone tell me what to do with this lines of code?
Screenshot guidance would be much appreciated

debug boot loader in bosch

dion — Fri, 06 Nov 2009 02:50:30 GMT

i've read Ilfak's post about same topic. actually, i am in same need, that is to debug a certain boot loader. i tried to debug it with boschdbg.exe, and setting the image etc... but in the debugger screen, i keep trying to do p(roceed) command until it load, but i cannot really pinpoint where the boot code starts.
anyone knows how to get to the start of boot code in bosch?

thank you

modifying code in memory

Vigual — Thu, 05 Nov 2009 23:32:13 GMT

I'm trying to modify code that has already been loaded into memory. I was hoping to open a crackme so that it is loaded into memeory. Then run a program to patch the crackme in memory. First, I can't seem to open the crackme then open it using the patching program. I don't know if I have the wrong attributes for the CreateFile and MapViewoFile apis. Also, can I just write directly to the memory, or do I need to use a specific api to write to memory like with writing to a file?

below is the code I wrote

This is the DlgProc function

Code:

invoke CreateFile, addr TargetName,\

                        GENERIC_READ+GENERIC_WRITE,\

                        FILE_SHARE_READ+FILE_SHARE_WRITE,\

                        NULL,\

                        OPEN_EXISTING,\

                        FILE_ATTRIBUTE_NORMAL,\

                        NULL

                .if eax!=INVALID_HANDLE_VALUE

                mov hTarget, eax

                call Search

                .endif

This is the Function that searches and tries to write to the memory to patch the crackme

Code:

Search proc

Local ReturnValue :DWORD

mov ReturnValue, 0

invoke GetFileSize, hTarget, NULL

mov FileSize,eax

invoke CreateFileMapping, hTarget, NULL, PAGE_READWRITE, 0,0,NULL

mov hTargetMap, eax

invoke MapViewOfFile, hTargetMap, FILE_MAP_WRITE,0,0,0

mov pTargetMap,eax

mov edi, pTargetMap

mov esi, offset Sequence

mov ecx, FileSize

mov al, byte ptr [Sequence]

dec edi

@@: 

inc edi

dec ecx

cmp byte ptr[edi],al

jne @b

cmp ecx, 0

jz @notfound

push ecx

push edi

push esi

mov ecx, 4

dec esi

dec edi

@a:

inc esi

inc edi

mov bl, byte ptr[esi]

cmp bl,byte ptr[edi]

je @a

cmp ecx, 0

jz @found

pop esi

pop edi

pop ecx

jmp @b



@found:

dec edi

dec esi

mov byte ptr[edi], 4Ch

pop esi

pop edi

pop ecx

mov eax, FileSize

sub eax, ecx

mov ReturnValue, eax

jmp @return



@notfound:

mov ReturnValue,0

jmp @return



@return:

invoke UnmapViewOfFile,pTargetMap

invoke CloseHandle,hTargetMap

mov eax, ReturnValue

Ret

Search EndP



end start

REcon2010?

owl — Thu, 05 Nov 2009 19:40:05 GMT

I know is kind of early to ask this question but my boss keep pushing for an answer. Is there going to be a REcon 2010?

swf exploit

BATMAN — Wed, 04 Nov 2009 21:31:00 GMT

I use Sothic SWF Decompiler and i've got this

Code:

package 

{

    import flash.display.*;

    import flash.events.*;

    import flash.utils.*;

    import fromFactLooks.*;



    public class fromFactLooks extends Sprite

    {



        public function fromFactLooks()

        {

            var readerTypeNot:Loader;

            var sArr:* = new Array();

            sArr[0] = "0x72";

            sArr[1] = "0x63";

            sArr[2] = "0x64";

            sArr[3] = "0x3e";

            sArr[4] = "0xc1";

            sArr[5] = "0xf7";

            sArr[6] = "0x64";

            sArr[7] = "0x62";

            sArr[8] = "0x48";

            sArr[9] = "0xed";

            sArr[10] = "0xdc";

            sArr[11] = "0x49";

            sArr[12] = "0x3e";

            sArr[13] = "0x4b";

            sArr[14] = "0x2f";

            sArr[15] = "0xef";

            sArr[16] = "0x47";

            sArr[17] = "0xd2";

         



           .........................................





            var itsPieceNot:* = new ByteArray();

            var oneNormalThe:Number;

            var alsoThePiece:String;

            var i:Number;

            while (i < sArr.length)

            {

                

                var _loc_2:* = alsoThePiece;

                oneNormalThe = oneNormalThe++;

                itsPieceNot[i] = sArr[i] ^ _loc_2.alsoThePiece["charCodeAt"](oneNormalThe);

                if (oneNormalThe >= alsoThePiece.length)

                {

                    oneNormalThe;

                }

                i = i++;

            }

            readerTypeNot = new Loader();

            addChild(readerTypeNot);

            try

            {

                var _loc_2:* = readerTypeNot["loaderInfo"];

                _loc_2.readerTypeNot["loaderInfo"]["addEventListener"](Event.COMPLETE, function (event:Event) : void

            {

                upUseEver(event, readerTypeNot);

                return;

            }// end function

            );

                var _loc_2:* = readerTypeNot;

                _loc_2.readerTypeNot["loadBytes"](itsPieceNot);

            }

            catch (e:Error)

            {

                trace(e);

            }

            return;

        }// end function



        private function upUseEver(event:Event, C:\Documents and Settings\Loner\Desktop\new\bilder;;fromFactLooks.as:Loader) : void

        {

            trace(event);

            return;

        }// end function



    }

}

How can I get malicious url? What to do next???

Can anybody help with this ?

Attached Files

fromFactLooks.rar (41.0 KB)

URLANDEXIT tag in WMV

evaluator — Wed, 04 Nov 2009 15:03:54 GMT

fake torrent, URLANDEXIT tag inside WMV file contains
http//tpbtrack.com/index.php
which redirects to http//microsoftmedicenter.com/ for dld
codec_update2.7.exe

kill this WEB_page soon. don W!

Attached Files

fake_torr.zip (400.2 KB)

looking for tuts/books/useful links on RE under linux

jcyang — Wed, 04 Nov 2009 12:51:08 GMT

I need comprehensive introduction books/tuts on RE under Linux for referencing while I get stucked by such question,'whats the command to use for dumping the symbol table of one executable'.

So what are your recommendations?

thx in advance.

Can you identify this dongle maker?

thetered — Wed, 04 Nov 2009 05:16:06 GMT

I have a dongle I am trying to emulate, and I dont know who makes it. I'm not sure if you can tell just by how it looks, but I'm including a picture just incase.

http://img29.imageshack.us/img29/6384/image124t.jpg

http://img25.imageshack.us/img25/5868/image123ys.jpg

problems on fenris installtion

jcyang — Tue, 03 Nov 2009 14:31:41 GMT

I am obviously newbie to linux re, after browsing Linux Disaasembler in tools section,I found fenris attract me.

So I download it and try to make and install it,so the problems comes,
[1] try to use 'make install', failed with havn't stripped libc binary.
[2] try the two recommend steps of the first failed step,only get 'we need your gdb information'

could anyone explain what's striping libc?Why do fenris need to strip libc?
And is there anyone who is using fenris now?

thanks.

Processor Module absolute address problems

hwnd — Tue, 03 Nov 2009 03:13:08 GMT

Hello,

I'm having a bit of an issue trying to get specific results from IDA's kernel.
Have been fumbling around with an 8bit MCU and am trying my hand at writing a custom proc module. things are working out so far but i'm having issues with printing labels vs. addr

Expected Output in IDA

Code:

ROM:BAB2                 jsr     LOC_B5DE

ROM:BAB8                 jsr     LOC_D3BA

but i'm getting absolute addresses instead labels. i am struggling trying to understand why it isn't working correctly. the book i'm following doesn't touch on using labels so I'm hoping someone here could point me in the right direction.

Unexported SSDT functions finding method

j00ru vx tech blog — Mon, 02 Nov 2009 22:29:18 GMT

Today, I would like to write about finding the addresses of non-exported kernel functions (syscall handlers) from user mode. The technique I am going to write about is my very own idea, that occured to me during one of my talks regarding Windows x86 kernel exploitation (greetings to suN8Hclf!). Despite this, I cannot guarantee that it hasn't been invented and described by some independent authors a few months/years ago. If some of you - the readers - is aware of a similar publication, please let me know (I will surely publish some supplementary material to this post). Let's get to the point...

The subject of practical vulnerability exploitation of the system kernel or one of its modules is simply too wide to entirely talk it over here. The technical aspects of making use of such vulnerabilities have already been described by a number of researchers, and the results of their work can be found, inter alia, there:

Kernel-mode Payloads on Windows
Remote Windows Kernel Exploitation - Step into the Ring 0
How to exploit Windows kernel memory pool

A basic problem, usually encountered by a newbie reverser lurking in kernel-mode bugs, is how to take advantage of them in practice. When the vuln eventually makes it possible for you to execute your own code in the kernel context and create a relatively stable environment, the question is - what now? In reality, every single functionality we would like to implement, requires some external kernel functions to be used. In 99% cases, the module being imported from is simply NTOSKRNL.EXE (or any other kind of the kernel executable image). Many methods of finding its base address are available (i.e. Finding NTOSKRNL.EXE Base Address @ Uninformed), that are mostly suitable for our purposes - hence I will not cover this subject today.

The next step towards creating a fully functional payload is obtaining the virtual addresses of specific functions we want to use. In the simpliest scenario, where we are only about to operate on exported functions, all we need is an easy way of parsing the internal Portable Executable structures, which can be implemented in "a few" lines, in fact. A very common enhancement is introducing a hash routine, used to convert long symbol names into short 16-32 bit values (as representative as the names themselves). The hashing algorithm doesn't have to be complex at all - one simple bit operation like shifting is fairly enough for our purposes:

Code:

; ASSUMPTIONS: ESI = string to hash (input)

; EAX = return value (output)

;

GenerateNameHash:

  xor eax, eax ; Zero out the EAX (hash) value



@HashLoop:

  rol eax, 13 ; Rotate left by one

  xor al, byte [esi] ; Xor with the current char



  inc esi ; Increment pointer

  cmp byte [esi], 0 ; Check if NULL

  jnz @HashLoop ; If not, carry on

  ret ; EAX is already set, we have nothing to do - return

In most cases, we don't even require more than the less-significant 16 bit part of the function's result, therefore a great memory saving can be noted here. Whether such an optimization is necessary depends on the type of the vulnerability we're dealing with, however we usually want to reduce the payload size to absolute minimum. All in all, what we are considering now is just getting access to publicly available addresses of the kernel image, which is not very hard to achieve. In my opinion, a much more interesting subject for a potential research would be searching for internal functions, not exported by the kernel in any way. In this case, we are forced to use harder techniques, based mostly on the particular operating system versions etc. Despite the fact that there aren't too many universal problem solutions, some specific situations exist, in which we are able to get the address of a given internal function, under some special conditions.

In this particular case, the aforementioned conditions means functions belonging to SSDT (System Service Descriptor Table) - a simple array, containing pointers to functions responsible for handling various kinds of system calls triggered by user's applications. Most of the syscall handlers are not directly exported by the kernel, though they turn out to be very useful when creating some advanced ring-0 payload. Furthermore, what should be noted, is that obtaining the address of an SSDT function is a trivial task from a driver's level, provided we know the system call's ID. In such case, the only "problem" is the way of retrieving the system version, in order to match a corresponding function number.

The same task is yet not so easy in user mode - here, the only solutions known by me are based on heuristic ideas, hence they cannot be considered 100% reliable regardless of the Windows version. What you can see below is a list of respective stages performed by an exemplary application, illustrating the method I am writing about:

Loading the kernel image into our process context - because of the fact that the NTOSKRNL.EXE file contents will be extensively used in the near future, we have to load it to the user-mode part of the process address space. Doing so makes it possible for us to refer "local" addresses of the exported functions in an easy and clean manner, thus lets us calculate the offset of any address, against the real kernel ImageBase. Since we are not treating the loaded image us a typical DLL library, we must ensure than no undesired operations are performed (such as calling the executable's EntryPoint as if it was regular DllMain), but loading the file contents to memory. Thanks to the extended LoadLibraryEx functionality, we can use the DONT_RESLOVE_DLL_REFERENCES flag and avoid any unwanted side effects, as described:

If this value is used, and the executable module is a DLL, the system does not call DllMain for process and thread initialization and termination. Also, the system does not load additional executable modules that are referenced by the specified module.

Choosing one, specific function that can be easily found inside SSDT, as well as on the kernel export list, i.e. NtCreateFile, NtCreateEvent, NtConnectPort, NtClose. This function is considerably important for us, since we know its exact address in the kernel-side memory (based on the real and "temporary" kernel ImageBase addresses), and we are able to designate addresses of any other SSDT function, providing we know its SyscallId value (can be dynamically obtained).

Retrieving the ImageBase and ImageSize values of the loaded image, which can be done using one of the Process Status API function, that is - GetModuleInformation.

Getting the real system kernel address, required to point out the place of every function we are interested in. In this case, two functions seem especially useful - EnumDeviceDrivers and GetDeviceDriverBaseName (PSAPI). Using them, we can list and filter all the active kernel modules, including the kernel itself. The following piece of code aims to illustrate how the real ImageBase value is being queried:

Code:

DWORD GetDriverBaseAddr(const char* BaseName) { static LPVOID BaseAddresses[4096]; // XXX: let's assume there are at most 4096 active device drivers DWORD cbNeeded; /* Get a list of all the drivers' Image Base Addresses */ if(!EnumDeviceDrivers(BaseAddresses,sizeof(BaseAddresses),&cbNeeded)) return 0; CHAR FileName[MAX_PATH]; /* Go thru the entire list */ for( int i=0;i<(int)(cbNeeded/sizeof(LPVOID));i++ ) { /* For each image base, retrieve the driver's name */ GetDeviceDriverBaseNameA(BaseAddresses[i],FileName,sizeof(FileName)); /* In case of the current module being kernel, return its base */ if(!_stricmp(FileName,BaseName)) return (DWORD)BaseAddresses[i]; } /* Should never get here */ return 0; }

Scanning the memory of the already-loaded kernel image (user-mode) in search of the chosen function's address (it is NtCreateFile for us). It is first - and the only - phase of the algorithm, presenting a heuristic approach. Its task is to find a place inside SSDT, where the exported function's pointer is stored. This technique could possibly lead to false positives under certain conditions (when finding more than one matching signature), hence it is strongly advices to introduce some additional conditions to check. As we know that the only satisfying result is a place inside SSDT, we can assume that the adjacent values should also point inside the NTOSKRNL.EXE memory range. As it turns out, the above conditions are quite enough to reduce the false positives' number to zero (on every Windows versions tested by me). Here's the code, performing the described memory scanning:

Code:

for( PUCHAR i=(PUCHAR)KernelImageStart;i<(PUCHAR)KernelImageEnd-sizeof(DWORD);i++ ) { if(( *(DWORD*)(i+0) == SearchedFunctions[0].Address ) && ( *(DWORD*)(i-4) >= OrgKernelStart && *(DWORD*)(i-4) <= OrgKernelEnd ) && ( *(DWORD*)(i+4) >= OrgKernelStart && *(DWORD*)(i+4) <= OrgKernelEnd ) ) { printf("[+] Function pointer found at [0x%.8x]\n",(UINT)i); SearchedFunctions[0].SsdtAddress = (DWORD)i; break; } }

Reading the system call ID numbers of the functions of interest. There is a very easy and reliable way of reading the system call number for any NTDLL wrapper, without any need to check the operating system version, or (what's even worse), defining some static SyscallIds in the source. What we are taking advantage of is a specific build of the routines passing execution to kernel, which can be observed in the 2 following examples:

Code:

.text:7C90D090 ; __stdcall NtCreateFile(x, x, x, x, x, x, x, x, x, x, x) .text:7C90D090 _NtCreateFile@44 proc near .text:7C90D090 .text:7C90D090 B8 25 00 00 00 mov eax, 25h .text:7C90D095 BA 00 03 FE 7F mov edx, 7FFE0300h .text:7C90D09A FF 12 call dword ptr [edx] .text:7C90D09C C2 2C 00 retn 2Ch

and

Code:

.text:7C90D580 ; __stdcall NtOpenFile(x, x, x, x, x, x) .text:7C90D580 _NtOpenFile@24 proc near .text:7C90D580 .text:7C90D580 B8 74 00 00 00 mov eax, 74h .text:7C90D585 BA 00 03 FE 7F mov edx, 7FFE0300h .text:7C90D58A FF 12 call dword ptr [edx] .text:7C90D58C C2 18 00 retn 18h

As presented, we are able to obtain the syscall number by reading the 32-bit instruction operand from the [FunctionAddress+1] address. This is strongly related to the fact, that the first NTDLL wrapper function instruction is always

Code:

mov eax, SYSCALL_ID

where SYSCALL_ID is a complete, 32-bit number.
In our case, the code responsible for retrieving the number of respective functions could look like this:

Code:

/* Get the SyscallId values for each function from the user-mode (ntdll.dll) code */ for( ULONG i=0;SearchedFunctions[i].FunctionName;i++ ) { HMODULE hNtdll = GetModuleHandle("ntdll.dll"); FARPROC pFunc = GetProcAddress(hNtdll,SearchedFunctions[i].FunctionName); /* Ignore invalid entries */ if(pFunc==NULL) continue; SearchedFunctions[i].SyscallId = *(DWORD*)(((DWORD)pFunc)+1); }

Recalculating the SSDT functions' addresses by performing the following steps:
- Getting a pointer value from the address:
  
  Code:
  
  (BaseFunction.Address + (BaseFunction.SyscallId - CurrentFunction.SyscallId)*sizeof(PVOID))
  
  this is, the address constructed by moving the base routine address (NtCreateFile) back or forward, depending on the search function's number.
- Converting the pointer to kernel-memory address:
  
  Code:
  
  CurrentFunction.KernelAddress = CurrentFunction.Address - LocalKernelImageBase + RealKernelImageBase

By performing the above steps, we can obtain the address of any system call handling function, on the condition that we have its user-mode correspondent exported by ntdll.dll (it is not necessary if we decide to use constant SyscallId numbers). What should be noticed is that the described method only enables us to get some kernel functions' addresses - we are still forbidden to read or modify the memory pointed by these addresses. Because of this, the technique itself is not useful in the context of i.e. SSDT table contents validation check. However, it makes it lot easier for us to calculate and integrate the addresses with our shellcode yet before the exploitation process, which in turn improves the exploit writing comfort.

Some source code illustrating, how the described technique works, is available here (3kB).

Have fun && leave some comments! ;)

http://j00ru.vexillium.org/?p=222&lang=en

Opening .Net Application Error

Noobers — Sun, 01 Nov 2009 23:47:56 GMT

Im getting this error when im trying to open a basic .net application.

My System

Vista 64bit Home Pre

Visual Dialog Script V6.0

peterg70 — Sun, 01 Nov 2009 02:35:51 GMT

Anyone looked at this before.

Came across a small utility that uses this Visual Dialog Script program.
Quick look it uses a VDSRUN60.DLL file which has a RunScript inside it.
Script is stored in the executable in a Resource Text\Script.

Thought there might be a decompiler etc around for it?

Happy 25th Anniversary Fab.

5aLIVE — Sat, 31 Oct 2009 18:24:32 GMT

On this Hallows’ Eve, RCE forum member Frank Rizzo celebrates his 25th anniversary as his alter ego known as Fabulous Furlough from The Humble Guys.

Happy 25th Frank.:)

inetinfo.exe crash

NMI — Sat, 31 Oct 2009 13:22:41 GMT

hi every1. i have a question about iis FTP bug that occure when name of path be very long. i use Immunity for find return address . attache inetinfo.exe and run it with f9. but when i want to run exploit from other host nothing happens.
when i don't attach inetinfo.exe exploit works .
how can i see runtime process of inetinfo.exe?