lunes, 30 de marzo de 2009

Small tools, Big hearts: A guide to Caring for your little tool

Dear Diary,
Bas always says that exploiting is nothing more than intelligent debugging. I agree, specially because I have probably a couple of weeks ahead schedule for more debugging...

So if that your case too, let me give you a hand:

Let said, you are planning your heap primitive. These days, you have to aim for something like the Lookaside single-list pointer, the Bitmask trick (a.k.a. a free chunk < 1024 and the only entry of that freelist or just a free chunk) or any other of the Brett Moore tricks.

The point is, that you need a special heap layout so when the actual overwrite happens, you modify exactly the chunk you plan to. That takes a lot of time, brain cells and a basket of try-error.
To help you reduce time, we wrote this simple hook script, that has been on ID for years:


!chunkanalizehook -a ADDRESS (exp)
ADDRESS of the place where you want to set a hook
(exp) expression to calculate the chunk address

The basic idea is, you set the script on the code address exactly before the actual overwrite is going to happen, and this will automatically dump you the chunk given by the "expression" argument and the next couple of chunks.
For example, let say you have this piece of code:

402020: MOV EDI,DWORD PTR DS:[EAX]
402022: SHR ECX,2
402025: REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]


When eip points to the opcode 402022, EDI will be the overwriting chunk data. So what you have to is set chunkanalize at the beggining of that chunk

!chunkanalizehook -a 0x402022 EDI - 0x8

And you can now run your exploit, each time that opcode gets executed, you will see on Immunity Debugger Log Window (Alt+L), the heap dump:


034CBC58 > Hit Hook 0x00402022, checking chunk: 0x034cbc58
===============================================
0x034cbc58> size: 0x00000520 (00a4) prevsize: 0x00000050 (000a)
heap: *0x00000000* flags: 0x00000001 (B)
0x034cc178> size: 0x00000410 (0082) prevsize: 0x00000520 (00a4)
heap: *0x00000000* flags: 0x00000000 (F)
next: 0x035fd930 prev: 0x034c0178
0x034cc588> size: 0x000002a8 (0055) prevsize: 0x00000410 (0082)
heap: *0x00000000* flags: 0x00000001 (B)


The first chunk is the overwritting chunk, the second one the one that soon is gonna get modified.
Seems I'm not lucky yet, hopefully you are

Peace,
Nico
PS: Take a look at the python script (PyCommands folder), it can be improved quite easily!

No hay comentarios: