FSExploitMe.html
438 lines (403 loc) · 22.4 KB
<!--
FSExploitMe.html -
By Brad.Antoniewicz@foundstone.com
A purposely vulnerable ActiveX control for learning exploitation.
Please see the Readme.txt
This is the main interface to FSExploitMe - Provides Lessons, etc...
SPOILER ALERT: You can easily come across the answers to the questions by viewing
this source. Don't be a jerk and cheat :)
On a side note.. supporting IE8 sucks
-->
<!--[if lt IE 9]>
<html class="lt-ie9" lang="en" >
<![endif]-->
<!--[if gt IE 8]><!-->
<html class="no-js" lang="en">
<!--<![endif]-->
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<!--
Using Foundation (http://foundation.zurb.com/) to make things pretty.
Yes, I know Foundation is a "mobile-first" framework and this will never be
viewed on a mobile device.. :)
-->
<!--[if lt IE 9]>
<link rel="stylesheet" href="css/foundation4/foundation.css"/>
<link rel="stylesheet" href="css/foundation4/fixes/ie8-foundation-tmayr-fix2.css"/>
<script src="js/foundation4/vendor/custom.modernizr.js"></script>
<style type="text/css">
.divider { display: none;}
.menuitem { padding-right: 16px; }
</style>
<![endif]-->
<!--[if gt IE 8]><!-->
<link rel="stylesheet" href="css/foundation5/foundation.css" />
<script src="js/foundation5/vendor/modernizr.js"></script>
<!--<![endif]-->
<link rel="stylesheet" href="css/FSExploitMe.css" />
</head>
<body>
<!-- Loads FSExploitMe.ocx -->
<object classid="clsid:00242CC8-A637-4311-AC16-D7B8632104DE"
codebase="FSExploitMe.ocx" id="FSExploitMe">
<BR><BR>
<h1>This only works with Internet Explorer</h1>
<b>You're going to have to allow Internet Explorer to run this ActiveX control by
clicking the Information Bar and selecting "Allow Blocked Content" and/or clicking
"Yes" to the pop-up that says "[stuff]. Do you want to allow this interaction?"<BR><BR>
If you did that already and are still seeing issues, you likely need to install the <a href="http://www.microsoft.com/en-us/download/details.aspx?id=5555">Microsoft Visual C++ 2010 Redistributable Package (x86)</a>.</b>
<br><BR><BR><BR><BR><BR>
</object>
<!-- Call ActiveX methods from JavaScript rather than directly via onClick -->
<script src="js/Utils.js"></script> <!-- Various String Utilities -->
<script src="js/Answers.js"></script>
<script src="js/Lesson2.js"></script> <!-- File to be edited for Lesson 2 -->
<script src="js/Lesson3.js"></script> <!-- File to be edited for Lesson 3 -->
<div class="row">
<div class="twelve columns">
<nav class="top-bar">
<ul class="title-area">
<li class="name">
<h1><a href="javascript:unhide('divLessonIntro')">FSExploitMe</a></h1>
</li>
</ul>
<section class="top-bar-section">
<ul class="right">
<li class="divider"></li>
<li class="menuitem"><a href="javascript:unhide('divLesson1');">Lesson 1</a></li>
<li class="divider"></li>
<li class="menuitem"><a href="javascript:unhide('divLesson2');">Lesson 2</a></li>
<li class="divider"></li>
<li class="menuitem"><a href="javascript:unhide('divLesson3');">Lesson 3</a></li>
</ul>
</section>
</nav>
</div>
</div>
<div class="row">
<div class="large-12 twelve columns">
<div id="divLessons">
<div id="divLessonIntro" class="unhidden">
<h1>Welcome!</h1>
<p>
FSExploitMe is a purposely vulnerable <a href="http://www.microsoft.com/security/resources/activex-whatis.aspx">ActiveX
Control</a> to teach you about reverse engineering, vulnerability analysis, and exploitation on Windows. It's written to
support Internet Explorer, specifically IE8 and above, and has been tested on 32-bit/64-bit Windows 7. Might explode on Windows 8.
</p>
<p>
FSExploitMe is brought to you by <a href="http://www.foundstone.com/">Foundstone</a> and <a href="https://github.com/OpenSecurityResearch">Open Security Research</a> with inspiration from those <a href="http://www.trailofbits.com/">Trail of Bits</a> rock stars!
</p>
<h2>FSExploitMe Setup</h2>
<p>
<b>Important:</b> This makes your web browser vulnerable to attack. It's recommended to load it into a VM with no Internet access.
</p>
<p>
This is mostly a self-contained tutorial; however, there is some setup required. You'll need to copy <code>FSExploitMe.pdb</code> to the <code>C:\Windows\Downloaded Program Files</code> folder and within WinDbg run:
</p>
<ul>
<li><code>.sympath+ C:\Windows\Downloaded Program Files</code></li>
</ul>
<p>
You'll also need to install the <a href="http://www.microsoft.com/en-us/download/details.aspx?id=5555">Microsoft Visual C++ 2010 Redistributable Package (x86)</a>.
</p>
<h2>Background</h2>
<p>Throughout these lessons we'll be introducing you to some of the basics of using WinDBG and IDA Pro. In order to get running, download and install the following:</p>
<ul>
<li>Debugging Tools for Windows</li>
<li><a href="https://www.hex-rays.com/products/ida/support/download.shtml">IDA Pro Free/Evaluation Versions (Either will do)</a></li>
</ul>
<p>Here are some tutorials if you've never used WinDBG:</p>
<ul>
<li><a href="http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html">WinDBG: Installation, Interface, Attaching, Help, Modules, and Registers</a></li>
<li><a href="http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-2.html">WinDBG: Breakpoints</a></li>
<li> <a href="http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-3.html">WinDBG: Inspecting memory, stepping through programs, and general tips/tricks</a></li>
<li><a href="https://www.youtube.com/watch?v=_ACDiW2I4ns">Dynamic Analysis with WinDBG and IDA (Video)</a></li>
</ul>
<p>If you're confused by these characters: <code>EAX ESP EIP</code>, then you may need to brush up on your x86:</p>
<ul>
<li><a href="http://opensecuritytraining.info/IntroX86.html">Open Security Training: Introductory Intel x86</a></li>
</ul>
<p>Good starting point if you're new to security:</p>
<ul>
<li><a href="http://isislab.github.io/Hack-Night/">NYU Poly ISIS Lab's Hack Night</a></li>
</ul>
</div>
<!-- Lesson 1 -->
<div id="divLesson1" class="hidden">
<h1>Lesson 1: WinDBG Hoops!</h1>
<p>We're going to be using WinDBG a bunch. So our first task is to get you used to some commands. Be sure to enable symbols in WinDBG by going to File->Symbols and adding <code>SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols</code>.
</p>
<h2 id="L1Q">Questions</h2>
<p>Attach WinDbg to this IE tab, set a breakpoint at <code><script>document.write(WinDbgFuncAddr)</script></code>, resume execution (<code>g</code>) then <a href="#L1Q" onclick="javascript:WinDbg()">click here</a> to trigger the breakpoint. From there answer the following questions. You won't be able to interact with IE unless you resume execution. You can trigger the breakpoint multiple times.</p>
<div class="large-10 large-centered ten columns panel">
<ol>
<li id="L1Q1">
What address is <code>FSExploitMe.ocx</code> loaded at?
<script>document.write(L1A1Txt);</script>
</li>
<li id="L1Q2">
How large is the stack?
<script>document.write(L1A2Txt);</script>
</li>
<li id="L1Q3">
What is the starting address of the Process Heap?
<script>document.write(L1A3Txt);</script>
</li>
<li id="L1Q4">
What is the value of EIP?
<script>document.write(L1A4Txt);</script>
</li>
<li id="L1Q5">
Issue the command <code>u eip L10</code> - how much space is allocated for local variables on the stack?
<script>document.write(L1A5Txt);</script>
</li>
<li id="L1Q6">
Execute 5 instructions with <code>t 5</code> - what is the string value that's pointed to at the top of the stack?
<script>document.write(L1A6Txt);</script>
</li>
<li id="L1Q7">
<a href="#L1Q7" onclick="javascript:WinDbg()">Trigger the breakpoint</a> then execute 11 instructions with <code>p b</code> - this is the start of a loop; using only the instruction at <code>eip</code>, what is a valid guess as to how many times the loop will run?
<script>document.write(L1A7Txt);</script>
</li>
<li id="L1Q8">
Execute all instructions up until the function's return with <code>pt</code> - what is the decimal value returned by the function?
<script>document.write(L1A8Txt);</script>
</li>
<li id="L1Q9">
Is the value pointed to by <code>esi</code> on the Stack, Heap, or within the Text Segment?
<script>document.write(L1A9Txt);</script>
</li>
</ol>
</div>
<h2>Basics</h2>
<p>When you double-click an executable, the operating system loads the program code defined in the executable
from disk into memory, and the CPU reads the code in memory to execute the functions of the program. To keep
track of what code the CPU is executing, the CPU maintains an internal variable (register) called <code>EIP</code>
which always points at the area in memory of the code being run. </p>
<p>The "code" is in the <a href="http://en.wikipedia.org/wiki/Assembly_language">Assembly Language</a> where
the bytes (opcodes/instructions) of the program represent simple operations for the CPU to perform. The CPU
executes instructions very quickly. In fact, so quickly that if it needed to perform an operation on a value
stored in the system's memory, directly accessing that value in memory would cause a significant performance
impact. To get around this issue, the CPU loads values from system memory into special memory available within
the CPU itself. For each instruction, the CPU places the applicable value into a "general purpose" variable
(register) which is then used to complete the operation. Depending on the platform, there are a set number of
general purpose registers available within the CPU. On <a href="http://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture">
x86 systems</a>, there are 8: <code>EAX, ECX, EDX, EBX, ESP, EBP, ESI and EDI</code>. These registers are called
general purpose, but some of them have very specific uses. For instance, the <code>ESP</code> and <code>EBP</code>
registers always point to the top and bottom of the current function's stack frame. <code>ESI</code> and <code>EDI</code>
are used to point to the source and destination in a stream operation. <code>EAX</code> is used a little more
generally. It is also commonly used to store the return value of a function. </p>
<p>Inspecting an executable at the assembly level requires the use of a debugger or disassembler. We'd use a
debugger like WinDbg to interact with the program while it's running, and a disassembler like IDA Pro to view it
while it's not running.</p>
<h2>Attaching</h2>
<p>Our ActiveX Control (<code>FSExploitMe.ocx</code>) gets loaded as a module into Internet Explorer's memory space.
In order for us to debug the ActiveX Control, we need to load WinDBG and then "Attach" it to the
Internet Explorer process. Attaching to the process essentially freezes Internet Explorer so that the user
can use WinDBG to inspect the state of the program. WinDBG is more or less useless unless it's attached to a
process for debugging.</p>
<p>Internet Explorer has a main process and then a separate process for each tab. Assuming you just have one
tab open for this, attach to the second process by going to File - "Attach to a process" within WinDBG.
Once WinDBG attaches it will list out all of the loaded modules. Alternatively, you can use the <code>lm</code>
or <code>lmf</code> commands.</p>
<p>Keep in mind, this window will be "frozen" - in order to interact with it again, just enter <code>g</code> in the
command input field of WinDBG and hit enter.</p>
<img src="img/WinDBG-CmdWindow.png"/>
</div>
<!-- Lesson 2 -->
<div id="divLesson2" class="hidden">
<h1>Lesson 2: Sploitin' the Stack</h1>
<p>
In this lesson we'll look to understand how the Stack works, how to triage stack-based vulnerabilities, and how to exploit them!
</p>
<h2 id="L2Q">Questions</h2>
<h3>Stack Behavior</h3>
<p>Attach WinDbg to this IE tab, set a breakpoint at <code><script>document.write(StackTimeFuncAddr)</script></code>, resume execution (<code>g</code>) then <a href="#L2Q" onclick="javascript:StackTimeSetup()">click here</a> to trigger the breakpoint. From there answer the following questions. You won't be able to interact with IE unless you resume execution. You can trigger the breakpoint multiple times.</p>
<div class="large-10 large-centered ten columns panel">
<ol>
<li id="L2Q1">
What is the address of the first instruction in the calling function?
<script>document.write(L2A1Txt);</script>
</li>
<li id="L2Q2">
How many arguments are passed to the function where the breakpoint is set?
<script>document.write(L2A2Txt);</script>
</li>
<li id="L2Q3">
What might the function declaration and call look like? (e.g. <code>func(string a, int b)</code>).
<script>document.write(L2A3Txt);</script>
</li>
</ol>
</div>
<h3>Crash Triage</h3>
<p> <b>Important:</b> The links in the questions will crash your browser! Be sure to have WinDbg attached!</p>
<div class="large-10 large-centered ten columns panel">
<ol>
<li id="L2Q4">
<a href="#L2Q4" onclick="javascript:StackSMASH(2000)">Smash the stack</a> - what registers <b>contain</b> attacker-controlled data?
<script>document.write(L2A4Txt);</script>
</li>
<li id="L2Q5">
<a href="#L2Q5" onclick="javascript:StackSMASH(2000)">Stomp the stack</a> - what registers <b>point to</b> attacker-controlled data?
<script>document.write(L2A5Txt);</script>
</li>
<li id="L2Q6">
<a href="#L2Q6" onclick="javascript:StackSMASH(514)">This time</a>, we'll send less data to the function - what is the address of the function that contains the vulnerability?
<script>document.write(L2A6Txt);</script>
</li>
<li id="L2Q7">
Set a breakpoint at the vulnerable function, then <a href="#L2Q7" onclick="javascript:StackSMASH(514)">trigger it again</a> - what is the size of the overflown buffer?
<script>document.write(L2A7Txt);</script>
</li>
</ol>
</div>
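The bug class behind the crash-triage questions above, as an added illustration in C that is not part of FSExploitMe (the control's own code is not reproduced here): a fixed-size stack buffer filled by an unbounded copy, beside the bounds-checked version that refuses oversize input. The 64-byte buffer and the input lengths are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for this illustration only; the control's real
   buffer size is one of the lesson's answers and is not reproduced here. */
#define BUF_SIZE 64

/* VULNERABLE: an unbounded copy into a fixed-size stack buffer. Input of
   BUF_SIZE bytes or more runs past the buffer into the saved frame pointer
   and return address above it, which is the "stack smash" the triage
   questions observe. Calling it with oversize input is undefined
   behaviour; it is shown for comparison and never executed here. */
size_t copy_unbounded(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);             /* no length check: the defect */
    return strlen(buf);
}

/* HARDENED: check the length against the buffer (leaving room for the
   terminating NUL) before copying. Returns the number of bytes copied,
   or (size_t)-1 when the input was refused. */
size_t copy_bounded(const char *input)
{
    char buf[BUF_SIZE];
    size_t len = strlen(input);

    if (len >= BUF_SIZE)            /* would not fit: refuse, do not truncate */
        return (size_t)-1;

    memcpy(buf, input, len);        /* bounded by the check above */
    buf[len] = '\0';
    return strlen(buf);
}

/* Probe helper: builds a constructed input of n 'A' bytes (n < 256) and
   runs it through copy_bounded, so the boundary can be tested directly. */
size_t copy_bounded_len(size_t n)
{
    char tmp[256];
    if (n >= sizeof tmp)
        return (size_t)-1;
    memset(tmp, 'A', n);
    tmp[n] = '\0';
    return copy_bounded(tmp);
}

int main(void)
{
    printf("5-byte input copied: %zu bytes\n", copy_bounded("hello"));
    printf("63-byte input copied: %zu bytes\n", copy_bounded_len(63));
    printf("64-byte input refused: %s\n",
           copy_bounded_len(64) == (size_t)-1 ? "yes" : "no");
    return 0;
}
```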
<h3>Lab: Exploit!</h3>
<p>Modify the functions within <code>js/Lesson2.js</code> to complete this section. See the function comments within the file for more information. Be sure DEP is disabled:</p>
<ul>
<li>From an elevated command prompt, execute <code>bcdedit.exe /set nx AlwaysOff</code> and reboot.</li>
</ul>
<div class="large-10 large-centered ten columns panel">
<ol>
<li id="L2Q8">
Modify <code>L2Exercise1()</code> to pass <code>msfPatternString</code>. <a href="#L2Q8" onclick="javascript:L2Exercise1();">Trigger the vulnerability</a>, at what offset is EIP overwritten?
<script>document.write(L2A8Txt);</script>
</li>
<li id="L2Q9">
Modify <code>L2Exercise1()</code> to fill the stack with <code>41</code> and overwrite <code>eip</code> with <code>42424242</code>.
<script>document.write(L2A9Txt);</script>
</li>
<li id="L2Q10">
What is the address of a <code>jmp esp</code> (<code>ff e4</code>) instruction within the memory space allocated to <code>FSExploitMe</code>?
<script>document.write(L2A10Txt);</script>
</li>
<li id="L2Q11">
Modify <code>L2Exercise1()</code>, replace <code>42424242</code> with the address of <code>jmp esp</code> and add in the shellcode.
<script>document.write(L2A11Txt);</script>
</li>
<li id="L2Q12">
How does the instruction at <code><script>document.write(StackRet4)</script></code> change our exploit?
<script>document.write(L2A12Txt);</script>
</li>
<li id="L2Q13">
Structure the filler, <code>jmp esp</code>, and shellcode in <code>L2Exercise1()</code>. <a href="#L2Q13" onclick="javascript:L2Exercise1();">Click Here</a> to launch calc! <a href="#L2Q13" class="hint" onclick="javascript:toggle('L2A13');">Answer</a><br>
<script>document.write(L2A13Txt);</script>
</li>
</ol>
</div>
<h3>Fly Birdie</h3>
<p>We stop holding hands in the next question - Go for it!
</p>
<div class="large-10 large-centered ten columns panel">
<ol>
<li id="L2Q14">
<a href="#L2Q14" onclick="javascript:L2Exercise2();">Click Here</a> to call <code>L2Exercise2()</code>. "Use IDA" is the only help you'll get :)
<script>document.write(L2A14Txt);</script>
</li>
</ol>
</div>
</div>
<!-- Lesson 3 -->
<div id="divLesson3" class="hidden">
<h1>Lesson 3: Heap Load of Fun</h1>
<p>
In this lesson we'll take a look at what objects look like on the heap, then triage and exploit a use-after-free!
</p>
<h2 id="L3Q">Questions</h2>
<p>Enable the page heap and user mode stack trace. From an elevated command prompt run:</p>
<pre>
"<script>document.write(WinDbgPath)</script>gflags.exe" /i iexplore.exe +hpa +ust
</pre><br>
<h3>Heap Objects</h3>
<p>Set a breakpoint at <code><script>document.write(StackTimeHeapAddr)</script></code>. Resume execution (<code>g</code>) and <a href="#L3Q" onclick="javascript:StackTimeSetup()">click here</a> to trigger the breakpoint.</p>
<div class="large-10 large-centered ten columns panel">
<ol>
<li id="L3Q1">
What is the size of the heap block pointed to by <code>ecx</code>?
<script>document.write(L3A1Txt);</script>
</li>
<li id="L3Q2">
What is the class of the heap block pointed to by <code>ecx</code>?
<script>document.write(L3A2Txt);</script>
</li>
<li id="L3Q3">
What is the address of the first function within <code>ecx</code>'s class?
<script>document.write(L3A3Txt);</script>
</li>
</ol>
</div>
<!--
Hiding all of this, it's triaging a Heap overflow, but for some reason I wrote
it as you would triage a Use-After-Free.
<h3>Heap Triage</h3>
<p><b>Important:</b> The links in the questions will crash your browser! Be sure to have WinDbg attached!</p>
<div class="large-10 large-centered ten columns panel">
<ol>
<li id="L3Q4">
<a href="#L3Q4" onclick="javascript:UseAfterFree()">Trigger this</a> - What is the address of the call <code>HeapFree()</code>?
<script>document.write(L3A4Txt);</script>
</li>
<li id="L3Q5">
<a href="#L3Q5" onclick="javascript:UseAfterFree()">Crash it again!</a> - What is the allocation size of the heap block?
<script>document.write(L3A5Txt);</script>
</li>
</ol>
</div>
-->
<h3>Lab: Triage to Exploit</h3>
<p>Time to exploit! We'll start from the beginning with a fresh vulnerability that you'll have to triage, then we can exploit it. Be sure to disable the page heap and user mode stack trace <b>after you've done your triaging</b>. When you're ready, disable them with:</p>
<pre>
"<script>document.write(WinDbgPath)</script>gflags.exe" /i iexplore.exe -hpa -ust
</pre>
<p>To exploit, modify the functions within <code>js/Lesson3.js</code> to complete this section. See the function comments within the file for more information. Be sure DEP is disabled!</p>
<div class="large-10 large-centered ten columns panel">
<ol>
<li id="L3Q6">
<a href="#L3Q6" onclick="javascript:L3Exercise1();">Trigger the use-after-free</a> - where is the call to <code>HeapFree</code>?
<script>document.write(L3A6Txt);</script>
</li>
<li id="L3Q7">
Set a breakpoint on the call to <code>HeapFree</code>, what is the size of the freed element?
<script>document.write(L3A7Txt);</script>
</li>
<li id="L3Q8">
Modify <code>L3Exercise1()</code>, define <code>replacementBlock</code> with a string of that size (Step 1).
<script>document.write(L3A8Txt);</script>
</li>
<li id="L3Q9">
Disable the page heap and user mode stack trace. Manually enable the low-fragmentation heap within <code>L3Exercise1()</code> (Step 2).
<script>document.write(L3A9Txt);</script>
</li>
<li id="L3Q10">
Replace the freed object (Step 3). <a href="#L3Q10" onclick="javascript:L3Exercise1();">Click Here</a> and IE should crash at <code>mov eax,dword ptr [edx] 41414141=????????</code>.
<script>document.write(L3A10Txt);</script>
</li>
<li id="L3Q11">
Call the HeapSpray function (Step 4), pass it the address of the second DWORD at <code>0x0a0a0024</code> and the shellcode.
<script>document.write(L3A11Txt);</script>
</li>
<li id="L3Q12">
Update the <code>replacementBlock</code> to point to <code>0x0a0a0024</code>. <a href="#L3Q12" onclick="javascript:L3Exercise1();">Click Here</a> to launch calc!
<script>document.write(L3A12Txt);</script>
</li>
</ol>
</div>
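The object-lifetime bug this lab triages, as an added C illustration that is not part of FSExploitMe or its control: a vtable-style object freed while a second reference still uses it (the stale vtable load the crash at <code>mov eax,dword ptr [edx]</code> corresponds to), beside a single-owner version that clears the pointer on release. The Widget type and the values 7 and -1 are constructed for this example.

```c
#include <stdlib.h>

/* A C stand-in for a C++ object with a vtable: the first field points to
   a table of function pointers, just as the object in the lesson keeps its
   vtable pointer in its first DWORD (the value "mov eax,[edx]" loads). */
typedef struct Widget Widget;
struct VTable { int (*get_value)(const Widget *self); };
struct Widget { const struct VTable *vtbl; int value; };

static int widget_get_value(const Widget *self) { return self->value; }
static const struct VTable widget_vtbl = { widget_get_value };

Widget *widget_new(int value) {
    Widget *w = malloc(sizeof *w);
    if (w == NULL) return NULL;
    w->vtbl = &widget_vtbl;
    w->value = value;
    return w;
}

/* VULNERABLE pattern: a second reference (here a cache) outlives the free,
   and the later virtual call loads the vtable pointer from the freed block,
   so whichever allocation reuses the block next decides where the call
   goes. With full page heap (+hpa) the stale load faults at once, which is
   why the lesson enables it for triage. This is undefined behaviour and
   is shown for comparison only; nothing here calls it. */
static Widget *g_cached;
int vulnerable_flow(void) {
    Widget *w = widget_new(7);
    g_cached = w;                     /* dangling after the free below */
    free(w);                          /* owner releases the object */
    return g_cached->vtbl->get_value(g_cached);   /* use after free */
}

/* HARDENED: one owner holds the only pointer; release() frees the object
   and clears that pointer, and call() refuses NULL, so a stale reference
   yields an error instead of a dispatch through freed memory. */
struct Holder { Widget *obj; };

void holder_release(struct Holder *h) {
    free(h->obj);
    h->obj = NULL;                    /* no dangling pointer survives */
}

int holder_call(const struct Holder *h) {
    if (h->obj == NULL) return -1;    /* stale reference: refused */
    return h->obj->vtbl->get_value(h->obj);
}

/* Lifecycle probes: the value before release, the error code after it. */
int safe_before_release(void) {
    struct Holder h = { widget_new(7) };
    int v = holder_call(&h);          /* 7 */
    holder_release(&h);
    return v;
}

int safe_after_release(void) {
    struct Holder h = { widget_new(7) };
    holder_release(&h);
    return holder_call(&h);           /* -1 */
}
```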
</div>
</div>
</div>
</div>
</body>
<!--[if lt IE 9]>
<script src="js/foundation4/vendor/jquery.js"></script>
<script src="js/foundation4/foundation.min.js"></script>
<script>
$(document).foundation();
</script>
<![endif]-->
<!--[if gt IE 8]><!-->
<script src="js/foundation5/vendor/jquery.js"></script>
<script src="js/foundation5/foundation.min.js"></script>
<script>
$(document).foundation();
</script>
<!--<![endif]-->
</html>