Advanced Windows Buffer Overflows

Lurene Grenier, Sourcefire VRT

At Defcon XIV, Immunity trotted out the first iteration of their NOP cert test, and I had the pleasure of giving it a test run. I still think it's a great indicator of ability, despite the Immunity tools focus; I'm not a user of any of their tools generally, but I managed to pull off the hardest level test in a modest time. It got us thinking on the way home, where does one go from the bar set by the NOP to get to the next level in terms of exploit development skill? In this vein I've thrown together a few windows executables, and in a nod to Gera of Core, they're called Advanced Windows Buffer Overflows (AWBOs).

We've set up a few ground rules and a basic set up to keep things moving along:

  1. All exploits are performed in Windows 2000 SP4 unless otherwise specified. Sometimes, otherwise will be specified.
  2. Exploits will use the provided shellcode, or ret2lib.
  3. You may not return to hard coded stack addresses.
  4. No source code will be provided - just like the NOP cert.

Standard tools used are cygwin with perl, and windbg, installation in vmware a plus. The shellcode provided is the amazing windows exec shellcode from metasploit set up to run calc.exe.

I can say that all of these are exploitable, and they run through a progression, so try to do each of them in the most straight forward way possible. We'll be skipping awbo1.exe as it's very similar to one of immunity's tests (as far as my memory serves). They'll be released slowly over the next few months. Feel free to send in your solutions, or ask for tips. All of the examples have been play tested by the VRT analysts team, and are assured to be exploitable.

"This next test could take a very, very long time. If you become lightheaded from thirst, feel free to pass out. An intubation associate will be dispatched to revive you with peptic salve and adrenaline."

Useful items

Test 1

Awbo2.exe download

"Please be advised that a noticeable taste of blood is not part of any test protocol"

Test 2

This time around you'll find a solution under Windows 2000 SP4, then you'll find a solution for Windows XPSP2.

Awbo3.exe download

"Most deadly errors arise from obsolete assumptions"

Test 3

This one might remind you of a certain back orifice parsing vulnerability you may be familiar with. It was asserted that this one couldn't be done in XPSP2, only in Win2k, but it really depends on how cl orders the stack before tossing the cookie in. Later, you'll get a chance to work on this with a mocked up stack cookie (awbo6) so keep that in mind here. For now though, lets stick to Win2k. The same rules apply here: no NOP sleds, no static stack return addresses.

Awbo4.exe download

Test 4

I really like this one. It'll be different than the last few, and might involve a bit of a brain stretch for those not familiar with exploit techniques that differ from the norm. It'll hurt. There's a bit of basic reversing, but that's not the problem.

Win2k please.

"This is very important" -- Olney

"If I were your husband I would take it." -- Winston Churchill, hon VRT

Awbo5.exe download