In a previous post on bad characters, I described ways to encode payloads so that problematic special characters can be avoided in exploit payloads.
Whilst that is fine for "introducing" the code to the target system, an attacker also needs to hijack code execution to run the malicious payload. This is done by controlling EIP: a jump address placed within the buffer overwrites either the saved return address (which the function epilogue's ret loads into EIP) or a Structured Exception Handler record (whose handler pointer is loaded into EIP when an exception is dispatched), so that execution is redirected to the malicious payload. Every byte of that address therefore has to pass through the same input path as the rest of the buffer.
For very restrictive protocols (text-only, for example) finding a usable jump address in memory can be challenging, because each of the four bytes of the address must itself be a character the protocol lets through.
Here is one approach to finding usable jump addresses, using a couple of Metasploit tools (and a bit of grepping).
Please remember to use these techniques only for legitimate educational and testing purposes and not maliciously.
Dumping memory
In this example, I am experimenting with a Windows application crash.
We can dump all the accessible memory of the target process using memdump.exe, which is included with the Metasploit Framework (MSF) shipped in BackTrack 5, in the following directory:
/pentest/exploits/framework3/tools/memdump/
This tool needs to be transferred to the target Windows system and run against the target process while it is paused in its crashed state (for example under a debugger), so that the dump reflects the memory layout the exploit will actually see:
memdump.exe <process id> <output dir>
This produces a directory full of files, which can then be zipped, transferred back to the BackTrack 5 system and unpacked.
Scanning the dump
To scan this process dump, we can use msfpescan to extract candidate jump addresses from the memory regions that were mapped into the process (the -M option tells it to treat the directory as a memdump.exe dump).
For example, to find a pop, pop, ret sequence for an SEH overwrite:
/pentest/exploits/framework3/msfpescan -p -M ./dumpdir > scanresults.txt
Or, to look for the classic jmp esp:
/pentest/exploits/framework3/msfpescan -j esp -M ./dumpdir > scanresults.txt
We can then filter the results to remove addresses containing bytes that cannot be used in the restricted buffer.
Removing unusable addresses
grep can be used to filter these results in various ways.
Here we remove addresses that contain a null byte (0x00) or the LF/CR bytes (0x0a and 0x0d). The alternation is anchored to byte boundaries, so an address such as 0x70a5.... is not discarded merely because the digits "0a" appear across two adjacent bytes (70 and a5):
grep '^0x' scanresults.txt | grep -Ev '^0x([0-9a-f]{2})*(00|0a|0d)' | sort
Here we keep only addresses whose four bytes are all alphanumeric, i.e. each byte is in 0x30-0x39 (digits), 0x41-0x5a (A-Z) or 0x61-0x7a (a-z):
grep '^0x' scanresults.txt | grep -E '^0x(3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]){4}[[:space:]]' | sort
(An allow-list of the three alphanumeric byte ranges is much shorter than spelling out every disallowed byte, and is easy to adapt to whatever character set the protocol permits.)
The results look like this:
0x74723956 pop esi; pop ebp; retn 0x0004
0x74724a6b pop esi; pop ebp; retn 0x0004
0x74734e36 pop esi; pop ebp; retn 0x000c
0x7473526c pop esi; pop ebp; retn 0x000c
0x74724a6b pop esi; pop ebp; retn 0x0004
0x74734e36 pop esi; pop ebp; retn 0x000c
0x7473526c pop esi; pop ebp; retn 0x000c
etc...
As you can see, these addresses contain only usable characters.
It is then just a question of cross-referencing these addresses with the DLLs you want to use (based on criteria such as portability across target versions, and whether the module was built with protections such as SafeSEH or ASLR that would defeat a hard-coded address) and choosing one that will work for the exploit.
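As an added example (not part of the original post), here is a small shell script that generalises the two grep filters above into reusable functions: filter_bad drops addresses containing any byte from a caller-supplied bad-byte list, and filter_alnum keeps only addresses whose four bytes are all alphanumeric. The msfpescan-style sample lines embedded in it are constructed for illustration, not real scan results, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: reusable versions of the
# grep filters described above, operating on msfpescan output lines of
# the form "0xADDRESS instruction; instruction; ...".

# Constructed sample of msfpescan -p output (not real scan results).
SAMPLE='0x74723956 pop esi; pop ebp; retn 0x0004
0x7472000d pop esi; pop ebp; retn 0x0004
0x74720a6b pop esi; pop ebp; retn 0x0004
0x7c3a1e5f pop edi; pop esi; ret
0x5a41306a pop ebx; pop ebp; ret
0x0042a1b3 pop esi; pop ebp; ret
[0x7c800000 - 0x7c900000]'

# filter_bad "00 0a 0d" < results
# Drops any address that contains one of the listed bytes. The regex walks
# the address two hex digits at a time, so the bad byte must sit on a byte
# boundary: "0x70a51234" survives a filter for "0a" (its bytes are 70 a5 12 34).
filter_bad() {
    bad=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^ *//; s/ *$//; s/  */|/g')
    if [ -z "$bad" ]; then
        # Empty bad-byte list: nothing to remove, pass address lines through.
        grep -E '^0x[0-9a-f]{8}'
        return
    fi
    grep -E '^0x[0-9a-f]{8}' | grep -Ev "^0x([0-9a-f]{2})*($bad)"
}

# filter_alnum < results
# Keeps only addresses whose four bytes are all in 0x30-0x39 (digits),
# 0x41-0x5a (A-Z) or 0x61-0x7a (a-z).
filter_alnum() {
    grep -E '^0x(3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]){4}([[:space:]]|$)'
}

# Wrappers over the constructed sample so the results can be checked by name.
sample_no_nul_crlf() { printf '%s\n' "$SAMPLE" | filter_bad "00 0a 0d" | sort -u; }
sample_alnum()       { printf '%s\n' "$SAMPLE" | filter_alnum | sort -u; }

# Against a real scan you would run, for example:
#   filter_bad "00 0a 0d" < scanresults.txt | sort -u
#   filter_alnum < scanresults.txt | sort -u
sample_no_nul_crlf
echo ---
sample_alnum
```

sort -u is used here so that the same gadget reported from several dump files appears only once; drop the -u if you want to see how many regions contain a given address.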