Wednesday, August 19, 2009

Gray Hat Python Chapter 5 Mucho Love

Continuing on with my ramblings on Gray Hat Python, I'm now onto Chapter 5 and have slowed down a bit. The best advice I can give is what Justin gave at the end of Chapter 4.3.2: get a program with a known vulnerability and start loading it up in the examples. I didn't do this at first, which made Chapter 5 pretty difficult to follow.

I am using a milw0rm exploit with a different shellcode payload. This has at least helped with exercises 5.3.1 and 5.3.2. By the way, you will need to modify the code samples for both examples to get them working correctly.

Example 5.3.1 findinstruction.py diff

--- findinstruction-orig.py 2009-08-19 14:37:13.000000000 -0500
+++ findinstruction.py 2009-08-19 14:37:35.000000000 -0500
@@ -16,7 +16,7 @@
access = code_page.getAccess( human = True )

if "execute" in access.lower():
- imm.log("[*] Found: %s (0x%08x)" % ( search_code, hit ), address = hit )
+ imm.Log("[*] Found: %s (0x%08x)" % ( search_code, hit ), address = hit )


return "[*] Finished searching for instructions, check the Log window."
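Review bot: the change from imm.log to imm.Log on the one modified line is a workaround for the 'address' keyword error rather than a documented difference (the Immunity docs quoted in this post list both methods with the same prototype), so put a one-line comment above it saying why the capitalized name is used, otherwise the next reader will "fix" it back. It also leaves the two scripts inconsistent, since badchar.py keeps imm.log throughout; pick one spelling for both.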

This threw me off. According to the Immunity Debugger documentation, both immlib.Debugger.Log() and immlib.Debugger.log() have the same prototype:

Log(self, msg, address=0, highlight=False, gray=False, focus=0)
Adds a single line of ASCII text to the log window.

log(self, msg, address=0, highlight=False, gray=False, focus=0)
Adds a single line of ASCII text to the log window.

But running with imm.log() kept throwing an error that 'address' was an unexpected keyword argument. This is more of a bug with the debugger than the program, methinks. At the time, though, I was not able to load the Immunity forums, so it's hard to say.

Example 5.3.2 badchar.py diff

--- badchar-orig.py 2009-08-19 14:26:15.000000000 -0500
+++ badchar.py 2009-08-19 14:32:37.000000000 -0500
@@ -1,4 +1,5 @@
from immlib import *
+import binascii

def main(args):

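Review bot: the added `import binascii` exists only to serve the b2a_hex() call in the next hunk, while the same script already hex-encodes the memory copy with .encode("HEX"); use one form for both buffers (shellcode.encode("HEX") removes the need for this import) so it is obvious at a glance that both sides are in the same representation. Both spellings are Python 2 idioms, which is what Immunity Debugger's PyCommands run under, so neither is wrong, but mixing them invites the type confusion the post describes.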
@@ -12,15 +13,16 @@
# Shellcode to verify
shellcode = "<>"
shellcode_length = len(shellcode)
+ shellcode = binascii.b2a_hex(shellcode)

debug_shellcode = imm.readMemory( address, shellcode_length )
debug_shellcode = debug_shellcode.encode("HEX")

imm.log("Address: 0x%08x" % address)
- imm.log("Shellcode Length : %d" % length)
+ imm.log("Shellcode Length : %d" % shellcode_length)

- imm.log("Attack Shellcode: %s" % canvas_shellcode[:512])
- imm.log("In Memory Shellcode: %s" % id_shellcode[:512])
+ imm.log("Attack Shellcode: %s" % shellcode[:512])
+ imm.log("In Memory shellcode: %s" % debug_shellcode[:512])

# Begin a byte-by-byte comparison of the two shellcode buffers
count = 0
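Review bot: taking shellcode_length before the hex-encode is right (the hex string is twice as long), but from the added b2a_hex() line onward both `shellcode` and `debug_shellcode` are hex strings, so the byte-by-byte loop that begins at `count = 0` must step two characters at a time, or the offset it reports will be doubled and a one-character slice will never equal a byte. Simpler: keep `shellcode` raw, compare it directly against the raw readMemory() buffer, and hex-encode only for the two log lines. Also, the `"<>"` placeholder must be replaced with the real payload before running, and the two log labels now differ in case ("Shellcode" vs "shellcode").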

For the above, once the changes are made, modify the script to include your shellcode. I was having problems getting the lists to contain the same type of characters: shellcode[] contained actual numbers/letters (e.g. \x41 or 'A') whilst debug_shellcode[] contained strings of the numbers (e.g. '41'). The variables just needed to be renamed to the ones used in the program. (I can't think for the life of me why Justin used 'canvas' ;-)
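To make the type problem above concrete, here is a stand-alone re-creation of the badchar.py comparison. This is an added example, not code from the book or from the scripts above, and it runs under Python 3 without immlib: the `MEMORY_COPY` buffer is constructed to stand in for what imm.readMemory() would return, simulating a target that turns 0x0a into 0x00 and drops 0x0d. The comparison is done on raw bytes on both sides; hex-encoding is only done for display, which sidesteps the 'A' versus '41' mismatch entirely.

```python
# Stand-alone re-creation of the badchar.py comparison (Python 3, no immlib).
# In the debugger, `in_memory` would come from imm.readMemory(address, len(sent));
# here a constructed buffer stands in for it.
from typing import List, Optional, Tuple

Mismatch = Tuple[int, int, int]  # (offset, byte sent, byte found in memory; -1 = missing)


def find_bad_chars(sent: bytes, in_memory: bytes) -> List[Mismatch]:
    """Byte-by-byte comparison of the payload we sent against the copy in memory.

    Compare the raw bytes. Hex-encoding one side (as the book's script does with
    .encode("HEX")) but not the other compares 'A' against '41', and indexing a
    hex string one character at a time doubles every offset.
    """
    mismatches: List[Mismatch] = []
    for offset, (want, got) in enumerate(zip(sent, in_memory)):
        if want != got:
            mismatches.append((offset, want, got))
    # If the copy in memory is shorter than what we sent, the tail never arrived.
    for offset in range(len(in_memory), len(sent)):
        mismatches.append((offset, sent[offset], -1))
    return mismatches


def first_bad_char(sent: bytes, in_memory: bytes) -> Optional[int]:
    """Value of the first byte that did not survive, or None if the copy is intact.

    Only the first mismatch is trustworthy: a dropped byte shifts everything after
    it, so bad characters are removed one at a time and the probe is re-sent.
    """
    bad = find_bad_chars(sent, in_memory)
    return bad[0][1] if bad else None


def report(sent: bytes, in_memory: bytes, limit: int = 512) -> str:
    """Mirror badchar.py's log output: hex of both buffers, then the differences."""
    lines = [
        "Shellcode Length : %d" % len(sent),
        "Attack Shellcode: %s" % sent.hex()[:limit],
        "In Memory Shellcode: %s" % in_memory.hex()[:limit],
    ]
    for offset, want, got in find_bad_chars(sent, in_memory):
        seen = "missing" if got < 0 else "0x%02x" % got
        lines.append("Offset %d: sent 0x%02x, found %s" % (offset, want, seen))
    return "\n".join(lines)


# Constructed probe: every byte value except NUL, the usual first pass when
# hunting bad characters. The "memory" copy is also constructed: it simulates
# a target that turns 0x0a into 0x00 and drops 0x0d, so everything after
# offset 12 is shifted by one and the final byte is missing.
PROBE = bytes(range(0x01, 0x100))
MEMORY_COPY = PROBE.replace(b"\x0a", b"\x00").replace(b"\x0d", b"")

if __name__ == "__main__":
    print(report(PROBE, MEMORY_COPY))
```

Run against the constructed buffers, the first reported mismatch is offset 9 (0x0a became 0x00); the cascade of mismatches from offset 12 onward is the shifted tail caused by the dropped 0x0d, which is why only the first hit should be acted on before re-sending the probe.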
