[Here’s the second part of our series of Pen Test Tips that were featured on the Ultimate SANS Pen Test Poster. Last week, we featured some network Pen Test Tips by John Strand. This time around, Mr. Steve Sims shares some useful insights and resources on exploit development. –Ed.]
By Steve Sims
Recon – When fuzzing applications and kernels for potential vulnerabilities, monitoring is key in successfully identifying what caused a crash to occur. Failure to properly set up monitoring may render an otherwise exploitable condition to go unnoticed.
Scanning – When bug hunting, fuzzing is one of your best friends. It is critical to spend the upfront time understanding the protocol or file format you are testing. Even more important is the ability to apply proper code coverage analysis to determine if you are reaching the code segments desired. It is unlikely that you will find bugs in code that you do not execute during testing.
Exploitation – On modern operating systems there are many exploit mitigation controls with the goal of thwarting your attacks. An attacker must be armed with many techniques to defeat or circumvent these controls. Familiarity with Return Oriented Programming (ROP), C/C++ programming, and tools to navigate the complexities of the Windows heap and its allocators are essential.
Post-Exploitation – Once an exploitable condition is identified and a working exploit created, efforts must be made to make the exploit as stable as possible. Exploits that only work a fraction of the time are more likely to cause application and system crashes. Exploits should be responsibly disclosed to the appropriate vendor so that a patch is made available to protect their customers.
Notable Techniques – When abusing the Structured Exception Handling (SEH) service on Windows, almost all Windows modules (DLL’s), and many 3rd party modules are compiled with the SafeSEH protection. Try scanning the memory outside of the loaded modules for a Pop/Pop/Ret sequence up near Kernel memory at 0x7ffbXXXX. At this location it is often an NLS table mapping derived from ANSI/OEM code page data, as per Microsoft. You can most often find a code sequence here to bypass SafeSEH.
IDA* – A commercial software disassembler and debugger with a great amount of community support and free plugins, perfect for vulnerability hunting, code coverage testing, and exploit development. IDA provides many different views of a disassembled binary and the ability to graph out how and when functions are called in complex applications, as well as countless other features. By Hex-Rays http://www.hex-rays.com/index.shtml
WinDbg – A free Kernel mode (Ring 0) debugger allowing you to analyze the Windows Kernel and hunt for vulnerabilities. WinDbg comes with the Windows SDK or WDK and can help you determine the cause of the infamous Blue Screen of Death! By Microsoft http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx
Immunity Debugger – A free User mode (Ring 3) debugger with great community support. Immunity Debugger has many freely available Python plugins to aide you in bug hunting and exploit writing, as well as an easy-to-navigate GUI interface. By Immunity http://www.immunityinc.com/products-immdbg.shtml
Mona.py – A free exploit development plugin for Immunity Debugger and WinDbg written by corelanc0d3r and the corelan team. Mona has pretty much everything you need to find ROP gadgets, trampolines, unprotected modules, and many easy commands to navigate Windows memory. By Peter Van Eeckhoutte & Corelan Team http://redmine.corelan.be/projects/mona
BinDiff* – A commercial software diffing plugin to IDA. As patches are made to software it can be difficult to determine what code was modified. BinDiff, created by Zynamics and owned by Google, can help with pointing out code changes related to a patched vulnerability. By Google/Zynamics http://www.zynamics.com/bindiff.html
Sulley – A free fuzzing framework for Windows and Linux. Sulley allows you to easily write up a protocol template which you can use to select various fields and conditions for fuzzing, all while providing monitoring and automation. By Pedram Amini & Aaron Portnoy https://github.com/OpenRCE/sulley
GDB – A free command line *NIX application debugger. GDB provides you with the ability to debug and disassemble a program with easy to use commands and a lot of community support. GDB can debug applications written in C, C++, Objective C, Pascal, and some other languages. By GNU Project http://www.gnu.org/software/gdb
VMware* – A commercial virtualization product with many diverse applications. VMware Workstation, Fusion for Mac, and the freely available VMware Player allow you to take snapshots of an operating system in any state desired. The tool helps greatly with exploit development and bug hunting by quickly allowing you to revert to a known good state just before a crash occurs. By VMWare http://www.vmware.com
* These tools are available on a commercial (cost) basis.
Great Resources for Staying Current
Exploit Database – http://www.exploit-db.com
Daily Dave Mailing List – http://seclists.org/dailydave
Corelan Team – http://www.corelan.be
Twitter – @exploitdb | @daveaitel | @corelanc0d3r
Associated SANS Courses
SEC660: Advanced Penetration Testing, Exploits, and Ethical Hacking www.sans.org/sec660
SEC760: Advanced Exploit Development www.sans.org/sec760