Brief inside DEP and ROP

DEP is data execution prevent, it is some kind of windows protection. DEP was protecting with make the stack of windows application to be non executable, so if we put some payload in the stack then we don't allow to execute it. But we can bypass DEP protection with some method which available in Win32 APIs.

Some method to bypass DEP
VirtualProtect()
The VirtualProtect function changes the access protection of memory region become readable, writable, or executable in the calling process.
http://msdn.microsoft.com/en-us/library/aa366898(VS.85).aspx

VirtualAlloc()
This function will allocate new memory. One of the parameters to this function specifies the execution/access level of the newly allocated memory, so
the goal is to set that value to EXECUTE_READWRITE.
http://msdn.microsoft.com/en-us/library/aa366887(VS.85).aspx

Landing in an unicode application


After several time reading an article about unicode in corelan.be, now let me try how to do that with my own knowledge. Here i'm using the application GOM Player 2.1.33.5071, as we knew if it already exploited several months ago and we will find the exploit of it here, so i'm using the proof of concept how to crashing the application to explain how to build an exploit in it (unicode application).

Here is the POC :
#!/usr/bin/python
header = '<asx version = "3.0" ><entry><title>Download</title><ref href = "WWW.'
junk = "\x41" * 2046
footer = '"/></entry></asx>'

payload = junk

f = open('fuzzer.asx','w')
f.write(header+payload+footer)
f.close()

Just follow the applications flow

knftpd v1.0.0
In a concept if we are finding the application which have SEH protection in our process of an exploit development we must bypass the SEH protection first using POP,POP,RETN instruction and then we have control the EIP register at Next SEH position, but sometimes we must follow the applications flow.
Now we will try to do how to build an exploit with following the applications flow. We will use knftpd-v1.0.0 application. Hem, it's a sounds good to be practice materials in this case. I know if it already exploited in last year and the exploit can be found here, but here i'm trying to explain how to build an exploit at that application.
The application have overflow if we sending an overly long request to Multiple FTP command, so we can create fuzzer like below to have crash in that application :

Build an exploit in low space of your stack (Egg Hunter)


Sometimes if we're fuzzing an application, the application crashed and our fuzzer overwrited some register of it (the values of its register was replaced with our fuzzer) even the most dangerous is our fuzzer have overwrite the values in Instruction Pointer register (IP in 16bit or EIP in 32bit) so we have full control of it resgister which causes we can change flow of that application as we want.
Why be like that? It because EIP register was using to store a memory address (which called as offset) of command to be executed at next. What will happen if we send payload to the stack of that application and then we inserting a memory address of instruction to jump into the stack on EIP register?
Our payload will execute and it's owned. ^_^
To avoid it the developer usually using an "exception" which called as Structure Exception Handling (SEH) to protect the application.

How to read an opcode?

As a beginner, i'm usually confused about the generated shellcode by someone, sometimes i'm thinking what the mean of it, what is it a malicious or not. But after i've know the way how to read a shellcode, now i'm always try to read it before i'm using it.
For example i find a shellcode from here, they said that it's shellcode which will execute a /bin/sh, but i will check it by my self, i'm trying to read it in assembly language. We can learn the basic of assembly language from here.