Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/LJP-TW/Windows-Pwn-Step-by-Step
Let's get familiar with Windows pwn π
https://github.com/LJP-TW/Windows-Pwn-Step-by-Step
Last synced: 3 months ago
JSON representation
Let's get familiar with Windows pwn π
- Host: GitHub
- URL: https://github.com/LJP-TW/Windows-Pwn-Step-by-Step
- Owner: LJP-TW
- Created: 2020-02-24T04:10:31.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-02-24T04:36:46.000Z (over 4 years ago)
- Last Synced: 2024-01-16T23:25:17.344Z (5 months ago)
- Language: Python
- Size: 7.81 MB
- Stars: 38
- Watchers: 2
- Forks: 5
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Lists
- awesome-stars - LJP-TW/Windows-Pwn-Step-by-Step - Let's get familiar with Windows pwn π (Python)
README
Windows Pwn Step-by-Step
===
- [Intro](#Goal)
- [Environment](#Environment)
- [Tools](#Tools)
- [ExploitMe_1](#ExploitMe_1)
- [Reference](#Reference)# Intro
In Linux pwn, I often need to debug dynamically between chal and exploit scriptThe steps areοΌ
1. Add a `raw_input('>')` to exploit python script
2. Run exploit script
3. Find out chal process `pid`
- Linux
- `pidof chal`
- Windows
- Use tools (e.g. η«η΅¨ε, Process Explorer)
4. Attach debugger to this process with the `pid`
- Linux
- `gdb at $(pidof chal)`
- Windows
- Use tools (e.g. WinDbg)
5. The debugger stops at internal of something like `read()` of standard lib
- Windows
- There are many threads in process, and debugger may not stop at the thread executing `read()`
- Switch to this thread with command like `~0s`
6. Input `finish` (command of gdb), until the process return to some function like `main()`
- Windows WinDbg
- `Shift` + `F11`
7. Check whether my exploit script writes bytes to memeory correctly
- gdb
- `x/10xg $ebp-0x20`
- WinDbg
- `d @esp-0x20`Check out ExploitMe Demo ;)
# Environment
Version 1909 (OS Build 18363.657)# Tools
## [pwintools](https://github.com/masthoon/pwintools)
Basic pwntools for Windows written in python 2.7
### Deps
- [PythonForWindows](https://github.com/hakril/PythonForWindows)
```
git clone https://github.com/hakril/PythonForWindows.git
python setup.py install
```
- [capstone](https://www.capstone-engine.org/download.html)
```
pip install capstone
```
### Install
```
git clone https://github.com/masthoon/pwintools.git
```
- Revise [setup.py](#) from
```
install_requires=[
'PythonForWindows==0.4',
],
```
to
```
install_requires=[
'PythonForWindows==0.5',
],
```
```
python setup.py
```## WinDbg
Install `WinDbg Preview` in Microsoft $tore## ncat
`ncat` is part of `nmap`Install [nmap](https://nmap.org/download.html)
## ROPgadget
Install [ROPgadget](https://github.com/JonathanSalwan/ROPgadget)
```
pip install ropgadget
```The path is `C:\Python27\Scripts\ROPgadget`
![image](https://raw.githubusercontent.com/LJP-TW/Windows-Pwn-Step-by-Step/master/screenshot/0_ropgadget.png)
## η«η΅¨ε
You can use other process explorer tools as a alter
- η«η΅¨ε: http://bbs.huorong.cn/thread-7800-1-1.html## PE-bear
Install [PE-bear](https://hshrzd.wordpress.com/pe-bear/)# ExploitMe_1
`ExploitMe_1.exe` is a simple program with buffer overflow vulnThis is a similar example of [this book](https://docs.alexomar.com/biblioteca/Modern%20Windows%20Exploit%20Development.pdf), at page 89
The book also teaches you to build shellcode ;)
## Disable mitigation
- Disable `DEP`
Set VS2019 project property
- Linker
- Advanced
- Data Execution Prevention (DEP): No (/NXCOMPAT:NO)
- Disable `GS`
Set VS2019 project property
- Configuration Properties
- C/C++
- Code Generation
- Security Check: Disable Security Check (/GS-)
- Disable `ASLR`
Run [setting.bat](#)## Demo
First, let's disable `ASLR`
```
.\setting.bat
```
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/1_DisableASLR.png?raw=true)### Debug
1. Edit `exploit.py`
Add `raw_input('>')` at line7
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/2_editExploit.png?raw=true)
2. Run `exploit.py`
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/3_runExploit.png?raw=true)
3. Find `pid`
In this demo, it's `3168`
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/4_findPid.png?raw=true)
4. Attach to this process with WinDbg
- Check `Show processes from all users`![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/5_attach.png?raw=true)
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/5_attach2.png?raw=true)
- command `k`: Display the stack frame
- There is no something like `main`
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/6_WinDbg_k.png?raw=true)- command `~`: See a list of all threads
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/6_WinDbg_~.png?raw=true)
- Switch to thread 0: `~0s`
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/6_WinDbg_~0s.png?raw=true)
- Display the stack frame again
- `ExploitMe_1!main+0x4d` that's what I want to see!
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/6_WinDbg_k2.png?raw=true)
5. Return to main
- `Shift` + `F11`
WinDbg is stuck, waiting for input
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/7_WinDbg_gu.png?raw=true)
- Press Enter at exploit
![gif](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/8_enterExploit.gif?raw=true)
- `Shift` + `F11` until return to main
![gif](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/9_ret2Main.gif?raw=true)6. Check memory
![gif](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/10_checkMem.gif?raw=true)7. Continue process
- `F10`
![gif](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/11_continue.gif?raw=true)
![gif](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/12_ret.gif)#### Find gadget
1. Use ROPgadget to find gadgets in kernel32.dll
- In this demo we disable ASLR, so we can use gadget in dll
```
python \Python27\Scripts\ROPgadget --binary \Windows\SysWoW64\kernel32.dll > gadget
```2. Find `push esp ; ret`
```
0x6b86ade5 : push esp ; ret
```
3. Find Image base of `\Windows\SysWoW64\kernel32.dll`
- Use PE-bear
- Find out the Image base is `0x6b800000`
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/13_pebear.png?raw=true)
- So the offset of `push esp ; ret` gadget is `0x6b86ade5 - 0x6b800000 = 0x6ade5`4. Do the steps of debug to step 5 again
- Then find out the where Kernel32 starts
- command `lm`: List modules
- Find out the base is `0x76f70000`
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/14_kernel32base.png?raw=true)
- So the gadget address is `0x76f70000 + 0x6ade5 = 0x76fdade5`5. Check gadget
![image](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/15_checkgadget.png?raw=true)
- Remember to revise exploit script### Pwn
![gif](https://github.com/LJP-TW/Windows-Pwn-Step-by-Step/blob/master/screenshot/16_pwned.gif?raw=true)# Reference
- [Modern Windows Exploit Development](https://docs.alexomar.com/biblioteca/Modern%20Windows%20Exploit%20Development.pdf)
- https://stackoverflow.com/questions/4946685/good-tutorial-for-windbg###### tags: `security`