A Connect-back HTTP Exploit Server for Bowcaster

I’ve just added a module to Bowcaster that I think is cool. Actually, I just got around to finishing a module that was there all along. It’s a basic HTTP server module, but it has some unique features that make it suitable for serving payloads to remotely exploited targets. The connect-back server modules in Bowcaster are designed to run asynchronously so that they can be used right in line with your exploit code.

44CON Presentation - Additional Resources

Update December 2014: 44CON has posted the videos from all 2013 talks online. Unfortunately, they don’t allow the videos to be embedded, so here’s a link. For my presentation at 44CON, entitled “Reversing and Exploiting BT CPE Devices”, rather than have one or two or three slides packed with hard-to-read URLs, I included a single slide with a link to this post. Here you’ll find links to additional resources that I may have referenced in my talk.

Insulting Recruiter Emails

Note: I have a great job at a company called Tactical Network Solutions, based in Columbia, MD. I’m not looking for a new job. That’s not why I’m writing this post. I have way too much fun working with crazy smart people right where I am. I get a lot of recruiter email. Some are very thoughtful and are for companies that would be very cool to work for. I love those, and I want to high five those people for being such class acts.

Running Debian MIPS Linux in QEMU

Sometimes I need a MIPS Linux system that I can use for development and testing. Maybe I need to test some shellcode or debug a binary I’m analyzing. What I wish existed was a Raspberry Pi-like MIPS device. I’d love to have a bunch of small, sub-$50 devices that I could network together as a sort of desktop exploit lab. Unfortunately I don’t know of such a device. There is MIPS hardware you can get and install Linux on.

Is your Mac's File System Protected?

Nothing original here, but this is a great tip, so I want to share it. Thanks to @thegrugq for cluing me into this via Twitter. For everyone running OS X 10.7 or 10.8 on their Macs (and really, EVERYONE should be on 10.8; the security benefits are non-trivial) and using FileVault 2 to encrypt their filesystems (you are, right?), here’s a good tip I picked up the other day:

Bowcaster's EmptyOverflowBuffer class (Tutorial Part 5)

In previous parts of the Bowcaster tutorial, I showed how to construct your buffer overflow using the OverflowBuffer class. I also mentioned there is another class, EmptyOverflowBuffer, that I would explain later. That class is going to be the topic of this post. When I started development of Bowcaster, I created it for myself and for the way I develop exploits and think about buffer overflows. The OverflowBuffer class works the way I think.

Buffer Overflows with Bowcaster Part 4

In part 1 of the Bowcaster tutorial I showed how to generate an overflow string with the OverflowBuffer class. In part 2, I showed how to populate your overflow string with ROP gadgets. In part 3, I showed how to add Bowcaster’s connect-back payload for MIPS Linux to your overflow string. I also showed how to encode your payload using Bowcaster’s MIPS Linux-specific XOR encoder in order to sanitize restricted bytes.

Crossbow is now Bowcaster

Crossbow has been renamed to Bowcaster. It turns out “Crossbow” is a popular word. Who knew? A company in California has the word registered as a trademark in the US in connection with computer software. They might be cool with us using the word, since this is an open-source, noncommercial product, but we’ve decided to change the name just in case. Hopefully the new name is esoteric enough to avoid any naming conflicts, while still being cool and fun to say.

Buffer Overflows with Bowcaster Part 3

This is the third part in a multi-part tutorial on using the Bowcaster exploit development framework to build a buffer overflow exploit. Here are part 1 and part 2. In the last part, we had built an exploit buffer and added a ROP chain that would flush the MIPS CPU cache, locate the stack (which is randomized), and return into it. Now it’s time to add a payload. Bowcaster provides a few MIPS Linux payloads, and the one we’ll use for this buffer overflow is the connect-back payload, which will yield an interactive shell.

Buffer Overflows with Bowcaster Part 2

This is the second in a multi-part tutorial on developing a buffer overflow exploit using Bowcaster. Here’s Part 1. In part 1, we had gotten a crash by sending a 2048-byte pattern to the vulnerable program. The saved return address had been overwritten with 0x41367241 and restored to the $ra register. That value is located at an offset of 528 in our overflow buffer. Now we need to start describing ROP gadgets and substituting them for parts of the 2048-byte overflow string.