VULNERABLE FUNCTION
-------------------
Send me exactly 1024 characters (with some constraints).

DEBUGGING
---------
For debugging greenhornd.exe, we're going to use WinDbg. How exciting!

To start, launch WinDbg (x86) and select File->Open Executable. In the Open Executable window, browse to where you have greenhornd.exe saved. You'll need to check the "Debug child processes also" checkbox and specify the correct start directory (wherever you saved greenhornd.exe).
Here are some WinDbg commands:

CTRL+BREAK                      - Break in (or click the Break in button)
g                               - Go
t                               - Single Step
p                               - Single Step Over
r                               - Register state
dc [address or register]        - Dump memory by dwords with ASCII output
db/dw/dd [address or register]  - Dump memory
kb                              - Extended stack trace
bp [address]                    - Set a breakpoint
bl                              - List breakpoints
dt [type] [address or register] - Dump memory while applying a type (ex: dt _PEB 7ed1e000)
lm                              - List loaded modules (libraries)
!vprot [address]                - Check the page permissions for a specified address

For good debugging symbols, you'll want to type the following into the WinDbg window:

.sympath cache*c:\MySymbols;srv*http://msdl.microsoft.com/download/symbols
.reload /f

WinDbg should download all the debugging symbols available and start using them right away.

For more help, check out this cheat sheet: http://windbg.info/doc/1-common-cmds.html

Static Analysis
---------------
Fire up IDA Free (or Pro) and load in this binary! You can ignore a lot of the setup functions, as they deal with sandboxing this challenge. The functions of interest start at %08x. I'd start by checking all the stack variable sizes with alt+k!

Address Space Layout Randomization
----------------------------------
ASLR on Windows works a lot like it does on Linux. The big difference is that on Windows the executable itself always rebases. No need to specify -fPIE! Unlike on Linux, Windows executables don't rely on PIC for relocation. The dynamic loader actually parses out a PE section called '.reloc' and applies the ASLR delta directly to that (after fixing up page permissions). On Windows 8.1, nearly every executable and library on the entire system is ASLR-compatible and the dynamic loader rebases them all independently.
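The '.reloc' rebasing just described is worth seeing in code. The following is an added illustration, not part of the greenhornd service or the challenge author's material: it parses the base-relocation block format (IMAGE_BASE_RELOCATION headers followed by 16-bit type/offset entries, as documented for the PE format) and applies a load delta to a small constructed 32-bit image. The image bytes, the preferred base 0x00400000 and the actual base 0x00A30000 are made up here for the demonstration; the function and variable names are this example's own.

```python
import struct

# Relocation entry types from the PE specification (32-bit images only use these two).
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # full 32-bit pointer: add the delta to it


def parse_reloc(reloc_data):
    """Walk a .reloc section blob and return a list of (rva, type) fixups.

    Each block starts with an 8-byte header (page RVA, block size) and is
    followed by 2-byte entries: the top 4 bits are the type, the low 12 bits
    the offset within that 4 KiB page.
    """
    fixups = []
    off = 0
    while off + 8 <= len(reloc_data):
        page_rva, block_size = struct.unpack_from("<II", reloc_data, off)
        if block_size == 0:
            break  # zero-length block terminates the table
        if block_size < 8 or off + block_size > len(reloc_data):
            raise ValueError("malformed relocation block at offset 0x%x" % off)
        entry_count = (block_size - 8) // 2
        for i in range(entry_count):
            (entry,) = struct.unpack_from("<H", reloc_data, off + 8 + 2 * i)
            fixups.append((page_rva + (entry & 0xFFF), entry >> 12))
        off += block_size
    return fixups


def apply_relocations(image, reloc_data, preferred_base, actual_base):
    """Return (rebased image, number of pointers patched).

    This mirrors what the Windows loader does when the image cannot be mapped
    at its preferred base: every HIGHLOW entry gets the 32-bit delta added.
    """
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    img = bytearray(image)
    applied = 0
    if delta == 0:
        return bytes(img), 0  # loaded at preferred base: nothing to do
    for rva, reloc_type in parse_reloc(reloc_data):
        if reloc_type == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if reloc_type != IMAGE_REL_BASED_HIGHLOW:
            raise ValueError("unsupported relocation type %d" % reloc_type)
        if rva + 4 > len(img):
            raise ValueError("relocation RVA 0x%x outside image" % rva)
        (value,) = struct.unpack_from("<I", img, rva)
        struct.pack_into("<I", img, rva, (value + delta) & 0xFFFFFFFF)
        applied += 1
    return bytes(img), applied


def read_dword(image, rva):
    """Little-endian 32-bit read at an RVA (helper for inspecting results)."""
    return struct.unpack_from("<I", image, rva)[0]


def demo():
    """Constructed sample: two absolute pointers in the page at RVA 0x1000."""
    preferred_base = 0x00400000
    actual_base = 0x00A30000          # hypothetical ASLR slide of 0x630000
    image = bytearray(0x2000)
    struct.pack_into("<I", image, 0x1010, preferred_base + 0x1234)  # pointer into .text
    struct.pack_into("<I", image, 0x1020, preferred_base + 0x2000)  # pointer into .data
    # One relocation block: page RVA 0x1000, size 16 = 8 header + 4 entries.
    # Two HIGHLOW entries plus two ABSOLUTE padding entries (4-byte alignment).
    reloc = struct.pack("<II", 0x1000, 16) + struct.pack(
        "<4H",
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x020,
        (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000,
        (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000,
    )
    return apply_relocations(bytes(image), reloc, preferred_base, actual_base)


if __name__ == "__main__":
    rebased, count = demo()
    print("patched %d pointers" % count)
    print("RVA 0x1010 -> 0x%08x" % read_dword(rebased, 0x1010))
    print("RVA 0x1020 -> 0x%08x" % read_dword(rebased, 0x1020))
```

Two points the example makes concrete: the slide is applied per image (the loader computes a separate delta for each module it relocates), and an image without a '.reloc' section cannot be moved at all, which is why a stripped relocation table is a common reason a module ends up as a fixed-address target even when ASLR is system-wide.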
For more reading on Windows ASLR, check out this presentation: https://www.blackhat.com/presentations/bh-dc-07/Whitehouse/Presentation/bh-dc-07-Whitehouse.pdf

Normally, you'd have to find an information disclosure to leak back program state (via an uninitialized variable, a forced type confusion, or a use after free) to leak the ASLR slide. However, this is a greenhorn challenge, so your ASLR slide is: 0x%08x and the slide variable is stored at: 0x%08x.

Shellcode
---------
Shellcode on Windows is a little different than on Linux and FreeBSD. Shellcode rarely calls syscalls directly for two reasons: Microsoft renumbers them every service pack, and the usermode libraries implement a lot more logic than their Linux counterparts. To deal with this, Windows shellcode generally resolves the addresses of functions in kernel32.dll dynamically via a method called a PEB scandown. You'll probably need to implement a PEB scandown payload for this service.

You can read an old Phrack article on it here: http://phrack.org/issues/62/7.html (section 2.b.iii). This may work also, but no guarantees: http://shell-storm.org/shellcode/files/shellcode-260.php.

NX/DEP
------
There are a few techniques to defeat NX/DEP on Windows! The most popular routes are to call VirtualProtect or VirtualAlloc with PAGE_EXECUTE_READWRITE set for fwProtect. The only issue is you need to have a reference to the function in kernel32, or have it conveniently imported for you in something you have an ASLR leak to. This looks like a decent resource: http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html

You can also do something ugly like call WriteProcessMemory().

Bye!

Welcome to the Greenhorn CSAW service! This service is a Windows 8.1 Pwnable! You're going to need a Windows 8.1 computer or VM to solve this one. If you don't have a Windows key, I suggest using Amazon EC2: http://aws.amazon.com/windows/

Windows exploitation is new to a lot of you, so this is a tutorial service!
To start, let's install some software you'll need to follow along:

Windows SDK for the debugging tools (http://msdn.microsoft.com/en-us/windows/desktop/bg162891.aspx)
MSYS for nice command line tools (http://www.mingw.org/wiki/MSYS)
IDA Free (https://www.hex-rays.com/products/ida/support/download_freeware.shtml)
NASM for Windows (http://www.nasm.us/pub/nasm/releasebuilds/2.11.05/win32/)

To continue, you're going to need the password. You can get the password by running strings from MSYS (strings greenhorn.exe) or locate it in IDA.

Password: GreenhornSecretPassword!!!
Incorrect Password.
Password accepted.

Greenhorn Menu:
--------------
(D)ebugging
(S)tatic Analysis
S(h)ellcode
(A)SLR
(N)X/DEP
(V)ulnerability
(Q)uit
Selection: 
Invalid entry

Binary metadata recovered from the dump:
PDB path: c:\users\ryan0_000\desktop\greenhornd\greenhornd\Release\greenhornd.pdb
Imports from KERNEL32.dll: VirtualAlloc, VirtualFree, GetModuleFileNameA, GetModuleHandleA, GetStdHandle, ReadFile, WriteFile
Imports from MSVCR120.dll: __iob_func, strncmp, exit, setvbuf, memcpy, free, malloc, _vsnprintf, _XcptFilter, _amsg_exit, __getmainargs, __set_app_type, _exit, _cexit, _configthreadlocale, __setusermatherr, _initterm_e, _initterm, __initenv, _fmode, _commode, terminate, __crtSetUnhandledExceptionFilter, _lock, _unlock, _calloc_crt, __dllonexit, _onexit, _invoke_watson, _controlfp_s, _except_handler4_common, _crt_debugger_hook, __crtUnhandledException, __crtTerminateProcess, EncodePointer, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, DecodePointer, IsDebuggerPresent, IsProcessorFeaturePresent