exploit_generator - Automated Exploit generation with WinDBG.

exploit_generator – Automated Exploit generation with WinDBG.

exploit_generator is a tool currently can automate the process of creating classic BoF exploits from crash PoCs. The PoC has to be written in specific format (see later), so the script can interact with it, but if it’s done, it can do the job. It will start the application, WinDBG, attach the process, etc…
As a first step it will run the crash PoC to determine the offset on the buffer, which overwrites EIP, and then discover the memory layout, how much space we have, which registers points to the buffer.Then it will start finding bad characters, which can’t be used in the exploit. The next step is to find out how to jump to the actual buffer with the help of registers identified before, it will try to find various assembly instructions in memory, which can do this for us. If needed we can tell the tool to search only non-ASLR enabled modules, so essentially it can also bypass ASLR with this method.
Once all of these are done, it will call metasploit to generate a calc.exe shellcode, and put the entire buffer together, and launch a working exploit. I differentiated two types of applications:
+ Network communication based
+ File based
In the 2nd case the file with the exploit has to be generated first, before launching the application, the tool can cover both types.

autoexploit

autoexploit

The typical steps to create a BoF exploit are:
1. Find EIP overwrite location (offset in the buffer)
2. Examine memory layout, registers
3. Somehow jump to the buffer with the help of registers
4. Find bad characters
5. Generate shellcode
6. Put it all together

Dependencies:
1. Install Debugger Tools for Windows from http://msdn.microsoft.com/en-US/windows/hardware/hh852363
2. Install an older version of Python (e.g.: 2.7.3), download from: https://www.python.org/downloads/windows/
3. Download latest 3.x version of pykd from https://pykd.codeplex.com/releases/view/614442
4. Extract the zip file contents
5. Copy the pykd.pyd file to “C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\winext”

Verify Installation:
1. Launch a custom x86 application
2. Attach the debugger
3. Type: “.load pykd.pyd”, you shouldn’t get any errors showing up
a. In case WinDBG terminates, try an older version of Python
4. Type “r” to get the values stored in registers
5. Start Python in WinDBG, type: “!py”
6. Type: “hex(reg(‘eip’))”, you should get the same value for EIP, what you saw at step #4

Download from git:

Source: https://github.com/theevilbit