‘Bypassing MSB Data Filters for Buffer Overflows on Intel Platforms’

Summary

The short whitepaper below describes a technique to encode binary assembly code to printable characters. The technique described here is applicable for the x86 platform.’

Credit:

‘The original article can be found at: http://community.core-sdi.com/~juliano/bypass-msb.txt


Details

Introduction:
Buffer overflows aim to execute carefully chosen machine-native instructions on a target system. That code is a series of bytes that cross the full range of possible values. Unfortunately for many attackers, certain servers filter out or modify any values outside the range 21 to 7F hex. Examples are web proxies and e-mail servers that cannot handle non-printable ASCII values in their data. Their input filters mangle the incoming exploit code, and as a result destroy its functionality.

The author posed a challenge to several hackers one Saturday night, and this paper is the result. The algorithm presented here will encode any sequence of binary data into ASCII characters that, when interpreted by an Intel processor, will decode the original sequence and execute it.

The process is fairly simple: move the stack pointer just past the ASCII code, decode 32-bits of the original sequence at a time, and push that value onto the stack. As the decoding progresses, the original binary series is ‘grown’ toward the end of the ASCII code. When the ASCII code executes its last PUSH instruction, the first bytes of the exploit code are put into place at the next memory address for the processor to execute.

Terminology:
Printable – Any byte value between 0x21 and 0x7f. For multi-byte objects like words, each composite byte must be printable for the object to be considered printable.

What you need
A buffer filled with the exploit code to execute. Good examples for shellcodes can be found at Metasploit.org

Part I: Align exploit code
The exploit code *must* be aligned on a 32-bit boundary. Pre-pad or post-pad with NOPs to make it all tidy.

Part II: Construct ASCII code
The Intel assembly instructions AND, SUB, PUSH, and POP are sometimes encoded as single-byte, printable instructions.

Specifically, we use only printable operands (e.g. 0x21212121 -> 0x7f7f7f7f) and rely on these operations: (AND EAX, ########), (SUB EAX, ########), (PUSH EAX), (POP ESP). Using those operations, it is possible to set EAX to any value
that we wish, set ESP to any value we wish, and thus set any value into any stack-addressable memory location.

Step 1:
Clear EAX, as it is our only real ‘register’ and it is critical to know its starting value.
AND EAX, 5e5e5e5e
AND EAX, 21212121
ASCII: %^^^^%!!!!

Step 2, Option 1:
Set ESP to the other side of the bridge. In code, we’ll need to put a placeholder here. The correct value of ESP will be overflow_starting_address + ASCII_code_size + exploit_code_size, which will not be known until we’re done generating the ASCII code.
Once you have this address, put it into ESP like this:
SUB EAX, ########
SUB EAX, ########
PUSH EAX
POP ESP
ASCII: -****-****P (**** is a placeholder for later values)

Step 2, Option 2:
Alternatively, if you don’t know the memory address where the overflow will occur, you can calculate the offset from ESP to the beginning of the exploit code and simply code SUB instructions to wrap ESP to the correct end-of-code address. Once you have the offset from the original ESP (see Step 4 below), adjust ESP like this:
PUSH ESP
POP EAX
SUB EAX, ########
SUB EAX, ########
PUSH EAX
POP ESP
ASCII: TX-****-****P (**** is a placeholder for later values)

Step 3:
Create the units that will decode into exploit code… BACKWARD. Parse the last 32-bits first, and proceed toward the beginning
of the exploit buffer. PUSH operates in the opposite direction that code executes, so here’s where we reverse the process to correct for that.
SUB EAX, ######## (Using SUB, wrap EAX around until it
SUB EAX, ######## arrives at the value of the current 32-bit
SUB EAX, ######## section of your exploit code)
PUSH EAX
ASCII: -****-****-****P
…repeat as necessary…

Step 4:
Now that the ASCII code array is generated, count its size in bytes, add the size of the exploit array, and add the memory address where the overflow will occur. Using the same technique as for exploit code, derive the values for Step 2 to replace the **** values.

Part III: Inject ASCII code.
The Evil Empire’s IDS won’t know what hit it.

Comments:
Yes, this makes a huge buffer to inject. Obviously this code is to be used sparingly when you really, really need it. On the other hand, very few IDS’s will take note of an innocuous string of ASCII symbols in a username or password field. In fact, the packet may get a nice little pat on the back from the security system if this happens to be a password-field overflow. ‘Good job, user, for selecting a great password!”

Categories: Reviews