exploit generator: Automated Exploit generation with WinDBG

exploit generator – autoexp

A script to automatically create a working exploit from crash PoCs.

The motivations behind creating this simple tool were to show how powerful is to script WinDBG and to simplify the typical BoF (buffer overflow) exploit development process. As the method is basically the same every time, a lot of manual work can be saved by automating the process. There are plenty of helper scripts (far the best and well known is mona.py), but none of them does the entire job for you.

The typical steps to create a BoF exploit are:

1. Find EIP overwrite location (offset in the buffer)
2. Examine memory layout, registers
3. Somehow jump to the buffer with the help of registers
4. Find bad characters
5. Generate shellcode
6. Put it all together

These are the classic steps, and although there are corner cases, most of them work this way. This is a heavily manual process especially the part, when you start the debugger, attach the process, run your PoC code, discover memory layout, or debug errors you made, and then start again. When it comes to discovering bad characters, that is especially time intense.

The goal of creating this script/tool was to automate as much as I can, so no manual interaction is needed to create a working exploit from a crash PoC.

The script is written entirely in Python and uses the pykd library to interact with WinDBG. The library is specific to this debugger, so others can’t be used.

It is still in very early development stage, so there might be bugs, especially if interaction with the application is needed, and not all cases are covered.

Setting up the environment

1. Install Debugger Tools for Windows from http://msdn.microsoft.com/en-US/windows/hardware/hh852363
2. Install an older version of Python (e.g.: 2.7.3), download from https://www.python.org/downloads/windows/
3. Download latest 3.x version of pykd from https://pykd.codeplex.com/releases/view/614442
4. Extract the zip file contents
5. Copy the pykd.pyd file to “C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\winext”

Verify Installation

1. Launch a custom x86 application
2. Attach the debugger
3. Type: “.load pykd.pyd”, you shouldn’t get any errors showing up
   1. In case WinDBG terminates, try an older version of Python
4. Type “r” to get the values stored in registers
5. Start Python in WinDBG, type: “!py”
6. Type: “hex(reg(‘eip’))”, you should get the same value for EIP, what you saw at step #4

Download

Copyright (c) <2016> theevilbit