HacktoBasics–x86WindowsBasedBufferOverflows,anintroduc:ontobufferoverflowsInstructor-DinoCovotsos– TelspaceSystems

@telspacesystems

Whoami?

WorkinthePenetra:onTes:ngspace(TelspaceSystems)

Approximately20yearsin

Tryingtokeepsomesortofwork/lifebalance!;)

Variousqualifica:ons–OSCP/OSCEetc

Agenda

-Introduc:ontotheworkshop(Wearehere!).-TheStackandRegisters.-Basicx86ASM.-Basicexploita:ontechniques.-Fuzzing.-Introduc:ontovarietyofSkeletonPythonscripts(copypastebufferoverflows,remotebufferoverflowsetc).

Agenda

-VanillaEIPoverwritesinImmunityDebugger.-Overwri:ngEIP,JumpingtoESP,execu:ngShellcode(generatedbyMetasploitorcompiledfromexploit-db/shellstorm).-Badcharactersandhowtodealwiththem.-Prac:calexample(CVE-2019-11395).

Agenda

-Introduc:ontoSEHexploita:ontechniques.-Introduc:ontoMona,basicasmjumpsandshellcoding.-Prac:calexample(CVE-2019-11395).

Agenda

-Whatareegghunters?-Exampleofaegghunterbeingu:lisedinaSEHexploit.-Ques:onsandAnswers.-References.

TheStackandRegisters(x86)

REF:hep://flint.cs.yale.edu/cs421/papers/x86-asm/asm.html

TheStackandRegisters(x86)The832bitGeneralPurposeRegisters:Accumulatorregister(AX).Usedinarithme:copera:onsCounterregister(CX).Usedinshii/rotateinstruc:onsandloops.Dataregister(DX).Usedinarithme:copera:onsandI/Oopera:ons.Baseregister(BX).Usedasapointertodata(locatedinsegmentregisterDS,wheninsegmentedmode).StackPointerregister(SP).Pointertothetopofthestack.StackBasePointerregister(BP).Usedtopointtothebaseofthestack.SourceIndexregister(SI).Usedasapointertoasourceinstreamopera:ons.Des:na:onIndexregister(DI).Usedasapointertoades:na:oninstreamopera:ons.

Basicx86ASMX86ASM(forthisworkshop):add/subxormovpushpopcalljmp(andcondi:onaljumps)

Basicexploita:ontechniques“Vanilla”EIPOverwrite:DirectEIPoverwritewithini:allongbuffer(noexcep:onhandlerorsimilar)StructuredExcepDonHandling(SEH)exploitaDon:Anexcep:onisaneventthatoccursduringtheexecu:onofaprogram,andrequirestheexecu:onofcodeoutsidethenormalflowofcontrol.Structuredexcep:onhandlingisamechanismforhandlingbothhardwareandsoiwareexcep:ons.OverwriteSEHwithaPOPPOPRETinstruc:on,ESPmovedtowardshigherinstruc:onstwicethenaRETisexecuted.

REF:heps://docs.microsoi.com/en-us/windows/desktop/debug/structured-excep:on-handling

Basicexploita:ontechniquesStructuredExcepDonHandling(SEH)exploitaDon(conDnued):Typicalstructure:“A”buffer+(NextSEH)/JMP+PPR+(nops)+shellcode

Basicexploita:ontechniquesEgghunters:Aegghunterisasmallpieceofshellcodethatsearchesmemoryforalarger,biggershellcodewhereitmaybepossibletoexecutesaidshellcode(i.e.incaseswherethereisonlyasmallamountofspaceavailableinthebuffer,thisisveryuseful)Egghunterssearchfora“TAG”whichisaunique4bytestring,inmemory.Wethencombineastringtogethersothatitisunique,suchasWOOTWOOTorsimilarwherewewanttoexecuteouractualshellcodeoncefound(i.e.weredirectexecu:onflow).

Basicexploita:ontechniquesEgghunters,example:loop_inc_page:

or dx, 0x0!f // Add PAGE_SIZE-1 to edxloop_inc_one:

inc edx // Increment our pointer by oneloop_check:

push edx // Save edxpush 0x2 // Push NtAccessCheckAndAuditAlarmpop eax // Pop into eaxint 0x2e // Perform the syscallcmp al, 0x05 // Did we get 0xc0000005 (ACCESS_VIOLATION) ?pop edx // Restore edx

loop_check_8_valid:jeloop_inc_page//Yes,invalidptr,gotothenextpage

is_egg:

moveax,0x50905090//Throwoureggineaxmovedi,edx//Seteditothepointerwevalidatedscasd//Comparethedwordineditoeaxjnzloop_inc_one//Nomatch?Incrementthepointerbyonescasd//Comparethedwordineditoeaxagain(whichisnowedx+4)jnzloop_inc_one//Nomatch?Incrementthepointerbyone

matched:

jmpedi//Foundtheegg.Jump8bytespastitintoourcode.

REF:hep://www.hick.org/code/skape/papers/egghunt-shellcode.pdf&heps://www.fuzzysecurity.com/tutorials/expDev/4.html

FuzzingGoogleDefiniDon:Fuzzingorfuzztes:ngisanautomatedsoiwaretes:ngtechniquethatinvolvesprovidinginvalid,unexpected,orrandomdataasinputstoacomputerprogram.Theprogramisthenmonitoredforexcep:onssuchascrashes,failingbuilt-incodeasser:ons,orpoten:almemoryleaks.ManualTesDng(GeneraDon,mutaDon,manualcodingetc)Tools:Spike,Boofuzz,Peach,Sulleyetc

FuzzingBasicSpikeTemplate:s_string_variable("USER");s_string(" ");s_string_variable(”FOO");s_string("\r\n");s_string("PASS");s_string_variable(”F00");s_string_variable("\r\n");

SkeletonPythonScriptsOnyourUSB/VMthereareaddi:onalscripts:Copy/PasteSkeletonPythonScripts(LocalBOFexample,SEH)Shellcode = “<SHELLCODE>” buffer = "A" * 884 + NSEH + SEH" + NOPS + shellcode + "D" * 8868 payload = buffer try: f=open("exploit.txt","w") print "[+] Creating %s bytes payload.." %len(payload) f.write(payload) f.close() print "[+] File created!" except: print "File cannot be created”

SkeletonPythonScriptsSocketBasedSkeletonPythonScripts(LocalBOFexample,Vanilla)buffer = "A" * 5094 + ”JMP ESP" + NOPS + "C" * (882-len(shellcode)) print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n" print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect(("192.168.0.150", 110)) print s.recv(1024) s.send('USER ' + buffer + '\r\n') print s.recv(1024) s.send('QUIT\r\n') s.close() time.sleep(1) print "[*] Done, but if you get here the exploit failed!"

VanillaEIPOverwrite

41414141–TheMagicNumbers.

Ouraiminthispor:onoftheworkshopistooverwritetheEIPregisterbysendingalongstring,whichwillallowustoredirectprogramexecu:onflowtoshellcodeofourchoosing.Inthiscase,itwouldbecalc.exeorabindshell.

VanillaEIPOverwrite(MailCarrier)

VanillaEIPOverwrite(MailCarrier)

AeachingtotheMailCarrierprocess,usingImmunityDebugger(onyourVM)

VanillaEIPOverwrite(MailCarrier)

VanillaEIPOverwrites(MailCarrier)

SkeletonPythonScript,whichwillsend6000A’svia“USER”(onyourVM)

VanillaEIPOverwrite(MailCarrier)

Overwri:ngEIPwith“41414141”

VanillaEIPOverwrite(MailCarrier)

Genera:ngauniquepaeernwithmsf-paeern_createwithlength6000

VanillaEIPOverwrite(MailCarrier)

Pythonscript,withuniquepaeerntosendtoMailCarrier

VanillaEIPOverwrite(MailCarrier)

Execu:ngthescript,whichcarriestheuniquepaeern.

VanillaEIPOverwrite(MailCarrier)

ObtainingEIPoverwritewithauniquepaeern,wecopythisvaluetofindtheexactoffset.

VanillaEIPOverwrite(MailCarrier)

Usingmsf-paeern_offsetinordertoobtaintheexactoffset,inthiscase5094bytes.

VanillaEIPOverwrite(MailCarrier)

Wecreateour“B”buffer,toconfirmtheexactoffsetandEIPoverwrite.

VanillaEIPOverwrite(MailCarrier)

ConfirmingthecorrectoffsetandEIPoverwritevia42424242(“B”*4)

VanillaEIPOverwrite(MailCarrier)

WesearchforaJMPESPtooverwriteEIPwith,viamonawith“!monajmp–resp”

VanillaEIPOverwrite(MailCarrier)

AddingtheJMPtothePythonscript.

VanillaEIPOverwrite(MailCarrier)

Weplaceabreakpointatthataddress,andwaitforthebreakpointtobehit,confirmingjmp.

VanillaEIPOverwrite(MailCarrier)

Westepthroughtheinstruc:onsandconfirmthatwelandinour“C”buffer.

VanillaEIPOverwrite(MailCarrier)

Genera:ngourbind_tcpshellcode,withmsfvenom.

VanillaEIPOverwrite(MailCarrier)

PlacingitintoourPythonscript(1/2).

VanillaEIPOverwrite(MailCarrier)

PlacingitintoourPythonscript(2/2).

VanillaEIPOverwrite(MailCarrier)

Execu:ngourPythonscript(fullexploit).

VanillaEIPOverwrite(MailCarrier)

Obtainingourbindshellonport443.

VanillaEIPOverwrite(MailCarrier)

UsingMeterpretertoconnecttothebindshell.

SEHexploita:on

41414141–SDllthemagicnumbers,justdifferent!

Structuredexcep:onhandlingexploitscompromiseanapplica:onbyoverwri:ngthepointerofanexcep:onhandlerwithanaeackercontrolledaddress.The“StructuredExcepDonHandler(SEH)”isaprotec:onmechanismthatwasimplementedtomi:gatetheabuseofbufferoverflows,butitisahighlyflawedone.

REF:heps://www.fuzzysecurity.com/tutorials/expDev/3.html

SEHexploita:on

SkeletonPythonscripttoexploittheLISTcommand,postauthen:ca:on(test/test)

SEHexploita:on

Sending10000A’sviatheLISTcommand.

SEHexploita:on

EIPisnotoverwrieen,butwecon:nueprogramexecu:on.

SEHexploita:on

EIPisnowoverwrieen,theSEHchainourA’s.

SEHexploita:on

Inthesamewayasthepreviousexploit,weusemsftocreateauniquepaeernwith10000bytes.

SEHexploita:on

Pythonscriptwiththepaeern.

SEHexploita:on

SEHchainshowsoverwrite,wethenmatchthatwithmsf-paeern_offsetto6178bytes.

SEHexploita:on

Wemodifyourbuffertooverwritensehandsehwith“BBBB”and“CCCC”.

SEHexploita:on

SEHChainnowshowswecontrolnsehandsehaccordingly.

SEHexploita:on

Weuse“!monaseh”tosearchforaPOPPOPRETinstruc:on.

SEHexploita:on

OurPPRinstruc:onisthenaddedtoourexploit,withnsehaddedas“G”*4.

SEHexploita:on

WeplaceabreakpointatourPPRinstruc:on,tomakesureitisbeingexecutedproperly.

SEHexploita:on

WeexecuteourPPRinstruc:on,andjumptoour4“G”buffer,whichwecannowusetojump.

SEHexploita:on

Weusethese4bytes,toassembleaJMPSHORTtoavalueaierthehandler(EB12)

SEHexploita:on

WemodifyourPythonscripttoaddournsehjumpandsomenops(wewanttolandinthenops).

SEHexploita:on

Usingbreakpointsandsteppingthrough,wefinallylandinournopsandcanaddourshellcode.

SEHexploita:on

Usingmsfvenom,wegenerateourbindshellonceagain.

SEHexploita:on

Weaddthistoourfinalexploit(1/2).

SEHexploita:on

Weaddthistoourfinalexploit(2/2).

SEHexploita:on

WethenrunthefinalPythonexploit,andhopetogetabindshellonthetarget.

SEHexploita:on

Success,wehaveourbindshellwai:ngonport443.

SEHexploita:on

ConnectedtoourbindshellviaMSF.

Egghunters

Playingwithlimitedbufferspacecanbefun!Anegghunterisasmallpieceofshellcodethatwillsearchmemoryforaspecificpaeern.Oncethisisfound,itwillthenexecutethefullshellcodeinalargerareaofavailablebufferspace(some:mesdoneviaanotherstoredvariable).WewillexpandupontheSEHexploitfromthepreviousexample,withtheuseofaegghuntertofindourshellcode.

Addi:onalinforma:on:heps://www.corelan.be/index.php/2010/01/09/exploit-wri:ng-tutorial-part-8-win32-egg-hun:ng/

Egghunters

WestartwithourskeletonPythonscript,whichusesnseh,sehandnops(noshellcodethis:me).

Egghunters

Welandinournopsasexpected,whichwillallowustocreateandexecuteouregghunter.

Egghunters

Usingmsf-egghuntertogenerateouregghunter,withx00astheonlybadchar,tagofWOOT.

Egghunters

Addingtheegghuntertoourcode,alsoincludingtheWOOTWOOTtagjustaierini:al“A”buffer

Egghunters

Execu:ngourscriptwithourEgghunter,ifallgoeswellweshouldfindWOOTWOOTinmemory.

Egghunters

Ouregghuntertagisfound,wecannowplacenopsandshellcode!

Egghunters

Onceagain,wegenerateourshellcodeusingmsfvenom.

Egghunters

Addingtheshellcodetoourexploit(1/2).

Egghunters

Addingtheshellcodetoourexploit(2/2).

Egghunters

Runningourfinalexploitwithegghunterandshellcode.

Egghunters

Bysexngbreakpointsandsteppingthroughtheexecu:on,wecanseeouregghunter.

Egghunters

Wesetanotherstrategicbreakpoint,aierourWOOTWOOTisfoundinmemory,thencon:nue.

Egghunters

Toconfirm,wefindourtaginmemory,followedbyournopsandshellcode.

Egghunters

Wecon:nueexecu:on,findournopsandshellcodeexecutescorrectly.

Egghunters

Bindshellwai:ngonport443forustoconnectto.

Egghunters

Connec:ngtoourbindshell!

@telspacesystemswww.telspace.co.za

Referencesandthanksto:FuzzySecurityCorelan(Peter!)

OffsecMaeMiller(skape)

DEFCON(Jeff,Nikita,Highwiz,Toeenkophandallcrew)TheTelspaceSystemsCrew(heps://www.telspace.co.za)