exploit development with python
TRANSCRIPT
AGENDA
Memory
Stack/Buffer Overflow
Structured Exception Handler (SEH)
Escape from small space
Egghunter
Demo
Args./Environment
Stack
Unused Memory
Heap (dynamic data)
Static Data .data
Program Code .text
PROCESS MEMORY LAYOUT
High addresses
Top of memory
0xFFFFFFFF
Low addresses
0x00000000
Stack grows down by
procedures call
Heap grows up e.g. by
malloc and new
STACK BUFFER OVERFLOW
#include <string.h>
void foo (char *bar)
{
char c[12];
strcpy(c, bar); // no bounds checking...
}
int main (int argc, char **argv)
{
foo(argv[1]);
}
STACK BUFFER OVERFLOW
Unallocated stack
char c[12]
char *bar
Saved frame
pointer
(EBP)Return Address
(EIP)
Parent routine’s
stack
Memory addressStack growth
STACK BUFFER OVERFLOW
Unallocated stack
char c[12]
char *bar
Saved frame
pointer
(EBP)Return Address
(EIP)
Parent routine’s
stack
Memory addressStack growth
h e l l
\0o
STACK BUFFER OVERFLOW
Unallocated stack
Memory addressStack growth
A A A A
A A A A
A A A A
A A A A
A A A A
A A A A
A A A A
\x08 \x35 \xc0 \x80
Fill the stack with ‘A’
Overwritten return address
at 0x80c03508
Parent routine’s
stack
Little
Endian
0x80c03508
WHAT IS SEH?
This structure ( also called a SEH record) is 8 bytes and has 2 (4
bytes each) elements :
a pointer to the next exception_registration structure (in essence,
to the next SEH record, in case the current handler is unable the
handle the exception)
a pointer, the address of the actual code of the exception handler.
(SE Handler)
LOOK AT THE SEH STRUCTURE
Beginning of SEH chain
SEH chain will be placed at the top of the main data block
It also called FS:[0] chain as well (on intel: mov [reg], dword ptr
fs:[0])
End of seh chain
Is indicated by 0xFFFFFFFF
Will trigger improper termination to the program
HOW SEH WORKS?Stack
TEB
FS[0]: 0012FF40 0012FF40
0012FF44
0012FFB0 : next SEH record
7C839AD8 : SE Handler
0012FFB0
0012FFB4
0012FFE0 : next SEH record
0040109A : SE Handler
0012FFE0
0012FFE4
FFFFFFFF : next SEH record
7C839AD8 : SE Handler
PROTECTIONS AGAINST SEH
XOR
before the exception handler is called, all registers are XORedwith each other, so it will make them all point to 0x00000000
DEP & Stack Cookies
Stack Cookies or Canary is setup via C++ compiler options
DEP will mark the memory stack to no execute.
It was introduced since Windows XP SP2 and Windows 2003, enabled by default on Windows Vista and 7
Those two protections can make it harder to build exploits.
PROTECTIONS AGAINST SEH
SafeSEH
additional protection was added to compilers, helping to stop the
abuse of SEH overwrites.
It will check the original value of SEH, if it overwritten, SafeSEH
will try to bring it back to the original value.
ABUSING SEH
On direct RET technique:
Simply find an instruction to jump to the stack, done.
While on SEH Based:
You cannot simply jump to the stack, because the registers are XORed.
We can take advantage this exception handling condition by overwrite the SE Handler address.
The OS will know the exception handling routine, and pass it to next SEH record.
Pointer to next SEH will bring us to the shellcode.
Game over!
ABUSING SEH
In other words, the payload must do the following things:
Cause an exception. Without an exception, the SEH handler (the
one you have overwritten/control) won’t kick in.
Overwrite the pointer to the next SEH record with some jumpcode
(so it can jump to the shellcode)
Overwrite the SE handler with a pointer to an instruction that will
bring you back to next SEH and execute the jumpcode.
The shellcode should be directly after the overwritten SE Handler.
Some small jumpcode contained in the overwritten “pointer to
next SEH record” will jump to it).
ABUSING SEH When the exception occurred, the position on the stack will going like
this:
Possible value to overwrite SE Handler are POP something, POP
something and RETN to the stack.
It will POP address that sit at the top of the stack, POP it again to take
the second address, and RETN to execute the third address (which is
now at the top of the stack)
Top of stack
Our pointer to next SEH
address
ABUSING SEH
Image was taken from http://corelan.be
with permission from Peter van Eeckhoutte (Corelan)
ESCAPE FROM SMALL SPACE
Use Egghunter
“Staged shellcode”
Use small amount of custom shellcode to find the actual “bigger”
shellcode (the egg), by searching entire memory for the final
shellcode
EGGHUNTER
There are 3 conditions that are important in order for this
technique to work
We must be able to jump to (jmp, call, push/ret) & execute “some” shellcode,
the egghunter.
The final shellcode must be available somewhere in memory (stack/heap/…).
You must “tag” or prepend the final shellcode with a unique string/marker/tag.
This means that we will have to define the marker in the egg hunter code, and
also write it just in front of the actual shellcode.
1ST SKELETON EXPLOIT: CRASH IT!
#!/usr/bin/python
from socket import *
junk = "\x41" * 10000
s = socket(AF_INET, SOCK_STREAM)
s.connect((‘x.x.x.x’,8000))
print "[+] Launching attack..”
s.send ("GET /" + payload + "HTTP/1.0\r\n\r\n\r\n")
s.close()
2ND SKELETON EXPLOIT: EIP
OVERWRITE
#!/usr/bin/python
from socket import *
junk = [random data generated from msf]
s = socket(AF_INET, SOCK_STREAM)
s.connect((‘x.x.x.x’,8000))
print "[+] Launching attack..”
s.send ("GET /" + payload + "HTTP/1.0\r\n\r\n\r\n")
s.close()
3RD SKELETON EXPLOIT: SMALL
SPACE
Egghunter
\x66\x81\xca\xff\x0f\x42\x52\x6a
\x02\x58\xcd\x2e\x3c\x05\x5a\x74
\xef\xb8\x77\x30\x30\x74\x8b\xfa
\xaf\x75\xea\xaf\x75\xe7\xff\xe7
4TH FINAL EXPLOIT
Exploit DB
http://www.exploit-db.com/exploits/19266/
Metasploit
http://www.exploit-db.com/exploits/19291/
http://www.metasploit.com/modules/exploit/windows/http/ezserver_http