2. $Whoami – Rodolpho Concurde (ROd0X)
Penetration Tester
Instructor I.T
Consultant of I.S – 13 years
EC-C|EH
Talks at Hack in the Box, MorterueloCON, Red Team Village, Stackconf, Bsides
Athens & Bsides SATX.
Author Hakin9 Magazine: Stack Overflow, Pentest Magazine: Covert Channel,
From Fuzzing to Get a Shell and From SEH Overwrite to Get a Shell.
https://www.linkedin.com/in/rodolphoconcurde
rconcurde@gmail.com
4. Types of targets
- Protocol: FTP, POP3, SMTP, Telnet, any of them!
- Application: any INPUT of any application.
- File format: any file format (.mp3, .m3u, .mp4, …), to test the
software's reader!
5. Types of Attacks
Fuzzers try combinations of attacks on:
- numbers
- chars
- metadata
- pure binary sequences
A list of dangerous strings is sent to the target, one after another.
Example: (-999999999, alert`1`, top["al"+"ert"](1),
<a href="data:text/html;base64_,<svg/onload=u0061le%72t(1)>">X</a, 11000001000010010001100).
6. Types of Fuzzers - Characteristics
Dumb: any string combination;
Smart fuzzing:
Smart fuzzers are programmed with knowledge of the input
format, i.e. a protocol definition or the rules of a file format.
- Mutation;
-- Through replay and MITM or Proxy
- Generation;
- Evolutionary.
Ref: https://www.f-secure.com/en/consulting/our-thinking/15-minute-guide-to-fuzzing
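To make the difference between the dumb and smart (mutation) fuzzers described above concrete, here is a small in-process fuzz harness in C, written for this page and applied to the kind of target the rest of the talk uses: a playlist (.m3u) reader. It is an added example, not code from the talk or from any tool it names. The toy parser parse_m3u, its MAX_PATH_LEN limit, the seed playlist, the xorshift32 generator and the three mutations are all assumptions made for the illustration; a real reader would be fuzzed through its actual file-loading entry point.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_PATH_LEN 64   /* hypothetical size of the toy reader's path buffer */

/* Parser under test: a toy .m3u reader that copies every non-comment line
 * into a fixed-size stack buffer. Unlike the vulnerable reader in the talk it
 * checks the length first. Returns the entry count, or -1 if input is rejected. */
int parse_m3u(const uint8_t *data, size_t len)
{
    char path[MAX_PATH_LEN];
    int entries = 0;
    size_t i = 0;

    while (i < len) {
        size_t start = i;
        while (i < len && data[i] != '\n')
            i++;
        size_t line_len = i - start;
        if (i < len)
            i++;                          /* consume the newline */
        if (line_len == 0 || data[start] == '#')
            continue;                     /* blank line or #EXT comment */
        if (line_len >= MAX_PATH_LEN)
            return -1;                    /* the bounds check a vulnerable reader lacks */
        memcpy(path, data + start, line_len);
        path[line_len] = '\0';
        entries++;
    }
    return entries;
}

/* Deterministic PRNG (xorshift32) so a run can be reproduced from its seed. */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t next_rand(void)
{
    uint32_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return rng_state = x;
}

/* Dumb fuzzing: a random-length run of random bytes with no format knowledge. */
size_t gen_dumb(uint8_t *out, size_t cap)
{
    size_t n = 1 + next_rand() % cap;
    for (size_t k = 0; k < n; k++)
        out[k] = (uint8_t)next_rand();
    return n;
}

/* Smart (mutation) fuzzing: start from a valid seed playlist and apply one
 * format-aware change: flip a bit, stretch the last path, or split a line. */
size_t gen_mutated(const uint8_t *seed, size_t seed_len, uint8_t *out, size_t cap)
{
    memcpy(out, seed, seed_len);
    size_t n = seed_len;
    switch (next_rand() % 3) {
    case 0:
        out[next_rand() % n] ^= (uint8_t)(1u << (next_rand() % 8));
        break;
    case 1: {                             /* grow a path past the buffer limit */
        size_t extra = next_rand() % 200;
        while (extra-- > 0 && n < cap)
            out[n++] = 'A';
        break;
    }
    case 2:
        out[next_rand() % n] = '\n';
        break;
    }
    return n;
}

/* Feeds `iters` generated inputs to the parser. A crash would abort the
 * harness (the signal a fuzzer looks for); otherwise returns how many inputs
 * the parser rejected cleanly through its length check. */
int run_fuzz(int iters, int smart)
{
    static const char seed[] = "#EXTM3U\n#EXTINF:123,Song\nC:\\music\\song.mp3\n";
    uint8_t buf[512];
    int rejected = 0;

    for (int k = 0; k < iters; k++) {
        size_t n = smart
            ? gen_mutated((const uint8_t *)seed, sizeof seed - 1, buf, sizeof buf)
            : gen_dumb(buf, sizeof buf);
        if (parse_m3u(buf, n) < 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    printf("dumb:  %d of 1000 inputs rejected\n", run_fuzz(1000, 0));
    printf("smart: %d of 1000 inputs rejected\n", run_fuzz(1000, 1));
    return 0;
}
```

Compile and run it to see how many of 1000 inputs each strategy drives into the parser's reject path. The mutation strategy reaches the oversized-line case far more reliably than random bytes, which is why a format-aware fuzzer finds this class of bug faster; remove the line_len check and the same oversized lines overrun `path`, the bug class the PoC slides later demonstrate.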
7. Buffer overflow
A buffer overflow is an anomaly where a program, while writing
data to a buffer, overruns the buffer's boundary and overwrites
adjacent memory locations.
It might be:
Heap based: the region of memory where large amounts of data are
allocated dynamically;
Stack based: holds a limited or fixed amount of data, such as
local variables and function call data.
8. B.0 Code Example
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    // Reserve 5 bytes of buffer plus the terminating NULL.
    // To overflow, need more than 5 bytes...
    char buffer[5]; // If more than 5 characters are input
                    // by the user, there will be an access
                    // violation, a segmentation fault.
    // A prompt on how to execute the program...
    if (argc < 2)
    {
        printf("strcpy() NOT executed....\n");
        printf("Syntax: %s <characters>\n", argv[0]);
        exit(0);
    }
……………………...
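The slide's program goes on to strcpy() the argument into that 5-byte buffer with no length check. As an added example (not the talk's code), the following C program shows the check that copy needs: copy_arg() refuses an argument that does not fit instead of writing past the buffer. copy_arg and fill_buffer are hypothetical names, and BUF_SIZE mirrors the slide's buffer[5].

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 5   /* same 5-byte buffer as the slide: 4 characters + NUL */

/* Copies src into dst[dst_size] only if it fits, terminator included.
 * Returns 0 on success, -1 when the input would overflow (nothing is written). */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;                /* would overrun the buffer: reject it */
    memcpy(dst, src, n + 1);      /* n + 1 carries the NUL as well */
    return 0;
}

/* Mirrors the slide's flow: fills a BUF_SIZE stack buffer from one argument.
 * Returns the number of characters stored, or -1 if the argument was rejected. */
int fill_buffer(const char *arg)
{
    char buffer[BUF_SIZE];
    if (copy_arg(buffer, sizeof buffer, arg) != 0)
        return -1;
    return (int)strlen(buffer);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        printf("Syntax: %s <characters>\n", argv[0]);
        return 1;
    }
    int stored = fill_buffer(argv[1]);
    if (stored < 0)
        printf("input too long for a %d-byte buffer: rejected\n", BUF_SIZE);
    else
        printf("stored %d characters\n", stored);
    return 0;
}
```

The check compares against the destination size (sizeof buffer) rather than a constant copied by hand, so it stays correct if the buffer is resized. Note that replacing strcpy() with strncpy() alone is not equivalent: strncpy() does not add the terminator when the source fills the buffer, so a later strlen() or printf() would read past it.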
13. PoC
Vulnerable software for file-format fuzzing!
http://s2.download.net.pl/ASX-to-MP3-Converter-4063-6400-5319.exe
Open the software in Immunity Debugger via:
File -> Attach -> ASX2MP3Converter, and run it with F9
14. PoC
The image below shows the code used to fuzz the vulnerable software.
It sends to the software's INPUT the string held in the variable [$buffer].
The value of the variable [$buffer] can be generated with the Metasploit tool
pattern_create.
15. PoC
Run the code with the command [perl asx2mp3.pl].
Then load the file p0c.m3u in the vulnerable software while it runs under Immunity Debugger.
And we have a Stack Overflow!
16. PoC
The next step is to use pattern_offset to locate the offset of EIP.
17. PoC
In the debugger we use mona.py to see the modules loaded by the vulnerable
software. We need to find an address that makes a JUMP from EIP to ESP, because we
place our shellcode at ESP. Let's look for a module that contains a JMP ESP; first let's list the modules.
For this we use the mona.py script:
https://raw.githubusercontent.com/corelan/mona/master/mona.py
Download mona.py and paste it into:
c:\Program Files\Immunity Inc\Immunity Debugger\PyCommands
Let's use mona! Type in the Immunity command bar: !mona modules
We should find a module without protection mechanisms.
18. PoC
The next step is to find, inside the msvos module, an instruction that jumps to the ESP
register; for this, first we obtain the opcode bytes corresponding to JMP ESP.
Now, the mona command to find this instruction.
19. PoC
This command finds the address 0x01ba135b, which we insert
into the following exploit code.
20. PoC
Now we need to search for bad characters. Depending on the application, the type
of vulnerability and the protocols in use, there may be certain characters that are
considered "bad" and must not be used in your buffer or shellcode.
One example of a bad character is 0x00.
This character is considered bad because a null byte also terminates a
string copy operation, which would truncate our buffer wherever the null
byte appears.
To test whether the software has more bad characters, close the software and
Immunity, then reopen Immunity and attach the software to it
again.
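An added example, not from the talk, showing the mechanism the text describes: the same 16-byte input copied once with strcpy(), which stops at the first 0x00, and once with memcpy(), which carries an explicit length and so keeps every byte. The helpers bytes_strcpy_keeps, copy_via_strcpy and copy_via_memcpy and the sample bytes are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Number of bytes strcpy() would carry across from src (length len):
 * everything before the first 0x00, or all of len if there is none. */
size_t bytes_strcpy_keeps(const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (src[i] == 0x00)
            return i;
    return len;
}

/* Copies len bytes the way a naive string-based reader does: into a
 * NUL-terminated temporary, then strcpy() into dst. Returns how many bytes
 * actually reached dst, or (size_t)-1 if the input does not fit. */
size_t copy_via_strcpy(const uint8_t *src, size_t len, char *dst, size_t dst_size)
{
    char tmp[256];
    if (len >= sizeof tmp || len >= dst_size)
        return (size_t)-1;
    memcpy(tmp, src, len);
    tmp[len] = '\0';
    strcpy(dst, tmp);          /* stops at the first 0x00 inside the data */
    return strlen(dst);
}

/* The length-based alternative: memcpy() with an explicit count keeps every
 * byte, so a reader built this way has no 0x00 "bad character" at all. */
size_t copy_via_memcpy(const uint8_t *src, size_t len, uint8_t *dst, size_t dst_size)
{
    if (len > dst_size)
        return (size_t)-1;
    memcpy(dst, src, len);
    return len;
}

int main(void)
{
    /* Constructed sample: 16 bytes with a NUL at index 5. */
    uint8_t sample[16] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x00, 0x07, 0x08,
                          0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10};
    char as_string[64];
    uint8_t as_bytes[64];

    printf("strcpy kept %zu of %zu bytes\n",
           copy_via_strcpy(sample, sizeof sample, as_string, sizeof as_string),
           sizeof sample);
    printf("memcpy kept %zu of %zu bytes\n",
           copy_via_memcpy(sample, sizeof sample, as_bytes, sizeof as_bytes),
           sizeof sample);
    return 0;
}
```

The bad-character search in the PoC exists only because the vulnerable reader treats the playlist as a C string; a reader that must accept binary content and copies by explicit length has no 0x00 truncation to begin with, and a length check on that copy (as in the earlier bounded-copy example) is what prevents the overflow.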
21. PoC
We will send the string below inside our exploit code.
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff".
25. PoC
We won't send the characters 0x00 and 0x0a, because we already know they are
bad characters and, as such, cause an error in the software.
Our exploit code looks like the image below! We add the variable badchars.
27. PoC
Having set a breakpoint at the EIP address with a double-click, we see the flow of execution stop at
the chosen address.
Finally, let's generate our shellcode with the msfvenom tool and insert it into the exploit
code.