From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
1. From SEH Overwrite with
Egg Hunter to Get a Shell!
SPEAKER: Rodolpho Concurde
COMPANY: self-employed
2. $Whoami
Rodolpho Concurde (ROd0X)
•
Penetration Tester;
•
Instructor I.T;
•
Consultant of I.S – 13 years;
•
EC-C|EH;
•
Talks at: Hack In The Box, Ekoparty, Arab Security Conference, MorterueloCON,
Stackconf, Red Team Village, BSides Calgary, BSides Athens, etc.
•
Author at Hakin9 Magazine: Stack Overflow; Pentest Magazine: Covert Channel,
From Fuzzing to Get a Shell and From SEH Overwrite to Get a Shell;
•
https://www.linkedin.com/in/rodolphoconcurde;
•
rconcurde@gmail.com
4. Exception Handler
Exception Handler is a chunk of code, from inside of an application
which have the objective to handle any exception that can occur
during execution of software.
The Exception Handler look like with:
5. An exception is an unexpected event (an error) that occurs in a running
system or program. When an exception occurs, the program's normal
flow of execution is interrupted. It is important that the application can
"handle" the exception or error to continue running normally.
The addresses of the "exception handlers" are stored on the stack.
The Windows Operating System has a default "handler" that catches
any exception that is not handled by the program. When Windows
handles an exception in an application, you will usually see the
message: "program has encountered a problem and needs to close".
6. The SEH works in chain and are localize in end of stack.
In the classic Buffer Overflow (vanilla), the exploit overwrites the
return address, without worrying about writing more bytes in the
stack, but with the SEH Overwrite technique, it is possible to obtain
more space for the shellcode, in order to have an exploit more stable.
7. Buffer overflow
Buffer overflow is an anomaly where a program, while writing
data to a buffer, overruns the buffer's boundary and overwrites
adjacent memory locations.
Might be:
Heap based: place in the memory which allocate lot amount of
data and, dynamically;
Stack based: Allocate a limited or fixed size of data, such as,
data from local variables or functions.
9. P0C
The attacker machine we’ll use the Kali 2020.3 and the vulnerable
software that we’ll use is the Easy File Sharing Web Server 7.2, which
is running on Windows XP Service Pack 3, and can be download at:
https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
10. P0C
Open the Immunity Debugger, after open the vulnerable software, and
in Immunity, click at File menu → Attach.
Choose the vulnerable software and click at Attach!
After click at Play or press F9 to run the vulnerable software inside the
Immunity.
11. P0C
We begin with the python fuzzing code.
This code will send 5000 “A” against the target IP in TCP port 80.
12. P0C
For see SEH chain, we should click at menu: View → SEH chain
As we can see in image, we have the field
Address and SE handler value overwrite
with 41414141, then click with: Right
button in 41414141 and Follow address in
stack.
13. P0C
In image below, we see the Pointer to next SEH record and SE handler
value overwrite with 41414141, this means that it worked, we overwrite
the SEH chain! 8-)
14. P0C
Now, we need to find how many characters are necessary to overwrite the SEH, to get
control of SEH chain. For this, we will use the tool pattern_create.
In Kali, at directory: /usr/share/metasploit-framework/tools/exploit → type:
./pattern_create.rb -l 5000
Pattern_create generated a lot amount of standardized characters.
Copy these characters generated, and paste in python exploit script, at variable
crash1.
15. P0C
So send the exploit code against the target as show the image below.
Click at View → SEH chain, and as show image below we have the
Address and SE handler overwrite.
16. P0C
Now, we will use the tool pattern_offset to find the offset of SE handler.
In directory /usr/share/metasploit-framework/tools/exploit, type as show
image below:
./pattern_offset.rb -l 5000 -q 46356646
17. P0C
We found the offset 4065! This means that we need 4065 bytes to overwrite
SEH. In image below, we put in variable crash1: 4061 * “A” + “B” * 4 +
“C” * 4, these means that we will fill SEH chain with 4 “B” and 4 “C”.
18. P0C
Again, send the exploit code against the target as show the image below.
Click at View → SEH chain, after right button at 43434343 and Follow
address in stack, as show image below.
19. P0C
As show image below, we have BBBB as Pointer to next SEH record,
and CCCC as SE handler.
20. P0C
Now we need to find in Immunity an instruction POP POP RETN, this instruction will as
show image below, make a return to the Pointer to next SEH record, the Pointer to next SEH
record, we will overwrite with a jump to our shellcode to get a reverse shell! 8-)
Take a look at image below!
21. P0C
Now we need to find in Immunity an address which have the instruction POP POP RETN, for
this, we will use mona.py script.
https://raw.githubusercontent.com/corelan/mona/master/mona.py
You should make download of mona.py and paste at:
c:Program FilesImmunity IncImmunity DebuggerPyCommands
Type in command bar: !mona seh, wait a minute till the Immunity process all.
22. P0C
Click at View → Log for see the log!
See the image below, “for more pointers,
open seh.txt...”
23. P0C
See the file seh.txt at folder Immunity Debugger.
We’ll use the address 0x100103fe, which is a POP esi, POP edi and RET,
with security mechanisms ASLR, Rebase, SafeSEH as False!
24. P0C
Now we need to find the OPCODE to instruction JMP SHORT 8, which will
be our jump to our shellcode! For this, we will use the tool nasm_shell,
as show image below. Type at directory:
/usr/share/metasploit-framework/tools/exploit#./nasm_shell.rb
nasm> JMP SHORT 8
And we have EB06 as show image below.
25. P0C
Now, as show image below, create a variable NSEH and put the value of
SHORT JMP with x90x90, which means NOP no operation, NOPs do
nothing. And variable SEH, with address to the POP POP RETN.
Type your exploit code like show image below!
26. P0C
Open the Immunity again, attach the vulnerable software inside of the
Immunity, and run the software again. Then, click with right button over
the code area, and Go to Expression, as show image below.
27. P0C
Now, type the address to the POP POP RETN: 100103fe and click at OK!
28. P0C
We found the address to the POP POP RETN; let’s now, put a Breakpoint
at address 100103fe to stop in this address; for this, click with right
button at 100103fe and click at Breakpoint → Toggle, like show image
below.
34. P0C
We know that have little space to our shellcode, for this we will use a
technique called “egg hunter”. Egg hunter is a small piece of shellcode
which searches for an actual bigger shellcode which the attacker was not
able to fit-in the available buffer space, for this, make use of this little piece
of shellcode "egg hunter" to redirect execution flow to shellcode bigger.
35. Now we need to search for bad characters, depending on the application,
type of vulnerability and protocols in use, may be certain characters which
are considered "bad" and should not be used in your buffer or shellcode.
One example of bad characters is 0x00.
This character is considered bad because a null byte is also used to
terminate a string copy operation, which would truncate our buffer
whenever which the null byte appears.
For test if has more badchars in the software, close the software and the
Immunity, and reopen the Immunity and attach the software in the
Immunity again.
P0C
36. P0C
We will send the string bellow inside of our exploit code.
"x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10"
"x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20"
"x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30"
"x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40"
"x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50"
"x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60"
"x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70"
"x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80"
"x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90"
"x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0"
"xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0"
"xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0"
"xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0"
"xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0"
"xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0"
"xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"
38. P0C
Paste the egg hunter code in exploit code, add the payload2 =
badchars, add the egg hunter at crash1 variable and add w00tw00t +
payload2 at variable payload.
The w00t is a label to find our payload2.
41. P0C
In the image below, show the egg hunter code, and click with right
button at EDX and Follow in Dump, to show the dump – w00tw00t.
Remember, which w00t is a value that come before our shellcode.
Egg hunter
code
Make dump EDX
EDX dumped
42. P0C
JMP EDI, jump at end of our egg hunter code to our bigger shellcode!