SlideShare a Scribd company logo

From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde

R
Rodolpho Concurde

From SEH Overwrite with Egg Hunter to Get a Shell!

Technology
1 of 52
Download to read offline
From SEH Overwrite with Egg Hunter to Get a Shell! SPEAKER: Rodolpho Concurde COMPANY: self-employed
$Whoami Rodolpho Concurde (ROd0X) • Penetration Tester; • Instructor I.T; • Consultant of I.S – 13 years; • EC-C|EH; • Talks at: Hack In The Box, Ekoparty, Arab Security Conference, MorterueloCON, Stackconf, Red Team Village, BSides Calgary, BSides Athens, etc. • Author at Hakin9 Magazine: Stack Overflow; Pentest Magazine: Covert Channel, From Fuzzing to Get a Shell and From SEH Overwrite to Get a Shell; • https://www.linkedin.com/in/rodolphoconcurde; • rconcurde@gmail.com
Agenda ● - SEH (Structured Exception Handler); ● - Buffer Overflow; ● - PoC ● – SEH Overwrite; ● – Short JMP; ● – Egg Hunter; ● – Bad Characters; ● – Reverse Shell; ● - Questions??
Exception Handler Exception Handler is a chunk of code, from inside of an application which have the objective to handle any exception that can occur during execution of software. The Exception Handler look like with:
An exception is an unexpected event (an error) that occurs in a running system or program. When an exception occurs, the program's normal flow of execution is interrupted. It is important that the application can "handle" the exception or error to continue running normally. The addresses of the "exception handlers" are stored on the stack. The Windows Operating System has a default "handler" that catches any exception that is not handled by the program. When Windows handles an exception in an application, you will usually see the message: "program has encountered a problem and needs to close".
The SEH works in chain and are localize in end of stack. In the classic Buffer Overflow (vanilla), the exploit overwrites the return address, without worrying about writing more bytes in the stack, but with the SEH Overwrite technique, it is possible to obtain more space for the shellcode, in order to have an exploit more stable.
Buffer overflow Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Might be: Heap based: place in the memory which allocate lot amount of data and, dynamically; Stack based: Allocate a limited or fixed size of data, such as, data from local variables or functions.
SEH
P0C The attacker machine we’ll use the Kali 2020.3 and the vulnerable software that we’ll use is the Easy File Sharing Web Server 7.2, which is running on Windows XP Service Pack 3, and can be download at: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
P0C Open the Immunity Debugger, after open the vulnerable software, and in Immunity, click at File menu → Attach. Choose the vulnerable software and click at Attach! After click at Play or press F9 to run the vulnerable software inside the Immunity.
P0C We begin with the python fuzzing code. This code will send 5000 “A” against the target IP in TCP port 80.
P0C For see SEH chain, we should click at menu: View → SEH chain As we can see in image, we have the field Address and SE handler value overwrite with 41414141, then click with: Right button in 41414141 and Follow address in stack.
P0C In image below, we see the Pointer to next SEH record and SE handler value overwrite with 41414141, this means that it worked, we overwrite the SEH chain! 8-)
P0C Now, we need to find how many characters are necessary to overwrite the SEH, to get control of SEH chain. For this, we will use the tool pattern_create. In Kali, at directory: /usr/share/metasploit-framework/tools/exploit → type: ./pattern_create.rb -l 5000 Pattern_create generated a lot amount of standardized characters. Copy these characters generated, and paste in python exploit script, at variable crash1.
P0C So send the exploit code against the target as show the image below. Click at View → SEH chain, and as show image below we have the Address and SE handler overwrite.
P0C Now, we will use the tool pattern_offset to find the offset of SE handler. In directory /usr/share/metasploit-framework/tools/exploit, type as show image below: ./pattern_offset.rb -l 5000 -q 46356646
P0C We found the offset 4065! This means that we need 4065 bytes to overwrite SEH. In image below, we put in variable crash1: 4061 * “A” + “B” * 4 + “C” * 4, these means that we will fill SEH chain with 4 “B” and 4 “C”.
P0C Again, send the exploit code against the target as show the image below. Click at View → SEH chain, after right button at 43434343 and Follow address in stack, as show image below.
P0C As show image below, we have BBBB as Pointer to next SEH record, and CCCC as SE handler.
P0C Now we need to find in Immunity an instruction POP POP RETN, this instruction will as show image below, make a return to the Pointer to next SEH record, the Pointer to next SEH record, we will overwrite with a jump to our shellcode to get a reverse shell! 8-) Take a look at image below!
P0C Now we need to find in Immunity an address which have the instruction POP POP RETN, for this, we will use mona.py script. https://raw.githubusercontent.com/corelan/mona/master/mona.py You should make download of mona.py and paste at: c:Program FilesImmunity IncImmunity DebuggerPyCommands Type in command bar: !mona seh, wait a minute till the Immunity process all.
P0C Click at View → Log for see the log! See the image below, “for more pointers, open seh.txt...”
P0C See the file seh.txt at folder Immunity Debugger. We’ll use the address 0x100103fe, which is a POP esi, POP edi and RET, with security mechanisms ASLR, Rebase, SafeSEH as False!
P0C Now we need to find the OPCODE to instruction JMP SHORT 8, which will be our jump to our shellcode! For this, we will use the tool nasm_shell, as show image below. Type at directory: /usr/share/metasploit-framework/tools/exploit#./nasm_shell.rb nasm> JMP SHORT 8 And we have EB06 as show image below.
P0C Now, as show image below, create a variable NSEH and put the value of SHORT JMP with x90x90, which means NOP no operation, NOPs do nothing. And variable SEH, with address to the POP POP RETN. Type your exploit code like show image below!
P0C Open the Immunity again, attach the vulnerable software inside of the Immunity, and run the software again. Then, click with right button over the code area, and Go to Expression, as show image below.
P0C Now, type the address to the POP POP RETN: 100103fe and click at OK!
P0C We found the address to the POP POP RETN; let’s now, put a Breakpoint at address 100103fe to stop in this address; for this, click with right button at 100103fe and click at Breakpoint → Toggle, like show image below.
P0C Now run the exploit code again!
P0C The software stopped the flow of execution, as we can see in image below, we have an Access violation; press Shift F7, after F9 to continue!
P0C Now, we stop at our Breakpoint 100103fe that is the begin of our POP POP RETN. Press F7 to pass step-by-step the POP POP RETN!
P0C Arriving the flow of program at RETN, we see the address indicated in the image below: Return to 01876fd4
P0C This address 01876fd4 is our JMP SHORT (/x90/x90/xeb/x06), is a jump to our NOPs.
P0C We know that have little space to our shellcode, for this we will use a technique called “egg hunter”. Egg hunter is a small piece of shellcode which searches for an actual bigger shellcode which the attacker was not able to fit-in the available buffer space, for this, make use of this little piece of shellcode "egg hunter" to redirect execution flow to shellcode bigger.
Now we need to search for bad characters, depending on the application, type of vulnerability and protocols in use, may be certain characters which are considered "bad" and should not be used in your buffer or shellcode. One example of bad characters is 0x00. This character is considered bad because a null byte is also used to terminate a string copy operation, which would truncate our buffer whenever which the null byte appears. For test if has more badchars in the software, close the software and the Immunity, and reopen the Immunity and attach the software in the Immunity again. P0C
P0C We will send the string bellow inside of our exploit code. "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10" "x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20" "x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30" "x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40" "x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50" "x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60" "x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70" "x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80" "x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90" "x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0" "xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0" "xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0" "xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0" "xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0" "xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0" "xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"
P0C Sending badchars against the target!
P0C Paste the egg hunter code in exploit code, add the payload2 = badchars, add the egg hunter at crash1 variable and add w00tw00t + payload2 at variable payload. The w00t is a label to find our payload2.
P0C See, the w00t is a default value to find our shellcode!
P0C Send the exploit code again!
P0C In the image below, show the egg hunter code, and click with right button at EDX and Follow in Dump, to show the dump – w00tw00t. Remember, which w00t is a value that come before our shellcode. Egg hunter code Make dump EDX EDX dumped
P0C JMP EDI, jump at end of our egg hunter code to our bigger shellcode!
Badchars, absence of none badchar! P0C
Now, we should generate our shellcode to gain a reverse shell. For this, we will use the tool msfvenom. Do as show image below! P0C
Copy the shellcode generated by msfvenom, and paste in your exploit code.
Restart the target in the Immunity, put the respective Breakpoint, and send the exploit code updated, against the target. P0C
See the code of exploit code is the same than code in Immunity! P0C
Shellcode to be execute in Immunity, against the target! P0C
Reverse shell at metasploit framework! P0C
Questions??
Thanks! Rodolpho Concurde rconcurde@gmail.com https://www.linkedin.com/in/rodolphoconcurde

Recommended

From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!Rodolpho Concurde
 
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceRodolpho Concurde
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!NETWAYS
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Rodolpho Concurde
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit developmentPayampardaz
 
First fare 2013 basic-labview
First fare 2013 basic-labviewFirst fare 2013 basic-labview
First fare 2013 basic-labviewOregon FIRST Robotics
 
Python introduction
Python introductionPython introduction
Python introductionLearnbay Datascience
 

Recommended

From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!From SEH Overwrite with Egg Hunter to Get a Shell!
From SEH Overwrite with Egg Hunter to Get a Shell!Rodolpho Concurde
 
Finding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceFinding 0days at Arab Security Conference
Finding 0days at Arab Security ConferenceRodolpho Concurde
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!NETWAYS
 
Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Fuzzing: Finding Your Own Bugs and 0days! 2.0
Fuzzing: Finding Your Own Bugs and 0days! 2.0Rodolpho Concurde
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
Dive into exploit development
Dive into exploit developmentDive into exploit development
Dive into exploit developmentPayampardaz
 
First fare 2013 basic-labview
First fare 2013 basic-labviewFirst fare 2013 basic-labview
First fare 2013 basic-labviewOregon FIRST Robotics
 
Python introduction
Python introductionPython introduction
Python introductionLearnbay Datascience
 
Writing simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsWriting simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsD4rk357 a
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-TestingJava Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-TestingTal Melamed
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
Web backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionWeb backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionn|u - The Open Security Community
 
How secure is your code?
How secure is your code?How secure is your code?
How secure is your code?Mikee Franklin
 
Introduction to pic
Introduction to picIntroduction to pic
Introduction to picPRADEEP
 
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless WaySrushith Repakula
 
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...CodeOps Technologies LLP
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keithm j
 
Micro c lab3(ssd)
Micro c lab3(ssd)Micro c lab3(ssd)
Micro c lab3(ssd)Mashood
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Intimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkIntimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkAnimesh Roy
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Analysis of Godot Engine's Source Code
Analysis of Godot Engine's Source CodeAnalysis of Godot Engine's Source Code
Analysis of Godot Engine's Source CodePVS-Studio
 
Computer Security
Computer SecurityComputer Security
Computer SecurityAristotelis Kotsomitopoulos
 
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory
 
Behavior Driven Development with Rails
Behavior Driven Development with RailsBehavior Driven Development with Rails
Behavior Driven Development with RailsMark Menard
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
Tranning-2
Tranning-2Tranning-2
Tranning-2Ali Hussain
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

More Related Content

Similar to From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde

Writing simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsWriting simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsD4rk357 a
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-TestingJava Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-TestingTal Melamed
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
How secure is your code?
How secure is your code?How secure is your code?
How secure is your code?Mikee Franklin
 
Introduction to pic
Introduction to picIntroduction to pic
Introduction to picPRADEEP
 
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless WaySrushith Repakula
 
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...CodeOps Technologies LLP
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keithm j
 
Micro c lab3(ssd)
Micro c lab3(ssd)Micro c lab3(ssd)
Micro c lab3(ssd)Mashood
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Intimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkIntimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkAnimesh Roy
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceSaumil Shah
 
Analysis of Godot Engine's Source Code
Analysis of Godot Engine's Source CodeAnalysis of Godot Engine's Source Code
Analysis of Godot Engine's Source CodePVS-Studio
 
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessThomas Gregory
 
Behavior Driven Development with Rails
Behavior Driven Development with RailsBehavior Driven Development with Rails
Behavior Driven Development with RailsMark Menard
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 

Similar to From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde (20)

Writing simple buffer_overflow_exploits
Writing simple buffer_overflow_exploitsWriting simple buffer_overflow_exploits
Writing simple buffer_overflow_exploits
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-TestingJava Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
Java Hurdling: Obstacles and Techniques in Java Client Penetration-Testing
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Web backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionWeb backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detection
 
How secure is your code?
How secure is your code?How secure is your code?
How secure is your code?
 
Introduction to pic
Introduction to picIntroduction to pic
Introduction to pic
 
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless Way
 
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...
AWS Lambda Hands-on: How to Create Phone Call Notifications in a Serverless W...
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keith
 
Micro c lab3(ssd)
Micro c lab3(ssd)Micro c lab3(ssd)
Micro c lab3(ssd)
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Intimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit FrameworkIntimacy with MSF - Metasploit Framework
Intimacy with MSF - Metasploit Framework
 
Teflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surfaceTeflon - Anti Stick for the browser attack surface
Teflon - Anti Stick for the browser attack surface
 
Analysis of Godot Engine's Source Code
Analysis of Godot Engine's Source CodeAnalysis of Godot Engine's Source Code
Analysis of Godot Engine's Source Code
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
CyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation ProcessCyberLink LabelPrint 2.5 Exploitation Process
CyberLink LabelPrint 2.5 Exploitation Process
 
Behavior Driven Development with Rails
Behavior Driven Development with RailsBehavior Driven Development with Rails
Behavior Driven Development with Rails
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
Tranning-2
Tranning-2Tranning-2
Tranning-2
 

Recently uploaded

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde

  • 1. From SEH Overwrite with Egg Hunter to Get a Shell! SPEAKER: Rodolpho Concurde COMPANY: self-employed
  • 2. $Whoami Rodolpho Concurde (ROd0X) • Penetration Tester; • Instructor I.T; • Consultant of I.S – 13 years; • EC-C|EH; • Talks at: Hack In The Box, Ekoparty, Arab Security Conference, MorterueloCON, Stackconf, Red Team Village, BSides Calgary, BSides Athens, etc. • Author at Hakin9 Magazine: Stack Overflow; Pentest Magazine: Covert Channel, From Fuzzing to Get a Shell and From SEH Overwrite to Get a Shell; • https://www.linkedin.com/in/rodolphoconcurde; • rconcurde@gmail.com
  • 3. Agenda ● - SEH (Structured Exception Handler); ● - Buffer Overflow; ● - PoC ● – SEH Overwrite; ● – Short JMP; ● – Egg Hunter; ● – Bad Characters; ● – Reverse Shell; ● - Questions??
  • 4. Exception Handler Exception Handler is a chunk of code, from inside of an application which have the objective to handle any exception that can occur during execution of software. The Exception Handler look like with:
  • 5. An exception is an unexpected event (an error) that occurs in a running system or program. When an exception occurs, the program's normal flow of execution is interrupted. It is important that the application can "handle" the exception or error to continue running normally. The addresses of the "exception handlers" are stored on the stack. The Windows Operating System has a default "handler" that catches any exception that is not handled by the program. When Windows handles an exception in an application, you will usually see the message: "program has encountered a problem and needs to close".
  • 6. The SEH works in chain and are localize in end of stack. In the classic Buffer Overflow (vanilla), the exploit overwrites the return address, without worrying about writing more bytes in the stack, but with the SEH Overwrite technique, it is possible to obtain more space for the shellcode, in order to have an exploit more stable.
  • 7. Buffer overflow Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Might be: Heap based: place in the memory which allocate lot amount of data and, dynamically; Stack based: Allocate a limited or fixed size of data, such as, data from local variables or functions.
  • 8. SEH
  • 9. P0C The attacker machine we’ll use the Kali 2020.3 and the vulnerable software that we’ll use is the Easy File Sharing Web Server 7.2, which is running on Windows XP Service Pack 3, and can be download at: https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe
  • 10. P0C Open the Immunity Debugger, after open the vulnerable software, and in Immunity, click at File menu → Attach. Choose the vulnerable software and click at Attach! After click at Play or press F9 to run the vulnerable software inside the Immunity.
  • 11. P0C We begin with the python fuzzing code. This code will send 5000 “A” against the target IP in TCP port 80.
  • 12. P0C For see SEH chain, we should click at menu: View → SEH chain As we can see in image, we have the field Address and SE handler value overwrite with 41414141, then click with: Right button in 41414141 and Follow address in stack.
  • 13. P0C In image below, we see the Pointer to next SEH record and SE handler value overwrite with 41414141, this means that it worked, we overwrite the SEH chain! 8-)
  • 14. P0C Now, we need to find how many characters are necessary to overwrite the SEH, to get control of SEH chain. For this, we will use the tool pattern_create. In Kali, at directory: /usr/share/metasploit-framework/tools/exploit → type: ./pattern_create.rb -l 5000 Pattern_create generated a lot amount of standardized characters. Copy these characters generated, and paste in python exploit script, at variable crash1.
  • 15. P0C So send the exploit code against the target as show the image below. Click at View → SEH chain, and as show image below we have the Address and SE handler overwrite.
  • 16. P0C Now, we will use the tool pattern_offset to find the offset of SE handler. In directory /usr/share/metasploit-framework/tools/exploit, type as show image below: ./pattern_offset.rb -l 5000 -q 46356646
  • 17. P0C We found the offset 4065! This means that we need 4065 bytes to overwrite SEH. In image below, we put in variable crash1: 4061 * “A” + “B” * 4 + “C” * 4, these means that we will fill SEH chain with 4 “B” and 4 “C”.
  • 18. P0C Again, send the exploit code against the target as show the image below. Click at View → SEH chain, after right button at 43434343 and Follow address in stack, as show image below.
  • 19. P0C As show image below, we have BBBB as Pointer to next SEH record, and CCCC as SE handler.
  • 20. P0C Now we need to find in Immunity an instruction POP POP RETN, this instruction will as show image below, make a return to the Pointer to next SEH record, the Pointer to next SEH record, we will overwrite with a jump to our shellcode to get a reverse shell! 8-) Take a look at image below!
  • 21. P0C Now we need to find in Immunity an address which have the instruction POP POP RETN, for this, we will use mona.py script. https://raw.githubusercontent.com/corelan/mona/master/mona.py You should make download of mona.py and paste at: c:Program FilesImmunity IncImmunity DebuggerPyCommands Type in command bar: !mona seh, wait a minute till the Immunity process all.
  • 22. P0C Click at View → Log for see the log! See the image below, “for more pointers, open seh.txt...”
  • 23. P0C See the file seh.txt at folder Immunity Debugger. We’ll use the address 0x100103fe, which is a POP esi, POP edi and RET, with security mechanisms ASLR, Rebase, SafeSEH as False!
  • 24. P0C Now we need to find the OPCODE to instruction JMP SHORT 8, which will be our jump to our shellcode! For this, we will use the tool nasm_shell, as show image below. Type at directory: /usr/share/metasploit-framework/tools/exploit#./nasm_shell.rb nasm> JMP SHORT 8 And we have EB06 as show image below.
  • 25. P0C Now, as show image below, create a variable NSEH and put the value of SHORT JMP with x90x90, which means NOP no operation, NOPs do nothing. And variable SEH, with address to the POP POP RETN. Type your exploit code like show image below!
  • 26. P0C Open the Immunity again, attach the vulnerable software inside of the Immunity, and run the software again. Then, click with right button over the code area, and Go to Expression, as show image below.
  • 27. P0C Now, type the address to the POP POP RETN: 100103fe and click at OK!
  • 28. P0C We found the address to the POP POP RETN; let’s now, put a Breakpoint at address 100103fe to stop in this address; for this, click with right button at 100103fe and click at Breakpoint → Toggle, like show image below.
  • 29. P0C Now run the exploit code again!
  • 30. P0C The software stopped the flow of execution, as we can see in image below, we have an Access violation; press Shift F7, after F9 to continue!
  • 31. P0C Now, we stop at our Breakpoint 100103fe that is the begin of our POP POP RETN. Press F7 to pass step-by-step the POP POP RETN!
  • 32. P0C Arriving the flow of program at RETN, we see the address indicated in the image below: Return to 01876fd4
  • 33. P0C This address 01876fd4 is our JMP SHORT (/x90/x90/xeb/x06), is a jump to our NOPs.
  • 34. P0C We know that have little space to our shellcode, for this we will use a technique called “egg hunter”. Egg hunter is a small piece of shellcode which searches for an actual bigger shellcode which the attacker was not able to fit-in the available buffer space, for this, make use of this little piece of shellcode "egg hunter" to redirect execution flow to shellcode bigger.
  • 35. Now we need to search for bad characters, depending on the application, type of vulnerability and protocols in use, may be certain characters which are considered "bad" and should not be used in your buffer or shellcode. One example of bad characters is 0x00. This character is considered bad because a null byte is also used to terminate a string copy operation, which would truncate our buffer whenever which the null byte appears. For test if has more badchars in the software, close the software and the Immunity, and reopen the Immunity and attach the software in the Immunity again. P0C
  • 36. P0C We will send the string bellow inside of our exploit code. "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10" "x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20" "x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30" "x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40" "x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50" "x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60" "x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70" "x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80" "x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90" "x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0" "xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0" "xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0" "xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0" "xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0" "xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0" "xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"
  • 38. P0C Paste the egg hunter code in exploit code, add the payload2 = badchars, add the egg hunter at crash1 variable and add w00tw00t + payload2 at variable payload. The w00t is a label to find our payload2.
  • 39. P0C See, the w00t is a default value to find our shellcode!
  • 40. P0C Send the exploit code again!
  • 41. P0C In the image below, show the egg hunter code, and click with right button at EDX and Follow in Dump, to show the dump – w00tw00t. Remember, which w00t is a value that come before our shellcode. Egg hunter code Make dump EDX EDX dumped
  • 42. P0C JMP EDI, jump at end of our egg hunter code to our bigger shellcode!
  • 43. Badchars, absence of none badchar! P0C
  • 44. Now, we should generate our shellcode to gain a reverse shell. For this, we will use the tool msfvenom. Do as show image below! P0C
  • 45. Copy the shellcode generated by msfvenom, and paste in your exploit code.
  • 46.
  • 47. Restart the target in the Immunity, put the respective Breakpoint, and send the exploit code updated, against the target. P0C
  • 48. See the code of exploit code is the same than code in Immunity! P0C
  • 49. Shellcode to be execute in Immunity, against the target! P0C
  • 50. Reverse shell at metasploit framework! P0C