Skip to main content

Exploit Development Windows Part - 5



Writing the Exploit for the Discovered Vulnerability

  In exploit development, the execution flow of the vulnerable application depends on the return address of the stack pointer, if you cannot get hold of the stack pointer, all your efforts will be useless.
Finding Pointers

    To find the exact value of where the EIP register is overwritten with the 1000 “A”, or the buffer value of 1000 bytes we have sent, is called “Determining the offset”.

   To find the EIP offset, we need to go back to Metasploit to help us. Let’s quickly generate some set patterns with Metasploit and do the same fuzzing but, this time, we will send some set patterns instead of 1000 “A”s and then will again use Metasploit to find the offset for us.

  
   Creating a pattern with Metasploit.



  
    We will now use this pattern and fuzz the server again. Once successfully fuzzed, the EIP value will have four bytes from this pattern of 1000 bytes.
   At this stage, our fuzzer will now look like what is shown below. And you can see that we are now sending the pattern we have just created, instead of sending 1000 “A”s.



Let’s run the fuzzer and notice the EIP value.

   
     EIP value is now “34684133”. We will take this value and now be able to find the exact value of the offset where our EIP is getting over written. For this we will copy this value and use Metasploit to find the offset value for us, as shown below.

     
    We have used the Metasploit pattern_offset script, as shown above, to find the offset. The offset value it shows is 221, which means that EIP will be overwritten after exactly 221 bytes of buffer data. 
Let’s work on our fuzzer now and start working towards the exploit development phase.

Our exploit code now should look like what is shown below. 


    
    We have created a buffer of size 221. After that, we have EIP with 4 bytes and this holds 4 “C”s and next we have ESP of size 500 which is 500 “B”s. If the exploit works well, we should have 4 “C”s written to EIP and ESP should have “B”s as data.
We will now run the exploit and see the results.


    Something is wrong here, as we can only see that EIP has “42434343”, which means “BCCC”. Hhowever, we programmed our exploit to write 4 “C”s in EIP register, but we lost one byte somewhere while the buffer overflowed. It’s not a big issue as we only lost the one byte and it can be easily fixed by setting the offset size to 222. Let’s recode and re-exploit to see the results. Our exploit will now look like what is shown below.

   
  We have set the buffer size to 222 and then sent EIP and ESP. Let’s re-exploit and see the results in Immunity Debugger.


   
   Here you go, we now have EIP successfully over written with 4 “C”s, which means you now have complete control over the application and vulnerability is successfully discovered. But the exploit is still incomplete.

Calculating Space

What we have to find next are two key things. Ffirstly, we need to ensure the return address, i.e. the pointer, to the ESP register where we will keep our actual code and not just dummy data. Secondly, we need to ensure the total space we have for our shellcode.

To calculate the total space manually, let’s do some calculation.

We first send the 1000 bytes to generate the errors in the application, hence everything should happen within this 1000 bytes of space. Hhowever, out of this 1000 bytes, we use 222 bytes for the offset, so 1000-222= 778, but out of 778, 4 bytes are gone for EIP so we are left with 774 space with our shellcode.

But we don’t know where our stack is starting from, which means we need to ensure that we are not using any bytes while writing our shellcode into the ESP.
   Let’s have a quick look at the stack data we have after controlling the EIP register.
We will simply write the shellcode as: 

“1abcdefjhijkl2abcdefjhijkl3abcdefjhijkl4abcdefjhijkl5abcdefjhijkl6abcdefjhijkl” and the results in the Immunity Debugger.

At this stage, our exploit code should look like what is shown below.


   Once exploited with the above exploit, Immunity Debugger shows the following results.

  
    This shows that our stack highlighted in the above figure is starting from “hij..” instead of our “1ab..”, which means that we lost some 8 bytes. To ensure that we don’t use any bytes of our actual shellcode, we will put some pre-shellcode to ensure that our actual shellcode is not damaged. Our exploit will now look like what is shown below.


  
   
    We have set pre-shellcode of 8 bytes data, which is 8 “C”s, and then we will be sending the actual shellcode. Let’s exploit and see the results to ensure that we are not losing any bytes of our shellcode now.

  
   Great, you can now see that our shellcode is fitted exactly as we coded as you can see that our ESP is now starting from “1abcd..”
 Controlling EIP
   So far, we have been saying that you are controlling EIP but what do we mean when we use the term “Controlling EIP”? At this stage, controlling EIP means that you fully own the flow of application with your shellcode.

What we have so far:

• We know EIP offset
• We know space available for our shellcode
• We know 8 bytes needs to be in pre-shellcode
What we don’t have yet:

• Actual Shellcode
• Location of the ESP pointer
So, let’s first generate the shellcode very easily with the Metasploit help, as shown below. We will use the shell_bind TCP to port 9988. You can generate this shellcode with Metasploit very easily. The shellcode is shown below.


 Our exploit should look like what is shown below after using this shellcode.


  
   We now have a shellcode, which opens a port 9988, and allows us to connect back to the victim machine to get the shell successfully, once executed. But we don’t have the pointer to this shellcode, which is the pointer to ESP.

Writing PoC

            Without the return address of ESP, your exploit code is nothing but just a piece of software code. To make it a real proof of the concept, you need to have the return address so that you can prove that you have exploited the vulnerability and that it results in something you wanted to do with the exploitation. So without return address of ESP pointer, your whole effort ends up in nothing! Now,the question is how to find this. So far, we have been using Metasploit for assisting us in exploitdevelopment. Metasploit does have the power to find the ESP return address but it has its own limitation. We will use Mona.py to do the job for us.
To make it happen, simply use the following command, as shown below, and select any of the return addresses Mona.py gives you in return. However, do ensure that you run this command once you overwrite the ESP.

   
   You can see that Mona.py has found 54 pointers for us. Use any of these and pack the EIP value with any one of these. We will use the pointer value as shown in the below snapshot.


   
   To fix the value into the EIP register is very easy; break the value and reverse it, as shown below, to save in the variable called myeip





  
     Connecting to the port 9988 to get the shell and you can see port 9988 is now open



Popular posts from this blog

Haking On Demand_WireShark - Part 5

Detect/Analyze Scanning Traffic Using Wireshark “Wireshark”, the world’s most popular Network Protocol Analyzer is a multipurpose tool. It can be used as a Packet Sniffer, Network Analyser, Protocol Analyser & Forensic tool. Through this article my focus is on how to use Wireshark to detect/analyze any scanning & suspect traffic. Let’s start with Scanning first. As a thief studies surroundings before stealing something from a target, similarly attackers or hackers also perform foot printing and scanning before the actual attack. In this phase, they want to collect all possible information about the target so that they can plan their attack accordingly. If we talk about scanning here they want to collect details like: • Which IP addresses are in use? • Which port/services are active on those IPs? • Which platform (Operating System) is in use? • What are the vulnerabilities & other similar kinds of information. • Now moving to some popular scan methods and ho...
Read more

Bypassing Web Application Firewall Part - 2

WAF Bypassing with SQL Injection HTTP Parameter Pollution & Encoding Techniques HTTP Parameter Pollution is an attack where we have the ability to override or add HTTP GET/POST parameters by injecting string delimiters. HPP can be distinguished in two categories, client-side and server-side, and the exploitation of HPP can result in the following outcomes:  •Override existing hardcoded HTTP parameters  •Modify the application behaviors   •Access and potentially exploit uncontrollable variables  • Bypass input validation checkpoints and WAF rules HTTP Parameter Pollution – HPP   WAFs, which is the topic of interest, many times perform query string parsing before applying the filters to this string. This may result in the execution of a payload that an HTTP request can carry. Some WAFs analyze only one parameter from the string of the request, most of the times the first or the last, which may result in a bypass of the WAF filters, and execution of the pa...
Read more

Bypassing Web Application Firewall Part - 4

Securing WAF and Conclusion DOM Based XSS DOM based XSS is another type of XSS that is also used widely, and we didn’t discuss it in module 3. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie, and it is also a security feature that limits scripts on different domains from obtaining cookies for other domains. Now, the XSS attacks based on this is when the payload that we inject is executed as a result of modifying the DOM environment in the victim’s browser, so that the code runs in an unexpected way. By this we mean that in contrast with the other two attacks, here the page that the victim sees does not change, but the injected code is executed differently because of the modifications that have been done in the DOM environment, that we said earlier. In the other XSS attacks, we saw the injected code was ...
Read more