In this post, I'll try to exploit a software called "File Sharing Wizard" version 1.5.0 build 26-8-2008. This software have a SEH protection. So, I'll use the technique like when I exploit BigAnt server.
Lets get started..
- First thing to do is install the software on your xp machine.
- This is a file server, so we will use a remote exploit for our fuzzer.
- Hmm.. it is running on the http port (80). This means we can access it from our backtrack host.
- Authentication required, because I haven't create a user this means this software have a default username and password. Lets search it on the software.
- Found it. Enter on the authentication window.
- Main page.
- Because this software requires the user that want to use it to login, maybe we can attack it with our fuzzer from its username or password.
- Sniffing using Wireshark.
- Found nothing about the packet sent while login. Maybe this point can't be attacked. Lets search for the other point that can be attacked in the captured packets.
- Hmm.. looks like this command is vulnerable.
HTTP/1.1 200 OK
- Packet's details
- There is this "content-length" section. Maybe we can overload it with our own text to overflow it.
- Lets make the fuzzer.
Fuzzer:
- Execute it then see what happen in the software.
- It crashed.. :D
- See what happen in OllyDbg.
- The SEH Chain
- Shift+F9 to transmit the data to the EIP.
- Next step as usual we must create a pattern to determine from what byte the SEH is overwritten.
# cd /pentest/exploits/framework/tools./pattern_create 10000
- Then insert to the fuzzer.
Fuzzer:
- Execute then see what happen in OllyDbg with the software.
- Using pattern_offset to find the exact bytes.
# ./pattern_offset.rb 42386942
1044
- Lets try to overwrite SEH with our "DEADBEEF" data.
Fuzzer:
- Execute then see what happen in OllyDbg.
- Success..
- Next step we must find the modules that contain POP POP RETN command inside and does'nt have SafeSEH Protection integrated in it.
- After searching for some time, I decide to use oledlg.dll located in system32.
- Location of the POP POP RETN inside the module
- Ok, lets insert it to our fuzzer.
Fuzzer:
- Lets generate the payload. The payload will open a calculator when works.
- Insert it to our fuzzer.
Fuzzer:
- Execute it and then see what happened. If a calculator shows up after the fuzzer is executed that means the exploitation is successfull.
Unfortunatelly in my case, there is some problem, the exploit won't start and I have a difficult time searching for the bad characters.
But, as soon I find the right payload and fuzzer I will update immediatelly. ^_^b
"the quieter you become, the more you are able to hear.."
6 comments:
Our problem is not an Bad Character, but is cause nullbyte, however we use input of module that is will be change and avoid "00" character in module,I was try to change value of JUMP SHORT but that is not change anything to solve that problem, I also try in net-ninja.net clue but I found totaly failed cause that site/blog not give clear tutorial... that is not imposible to do but just harder...
hmm..
i think so, the problem is not on the bad character because when I use the payload from
http://litle-book.blogspot.com/2011/12/seh-based-buffer-overflow.html
its still not work.
yes, this morning i also try the tutorial in net-ninja.net but didn't solve the problem. =,=a
stress, finally i open the exploitdb for some clue and guess what, it still wont solve anything.. :(
exploitation success on Windows XP SP2 but didn't work with SP3, I think have some revision protection on SP3, maybe for solution is use another jump short and jump back in null byte after, then use egghunter (maybe) for make space for payload. my knowlegde about that now is dull, we need to learn more
i think egghunter is not the solution..
because when i open exploitdb, it says that we have a "huge" bytes data to store our payload.
i also think that is the problem, microsoft have patched the system in SP3. :P
the script i found in exploitdb also in SP2 not for SP3.
but still, it is not imposible to exploit it. and i'm totally agree with you that we should learn more and try harder.. :D
The addresses specified in a SEH list usually point to routines that perform actions such as displaying a dialog box that tells the end user that the program has experienced an exception, and terminating the application.
> Hollister UK : hmm...
still have to research it..
thanks for the info.. :)
Post a Comment