AdSense

Wednesday, November 2, 2016

STACK OVERFLOW / 1 - Exploiting SLMail email server


STACK OVERFLOW: EXPLOITING SLMAIL


- Layout for this exercise:





0 - Introduction

- The POP3 server of Seattle Lab Mail 5.5 suffers from an unauthenticated buffer overflow vulnerability when receiving a very long password. This vulnerability can be exploited in any version of Windows running the executable smail.exe.

- Related information:

https://www.cvedetails.com/cve/CVE-2003-0264/

https://www.rapid7.com/db/modules/exploit/windows/pop3/seattlelab_pass

https://www.exploit-db.com/exploits/638/




1 - Installing and running the SLMail service


- Launching the installer in the victim, a Windows 7 machine:
















- The service is started with administrative privileges:











- From the attacker Kali, checking that the service is running on the victim Windows:















2 -  Overwriting the stack

- Writing a basic Python exploit to overwrite the stack of the victim with 'A' characters:






- Giving execution permissions to the  exploit:



- Attaching SLmail process to Immunity Debugger:








- Let's notice that the PID would change any time the program is run:




- Running the program   .


- Launching the exploit from the attacker Kali to the victim Windows 7:





- The stack is overwritten and the program crashes because it is forced to access a non executable address (0x41414141 is the hexadecimal representation of AAAA).




- Both EIP and ESP are overwritten with 'A's:







3 - Controlling the EIP


- With the purpose of detecting where the EIP is overwritten an easily recognizable string of 3500 Bytes is created and sent. 

- This string holds a unique pattern created with a Ruby script. In that way, it will be very easy to recognize and detect the bytes that are actually overwritting the EIP.


etc ...


- The string is introduced in the Python exploit:




- Again, SLMail service is restarted and the process attached to Immunity Debugger.


- Launching the new exploit: 



- The program crashes, but now the EIP and ESP are overwritten with 39694438 and 44306A44:








- Using a Ruby script to detect the position where both 
39694438 and 44306A44 are located:







- Now, the Python script can be modified according to previous results:


i) the set of 'A's will reach up to the EIP location.
ii) EIP is will be overwritten with four 'B's.
iii) the rest of the stack will be overwritten with 'C's, where ESP points directly to the beginning of this section.




- Again, SLMail service is restarted and the process attached to Immunity Debugger.

- Launching the new exploit:




- As expected, the program crashes. EIP is overwritten with four 'B's, and ESP (0163A128) points to the start of the 'C' section. The 'C' area will be the best one to locate the future shellcode.









4 - Hunting bad characters

- Bad characters are those ones interpreted literally by the program, so that the program is truncated in the middle of the execution.

- With the purpose of identifying bad characters, a string with all the possible hexadecimal characters is created.




- The Python script is modified, introducing the AllChars string in the 'C's section:






- Again, SLMail service is restarted and the process attached to Immunity Debugger.

- Launching the new exploit:



- The program crashes as usual, because EIP points to a non executable area of 'B's:






However, a close inspection of the memory details that the buffer execution has been interrupted just after the four 'B's, just where the AllChars strings would begin to be executed. This means that the character '0x00' truncates the execution of the rest of the buffer:




- So, '\x00' should be removed from the exploit:







- Let's go on searching for more bad characters.

- Again, SLMail service is restarted and the process attached to Immunity Debugger.

- Launching the new exploit:









- Following in dump the evolution of the buffer execution:





- Now, the execution of the buffer has been interrupted just after '0x09', so we conclude that '0x0A' is also a bad character:





- Removing 
'0x0A' from the exploit:






- Again, SLMail service is restarted and the process attached to Immunity Debugger.

- Launching the new exploit:








- Now, the execution of the buffer has been truncated between '0x0C' and '0xE', so we conclude that '0x0D' is also a bad character:










- Removing 
'0x0D' from the script:






- Again, SLMail service is restarted and the process attached to Immunity Debugger.

- Launching the new exploit:









- Now the whole set of characters is correctly executed, so there are no more bad characters: 




- To sum it up, there are 3 bad characters that being interpreted literally by the compiler, their immediate effect consist on truncating the normal execution of the program. Once removed, the buffer is executed correctly.



0x00 = Null Byte = terminates a string copy operation.
0x0D = Carriage Return = resets to the beginning of a line of text.
0x0A = Line Feed = advances by the space of one line.


5 - Redirecting the flow execution

- The goal of this part of the attack is to find an stable way of redirecting the execution flow to the memory section (now, full of 'Ç's, and pointed by ESP), where the shellcode will be located. 

- One way of achieving that goal would be finding an instruction JMP ESP located in a memory section not subject of changes. Let's remember that techniques like ASLR or DEP rebase the memory address allocations in each reboot of the system. 


mona.py is a tool written in Python and available with Immunity Debugger that helps finding a reliable JMP ESP instruction.

- First, all modules are examinated, and SLMFC.DLL is identified as not having memory protection techniques: Rebase = False, SafeSEH = False, ASLR = False.









- Now, let's find the opcode of instruction of JMP ESP:




- Again, using mona.py, the module SLFC.DLL is searched until finding a JMP ESP instruction (opcode \xFF\xE$):





- One JMP ESP instruction is detected at address 5F4A358F: 




- Following the memory address 
5F4A358F:






- As indicated by mona.py, the JMP ESP is found at 
5F4A358F:




- Then, the set of four 'B's on the Python exploit is replaced by the memory address 
5F4A358F, introduced in reverse order '\8F\x35\x44\x5F', due to the fact that x86 processor architecture follows the Little Endian format (least significant byte occupying the lowest memory position):




6 - Generating a shellcode


msfvenom helps generating a shellcode, with these options:

a) payload: -p windows/shell_reverse_tcp
b) local host,  attacker's IP = LHOST = 10.11.0.203
c) local port, LPORT = 443, where the attacker listens for a shell reverse connection
d) format = -f c, language C
e) encoding = -e x86/shikata_ga_nai
f) EXITFUNC = thread, the execution of the shellcode does not shutdown smail.exe
g) bad characters = \x00\x0A\x0D





- The Python script is redefined to include the shellcode. Also, introducing a bunch of NOP (\x90) instructions for ensuring that the shellcode is going to actually be executed.




- The final exploit:



7 - Exploiting the victim


- Now, to test the exploit, the attacker sets up a listener session on port 443: 



Again, SLMail service is restarted:





- Launching the exploit, the attack is successful, because the attacker achieves a remote shell of the victim:





- Also, it can be checked that after running the exploit in the victim, the process SLmail.exe is still alive:







ALTERATION OF A PROGRAM AT RUNTIME - Example 2 - Changing output - Evans Debugger with Linux


ALTERATION OF A PROGRAM AT RUNTIME - Example 2 - Changing output - Evans Debugger with Linux

EDB-Debugger (Evan's Debugger) is an analyzer, debugger and disassembler for multi architecture binary files with ELF format (executable and linkable format). EFL is the standard format for executable files, object code, shared libraries, and memory dump.

- The goal of the author, Evan Teran, was to create a similar tool to OllyDbg analyzer for usage with Linux systems. Although GDB (GNU Debugger) is available for Linux, this analyzer only works through command line, providing no GUI. 

- In this example EDB-Debugger will be used to alter the runtime operation of a program written in C language.

- First we create a simple program (prueba.c) in C language, the result of which is to print out the string HOLA:




- Compiling:




- Running, and the result is that the program prints the string HOLA in the console:




- To begin the analysis the executable file is loaded in the debugger EDB:




- Running the program, the output is the expected HOLA:




- Then we seek the location of the string HOLA within the program. The path is as follows: Plugins -> Binary Searcher -> Binary String Search Ctrl + F




- EDB allows to enter directly characters searched in ASCII. The result of that search string in hexadecimal is 48 4F 4C 41 = H O L A, located in the memory segment between positions 0804840F and 0804940F:




- Indeed, in previous memory position we find the following statement, one of whose operands is 0x414C4F48.




The operand is stored in Little Endian format (least significant byte at lowest memory position): 

0x414C4F48 = 48 4F 4C 41 = HOLA (in ASCII)

- In order to alter program operation at runtime, right clicking on previous instruction, and in the displayed menu choosing the Edit Bytes option:




This option allows to edit the ASCII code, and where it says HOLA to write BYE:




Instruction is altered, being the operand in Little Endian format 0x455942 the ASCII value of string character BYE:




- After running the program, we see that the output is now BYE:





ALTERATION OF A PROGRAM AT RUNTIME - Example 1 - Bypassing authentication


ALTERATION OF A PROGRAM AT RUNTIME - Example 1 - OllyDgb with Windows - Bypassing authentication

- The goal of this exercise is to alter the execution flow of a program at runtime. 

- The program is written in C language, and its normal operation consists of the user entering the password "PARIS" and the program showing the message "Password OK". In case of entering an invalid password the program answers "Password NOT OK".



- The alteration consists on bypassing the authentication so that any invalid password would be considered valid by the program. To solve this problem there are many alternatives.

- A simple solution resides on altering only 1 assembly instruction for the executable program, accessed through the debugger OllyDbg.

- First, we should study the code of the program in C language.

- The following statement prints on the screen the string "Password:" inviting the user to enter the password:

printf ( "Password");

- The program reads the password string that the user is entering, printing as the user is typing:

gets (password);

- The program compares the string "PARIS" (valid password) with the new string entered by the user.

if (strcmp (password, "PARIS") == 0)

- Then, depending on the result of the comparison, the program will jump either conditionally to print the message of invalid password ...

printf ( "Password NOT OK \ n");

... or calling the passwordOK() function ...

passwordOK ();

... whose code prints on the screen the valid password prompt:

printf ( "Password OK \ n");

- To solve the problem it can be introduced an unconditional jump (JMP, in assembler) to the memory address where passwordOK() routine begins just after the user has entered his password, and before it occurs the comparison with "PARIS".

- In this way it prevents the program to jump conditionally (JNZ, depending on the result of the comparison) to one place or another.

- Let's examine the solution in assembly language using the debugger OllyDbg.

- Once the executable file in OllyDbg loaded, we stand on the entry point of the program, pressing the blue triangle on the toolbar.

- In the analytical column, fragments of assembly language related to the corresponding program in C language are easily observed

- In this first fragment the program reads the password from the screen as the user is introduced.

- See how the program calls to the gets C language function in the memory address 00401378, using the CALL instruction <JMP.& msvcrt.gets.>:




Then, by calling the C function strcmp, assembler CALL <JMP. & Msvcrt.strcmp>, located in the memory address 0040138C, the program compares the password entered by the user with the string "PARIS". Depending on the result, it is run or not a conditional jump JNZ SHORT pac1.0040139F, because this instruction depends on the sign flag Z. That is, if the result of the comparison is 1 the flag z (Z flag = 1) is triggered, which means that the password entered by the user is different from "PARIS" and the message "password NOT OK" is printed on the screen.

- It is important to note that the destination address 0040139F of the conditional jump JNZ holds the routine printing screen message "Password NOT OK".





- Here, the entire code snippet recently commented:




- Now, to alter the program successfully, so that the program displays the message valid password regardless of its content, it will have to interrupt the flow of control of the normal program, executing an unconditional jump to the PasswordOK () function, just before that can run the comparison previously studied.

- It is therefore important to detect that the PasswordOK() function begins at the memory address 004013E6:




- To alter the program at runtime on the 0040138C instruction calling strmcpy (we do not want that instruction to be run), a right click is made in the displayed menu option, clicking Assemble:




- In the empty space the unconditional jump instruction JMP SHORT 004013E6 is introduced, which refers to the code snippet PasswordOK() routine, beginning as we saw in the memory address 004013E6. The jump is of SHORT type because it is a close jump within the same code segment, less than 127 bytes away.




- The debugger OllyDbg enters 3 NOP (0x90 in hexadecimal) to fill the empty spaces after replacing one instruction for the other one. This ensures an smooth execution of the program, avoiding the possibility of unwanted rewriting of some memory addresses:




The EIP register shows that the next instruction to be executed after 0040138C (unconditional jump JMP) instruction is 004013E6 where passwordOK() routine starts. Thus, successive values ​​of EIP and the instructions executed are:



- Finally, entering the passwordOK () routine:




- It is noticed that once the program is resumed, after the previous change, entering different erroneous passwords (such as "hello", "goodbye", or a string of different nonsense characters), however the program recognizes all of them as valid. So it can be considered that the implemented alteration achieved the desired objective of bypassing the authentication:






FORMAT STRING ATTACKS - Disclosure of information and DoS


0 - INTRODUCTION

- Format String vulnerabilities result from data entry in a program under the guise of "format strings". The format strings are characters used in the input and output functions to specify the conversion between a data set and a string of characters.

- Thus, vulnerability is a result of the interpretation by the program of data inputs as instructions or commands of language itself. The consequences of the attack would be for example the execution of arbitrary code, reading or dumping the stack as a protected information disclosure, and denial of service, all affecting the security and stability of the system.

- Although C and C ++ languages are prone to suffer from Format String attacks, other programming languages are also vulnerable to these attacks, such as Perl, PHP, Java, Ruby, etc ... 

- The below links offer information about Format String attacks in several different languages than C / C ++:

http://www.drdobbs.com/security/programming-language-format-string-vulne/197002914

http://www.drdobbs.com/security/programming-language-format-string-vulne/197002914?pgno=2

http://www.drdobbs.com/security/programming-language-format-string-vulne/197002914?pgno=3

http://www.drdobbs.com/security/programming-language-format-string-vulne/197002914?pgno=4


- During the resolution of this exercise the C language has been used  because it is traditionally which has suffered most attacks of Format String type.

- To explain the attack should be noted the following:

a) Function Format: ANSI C standard converts a variable primitive programming language as a format function representation in the form of readable string for a human being. For example: printf, fprintf, sprintf, etc ... are examples of language functions in format C. Such functions are called variadics, and characterized by accepting a variable number of arguments. As we will be seen below, the arguments can be of two types: on the one hand the argument that characterizes the format output, on the other hand the values to be formatted.

b) Format String: this is the set of arguments used in the function format and are composed of text and parameters ASCIIZ (ASCII Code 0, strings ending in 0) type. Its utility is to specify and control the representation of variables. They are quoted, for example: printf ( "Today is November day %d. \ n", 22);

c) Conversion Character: this is the parameter that defines the type of conversion to be performed by the format function. For example %d (integer, reads an integer from memory), %f (Floating point, reading a real number format from memory), %c (char, a single character), %s (string, reading from the memory of a string of characters), %x (reading from the stack an hexadecimal number), etc ...

- As mentioned above, the attack would be implemented by inserting entries maliciously crafted, what would not be adequately validated by the program, so that the behavior function format would be different than expected.

- Regarding comparison with Stack Overflow attacks, both attacks seem interested in making a malicious usage of the stack. However, while the attack Stack Overflow is specially designed to rewrite the contents of the stack, forcing the program to execute arbitrary instructions, the Format String attack focuses on using converters from C language, for example %s, %x, etc ..., so that the stack interpreters the converters as part of the entered parameter in the function as an argument.

- The consequences of an Stack Overflow attack usually result in altering the flow control program, which executes its instructions leading to different outputs from initial purpose. However, Format String attacks are oriented either to the disclosure of information stored in certain memory locations or the denial of service (DoS). Both cases can be checked in detail in the following example.


1 - FORMAT STRING ATTACK - EXAMPLE - Disclosure of information and DoS

- To ilustrate the Format String attack a simple program (fs.c) written in C will be used.

- The original purpose of the program is simply to return to the screen the argument entered by the user at the command line.

- However, the program contains proprietary information ("INFORMACION 1" and "INFORMACION 2") that might be disclosed using a Format String attack.

- Editing and compiling the program in a Linux enviroment:




- Let's examine the code of the program. Two pointers (*s1 and *s2) are defined to memory locations that store certain reserved information:



Also, an instruction has been introduced which aims simply to print out the argument argv [1] inserted by the user via the command line: 

printf (argv [1]);


- Thus, the purpose of the program in not at all intended to "reveal" the information stored in s1 and s2, but simply return to the screen the argument entered by the user. 

- However, let's see how through manipulation of the command line input the result can be very different than expected.

- First, let's enter a string in the command line argument, which is printed below the screen, according to the proper purpose of the program:



- However, let's see what happens when the arguments are entered by the user conversion characters.

- Introducing %s:



- Introducing %s%s:



- Introducing HOLA%s%s:




- It is observed that by introducing in the command line the converter %s a "revelation of information" (information disclosure, information leakage) occurs, so that the program behavior differs from the original purpose of it.

- As defined in the program, pointers *s1 and *s2 are stored on the stack in consecutive positions, prior to argument argv [1] expected to be received by the line command.

- Thus, upon receiving as input the conversion character %s, the printf function reads from the stack the nearest string, printing it. Upon receiving %s%s it performs the same operation with the two strings stored in the stack.

- To check the above concepts and analyze the contents of the stack the gdb GNU debugger  will be used on the program.

- The disassembly of the main function shows that the call to printf function occurs in the memory address 0x08048433:




- Setting a breakpoint just before the call to printf, at the above address 0x08048433:




-The program is run with the input argument HOLA:



- The content of the stack is analyzed:




Arguments received by the printf routine are stored in the lower memory addresses of the stack:




- The stack would have the following content, from low to high memory, placing the esp pointing to the direction 0xbffff598, which contains the string HOLA introduced by command line:




This explains that while printf reads arguments stored on the stack they are consecutively printed on the screen. In this case only HOLA because it has been executed the gdb command (gdb) run HOLA:




- Now, what would happen in case of introducing into the program many string parameters, beyond the values stored on the stack? The program would begin to read meaningless memory addresses, printing strange characters:





Finally, in case of entering more converters % s the result would be the failure of the program (segmentation fault), because it would be trying to access invalid addresses. For example:




- See the same result in gdb:




The program finishes running with a SIGSEGV signal indicating an invalid memory access, or segmentation fault.




In this late case the attack would result into a denial-of-service attack (DoS), since the program fails without performing the purpose for it was written.

- Another interesting converter for conducting String Format attacks is converter % x, which reads the stack in hexadecimal values.

 - Let's see what happens with gdb running on four %x converters :










- At that point of the execution, the contents of the stack are:




- The program runs to the end, and the output matches the contents of the stack, except the first memory location (whose content will be seen soon):



The first contents of the stack (lowest memory addresses) are the converters themselves %x% x%x%x, introduced as parameters:




- It can be observed the same result running the program directly from the command line, with fout %x converters arranged in the form of 0x%08x. The result would be the dump of the stack content

- It means that the memory addresses stored on the stack in hexadecimal format would be obtained:




Since the program output matches the contents of the stack it is concluded that the information disclosure attack has been successful.