Buffer Overflow Vulnerability w/ restricted characters
Kali Linux
Windows Vista
Vulnerable application: vulnserver.exe (LTER)
Vulnserver.exe is meant to be exploited mainly through buffer overflow vulnerabilities. More info about this application and where to download it can be found here:
For the LTER command, there are two ways to exploit the buffer overflow vulnerability; however, both exploits have similar restricted characters.
- Part 1: Vanilla Buffer Overflow w/ Restricted Characters
- Part 2: SEH-based Buffer Overflow w/ Restricted Characters (click here for Part 2)
Let's get started...
Fuzzing
Similar to the GMON write-up, I used boofuzz to do the initial fuzzing.
...and after crashing the program, we recreate the crash using the following proof-of-concept.
We get a pretty vanilla buffer overflow where EIP has been overwritten with 41s.
Also note that ESP currently points to our buffer. This is key once we find an address to redirect EIP to.
Now we will need to determine our offset and see exactly which part of our buffer overwrites the EIP register.
As usual, this is accomplished using Metasploit's pattern_create.rb to generate 3000 unique characters.
Update our POC with the unique characters, send the exploit, and examine the crash in Immunity Debugger.
Here we can see that EIP has been overwritten with the following value: 386F4337
Metasploit's pattern_offset.rb can be used to determine the offset with this value.
Once we determine the offset, we update our POC again.
We send the POC one more time and examine the crash...if our offset is correct, EIP should be overwritten with x42s.
In this case, we can see that 42424242 was successfully loaded into the EIP register.
Finding bad characters
Now that we are able to control EIP...we will need to find an address to redirect it to. Since we know that the ESP register points to our buffer, we will be looking for a JMP ESP address. However, before we choose an address, we will need to verify whether there are any bad characters.
We update the POC with the following 256 unique hex characters.
After running a few tests, it's verified that anything over 7F has 7F subtracted from it, as we can see below in our dump, such that x80 - x7F = x01.
This means we will not be able to use any hex characters over 7F.
Allowed characters:
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f
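To make the bad-character step concrete, here is an added Python example (not code from this write-up) that models the 0x7F subtraction seen in the dump, diffs the probe bytes sent against the bytes that landed, and checks a candidate value such as the JMP ESP address against the resulting bad set. The transformation rule, the exclusion of 0x00 from the probe, and the truncation handling are assumptions, not something the write-up states.

```python
# Added example: model the LTER byte mangling and derive bad/allowed characters.
# Assumption: every byte above 0x7F has 0x7F subtracted (x80 - x7F = x01);
# bytes 0x00..0x7F pass through unchanged. 0x00 is left out of the probe
# on the assumption that it terminates the string.

def lter_transform(data: bytes) -> bytes:
    """Simulate what the handler does to each byte before it lands on the stack."""
    return bytes(b - 0x7F if b > 0x7F else b for b in data)

def probe_bytes() -> bytes:
    """The 255 unique byte values sent in the bad-character test (0x00 excluded)."""
    return bytes(range(0x01, 0x100))

def find_bad_chars(sent: bytes, landed: bytes) -> list[int]:
    """Byte-by-byte diff of the buffer sent against the buffer seen in the dump."""
    bad = {s for s, r in zip(sent, landed) if s != r}
    if len(landed) < len(sent):
        # A shorter dump means the byte at the cut-off point truncated the string.
        bad.add(sent[len(landed)])
    return sorted(bad)

def allowed_chars(sent: bytes, landed: bytes) -> bytes:
    """Complement of the bad set: the values that survive the transformation."""
    bad = set(find_bad_chars(sent, landed))
    return bytes(b for b in sent if b not in bad)

def is_clean(payload: bytes, bad: set[int]) -> bool:
    """True when no byte of payload would be mangled by the handler."""
    return not any(b in bad for b in payload)

def format_allowed(allowed: bytes) -> str:
    """Render the allowed set in the \\xNN form used in the write-up."""
    return "".join(f"\\x{b:02x}" for b in allowed)

if __name__ == "__main__":
    sent = probe_bytes()
    landed = lter_transform(sent)  # stand-in for the bytes read out of the debugger dump
    bad = find_bad_chars(sent, landed)
    print(f"{len(bad)} bad characters: 0x{bad[0]:02x}..0x{bad[-1]:02x}")
    print("allowed:", format_allowed(allowed_chars(sent, landed)))
    # The JMP ESP address from the write-up, 62501203, is made only of allowed bytes.
    print("62501203 clean:", is_clean(bytes.fromhex("62501203"), set(bad)))
```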
Now we will need a CALL ESP or JMP ESP address...this will ultimately land in our 'Cs', where our reverse shell will be loaded, while keeping the restricted characters in mind.
We find the following address using mona.py in Immunity Debugger:
FF E4 = jmp esp
Address: 62501203. We can verify this address is a JMP ESP by searching for it.
At this point, we can update our EIP to redirect to this JMP ESP address.
As we follow the crash in Immunity, we can see that EIP has been successfully overwritten with our JMP ESP address.
...once we take the JMP ESP, we are redirected to the top of our Cs.
Reverse shell time!
We will need to create our reverse shell and encode it with x86/alpha_mixed in order to avoid the restricted characters.
We update our POC one last time.
Again we follow the JMP ESP and we hit the beginning of our reverse shell. We let code execution continue and successfully get a reverse shell on our Kali listener.