O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
EXPLOIT
DEVELOPMENT
WITH PYTHON
Tom Gregory
id:python Gathering
27 April 2013
AGENDA
 Memory
 Stack/Buffer Overflow
 Structured Exception Handler (SEH)
 Escape from small space
 Egghunter
 Demo
Args./Environment
Stack
Unused Memory
Heap (dynamic data)
Static Data .data
Program Code .text
PROCESS MEMORY LAYOUT
High ...
STACK BUFFER OVERFLOW
#include <string.h>
void foo (char *bar)
{
char c[12];
strcpy(c, bar); // no bounds checking...
}
in...
STACK BUFFER OVERFLOW
Unallocated stack
char c[12]
char *bar
Saved frame
pointer
(EBP)
Return Address
(EIP)
Parent routine...
STACK BUFFER OVERFLOW
Unallocated stack
char c[12]
char *bar
Saved frame
pointer
(EBP)
Return Address
(EIP)
Parent routine...
STACK BUFFER OVERFLOW
Unallocated stack
Memory addressStack growth
A A A A
A A A A
A A A A
A A A A
A A A A
A A A A
A A A A...
WHAT IS SEH?
This structure ( also called a SEH record) is 8 bytes and has 2 (4
bytes each) elements :
 a pointer to the ...
WHAT IS SEH?
Image was taken without permission from http://images.google.com
LOOK AT THE SEH STRUCTURE
Beginning of SEH chain
 SEH chain will be placed at the top of the main data block
 It also ca...
HOW SEH WORKS?
Stack
TEB
FS[0]: 0012FF40 0012FF40
0012FF44
0012FFB0 : next SEH record
7C839AD8 : SE Handler
0012FFB0
0012F...
PROTECTIONS AGAINST SEH
XOR
 before the exception handler is called, all registers are XORed
with each other, so it will ...
PROTECTIONS AGAINST SEH
SafeSEH
 additional protection was added to compilers, helping to stop the
abuse of SEH overwrite...
ABUSING SEH
On direct RET technique:
 Simply find an instruction to jump to the stack, done.
While on SEH Based:
 You ca...
ABUSING SEH
In other words, the payload must do the following things:
 Cause an exception. Without an exception, the SEH ...
ABUSING SEH
 When the exception occurred, the position on the stack will going like
this:
 Possible value to overwrite S...
ABUSING SEH
Image was taken from http://corelan.be
with permission from Peter van Eeckhoutte (Corelan)
ESCAPE FROM SMALL SPACE
 Use Egghunter
 “Staged shellcode”
 Use small amount of custom shellcode to find the actual “bi...
EGGHUNTER
 There are 3 conditions that are important in order for this
technique to work
 We must be able to jump to (jm...
ENOUGH TALKING!
1ST SKELETON EXPLOIT: CRASH IT!
#!/usr/bin/python
from socket import *
junk = "x41" * 10000
s = socket(AF_INET, SOCK_STREA...
2ND SKELETON EXPLOIT: EIP
OVERWRITE
#!/usr/bin/python
from socket import *
junk = [random data generated from msf]
s = soc...
3RD SKELETON EXPLOIT: SMALL
SPACE
 Egghunter
x66x81xcaxffx0fx42x52x6a
x02x58xcdx2ex3cx05x5ax74
xefxb8x77x30x30x74x8bxfa
x...
4TH FINAL EXPLOIT
 Exploit DB
 http://www.exploit-db.com/exploits/19266/
 Metasploit
 http://www.exploit-db.com/exploi...
EOF
tom@spentera.com
Próximos SlideShares
Carregando em…5
×

Exploit Development with Python

1.896 visualizações

Publicada em

A small example of how python can be used during exploit development. This was an event prepared by Indonesia Python Community.

Publicada em: Tecnologia
  • Seja o primeiro a comentar

  • Seja a primeira pessoa a gostar disto

Exploit Development with Python

  1. 1. EXPLOIT DEVELOPMENT WITH PYTHON Tom Gregory id:python Gathering 27 April 2013
  2. 2. AGENDA  Memory  Stack/Buffer Overflow  Structured Exception Handler (SEH)  Escape from small space  Egghunter  Demo
  3. 3. Args./Environment Stack Unused Memory Heap (dynamic data) Static Data .data Program Code .text PROCESS MEMORY LAYOUT High addresses Top of memory 0xFFFFFFFF Low addresses 0x00000000 Stack grows down by procedures call Heap grows up e.g. by malloc and new
  4. 4. STACK BUFFER OVERFLOW #include <string.h> void foo (char *bar) { char c[12]; strcpy(c, bar); // no bounds checking... } int main (int argc, char **argv) { foo(argv[1]); }
  5. 5. STACK BUFFER OVERFLOW Unallocated stack char c[12] char *bar Saved frame pointer (EBP) Return Address (EIP) Parent routine’s stack Memory addressStack growth
  6. 6. STACK BUFFER OVERFLOW Unallocated stack char c[12] char *bar Saved frame pointer (EBP) Return Address (EIP) Parent routine’s stack Memory addressStack growth h e l l 0o
  7. 7. STACK BUFFER OVERFLOW Unallocated stack Memory addressStack growth A A A A A A A A A A A A A A A A A A A A A A A A A A A A x08 x35 xc0 x80 Fill the stack with ‘A’ Overwritten return address at 0x80c03508 Parent routine’s stack Little Endian 0x80c03508
  8. 8. WHAT IS SEH? This structure ( also called a SEH record) is 8 bytes and has 2 (4 bytes each) elements :  a pointer to the next exception_registration structure (in essence, to the next SEH record, in case the current handler is unable the handle the exception)  a pointer, the address of the actual code of the exception handler. (SE Handler)
  9. 9. WHAT IS SEH? Image was taken without permission from http://images.google.com
  10. 10. LOOK AT THE SEH STRUCTURE Beginning of SEH chain  SEH chain will be placed at the top of the main data block  It also called FS:[0] chain as well (on intel: mov [reg], dword ptr fs:[0]) End of seh chain  Is indicated by 0xFFFFFFFF  Will trigger improper termination to the program
  11. 11. HOW SEH WORKS? Stack TEB FS[0]: 0012FF40 0012FF40 0012FF44 0012FFB0 : next SEH record 7C839AD8 : SE Handler 0012FFB0 0012FFB4 0012FFE0 : next SEH record 0040109A : SE Handler 0012FFE0 0012FFE4 FFFFFFFF : next SEH record 7C839AD8 : SE Handler
  12. 12. PROTECTIONS AGAINST SEH XOR  before the exception handler is called, all registers are XORed with each other, so it will make them all point to 0x00000000 DEP & Stack Cookies  Stack Cookies or Canary is setup via C++ compiler options  DEP will mark the memory stack to no execute.  It was introduced since Windows XP SP2 and Windows 2003, enabled by default on Windows Vista and 7  Those two protections can make it harder to build exploits.
  13. 13. PROTECTIONS AGAINST SEH SafeSEH  additional protection was added to compilers, helping to stop the abuse of SEH overwrites.  It will check the original value of SEH, if it overwritten, SafeSEH will try to bring it back to the original value.
  14. 14. ABUSING SEH On direct RET technique:  Simply find an instruction to jump to the stack, done. While on SEH Based:  You cannot simply jump to the stack, because the registers are XORed.  We can take advantage this exception handling condition by overwrite the SE Handler address.  The OS will know the exception handling routine, and pass it to next SEH record.  Pointer to next SEH will bring us to the shellcode.  Game over!
  15. 15. ABUSING SEH In other words, the payload must do the following things:  Cause an exception. Without an exception, the SEH handler (the one you have overwritten/control) won’t kick in.  Overwrite the pointer to the next SEH record with some jumpcode (so it can jump to the shellcode)  Overwrite the SE handler with a pointer to an instruction that will bring you back to next SEH and execute the jumpcode.  The shellcode should be directly after the overwritten SE Handler. Some small jumpcode contained in the overwritten “pointer to next SEH record” will jump to it).
  16. 16. ABUSING SEH  When the exception occurred, the position on the stack will going like this:  Possible value to overwrite SE Handler are POP something, POP something and RETN to the stack.  It will POP address that sit at the top of the stack, POP it again to take the second address, and RETN to execute the third address (which is now at the top of the stack) Top of stack Our pointer to next SEH address
  17. 17. ABUSING SEH Image was taken from http://corelan.be with permission from Peter van Eeckhoutte (Corelan)
  18. 18. ESCAPE FROM SMALL SPACE  Use Egghunter  “Staged shellcode”  Use small amount of custom shellcode to find the actual “bigger” shellcode (the egg), by searching entire memory for the final shellcode
  19. 19. EGGHUNTER  There are 3 conditions that are important in order for this technique to work  We must be able to jump to (jmp, call, push/ret) & execute “some” shellcode, the egghunter.  The final shellcode must be available somewhere in memory (stack/heap/…).  You must “tag” or prepend the final shellcode with a unique string/marker/tag. This means that we will have to define the marker in the egg hunter code, and also write it just in front of the actual shellcode.
  20. 20. ENOUGH TALKING!
  21. 21. 1ST SKELETON EXPLOIT: CRASH IT! #!/usr/bin/python from socket import * junk = "x41" * 10000 s = socket(AF_INET, SOCK_STREAM) s.connect((‘x.x.x.x’,8000)) print "[+] Launching attack..” s.send ("GET /" + payload + "HTTP/1.0rnrnrn") s.close()
  22. 22. 2ND SKELETON EXPLOIT: EIP OVERWRITE #!/usr/bin/python from socket import * junk = [random data generated from msf] s = socket(AF_INET, SOCK_STREAM) s.connect((‘x.x.x.x’,8000)) print "[+] Launching attack..” s.send ("GET /" + payload + "HTTP/1.0rnrnrn") s.close()
  23. 23. 3RD SKELETON EXPLOIT: SMALL SPACE  Egghunter x66x81xcaxffx0fx42x52x6a x02x58xcdx2ex3cx05x5ax74 xefxb8x77x30x30x74x8bxfa xafx75xeaxafx75xe7xffxe7
  24. 24. 4TH FINAL EXPLOIT  Exploit DB  http://www.exploit-db.com/exploits/19266/  Metasploit  http://www.exploit-db.com/exploits/19291/  http://www.metasploit.com/modules/exploit/windows/http/ezserver_http
  25. 25. EOF tom@spentera.com

×