PRACTICAL SEH : EASY CHAT SERVER EXPLOITATION part 1

This time to learn and practice about attack vector exploit Easy Chat Server SEH application. It is different from the exploitation of the Big Ant server SEH apllication.

Tools :

- Wireshark

- Ollydbg

- Easy Chat Server running on Windows

First time we must try the error for the application.

Easy Chat Server On Windows

Easy Chat Client

First time we must recognize the application and try with error, in the picture above I try login with with accounts that have been registered. Now i will try login with user account unregistered, before tried i run the wireshark to sniffing the packet and to know the header and port which later will be the reference for making the fuzzer.

Easy Chat Client On Backtrack

With the login page of easy chat client i will try to login with username and password with 1000 character A. Lets generate the 1000 characters A and lets see in the wireshark and application (got error or not). 

Python generate

Lets see the wireshark and Easy chat server, the easy chat server application haven't error. 

Wireshark Network Analyze

We have the network packet traffic and get the path of the header, ok try once againt with litle characters fill into the easy chat client login page, i will login with username "ABC" and Password "ABC" too. So we analyze with wireshark of the packet sent. 

Try with unregistered account

Wireshark

The wireshark get the packet sent the client to the server with ABC, look the path. Lets make the fuzzer, the A character that will send as many as 25000 to the server via port 80.

Fuzzer 1

Lets running Ollydbg and attach the easy chat server application, and look the process after we run the fuzzer.

Wireshark capture HTTP traffict

Olly dbg

From the picture above seen any changes in memory at OllyDbg, this is SEH application so lets to view the SEH chain. here we know the SEH chain put the exception of the overwrite.

SEH chain

Bypass the SEH Chain

Bypass SEH chain

The EIP overwrite with 41414141. Go to the stack memory  and follow in the dump.

Follow in the dump

Ceck with metasploit tools, msfpescan to find the Dll Characteristic and the result is null.

Msfpescan

Find the POP, POP, RETURN address

POP POP RETURN

Using pattern to generate characters, in this phase i need 25000 many characters.

Patern Create

Lets fill the output of generate pattern into the fuzzer

Fuzzer2

Run the fuzzer and and see what happens, 

After fuzzing 2

By picture above and know the address of SEH chain, next we use the pattern again to know whereis the byte.

Pattern Offset

Edit the fuzzer and running it.

Fuzzer 3

Lets see the result.

Result CCCC

Oh, Im forget to decrease the nop range from output pattern offset -> byte (220 - 4), Ok know change the fuzzer with 216. And running again. and he SEH chain change with 41414141

Fuzzer 4

Result

Lets check and breakpoint in the POP POP RETURN address. And fuzzing again.

Breakpoint

After fuzzing what did not happen.

Not good enought

Its means we must find the other POP POP RETURN address from the modules are loaded by the application, here there libeay32.dll and ssleay32.dll. First time i choose the libeay32.dll, by testing one by one on the pop address we can find out where the actual address of the POP that we can make a stepping stone to exploit, if it is not contained within the module that matches the address then repeat with the other modules. more traditional feel and takes patience but this is the REAL ART.

LEBAY.DLL

The Address

Choose the address in 4 bytes are not zero (0) bytes of value in the first. n the module above I do not find a match then I tried to do it again in another module.

sslALAY.dll

POP Address

 Edit the fuzzer with the POP POP RETURN address,

Fuzzer 5

 Run the fuzzer and check the SEH chain

SEH chain pop pop retn

Next check in the left abpve from ollydbg there is cc and 90, push the f7 on the keyboard.

Olly dbg CC

Look in the address dump to acounting hexa decimal.

CC

Lets count the hexa decimal 

Count the address

The next step run and fill the result hexa decimal and payload from msfweb into fuzzer.

Start Service

Generate Payloads

The Out Put

Breakpoint the address of POP POP RETURN and run the fuzzer....so lets the result. 

Expired

This is really weird, why?
application expired today though I installed it and the time trial for 30 days, but why not a day goes outdated applications...I will try again...Comming soon