Tuesday, February 28, 2012

PRACTICAL SEH : EASY CHAT SERVER EXPLOITATION part 1

This time to learn and practice about attack vector exploit Easy Chat Server SEH application. It is different from the exploitation of the Big Ant server SEH apllication.
Tools :
- Wireshark
- Ollydbg
- Easy Chat Server running on Windows

First time we must try the error for the application.
Easy Chat Server On Windows
Easy Chat Client
First time we must recognize the application and try with error, in the picture above I try login with with accounts that have been registered. Now i will try login with user account unregistered, before tried i run the wireshark to sniffing the packet and to know the header and port which later will be the reference for making the fuzzer.
Easy Chat Client On Backtrack
With the login page of easy chat client i will try to login with username and password with 1000 character A. Lets generate the 1000 characters A and lets see in the wireshark and application (got error or not). 
Python generate
Lets see the wireshark and Easy chat server, the easy chat server application haven't error. 
Wireshark Network Analyze
We have the network packet traffic and get the path of the header, ok try once againt with litle characters fill into the easy chat client login page, i will login with username "ABC" and Password "ABC" too. So we analyze with wireshark of the packet sent. 
Try with unregistered account
Wireshark
The wireshark get the packet sent the client to the server with ABC, look the path. Lets make the fuzzer, the A character that will send as many as 25000 to the server via port 80.
Fuzzer 1
Lets running Ollydbg and attach the easy chat server application, and look the process after we run the fuzzer.
Wireshark capture HTTP traffict
Olly dbg
From the picture above seen any changes in memory at OllyDbg, this is SEH application so lets to view the SEH chain. here we know the SEH chain put the exception of the overwrite.
SEH chain
Bypass the SEH Chain
Bypass SEH chain
The EIP overwrite with 41414141. Go to the stack memory  and follow in the dump.
Follow in the dump
Ceck with metasploit tools, msfpescan to find the Dll Characteristic and the result is null.
Msfpescan
Find the POP, POP, RETURN address
POP POP RETURN
Using pattern to generate characters, in this phase i need 25000 many characters.
Patern Create
Lets fill the output of generate pattern into the fuzzer
Fuzzer2
Run the fuzzer and and see what happens, 
After fuzzing 2
By picture above and know the address of SEH chain, next we use the pattern again to know whereis the byte.
Pattern Offset
Edit the fuzzer and running it.
Fuzzer 3
Lets see the result.
Result CCCC
Oh, Im forget to decrease the nop range from output pattern offset -> byte (220 - 4), Ok know change the fuzzer with 216. And running again. and he SEH chain change with 41414141
Fuzzer 4
Result
Lets check and breakpoint in the POP POP RETURN address. And fuzzing again.
Breakpoint
After fuzzing what did not happen.
Not good enought
Its means we must find the other POP POP RETURN address from the modules are loaded by the application, here there libeay32.dll and ssleay32.dll. First time i choose the libeay32.dll, by testing one by one on the pop address we can find out where the actual address of the POP that we can make a stepping stone to exploit, if it is not contained within the module that matches the address then repeat with the other modules. more traditional feel and takes patience but this is the REAL ART.

LEBAY.DLL
The Address
Choose the address in 4 bytes are not zero (0) bytes of value in the first. n the module above I do not find a match then I tried to do it again in another module.
sslALAY.dll
POP Address
 Edit the fuzzer with the POP POP RETURN address,
Fuzzer 5
 Run the fuzzer and check the SEH chain
SEH chain pop pop retn
Next check in the left abpve from ollydbg there is cc and 90, push the f7 on the keyboard.
Olly dbg CC
Look in the address dump to acounting hexa decimal.
CC
Lets count the hexa decimal 
Count the address
The next step run and fill the result hexa decimal and payload from msfweb into fuzzer.
Start Service
Generate Payloads
The Out Put
Breakpoint the address of POP POP RETURN and run the fuzzer....so lets the result. 
Expired
This is really weird, why?
application expired today though I installed it and the time trial for 30 days, but why not a day goes outdated applications...I will try again...Comming soon


0 comments:

Post a Comment