Analyzing and Writing a Local Exploit 2

In this article we will learn about Analyzing and Writing a Local Exploit.

We mentioned in the previous article that there are five steps to exploit an app locally. We have already discussed the first two steps of the local use technique in the previous article. Now in this article we will complete the exploit by performing the remaining steps. Let’s look at the following noteworthy points where we ended our previous article.

The EIP register is overwritten after 260 characters.
The top of the stack points past the 280 mark.
A bad character is simply a list of unwanted characters that can break shellcode.

(Note: We will not explain “bad character” in detail here. Please refer to previous articles for more information.)

First we will need to generate a list of all the characters that can be used to generate the exploit. We can do this by writing a simple C program. You can download the badchar.c file here:

In the above screen shot, we have written a C program. Let’s compile and run this program to generate the character list.

Image: 2

Notice in the above screen shot that at first we compiled the badchar.c file. After that, we have run the program and as a result, the character list has been generated. Now, we will copy this character list and append it into the Python script as we did in the previous articles.

Image: 3

We can see in the above screen shot that we have appended the character list in the Python script after the B’s. Now, we will save this Python script and run this script to generate the exploit.plf file with the changes.

Image: 4

We run the exploit.py script on the terminal and a new exploit.plf file is generated on the desktop. We then copied this to the shared folder so it would be available on computer A.

Now let’s launch the Blaze DVD player with the debugger and open the exploit.plf file on the DVD player and the following are the steps to take to identify the bad characters.

Open the exploit.plf file with your DVD player software.
If an input interrupt occurs, parse the stack values ​​in the debugger.
If so, find the character that violates it.
Remove the character from the list and go back to the first step again.
If the input is no longer corrupting, the rest of the characters can be used to generate shellcode.
Let’s do the above steps one by one.

First, let’s open the same file using the debugger.

In the screenshot above, when we open the exploit.plf file with the full list of characters, we see that the program crashes as expected. But if we look carefully in the stack, we can see that the EIP is overwritten by 42424242, which is B (in hexadecimal), but then we can see some random numbers in the stack instead of a list of characters.

In the screenshot above, when we open the exploit.plf file with the full list of characters, we see that the program crashes as expected. But if we look carefully in the stack, we can see that the EIP is overwritten by 42424242, which is B (in hexadecimal), but then we can see some random numbers in the stack instead of a list of characters.

Therefore, it is possible that our first character in the character list will be the wrong character for the program. So remove the first character from the Python script and note the character in a separate file for future use and save the exploit.py file.

Now we run the Python script again to generate the exploit.plf file and copy this file to the share so that it is available on machine A.

Then we run the DVD Blaze Player software with the debugger again. We can do this by pressing CTRL+F2 and opening the exploit.plf file again with the debugger.

As we can seen in the above screen shot, the program is again crashed but when we closely look into the stack, we can see some characters in the stack.

Image: 8

In the above screen shot that, after the 09 the stack is again corrupted. So, the next character would be a bad character for the program. We will remove the next character after 09 in the Python script and generate the exploit.pdf file again.

Now, we will have to continue these steps until all the input data along with the C’s come back into the stack.

After doing the same steps 2 more times, we got the stack output according to our expectations.

Image: 9

It confirms that we have the following bad characters according to the program.

x00x0ax1a

So we have 3 bad characters in the program. Now we proceed to the next step, which is to generate the exploit and payload.

Usage and Payload Generation:
In this step, we first need to change the execution control by writing a JMP instruction, then we will generate the shellcode using the Metasploit modules. Finally, we would put these instructions into a Python script as shown below.

• In the Python script, BBBB will be replaced by the address of the JMP instruction.
• C will be replaced by a Python script.

So let’s start the process by writing a JMP instruction. After removing the character list, the Python script will look like this.

Now we will generate the exploit.plf file again by running the exploit.py script in the terminal and copy the file to the share so that it is available on machine A.

Run the Blaze DVD player software with the debugger and open the exploit.plf file with the DVD player.

As we can see in the above screen shot, that the software is again crashed in the machine A. When we closely look into the debugger we can see the following notable things.

Image: 12

As shown in the figure above, the address of the top of the stack (ESP) is 0012F390, which has 00 at the beginning of the address, but we cannot use this address because it has 00, which is a bad character for the Program. We have already identified the bad characters in the previous steps.

Let’s identify the JMP ESP instruction for the program as we did in Part 6 of the article series. (/stack-based-buffer-overflow-in-win-32-platform-part-6-dealing-with-bad-characters-jmp-instruction/)

Note: We will not explain step by step how to write a JMP instruction; if you want to read it in detail, you can read part 6 of this series of articles.

Now we restart the program in the debugger on computer A and press ALT+E. A window will then open that contains a list of all the DLL files used by the program. We can use any DLL file that contains the JMP ESP instruction. In our scenario, we will use the “NTDLL.DLL” file to identify the JMP ESP instruction. So, open this file by double clicking on it and pressing CTRL+F, then the search box will open as shown below.

Image: 13

As can be seen in the above screen shot that we have written JMP ESP in the Find command box, now we will hit the enter key.

Image: 14

As shown in the above screen shot, that JMP ESP instruction is highlighted, and we can see the corresponding address on the left hand side, which does not contain any bad characters. So, we can use this address as a JMP instruction. Now, write down this address in reverse order.

“/xed/x1e/x94/x7c”

Now, we will replace it in the Python script with B’s and create a break point here to verify the same in details. We can create the breakpoint by pressing the F2 key

Image: 15

We can see in the above screen shot that we have created a break point on the machine A at the JMP ESP instruction. We have also replaced the B’s on the machine B in the Python script with the JMP instruction.

After putting the JMP instruction in the Python script, let’s append some NOP sled in the Python script. The function of NOP sled is ‘no operation’. It means that whenever the NOP sled is encountered in a program the CPU does not perform any actions and would pass the execution control to the next instruction. The NOP sled is defined by “90”. So, let’s add 40 NOP sled in the Python script after the JMP instruction.

Image: 16

As can be seen in the above screen shot, we have added NOP sled in the Python script, now we need to generate the shell code and replace the shell code with the C’s in the Python script. So, let’s open the terminal on the Machine B and write the following command on the terminal to generate the shell code of the reverse TCP payload. (NOTE: We can use any payload according to the requirement, as of now, we are using reverse TCP payload)

• msfvenom -p windows/shell_bind_tcp -f c -a x86 -b “x00x0ax1a″

(In this command we have used –b “x00x0ax1a”. It means that while generating the payload, the characters that are given with the –b option will be ignored. We have identified these bad characters in previous steps)

Image: 17

As can be seen in the above screen shot, after running the command, the shell code is generated according to payload and bad characters are ignored. Now, we will copy this shell code and replace C’s with the shell code.

Image: 18

As we can see in the above screen shot, we have copied the shell code in the Python script. Now, we will save this Python script and run the Python script after that the exploit.plf file will be generated. Now, copy this file in the share folder so that it would be available on the machine A.

Now, open this exploit.plf file with the DVD player.

Image: 19

As can be seen in the above screenshot that the program did not crash but it reached the location where we had created the break point. When we closely look into the Hex dump and stack, we can see that everything we have set in the Python script is successfully implemented in the stack. Now, let’s click on F9 key to continue the execution of the program.

Image: 20

As can be seen in the above screen shot, the program did not crash this time. This is great news for us. It means we have successfully exploited the application. Let’s verify it by connecting from the machine B.

Image: 21

In the above screen shot, we can see that we have the reverse connection on the attacker machine. Let’s verify the same by running the DVD player software with the debugger and try to connect from the machine B.

Image: 22

As can be seen in the above screen shot, this time we ran the DVD blaze player software with the debugger and the program did not exit and when we connect to the machine B we got the reverse connection shell on the attacker machine. This verifies that we have successfully exploited the application.

Also Read:Contemporary UEFI Bootkits by Blackhat Pakistan 2023

References[Analyzing and Writing a Local Exploit]:

• https://www.exploit-db.com/exploits/32737/
• https://www.exploit-db.com/exploits/26889/
• https://www.owasp.org/index.php/Buffer_overflow_attack
• http://en.wikipedia.org/wiki/C_file_input/output
• http://www.exploit-db.com/
• http://www.pentesteracademy.com/
• https://www.corelan.be/
• http://en.wikipedia.org/wiki/NOP_slide
• http://www.securitytube.net/
• https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom