Tuesday, April 12, 2011

Linux Exploit Development Pt 2 (rev 2) - Real App Demo (part 2)

Question:
In short why another part 2 if we already have one?

Answer:
Recently I've been receiving feedback from people who have read the papers and amongst those _sinn3r and corelanc0d3r actually recommended I should also give examples using real vulnerable application.

About the paper:
I will not be repeating myself, this paper does not contain any theory in it. If you do not have the required knowledge I suggest you first read my part 2 paper before trying this: Linux Exploit Writing Tutorial Pt 2 - Stack Overflow ASLR bypass Using ret2reg

The paper can be found here and long with the paper I've also made a quick video demonstration:

Linux exploit development part 2 (rev 2) - Demo from sickness on Vimeo.



Hope you enjoy it and have fun :)

Friday, April 8, 2011

Linux exploit development part 3 - ret2libc

I'm not going to repeat myself from the paper, this will just be a short description of what the paper contains.

So in the previous tutorials our exploits were made on Backtrack 4 R2 now we are going to make them on Debian Squeeze (latest) because Backtrack does not have DEP enabled by default (PAE enabled kernel on 32 bits).

In short terms DEP or NX prevents some stack or heap memory spaces from being executed, it also prevents executable memory from being writable. This is very effective against buffer overflows that inject and execute malicious code. (More about NX here)

How to bypass this !? ... -> Linux exploit development part 3 - ret2libc.pdf

Saturday, March 26, 2011

Saturday, March 19, 2011

Linux exploit development part 1 - Stack overflow.

I've started to write a series of tutorials about exploit development on Linux, this is the first part which contains a Stack overflow, with hardcoded ESP address (I know it's unreliable, that's why it's part 1).
Anyways here is the PDF: Linux exploit development part 1 - Stack overflow

Hope you enjoy it.

Saturday, March 12, 2011

Installing and Tweaking SPIKE and sickfuzz v0.3

Not sure how many tried out this "fuzzer", but the v0.3 is out with more pwnsauce.

Download link: http://code.google.com/p/sickfuzz/downloads/list
svn checkout http://sickfuzz.googlecode.com/svn/trunk/ sickfuzz

New features:
- Some SPIKE tweak.
- Changed the SPIKE fuzzer.
- Modified the .spk scripts.
- More logs available.
- More detailed help screen as well as output.

Fixed bugs:
- Fixed tailing issue, now paths don't have to end with "/".
- Now stops when app crashes without going over the other scripts.

Install SPIKE and sickfuzz:

root@bt:~# apt-get install automake
root@bt:~# rm -rf /pentest/fuzzers/spike/
root@bt:~# wget -P /tmp http://www.immunitysec.com/downloads/SPIKE2.9.tgz
root@bt:~# tar xvzf /tmp/SPIKE2.9.tgz -C /pentest/fuzzers && rm /tmp/SPIKE2.9.tgz
root@bt:~# cd /pentest/fuzzers/SPIKE/SPIKE/src/


Before actually starting to compile SPIKE we will make a little tweak (thank master @lupin for this one!).
Open up spike.c, there are 2 lines that look like this:

printf("tried to send to a closed socket!\n");

Each of these 2 lines contains a "return 0;" instruction on the next line, we will replace this instruction with "exit(1);" save the file and proceed.
(NOTE: ONLY REPLACE THOSE 2 INSTRUCTIONS NOT ALL!)

snapshot_1
snapshot_2
snapshot_3
snapshot_4

Now we can proceed with SPIKE:

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector/g' Makefile
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make


If you get this error:

configure: creating ./config.status
cd && /bin/sh ./config.status Makefile
/bin/sh: ./config.status: No such file or directory
make: *** [Makefile] Error 127


Execute the following commands again:

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-p$
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make


Should have worked now.

root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# mv -f /pentest/fuzzers/SPIKE/SPIKE/src /pentest/fuzzers/spike/
root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# cd
root@bt:~# rm -rf /pentest/fuzzers/SPIKE/

root@bt:~# cd /pentest/fuzzers/
root@bt:/pentest/fuzzers# svn checkout http://sickfuzz.googlecode.com/svn/trunk sickfuzz


Also if you are interested g0tmi1k made a nice script to automate the hole process:
http://code.google.com/p/sickfuzz/downloads/list

For more info on using SPIKE check out lupin's guides:
http://resources.infosecinstitute.com/intro-to-fuzzing/
http://resources.infosecinstitute.com/fuzzer-automation-with-spike/

Thursday, March 3, 2011

sickfuzz - HTTP fuzzer.

Before we get started let's start with some basic knowledge which you might or might not know:

# What is fuzzing?

So in short fuzzing is a technique used to discover coding errors in software, so it sends the specific port,app,etc. unexpected data. For example if we have a small application that asks us for a number between 1 and 10 and then divides our number to 2, what will happen if we enter "%Io&6...." ? (It's not the best example I know but I think you get the picture).

# How does this help us?

Well depending on how the application crashes we can have a number of vulnerabilities like buffer overflows, DoS, etc ...
NOTE: These definitions from above are not complete, if you want to get more details I suggest you try Google.

Before we begin some few answers to some questions that most of you will ask:

1. Why did I make a fuzzer, there are other fuzzers out there ?

Yes you are right there are a lot of other fuzzers out there, my fuzzer wasn't intended to be a public fuzzer. I started making it for personal use and to learn more about fuzzing, but some friends told me I should give it a try and publish it, maybe people will like it.

2. Why is my fuzzer more special than other fuzzers out there ?

The answer is simple, it's not! I didn't make it to be more special than other fuzzers out there, I just included some features that I needed and nothing more.

Ok now that we have covered these basic questions let's move on and see how it works and what features it has:

# What is sickfuzz?

sickfuzz is a wrapper around SPIKE written in python.

# How does it work?

It actually accepts CLI arguments and based on those it launches the SPIKE "generic_send_tcp", with custom made .spk files.

# What other features does it have?

- tshark (CLI version of wireshark support), once you start fuzzing tshark starts to capture http packets that go to your specified port for later analysis.

- checks to see if the app crashed or not, most apps usually if they receive a large number of requests, start denying them and most fuzzers see that as a crash and just stop, sickfuzz however when it encounters such a behaviour checks to see if the application did really crash or not, and if the application is still up it resumes the fuzzing process.

- It's really fast and has a lot of mutations (SPIKE rocks!)

# What do I need to run it?
- SPIKE
- Wireshark (tshark + editcap)
- Python
- Web server victims

Also g0tmi1k made a cool video, demonstrating how to use it, check it out:



Download sickfuzz

Ok not at the end I want to thank all who helped me with the fuzzer:
ArchangelAmael
Nullthread
Dinos
corelanc0d3r
g0tmi1k

g0tmi1k's blog post here.

Sunday, February 6, 2011

Exploit writing made easy with !pvefindaddr.

This is a quick paper I wrote containing a tutorial on how to use !pvefindaddr made by corelanc0d3r, it does not cover the creating of an exploit only how this tool helps you in writing an exploit.

Download link: Exploit_writing_made_easy_with_pvefindaddr.pdf

Sunday, January 30, 2011

ROP retn+offset and impact on stack setup.

Ok so in short, I was playing with ROP chained exploits, in particular I was making an exploit for WM Downloader.

I finally finished it and then asked corelanc0d3r from the Corelan team to test it. The exploits was good, but there were some ROP gadgets that differed so we tried to replace them and this came up: http://www.exploit-db.com/exploits/16072/

Everything seems ok ... but something was weird, as you can see we have a ROP gadget containing:
# INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4

I had some issues with padding RETN 4, so I asked corelanc0d3r for a general padding rule, and then we realized that no one actually has one. ( Or not one that we know about. ) So we started documenting it and finally this came up: Corelan Site

Friday, January 7, 2011

VBox DEP issue.

First of all here is a quick demo about the issue:

DEP Issue on VBox from sickness on Vimeo.



Ok now that you have seen the demo:

A lot of people Enable DEP on VirtualBox but did anyone test it to see if it works properly ? Well guess what it doesn't !

*How ?
Well I wanted to test some DEP bypass methods, and I just have this habit before actually trying to bypass DEP, I turn it off and test that app with a simple exploit (usually to launch calc.exe) but I forgot to turn DEP off, it remained on and when I launched the exploit I did not receive a DEP error and the calculator got executed, you can take a look at the quick video demo to check it out.

*What I did.
I started trying different things to make it work like upgrading to the latest VBox, made sure that my CPU supported NX, Enable PAE/NX from Vbox, reinstall the guest OS with PAE/NX enabled from the beginning, and others. Everything seemed ok but DEP was not working, I tried using tools like NXTEST which actually told me that DEP wasn't enabled so I tried the same configuration on Vmware and what do you know … it worked!
After saying that Vmware DEP works I asked a few people to help me confirm this Vbox issue. From the feedback of these tests I learned that only 32 bit CPU's are affected by this, DEP works on 64.

*Reason for this issue.
So after saying this issue I have reported it to the guys at Vbox who after a while told me that they have figured out what is causing the problem, it's normal but they have not documented it yet. (Great, because DEP not working is not such a big deal, what could happen !?)
QUOTE:
“For raw mode we do NOT enable NX protection by default. I'm currently not
aware of the exact reason but I believe this is to keep the code simpler
or there are some compatibility issues.”
(Yet this is not documented)

*Fix.
In order to fix this you need the following:
-NX and PAE support ( cat /proc/cpuinfo and check the flags for nx pae )
-A PAE enabled kernel ( which doesn't make much sense to me, Vmware DEP works without a PAE enabled kernel and NX and PAE are 2 different things from my point of view, but I might be wrong. )
-You also need to invoke a command from the terminal to enable NX because apparently the option “Enable PAE/NX” from Vbox doesn't work ( not sure why they included it in the first place)

Ok so in order to fix DEP in Vbox, your CPU must support NX and PAE, you must run a PAE enabled kernel and:
Open a terminal with the same privileges as your Virtual machines and type in:

"VBoxManage list vms"

You will get something like this: "Windows" {xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}
Now issue the following command considering Windows as the name of your VM (Virtual Machines must be stopped ):

"VBoxManage setextradata “Windows” VBoxInternal/CPUM/EnableNX 1"

Now start the VM and DEP should work.

Author: sickness

Saturday, January 1, 2011

Blog status update.

Due to recent events I do not have enough time to keep my blog updated very frequently, I will maintain it for the people who seek information from it and will post as soon as I have time.