SEH Based Overflow Exploit Tutorial

Introduction

This tutorial will cover the process of writing an SEH based buffer overflow exploit for a known vulnerability in the Vulnserver application. Vulnserver is a Windows server application that deliberately includes a number of exploitable buffer overflow vulnerabilities, and was designed to act as a target application to teach and practice basic fuzzing, debugging and exploitation skills. More information on Vulnserver, including a download link, is available here: http://grey-corner.

This tutorial covers how to confirm that an SEH stack based overflow vulnerability is exploitable, as well as how to actually develop the exploit. The process of initially discovering vulnerabilities, however, is not covered in this tutorial. To learn one method by which such vulnerabilities can actually be discovered, you can check out a previous Vulnserver related article on fuzzing, available here: http://resources.

This tutorial will also assume that the reader has a reasonable level of skill in using the OllyDbg or Immunity Debugger debugging applications, as well as a basic knowledge of x86 assembly. For those who are new to these debuggers, or who may feel they need a refresher in assembly, the required skills are covered in the following links: http://resources.

Lastly, you will require a basic knowledge of how stack based buffer overflows are exploited. This is covered under the following links: http://resources. (…%E2%80%94-introduction/) and http://resources.
System requirements and setup

The following software is required to follow along with this tutorial:

- A 3. Windows system. I would suggest sticking to reasonably recent Windows desktop systems such as Windows XP SP2 and up, Windows Vista or Windows 7, as these are the systems that I have personally tested. Windows 2000 desktop and server based systems may also work, but there are no guarantees.
- Vulnserver on your Windows system. You can obtain information about the program (which should be read before use) and download it from here: http://grey-corner.
- OllyDbg 1.10 on your Windows system. You can also use Immunity Debugger if you prefer, but keep in mind that your screenshots will appear slightly different to mine, and certain steps in this tutorial regarding OllyDbg plugins may not be able to be performed. OllyDbg can be obtained here: http://www.
- The OllySSEH OllyDbg plugin installed within OllyDbg on your Windows system is preferred, but not essential. For those who do not have this plugin installed (perhaps because they are using Immunity Debugger), an alternate method of performing the tasks enabled by this plugin is provided. The plugin can be obtained from here: http://www. (OllySSEH)
- An instance of the Perl script interpreter. You can run this on either your Windows machine or on a Linux attacking system. Linux systems should already have Perl preinstalled, but if you want to run it on Windows you can obtain a Perl install for free from here: http://www.
- A recently updated copy of Metasploit 3. You can again run this on either your Windows machine or on a Linux attacking system, although I recommend running it on a Linux system. See the following paragraphs for more detail. If you run BackTrack 4 R2 as an attacking system, Metasploit is included. Otherwise Metasploit can be obtained for Windows and Linux from here: http://www.
My personal setup while writing this tutorial was to execute Metasploit commands and run my exploit Perl scripts from a Linux host system running Ubuntu, with Vulnserver running in a Windows XP SP2 virtual machine. This means that the command syntax provided in this document will be for Linux systems, so if you are following along on Windows you will have to modify your commands as appropriate. I have chosen to run Metasploit and Perl from Linux because components of the Metasploit framework can be broken by many of the Anti Virus solutions commonly installed on Windows systems.

If your Windows system is running a firewall or HIPS (Host Intrusion Prevention System), you may need to allow the appropriate traffic and disable certain protection features in order to follow this tutorial. We will be creating an exploit that makes Vulnserver listen for shell sessions on a newly bound TCP port, and firewalls and possibly HIPS software may prevent this from working. Certain HIPS software may also implement ASLR, which could also be problematic. Discussing firewall and HIPS bypass techniques is a little beyond the scope of this tutorial, so configure these appropriately so they don't get in the way.

I am also assuming for the purposes of this tutorial that your Windows system will not have hardware DEP enabled for all programs. The default setting for Windows XP, Windows Vista and Windows 7 is to enable hardware DEP for essential Windows programs and services only, so unless you have specifically changed your DEP settings your system should already be configured appropriately. See the following links for more information: http://en. (Data Execution Prevention). This functionality is only available on Windows Vista Service Pack 1, Windows 7 and Windows Server 2. Windows Server 2. See below for instructions on how to disable this: http://support.

My Windows Vulnserver system will be listening on the address 1. TCP port 9999, so this is the target address that I will use when running my Perl scripts. Make sure you replace this with the appropriate values if your Vulnserver instance is running elsewhere.

A note about using different Windows Operating System versions: be aware that if you are using a different version of Windows to run Vulnserver than the Windows XP Service Pack 2 system I am using, some of the values you will need to use when sizing the buffers in your exploits may differ from mine. Just ensure that you are following the process I use in determining buffer sizes, rather than copying the exact values I use, and you should be fine. I have indicated in the tutorial the areas in which you need to be concerned about this.

Overview of the Process

We will be using the following high level exploitation process in order to take control of this program:

1. Get control of the EIP register, which controls which code is executed by the CPU, setting it to a value of our choosing,
2. Identify some code that will fulfil our goals for the exploit, and either find it on the target system or insert it into the program ourselves using the exploit, and
3. Redirect EIP towards our chosen code.

As in the previous article in this series on exploiting buffer overflows (see the links in the Introduction), this list of requirements acts as both the steps required to actually write the exploit and the criteria for determining whether the vulnerability is exploitable. We will assess the given vulnerability to determine if these particular steps are possible, and once this is confirmed we will know that exploitation is possible and be well on our way to producing a working exploit. As mentioned in the Introduction, you should already be somewhat familiar with the general way in which buffer overflow exploits are written before you attempt this tutorial. When compared to simple stack based buffer overflows, SEH based exploits require a few new twists to the exploit development process.
These new twists will be the main focus of this tutorial, and the more basic exploit development skills will be assumed knowledge. These basic exploit development skills are covered in the previous entry in this series.

Assessing the vulnerability

The vulnerability we will be attempting to exploit is a stack based buffer overflow in the parameter of the GMON command of Vulnserver. We can trigger an exception in the program by sending a GMON command with a parameter consisting of a very long (~4.) string. To demonstrate this, we can use the following script, which will send “GMON .” followed by 4. “A” characters to a specified IP address and port provided as command line parameters. As we progress through the exploit development process, we will slowly modify this basic POC script into a full blown exploit. Save the following as gmon-exploit-vs. The script uses IO::Socket and begins by checking $ARGV for the two command line parameters.

Then, execute the script as follows to generate the exception within the debugger:

Vulnserver$ perl gmon-exploit-vs.
Welcome to Vulnerable Server! Enter HELP for help.

You should be greeted with the following in the debugger: an Access violation error will be shown at the bottom of the screen, and execution of the program will be paused within the debugger.

If you are familiar with the more basic style of stack based buffer overflows, as discussed in the previous tutorial, the first thing you may notice here is that the EIP register does not point to an address made up of bytes taken from within the data we sent. If this was the case, we would expect to see the EIP register containing the hex equivalent of the ASCII character “A”, which is \x41. What will happen if we allow the debugger to handle this error though? Press Shift and F7, F8 or F9, the key sequence used to pass exceptions through to the debugged program, and see what happens. The debugger should then display something similar to the following screenshot.

This is more like it. We now have an EIP register that points to 4. (the “A” characters we sent to the program), and an access violation when executing code at that address. This is very similar to what we would see when reproducing a stack overflow that has overwritten a return address stored on the stack. Why did we gain control of EIP only after we allowed the program to handle the first exception though? To understand this, we need to discuss the Structured Exception Handling functionality in the Windows Operating System.

Structured Exception Handling

Structured Exception Handling is a method that the Windows Operating System uses to allow its programs to handle serious program errors resulting from either software or hardware problems.

Tutorial – Publish ASP.NET Web API in IIS 8.5, Windows 8.1 – HintDesk

Some of my previous posts involved web services made with ASP.NET Web API, and I have received some feedback that it's difficult to make the code run. Readers don't know how to publish the sample web service that is included in the source file. Therefore in this post I will show you how to publish an ASP.NET Web API service to localhost (your local computer). The tutorial is written for my current environment of Windows 8.1 and IIS 8.5. If you have another system and can't work out how to follow a certain step in the tutorial, leave a comment below. Maybe I can help.

1. Source code

1.1 Visual Studio

I'm using Visual Studio 2. Ultimate Update 3. My web services are based on the templates of this version of Visual Studio, so if you have another version of Visual Studio you may have to install templates to open the solution. However, for the following versions you don't need to install any prerequisites: Visual Studio 2. , Visual Studio 2.01. If you're using Visual Studio 2. , run Windows Update until there are no required updates any more. Windows Update will automatically get and install all updates for Microsoft products, including your Visual Studio. Try to open the solution; if Visual Studio still can't load it, go to http://www. , get the ASP.NET SDK and install it. The SDK contains all of the libraries and templates required for ASP.NET MVC.

1.2 NuGet

In the previous step we prepared an environment so that we can load an ASP.NET Web API project in Visual Studio. The ASP.NET Web API libraries and all of their dependencies are delivered and versioned through NuGet. Therefore, if your Visual Studio still doesn't have this plugin installed, install it from http://www. When the plugin is installed successfully, you'll have a menu for it. After downloading the source file, if you can't compile the project, don't be angry: right click on the solution and click “Rebuild Solution”. NuGet will download all missing packages and the solution will compile successfully.

2. Internet Information Services (IIS)

2.1 Installation

In the first part I showed you the prerequisites to compile a web service made with ASP.NET Web API. Now you need a web server to host your web service. All you have to do is install IIS on your local computer. In Control Panel –> Programs and Features –> Turn Windows features on or off –> Internet Information Services, activate the features as shown in the following images. That's all. If you're lucky, after installation you can open your web browser, enter http://localhost, and you'll get the welcome screen of IIS.

2.2 Publishing

To publish a web service to IIS, remember to start Visual Studio as Administrator. Right click on the project and choose Publish. On the next window, create a new profile if you don't have one yet. For connection settings, you can use the following settings as an example. The “Site name” consists of two components: the website and the application name. You can change the application name as you want, but the website “Default Web Site” should work in most cases if you haven't changed anything in IIS.

To check whether publishing succeeded, open IIS Manager. On the left panel, expand the server tree node to “Default Web Site”; there is a sub node with the name of your application. Note that the icon must be an application icon (a sheet on a globe). If the icon is a folder icon, that means publishing failed, and you have to convert it to an application by right clicking on the folder and choosing “Convert to Application”.

2.3 Permission

After publishing the web service to IIS, if the web service allows users to upload files to the server, you have to configure permissions on App. Browse to C:\inetpub\wwwroot\.

3. Errors

If you are lucky, you won't receive any error during publishing. However, here are some typical errors and their solutions which you may encounter.

- IIS + Windows 7 + “HTTP Error 503. The service is unavailable”. Solution: IIS Manager –> Application Pools –> DefaultAppPool –> Advanced Settings –> “Load User Profile” = false.
- IIS + Windows 7 + “HTTP Error 500. Internal Server Error. The requested page cannot be accessed because the related configuration data for the page is invalid”. In web.config the modules element carries runAllManagedModulesForAllRequests="true". Solution: ASP.NET 4 was not registered in IIS. I had to run the following command from the command line (Run) in Windows: %windir%\Microsoft.NET\Framework\v4.