SEH Overflow + Egg hunter in 1 go!

Standard

Hello pee-ple,

As the OSCP PWK course only covered basic stack-based overflow exploitation, I decided to learn about SEH overflows and the concept of egg hunters!

I will not be talking about the theory behind those 2 in this post.
Instead, I will be writing up how to exploit them.

I will re-write the existing exploit from scratch and hopefully it might be helpful to some of you haxxers out there!

Pre-requisite:
Understanding of Buffer Overflows (Simple stack based)
Configured Immunity Debugger and Mona.py
Read up on nSEH/SEH Overflow concepts
Read up on EggHunter concepts

Existing exploit available at –
https://www.exploit-db.com/exploits/40178/

Vulnerable application that we are attacking –
https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe

My target VM:
Windows XP SP3

My attacking VM:
Kali Linux

Let’s begin~!

Set up with Immunity Debugger and Mona.py

setup1

The application will crash with 4500 of junk buffer.
After sending 4500 junk buffer, press Shift + F9 to pass the exception and you should see that the EIP register is overwritten by “A”s

pattern_create.rb -l 4500
pattern_offset.rb -q $overwritten_eip_value
offset = 4065

Minus 4 from the offset to overwrite it with “C” buffer instead for the SEH handler
Your exploit PoC should look something like this:

junk = “A” * 4061 + “B” * 4 + “C” * 4 + “D” * 431

“B” -> nSEH
“C” -> SEH

Launch the exploit PoC, it should trigger an access violation, continue by passing it with Shift+F9, you should notice that the EIP are overwritten with 43434343 (“C”*4)

poc1

Now we should look for the address of a POP POP RETN instruction so we can land onto our “B” * 4 (nSEH) buffer. Run “!mona seh” on the Immunity Debugger console.

!mona seh

Locate your Immunity Debugger folder (Example: C:\Program Files\Immunity Inc\Immunity Debugger)

sehppr

It will contain all the POP POP RET addresses, choose 1 that does not contain any dangerous bytes such as \x00

I decided on the address 0x1002379d

Replace the “C” * 4 with the PPR address that you have chosen

Restart your Immunity Debugger and reattach the process by pressing CTRL + F2, go to your PPR address 1002379d and set a breakpoint.

Rerun your updated PoC exploit. Shift + F9 to pass the exception first, then Step over with F7, you should end up at the “B” * 4 buffers after stepping over the POP POP RETN instructions.

4

Step over the POP POP RETN with F7.

5

Awesome.

Now we need to jump backward into our “A” buffers
“\xEB\xC4\x90\x90” will jump backwards 60 bytes (-60bytes on calculator)

Update your PoC exploit and replace the “B” * 4 with “\xEB\xC4\x90\x90”

Your PoC exploit should look something like this.

6

Set a breakpoint at your chosen PPR address again and rerun your updated PoC exploit. Shift + F9 to pass the exception first, then Step over with F7, you should end up at the “B” * 4 which is now replaced with “\xEB\xC4\x90\x90” (jump backward 60bytes) and by stepping over again, you should land in the “A” buffers.

The “\xEB\xC4\x90\x90” in Immunity Debugger.

7

Stepping over with F7 should land you into the “A” buffer.

8

Nice. You are all set to send your Egg Hunter tag, shellcode, and everything else in 1 go!

Generate your Egg Hunter tag with the following command on Immunity Debugger console.

!mona egg -t p0rn

Copy paste the generated 32 bytes hex codes into your PoC exploit.

9

Generate your shellcode with msfvenom:
msfvenom -p windows/exec cmd=calc.exe -e x86/alpa_mixed -f -c

Your final exploit PoC should look something like this:

10

All is set, embrace teh calculator!

11

Neat!

Note that there are other ways to pwn this application. Just having my own way of fun.
I have decided to exclude my full exploit code so that you can try it out yourself!

I know that SEH Overflows and Egg Hunter concept are obsolete. But…… It is always good to learn new stuff! Well at least for me.

Stay safe people!

~9emin1

MITRE STEM CTF: Cyber Challenge 2016

Standard

Hello people!

I managed to participate in my first ever Capture the Flag event. It was fun, and challenging at the same time. I took part in this with one of my buddies (KiaM). So yeah our little ‘team’ consists of just us.

Our main objective was of course, to learn and gain experience. And for sure we did 🙂

I will be doing the write up of the challenges solved by me and my friend. Cheers!

Link to said CTF –
https://ctftime.org/event/330
http://mitrecyberacademy.org/competitions/
https://scoreboard.mitrestemctf.org/

Grab Bag – 10 points
==========
Welcome! 10 points

Knowing the flag format is important! It will help you a lot with this challenge. Read the rules and come on back!
==========
This was pretty simple and straight-forward, morale boost I suppose.

1

Grab Bag – 100 points
==========
Supa Hot Fire 100 points

Your obnoxious neighbor just installed a IP enabled household heating controller. You were able to get into his home network since he still uses a WEP key. Time to get him back with a harmless prank of burning out the heating coils in his house.
==========
The interface provided.

main
So basically we have to play around the switches D0-D9 and fake overheating. The switches can be clicked to switch between HIGH/LOW.

We’ve got to find a configuration that will cause a sustained increase in temperature.
Let’s lookup CD74HC4067.

Turns out it’s an Integrated Circuit. We’ll look for the Data Sheet and find the Truth Table to see how it works.
2

For the left circuit we want channel 11 to be selected. We set D0, D1, D3 to HIGH.
For the right circuit we want channel 6 to be selected. We set D5, D6 to HIGH.
The flag is revealed at the bottom right.

3

Grab Bag – 150 points (1)
==========
Its Over 150 points

Your friend thinks he’s really good at sending hidden messages, time to prove him wrong.
==========
This was solved using an online photo editor. For this challenge the flag will actually be 7 characters instead of the usual 8. (Was told ahead on the CTF website itself)

Upload the PNG provided to http://www194.lunapic.com/editor/
1
Not so straight-forward.
Add filters, select Neon lights, and the real flag will be displayed.
2

 Grab Bag – 150 points (2)
=========
Traffic Dots 150 points

Traffic Dots are devices used in roadways around the world for detecting car presence at intersections as well as highways. They communicate with the traffic light controller over an unprotected 2.4ghz connection. They report how many cars have passed as well as if a car is present over the sensor. These are battery powered devices that are put under roads and are expected to last from 5 to 10 years on battery. The more cars that go over the sensor the faster the battery will drain. The software to configure the Traffic Dots is openly given out by the manufacturer and through some clever social engineering you managed to get access. You put the software on your laptop and got the proper radio technology to use the software. You are near an intersection where the traffic is very busy in one direction but not the other. There has to be a way to increase traffic by modifying these Traffic Dots which may result in someone running a red light due to impatience
==========
Our objective is to “result in someone running a red light due to impatience”.

The traffic dots that have the most cars run over them communicate with the traffic light controller and the controller assigns more time for traffic in that direction.

By switching making the traffic light controllers that the traffic dots report to, we can create a situation that someone might run a red light due to impatience, as they would have expected to have more time.

tis1

Freq: The connection frequency
Volt: The amount of battery remaining. The lower the voltage, the busier the road.

From the voltages, we can clearly see that traffic in the East-West directions is higher than North-South.

Let’s swap the frequencies.
tis2

We use 2.440 as an intermediate swap frequency as there is no in-built function to swap dot frequencies.

Once you have swapped:

W1 with N1, W2 with N2, E1 with S1, E2 with S2,

The flag will be revealed.

tis3

Grab Bag – 200 points
==========
Alien Contact 200 points

After many years of investing funds into the search for extraterrestrial life it has finally paid off! We have managed to capture what we believe is a broadcast from an alien radio station. Why not give it a look?
==========
This challenge was about analyzing the spectrum in a .wav audio file.

apt-get install audacity
launch audacity
open the .wav file with audacity
select “View Spectogram”

1

2

Crypto – 50 points
==========
… Not! 50 points

The key is not MCA-3CD9E73E.
==========
3CD9E73E
Converted to binary: 0011 1100 1101 1001 1110 0111 0011 1110
After performing NOT binary operation: 1100 0011 0010 0110 0001 1000 1100 0001
Conversion to hex: C32618C1

Flag = MCA-C32618C1

Incident Response – 100 points
==========
PCAP Examination 100 points

Scenario:
One morning before the daily IT team meeting, Joseph Adams inadvertently installs malware posing as a software update onto his corporate Windows VM. The malware beacons out to a Linux machine outside the corporate network and the waiting attacker uses Joe’s Windows 7 VM as a pivot point to reach the rest of the internal, corporate network.

The attacker locates a Linux-based file server and uses credentials that Joe had stored in an unencrypted plaintext file to log in to the file server.

The attacker locates a Truecrypt file on the file server, exfiltrates the file, and replaces the original file with a second file that he/she has uploaded.

When Joe returns from his morning meeting, he notices the attacker is still connected to his VM. He immediately logs in to the hypervisor, suspends the VMs, and retains the volatile memory (raw/DD) and virtual hard disk (VMDK) files from the affected machines for forensic analysis.

Later that afternoon, the attacker contacts the company’s CIO Office and offers up the original file and password for ransom.

The corporate CIO would like the internal IR Team to investigate whether the exfiltrated Truecrypt file can be recovered without having to pay the ransom.

Evidence
Archive Password: fV9kilIT29ITiGrZkvrOjZ4ENEK82O5ble4F9l5imirhDZ92COp9uPEZTCjNrAY
Prove that you have found the stolen file by providing its sha1sum
==========
Always good to get an overall view of the traffic present.
Wireshark Menu Bar > Statistics > Protocol Hierachy

tis1
We can see a significant amount of FTP Data being present.
Apply the display filter ‘ftp’ to get a closer look.

tis2

At 17994, we can see a file ‘pictures.zip’ being transferred, with filesize 4194304 bytes.
Let’s apply display filter ‘ftp-data’ to obtain the file.

tis3

On 17995, using right-click > Follow > TCP Stream , we will see the data contained within the packets that are involved with this stream.

tis4

We can see that the amount of data in the ‘Entire conversation’ is 4194 kB, which matches the file size of pictures.zip as we would expect.
Now we show the stream data as ‘RAW’, and click ‘Save as…’

tis5

The sha1sum gives us the answer. (flag)
tis6

Incident Response – 200 points
==========
Windows Volatile Memory Analysis 200 points

Show that you have discovered the attackers persistence mechanism by providing the sha1sum of the registry key used.
==========
We will make use of Volatility, a built-in forensics tool available in Kali Linux.

First step, to get a profile of the image. (Win7SP0x86)
1

Next, we can proceed on to examine the hivelist.
I chose to use the vol.py instead of the Volatility command due to some weird errors.
If you want to use vol.py, make sure that you are in the volatility folder as shown.

2

We can proceed to discover what are the registry keys used for the attacker’s persistence.
To auto run a malicious file when Windows boots up, the usual place an attacker will tamper with is the CurrentVersion\Run registry path.
We will proceed to use the function printkey -K

3

We can see that the .vbs script seems very suspicious, and the key associated is “exWaMEoIW”

The flag for this challenge:

4

Incident Response – 300
==========
Didn’t take down the question 😦
But the challenge was basically finding the password of a .db file and getting the sha1sum of it
==========
The password can be found from Incident Response – 200 by doing a lsadump.
ir300

Essentially that’s the key step. The rest is just mounting the 2 .dd images, one of which was encrypted. The screenshot contains the password to the encrypted image, and the employee database is in there.

Web – 100 points
==========
Crisscross 100 points

Our favorite Harry Potter fan site seems to be experiencing some problems, see if you can help us figure out why.
==========
The provided URL.
whatsapp-image-2016-09-18-at-00-52-49

View page source…
whatsapp-image-2016-09-18-at-00-53-22

Pretty straight forward. The flag was revealed at the
/whereISend/allYourPasswordsAndStuff
directory.

Web – 150 points
==========
Welcome Home 150 points

You just got back from a long trip and seem to have forgotten the PIN to your home security system. Guess you’ll just have to break in…
==========
URL provided.
Possible usernames: guest, JohnSmith.
whatsapp-image-2016-09-18-at-00-55-15
Another possible username? donutsAreGr8, we will just take note for now.

whatsapp-image-2016-09-18-at-00-55-51
Ok, So basically if we succeed in logging in, we will be redirected to /login/$username/$pin

whatsapp-image-2016-09-18-at-00-59-37

I went on to look at the request/response via Burp Suite proxy. I discovered that if the request was wrong, I will be presented with a 30X HTTP status code, and then redirected back to /home.
Since the PIN is only 4 digits, it was feasible to attempt brute-force.

First, make use of the tool ‘crunch’ to create a 0000-9999 word list.
I went on to launch gobuster, a brute-forcing tool.

The first user I tried on was ‘guest’, it was discovered that guest’s PIN is ‘1234’ and the status code returned was 200. The homepage of the user guest indicates that the flag is in another user’s home.

The next user I tried on was ‘JohnSmith’, after going through the entire word list, JohnSmith’s PIN was not discovered. I figured out my approach was most likely correct, since I am able to obtain guest’s PIN.

I tried the user donutsAreGr8 instead, and boom!
1

2

The user ‘JohnSmith’ was a distraction, and my approach was right 🙂

========================================================================

Ok, that’s all the challenges me and my buddy managed to solve.
We concluded at 1510 points total.
The full categories of this CTF were:
Binary
Crypto
Forensics
Grab Bag
Incident Response
Web

I was quite disappointed with myself as I did not progress well enough in the Web category. I am excited to see the full solution write up!

I definitely had fun and learned a few new stuff as well.

Cheers people~

-9emin1

Incident Handling

Standard

Since I’m currently studying for my SANS SEC504 course, I’ve decided to make a post about the Incident Handling part of it.

So what exactly is Incident Handling all about?
It is the action, or plan that you will take to deal with an incident that took place.

Examples of Incidents:

  • Computer Systems Infection/ being compromised
  • Cyber-theft
  • Denial of Service
  • Basically any events that occurred which causes potential damage or harm.

The six incident handling steps are Preparation, Identification, Containment, Eradication, Recovery and finally, Lessons Learned.

 

Preparation Overview

What is preparation all about? The main goal of this step is to get everything ready to handle an incident. Main focus on what to prepare:

  • The right people
  • Strategies
  • Support
  • Emergency Communication Plan
  • Tools (Hardware/Software

 

Identification Overview

So, where does the detection that leads to Identification come from? Mostly from people notifying you, or from firewalls and intrusion detection systems. You can also spot an incident from logs, which is why they are important. The main places which you should look at are:

  • Processes, services, scheduled tasks
  • Network usage rate
  • Accounts

Always remember that you must know what is the norm of an organisation in order to effectively and efficiently detect the anomaly.

 

Containment Overview

After you successfully identify an incident, you will proceed to contain it. As obvious as it sounds, containment is all about preventing the incident from worsening. Containment should include 3 sub-phases. The short-term containment(1), to quickly contain the incident while you create forensics image/back-up for analysis (2), and finally you can deploy the long-term containment(3).

Containment is to allow production to carry on, while you continue to build a clean system during eradication phase.

 

Eradication Overview

This is my favorite step out of the six. In this step, you will attempt to get rid of everything which caused the incident in the first place. You will also try to trace the incident back and also investigate how the incident happened. Interesting!

The BEST way for a complete eradication is to wipe the drive, reformat and rebuild the system from the original. This will prevent any re-infection. So what is next?

You will then improve your defense! You deserve to get attacked again if the same trick works twice. True?

Following which you should then do a vulnerability analysis to check for flaws on the systems. This method will ensure that all the neighboring systems does not have the same security flaws that caused the incident.

 

Recovery Overview

After eradication you will move on to recovery. In this phase, you will proceed to put the impacted systems back into production! Simple.

You must remember to always validate the system, ask for test plans and baseline documentation. Make sure that everything is working properly before you leave. Get a sign off from the respective management. Cover your own a$$.

Don’t forget to continue monitoring and conduct regular follow-ups!

 

Lessons Learned Overview

Nice, now you are at your final phase. Lessons Learned phase should consist of 2 parts: Report and Meeting

Lessons Learned Report:

  • Start as soon as possible
  • Document everything
  • Have everyone that is involved to sign off

Lessons Learned Meeting:

  • As soon as practical
  • Review the report together
  • Finalize Executive Summary
  • Areas for improvement

 

Now that I’ve covered the main concept of Incident Handling, does it interest you? If it does, you should probably check out the SANS SEC504 GCIH course for more information! The course also covers interesting topics such as Hacker tools, techniques and exploits. You will be able to perform Reconnaissance, Scanning, Exploitation to gain access, Maintain the access, and also Covering your Tracks! No more being a script kiddie. Hacking 101.

Please note that the information that I’ve covered above is very brief! You should conduct your own research or reading if you are interested in the various topics

-9emin1

more scriptkidd1e.wordpress.com

Standard

I figured it would be best to update what I’ve learned once every week.

  1. being able to keep track of my progress
  2. motivate myself to keep learning

What can you expect from this site?

Content related to Cyber Security

-9emin1