Friday, 3 December 2010

Data mining Backtrack 4 for buffer overflow return addresses

So, if you are reading this blog you are probably aware of the online exploit database sponsored by Offensive Security, which currently holds over 15,000 exploits, from the present back to the mid-1990s.


There are some advantages to using this database online, such as the ability to download some of the vulnerable applications for testing purposes.

However, there is already a local copy of all of these exploits on Backtrack 4, held in /pentest/exploits/exploitdb and its subdirectories. A local copy has some other advantages, which we explore here: namely, mining it for useful information.


The advantages of a local copy of the database

In addition to the convenience of having the exploits already downloaded, there are other things that you can do by having a local copy. (A few weeks back, I used this local copy to do some analysis of language trends in exploit development.)

Here I am going to explore a couple of ways we could retrieve previously found return addresses, using the knowledge stored in files on Backtrack.


Updating the exploit database

First get your copy of the exploit database up-to-date.

cd /pentest/exploits/
svn co svn://www.exploit-db.com/exploitdb


You should see the new files and changes whiz past as you get your copy of Backtrack up to the latest revision of the exploit database.


Basic exploit searches

Cool, so we will test the update by looking for something recent in the index file. I will do a quick search for an exploit from this week, the ProFTPD remote root exploit.

cd exploitdb
grep -i "ProFTPD" files.csv | grep -i "remote root"
107,platforms/linux/remote/107.c,"ProFTPD 1.2.9rc2 ASCII File Remote Root Exploit",2003-10-04,bkbll,linux,remote,21
110,platforms/linux/remote/110.c,"ProFTPD 1.2.7 - 1.2.9rc2 Remote Root & brute-force Exploit",2003-10-13,Haggis,linux,remote,21
3021,platforms/linux/remote/3021.txt,"ProFTPD <= 1.2.9 rc2 (ASCII File) Remote Root Exploit",2003-10-15,"Solar Eclipse",linux,remote,21
15449,platforms/linux/remote/15449.pl,"ProFTPD IAC Remote Root Exploit",2010-11-07,Kingcope,linux,remote,0

There are a few in there; the one from this week is the last line (15449).


Searching for specific code within the database

We are up-to-date, so what interesting things can we do with all this exploit data?

How about we search all the files for some piece of information we might want to know?

Let's take the example of looking for "JMP ESP" addresses (used in buffer-overflows to control code execution). Quite often, good information on this is available in the comment sections of the exploits.

First we will search for all the files that might contain offset addresses, using fgrep to recursively search and list any files containing the phrase "jmp esp":

fgrep -r -l -i "jmp esp" *

This produces a long list of files (including some I don't want):

...truncated for brevity...
platforms/windows/remote/10394.py
platforms/windows/remote/4316.cpp
platforms/windows/remote/9319.py
platforms/windows/remote/.svn/text-base/9853.rb.svn-base
platforms/windows/remote/.svn/text-base/4316.cpp.svn-base
platforms/windows/remote/.svn/text-base/3650.c.svn-base

 ...truncated for brevity...

We will filter out anything with "svn-base" and count what we have left:

fgrep -r -l -i "jmp esp" * | grep -v "svn-base" | wc -l

232



Extracting and filtering the data

We have 232 files potentially containing "jmp esp" addresses; let's grab those suckers.

We'll wrap our filenames in a "for" loop, to pull just the lines we want, out of the files we are interested in.

for file in $(fgrep -r -l -i "jmp esp" * | grep -v "svn-base"); do grep "jmp esp" $file; done

This produces a big blob of data. Say we are interested in finding addresses for Windows XP SP2:

for file in $(fgrep -r -l -i "jmp esp" * | grep -v "svn-base"); do grep "jmp esp" $file; done | grep -i "Win XP SP2"

[ 'Win XP SP2 English', { 'Ret' => 0x77D8AF0A } ], # jmp esp user32.dll 

$ret = "\xED\x1E\x95\x7C"; #jmp esp en ntdll.dll,win xp sp2(spanish) 
"\xb3\x57\x04\x7d"  # jmp esp @ shell32.dll - Win XP SP2

Well, that gives 3 options, one for Spanish, two for English. Pretty handy if you don't happen to have a Windows XP SP2 system lying around waiting to help you develop your exploit for that version - all thanks to exploit developers who comment their code nicely.

(There are several more if you mess with the final grep expression to try different ways of writing "WinXP sp2".)


Mining Metasploit

Of course, you could run similar operations on the Metasploit modules. First update Metasploit:

msfupdate

Then we can run the following command (which gives another handy set of return addresses):


for file in $(fgrep -r -l -i "jmp esp" /pentest/exploits/framework3/modules/*); do grep -i "jmp esp" $file; done | sort -u | grep -i "xp sp2"

  #0x773f346a # XP SP2 comctl32.dll: jmp esp
 #[ 'Windows XP SP2 English', { 'Ret' => 0x76b43ae0 } ], # jmp esp, winmm.dll
 'Ret1' => 0x00420B45, # jmp esp on XP SP2 (iexplore.exe)
 'jmp esp' => 0x774699bf, # user32.dll (xp sp2 and sp3)
 [ 'Win XP SP2 English', { 'Ret' => 0x77D8AF0A } ], # jmp esp / user32.dll
 [ 'Windows XP SP2 - EN', { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en
 [ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll
 [ 'Windows XP SP2 Pro German', { 'Ret' => 0x77D5AF0A } ], # SHELL32.dll JMP ESP
 [ 'Windows XP SP2 Spanish', { 'Ret' => 0x7c951eed } ], #jmp esp
 [ 'Windows XP SP2 Universal', { 'Ret' => 0x77d92acc } ], # USER32.dll JMP ESP
 [ 'Windows XP SP2/SP3 English', { 'Ret' => 0x774699bf } ], # jmp esp, user32.dll
 ['Windows XP SP2 French', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp
 ['Windows XP SP2 German', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp
 ['Windows XP SP2 Polish', { 'Rets' => [ 1787, 0x77d4e26e ]}], # jmp esp


Of course you can add the grep -B or -A options, to get lines before and after the line containing what you searched for.
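
The searches above (exploitdb and the Metasploit modules) as one function, as an added example that is not from the original post: it skips .svn directories during the walk instead of filtering "svn-base" afterwards, keeps the file name next to each hit, and uses one regular expression for the different spellings of "XP SP2". The function names, the regular expression and the sample tree with its placeholder addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# mine_comments ROOT PHRASE OS_REGEX
#   ROOT     tree to search (the exploitdb checkout, the Metasploit modules, ...)
#   PHRASE   fixed string, matched case-insensitively, e.g. "jmp esp"
#   OS_REGEX extended regex for the platform wording on the same line
mine_comments() {
    root=$1 phrase=$2 os_regex=$3
    # -prune skips Subversion metadata, so no "svn-base" copies show up.
    # -exec ... {} + passes file names straight to grep, so names containing
    # spaces survive (a for-loop over $(...) would split them).
    # -H keeps "file:" in front of every hit; note the second grep sees it too.
    find "$root" -name .svn -prune -o -type f \
        -exec grep -i -F -H -e "$phrase" {} + |
        grep -i -E -e "$os_regex" |
        sort -u
}

# Matches "Win XP SP2", "WinXP sp2", "XP SP 2", "xpsp2", "XP-SP2", ...
XP_SP2='xp[ _-]*sp[ _-]*2'

# Constructed sample tree; every address is a placeholder.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/windows/remote/.svn/text-base" "$t/windows/local"
    printf '%s\n' "[ 'Win XP SP2 English', { 'Ret' => 0x11111111 } ], # jmp esp user32.dll" \
        > "$t/windows/remote/1.rb"
    cp "$t/windows/remote/1.rb" "$t/windows/remote/.svn/text-base/1.rb.svn-base"
    printf '%s\n' 'ret = 0x22222222  # JMP ESP, WinXP sp2' > "$t/windows/local/two words.py"
    printf '%s\n' '/* jmp esp, Windows 2000 SP4: 0x33333333 */' > "$t/windows/remote/3.c"
    printf '%s\n' '# tested on XP SP2 only' > "$t/windows/remote/4.pl"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
mine_comments "$tree" "jmp esp" "$XP_SP2"   # two hits: 1.rb and "two words.py"
rm -rf "$tree"
```

For the searches on this page, ROOT would be /pentest/exploits/exploitdb or /pentest/exploits/framework3/modules.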

There are probably many other uses for this type of searching. Looking for strings like "jmp esp" is just one example.

Please leave a comment if you find this helpful, or if you can think of any other applications for these techniques.

4 comments:

  1. Very useful.
    Thanks!
