Friday, 3 December 2010

Data mining Backtrack 4 for buffer overflow return addresses

So, if you are reading this blog you are probably aware of the online exploit database sponsored by Offensive Security, which currently holds over 15,000 exploits, from the present back to the mid 1990's.


There are some advantages to using this database online, such as the ability to download some of the vulnerable applications for testing purposes.

However, there is already a local copy of all of these exploits on Backtrack 4, held in /pentest/exploits/exploitdb and subdirectories - which has some other advantages we explore here i.e. mining it for useful information.


The advantages of a local copy of the database

In addition to the convenience of having the exploits already downloaded, there are other things that you can do by having a local copy. (A few weeks back, I used this local copy to do some analysis of Language trends in exploit development )

Here I am going to explore a couple of ways we could retrieve previously found return addresses, using the knowledge stored in files on backtrack.


Updating the exploit database

First get your copy of the exploit database up-to-date.

cd /pentest/exploits/
svn co svn://www.exploit-db.com/exploitdb


You should see the new files and changes whiz past as you get your copy of Backtrack up to the latest revision of the exploit database.


Basic exploit searches

Cool, so we will test the update by looking for something recent in the index file. I will do a quick search for an exploit from this week, the ProFTP remote root exploit.

cd exploitdb
grep -i "ProFTPD" files.csv | grep -i "remote root"
107,platforms/linux/remote/107.c,"ProFTPD 1.2.9rc2 ASCII File Remote Root Exploit",2003-10-04,bkbll,linux,remote,21
110,platforms/linux/remote/110.c,"ProFTPD 1.2.7 - 1.2.9rc2 Remote Root & brute-force Exploit",2003-10-13,Haggis,linux,remote,21
3021,platforms/linux/remote/3021.txt,"ProFTPD <= 1.2.9 rc2 (ASCII File) Remote Root Exploit",2003-10-15,"Solar Eclipse",linux,remote,21
15449,platforms/linux/remote/15449.pl,"ProFTPD IAC Remote Root Exploit",2010-11-07,Kingcope,linux,remote,0

There are a few in there, but I have highlighted the one from this week (15449) in red.


Searching for specific code within the database

We are up-to-date, so what interesting things can we do with all this exploit data?

How about we search all the files for some piece of information we might want to know?

Let's take the example of looking for "JMP ESP" addresses (used in buffer-overflows to control code execution). Quite often, good information on this is available in the comment sections of the exploits.

First we will search for all the files that might contain offset addresses, using fgrep to recursively search and list any files containing the phrase "jmp esp":

fgrep -r -l -i "jmp esp" *

This produces a long list of files (including some I don't want)

...truncated for brevity...
platforms/windows/remote/10394.py
platforms/windows/remote/4316.cpp
platforms/windows/remote/9319.py
platforms/windows/remote/.svn/text-base/9853.rb.svn-base
platforms/windows/remote/.svn/text-base/4316.cpp.svn-base
platforms/windows/remote/.svn/text-base/3650.c.svn-base

 ...truncated for brevity...

We will filter out anything with "svn-base" and count what we have left:

fgrep -r -l -i "jmp esp" * | grep -v "svn-base" | wc -l

232



Extracting and filtering the data

We have 232 files potentially containing "jmp esp" addresses, let's grab those suckers.

We'll wrap our filenames in a "for" loop, to pull just the lines we want, out of the files we are interested in.

for file in $(fgrep -r -l -i "jmp esp" * | grep -v "svn-base"); do grep "jmp esp" $file; done

This produces a big blob of data, but, say we are interested to find addresses for Windows XP SP 2:

for file in $(fgrep -r -l -i "jmp esp" * | grep -v "svn-base"); do grep "jmp esp" $file; done | grep -i "Win XP SP2"

[ 'Win XP SP2 English', { 'Ret' => 0x77D8AF0A } ], # jmp esp user32.dll 

$ret = "\xED\x1E\x95\x7C"; #jmp esp en ntdll.dll,win xp sp2(spanish) 
"\xb3\x57\x04\x7d"  # jmp esp @ shell32.dll - Win XP SP2

Well, that gives 3 options, one for Spanish, two for English. Pretty handy if you don't happen to have a Windows XP SP2 system lying around waiting to help you develop your exploit for that version - all thanks to exploit developers who comment their code nicely.

(there are several more if you mess with the final grep expression to try different ways of writing "WinXP sp2").


Mining Metasploit

Of course, you could run similar operations on the Metasploit modules. First update Metasploit:

msfupdate

Then we can run the following command (which gives another handy set of return addresses):


for file in $(fgrep -r -l -i "jmp esp" /pentest/exploits/framework3/modules/*); do grep -i "jmp esp" $file; done | sort -u | grep -i "xp sp2"

  #0x773f346a # XP SP2 comctl32.dll: jmp esp
 #[ 'Windows XP SP2 English', { 'Ret' => 0x76b43ae0 } ], # jmp esp, winmm.dll
 'Ret1' => 0x00420B45, # jmp esp on XP SP2 (iexplore.exe)
 'jmp esp' => 0x774699bf, # user32.dll (xp sp2 and sp3)
 [ 'Win XP SP2 English', { 'Ret' => 0x77D8AF0A } ], # jmp esp / user32.dll
 [ 'Windows XP SP2 - EN', { 'Ret' => 0x0fa14ccf } ], # jmp esp expsrv.dll xpsp2 en
 [ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll
 [ 'Windows XP SP2 Pro German', { 'Ret' => 0x77D5AF0A } ], # SHELL32.dll JMP ESP
 [ 'Windows XP SP2 Spanish', { 'Ret' => 0x7c951eed } ], #jmp esp
 [ 'Windows XP SP2 Universal', { 'Ret' => 0x77d92acc } ], # USER32.dll JMP ESP
 [ 'Windows XP SP2/SP3 English', { 'Ret' => 0x774699bf } ], # jmp esp, user32.dll
 ['Windows XP SP2 French', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp
 ['Windows XP SP2 German', { 'Rets' => [ 1787, 0x77d5af0a ]}], # jmp esp
 ['Windows XP SP2 Polish', { 'Rets' => [ 1787, 0x77d4e26e ]}], # jmp esp


Of course you can add the grep -B or -A options, to get lines before and after the line containing what you searched for.

There are probably many other uses for this type of searching. Looking for strings like "jmp esp" is just one example.

Please leave a comment if you find this helpful, or if you can think of any other applications for these techniques.

7 comments:

  1. Very useful.
    Thanks!

    ReplyDelete
  2. تسليك المجاري بالقواطع الدوارة :
    ـ من أحدث آلات شركة تسليك مجاري وأكثر ها تطورا ، آلة القواطع الدوارة ، وهي عبارة عن محرك ضخم يتحكم في قضيب معدني قوي ينتهي برأس دوارة ذات زوائد حادة أو قواطع تعمل بحركة دائرية داخل أنبوب الصرف بغرض سحق النفايات المتصلبة بالداخل وبمساعدة الماء يكون من السهل التخلص منها بسريانها في اتجاه الخروج الطبيعي من الشبكة .
    ـ وهذه التقنية لها تأثير جيد طويل الأمد على حالة الصرف من حيث القضاء على جميع أسباب الانسداد لفترات طويلة بشرط الالتزام بسلوكيات الاستخدام الصحيحة .


    أفضل شركة تسليك مجاري بالدمام

    ـ و القواطع الدوارة وسيلة لمواجهة أشد حالات توقف شبكات الصرف عن العمل والذي يوصف بتوقف الماء تمام عن الحركة ، ويحتاج استخدام هذا النوع من الآلات إلى المهنية والحرص الشديد لعدم الإضرار بالأنابيب .

    ReplyDelete
  3. عزيزى العميل اهلا ومرحبا بك فى موقع مؤسسة الحرمــين للمقاولات العامة والعوازل
    شركه عزل فوم بالاحساء و الرياض
    الموقع الرائد فى عالم الخدمات المنزليه والاول بالمملكه العربيه السعوديه لما يتمتع به من خدمات مميزه ، فالبرغم من اننا مؤسسه ربحيه الا ان مزاولة نشاطتنا


    شركه عزل فوم بجدة


    شركه عزل فوم بمكة



    شركه عزل فوم بالرياض كلها مرتبط على نحو وثيق بتلبية طلبات وحاجات عملائنا ولتحقيق ذلك الهدف نقدم لك كافة الخدمات الشامله بالالتزام الصارم وبأرقى المعايير المهنيه المتطوره
    فلدينا خبره طويله فى مجال مكافحة الحشرات والكشف عن التسربات وتسليك المجارى وعزل الاسطح وترميم وصيانه المنازل وتخزينه بكفاءة منقطعة النظير ، لا تتردد واتصل
    بموقع مؤسسة الحرمــين فخدماتنا ليس لها بديل واسعارنا ليس لها مثيل ،ولدينا فريق عمل يتصل مع العملاء على جسور الثقه
    والصدق والامانه فى العمل ، وهدفنا هو ارضاؤك وراحتك ، لا تقلق ونحن معك
    لا تجهد نفسك ونحن تحت امرك ورهن اشارتك .
    أبرز خدمات مؤسسة الحرمــين للمقاولات العامة بالدمام والرياض

    شركه عزل فوم بالدمام

    ReplyDelete
  4. Hey Guys !

    USA Fresh & Verified SSN Leads with DL Number AVAILABLE with 99.9% connectivity
    All Leads have genuine & valid information

    **HEADERS IN LEADS**
    First Name | Last Name | SSN | Dob | DL Number | Address | City | State | Zip | Phone Number | Account Number | Bank Name | Employee Details | IP Address

    *Price for SSN lead $2
    *You can ask for sample before any deal
    *If anyone buy in bulk, we can negotiate
    *Sampling is just for serious buyers

    ==>ACTIVE, FRESH CC & CVV FULLZ AVAILABLE<==
    ->$5 PER EACH

    ->Hope for the long term deal
    ->Interested buyers will be welcome

    **Contact 24/7**
    Whatsapp > +923172721122
    Email > leads.sellers1212@gmail.com
    Telegram > @leadsupplier
    ICQ > 752822040

    ReplyDelete
  5. It's an Amazing post ever. Thanks for insightful post for preparing Job exam.

    ReplyDelete