Author Topic: Can this be exploitable?  (Read 4995 times)
pizza1337 (Full Member, 156 posts)
« on: May 04, 2010, 01:40:19 PM »

For Visual Basic .NET
Code:
Imports System
Imports System.IO
Imports System.Net
Imports System.Net.Sockets
Imports System.Text
Imports Microsoft.VisualBasic


Class MyTcpListener

    Public Shared Sub Main()

        Dim server As TcpListener
        server = Nothing
        Try
            ' Set the TcpListener on port 666.
            Dim port As Int32 = 666
            Dim localAddr As IPAddress = IPAddress.Parse("0.0.0.0")

            server = New TcpListener(localAddr, port)

            ' Start listening for client requests.
            server.Start()

            ' Buffer for reading data. VB array bounds are inclusive, so
            ' bytes(1024) has 1025 elements; every Read is capped at bytes.Length.
            Dim bytes(1024) As Byte
            Dim data As String = Nothing

            ' Enter the listening loop.
            While True
                Console.Write("Waiting for a connection... ")

                ' Perform a blocking call to accept requests.
                ' You could also use server.AcceptSocket() here.
                Dim client As TcpClient = server.AcceptTcpClient()
                Console.WriteLine("Connected!")

                data = Nothing

                ' Get a stream object for reading and writing
                Dim stream As NetworkStream = client.GetStream()

                Dim i As Int32

                ' Loop to receive all the data sent by the client.
                i = stream.Read(bytes, 0, bytes.Length)

                While (i <> 0)
                    ' Translate data bytes to a ASCII string.
                    data = System.Text.Encoding.ASCII.GetString(bytes, 0, i)
                    Console.WriteLine("Received: {0}", data)

                    ' Process the data sent by the client.
                    data = data.ToUpper()
                    Dim msg As Byte() = System.Text.Encoding.ASCII.GetBytes(data)

                    ' Send back a response.
                    stream.Write(msg, 0, msg.Length)
                    Console.WriteLine("Sent: {0}", data)

                    i = stream.Read(bytes, 0, bytes.Length)

                End While

                ' Shutdown and end connection
                client.Close()
            End While
        Catch e As SocketException
            Console.WriteLine("SocketException: {0}", e)
        Finally
            server.Stop()
        End Try

        Console.WriteLine(ControlChars.Cr + "Hit enter to continue....")
        Console.Read()
    End Sub 'Main

End Class 'MyTcpListener

Got it from http://msdn.microsoft.com/en-us/library/system.net.sockets.tcplistener.aspx

I know I can crash the program with

perl -e 'print "X" x5510' > data.txt
telnet (SERVER_IP) 666 < data.txt

Is it possible to generate an exploit for something like that? Or am I just on the wrong path?
« Last Edit: May 04, 2010, 01:43:31 PM by pizza1337 »
zeroflaw (Full Member, 184 posts)
« Reply #1 on: May 04, 2010, 02:21:17 PM »

I wasn't able to crash the program the way you described. I'm not into Visual Basic, but it looks like it's not possible to write past the buffer.

Code:
' Loop to receive all the data sent by the client.
i = stream.Read(bytes, 0, bytes.Length)


The length of the byte array is 1024, and it looks like the stream.Read function will only read that amount of bytes. I think if you send the application more data it will just ignore the rest of the bytes.

What error did you get when the app crashed?
Ketchup (Hero Member, 1006 posts)
« Reply #2 on: May 04, 2010, 02:39:04 PM »

I think the stream.Read() function is fine for VB. In C++ you would need to read a buffer one less than the size of the byte array to accommodate the null byte string terminator. I believe VB.NET terminates strings automatically, though.
pizza1337 (Full Member, 156 posts)
« Reply #3 on: May 04, 2010, 02:42:10 PM »

Quote from: zeroflaw
I wasn't able to crash the program the way you described. I'm not into Visual Basic, but it looks like it's not possible to write past the buffer.

Code:
' Loop to receive all the data sent by the client.
i = stream.Read(bytes, 0, bytes.Length)

The length of the byte array is 1024, and it looks like the stream.Read function will only read that amount of bytes. I think if you send the application more data it will just ignore the rest of the bytes.

What error did you get when the app crashed?

A first chance exception of type 'System.IO.IOException' occurred in system.dll
the program '(3396) consoleapplication1.exe: managed' has exited with code 0 (0x0).
Ketchup (Hero Member, 1006 posts)
« Reply #4 on: May 04, 2010, 03:26:26 PM »

I just compiled the code and tried what you did. I do not get a crash. Only 1025 bytes are read and spat back out at a time. The program just loops until all the data is read, but only reads 1025 bytes at a time.
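As an added example, not code from this thread or from the MSDN page it links: the same echo loop in C over a socketpair, so the 5510-byte payload can be fed to it without a network and the behaviour Ketchup describes (bounded reads, looping until the peer closes) can be checked directly. It assumes a POSIX system. The buffer is the 1025 elements that Dim bytes(1024) produces, but the C version reads one byte fewer so each chunk can be NUL-terminated before it is treated as a string, which is the point raised in the reply about C++ above. The 'x' payload is constructed inside the program.

```c
/* Added example, not the thread's code: the posted VB.NET echo loop in C.
 * Client and server share a socketpair and run in one thread; the whole
 * payload (5510 bytes) fits in the socket buffer, so no threads are needed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define BUFSIZE 1025   /* Dim bytes(1024) As Byte is 1025 elements */

struct echo_stats {
    size_t total;      /* bytes echoed back to the client */
    size_t reads;      /* recv() calls that returned data */
    size_t max_chunk;  /* largest single read; never above BUFSIZE - 1 */
};

/* Server side, mirroring the VB loop: read until the peer closes (Read
 * returning 0), upper-case the chunk and send it back. The read is capped at
 * sizeof buf - 1 so buf[n] = '\0' stays inside the array (the spare byte a C
 * string needs; the managed version has no terminator to worry about). */
static struct echo_stats serve(int fd)
{
    struct echo_stats st = {0, 0, 0};
    unsigned char buf[BUFSIZE];
    ssize_t n;

    while ((n = recv(fd, buf, sizeof buf - 1, 0)) > 0) {
        for (ssize_t i = 0; i < n; i++)
            buf[i] = (unsigned char)toupper(buf[i]);
        buf[n] = '\0';                       /* safe: n <= sizeof buf - 1 */
        if (send(fd, buf, (size_t)n, 0) != n)
            break;
        st.total += (size_t)n;
        st.reads++;
        if ((size_t)n > st.max_chunk)
            st.max_chunk = (size_t)n;
    }
    return st;
}

/* Client side: send payload_len bytes of 'x' (constructed here), half-close
 * like telnet hitting EOF on data.txt, run the server loop on the other end,
 * then collect the echo into out. Returns bytes received or -1 on error.
 * Keep payload_len well below the socket buffer size or the single-threaded
 * send would block. */
static int run_echo(size_t payload_len, unsigned char *out, size_t outcap,
                    struct echo_stats *st)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;

    unsigned char *payload = malloc(payload_len);
    if (payload == NULL)
        return -1;
    memset(payload, 'x', payload_len);

    size_t sent = 0;
    while (sent < payload_len) {
        ssize_t w = send(sv[0], payload + sent, payload_len - sent, 0);
        if (w <= 0) { free(payload); return -1; }
        sent += (size_t)w;
    }
    free(payload);
    shutdown(sv[0], SHUT_WR);                /* server's Read now returns 0 */

    *st = serve(sv[1]);
    close(sv[1]);                            /* client.Close() */

    size_t got = 0;
    ssize_t r;
    while (got < outcap && (r = recv(sv[0], out + got, outcap - got, 0)) > 0)
        got += (size_t)r;
    close(sv[0]);
    return (int)got;
}

int main(void)
{
    static unsigned char out[8192];
    struct echo_stats st;
    int got = run_echo(5510, out, sizeof out, &st);
    printf("echoed %d bytes in %zu reads, largest read %zu bytes\n",
           got, st.reads, st.max_chunk);
    return got == 5510 ? 0 : 1;
}
```

With the 5510-byte payload the server makes six reads, none larger than the buffer, and every byte comes back upper-cased; the size of the payload only changes how many times the loop runs, which is why the buffer length is not the place to look for a crash in this program.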
pizza1337 (Full Member, 156 posts)
« Reply #5 on: May 04, 2010, 03:51:03 PM »

Weird, I tried it on two computers and it crashes.

http://blip.tv/file/3578319

I guess I am doing something wrong.

What are some places where I could learn more about finding overflows or problems and making exploits?
Ketchup (Hero Member, 1006 posts)
« Reply #6 on: May 04, 2010, 04:22:17 PM »

The exception occurs when the program attempts to write the information back to the socket. This likely indicates that your test host is blocking the connection or something similar. Check firewall settings and anti-virus settings that may be blocking the connection. Also try using another port, like 8080.

Either way, your error does not appear to be related to the size of the buffer.

<edit>Pizza, read n1p's article on the front page of EH-Net. It's great and it has every bit to do with what you are doing.</edit>
sil (Hero Member, 536 posts)
« Reply #7 on: May 06, 2010, 02:09:56 PM »

Quote from: pizza1337
A first chance exception of type 'System.IO.IOException' occurred in system.dll
the program '(3396) consoleapplication1.exe: managed' has exited with code 0 (0x0).

Why don't you try running a debugger in the background and attach to the process to find out whether or not you can do anything with it:

Code:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\IBM\XXXXXXXX\SomethingWasHere.dll -
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????
0:000> g
(4b74.4b54): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00c583a6 mov edx,dword ptr [eax]

Basic Block:
    00c583a6 mov edx,dword ptr [eax]
       Tainted Input Operands: eax
    00c583a8 mov edx,dword ptr [edx+10h]
       Tainted Input Operands: edx
    00c583ab lea ecx,[esi+4]
    00c583ae push ecx
    00c583af push eax
       Tainted Input Operands: eax
    00c583b0 call edx
       Tainted Input Operands: edx, StackContents

Exception Hash (Major/Minor): 0x10163335.0x10634435

Stack Trace:
SomethingWasHere+0x83a6
SomethingWasHere+0xaeb8
Instruction Address: 0x0000000000c583a6

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at SomethingWasHere+0x00000000000083a6 (Hash=0x10163335.0x10634435)

The data from the faulting address is later used as the target for a branch.
0:000> g
(4b74.4b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????
0:000> r eax=deadbabe
0:000> g
(4b74.4b54): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????
0:000> r eax=deadbabe
0:000> g
(4b74.4b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=deadbabe ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:deadbabe=????????
0:000> g
(4b74.4b54): Access violation - code c0000005 (!!! second chance !!!)
eax=deadbabe ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:deadbabe=????????
0:000> r eip=eax
0:000> g
(4b74.4b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=deadbabe ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=deadbabe esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
deadbabe ??              ???
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffdeadbabe
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0x4e42002f.0x2059002f

Stack Trace:
Unknown
Unknown
SomethingWasHere+0xaeb8
Instruction Address: 0xffffffffdeadbabe

Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0xffffffffdeadbabe called from SomethingWasHere+0x000000000000aeb8 (Hash=0x4e42002f.0x2059002f)

User mode DEP access violations are exploitable.

The following WinDbg session demonstrates control over EIP, EBX, etc., due to a crash. I removed the program name because it's going through CERT right now; nevertheless, I started fuzzing the application, caused an exception and followed through on finding a method to exploit after the exception. All I needed to do was show proof of concept, as I was solely seeking to report an advisory, not provide a 'weaponized' exploit.

eax=deadbabe ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=deadbabe esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
deadbabe ?? 
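An added example, not sil's code and not from the program he reported: the shape of the basic block that !exploitable flagged, written out in C next to a hardened counterpart, to show why "Data from Faulting Address controls Code Flow" is classified the way it is and what the fix looks like. The struct layout, the slot number and the function names are assumptions, chosen so that slot 4 of the vtable sits at +0x10 on a 32-bit build, matching mov edx,[edx+10h] followed by call edx. The posted VB.NET listener does not contain this pattern; its IOException is a managed exception, not a native access violation, which is the distinction the debugger session above turns on.

```c
/* Added example, not from the thread. Vulnerable shape:
 *     mov edx, [eax]        ; eax = object pointer taken from input
 *     mov edx, [edx+10h]    ; edx = vtable slot 4
 *     call edx              ; indirect call through it
 * If input controls eax, it controls the pointer that gets called. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*method_t)(void *self, int arg);

struct vtable { method_t slot[5]; };         /* slot[4] is at +0x10 on x86 */
struct object { const struct vtable *vt; int state; };

static int m_unused(void *self, int arg) { (void)self; (void)arg; return -1; }
static int m_process(void *self, int arg)
{
    struct object *o = self;
    o->state += arg;
    return o->state;
}

/* Hypothetical vtable: only the slot at +0x10 does anything. */
static const struct vtable echo_vtable = {
    { m_unused, m_unused, m_unused, m_unused, m_process }
};

/* Vulnerable shape. 'raw' is whatever arrived on the wire. raw == 0 gives the
 * read access violation at address 0 seen in the first !exploitable run; any
 * other attacker-chosen value (0xdeadbabe in the session) is dereferenced as
 * an object and the resulting pointer is called. Never feed untrusted 'raw'
 * to this; it is here only to be called with a legitimate pointer. */
static int dispatch_unchecked(uintptr_t raw, int arg)
{
    struct object *o = (struct object *)raw;
    return o->vt->slot[4](o, arg);           /* call edx */
}

/* Hardened shape: the input is an index into a table the program owns, the
 * index is bounds-checked, and the slot must be allocated. The called pointer
 * never derives from data, so tainted input can at most be rejected. */
#define MAX_OBJECTS 4
static struct object objects[MAX_OBJECTS];

static int dispatch_checked(uint32_t idx, int arg, int *ok)
{
    if (idx >= MAX_OBJECTS) { *ok = 0; return 0; }     /* out of range */
    struct object *o = &objects[idx];
    if (o->vt == NULL)    { *ok = 0; return 0; }       /* unallocated slot */
    *ok = 1;
    return o->vt->slot[4](o, arg);
}

static void init_objects(void)
{
    for (int i = 0; i < MAX_OBJECTS; i++) {
        objects[i].vt = &echo_vtable;
        objects[i].state = 0;
    }
}

int main(void)
{
    int ok;
    init_objects();
    printf("valid index 1    -> %d (ok=%d)\n", dispatch_checked(1, 5, &ok), ok);
    printf("index 0xdeadbabe -> %d (ok=%d)\n",
           dispatch_checked(0xdeadbabeu, 5, &ok), ok);
    printf("trusted pointer  -> %d\n",
           dispatch_unchecked((uintptr_t)&objects[2], 3));
    return 0;
}
```

The unchecked function is what makes the first-chance read AV at 0x0 worth more than a null-pointer crash: the same instruction with a non-zero attacker value becomes a controlled indirect call, which is the step the r eax=deadbabe experiment above reproduces by hand. The checked version keeps the dispatch but removes the attacker's influence over the pointer.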