
Can this be exploitable?

pizza1337

Full Member

Posts: 156

Joined: Mon Mar 08, 2010 5:29 pm

Post Tue May 04, 2010 1:40 pm

Can this be exploitable?

For Visual Basic .NET
  Code:
Imports System
Imports System.IO
Imports System.Net
Imports System.Net.Sockets
Imports System.Text
Imports Microsoft.VisualBasic


Class MyTcpListener

    Public Shared Sub Main()

        Dim server As TcpListener
        server = Nothing
        Try
            ' Set the TcpListener on port 666.
            Dim port As Int32 = 666
            Dim localAddr As IPAddress = IPAddress.Parse("0.0.0.0")

            server = New TcpListener(localAddr, port)

            ' Start listening for client requests.
            server.Start()

            ' Buffer for reading data (VB declares indices 0..1024, so 1025 bytes)
            Dim bytes(1024) As Byte
            Dim data As String = Nothing

            ' Enter the listening loop.
            While True
                Console.Write("Waiting for a connection... ")

                ' Perform a blocking call to accept requests.
                ' You could also use server.AcceptSocket() here.
                Dim client As TcpClient = server.AcceptTcpClient()
                Console.WriteLine("Connected!")

                data = Nothing

                ' Get a stream object for reading and writing
                Dim stream As NetworkStream = client.GetStream()

                Dim i As Int32

                ' Loop to receive all the data sent by the client.
                i = stream.Read(bytes, 0, bytes.Length)

                While (i <> 0)
                    ' Translate data bytes to a ASCII string.
                    data = System.Text.Encoding.ASCII.GetString(bytes, 0, i)
                    Console.WriteLine("Received: {0}", data)

                    ' Process the data sent by the client.
                    data = data.ToUpper()
                    Dim msg As Byte() = System.Text.Encoding.ASCII.GetBytes(data)

                    ' Send back a response.
                    stream.Write(msg, 0, msg.Length)
                    Console.WriteLine("Sent: {0}", data)

                    i = stream.Read(bytes, 0, bytes.Length)

                End While

                ' Shutdown and end connection
                client.Close()
            End While
        Catch e As SocketException
            Console.WriteLine("SocketException: {0}", e)
        Finally
            server.Stop()
        End Try

        Console.WriteLine(ControlChars.Cr + "Hit enter to continue....")
        Console.Read()
    End Sub 'Main

End Class 'MyTcpListener


Got it from http://msdn.microsoft.com/en-us/library ... tener.aspx

I know I can crash the program with

perl -e 'print "X" x5510' > data.txt
telnet (SERVER_IP) 666 < data.txt

Is it possible to generate an exploit for something like that? Or am I just on the wrong path?
Last edited by pizza1337 on Tue May 04, 2010 1:43 pm, edited 1 time in total.
Knowledge Resource is Power.
zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Tue May 04, 2010 2:21 pm

Re: Can this be exploitable?

I wasn't able to crash the program the way you described. I'm not into Visual Basic, but it looks like it's not possible to write past the buffer.

  Code:
' Loop to receive all the data sent by the client.
i = stream.Read(bytes, 0, bytes.Length)



The length of the byte array is 1024, and it looks like the stream.Read function will only read that amount of bytes. I think if you send the application more data it will just ignore the rest of the bytes.

What error did you get when the app crashed?
ZF
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue May 04, 2010 2:39 pm

Re: Can this be exploitable?

I think that stream.Read() function is fine for VB. In C++ you would need to read a buffer one less than the size of the byte array to accommodate the null byte string terminator. I believe vb.net terminates strings automatically though.
~~~~~~~~~~~~~~
Ketchup
pizza1337

Full Member

Posts: 156

Joined: Mon Mar 08, 2010 5:29 pm

Post Tue May 04, 2010 2:42 pm

Re: Can this be exploitable?

zeroflaw wrote: I wasn't able to crash the program the way you described. I'm not into Visual Basic, but it looks like it's not possible to write past the buffer.

  Code:
' Loop to receive all the data sent by the client.
i = stream.Read(bytes, 0, bytes.Length)



The length of the byte array is 1024, and it looks like the stream.Read function will only read that amount of bytes. I think if you send the application more data it will just ignore the rest of the bytes.

What error did you get when the app crashed?


A first chance exception of type 'System.IO.IOException' occured in system.dll
the program'(3396) consoleapplicatioin1.exe: managed' has exited with code 0 (0x0).
Knowledge Resource is Power.
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue May 04, 2010 3:26 pm

Re: Can this be exploitable?

I just compiled the code and tried what you did. I do not get a crash. Only 1025 bytes are read and spat back out at a time. The program just loops until all the data is read, but only reads 1025 bytes at a time.
~~~~~~~~~~~~~~
Ketchup
pizza1337

Full Member

Posts: 156

Joined: Mon Mar 08, 2010 5:29 pm

Post Tue May 04, 2010 3:51 pm

Re: Can this be exploitable?

Weird, I tried it on two computers, it crashes.

http://blip.tv/file/3578319

I guess I am doing something wrong.

What are some places where I could learn more about finding overflows or problems and making exploits?
Knowledge Resource is Power.
Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue May 04, 2010 4:22 pm

Re: Can this be exploitable?

The exception occurs when the program attempts to write the information back to the socket. This likely indicates that your test host is blocking the connection or something similar. Check firewall settings and anti-virus settings that may be blocking the connection. Also try using another port, like 8080.

Either way, your error does not appear to be related to the size of the buffer.

<edit>Pizza, read n1p's article on the front page of eh.net. It's great and it has every bit to do with what you are doing.</edit>
~~~~~~~~~~~~~~
Ketchup
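An added reproduction in Python, written for this thread and not the VB.NET code from MSDN: an echo server with the same shape as the listener above, driven by the same 5510-byte payload, showing that the bounded read consumes the input in chunks of at most 1025 bytes rather than overflowing anything, and where a peer that has already hung up would surface as an exception (the IOException path rather than the SocketException the VB code catches). The host, ephemeral port and function names are my own choices.

```python
import socket
import threading

BUF_LEN = 1025  # VB's `Dim bytes(1024) As Byte` has indices 0..1024: 1025 bytes

def serve_one_client(conn):
    """Echo loop with the shape of the VB.NET code. recv() hands back at most
    BUF_LEN bytes per call, so a longer payload is consumed in several reads
    and never written past the buffer. Returns (chunk sizes, error name)."""
    chunks = []
    try:
        while True:
            data = conn.recv(BUF_LEN)      # bounded read, like stream.Read(bytes, 0, 1025)
            if not data:                   # peer closed its sending side
                break
            chunks.append(len(data))
            conn.sendall(data.upper())     # echo back, as ToUpper() + stream.Write
    except OSError as exc:
        # The VB code catches only SocketException; a peer that has hung up
        # surfaces from NetworkStream.Write as IOException, which matches the
        # "first chance exception of type System.IO.IOException" in the thread.
        return chunks, type(exc).__name__
    finally:
        conn.close()
    return chunks, None

def exchange(payload):
    """Loopback harness: send payload, half-close (what `telnet < data.txt` does
    at EOF), then collect the echo. Returns (chunk sizes, error name, echo)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # ephemeral port instead of 666
    srv.listen(1)
    outcome = {}

    def server():
        conn, _ = srv.accept()
        outcome["r"] = serve_one_client(conn)

    worker = threading.Thread(target=server)
    worker.start()
    cli = socket.create_connection(srv.getsockname())
    cli.sendall(payload)
    cli.shutdown(socket.SHUT_WR)
    echoed = b"".join(iter(lambda: cli.recv(65536), b""))   # read until EOF
    cli.close()
    worker.join()
    srv.close()
    chunks, err = outcome["r"]
    return chunks, err, echoed
```

Running `exchange(b"x" * 5510)` returns a list of chunk sizes that sum to 5510 with none above 1025, no error, and the upper-cased echo; the only way to get an exception out of this loop is a peer that goes away mid-exchange, not a long payload.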
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu May 06, 2010 2:09 pm

Re: Can this be exploitable?

pizza1337 wrote: A first chance exception of type 'System.IO.IOException' occured in system.dll
the program'(3396) consoleapplicatioin1.exe: managed' has exited with code 0 (0x0).

Why don't you try running a debugger in the background and attaching to the process to find out whether or not you can do anything with it:

  Code:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\IBM\XXXXXXXX\SomethingWasHere.dll -
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????
0:000> g
(4b74.4b54): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00c583a6 mov edx,dword ptr [eax]

Basic Block:
    00c583a6 mov edx,dword ptr [eax]
       Tainted Input Operands: eax
    00c583a8 mov edx,dword ptr [edx+10h]
       Tainted Input Operands: edx
    00c583ab lea ecx,[esi+4]
    00c583ae push ecx
    00c583af push eax
       Tainted Input Operands: eax
    00c583b0 call edx
       Tainted Input Operands: edx, StackContents

Exception Hash (Major/Minor): 0x10163335.0x10634435

Stack Trace:
SomethingWasHere+0x83a6
SomethingWasHere+0xaeb8
Instruction Address: 0x0000000000c583a6

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at SomethingWasHere+0x00000000000083a6 (Hash=0x10163335.0x10634435)

The data from the faulting address is later used as the target for a branch.
0:000> g
(4b74.4b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????
0:000> r eax=deadbabe
0:000> g
(4b74.4b54): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:00000000=????????
0:000> r eax=deadbabe
0:000> g
(4b74.4b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=deadbabe ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:deadbabe=????????
0:000> g
(4b74.4b54): Access violation - code c0000005 (!!! second chance !!!)
eax=deadbabe ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=00c583a6 esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SomethingWasHere+0x83a6:
00c583a6 8b10            mov     edx,dword ptr [eax]  ds:0023:deadbabe=????????
0:000> r eip=eax
0:000> g
(4b74.4b54): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=deadbabe ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=deadbabe esp=0013ece4 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
deadbabe ??              ???
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffdeadbabe
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0x4e42002f.0x2059002f

Stack Trace:
Unknown
Unknown
SomethingWasHere+0xaeb8
Instruction Address: 0xffffffffdeadbabe

Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0xffffffffdeadbabe called from SomethingWasHere+0x000000000000aeb8 (Hash=0x4e42002f.0x2059002f)

User mode DEP access violations are exploitable.


The following WinDBG session demonstrates control over EIP, EBX, etc., due to a crash. I removed the program name because it's going through CERT right now; nevertheless, I started fuzzing the application, caused an exception and followed through on finding a method to exploit after the exception. All I needed to do was show a proof of concept, as I was solely seeking to report an advisory, not provide a 'weaponized' exploit.

eax=deadbabe ebx=00000001 ecx=77529bac edx=0013ed04 esi=0013ef1c edi=00000001
eip=deadbabe esp=0013ece4 ebp=ffffffff iopl=0        nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            efl=00010202
deadbabe ?? 
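An added helper, not part of sil's post or of the !exploitable extension itself: a parser for the `!exploitable -v` report format pasted above, pulling out the classification, the (major, minor) crash hash, the tainted operands and the stack frames so that crashes from a fuzzing run can be bucketed and the highest-ranked one per crash site reported. The sample is the PROBABLY_EXPLOITABLE report from this thread, trimmed; the RANK ordering is my own.

```python
# Constructed sample: the `!exploitable -v` report quoted in the thread, abbreviated.
SAMPLE = """\
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)

Faulting Instruction:00c583a6 mov edx,dword ptr [eax]

Basic Block:
    00c583a6 mov edx,dword ptr [eax]
       Tainted Input Operands: eax
    00c583b0 call edx
       Tainted Input Operands: edx, StackContents

Exception Hash (Major/Minor): 0x10163335.0x10634435

Stack Trace:
SomethingWasHere+0x83a6
SomethingWasHere+0xaeb8

Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
"""

# Triage order (my own); the names are the classifications !exploitable emits.
RANK = {"EXPLOITABLE": 3, "PROBABLY_EXPLOITABLE": 2, "PROBABLY_NOT_EXPLOITABLE": 1, "UNKNOWN": 0}

def parse_exploitable(text):
    """Parse one report: 'key: value' lines become fields, tainted operands merge into
    a set, stack frames into a list, and 'hash' is the (major, minor) crash-site id."""
    report = {"tainted": set(), "stack": []}
    in_stack = False
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = (p.strip() for p in line.partition(":"))
        if not line:                      # blank line closes the stack-trace section
            in_stack = False
        elif in_stack and not sep:        # bare frame such as SomethingWasHere+0x83a6
            report["stack"].append(line)
        elif key == "Stack Trace":
            in_stack = True
        elif key == "Tainted Input Operands":
            report["tainted"].update(op.strip() for op in value.split(","))
        elif key == "Exception Hash (Major/Minor)":
            report["hash"] = tuple(value.split("."))
        elif sep and value:               # skip bare headers such as "Basic Block:"
            report[key] = value
    report["rank"] = RANK.get(report.get("Exploitability Classification"), 0)
    return report
```

Two reports with the same hash are the same crash site, so grouping parsed reports by `hash` and keeping the one with the highest `rank` gives the list worth sending to the vendor or CERT.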
