MS08_067 exploit analysis – part I

Written by  on December 23, 2015 

In this case of study we’ll look inside the MS08_067 vulnerability and write an  effective exploit for exploiting it. MS08_67 is one of the most exploited vulnerabilities in the modern history of hacking. I was announced on 2008 and classified as CRITICAL, actually it still can be found and exploited.

So in this analysis we’ll start writing a simple exploit for it, using an egghunter. Then in future posts we’ll do some other cool stuff like evading dep or using it to distribute a worm through the network.

The exploit writing process starts just at the end of the fuzzing process. After some fuzzing we can find that the following packet can break the execution of smb service.

0

After writing a simple python script that uses smb to send the evil packet to the target and using it we can see the stat of the registers(using ollydbg) after the crash.

2

After seeing that we can overwrite the EIP register, we can try to locate wich bytes overwrite that. Using metasploit we can generate a pattern to send to the program.

3

After sending the pattern to the program, the pattern_offset tool will give us the right bytes.

4

pattern_offset and pattern_create are located inside the metasploit directory. Using pattern_offset will give the offset that overwrites EIP register to us.

5

At this point we can edit our template-exploit code to see if we can control EIP.

6

And after re-seding that to the program we can notice that we control EIP register.

7

We can also see that EDX points to a buffer controled by our evil C’s ESP may be a valid candidate too. I’ve chosen the EDX register because that register points just at the end of a large buffer, so we can land there using a jmp edx and then perform a short jump backwards to execute some shellcode there.

We can find a valid jmp edx by running a search on some dll using olly.

8

After re writing the exploit with these new details, we can see that EIP is overwriten with our jmp edx addr.

9

And after running the jmp we land inside our desired buffer.

10

A short jump backwards will lead us to a larger buffer space. If you want to understand how short jumps(forward and backwards) work: http://thestarman.pcministry.com/asm/2bytejumps.htm

11

After re launching the exploit with our new jump we can see that we go backwards.

12

After jumping backwards we reach our larger buffer space.

13

As our new buffer is not enough to allocate our backdoor shellcode in we can use it to place and run an egghunter and try to allocate our backdoor in some other place. If you need to know more about working with egghunters read this: http://www.nologin.com/Downloads/Papers/egghunt-shellcode.pdf

14

If we place the egghunter inside the buffer and re send the exploit packet we can see that it fits perfectly.

15

We used the egg: “w00t” and the piece of code to locate was put at the beggining of the packet(see the exploit code at the end of the post)

After finding the egg, the egghunter leads us to the code.

16

And here we go:

17

So now we can edit the packet, increase the size of our exploit’s buffer and then place some backdoor there.

18

After re launching the packet we can see that it works perfectly

19

So now we can generate the backdoor using msfpayload

20

And place that inside our exploit code.

21

Now if we re launch the exploit code

22

After running the egghunter, it leads us to our backdoor and after running the backdoor we get a shell.

23

Game over P-)

Exploit code: http://pastebin.com/hzkyMEAc

Category : exploiting

Leave a Reply

Your email address will not be published. Required fields are marked *