In the previous part of this case of study, we developed a valid exploit for the ms08_067 vulnerability. We used a windows xp sp2 box with the DEP feature disabled as the target. In this second part we will attack some more useful and realistic target, a windows server 2003 sp with DEP(hardware DEP NX) enabled. We will adapt our exploit to avoid the DEP feature and we’ll get a shell inside the box.
First of all, let’s check what happens when we use our previous exploit with a DEP enabled box:
DEP feature has marked that memory section as non executable, so we are not able to run code from there.
As DEP feature can be disabled in execution time with a function called LdrpCheckNXCompatibility. If we call NtSetInformationProcess(ntdll) with a few parameters we may be able to disable DEP in execution time for a specific memory region. We can use olly to search for a call to that function.
That function requieres 4 parameters to be pased NtCurrentProcess(handle), ProcessExecuteFlags(0x22), ExecuteFlags(pointer) and sizeof(executeFlags)(pointer size). mov dword ptr[ebp-4],2 needs a valid memory address it will disable dep from there.
As we have just seen we need that valid address to be on ebp.
At this time if we look closer to EIP register at the crash moment, we are able to see that EIP register is under our control
Also EDI register is under our control too, it points to an address containing our evil buffer.
From now, we can use memdump.exe from metasploit to dump the memory of svchost.exe process (server process) and we can search for custom instruction sequences using metasploit. We have to work with EBP register, so we can look for the right instructions using nasm shell and msfpescan
We we get our desired opcodes we can use msfpescan with the dumped memory.
After getting the candidate addresses from msfpescan, we have to check if they are valid!
If they are invalid, we’ll have to look for some other sequence.
So we select a valid address
We perform a quick check
And we add it to our exploit template
And we check that we land there after launching the template
And as the sequence ends with a RET instruction, after running that we get to the next instruction sequence to be ran
note that this time we are able to run the dep disable sequence as ebp contains a valid address
At this point EIP is still under control
After launching the sequence we also get to a RET instruction
And after checking the registers at that moment we note that ESP is writable and points at the end of a large buffer
We can place the egghunter inside that large buffer, and overwrite esp with a short jump backwards
After editing the exploit template and launching the exploit again, we run the sequence, get to the egghunter and use it to get to the shellcode.
And of course, we get a shell
I wont provide the exploit code, if you understood the post you must be able to write that by yourself