Blinded Stack Overflow: Just Another Common Technique
1. Blinded Stack Overflow Exploit:
Just Another Common Technique
Thomas Gregory | Director and Partner at PT Spentera
tom@spentera.id | @modpr0be
Indonesian Bug Hunter Lounge Meetup 2018
2. Who we are
• Marie Muhammad
  • Security researcher
  • Penetration tester and Red Team operator
  • Bug hunter
  • Holds OSCP, OSCE, CRTE
  • marie@spentera.id
  • @f3ci
  • Found the 0day
• Thomas Gregory
  • Director and Partner at Spentera
  • Cybersecurity Consultant
  • Vulnerability Discovery and 0day Exploit Development
  • Vulnerability Assessment and Penetration Testing
  • Metasploit framework exploit developer
  • Holds OSCP, OSCE, ISO 27001:2013 LA
  • tom@spentera.id
  • @modpr0be
  • Just exploiting further
8. Fuzzing: Identifying Entry Point
• Zahir is a desktop client application, so one approach to identifying entry points is file format fuzzing.
• Identifying entry points:
  • Menu Buka Data, a function to read from a local database or a Firebird database.
  • Menu Membuka File Backup, a function to open an existing backup.
  • Menu Import Data dari Zahir versi 6.0, a menu to open data from a previous Zahir version.
  • Menu Import Data dari file lainnya, a menu to open data from a CSV format file.
  • Menu Import Transaksi, a menu to open data from a CSV format file.
20. How SEH works
(1) Exception occurs+-----------------------+
|
|
(3) next SEH leads back to SEH---------------------------------------+
| | |
| V v
+------------------------------+ +--------+ +----------+ +--------+ +----------+
|AAAAAAAAAAAAAAAAAAAAA....AAAAA| |Next SEH| |SE Handler| |Next SEH| |SE Handler|
+------------------------------+ +--------+ +----------+ +--------+ +----------+
Junk / buffer ^ |
| |
| |
+-----------+
(2) SE Handler leads back to the next SEH address
21. How SEH exploit works
(1) Exception occurs+-----------------------+
|
|
(3) next SEH leads back to SEH-------------------------------+
| | |
| V v
+------------------------------+ +--------+ +----------+ +--------------------------------+
|AAAAAAAAAAAAAAAAAAAAA....AAAAA| |Next SEH| |SE Handler| |DDDDDDDDDDDDDDDDDDDDDDDDDDD....D|
+------------------------------+ +--------+ +----------+ +--------------------------------+
Junk / buffer ^ | Shellcode
| |POP REG
| |POP REG
| |RETN
| |
+-----------+(2) POP POP RET leads back to next SEH
22. Mona help during the exploit development
# Load mona.py into WinDBG
0:000> .load pykd.pyd
# Same as Metasploit pattern_create.rb and pattern_offset.rb
0:000> !py mona pc
0:000> !py mona po <offset>
# Generate a byte array (excluding the listed bad characters) and compare it against memory
0:000> !py mona ba -cpb '\x00'
0:000> !py mona cmp -f bytearray.bin -a <start address>
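Added example, not from the slides: a Python reimplementation of what `!py mona pc` / `!py mona po` (and Metasploit's pattern_create.rb / pattern_offset.rb) do, plus a helper that turns the SE Handler value shown by `!exchain` into the Next SEH / SE Handler offsets used in the diagram above. The handler value 0x61413261 in the demo is a constructed sample, not one from the Zahir crash.

```python
import string
import struct
from itertools import product

# Length at which the Metasploit-style pattern would start repeating:
# 26 uppercase * 26 lowercase * 10 digits, three bytes per triplet.
MAX_PATTERN_LEN = 26 * 26 * 10 * 3


def pattern_create(length: int) -> bytes:
    """Build the cyclic pattern "Aa0Aa1Aa2..." in which every 4-byte
    window occurs exactly once (like pattern_create.rb / `!py mona pc`)."""
    if not 0 < length <= MAX_PATTERN_LEN:
        raise ValueError(f"length must be 1..{MAX_PATTERN_LEN}")
    out = bytearray()
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase,
                                       string.digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(value, length: int = MAX_PATTERN_LEN) -> int:
    """Offset of a 4-byte fragment in the pattern, or -1 if absent.
    `value` is either the ASCII fragment (b"Aa1A") or the integer the
    debugger prints for an overwritten slot (0x41316141), i.e. that
    fragment read as a little-endian DWORD (like `!py mona po`)."""
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    else:
        needle = value.encode() if isinstance(value, str) else bytes(value)
    return pattern_create(length).find(needle)


def seh_offsets(handler_value: int, length: int = MAX_PATTERN_LEN):
    """Given the pattern DWORD that landed in the SE Handler slot (as
    shown by WinDBG's !exchain after the crash), return the offsets of
    the Next SEH and SE Handler fields, which sit 4 bytes apart."""
    handler_off = pattern_offset(handler_value, length)
    if handler_off < 4:
        raise ValueError("SE Handler value not found in pattern")
    return handler_off - 4, handler_off


if __name__ == "__main__":
    # Constructed sample: pretend !exchain showed handler 0x61413261
    # after the pattern was placed in the crashing CSV field.
    print(pattern_create(24).decode())   # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
    print(seh_offsets(0x61413261))       # (3, 7)
```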
24. Aftermath
• Mitigation
  • Don't process files with a CSV extension from untrusted parties.
  • Double-check CSV files even when they come from trusted parties.
  • Always update the operating system and your endpoint security.
• Solution
  • There is no fix from Zahir at the moment.
• Vulnerability report
  • Zahir was contacted but gave no security-related response.
  • Submitted to the National Cyber Security Operation Center under the Indonesia National Cyber and Encryption Agency (BSSN).
  • Assigned CVE-2018-17408.