Basic Windows 7 exploitation analysis

As a System Administrator I have realized that we can move through different specializations even if they are not our primary role, which is interesting because one can never say one is bored!

I have seen many tutorials about exploit analysis, more about Linux and fewer about Windows, but all of them very good. I have studied this subject for a long time, but only now will I share some words which have probably already been said; I hope this post helps somebody understand with another example. On the other hand, I share how I did things (which compiler I used, which debugger); there are many ways to do the same thing, and that is not taught in books.

  1. Get a Windows 7 Professional machine.
  2. Get an ANSI C compiler: Dev-C++, but it can also be Visual Studio 2017.
  3. A debugger (OllyDbg or Immunity Debugger).

Create a vulnerable program in C:

Screenshot from 2017-08-10 14-55-59

This is the source; you can copy and paste it:

#include <stdio.h>
#include <string.h>

/* Writes 30 'A's into a buffer the caller sized at 10 bytes. The missing
   bound check (and missing NUL terminator) is the bug this post analyses. */
void doit(char *buffer) {
    int i = 0;
    for (i = 0; i < 30; i++) {
        buffer[i] = 'A';
    }
    printf("Done doit %s !\n", buffer);
}

int main(void) {
    char buffer[10];
    doit(buffer);              /* overflows buffer and clobbers main's frame */
    printf("Done main!\n");
    return 0;                  /* the RET here jumps to 0x41414141 */
}

Now if you compile and run it, the program will crash:

Screenshot from 2017-08-10 14-58-51

Let's debug the program and see how this bug can be exploited:

Open the test2.exe file with the debugger of your choice; I will show the examples with Immunity Debugger. Then step forward with F8; the .exe will do some initial stuff:

Screenshot from 2017-08-10 15-16-23

The debugged program is displayed as assembly. A function is called with the CALL instruction. When a CALL executes, the address of the next instruction (the one right after the CALL) is pushed onto the stack, so the program can resume from the point where it left off when the function finishes. This push is done automatically by the CPU as part of the CALL instruction itself; the compiler does not emit any extra code for it.

When a function is called, the stack holds, from lower to higher addresses:

  1. Internal buffers and local variables
  2. The saved EBP
  3. The return address

The stack grows downward on x86, so a write that runs past the end of a local buffer walks upward, first into the saved EBP and then into the return address.

Our stack looks like this at this moment:

Screenshot from 2017-08-10 15-30-14

Then the function doit() is called:

Screenshot from 2017-08-10 15-36-36

Again, the CALL instruction automatically stores the return address, and the stack looks like this:

Screenshot from 2017-08-10 15-45-10

As said before, CALL pushes the return address onto the stack; then the function prologue pushes EBP (the base pointer) and reserves space for the local variables. Note that the stack is LIFO (Last In, First Out): the last value pushed is the first one popped, which is why the epilogue can undo the prologue step by step and RET then finds the return address on top.

Screenshot from 2017-08-10 15-58-47

In this function, 30 'A' characters (0x41 in hex) are written into a variable of size 10; that is the out-of-bounds write. Look at the previous picture: where main()'s return address was located, at stack address 0028FECC, it now reads 41414141 (these are the 'A's). When main() returns it will try to jump to that address, and that causes the error.

Screenshot from 2017-08-10 16-01-53

But not so fast. When doit() ends, the LEAVE instruction runs (it moves EBP back into ESP and pops the saved EBP), and control returns to the place it came from; this is done by the RET instruction, which takes the address at SS:ESP (stack pointer 0028FE9C) and continues there. In this case it is 0040155A, back inside main(). This return still works because doit()'s own saved EBP and return address sit below the overflowed buffer, which belongs to main()'s frame, so the 'A's never reached them.

Screenshot from 2017-08-10 16-11-33

Finally, once the instruction pointer reaches 0040155A, the remaining instructions in main() are a LEAVE and then a RETN. The LEAVE at 00401566 pops the saved EBP from 0028FEC8 and the RETN then pops the return address from 0028FECC, but both slots now hold the 'A's (0x41) that we illegally wrote over them, and this is what crashes the program.

Screenshot from 2017-08-10 16-17-04

Like before, the RET instruction asks “where should I go now?” It knows the answer should be at SS:ESP, but that slot is now contaminated with our 'A's, so EIP becomes 41414141, an address that is not mapped, and Windows reports an access violation. That is a stack-based buffer overflow: in an attack, the bytes that land on the return address are chosen by the attacker so that the RET lands somewhere useful instead of crashing.
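To make the frame layout from the screenshots concrete without a debugger, here is an added example (written for this post, not code from the original) that models main()'s frame as a struct, runs the same unbounded write against it, and shows which slots 12, 16 and 30 bytes reach. The field offsets are a model of the x86 layout shown above, not a guarantee about any compiler's output, and the values 0x0028FEF8 and 0x0040155A are constructed to resemble the debugger's. It also shows the bounded form of doit() that makes the overflow impossible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of main()'s frame as the debugger showed it: the 10-byte buffer
 * (rounded up to a 4-byte slot), the saved EBP pushed by the prologue, the
 * return address pushed by CALL, then whatever the caller had above that.
 * Offsets are an assumption modelling the screenshots, not a compiler fact. */
struct frame_model {
    char     buffer[12];     /* char buffer[10], padded to 12 */
    uint32_t saved_ebp;      /* restored by LEAVE */
    uint32_t ret;            /* popped by RET */
    char     above[12];      /* caller's data beyond the return slot */
};

/* The write from doit(): n bytes of 'A', no bound check, no terminator. */
static void doit_unbounded(char *buffer, size_t n) {
    for (size_t i = 0; i < n; i++)
        buffer[i] = 'A';
}

/* Hardened version: the caller passes the buffer's capacity, the write is
 * clamped to cap-1 bytes and the result is always NUL-terminated. */
static size_t doit_bounded(char *buffer, size_t cap, size_t n) {
    if (cap == 0) return 0;
    size_t len = n < cap - 1 ? n : cap - 1;
    memset(buffer, 'A', len);
    buffer[len] = '\0';
    return len;
}

/* Runs the unbounded write against a fresh frame model and returns it so
 * the clobbered slots can be inspected. The write is clamped to the model
 * itself so that this demonstration stays well-defined. */
static struct frame_model overflow_model(size_t n) {
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.saved_ebp = 0x0028FEF8u;       /* constructed, debugger-like value */
    f.ret       = 0x0040155Au;       /* the return address seen in the post */
    if (n > sizeof f) n = sizeof f;
    doit_unbounded((char *)&f, n);   /* offset 0 of the frame is the buffer */
    return f;
}

/* Exercises doit_bounded on a cap-sized region and returns strlen(). */
static size_t bounded_len(size_t cap, size_t n) {
    char scratch[64];
    if (cap > sizeof scratch) cap = sizeof scratch;
    doit_bounded(scratch, cap, n);
    return strlen(scratch);
}

int main(void) {
    struct frame_model f = overflow_model(30);   /* 30 'A's into 10 bytes */
    printf("after 30 bytes: saved EBP = %08lX, return address = %08lX\n",
           (unsigned long)f.saved_ebp, (unsigned long)f.ret);
    f = overflow_model(12);                      /* fits in the padded slot */
    printf("after 12 bytes: saved EBP = %08lX, return address = %08lX\n",
           (unsigned long)f.saved_ebp, (unsigned long)f.ret);
    printf("bounded write into 10 bytes stored %zu chars\n", bounded_len(10, 30));
    return 0;
}
```

With 12 bytes nothing beyond the buffer changes; 16 bytes clobber the saved EBP only (the program would survive the RET but crash later on a bad EBP); 30 bytes replace both the saved EBP and the return address with 0x41414141, which is the state the last screenshot shows.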

Some private browsing tips

In my previous post I recommended two Firefox plugins to truly surf pages that have embedded social network widgets, which, at best, only report our presence on those pages, but which also identify us because of the propagation of cookies.
In this post I will give some recommendations about how to stop Firefox from surfing the web without us knowing it. The other day I was analyzing what happens in the background on the network with Firefox open, and I was worried for a minute or two because I saw connections going out of my computer while I was not browsing anything. I had one page open, so I closed it in case that page had some JavaScript loop making connections without me knowing, but the connections kept being made.

Disclaimer: These steps may produce undesirable behavior in your browser; these are notes I have written for myself and am sharing to help anybody who could benefit from them.

How to stop Firefox from automatically making connections without my permission

1) Clean all the live bookmarks, if any.

2) Disable auto update (Edit -> Preferences -> Update -> Never check for updates (not recommended: security risk), and uncheck Update Search Engines).

3) Disable auto update for add-ons (Tools -> Add-ons -> Extensions; at the top of the tab, click the Tools for All Add-ons menu and uncheck Update Add-ons Automatically, then select Reset All Add-ons to Update Automatically).

4) Anti-phishing list updating (Edit -> Preferences -> Security -> uncheck Block reported web forgeries and Block reported attack sites).

5) Add-on blocklist updating, add-on metadata updating and link prefetching: in the location bar type about:config and set:
extensions.blocklist.enabled -> false
extensions.getAddons.cache.enabled -> false
network.prefetch-next -> false

Keep in mind what you trade away: steps 2, 4 and 5 switch off application updates, the Safe Browsing lists and the add-on blocklist, which protect against known exploits, phishing sites and malicious add-ons. If you want the silence, update Firefox and its add-ons manually and regularly instead.

Hacking DHCP in a home network

For good or bad, at home I have a cable provider; it is the traditional service where a coaxial cable is connected to the TV. Some days ago a technician from the cable TV company came and installed a decoder. This decoder is a device that sits between the coaxial cable and the television, enabling better image quality; it also includes software with YouTube and applications to watch TV over the Internet.

The problem: this decoder is connected to the home network (LAN) but it does not permit setting a static IP address; the only way is for the device to obtain its IP address, network mask, router IP and DNS servers through DHCP.
The real problem is that I take very seriously what I do and do not enable in my home network; each new service is something I worry about. I wanted to avoid running a full DHCP server.

How to avoid having to install a DHCP server and still make the decoder work?
Not making it work is not an option. Solution: create a minimalistic DHCP server in less than 200 lines, a script if possible, simple to start and stop, with control over which IP I assign to each MAC address.

RFC 2131 describes how this protocol works; its Figure 3, reproduced below, helps to understand how the program works.

                Server          Client          Server
            (not selected)                    (selected)

                  v               v               v
                  |               |               |
                  |     Begins initialization     |
                  |               |               |
                  | _____________/|\____________  |
                  |/DHCPDISCOVER | DHCPDISCOVER  \|
                  |               |               |
              Determines          |          Determines
             configuration        |         configuration
                  |               |               |
                  |\             |  ____________/ |
                  | \________    | /DHCPOFFER     |
                  | DHCPOFFER\   |/               |
                  |           \  |                |
                  |       Collects replies        |
                  |             \|                |
                  |     Selects configuration     |
                  |               |               |
                  | _____________/|\____________  |
                  |/ DHCPREQUEST  |  DHCPREQUEST\ |
                  |               |               |
                  |               |     Commits configuration
                  |               |               |
                  |               | _____________/|
                  |               |/ DHCPACK      |
                  |               |               |
                  |    Initialization complete    |
                  |               |               |
                  .               .               .
                  .               .               .
                  |               |               |
                  |      Graceful shutdown        |
                  |               |               |
                  |               |\ ____________ |
                  |               | DHCPRELEASE  \|
                  |               |               |
                  |               |        Discards lease
                  |               |               |
                  v               v               v
     Figure 3: Timeline diagram of messages exchanged between DHCP
               client and servers when allocating a new network address

For the more curious, I recommend these resources to read about DHCP:
This is an image I put together while studying how this old protocol works:

The DHCP server script source is here.
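As an added example (written for this post; it is not the author's script linked above), here is the wire-format side of such a minimalistic server in C: it parses the client's DHCPDISCOVER or DHCPREQUEST, looks the client MAC up in a static MAC -> IP table, and builds the DHCPOFFER or DHCPACK for the two legs of the exchange shown in Figure 3, answering only MACs it knows. The MACs, addresses, lease time and xid are constructed; the UDP socket bound to port 67, the broadcast reply to port 68, and the checks of the requested address and server identifier in a REQUEST are left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 2131: 236-byte fixed header, then the magic cookie 63 82 53 63 and
 * RFC 2132 TLV options ending with 0xFF. Offsets used below: op 0, htype 1,
 * hlen 2, xid 4, flags 10, yiaddr 16, siaddr 20, chaddr 28. */
#define DHCP_FIXED_LEN 236
#define DHCP_MAX_LEN   576
enum { DHCPDISCOVER = 1, DHCPOFFER = 2, DHCPREQUEST = 3, DHCPACK = 5 };
enum { OPT_SUBNET = 1, OPT_ROUTER = 3, OPT_DNS = 6, OPT_LEASE = 51,
       OPT_MSGTYPE = 53, OPT_SERVERID = 54, OPT_END = 255 };
static const uint8_t MAGIC[4] = {0x63, 0x82, 0x53, 0x63};

/* Static MAC -> IP table: the only leases ever handed out; unknown MACs get
 * no answer at all. Entries and server addresses are constructed examples. */
struct lease { uint8_t mac[6]; uint8_t ip[4]; };
static const struct lease LEASES[] = {
    {{0x00,0x11,0x22,0x33,0x44,0x55}, {192,168,1,50}},   /* the decoder */
    {{0xAA,0xBB,0xCC,0xDD,0xEE,0x01}, {192,168,1,51}},
};
static const uint8_t SERVER_IP[4] = {192,168,1,1};
static const uint8_t NETMASK[4]   = {255,255,255,0};

/* Returns option 53 (message type) or 0 if the packet is not well formed.
 * Every option length is checked against len, so a crafted option list can
 * never make the parser read past the bytes actually received. */
static int dhcp_msg_type(const uint8_t *pkt, size_t len) {
    if (len < DHCP_FIXED_LEN + 4 || memcmp(pkt + DHCP_FIXED_LEN, MAGIC, 4)) return 0;
    size_t i = DHCP_FIXED_LEN + 4;
    while (i < len) {
        uint8_t code = pkt[i++];
        if (code == OPT_END) break;
        if (code == 0) continue;                /* pad byte */
        if (i >= len) return 0;                 /* length byte missing */
        uint8_t olen = pkt[i++];
        if (i + olen > len) return 0;           /* option overruns the packet */
        if (code == OPT_MSGTYPE && olen == 1) return pkt[i];
        i += olen;
    }
    return 0;
}

static const struct lease *lookup_lease(const uint8_t *mac) {
    for (size_t k = 0; k < sizeof LEASES / sizeof LEASES[0]; k++)
        if (memcmp(LEASES[k].mac, mac, 6) == 0) return &LEASES[k];
    return NULL;
}

/* Appends one TLV option and returns the new write offset. */
static size_t put_opt(uint8_t *out, size_t off, uint8_t code, const uint8_t *v, uint8_t n) {
    out[off] = code; out[off + 1] = n; memcpy(out + off + 2, v, n);
    return off + 2 + n;
}

/* Builds the reply into out (DHCP_MAX_LEN bytes): OFFER for a DISCOVER, ACK
 * for a REQUEST, only for a MAC in LEASES. Returns the reply length, or 0
 * when nothing should be sent. */
static size_t dhcp_build_reply(const uint8_t *req, size_t req_len, uint8_t *out) {
    int type = dhcp_msg_type(req, req_len);
    if (type != DHCPDISCOVER && type != DHCPREQUEST) return 0;
    if (req[0] != 1 || req[1] != 1 || req[2] != 6) return 0;  /* BOOTREQUEST, Ethernet */
    const struct lease *l = lookup_lease(req + 28);           /* chaddr */
    if (l == NULL) return 0;
    memset(out, 0, DHCP_MAX_LEN);
    out[0] = 2; out[1] = 1; out[2] = 6;       /* BOOTREPLY, htype, hlen */
    memcpy(out + 4, req + 4, 4);              /* echo xid */
    memcpy(out + 10, req + 10, 2);            /* echo flags (broadcast bit) */
    memcpy(out + 16, l->ip, 4);               /* yiaddr: the address we assign */
    memcpy(out + 20, SERVER_IP, 4);           /* siaddr */
    memcpy(out + 28, req + 28, 16);           /* chaddr */
    memcpy(out + DHCP_FIXED_LEN, MAGIC, 4);
    uint8_t mt = (type == DHCPDISCOVER) ? DHCPOFFER : DHCPACK;
    uint8_t lease_secs[4] = {0x00, 0x01, 0x51, 0x80};        /* 86400 s */
    size_t off = put_opt(out, DHCP_FIXED_LEN + 4, OPT_MSGTYPE, &mt, 1);
    off = put_opt(out, off, OPT_SERVERID, SERVER_IP, 4);
    off = put_opt(out, off, OPT_LEASE, lease_secs, 4);
    off = put_opt(out, off, OPT_SUBNET, NETMASK, 4);
    off = put_opt(out, off, OPT_ROUTER, SERVER_IP, 4);
    off = put_opt(out, off, OPT_DNS, SERVER_IP, 4);
    out[off++] = OPT_END;
    return off;
}

/* Constructs the client side of the exchange (test input, not a capture). */
static size_t build_client_msg(uint8_t type, const uint8_t *mac, uint8_t *out) {
    memset(out, 0, DHCP_MAX_LEN);
    out[0] = 1; out[1] = 1; out[2] = 6;       /* BOOTREQUEST, Ethernet, hlen 6 */
    memcpy(out + 4, "\x12\x34\x56\x78", 4);   /* xid */
    out[10] = 0x80;                           /* broadcast flag */
    memcpy(out + 28, mac, 6);
    memcpy(out + DHCP_FIXED_LEN, MAGIC, 4);
    size_t off = put_opt(out, DHCP_FIXED_LEN + 4, OPT_MSGTYPE, &type, 1);
    out[off++] = OPT_END;
    return off;
}

int main(void) {
    uint8_t req[DHCP_MAX_LEN], rep[DHCP_MAX_LEN];
    size_t n = build_client_msg(DHCPDISCOVER, LEASES[0].mac, req);
    size_t m = dhcp_build_reply(req, n, rep);
    printf("DISCOVER -> type %d, %zu bytes, yiaddr %d.%d.%d.%d\n",
           dhcp_msg_type(rep, m), m, rep[16], rep[17], rep[18], rep[19]);
    return 0;
}
```

The lease table is the whole policy: a device whose MAC is not listed never gets an OFFER, which is the control the post asks for. The parser's length checks matter because port 67 is reachable by anything on the LAN, so the server must treat every option list as untrusted input.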


Compile KeePassX 2.0.3 on Linux

The KeePassX webpage states: “KeePassX is an application for people with extremely high demands on secure personal data management. It has a light interface, is cross platform and published under the terms of the GNU General Public License.”

These steps have been executed on Debian Linux 8.6.0, but for an experienced System Administrator/Hacker adapting them to another distribution should be trivial.

First you should have these packages installed:

apt-get install cmake g++ libqt4-core libqt4-dev libgcrypt-dev zlib1g zlib1g-dev

Now you can download the latest KeePassX package and compile it. Before building, check the tarball against the checksum or GPG signature the project publishes, since this is the code that will hold your passwords:

tar zxvf keepassx-2.0.3.tar.gz
cd keepassx-2.0.3/
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/usr/local ..
make

Then, as root (only the install step needs root; build as your normal user):

make install

Now you could, for example, add a launcher for it to the fluxbox window manager menu:
It works.