I have slowly been piecing together some ideas for test machines. I like to think from the base system up to the vulnerabilities to gain an initial foothold. This process has been super helpful for me to understand the exploitation and enumeration process a bit more. One of my recent obsessions has been restricted shells and coming up with some interesting workarounds. One for causing pain on the tester hacking into the machine but two to find clever ways in and out of a low privilege user shells. Below are some of my favorite resources on the subject:
So as part of my OSCP labs I wanted to focus on a few machines with buffer overflows. So I decided to tackle brainpan. After downloading and uploading the .ova file I began a basic scan of my network with:
nmap -sP 192.168.0.*
Locating the VM on the network. I start the enumeration process with nmap and gobuster.
nmap -O -A -p- 192.168.0.168
Seems to be two ports open, one of which is an HTTP service and another unidentified service on port 9999. Let’s explore the HTTP web interface and run gobuster, but first I will attempt to identify port 9999 with telnet.
I attempted to login with the username root. I was given ACCESS DENIED. No luck I tried a string of AAAAAAA…s but no luck. So I decided to move on.
On the 10000 port We find an interesting image about safe and practical coding. Hmmmm… Leads me to believe maybe our little abyss port might have something to do with this. I moved on to running gobuster to enumerate some of the directories on this machine.
Quickly we see that there is a directory called bin. Let’s browser to this directory and see if we can find anything useful. Looks like there is an executable file.
I will download the executable to a windows machine and investigate it a bit further.
Now that I have the executable on my machine up and running I will need to scan it and see what operations are happening on the Windows machine from my Linux attacker machine.
After locating the IP address of the Windows machine and running the .exe file I have verified that this 9999 port or abyss has something to do with the brainpan.exe file. I will try to establish a connection below with our python proof of concept script and see if I can crash the program.
#!/usr/bin/python import socket import sys junk = "A" * 500 s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) connet = s.connect((sys.argv[1], 9999)) s.recv(1024) s.send(junk)
We can see we have successfully attempted to connect with our junk A’s.
Now let’s see if we can increase the size of the junk buffer and cause a crash on the remote program. A buffer overflow is what we should be looking for in this program. We will need to do quite a few other things to catch a shell but let’s see what we can establish on this machine.
So I changed my proof of concept code form 500 A’s to 1000. We get a successful crash on the machine and we can now begin controlling EIP, finding a jump point, and establishing bad characters for our shellcode.
Crashing the Program
So we will start brainpan.exe and then attach immunity debugger.
Once we have done that we will attempt to crash the program again but instead of A’s we will use msg-pattern create to make a pattern we can easily use to identify the EIP registry.
Now I will run this script and investigate the amount of characters it will take to write over EIP. Using !mona in Immunity Debugger I will run this script below once I cause the crash:
!mona findmsp
We can see our EIP is at character number 524
Now we will re-write our code to include 524 A’s and then 4 B’s after to gain control of EIP.
We have now verified that we can gain control over EIP with 4 B’s in its place. Now all we need to do is find an unprotected module for our jump point in ESP, find bad characters in our shell code, and use msf-venom to build our reverse TCP connection.
Finding Modules / JMP ESP
We have located an unprotected module in brainpan.exe. Now we will need to use !mona to find a JMP ESP address. Running the command below in immunity:
!mona find -s “\xff\xe4” -m brainpan.exe
We find a find a JMP ESP instruction at memory address 311712F3. I will add a comment to our code and begin searching for bad characters for our shell code.
I am currently 2/3rds of the way through my OSCP labs. I have started going back through all the buffer overflow examples I have found that will help me attack the 25 point machine on the test. Currently I have worked through the FreeFloat, SyncBreeze, and VulnServer to help me along my journey. So I wanted to start documenting my BOF training on my blog. Both as a resource for others and a documentation for myself.
I started PenTesting in 09/10′ during college. I dedicated one of my one of my 3 month internships by going through the c0relan.be tutorials. Mostly on my own server at the school and on my dedicated VM WinXP machine at the time. These tutorials are a great resource though somewhat outdated they lay out the basics of exploit development and I highly encourage anyone interested in exDev to use them as an educational tool.
Fuzzing MiniShare
We first need to create our basic fuzzing program to help crash the Minishare Server and locate the offset of EIP.
I like to use the sys.argv value to help recreate the program at another point and input my own values. It gives me a bit more control and flexibility with the exDev process. You can slowly increment the amount of A’s pushed onto the server until it crashes. Once we have found the necessary amount of A’s to crash the program we can begin to control the EIP register.
Controlling EIP
Once we have been able to successfully crash the program we now need to control the EIP register and begin to build out our exploit a bit more. Using pattern create we can generate a series of chars that will help us understand the offset of the EIP register. We want to use the same amount of chars that initially crash the program.
msf-pattern_create -l 2000
Copy paste the pattern info into the proof of concept fuzzing program. I also create a new version of my exploits to better reference the evolution of the exploit at a later date.
We will then run the program, attach it to Immunity, and crash the application again using our new string of 2000 chars.
Once the program has crashed with our generated pattern go to the search bar and use !mona in Immunity and run the command:
!mona findmsp
We will then be able to locate the EIP offset and it will give us a unique dump of other potential registers of interest.
Our EIP register is offset at 1787 characters. So we now can gain control over EIP and can insert our 4 hexidecimal B’s to verify this control.
Below is our new exploit:
We will now use this simple exploit to see if we can gain control over EIP to then begin building out a place to put our shellcode. Open up the program again and attach Immunity. Be sure to press the play button to get the program out of the paused mode and running.
Run your exploit and you should crash the program and hit a breakpoint in the program. Be sure your 4 B’s are overwriting EIP like below.
Finding Bad Characters
Once we have gained control of EIP we will want to begin looking for any bad characters while creating our shellcode. So we will generate all hexidecimal characters from x01 to xff. Like below:
Placing this into our skeleton exploit after the A’s. Run the program again and attach Immunity. Run the exploit again observe the crash and Follow the Dump of ESP to locate any bad characters.
To start off we have xOD as our first bad character. We will take out xOD and run the exploit again. And observe any other bad char in the shellcode.
Be sure to make a comment in your skeleton code for future reference. This is just a good practice overall so if you continue with exDev it will be easier for other to read your code in the future.
Run the program again. attach Immunity, and run your skeleton exploit.
We can see that we do not get any other bad characters. So now we will need to find a register to jump to so we can run our shellcode. Below is our set of bad characters:
Finding JMP ESP & Generating Shellcode
When we crash MiniShare we want the contents of ESP to be executed by EIP. ESP will be the beginning of our shellcode that will want to execute to gain access to the Windows 7 machine. This can be done by executing a JMP ESP instruction. We will the program and Immunity using !mona to find our JMP ESP address.
We will go to our right click drop down module:
search > all modules
JMP ESP
We will use the USER32.ddl address of JMP ESP:
764b4e5b
Then we will generate our payload using msfvenom
msfvenom -p windows/shell_bind_tcp -a x86 -b '\x00\x0d' -f c
Take your generated shellcode and place it into your working exploit after the nops.
A note on nops
NOPS:
No operations are an important part of shellcode, imagine trying to point to a single address, that holds our shellcode,
when the possibility of pointing to the correct address is slim, Nops make it easier, because they do nothing, they just
go down until the next instruction, so imagine your shellcode in the environment, and we point to the wrong address
which just so happens to have our NOPS:
0xbffffca8: NOP
0xbffffcac: NOP
0xbffffcb2: SHELLCODE
