vault backup: 2025-03-16 18:59:42
@@ -1,53 +1,53 @@
1. **Introduction**
- Definition and reminder of key concepts from the previous week:
- Buffer Overflow: A process using more memory than it has been allocated.
- The Stack: Last-In-First-Out (LIFO) data structure where CPU registers can be stored and retrieved.
- ESP (Extended Stack Pointer): Points to the top of the stack at a lower memory location.
- EIP (Extended Instruction Pointer): Stores the address of the next instruction to be executed.
2. **Fuzzing**
- Fuzzing involves sending malformed data into an application input and watching for unexpected crashes.
- It helps discover vulnerabilities by sending varying lengths of data to identify buffer overflow conditions.
- Fuzzing tools and resources: FuzzDB (https://github.com/fuzzdb-project/fuzzdb).
- Fuzzing tools and resources: FuzzDB (<https://github.com/fuzzdb-project/fuzzdb>).
3. **Fuzzing Example: SLMail 5.5.0 Mail Server**
- Installed the vulnerable SLMail application.
- Used a Python fuzzer script (`fuzzer.py`) from Kali Linux to send varying-length passwords to the POP3 server.
- Employed Immunity Debugger to monitor the SLMail process and observe the stack overwrites.
4. **Controlling EIP (Extended Instruction Pointer)**
- Sent a unique, non-repeating string of 2900 bytes to identify the specific characters that overwrite the EIP register.
- Used Metasploit’s `pattern_create.rb` and `pattern_offset.rb` scripts to find the exact position of the overwritten EIP.
- Modified the buffer in the Python exploit script to control the EIP register: `buffer = "A" * 2606 + "B" * 4 + "C" * 90`.
5. **Find Space in Memory for Shellcode**
- Dumped the memory at the time of the crash to identify a suitable location for placing shellcode.
- Used Metasploit’s `msfvenom` tool to generate a payload for a reverse shell, ensuring it excluded bad characters identified earlier.
- Increased the length of the buffer to accommodate the generated shellcode.
6. **The Problem of Bad Characters**
- Identified bad characters (e.g., null byte `0x00`, newline `\n` `0x0A`, carriage return `\r` `0x0D`) that could truncate the shellcode or cause other issues.
- Sent all possible characters (0x00 to 0xff) as part of the buffer and observed how they were dealt with by the application after the crash.
7. **Generating the Shellcode Payload**
- Used Metasploit’s `msfvenom` tool to generate a shellcode payload with excluded bad characters.
- Included the generated shellcode payload into the Python exploit script.
8. **Redirecting the Execution Flow**
- Searched for a “JMP ESP” instruction or the two-instruction sequence “PUSH ESP; RET” within SLMail’s modules using Immunity Debugger and Mona.py script.
- Found a suitable JMP ESP instruction at address `5F4A358F` in the SLMFC.DLL module.
- Replaced the overwritten EIP ("B"s) with the discovered JMP ESP address in the exploit script.
9. **NOP Sled**
- Added a sequence of No Operation (NOP) instructions (`0x90`) at the beginning of the shellcode to create a “NOP sled.”
- This allowed for some flexibility in transferring execution to the shellcode without precisely controlling branching.
10. **Getting a Shell**
- Set up a netcat (nc) listener on the attacker machine to receive incoming connections from the exploited target.
- Ran the exploit script against the SLMail application, and upon successful exploitation, obtained a shell on the target machine.
11. **Assignment Task 1**
- Students were tasked to develop a working exploit for the `VulnNewApp.exe` application using the provided proof-of-concept script (`vulnapp_POC_script.txt`) and document their process in a report, including screenshots of each step.
Throughout the lecture slides, the document emphasizes hands-on learning and practical exercises using tools like Kali Linux, Immunity Debugger, Metasploit Framework, and Python scripting. It covers essential concepts in exploit development, buffer overflows, and fuzzing to help students understand and apply these techniques in network penetration testing.
Throughout the lecture slides, the document emphasizes hands-on learning and practical exercises using tools like Kali Linux, Immunity Debugger, Metasploit Framework, and Python scripting. It covers essential concepts in exploit development, buffer overflows, and fuzzing to help students understand and apply these techniques in network penetration testing.
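Review bot: the outline generates shellcode too early. In section 5 the `msfvenom` bullet says the payload "excluded bad characters identified earlier", but bad characters are only found in section 6 and the payload is generated again in section 7; drop the `msfvenom` bullet from section 5 (keep the "increase the buffer" point there) so students are not asked to build a payload before the bad-character run. Two further points in this hunk: the definition "Buffer Overflow: A process using more memory than it has been allocated" is inaccurate and should read "writing past the end of a fixed-size buffer, overwriting adjacent memory such as saved registers on the stack", which is what sections 3 and 4 then demonstrate; and the scripts are described as Python here (`fuzzer.py`, "Python exploit script") while the companion step list invokes `ruby exploit.rb`, so one language should be named consistently. The FuzzDB line changing to `<https://...>` is fine; it only makes the URL autolink.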
@@ -9,7 +9,7 @@
- Start SLmail on Windows 7 VM.
- Run Immunity Debugger as an administrator. To make the font more legible, right-click on the black area > appearance > font > OEM.
4. **Attach SLmail to ID:**
- In Immunity Debugger, go to `File > Attach...`, select the SLmail process, and click 'Open'.
- In Immunity Debugger, go to `File > Attach…`, select the SLmail process, and click 'Open'.
- Set the debugger to "Running" state by clicking on the "Running" button in the toolbar.
5. **Run the fuzzer:**
- Open a terminal on Parrot OS and navigate to the scripts directory.
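Review bot: the "Running" step needs its reason stated, because it is the one students skip. Immunity Debugger leaves the process paused when it attaches, so SLMail will not accept the fuzzer's POP3 connections until it is resumed; a half-sentence after "Set the debugger to "Running" state" ("otherwise the fuzzer's connections will hang") avoids a common false negative. The only visible change in the hunk, `File > Attach...` becoming `File > Attach…`, is harmless inside a backticked menu path, but the notes now mix ASCII and typographic ellipses, so pick one.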
@@ -41,10 +41,10 @@
- Use `!mona find -s "\xff\xe4" -m slmfc.dll` to search for the FF E4 opcode in slmfc.dll and choose an address (e.g., `0x5f4a358f`) as the new EIP.
14. **Prepare exploit script:**
- Replace `Bs` in the exploit script (e.g., `exploit.rb`) with the address chosen earlier.
- Add a NOP sled (e.g., `\x90` _16_) before the JMP ESP address to account for any slight miscalculations or fluctuations in memory layout.
- Add a NOP sled (e.g., `\x90` *16*) before the JMP ESP address to account for any slight miscalculations or fluctuations in memory layout.
- The exploit script should look something like this: `"\x90" * 16 + "\xff\x\xe4" + "\xbe\xxx\xxxx\xxx\xxx"`. Replace `Bs` with the chosen address.
15. **Start netcat listener:**
- On Parrot OS, run `nc -lvp 443` to start a netcat listener on port 443.
16. **Run exploit:**
- Execute the prepared exploit script with `ruby exploit.rb <Windows 7 VM IP address> 49500`.
- Once the exploit triggers, you should get a shell on the Windows 7 VM.
- Once the exploit triggers, you should get a shell on the Windows 7 VM.
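Review bot: the sample buffer in step 14, `"\x90" * 16 + "\xff\x\xe4" + "\xbe\xxx\xxxx\xxx\xxx"`, is wrong in three ways and will mislead anyone who copies it. `\x\xe4` is not a valid escape in Python or Ruby; `\xff\xe4` is the JMP ESP opcode that `!mona find` searched for, not the address chosen as the new EIP, so the return-address slot is missing; and the NOP sled is placed before the return address, whereas the lecture outline's section 9 (and the logic of JMP ESP, which lands execution at ESP, i.e. just after the overwritten EIP) puts the sled after it. The shape should be `"A" * <offset> + <chosen address, little-endian> + "\x90" * 16 + <shellcode>`, with the `_16_`/`*16*` markup fix made in the same line. Also, the hunk's `ruby exploit.rb ... 49500` does not match the Python scripts named elsewhere in these notes, and the last bullet ("Once the exploit triggers...") is duplicated.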
@@ -6,14 +6,15 @@ Stack = LIFO structure where CPU registers are stored at and retrieved from
Can inject malicious code using buffer overflow
# Fuzzing
- Sending malformed data into application input and watching for unexpected crashes. Unexpected crash indicated application might not filter certain input correctly.
- To develop an exploit for application X on OS Y,
- Sending malformed data into application input and watching for unexpected crashes. Unexpected crash indicated application might not filter certain input correctly.
- To develop an exploit for application X on OS Y,
- X, Y and debugger needed on same VM
- Another VM to fuzz the target VM
- Cant do remotely on running server (though if developed correctly, exploit should work on any instance of application X running on OS Y)
## SLMail
Using a python script, we can repeatedly connect to the POP3 server, attempting to send varying length growing buffer to the password field each time
Unauthenticated user can attempt to login providing a long password.
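Review bot: "Unexpected crash indicated application might not filter certain input correctly" overstates what a crash proves; it should say "indicates" and add that a crash only shows the input reached a memory-safety bug, and that whether the overwritten state is attacker-controlled is established in the debugger in the next section. The three bullets under "To develop an exploit for application X on OS Y" are the useful part of this hunk (target, OS and debugger on one VM, fuzzing from a second VM, never against a live server); "Cant" needs its apostrophe, and the last of the three would be clearer as "the exploit is developed against a local copy because a crash on a production server is a denial of service".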
@@ -23,20 +24,18 @@ The EIP register has been overwritten with opur input buffer of A's (\\x41)
As EIP register controls execution flow of application, if we make our exploit buffer carefully, could divert execution of the program to a place in memory where reverse shell code can be introduced in memory.
## Controlling EIP
- Getting control of the EIP register is an important part of exploit development
- Need to find out which A characters ended up in the EIP and identify the location of 4 unique bytes that overwrite the EIP Register.
- Can send 2900 bytes of unique non-repeating characters.
- User pattern_create.rb script in Kali to generate such a string:
- `/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2900`
- Using this unique stream of characters, instead of our 2900 A's into our python script, check EIP overwrite in debugger.
- Note ESP and EIP register values in next crash
- EIP has been replaced by the 39694438 hex characters, equivalent to 8Dj9
- We need to find exact position of these characters.
- Can now use the pattern_offset.rb script along with the create script to discover the offset of these specific 4 bytes in our unique byte string.
- `/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2900 -q 39694438`
- Sending this new buffer to SLMail POP3 server produces a crash in the debugger.
- Check ESP and EIP registers
- This time ESP has different value to first crash
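Review bot: the EIP value `39694438` decodes to the pattern bytes `8Di9`, not `8Dj9` (0x69 is 'i'; the four bytes read reversed because x86 stores the dword little-endian), so the "equivalent to 8Dj9" bullet should be corrected before students try to find that substring in their own pattern, and the `-q 39694438` form of the `pattern_offset.rb` command is the one to keep since it does the decoding for them. Smaller points: "User pattern_create.rb script" should be "Use", and in the last three bullets the referent of "this new buffer" is not visible in the hunk; name it (the A/B/C buffer built from the offset) so the reader knows this is a second crash, distinct from the pattern crash used for the offset.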
@@ -44,7 +43,8 @@ As EIP register controls execution flow of application, if we make our exploit b
- How to direct execution flow?
- Would like to include our own shell code inside buffer and redirect program flow to execute our shell code.
### Find Space in memory for Shell Code
### Find Space in Memory for Shell Code
- By dumping memory at time of crash, ESP register points directly to beginning of our buffer of C's. Seems like a convenient location to place shellcode as easily accessible through EIP register.
- Metasploit framework can automatically generate shellcode payloads, standard Reverse Shell payload requires around 350-400 bytes of space.
- Need to increase length of buffer to make room for reverse shell.
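Review bot: beyond the heading case fix ("memory" to "Memory"), the three bullets need the number that links them. "ESP register points directly to beginning of our buffer of C's" should say how many bytes that is: with the `"A" * 2606 + "B" * 4 + "C" * 90` layout from the EIP section there are only 90 bytes at ESP, which is why the 350-400 byte reverse-shell estimate in the second bullet forces the buffer to grow in the third. Stating the 90 also prompts the check a reader should make in the debugger: that the enlarged buffer still crashes with the same EIP offset and that nothing else truncates it before ESP.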
@@ -57,11 +57,10 @@ As EIP register controls execution flow of application, if we make our exploit b
- Depending on application, vuln type, and protocols, there may be certain characters that are considered bad and should not be used in our buffer, return address or shell code.
- Common example is null (0x00). Characters truncate shellcode in memory
- Easy way to check this is sending all possible characters, from 0x00 to 0xff as a part of our buffer and see how these characters are dealt with by the application after the crash occurs.
- A file containing all the possible hex characters can be found on Blackboard.
- When including these in python exploit code, we will see the characters that get truncated in Immunity Debugger
- One observation is that resulting memory dump for the ESP register shows that the character 0x0A seems to have truncated the rest of the buffer than comes after it.
### Generating Shellcode Payload
- Metasplot Framework provides us with tools and utilities that make generating complex payloads a simple task.
- Metasplot Framework provides us with tools and utilities that make generating complex payloads a simple task.
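Review bot: "Metasplot Framework" is misspelt in both the old and the new copy of the last line ("Metasploit"), so the change did not fix it; "the rest of the buffer than comes after it" should be "that". The bad-character explanation is also left as two fragments: "Common example is null (0x00). Characters truncate shellcode in memory" should say that a null byte ends a C string, so everything after it is dropped, and the 0x0A observation in the later bullet is the same effect for the POP3 line terminator (which is why 0x0A and 0x0D join 0x00 on the exclusion list in the lecture outline). Since the next section generates the payload with `msfvenom`, this is the place to note that the excluded bytes are passed with its `-b` option, and that the resulting shellcode must be sent through the same ESP memory dump check once more to confirm none of it was altered.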