4.0 KiB
4.0 KiB
-
Introduction
- Definition and reminder of key concepts from the previous week:
- Buffer Overflow: A process using more memory than it has been allocated.
- The Stack: Last-In-First-Out (LIFO) data structure where CPU registers can be stored and retrieved.
- ESP (Extended Stack Pointer): Points to the top of the stack at a lower memory location.
- EIP (Extended Instruction Pointer): Stores the address of the next instruction to be executed.
- Definition and reminder of key concepts from the previous week:
-
Fuzzing
- Fuzzing involves sending malformed data into an application input and watching for unexpected crashes.
- It helps discover vulnerabilities by sending varying lengths of data to identify buffer overflow conditions.
- Fuzzing tools and resources: FuzzDB (https://github.com/fuzzdb-project/fuzzdb).
-
Fuzzing Example: SLMail 5.5.0 Mail Server
- Installed the vulnerable SLMail application.
- Used a Python fuzzer script (
fuzzer.py) from Kali Linux to send varying-length passwords to the POP3 server. - Employed Immunity Debugger to monitor the SLMail process and observe the stack overwrites.
-
Controlling EIP (Extended Instruction Pointer)
- Sent a unique, non-repeating string of 2900 bytes to identify the specific characters that overwrite the EIP register.
- Used Metasploit’s
pattern_create.rbandpattern_offset.rbscripts to find the exact position of the overwritten EIP. - Modified the buffer in the Python exploit script to control the EIP register:
buffer = "A" * 2606 + "B" * 4 + "C" * 90.
-
Find Space in Memory for Shellcode
- Dumped the memory at the time of the crash to identify a suitable location for placing shellcode.
- Used Metasploit’s
msfvenomtool to generate a payload for a reverse shell, ensuring it excluded bad characters identified earlier. - Increased the length of the buffer to accommodate the generated shellcode.
-
The Problem of Bad Characters
- Identified bad characters (e.g., null byte
0x00, newline\n0x0A, carriage return\r0x0D) that could truncate the shellcode or cause other issues. - Sent all possible characters (0x00 to 0xff) as part of the buffer and observed how they were dealt with by the application after the crash.
- Identified bad characters (e.g., null byte
-
Generating the Shellcode Payload
- Used Metasploit’s
msfvenomtool to generate a shellcode payload with excluded bad characters. - Included the generated shellcode payload into the Python exploit script.
- Used Metasploit’s
-
Redirecting the Execution Flow
- Searched for a “JMP ESP” instruction or the two-instruction sequence “PUSH ESP; RET” within SLMail’s modules using Immunity Debugger and Mona.py script.
- Found a suitable JMP ESP instruction at address
5F4A358Fin the SLMFC.DLL module. - Replaced the overwritten EIP ("B"s) with the discovered JMP ESP address in the exploit script.
-
NOP Sled
- Added a sequence of No Operation (NOP) instructions (
0x90) at the beginning of the shellcode to create a “NOP sled.” - This allowed for some flexibility in transferring execution to the shellcode without precisely controlling branching.
- Added a sequence of No Operation (NOP) instructions (
-
Getting a Shell
- Set up a netcat (nc) listener on the attacker machine to receive incoming connections from the exploited target.
- Ran the exploit script against the SLMail application, and upon successful exploitation, obtained a shell on the target machine.
-
Assignment Task 1
- Students were tasked to develop a working exploit for the
VulnNewApp.exeapplication using the provided proof-of-concept script (vulnapp_POC_script.txt) and document their process in a report, including screenshots of each step.
- Students were tasked to develop a working exploit for the
Throughout the lecture slides, the document emphasizes hands-on learning and practical exercises using tools like Kali Linux, Immunity Debugger, Metasploit Framework, and Python scripting. It covers essential concepts in exploit development, buffer overflows, and fuzzing to help students understand and apply these techniques in network penetration testing.