Exploiting a Windows-Based Buffer Overflow
2021-04-13 09:05:31 Author: wiki.ioin.in(查看原文) 阅读量:220 收藏

Ravishanka Silva

This article is based on exploiting a simple buffer overflow in Windows using Vulnserver. If you don’t have an idea about buffer overflows, read my previous article about exploiting a Linux buffer overflow here, https://ravi5hanka.medium.com/privilege-escalation-in-linux-via-a-local-buffer-overflow-dcee4f9b4a49

Tools and OSs Used

Initial Step

In the victim, install immunity debugger and extract the contents of Vulnserver zip. Then run Vulnserver.exe as administrator.

running vulnserver.exe as admin

Then open immunity debugger as administrator, and attach the vulnserver process to immunity debugger by, File > Attach > vulnserver > Attach.

Attaching vulnserver process to debugger

Then the debugger will look like following.

After attaching vulnserver process to debugger

Click on F9 key to change its state from paused to running. Then you need the IP of the victim(use ipconfig command in CMD). We know that Vulnserver opens a port at 9999(read the readme.md file of vulnserver). Then move to your attacker machine and connect to vulnserver via netcat.

Connecting to vulnserver via netcat

As you can see, HELP command shows the commands which we can use with vulnserver. So, let us proceed with the attack, step by step.

NOTE: In each and every step after Spiking, close the debugger and, open vulnserver and debugger again as administrator, and re-attach the process and run it.

Spiking

In this step we identify the vulnerable parameter. We can issue bunch of characters to each and every command above and see whether the program crashes. If it crashes we can identify it as vulnerable.

Let us take STATS command. First, create a spike script as follows.

spike script for STATS command

Then use generic_send_tcp to send the above script, as follows.

generic_send_tcp with STATS.spk

Look at the immunity debugger when executing the above. You will come across that nothing strange happens. As we did above, you can test all the parameters.

Let us take TRUN parameter. You need to change the spike script as follows.

TRUN.spk

Then use generic_send_tcp as we did earlier, this time, with TRUN.spk and observe the immunity debugger. You will encounter a crash as follows.

Debugger crashes

If we look at the registers section, you can see that some important memory locations are overwritten with bunch of “A”s, as follows.

Registers are overwritten with “A”s

This means that there is a vulnerability here, which we can exploit further. Hex value of EIP 41414141 represents the ascii characters “AAAA”. This means that the EIP is 4 bytes long.

Fuzzing

We have identified “TRUN” as the vulnerable parameter. Fuzzing is similar to spiking. However, rather than attacking different parameters, we are attacking specifically the vulnerable parameter TRUN, in order to get an idea about the location where the crash happens.

Use the following python program to perform fuzzing.

Python program used for fuzzing

Give execute permissions to the above program and run it. While running, observe the vulnserver. Once it finished saying “Connection closing”, as follows,

hit ctrl+c immediately in your terminal, in order to interrupt execution of the program, as follows.(This is needed because the program won’t automatically stop.)

As you can see, the crash happened at approximately 3000 bytes. Registers section of the debugger will look like following.

As you can see, it did not overwrite the EIP register. So, our objective is to find where exactly the EIP at. If we can control the EIP, we can point it to our malicious code and gain a reverse shell.

Finding the Offset

We have to find the exact byte location of EIP. First create an unique exploit string with pattern_create.rb tool which is provided by Metasploit as follows.

Generating an exploit pattern with msf tool

As we know that the byte length is about 3000, we have to give it with -l switch as shown above. You will be given a lengthy pattern as the result. Copy and paste it to the python program used previously, making some minor changes as follows.

offset.py

Execute the above program, and observe the immunity debugger. You will encounter a crash. What we need to focus here is the value of EIP as follows. It is needed to find the exact byte location.

hex value of EIP

Now we need to use another msf tool called pattern_offset.rb in order to find the exact byte location of offset(EIP), as follows. Remember to provide the above found value with -q switch.

Exact byte location of EIP

So, this means that we can control the EIP at 2003 bytes.

Overwriting the EIP

Now we know that there are 2003 bytes right before you get to the EIP, and EIP itself is 4 bytes long. Let us try to overwrite that 4 specific bytes.

Previously used python program can be used for this, with some modifications as follows.

overwriteEIP.py

If everything is fine, value of EIP should be 42424242(hex value of “BBBB”). So, run the above program and observe the debugger. You will see the following.

EIP value = 42424242

This means that, EIP is overwritten with “BBBB”, and now we control the EIP.

Finding Bad Characters

Now we need to ensure that whatever we send to vulnserver is read correctly. If there is even one character which is not read correctly, our exploitation will be a failure. Thus, we can send every possible character and check what happens to them. We can use mona.py for this purpose. You may need to manually add mona python program to immunity debugger. Follow this, https://github.com/corelan/mona.

Give the command !mona bytearray in immunity debugger and you will be given all possible characters from \x00 to \xff and it is saved in a text document inside the installation folder of the immunity debugger.

output of “!mona bytearray” command

Copy and paste those characters to the previous python script as follows. As \x00 is always a bad character, we need to remove it.

badchars.py

Run the above program and observe the debugger. What we should focus on is the hex dump. So, right click on ESP register and click “Follow in Dump”.

hex dump

As you can see, there are no bad characters; the numbers are there as it is.(If there are bad characters, there will be numbers which are out of order). So, the only bad character is \x00.

Finding the Right Module

Now, we need to find a file(eg: dll) inside a program which has no memory protection mechanisms such as ASLR , DEP etc. Previously used mona.py can be used for this purpose.

Use the command !mona modules in the debugger and you will come across that there is a dll file called essfunc.dll, which has no memory protections.

Output of the command “!mona modules”

We can send the payload with shellcode and use JMP ESP(JUMP TO THE ESP REGISTER) instruction to jump to our shellcode. So, let’s check whether there are available JMP ESP instructions available in associated with essfunc.dll, by using !mona jmp -r esp -m “essfunc.dll” command as follows.

!mona jmp -r esp -m “essfunc.dll”

Get the first return address value, 625011af and use it in the python program as follows. We are going to overwrite the EIP with the above found address. Remember to use it in reverse order, as the x86 architecture is little endian.

jmpESP.py

Before running the above program, put a breakpoint in the debugger at 625011af.(After finding the address, click F2 to add the breakpoint).

breakpoint on 625011af

Then run the above python program. Observe the debugger, and you will see the following.

EIP is overwritten with 625011af

This means that we could overwrite the EIP with the return address of JMP ESP. So, now we only have to point it to our shellcode.

Generating Shellcode

Now we need a shellcode, in order to use with the above python exploit. You can generate a shellcode with msfvenom as follows.

Generating shellcode

As shown above, you have to define the payload type to gain a reverse shell , define your attacker machine’s IP and port , file type as c , architecture as x86 and since we only have \x00 as the bad character, define it here. You will be given a lengthy shellcode as the output. Copy it.

Getting the Reverse Shell

Paste the above shellcode to the python program as follows.

revShell.py

The above program will send a bunch of “A”s until it reaches EIP and the EIP will be overwritten with the return address of JMP ESP. Thus, vulnserver will execute JMP ESP instruction and it will be pointed to our shellcode. In addition, you need to add a NOP slide(“\x90”*32) in between the return address of JMP ESP and shellcode for the safe execution of the exploit.

Now we don’t need the debugger. So, close it and reopen only the vulnserver as administrator.

Then create a netcat listener using the port which was used when creating the shellcode(in my case 5555). At this point you may need to turn off your windows defender firewall.

Then execute the above created python exploit, and take a look at the listener.

Reverse shell

VOILA!!! We are given a reverse shell of our Windows victim machine.

Try this yourself and you will definitely enjoy it. Connect me on LinkedIn, https://www.linkedin.com/in/ravishanka-silva-a632351a0/

HAPPY HACKING!!!


文章来源: https://wiki.ioin.in/url/jdvN
如有侵权请联系:admin#unsafe.sh