Thursday, January 24, 2013

Buffer Overflow Stack part 2b

Exploitation of Minishare 1.4.1

1.  We need to develop a script to crash the server.

2. The attacker sends the Proof of Concept (POC), resulting in an overwrite of EIP on the victim machine.

3. Now we rewrite our POC to use a Metasploit-generated unique pattern string, always maintaining a buffer length of 2220 bytes.

4. Rewrite POC to include our generic string.

5. Re-send our POC.

6. Observe the result on the victim machine.

7. Now we have the information required to determine our "offsets".

8. Rewrite our POC to include the new discoveries, again maintaining a buffer length of 2220 bytes.

9. Resend our POC and try to overwrite EIP with ASCII "B"s (0x42).

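As an added example (not the original post's script), here is a small Python reimplementation of what Metasploit's pattern_create and pattern_offset do for steps 3 and 7: the cyclic string is built so that every 4-byte window is unique, so the value the debugger shows in EIP after the crash maps back to exactly one position in the 2220-byte buffer. The crash value used in the demo is constructed, not taken from the post.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Build the Metasploit-style cyclic pattern 'Aa0Aa1Aa2...'.

    Each 3-byte triple (upper, lower, digit) occurs once in the first
    26*26*10*3 = 20280 bytes, so any 4-byte window is unique as well.
    That uniqueness is what lets a crash value be mapped to an offset.
    """
    out = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, value):
    """Return the offset of `value` in `pattern`, or -1 if absent.

    `value` is either the 4 pattern characters themselves, or the dword
    the debugger shows in EIP (e.g. '0x41336141' or '41336141'). x86 is
    little-endian, so the displayed dword is the 4 memory bytes reversed.
    """
    hexdigits = set("0123456789abcdefABCDEF")
    raw = value[2:] if value.startswith("0x") else value
    if len(raw) == 8 and all(c in hexdigits for c in raw):
        needle = bytes.fromhex(raw)[::-1].decode("ascii")
    else:
        needle = value
    return pattern.find(needle)


if __name__ == "__main__":
    buf = pattern_create(2220)          # same buffer length as the post
    crash_eip = "0x41336141"            # constructed sample EIP value
    print("EIP", crash_eip, "-> offset", pattern_offset(buf, crash_eip))
```

Once the offset is known, the four bytes at that position in the buffer are what land in EIP, which is the check performed in step 9.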
10. Great, we control EIP! Now, how do we redirect the execution flow of the program to execute code of our choosing?

By finding a jump instruction at a fixed address inside a system DLL, we can ensure that the program will execute our code (shellcode).

Fortunately for us, Windows is kind enough to include such a DLL. Navigate to SHELL32.dll to find a jump to where we overwrite our buffer; in this case we look for a "JMP ESP" in SHELL32.dll.

11. Once we locate our JMP ESP in shell32.dll, set a breakpoint on that instruction.

12. Rewrite the POC to include the new information.

13. Resend the POC; the debugger halts execution at our breakpoint, the JMP ESP at 7CA58265.

14. Hit Shift+F9 to step past our breakpoint.

15. This is the space where our shellcode will execute. Let's generate shellcode using Metasploit, include it in our POC, and gain remote code execution on the victim machine.

16. Include this shellcode in our POC and resend it.

17. Before the attacker sends the final exploit to the victim, he sets up a netcat listener on port 443.

18. Finally, the attacker is set to send the final exploit. This time he will not restart the debugger!

19. As expected, our netcat listener receives the connection from our shellcode in the form of an Administrator Windows command prompt.
20. Victim Desktop



1 comment:

  1. I feel very grateful that I read this. It is very helpful and very informative and I really learned a lot from it.
    OTH Gold
