First the attacker enumerates machine's on the internet, using nmap etc... Attacker finds a machine running BigAnt Server 2.52. Second, after conducting more enumeration on the target machine the attacker sets up a test machine to mirror our target machine. In this situation I have used a Windows XP machine, set up as a virtual machine. Third, in this case I will refer to our test machine as 'victim' with an ip address of 172.16.94.133, the attacking machine will be known as 'attacker' with an ip address of 172.16.94.173.
Attach debugger to running process "AntServer.exe"
Skeleton exploit to send to the "victim" machine
Send skeleton exploit to the victim machine, and the debugger halt the execution flow of the program with an overwrite of the ESI register of A's, or as seen above in our skeleton exploit "\x41"
Still in the debugger go to view > seh chain. Notice our seh chain has been overwritten by all A's or "\x41" as well!
Go back to main window and select SHIFT + F9, and we pass the seh exception with an overwrite of EIP, again with all A's or "\x41"
On the attackers machine we generate a 2500 byte generic string using metasploit.
Add the generic string, we generated from metasploit, to out skeleton exploit. Resend the rewritten skeleton exploit.
This time ESI gets overwritten with a value of 6Cb7
Again go to view > seh chain. seh value 42326742
Using the above two values, 6Cb7 and 42326742, we can use metasploit to determine our 'offsets.'
The debugger will halt the execution flow of the program, SHIFT+F9 will pass the exception and overwrite EIP with the four A's or "\x41" * 4 as predicted in the above script.
Using a Windows DLL to overwrite the structured exception handler. Go to C:\WINDOWS\system32 and copy vbajet32.dll > to the metasploit DIR in the attacking machine. On the attacker machine run command "msfpescan -i vbajet32.dll" Reference the DLLCharacteristics, note the output
0x0000000 this means we can use this DLL to locate a seh overwrite address.
In the main debugger windows go to "E" in between L and M.on the main task bar of Ollydbg.
Click on the "E" button and double click on "vbajet32.dll" now right click and choose "Search for" > "Sequence of Commands" a pop up box will appear. Type into the box:
POP r32
POP r32
RETN
Press "Find"
Copy the POP POP RETN values.
Set a "breakpoint" on the POP POP RETN address, by pressing SHIFT +F2.
Set up netcat listener on port 443 and resend skeleton exploit. Resend exploit with no Debugger attached to running process on victim machine.
A quick "ipconfig" on the victim machine to confirm exploitation.
Now we have a working exploit to send across the internet to exploit the machine originally found in our enumeration phase.
No comments:
Post a Comment