In the previous article, we mentioned that there are five steps to exploit an application locally. We have already covered first two steps of the local exploitation technique in the previous article. Now, in this article we will complete the exploit by performing rest of the steps. Let’s take a look at the following notable points where we ended our previous article.

  • EIP register is overwritten after the 260 character.
  • Top of the Stack is pointing after the 280 character.

A bad character is simply a list of unwanted characters that can break the shell code.

(Note: We are not going to explain “bad character” in detail here. Please read the previous articles for more information.)

First, we will have to generate a list of all the characters that can be used to generate the exploit. We can do this by writing a simple program in C language. You can download badchar.c file here:

Image: 1

In the above screen shot, we have written a C program. Let’s compile and run this program to generate the character list.

Image: 2

Notice in the above screen shot that at first we compiled the badchar.c file. After that, we have run the program and as a result, the character list has been generated. Now, we will copy this character list and append it into the Python script as we did in the previous articles.

Image: 3

We can see in the above screen shot that we have appended the character list in the Python script after the B’s. Now, we will save this Python script and run this script to generate the exploit.plf file with the changes.

Image: 4

We run the exploit.py script on the terminal and a new exploit.plf file is generated on the desktop. After that, we have copied this to the shared folder so that it would be available on the machine A.

Now, we will run the Blaze DVD player with the debugger and open the exploit.plf file on the DVD player and following are the steps which need to be preformed to identify the bad characters.

  • Open the exploit.plf file with the DVD player software.
  • Analyze the stack values in the debugger if the input breaks.
  • If so, find the character that breaks it.
  • Remove the character from the list and go back to the first step again.
  • If input no longer breaks, the rest of the characters could be used to generate the shell code.

Let’s follow the above steps one by one.

First of all, we open the same file with the debugger.

Image: 5

In the above screen shot, when we open the exploit.plf file with the entire character list, we see that the program has crashed as expected. But when we closely look into the stack we can see that EIP is overwritten with 42424242 which is B’s (in hexadecimal) but after that we can see some random numbers in the stack instead of the character list.

Image: 6

Therefore, it may be possible that our first character in the character list will be the bad character for the program. So, let’s remove the first character from the Python script and note down the character in a separate file for further use and save the exploit.py file.

Now, we run the Python script again to generate the exploit.plf file and copy this file to the shared folder so it would be available on the machine A.

Then, we will re-start the DVD Blaze Player software with the debugger. We can do it by pressing the CTRL+F2 key and open the exploit.plf file again with the debugger.

Image: 7

As we can seen in the above screen shot, the program is again crashed but when we closely look into the stack, we can see some characters in the stack.

Image: 8

In the above screen shot that, after the 09 the stack is again corrupted. So, the next character would be a bad character for the program. We will remove the next character after 09 in the Python script and generate the exploit.pdf file again.

Now, we will have to continue these steps until all the input data along with the C’s come back into the stack.

After doing the same steps 2 more times, we got the stack output according to our expectations.

Image: 9

It confirms that we have the following bad characters according to the program.

\x00\x0a\x1a

So, we have 3 bad characters in the program. Now, we will proceed to the next step that is Generating the Exploit and Payload.

  • Generating The Exploit and Payload:

In this step, at first, we need to change the execution control by writing the JMP instruction after that we will generate the shell code with the Metasploit Modules. Finally, we would put these instructions in the Python script as given below.

  • In Python script, BBBB will be replaced by the JMP instruction address.
  • C’s will be replaced by the Python script.

So, let’s start the process by writing the JMP instruction. After removing the character list, the Python script will look like.

Image: 10

Now, we will re-generate the exploit.plf file by running the exploit.py script on the terminal and copy the file on the shared folder, so that it would be available with the machine A.

Let’s run the Blaze DVD player software with the debugger and open the exploit.plf file with the DVD player.

Image: 11

As we can see in the above screen shot, that the software is again crashed in the machine A. When we closely look into the debugger we can see the following notable things.

Image: 12

As shown in the above screen shot, the Top of the Stack (ESP) address is 0012F390 which has the 00 in the starting of the address, but we can’t use this address as it has the 00, which is a bad character for the program. We have already identified the bad characters in previous steps.

Let’s identify the JMP ESP instruction for the program as we did in Part 6 of the articles series. (http://resources.infosecinstitute.com/stack-based-buffer-overflow-in-win-32-platform-part-6-dealing-with-bad-characters-jmp-instruction/)

Note: We are not going to explain step by step how to write the JMP instruction; if you want to read this in details you can read Part 6 of this article series.

Now, we restart the program on the debugger in the machine A and press ALT+E following. After this, a window will open which contains all the DLL files list that is used by the program. We can use any DLL file that contains the JMP ESP instruction. In our scenario we will be using “NTDLL.DLL” file to identifying the JMP ESP instruction. So, let’s open this file by double clicking on it and press CTRL+F, after this, a search box will open as given below.

Image: 13

As can be seen in the above screen shot that we have written JMP ESP in the Find command box, now we will hit the enter key.

Image: 14

As shown in the above screen shot, that JMP ESP instruction is highlighted, and we can see the corresponding address on the left hand side, which does not contain any bad characters. So, we can use this address as a JMP instruction. Now, write down this address in reverse order.

“/xed/x1e/x94/x7c”

Now, we will replace it in the Python script with B’s and create a break point here to verify the same in details. We can create the breakpoint by pressing the F2 key

Image: 15

We can see in the above screen shot that we have created a break point on the machine A at the JMP ESP instruction. We have also replaced the B’s on the machine B in the Python script with the JMP instruction.

After putting the JMP instruction in the Python script, let’s append some NOP sled in the Python script. The function of NOP sled is ‘no operation’. It means that whenever the NOP sled is encountered in a program the CPU does not perform any actions and would pass the execution control to the next instruction. The NOP sled is defined by “\90”. So, let’s add 40 NOP sled in the Python script after the JMP instruction.

Image: 16

As can be seen in the above screen shot, we have added NOP sled in the Python script, now we need to generate the shell code and replace the shell code with the C’s in the Python script. So, let’s open the terminal on the Machine B and write the following command on the terminal to generate the shell code of the reverse TCP payload. (NOTE: We can use any payload according to the requirement, as of now, we are using reverse TCP payload)

  • msfvenom -p windows/shell_bind_tcp -f c -a x86 -b “\x00\x0a\x1a″

(In this command we have used –b “\x00\x0a\x1a”. It means that while generating the payload, the characters that are given with the –b option will be ignored. We have identified these bad characters in previous steps)

Image: 17

As can be seen in the above screen shot, after running the command, the shell code is generated according to payload and bad characters are ignored. Now, we will copy this shell code and replace C’s with the shell code.

Image: 18

As we can see in the above screen shot, we have copied the shell code in the Python script. Now, we will save this Python script and run the Python script after that the exploit.plf file will be generated. Now, copy this file in the share folder so that it would be available on the machine A.

Now, open this exploit.plf file with the DVD player.

Image: 19

As can be seen in the above screenshot that the program did not crash but it reached the location where we had created the break point. When we closely look into the Hex dump and stack, we can see that everything we have set in the Python script is successfully implemented in the stack. Now, let’s click on F9 key to continue the execution of the program.

Image: 20

As can be seen in the above screen shot, the program did not crash this time. This is great news for us. It means we have successfully exploited the application. Let’s verify it by connecting from the machine B.

Image: 21

In the above screen shot, we can see that we have the reverse connection on the attacker machine. Let’s verify the same by running the DVD player software with the debugger and try to connect from the machine B.

Image: 22

As can be seen in the above screen shot, this time we ran the DVD blaze player software with the debugger and the program did not exit and when we connect to the machine B we got the reverse connection shell on the attacker machine. This verifies that we have successfully exploited the application.

References: