New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update the Ultra Mini HTTP bof exploit #3027
Conversation
After exploiting this application manually I decided to make this an MSF exploit, only to find that other people had beaten me to it. However, the existing exploit was broken in a few ways, and this commit makes those problems go away. They include: * Correct use of alpha chars in the buffer leading up to the payload which results in bad chars being avoided. Bad chars muck with the offsets because they get expanded. * Adjustment of the payload so that it runs in another thread instead of in the thread of the request handler. This prevents the session from being killed after the hard-coded 60-second timeout that is baked into the application. * The handler thread terminates itself so that the process doesn't crash. * Extra targets were added based on the machines I had access to.
There are prepend and prependencoder options for adding stuff before/after encoding? |
The problem with those is that they don't tell me how big the final payload is prior to encoding. Right? I know I can throw something in there, but I need to calculate stuff based on the size of the resulting payload that the user has chosen. And I can't specify that at runtime. Ideally, |
ah bummer! |
Could this module be used with Prepend Migrate (fixes pending), or the InitialAutoRunScript migrate technique to get out before the 60seconds? |
Yes it could. However it isn't necessary in this case given we have the |
Processing! |
# we re-encode, including the thread creation stuff and the chosen payload | ||
# as we don't currently have the ability to "prepend raw" stuff to the front | ||
# of the buffer prior to encoding. | ||
buf << encode_shellcode_stub(new_thread + payload.encoded) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no need to encode payload.encoded
again.
buf << encode_shellcode_stub(new_thread)
buf << payload.encoded
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jlee-r7 I didn't do this because I didn't want to assume the
location/offset of the final payload would be consistent across all runs of
the exploit. I wasn't sure if that was a safe assumption or not. I also
thought that if for some reason the decoder stub changed over time, or if a
different encoder was used, then this would be better.
Thanks for the feedback! I still have so much to learn.
I must to say I'm with @Meatballs1 here, using
So landing after applying the @jlee-r7 feedback! |
Thank you @jvazquez-r7 for testing and landing! And thank you for your |
After exploiting this application manually I decided to make this an MSF exploit, only to find that other people had beaten me to it. However, the existing exploit was broken in a few ways, and this commit makes those problems go away. They include:
The exploit uses the application addresses where possible for things like
VirtualAlloc
,CreateThread
andTerminateThread
so that they're portable across instances.This exploit doesn't bypass ASLR because the
EIP
overwrite would need to contain an address which doesn't contain aNULL
byte.NULL
bytes result in the payload being truncated and appends\r\n
resulting in a bad address anyway.I need the likes of @wchen-r7 and @jvazquez-r7 to show me the ways of bypassing ASLR in cases like this so that it can be exploited on more up to date operating systems.
I need to be able to prepend a custom set of shellcode to the payload because this allocates memory, creates the new thread, and shuts the current thread down nicely. However I couldn't see a way of getting this included with the chosen payload before it is encoded. As a result, the payload appended to the custom shellcode encoded, and ends up being double-encoded. This isn't a huge issue as it doesn't really add much weight to the payload and there's plenty of space for it to move.
Tested on Windows 2k Server, Windows XP SP0/SP2/SP3, Windows 2003 Server, all 32-bit. Payloads that were tested are bind/reverse meterpreter, bind/reverse vncinject, bind/reverse shell.
My first MSF exploit, so let me know if I'm doing anything stupid!
Shout out to @todb-r7 ... I told you I'd bring my work into MSF :)