Advanced Exploitation Techniques — Part 3
Walkthrough of Egg hunting with known vulnerability
Tutorial 1 — Boiling the Egg
Welcome to the third module of this advanced exploitation technique course. So far we have gone through discussing buffer overflows in depth, how egg hunters work and the core concepts on both of these topics. In this module we will be mainly focused on presenting how you can use egg hunters practically in an exploit code when you run short of memory space for your larger shell code.
In the previous module we have shown how the “Mona.py” command is used to generate egg hunter code. However, we haven’t gone far from the initial stage which generates the need for egg hunters.
While spending more time on Ability FTP Server and Bison FTP Server, I realized that we will be able to get egg hunter working for both applications so I decided to go with Ability Server itself as we used that earlier in our workshop as well for explaining buffer overflows and it’s worthwhile to keep the same pace.
Let’s see how it goes with this application we are now using in this course. So far we have been playing with Ability FTP Server for buffer overflows. Let’s run how to code egg hunters while exploiting Ability FTP Server.
What is the prerequisite?
If you have not completed the previous two modules and you are new to exploit development, it is strongly recommended that you should first complete the first two modules and practice exploit development for any of the two FTP servers we have been playing with and then jump here to have hands-on experience with egg hunters.
This module is focused on lab exercise so we are more inclined towards testing and exploiting here, as we believe that the core concepts have been presented in the previous two modules.
We will be using the following main tools to complete the lab exercise of this module for presenting the walkthrough on egg hunters. If you are not familiar with any of these tools so far then you are in the wrong room!
Exercise 1 — Mixing Egg Hunter
You can download the vulnerable application from the below link, however, don’t use the available exploit. Remember that you have to develop the exploit on your own if you really want to practice; this vulnerability is in APPE command.
Download link: http://www.exploit-db.com/exploits/693/
Fuzzing the Ability FTP Server
You should use the fuzzing technique we have discussed in detail in module one while exploiting the Ability FTP Server and utilize your skills to find the offset and return address on your own. However, we are squeezing the work as we have already tested this in our lab environment for the above two things.
Okay, let’s give the PoC Code for this vulnerability with the egg hunter added so that we can explain as well.
Don’t get worried with the new things shown in the PoC code we will explain this to you indeed.
As we have been explaining that egg hunting is basically staged shell code, you can notice we have two stages in the PoC code. Information we have prior to mix the egg hunter:
● Offset value which is 968 bytes
What we need to mix the egg hunter code:
● Typical egg hunter code (generated by mona.py)
● Where to put egg hunter code
● Add egg hunter code at top of larger shellcode
● Most importantly arrange the stack to that our egg hunter search
the larger shellcode as explained above
We know the size of our egg hunter code is 32 bytes and the location to put this egg hunter code is before EIP register get overwritten so we will subtract 32 bytes from the offset value and add the egg hunter code before EIP gets overwritten as shown below.
That’s the code of my egg hunter which will look for tag w00tw00t and then execute the code after this tag.
Now stage one of my shell code given below
“myStage1 = junk1 + egg_hunter”
where junk1 is now 936 bytes + egg hunter code which makes the offset value again to 968 bytes after which EIP will be overwritten. So now we will add return address which you can generate by the following commands as shown below. At this stage one, our egg hunter code would be embedded in the memory to start the work.
Select any one value from the discovered values for jumping to ESP. Okay, now it’s time to worry about stage2 shell code. Again, you can use any size of shell code now as we are using egg hunter to execute this code, which is independent of memory. Now let’s look at stage2
“myStage2 = “w00tw00t” + nops + buf”
Here you can see the tag “w00tw00t” is added on top of the buffer then padding the stage2 with nops and then the actual shell code is added. This is the stage2 shell code, which will be sent sequential for exploitation. So time to use this code and get the results. We have exploited the Ability Server again with our advanced exploit PoC code and below is the result again as shown.
Now, was the egg hunter really executed? Well, it is indeed, or else the shell code at stage2 wouldn’t be launched.
That’s the demo for coding and mixing egg hunter in your exploit, see you in the next module.
Originally published at https://learncybersec.blogspot.com.