 Hello everyone, my name is John Hammond and I would like to start out this video with the quick shout-out some love to my buddy overflow So overflow is sharing and releasing out to the world a beginner malware analysis course You can find on his website It is only 39 pounds and it is an awesome beginner friendly course with five hours and more of video material discussing x86 assembly Analyzing visual basic macros extracting configurations and learning all about different kinds of encryption algorithms So I love this course because it is super duper hands-on Everything that you're doing is going to be walked through along with overflow in his actual demonstration of reversing some malware analyzing what it really does and Each section is dedicated to its own kind of snippet of video So they're all really bite-sized super easy to digest and you can see this gets into some really good stuff Dot net information x86 assembly of course using Ida Pro the free rendition using a debugger checking out common API attacks and moving into real-world case studies and different examples that you can see out There in the real world. So I really really recommend you guys go check out this course Honestly, I'm a big fan. In fact, if you want to use my discount code Just my name John Hammond all caps no spaces you can get 15% off But there is a catch. It is the first 150 people to use this discount code So if you're interested in the beginner malware analysis course, please go check it out link in the description and on the video for some reason I don't know why because you can't really copy and paste that but please go check it out. Thanks so much Okay, now let's get to the video so in this video I want to show you guys the hter function and that command within vault server and how we can exploit it and it caused it to With some shellcode Sunday reverse shell connection back to us so that we can control the machine and interact with it as a Victim compromise program. So if you haven't heard of vault server before I really recommend you go check it out You can find it online. I think it's Steven Bradshaw that it created check out his github download it It's a simple dot exe executable that is a simple command line Server where it'll open up a socket on the network that you can connect to and you can interact with simple command line functions or commands And each of them is intentionally vulnerable in a specific way So you can learn practice and educate yourself on how to exploit them I use phone server a lot when practicing for the OSCE or the offensive security certified expert exam So I want to showcase a little bit of it here Okay, so I have this set up with a windows 7 virtual machine that is going to act as our server running volume server So I'm going to fire up my command prompt And I'll move into the directory that I have volume server Downloaded into and I'll go ahead and run the volume server dot exe So it's going to start that program grab its DLL which it does need and you can actually abuse that later on in some Other functions and it's going to wait for client connections. Okay, so as this is the server We are the client or our attacker machine I'm going to end up just using my host because I'm connecting through a virtual machine right now But we do need to know the actual IP address of this target of this host So I'll fire up another command prompt down here Just verify what the IP address is and in my case it is 192.168.205.137 Okay, so now that this program is running We don't know how it's vulnerable or where What sort of code path do we need to go down or what input or payload will actually crash this service? So let's go ahead and write something that will fuzz the application to send it a bunch of garbage input Variables of random data nonsense and noise that will eventually have it topple over or spit up and throw up So I'm gonna do that back on my host with a simple Python script I'm gonna end up using Bufas. So let me make a directory I'll just call it HDR as that is the command I'm going to end up exploiting and I'll create a Bufas fuzzer script I'm gonna use sublime text here. So now that I have this Python script created. I will add my shebang line I'm gonna be using Python 3 because Python 2 is very dead Don't use that anymore and I'll import everything from Bufas If you haven't installed downloaded or worked with Bufas before again, really recommend you go check that online I think it came out of the sully project and originally before that obviously a lot of people have seen spike That's a pretty common fuzzer and it's used to that syntax s underscore for a lot of the commands and functions that it does And we'll actually see that just as well within Bufas. So let's go ahead and get started We need to actually know the information for the target. So I'll just specify some variables for this I'll say my host is 192.168 and that was 205.137 and vone server listens on port quad 9 So now we want to actually connect boilerplate Bufas stuff. I Admittedly don't know the Bufas syntax all that well So forgive me if I look over at my notes every now and again because I do need to actually go ahead and create What's called a session and inside of that you have a target that is passed as a keyword argument And inside of that you have a connection which is created with a socket connection And again, I don't admittedly have all of the syntax memorized So forgive me for kind of darting my eyes to go make sure that's correct here We just specify the host in the port and the protocol it's going to end up using which in our case is simply TCP I'll save this and I'm using black the Python linter So it automatically kind of readjusted my format here But hopefully you can read that and that's all clean now that we have that session We can create a mode For what Bufas actually going to work with and that mode can be really anything we can call it whatever we want What I tend to do is I just call it the name of the function that I'm abusing so I'll go ahead and say s underscore Initialize and it just takes a string argument I'll call it hter and that's just what we're gonna have Bufas used as kind of a profile or really understanding the context of what it's going to do for its procedure when it goes and Fuzz is the application now. Let's go ahead and explain it how it's actually going to fuzz So we need to specify how it will send its information to the remote target to the actual victim here We're gonna specify that with a string because obviously what we're gonna type in and the input for the program is going to be Something that we would send as a string actually. Let me show you that let me make sure that comes across Okay, let me do 192 168 205 137 on port 999 I'll go ahead and netcat to that so you can see what the vulnerable server looks like if I want to help You can see all these different commands that we're gonna end up working with all of them actually don't do anything they're just intentionally vulnerable they don't actually serve a purpose but the Hter command you can see that is something that we could run with an argument so only to specify that as the Kind of skeleton framework for how boo fuzz is gonna fuzz the application. It'll send in anything or a bunch of fuzz data So that's how that looks. Let's go ahead and create that I'm gonna specify hter as the command that we'll use here, and then we actually need to specify a delimiter But we need to make sure that each of these that we send along are not we're actually going to fuzz So boo fuzz needs a keyword argument fuzzable and we can just set that to false But the limiter to specify that in our argument will actually be Again a space and that should be false because we don't want to fuzz that information what we do want to fuzz We'll come after that so I'll specify that as a string and we can say really anything here Because that is the information that it is going to fuzz And we don't need to specify that fuzzable keyword argument because it will be true by default We don't need that in this case Now boo fuzz will know okay That is the point inside of the payload inside of the input that we are going to actually fuzz that service with Now that that's created we can go ahead and connect with our session Plug it in and use this specific mode what we've initialized that kind of profile for us So let's do that. Let's do session dot connect and it's s get to actually retrieve That specific mode and we've defined it up here. Let's just say Specify how the fuzz syntax works This is our fuzz points Great, and now that we have connected to the service Using that mode we can go ahead and finally session dot fuzz and we'll send a bunch of data send a bunch of nonsense Okay Now that we've created that we can go ahead and mark it as executable if you want because we have our shebang line Or we can simply run Python 3 and the name of our script So when I send this it's going to send a lot of data a bunch of stuff is going to that remote service and Sometimes we won't get a whole lot back or it'll choke and slow down Because if we go look at the server side it received all these connections and then it crashed So we know okay. We have fuzz the program. We found a sensitive input Something unique that will cause the program to crash and throw up a bit. So I'm curious now Where does that actually happen? How does that happen within the program? So what we can do is we can hook vone server up to a debugger And I'm going to actually use a muni debugger to go ahead and do that It's going to keep telling me that my windows is not safe. I don't care now. We can open up a muni debugger Let's open a new program. I'll open vone server can navigate to it and you can see now immunity will open up on the top left side You have our Disassembly of the program the top right you can see the registers and their values as we move through this program We have a little dump here and you can see the stack the very very bottom right Which you can't see because my face is in the way. It is currently paused This green or excuse me yellow little indicator that the program is not running So we need to go ahead and hit that big red play button on the top I think the key word for that is a hot key for that is what is it f9? No, no, no, it should show me Okay. Yeah f9. I hit f5 and totally said f9. Did I say f5 or f9? Whatever the program is now running and now we can go ahead and send our fuzz script and have it Break up and beat up the program again. So let's clear the screen Fire up boofo's and eventually if we were to hop back to our program We don't see it get anything just yet Is boofo still going? Looks like he's taking a break. Oh sending more stuff nothing yet Okay, there we go now we crashed all I needed to do was tell windows to shut up So his instruction pointer is currently one one one one one Or eight ones which is really interesting because normally if we're fuzzing we might see some other values And we do this manually sometimes as we set a bunch of a's we'll have hex four one four one four one four one But this is a problem because we're just getting ones so We could see maybe where we're actually sending that why we're getting ones as our values here So boofo's it will save its results in a little sequel light database for us, which is really really cool Let's move into boofo's See with this and it actually stores them as sequel light databases So this is when I initially ran it. This is when I ran it the second time You can see just that timestamp is a little bit later So let's go ahead and open that up in a sequel light browser And I need to specify the proper file 46. Okay Now if I were to browse data in the steps table We can take a look at what we've actually sent the program data is what's going to end up filling with a bunch of this information and seemingly Do we have anything that actually sent a lot of ones? And keep scrolling down until we find anything interesting You can see all the interesting things that it tries to send like some specific commands For one kind of language or something that it might trip on etc Okay, now we see we're sending a lot of ones hter They sent 130 bytes 131 bytes they sent 10,000 30 bytes They sent 41,000 bytes all of which were ones. So let's try and create Maybe a kind of script on our own a standalone script that will go ahead and Have this program crash. So let's try that. I'm gonna go ahead and move back a directory. So I'll call mine attacker.py and I'm going to Start a shebang line And I'm gonna use Pwn tools because I like that so from Pwn import all let's say our host can equal Everything that we have had thus far 137 the port number can simply be Quad 9 and let's say s can equal remote of host and port. So let's send a payload So we'll go ahead and create that and I want that to actually be An array of data that I'm gonna send so we need to use bytes here because we're using Python 3 So I'll use that be prefix for all of our strings I'll specify a space following that I'm actually gonna turn black off because I want to be able to create this How I would like it. Let's just send one this that number one I guess 4,000 times and I'm gonna go ahead and join this together So now I finally have a full payload and if I were to print that out you could see it print out payload I Will Python 3 attacker You can see okay We have a bunch of ones that we're just printing out and we can connect to that service Successfully, let's go ahead and send that. Let's do s dot send Payload and just to make sure that we don't lose our connection in case we didn't crash the service I'm not actually say s dot interactive rather than s dot close at the end. So Now let's see what we got Looks like this program is crashed. So let's go back to our server restart it with an immunity debugger and Now let's send our script Theoretically we sent it. Okay, and we did get it to crash Okay, so all of the ones seemingly are crashing the Service, but it's strange because it's not getting the hexadecimal representation of the ones here It's not getting a little Indian format like if I were to go back to my prompt here. Let's fire up idle When we normally send data When we normally check out a Bunch of A's that we might hammer a program with we would want to know what the actual Hexadecimal value is it's being packed in the little Indian format and is being filled in that EIP or the instruction pointer register In this case, we're not having that happen because if I were to check out the ordinal value in the hexadecimal representation of a one character It's hex three one The three isn't in there. It's just straight one one one one, which is really really weird if I were to send a Bunch of A's would have had that same effect Let me know if it's just the size of the input that is causing it to crash. Where is my sublime text? Let's just send a bunch of A's and see if that sends it So control F2 if you're actually an immunity debugger that is the hot key to restart the service Control F2 and then F9 to run it I'll go back and I'll run our script Back to it. You can see it did crash and literally filled inside of the instruction pointer is the value a Not four one four one four one. So this is interesting. This is kind of a Different twist that we haven't seen before on some binary exploitation stuff what we can do though We could still track down and figure out where the sweet spot is Where we're overriding the instruction pointer and we could still actually get it to run some shell code We can still abuse this. So let me show you how we can do that I'm gonna go ahead and create a Ciclic pattern of length 4,000 bytes. I'm gonna use Pone Ciclic to do it and looks like I need to specify What is that? Oh, it doesn't need an argument. It just needs to know How long it wants to be without that tack L. So now I've generated a 4,000 set of patterns, but Because this is all using the actual letters here and They're gonna be represented within the register as that value Not the hexadecimal representation It's gonna be much harder to track down how and where the sweet spot or the threshold or the offset is Where we actually start to clobber the instruction pointer like we want in a regular buffer overflow attack So what we can do is we can actually specify an alphabet for our cyclic pattern to use I can use that with tack a when I use the Pone tool cyclic And I'm gonna use just the netters one two three four five six seven eight nine and I'll use ABC EF Okay, now that I've created 4,000 of these things These values on their own could be used and Determined where the actual payload might be Let me use this. Let's go switch to our Our script here and let's say our cyclic pattern Can equal a byte string of all of this Because it's not gonna be interpreted in that hexadecimal way we can say we generated that with Let me go back, please to my terminal You can use this value here And let's use the cyclic pattern Rather than that long string of a's or ones instead now Restart the service run it again so we can go fire off our script A tacker dot pi we've sent it along and it has crashed And now we have a unique string This seven B137 a13. So let's take this selection Have it our clipboard and we can say where is this going to exist within that long cyclic pattern? Let's use Pone cyclic. I'll use that same alphabet. I use before ABC D E F and I'll specify where is this string within The pattern the problem is It's got to be four bytes in length, but we're using the actual Actual value in that case. So let's just use the latter most half and it could find it there at 2043 So that's gonna be our sweet spot. Let's try that. Let's see if we can actually fill up Now that we know an offset is 2043 let's specify this command is how we found that let's specify B's of a 2043 times and let's specify a new Instruction pointer. Let's use BBB and I guess we'll need to fill it with eight characters in that case So we can use that offset variable that we just created Now we don't need that cyclic pattern anymore But let's see if we actually found the right threshold in the right spot for where we're clobbering the instruction pointer Troll F2 F9 Back to our script we can go ahead and fire that off And now you can see okay, it looks like we have BBB BBB We have a few a's in there. So we'll tweak that just a little bit That's again at the very very end. So we should we should clear out those two bytes that we don't need 21 that's good Just a little trial and error to make sure okay. Are we getting the correct offset that we want? Let's run this again Run our script Now you can see okay. We have successfully Fully closed up that instruction pointer with BBB BBB So we've actually found the sweet spot as to where we are clobbering the instruction pointer Despite the fact that it's going to actually use the real value not the hexadecimal representation of it So now we can clean up our script a little bit I actually want to make sure that we include All of the bytes that we thought that we would have used to crash the service with because typically that's good practice And it actually comes in handy for us when we do this because then we'll be able to see okay Now we can move to this next technique when we're doing our exploitation Of when we're defining our payload. So I do actually want to include another buffer Simply of C's rather than a's so we kind of know where we're working with here And let's go ahead and specify that coming after the new eip and let's actually define a new eip Variable here for us. I'll just use four B's again Let me switch that to new eip and then we can go ahead and specify We'll use the total length As the number of C's that we have minus so we were subtract out everything else. We've already included in our payload So our absolute payload length Has to end up as this total value of 4000 bytes. So we remove the total length We remove the length of the kind of this prefix here. Let's actually specify that as another value Let's specify command prefix that can be that value. So we'll include that and Hope we can dynamically say the length of the command prefix minus the length of our offset Minus the length of oh actually since offset is an integer We don't need to subtract that as length It's already a number and then we can specify the length of our new eip So now we'll make sure that our payload has to equal 4000 bytes still get our offset still ruin and clobber eip. So that should work well for us. Um, let me Clear this up. So okay back to running just fine. Let's run our script And now that we've fired off that payload we can go check this out. Okay, so we have Pause the program. We've caused it to crash our instruction pointer is filled with the value that we can control now we need to be able to Potentially place in some shellcode, but how can we place in the shellcode? Where are we going to put it? Well, we should figure out where our buffer or that input that we're sending is actually Being stored in the program You might be able to notice it down here now if we're looking at the stack Because this stack pointer esp is actually being filled with the values that we're sending After our eip overwrite you can see all these c's that is our c buffer If I right click this follow in dump Scroll up just a smidge here. You can see all of our a's prior our b's being our new instruction pointer And all of the c values that we have following that so now What we can do is we can find some instruction Within the binary that will act as our new instruction pointer and we'll call that And we'll have it do something that gives us more control We'll have us jump Have the programs instruction pointer go to a location that we want to specify. In fact, we'll have it jump to esp or This address here that is being filled with our buffer That way we can control the c buffer with potentially something else potentially shellcode So let's go ahead and specify and find out how we can do that. Let's use mona to Find a jump esp instruction That's uh, so the command here is mona with an exclamation point prefix jmp to jump and then r for register and then esp So esp now, okay looks like mona would tell us and then it would hide away Uh, I see this happen a lot when that happens I just like to run mona itself with an exclamation point and then I can scroll up In the results and kind of see what it had told me to begin with after I moved through all this help file So, okay, there we go. Now we can see some entries for our jump esp instructions They're all within this, uh, dll that we have loaded because of vuln server And we can access any one of these which will come in handy for us. So let's go ahead and grab this guy Let's copy to clipboard the address And let's go back to our script now and we can say the new instruction pointer will go ahead and equal the value of this address Packaged into little endian format. So we'll use p32 from pwn tools. We have that Gone headed imported But we know we have the restriction where the bytes that we send are being interpreted as their literal value Not in their hex representation But we know they should be typically in their hex representation So what we can do is we can hex lefi or convert this packed little endian representation of the address into hex I'll do that with the benasci module. I'll import benasci and then we can go ahead and say new eip Will equal benasci dot hex lefi That value so now that we have our new eip we should be able to follow through with that within our immunity debugger So let me go back to that code here. I'll hit alt c. I'll hit control f2 So I can restart the service. I'll hit f9 so it can run I'll click into the disassembly and I'll hit control g So I can go to a position and I'll paste in the address of what we're going to set a break point on Which is that jump esp instruction? Because now we want to make sure when we send our payload when we fire off our attack script We will call that or set our instruction pointer to that So we will jump to the instruction pointer jump to esp And reach our c buffer that we know we can control So let's go ahead and actually fire this off now that we have that working script Let's run our attack script go check it out in our debugger and we can see oh We have hit our break point program is paused if I were to hit f 7 which is to step you can see okay now. We're hitting our c buffer Great. This is actually returning the int 3 Interrupt assembly instruction because it adds literally including the c's in there That's kind of bad for us But anyway, we're going to end up replacing that with shellcode We know now that we are at least inside of our c buffer. You can see it can't actually execute It's facing an interrupt command. So let's go ahead and modify this. Let's change this now Well, we can go ahead and use shellcode So we need to go ahead and create some shellcode that will call back to us So we need to know our actual ip address. I'll use ip adr Um, and I am 205. So 205.1 should be my actual ip address. So let's go ahead and let's use msf venom tag p specify payload, let's say windows reverse or I think it's shell underscore reverse tcp We'll specify our l host can equal our ip address our l port can set anything that we particularly want And we want to do something particularly interesting now because we know that this is in fact going to be interpreted as Hex or it's raw real value. We need to get it to be read in in its hex representation So I'm going to use tack f so I can specify the format that's going to print out to me And I'm going to specify hex is what we want to see Okay, so now it has spat out our shellcode. The problem is We have some null bytes in there. I kind of forgot to mention that tack b Remove bad bytes, and we certainly don't want any backslash x 00 or the hexadecimal kind of backslash x notation for that byte of a null byte So let's go ahead and remove that make sure that's not in there Okay, now we have this payload which we can go ahead and copy move into our script and let's just say shellcode Can equal all the bytes representation of that I do want to grab that syntax So we can keep track of it in our script. This is how we generated our shellcode And now we could potentially just include our shellcode Inside that c buffer, but we should include a little bit of padding We should include a buffer or kind of like a cushion for our jump Instruction to actually land safely on our shellcode Typically you do this with a knob sled or a no op and that instruction is typically backslash x 90 or nine zero and hex so what we can do because we know that we need to pass this as real bytes We're going to end up sending that as b nine zero times. Let's say a hundred. It doesn't matter How much we really use here? We just need some knob sled So we'll have no operation repeatedly repeatedly repeatedly and we will slide down that sled until we reach our shellcode So let's go ahead and include that shellcode actually. Let me specify this as a another value here Let's say knob sled I was going to say padding, but I guess we don't have to And then we can include our knob sled And our shellcode is being included in there So we'll have to subtract out our knob sled now that we're using that And we'll have to subtract out our shellcode Good enough Okay So theoretically now we should execute that reverse shell callback to us on port quad 4 Let's go ahead and see if it will work for us What I'm going to do is I'm going to restart immunity debugger Start the process I'm going to create a new shell down here where I can listen on port quad 4 And I'll fire off our script and there we go. We get a shell just like that So what we did was we Took note of the fact that this htr function was doing interesting things where it would literally read in the raw Literal value that we would pass along and not encoded into the little endian or hexadecimal representation It would still be packed. It would still be little endian, but we would need to pass along Actual hexadecimal bytes for what we were going to end up using all of our raw bytes needed to still be in that hexadecimal format So our program could actually read it and understand it now that we have our shell We could bop around actually work on that target remote system. So Okay, that's all I really wanted to showcase in this video. Thank you guys for watching. I hope you enjoyed I know this was a long one. I hope I kind of mentioned some interesting things Or uh, I guess I for those of you that are kind of advanced or used to this You've probably seen a lot of this before and me explaining every little thing might not have helped But for some of you that didn't have as much familiarity with this maybe my explanations did help So, uh, thank you guys so much for watching. I really hope you enjoyed this video. Hey, please go check out overflow's course It's really awesome beginner malware analysis. It's it's good stuff Like comment and subscribe. See you guys in discord server. See you later