This was the slide representation for my training session at OWASP Seasides 2020. This entails all the workflow for the session, but please understand that this is not a lab manual and won't entail the details of step-by-step execution of the attack. You can find my YouTube video pertaining to this session here:
https://www.youtube.com/watch?v=ZhZAKWpykTo
4. Agenda for today
● Understanding the exploitation process
○ Using Buffer Overflow to overwrite the EIP
○ Using msfVenom generated payloads
● Understanding the need for writing Windows Custom shellcode
● Writing Custom Shellcode scripts and integrating them into our POC
○ Pop a Calculator
○ Pop a Text Message with custom body
● What Next?
@shahenshah9999
14. Environment Setup
● Exploit Development: Kali
● Debugging Machine: Windows 10 and Windows 7
● Vulnerable Software: Minishare and FreeFloat FTP
● Function locator: Arwin
15. Things to keep in mind
● The shellcode we write will be OS-specific
● This technique relies on hard-coded function addresses, so it is only possible because the OS DLLs are not subject to Address Space Layout Randomization (ASLR)
● Google & MSDN are your best friends
16. What are Windows APIs?
Windows APIs are dynamic-link libraries (DLLs) that are part of the Windows
operating system. You use them to perform tasks when it is difficult to write
equivalent procedures of your own.
For example, Windows provides a function named FlashWindowEx that lets you
make the title bar for an application alternate between light and dark shades.
17. What is Windows Shellcoding?
Shellcode is basically a list of carefully crafted instructions that can be executed once the code is injected into a running application.
Windows Shellcoding is the art of writing your own custom shellcode scripts to call certain Windows API functions.
18. Why should I learn Windows Shellcoding?
● Evade msf signatures
● Get a foothold for ROP
● Prove the vulnerabilities
● Fundamentally understand how to craft parameters for Windows API calls
● Create a prototype POC
19. First let's have a look at the shellcode generated by msfvenom
● msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0A\x0D" -f c (for popping a calculator)
● msfvenom -p windows/messagebox TEXT="Pop The Box!" TITLE="B33F" -b "\x00\x0A\x0D" -f c (for popping a Message Box)
20. Let's test these payloads on both Windows 7 and Windows 10 machines
21. Okay, so it failed
The reasons for this not working:
1. Windows SmartScreen protection
2. Windows Defender detecting such naive exploit scripts
3. Windows Advanced Threat Protection matching the MSF signature against its database.
22. Is there no Vulnerability?
No, the vulnerability does exist at the application level. It is the system-level protection that stops the attacker from running remote commands on the target machine.
Explaining this to non-technical personnel would be really tough. Hence, it becomes essential to write a POC for the exploit that gets detected.
The only way to evade the signatures of the pre-existing exploit scripts is to write your own exploit script to execute commands on the target.
23. Windows API kicks in
The way your shellcode executes commands, or for that matter the way any application in the Windows OS executes any command, is by interacting with Windows API function calls. There are multiple ways to interact with Windows API function calls:
● Using PowerShell commands
● Calling the predefined C/C++ functions from your application
● Using the C# libraries when developing a Windows app
● Using VB .NET functionality in VBS
● Directly passing the shellcode to the kernel to get executed
24. Executing the Windows API function call
Here, we will be submitting the Windows API function calls through our exploit script, instead of executing scripts in PowerShell or something similar. In other words, we are writing the preloaded shellcode that Windows will execute.
25. Popping Windows Calculator
Here we start by writing our own custom shellcode. There are a series of steps to be followed before we can finally integrate our custom-created shellcode into the exploit script.
27. ASM and opcode
● When you write your own shellcode you obviously have to deal with assembly and opcode. You will need some basic knowledge of assembly, nothing too dramatic though. The main point is that your shellcode will be written in opcode. So you might have to ask yourself: how do I get the opcode for an instruction?
● Immunity Debugger does this for you. Put a breakpoint at the NOP sled of your shellcode and start writing the shellcode; Immunity will basically act as a dictionary for the shellcode 'translation'.
28. WinExec
● Before we start to do anything, we must fully understand the functionality of the WinExec function by reading its MSDN page.
● Use the Arwin binary to locate the address of the function within the DLL
31. Things to remember
● The stack grows downward, so we need to push the last argument first
● lpCmdLine contains our ASCII command, but WinExec doesn't want the ASCII itself; it wants a pointer to the ASCII string.
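To make these two points concrete, here is an added C simulation (not from the talk) of a 32-bit stack: it pushes the command string last chunk first, then uCmdShow, then the pointer to the string, and checks that the callee would find lpCmdLine at [esp+4] and uCmdShow at [esp+8]. It also counts the pushed dwords that contain one of the bad bytes from the msfvenom -b option on slide 19. STACK_BYTES and the stand-in return address are constructed values; SW_SHOWNORMAL is the real Win32 constant 1.

```c
#include <stdint.h>
#include <string.h>

#define STACK_BYTES 64       /* size of the simulated stack (constructed) */
#define SW_SHOWNORMAL 1      /* Win32 value for WinExec's uCmdShow */
static uint8_t g_stack[STACK_BYTES];
static uint32_t g_esp;       /* offset into g_stack; shrinks on every push */

/* Emulate x86 PUSH: the stack grows downward, data is stored little-endian. */
static void push_dword(uint32_t v) { g_esp -= 4; memcpy(g_stack + g_esp, &v, 4); }

/* Number of 4-byte chunks needed for cmd plus its NUL terminator. */
static size_t chunk_count(const char *cmd) { return (strlen(cmd) + 4) / 4; }

/* i-th chunk of cmd (terminator included) as a little-endian dword, NUL-padded. */
static uint32_t chunk_at(const char *cmd, size_t i) {
    size_t len = strlen(cmd) + 1;
    uint32_t v = 0;
    for (size_t k = 0; k < 4 && i * 4 + k < len; k++)
        v |= (uint32_t)(uint8_t)cmd[i * 4 + k] << (8 * k);
    return v;
}

/* Pushed dwords containing a bad byte from the msfvenom -b list (\x00 \x0A \x0D);
 * each of these cannot be a literal PUSH imm32 and needs a register trick. */
size_t count_bad_chunks(const char *cmd) {
    size_t bad = 0;
    for (size_t i = 0; i < chunk_count(cmd); i++)
        for (int k = 0; k < 4; k++) {
            uint8_t b = (uint8_t)(chunk_at(cmd, i) >> (8 * k));
            if (b == 0x00 || b == 0x0A || b == 0x0D) { bad++; break; }
        }
    return bad;
}

/* Build the stdcall frame for WinExec(lpCmdLine, uCmdShow): string last chunk
 * first, then uCmdShow (the last argument), then the pointer to the string, then
 * a stand-in return address. Returns 1 if the callee sees the intended arguments. */
int winexec_layout_ok(const char *cmd, uint32_t show) {
    size_t n = chunk_count(cmd);
    if (n * 4 + 12 > STACK_BYTES) return 0;     /* simulated stack too small */
    g_esp = STACK_BYTES;
    for (size_t i = n; i-- > 0;) push_dword(chunk_at(cmd, i));
    uint32_t lpCmdLine = g_esp;                 /* ESP now points at the string */
    push_dword(show);                           /* last argument first */
    push_dword(lpCmdLine);                      /* the pointer, not the ASCII */
    push_dword(0xDEADBEEF);                     /* what CALL would push (constructed) */
    uint32_t p, s;
    memcpy(&p, g_stack + g_esp + 4, 4);         /* [esp+4] = lpCmdLine */
    memcpy(&s, g_stack + g_esp + 8, 4);         /* [esp+8] = uCmdShow */
    return s == show && strcmp((const char *)g_stack + p, cmd) == 0;
}
```

For "calc.exe" the only offending push is the all-zero terminator chunk, which is why real shellcode zeroes a register and pushes that instead of a literal.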
32. Let's follow the same procedure for popping a Message Box