For my first pentesting certification exam I have to prepare the virtual lab in order to locally analyze a vulnerable binary and build a BOF exploit, which I then have to use against a remote target machine. As far as I know I will not have any access on the target host except the vulnerable service. So it won't be possible to analyze the program on the target machine, as in the labs and the BOF exam prep course of TryHackMe. I will have to set up my own local target machine, run the binary there, analyze it, prepare the exploit and run it against the remote target machine.
Now I am facing multiple problems while setting up my local virtual test environment.
I installed both a Windows 7 32-bit and a Windows 10 32-bit virtual machine. On both machines I installed Python 2.7.1, Immunity Debugger and mona.py. On Windows 7 there was no Defender running; on Windows 10 I disabled Defender real-time protection.
Afterwards I uploaded the binary to both machines and went through the standard process of building an OSCP-level stack-based BOF-exploit:
- Crashing the program with a fuzzer
- Identify the offset to the return address
- Identify bad characters
Next, I wanted to use mona.py to find a JMP ESP instruction (or something similar) as I always did in the labs. Now the problems started. mona.py returned 0 pointers when I entered the following command:
!mona jmp -r esp -cpb "\x00\x0a\x0d"
Usually (in the labs I did) I got a list of possible JMP ESP commands with the memory addresses. But in my own environment I got the following mona-output:
0BADF00D !mona jmp -r esp -cpb "\x00\x0a\x0d"
---------- Mona command started on 2022-07-16 17:59:06 (v2.0, rev 616) ----------
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D - Bad char filter will be applied to pointers : "\x00\x0a\x0d"
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D [+] Querying 1 modules
0BADF00D - Querying module 32bitftp.exe
6ED20000 Modules C:\Windows\System32\rasadhlp.dll
0BADF00D - Search complete, processing results
0BADF00D [+] Preparing output file 'jmp.txt'
0BADF00D - (Re)setting logfile jmp.txt
0BADF00D Found a total of 0 pointers
0BADF00D
0BADF00D [+] This mona.py action took 0:00:03.265000
I recognized that only one module (32bitftp.exe) has been queried. In the course lab, many more (system) modules were queried. So I asked myself why and used the
!mona modules
command to check the modules. I got the following output:
0BADF00D !mona modules
---------- Mona command started on 2022-07-16 18:04:03 (v2.0, rev 616) ----------
0BADF00D [+] Processing arguments and criteria
0BADF00D - Pointer access level : X
0BADF00D [+] Generating module info table, hang on...
0BADF00D - Processing modules
0BADF00D - Done. Let's rock 'n roll.
0BADF00D -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D Module info :
0BADF00D -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D 0x74ef0000 | 0x75010000 | 0x00120000 | True | True | True | False | True | 10.0.19041.789 [ucrtbase.dll] (C:\Windows\System32\ucrtbase.dll)
0BADF00D 0x715a0000 | 0x715b6000 | 0x00016000 | True | True | True | False | True | 10.0.19041.1151 [NLAapi.dll] (C:\Windows\system32\NLAapi.dll)
0BADF00D 0x74e70000 | 0x74eeb000 | 0x0007b000 | True | True | True | False | True | 10.0.19041.789 [msvcp_win.dll] (C:\Windows\System32\msvcp_win.dll)
0BADF00D 0x72ee0000 | 0x72f7f000 | 0x0009f000 | True | True | True | False | True | 10.0.19041.1 [apphelp.dll] (C:\Windows\SYSTEM32\apphelp.dll)
0BADF00D 0x74480000 | 0x74511000 | 0x00091000 | True | True | True | False | True | 10.0.19041.1 [DNSAPI.dll] (C:\Windows\SYSTEM32\DNSAPI.dll)
0BADF00D 0x760f0000 | 0x761af000 | 0x000bf000 | True | True | True | False | True | 7.0.19041.546 [msvcrt.dll] (C:\Windows\System32\msvcrt.dll)
0BADF00D 0x72880000 | 0x72afe000 | 0x0027e000 | True | True | True | False | True | 10.0.19041.546 [CoreUIComponents.dll] (C:\Windows\System32\CoreUIComponents.dll)
0BADF00D 0x76ef0000 | 0x7708e000 | 0x0019e000 | True | True | True | False | True | 10.0.19041.1023 [ntdll.dll] (C:\Windows\SYSTEM32\ntdll.dll)
0BADF00D 0x68df0000 | 0x68e06000 | 0x00016000 | True | True | True | False | True | 10.0.19041.1 [pnrpnsp.dll] (C:\Windows\system32\pnrpnsp.dll)
0BADF00D 0x640b0000 | 0x640c0000 | 0x00010000 | True | True | True | False | True | 10.0.19041.546 [wshbth.dll] (C:\Windows\system32\wshbth.dll)
[...]
Every module has ASLR, Rebase, SafeSEH enabled. I have some basic knowledge about these security mechanisms but I'm pretty sure the exam will not require me to bypass them. In the labs, there have always been modules with ASLR, Rebase and SafeSEH disabled. So I came to the conclusion that mona.py didn't show me a result because these mechanisms are running.
My next idea was of course that I should turn off ASLR and DEP on my local Windows machines. After some research, I found out that on Windows 7 DEP can be disabled with the following command:
bcdedit.exe /set {current} nx AlwaysOff
and ASLR can be disabled by using regedit to set a new 32-bit DWORD value "MoveImages" under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]. After a reboot ASLR should be disabled.
But it's not! If I use
!mona modules
after the reboot, the output stays the same. Still, all security mechanisms (including ASLR) are turned on. After some further research I was not able to find a way to disable it in Windows 7.
So I tried it on Windows 10. Here I did not have to create a new registry key. DEP and ASLR could be disabled under "Windows Security -> App and Browser Control -> Exploit Protection". After a reboot, the mechanisms should be disabled. But again: they are not!
If I load the program into ImmunityDebugger and use
!mona modules
to show the modules, the table is still unchanged, showing that all system modules have ASLR turned on.
Of course I was able to get a JMP ESP instruction from kernel32.dll for example with the following command:
!mona jmp -r esp -cpb "\x00\x0a\x0d" -m kernel32.dll
If I use it to exploit the BOF while the local Windows 7/10 system is still running, that works fine. But after a reboot, the system modules' addresses have changed, thanks to ASLR, and the addresses won't work anymore.
And of course, if I use the exploit against the remote target system, the exploit will fail.
So my questions are:
- What am I doing wrong? (Maybe I think in the wrong way)
- How can I really disable ASLR and DEP on Windows 7/10 systems?
- In the exam, how can I know which modules on the remote target server have ASLR turned on? Even if I manage to turn off my local ASLR, it might be that I'm unlucky and pick a module that has ASLR turned on on the remote target host...
Since my exam is not far away anymore, I would be very, very happy if someone could help me out with this. Anyway, thanks so much for taking the time to read all this until here :)
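An added example, not part of the question above and not mona's own code: a Python 3 script that reads the DllCharacteristics word from a PE file's optional header and reports the mitigations the image opts in to. The ASLR and NXCompat columns in mona's module table are derived from exactly these header bits (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE and IMAGE_DLLCHARACTERISTICS_NX_COMPAT), i.e. from whether each module was linked with the mitigation, not from the OS-wide Exploit Protection or bcdedit setting, which is why the table looks identical after a reboot. The script lets you audit any module directly; the sample images produced by build_minimal_pe are constructed header-only stubs, and all function names here are my own.

```python
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification
DYNAMIC_BASE    = 0x0040   # image opts in to ASLR (mona's "ASLR" column)
NX_COMPAT       = 0x0100   # image opts in to DEP (mona's "NXCompat" column)
NO_SEH          = 0x0400   # image declares that it uses no SEH handlers
HIGH_ENTROPY_VA = 0x0020   # 64-bit images: high-entropy ASLR

OPTIONAL_HEADER_SIZE = {0x10B: 224, 0x20B: 240}   # PE32 / PE32+ standard sizes


def read_dll_characteristics(image):
    """Return the DllCharacteristics word of a PE image given as bytes."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 60)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte COFF file header, then the optional header
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in OPTIONAL_HEADER_SIZE:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    return struct.unpack_from("<H", image, opt + 70)[0]


def hardening_report(image):
    """Map the flag bits to the mitigations the module opted in to."""
    dc = read_dll_characteristics(image)
    return {
        "ASLR": bool(dc & DYNAMIC_BASE),
        "NXCompat": bool(dc & NX_COMPAT),
        "NoSEH": bool(dc & NO_SEH),
        "HighEntropyVA": bool(dc & HIGH_ENTROPY_VA),
    }


def build_minimal_pe(dll_characteristics, pe32plus=False):
    """Constructed header-only PE image used as sample input (not a real module)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)          # e_lfanew: PE signature right after the DOS header
    magic = 0x20B if pe32plus else 0x10B
    opt_size = OPTIONAL_HEADER_SIZE[magic]
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x014C,  # Machine: x64 or i386
                       0, 0, 0, 0,                      # sections, timestamp, symtab, nsyms
                       opt_size,                        # SizeOfOptionalHeader
                       0x2102)                          # Characteristics: executable, DLL, 32-bit aware
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # audit a real file, e.g.: python pe_mitigations.py C:\Windows\System32\ntdll.dll
        with open(sys.argv[1], "rb") as f:
            print(hardening_report(f.read()))
    else:
        # no path given: run against the constructed samples
        print("hardened  :", hardening_report(build_minimal_pe(DYNAMIC_BASE | NX_COMPAT)))
        print("unhardened:", hardening_report(build_minimal_pe(0)))
```

Running it against the Windows 10 system DLLs from the table above would report ASLR and NXCompat as True for every one of them, matching mona, because Microsoft links them that way; the host setting only decides whether the loader honours or forces the flag, it does not rewrite the header the debugger reads. The script does not reproduce mona's SafeSEH column, which comes from the Load Config directory, nor its Rebase column, which depends on the module's current load address.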