Windows 10 Exploit Development Setup - Vulnserver Walkthrough Part 1


Intro

Lately I have been getting more into exploit development as I needed a bit of a break from the more typical Red Team skills. Exploitation experience would help me bring more to the red teams I perform, so I wanted to start learning.

For this series of blog posts I aim to exploit the various functions within Vulnserver using a variety of Windows exploitation techniques. Typically this is done on an old 32-bit box such as Windows 7 or XP. I like this approach in general for learning things as a beginner, but I always felt it created a bit of a barrier when moving exploits into modern Windows environments. Because of this, I will be doing them all (I plan to, anyway) on a Windows 10 x64 machine.

At the start all exploit protections will be turned off for vulnserver on the Windows 10 machine. This is so that I can learn the basics without having to bypass a bunch of stuff Windows 10 does to protect binaries. After I have exploited the vulnserver mechanisms, I aim to turn on the various Windows 10 protections one by one and see what they do, and see how they can be bypassed (if I can figure it out).

Currently I have no idea if this is going to be doable at my knowledge level, but I wanted to learn more about Windows 10 protections, and finding bypasses and clear information on how they work can be difficult.

Setting Up the OS

I am going to be using Commando-VM. This project is super handy for installing a bunch of tools, making Windows more lightweight in general and disabling AV. This is optional and at your own risk: the installation can take forever and can be a pain. If you do it, then I recommend changing the install config so that it only gets the tools you want (WinDBG, Ghidra, Metasploit, VSCode, Unix tools, Git, Python2, Python3, ncat).

Whether you use Commando or not, you will want to disable AV. I typically just add exceptions for folders such as my home folder, since AV will turn itself back on and you don't want it wiping Metasploit or something and ruining your flow.

Setting Up VulnServer

VulnServer is a piece of vulnerable software developed in C for Windows. The purpose of this software is to be owned in various ways. More about it can be found here.

You can download it by using git clone.

git clone https://github.com/stephenbradshaw/vulnserver.git

You can then run it using the following.

cd vulnserver
.\vulnserver.exe <port>

This will start it on port 9999 if no port number is provided.

Disabling Protections

In Windows 10, open the Start menu search and search for Exploit protection. This brings up the settings page for managing exploit protection.

Go into the Program Settings tab and hit the Add program to customise button.

Click Choose exact file path and then select the vulnserver.exe that you downloaded.

With this selected, turn off all of the protections for it.

This will allow us to exploit the vulnserver without having to worry about ASLR, DEP, CFG etc at the start. We will come to that later ;)

WinDBG

If you are using Commando you can just use choco install windbg.fireeye, windbg.pykd.flare (you can find the package names here). With WinDBG and PyKd installed, to finish the mona setup you only need to download the relevant Python scripts (mona.py and windbglib.py).

Otherwise, WinDBG can be downloaded and installed with the following steps:

  • Download the Windows 10 SDK from https://developer.microsoft.com/windows/downloads/windows-10-sdk (It might be a good idea not to install the very latest version. You can get an older version from https://developer.microsoft.com/en-us/windows/downloads/sdk-archive - for instance version 10.0.17763.0)
  • Launch the installer with administrator privileges (right-click on the file and choose ‘Run as administrator’)
  • During installation, only select “Debugging tools for Windows”. Deselect the other options
  • Install in the default path. (C:\Program Files (x86)\Windows Kits\10\Debuggers…)
  • Create a new system environment variable called _NT_SYMBOL_PATH
  • Set the value of this new variable to srv*c:\symbols*http://msdl.microsoft.com/download/symbols (Make sure there are no spaces before & after)

The Lord and Saviour Mona

Mona is an exploitation framework that is hugely helpful and does a lot of the heavy lifting for us. It will be invaluable. It was originally designed for Immunity Debugger, but there is a WinDBG port which can be downloaded with the following steps:

  • Download pykd.zip from https://github.com/corelan/windbglib/raw/master/pykd/pykd.zip to a temporary location on your computer
  • Extract the archive. You should get 2 files: pykd.pyd and vcredist_x86.exe
  • Check the properties of both files and “Unblock” the files if necessary.
  • Run vcredist_x86.exe with administrator privileges and accept the default values.
  • Copy pykd.pyd to C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\winext
  • Open a command prompt with administrator privileges and run the following commands:
cd "C:\Program Files (x86)\Common Files\Microsoft Shared\VC"
regsvr32 msdia90.dll

(You should get a messagebox indicating that the dll was registered successfully)

NOTE: The Python files (mona.py and windbglib.py) go one directory above where you saved pykd.pyd, i.e. in the x86 folder rather than in x86\winext.

Python

For Mona to work you will need a 32-bit build of Python 2.7.14 (or higher) on your system and in your PATH. To do this follow these steps:

  • Download the latest 32bit version of python 2.7.x from https://python.org (I got 2.7.18) and install it.
  • Make sure to use the default installation folder (C:\Python27) and verify once again that you are installing the 32bit version.

For scripting up my exploits I will be using Python 3, because tool development is dwindling on Python 2 and it makes packages a pain. To do this I downloaded a Python 3 installer from the python.org link above and installed it, making sure to tick the box that adds it to my PATH.

You should now be able to open a prompt and type python --version and have it show Python 2.7.18, while py --version should show Python 3.

BooFuzz

For fuzzing I will be using the BooFuzz framework. I installed it using pip3 (wheel is not mandatory, but I was hitting issues with the install method pip falls back to without it).

pip3 install wheel
pip3 install boofuzz

You should now be able to import boofuzz in python3 without errors.
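As an added check script (not part of the original post, and not from the vulnserver, mona or boofuzz projects), the following Python 3 script verifies the pieces set up in the WinDBG, Mona, Python and BooFuzz sections above: that _NT_SYMBOL_PATH has the srv*cache*server shape with no surrounding spaces, that pykd.pyd is in x86\winext with mona.py and windbglib.py one directory above it, that the python on your PATH is a 32-bit 2.7 build, and that boofuzz imports. The install paths are the defaults quoted in the post; the probe one-liner and the function names are my own.

```python
"""Sanity-check the tooling from this walkthrough. Run under Python 3: py check_setup.py"""
import importlib.util
import os
import subprocess
import sys
from pathlib import Path, PureWindowsPath

# Default paths as given in the walkthrough; change them if you installed elsewhere.
DEBUGGERS_X86 = PureWindowsPath(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86")
PYKD_PATH = DEBUGGERS_X86 / "winext" / "pykd.pyd"

# One-liner we run under the `python` found on PATH (mona needs a 32-bit 2.7 there).
# It prints: <major> <minor> <pointer size in bytes>; pointer size 4 means 32-bit.
PROBE = "import struct,sys;print(sys.version_info[0],sys.version_info[1],struct.calcsize('P'))"


def symbol_path_ok(value):
    """_NT_SYMBOL_PATH must look like srv*<local cache>*<symbol server> with no
    leading or trailing spaces, otherwise WinDBG will not resolve symbols."""
    if not value or value != value.strip():
        return False
    parts = value.split("*")
    return len(parts) == 3 and parts[0].lower() == "srv" and parts[2].lower().startswith("http")


def mona_dir_for(pykd_path):
    """mona.py and windbglib.py live one directory above pykd.pyd (winext -> x86)."""
    return str(PureWindowsPath(pykd_path).parent.parent)


def parse_probe(output):
    """Turn the probe output '2 7 4' into {'is_2_7': ..., 'is_32bit': ...}."""
    major, minor, ptr = (int(x) for x in output.split())
    return {"is_2_7": (major, minor) == (2, 7), "is_32bit": ptr == 4}


def probe_python(exe="python"):
    """Ask whatever `exe` resolves to on PATH which version and bitness it is."""
    out = subprocess.run([exe, "-c", PROBE], capture_output=True, text=True, check=True).stdout
    return parse_probe(out)


def run_checks(env=None):
    """Run every check against this machine and return {check name: passed}."""
    env = os.environ if env is None else env
    mona_dir = Path(mona_dir_for(PYKD_PATH))
    results = {
        "this_script_runs_under_python3": sys.version_info[0] == 3,
        "symbol_path_ok": symbol_path_ok(env.get("_NT_SYMBOL_PATH")),
        "pykd_present": Path(str(PYKD_PATH)).is_file(),
        "mona_present": all((mona_dir / f).is_file() for f in ("mona.py", "windbglib.py")),
        "boofuzz_importable": importlib.util.find_spec("boofuzz") is not None,
    }
    try:
        results.update({"python_on_path_" + k: v for k, v in probe_python().items()})
    except (OSError, subprocess.CalledProcessError):
        # No `python` on PATH, or it could not run the probe.
        results["python_on_path_is_2_7"] = results["python_on_path_is_32bit"] = False
    return results


if __name__ == "__main__":
    checks = run_checks()
    for name, ok in checks.items():
        print(("OK   " if ok else "FAIL ") + name)
    sys.exit(0 if all(checks.values()) else 1)
```

Run it with py so the script itself is Python 3 while it probes the Python 2.7 that python resolves to; a FAIL on python_on_path_is_32bit is the classic reason mona refuses to load.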

Telnet / Netcat

For interacting with vulnserver you will need something like netcat or Telnet. Telnet is nice to install on Windows, but I do get issues when interacting with vulnserver using telnet, for unknown reasons. If you have Commando, then ncat can be installed with choco install ncat.flare.

If you are not running Commando then you can get ncat by downloading the Nmap Windows installer (which bundles ncat for you) from https://nmap.org/download.html. After this is downloaded and installed you should be able to run it like below:

ncat 127.0.0.1 9999

Telnet works well on Windows in general and won’t hit AV issues or anything. On Windows, Telnet is no longer installed by default, but it is there, it just needs to be enabled. That can be done with the following command:

dism /online /Enable-Feature /FeatureName:TelnetClient

After this you should be able to run Telnet and be taken to a telnet prompt. For connecting with vulnserver an example would be:

telnet 127.0.0.1 9999
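Since the exploit scripts later in this series will be written in Python 3, here is the same exchange that ncat or telnet give you, scripted: connect, read the banner, send one command, read the reply. This is an added example, not code from the original post or from vulnserver. So it can be run without the real binary, it includes a constructed stand-in server; its banner and HELP text are assumptions, not copied from vulnserver, and the real server may word them differently. Against the real thing, only send_command is needed, pointed at port 9999 as the post describes.

```python
import socket
import socketserver
import threading

# Constructed stand-in for vulnserver so the script can be exercised offline.
# These strings are assumptions, not vulnserver's real output.
FAKE_BANNER = b"Welcome to Vulnerable Server! Enter HELP for help.\n"
FAKE_HELP_REPLY = b"Valid Commands:\nHELP\nSTATS [stat_value]\nEXIT\n"
FAKE_UNKNOWN_REPLY = b"UNKNOWN COMMAND\n"


def send_command(host, port, command, timeout=3.0):
    """Connect, read the banner, send one text command, return (banner, reply).

    This is what you do by hand with `ncat 127.0.0.1 9999`. vulnserver speaks
    plain ASCII lines, so encode explicitly and terminate with CRLF, the same
    line ending telnet sends.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(4096)
        sock.sendall(command.encode("ascii") + b"\r\n")
        reply = sock.recv(4096)
    return banner, reply


class _FakeVulnHandler(socketserver.StreamRequestHandler):
    """Minimal line-oriented server: send banner, read one command, send one reply."""

    def handle(self):
        self.wfile.write(FAKE_BANNER)
        line = self.rfile.readline().strip()
        if line.upper().startswith(b"HELP"):
            self.wfile.write(FAKE_HELP_REPLY)
        else:
            self.wfile.write(FAKE_UNKNOWN_REPLY)


def start_fake_server(host="127.0.0.1"):
    """Bind the stand-in on an ephemeral port and serve it in a background thread."""
    server = socketserver.TCPServer((host, 0), _FakeVulnHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo_exchange(command="HELP"):
    """Run one command against the stand-in and return (banner, reply)."""
    server = start_fake_server()
    try:
        host, port = server.server_address
        return send_command(host, port, command)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    banner, reply = demo_exchange("HELP")
    print(banner.decode(), reply.decode(), sep="")
    # Against the real binary, with vulnserver.exe listening on 9999 as in the post:
    # banner, reply = send_command("127.0.0.1", 9999, "HELP")
```

The explicit .encode("ascii") and the timeout are the two things worth carrying into later scripts: Python 3 will refuse to send a str, and a hung recv with no timeout is the usual symptom of a crashed target.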

IDE

You will want an IDE or editor for writing your exploit scripts. I prefer Visual Studio Code, which can be downloaded from https://code.visualstudio.com/download. It is up to you though; any text editor you can write code in will be fine.

If you do go with VSCode, I recommend installing some Python3 extensions and making Python3 your interpreter so that when you run code in VSCode it is Python3 and not Python2 (which we only have for mona to run).

Metasploit

We will need Metasploit for making our shellcode (well, not need, but it makes life a lot easier). This can be downloaded for Windows 10 64-bit from https://www.metasploit.com/download.

Before doing this make sure all anti-virus is turned off!

If you have Commando this can all be done with choco install metasploit.flare.

Check that you can run MSFvenom to ensure you have what you need.

msfvenom.exe -h

Making Quality of Life Changes for WinDBG

Now you have all the tools you need, open WinDBG x86 and attach it to any process (for example run vulnserver.exe and then go into File > Attach > vulnserver.exe).

Once attached enter the following in the command box within WinDBG (in the bottom left).

.load pykd.pyd
!py mona

With all the changes we have made, this should work. If it doesn’t, make sure you have followed the mona and Python installation steps carefully.

Now let’s change the mona working directory, as by default it puts logs next to windbg.exe, which makes them a pain in the arse to find and navigate to.

!py mona config -set workingfolder C:\monalogs\%p_%i

This will save all log files to C:\monalogs\processname_processpid, so for example C:\monalogs\vulnserver_1337.

Then close WinDBG, right-click on its icon (on the desktop for me) and hit Properties. In the Target field add -c ".load pykd.pyd". This makes WinDBG load pykd automatically at startup, so you don’t need to remember that first step, which is nice. Within Properties, the Target should now look like:

"C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\windbg.exe" -c ".load pykd.pyd"

Summary

Hopefully you have followed the steps and have it all working.

You should be able to launch vulnserver, attach WinDBG to it, run mona, write python code for exploits, import boofuzz for fuzzing and use MSFVenom to generate shellcode.

In the next post I will start covering the first exploit.

Issues?

If you have issues with this setup, please look at the following resources that helped me: