Exploiting Stack-based Buffer Overflow on Windows x64 | Step by Step explanation | Part-1

Hello Security folks, In previous article, we came to know about CPU Registers and Understanding of Structure of Stack which will help us in this article to perform Stack Buffer Overflow attack on a Windows x64 bit system so without further ado lets get started.

Note : Do not try this on a standalone computer, make sure to perform following attacks on system installed on a Hyper-V

Requirements

1. A Windows x64 bit installed on VirtualBox or VMware.
2. vulnserver — A vulnerable TCP application for Buffer Overflow Exploitation
3. Immunity Debugger — used to understand how software interacts with CPU in real-time.

Let’s get started!

Steps for Exploiting Stack Buffer Overflow:-

1. Spiking
2. Fuzzing with Python
3. Finding the offset
4. Overwriting the EIP
5. Finding Bad Characters
6. Finding the right module
7. Generating shellcode and gaining access

On Windows machine, Start the Vulnerser, which by-default runs on port 9999 and run Immunity Debugger as administrator. In Immunity Debugger, Press Ctrl + F1 and attach the vulnserver process to Immunity Debugger in order to understand how it interacts with CPU and further exploitation. Connect to the vulnserver on kali by using netcat

nc <IP> 9999

1. Spiking

Spike is protocol stress tests. it is same as fuzzing. The difference is that spiking send only garbage data with the aim of bringing down the security features of the system, while fuzzing is intended to get some useful information out of the data it sends. Here, we will use spiking for finding the vulnerable point in application. Here, I already know the vulnerable point is TRUN but you are supposed to test every point as you haven't performed attack before. We will use spiking script in combination with a Linux tool called generic_send_tcp on Linux side. On Windows side, we will use Immunity Debugger to understand what is happening in the memory. I have written the following spiking script called spike.spk to send garbage data to vulnserver.exe buffer.

Edited in CarbonNow

On Linux side, I execute the spiking script in generic_send_tcp. Here is the output I got.

After executing the script, I realized that at some point it could not connect to the target. I went in windows and check what was going on in Immunity Debugger. I saw the Access violation notification in Immunity Debugger.

Access violation means that we have overwritten the EIP, EBP and ESP parts of the memory and can perform any buffer overflow from now on.

2. Fuzzing

Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.

I wrote a python script called fuzzer.py to send data to vulnserver.exe TCP server.

Edited in CarbonNow

The program sends a bunch of A until it overflows the buffer. The difference with the spiking script is the python script will tell us how many bytes crashes vulnserver.exe TCP server. I executed the program, it had overflown the buffer. Here is the output.

3.Findind the Offset

we used a fuzzing script to find an approximate byte size where the vulnserver.exe process crashed. Previously the buffer overflowed with 2200 bytes Now, we need to find the offset where the EIP was overwritten. To achieve this, we need to generate a unique pattern using the Metasploit module. We will generate the pattern based on the result we got from the previous fuzzing process.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <value you got from fuzzer scrpit>

In our case, It will be 2200

Now place the output characters in Buffer variable in our python script.

Edited with CarbonNow

Now after we execute the script, the buffer overflowed. We can see Access Violation and EIP value in Immunity Debugger. The overwritten value of the EIP is 386F4337

Now, we are going to use another Metasploit module to find the exact match for our offset. We will get the offset based on the value of EIP and the length of pattern which was generated previously.

As we can see in the screenshot above, we managed to find the exact match for our offset at 2003 bytes. Now it’s time to overwrite the EIP.

4. Overwriting the EIP

We need to overwrite the EIP. It means that there are 2003 bytes right before we get to the EIP. To overwrite the EIP, we need 2003 bytes to get to EIP plus 4 bytes because the EIP size is 4 bytes.

So we will edit our python script in a way that it will send 2003 bytes of A to reach the EIP and 4 bytes of B to overwrite the EIP.

Edit in the python script:

change buffer variable value to

buffer = “A” * 2003 + “B” * 4

After executing the script, Check Immunity Debugger to examine the output. We can see that EBP is filled out with A’s (41414141) and the EIP with all B’s (42424242).

Now we can send a malicious shell code to infect our target computer and gain reverse shell access via vulnserver.exe buffer.

I will be writing the further steps in next article as this one is already too lengthy. Please do let me know if you are stuck in any step.

Thanks :)

LinkedIn : www.linkedin.com/in/tejas-kand