Buffer Overflow -BRAINPAN | Riha Maheshwari

Published in Lucideus securityresearch · 7 min read · Feb 22, 2019

Hi Techmates! Brainpan is a vulnerable virtual machine designed for people who are preparing for the OSCP or who want to practise exploiting a buffer overflow vulnerability. This blog will take you through exploiting Brainpan step by step.

Setting up the Virtual Machine:

  • Download the ZIP file “brainpan.zip”.
  • Extract the file in a folder.
  • Import the “brainpan.ova” file in VirtualBox or VMware.
  • The network connectivity is set to Bridged by default. You can change it according to your requirements; if you are not sure, do not change the default setting.
  • Start the imported VM in VirtualBox/VMware.

Attacker’s IP — 192.168.43.204

Victim’s IP (Brainpan) — discovered in Step 1

Exploiting Brainpan:

Step 1: Discovering the IP Address

  • Discover the active hosts in the network using either:
    • Nmap — nmap 192.168.43.1/24
    • Netdiscover — netdiscover
  • The Brainpan VM is running on 192.168.43.205.

Step 2: Scanning

  • Nmap — nmap -sC -sV -vv -Pn -p 1-65535 192.168.43.205

We have two TCP ports open: 9999 (reported by nmap as “abyss”, the name from its service table) and 10000 (http).

  • Nikto — nikto -h 192.168.43.205 -p 10000

Step 3: Browse http://192.168.43.205:10000/. Checking the source code of the given page also doesn’t reveal much information.

Step 4: Run a directory brute-force scan with dirb — dirb http://192.168.43.205:10000/

Step 5: Here is what’s seen when connecting to 192.168.43.205:9999 using netcat:

nc 192.168.43.205 9999

Step 6: Try entering any password; it shows “access denied”.

Step 7: Browse http://192.168.43.205:10000/bin. We can see a “brainpan.exe” file, which is a Windows executable.

Step 8: Let us check this file using “file” command.

Step 9: Let us check the file using the “strings” command — strings brainpan.exe. Let us take a look at the functions the executable imports.

Since the application uses functions like socket, send, bind, recv, listen and accept, we can tell that it is a network server application. Functions like strcmp, strlen, printf and strcpy are also used. strcpy is the important one: it copies until it finds a NUL byte and never checks the size of the destination, so input longer than the destination buffer overwrites adjacent stack memory. That is the classic buffer overflow defect.
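To make the strcpy defect concrete, here is an added illustration in C. It is not code from brainpan.exe (whose source is not on this page): the buffer size, the expected string, the function names and the 1000-byte input are all constructed assumptions for the demo. It places the unchecked copy the strings output suggests beside a bounded version that rejects oversized input before anything is written, and it shows how far a 1000-byte input would spill past a 64-byte buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values: the real buffer size and expected string in brainpan.exe
 * are not on the page, so these are constructed for the demonstration. */
#define PASSWORD_BUF 64
static const char EXPECTED[] = "example-secret";

/* Unsafe shape suggested by the imported functions: a fixed stack buffer
 * filled with strcpy() from whatever arrived on the socket. strcpy() stops
 * only at a NUL byte, so input of PASSWORD_BUF bytes or more writes past
 * buf into the saved frame pointer and return address (what the walkthrough
 * observes as EIP = 41414141). Kept for contrast only; never call it with
 * untrusted input. */
static int check_password_unsafe(const char *input) {
    char buf[PASSWORD_BUF];
    strcpy(buf, input);            /* no bound on the copy: the defect */
    return strcmp(buf, EXPECTED) == 0;
}

/* Hardened shape: oversized input is rejected before any write, the copy is
 * bounded by the destination size, and the buffer is always NUL-terminated.
 * Returns 1 on match, 0 on mismatch, -1 when the input was rejected. */
static int check_password_safe(const char *input, size_t input_len) {
    char buf[PASSWORD_BUF];
    if (input_len >= sizeof buf)   /* leave room for the terminator */
        return -1;
    memcpy(buf, input, input_len);
    buf[input_len] = '\0';
    return strcmp(buf, EXPECTED) == 0 ? 1 : 0;
}

/* Reasoning a code reviewer can do without a debugger: how many bytes of an
 * input of the given length would land beyond the buffer with strcpy()? */
static size_t overflow_bytes(size_t input_len) {
    size_t needed = input_len + 1;     /* payload plus NUL terminator */
    return needed > PASSWORD_BUF ? needed - PASSWORD_BUF : 0;
}

/* Constructed input mirroring the walkthrough's first crash test: n bytes
 * of 'A'. Returns the hardened check's verdict for it (-1 = rejected). */
static int verdict_for_a_run(size_t n) {
    char *payload = malloc(n + 1);
    if (!payload) return -1;
    memset(payload, 'A', n);
    payload[n] = '\0';
    int verdict = check_password_safe(payload, n);
    free(payload);
    return verdict;
}

int main(void) {
    printf("1000 'A's: %zu bytes would spill past a %d-byte buffer\n",
           overflow_bytes(1000), PASSWORD_BUF);
    printf("hardened check on 1000 'A's: %d (expect -1 = rejected)\n",
           verdict_for_a_run(1000));
    printf("hardened check on the expected string: %d\n",
           check_password_safe(EXPECTED, strlen(EXPECTED)));
    printf("unsafe check on a short string: %d\n",
           check_password_unsafe("short"));
    /* check_password_unsafe() on the 1000-byte payload is deliberately not
     * called: it would corrupt this program's own stack as the post describes. */
    return 0;
}
```

The design choice worth noting is that the hardened version takes the length as an explicit parameter, exactly what recv() already returns, so the check does not depend on the attacker's data containing a NUL byte at all.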

Step 10: Install Immunity Debugger on a Windows machine and copy the executable over. Click on File → Open → brainpan.exe. Press F9 or click on Run.

Step 11: We can see the service running on port 9999 and the function ‘strcpy’ that is vulnerable to a buffer overflow attack. Let us write a simple attacker’s script to see if we can crash the application. The following Python script will connect to the service and send 1000 “A”s to it:

Step 12: Save the file as exploit_brainpan.py. Executing the exploit from Kali linux — python exploit_brainpan.py.

Step 13: As soon as the payload is sent you notice that the EIP has been overwritten with 41414141 i.e. “AAAA” in Immunity Debugger.

Step 14: Thus, EIP has been successfully overwritten with A’s (0x41). The next step is to determine after how many bytes EIP is overwritten. We will be using pattern_create and pattern_offset from the Metasploit Framework. To create a pattern, go to /usr/share/metasploit-framework/tools/exploit/ and type the given command:

Step 15: We will take this pattern and replace the 1000 “A”s in our exploit with this entire pattern, so our exploit now looks like:

Step 16: Execute the script. Executing the program we see that the EIP is overwritten with 35724134.

Step 17: Let us check the pattern_offset using metasploit framework. Type the given command in the terminal.
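Steps 14 to 17 rely on a property of the pattern that the post does not spell out: every 4-byte window of the “Aa0Aa1…” sequence is unique, so the single register value seen at the crash maps back to exactly one position. As an added illustration in C (not the Metasploit tool’s own code, which is Ruby), here is the same generator and offset lookup applied to the post’s own values, the 1000-byte pattern and EIP 35724134; the function names and the MAX_PATTERN bound are my assumptions. It also shows the byte-order point the post makes later: the debugger prints the register as a big-endian number, but it was loaded from little-endian stack memory, so the bytes in pattern order are 34 41 72 35, i.e. “4Ar5”.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Longest pattern before 3-byte groups start to repeat: 26 * 26 * 10 groups. */
#define MAX_PATTERN (26 * 26 * 10 * 3)

/* Build the cyclic pattern "Aa0Aa1Aa2...Aa9Ab0...": upper-case letter,
 * lower-case letter, digit, with the digit cycling fastest. Writes at most
 * len bytes plus a NUL terminator; out must hold len + 1 bytes.
 * Returns the number of pattern bytes written. */
static size_t make_pattern(char *out, size_t len) {
    size_t n = 0;
    if (len > MAX_PATTERN) len = MAX_PATTERN;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                char group[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = group[i];
            }
    out[n] = '\0';
    return n;
}

/* Map a crashed EIP value back to its position in a pattern of the given
 * length, which is what pattern_offset does. The register value is decoded
 * lowest byte first because x86 is little-endian. Returns -1 when the value
 * did not come from the pattern (for example 41414141, four identical bytes,
 * which the pattern never contains). */
static long pattern_offset(uint32_t eip, size_t len) {
    static char pattern[MAX_PATTERN + 1];
    char needle[5];
    for (int i = 0; i < 4; i++) {
        needle[i] = (char)((eip >> (8 * i)) & 0xff);   /* little-endian order */
        if (needle[i] == '\0') return -1;              /* a NUL is never a pattern byte */
    }
    needle[4] = '\0';
    make_pattern(pattern, len);
    const char *hit = strstr(pattern, needle);
    return hit ? (long)(hit - pattern) : -1;
}

int main(void) {
    /* Values from the walkthrough: a 1000-byte pattern and EIP = 35724134. */
    printf("offset of EIP 0x35724134 in a 1000-byte pattern: %ld\n",
           pattern_offset(0x35724134u, 1000));
    /* The first crash, EIP = 41414141, carries no position information. */
    printf("offset of EIP 0x41414141: %ld\n",
           pattern_offset(0x41414141u, 1000));
    return 0;
}
```

The lookup returns 524 for the post’s value: bytes 524 to 527 of the pattern are the ‘4’ that ends the group “Ar4” followed by “Ar5”, so 524 bytes of padding are followed by the four bytes that land in EIP, which is what Step 18’s updated script relies on.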

Step 18: The updated attacker’s code will look like:

Step 19: Execute the script. You will notice that the EIP gets overwritten with 42424242 i.e. BBBB.

Step 20: Now we need to overwrite EIP with the address of a JMP ESP. So we need to find an instruction like jmp esp, call esp, or push esp; ret.

Go to View → Executable Modules and select the file brainpan.exe, for which SafeSEH and ASLR are both set to False. Because the module is loaded at a fixed address, a jmp esp found inside it has a stable address that can be placed in EIP to make execution jump to our shellcode on the stack.

Step 21: Right-click and choose Search → Command.

Step 22: Enter the command JMP ESP and click on Find. You will notice a JMP ESP at address 0x311712F3.

Step 23: Change the EIP with JMP ESP code.

Note: The address is written in reverse byte order, because x86 stores values little-endian on the stack, i.e. \xf3\x12\x17\x31.

Step 24: Let us send the following exploit to the application.

Step 25: Send the payload. Notice that ESP gets overwritten with the 10 D’s. Thus the first 10 C’s have to be replaced with \x90, the no-operation (NOP) byte.

Step 26: The next step would be creating a payload. To create a reverse TCP Shellcode open terminal and type the following command in the terminal.

Step 27: Now the final shellcode looks like:

Step 28: We will run our exploit now. Before running the exploit run ‘nc -nvlp 1234’ on your attacking machine:

nc -nvlp 1234

Step 29: Run the exploit. We have a reverse shell on our WinXP test machine!

Attacker’s IP — 192.168.43.204

BrainPan’s IP -192.168.43.205

Windows IP — 192.168.43.88

Step 30: Now we need to generate a new shellcode for linux and run it against the brainpan machine.

Step 31: Take the exploit code and change the IP address to Brainpan’s IP. Before executing the script, listen on port 1234 from 192.168.48.204. Execute the script. We now have a low-privileged shell on our victim machine. Let’s continue.

Step 32: We can see that we are not admin. Thus, for privilege escalation, let us enumerate more. We’ll take a look in the home directory to see if there is anything interesting… nope. The only thing noticeable is a script which restarts the web service should it die, as well as the root of the web service running on port 10000. Let us check if we have any special permissions we can use with sudo. Oh yeah!! We can see the output of sudo -l.

As we can see, anansi_util is writable by anansi and is executable as root with no password, so this should be a simple privilege escalation.

Step 33: The “manual [command]” part stands out immediately. Let’s see if we can run a [command] with root privileges.

Bingo!! We got the root access.
