Brainstorm

Fuzzing: Check if we can overlow the buffer

import socket
import sys

username = "pika"
message = "A" * 4000

try:
        print("sending payload...")
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.connect(('192.168.0.101',9999))
       # s.recv(1024)
       # s.recv(1024)
        s.send(username + b'\r\n')
        s.recv(1024)
        s.send(message + b'\r\n')
        s.recv(1024)
        s.close()
except:
        print("Cannot connect")
        sys.exit()

Use msf-pattern_create to overflow the buffer again. Replace the value of "A" with this.

Check the value in EIP register. Then use msf-patten_offset to check the position of overflow

Now use this offset value and try to overwrite the EIP with "B"

Check if the EIP is overwritten with 42424242. Now find badchars. \x00 is bad by default

Right Click on ESP and click Follow In Dump. Check the badchars there. Next step is to rerun Immunity and start the service. Go to the bottom and type

This will give you a list of information. Check the module which has FALSE across the board. Then do another search.

Check the Results section and note down the return address. Run the service and click on blue arrow. Enter the return address there. It will take you to the location of that address. Click F2 to set a breakpoint. Then run the following script. (Return Address= 625014DF)

Check if we have overwritten the EIP with the return address. Also check at the buttom if it says Breakpoint at essfunc.625014DF. Then create a msfvenom payload to get a shell. Remember to add any badchars found in the payload to remove them:

Now run the following script to get a shell

PreviousBrainpanNextInitial Shell Exploits

Last updated

Was this helpful?