BO Attacks
lethanhtung01011980 edited this page Jan 9, 2020
- To exploit a BO (stack buffer overflow):
- Good ref (Linux): https://reboare.github.io/htb/htb-jail.html
- List of common BoF practice targets: https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/
- The target source declares a fixed-size stack array (`array[xx]`) that is written without a length check.
- Build the practice binary as 32-bit with an executable stack (`-z execstack` turns NX off for this binary only) and swap it into the running service:

```
gcc -o jail jail.c -m32 -z execstack
service jail stop
cp jail /usr/local/bin/jail
service jail start
```
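For reference, the `array[xx]` shape the notes point at, beside the bounded form that closes the hole. This is an added example written for this page, not code from the wiki or from the `jail` binary it describes; `BUF_SIZE`, the function names and the constructed inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed size of the fixed stack array (the notes' array[xx]) */

/* Vulnerable shape (the defect the practice binary exists to show): the
 * length of `input` is never compared with the array, so anything longer
 * than BUF_SIZE - 1 bytes runs past the array into the saved frame pointer
 * and return address. Kept only as the "before"; never feed it untrusted data. */
size_t copy_unchecked(const char *input)
{
    char array[BUF_SIZE];
    strcpy(array, input);                 /* unbounded copy */
    return strlen(array);
}

/* Hardened shape: check that the data plus its terminating NUL fits before
 * writing a single byte, and report failure instead of truncating silently. */
int copy_bounded(const char *input, size_t input_len, char *out, size_t out_size)
{
    if (out == NULL || input == NULL || out_size == 0 || input_len >= out_size)
        return -1;                        /* caller decides what to do with oversize input */
    memcpy(out, input, input_len);
    out[input_len] = '\0';
    return 0;
}

/* Same fixed stack array as copy_unchecked, but filled through the bounded copy. */
int copy_checked(const char *input)
{
    char array[BUF_SIZE];
    return copy_bounded(input, strlen(input), array, sizeof array);
}

/* Constructed oversize input (127 'A's, twice the array): copy_checked
 * refuses it and the stack frame is never touched. */
int demo_oversize(void)
{
    char big[BUF_SIZE * 2];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return copy_checked(big);
}

int main(void)
{
    printf("checked \"hello\":   %d\n", copy_checked("hello"));   /* 0 */
    printf("checked 127 x 'A': %d\n", demo_oversize());           /* -1 */
    return 0;
}
```

For the fixed version, also drop `-z execstack` and build with `-fstack-protector-strong`; `readelf -l jail | grep GNU_STACK` should then report the stack as `RW` rather than `RWE`.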
In Kali, the GDB settings below make the debugger follow the forked child process instead of the parent (optional). `jail` is the executable being debugged.

```
apt-get install gdb
```

- Compile with `gcc -ggdb` so the binary carries debug symbols; otherwise `list 1` and `break 22` have no source lines to work with.
- Pointer refresher: https://web.eecs.umich.edu/~sugih/pointers/summary.html

```
$ gdb jail
(gdb) list 1                       # show the source from line 1 (needs -ggdb)
(gdb) info inferiors
(gdb) set follow-fork-mode child   # debug the forked child, not the parent
(gdb) set detach-on-fork off       # keep both parent and child under gdb
(gdb) break 22                     # breakpoint on source line 22
(gdb) run &                        # run in the background so gdb stays responsive
(gdb) continue &
(gdb) i i                          # short for: info inferiors
(gdb) i r                          # short for: info registers
```
To find a JMP ESP (opcode bytes `ff e4`) in a memory range:

```
(gdb) find /b <from addr>, <to addr>, 0xff, 0xe4
```
In case the firewall blocks outgoing connections (socket-reuse shellcode):
- https://d3fa1t.ninja/2017/09/17/linux-x86-one-way-shellcode-socket-reuse/
- Sample payload at https://github.com/lethanhtung01011980/Notes/wiki/msf-payloads#11-partial-payload
To write the payload program quickly and return a shell over the same socket:
- https://github.com/lethanhtung01011980/pwntools
- Sample pwn script: https://github.com/lethanhtung01011980/Notes/blob/master/pwn_sample.py
To find the offset of the return address, generate a cyclic pattern of the crash length and send it as the input:

```
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 50
```

- At the crash, EIP holds `0x62413961`; look that value up in the same pattern to get the offset:

```
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 50 -q 0x62413961
```
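What the two Metasploit helpers above actually compute, as an added C example written for this page (not code from the wiki or from Metasploit): the pattern is built from uppercase/lowercase/digit triples with the digit changing fastest, and the offset query takes the register value as a little-endian 32-bit word and searches for those four bytes in the pattern. Function names are assumptions; the check in `main` reuses the page's own `-l 50` and `0x62413961`, so the result can be compared with the tool's output by hand.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill `out` with up to `len` bytes of the cyclic pattern "Aa0Aa1Aa2...":
 * an uppercase letter, a lowercase letter and a digit, digit changing
 * fastest. `out` must have room for len + 1 bytes. Covers lengths up to
 * 26*26*10*3 = 20280; past that this version simply stops, and the real
 * tool's behaviour beyond that point is not modelled here. */
size_t pattern_create(char *out, size_t len)
{
    const char *upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    const char *lower = "abcdefghijklmnopqrstuvwxyz";
    const char *digit = "0123456789";
    size_t n = 0;
    for (size_t i = 0; i < 26 && n < len; i++)
        for (size_t j = 0; j < 26 && n < len; j++)
            for (size_t k = 0; k < 10 && n < len; k++) {
                char triple[3] = { upper[i], lower[j], digit[k] };
                for (size_t t = 0; t < 3 && n < len; t++)
                    out[n++] = triple[t];
            }
    out[n] = '\0';
    return n;
}

/* Offset at which the 32-bit little-endian encoding of `value` appears in a
 * pattern of `len` bytes, or -1 if it does not (the register then held
 * something other than pattern bytes). This mirrors pattern_offset.rb -q
 * with a hex query. */
long pattern_offset(size_t len, uint32_t value)
{
    unsigned char needle[4] = {
        (unsigned char)(value & 0xff),
        (unsigned char)((value >> 8) & 0xff),
        (unsigned char)((value >> 16) & 0xff),
        (unsigned char)((value >> 24) & 0xff),
    };
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -1;
    size_t n = pattern_create(buf, len);
    long found = -1;
    for (size_t i = 0; i + 4 <= n; i++) {
        if (memcmp(buf + i, needle, 4) == 0) {
            found = (long)i;
            break;
        }
    }
    free(buf);
    return found;
}

/* Helper: 1 if a pattern of `len` bytes equals `expected`, else 0. */
int pattern_equals(size_t len, const char *expected)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return 0;
    pattern_create(buf, len);
    int same = strcmp(buf, expected) == 0;
    free(buf);
    return same;
}

int main(void)
{
    char buf[51];
    pattern_create(buf, 50);
    printf("%s\n", buf);                                                      /* Aa0Aa1...Ab5Ab */
    printf("offset of 0x62413961: %ld\n", pattern_offset(50, 0x62413961u));  /* 28 */
    return 0;
}
```

The little-endian step is the part people get wrong when reading the value off a register: `0x62413961` is the bytes `61 39 41 62`, i.e. the string `a9Ab`, which sits at offset 28 in the 50-byte pattern.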