BoF - Windows(x86)
Introduction
This kind of exploitation you will only find in bizarre Windows systems (OSCP EXAM) that do not support 64 bits architecture.
Setting up the environment
To exploit a buffer overflow is required a test environment where the researcher can experiment with the vulnerable program for obtaining RCE instead of a DoS once it is executed against the victim.
To set up the environment, you need to download and install the following.
Windows 7 x86. Do not forget to change the keyboard layout at
Region and Language/Keyboards and Languages/Change keyboards...
monay.py: Add the file to the folder
C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands
.The vulnerable program version
Discovering the offset
The attacker should follow these steps to determine how many bytes are necessary to crash the service.
Run immunity debugger as administrator.
Set the mona directory.
Open the .exe file and press "PLAY"
F9
.Run the fuzzer against the remote program.
Fuzzer.py
Now, based on the last set of bytes that was sent to the server, you need to create a pattern for obtaining the specific number of bytes required to crash the service.
The file C:\mona\pattern.txt
with the generated pattern will have been created.
Then, modify the script, adapting it to the executable you want to exploit and add the ASCII pattern to the buffer
variable and execute it.
bof.py
Once the script is executed, the Immunity Debugger will have the status Paused, copy the value of the EIP registry and execute the following command.
The result is a text similar to this one:
Modify the buffer
variable in order to check that the offset is correct.
Restart the program Ctrl+F2
, hit PLAY F9
and re-launch the exploit, getting an "Access violation" with the EIP register full of Bs (0x42).
Finding bad characters
Generate the byte array, to find the bad chars with the following command.
Note: Remove the Null byte because it is always a bad char by default.
The byte array can be found in C:\mona\bytearray.txt
.
The script would look like this:
Restart the program, run the exploit, click on the ESP registry in the Immunity Debugger and click on "Follow in Dump".
Check if a character is missing from your BADCHARS string. Whether the byte does not appear or 00 appears instead, remove the byte from your exploit.
Another way to get the bad chars is to run the following command, where the first bad char is the one to remove.
The bad chars are listed in the following table.
Note: As you have removed the 00, the bad chars would be 07, 2e and a0.
Once the bad char is found, run the command !mona bytearray -b "\x00x<BADCHAR>"
, adding the bad chars found and run the exploit again. Moreover, remove the bad chars from the badchars
variables.
This process is iterative until no more bad chars appear.
Looking for JMP ESP instruction addresses
Now, look for memory addresses that contain the JMP ESP
instruction but whose address does not contain the previously obtained bad chars.
In the window/Log data
window, you will see several results, as it is possible to use the address of momeria, whose file is from the application itself and which has everything set to "False".
Copy the address and pass it to Little Endian.
Generating the payload
Run msfvenom to generate your payload with EXITFUNC=THREAD
so that the exploit can be launched multiple times.
Note: If the exploit does not work, try other encoders. You can list the available encoders with msfvenom --list encoders
.
The variables would look like this.
The NOPs (0x90) instructions are added to prevent your payload from overwriting the value of the JUMP ESP address.
Testing the exploit
Finally, use netcat to listen on port 443, restart the program and run the exploit. If you have obtained a functional reverse shell you can execute the exploit against the target machine.
References
Last updated