methodology
Last updated
Was this helpful?
Last updated
Was this helpful?
NOTE: for OSCP prep, you can skip the METHOD_1: SPIKING
section
Run Immunity debugger as administrator
Attach the vulnerable service to Immunity debugger
Configure Mona working folder using !mona config -set workingfolder c:\kashz
NOTE: there could be multiple buffers in the vulnerable service, we need to confirm which buffer is vulnerable.
./generic_send_tcp IP PORT SPIKE_SCRIPT SKIPVAR SKIPSTR
use SKIPVAR=0 SKIPSTR=0
to fuzz from beginning.
NOTE: you can modify the fuzzer.py
to send a specific number of bytes and confirm crash.
Run fuzzer.py
and note the crash byte number
Generate pattern 400 bytes more than crash using msf: msf-pattern_create -l <number>
set PAYLOAD = <generated-alue>
Run exploit.py
and find offset
Using mona: !mona findmsp -distance <EIP>
. Should show in log windows as EIP contains normal pattern : 0x6f43396e (offset 1978)
[OR] using msf: msf-pattern_offset -l <number> -q <EIP>
set OFFSET = value
, set PAYLOAD = ""
, set RETURN = iiii
value of 0x69696969.
Run exploit.py
Program (should) crash with EIP = 69696969
Generate byte-array using mona excluding the \x00
null byte using !mona bytearray -cpb "\x00"
set PAYLOAD = ( generated-byte-array )
Run exploit.py
Note ESP and find barChar using !mona compare -f C:\kashz\bytearray.bin -a <ESP_address>
Remove 1st badChar from mona byte-array and generate new !mona bytearray -cpb "\x00\xXX"
Remove the badChar from PAYLOAD
in exploit.py
Continue steps 3-6 until mona memory corruption log output says STATUS = UNMODIFIED
Note: ALL badChars are needed to find the JMP instruction.
Locate all JMP ESP using !mona jmp -r esp -cpb "\x00\xXX"
Select the one, for which ASLR and other security protections are FALSE.
Windows requires little endian style. So,
if JMP instruction is 0x12345678
.
Take 2 letter from right-to-left and form return address
return address is \x78\x56\x34\x12
set RETN = \x78\x56\x34\x12
in exploit.py
set PAYLOAD = ( payload )
NOTE: try 32
if 16
does not work.
Usually an encoder will be used to generate the msfvenom payload which requires memory space to unpack. set PADDING = "\x90" * 16
in exploit.py
If by any chance, mona is adding new badChars after every removal of possible badChar, time to do it manually. Follow the same process but instead of mona to check for badChar use the following method.
(top-menu option) View > CPU window > (top right register pane) right-click ESP > follow dump
(bottom left hexdump pane) same CPU windows - see all bad chars in line
read thoroughly and check if all byte-array-chars are in order.
If any char is skipped or missing - it is a badChar
If byte-array-chars are missing after a specific char - that is a badChar
Remove one char at a time until you reach the last \0xff.
Note: ALL badChars are needed to find the JMP instruction.
view > CPU window
(top left pane) right click > Search for > All Commands in all modules > JMP ESP > search
Choose JMP Address with Green color and module name (as the file running)
Follow the above process to create little endian style return address
[OR]
use !mona modules
.
Find a module that is being loaded with protection settings as False.
use !mona find -s "\xff\xe4" -m MODULE_NAME
JMP ESP == FFE4 (in assembly)