Sunday, August 9, 2015

Exploit-Development 1 Notes and write-up (Strategic Security training.)

This is a blog post contains Personal homework notes/step-by-step instructions on a buffer overflow exploit development. This material is from Joe McCrays Strategic Security training.

Lets begin...

First we need a skeleton script for out exploit.

This will send 2000 A's to the IP address specified as the first parameter of the programs

Next lets start up the target application using Immunity Debugger on the target system.

Now we run the program by clicking the “play” run button >

Next we need to run our skeleton script from the attacking host.

Doesnt look exciting from this view.

Checking out the target.

Boom! Its dead!
Notice EIP is 41414141 with is AAAA.

Now we need to find how much room we have for shellcode. :)

Lets use pattern_create.rb to generate a pattern that we can use.

Copy this into our skeleton script. I like saving it under a new name so I keep a skeleton script around.

Now we run this against our target.
NOTE: Remember to restart the application within Immunity.

And this is what we get.

Lets calculate our shellcode spacing.

We get the value in EIP and ESP.

Now we can use pattern_offset.rb to find the offsets at which these values are at.

So it looks like pattern_offset is having issues finding the offset of 0Aj1A

Lets do it by hand.

Vim find

Ok so we found it at 281. But thats from beginning of line which includes 'buff =' We don't want that. The actual string starts at offset 9. so 281-9=272

Now we have the offset of ESP

and its only 4 bytes away from EIP.

Lets translate this information into our python exploit.

Offset to EIP was 268 so we fill buffer with 268 A's

EIP is 4bytes long so we fill that with B's

ESP is filled with C's

Lets test it out and we should see EIP have B's and ESP C's.

Cool what we thought should happen did.

So we confirmed our information and now we can actually exploit this.

First we need the location of our shellcode, this is ESP. Since we have control over EIP we can just put the address directly in.

Lets generate some shellcode real quick, a bind_tcp should work for a poc.
Insert the shellcode into our script

New exploit script looks like this.

Lets run it agains our target now and if all goes as planned we should be able to use netcat to connect in on port 4444 (default for msf payloads).

And we have a shell.

Notice our connection in netstat from

1 comment:

  1. Thank you for this article and I have a question concerning your future articles - any plans to write about data room providers , or maybe to make a comparison of clouds? Thank you in advance for your reply!