You’ll find this vm here :
- Nmap found three open ports:
- For now let’s focus on port
Login | SQL injection
- The login page is vulnerable to
- We are logged in as admin
- There is in comments the
- Let’s check it
- This form allows to upload a file
- We will try to upload the Reverse Shell
- After success uploading of the reverse shell
- open your listener and reload the
- Running the
ps auxto find possible processes for root
access.exeis a windows application and running as root
- Also the
access.exeis the application that is running on port
- Download the
The way to Root
There is a possibility that the
access.exe is vulnerable to
Stack-based BOF. I will set up my environment to exploit the access.exe file.
Windows 10 vm i installed the
Eclipse + PyDev and the
What is BOF (Buffer Overflow)
Buffers are memory storage regions that temporarily hold data while it is being transferred from one location to another. A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the storage capacity of the memory buffer. As a result, the program attempting to write the data to the buffer overwrites adjacent memory locations. For example, a buffer for log-in credentials may be designed to expect username and password inputs of 8 bytes, so if a transaction involves an input of 10 bytes (that is, 2 bytes more than expected), the program may write the excess data past the buffer boundary. Buffer overflows can affect all types of software. They typically result from malformed inputs or failure to allocate enough space for the buffer. If the transaction overwrites executable code, it can cause the program to behave unpredictably and generate incorrect results, memory access errors, or crashes.
What is Buffer Overflow Attack
Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes the execution path of the program, triggering a response that damages files or exposes private information. For example, an attacker may introduce extra code, sending new instructions to the application to gain access to IT systems. If attackers know the memory layout of a program, they can intentionally feed input that the buffer cannot store, and overwrite areas that hold executable code, replacing it with their own code. For example, an attacker can overwrite a pointer (an object that points to another area in memory) and point it to an exploit payload, to gain control over the program.
Structure of the stack
Extended Stack Pointer (ESP)
ESP denotes the address where the next data has to be entered into the stack and holds the top of the stack. This is the point where the instructions which use the stack (PUSH, POP, CALL and RET).
A stack buffer is a type of buffer or temporary location created within a computer’s memory for storing and retrieving data from the stack. It enables the storage of data elements within the stack, which can later be accessed programmatically by the program’s stack function or any other function calling that stack. Any information placed into the buffer space should never travel outside of the buffer space itself.
Extended Base Pointer (EBP)
EBP denotes the address of the location where the first data has to be entered into the stack.
Extended Instruction Pointer (EIP) / Return Address
EIP denotes the address of next instruction has to be executed into the stack.
Ιn the image below we can see the sequence of A’s did not escape the buffer space. Therefore there is no buffer overflow vulnerability.
Ιn the second image below we can see the sequence of A’s have escaped the buffer space and have reached the EIP. Therefore there a buffer overflow vulnerability. Gaining control of the EIP is very dangerous because, the attacker can use the pointer to point to malicious code and spawn a reverse shell.
The first step in buffer overflow is
fuzzing. Fuzzing allows us to send bytes of data to the access.exe repeatedly with a constant increase in the size of the data being sent. This will help us, to overflow the buffer space and overwriting the EIP.
One second before running the script
After running the script
Okay, the system crashed at 2000 bytes, as we saw in the image before we can overwrite the EIP
(41414141 = AAAA).
The overwrite is between 1 and 2000 bytes. I will use the
msf-pattern_offset tools to find the exact size at which the EIP was overwritten.
After sending the generated string, i will check the value of the EIP. So, if we give to msf-pattern_offset the length of the generated string and the value of the EIP it will calculate the exact length of the point that the EIP was overwritted. Αs I understood the msf-pattern_offset checks at which point of the string the ASCII value of the EIP was found and calculates the size of the bytes from the beginning to the point of the EIP value.
Creating the pattern with 2000 bytes length
- Sending the pattern
- Calculating the exact length
- The exact match was found at
Confirm the EIP control
The value of the EIP successfully overwritted with four B’s = 42424242, so EIP control confirmed
Some characters can cause issues in the development of exploits. I will send at once every hex value of ASCII characters to the access.exe to see if any character cause issues.
The letter M =
\x4d (hex) is a bad char so let’s remove it from our
badchars variable and rerun the script We will repeat that proccess until bad chars not found.
- I will run it one more time for example
The second bad char was the letter O =
\x4f (hex). We will remove it from our
badchars variable and we will rerun the script.
- All bad chars that i found was :
Find the JMP ES
As i read, we don’t need to give to the EIP the exact address of our malicious shellcode. The instruction JMP ESP will jump to the stack pointer and execute our malicious shellcode. So, If we can find the JMP ESP instruction in the program, we can give its memory address to the EIP and it will jump to automatically to our malicious shellcode.
Finding the address of the JMP ESP
- Immunity Debugger -> View -> Executable modules, Select the funcs_access.dll
Remember we downloaded from the school machine the access.exe and the funcs_access.dll
Their location was under /opt/access/
- Search for -> All commands
- Type : JMP ESP
- We found 2 addresses, let’s use one of them
address 1 : 625012D0
address 2 : 625012DD
Remember the system understand the addresses using little endian.
\xD0\x12\x50\x62 stands for
Testing the return address
We will modify the script to check if the EIP call successfully the address of the
Instruction JMP ESP
- Run the script
We triggered the breakpoint. Therefore, the EIP call successfully the address of the Instruction JMP ESP.
Creating the reverse shell
In our kali, generate the shellcode
- The null byte char \x00 by default is a bad char so we add it to our badchars list (-b)
- Now we will add the shellcode into our script