Quick Stack Based Buffer Overflow For Tim

1. #############################################
2. # Quick Stack Based Buffer Overflow For Tim #
3. #############################################
4.  
5. - You can download everything you need for this exercise (except netcat) from the link below
6. https://s3.amazonaws.com/StrategicSec-Files/SimpleExploitLab.zip
7.  
8. - Extract this zip file to your Desktop
9.  
10. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
11.  
12. - Open a new command prompt and type:
13. nc localhost 9999
14.  
15. - In the new command prompt window where you ran nc type:
16. HELP
17.  
18. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
19. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
20.  
21. - Now double-click on 1-simplefuzzer.py
22. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
23.  
24.  
25. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
26.  
27. - Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
28.  
29. - Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
30.  
31. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
32.  
33. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
34.  
35. - Calculate the distance to EIP by running script 3-3000chars.py
36. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
37.  
38. 4-count-chars-to-EIP.py
39. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
40. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
41.  
42. 5-2006char-eip-check.py
43. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
44.  
45. 6-jmp-esp.py
46. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
47.  
48. 7-first-exploit
49. - In this script we actually do the stack overflow and launch a bind shell on port 4444
50.  
51. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
52.  
53.  
54. ------------------------------
55.  
56. cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
57.  
58. vi vulnserv.rb (paste the code into this file)
59.  
60.  
61.  
62. cd ~/toolz/metasploit
63.  
64. ./msfconsole
65.  
66.  
67.  
68. use exploit/windows/misc/vulnserv
69. set PAYLOAD windows/meterpreter/bind_tcp
70. set RHOST 192.168.88.129
71. set RPORT 9999
72. exploit