Explaining Buffer Overflow with Immunity Debugger P1 | TryHackMe Buffer Overflow P1

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

what's going on welcome back in today's video we're gonna start buffer overflow preparation which is part of the official security pathway this buffer overflow preparation is a room that's comprised of 2 to like 10 tasks from 2 and so 11. every task as you can see has different objective and the general objective is to prepare you for the buffer overload so basically we have them like they will overflow one two three four five six seven eight in every case we need to exploit the buffer overflow uh exploit so the first thing to do we're gonna have to deploy the machine and connect to the machine with a remote desktop service you're going to type this command in your cali box here okay and once you're connected you'll see the windows 7 professional screen here and you can start practicing so in the first example here we're going to be doing overflow one now for overflow one there is here the material that you need to do to the challenge the material is comprised of the fuzzing script and exploit one although these scripts can be used for other purposes right for testing other binaries but we're going to use them for the scenario and yep so let's get started and as all of you know the objective of buffer overflow is to manipulate the behavior of the vulnerable application in order to connect back to us so in this example we're going to use immunity debugger normally in linux we use gtp in the last videos we used gdb to demonstrate buffer overflow now for the sake of this scenario we can use image debugger so we open the emergency debugger and then the next step is to open the vulnerable application that you want to test file open and the application will find it in the oscp directory in desktop so open the application here and you will see the window open as you can see on the left we have the assembly code uh instructions and here we have the registers and we have down there the memory addresses the external and here we have command area so how it starts so basically we're gonna first need to execute the application know how it works understand how we're gonna exploit that application so basically we're gonna say run as you can see here this button run the program now after the program right we should see a command prompt here as you can see the command opened it means that the application has opened and saying listening on port 1337 waiting for the client connection so the client so the program that we are testing now is kind of a listener that takes a string string of commands from the client that connects to it so basically we can head back to the machine here open a new tab and say and see the workers specify the ip and the board that's listening on is one two three seven so it's saying welcome to oscp vulnerable server enter helpful enter help for help and these are the available commands so basically we are in overflow one and he will specify a string value for example overflow one and the example will be test for example we see overflow on complete now uh the objective here guys is to crash the application now we know how the app works and the next we want to crash the application right we're going to provide a number of string a number of strings here that exceeds the allowed buffer in the overflow one now for the purpose of that we're going to have to generate a pattern so we're gonna before that we're gonna configure the mona and directory here the one i'm working directly on as one script is a script that's used with immunity debugger to facilitate the testing so first we're gonna set the one directory we can find these commands in the try hack me room so like that and now we set the directory as you can see okay so the next thing we're going to generate a payload or a pattern right so to generate the pattern before to make the pattern actually we're gonna need to fuzz wanna know how many characters uh are required to crash the application so we're gonna head back to flyhackme here and take the script so the script here we're gonna this is a fuzzy script i'm gonna take it and explain how it works browser ui so basically this script connects you're going to have to modify the ip address right up here like the address it is the ip of the machine that we are testing the port is the board that your program is listing on and here we have the buffer the counter this script will connect as you can see here to the application on the listening port 337 right and sent a number of strings or number of strings that is increasing by value as you can see from the while loop here every time the uh string increases in in terms of the number so basically until we crash the application so we're going to click save hit save and we're on the string before doing that we're going to need to restart here so control f12 there's if i can send this to the okay let me click on restart all right so basically we decided the app and now it's saying paused we're going to say run now it's running now let's now fire the fuzzer so say oh great permission right as you can see the bytes are being sent and if you see on the application display here we see that this is the output now the application is still able to handle all of the bytes we are sending but at some point it's going to crash and we're going to see at how many bytes the application has crashed and based on that number of bytes we're going to create the pattern so as you can see it stopped at 2 000 bytes which means that application has crashed at 2 000 bytes right now the next step is creating a pattern right with a number of bytes that is over 2 000 bytes right in order to see how the instruction pointer here so actually you want to see the instruction pointer as you can see instruction pointer now is written with ace because the fuzzer here sends ace okay now this russian porter is overwritten with ace right and as you can see here the stack pointer points to a's as well this is the address here so basically when i generate a pattern with exactly more than two thousand bytes okay and find the offset at which the crash has happened so we can specify a customized number of strings or a customized string to see how it's going to appear on the instruction pointer now next step here let's generate a pattern with msf or button create so the user share with exploit framework all right tools exploits and then pattern creates all right dash l and we specify 2400 for example so these are the number of characters we're going to need to copy that number or we're going to copy these characters all right and these are the characters that we would like to send now okay now to send this number of characters to the uh application we're gonna need to copy the exploit code so basically here this is the fuzzer and here is the exploit code so we're going to place these characters or the pattern we generated in the payload section here so copy that and here says exploit the ip is right so here is the payload okay we're gonna replace that with the payload here so copy that go up so the payload is ready now the next we we're gonna need to find the offset all right so the offset at which the crash has happened so we can after that offset place the uh extra number of strings so here we type mona find msp distance 2400 2400 is the length of the you know the pattern we have just generated and we're going to look for the line where it's saying examining registers so examining registered years eip contains normal pattern offset 1978. so this is the offset guys right we're gonna need oh actually i missed myself so this is the offset here one nine seven eight we're gonna need that number okay so we know where to uh specify so we get back to the exploit nano exploit or sudan i know my result is limited and here in the offset instead of zero it will be one nine seven eight hit save and we restart the app let me do it like that and then open post it run now we're gonna have to send the exploits or send the page one more time so say python exploit ui okay now let's look at the value of the instruction pointer here as you can see it has changed to four one three zero six one four one and if you look at the esp pointer this is the string as you can see so basically now instead of eights right it has been overwritten with this with this string of characters right which is uh here at the eip that means guys we have just overwritten the uh the instruction pointer with a customized string of characters which is this one right instead of all a's now we know where to write our own exploits okay now the next stage is writing or creating a payload right in the payload we're gonna use that use msfm and then send the payload that we have just created with msf venom with the exploit p1 here script so here the instruction pointer will be overwritten with our own payload but before doing that comes an important stage which is eliminating the bad characters eliminating the white character is a very important stage since bad characters sometimes they miss the execution of the payload right in the memory so we're going to need to eliminate the bad characters so for doing that with the immunity debugger we're going to have to uh generate first a string of bad characters accepting the null byte and then we replace the exploit here payload now so we're going to replace that with bad characters right and compare with mona how the bad characters would appear in the memory so we'll eliminate them one by one so for that there is another script here this script is used to generate the bad characters so let's generate string of bad characters now run this script now this is a string of bad characters let's take it and head back to exploit now here comes this portion we're gonna remove the payload here okay so let me open that with another editor it's like mousepad so this is the payload so here we have the exploit we're going to remove the payload here and replace it with the bad characters we have just generated hit save provide the password let me hit seven more time okay now we are ready to send the bad characters before sending the white card as we have we got to know what is the purpose of this process let's get back here okay so once we send the bad characters the instruction pointer here will be overwritten with bad characters okay now we want to eliminate them so in order to eliminate them we have to compare uh divide characters we have just created and we will which are about to be sent right to another list so generate another list now with mona and we execute the null bytes so as you can see the bad characters have been generated at this path mona oscp biter.txt that's fine that's okay now let's minimize that and restart everything so restart and here run the app now it's listening let's get back to the console here clear all right now let's use the run the exploit this time the exploit will send the bad characters okay hit send okay let's examine the instruction pointer so asb now as you can see is overwritten with what seems to be guys the uh address for right characters so what we're gonna do now we're gonna have to compare okay this address now contains the bad characters at the stack pointer here so we're gonna have to use mona now to compare the uh what is in this address here at the stack pointer okay so the byte array we have just rated with mona right so let's see here so it's saying we have zero zero and zero one as bad characters which is weird there must be more now let's see the comparison oh that's a second okay so here's the command i have to specify the instruction point the stack pointer is saying 0 1 0 1 8 9 so show me how many bad characters we have oh that's not correct so we have divide characters here zero zero zero seven now how it got this result so basically if you remember we have generated this a file biter it contains a byte array of bad characters right and at the same time we have just sent the bad characters to the program so here it's saying the comparison okay between what is in the uh stack or right with the from the payload and compare them to what is in the byte array so it's saying in the stack in the stack there is these number of bad characters that match right the bad characters in the byte array so here is the part where we have to eliminate these bad characters one by one so first we have the zero zero no let's make sure these okay right so what's next we have the zero seven and zero eight to e to f a zero a of one don't forget to double code now we're gonna hit enter all right let's go now to the exploit and remove the same bad characters from here so zero zero zero seven zero eight and zero eight to e to f a0 a1 look for a0 a1 okay here we are now save as i said earlier the goal here is to not see these bad characters in the comparison so that they don't exist in the stack anymore so say here no say restart run okay and back here the same we're gonna have to do the comparison the others is a stack monitor address 0 1 hc 5a30 so it's saying here unmodified which is what we wanted so this means that no bad characters exist in the memory anymore okay so now after we get unmodified no bad characters we're gonna have to select a location from the memory where pad characters don't exist okay so we can have to use a command like that here in the command area oh trying to copy it okay and we put the bad characters so basically the white characters are here and say here yep and hit enter so here we gonna have to see an address where is mona okay so we can select one of these addresses right you can select this one or this one or this one and put that into return address so say i want to select the first one okay this one so i get back to the exploit here and update the um [Music] the return so instead of ps we put this address and make sure to inverse the characters okay the inversion is because this is little indian so we have to do the inversion don't write them as they are means i don't write them as six two five zero you have to do an inversion so how to do that remove this okay all right and let's copy the diagonal line get back here okay so where do we start so we start like that af and then we have 11 then 50. and six two i guess no i'm not correct here so the inversion starts this way so 6 2 as you can see here or af comes first no no i'm correct i was hurt actually so x all right so here x a f and then comes the 11 these things should be done carefully x50 or you would have to repeat the all the work all over and then six two okay now save the payload okay now next generate the msf phenom so player so here we exclude the white characters from the payload so we get back here copy the result characters and remove them or exclude them while creating the payload and say enter that's good copy the values or the path value hit back here remove this old one and paste the buff right and then say payload equal uf okay now the padding here we have the padding the padding value will be nop no operation so that we give we allow for more space or we'll give more space on the memory for the execution of our payload that's the purpose of the nob so say here copy one x90 and times 16 save that now you are ready to send the payload and receive the reversal so here one more time restart and send to payload and receive the reverse shell so that's how it worked id or roi osp pof preparation now we can do privilege escalation but we're not meant to do that on this uh video since this is only explanation of the performance flow so i hope you enjoyed that and next we're gonna do all of the tasks for buffer overflow so you won't feel any doubts why you were doing it thanks for watching

Info

Channel: Motasem Hamdan

Views: 12,045

Rating: undefined out of 5

Keywords: OSCP, Buffer overflow, pentesting, immunity debugger

Id: GAcmECMYAkY

Channel Id: undefined

Length: 28min 10sec (1690 seconds)

Published: Fri Jan 08 2021