Practicing Buffer OverFlow P8 | TryHackMe Solving All Tasks

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

what's going on welcome back in today's video we're gonna carry on the buffer overlook practice and this one is a reminder that it is part of the opposite security pathway so basically in the last video in the first part we did the first part which is overflow one now the rest of the tasks are nearly the same you just have to practice so overflow two all the way till ten they are a copy of overflow one but if you want to practice your skills and buffer overflows you will have to do all of the 11. there is no uh vast difference between these tasks there's nothing new you will learn except that they are just for practice so in this video i'm going to try to cover overflow 2 3 4 as much as i can and when i feel tired i'm going to just stop so basically you can wherever we stop down the road you can just carry on yourself and complete the rest of them if you do all of them then that's good for you okay so let's get started so basically the same questions we have to locate the eip for the overflow and the about characters basically we can technically we're going to do everything but right not just only locating the white characters and the eip so after you add the program to the immunity debugger and make sure it is running you just have overflow to run this over flow two okay so basically we don't need to use that we're gonna control c here okay now we will have to get back overflow one take the fuzzer take this um all right let me get back to the console so here we generate the buzzer technically you can use this code for all of the tasks so here we change this to the current ip of the machine which is a bit different than this no not different so keep it the same so one thing to modify here we have to change this instead of overflow 1 which is the first command we're going to change this overflow 2 since this is the uh the required command we need to send to the program program would send overflow to and the payload which is ace click on save and here restart do restart run okay run the fuzzer now let's see where it's gonna stop or where it's gonna crash that's how many bites seven eight oh stopped at seven seems like we crashed here so we crashed at 700 bytes already then so the next step we will have to find we will have to generate a payload right no payload sorry a pattern with msf phenom so sudo user share let me exploit framework tools and dash l so here 700 bytes we may choose to do the rates like more than 700 bars of course let's say um 1000 bytes okay this is the pattern now i will have to update the payload so let's copy that and edit the payload so here it is so basically here the payload will be the [Music] pattern we have just generated and of course change the prefix here to overflow two two okay other than that that's what we need to do here okay save so that's the first step we fast the application see after how many binary after how many bytes it has crashed generate a pattern with with a number of points a bit more than the number of bytes at which it has crashed and then here the we send the exploit so here we decide to restart restart run so now the goal is we send this pattern and we see the address or we see the instruction pointer so let's send this okay so this is the instruction pointer right and we see here it's over within with this so basically now the next step is to find the offset right once you want to find the offset so after finding the offset we can determine so let's take this value of the instruction border and find the offset so instead of python create i'm going to use pattern offset rb0 dash q and here we put the value the value here is well i think it's not going to copy seven six one seven six four seven six four [Music] one thirty one seven six let's find the offset so the offset is at six three four let's update the exploit and here we set the offset to be six three four six three four overflow two okay payload all right here we gotta change this so here we're gonna put some b's right or c whatever you would like and right here you want to see right if the piece will be uh overwritten to the instruction pointer okay after it has after it has written the a's here after this offset it will write the piece let's see how it's gonna work so restart again start run the exploit so the instruction pointer as you can see the value here is the base right four two four two four two meaning that we have b's here so what's your next step now your next step is to find an address right from the memory where you can write your payload at first we got first identified about characters and illuminate them so for the bad characters we're gonna have to generate a list of bad characters right store it locally and then we have to generate another list of pipe characters send it as a payload and compare between the two in order to identify them so here with now we can we can generate a list i'm not sure i have created a working directory with mona let me check computer c so there is none this generates one so let's get back here so let's rate the bad characters all right check on them mona ostp so we have the byte array here now the next step is to use the script from try hack me to generate the bad characters so let me get back to try hacking here and see the scripts where we can generate these bad characters paste it and run it really unexpected in the file oh i couldn't read the uh let's see what oh we have got something here missing it's the parenthesis without looking after that look but anyway so this is the list of bad characters take this and get back to the exploits okay now let's see here where is the exploit open it with key right get it right change this to divide characters let me make sure i copied correctly any mistake here is not something we can stand okay so this is about characters the reference is correct the offset is correct and here what is this look at that this one correct this okay save it go ahead now and yes so here we need to restart i guess okay so let's restart run it is running command line send the exploit what is this happening actually i made a mistake while editing the exploits okay finally done let's see here now the instruction pointer as you can see is overwritten with bs right now the objective here is to identify the bad characters so in order to do that we will have to use mona and compare the bad characters that have been sent to the memory stack to the list that we have just created so here dsp is 0 1 9 8 0 1 9 8 v0 syntax error hmm so this appears to be the bad characters that we have got so we will have to illuminate them from the byte array for the healthy comparison and from the payload so we're gonna get back here to the payload itself okay let's remove them from here so we have 23 24 23 23 24 except we'll have to do it on this and 3c 3d okay i guess it is here somewhere here yes 83 84. now we have more babb a384 ba and bb other than that all is good so this is for the payload save that okay let's now remove them from the x the byte array here from yes byte array so basically here okay now i will have to put the bad characters that i just found so 23 24 3 3d okay all of that quickly now and then you hit enter okay here just remove the bad characters okay now the white card doesn't have removed all we have to do now is to find uh the espn or the an appropriate address for the instruction pointer so to do that we'll have to rerun the program and see an address where the bad characters do not exist okay so here we will run the exploit one more time of course don't forget to [Music] um what don't forget to restart that's good run yes send the buffer uh okay that's fine now let's keep the bad characters here and update this command to jump to an address in the stack pointer where these back characters do not exist so let me remove all only this yes so show me what you have got all right let's check here so we can start from here we can take any address right among these addresses found a total of eight pointers so we can take one we're going to take the first one and use this one in the return address so let's head back to exploit and here we replace the return with the address we have just found one important thing here is don't forget to invert the characters while you place them in the return address so don't write it as 62 50 11 am return them af 1156 c2 so basically here let me copy this character symbol character whatever x a f and what else we have af 11 next one 50 dance comes 62 okay that's the return address now we will have to generate shield code to replace the shell code instead of the payload here so folder msf rename dashboard windows cell hellhost oh yeah this imports 455 exit function red dash f it will be kinda yeah c hp the bad characters we have just found and that's it i guess let's see okay great actually we should have put this as p y not c so here remove this one and it's the one that makes our life easier come on why all the time when i copy something it misses one character or wonder oh okay and now the payload here that remove this one will be b f so buffer equal prefix overflow return padding payload everything is in order well yes i think we're ready okay save this one more time i don't want anything to right so restart now are ready to get the listener you get the reversal so here it is now let's run nc lpp 45.5 and a separate oh no no need for this let's split the view better so when access violation i think we forgot something in the process okay fine let's stop this let's get back to the exploits so here's the padding we forgot the padding actually so let's make the padding as x90 and here we multiply this with let's say 20. save it and we get the reversal so that was for the overflow two this is overflow one the questions what is the eip offset for overflow two and i guess we got past this right okay in byte order and including the nullbytes wait where the bad characters of overflow tool so basically we get back these are divide characters i will answer is correct no well some of them aren't actually bad because let's meet him with dbb d4 3d 3c uh listen with d 24 23 24 oh that worked now is the eip offset yeah the offset is 634 right something like this yes so that's for oscb overflow two now let's head over to overflow three so here just restart run and all i have to do is to get better the fuzzer the further the fuzzer okay f use it so the father here will send everything is correct but instead of of 2 we're going to send over 3 save and run the overflow around the fuzzer to the right browser gonna connect what are you implying terminated okay because of this i guess let's let me close everything yes i got you restart open and i prefer to remove the bite arrays here because we have three new ones run let's see at how many bytes as you can see this reversal has been terminated but not no problem now six five seven eight nine one thousand one hundred thousand seems like a tough one oh 100 1 300 at 1300 let's not down what happened here so as you can see the ip is overwritten with base now let's generate a pattern with msf fenu let's see the command here that we used more on that here so the pattern is one thousandth in this case or an overflow two we're gonna make it thirteen hundred i'm gonna make it like fourteen hundreds is that enough or 1500 1500 is okay now take this this divider edit the exploit and here the prefix will be over flow three and i'm not sure i'm doing that correctly right okay no problem let's do it here faster reload so remove db uf remove the padding make it and hit return empty the payload here will be this this is your payload this is overflow now find the offset if we're finding the offset we're gonna send the first payload first so offsets here like that save all right now send the exploit restart of course jesus what here is like that i'm making something wrong here yeah you are let me check the offset is zero why i why seem like don't know what it is so here in the first it's gonna be zero same thing payload uh this is the eip note down the value on the ip now generate the or create the offset find the offset sorry paste this and take the value here the value is 3 five seven one one 1274 let me check on this value if it's correct how can we check that we try to answer with this question which i will answer with this value what is the aip offset for order flow 3 check i have a hunch that is wrong but correct okay so basically now we have the offset we have the exploit one two three four oh seven four we actually was seven i like to double check i am a paranoid person so overflow is right now we put here the piece so the vip now should be overwritten with peace okay after this offset and this is the pattern now send that one more time stop telling me reload okay so here get back and restart that's fine run send your payload note down the eip as you can see the ip is has been really overwritten with these okay now your favorite step now is to generate the bad characters let me take them from here i don't know writes commands [Music] so mona generate the byte array okay now next generate the list of part character with the script that take this update to exploit not from here let's do it from here now the bad curves are in the payload let's send them now send the appeal one more time this listening yo restart send no okay now let's compare of course here the address will be the esp address here which is 0a 0 1 a c f a zero the bad characters are these guys what you're gonna do we're gonna remove these bad characters from both the exploit and mona so we get back here see we have 11 12 40 41 11 12 40 41 and 5f60 5x60 consecutively okay and we have b8 b9 es ef okay all right now let's see what is about hackers from what from the here divider so we will have to let me get back to find jump point no since i'm bad at some rising cons i'm going to check i'm checking for the okay i guess i'm gonna need to get back here anyway so here instead of compared we put byte array dash p and here we have to put the list of the bad characters so we have 40 41 5 f 60 okay i guess i have written them one in a place here like that okay yes so let's remove them now from divide array all right now we have not to compare let's see anyway no need for that i guess okay now after we have removed the bad characters from the byte array and from the payload we will have to send to pair one more time to make sure the battery does not exist i know i skipped this in the overflow too but you can do that in overflow 3 because i am i'm sure that payloads or payload or the memory was actually free of bad characters so let's restart run run 70 characters the payload so and now we will have to see the stack pointer and compare so here instead of byte array we type compare and of dash p we type just a second i guess i made a mistake here so let's begin back and type right array remove the dash f make sure the right characters are removed okay fine now compare f and here what is the address the path and dash a see here we have zero one and indeed unmodified no bad characters right now what characters let's now find jump points or an address right in the memory where there are no bad characters so here keep this instead of compare we're going to type jump mark dash r esp dash cp and get to bad characters what is this no i don't like this let's restart run send why it's going zero pointers huh this shouldn't happen so we will have to revise this let's remove the b9 or yes b9 we're going to move some bad code some non-bad characters from here and see we have also there was a sixty five see here the 41 is not good and the 12 also is not good okay two let's see here the addresses okay we can take one but let's first take these characters and try to see if they are actually the bad characters try hacking is expecting to answer with so let's see overflow three submit wrong wrong and remove the uh or keep the ee i guess b9 6061 okay five f is good for one not good twelve also not good v8 sixty okay what about if we do the 60 as well oh okay let's try to find an address with these characters show me one only one so zero three and one two huh okay it turns right and don't forget the bedding which i did forgot actually in the last video so the padding which is the no op if you remember times let's say 15 no 16 and the payload so let's get the previous payload that we have used before yeah i know so annoying always omits the first character of the copying process all right so here remove this face that and say equal bof no no before yeah that was all for the exploit save it what's happening rerun the listener now send the payload of course read starts runs yo we haven't received anything are we doing everything correct i guess you know restart i guess there's a problem with the payload hmm how about we generate a new payload okay fine yes the bad characters were the problem we haven't replaced the bad characters with the new updated one so that's why i didn't work so guys let's copy the bad characters and here say numerate this will restart while it is being created run this get this ready what is this what is that the encoding we didn't do the encoding right so you have to do encoding here okay another character all right zero zero what about you remove the characters we have submitted or removed before so let's remove these and the 4g1 the 60 and the b9 let me try with this one okay yo yo okay take this fine save let's listen let's run what for now finally received it okay so that's the third reversal okay let's see overflow four we have too many actually i guess i'm not gonna be able to proceed further but you see guys it's the same process let's do the last one overflow four and i guess we're gonna need to stop after that okay so clear stop everything from here close pre-run all right now it's running it's back here let's edit the fuzzer now deposit here instead of overflow three it will be overflow four okay now send it six seven aids 2000 or 2100 okay let's check here what we have got as you can see the eip is overwritten with a's a is all of the life is so let's now generate a pattern so we have 2100 let's make it 23 000. 2300 sorry and copy this of course we're going to have to remove this make this empty string this one will be zero this will be overflow four this one would be empty string and here the payload that is right save okay restarts no no no we have run the fuzzer all right what this is weird right let's start okay so here's the ip let's keep taking note of the eip and find the offset 2026 let's try to answer this 20 26 okay now take this you get back here save those 26 here these send the payload we start shaking here oh come on you just just do me one more time no hope oh i forgot to i'm gonna need to remove this just for the sake of you know not getting into paranoia so open run running fine you know what's happening here i can't see the bees here finally this is these are the bees as you can see here the next step as always to generate the bad characters i am too lazy to write them so i'm going to copy them the mono okay one for mona and we just rate them with define that big device characters payload replace the pattern the divide cursors hit save and send run sends okay let's now find the bad characters itself that's a let me try my luck that's not coping okay what are the bad characters see what we have these guys okay so you have the bad cursors go ahead and remove them a9 c o o c d c e d4g5 let's just confuse and analyze this where is the d come on d4 d5 safe now it's time to remove them from what mona so here byte array dash b and the list of bad characters what's happening in my own okay and you've got characters here remove them from mona and it's time to jump to an address or before jumping let's uh send the payload one more time to make sure the bank connections are eliminated exterminated i prefer this word send i keep clicking on that okay so what do we have to do now we're gonna have to compare uh something bad happen again one more time let's delete this sent okay so here dash a zero one i think i have top something wrong efa all right what happened here what else we're getting here okay i'm gonna skip this step the comparison step and go right away to find an address or jump to another stack where we can use this in the return others in the exploit we do find so we have a total of nine pointers that's good let's take this one one more one more time so you get back to the exploit i need to return address where's the return this one so x here we start from af and then we have 11 50 62 the padding which is also for the knob so here x90 multiplied by say 20. and the rest is we have to generate the payloads so we have to delete this and say build the pool uf and here is the payload that we would have to iterate so right here it's going to be the same one but the difference here will be the bad characters where are the bad characters so take this [Music] run your listener we start run okay and that's the fourth reversal so that is for overflow four the bad characters are let's answer this and get away or run away one more time uh after all that it refuses to commit right characters just makes me crazy let me try one more time okay so overflow five six honestly five six seven eight nine they are the same questions so i guess by now you can do all of the rest of the tasks yourself follow the same process just replace the values so that was about this and see you the next video okay guys so i just wanted to share with you the answers to the rest of the tasks in case you are completing the rest of them alone so if you want just to make sure your answers are correct the answers for them are like that overflow five overflow six overflow seven eight nine and bingo these are the answers for tasks five all the way till ten now from two all the way to four we have covered them in two videos get back with them to understand the process you can then do the rest of the tasks easily the same process the same way

Info

Channel: Motasem Hamdan

Views: 8,813

Rating: undefined out of 5

Keywords: BOF, Pentesting, buffer overflow, tryhackme

Id: i-DUOtM8XS8

Channel Id: undefined

Length: 66min 53sec (4013 seconds)

Published: Mon Jan 11 2021