eCPPTv2 Exam Buffer Overflow Prep Windows 7 Questions

Hi everybody,

I will start my eCPPTv2 Exam in a week and have some questions about the BoF preparation.

  1. Some say you need a Windows 7 32-bit VM to test the exploit, some say you need a Windows 7/10 64-bit one. In the INE and TryHackMe labs usually only 32-bit machines are provided. Can anyone clarify?

  2. I just set up a Windows 7 32-bit VM and tried to exploit the 32bitFTP server BoF from the INE system security course as I did in the lab. The client-server connection is working, the program is crashing as it should, the offset is calculated normally, bad chars are identified. So far so good. Next, I usually use mona to find a function to jump to ESP with the following command:

!mona jmp -r esp -cpb "\x00\x0a\x0d"

When I do it in the INE or TryHackMe labs I get a list of functions which I can use. But in my own testing environment the mona output says:

          ---------- Mona command started on 2022-07-16 12:31:10 (v2.0, rev 616) ----------
0BADF00D  [+] Processing arguments and criteria
0BADF00D      - Pointer access level : X
0BADF00D      - Bad char filter will be applied to pointers : "\x00\x0a\x0d"
0BADF00D  [+] Generating module info table, hang on...
0BADF00D      - Processing modules
0BADF00D      - Done. Lets rock n roll.
0BADF00D  [+] **Querying 1 modules**
0BADF00D      - **Querying module 32bitftp.exe**
0BADF00D      - Search complete, processing results
0BADF00D  [+] Preparing output file "jmp.txt"
0BADF00D      - (Re)setting logfile c:\mona\32bitftp\jmp.txt
0BADF00D      **Found a total of 0 pointers**
0BADF00D

Normally there should be way more modules queried by mona, so I asked myself why it's only one. I tried the “!mona modules” command and discovered the following:

0BADF00D  -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D   Module info :
0BADF00D  -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D   Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D  -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D   0x770a0000 | 0x77174000 | 0x000d4000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [kernel32.dll] (C:\Windows\system32\kernel32.dll)
0BADF00D   0x76de0000 | 0x76e8c000 | 0x000ac000 | True   | True    | True  |  True    | True   | 7.0.7600.16385 [msvcrt.dll] (C:\Windows\system32\msvcrt.dll)
0BADF00D   0x73b30000 | 0x73b4c000 | 0x0001c000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [oledlg.dll] (C:\Windows\system32\oledlg.dll)
0BADF00D   0x77950000 | 0x77a8c000 | 0x0013c000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [ntdll.dll] (C:\Windows\SYSTEM32\ntdll.dll)
0BADF00D   0x75f10000 | 0x75f29000 | 0x00019000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [sechost.dll] (C:\Windows\SYSTEM32\sechost.dll)
0BADF00D   0x76e90000 | 0x76e9a000 | 0x0000a000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [LPK.dll] (C:\Windows\system32\LPK.dll)
0BADF00D   0x760f0000 | 0x7618d000 | 0x0009d000 | True   | True    | True  |  True    | True   | 1.0626.7601.17514 [USP10.dll] (C:\Windows\system32\USP10.dll)
0BADF00D   0x72970000 | 0x72977000 | 0x00007000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [WSOCK32.dll] (C:\Windows\system32\WSOCK32.dll)
0BADF00D   0x77a90000 | 0x77aaf000 | 0x0001f000 | True   | True    | True  |  True    | True   | 6.1.7601.17514 [IMM32.DLL] (C:\Windows\system32\IMM32.DLL)
0BADF00D   0x774f0000 | 0x7764c000 | 0x0015c000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [ole32.dll] (C:\Windows\system32\ole32.dll)
0BADF00D   0x77650000 | 0x776a7000 | 0x00057000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [SHLWAPI.dll] (C:\Windows\system32\SHLWAPI.dll)
0BADF00D   0x75e40000 | 0x75f09000 | 0x000c9000 | True   | True    | True  |  True    | True   | 6.1.7601.17514 [USER32.dll] (C:\Windows\system32\USER32.dll)
0BADF00D   0x77210000 | 0x7728b000 | 0x0007b000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [comdlg32.dll] (C:\Windows\system32\comdlg32.dll)
0BADF00D   0x75da0000 | 0x75e2f000 | 0x0008f000 | True   | True    | True  |  True    | True   | 6.1.7601.17514 [OLEAUT32.dll] (C:\Windows\system32\OLEAUT32.dll)
0BADF00D   0x76190000 | 0x76dda000 | 0x00c4a000 | True   | True    | True  |  True    | True   | 6.1.7601.17514 [SHELL32.dll] (C:\Windows\system32\SHELL32.dll)
0BADF00D   0x77290000 | 0x77331000 | 0x000a1000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [RPCRT4.dll] (C:\Windows\system32\RPCRT4.dll)
0BADF00D   0x6f5a0000 | 0x6f624000 | 0x00084000 | True   | True    | True  |  True    | True   | 5.82 [COMCTL32.dll] (C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\C
0BADF00D   0x77340000 | 0x77346000 | 0x00006000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [NSI.dll] (C:\Windows\system32\NSI.dll)
0BADF00D   0x743c0000 | 0x743d9000 | 0x00019000 | True   | True    | True  |  True    | True   | 6.1.7601.17514 [OLEPRO32.DLL] (C:\Windows\system32\OLEPRO32.DLL)
0BADF00D   0x77ab0000 | 0x77b7c000 | 0x000cc000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [MSCTF.dll] (C:\Windows\system32\MSCTF.dll)
0BADF00D   0x75d20000 | 0x75d6a000 | 0x0004a000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [KERNELBASE.dll] (C:\Windows\system32\KERNELBASE.dll)
0BADF00D   0x73fe0000 | 0x74012000 | 0x00032000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [WINMM.dll] (C:\Windows\system32\WINMM.dll)
0BADF00D   0x77350000 | 0x7739e000 | 0x0004e000 | True   | True    | True  |  True    | True   | 6.1.7601.17514 [GDI32.dll] (C:\Windows\system32\GDI32.dll)
0BADF00D   0x00400000 | 0x0054e000 | 0x0014e000 | False  | False   | False |  False   | False  | 1.0.0.1 [32bitftp.exe] (C:\Program Files\32BITFTP\32bitftp.exe)
0BADF00D   0x70eb0000 | 0x70f01000 | 0x00051000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [WINSPOOL.DRV] (C:\Windows\system32\WINSPOOL.DRV)
0BADF00D   0x773a0000 | 0x77440000 | 0x000a0000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [ADVAPI32.dll] (C:\Windows\system32\ADVAPI32.dll)
0BADF00D   0x75f30000 | 0x75f65000 | 0x00035000 | True   | True    | True  |  True    | True   | 6.1.7600.16385 [WS2_32.dll] (C:\Windows\system32\WS2_32.dll)
0BADF00D  -----------------------------------------------------------------------------------------------------------------------------------------
0BADF00D
0BADF00D
0BADF00D  [+] This mona.py action took 0:00:00.219000

All other modules except 32bitftp.exe have ASLR, SafeSEH, etc. set to “True”. In the labs it was always turned off. I guess that's the reason why mona can't find a pointer which I can use for my exploit? How do I know whether ASLR, etc. is turned on or off for a specific module on the remote machine during the exam? Should I turn off these security mechanisms on my Windows 7 VM now in order to practice? What is the best way to turn them off?

I would be very thankful for any help here.

Cheers
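Added illustration (not part of the post, and not mona's own code): the "ASLR" and "NXCompat" columns in the mona module table above are opt-in flags stored in each module's PE header (IMAGE_OPTIONAL_HEADER.DllCharacteristics), so they travel with the binary and can be audited offline without a debugger. The script below parses those flags from a PE image; the minimal PE32 image it builds for testing is constructed here and is not a loadable program. SafeSEH is deliberately not reported, because that needs the load-config directory rather than a header flag.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics flags (PE/COFF specification)
DYNAMIC_BASE = 0x0040      # ASLR opt-in (mona "ASLR" column)
NX_COMPAT = 0x0100         # DEP/NX opt-in (mona "NXCompat" column)
NO_SEH = 0x0400            # image declares it uses no SEH handlers
# IMAGE_FILE_HEADER.Characteristics flag: image cannot be relocated at all
RELOCS_STRIPPED = 0x0001


def pe_mitigations(data: bytes) -> dict:
    """Return the header-level exploit mitigations the loader honours for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    file_chars = struct.unpack_from("<H", data, coff + 18)[0]  # COFF Characteristics
    opt = coff + 20                                             # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                            # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
        # DYNAMIC_BASE only takes effect if the image still carries relocations
        "aslr_effective": bool(dll_chars & DYNAMIC_BASE) and not relocs_stripped,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        "relocs_stripped": relocs_stripped,
    }


def build_minimal_pe(dll_chars: int, file_chars: int = 0) -> bytes:
    """Constructed, header-only PE32 image for testing (assumed sample, not loadable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, file_chars)  # i386, 96-byte opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * 68 + struct.pack("<H", dll_chars)
    opt += b"\0" * (96 - len(opt))
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for name, flags in (("hardened", DYNAMIC_BASE | NX_COMPAT), ("legacy", 0)):
        print(name, pe_mitigations(build_minimal_pe(flags)))
```

To audit a real module, pass the file contents to `pe_mitigations`; a result like the "legacy" case matches the all-False row for 32bitftp.exe in the table above.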