
In a CTF/exploitation lab, I am aware of two separate machines.

  • Developer machine: Windows 7 x64, as blank as it can get (no KB patches)
  • Service machine: UNKNOWN

On Developer:

I have a C source file with a basic BoF vulnerability on a specific port, and a compiled application built from that source. When I run the binary, I get an error with "missing api-ms-win-crt-runtime-l1-1-0.dll", and I cannot install, add or use that DLL unless I upgrade the developer machine to SP1. Therefore, I created a local VM with a blank Windows 7 x64 that has "api-ms-win-crt-runtime-l1-1-0.dll" available. On my VM, I have a fully functional exploit.

On Service machine:

During a fuzzing trial-and-error procedure, I have identified that I can crash the target application on the same specific port due to a BoF vulnerability. Unfortunately, I cannot execute any bind_tcp / reverse_tcp shell, ping back, DNS request, nothing...

How can I ensure that I am pointing the EIP to the right address of a JMP ESP (for example) on the Service machine? Can I use addresses from "api-ms-win-crt-runtime-l1-1-0.dll"?

    1 Answer

    You should always be searching for an instruction (e.g. JMP ESP) in an application lib first when writing exploits, as this will increase reliability across OSs/SPs.

    What instruction did you use for your working exploit (more info on this will be very helpful)? If it was an OS library that is likely the issue, assuming the target is a different OS or SP level.

    On x86 machines, I would use Immunity and mona.py to find appropriate instructions for your exploit. You can find a port of mona to x64dbg as well.

    Given this is a CTF exercise, it should be possible with the information available to you, making me think that the application's libraries should be the answer. Another idea is -- what enumeration activities have you tried on the target machine? Can you pull back any information leaking more info about it?
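To make the answer's reliability point concrete, here is an added example (my own script, not code from the question or the answer) that does by hand what `!mona jmp -r esp` does: it parses a PE module's ImageBase and DllCharacteristics, and lists where the `FF E4` (`jmp esp`) bytes occur in executable sections. A module without the DYNAMIC_BASE flag loads at its fixed ImageBase on every Windows version, which is why its addresses are stable across OS/SP levels while OS DLL addresses are not, and why rebasing/ASLR and DEP on shipped binaries are the mitigations. The `build_sample_pe` helper fabricates a minimal PE32 image so the script runs offline; real modules would be read from disk.

```python
import struct

DYNAMIC_BASE, NX_COMPAT, SCN_EXECUTE = 0x0040, 0x0100, 0x20000000  # DllCharacteristics bits / IMAGE_SCN_MEM_EXECUTE
JMP_ESP = b"\xff\xe4"  # opcode bytes of `jmp esp`

def audit_pe(data):
    """Return ImageBase, ASLR/DEP flags and jmp-esp addresses of a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    fmt, off = {0x10B: ("<I", 28), 0x20B: ("<Q", 24)}[magic]  # PE32 vs PE32+ ImageBase; KeyError if unknown
    image_base = struct.unpack_from(fmt, data, opt + off)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    found = []
    sec = opt + opt_size
    for i in range(nsections):
        _, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec + i * 40)
        chars = struct.unpack_from("<I", data, sec + i * 40 + 36)[0]
        if not chars & SCN_EXECUTE:
            continue        # bytes in a non-executable section cannot be jumped to under DEP
        blob = data[raw_ptr:raw_ptr + raw_size]
        pos = blob.find(JMP_ESP)
        while pos != -1:
            found.append(image_base + va + pos)   # preferred VA; only stable when not rebased
            pos = blob.find(JMP_ESP, pos + 1)
    return {"image_base": image_base, "dynamic_base": bool(dll_chars & DYNAMIC_BASE),
            "nx_compat": bool(dll_chars & NX_COMPAT), "jmp_esp": found}

def build_sample_pe(dll_chars, code, image_base=0x10000000):
    """Constructed minimal 32-bit PE with one executable section (test data, not a real DLL)."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 96, 0x2102)  # COFF: i386, 1 section
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, image_base)
    struct.pack_into("<H", hdr, opt + 70, dll_chars)
    sec = opt + 96
    struct.pack_into("<8sIIII", hdr, sec, b".text", len(code), 0x1000, len(code), 0x200)
    struct.pack_into("<I", hdr, sec + 36, SCN_EXECUTE | 0x20)  # IMAGE_SCN_CNT_CODE | EXECUTE
    return bytes(hdr) + code
```

Running `audit_pe` over a fixed-base module (flags 0) versus one built with DYNAMIC_BASE | NX_COMPAT (flags 0x0140) shows the same bytes but a different verdict: only the former's addresses mean anything on another machine.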
