This video continues the Buffer Overflow exercises of the Offensive Security Pathway. The focus is hands-on practice, working through Overflow tasks 2, 3, and 4 with the same manual steps introduced in Overflow 1 (fuzz, find the offset, confirm EIP control, remove bad characters, pick a jump address, generate shellcode). The video also solves the remaining tasks of the TryHackMe Buffer Overflow Prep room; the answers are collected at the end of these notes.
Offensive Security Web Assessor (OSWA) Study Notes
Introduction to Buffer Overflow Practice
- The video builds on previous lessons, focusing on Overflow tasks from 2 to 10.
- All overflow tasks are structurally similar and designed for practice.
- The process involves using Immunity Debugger and Mona plugin to identify and exploit buffer overflow vulnerabilities.
Setup and Execution
- The target program is run in Immunity Debugger.
- A fuzzer script sends the program ever longer strings of characters until it crashes; the crash gives a rough buffer size and the starting point for locating the Extended Instruction Pointer (EIP) overwrite.
- The command sent to the program is adjusted for each overflow task (e.g., changing the prefix from overflow1 to overflow2).
Fuzzing and Crash Analysis
- Fuzzing identifies roughly how many bytes it takes to crash the program (about 700 bytes for Overflow 2); this sets the length of the pattern used in the next step.
- A cyclic pattern of that length (slightly larger than the crash size) is generated with msf-pattern_create from Metasploit. Every four-byte window of the pattern is unique, so the value that ends up in EIP pinpoints the exact offset.
Calculating the Offset
- The EIP value shown in the debugger at the crash is passed to msf-pattern_offset, which returns the byte position at which the overwrite of EIP begins (offset 634 for Overflow 2). The debugger displays EIP as a little-endian dword, so the tool reverses the bytes before searching the pattern.
Overwriting EIP
- The payload is rebuilt as the offset's worth of filler followed by four controlled characters (e.g., Bs or Cs) to confirm that exactly those four bytes land in EIP.
- Success is verified when the EIP register reads the inserted value (e.g., 42424242 for BBBB); if it is off by a byte or two, the offset is wrong.
Identifying Bad Characters
- A byte array of all values \x01 to \xff is sent after the EIP overwrite (the null byte \x00 is excluded up front because it terminates the string), and the bytes on the stack are compared with what was sent to detect bad characters that the program mangles.
- Identified bad characters are removed from the array and from the exploit payload; because a bad character often corrupts the byte that follows it, the comparison is repeated after each removal until the sent and observed bytes match.
Finding a Jump Address
- The next step is finding an instruction that returns execution to the payload on the stack, typically a JMP ESP in a loaded module (located with mona), at an address that contains none of the bad characters.
- The address is written into the exploit script in little-endian format, i.e. with its bytes reversed (0x11223344 becomes \x44\x33\x22\x11), so that it lands in EIP in the right order.
Generating Shellcode
- Shellcode is generated with Metasploit's msfvenom (e.g., a Windows reverse shell), passing the bad characters with -b so the encoder avoids them, and an output format (such as -f c or -f py) that matches the exploit script.
- The shellcode replaces the filler after the jump address, preceded by a short NOP sled (\x90 bytes) so the encoder's decoder stub has room to run.
Running the Exploit
- The final exploit is executed, sending the completed payload to the vulnerable program.
- A listener (e.g., Netcat) is started on the attacking machine before the exploit is sent; catching the reverse shell on it verifies successful exploitation.
Extending to Overflow 3
- The same process is applied to Overflow 3, adjusting the fuzzer, offsets, and payload.
- The crash size for Overflow 3 was around 1300 bytes, consistent with the EIP offset of 1274 found with the pattern; the same method was used to calculate the new offset and refine the exploit.
Summary of Exploit Steps
- Fuzzing to determine crash size.
- Pattern creation to find the exact offset.
- Offset confirmation by overwriting EIP.
- Bad character detection and elimination.
- Finding a safe jump address in memory.
- Shellcode generation with msfvenom.
- Payload execution and verification via listener.
TryHackMe Buffer OverFlow Prep | Room Answers
What is the EIP offset for OVERFLOW1?
1978
In byte order (e.g. \x00\x01\x02) and including the null byte \x00, what were the badchars for OVERFLOW1?
\x00\x07\x2e\xa0
What is the EIP offset for OVERFLOW2?
634
In byte order (e.g. \x00\x01\x02) and including the null byte \x00, what were the badchars for OVERFLOW2?
\x00\x23\x3c\x83\xba
What is the EIP offset for OVERFLOW3?
1274
In byte order (e.g. \x00\x01\x02) and including the null byte \x00, what were the badchars for OVERFLOW3?
\x00\x11\x40\x5f\xb8\xee
What is the EIP offset for OVERFLOW4?
2026
In byte order (e.g. \x00\x01\x02) and including the null byte \x00, what were the badchars for OVERFLOW4?
\x00\xa9\xcd\xd4
What is the EIP offset for OVERFLOW5?
314
In byte order (e.g. \x00\x01\x02) and including the null byte \x00, what were the badchars for OVERFLOW5?
\x00\x16\x2f\xf4\xfd
What is the EIP offset for OVERFLOW6?
1034
In byte order (e.g. \x00\x01\x02) and including the null byte \x00, what were the badchars for OVERFLOW6?
\x00\x08\x2c\xad
What is the EIP offset for OVERFLOW7?
1306
In byte order (e.g. \x00\x01\x02) and including the null byte \x00, what were the badchars for OVERFLOW7?
\x00\x8c\xae\xbe\xfb
What is the EIP offset for OVERFLOW8?
1786
In byte order (e.g. \x00\x01\x02) and including the null byte \x00, what were the badchars for OVERFLOW8?
\x00\x1d\x2e\xc7\xee
What is the EIP offset for OVERFLOW9?
1514
In byte order (e.g. \x00\x01\x02) and including the null byte \x00, what were the badchars for OVERFLOW9?
\x00\x04\x3e\x3f\xe1
What is the EIP offset for OVERFLOW10?
537
In byte order (e.g. \x00\x01\x02) and including the null byte \x00, what were the badchars for OVERFLOW10?
\x00\xa0\xad\xbe\xde\xef