Buffer_Overflow_Prep3.md

TRYHACKME OSCP PREP 3

Offset

fuzzer.py

Crash:

Program crash with 1300

I recommend put 400 bytes more than crasher.

Create pattern:

Put in payload of exploit.py:

Offset Discover

Let's put EIP Register with BBBB its same than 42424242 in Hex.

I run exploit:

BadChars

!mona bytearray -b "\x00"

I put payload in exploit.py:

I run exploit:

!mona compare -a esp -f bytearray.bin

BadChars are:

\x00\x11\x40\x5f\xb8\xee

Comprove:

!mona bytearray -b "\x00\x11\x40\x5f\xb8\xee"

I put in exploit and i run exploit:

0 badchars!!

!mona jmp -r esp -cbq "\x00\x11\x40\x5f\xb8\xee"

I choose first jmp:

I put in retn with little-endian:

I copy new payload in my exploit

Add padding:

I put listener:

I run exploit:

DONE :)