This is a simple buffer overflow helper script I originally wrote to make the process faster for the OSCP.
This script automates initial overflow, offset discovery, bad character detection, and shellcode script generation. You just have to push a couple buttons and find the address of the instruction you want to jump to. And if if the exploitation process is more complex than that, it writes the shellcode script to a file for you to edit and fix all the non-trivialities (may be updated in the future to automate some non-trivialities). e.g. If you need to execute custom instructions (like modifying the stack pointer and jumping to it) before your shellcode, you're going to have to add that manually. If you use this on the OSCP exam, be careful. I don't consider it an automatic exploitation tool yet (though I may eventually create a fully-automated tool), but keep in mind that this is a helper script meant to take care of some of the more tedious processes for you behind the scenes. You still need to interact with your debugger and understand how these overflows work conceptually. Ensuring that information is clearly communicated in your report is your responsibility.
usage: BofHelper.py [-h] [-o FILE] [-b] [-p PREFIX] [-s SUFFIX] host port
positional arguments:
host The host executing the vulnerable application (usually your debugger)
port The port the application is running on
optional arguments:
-h, --help show this help message and exit
-o FILE, --output FILE Write payload script to FILE
-b, --badchars Attempt to detect bad characters with your debugger of choice
-p PREFIX, --prefix PREFIX Append a prefix to the beginning of your overflow string
-s SUFFIX, --suffix SUFFIX Append a suffix to the end of your overflow string
Example: ./BofHelper.py -o exploit.py -b -p 'USER ' 127.0.0.1 9001
IMPORTANT:
If you use the bad character detection option, please ensure there are at least two spaces between the dump address and your actual memory, as well as between your memory and the ASCII representation. e.g.
0x012345678 14 15 16 17 18 19 20 21 ABCDEFGH
I may modify the regex in the future to make this more robust, but for the time being, you have to extend your dump output margins in some debuggers. Olly formats it correct by default.
Be sure to paste your data dump every time it asks because fixing a bad character could lead to new bad characters being discovered. In order to mitigate this, the script loops the detection process until all bad characters have been discovered.
Also, when generating your shellcode with venom, you HAVE to use the -f py option or it will fail to generate. This will be automated in the future (along with automatically adding the bad characters), but for right now, you have to pretend you're running the command directly in the console.
Example video coming soon!
FAQ:
Q: The bad character detection asks me to paste the dump more than once!
A: Because removing bad characters can reveal new ones, you have to paste the dump until it figures out that all bad characters have been removed.
Q: The script crashes when I generate a venom payload!
A: Make sure you're using -f py so the script can properly read the output.
Q: Can you make it detect JMP ESP for me?
A: Not without integrating it into a debugger (which I may make a version for in the future).
License TL;DR: Use this script wherever you want, however you want, but include a link to https://YouTube.com/LegendBegins whenever you distribute it. All my content is gaming related, but I figured this was as good a place as any to advertise.