Buffer Overflows Made Easy - Part 6: Finding Bad Characters

  • Published 28 Jan 2025

Comments • 39

  • @TCMSecurityAcademy  3 years ago

    I hope you enjoyed this video! If so, please consider dropping a like and subscribing.

  • @pentestical 5 years ago +20

    The ability to explain things that easy makes you a really skilled pentester. Big thumbs up!

  • @Mookster28 4 years ago +2

    Hey man, thanks a lot for these videos.
    Currently attempting buffer overflows for my OSCP. The documentation confused the hell out of me. But this simplified it more for me to the point I completely understand it, reread the documentation and it now makes sense.
    Dude, you are a godsend.

  • @Zombitr0nix 4 years ago +3

    You can more easily identify potential bad characters using mona in immunity, if you used mona to generate the badchars array to begin with. I understand if you didn't do this for your viewers in this video, as it is good practice to explore manually instead of automating things sometimes. Could be helpful, either way. I know for me, the method below was useful as my vision isn't always the best.
    In immunity debugger, in the white input bar:
    !mona bytearray -b "\x00"
    Copy contents of bytearray.bin / bytearray.txt to python script badchars variable.
    Send badchars buffer to server with our testing script. Note ESP address on crash.
    In immunity debugger, in the white input bar (after crash):
    !mona compare -f bytearray.bin -a
    Your videos are awesome man, keep up the great work!

  • @daronwolff 5 years ago +11

    Oh man, this material is better than the BOF section from OSCP!! Thanks a lot

  • @VinodKumar-ok4wv 4 years ago

    Very good explanation. These buffer overflow videos will be very helpful for people preparing for OSCP. Thanks a lot. Good job.

  • @plaxhost 5 years ago +15

    You highlighted a bad-char in the example that was OK, it was B0 itself :P

    • @TCMSecurityAcademy  5 years ago +7

      #truth

    • @TheDexxra 5 years ago +1

      Was about to reply with the same thing. :)

    • @jeffdominick 4 years ago +1

      @TheDexxra Same. Still a great video though.

    • @andyli 3 years ago

      yep saw it too

  • @chunky_sister 3 years ago +3

    Once the EIP is overwritten with BBBB doesn't the ESP still point to the top of the stack (where the buffer of AAAAs starts)? How are we "jumping" back to the top of the stack - I thought this is what using JMP ESP was for, to essentially loop back to the beginning of the buffer? Why do the hex characters we generated to find bad characters begin at ESP if the ESP points to the top of the stack?

    • @HM-gm1kn 1 year ago

      Yeah, I'm super confused about this. Been breaking my head over the last few days thinking about it.

  • @0xten 4 years ago +1

    One of those B0’s wasn’t a bad char but the actual B0, between AF and B1. Nice class btw, very good for beginners.

    • @verteyPL 4 years ago

      Wanted to see that comment :D

  • @Sam-ux5rw 4 years ago +2

    If your eyes are bad / for a sanity check: if you're using mona modules in Immunity then you can use mona to create and save a byte array of bad chars to bytearray.bin (using the command: !mona bytearray -b "\x00"); and then run "!mona compare -f C:\mona\file_address_to\bytearray.bin -a" to tell us which are the bad chars
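
The mona workflow that @Zombitr0nix and @Sam-ux5rw describe above, reduced to a small stand-alone script. This is an added example, not code from the video, from TCM Security or from mona itself: it builds the same 0x00..0xff byte array that `!mona bytearray -b "\x00"` writes out, then aligns the bytes you copy from the debugger at ESP after the crash against the bytes you sent, telling apart a byte that was modified in place, one that was dropped (everything after it only shifts left), and one that truncated the buffer. The two memory dumps in the block are constructed, and the behaviours they model (CR/LF stripping, truncation at a byte) are assumptions for illustration, not facts about the target in the video.

```python
"""Bad-character comparison in the spirit of "!mona compare".

Added example (not the video's or mona's code). It assumes the workflow from
the comments: send the byte array 0x00..0xff minus the chars already known
to be bad after the EIP overwrite, then copy the bytes the debugger shows at
ESP back out. All dumps below are constructed; a real run would paste the
hex dump from the debugger instead.
"""


def build_badchars(exclude=(0x00,)):
    """Candidate byte array 0x00..0xff minus already-excluded bytes, i.e. the
    same content `!mona bytearray -b "\\x00"` writes to bytearray.bin."""
    return bytes(b for b in range(256) if b not in exclude)


# How far ahead to look when deciding a byte was dropped rather than replaced.
# A larger window tolerates several consecutive stripped bytes; a replacement
# that happens to equal one of the next few bytes would be misread as a drop.
LOOKAHEAD = 4


def compare_dump(expected, observed):
    """Greedy alignment of the bytes we sent against the bytes found in memory.

    Returns a list of (byte, status) with status one of:
      ok        - byte reached memory unchanged
      modified  - byte was replaced in place (e.g. 0x0a turned into 0x00)
      dropped   - byte was stripped, so everything after it shifted left
      truncated - the dump ends here; this byte hides everything after it,
                  so the walk stops and the rest must be re-tested without it
    Telling "dropped" apart from "modified" matters: with a plain positional
    compare every byte after a stripped one looks corrupted, and a whole run
    of innocent bytes gets flagged.
    """
    result = []
    j = 0  # read position in the observed dump
    for i, exp in enumerate(expected):
        if j >= len(observed):
            result.append((exp, "truncated"))
            break
        got = observed[j]
        if got == exp:
            result.append((exp, "ok"))
            j += 1
        elif got in expected[i + 1:i + 1 + LOOKAHEAD]:
            # The expected byte is absent and a following one is already here:
            # the application dropped it. Do not advance in the dump.
            result.append((exp, "dropped"))
        else:
            result.append((exp, "modified"))
            j += 1
    return result


def bad_chars(expected, observed):
    """Sorted list of bytes to add to the exclusion list before the next round."""
    return sorted({b for b, status in compare_dump(expected, observed) if status != "ok"})


def as_python_literal(byte_values):
    """Render bytes the way a badchars variable is usually written: "\\x0a\\x0d"."""
    return "".join(f"\\x{b:02x}" for b in byte_values)


if __name__ == "__main__":
    sent = build_badchars(exclude=(0x00,))
    # Constructed dump 1: a line-oriented service strips CR and LF.
    dump_crlf = bytes(b for b in sent if b not in (0x0a, 0x0d))
    print("round 1:", as_python_literal(bad_chars(sent, dump_crlf)))
    # Constructed dump 2: with those excluded, the target also truncates at 0x20.
    sent2 = build_badchars(exclude=(0x00, 0x0a, 0x0d))
    dump_trunc = sent2[: sent2.index(0x20)]
    print("round 2:", as_python_literal(bad_chars(sent2, dump_trunc)))
```

Paste the bytes shown at ESP in place of the constructed dump, exclude whatever it reports, regenerate the array and send again; because a truncating byte hides everything behind it, repeat until a round comes back with nothing but "ok".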

  • @youarenotspecial17 5 years ago +9

    B0, the alone one is ok!
    Edit: other users said it yes, sorry

  • @Relicho3 4 years ago +3

    Here is what I don't get: How did we overwrite the esp register with everything that was in the badchars variable in the python script? Isn't the esp register at a lower memory address than the buffer that overflows? Also I hope I'm right that the overflow happens "upwards" so it overwrites memory addresses that are higher. I'm confused.

    • @chunky_sister 3 years ago

      I'm literally trying to find the answer to this as well... once the EIP is overwritten with BBBB isn't the ESP at the top of the stack (where the buffer of AAAAs starts)? How are we "jumping" back to the top of the stack - I thought this is what using JMP ESP was for to essentially loop back to the beginning of the buffer? Why do the hex characters we generated to find the bad characters begin at the ESP if the ESP points to the top of the stack?

    • @黃意鈞-u8e 2 years ago

      I had the same question at first, but I find this could explain: ESP is the stack pointer. It points to (holds the address of) the most recently pushed value on the stack.
      In this example, bad char is the most recently pushed value therefore ESP would point to it. Hope this helps you as well.

  • @CyberZyro 3 years ago

    6:05 why is the B0 that came after AF a bad char, because it's going in order???? Was it a mistake by you or is it? Please reply sir!!

  • @lampmanjosh 5 years ago +2

    Hey, can you make a video on how to automate finding bad characters using bytearray in Mona?

  • @robinhood3841 4 years ago +1

    How about if you just make a screenshot of those bad characters (5:40) and use an OCR tool to extract the values of those characters and create a simple script to perform the test for you ;)

  • @superfunguy380 5 years ago +1

    If there is a bad char like the one shown in the video at time frame 4:54, what is the next step? Are we going to remove the B0 and replace with the right char?

  • @ScottyNova 1 year ago

    Amazing Video Thank you so much!

  • @MontyBurgess 4 years ago

    Thanks for the very helpful video. Is there any particular reason you didn't use mona for character comparison?

  • @ZwPirate 3 years ago

    Hi - you’ve called the actual B0 a bad char, is it supposed to be? Do we assume that the bad char symbol is always bad, including the one time it should actually appear?

  • @maxlim6264 5 years ago

    Sir, what is the fastest and best way to find bad characters?
    Any tools that you can recommend ?

  • @ninadbalsaraf6949 5 years ago +1

    Sir, why are we looking at ESP when bad characters are written after EIP (BBBB)?

    • @vijaykishorea158 4 years ago

      Did you find the answer?? Even I have the same doubt; if you found it, share it here

    • @Zombitr0nix 4 years ago

      The ESP value shows you where in memory the array of bad characters was stored. Nothing more, nothing less.
      Viewing the data stored in memory at the ESP address will show you which characters are bad.

  • @thomasstern4336 4 years ago

    How can I put in badchars as arguments in Immunity Debugger if the exe can't be run as a process you can attach to? E.g. if the program takes its inputs as arguments when you start it, something like program.exe AAAABBBB

  • @ozz961 2 years ago

    The B0 between AF and B1 isn't a badchar right?

  • @DONTLAUGH 2 years ago

    nice

  • @mindrelaxation1739 3 years ago

    I bought your course on Udemy but this video is free here! Then why the paid course?