Full disclosure

I recently passed my OSCP exam and opted not to use my tool on it. Offensive Security clearly states they will not comment on disallowed tools, so I didn't bother asking them. If you choose to use this on the exam, do so at your own risk!

StackAttack

A tool written in python3 to exploit simple stack-based buffer overflows.

This tool contains 8 functions to help exploit buffer overflow vulnerabilities. I created this tool to maximize time for those working on their OSCP certification. Most buffer overflow resources I've encountered are taught using python2 due to easier implementation (i.e. sending ascii data over sockets). As most of you know, python2 was sunset at the beginning of 2020 and could disappear from mainstream distros any day now. For this reason, I chose to make the leap to python3 for this tool and learn some new concepts along the way. StackAttack requires the following software to be installed on the attacker system and in the attacker's path: metasploit-framework (check your distro's repo or vist https://github.com/rapid7/metasploit-framework).

Below is a screenshot of the usage menu.

Brainpan POC

Brainpan is one of the more simple binaries available to test and learn stack-based buffer overflows. For this reason, I found it suitable to use as a walkthrough of how StackAttack functions. Credit for brainpan binary goes to superkojiman on vulnhub ("https://www.vulnhub.com/entry/brainpan-1,51/").

Fuzzing:

The fuzzing module works by sending a number of bytes at the target incrementally in attempt to crash the target. The size switch determines the number of bytes sent. The increment switch determines how many additional bytes are sent until the while loop condition is met (10,000 bytes).

Here is the fuzzing module being ran against brainpan.

Pattern:

The pattern module uses msf-pattern_create to create a pattern of bytes to send in place of our "A's". After the pattern is created, the pattern is sent to the target. The size switch dictates the length of the pattern.

Offset:

The offset module uses msf-pattern_offset to find the offset using the EIP register witnessed in the debuger from running the pattern module. The size switch is used for the pattern size.

EIP Control:

The eipcontrol module confirms the offset is correct by sending filler bytes ("A's") with 4 different valued bytes ("B's"). What we are looking for here is the "B's" landing on the EIP register. The size switch is used for our filler bytes.

Bad Characters:

The badchars module sends a list of hexadecimal characters excluding 00 as bytes to the target to determine forbidden characters. I have coded logic to allow for the removal of up to 10 forbidden characters. This should be enough for the applications being exploited by this program. The size switch is used for our filler bytes. This module is dependent on the chars.txt file located in the repo. Note: letters are case sensitive and must be capitalized i.e. x0a would be 0A.

Mona (not part of the tool but part of the process):

Below are screenshots of running the mona module withing immunity to find our JMP ESP for exploitation. While not part of this tool, this process is important to the overall exploitation of the buffer overflow. First run "!mona modules" to discover the unsafe application. Next run "!mona find -s "\xff\xe4" -m 'unsafemodulename'" to locate our JMP ESP.

JMP:

The jmp module uses the JMP ESP address discovered using mona to test that our exploit hits the corect point. Set a break point on the JMP ESP address and run the module. Use the size switch for our filler bytes. Note: enter the JMP ESP address as hexadecimal. Instead of \xe1\xe2\xe3\xe4 you would type E1E2E3E4.

Calc:

The calc module uses msfvenom to generate a payload that pops calc.exe on the target (Windows). The size switch is used for our filler bytes. The nops switch is used for adding a nopsled to our payload.

Shell:

The shell module uses msfvenom to generate a payload to send to our target to hopefully gain a reverse shell. The size switch is used for our filler bytes. The nops switch is is used for adding a nopsled to our payload. Follow the prompts and hit enter when your listener is ready.

dostackbufferoverflowgood POC

Dostackbufferoverflowgood is a great resource for learning how to exploit stack-based buffer overflow vulnerabiltites. This POC shows the effectiveness of StackAttack against the dostackbufferoverflowgood binary. Notice that the optional command switch has been used in the following examples. Credit for the binary goes to Justin Steven ("https://github.com/justinsteven/dostackbufferoverflowgood").

Fuzzing:

Running the fuzzing module against the dostackbufferoverflowgood binary.

Pattern:

Running the pattern module against the dostackbufferoverflowgood binary.

Offset:

Running the offset module against the dostackbufferoverflowgood binary.

EIP Control:

Running the eipcontrol module against the dostackbufferoverflowgood binary.

Bad Characters:

Running the badchars module against the dostackbufferoverflowgood binary.

Mona (not part of the tool but part of the process):

Below are screenshots of running the mona module withing immunity to find our JMP ESP for exploitation. While not part of this tool, this process is important to the overall exploitation of the buffer overflow. First run "!mona modules" to discover the unsafe application. Next run "!mona find -s "\xff\xe4" -m 'unsafemodulename'" to locate our JMP ESP.

JMP:

Running the jmp module against the dostackbufferoverflowgood binary.

Calc:

Running the calc module against the dostackbufferoverflowgood binary.

Shell:

Running the shell module against the dostackbufferoverflowgood binary.

Vulnserver POC:

Vulnserver is another great learning resource for exploiting stack-based bufferoverflow vulnerabilities. This POC shows the effectiveness of StackAttack against the vulnserver binary. Notice that the optional command switch has been used in the following examples. Credit for the binary goes to Stephen Bradshaw ("https://github.com/stephenbradshaw/vulnserver").

Fuzzing:

Running the fuzzing module against the vulnserver binary. Notice for the following examples I used and unescaped quote in the command parameter. This is because the application requires both a username and password to be provided and the closing of the unescaped quotes appears as two separate inputs on the application. We attach the payload to the password input.

Pattern:

Running the pattern module against the vulnserver binary.

Offset:

Running the offset module against the vulnserver binary.

EIP Control:

Running the eipcontrol module against the vulnserver binary.

Bad Characters:

Running the badchars module against the vulnserver binary.

Mona (not part of the tool but part of the process):

Below are screenshots of running the mona module withing immunity to find our JMP ESP for exploitation. While not part of this tool, this process is important to t