Find Buffer Overflows on a target you want to gain access to

I want to pass my OSCP exam and I am learning with the material I got. I watched the videos and read the pdf but I have a question about buffer overflows.

In the example in the videos the guy has access to the target system and so can control, debug and restart the application. So he can see what length he should send to cause the buffer overflow, where the EIP register is in the sent string, and so on.

But my intention with a buffer overflow is to get access to a system I have not accessed before, isn’t it?

So how do I get to know all the relevant data without having access like debug functions before?

Thanks in advance!

You will need some sort of access to the box. You need to have the binary. Either you have the binary and disassemble it, or, if they have gdb-server, you can debug on the server.

The only way to achieve this without access to the physical system, i.e. being logged into it, would be the whole enumeration process. Scan the system, find the application and then replicate the system in a virtual environment. I have completed the OSCP and I had issues with the BoF; rather than pay for additional time in the labs I managed to find the software version used within the videos and construct a virtual lab for myself, to ensure that I fully understood the whole process.

I have mentioned this before in other conversations: when doing the BoF, check out John Hammond’s video about OSCP; he makes reference to BoF and what he did to achieve a shell.

@DennisF47
Try brainpan from Vulnhub, it is an OSCP-like machine.

@DennisF47 said:

So how do I get to know all the relevant data without having access like debug functions before?

So in a real world example you would need to figure out what software is running the service you want to exploit, get a copy of it and install it on an identical system (or as close as possible). In some cases it may also be possible to create an exploit which works across different operating systems. Then, with a debugger attached to the process, you look for vulnerabilities and create an exploit. If all goes well that exploit will also work on the “real” target system.

For the OSCP BoF task you will be provided with RDP access to a system on which you develop/debug your exploit.

@DennisF47 said:

But my intention with a buffer overflow is to get access to a system I have not accessed before, isn’t it?

So how do I get to know all the relevant data without having access like debug functions before?

Thanks in advance!

What you say is correct. What the guys are saying here is also correct.
There are too many variables in a buffer overflow to pull it off without having access to the binary.

But that’s true with many exploits: gaining access to, say, a webcam, you’ll also need to download the firmware and pick it apart to find a vulnerability. Hard breaking into anything without a map, right?
Same for buffer overflow. The thing @zaicurity says about the system needing to be exactly the same is important. Different builds can result in different address spaces. Building an exploit on one system doesn’t necessarily mean it works on every system.

Hack the Box has many systems that deal with buffer overflow. If you have VIP ($10 a month), the practice is probably way cheaper than buying lab time. If you look for specific machines, ask around or send me a PM; I currently know of, I think, 4 machines that deal with buffer overflow.

Do you know what debugger/disassembler you will be dealing with? If you’re used to, say, IDA, tools like gdb will look like the stone ages. No offence, but just make sure you know what you will be dealing with and make sure you know your tool.
I don’t know about the OSCP, but the biggest factor in exams is often the time you get. You don’t want to waste it by finding your way around a debugger you don’t know.

Best of luck, man.
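As an added illustration (not code from this thread, the course material, or any of the machines mentioned), here is the kind of handler the overflow being discussed lives in: a fixed-size stack buffer filled with an unchecked copy, beside the length-checked version that closes the hole. The service, the 64-byte command buffer and the request strings are made up; the unsafe function is shown for contrast only and is never called with oversized input here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical network-service handler. A fixed 64-byte stack buffer is
   filled with strcpy and no length check: a request longer than the buffer
   runs past it and, as the thread describes, reaches the saved return
   address (EIP on 32-bit x86). Exactly how many bytes it takes depends on
   the compiler and build, which is why the replica system must match. */
#define CMD_LEN 64

int handle_request_unsafe(const char *req) {
    char cmd[CMD_LEN];
    strcpy(cmd, req);            /* BUG: no bound on the length of req */
    return (int)strlen(cmd);
}

/* Hardened form: refuse anything that does not fit, then copy with an
   explicit bound so the buffer can never be overrun. Returns the command
   length on success and -1 for an oversized request. */
int handle_request_safe(const char *req) {
    char cmd[CMD_LEN];
    size_t n = strlen(req);
    if (n >= CMD_LEN)
        return -1;               /* oversized request: reject, do not copy */
    memcpy(cmd, req, n + 1);     /* n + 1 copies the terminating NUL */
    return (int)n;
}

/* Constructed oversized input (199 'A' bytes, far beyond CMD_LEN) fed to
   the hardened handler; the result shows the request is rejected intact. */
int safe_rejects_oversized(void) {
    char oversized[200];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    return handle_request_safe(oversized);
}

int main(void) {
    printf("safe handler, short request:     %d\n", handle_request_safe("STATS"));
    printf("safe handler, oversized request: %d\n", safe_rejects_oversized());
    return 0;
}
```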