Basics

PRACTICE! PRACTICE! PRACTICE!

Anatomy of Memory and Stack

  • We have the Kernel at the top (the high addresses, all 1's) and the Text segment at the bottom (the low addresses, all 0's), and in the middle lies the Stack

  • Inside a Stack frame - We have the ESP (Extended Stack Pointer) sitting at the top and the EBP (Extended Base Pointer) sitting at the bottom, and in between lies the BUFFER SPACE

  • So basically the BUFFER SPACE fills up with the user input characters, and as it fills up the data moves down the Stack towards the EBP

Normally, the input going into the BUFFER SPACE should be properly sanitized (length-checked), so that when a bunch of A's fills that space it mustn't cross the end of the BUFFER SPACE and disturb the EBP

  • In case of a BUFFER OVERFLOW, what happens is the user input crosses the BUFFER SPACE and disturbs the EBP - it then continues past the EBP and disturbs the EIP (Extended Instruction Pointer) as well - EIP is also called the RETURN ADDR a.k.a ret :)

  • Once the bunch of A's disturbs the EIP / return address we get an error saying Segmentation fault - The EIP is the most interesting register, as it controls the flow of execution in the program, so once we get hold of the EIP register it's easy to pop a shell on the box :)
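The frame the bullets above describe, put into code as an added example (this is not from the original notes or from VULNServer): a vulnerable strcpy() copy next to a bounded copy, plus a small model of where each input byte lands. BUF_SIZE, the region names and the 4-byte saved-EBP / saved-EIP layout are assumptions for an idealized 32-bit x86 frame; real compilers insert alignment padding between the buffer and the saved EBP, so the true distance is measured in the debugger, not read off the declared size.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define BUF_SIZE 64   /* constructed example buffer size */

/* Idealized 32-bit frame, low addresses first, as the bullets above picture it:
 *   [ buffer (BUF_SIZE bytes) ][ saved EBP (4) ][ saved EIP / return address (4) ]
 * Assumption: no padding between the buffer and the saved EBP (real frames usually have some). */
enum frame_region { REGION_BUFFER, REGION_SAVED_EBP, REGION_RET_ADDR, REGION_BEYOND };

enum frame_region region_of_byte(size_t input_index, size_t buf_size) {
    if (input_index < buf_size)     return REGION_BUFFER;
    if (input_index < buf_size + 4) return REGION_SAVED_EBP;
    if (input_index < buf_size + 8) return REGION_RET_ADDR;
    return REGION_BEYOND;
}

/* Number of input bytes that fill the buffer and the saved EBP in this model, i.e. the
 * point from which the next 4 bytes start overwriting the return address. */
size_t bytes_to_reach_ret(size_t buf_size) { return buf_size + 4; }

/* The vulnerable shape: strcpy() has no idea how big buf is, so an input longer than
 * BUF_SIZE-1 bytes runs over the saved EBP and then the saved EIP above the buffer.
 * Kept only so the bug is recognisable in code review; it is never fed untrusted input here. */
void vulnerable_copy(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);       /* writes strlen(input)+1 bytes regardless of buf's size */
    puts(buf);
}

/* Hardened form: never write more than dst_size bytes, always NUL-terminate, and tell the
 * caller whether the input was cut. Returns 1 if everything fit, 0 if it was truncated. */
int bounded_copy(char *dst, size_t dst_size, const char *input) {
    if (dst_size == 0) return 0;
    size_t len = strlen(input);
    if (len >= dst_size) {
        memcpy(dst, input, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 0;
    }
    memcpy(dst, input, len + 1);
    return 1;
}

int main(void) {
    char dst[BUF_SIZE];
    char flood[200];                      /* constructed "bunch of A's" */
    memset(flood, 'A', sizeof flood - 1);
    flood[sizeof flood - 1] = '\0';

    vulnerable_copy("hello");             /* safe input, fits comfortably */
    printf("byte 70 of the input lands in region %d (2 = return address)\n",
           region_of_byte(70, BUF_SIZE));
    printf("return address reached after %zu bytes in the model\n", bytes_to_reach_ret(BUF_SIZE));
    printf("bounded_copy of the flood: fit=%d, stored \"%.8s...\"\n",
           bounded_copy(dst, sizeof dst, flood), dst);
    return 0;
}
```

The model is what the Segmentation fault in the bullet above looks like in numbers: once the input index passes buf_size + 4, the bytes are no longer data but the address the function will jump to on return.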

Steps to consider to exploit a BOF

Spiking

Method to find a vulnerable part of a program

Fuzzing

Kinda similar to spiking: we flood the user input by sending a large amount of characters and see if we can break it :)

Finding the Offset

If we do break it, the next step is finding at which character the program crashes (i.e. finding the offset within that bunch of characters)

Overwrite the EIP

And now we use that offset to overwrite the EIP with our payload to pop a shell :)

Finding the Bad Characters and Module

Once we have the EIP control, we'll have to find some bad characters and find the right python module to exploit the overflow

Generating Shellcode

This is the final step, where we generate the malicious shellcode to get a reverse shell on the box; more specifically we point our EIP at our shellcode and gain R00t
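An added example for the "Finding the Offset" and "Finding the Bad Characters" steps above (written for these notes, not code from the original page or from Immunity Debugger / VULNServer): a non-repeating pattern generator, the lookup that maps the EIP value shown in the debugger at crash time back to an input position, and a byte-by-byte comparison for spotting which characters a service drops or alters. The pattern style, the 3000-byte length, the crash value 0x30724139 and the sent/seen byte strings are all constructed here.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Non-repeating pattern in the "Aa0Aa1Aa2...Ab0..." style: every 3-byte triple is
 * (upper, lower, digit), and no 4-byte window repeats within the first 20280 bytes,
 * so the 4 bytes that end up in EIP identify exactly one position in the input. */
size_t make_pattern(char *out, size_t len) {
    const char *upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    const char *lower = "abcdefghijklmnopqrstuvwxyz";
    const char *digit = "0123456789";
    size_t n = 0;
    for (int u = 0; u < 26 && n < len; u++)
        for (int l = 0; l < 26 && n < len; l++)
            for (int d = 0; d < 10 && n < len; d++) {
                const char triple[3] = { upper[u], lower[l], digit[d] };
                for (int k = 0; k < 3 && n < len; k++) out[n++] = triple[k];
            }
    out[n] = '\0';   /* caller provides len + 1 bytes */
    return n;
}

/* Map the 32-bit value the debugger shows in EIP back to an input offset.
 * x86 is little-endian, so the register holds the 4 input bytes in reverse order:
 * input bytes "Aa0A" appear as EIP = 0x41306141. Returns -1 when the value is not in
 * the pattern at all, which tells you the crash was not a clean return-address overwrite
 * (a plain 0x41414141 from a flood of A's also comes back -1, by design). */
long find_offset(const char *pattern, size_t plen, uint32_t eip) {
    unsigned char needle[4];
    for (int i = 0; i < 4; i++) needle[i] = (unsigned char)(eip >> (8 * i));
    for (size_t i = 0; i + 4 <= plen; i++)
        if (memcmp(pattern + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* Bad-character check: compare the byte string that was sent with the bytes the
 * debugger shows in memory, and return the index of the first byte that was dropped
 * or altered, or -1 if the whole string survived. The usual loop is: find the first
 * mangled byte, take it out of the sent string, resend, repeat until it arrives intact. */
long first_mangled_byte(const unsigned char *sent, const unsigned char *seen, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (sent[i] != seen[i]) return (long)i;
    return -1;
}

int main(void) {
    char pattern[3001];
    size_t plen = make_pattern(pattern, 3000);

    /* Constructed crash: the debugger reports EIP = 0x30724139, i.e. input bytes "9Ar0". */
    printf("pattern length %zu, EIP 0x30724139 -> offset %ld\n",
           plen, find_offset(pattern, plen, 0x30724139u));
    printf("EIP 0x41414141 -> offset %ld (not in pattern)\n",
           find_offset(pattern, plen, 0x41414141u));

    /* Constructed sent/seen buffers where 0x0a was eaten by the service. */
    unsigned char sent[6] = {0x01, 0x02, 0x09, 0x0a, 0x0b, 0x0c};
    unsigned char seen[6] = {0x01, 0x02, 0x09, 0x0b, 0x0c, 0x00};
    printf("first mangled byte at index %ld\n", first_mangled_byte(sent, seen, 6));
    return 0;
}
```

The -1 return from find_offset is the detail worth keeping: a crash whose EIP value is not found in the pattern means something other than the return address was corrupted, and the offset measured from it would be wrong.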

Tools Required

  • Victim Machine - Windows 10

  • Vulnerable Server - VULNServer

  • Attacker Machine - Parrot OS

  • Debugger (runs on the Victim Machine) - Immunity Debugger
