Basics
PRACTICE! PRACTICE! PRACTICE!
Anatomy of Memory and Stack
We have the Kernel at the top (high addresses, all 1's: 0xFFFFFFFF) and the Text segment at the bottom (low addresses, all 0's: 0x00000000), and in the middle lies the Stack
Inside a stack frame we have the ESP (Extended Stack Pointer) sitting at the top and the EBP (Extended Base Pointer) sitting at the bottom, and in between them we have the BUFFER SPACE
So basically the BUFFER SPACE fills up with the user input characters, and as it fills it grows downwards through the Stack, from the ESP towards the EBP
Normally, the input going into the BUFFER SPACE should be length-checked (bounds-checked) so that when a bunch of A's is being filled into that space it can't cross the BUFFER SPACE and disturb the EBP
In case of a BUFFER OVERFLOW, what happens is the user input crosses the BUFFER SPACE and disturbs the EBP, then keeps going past the EBP and disturbs the saved RETURN ADDR (a.k.a. ret) as well, which is the value that gets loaded into the EIP (Extended Instruction Pointer) :)
Once the bunch of A's disturbs the EIP / return address, the program crashes with an error saying
Segmentation fault
- The EIP is the most interesting register as it controls the flow of execution in the program, so once we get hold of the EIP it's easy to pop a shell on the box :)
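To make the frame layout above concrete, here is an added example (my own constructed model, not code from the original notes or from VULNServer): a flat byte array stands in for the frame, with the BUFFER SPACE first, then the saved EBP, then the saved return address. The buffer size, offsets and the "clean" EBP/ret values are made-up placeholders. The unchecked strcpy-style copy is the vulnerable pattern; the length-checked copy beside it is the fix, and the helper functions report what ends up in the EBP and ret slots after each.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the stack frame described above: BUFFER SPACE first,
 * then the saved EBP, then the saved return address (ret) that gets loaded
 * into EIP. Sizes, offsets and "clean" values are placeholders. */
#define BUF_SIZE   16
#define EBP_OFF    BUF_SIZE          /* saved EBP sits right past the buffer */
#define RET_OFF    (BUF_SIZE + 4)    /* ret sits right past the saved EBP    */
#define FRAME_SIZE (BUF_SIZE + 8)

#define CLEAN_EBP  0xBFFFF000u       /* placeholder saved-EBP value */
#define CLEAN_RET  0x08048500u       /* placeholder return address  */

typedef struct {
    unsigned char bytes[FRAME_SIZE]; /* one flat byte array = whole frame */
} frame_t;

static void frame_init(frame_t *f) {
    uint32_t ebp = CLEAN_EBP, ret = CLEAN_RET;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + EBP_OFF, &ebp, sizeof ebp);
    memcpy(f->bytes + RET_OFF, &ret, sizeof ret);
}

static uint32_t read_u32(const frame_t *f, size_t off) {
    uint32_t v;
    memcpy(&v, f->bytes + off, sizeof v);
    return v;
}

/* VULNERABLE: strcpy-style copy with no bounds check. It keeps copying until
 * the NUL byte, so input longer than BUF_SIZE runs through the saved EBP and
 * then through ret. (The FRAME_SIZE cap only keeps this model well-defined;
 * a real strcpy has no such cap.) */
static void copy_unchecked(frame_t *f, const char *input) {
    size_t i = 0;
    while (input[i] != '\0' && i < FRAME_SIZE) {
        f->bytes[i] = (unsigned char)input[i];
        i++;
    }
}

/* HARDENED: length-checked copy. Anything beyond BUF_SIZE-1 bytes is
 * dropped and the buffer is always NUL-terminated, so the saved EBP and ret
 * are never touched. Returns 1 if the input had to be truncated. */
static int copy_checked(frame_t *f, const char *input) {
    size_t n = strlen(input);
    int truncated = 0;
    if (n >= BUF_SIZE) {
        n = BUF_SIZE - 1;
        truncated = 1;
    }
    memcpy(f->bytes, input, n);
    f->bytes[n] = '\0';
    return truncated;
}

/* Run one copy on a fresh frame and report what ended up in the EBP / ret slot. */
uint32_t ebp_after_unchecked(const char *input) {
    frame_t f; frame_init(&f); copy_unchecked(&f, input); return read_u32(&f, EBP_OFF);
}
uint32_t ret_after_unchecked(const char *input) {
    frame_t f; frame_init(&f); copy_unchecked(&f, input); return read_u32(&f, RET_OFF);
}
uint32_t ebp_after_checked(const char *input) {
    frame_t f; frame_init(&f); (void)copy_checked(&f, input); return read_u32(&f, EBP_OFF);
}
uint32_t ret_after_checked(const char *input) {
    frame_t f; frame_init(&f); (void)copy_checked(&f, input); return read_u32(&f, RET_OFF);
}

int main(void) {
    /* Constructed input: 24 'A's = 16 to fill the buffer, 4 over EBP, 4 over ret. */
    const char *lots_of_as = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";
    printf("unchecked: ebp=0x%08x ret=0x%08x\n",
           (unsigned)ebp_after_unchecked(lots_of_as), (unsigned)ret_after_unchecked(lots_of_as));
    printf("checked:   ebp=0x%08x ret=0x%08x\n",
           (unsigned)ebp_after_checked(lots_of_as), (unsigned)ret_after_checked(lots_of_as));
    return 0;
}
```

With 24 A's the unchecked copy leaves both slots reading 0x41414141 (the "AAAA" the text describes), which is exactly the state that produces the segmentation fault when the function returns; with 18 A's only the saved EBP is hit and ret survives, which is why the crash only appears once the input reaches the ret slot. The checked copy leaves both slots untouched no matter how long the input is.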
Steps to consider to exploit a BOF
Spiking
Method to find a vulnerable part of a program
Fuzzing
Kinda similar to spiking: we're gonna flood the user input by sending a large amount of characters and see if we can break it :)
Finding the Offset
If we do break it, the next step is finding at which character the program crashes (i.e. finding the offset within that bunch of characters at which the EIP gets overwritten)
Overwrite the EIP
And now we use that offset to overwrite the EIP with our payload to pop a shell :)
Finding the Bad Characters and Module
Once we have EIP control, we'll have to find the bad characters and find the right module to exploit the overflow
Generating Shellcode
This is the final step, where we generate the malicious shellcode to get a reverse shell on the box; more specifically, we point our EIP at our shellcode and gain R00t
Tools Required
Victim Machine - Windows 10
Vulnerable Server (on the Victim Machine) - VULNServer
Debugger (on the Victim Machine) - Immunity Debugger
Attacker Machine - Parrot OS