Buffer Overflow

Steps

  1. Run Immunity Debugger.

  2. Open the exe file or attach to the running service.

  3. Set the mona working directory:

!mona config -set workingfolder c:\mona\%p

  4. Press the play button.

  5. Try to connect to the server:

nc $IP <port>

Immunity Debugger shows which port the service is listening on.

  6. Fuzz until the service crashes and note the number of bytes that caused the crash.

  7. Generate a pattern with a script and send it the same way as the fuzzer (pattern length = number of bytes at crash + 200).

  8. Find the offset with mona or another tool, or use a website where you just input the EIP value.

  9. [Optional] Confirm control of EIP with BBBB.

  10. Generate the bytearray with mona (make sure the working directory has been set).

  11. Create the badchar string with a python script, treating "\x00" as a bad character.

  12. Send the badchar string and compare it with mona at the ESP address.

How to note badchars:

  • 00 is always a badchar

  • The second char is a badchar

  • The third char is affected by the second char, so it is not a badchar

  • The fourth char is a badchar

  • The fifth char is affected by the fourth char, so it is not a badchar

  • and so on
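The comparison rule above, as an added example (written for this page, not mona's own code): it builds the same kind of test array mona generates, applies the rule that the byte right after a bad char is only collateral damage, and returns candidates that still have to be confirmed by removing them, resending, and checking for "unmodified". The sample sent/observed buffers are constructed.

```python
# Added example: re-implements the badchar comparison described on the page.

def make_bytearray(excluded: set[int]) -> bytes:
    """Build the 0x01..0xff test array with known bad chars left out,
    like mona's bytearray command. 0x00 is never included."""
    return bytes(b for b in range(1, 256) if b not in excluded)


def is_unmodified(sent: bytes, observed: bytes) -> bool:
    """True when the bytes found at ESP match what was sent
    (mona's 'unmodified' memory comparison result)."""
    return observed[:len(sent)] == sent


def find_bad_chars(sent: bytes, observed: bytes) -> list[int]:
    """Apply the page's rule: a mismatching byte is a bad char, and the byte
    immediately after it is treated as affected by it, not as a bad char.
    0x00 is always reported. Candidates must be confirmed by resending."""
    bad = [0x00]
    i = 0
    while i < len(sent):
        if i >= len(observed) or sent[i] != observed[i]:
            bad.append(sent[i])
            i += 2   # skip the byte affected by this bad char
        else:
            i += 1
    return bad


# Constructed sample: the service mangles 0x0a and 0x0d, and the byte after
# 0x0a is disturbed as well, the way the page describes.
SENT = make_bytearray({0x00})          # SENT[i] == i + 1
OBSERVED = bytearray(SENT)
OBSERVED[9:11] = b"\x00\x00"           # 0x0a bad, following 0x0b affected
OBSERVED[12] = 0x00                    # 0x0d bad
OBSERVED = bytes(OBSERVED)

if __name__ == "__main__":
    round1 = find_bad_chars(SENT, OBSERVED)
    print("candidates:", [hex(b) for b in round1])
    # Second round: regenerate without the candidates and resend; the
    # comparison should then come back unmodified.
    sent2 = make_bytearray(set(round1))
    print("unmodified:", is_unmodified(sent2, sent2))
```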

  13. Test the badchars: if mona's memory comparison result shows "unmodified", your badchars are correct.

  14. Search the modules for a jmp esp. You can control EIP and place the payload at ESP, so EIP needs to point at a "jmp esp" instruction, which always jumps execution to ESP (your payload).

Get the address of the jmp esp instruction in that module and write it reversed (little-endian byte order).

  15. Generate the payload.

LAB - Buffer Overflow
