This video presents the material that will be covered in my course, Buffer Overflows Made Easy. I also highlight important aspects, such as the anatomy of memory and the anatomy of the stack. In future course videos, we will be covering:
3. Finding the Offset
4. Overwriting the EIP
5. Finding Bad Characters
6. Finding the Right Module
7. Generating Shellcode
This video covers the art of spiking in buffer overflows, which allows us to identify vulnerable commands within a program.
This video covers the art of fuzzing in buffer overflows, which allows us to identify if a command is vulnerable in software and approximately how many bytes it takes for an overflow.
This video covers how to find the EIP offset in buffer overflows, which will allow us to point to malicious shellcode later on.
This video covers how to control and overwrite the EIP in buffer overflows, which will lead to malicious code execution.
This video covers how to find the find bad characters in a buffer overflow process. We will examine the ESP dump and learn what bad characters look like, how they interact with shellcode, and their importance.
This video covers how to find the right module in buffer overflows, which will allow us to avoid memory protections (such a DEP, ASLR, etc.) and find a valid return address.
This video covers how to correctly generate shellcode for buffer overflows, which will allow us to gain shell access to our victim machine.
You should also notice something pretty interesting in Immunity Debugger:
Now, we’re going to need to modify our code to include all of the bytes that were just generated by Pattern Create. Our new code should look something like this:
Where the offset variable is a copy/paste of the Pattern Create output. You will notice that I changed the code slightly. We no longer need to run loops, so I have put a try command in instead. We just need to send this code one time. So, let’s go ahead and restart Vulnserver AND Immunity Debugger. I recommend closing completely out of Immunity Debugger and reattaching as you did in the previous step. I have had issues leaving Immunity open and attempting to continue on. Remember to run both as Administrator. Now, execute the code and see what is returned:
So, let’s again close/re-open Vulnserver and Immunity Debugger and send this bad boy off. Once you have sent the exploit, you will need to right click on the ESP register and select “Follow in Dump”. You should notice a little bit of movement in the bottom left corner of the program. If you look carefully, you should see all of your bytes in order starting with 01, 02, 03, etc and ending with FF. If a bad character were present, it would seem out of place. Luckily for us, there are no bad characters in the Vulnserver program. Notice below how all of our numbers appear perfect and in order:
The image is a little small, so zoom in if you need to. What we have just generated is a list of addresses that we can potentially use as our pointer. The addresses are located on the left side, in white. I am going to select the first address, 625011AF, and add it to my Python code. Note: your address may be different depending on the version of Windows you are running. So, do not panic if the addresses are not the same! Your shellcode should now look something like this:
Then search for “625011AF” (or the return address you found), without the quotes, in the “Enter expression to follow” prompt. That should bring up your return address, FFE4, JMP ESP location. Once you’ve found it, hit F2 and the address should turn baby blue, indicating that we have set a breakpoint.
As you can see, we generated 351 bytes of shellcode. We need to copy/paste this shellcode into our Python script. Here is what my final script looks like: