Felix 'FX' Lindner wrote an excellent article (2006) on The H Security which describes this kind of exploit in depth.

As this is the first article in this series, we will be looking at an exploit where we have a complete EIP overwrite and ESP points directly into our buffer. While stack overflows and heap overflows are subtly different, the techniques are similar and related. In this article we will cover the creation of an exploit for a 32-bit Windows application vulnerable to a buffer overflow, using x64dbg and the associated ERC plugin.

A buffer overflow is the result of stuffing more data into a buffer than it can handle. A great, in-depth resource on buffer overflow attacks is the Smashing the Stack tutorial by Aleph One. Usually, the end objective in binary exploitation is to get a shell (often called "popping a shell") on the remote computer. The shell provides us with an easy way to run anything we want on the target computer.

The remaining 152 bytes would continue clobbering values up the stack. How can we use this to pass the seemingly impossible check in the original program? Well, if we carefully line up our input so that the bytes that overwrite secret happen to be the bytes that represent 0x1337 in little-endian, we'll see the secret message. A small Python one-liner will work nicely (written for Python 3, so the payload is emitted as raw bytes rather than text):

python3 -c "import sys; sys.stdout.buffer.write(b'A'*100 + b'\x31\x13\x00\x00')"

This will fill the name buffer with 100 'A's, then overwrite secret with the 32-bit little-endian encoding of 0x1337.

Going one step further

As discussed on the stack page, the instruction that the current function should jump to when it is done is also saved on the stack (denoted as "Saved EIP" in the above stack diagrams). If we can overwrite this, we can control where the program jumps after main finishes running, giving us the ability to control what the program does entirely.