Buffer Overflow
Python Buffer Overflow Sample Script
Wikis
- https://liodeus.github.io/2020/08/11/bufferOverflow.html
- https://casvancooten.com/posts/2020/05/oscp-cheat-sheet-and-command-reference/#buffer-overflows
- https://guif.re/bo
Introduction to the X86 Architecture
Program Memory
- Each thread has its own stack
- A stack (aka "Data Area") consists of:
- Code can be in the Program Image section or in a DLL
- Last-in, first-out (LIFO) structure, meaning the data pushed onto the stack most recently is also the first to be popped off
- Stack Frame: when a function is called it needs to know where to return once it reaches its end; this "return address", together with the function's parameters and local variables, is stored on the stack in a section called the Stack Frame
- When a function returns, the return address is taken out of the stack frame
CPU Registers
- There are a bunch of registers, each holding a 32-bit, 16-bit or 8-bit value, but the important ones are:
- ESP (stack pointer): Points to the top of the stack, i.e. the most recently pushed location
- EBP (base pointer): Points to the base of the current function's stack frame
- EIP (instruction pointer): Holds the address of the next instruction to execute (this is the primary target of any buffer overflow)
- As well as:
- EAX (accumulator): Arithmetical and logical instructions
- EBX (base): Base pointer for memory addresses
- ECX (counter): Loop, shift, and rotation counter
- EDX (data): I/O port addressing, multiplication, and division
- ESI (source index): Pointer addressing of data and source in string copy operations
- EDI (destination index): Pointer addressing of data and destination in string copy operations
Buffer Overflow Walkthrough
- Learn how to control EIP
Sample Vulnerable Code
- If a function reserves space and writes to it without checking that the input fits in that space, we can pass a value larger than the buffer and overwrite the return address (which is below in the stack)
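As an added example (not code from these notes or from any of the linked write-ups), the reserve-and-copy pattern described above in C, beside a bounded version that refuses input that does not fit; BUF_SIZE, copy_unchecked, copy_bounded, copy_checked and the 100-byte sample input are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed size of the reserved space */

/* Vulnerable pattern from the notes: reserve space, then strcpy into it
 * without checking the input length. Anything longer than BUF_SIZE - 1
 * bytes runs past buf into the saved EBP and the return address stored
 * above it in this function's stack frame. Kept here to show the defect;
 * nothing below calls it with input that does not fit. */
int copy_unchecked(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);              /* no bound on the copy: the bug */
    return (int)strlen(buf);
}

/* Hardened form: snprintf bounds the write to out_size bytes and always
 * NUL-terminates. It returns the length the full copy would have needed,
 * so a value >= out_size tells us the input did not fit. Returns the
 * number of bytes kept, or -1 when the input was too long, so the caller
 * can reject it instead of silently working with a truncated string. */
int copy_bounded(const char *input, char *out, size_t out_size) {
    if (out_size == 0) {
        return -1;
    }
    int needed = snprintf(out, out_size, "%s", input);
    if (needed < 0 || (size_t)needed >= out_size) {
        return -1;                   /* would have overflowed: rejected */
    }
    return needed;
}

/* Same reserve-and-copy shape as copy_unchecked, built on the bounded copy. */
int copy_checked(const char *input) {
    char buf[BUF_SIZE];
    return copy_bounded(input, buf, sizeof buf);
}

/* Constructed sample input: 100 'A's, the kind of argument the notes pass
 * to see EIP end up as 41414141. Static storage keeps the pointer valid. */
const char *oversized_input(void) {
    static char payload[101];
    memset(payload, 'A', 100);
    payload[100] = '\0';
    return payload;
}

int main(void) {
    printf("short input : %d\n", copy_checked("hello"));            /* 5  */
    printf("100 A's     : %d\n", copy_checked(oversized_input()));  /* -1 */
    return 0;
}
```

Returning an error rather than truncating is deliberate: a silently truncated string is still a logic bug, while an explicit rejection lets the caller log the event, which is also the signal a detection rule on unusually long arguments keys on.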
Introducing the Immunity Debugger
- Allows us to stop the execution at any time and inspect the content of the registers and the process memory space
- The debugger starts at the entry point, but this is not the main function
- Top Left: Assembly instructions (the blue line is the instruction to be executed next)
- Top Right: All Registers
- Bottom Right: Stack and its contents
- Bottom Left: Contents of memory
Navigating Code
- Find the main function
- Usually this can be done by searching for a string (Right-Click the Top Left Windows > Select "All referenced text strings")
- Set a breakpoint at the CALL (F2)
- Run the code (F9)
- Step into (F7)
- Execute up to the next return (Ctrl + F9)
- Double-click on the strcpy destination address to view it in memory and see what's around it (like the return address of the main function!)
Overflowing the Buffer
- In the Arguments section of Immunity Debugger, pass enough A's to overflow the main function's return address - check if EIP is 41414141
- This will cause an error
Relevant Note(s): Penetration Testing Windows Buffer Overflow Linux Buffer Overflow