# Buffer Overflow

**Step 1.** 

**Passing the provided fuzz file breaks the application.** 

![](/files/-MeTk-_lPjy3BRJXk4RF)

**Step 2.** 

**Checking the fuzz file (.asx) opening with notepad++, Gives us hint that a string starting with http\:// and  followed by multiple A characters.** 

![](/files/-MeTjxHC5B4pVmiAqoKd)

**Step 3.** 

**Create a Python script which can also create a similar file for us.**

![](/files/-MeTjtFfBZXKCE6Q7OL1)

**Step 4.** 

**Start Immunity debugger and check if the created .asx file is replacing EIP values. Application crashes with access violation error.** 

![](/files/-MeTjoGjW3wIuC8_lLTV)

**Step 5.** 

**Now we have to find the exact value for EIP** 

**5.1 Binary Tree Analysis** 

**Sending 5000 \* B from last to check if EIP is updating with the value of B.** 

**Within some try we found that sending a \* 15000 and b \* 5000, updates the EIP value  with B.**

![](/files/-MeTjjp8VvTLiRmUxKjJ)

![](/files/-MeTjg9ko5m8NVP4x14K)

**5.2 Sending Unique string**  

**• Now as we know in the buffer length of 20000, EIP value updates with B within  the last 5000 so we can use msfvenom script “pattern\_create.rb” to create 5000 unique characters.** 

![](/files/-MeTj_T75-UXtE-VwOKg)

**• After updating the code with unique characters , we got the below result:**

![](/files/-MeTjRqo6Bi31g4_FxJt)

**• Now, checking the exact location of the found value.** 

**• We can do this by another msfvenom script “pattern\_offset.rb”** 

![](/files/-MeTjMj---B88N7Au7vq)

**5.3 Basic calculation** 

**A (15000 + 2417 = 17417) + 4 \*B(value of EIP) + remaining buffer (20000-17417-4)\*C** 

**Updating the code as required :** 

![](/files/-MeTjJ9yW20ppJ4bCFTj)

**We are able to control EIP.**

![](/files/-MeTjCQ9_s7jwU8mT62T)

**Step 6.** 

**Now we have to check the Bad characters which are either truncate the buffer or terminate the buffer. So sending all possible combination in the code.** 

**After analysis, we found that the Bad character are null byte \x00 and carriage return \x0a**

![](/files/-MeTj7U8x8ZEwAoVKBft)

![](/files/-MeTj3JcK8TU96d-VpK2)

**Step 7.** 

**Now we have to find any module which does not have any protection like ASLR,REBASE,SEH,DEP,etc. To Do so we will use mona.py script within immunity debugger.** 

**By using command “!mona modules”** 

**we are able to identify such module which is:** 

**Log data, item 32** 

**Address=0BADF00D** 

**Message= 0x10000000 | 0x1007f000 | 0x0007f000 | False | False | False | False | False | -1.0- \[MSA2Mfilter03.dll] (C:\Program Files (x86)\Mini-stream\ASX to MP3 Converter\MSA2Mfilter03.dll)**

![](/files/-MeTizXbHPJ1Yvjpa9zY)

**We can use search command in the module or search sequence string**  

**Search command -> jmp esp (which is not found in the module)** 

**Search sequence -> push esp** 

 **retn** 

![](/files/-MeTiu_i_badPxdp9esC)

**Found the reliable address in memory which contain PUSH ESP and next instruction as RETN found on  address:** 

**1003DF73 54 PUSH ESP** 

**1003DF74 C3 RETN** 

**Step 8.** 

**Now as we have found the Address for PUSH ESP instruction which is also not having any of our bad  characters, we can pass it in our EIP using the below code.**

![](/files/-MeTiqGhuk_GXCKzJG1F)

**We can see from the below screenshot we are able to PUSH ESP address into our instruction pointer  which is EIP.** 

![](/files/-MeTi6WfiVB3u11gLJTo)

**Step 9.** 

**Now we are ready to pass our shell code into the remaining buffer.**

**To do so we need a shell code which we can get using the msfvenom.** 

![](/files/-MeTiFGU5k8X9PzcPBN2)

**We also know that our esp register points to the beginning of our shell code we need to provide some  stack space to work the decoder which is automatically generated by msfvenom.** 

**We will add no operation input (nops) in the code “\x90”.** 

![](/files/-MeTiJfoNEjxryKB9-fp)

**Step 10.** 

**Getting the cmd prompt.**

![](/files/-MeTiNYGBuox-bFF3nYH)

![](/files/-MeTiUZzmfG0j1uX0W6-)

![](/files/-MeTiYr9AfEUZ2HEYcxH)

**Getting the cmd prompt opening using vulnerable application.**

![](/files/-MeTiao5bxXxGmY8889z)

![](/files/-MeTie_bYzBi1eztZ6P4)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://modi-arun91.gitbook.io/penetration-testing/web-application-vulnerabilities/buffer-overflow.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.