Buffer Overflow Practice
It’s been a while since I have written here. Next week is my exam, so hopefully I can blog some good news soon! I managed to finish all the Lab exercises in the PDF, x10 Lab Machine reports (for 5 extra points) and rooted all Machines on all 4 networks.
I will utilize my time from now until next week for Windows and Linux privilege escalation techniques, as I still have about 17 days left for my Lab access. I’m so scared, but I know it’s not the end of the world if I fail.
Below is something different. I managed to record myself doing a Buffer Overflow on a vulnerable application called FTPServer. Below are some dot points of the steps in the video:
- Create a POC and send 421 A’s to the application
- Determine where the application crashes
- Generate a 421-character pattern string, add it to the POC, and note the value in ESP
- Use pattern offset against the found ESP value to determine the offset (247)
- Update the POC to send 247 A’s + 4 B’s and fill the remainder with C’s
- Run the POC and we can see that the ESP has been cleanly overwritten. The B’s will be our jump instruction and the C’s will be our shellcode.
- Locate bad characters by sending the full range of hex bytes after the 4 B’s (\x42). In the dump, after the B’s (42) we can see the run of hex bytes. We took out \x00, \x0a and \x0d. There are no more bad characters after the test, as the memory dump is clean (ascending hex values).
- Find an executable module and locate the JMP ESP instruction in it.
- POC: it will crash after 247 A’s, then jump to the JMP ESP instruction and execute our malicious code.
- Generate a payload with msfvenom
- Finalize the POC with added NOPs. Execute the POC and catch a shell with a netcat listener.
Click here for a Buffer Overflow Demonstration
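Added example, not from the post or from the FTPServer application: a hypothetical FTP USER command handler in C, in the unchecked form that makes the kind of overwrite measured above possible, beside a hardened form that bounds the copy and rejects oversized input. The 64-byte buffer size and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF 64  /* hypothetical fixed-size stack buffer */

/* Vulnerable form: the client-supplied argument is copied into a
 * fixed stack buffer with no length check. Anything longer than the
 * buffer runs past it into the saved registers and return address,
 * which is the overwrite the 247-byte offset in the post measures.
 * Shown for illustration only; not called by the test. */
void user_cmd_vulnerable(const char *arg)
{
    char name[CMD_BUF];
    strcpy(name, arg);              /* no bounds check */
    printf("USER %s\n", name);
}

/* Hardened form: scan no further than the destination, reject what
 * does not fit (including the NUL), copy with an explicit bound.
 * Returns 0 on success, -1 when the argument is rejected. */
int user_cmd_hardened(const char *arg, char *out, size_t out_len)
{
    if (out_len == 0)
        return -1;
    size_t n = strnlen(arg, out_len);   /* never scans past out_len */
    if (n >= out_len)                   /* would overflow or drop NUL */
        return -1;
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* Feeds an argument of arg_len 'A' bytes (like the POC) to the
 * hardened handler; returns 1 if accepted, 0 if rejected. */
int hardened_accepts(size_t arg_len)
{
    char arg[1024];                     /* constructed sample input */
    char name[CMD_BUF];
    if (arg_len >= sizeof(arg))
        arg_len = sizeof(arg) - 1;
    memset(arg, 'A', arg_len);
    arg[arg_len] = '\0';
    return user_cmd_hardened(arg, name, sizeof(name)) == 0;
}

/* Returns 1 if the hardened copy of arg is byte-for-byte intact. */
int hardened_copy_matches(const char *arg)
{
    char name[CMD_BUF];
    if (user_cmd_hardened(arg, name, sizeof(name)) != 0)
        return 0;
    return strcmp(name, arg) == 0;
}
```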