Required Installations

Buffer overflow explained

Anatomy of memory (high addresses at the top, low addresses at the bottom)

Kernel   (high addresses)
Stack    (grows downward, toward lower addresses)
Heap     (grows upward, toward higher addresses)
Data
Text     (low addresses)

Anatomy of stack

ESP (Extended Stack Pointer) - top of the stack
Buffer space - local variables, e.g. a fixed-size character buffer
EBP (Extended Base Pointer) - saved frame pointer
EIP (Extended Instruction Pointer) / Return Address

Data written into the buffer fills it toward the saved EBP and the return address, so input longer than the buffer overwrites EBP first and then EIP; that is why controlling EIP is the goal of the later steps.
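Why the stack anatomy above matters, as an added example that is not from the original notes: a C handler with the classic unbounded copy next to a bounded version that rejects oversized input. The function names and the 64-byte buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the original notes: a handler with the classic
 * stack overflow next to a bounded version. Function names are assumptions. */

#define BUF_SIZE 64

/* Vulnerable: strcpy() stops only at the NUL terminator, so input of BUF_SIZE
 * bytes or more runs past `buf` into the saved EBP and then the return address
 * (EIP) above it. Undefined behaviour: only ever called here with short input. */
int handle_stats_vulnerable(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);                       /* no bound on the copy */
    return (int)strlen(buf);
}

/* Hardened: measure without reading past BUF_SIZE bytes, refuse anything that
 * does not fit (terminator included), then copy with an explicit bound. */
int handle_stats_safe(const char *input)
{
    char buf[BUF_SIZE];
    const char *end = memchr(input, '\0', BUF_SIZE); /* NULL: no NUL in first BUF_SIZE bytes */
    if (end == NULL)
        return -1;                            /* would overflow: reject, do not truncate silently */
    size_t len = (size_t)(end - input);
    memcpy(buf, input, len + 1);              /* len + 1 <= BUF_SIZE, terminator included */
    return (int)strlen(buf);                  /* accepted length */
}

/* Helper: feed the safe handler n bytes of 'A' (constructed input, n < 256). */
int probe_safe(size_t n)
{
    char probe[256];
    if (n >= sizeof(probe))
        return -2;                            /* constructed input too large for this helper */
    memset(probe, 'A', n);
    probe[n] = '\0';
    return handle_stats_safe(probe);
}

int main(void)
{
    printf("safe \"STATS 0\" -> %d\n", handle_stats_safe("STATS 0")); /* 7 */
    printf("safe 63 x 'A'  -> %d\n", probe_safe(63));                /* 63: fits with terminator */
    printf("safe 64 x 'A'  -> %d\n", probe_safe(64));                /* -1: one byte too many */
    return 0;
}
```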

Steps

  1. Spiking ⇒ find the vulnerable part
  2. Fuzzing ⇒ can we break it?
  3. Find the Offset ⇒ where does it break?
  4. Overwriting the EIP ⇒
  5. Finding Bad Characters ⇒
  6. Finding the Right Module ⇒
  7. Generating Shellcode ⇒
  8. Root ⇒ :)

Spiking

generic_send_tcp <host> <port> <spike_script> <SKIPVAR> <SKIPSTR>

(SKIPVAR and SKIPSTR select which variable and string in the script to start from; use 0 0 to start from the beginning.)

Testing if a command can overflow

Connect to vulnserver:

nc -nv <ip> <port>

Spike ⇒ send random characters of increasing length to a command and see if we can break the program

spike_script (read a line from the server, then send the fixed command prefix followed by the part SPIKE will vary):

s_readline();
s_string("STATS ");
s_string_variable("0");