4

So I'm trying to write a buffer overflow for a knowingly vulnerable server application, I want to learn how to do this on my own and just want some direction.

I'm watching it in Immunity Debugger on the server and have control over the ECX, EBP and, importantly, the EIP register. Sending my buffer from the attacking machine crashes the program; however, I don't have enough space afterwards to place my reverse shell. I do have enough space in the first part of my buffer. I only have a few bytes to figure it out, and past this point I'm stuck. Is it possible to place an instruction set in an earlier part of my buffer and use those few bytes to move back to it? Where can I read up on how to do this?

Hadoken
  • 53
  • 2
  • 7
  • I'm confused, you control EIP, but somehow end up jumping to the middle of your overflow zone? – Nalaurien Nov 17 '17 at 07:31
  • I updated my question because I did some wrong math. I have a buffer of 1072 bytes; adding any more messes things up. At 1040 I am able to overwrite EIP. I was thinking that maybe I could place my payload in that first area of my buffer and somehow jump back to it with EIP; otherwise I was hoping someone could offer a different suggestion on how to deal with the limited space and point me in the right direction. – Hadoken Nov 17 '17 at 07:57
  • @Hadoken - EIP contains the address of the next instruction to execute. If you can replace the EIP then you can point it to anywhere in executable memory. – Hector Nov 17 '17 at 08:54
  • @Hector I saw that. I don't know much about the x86 instruction set, but I read up a bit. My issue is I can't just hard-code any address because it changes every time it crashes. I only have one module/exe file I can look to for use, but there is still the issue that I can't write more than twenty-something bytes to the stack, right? I'm confused at what I need to do now; I think I'm expected to use that unused area of my buffer somehow. – Hadoken Nov 17 '17 at 09:15

2 Answers

4

Assuming that you're talking about a vanilla EIP overwrite and not something like SEH, you have two options available to you. Neither of these is what I would consider a "beginner" technique, as they require a bit of assembly knowledge, though there are some great websites that can help you out.

1. Employ an Egg Hunter. An egg hunter involves sticking a small bit of shellcode in a limited buffer space and then prepending an 8-byte egg (i.e. n00bn00b) before your shellcode. The egg hunter will search through memory for your unique egg and then jump to the shellcode that follows it. Example buffer variable:

buffer = "\x41" *100 + "n00bn00b" + shellcode + "\x90" * 50 + egghunter + offset + jmpback

Where above "offset" could be a simple JMP ESP in a DLL and "jmpback" would be an assembly instruction to jump back into the buffer to somewhere in the nopslide.

While it looks a bit confusing, the execution flow is as follows:

  1. The offset variable is placed where your EIP overwrite is. This variable simply holds the address of a JMP ESP instruction, which then points to the jmpback variable.

  2. The jmpback variable holds an assembly instruction (e.g. \xeb\xc4) which jumps back into the nopsled.

  3. The egghunter shellcode runs and begins searching for the n00bn00b string.

  4. When the n00bn00b string is found it jumps to the shellcode which executes.

The Egghunter is a great way to give yourself some more buffer space.

2. Jumping backwards into the buffer: The second option, if the buffer space is available to you, is to issue some assembly instructions to jump further back into the buffer to execute your shellcode. This sounds like the easier of the two options; however, it's possible to trash the stack if you're not careful to re-align the stack after shellcode execution.

If you have a clean overwrite of another register, such as ECX, it might even be possible to just JMP ECX to fire your shell code.

Note that this answer assumes that things like DEP and ASLR are not enabled on the machine you're attempting to exploit.

DKNUCKLES
  • 9,237
  • 2
  • 37
  • 47
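The closing caveat above (DEP and ASLR assumed off) is the thing worth verifying first, whether you are assessing a target in a lab or checking your own builds. On Windows a module opts into those mitigations at link time through the DllCharacteristics word of the PE optional header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) for ASLR and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) for DEP. The following is an added example, not code from this thread or from Corelan; it parses that field from a PE image in memory and reports which mitigations are set. The two sample images it checks are constructed header-only stubs, not real modules, and the offsets used (e_lfanew at 0x3C, DllCharacteristics at offset 70 of the optional header) are the ones from the PE/COFF specification.

```python
"""
Report the ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) opt-in flags of a PE image.

Added example for this thread; not code from the question or the answers.
The sample images below are constructed header-only stubs, not real binaries.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
DLLCHAR_HIGH_ENTROPY_VA = 0x0020
DLLCHAR_DYNAMIC_BASE = 0x0040   # linker opted in to ASLR
DLLCHAR_NX_COMPAT = 0x0100      # linker opted in to DEP
DLLCHAR_NO_SEH = 0x0400
DLLCHAR_GUARD_CF = 0x4000

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def read_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4          # 20-byte COFF file header
    opt = coff + 20              # optional header follows it
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    (dllchar,) = struct.unpack_from("<H", image, opt + 70)
    return dllchar


def mitigation_report(image: bytes) -> dict:
    """Summarise which mitigations the linker opted the image into."""
    flags = read_dll_characteristics(image)
    return {
        "aslr": bool(flags & DLLCHAR_DYNAMIC_BASE),
        "dep": bool(flags & DLLCHAR_NX_COMPAT),
        "high_entropy_va": bool(flags & DLLCHAR_HIGH_ENTROPY_VA),
        "no_seh": bool(flags & DLLCHAR_NO_SEH),
        "cfg": bool(flags & DLLCHAR_GUARD_CF),
    }


def build_minimal_pe(dll_characteristics: int, magic: int = PE32_MAGIC) -> bytes:
    """Construct a header-only PE image carrying the given DllCharacteristics.

    Constructed test input: only the fields the parser reads are meaningful,
    every other field is left zero, and there are no sections.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=i386, 1 section, SizeOfOptionalHeader=224.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: a module linked with no mitigations (the situation the
# answer above relies on) and one linked with /DYNAMICBASE and /NXCOMPAT.
LEGACY_IMAGE = build_minimal_pe(0x0000)
HARDENED_IMAGE = build_minimal_pe(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT)

if __name__ == "__main__":
    for name, img in (("legacy", LEGACY_IMAGE), ("hardened", HARDENED_IMAGE)):
        print(name, mitigation_report(img))
```

To run it against a real file, pass the contents of the module (`open(path, "rb").read()`) to `mitigation_report`. Note that these bits record only what the linker asked for; the operating system decides what a process actually gets, so a per-process DEP policy or a mandatory-ASLR setting can differ from what the header says.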
1

There are various ways to do this. Are you able to get a fixed point in the code to set your EIP to? You are not telling us whether you have any ASLR restrictions, but if you do, are you then able to still get a fixed location to refer to? Look into:

https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/

https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/

They are a great read and you should find some answers there.

RLFP
  • 617
  • 5
  • 15
  • Lol, looking at that, I'm pretty certain that Corelan may have had some influence on this exercise. I'm still struggling since I have no experience with assembly. Since I could overwrite ECX and EBX I thought about trying to point there and write code, but since they both are almost immediately before the EIP register, it still wouldn't be enough space. I only have one place to point my EIP register that isn't compiled with ASLR or DEP, but it's the application itself. Thanks! I have some new stuff to try now with those posts. – Hadoken Nov 17 '17 at 09:43