Server accepted 1906 bytes but crashed at 2106.
- The buffer overflow (BO) is occurring between 1906 and 2106 bytes of input.
Final shellcode. Note that the return address (ret) is in reverse byte order (little endian).
8 NOPs (\x90) are inserted after the return address because we generated encoded shellcode with the shikata_ga_nai encoder. The encoder requires a few bytes of space on the stack as scratch space to allow it to decode the encoded shellcode before it can execute. If we do not allow some space by using these NOPs, the shellcode will decode over the top of itself, resulting in mangled shellcode and a failed exploit.
Note that calc has been executed but vulnserver is still running. We can close calc and vulnserver will not crash. This is because we used EXITFUNC=thread, which created shellcode to launch our payload in a new thread, allowing vulnserver to continue running when our payload exits.