![Time to visualize the exploit void get_input() { char buf[1024]; gets(buf); } void main(int argc, char*argv[]){ get_input(); } Vulnerable to Buffer overflow because , gets() doesn’t check the size of the buffer causing it to overflow.According to the slide before, if we give 1024 + 8 bytes we overwrite saved return address which can be the address of our shellcode in memory to alter the execution path of our program.](https://image.slidesharecdn.com/exploitingstackoverflow101-111125002336-phpapp02/75/Exploiting-stack-overflow-101-9-2048.jpg)
Uploaded byn|u - The Open Security Community
Exploiting stack overflow 101
This document provides an overview of exploiting a stack overflow vulnerability in EasyRmtoMp3 player software. It discusses the stack and function calls in assembly, and how a buffer overflow can be used to overwrite the return address and redirect program execution to injected shellcode. The agenda includes setting up the environment in Immunity Debugger and Metasploit, explaining the theory behind stack overflows, visualizing how it works, and demonstrating an exploit against the vulnerable software.
Exploiting stack overflow 101
- 1. Exploiting Stack Overflow101 By Sebas Sujeen (_masteR)
- 2. #whoami Student @CEG currently in my fourth year Interested in exploit development/systems security Active member of g4h , an online community for hackers Attitude: Learn what you don’t know , share what you learn Blog @ http://phr33dom.wordpress.com
- 3. Agenda We willbe exploiting a simple stack overflow found in EasyRmtoMp3 player Nothing new, the reason for choosing this software is that reference to exploit this software is available online @ http://corelan.be So , nothing stops you from trying it out yourselves!
- 4. Setting up theEnvironment Immunity Debugger Windows Xp SP3 Metasploit framework
- 5. The theory... Beforethe fun part A typical function call looks like this in assembly push args call function
- 6. The theory... Beforethe fun part A typical function prologue push ebp ;save the sfp mov ebp,esp; ebp points to base of current sf sub esp,<offset>;space for local variables
- 7. The theory... Beforethe fun part A typical function epilogue looks like this leave; mov esp,ebp / pop ebp ret ; pop the dword @ esp and put it in eip
- 8. Visualize the stackBreno de Medeiros Florida State University Fall 2005 Function (sub-routine) calls results in an activation frame being pushed onto a memory area called the stack . <previous stack frame> function arguments return address previous frame pointer local variables local buffer variables Direction of stack growth
- 9. Time to visualizethe exploit void get_input() { char buf[1024]; gets(buf); } void main(int argc, char*argv[]){ get_input(); } Vulnerable to Buffer overflow because , gets() doesn’t check the size of the buffer causing it to overflow.According to the slide before, if we give 1024 + 8 bytes we overwrite saved return address which can be the address of our shellcode in memory to alter the execution path of our program.
- 10. References http://phrack.org http://corelan.behttp://metasploit.com
- 11.
- 12.