Introduction to Exploit Development (Buffer Overflows) Flashcards
Describe the anatomy of the stack memory.
The stack grows towards lower memory addresses. The EBP will point to the base of the stack while the ESP will point to its top part. Also, we have the EIP, which is the instruction pointer and points to the next instruction to be executed. The buffer space fills up with characters and it is adjacent to the EBP pointer.
Buffer
(fills up with characters that are saved towards higher addresses inside of the buffer)
----
EBP ---> higher memory address
----
EIP
What is the main idea of a stack-based buffer overflow attack?
The main idea is to overflow the buffer space in order to overwrite the EIP pointer, forcing it to point to another address and thus indicating other code to be executed next. This new malicious code will try to spawn a shell as root.
What is the difference between fuzzing and spiking?
In spiking we send random characters to test if the service is vulnerable. In fuzzing we send inputs of different sizes and analyze the response; in this case, we are looking for the input size that crashes the service.
Why does a service that is vulnerable to a stack-based overflow crash when we send a bunch of random characters in the spiking stage?
Because the buffer overflow will overwrite the EIP with a random address, causing an access violation.
In the context of stack-based buffer overflows
Explain the Spiking stage.
It's the act of sending a bunch of characters in order to test if a service is vulnerable to a buffer overflow. We can use the generic_send_tcp tool with a spiking script to send innumerable requests, and if the service crashes it's a sign that it is vulnerable to a buffer overflow.
In the context of stack-based buffer overflows
Explain the Fuzzing stage.
It's the act of sending inputs of different sizes in order to find approximately at which size the buffer overflow occurs and the program crashes.
In the context of stack-based buffer overflows
Explain the “Finding the offset” stage.
In this step we want to find the offset at which the EIP is overwritten. Using the pattern_create tool we generate a byte sequence of the size found in the fuzzing stage. This byte sequence is sent as input; then the EIP value is copied and passed to the pattern_offset tool. With that we can see the exact offset at which the EIP is overwritten.
What is a bad character?
It's any character that prevents the shellcode from running as intended, such as the string terminator \x00.
In the context of buffer overflows
Explain the finding bad characters stage
We need to remove all the bad characters so our shellcode can run as intended. To do that we send a byte sequence containing every possible byte value as input, then use Immunity Debugger to see which ones are out of place when analyzing the hexdump.
What byte is always considered a bad character?
\x00
Explain the “finding the right module” stage.
In this stage we are looking for any DLL or module that doesn't have memory protections. Using mona modules we can find such a module. After finding it we use the NASM shell to get the opcode of a JMP ESP instruction, and using mona find we look for this opcode in the selected module. With the address of this instruction, we can send an input that overwrites the EIP with it and makes the program jump to the ESP, where our shellcode will be.
In msfvenom, which flag is used to determine bad characters?
-b "\x00…"
During a Buffer Overflow attack, once the buffer space is full, what can we potentially overwrite? (multiple choice)
1. ESP
2. EBP
3. EIP
2 and 3.
What are the steps to perform a stack-based buffer overflow?
- Spiking
- Fuzzing
- Finding the offset
- Overwriting the EIP
- Removing bad characters
- Finding the right modules
- Generating shellcode