Introduction to Exploit Development (Buffer Overflows) Flashcards

1
Q

Describe the anatomy of the stack memory.

A

The stack grows towards lower memory addresses. The EBP points to the base of the stack frame while the ESP points to its top. We also have the EIP, the instruction pointer, which points to the next instruction to be executed. The buffer space fills up with characters and is adjacent to the saved EBP.

Buffer
(fills up with characters that are saved towards higher addresses inside the buffer)
----
EBP  ---> higher memory address
----
EIP

2
Q

What is the main idea of a stack-based buffer overflow attack?

A

The main idea is to overflow the buffer space in order to overwrite the EIP, forcing it to point to another address so that different code is executed next. This malicious code will then try to spawn a shell as root.

3
Q

What is the difference between fuzzing and spiking?

A

In spiking we send random characters to test whether the service is vulnerable. In fuzzing we send inputs of different sizes and analyze the response; in this case, we are looking for the input size that crashes the service.

4
Q

Why does a service that is vulnerable to a stack-based overflow crash when we send a bunch of random characters in the spiking stage?

A

Because the buffer overflow will overwrite the EIP with a random address, causing an access violation.

5
Q

In the context of stack-based buffer overflows

Explain the Spiking stage.

A

It’s the act of sending a bunch of characters to test whether a service is vulnerable to a buffer overflow. We can use the generic_send_tcp tool with a spiking script to send a large number of requests; if the service crashes, that is a sign it is vulnerable to a buffer overflow.

6
Q

In the context of stack-based buffer overflows

Explain the Fuzzing stage.

A

It’s the act of sending inputs of different sizes in order to find approximately at which size the buffer overflow occurs and the program crashes.

7
Q

In the context of stack-based buffer overflows

Explain the “Finding the offset” stage.

A

In this step we want to find the offset at which the EIP is overwritten. Using the pattern_create tool we generate a byte sequence of the size found in the fuzzing stage. This byte sequence is sent as input; then the EIP value is copied and passed to the pattern_offset tool. With that we can see the exact offset at which the EIP is overwritten.

8
Q

What is a bad character?

A

It’s any character that prevents the shellcode from running as intended, such as the string terminator \x00.

9
Q

In the context of buffer overflows

Explain the finding bad characters stage

A

We need to remove all the bad characters so our shellcode can run as intended. To do that we can send a byte sequence as input, then use Immunity Debugger to see which bytes are out of place when analyzing the hexdump.

10
Q

What byte is always considered a bad character?

A

\x00

11
Q

Explain the “finding the right module” stage.

A

In this stage we are looking for any DLL or module that doesn’t have memory protection. Using mona modules we can find such a module. After finding it we use the NASM shell to get the opcode of a JMP ESP instruction, and with mona find we look for that opcode in the selected module. With the address of this instruction, we can send an input that overwrites the EIP with it and makes the program jump to the ESP, where our malicious shellcode will be.

12
Q

In msfvenom, which flag is used to determine bad characters?

A

-b "\x00…"

13
Q

During a Buffer Overflow attack, once the buffer space is full, what can we potentially overwrite? (multiple choice)
1. ESP
2. EBP
3. EIP

A

2 and 3.

14
Q

What are the steps to perform a stack-based buffer overflow?

A
  1. Spiking
  2. Fuzzing
  3. Finding the offset
  4. Overwriting the EIP
  5. Removing bad characters
  6. Finding the right modules
  7. Generating shellcode