Windows Exploit Development Basics ◾ 273
How to Find Buffer Overflows
When the source code is available, it's very easy to find buffer overflows by doing a source code review. When the source code is not available, you would need to resort to a reverse engineering approach that involves disassembling the program; this is also what we do in a black box approach. In this chapter we will talk about a technique known as fuzzing. In fuzzing, we supply input data of various lengths to the program and watch whether the program crashes. We can create our own fuzzers or use existing ones.
Methodology
The methodology we will follow for creating a simple stack-based overflow exploit is as follows:
◾ We will create a fuzzer that sends data of various sizes (in increasing order) and wait for the application to crash.
◾ We will then identify the offset to see which bytes exactly overwrite the ESP and EIP registers. The EIP register is the holy grail for hackers; if we are able to control EIP, we will be able to control the next instruction executed by the program. The ESP register is the stack pointer register, and it points to the top of the stack.
◾ We will then use Metasploit to generate the shellcode that we want to be executed by the target computer.
◾ Next, we will identify all the bad characters in the shellcode that could prevent the buffer from overflowing.
◾ Next, we will identify the usable amount of space for our shellcode.
◾ Finally, we will deploy our shellcode, and our exploit will be complete.
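The second step, working out which input bytes land in EIP and ESP, is normally done with a cyclic pattern such as the one Metasploit's pattern_create/pattern_offset tools generate. The following is an added example (not code from the book) that builds that Aa0Aa1... pattern and maps a crash register value back to its offset; the crash values in the main block are constructed for illustration, not taken from a real target.

```python
import string
from itertools import product

# Metasploit-style cyclic pattern: "Aa0Aa1Aa2...Aa9Ab0...". Every 4-byte window is
# unique within the first 20280 bytes, so whatever lands in a register after a
# crash identifies its own position in the input that was sent.
MAX_UNIQUE = 26 * 26 * 10 * 3

def pattern_create(length: int) -> str:
    """Return the first `length` characters of the cyclic pattern."""
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern is only unique up to {MAX_UNIQUE} bytes")
    chunks = []
    for u, l, d in product(string.ascii_uppercase, string.ascii_lowercase, string.digits):
        chunks.append(u + l + d)
        if 3 * len(chunks) >= length:
            break
    return "".join(chunks)[:length]

def pattern_offset(value, length: int = MAX_UNIQUE):
    """Map a crashed register value back to its offset in the pattern.

    `value` is either the 32-bit register value as an int (x86 is little-endian,
    so the bytes are reversed before searching) or the 4 characters shown in the
    debugger's memory view. Returns None if the value did not come from the pattern.
    """
    if isinstance(value, int):
        needle = value.to_bytes(4, "little").decode("ascii", errors="replace")
    else:
        needle = value
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None

def triage_crash(eip: int, esp_bytes: str) -> dict:
    """Summarize a crash: offset of the EIP overwrite and of the data ESP points at."""
    return {"eip_offset": pattern_offset(eip), "esp_offset": pattern_offset(esp_bytes)}

if __name__ == "__main__":
    # Constructed crash values, as a debugger might report them after the fuzzer
    # sent pattern_create(2000): EIP holds 0x41316141 ("Aa1A" in little-endian)
    # and the first 4 bytes at ESP read "Aa3A".
    print(triage_crash(0x41316141, "Aa3A"))  # {'eip_offset': 3, 'esp_offset': 9}
```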