6/15/2023 0 Comments Buffer overflow in process monitorTo determine which characters we cannot use in our malicious application, we inject all possible ASCII characters into the application and then compare them with the contents of the systems memory using mona.py. For instance the null byte (0x00) acts as a string terminator and as such if you added it into the malicious payload, any characters after the null byte would not be executed. When attempting to exploit buffer overflows, most likely you will find some characters cannot be injected. Below, we will make sure it runs and create a way of finding the code once we have created it and injected it. Okay, we can now slide towards our malicious code but first we must create that code, inject it, find it and make sure it runs. These instructions do not perform any function by themselves, but makes the exploit more robust since the exact address we are aiming for may change slightly depending on the system. If we carry on from where we left off and step through to the next instruction, we can see we are returned to the stack into a series of NOP (0x90) instructions (See Figure 7). In the last article, we had run our code to insert the address of the ‘Call ESP’ command and a load of NOPs. Then we found the address of a ‘Call ESP’ command which will enable us to run our code. We have also found that this vulnerability has let us overwrite the EIP which means we can insert the address of a command we might want to run. So far we know that our chosen target allows us to overflow a buffer.
0 Comments
Leave a Reply. |