Buffer Overflow

Introduction

Testing tools

Generating Random Patterns

locate pattern_create
pattern_create.rb 2700
pattern_offset.rb 39624438
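The two Ruby scripts above use a simple scheme that is easy to reproduce. The following Python is an added example, not part of the original notes or of the Metasploit tools: it builds the same "Aa0Aa1Aa2..." pattern and locates a crash value in it, accepting either the 4-character fragment seen in memory or the 8-hex-digit register value shown by the debugger (decoded as little-endian bytes, as pattern_offset.rb does), so a crash seen while fuzzing or reproducing a bug report can be mapped back to an offset in the input.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"
HEX = set("0123456789abcdefABCDEF")


def pattern_create(length: int) -> str:
    """Build a non-repeating pattern of `length` characters.

    Same scheme as pattern_create.rb: triples of upper, lower, digit, so any
    4-character window is unique (up to 26*26*10*3 = 20280 characters).
    """
    out = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]  # pattern exhausted


def pattern_offset(value: str, length: int = 2700) -> int:
    """Locate a crash value in the pattern of the given length.

    `value` is either the ASCII fragment ("8Db9") or the 32-bit register value
    as shown in the debugger ("39624438" or "0x39624438"). A register value is
    decoded as little-endian bytes first, which is what pattern_offset.rb does.
    Returns the 0-based offset, or -1 if the value does not occur.
    """
    v = value[2:] if value.lower().startswith("0x") else value
    if len(v) == 8 and all(c in HEX for c in v):
        needle = struct.pack("<I", int(v, 16)).decode("ascii", errors="replace")
    else:
        needle = v
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Reproduces the two commands above: a 2700-byte pattern and the offset of
    # EIP = 0x39624438 (bytes 38 44 62 39 = "8Db9").
    print(pattern_create(2700)[:30], "...")
    print(pattern_offset("39624438"))
```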

Bad characters

  • Use all byte values (\x01\x02 ... \xff) and append them to the buffer; any byte that is truncated or altered in memory is a bad character and is removed before the next round
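The bad-character round described above is iterative: send every byte value, compare what the debugger shows in memory with what was sent, add the first byte that did not survive to the exclusion list, and repeat until the whole buffer arrives intact. The following Python is an added example, not part of the original notes; `simulated_target` is a constructed stand-in for the target process (it behaves like a line-oriented parser that stops at LF and turns CR into LF) so the loop runs offline.

```python
def badchar_payload(exclude=(0x00,)) -> bytes:
    """All byte values 0x01..0xff, minus the ones already known to be bad."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def first_mangled_byte(sent: bytes, observed: bytes):
    """Compare the bytes sent with the bytes the debugger shows in memory.

    Returns the first sent byte value that did not survive (either the buffer
    was truncated there or the byte was substituted), or None if all matched.
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def discover_bad_chars(send, known=(0x00,), max_rounds=32):
    """Repeat the send/compare round until no byte is mangled.

    `send(payload)` must return the bytes observed in memory after sending
    `payload`. Returns the sorted list of bad characters found.
    """
    bad = set(known)
    for _ in range(max_rounds):
        payload = badchar_payload(bad)
        mangled = first_mangled_byte(payload, send(payload))
        if mangled is None:
            return sorted(bad)
        bad.add(mangled)
    raise RuntimeError("still finding bad characters after %d rounds" % max_rounds)


def simulated_target(payload: bytes) -> bytes:
    """Constructed stand-in for the target: copies the input up to the first LF
    (0x0a) and converts CR (0x0d) to LF, as a line-based parser might."""
    return payload.split(b"\x0a")[0].replace(b"\x0d", b"\x0a")


if __name__ == "__main__":
    print([hex(b) for b in discover_bad_chars(simulated_target)])
```

Three rounds are needed against the simulated target: the first finds 0x0a (the buffer is cut there), the second finds 0x0d (it comes back as 0x0a), the third arrives intact.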

Finding Gadgets

When main program is not memory protected

EDB -> Op code searcher

Example: ESP -> EIP

When main program is memory protected

  • Find a variable that loads a memory location into a register and offset from that
  • Find a module with no memory protection whose module (base) address does not contain any bad characters
    !mona modules

    • Open the modules view (e) and open the selected module
    • Search for instructions such as
      • JMP ESP
      • PUSH ESP
      • RETN
  • If not found, look at the modules list (m) and check the other sections (if DEP or ASLR is not enabled)
nasm_shell (to get the opcode)
  > jmp esp
  > FF E4

!mona find -s "\xff\xe4" -m slmfc.dll
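The checks in this section (is the module compiled without ASLR and DEP, does its load address contain bad characters, does it contain the FF E4 sequence) are the same ones a defender runs to decide which binaries in a build need /DYNAMICBASE and /NXCOMPAT. The following Python is an added example, not part of the original notes or of mona: it reads ImageBase and DllCharacteristics from the PE headers, applies the bad-character test to the base and to each FF E4 location, and reports a finding when an unprotected module exposes one. `build_sample_pe` constructs a minimal PE32 image in memory so the audit runs offline; the sample body is treated as a flat image (file offset equals RVA), which a real audit would replace by mapping offsets through the section table.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in (/NXCOMPAT)
JMP_ESP = b"\xff\xe4"                           # opcode from nasm_shell above


def pe_mitigations(data: bytes) -> dict:
    """Read ImageBase and the ASLR/DEP flags from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                            # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                          # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset for PE32 and PE32+
    return {
        "image_base": image_base,
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def has_bad_chars(address: int, bad: bytes, width: int = 4) -> bool:
    """True if the little-endian encoding of `address` contains a bad character."""
    return any(b in bad for b in address.to_bytes(width, "little"))


def audit_module(data: bytes, bad: bytes = b"\x00\x0a\x0d") -> dict:
    """Report what !mona modules / !mona find would show for this module."""
    info = pe_mitigations(data)
    info["base_has_bad_chars"] = has_bad_chars(info["image_base"], bad)
    # Flat-image simplification: offset into `data` is used as the RVA.
    info["jmp_esp_offsets"] = [i for i in range(len(data) - 1) if data[i:i + 2] == JMP_ESP]
    # A module without ASLR loads at a fixed address; without DEP its contents are
    # executable. A JMP ESP inside it at an address free of bad characters is the
    # condition the notes above look for, so flag it as a finding.
    info["unprotected_jmp_esp"] = (
        not info["aslr"] and not info["dep"]
        and any(not has_bad_chars(info["image_base"] + off, bad)
                for off in info["jmp_esp_offsets"])
    )
    return info


def build_sample_pe(image_base: int, dllchars: int, body: bytes) -> bytes:
    """Constructed minimal PE32 image (not a real DLL): DOS header, PE signature,
    COFF header, 224-byte optional header, then `body` as the module contents."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


# Constructed module body: padding with a single FF E4 at offset 0x100 of the body.
SAMPLE_BODY = b"\x90" * 0x100 + JMP_ESP + b"\x90" * 0x20

if __name__ == "__main__":
    for name, flags in (("unprotected", 0x0000), ("aslr+dep", 0x0140)):
        print(name, audit_module(build_sample_pe(0x62500000, flags, SAMPLE_BODY)))
```

On the constructed sample the base 0x62500000 itself contains a 0x00 byte, yet the FF E4 at 0x62500238 does not, which is why the test is applied to the full pointer rather than only to the base; the same module rebuilt with DYNAMIC_BASE and NX_COMPAT set produces no finding.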