First step always, let’s check binary protections using
Great, this should be easy. Now let’s run the binary to check what it does.
Takes an argument and print it. Let’s find out if the binary is vulnerable or not by trying to crash it.
Segfault -> accessing memory that does not belong to us.
It crashes before 300 bytes, next step is to know where exactly does it crash. (finding the offset, how many chars overwrite EIP)
Great offset is 268, after 268 bytes we can overwrite EIP.
EIP (Extended Instruction Pointer) register tells the computer where to go next to execute the next command.
Let’s verify that we overwrite EIP.
0x42 = B
\x90 = NOP/no-op is an assembly instruction that does nothing.
We use NOPS to make sure that our exploit doesn’t fail.
Now let’s get the location of ESP.
Now let’s take some shellcode.
Shellcode is our payload, lot of
\x** characters together. Shellcode will gives us a shell.
We’re on x86 OS :
So we will search for x86 /bin/sh shellcode. We can use this 23bytes one shellcode /bin/sh
So the idea of the exploit will be this :
We will fill the buffer with “A”, we will reach the EIP and overwrite it with a new address that points to our shellcode, then we will add NOPS , and finally the shellcode.
The exploit will look like this :
"A" * 268 + ESP Location Reversed + NOPS + Shellcode
When you debugging a binary in gdb or whatever debugger you choose, the actual memory location of everything in that binary might be slightly off, so let’s add 1-2 addresses later.
We can use
We have root shell!, we can also code a simple exploit for that.