I could go into a lot of detail here, but I guess it would be mostly off-topic.
However generally a successful buffer overflow attack requires two things:
- A static buffer (keeping things simple) being overwritten such that a function return address on the stack can be modified.
- A piece of shellcode somewhere in the processes address-space.
Once you've written past the end of the buffer to be overflowed, and modified the saved "return address" value you want to write the address of your shellcode there. The net result is that once the buffer is overflown your own code gets executed, and you win!
Traditionally this is done by saving the code to execute in an environmental variable - which will exist in all processes spawned by a parent shell, and which won't move around.
So the process becomes:
- run /bin/sh
- setup the $EGG variable via "export EGG=shellcode..." (remember that environmental variables can contain binary data)
- Construct an overly long argument/parameter/fileinputand feed it to your vulnerable program - attempting to cause the overritten return address/EIP to be set to getenv( "EGG")
- Profit!
Or you could cheat and use a pre-made tool to do all the work ..
Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
Read Where should I post X? if you're not absolutely sure you're posting in the right place.
Please read these before you post! —
Posts may use any of the Perl Monks Approved HTML tags:
- a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
| |
For: |
|
Use: |
| & | | & |
| < | | < |
| > | | > |
| [ | | [ |
| ] | | ] |
Link using PerlMonks shortcuts! What shortcuts can I use for linking?
See Writeup Formatting Tips and other pages linked from there for more info.