Module 10 ( Intro Buffer OverFlow)


Last updated 10 months ago

Architecture Fundamentals (Numbers)

Number System   Base   Used digits
Binary          2      0,1
Octal           8      0,1,2,3,4,5,6,7
Decimal         10     0,1,2,3,4,5,6,7,8,9
Hexadecimal     16     0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F

Example

Binary   Decimal   Hexadecimal
0000     0         0x0
0001     1         0x1
0010     2         0x2
0011     3         0x3
0100     4         0x4
0101     5         0x5
0110     6         0x6
0111     7         0x7
1111     15        0xf

bit    => 0 OR 1
byte   => 00001010 => 0x0A                               ===> bits 0 to 7  (8 bits)
H-Word => 0000000000000000 => 0x0000                     ===> bits 0 to 15 (16 bits)
Word   => 00000000000000000000000000000000 => 0x00000000 ===> bits 0 to 31 (32 bits)

Note that x86 tooling such as Immunity Debugger names the 16-bit unit a WORD and the 32-bit unit a DWORD (hence the DWORD PTR operands in the disassembly below).

BUFFER OVERFLOW

A buffer overflow occurs when the size of the data written exceeds the storage capacity of the memory buffer, so the excess bytes spill into the adjacent memory.

WHAT ARE BUFFERS?

Buffers are memory storage regions that temporarily hold data while it is being transferred from one location to another.

CAUSE

A buffer overflow is triggered by user input that is longer than the buffer meant to hold it.

To avoid buffer overflow vulnerabilities, the developer must check the input length before calling any function that could write past the end of the buffer.

These attacks are made possible by unsafe C library functions that copy data without checking the size of the destination.

Five common unsafe functions that can lead to a buffer overflow vulnerability are: printf, sprintf, strcat, strcpy, and gets.
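An added example, not part of the original module, showing the check the text calls for: the unchecked strcpy into an 8-byte stack buffer (the same shape as the module's example program) beside a length-checked copy that refuses input which cannot fit together with its NUL terminator. The function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8   /* same 8-byte buffer as the module's example program */

/* Vulnerable form: strcpy() copies until it finds the NUL terminator of
 * the input and never looks at the size of the destination buffer. */
void copy_unchecked(char *buffer, const char *input)
{
    strcpy(buffer, input);  /* overflows when strlen(input) >= BUF_SIZE */
}

/* Hardened form: verify that the input fits (including its terminator)
 * before copying, and copy only the bytes that were checked.
 * Returns 0 on success, -1 (leaving dst untouched) if it does not fit. */
int copy_checked(char *dst, size_t dst_size, const char *input)
{
    size_t len = strlen(input);
    if (dst_size == 0 || len >= dst_size) {
        return -1;              /* no room for len bytes plus the NUL */
    }
    memcpy(dst, input, len + 1); /* the +1 copies the terminator too */
    return 0;
}

/* What a hardened main() does with argv[1]: also rejects a missing
 * argument, which the unchecked program would dereference as NULL. */
int handle_argument(const char *arg, char *out, size_t out_size)
{
    if (arg == NULL) {
        return -1;
    }
    return copy_checked(out, out_size, arg);
}

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    const char *arg = (argc > 1) ? argv[1] : NULL;

    if (handle_argument(arg, buffer, sizeof buffer) != 0) {
        fprintf(stderr, "input rejected: at most %d characters\n", BUF_SIZE - 1);
        return 1;
    }
    printf("copied safely: %s\n", buffer);
    return 0;
}
```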

MEMORY LAYOUT

Data written into the buffer grows from lower memory towards higher memory, that is, towards the saved Base Pointer (EBP) and the saved Instruction Pointer (EIP)/return address.

Right after the saved Base Pointer (at the next higher address, shown just below it in the debugger's stack window) sits the return address, which a long enough write reaches.

The function's local variables, including the buffer, are stored above the saved Base Pointer in the debugger's stack view (at lower addresses), which is why overflowing the buffer first overwrites EBP and then the return address.

Intro to BOF

Buffer Overflow

Example code

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char Buffer[8];            /* 8-byte buffer on the stack */
    strcpy(Buffer, argv[1]);   /* no length check: an argument longer than 7 characters overflows Buffer */
    return 0;
}
  • Step 1: open Immunity Debugger

  • Step 2: run the app

  • Step 3: inspect the main code

Main Code

00401500  /$ 55             PUSH EBP                        # save the caller's EBP
00401501  |. 89E5           MOV EBP,ESP                     # new frame base
00401503  |. 83E4 F0        AND ESP,FFFFFFF0                # 16-byte align the stack
00401506  |. 83EC 20        SUB ESP,20                      # reserve 0x20 bytes of locals (Buffer lives here)

00401509  |. E8 72090000    CALL Buffer.00401E80            # compiler-inserted runtime call
0040150E  |. 8B45 0C        MOV EAX,DWORD PTR SS:[EBP+C]    # EAX = argv
00401511  |. 83C0 04        ADD EAX,4                       # EAX = &argv[1]
00401514  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]      # EAX = argv[1]
00401516  |. 894424 04      MOV DWORD PTR SS:[ESP+4],EAX    # second strcpy argument (source)
0040151A  |. 8D4424 18      LEA EAX,DWORD PTR SS:[ESP+18]   # EAX = address of Buffer
0040151E  |. 890424         MOV DWORD PTR SS:[ESP],EAX      # first strcpy argument (destination)

00401521  |. E8 D2100000    CALL <JMP.&msvcrt.strcpy>       # strcpy(Buffer, argv[1])
00401526  |. B8 00000000    MOV EAX,0                       # return 0
0040152B  |. C9             LEAVE                           # ESP = EBP; POP EBP (restores the saved EBP)
0040152C  \. C3             RETN                            # pops the return address into EIP

Register

Instruction Pointer   EIP =
Stack Pointer         ESP =
Base Pointer          EBP =

Security Implementations

  • What are the vulnerable functions?

    • gets

    • scanf

    • sprintf

    • strcpy

  • What are the security implementations (mitigations)?

    • ASLR, DEP, stack canary...

  • How are they bypassed?

    • SEH overwrite, ret to libc, etc...