Buffer overflows can be approached almost systematically if there are no memory exploitation defense mechanisms in place. This post will go over the basic steps to successfully execute a stack-based buffer overflow attack to achieve code execution with an EIP overwrite.
Steps to Success
1. Identify the buffer that will overflow.
2. Determine the buffer length that causes the crash.
3. Determine the offset at which the buffer overwrites the instruction pointer.
4. Determine the bad characters that will cause the exploit to fail.
5. Determine which register(s) we will be able to write to using our buffer.
6. If none of the registers have easy access to our buffer, send a staged payload.
7. Find a loaded module with the fewest memory exploit protections and locate a JMP instruction that jumps to the register found in step 5.
8. Overwrite EIP with the JMP address from step 7.
9. Generate shellcode within the restrictions identified above (bad characters, available space).
10. Prepend a sufficiently long NOP sled to the shellcode.
11. Place the shellcode in the buffer location that the register identified in step 5 points to.
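The whole checklist above only applies when the target contains the coding defect that makes the saved return address reachable: an unbounded copy into a fixed-size stack buffer. The following C snippet is an added example, not code from the original post, showing that pattern next to its hardened form. The function names (`greet_vulnerable`, `greet_safe`, `demo_reject_overflow`), the 64-byte `NAME_LEN` buffer and the 200-byte test input are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 64   /* constructed buffer size for the example */

/* Vulnerable pattern: strcpy copies until the NUL terminator with no
 * regard for the destination size. Input longer than NAME_LEN-1 bytes
 * runs past 'name' into adjacent stack data, including the saved
 * return address that step 8 above overwrites. Never call this with
 * untrusted input; it is here only to show the defect. */
void greet_vulnerable(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);          /* no length check: the bug */
    printf("Hello, %s\n", name);
}

/* Hardened form: check the caller-supplied length against the real
 * buffer size before copying and refuse over-long input outright.
 * Returns 0 on success and -1 when the input is rejected. */
int greet_safe(const char *input, size_t input_len) {
    char name[NAME_LEN];
    if (input == NULL || input_len >= sizeof name) {
        return -1;                /* reject rather than truncate silently */
    }
    memcpy(name, input, input_len);
    name[input_len] = '\0';       /* always NUL-terminate */
    printf("Hello, %s\n", name);
    return 0;
}

/* Demo: feed a constructed 199-byte run of 'A' (the classic crash
 * input from step 2) to the hardened function and report its verdict. */
int demo_reject_overflow(void) {
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return greet_safe(big, strlen(big));
}

int main(void) {
    /* In-range input is accepted; the over-long input is refused. */
    printf("short input -> %d\n", greet_safe("alice", 5));
    printf("long input  -> %d\n", demo_reject_overflow());
    return 0;
}
```

The point of the contrast is that the length check removes the precondition for every later step: with no write past the end of `name`, there is no saved EIP to overwrite, no offset to find and no register to jump through. Compiler and OS mitigations (stack canaries, non-executable stacks, ASLR) are the "defense mechanisms" the opening paragraph refers to; they make the attack harder to carry out but do not fix the underlying copy, so the bounded copy is the actual remediation.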