Description:
Welcome to Part 3 of the Exploit Research Megaprimer.
Please begin this series by watching Part 1, if you have not already done so! In this video, we will look at how to exploit a simple buffer overflow caused by misuse of the strcpy function. You can download the vulnerable server Server-Strcpy.exe and follow along with this video.
We will take the vulnerable server, understand how it works, write a Python program to cause a buffer overflow, use Immunity Debugger to investigate the overflow, and find the offset of the Return Address and ESP from the start of the user input. Then we will create a payload and try to exploit the overflow, but we will find that our payload and return address contain the bad character 0x00. We will then learn how to find bad characters, use a "JMP ESP" address in a DLL to exploit this overflow, and use msfpayload and msfencode to create a payload without the bad characters to finally exploit this overflow! We will be looking at some new concepts, including jumping to our payload on the stack using a "JMP ESP" instruction, finding and removing bad characters, and understanding the need for a NOP sled.
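As an added example (not the video's own server code), the unbounded strcpy pattern the video exploits beside a bounded replacement, plus a small check of why 0x00 is a bad character for a strcpy-based copy; the 64-byte buffer size and the handler names are assumptions:

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* assumed size of the server's stack buffer */

/* The defect the video exploits: strcpy copies until the first NUL byte and
 * never checks the destination size, so input longer than the buffer
 * overwrites the saved return address. Kept only for comparison with the
 * hardened handler below; never call it with untrusted input. */
void handle_request_vulnerable(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);
    printf("request: %s\n", buf);
}

/* Hardened handler: the length is checked against the destination before
 * any copy and the copy is bounded. Returns 0 on success, -1 if rejected. */
int handle_request_safe(const char *input, size_t input_len) {
    char buf[BUF_SIZE];
    if (input_len >= sizeof buf) {
        return -1;                 /* over-long input is rejected, not copied */
    }
    memcpy(buf, input, input_len);
    buf[input_len] = '\0';
    printf("request: %s\n", buf);
    return 0;
}

/* Why 0x00 is a "bad character" here: strcpy stops at the first NUL, so any
 * byte after it never reaches the destination. Returns how many of the 'len'
 * received bytes strcpy actually copied (0 if the demo input is too long). */
size_t bytes_copied_by_strcpy(const char *data, size_t len) {
    char src[BUF_SIZE] = {0};      /* zeroed, so src is always NUL-terminated */
    char dst[BUF_SIZE] = {0};
    if (len >= sizeof src) {
        return 0;                  /* keep this demo itself in bounds */
    }
    memcpy(src, data, len);        /* the raw bytes as received on the wire */
    strcpy(dst, src);              /* stops at the first 0x00 in src */
    return strlen(dst);
}

int main(void) {
    char oversized[200];                             /* constructed input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("safe handler, 199 bytes: %d\n", handle_request_safe(oversized, 199));
    printf("safe handler, \"hi\": %d\n", handle_request_safe("hi", 2));
    printf("copied from \"AB\\0CD\": %zu\n", bytes_copied_by_strcpy("AB\0CD", 5));
    return 0;
}
```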
Hope you enjoy this video! It's a 30-minute-long journey :) Please do leave your comments behind.
Tags: basics
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Comments:
Interesting. I hope there will be some information on fuzzing as well in one of the other videos or in future ones.
Great video Vivek. Nicely explained. I am starting to grasp exploiting and assembly at the same time. Great work.
Very good tutorial Vivek!
thank you, very well explained
I can remove bad characters! wow
I succeed and really thank you.
Another great video, ty :D. I've tried loading a different .dll JMP address and it works :D
Hello vivek,
I have successfully made the exploit!!
Now on Windows 7, just "hi" is crashing the server!!
Please help me: why is it not running on Windows 7?
I am just trying to telnet and send "hi" to the server and it crashes!!
Can anyone help me?
Why does the shellcode address change during exploitation...
When I get the dump of the stack I can see that my net EIP has changed..
If my address is 0028ff40
then the dump contains:
...AAAA47ff2800 <then rest of shellcode>
Why does it change to 47?
I run this exploit both in Windows XP and 7... the problem remains the same...
If I change the address to something else then it won't get incremented...
Even when I tried adding NOP sleds the address still changes, accordingly pointing to the middle of the shellcode..
Great tutorial.
But I have trouble understanding why a "nop sled" must be used here. Won't "JMP ESP" always jump to where ESP is? If so, what is the point of using a "nop sled" in this case?
If not, what exactly does JMP ESP do?
I'd appreciate it if someone can explain it in layman's terms to me....
very nice
Great! Your works are very helpful to us...
And we are requesting you to post the sources of these servers for all the other videos too...
Thanks man.
If you published your source code for both the memcpy and strcpy servers, we would be able to compile this code for all versions of Windows like XP, Windows 2000, Windows 2003, Windows 7, Windows 8, etc...