21 hours 43 minutes
Fuzzing the application
Our learning objective is to understand how to fuzz an application and find the offset where EIP is overwritten.
So we had our proof-of-concept test script that just sent a message to the vulnerable program, and it sent a message back. Our objective now is to see if we can actually overwrite the buffer of the application and cause it to crash.
What we'd like to do is figure out how we can control EIP, which I'll show you in the debugger. What this Python script that I wrote does is send an array of buffers: it sends 50 A's over and over, in increments of fifty, until the program crashes. So we want to figure out where exactly we crashed this program with our A's.
So what I'll do is start up this program again from our desktop. Oops, not set up. We're just going to start Immunity Debugger. If you get stuck here you can always go to see. And what we'll do again is open the stack buffer overflow (quite a mouthful), cancel out of this, and make sure it's running.
So what I'm gonna do now is go back and run the fuzzer. Now you see it fuzzing, and now it stops at 150. So if we go back to Immunity Debugger, EIP is overwritten here, and so is EBP, with 41 41 41 41.
So now we need to figure out exactly where it caused it to crash, and we see it's around 150. Now, what's in the guide is he sends, I think, 1024 A's, which crashes the program, so I'm going to use that as our test next.
So what we'll do is use pattern_create. It's in here: /usr/share/metasploit-framework/tools/exploit. So we're going to create a long string of characters to find our offset. So what we'll do here is run pattern_create with a length of 1024, which is what's in the guide, right? So we take this and we make a script out of that.
So what I did is create another script. You should have that script where he sent 1024 A's. This is taking all these characters, and now I'm just putting them here where it said A times 1024, and just putting in this long string of alphanumeric characters, 1024 to be exact. And now we're gonna send this to try to find exactly where we overwrite EIP.
So if I go back (a lot of back and forth with the buffer overflow), so I'm going to go back, hit the play button again, make sure you're up and running. Now I'm going to go back and send the pattern_create Python script. So now we see EIP was overwritten here: 39654138.
So what I have to do now is figure out where it was overwritten, and we can use another module in Metasploit called pattern_offset to find exactly where we've crashed the program and controlled EIP. So what we do now is run pattern_offset. Our length is 1024, and -q with the value where we crashed the program, 39654138. And we see there is an exact match at 146, which was around that 150 mark where we saw the program crash from our fuzzer.
So what we want to do now is be sure that the offset is 146. So I've created this other program, and you may have seen that I launched this earlier. But here's our offset. We have A times 146, which is right here, our exact match at 146, and I want to send four B's, and I'm gonna send 90 C's. You could make that less than that if you wanted. But the important thing is seeing if our four B's land and overwrite EIP, to make sure that we have controlled EIP.
So we'll go back (like I said, a lot of back and forth here), we'll start this again, and now we will send our offset script and see if we've overwritten EIP with those B's, which should be hex character 42; we sent four of them. So going back, we see EIP was overwritten by our four B's, 42 42 42 42. So now we know that our offset is correct.
So now we should understand how we can cause a vulnerable application to crash. You saw me do that with the fuzzer. You saw how we can use Metasploit to do that pattern_create, so it creates a unique pattern of characters. Then we can send that payload and crash the application, and from that determine from EIP where it crashed exactly by using pattern_offset, and then set up another payload where we not only send the exact amount of A's but the four B's and the C's after that, to ensure that we're cleanly overwriting EIP.
And in summary, we should understand how to fuzz an application and find the offset where EIP is overwritten.
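The following is an added, offline walk-through of the three steps the lesson describes (step-size fuzzing, pattern_create, pattern_offset, and the A/B/C verification payload). It is not the instructor's script, the guide's script, or Metasploit's code; the `fake_target` function is a constructed stand-in that raises an exception at the 150-byte mark where the video's target crashed, so nothing is sent to a real program. The pattern ordering (Aa0Aa1...Zz9) and the little-endian handling of an 8-hex-digit `-q` value follow what the Metasploit tools do with the value 39654138 seen in the debugger.

```python
"""Offline model of: fuzz -> pattern_create -> pattern_offset -> verify offset.
Added example; the target is a constructed stand-in, not the lesson's program."""
import string
from typing import Callable, Optional


# --- step 1: fuzz in steps of 50 until the target "crashes" ------------------
class TargetCrashed(Exception):
    """Stands in for the socket error / silence a real crash would produce."""


def fake_target(payload: bytes) -> None:
    # Constructed stand-in: the video's application died once the fuzzer had
    # grown its buffer to 150 bytes, so this model "crashes" at that length.
    if len(payload) >= 150:
        raise TargetCrashed(len(payload))


def fuzz(send: Callable[[bytes], None], step: int = 50, limit: int = 2000) -> Optional[int]:
    """Send growing runs of A's; return the length at which the target crashed."""
    length = step
    while length <= limit:
        try:
            send(b"A" * length)
        except TargetCrashed:
            return length
        length += step
    return None


# --- step 2: a Metasploit-style cyclic pattern --------------------------------
def pattern_create(length: int) -> bytes:
    """Upper/lower/digit triples in the same order as pattern_create
    (Aa0 Aa1 ... Aa9 Ab0 ... Zz9), repeating if more than 20280 bytes are asked for."""
    out = bytearray()
    while len(out) < length:
        for upper in string.ascii_uppercase:
            for lower in string.ascii_lowercase:
                for digit in string.digits:
                    out += (upper + lower + digit).encode()
                    if len(out) >= length:
                        return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(length: int, query: str) -> Optional[int]:
    """Mirror pattern_offset -q: accept either the four characters that landed in
    EIP, or the 8-hex-digit register value as the debugger prints it.  x86 is
    little-endian, so 0x39654138 corresponds to the bytes b"8Ae9" in the buffer."""
    if len(query) == 8 and all(c in string.hexdigits for c in query):
        needle = int(query, 16).to_bytes(4, "little")
    else:
        needle = query.encode()
    idx = pattern_create(length).find(needle)
    return idx if idx != -1 else None


# --- step 3: the verification payload -----------------------------------------
def build_offset_check(offset: int, trailer: int = 90) -> bytes:
    """A's up to the offset, four B's where EIP should land, then C's (90 in the video)."""
    return b"A" * offset + b"B" * 4 + b"C" * trailer


def eip_after_send(payload: bytes, offset: int) -> str:
    """What EIP would show if `offset` is right: the 4 bytes at that position,
    read little-endian and printed as 8 hex digits (42424242 for four B's)."""
    word = payload[offset:offset + 4]
    return f"{int.from_bytes(word, 'little'):08X}"


if __name__ == "__main__":
    crash_len = fuzz(fake_target)                   # 150, as in the video
    offset = pattern_offset(1024, "39654138")       # 146
    check = build_offset_check(offset)
    print(f"crashed at {crash_len} bytes; EIP offset {offset}; "
          f"verification payload puts {eip_after_send(check, offset)} in EIP")
```

The reason `pattern_offset` reports 146 rather than the fuzzer's 150 is visible in the arithmetic: 146 is not a multiple of 3, so the four bytes at that position straddle two triples ("Ae8" and "Ae9"), which is exactly why the register holds "8Ae9" and not a whole triple. Handing the function a value that never occurs in the pattern returns `None`, the same situation in which the real tool prints no match and the likely cause is a bad-character or truncation problem rather than a wrong length.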