Setting up the environment
Our learning objective is to understand how to set up the environment to practice the buffer overflow.
So, first things first, I want to give credit to Justin Steven here for making this vulnerable program, dostackbufferoverflowgood, and also for creating the tutorial that goes through it. It explains why the program is vulnerable. There's a lot of detail in it and I recommend that you read through it, so you understand why we're able to take advantage of this stack buffer overflow in the dostackbufferoverflowgood executable.
And here's the PDF. You'll notice that he added Python 3 to this. Why did he do that? Because recently, I think last year, we switched over to Python 3 from Python 2. So if you go to the command prompt and type in python --version, or if I just type in python, it's going to use Python 3.9.1.
The way he wrote it first was using Python 2, and how we know that is the test script he used. We can see it's using Python 2. Well, how do I do that? I run it with ./ from this directory, so the interpreter named in the script's shebang line gets used, and that executes it with Python 2 instead of Python 3.
So what I'm going to do is remote desktop over to our vulnerable Windows machine. This is a Windows machine that I downloaded from the Microsoft Developer site. These are free to use for 30 days, a 30-day trial.
Here I have my user, my host, username, password, and full screen. Full screen makes things a lot easier for you. But then you might go, "Oh no, how do I get out of here?" Well, you do Ctrl+Alt+Enter, or for Mac, Control+Option+Enter. I'll try that now, and you can see it takes us out of full screen mode, but I want to stay in full screen mode to show you this.
So you'll notice we have Immunity Debugger here, and we have our dostackbufferoverflowgood here. What I'll be doing a lot is attaching to or opening this program. You can do it two ways.
You can open up Immunity Debugger, do File > Open, and here's the executable. You'll notice it pops up here, but it's going to pause, so you need to hit this play button here, maybe more than once, to make sure the program is running.
So you can do it that way, or, let's get out of here, I'll launch the program, then I'll launch Immunity Debugger, find it here, and attach. And again it will pause it and I'll need to hit play to make sure that it's running.
Now, what I want to do, as you'll see coming out of full screen mode, it's really hard to see now, is launch this here. Let me make it nicer for you.
This is the test script he has in his PDF. He really does a great job with comments. It sets the IP, so of course we have to set that to the IP of our victim host. The port is going to be the same, the "elite" port. We're creating the TCP connection here, we're building a little message where the buffer will go, and right now the buffer is just "python script". It prints out what we sent, receives some data, and then prints out what we received.
So we should be able to execute this and see what happens. So it sent "python script" and received "Hello python script". It's very friendly.
If we go back to full screen mode here, you'll notice, if we go back to our program, we see that connection that came through, how many bytes were received and how many bytes were sent.
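The test script described above, written here for Python 3 as an added example (this is not Justin Steven's script or the text of his PDF): a TCP client that builds the message, connects, sends it, and prints the reply. The one thing that actually changes between Python 2 and 3 is that sockets take bytes, not str, so the buffer is encoded before sending. RHOST and RPORT (31337) are assumptions you change to match your victim host; the stub server is a constructed stand-in so the client can be exercised offline, and its reply text is not the real program's.

```python
import socket
import threading

# Assumptions (not from the video): the victim's IP and the listener port.
# Change both to match your lab; 31337 is written here as the "elite" port.
RHOST = "192.168.56.101"
RPORT = 31337


def build_message(text: str) -> bytes:
    """Build the payload that will later hold the fuzzing buffer.

    Python 3 sockets take bytes, not str, so the text is encoded here.
    latin-1 maps every byte value 0-255 one-to-one, which matters once
    the buffer contains raw, non-ASCII bytes."""
    return text.encode("latin-1") + b"\n"


def exchange(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Open a TCP connection, send the payload, and return the server's reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        print("Sent: %r" % payload)
        data = s.recv(1024)
        print("Received: %r" % data)
        return data


def start_stub_server(port: int = 0) -> int:
    """Constructed stand-in for the vulnerable program so the client can run
    offline. It greets the sender once; the real program's reply may differ.
    Returns the port it is listening on (0 = pick a free one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            got = conn.recv(1024)
            conn.sendall(b"Hello " + got.rstrip(b"\n") + b"!")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Against the lab machine you would call:
    #   exchange(RHOST, RPORT, build_message("python script"))
    # Offline demonstration against the constructed stub:
    stub_port = start_stub_server()
    exchange("127.0.0.1", stub_port, build_message("python script"))
```

Run it against the lab by swapping the stub call for exchange(RHOST, RPORT, ...); the victim's program window should then show the connection and the byte counts, as in the video. Keeping the buffer in build_message is what makes the next step easy: the fuzzing run only has to pass a long string of A's into it.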
The next step is to fuzz the program and see if it crashes by sending a long string of A's. So stay tuned for our fuzzing next.
So in summary, we should now understand how to set up the environment to practice the buffer overflow.