Friday, April 1, 2011

Word List Builder Buffer Overflow Write-Up

Hi all,
This is a short write-up of the Word List Builder buffer overflow.
If you’re not familiar with buffer overflows, please read these tutorials first:
Exploit writing tutorial part 1 : Stack Based Overflows
Exploit writing tutorial part 3 : SEH Based Exploits

Triggering the vulnerability:

Opening a malformed .dic file causes the overflow.
Now we have to find the offsets at which “next SEH” and “SEH” are overwritten.
Run: !pvefindaddr suggest

We have it: next SEH is overwritten after 4108 bytes.
The next step is to find a pop pop ret sequence, again with Corelan’s tool.
Run: !pvefindaddr p

As you can see, every module is compiled with SafeSEH except the application binary itself, and the usable pop pop ret addresses in that binary contain a null byte. Since the null byte terminates the string, nothing placed after the “next SEH” and “SEH” overwrite can be used, so the shellcode must be placed before them.
Let’s exploit it.

Backward jump to the shellcode:

With a backward jump from nSEH into the shellcode, the exploit payload must look like this:
JUNK + SHELLCODE + JUMP + NSEH + SEH

Using an egg hunter:

This way we only need to jump back 34 bytes to reach the egg hunter, which then searches memory for the egg and the shellcode that follows it, so the exploit payload will look like this:
JUNK + EGG + SHELLCODE + EGG-HUNTER + NSEH + SEH
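As an added example that is not part of the original write-up, here is a small Python triage script a defender could run over a suspect .dic file: it reports any entry long enough to reach the nSEH offset given above (4108 bytes), the bytes of that entry that would land in nSEH and SEH, and any egg-hunter marker inside the oversized entry. It assumes one dictionary entry per line and the conventional egg marker of a 4-byte tag written twice; all inputs are constructed.

```python
"""Triage a .dic file for the oversized-entry condition in the write-up.

Added example, not code from the original post. Assumptions: one dictionary
entry per line; an egg-hunter marker is a 4-byte tag written twice (the usual
convention); any sample input used with this script is constructed.
"""
from __future__ import annotations
import re

# From the write-up: "next SEH" is overwritten after 4108 bytes of one entry,
# so bytes 4108..4111 land in nSEH and bytes 4112..4115 in the SEH pointer.
NSEH_OFFSET = 4108
SEH_OFFSET = NSEH_OFFSET + 4
# Egg marker: 4 printable bytes repeated. triage() only searches oversized
# entries, and runs of a single byte are ignored, so padding like "AAAAAAAA"
# and ordinary words such as "couscous" do not count as markers.
EGG_RE = re.compile(rb"(?P<tag>[\x21-\x7e]{4})(?P=tag)")


def oversized_entries(data: bytes) -> list[tuple[int, int]]:
    """Return (line_number, length) for every entry long enough to reach nSEH."""
    return [(n, len(line)) for n, line in enumerate(data.splitlines(), start=1)
            if len(line) >= NSEH_OFFSET]


def handler_bytes(entry: bytes) -> tuple[bytes, bytes]:
    """The 4 bytes of an entry that overwrite nSEH and the 4 that overwrite SEH."""
    padded = entry.ljust(SEH_OFFSET + 4, b"\x00")   # a short tail reads as zeros
    return padded[NSEH_OFFSET:SEH_OFFSET], padded[SEH_OFFSET:SEH_OFFSET + 4]


def egg_tags(entry: bytes) -> list[bytes]:
    """Distinct egg tags found in one entry (single-byte runs excluded)."""
    return sorted({m.group("tag") for m in EGG_RE.finditer(entry)
                   if len(set(m.group("tag"))) > 1})


def triage(data: bytes) -> dict:
    """Report every entry that can reach the SEH overwrite and what it carries."""
    findings = []
    for n, line in enumerate(data.splitlines(), start=1):
        if len(line) < NSEH_OFFSET:
            continue
        nseh, seh = handler_bytes(line)
        findings.append({"line": n, "length": len(line), "nseh": nseh, "seh": seh,
                         "seh_has_null": b"\x00" in seh, "egg_tags": egg_tags(line)})
    return {"verdict": "suspicious" if findings else "benign", "entries": findings}
```

A file whose longest entry stays well under 4108 bytes cannot reach the handler overwrite at all, which is also the check a patched parser should enforce before copying an entry.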

Thanks:

Thanks to all those who share their experience and knowledge.

6 comments:

Anonymous said...

Hey Are You Moroccan?

Hicham said...

Yes, Moroccan

Anonymous said...

Good :) Keep up the Great Work Brother:)

I'm from Safi :)

Hicham said...

Thanks brother,
I'm Soussi

Anonymous said...

Nice To Meet you :)

Tell me, is Metasploit necessary if we want to find a buffer overflow, or is XP enough for the job?

Anonymous said...

Good job man!
