Skip to content

Security Knowledge Base Buffer Overflow

Security Knowledge Base

Home
Bug hunting
Bug hunting
- Bounties
- Guides
Career
Career
- References
Certifications
Certifications
- Osce
  Osce
  - Preparation
- Oscp
  Oscp
  - Enumeration
  - preparation
  - Lab Setup
  - Notes
  - Practice
  - Tools
  - Cheatsheet
    Cheatsheet
    
    Cheatsheets
    
    Exploits
    
    Share files
    
    TTY
    
    Web
    
    Windows
    
    Enumeration
    Enumeration
    
    Network
    
    Vulnerability
    
    Windows local
Cloud
Cloud
- Aws s3
- Aws
- Azuer
Collections
Collections
Containers
Containers
Crypto
Crypto
- Tools
- z References
Ctf
Ctf
- Practice Resources
- Write-ups
- Hack the box
  Hack the box
  - CronOS
  - Bank
  - Bastard
  - Beep
  - Grandpa
  - Lame
  - Popcorn
  - Bashed[ippsec pending]
    Bashed[ippsec pending]
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Phpbash
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    05 UsersGroups
    
    ScriptResults
    ScriptResults
    
    LinEnum
    
    04 PrivEscalation
    04 PrivEscalation
    
    PrevEsc
  - Blue
    Blue
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    02 Exploitation
    02 Exploitation
    
    EternalBlue
  - Brainfuck
    Brainfuck
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    WebServices
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
  - Curling[ippsecpending]
    Curling[ippsecpending]
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    01 Joomla
    
    02 Binary
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Granny
    Granny
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Irked
    Irked
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Unreal
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Jerry[ippsec pending]
    Jerry[ippsec pending]
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Tomcat
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
  - Sense[ippsecpending]
    Sense[ippsecpending]
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Pfsense
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Silo[ippsecpending]
    Silo[ippsecpending]
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Oracle
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
- Template
  Template
  - Log
  - 01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
  - 03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
Databases
Databases
- Access
  Access
  - Tools
- Mongodb
  Mongodb
  - 0 cheatsheet
- Mysql
  Mysql
  - Cheatsheet
  - MySQL-Root to System-Root
- Oracle
  Oracle
  - Tools
- Sqlserver
  Sqlserver
Dfir
Dfir
- Cheatsheet
- CTFs
- Important Files
- Tools
- References
Embedded and iot
Embedded and iot
- Cheetshet
- FCC
- Protocols
- Tools
- References
- Scenario
  Scenario
  - Test Conditions
- Specific
  Specific
  - ATMs
  - Automobile
  - Bluetooth
  - Cameras
  - Locks
  - Printers
  - Ships
  - UEFI
- Techniques
  Techniques
  - Glitching
  - Side Channel
Exploits and shellcoding
Exploits and shellcoding
- Cheatsheet
- Buffer Overflow Buffer Overflow
  Table of contents
- Fuzzing
- Lateral Movement
- Memory Protection
- OS Linux Specific
- Payloads
- Practice
- Metasploit
- y Tool SilentTrinity
- Tools
- References
Identity and access management
Identity and access management
- Kerberos
- References
Languages
Languages
- GO
- Java
- Javascript
- NodeJS
- PHP
- Python
- Rails
- Regex
- Rust
Malware
Malware
Network
Network
Os
Os
- Android
  Android
  - Android
- Ios
  Ios
  - IOS
- Linux
  Linux
  - Cheatsheet
  - Important Files / Folders
  - Important issues
  - Kernel Exploitation
  - Privilege Escalation
  - Wildcards
  - Defense
  - Tools
    Tools
    
    Iptables
    
    Netcat (NC)
    
    tcpdump
    
    VI
- Macos
  Macos
  - Defense
- Windows
  Windows
  - Cheatsheet
  - Active Directory
  - Windows API
  - Events
  - HyperV
  - Important Endpoints
  - Important Files
  - Important issues
  - Important Processes
  - Important Registry Locations
  - Kernel Exploitation
  - Privilege Escalation
  - WMI
  - Defense Bypass
  - Defense
  - Tools
  - References
  - Credentials
    Credentials
    
    Hashes and Credentials
    
    Using Credentials
  - Powershell
    Powershell
    
    Cheatsheet
    
    Collections
    
    Modules
    
    Resources
Osint
Osint
- Tools
- References
Password attacks
Password attacks
Protocols and ports
Protocols and ports
- Citrix 1494
- DHCP
- DNS 53
- FTP 21
- Finger 79
- HTTP HTTPS 80,443
- IMAP 143,993
- IRC 8067
- LDAP 389
- Memcache
- Modbus 502
- MySQL 3306
- NFS 2049
- NTP 123
- References
- POP3 110
- PPTP L2TP VPN 500,1723
- Portmapper 111
- RDP 3389
- RPC 445
- SIP 5060
- SMB Samba NetBIOS 135 139,445
- SMTP 25
- SNMP 161
- SQL Server 1433,1434
- SSH 22
- TFTP 69
- Telnet 23
- Tor 9001,9030
- VNC 5900
- WebDev
- X11 6000
- Rlogin 513
- References
Reverse engineering
Reverse engineering
- 0 cheatsheet
- Defense
- Practice
- Tools
- References
- Linux
  Linux
  - ELF
  - GDB
  - Lab Setup
- Specific
  Specific
  - ARM
  - C / C++
  - .NET
  - Go
  - Java
  - Mobile App
- Windows
  Windows
  - PE Files
  - Tools
  - VBA
  - Defense
Rf and wireless
Rf and wireless
- Rfid nfc
- RaspberryPi
- SDR
Shellcoding
Shellcoding
- Reverse Shell
- Memorize the 8086 opcodes
Shells
Shells
- C++
- ICMP Shells
- Java
- Linux
- PHP
- Python
Steganography
Steganography
- Tools
Theoretical
Theoretical
- Pentesting Process
Vulnerable
Vulnerable
Web
Web
- Cheatsheet
- Client Side Attacks
- CMS
- Discovery
- Sharepoint
- SSL/TLS
- Defense Bypass
- Defense
- Tools
- References
- Scenario
  Scenario
- Vulnerabilities
  Vulnerabilities
  - Command injection
  - CRLF
  - CSRF
  - LFI / RFI
  - Open Redirect
  - PUT
  - SQL Injection
  - SSRF
  - XSS

Buffer Overflow

Introductions

Buffer Overflow Attack - Computerphile: https://www.youtube.com/watch?v=1S0aBV-Waeo
Binary Exploitation - Buffer Overflow Explained in Detail: https://0xrick.github.io/binary-exploitation/bof1/

Testing tools

Program to detect the existence of remote / local stack-based buffer-overflow vulnerabilities (FTP, IMAP, POP3 and SMTP): https://github.com/iricartb/buffer-overflow-vulnerability-services-tester-tool
https://hakin9.org/bovstt-buffer-overflow-vulnerability-services-tester-tool/

Generating Random Patterns

locate pattern_create
pattern_create.rb 2700
pattern_offset.rb 39624438

Bad characters

Use all hex combinations and append that to buffer (\x01\x02)

Finding Gadgets

When main program is not memory protected

EDB -> Op code searcher

Example : ESP -> EIP

When main program is memory protected

Find a var that loads a memory location into and offset that
Find a module with no memory protection and memory module address (base) does not contain any bad characters

!mona modules

Open modules and open the selected module (e)
Search for a instructions
- JUMP ESP
- PUSH ESP
- RTN
If not found look at modules list (m) and check in other sections (if DEP or ASLR is not enabled)

nasm_shell
  > jmp esp (to get get opcode)
  > FF E4

!mona find -s "\xff\xe4" -m slmfc.dll