what's up YouTube in today's video we
are going to learn how to exploit a
buffer overflow inside a Windows
application so let's get to it
all right to get started we're gonna
need to download some tools and the
first thing you're going to need to
download is the immunity debugger or any
debugger that you like to use so head on
over to the immunity website go to
products go to immunity debugger and
click the download link once you get
there you'll have to fill out this form
click download and you can install the
debugger now once you have the debugger
installed we're going to use a add-on
for it called Mona so go ahead and
download this PI file right here and
once you have it downloaded you're going
to place it inside the folder named PI
commands depending on wherever you
stalled immunity by defaults Program
Files immunity immunity debugger PI
commands and you can see that I have it
installed right here perfect ok now next
we're going to need a compiler and here
we can download mgw for Windows which
gives us GCC support to create binaries
for Windows so go ahead and download and
install that and I have mine installed
into the sea there we go folder right
here and now before you're all said and
done you're going to need to add the bin
directory to your Windows path that way
you can execute all the commands from
any location so let's go ahead and do
that now so go ahead and open up a
command prompt and then all you need to
do is execute the following command now
your replace Durer C colon backslash dur
with whatever folder you installed into
so in my case let's say go back and just
copy-paste this I would just copy this
and paste it right here and hit enter
and that will update my path I've
already did that so it's not necessary
so I'll show you
oops and you can see I have it installed
right here so now I can type GCC from
any location and access all those tools
so I can compile programs all right so
with that out of the way let's move on
alright so the first thing we're going
to need is a program in which we can
overflow so we need to write a
exploitable program so we're just going
to write a simple C program that will
contain a basic buffer overflow nothing
fancy so we're going to create a buffer
and give it let's say 50 characters
let's print something to the screen then
we're gonna use the gets function to
take whatever input the user types and
then store it into our variable now the
gets function is a vulnerable function
because that does not do any bound
checking so if the user were to enter
more than 50 characters gets would allow
this try to copy it to the buffer and it
will overflow the buffer which is
exactly what we want and finally we'll
just print the return to the user and
finally we'll execute a pause command
just this will just prevent our program
from closing on us when we're testing
actually since we're doing it not
through Visual Studio it's not really
necessary
so we'll just get rid of that actually
and there we go so
this is our basic program basically we
create a buffer of 50 bytes we ask the
user for the name we get their input
with the gets function we then print the
results and then when we close the
program all right so let's go ahead and
compile this and test it out so we're
okay desktop so just go desktop and then
we'll compile the code overflow that C
dash overflowed exe all right there we
go we can see our executable right here
so let's go ahead and run it almost
probably gonna trip my antivirus let's
give it a second there we go
all right so we'll just type in a name
and there you go hello hack copy all
good and done all right now let's take a
look and see what happens when we throw
a bunch of X's at it and overflow the
buffer and you can see the program
crashes all right so now it's time to
fire up our debugger and take a look
what's going on so if you haven't used
immunity debugger before don't worry
just follow along with me and just kind
of see what I'm doing it's not really
you don't really need to know the
nitty-gritty right now in a future video
I'll go over the debugger and kind of
show you all about it and the things
that you can do but for now just follow
along and to get started we will open
our program and you can see everything
gets loaded up so up here we're gonna
use these buttons and this little play
button will execute our program
so let's go ahead and click that and
when you do that it runs our program
down here in a window twice and now we
have our program so let's go ahead and
throw a bunch of X's in it let's see
what happens okay so something happen
you can see immunity debugger stopped
execution now if we get on our stack
here so this okay let me back up so
here's our AIP value and this is what we
want to gain control over and as you can
see we have gained control over it
because we have filled it or replaced it
rather with 7 8 7 8 7 8 and what is
seven eight well seven eight is the
decimal value of the letter X and we
just overflowed the buffer with a bunch
of X's and we over writ the EIP register
so you can see we'll also overflow the
EBP and down here you can see the stack
and you can see what's going on now if
you take notice you can see that right
here we have this memory address and if
you come up here that corresponds to the
ESP so what we need to do so actually
let me do this real quick so that's just
kind of what we have going on
so we filled our buffer with a bunch of
exes a whole bunch of junk bites all the
way up to the EBP so you can see the EBP
it's filled with seven h which is exes
continued on until we over writ the EIP
which is exes so at seventy eight and
then we continue to overwrite with exes
which you then filled the memory address
after the IP fill the memory address of
what the ESP is pointing so the ESP
register is pointing to this next
instruction so when this is complete and
theoretically would then jump to this
next memory address and continue
execution so what we want to do instead
of filling this data with seven eighths
which don't do anything this is where
our shellcode payload won't go so let's
go back junk bytes
let me fill our junk bytes we overwrite
the EBP then we want to overwrite the
EIP not with exes but with an actual
memory address to our shellcode which
will be placed right here in this
section of the buffer now how do we know
what memory address our shellcode will
be placed in well we don't and that's a
problem because we need to change the
EIP to point to the location of our
shellcode that way it will run our
shellcode and we then have controlled
the execution path so what we need to do
is find a method of pointing or rather
we need to find a method of getting our
the execution to jump to our shellcode
all right so let me just kind of affirm
getting a little bit ahead of myself so
that's why I'm stumbling a little bit I
don't want to say too much just yet so
let's kind of take a few steps back and
let's work up to that
all right so now let's go ahead and
let's introduce Mona so let's get that
started all right so we're gonna use
Mona and to do that you just do
exclamation mark four slash Mona and
that gives us access to the script and
what we're gonna do is we're going to
first configure it and this sets the
working directory for Mona because Mona
will create files and I need to know
where it wants to put it so go ahead and
run this command and you can place that
wherever you like I have already done so
so I don't need to do that actually I'll
just go ahead and do it so you can see
what happens so when you click it you
can see it's basically here just telling
you what it did so that's fine you can
go ahead and close that window and now
what we want to do is we want to find
the offset how many bytes do we need to
overflow before we reach the EIP value
and so mmm Mona has some cool tools for
that so what we're going to do is we're
going to do a pattern create a pattern
and we're going to create a pattern of
100 bytes so go ahead and execute the
command Mona did its magic and you can
see inside the Mona folder I messed up
something here I mean it's fine but it
shouldn't be percent yes what did I do
mmm 9% s 50% P so we'll go ahead and run
that again perfect let me go back here
just delete this folder I'll show you
what it's supposed to look like all
right so now let's go ahead and run that
patter configuration again this time
let's go back to our Mona folder and you
can see we have a folder with the name
of the program we are currently
debugging in immunity so open that and
there is a pattern dot txt file inside
that file is the contents of our
patterns so we have an ascii hex and
javascript so we're just simply going to
copy that and then we're going to go
back to immunity so now we're going to
restart the program I'll go ahead and
push play on it and then we're gonna
paste in that pattern and enter our
program will crash and then we can go
back to immunity so we can see the
program has crashed we have this new EIP
value three one six three four one three
zero so go ahead and click on that right
click and copy selection to clipboard
and once again you can see ESP is
pointing to the following memory address
and for one three two six four three a
is not a proper memory address so that's
why the program crashes all right so now
what we're going to do is figure out the
proper offset for our overflow so the
next command we're going to use is the
pattern offset command and you just
simply type p.o with the memory address
of the EIP value so go ahead hit enter
on that Mona will do its magic and you
can see we have a position of 62 so
we're gonna need 62 junk bytes for our
exploit so let's take note
that all right so great so now we know
how many bytes that will fill up to
reach the EIP let's go back and look at
our little thing so we'll have 62 bytes
and then from here from here this is
where we ran overwrite the EIP with a
new memory address that points to our
shellcode located here and now we need
to figure out how to point to our
shellcode since we won't know exactly
which memory address it will be because
it will be dynamically created we need
to come up with another method well
since this is a Windows program it will
load necessary dll files for it to
properly operate one of those dll files
is the kernel32.dll and inside there we
may be able to find a jump to ESP which
this is assembly code which just simply
tells it to jump to the memory address
located inside ESP so if this were to
execute at this time it would go to ESP
read the summary address and the
execution flow within jump down to this
a memory address and start executing and
that's exactly what we want because in
this memory address will be the
beginning of our shellcode so what we
need to do is see if we can find a
memory address inside the kernel32.dll
with this instruction and if we can find
one then we can just simply overwrite
the EIP value right here with the memory
address of the jump instruction in the
kernel32.dll that will then make it jump
to our address which is located in the
ESP register and then execute our
payload so really I should say payload
all right so how do we find a jump
instruction any kernel32.dll well Mona
is great for that so you can type this
command to search for that instruction
so go ahead and just type that it's
enter and give it a second and it will
do its magic all right so let's minimize
that get to the log data window you can
see and here we go these are all D calls
which will jump to the ESP register
value so all we need to do is go ahead
and copy this address you can see 7 4 B
2 1 D 1 9 is the address location to
this jump ESP instruction inside D DLL
you can see it over here
it's kind of cut off kernel32.dll all
right so now we have all the information
we need to execute or write an exploit
and hopefully exploit this overflow and
execute some shell code so let's start
writing our exploit all right go ahead
just paste in that memory address well
you need that in a second let's see what
are we gonna need well since we're gonna
do this in Python of course we're going
to need to execute the program so we're
going to need to use P open and we're
going to create our payload now first we
need to fill it with junk bytes so
let's just go ahead and fill it with our
62 junk bytes remember 62 that we found
earlier
so we'll just fill it with these junk
bytes next what we need to do is we need
to replace the e IP value with this
memory address so now we're going to do
that here we need to do it in reverse
order so 1 9 1 db2 and 74 all right and
finally we need our shellcode basically
this will be the code that will be
executed whenever our program overflows
above her over writes the EIP that means
the code will then jump to this address
that address is a jump to ESP and the
ESP memory address will now contain our
payload which will then be executed and
we that point will have successfully
exploited the overflow so now I'm just
going to paste in the shell code and the
shell code will execute calc C so if all
goes well we should see the calculator
automatically open after exploiting or
executing the overflow attack all right
so we have our payload complete our junk
bytes this is the memory address to our
jump ESP call which is going to this
will which this memory address will
overwrite the EIP which will then allow
our shellcode to get executed so all we
need to do now is run the program and
then
let's get that you know and then once we
have that open we then need to send our
payload and if all goes well at this
point our calculator will open so this
is a very bare bones basic exploit so go
ahead and save that go back to our
command prompt go ahead and release the
debugger minimize that and now let's go
ahead and execute our exploit and if all
goes well the calculator should open so
let's give it a shot
and there you have it you can see that
the program crashed because we
overflowed everything and we were
successfully able to execute our shell
code and load the calculator so that's
it guys that is how you take advantage
and exploit a buffer overflow in a
Windows application now we'll look at
some more both for overflows example for
some more advanced applications I guess
for lack of a better word and also dive
a little bit deeper into the immunity
debugger and kind of breaking down
buffer overflows but for now that's
going to do it if you liked this video
please give me a thumb up do not forget
to subscribe if you want to see new
videos and I will see you on the other
side
you
