This is intended for beginners. I will leave the very deep details and write obvious comments. This is also not done yet.
My (various and different) latest attempts on VULNSERVER.
Attempt 1: just crashing it
- choosing a random huge number, say 5000
Attempt 2: overwriting EIP
- a bit less than in attempt 1, aiming for EIP overwrite control
Attempt 3: predicting registers
- begin with a small value and move up until it crashes but does not overwrite anything; then predict by first trying to overwrite EDI and EBP, then EIP
Attempt 4 and onward
- modifying the memory of other registers from the previously (now controlled) registers
- jumps, calls and gotos
- assembly
- shellcode
Attempt 5 (overkill for beginners)
- using undocumented registers (see the eecg link below for more info)
Note how I also overwrote EBP?
Let's change that, shall we?
Given one register's position (assuming no ASLR, DEP, etc. is present), which is easy to predict given its minimal overflowing value (which, again, is easy to predict by itself, given one reliable amount of A's that crashes the app
- Writeup (describing basics of my methodology)
- Bibliography
- More References
- Finally, the code and a Proof of Concept (POC), not using Metasploit's msfvenom, and not radare2 either :) (why not make shellcode from scratch, so you know what you really launch at your poor target?)
- PY CODE, R2
- vulnserver
- https://www.eecg.utoronto.ca/~amza/www.mindsec.com/files/x86regs.html
- coming soon