
Buffer Overflow And Exploits

A buffer is nothing more than a small region of memory used for the temporary storage of data, often to compensate for a difference in processing or transfer speed between two connected devices, such as a computer and a printer.

The stack is an area of memory that holds temporary data (function arguments, return addresses, saved registers and local variables). It is organised as a LIFO (Last In, First Out) data structure: data is placed on the stack by a PUSH operation and removed by a POP operation, so the item pushed most recently is the first one popped.

The illustrations below walk through one PUSH and one POP.

First operation, PUSH:
[figure: the stack before the PUSH]

After the PUSH operation:
[figure: the stack after the PUSH; the pushed item now sits on top]

Second operation, POP:
[figure: the stack before the POP]

After the POP operation:
[figure: the stack after the POP; the top item has been removed]

From this we can conclude the following:

The address of the current top of the stack is held, at any given time, in the stack pointer register (ESP).

The base of the current function's stack frame is held in the EBP register, which is called the base pointer or frame pointer.

The address of the next instruction to execute is held in the instruction pointer register (EIP).

Consider the following example:

mov eax,0AAAAAAAAh
mov ebx,0BBBBBBBBh
mov ecx,0CCCCCCCCh
mov edx,0DDDDDDDDh
PUSH eax
Suppose ESP initially holds the address 0xb2000000. PUSH eax first decrements ESP by 4, so ESP becomes 0xb2000000-4 = 0xb1fffffc, and then stores EAX at the new ESP, so the dword at 0xb1fffffc now contains 0xAAAAAAAA.
So on a 32-bit system a PUSH decrements ESP by 4 and writes the value at the new ESP, while a POP reads the value at ESP and then increments ESP by 4. Continuing the example:

PUSH ebx --> ESP = 0xb1fffffc-4 = 0xb1fffff8, and the dword at 0xb1fffff8 contains 0xBBBBBBBB

POP esi --> ESI receives the value at ESP, 0xBBBBBBBB, and then ESP = 0xb1fffff8+4 = 0xb1fffffc

POP edi --> EDI receives the value at ESP, 0xAAAAAAAA, and then ESP = 0xb1fffffc+4 = 0xb2000000

Note that the values come out in the reverse order they went in (ESI got EBX's value, EDI got EAX's), which is the LIFO behaviour described above. The popped values are not erased from memory; they simply sit below ESP until something overwrites them.
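To make the ESP arithmetic concrete, here is a small C model of the stack from the walkthrough above. It is an added example, not code from the original post: the 32-bit addresses are the ones used above, the 64-byte backing store below 0xb2000000 is a constructed stand-in for real process memory, and push()/pop() implement the decrement-then-write and read-then-increment order described in the text. Replaying push eax, push ebx, pop esi, pop edi reproduces the ESP values listed above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Initial ESP from the walkthrough above. The backing store below it is a
 * constructed model for this example, not real process memory. */
#define STACK_TOP  0xb2000000u
#define STACK_SIZE 64u                       /* bytes modelled: [STACK_BASE, STACK_TOP) */
#define STACK_BASE (STACK_TOP - STACK_SIZE)

struct cpu {
    uint32_t esp;                            /* address of the current top of stack */
    uint8_t  mem[STACK_SIZE];                /* little-endian backing store */
};

static void cpu_init(struct cpu *c)
{
    memset(c, 0, sizeof *c);
    c->esp = STACK_TOP;                      /* empty stack: ESP sits at the top edge */
}

/* Map a 32-bit address onto the backing store; abort if the dword at that
 * address falls outside the modelled range (a real CPU would fault). */
static uint8_t *at(struct cpu *c, uint32_t addr)
{
    if (addr < STACK_BASE || addr + 4 > STACK_TOP) {
        fprintf(stderr, "address 0x%08x outside modelled stack\n", addr);
        abort();
    }
    return &c->mem[addr - STACK_BASE];
}

static void store32(struct cpu *c, uint32_t addr, uint32_t v)
{
    uint8_t *p = at(c, addr);
    for (int i = 0; i < 4; i++)              /* x86 is little-endian: low byte first */
        p[i] = (uint8_t)(v >> (8 * i));
}

static uint32_t load32(struct cpu *c, uint32_t addr)
{
    uint8_t *p = at(c, addr);
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* PUSH r32: ESP is decremented by 4 first, then the value is written at the
 * new ESP, so ESP always points at the most recently pushed dword. */
static void push(struct cpu *c, uint32_t v)
{
    c->esp -= 4;
    store32(c, c->esp, v);
}

/* POP r32: the dword at ESP is read first, then ESP is incremented by 4.
 * The bytes are not erased; they stay below ESP until overwritten. */
static uint32_t pop(struct cpu *c)
{
    uint32_t v = load32(c, c->esp);
    c->esp += 4;
    return v;
}

/* Replay of the article's sequence: push eax, push ebx, pop esi, pop edi. */
struct trace {
    uint32_t esp_after_push_eax, esp_after_push_ebx;
    uint32_t esi, esp_after_pop_esi;
    uint32_t edi, esp_final;
};

static struct trace replay(void)
{
    struct cpu c;
    struct trace t;
    uint32_t eax = 0xAAAAAAAAu, ebx = 0xBBBBBBBBu;

    cpu_init(&c);
    push(&c, eax);   t.esp_after_push_eax = c.esp;   /* 0xb1fffffc, holds EAX */
    push(&c, ebx);   t.esp_after_push_ebx = c.esp;   /* 0xb1fffff8, holds EBX */
    t.esi = pop(&c); t.esp_after_pop_esi = c.esp;    /* ESI = 0xBBBBBBBB, ESP back to 0xb1fffffc */
    t.edi = pop(&c); t.esp_final = c.esp;            /* EDI = 0xAAAAAAAA, ESP back to 0xb2000000 */
    return t;
}

int main(void)
{
    struct trace t = replay();
    printf("after push eax: ESP=0x%08x\n", t.esp_after_push_eax);
    printf("after push ebx: ESP=0x%08x\n", t.esp_after_push_ebx);
    printf("pop esi: ESI=0x%08x ESP=0x%08x\n", t.esi, t.esp_after_pop_esi);
    printf("pop edi: EDI=0x%08x ESP=0x%08x\n", t.edi, t.esp_final);
    return 0;
}
```

The bounds check in at() is the part worth noticing: push past STACK_BASE or pop above STACK_TOP and the model aborts, which is the software equivalent of the stack fault a real process takes when ESP wanders off its mapped pages.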

Registers are small storage locations inside the processor that can be accessed without the performance cost of a memory access. A register may hold an instruction, an address or data.

Type Of Registers:
Here we will discuss the IA-32 family, that is the 32-bit x86 architecture, because it is so widely used. We classify the registers as follows:
General Purpose Registers:
These registers are used for ordinary arithmetic and logic operations and can also hold data, addresses and offsets, and loop counters.
There are eight 32-bit general purpose registers:
EAX: Accumulator for operands and results
EBX: Base register (pointer to data in the DS segment)
ECX: Counter for string and loop operations
EDX: Data register (I/O pointer)
ESI: Pointer to data in the segment pointed to by the DS register; source pointer for string operations
EDI: Pointer to data (or destination) in the segment pointed to by the ES register; destination pointer for string operations
EBP: Pointer to data on the stack (in the SS segment); holds the base address of the current stack frame
ESP: Stack pointer (in the SS segment); holds the address of the top of the stack

Each 32-bit register can also be addressed as smaller 16-bit and 8-bit registers, as the following figure shows. The lower 16 bits of the general-purpose registers go by the names AX, BX, CX, DX, BP, SP, SI and DI (the 32-bit names carry the prefix "E" for "extended"). Each of the two lower bytes of EAX, EBX, ECX and EDX can be referenced as AH, BH, CH and DH (the high byte of the 16-bit register) and AL, BL, CL and DL (the low byte).

Segment Registers:
There are six segment registers, each holding a 16-bit segment selector. A segment selector is a special pointer that identifies a segment in memory. The six segment registers are:
  • CS: code segment register
  • SS: stack segment register
  • DS, ES, FS, GS: data segment registers
The four data segment registers give programs flexible and efficient ways to access data.
The EFLAGS register :

The EFLAGS register holds the state of the processor. It is modified by many instructions and is read by comparisons, conditional loops and conditional jumps. Each bit records a specific result of the last instruction that affected it. Here is a listing:

Bit     Label   Description
0       CF      Carry flag
2       PF      Parity flag
4       AF      Auxiliary carry flag
6       ZF      Zero flag
7       SF      Sign flag
8       TF      Trap flag
9       IF      Interrupt enable flag
10      DF      Direction flag
11      OF      Overflow flag
12-13   IOPL    I/O privilege level
14      NT      Nested task flag
16      RF      Resume flag
17      VM      Virtual 8086 mode flag
18      AC      Alignment check flag (486+)
19      VIF     Virtual interrupt flag
20      VIP     Virtual interrupt pending flag
21      ID      ID flag
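The flags table reads more easily once you see how the bits get set. The following C code is an added example, not from the original post: it models how a 32-bit ADD, SUB and CMP compute CF, PF, AF, ZF, SF and OF at the bit positions given in the table above, and how conditional jumps such as JE, JB and JL decide purely from those bits. The function names (flags_add, flags_sub, cmp, je_taken, jb_taken, jl_taken) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions of the status flags, taken from the EFLAGS table above. */
#define FLAG_CF (1u << 0)   /* carry / borrow (unsigned overflow) */
#define FLAG_PF (1u << 2)   /* even parity of the low result byte */
#define FLAG_AF (1u << 4)   /* carry out of bit 3 (BCD adjust) */
#define FLAG_ZF (1u << 6)   /* result is zero */
#define FLAG_SF (1u << 7)   /* result is negative (bit 31 set) */
#define FLAG_OF (1u << 11)  /* signed overflow */

#define SIGN_BIT 0x80000000u

static int low_byte_has_even_parity(uint32_t r)
{
    uint8_t b = (uint8_t)r;
    b ^= b >> 4; b ^= b >> 2; b ^= b >> 1;
    return (b & 1) == 0;
}

/* ZF, SF and PF depend only on the result and are shared by ADD and SUB. */
static uint32_t result_flags(uint32_t r)
{
    uint32_t f = 0;
    if (r == 0)                      f |= FLAG_ZF;
    if (r & SIGN_BIT)                f |= FLAG_SF;
    if (low_byte_has_even_parity(r)) f |= FLAG_PF;
    return f;
}

/* Flags after ADD a, b. *result receives a+b when non-NULL. */
static uint32_t flags_add(uint32_t a, uint32_t b, uint32_t *result)
{
    uint32_t r = a + b;
    uint32_t f = result_flags(r);
    if (r < a)                        f |= FLAG_CF;  /* unsigned wraparound */
    if ((a ^ r) & (b ^ r) & SIGN_BIT) f |= FLAG_OF;  /* same-sign operands, result sign differs */
    if ((a ^ b ^ r) & 0x10u)          f |= FLAG_AF;  /* carry out of bit 3 */
    if (result) *result = r;
    return f;
}

/* Flags after SUB a, b. *result receives a-b when non-NULL. */
static uint32_t flags_sub(uint32_t a, uint32_t b, uint32_t *result)
{
    uint32_t r = a - b;
    uint32_t f = result_flags(r);
    if (a < b)                        f |= FLAG_CF;  /* borrow */
    if ((a ^ b) & (a ^ r) & SIGN_BIT) f |= FLAG_OF;  /* operands differ in sign, result sign differs from a */
    if ((a ^ b ^ r) & 0x10u)          f |= FLAG_AF;
    if (result) *result = r;
    return f;
}

/* CMP a, b is SUB a, b with the result discarded: only the flags survive. */
static uint32_t cmp(uint32_t a, uint32_t b) { return flags_sub(a, b, NULL); }

/* Conditional jumps look only at the flags, which is why one CMP serves both
 * signed and unsigned comparisons: the jump mnemonic picks the bits to test. */
static int je_taken(uint32_t f) { return (f & FLAG_ZF) != 0; }                            /* equal */
static int jb_taken(uint32_t f) { return (f & FLAG_CF) != 0; }                            /* below, unsigned */
static int jl_taken(uint32_t f) { return ((f & FLAG_SF) != 0) != ((f & FLAG_OF) != 0); }  /* less, signed */

int main(void)
{
    uint32_t r, f;
    f = flags_add(0xFFFFFFFFu, 1u, &r);
    printf("add 0xFFFFFFFF,1 -> 0x%08x  CF=%d ZF=%d OF=%d\n", r, !!(f & FLAG_CF), !!(f & FLAG_ZF), !!(f & FLAG_OF));
    f = flags_add(0x7FFFFFFFu, 1u, &r);
    printf("add 0x7FFFFFFF,1 -> 0x%08x  CF=%d SF=%d OF=%d\n", r, !!(f & FLAG_CF), !!(f & FLAG_SF), !!(f & FLAG_OF));
    f = cmp(0x80000000u, 1u);   /* -2147483648 vs 1 signed, but 2147483648 vs 1 unsigned */
    printf("cmp 0x80000000,1 -> jl=%d jb=%d je=%d\n", jl_taken(f), jb_taken(f), je_taken(f));
    return 0;
}
```

The last case in main is the one that matters for exploit work: comparing 0x80000000 with 1 takes JL (signed less) but not JB (unsigned below). Length checks that use the signed form of the jump on a length the attacker controls are a classic way for a "checked" copy to still overflow.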

Control Registers:
These registers control the operation of the processor. The most important one for our purposes is the Extended Instruction Pointer (EIP), or simply the instruction pointer: EIP holds the address of the next machine instruction to be executed. (Strictly speaking Intel's manuals do not list EIP among the control registers, but it is grouped here because it controls what executes next.)

There are also the control registers proper, CR0 to CR4, which govern protected-mode operation such as paging and protection. They are accessible only to systems programmers running at ring 0, via variants of the MOV instruction that load them from, or store them to, general-purpose registers. We will come back to these registers when they are needed.
An exploit is nothing more than taking advantage of a vulnerability to take over the program. In our case, once an overflow has occurred or the application has crashed, if we can take control of the system through that software, we have an exploit.
To find the crash we need fuzzing, which we will discuss in upcoming posts. After the crash the attacker overwrites the saved return address on the stack, so that when the function returns the value loaded into EIP points at the attacker's shellcode, and the shellcode carries out the actual take-over (for example spawning a shell). On modern systems protections such as stack cookies (/GS), DEP and ASLR stand in the way of this direct jump and have to be bypassed first.
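To show what "overwrite EIP" means at the byte level, here is an added C example that is not part of the original post. It models the slice of an IA-32 frame that an overflow clobbers (a 16-byte local buffer, the saved EBP, then the saved return address), copies attacker-controlled input into it both strcpy-style and with a bounds check, and reports what RET would load into EIP afterwards. The frame layout, the 16-byte buffer size, the "clean" EBP/EIP values and the 0xdeadbeef target address are constructed for the demonstration, and the host is assumed little-endian like x86; the model lives in ordinary memory, so the program itself does not crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Model of the slice of an IA-32 stack frame that a stack-based overflow
 * clobbers, from low to high address: the local buffer, the saved EBP pushed
 * by the function prologue, then the return address pushed by CALL (the value
 * RET pops into EIP). Constructed for this example; it lives in ordinary
 * memory, not in this program's real frame, so the program never crashes. */
struct frame_model {
    char     buf[BUF_SIZE];
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* Constructed stand-ins for a genuine saved EBP and return address. */
#define CLEAN_EBP 0xbffff6d8u
#define CLEAN_EIP 0x08048456u

static void frame_init(struct frame_model *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->saved_ebp = CLEAN_EBP;
    f->saved_eip = CLEAN_EIP;
}

/* Distance from the start of the buffer to the saved return address: the
 * padding the attacker must send before the new EIP value (20 bytes here). */
static size_t eip_offset(void) { return offsetof(struct frame_model, saved_eip); }

/* Vulnerable copy, the equivalent of strcpy(f->buf, src): how many bytes get
 * written is decided by whoever controls src, not by sizeof buf. The write
 * goes through the frame's raw bytes so the model stays inside its own
 * storage; a real strcpy would keep writing past saved_eip. */
static void vulnerable_copy(struct frame_model *f, const char *src)
{
    size_t n = strlen(src) + 1;             /* includes the terminating NUL */
    if (n > sizeof *f) n = sizeof *f;       /* bounds the model, not the bug */
    memcpy((unsigned char *)f, src, n);
}

/* Hardened form: compare the input length with the destination size and
 * reject anything that does not fit, instead of truncating silently. */
static int safe_copy(struct frame_model *f, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof f->buf) return -1;
    memcpy(f->buf, src, len + 1);
    return 0;
}

/* Attacker input: padding over buf and saved_ebp, then the new return address
 * in little-endian order. The address must contain no 0x00 byte or a strcpy
 * would stop early. Returns the payload length without the NUL, 0 if out is
 * too small. */
static size_t build_payload(char *out, size_t cap, uint32_t new_eip)
{
    size_t off = eip_offset();
    if (cap < off + 4 + 1) return 0;
    memset(out, 'A', off);
    for (int i = 0; i < 4; i++)
        out[off + i] = (char)(uint8_t)(new_eip >> (8 * i));
    out[off + 4] = '\0';
    return off + 4;
}

/* What RET would load into EIP when this frame is torn down. */
static uint32_t return_address(const struct frame_model *f) { return f->saved_eip; }

/* Run the payload through the vulnerable copy on a fresh frame and report the
 * return address RET would use. */
static uint32_t eip_after_vulnerable_copy(uint32_t new_eip)
{
    struct frame_model f;
    char payload[64];
    frame_init(&f);
    build_payload(payload, sizeof payload, new_eip);
    vulnerable_copy(&f, payload);
    return return_address(&f);
}

/* Same payload through the hardened copy: 1 if it was rejected and the saved
 * return address is untouched, 0 otherwise. */
static int safe_copy_blocks(uint32_t new_eip)
{
    struct frame_model f;
    char payload[64];
    frame_init(&f);
    build_payload(payload, sizeof payload, new_eip);
    return safe_copy(&f, payload) == -1 && return_address(&f) == CLEAN_EIP;
}

int main(void)
{
    uint32_t target = 0xdeadbeefu;   /* constructed attacker-chosen address, no zero bytes */
    printf("return address sits %zu bytes past the start of the buffer\n", eip_offset());
    printf("after the vulnerable copy, RET would jump to 0x%08x\n", eip_after_vulnerable_copy(target));
    printf("hardened copy blocks the payload: %s\n", safe_copy_blocks(target) ? "yes" : "no");
    return 0;
}
```

Two practical points the model makes visible: the padding length is the distance from the start of the buffer to the saved return address (20 bytes here, which is what an attacker works out from the crash), and because strcpy stops at a NUL byte, the target address must contain no zero bytes. The hardened copy rejects oversized input outright; truncating with strncpy would avoid the overflow but can silently drop the terminator, which is its own class of bug.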

