questions on buffer overflow

Stuart Brown

Ok, i understand the principles of all this.
Just a couple of questions so i can understand if i need to be explain etc.

in first python script when you did

import socket
and then the ip.

QUESTION 1

Obviously this ip is the ip of the server that you would be testing i take it and you replace that with the ip of the server.
Answer :

QUESTION 2

When you use the TRUN command and the period etc to send the initial string to immunity.
If was testing someones server how do i know what command to use thats bit i don't get?
it is always the trun command or was that an example?
ANSWER :

QUESTION 3

You said that JMP ESP is what you look for but it could have been the return when it didn't inititally populate the EIP.
Could be any command in there then if you try all the JMP ESP in any of them that say false and if none of them work
you have to move onto other assembly commands or should one of them work.
ANSWER :

QUESTION 4

When you ran nasm to get hex for JMP ESP i guess you don't need to keep doing that.Once you know the hex you know
and that'll we same on any system you test?
ANSWER:

Most of the rest made sense to me
Thanks

daniel-lowrie87

Hey @Stuart-Brown

Q1) The IP in your script will be the IP of the server you wish to connect to.

Q2) TRUN is specific to the vulnerable server software being used in the demonstration. You would fuzz all inputs of an unknown software to discover where it may be vulnerable. If you had access to the source code, you could look there as well.

Q3)JMP ESP is looked for because ESP is the register where the shellcode will spill into. There is no guarantee that any of this will work if there are protections in place, but yes, trying any of the options is a viable strategy.

Q4) If you install the vulnerable software on the same platform/architecture across multiple machines you should be able to reuse your exploit across those machines, meaning the memory addresses will be the same across the machines. But if you change the platform, (ie you move from Windows 7 to Windows Server 2012 R2), then you will almost certainly need to retest and refactor your exploit to allow for the new platform.

Hope this helps.
Daniel