Linux Buffer Overflow Example
I uploaded a video and wrote about a Windows Buffer Overflow Example two weeks ago. I learnt a lot from that example, but I wanted to study Linux Buffer Overflows as well. Therefore, I have been testing the crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow these days. I installed a 32-bit Kali Linux with the crossfire server, which is an online computer game, and thanks to the edb debugger and some Python scripts I have been able to learn how to exploit a Linux Buffer Overflow vulnerability. You can see it in the video below.
Firstly, I started the virtual machine with NX protection disabled (noexec=off), so that code placed on the stack can be executed, and I ran the crossfire server, which listens on TCP port 13327. I also tested a simple Python script that sends 4379 'A's to the vulnerable service. We can see how the program crashes and how ESP points to a long run of 'A's (0x41 in hex). However, we have to find the exact position in the buffer that overwrites the EIP register, so I created a unique, non-repeating string which is sent to the vulnerable server through the script. Once I controlled the EIP register, I had to decide where to store the shellcode. After the EIP overwrite only 7 bytes are left, so the shellcode cannot be stored there. As a result, I pointed to the EAX register, which references the location where the shellcode is placed. The next challenge was to locate a JMP ESP instruction in memory and write its address into the EIP register. Finally, I generated a payload with the msfvenom tool and added it to the script, which gives us a Linux remote reverse shell.
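To show the root cause behind this kind of crash, here is an added example that is not crossfire's code and not part of the original post: a hypothetical `setup` command handler that copies the client's line into a fixed-size stack buffer with an unbounded `strcpy()`, next to a bounded version that rejects oversized input before the copy. The buffer size and the sample lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical handler (not crossfire's own code): the client sends a
 * "setup" line and the server copies it into a fixed stack buffer. */
#define CMD_BUF 256

/* Vulnerable form: strcpy() copies until the NUL byte, so a line longer
 * than CMD_BUF bytes runs past 'cmd' into the saved EBP and the saved
 * return address (EIP) that sit above it on the stack. With NX off, the
 * overwritten return address can redirect execution into the input. */
int setup_vulnerable(const char *line)
{
    char cmd[CMD_BUF];
    strcpy(cmd, line);              /* no length check at all */
    return (int)strlen(cmd);
}

/* Hardened form: refuse any line without a NUL inside CMD_BUF bytes,
 * then copy with an explicit bound. Returns the copied length, or -1. */
int setup_hardened(const char *line)
{
    char cmd[CMD_BUF];
    const char *end = memchr(line, '\0', CMD_BUF);
    if (end == NULL)                /* no terminator within the buffer */
        return -1;
    size_t n = (size_t)(end - line);
    memcpy(cmd, line, n + 1);       /* n + 1 includes the terminating NUL */
    return (int)n;
}

int main(void)
{
    char big[4379 + 1];             /* same size as the post's 4379 'A's */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("short line: %d\n", setup_hardened("setup sound 0"));
    printf("long line : %d\n", setup_hardened(big));   /* -1: rejected */
    /* setup_vulnerable(big) would smash this stack frame; not called. */
    return 0;
}
```

Compiled with stack protection disabled, the vulnerable function fed the 4379-byte line reproduces the same class of crash the post shows in edb; the hardened function simply returns -1.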
Regards my friends. This is another amazing demo of how a Buffer Overflow works. I recommend you try it by yourself.