Hey folks, i have been thinking for so long to start a noob friendly series on exploit writing but never got that much time. Anyways, let’s talk about exploit writing-

So, What is an exploit?

an exploit is a piece of code that takes the advantage of a vulnerable system.

However, keeping this a noob friendly tutorial let’s make some things very clear. Firstly, an exploit may or may not work on two different application versions, may not work on two different operating systems. Secondly, if you think you already know basics, you can leave the website immediately.

Well, Throughout this series we will start from the very basic (I Mean it :P) this means we will take up things as soon as they appear. So, you don’t have to worry about ASM, Comp. Architecture etc.

Pre-Requisites

I already mentioned that we will take up things as soon as they appear. However, for this tutorial you should have a lil knowledge about C Programming.

So, let’s take up the most basic “Stack based Buffer Overflows” at the very first stage-

Now, what is a stack?

We can see in the above picture that we organized every book one above the other. However, we can collectively say that this is a stack of books. Now, to build this stack, we placed the first book, then the other on top of it and so on until we run out of books.

Exactly, what follows in Computer systems. We can put operands and operators one above the other to form a stack. This is called the “Push” operation. This also means that the first book is now at the bottom and the last one is at the top. This is why stack is called Last-in-First-Out. So, when we need to remove a book, we first need to remove the book at the top, this is called the “Pop” operation.

So, What is Buffer Overflow?

A buffer is a region which stores data temporarily and when more data than its capacity is supplied, it gets overflowed.

Let’s see an example-

#include<stdio.h>
#include<string.h>
<include<stdlib.h>

 void noexec()
 {
 printf("this never executes");
 exit(0);
 }

 void main(int argc, char **argv)
 {
 char buffer[50];
 strcpy(buffer,argv[1]);
 printf(buffer);
 }

In the above program, we have two different functions main and noexec. When we run this program, it simply receives the command line argument, copies it into the buffer variable and simply prints it.

Now, you might ask, why do we have noexec() function if we are not calling it any where in the program? this is because in order to work out the simplest buffer overflow, we will try to execute this function by exploiting it.

Let’s compile this program using the following command:

#gcc -ggdb -o rofl -fno-stack-protector expl1.c -mpreferred-stack-boundary=2

To compile a C program in linux, we use gcc, -ggdb option allows the code to be executed and listed in debugger by supplying enough information to the debugger, about the program, -fno-stack-protector option turns off stack protection mechanisms in Linux while compiling the program and -mpreferred-stack-boundary=2 option aligns the stack on a 4-byte boundary and will be susceptible to crash as well. However, by default it’s on 16-byte boundary.

(You can Skip the above paragraph, for now we just need to focus on compiling the application program)

Let’s execute the program, and supply 50 A’s, we can see that it gets printed, Let’s try with 51 A’s, 52 A’s and 53 A’s. We can see that program exited normally after outputting the supplied input. However, as soon as we provide 54 A’s we get Segmentation Fault which denotes crashing of the program or we can say the buffer just overflowed. You might ask, we had the buffer for 50 characters but it still got executed at 51,52,53. This is because the input didn’t overwrote the values fetched to the EIP register initially and may have overwrote other registers which didn’t affected the program’s execution.

What is EIP?

A register which stores the address of the next instruction. Therefore, if we overwrite the return pointer which EIP register loads, we can have the address of our choice, our choice will be the next instruction to be executed by the program. This potentially means that we can redirect the flow of a program to anywhere we want.

Let’s open this program in GDB: GDB is a debugger which can allow us to view the state of the registers, stack, memory locations etc throughout the execution of a program(I Know this is the most basic tutorial and introducing GDB may not be the correct idea right now, but for the sake of running the noexec function we need its memory address).

#gdb ./rofl

The above command will run the program in GDB. To find the starting address of the noexec() function we need to input a simple command which is disassemble followed by the name of the function as follows:

(gdb) disas noexec**

this command will output the following-

Don’t get scared! for Now, we only need the address of the first instruction which is 0x0804847c.

Next, we simply need to input this address after 54 A characters and this will overwrite the memory from where EIP will load a value resulting in altering the flow of the program according to our needs.

Let’s test it out: Keeping it simple, we will supply 54 A’s and the address in Little endian format which is to reverse the bytes (For Example:split the bytes 08 04 84 7c to 7c 84 04 08).

We can see that after outputting the input, noexec function runs thus outputting This Function Does Not Execute.

This tutorial is purely for the newbies in exploit writing. If You liked this tutorial, comment your feedback and suggestions.