Description:
Welcome to Part 2 of the Exploit Research Megaprimer.
Please begin this series by watching Part 1, if you have not already done so!

In this video, we will look at how to exploit a simple buffer overflow caused by misuse of the memcpy function. You can download the vulnerable server Server-Memcpy.exe and follow along with this video. I take you through a 30 minute journey which starts with bug discovery via a crash, analyzing the crash with Immunity Debugger, finding where the return address and ESP are overwritten using byte patterns created by pattern_create of the Metasploit framework, creating the payload, creating the exploit script and finally exploiting the vulnerable server! The grand prize is that we are able to get a remote shell on the victim over port 10000.

Grab a coffee and join me in this epic journey from bug to root! All in 30 minutes :)
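The bug class the video walks through is a memcpy whose length comes from the client and is never compared with the stack buffer it writes into. The following is an added illustration, not the source of Server-Memcpy.exe (which is not on this page): it assumes a hypothetical wire format of one length byte followed by the payload, a 64-byte stack buffer, and the handler names shown here, and places the unchecked copy beside a handler that rejects any length the buffer cannot hold.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REQ_BUF 64   /* assumed stack buffer size for this illustration */

/* Constructed illustration of the bug class discussed above; this is not
   the source of Server-Memcpy.exe. Assumed wire format: one length byte,
   then the payload. */
typedef struct {
    const uint8_t *data;
    size_t len;                 /* bytes actually received from the socket */
} packet_t;

/* Vulnerable pattern: the copy length is taken from the client and never
   compared with the stack buffer, so a claimed length above REQ_BUF writes
   past buf into the saved frame (the crash the video analyses). Shown for
   contrast only; it is not called below. */
size_t handle_request_vulnerable(const packet_t *pkt) {
    uint8_t buf[REQ_BUF];
    size_t n = pkt->data[0];
    memcpy(buf, pkt->data + 1, n);
    return n;
}

/* Hardened handler: checks the claimed length against both what was
   received (no over-read of the packet) and the destination size (no stack
   overwrite). Returns bytes copied, or -1 when the request is rejected. */
int handle_request_checked(const packet_t *pkt) {
    uint8_t buf[REQ_BUF];
    if (pkt == NULL || pkt->data == NULL || pkt->len < 1)
        return -1;
    size_t n = pkt->data[0];
    if (n > pkt->len - 1 || n > sizeof buf)
        return -1;
    memcpy(buf, pkt->data + 1, n);
    return (int)n;
}

/* Runs the checked handler on a constructed packet whose header claims
   `claimed` payload bytes while `received` payload bytes (at most 255) are
   actually present. */
int try_request(uint8_t claimed, size_t received) {
    uint8_t raw[256] = {0};
    raw[0] = claimed;
    memset(raw + 1, 'A', received);
    packet_t pkt = { raw, received + 1 };
    return handle_request_checked(&pkt);
}
```

A request that claims exactly REQ_BUF bytes is still accepted; one byte more, or a header that claims more than the socket delivered, is refused before memcpy runs.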
Tags: basics
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Comments:
Hello Vivek,
Very good work, thank you. I have a question.
1. Can we get your C++ Source Code for the Server.exe?
Or can we decompile the .exe to get the source code? But how?
2. Is it possible to exploit the memcpy function without having a server? I mean without listening on a specific port, just connecting to the remote machine. Maybe placing the memcpy exploit in a specific TCP stack? Just an idea.
Thanks,
johny
Thank you Vivek for all the hard work you put into these tutorials. Can you do something about spawning a shell through a format string vuln?
I just wanted to log in to say thank you sir, these primers are great and I'm looking forward to learning a lot more watching the rest of them!
Really enjoyed this one. Thanks.
Very nice!!! Great!
thank you, EIP->ESP
Very, very interesting!
I really had fun with this tutorial.
I can't wait to see the SEH BOF.
Thank you Vivek Sir :) enjoyed alot :D
Thanks for the video, it was really interesting,
but when I try it everything goes fine, but
while doing nc I am not getting the command prompt of the Windows machine. Can you please tell me what the error may be...
I have a Q:
1- your shellcode had null bytes
2- and the eip address you overwritten also had a null byte \x70\xfb\x22\x00
how did this work @.@ ?
The answer to my Q is here: http://www.securitytube.net/video/1399
Thanks man, best explanation ever <3
Awesome!
Thanks for putting the effort, but I am unable to continue watching your videos due to the audio quality. It seems your microphone is either too close to your mouth or its levels are not correctly calibrated and it causes uncomfortable quality to listen to.
Your first video of this series was perfectly fine.
Thanks for this video, I found it very, very helpful for me, but I have a problem. I checked that this exploit works on WinXP + Service Pack 3, but your server does not run on Windows 2003 Server or Windows 7. Can you also help us with 32-bit systems and 64-bit systems too? And please help us with other protocols like Oracle TNS; I want to recreate the Oracle 9i TNS arguments exploit. Thanks for
If you published your source code for both the memcpy and strcpy servers, we would be able to compile this code for all versions of Windows like XP, Windows 2000, Windows 2003, Windows 7, Windows 8, etc...