10 replies to this topic

[amohanta]

I wanted to know how to find out which is the vulnerable function that caused the buffer overflow.
when olly crashes in stack overflow the cpu windows shows nothing and as the stack is overflowed we cannot find the return address.
In this case hoe to determine the function that caused he buffer overflow.

[Juza]

The return address is the EIP register, so you need to calculate every bit for that EIP would point to your shellcode.
If you are interesting in learning this subject view this topic, Overwriting EIP Question, or just read this books Hacking: the art exploitation, Buffer overflow attacks or the shellcoder's handbook.
I am sure that you can find this books out there, just google it xD.

If you want to learn shellcoding go here.

i hope that can help you.

[amohanta]

I have experimented on exploitaion and familiar on how to overwrite eip to jump to shellcode. .I want to know the function that that causes the overflow overwrites the eip.
say if thrs a function abc() that calls strcpy() I want to locate and analyse the function abc().

[webdevil]

I am assuming that this not your code that you are trying to overflow. In that case you will need to reverse engineer, use ida and you will get a better idea.

[amohanta]

no,I am trying to analyse warftpd.I ll illustrate what I did.
I set breakpoint on ws2!recv() function and sent the buffer .I am using IDA to analyse the code where I break.But I think I landed much behind the overflow code.Even after a lot of debugging could not reach the overflow code.I tried to find strcpy() and other vuln functions in IDA but could not find out a solution.Can there be a easier way to find the vuln func?

[Juza]

What's the warftpd version?

[amohanta]

warftpd1.65

[Juza]

warftpd1.65

OK exploit here.
Breakpoint winsock dll (WS2_32.dll) function recv(), to find out where is the code that handle the login, with a setp out, i am sure you can find it!

Good Luck!

[amohanta]

I ll explain u the steps what i did .
I set bp on wsock_32.recv().Found the buffer parameter address and set memory breakpoint on the buffer and run execute till return.
I am still doing that not reached a proper conclusion yet.Please let me know if I m correct.

[Juza]

I ll explain u the steps what i did .
I set bp on wsock_32.recv().Found the buffer parameter address and set memory breakpoint on the buffer and run execute till return.
I am still doing that not reached a proper conclusion yet.Please let me know if I m correct.

Here enjoy it!

[amohanta]

Here enjoy it!
Well I don't have any problem in exploiting the warftpd I just want to analyse the vuln function.In the tutorial the eip gets overwriten stack gets overwritten so not able to determine the return address.