Government Security
Network Security Resources

How To Find Return Address And And Function Caused The Buffer Overflow


#1 amohanta

Posted 17 February 2010 - 09:08 AM

I wanted to know how to find out which vulnerable function caused the buffer overflow.
When Olly crashes in a stack overflow the CPU window shows nothing, and as the stack is overflowed we cannot find the return address.
In this case, how do we determine the function that caused the buffer overflow?

#2 Juza

Posted 17 February 2010 - 10:36 AM

The return address is the EIP register, so you need to calculate every bit so that EIP would point to your shellcode.
If you are interested in learning this subject, view this topic, Overwriting EIP Question, or just read these books: Hacking: The Art of Exploitation, Buffer Overflow Attacks or The Shellcoder's Handbook.
I am sure that you can find these books out there, just google it xD.

If you want to learn shellcoding, go here.

I hope that can help you.
Go to iamjuza.blogspot.com
Follow me twitter.com/iamjuza

The true beginning of our end.


#3 amohanta

Posted 18 February 2010 - 07:33 AM

I have experimented with exploitation and am familiar with how to overwrite EIP to jump to shellcode. I want to know the function that causes the overflow and overwrites the EIP.
Say there's a function abc() that calls strcpy(); I want to locate and analyse the function abc().
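The abc()-calls-strcpy() pattern asked about here, as an added example that is not from this thread or from warftpd: a checking stand-in for strcpy() records the name of the function that issued the oversized copy, so the culprit is identified before the saved return address is destroyed. handle_login(), process_input(), the 32-byte buffer and the 99-byte input are all constructed for illustration.

```c
#include <string.h>

/* Report of the last copy that would have overrun its destination. */
struct overflow_report {
    const char *caller_func; /* function that issued the copy, e.g. "handle_login" */
    const char *dest_name;   /* destination buffer as written at the call site */
    size_t dest_size;        /* capacity of the destination */
    size_t src_len;          /* bytes the source needs, including the NUL */
};
static struct overflow_report g_last;

/* Checked stand-in for strcpy: records the caller and truncates instead of
   smashing the frame. Returns 1 if the copy would have overflowed, else 0. */
static int checked_strcpy(char *dest, size_t dest_size, const char *dest_name,
                          const char *src, const char *caller_func)
{
    size_t need = strlen(src) + 1;
    if (need <= dest_size) { memcpy(dest, src, need); return 0; }
    g_last.caller_func = caller_func; g_last.dest_name = dest_name;
    g_last.dest_size = dest_size;     g_last.src_len = need;
    memcpy(dest, src, dest_size - 1); dest[dest_size - 1] = '\0';
    return 1;
}
/* Captures the array's real size, its name and the enclosing function
   (__func__) at the call site, so the report names abc(), not strcpy(). */
#define STRCPY(dest, src) checked_strcpy((dest), sizeof(dest), #dest, (src), __func__)

/* Constructed model of the vulnerable pattern: a login handler copying network
   input into a fixed-size local buffer (sizes are made up, not warftpd's). */
static int handle_login(const char *user)
{
    char name[32];
    return STRCPY(name, user);
}
/* Models the receive path: input arrives here, the overflow happens in the callee. */
int process_input(const char *input)
{
    memset(&g_last, 0, sizeof g_last);
    return handle_login(input);
}
const char *last_overflow_caller(void) { return g_last.caller_func; }
size_t last_overflow_dest_size(void) { return g_last.dest_size; }
size_t last_overflow_src_len(void) { return g_last.src_len; }

/* Constructed oversized username: 99 'A's, well beyond the 32-byte buffer. */
const char *constructed_long_username(void)
{
    static char buf[100];
    memset(buf, 'A', sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    return buf;
}
```

After process_input(constructed_long_username()) the report names handle_login as the function that overran name[32], which is the information the trashed stack no longer carries.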

#4 webdevil

Posted 18 February 2010 - 06:23 PM

I am assuming that this is not your code that you are trying to overflow. In that case you will need to reverse engineer; use IDA and you will get a better idea.

#5 amohanta

Posted 19 February 2010 - 05:02 PM

No, I am trying to analyse warftpd. I'll illustrate what I did.
I set a breakpoint on the ws2!recv() function and sent the buffer. I am using IDA to analyse the code where I break. But I think I landed much behind the overflow code. Even after a lot of debugging I could not reach the overflow code. I tried to find strcpy() and other vulnerable functions in IDA but could not find a solution. Can there be an easier way to find the vulnerable function?

#6 Juza

Posted 19 February 2010 - 09:11 PM

What's the warftpd version?

#7 amohanta

Posted 20 February 2010 - 10:01 AM

warftpd 1.65

#8 Juza

Posted 21 February 2010 - 07:06 PM

warftpd 1.65

OK, exploit here.
Breakpoint the winsock DLL (WS2_32.dll) function recv() to find out where the code that handles the login is; with a step out, I am sure you can find it!

Good luck!

#9 amohanta

Posted 21 February 2010 - 09:12 PM

I'll explain to you the steps I did.
I set a bp on wsock_32.recv(). Found the buffer parameter address, set a memory breakpoint on the buffer and ran "execute till return".
I am still doing that and have not reached a proper conclusion yet. Please let me know if I am correct.

#10 Juza

Posted 21 February 2010 - 10:57 PM

I'll explain to you the steps I did.
I set a bp on wsock_32.recv(). Found the buffer parameter address, set a memory breakpoint on the buffer and ran "execute till return".
I am still doing that and have not reached a proper conclusion yet. Please let me know if I am correct.

Here, enjoy it!

#11 amohanta

Posted 22 February 2010 - 09:23 AM

Here, enjoy it!

Well, I don't have any problem exploiting warftpd; I just want to analyse the vulnerable function. In the tutorial the EIP gets overwritten and the stack gets overwritten, so I am not able to determine the return address.