
This document is a technical write-up of the process used to exploit a buffer overflow vulnerability present in earlier versions on Windows, in order to gain privileged access to the operating system.

Part 1: Testing the Vulnerability

- First of all, we need to carry out some tests to extract information about the memory registers we are going to overflow and to confirm the vulnerability.
- To gather this information we run the executable and Immunity Debugger on the Windows machine, then run our script, which sends a long run of a single ASCII character, using the command “python attack.py IP_ADDRESS Port#” on Kali, where IP_ADDRESS is the IP address of the Windows machine and Port# is the port of the running process.
- Now we can see that the running process has been interrupted and is paused with an access violation error and its code. The same code is also present in EIP, and other registers point to its location.

Part 2: Preparing the Exploit

- Before we start preparing the exploit we first restart Immunity Debugger on the targeted system.
- Now, using the tool pattern_create.rb that ships with the Metasploit Framework, we generate a unique, non-repeating sequence of characters and direct it at the victim system using its IP address and the port on which the specific service is running. The command used is “./pattern_create.rb -l 5000 | nc IP_ADDRESS 1337”, run from the directory /usr/share/metasploit-framework/tools/exploit. This command takes the generated output and sends it as input to the specified IP address and port.
- Now, on the Windows machine, we observe the same condition but with a different access violation code. The same code can be seen in EIP: the process tried to execute the pattern values we supplied and failed.
- We copy the access violation code, which will be used later for exploiting the vulnerability.
- With the help of another tool, “pattern_offset.rb”, we search for the value we copied within the pattern generated earlier. This tells us the offset needed to overwrite EIP. For this purpose we use the following command in the same directory: “./pattern_offset.rb -l 5000 -q CODE”.
- The output shows after how many bytes the memory address is reached. Note: a memory address uses 4 bytes of data. For example, if the output states “Exact match at offset 450”, this means that after 450 bytes of data the next 4 bytes land in the memory address that is going to be executed.
- Now that we are able to place values in memory, the next step is to determine the best-suited location for them. For this we refer to the debugger, where we can see that our values are stored at the location ESP points to.
- We now restart the process and go to the executable modules loaded in memory for that specific application. These modules contain the set of instructions we can make use of.
- Search for a specific instruction that can move execution to the ESP location, which we control; here in our case GDI32 is the module we are looking for. In GDI32, find a “JMP ESP” and extract its memory address, which will be used for the buffer overflow.
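As an added example (not part of the original write-up), the following Python reproduces what pattern_create.rb and pattern_offset.rb do, so the offset step above can be checked offline against a recorded EIP value; the function names are my own, and the register values used below are constructed.

```python
# Added example: re-implementation of the Metasploit cyclic-pattern logic.
# Function names (pattern_create, pattern_offset) are my own, not msf's API.
import itertools
import re
import string
from typing import Optional


def pattern_create(length: int) -> bytes:
    """Build the non-repeating 'Aa0Aa1Aa2...' pattern, truncated to `length`."""
    triples = (u + l + d
               for u in string.ascii_uppercase
               for l in string.ascii_lowercase
               for d in string.digits)
    text = "".join(itertools.islice(triples, length // 3 + 1))
    return text.encode("ascii")[:length]


def pattern_offset(query: str, length: int = 5000) -> Optional[int]:
    """Return the byte offset of `query` inside the pattern, or None.

    `query` may be the 4 ASCII characters seen in the crash, or the value
    displayed in EIP as hex (with or without 0x). A hex value is decoded
    little-endian, because a 32-bit register shows the overwritten bytes
    in reverse order relative to the buffer that was sent.
    """
    q = query.strip()
    if re.fullmatch(r"0x[0-9a-fA-F]+", q) or re.fullmatch(r"[0-9a-fA-F]{8}", q):
        needle = int(q, 16).to_bytes(4, "little")
    else:
        needle = q.encode("ascii")
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    # Constructed crash record: EIP read from the debugger after sending
    # a 5000-byte pattern. (Value is made up for the demo.)
    eip = "0x41336141"
    print(f"EIP {eip} -> offset {pattern_offset(eip)}")
    # The Part 1 payload (all 'A') gives no usable offset, which is why
    # the unique pattern is needed.
    print(f"EIP 0x41414141 -> offset {pattern_offset('0x41414141')}")
```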

Part 3: Developing/Modifying the Shell Code

- http://netsec.ws/?p=180
- https://stackoverflow.com/questions/34369379/buffer-overflow-exploit-why-does-jmp-esp-need-to-be-located-in-a-dll
