Fuzzy registers – the low-level perspective
The fuzzing research we've done so far was effective in discovering the fact that these two FTP programs are vulnerable to overflows. Now, we need to understand what's happening behind the scenes by watching the stack as we send fuzz payloads. Of course, this will be done with a debugger. Since we're on Windows in this lab, we'll fire up WinDbg and attach it to the vulnerable software PID. Since we just got done toying around with the nfsAxe client, I'll assume that's still up and ready to go in your lab. Keep your 3Com Daemon lab handy, though, because the principles are the same. Let's go down the rabbit hole with Metasploit's offset discovery duo: pattern_create
and pattern_offset
.
Calculating the EIP offset with the Metasploit toolset
Head on over to the tools
directory in Metasploit with cd /usr/share/metasploit-framework/tools
. First, let's generate a 4,000-byte payload, as we know that's enough bytes to overwrite critical parts of memory:
...